To perform the crack, we'll use coWPAtty. While it would be nice to show the details by hand, this feat would be almost impossible because WPA employs several hashing algorithms (HMAC, SHA1, and MD5). Manually working through these calculations would take a very long time, and is well beyond the scope of this article.
Using coWPAtty is simple. The help menu provides several hints as to what we need to prepare prior to using this program:
colinux:/downloads/wpa# ./cowpatty cowpatty - WPA-PSK dictionary attack. <firstname.lastname@example.org> cowpatty: Must supply a list of passphrases in a file with -f. Use "-f -" to accept words on stdin. Usage: cowpatty [options] -f Dictionary file -r Packet capture file -s Network SSID -h Print this help information and exit -v Print verbose information (more -v for more verbosity) -V Print program version and exit
coWPAtty is a brute-force cracking tool, which means that it systematically attempts to crack the WPA-PSK by testing numerous passwords, in order, one at a time. The quality of this type of tool is related to its speed; in other words, how fast it can test each password. Unfortunately, coWPAtty is not very fast, and can try a maximum of 30–60 words per second. That may sound like a lot, but assuming that coWPAtty can test 45 words per second, by the end of day a cracker would have tested only 3,888,000 words. When you compare this number to the fact that there are 208,827,064,576 possible ways to create the minimum eight-letter password, it would take more than 53710 days just to be sure that the passphrase isn't as simple as "aaaaaaaa." Combine the requirement that all WPA-PSK passwords have to be greater than eight characters, and you have a problem.
Still, coWPAtty can quickly rule out the standard weak passwords. In addition, it was written in such a way that it provides an excellent teaching tool to demonstrate WPA's weakness.
Using coWPAtty is fairly straightforward. You need to provide a password list, a capture file with a complete EAP four-way handshake, as well as the SSID for the target network. The following sections outline the steps to collect the handshake and SSID.