Home > Articles > Cisco Network Technology > Wireless/Optical/High Speed > Cracking Wi-Fi Protected Access (WPA), Part 2

Cracking Wi-Fi Protected Access (WPA), Part 2

Article Description

Concluding his two-part series, Seth Fogie describes in detail how WPA-PSK can be cracked.

Like this article? We recommend

Network Security Fundamentals

Network Security Fundamentals


Collecting Data

Prior to using coWPAtty, we need to capture a WPA-PSK TKIP/EAP/802.1x negotiation session between an access point and a node. This can be accomplished using any number of sniffers, including Ethereal and tcpdump.

Our illustration is a highly filtered capture of only four packets, each of which represents one of the parts of the four-way handshake. In a normal capture, you would see WLAN management packets and encrypted traffic from other connected devices. You must have all four packets associated with the handshake. The problem is how to differentiate one EAP packet from another.

Fortunately, the 802.11 specifications help. Figures 1-4 provide the details of each individual packet in Ethereal. Note that the ACK flag is set only when the packet originates from the Linksys AP. Also, note the encryption information that appears only in packets 2 and 3. Finally, the Install flag is set only in packet 3, which comes from the authenticator (discussed in part 1 of this series).

Figure 1

Figure 1 Packet 1.

Figure 2

Figure 2 Packet 2.

Figure 3

Figure 3 Packet 3.

Figure 4

Figure 4 Packet 4.

Joshua Wright's tool takes all these differences into consideration and automatically determines whether a packet capture contains the relevant data required to crack WPA. If any one of these packets is missing, cracking efforts will fail.

4. Collecting Data | Next Section Previous Section