How to Hack Wi-Fi: Cracking WPA2-PSK Passwords with Cowpatty

Aug 30, 2013 04:36 PM
Jul 22, 2017 05:59 AM
635134593322336685.jpg

Welcome, my hacker novitiates!

As part of my series on hacking Wi-Fi, I want to demonstrate another excellent piece of hacking software for cracking WPA2-PSK passwords. In my last post, we cracked WPA2 using aircrack-ng. In this tutorial, we'll use a piece of software developed by wireless security researcher Joshua Wright called cowpatty (often stylized as coWPAtty). This app simplifies and speeds up the dictionary/hybrid attack against WPA2 passwords, so let's get to it!

For this to work, we'll need to use a compatible wireless network adapter. Check out our 2017 list of Kali Linux and Backtrack compatible wireless network adapters in the link above, or you can grab our most popular adapter for beginners here.

635134593571625122.jpg

Step 1: Find Cowpatty

Cowpatty is one of the hundreds of pieces of software that are included in the BackTrack suite of software. For some reason, it was not placed in the /pentest/wireless directory, but instead was left in the /usr/local/bin directory, so let's navigate there.

  • cd /usr/local/bin

Because cowpatty is in the /usr/local/bin directory and this directory should be in your PATH, we should be able to run it from any directory in BackTrack.

Step 2: Find the Cowpatty Help Screen

To get a brief rundown of the cowpatty options, simply type:

  • cowpatty
635134574895428319.jpg

BackTrack will provide you a brief help screen. Take a note that cowpatty requires all of the following.

  • a word list
  • a file where the password hash has been captured
  • the SSID of the target AP

Step 3: Place the Wireless Adapter in Monitor Mode

Just as in cracking with aircrack-ng, we need to put the wireless adapter into monitor mode.

  • airmon-ng start wlan0
635134575019448537.jpg

Step 4: Start a Capture File

Next, we need to start a capture file where the hashed password will be stored when we capture the 4-way handshake.

  • airodump-ng --bssid 00:25:9C:97:4F:48 -c 9 -w cowpatty mon0

This will start a dump on the selected AP (00:25:9C:97:4F:48), on the selected channel (-c 9) and save the the hash in a file named cowcrack.

Step 5: Capture the Handshake

Now when someone connects to the AP, we'll capture the hash and airdump-ng will show us it has been captured in the upper right-hand corner.

635134575153608773.jpg

Step 6: Run the Cowpatty

Now that we have the hash of the password, we can use it with cowpatty and our wordlist to crack the hash.

  • cowpatty -f /pentest/passwords/wordlists/darkc0de.lst -r /root/cowcrack-01.cap -s Mandela2
635134575329265081.jpg

As you can see in the screenshot above, cowpatty is generating a hash of every word on our wordlist with the SSID as a seed and comparing it to the captured hash. When the hashes match, it dsplays the password of the AP.

Step 7: Make Your Own Hash

Although running cowpatty can be rather simple, it can also be very slow. The password hash is hashed with SHA1 with a seed of the SSID. This means that the same password on different SSIDs will generate different hashes. This prevents us from simply using a rainbow table against all APs. Cowpatty must take the password list you provide and compute the hash with the SSID for each word. This is very CPU intensive and slow.

Cowpatty now supports using a pre-computed hash file rather than a plain-text word file, making the cracking of the WPA2-PSK password 1000x faster! Pre-computed hash files are available from the Church of WiFi, and these pre-computed hash files are generated using 172,000 dictionary file and the 1,000 most popular SSIDs. As useful as this is, if your SSID is not in that 1,000, the hash list really doesn't help us.

In that case, we need to generate our own hashes for our target SSID. We can do this by using an application called genpmk. We can generate our hash file for the "darkcode" wordlist for the SSID "Mandela2" by typing:

  • genpmk -f /pentest/passwords/wordlists/darkc0de.lst -d hashes -s Mandela2
635134575445953286.jpg

Step 8: Using Our Hash

Once we have generated our hashes for the particular SSIDs, we can then crack the password with cowpatty by typing:

  • cowpatty -d hashfile -r dumpfile -s ssid

Stay Tuned for More Wireless Hacking Guides

If you're looking for a cheap, handy platform to get started using Cowpatty, check out our Kali Linux Raspberry Pi build using the $35 Raspberry Pi.

636362746983175324.jpg

Get started using Cowpatty with the Raspberry Pi.

Keep coming back for more on Wi-Fi hacking and other hacking techniques! Haven't seen the other Wi-Fi hacking guides yet? Check them out here. If you have questions on any of this, please ask them in the comments below. If it's something unrelated, try asking in the Null Byte forum.

Just updated your iPhone? You'll find new Apple Intelligence capabilities, sudoku puzzles, Camera Control enhancements, volume control limits, layered Voice Memo recordings, and other useful features. Find out what's new and changed on your iPhone with the iOS 18.2 update.

Comments

No Comments Exist

Be the first, drop a comment!