WPA-PSK is vulnerable to a dictionary attack. The attack requires capturing the 4-way handshake between a client and the access point, and it also requires a wordlist (dictionary). Tools such as Aircrack-ng or cowpatty then try each word against the handshake to recover the WPA/WPA2 pre-shared key.
Cowpatty was created by Joshua Wright (http://www.willhackforsushi.com/?page_id=50) and has all the features one could want from a good tool without getting in the way of the task at hand. It automates the dictionary attack against WPA-PSK networks and is very easy to use. The first thing we do is launch airodump-ng to select a target.
root@bt:~# airodump-ng mon0
As we can see in the screenshot above, two clients are connected to the network “Wireless”, which uses WPA with TKIP encryption. Now we launch airodump-ng again, listening only on the channel where our target access point is broadcasting, in this case “Wireless” on channel 11, and then run the aireplay-ng “Attack 0: Deauthentication” to deauthenticate a client and capture the 4-way handshake.
root@bt:~# airodump-ng --channel 11 --bssid FX:XX:XX:XF:AB:7C --write wpademo mon0
In my case I deauthenticate the client with MAC address “0C:XX:76:XX:D5:5B” from the ESSID “Wireless”.
root@bt:~# aireplay-ng --deauth 1 -a FX:XX:XX:XF:AB:7C -c 00:60:76:71:D5:5B mon0
Once the client has been detached from the access point, it will come back and reauthenticate. That reauthentication generates the four authentication frames (the 4-way handshake) that we are interested in capturing. Afterwards we use these frames to try to obtain the WPA/WPA2 pre-shared key.
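As an added example (not part of the original post), here is the deauthentication step seen from the defender's side: a wireless-IDS style check that parses raw 802.11 management headers and flags a burst of deauthentication or disassociation frames aimed at one client. The capture records, MAC addresses and thresholds are constructed for the example and are not taken from the post.

```python
"""Flag bursts of 802.11 deauthentication/disassociation frames.

Added example (not from the original post): a minimal wireless-IDS style check
for the forced deauthentication described above. Input records are constructed
(timestamp, raw 802.11 MAC header + body) tuples, not a live capture.
"""
from collections import defaultdict, deque

# IEEE 802.11 management frame (type 0) subtypes of interest.
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C


def parse_frame_header(raw: bytes) -> dict:
    """Decode type/subtype and the three address fields of an 802.11 MAC header."""
    if len(raw) < 24:
        raise ValueError("802.11 MAC header is at least 24 bytes")
    fc = raw[0]  # frame control: bits 0-1 version, 2-3 type, 4-7 subtype

    def mac_at(off: int) -> str:
        return ":".join(f"{b:02X}" for b in raw[off:off + 6])

    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "addr1": mac_at(4),   # receiver
        "addr2": mac_at(10),  # transmitter
        "addr3": mac_at(16),  # BSSID for management frames
    }


def detect_deauth_bursts(frames, window_s: float = 2.0, threshold: int = 5) -> list:
    """Return one alert per (BSSID, client) pair that saw >= threshold
    deauth/disassoc frames inside a sliding window of window_s seconds."""
    recent = defaultdict(deque)  # (bssid, client) -> timestamps inside the window
    alerts = {}
    for ts, raw in frames:
        h = parse_frame_header(raw)
        if h["type"] != 0 or h["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        bssid = h["addr3"]
        # Deauth can be sent in either direction; normalise to the non-AP side.
        client = h["addr1"] if h["addr2"] == bssid else h["addr2"]
        pair = (bssid, client)
        q = recent[pair]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts[pair] = {"bssid": bssid, "client": client, "count": len(q),
                            "first_seen": q[0], "last_seen": ts}
    return list(alerts.values())


# --- constructed sample capture -------------------------------------------
def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _frame(fc_byte: int, a1: str, a2: str, a3: str, body: bytes = b"") -> bytes:
    # frame control (2) + duration (2) + addr1/2/3 (18) + sequence control (2) + body
    return bytes([fc_byte, 0x00, 0x00, 0x00]) + _mac(a1) + _mac(a2) + _mac(a3) + b"\x00\x00" + body


AP = "02:00:00:00:AA:01"   # constructed, locally administered addresses
STA = "02:00:00:00:BB:02"
STA2 = "02:00:00:00:CC:03"
BCAST = "FF:FF:FF:FF:FF:FF"

SAMPLE_CAPTURE = [
    (0.000, _frame(0x80, BCAST, AP, AP, b"\x00" * 12)),   # beacon (type 0, subtype 8)
    (0.250, _frame(0x08, AP, STA, AP, b"\xAA\xAA\x03")),  # data frame (type 2)
    (5.000, _frame(0xC0, AP, STA2, AP, b"\x03\x00")),     # single deauth, client leaving
]
# Burst: eight deauth frames (fc 0xC0, reason code 7) from the AP address to STA in 140 ms.
SAMPLE_CAPTURE += [(1.0 + 0.02 * i, _frame(0xC0, STA, AP, AP, b"\x07\x00")) for i in range(8)]
SAMPLE_CAPTURE.sort(key=lambda rec: rec[0])

if __name__ == "__main__":
    for alert in detect_deauth_bursts(SAMPLE_CAPTURE):
        print(alert)
```

Without 802.11w Protected Management Frames a deauthentication frame carries no authentication at all, so a burst like the one in the sample is the only signal a sensor gets; a production WIDS would also look at sequence-number gaps between the real AP's frames and the spoofed ones before raising an alert.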
Now pay attention to the following image, which shows an airodump-ng session; at the top of the screen it shows the message “WPA handshake F4:C7:14:6F:AB:7”. The four-way handshake has been captured.
As shown in the picture above, we have obtained the 4-way handshake. As mentioned earlier, we will use these four frames to recover the WPA/WPA2 pre-shared key. For this we need a wordlist (dictionary) that contains the WPA/WPA2-PSK passphrase.
Before going on to the next step, stop airodump-ng and open the captured .cap file in Wireshark to look at the four-way handshake. The file should look something like the screenshot.
Now we start cracking, and this is where cowpatty comes in; for this we need a wordlist. We have to tell cowpatty the path to the wordlist, the capture containing the four-way handshake and finally the SSID of the wireless network, in this case “Wireless”. Basically cowpatty goes through each word in the dictionary and checks whether it is the key. How long this takes depends on the speed of your CPU and on the size and quality of the wordlist; it can take a while, even days or years, hehe, so if you are impatient expect to wait :D. We launch cowpatty from the console.
root@bt:~# cowpatty -r wpademo-02.cap -f /pentest/passwords/john/password.lst -2 -s Wireless
We specify the wordlist with -f (-f /pentest/passwords/john/password.lst), the SSID with -s (-s Wireless) and the capture file with -r (-r wpademo-02.cap). The last parameter, -2, enables non-strict mode, so cowpatty does not insist on having captured all four frames of the handshake, that is, the complete exchange. Certainly a pretty good option.
In this example I used the wordlist that comes bundled with John the Ripper in BackTrack; the file is located at /pentest/passwords/john/password.lst.
It is important to note that for WPA cracking we need a very good wordlist. The BackTrack distribution includes a few dictionaries, but these may not be enough; for that you have to search Google, or use one of the generators that automate the process of building wordlists.
Finally, an example using Aircrack-ng. We specify the path to our wordlist with -w (-w /pentest/passwords/john/password.lst) followed by our capture file (wpademo-02.cap).
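When you open the capture in Wireshark (the step above) it helps to know which of the four EAPOL-Key messages are actually there, since cowpatty's -2 mode needs frames 1 and 2 or 2 and 3 rather than all four. The following classifier is an added example, not code from the original post or from cowpatty: it reads the EAPOL payloads (what Wireshark labels "802.1X Authentication") and assigns each to message 1-4 from the Key Information bits. The sample frames are constructed and carry zeroed nonces and MICs.

```python
"""Classify the EAPOL-Key frames of a captured WPA/WPA2 4-way handshake.

Added example (not from the original post or from cowpatty). Given EAPOL
payloads it reports which handshake messages were captured and whether the set
is complete or only enough for cowpatty's non-strict (-2) mode. Sample frames
are constructed.
"""
import struct

EAPOL_TYPE_KEY = 3
FIXED_DESCRIPTOR_LEN = 95  # descriptor type .. key-data length field

# Key Information bits of the EAPOL-Key frame (IEEE 802.11i).
KI_PAIRWISE = 1 << 3
KI_INSTALL = 1 << 6
KI_ACK = 1 << 7
KI_MIC = 1 << 8
KI_SECURE = 1 << 9


def classify_eapol_key(eapol: bytes):
    """Return the handshake message number (1-4) or None if not a pairwise EAPOL-Key frame."""
    if len(eapol) < 4 + FIXED_DESCRIPTOR_LEN:
        return None
    _version, etype, _body_len = struct.unpack(">BBH", eapol[:4])
    if etype != EAPOL_TYPE_KEY:
        return None
    key_info = struct.unpack(">H", eapol[5:7])[0]        # after 4-byte header + descriptor type
    key_data_len = struct.unpack(">H", eapol[97:99])[0]  # last field of the fixed descriptor
    if not key_info & KI_PAIRWISE:
        return None  # group-key handshake, not the 4-way handshake
    ack, mic = bool(key_info & KI_ACK), bool(key_info & KI_MIC)
    install, secure = bool(key_info & KI_INSTALL), bool(key_info & KI_SECURE)
    if ack and not mic:
        return 1  # AP -> STA: carries the ANonce
    if ack and mic and install:
        return 3  # AP -> STA: ANonce again, encrypted GTK in key data
    if not ack and mic:
        # M2 carries the station's RSN/WPA IE; M4 sets Secure (or has no key data in WPA).
        return 4 if secure or key_data_len == 0 else 2
    return None


def handshake_status(eapol_frames) -> dict:
    """Summarise which messages are present and what a cracker could do with them."""
    present = {m for m in map(classify_eapol_key, eapol_frames) if m is not None}
    return {
        "messages": sorted(present),
        "complete": present == {1, 2, 3, 4},
        # cowpatty -2: frames 1 and 2, or 2 and 3 (SNonce from M2, ANonce from M1 or M3)
        "usable_nonstrict": 2 in present and bool(present & {1, 3}),
    }


# --- constructed sample frames --------------------------------------------
def _eapol_key(key_info: int, key_data: bytes = b"") -> bytes:
    body = struct.pack(">BHH", 2, key_info, 16)   # RSN descriptor type, key info, key length
    body += b"\x00" * 8                           # replay counter
    body += b"\x00" * (32 + 16 + 8 + 8 + 16)      # nonce, IV, RSC, ID, MIC (zeroed here)
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 1, EAPOL_TYPE_KEY, len(body)) + body


VER = 2                        # descriptor version 2: HMAC-SHA1 MIC, AES key wrap
RSN_IE = b"\x30\x02\x01\x00"   # constructed stand-in for an RSN information element
M1 = _eapol_key(VER | KI_PAIRWISE | KI_ACK)
M2 = _eapol_key(VER | KI_PAIRWISE | KI_MIC, RSN_IE)
M3 = _eapol_key(VER | KI_PAIRWISE | KI_INSTALL | KI_ACK | KI_MIC | KI_SECURE, RSN_IE)
M4 = _eapol_key(VER | KI_PAIRWISE | KI_MIC | KI_SECURE)
GROUP = _eapol_key(VER | KI_ACK | KI_MIC | KI_SECURE, b"\x00")  # group key message, not pairwise

if __name__ == "__main__":
    print(handshake_status([M1, M2, M3, M4]))
    print(handshake_status([M2, M3]))
```

A capture holding only messages 3 and 4 is reported as unusable because the SNonce travels only in message 2; that is the situation where rerunning the capture, rather than adding -2, is the fix.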
root@bt:~# aircrack-ng -w /pentest/passwords/john/password.lst wpademo-02.cap
For WPA2 the cracking process is the same; there is no difference. Also keep in mind that, being a dictionary attack, the prerequisite is that the password be in the wordlist we supply; if the passphrase is not in the dictionary, the attack will not succeed.
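To make the last point concrete, the following added example (not code from the original post or from aircrack-ng/cowpatty) derives the Pairwise Master Key exactly as WPA-PSK does, measures how many derivations per second one CPU core manages with plain hashlib, and audits a known passphrase against a wordlist to report how many guesses a dictionary attack would need. The PBKDF2 parameters are the ones fixed by IEEE 802.11i; the wordlist and the function names are constructed for the example.

```python
"""WPA-PSK key derivation and the cost of one dictionary guess.

Added example (not from the original post or from aircrack-ng/cowpatty).
The wordlist and the audit helpers are constructed for illustration.
"""
import hashlib
import secrets
import time

PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA-PSK


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID is the salt, so a precomputed table helps only against that exact SSID."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA-PSK passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(),
                               PBKDF2_ITERATIONS, 32)


def measure_pmk_rate(ssid: str, samples: int = 25) -> float:
    """PMK derivations per second on this machine (single core, hashlib only)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk_pmk(f"sample-pass-{i:04d}", ssid)
    return samples / (time.perf_counter() - start)


def audit_passphrase(passphrase: str, ssid: str, wordlist, rate: float) -> dict:
    """How many PBKDF2 derivations a dictionary attack with `wordlist` needs before it
    reaches `passphrase`, and how long that takes at `rate` guesses per second."""
    wpa_psk_pmk(passphrase, ssid)  # validates the passphrase the same way the AP would
    guesses = 0
    position = None
    for word in wordlist:
        if not 8 <= len(word) <= 63:
            continue  # cowpatty and aircrack-ng skip these: not valid WPA passphrases
        guesses += 1
        if position is None and word == passphrase:
            position = guesses
    return {
        "in_wordlist": position is not None,
        "guesses_needed": position,
        "valid_candidates": guesses,
        "seconds_to_hit": None if position is None else position / rate,
        "seconds_to_exhaust": guesses / rate,
    }


SAMPLE_WORDLIST = ["123456", "qwerty", "password", "letmein!", "Wireless1"]  # constructed

if __name__ == "__main__":
    rate = measure_pmk_rate("Wireless")
    print(f"~{rate:.0f} PMK derivations/s on this CPU")
    print(audit_passphrase("password", "Wireless", SAMPLE_WORDLIST, rate))
    strong = secrets.token_urlsafe(24)  # random 32-char passphrase: no wordlist contains it
    print(audit_passphrase(strong, "Wireless", SAMPLE_WORDLIST, rate))
```

Two things fall out of running it: every guess costs 4096 HMAC-SHA1 rounds per 20-byte output block, which is why a CPU manages only a few thousand candidates per second and why the size of the wordlist matters so much; and because the SSID salts the derivation, a network with a unique SSID cannot be attacked with tables precomputed for common SSIDs, while a passphrase that is not in any wordlist is never reached at all.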