Offline WPA-PSK auditing tool (coWPAtty)
A while back, Robert Moskowitz published a paper titled "Weakness in
Passphrase Choice in WPA Interface" [1] that described a dictionary
attack against wireless networks using the TKIP protocol with a
pre-shared key (PSK).

Even though the WPA-PSK authentication mechanism was intended to be used
solely for consumer networks, I've seen a surprising number of SMB and
Enterprise networks that have adopted it, presumably for its ease of use.

Fortunately, offline dictionary attacks are not terribly effective
against WPA-PSK networks, due to the IEEE selection of the PBKDF2
algorithm for PSK hashing. For a dictionary attack to be effective, it
must take each dictionary word and perform 4096 iterations of HMAC-SHA1
with two nonce values and the supplicant and authenticator MAC
addresses. I've optimized the ipad and opad calculations in an attempt
to optimize this process, but I'm only able to accommodate approximately
70 words/second on a Pentium 4 3.8 GHz system (5570 bogomips).

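To make the cost argument above concrete, here is an added worked example (not part of the original post and not coWPAtty's code) that derives a WPA-PSK from a passphrase and SSID exactly as a supplicant or access point does: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 256-bit output. It includes a plain reference PBKDF2 loop so the iteration structure is visible, and checks both against the IEEE 802.11i Annex H test vector ("password"/"IEEE"). One detail worth noting: the 4096 iterations run once per 20-byte HMAC-SHA1 output block, and a 32-byte PSK needs two blocks, so each candidate passphrase costs 8192 HMAC-SHA1 computations before the nonces and MAC addresses even enter the later key derivation. The candidate strings and the 7000-word dictionary size in the throughput estimate are constructed for illustration; the 70 words/second figure is the one quoted above.

```python
"""WPA-PSK derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output)
and a rough estimate of what that cost means for offline guessing.
Added example; assumes only the Python standard library."""
import hashlib
import hmac
import time

PSK_ITERATIONS = 4096   # fixed by IEEE 802.11i
PSK_LEN = 32            # 256-bit PSK
SHA1_LEN = 20           # HMAC-SHA1 output size


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096, 256 bits).
    This is the same derivation wpa_passphrase performs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), PSK_ITERATIONS,
                               dklen=PSK_LEN)


def pbkdf2_sha1_reference(password: bytes, salt: bytes,
                          iterations: int, dklen: int) -> bytes:
    """Spelled-out PBKDF2 (RFC 2898) so the per-block iteration loop is
    visible: T_i = U_1 xor U_2 xor ... xor U_c, one T_i per output block."""
    out = b""
    block = 1
    while len(out) < dklen:
        # U_1 = PRF(password, salt || INT(block))
        u = hmac.new(password, salt + block.to_bytes(4, "big"),
                     hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        # U_2 .. U_c, each fed the previous U and xored into T
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(SHA1_LEN, "big")
        block += 1
    return out[:dklen]


def hmac_invocations_per_candidate(dklen: int = PSK_LEN,
                                   iterations: int = PSK_ITERATIONS,
                                   hlen: int = SHA1_LEN) -> int:
    """Number of HMAC-SHA1 calls PBKDF2 spends on one candidate:
    ceil(dklen / hlen) blocks, each running the full iteration count."""
    blocks = -(-dklen // hlen)  # integer ceiling
    return blocks * iterations


def measure_rate(ssid: str, seconds: float = 1.0) -> float:
    """Candidates per second this machine can derive (constructed
    candidate strings; only the derivation cost is being measured)."""
    n = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_psk(f"candidate{n:08d}", ssid)
        n += 1
    return n / (time.perf_counter() - start)


def seconds_to_exhaust(dictionary_size: int, rate: float) -> float:
    """Wall-clock time to try every word of a dictionary at a given rate."""
    return dictionary_size / rate


if __name__ == "__main__":
    # IEEE 802.11i Annex H.4 test vector: passphrase "password", SSID "IEEE"
    psk = derive_psk("password", "IEEE")
    print("PSK:", psk.hex())
    print("reference loop agrees:",
          pbkdf2_sha1_reference(b"password", b"IEEE", 4096, 32) == psk)
    print("HMAC-SHA1 calls per candidate:", hmac_invocations_per_candidate())
    rate = measure_rate("IEEE", seconds=0.5)
    print(f"this machine: ~{rate:.0f} candidates/s")
    # Constructed 7000-word dictionary at the 70 words/s quoted in the post
    print(f"7000 words at 70/s: {seconds_to_exhaust(7000, 70.0):.0f} s")
```

The takeaway for a defender is the ratio, not the absolute numbers: every candidate costs thousands of HMAC computations, so the only variable the network owner controls, passphrase entropy, is what turns "minutes" into "infeasible". A passphrase drawn from a wordlist is found in dictionary-size / rate seconds regardless of PBKDF2; a long random one is not.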
Max Moser offered to host coWPAtty for me, available at
http://www.remote-exploit.org/?page=codes. coWPAtty was written for
Linux systems; please let me know if you get it running on other
platforms as well. More information is available in the README and FAQ
files included in the tarball.
Thanks,
-Josh
[1] http://wifinetnews.com/archives/002452.html
--
-Joshua Wright
jwright@xxxxxxxxxxx
http://home.jwu.edu/jwright/
pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
Today I stumbled across the world's largest hotspot. The SSID is "linksys".