Performing the Crack

The Wi-Fi Alliance was wise to implement an eight character minimum for WPA-PSK. Making the key that long essentially renders brute force methods useless. This is because the number of possible typeable character combinations for keys of an eight character length is just above six quadrillion (that's 94^8, or about 6 × 10^15).

My poor little laptop can only crunch about 35 hashes a second, so it would take me about five-and-a-half million years (I'm not kidding here either, I did the math!) to create a hash table for every eight character key or to test all possible combinations when brute-forcing a key.

And what's more, since the hash is salted with the SSID of the AP, that hash table I just spent five million years creating would be good only against APs with that exact SSID. So, clearly we're not going to be brute-forcing any WPA keys anytime soon.

What we can do, however, is limit the list of possible passphrases by making educated guesses, compute the hashes of those guesses and check them against our captured key. This technique is referred to as a dictionary attack.

BackTrack v2 comes bundled with a good offering of simple wordlists, as well as four lists of passwords common in the '90s, reverse-sorted by occurrence (more common passwords are at the top, less common passwords are at the bottom). The lists seem to be missing from BackTrack v3, but there are plenty of wordlists around the 'net.

Using the wordlists in BackTrack v2, we can mount a dictionary attack on our captured WPA handshake using either aircrack-ng or coWPAtty. Aircrack-ng runs much faster on my attacking system (testing 3740 keys took 35 seconds) and has native optimization for multiple processors. coWPAtty, on the other hand, runs much slower (testing the same 3740 keys took almost 2 minutes), but it can accept hash files precomputed by genpmk.

Some of the commands below have been formatted into multiple lines to fit our page. All commands should be entered on one line.

aircrack-ng attack

Start a dictionary attack against a WPA key with the following:

General Form:

aircrack-ng -e AP_SID -w dictionary_file capture_file

Example (BackTrack v3):

aircrack-ng -e snb -w /pentest/wireless/cowpatty-4.0/dict Kismet-Jan-15-2008-1.dump

Aircrack-ng shows the hex hashes of the keys as it tries them, which is nice since some attacks can take a long time. Figure 8 shows that Aircrack-ng took 35 seconds to find the test key "dictionary".


Figure 8: Aircrack-ng, Key Found!


First move into the cowpatty directory, either by selecting it from the menu or by changing to /pentest/wireless/cowpatty-4.0. Then run:

General Form:

./cowpatty -s AP_SID -f dictionary_file -r capture_file

Example:

./cowpatty -s snb -f dict -r Kismet-Jan-15-2008-1.dump

coWPAtty doesn't say much about its run-time status, but prints updates every thousand keys. Figure 9 shows that coWPAtty took a little over two minutes to recover the test key "dictionary".


Figure 9: coWPAtty, Key Found!

Alternatively, coWPAtty can use a precomputed hash file to attack a WPA key. Precomputed hash files use a technique similar to Rainbow Tables, allowing you to trade the time required to crack a given key for hash file size (and precomputation time).

Hashes are paired with their plain text precursor, allowing the engine to simply look up the captured WPA key hash and read off its corresponding plain text key. Since the WPA key derivation is salted with the SSID, this technique only works against APs with the same SSID that was used to compute the table.

Hash tables can be very effective, but they require disk space to store the tables, which can get rather large very quickly. Even with these limitations, the Church of WiFi has computed hash tables for the 1000 most common SSIDs against one million common passphrases.
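To make the two points above concrete (the keyspace arithmetic from the start of this section, and why a precomputed table is tied to one SSID), here is an added Python example that is not part of the original article and not coWPAtty's or genpmk's code. It derives the WPA-PSK Pairwise Master Key the way the 802.11i standard specifies (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), builds a tiny lookup table for the article's test SSID "snb" from a constructed wordlist, and shows that the same passphrase under a different SSID is not found in that table. The "password"/"IEEE" test vector is the one published in the standard; the wordlist and timing figures are assumptions taken from this article.

```python
import hashlib
import math

# WPA-PSK maps a passphrase to a 256-bit PMK with PBKDF2-HMAC-SHA1,
# 4096 iterations, using the SSID as the salt (IEEE 802.11i).
WPA_PBKDF2_ITERATIONS = 4096
PMK_LENGTH_BYTES = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the Pairwise Master Key for one passphrase/SSID pair."""
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        WPA_PBKDF2_ITERATIONS,
        dklen=PMK_LENGTH_BYTES,
    )


def build_pmk_table(ssid: str, wordlist) -> dict:
    """Precompute PMK -> passphrase for a single SSID.

    This is the shape of the data a genpmk-style hash file holds: every
    entry is bound to the SSID used as salt, so the table is useless
    against an AP with a different SSID.
    """
    return {derive_pmk(word, ssid): word for word in wordlist}


def lookup_passphrase(table: dict, pmk: bytes):
    """Reverse a PMK to its passphrase if, and only if, it is in the table."""
    return table.get(pmk)


def years_to_exhaust(charset_size: int = 94, length: int = 8,
                     rate_per_second: float = 35.0) -> float:
    """Years needed to try every key of the given length at the given rate.

    Defaults reproduce the article's figures: 94 typeable characters,
    8-character minimum, ~35 PBKDF2 hashes/second on the author's laptop.
    """
    combinations = charset_size ** length
    seconds = combinations / rate_per_second
    return seconds / (365.25 * 24 * 3600)


def passphrase_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random passphrase drawn from the charset."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    # Constructed wordlist standing in for the BackTrack dict file.
    wordlist = ["password", "letmein", "dictionary", "qwerty123"]
    table = build_pmk_table("snb", wordlist)

    # A handshake captured from the "snb" AP with passphrase "dictionary"
    # yields a PMK that the table reverses immediately.
    print(lookup_passphrase(table, derive_pmk("dictionary", "snb")))   # dictionary
    # The same passphrase on an AP named "MyHomeNet" is not in the table.
    print(lookup_passphrase(table, derive_pmk("dictionary", "MyHomeNet")))  # None

    print(f"Years to brute-force 94^8 at 35 hashes/s: {years_to_exhaust():.2e}")
    print(f"Entropy of a random 8-char key: {passphrase_entropy_bits(94, 8):.1f} bits")
    print(f"Entropy of a random 20-char key: {passphrase_entropy_bits(94, 20):.1f} bits")
```

The practical reading for a network owner is the same one the article draws: the 4096-iteration PBKDF2 is what keeps the per-guess rate low, the SSID salt is what stops a table computed for a common SSID from being reused against a non-default one, and a long random passphrase pushes the keyspace far beyond anything a wordlist or a precomputed table can cover.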

You can generate a hash table from within the cowpatty directory with coWPAtty's genpmk:

General Form:

./genpmk -s AP_SID -f dictionary_file -d hash_output_file

Example:

./genpmk -s snb -f dict -d dict_hash


Figure 10: genpmk Hash Table Generation

Now, using the newly created hash table, the crack takes only a fraction of a second (0.11 seconds, to be precise). This is just shy of 1/1100th of the time it took without a hash table.

General Form:

./cowpatty -s AP_SID -d hash_output_file -r capture_file

Example:

./cowpatty -s snb -d dict_hash -r Kismet-Jan-15-2008-1.dump


Figure 11: coWPAtty Hash Table Attack
