Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

Wireless How To

Performing the Crack

The Wi-Fi Alliance was wise to implement an eight character minimum for WPA-PSK. Making the key that long essentially renders brute force methods useless. This is because the number of possible typeable character combinations for keys of an eight character length is just above six quadrillion (that's 948 or about 6 x 1015).

My poor little laptop can only crunch about 35 hashes a second, so it would take me about five-and-a-half million years (I'm not kidding here either, I did the math!) to create a hash table for an eight character hash table or to test all possible combinations when brute-forcing a key.

And what's more, since the hash is salted with the SSID of the AP, that hash table I just spent five million years creating, would be good only against APs with that exact SSID. So, clearly we're not going to be brute-forcing any WPA keys anytime soon.

What we can do, however, is limit the list of possible passphrases by making educated guesses, compute the hashes of those guesses and check them against our captured key. This technique is referred to as a dictionary attack.

BackTrack v2 comes bundled with a good offering of simple wordlists, as well as four lists of passwords common in the '90s, reverse-sorted by occurrence (more common passwords are at the top, less common passwords are at the bottom). The lists seem to be missing from Backtrack v3, but there are plenty of wordlists around the 'net.

Using the wordlists in Backtrack version 2, we can mount a dictionary attack on our captured WPA handshake using either aircrack-ng or coWPAtty. Aircrack-ng runs much faster on my attacking system (testing 3740 keys took 35 seconds), and has native optimization for multiple processors. coWPAtty, on the other hand, runs much slower (testing the same 3740 keys took almost 2 minutes) and can accept hash files precomputed by genpmk.

Some of the commands below have been formatted into multiple lines to fit our page. All commands should be entered on one line.

aircrack-ng attack

Start a dictionary attack against a WPA key with the following:

General Form:

aircrack-ng -e AP_SID -w dictionary_file capture_file

Example (BackTrack v3):

aircrack-ng -e snb -w /pentest/wireless
/cowpatty-4.0/dict Kismet-Jan-15-2008-1.dump

Aircrack-ng shows the hex hashes of the keys as it tries them, which is nice since some attacks can take a long time. Figure 8 shows that Aircrack-ng took 35 seconds to find the test key "dictionary".

Aircrack-ng, Key Found!

Figure 8: Aircrack-ng, Key Found!


First move into the cowpatty directory, either by selecting it from the menu or by changing to /pentest/wireless/cowpatty-4.0. Then run:

General Form:

./cowpatty -s AP_SID -f dictionary_file -r capture_file


./cowpatty -s snb -f dict -r Kismet-Jan-15-2008-1.dump

coWPAtty doesn't say much about its run-time status, but prints updates every thousand keys. Figure 9 shows that coWPAtty took a little over two minutes to recover the test key "dictionary".

coWPAtty, Key Found!

Figure 9: coWPAtty, Key Found!

Alternately, coWPAtty can use a precomputed hash file to attack a WPA key. Precomputed hash files use a technique similar to Rainbow Tables allowing you to trade the amount of time required to crack a given key for hash file size (and precomputation time).

Hashes are paired with their plain text precursor allowing the engine to simply look up the captured WPA key hash and read off its corresponding plain text key. Since WPA keys are salted, this technique only works against AP's with the same SSID used to compute the table.

Hash tables can be very effective but require disk space to store the tables that can get rather large, quickly. Even with these limitations, the Church of WiFi has computed hash tables for the 1000 most common SSID's against one million common passphrases.

You can generate a hash table from within the cowpatty directory with coWPAtty's genpmk:

General Form:

./genpmk -s AP_SID -f dictionary_file -d hash_output_file


./genpmk -s snb -f dict -d dict_hash

genpmk Hash Table Generation

Figure 10: genpmk Hash Table Generation

Now, using the newly created hash table, the crack takes only a fraction of a second (0.11 to be precise). This is just shy of 1/1100th the time it took when not using a hash table.

General Form:

./cowpatty -s AP_SID -d hash_output_file -r capture_file


./cowpatty -s snb -d dict_hash -r Kismet-Jan-15-2008-1.dump

coWPAtty Hash Table Attack

Figure 11: coWPAtty Hash Table Attack

More Wireless

Wi-Fi System Tools
Check out the new Wi-Fi System Charts, Ranker and Finder!

Featured Sponsors

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

Hi Forum,I'm using ASUS-Merlin on a RT-AC68U router (T-mobile one I believe). It was working great.Recently (probably 380.63, not sure) router keep cr...
I have a RT-AC68U and running an old version of the merlin firmware ( It has been working perfectly, so haven't kept up with the rec...
As someone not versed in networking, this has been a frustrating, but informative path.Many have suggested an Edgerouter X with two Unifi AP Lites. I ...
Basically I'm trying to only block web browsing on a single LAN wired device. So anytime someone pulls up a web browser and types in a standard port 8...
Hi,I'm new to this forum. I'm a long time Asus router user. I'm currently on AC3200. However, I would like to add another router to extend the WIFI co...

Don't Miss These

  • 1
  • 2
  • 3
Get Backblaze Now!