coWPAtty MAIN:


"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." - Joshua Wright.


Project Homepage:




Local Mirror: cowpatty-4.6.tgz  MD5: b90fd36ad987c99e7cc1d2a05a565cbd



Installing coWPAtty


coWPAtty Dictionary Attack


Precomputing WPA PMK to crack WPA PSK


coWPAtty Precomputed WPA Attack


coWPAtty Tables



NOTE: coWPAtty 4.0 and above also include WPA2 attack capabilities (usage remains the same).



Installing coWPAtty:


Download the latest coWPAtty (currently coWPAtty-4.2) to /tools/wifi


tar zxvf cowpatty-4.2.tgz


cd cowpatty-4.2





coWPAtty Dictionary Attack:


To perform the coWPAtty dictionary attack we need to supply the tool with a capture file that includes the TKIP four-way handshake, a dictionary file of passphrases to guess with, and the SSID of the network.


To collect the four-way handshake you can either wait until a client joins the network or, preferably, force it to rejoin the network using tools like void11 or aireplay, and capture the handshake using something like kismet, ethereal or airodump.


./cowpatty -r wpa-test-01.cap -f dict -s cuckoo





As you can see, this dictionary attack took in excess of 3 minutes. We can speed this up by precomputing the WPA-PMK to crack the WPA-PSK (see below).


wpa-test-01.cap is the capture containing the four-way handshake


dict is the password file


cuckoo is the network SSID



Precomputing WPA PMK to crack WPA PSK:


genpmk is used to precompute the hash files, in a similar way to how Rainbow tables are used to pre-hash passwords in Windows LANMan attacks.  There is a slight difference in WPA, however: the SSID of the network is used together with the WPA-PSK to "salt" the hash.  This means that we need a different set of hashes for each and every unique SSID, i.e. one set for "linksys", one set for "tsunami", etc.



So to generate some hash files for a network using the SSID cuckoo we use:



./genpmk -f dict -d hashfile -s cuckoo



dict is the password file


hashfile is our output file


cuckoo is the network SSID
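To see why the hashes have to be regenerated for every SSID, here is an added Python example (not part of the original howto and not coWPAtty's own code) that derives the WPA/WPA2-Personal PMK as 802.11i specifies it, PBKDF2-HMAC-SHA1 with the SSID as the salt, and builds a tiny genpmk-style table from a constructed word list. SAMPLE_DICT, SAMPLE_SSID and the function names are assumptions of this example, not values from the page.

```python
import hashlib
import time

# Constructed sample inputs (not from the original page): a tiny word list
# standing in for the "dict" file, and the SSID used throughout the howto.
SAMPLE_DICT = ["password", "cuckoo123", "letmein99", "Summer2010!"]
SAMPLE_SSID = "cuckoo"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).

    The SSID is the salt, so a table of PMKs is only valid for the exact
    SSID it was generated against.
    """
    if not 8 <= len(passphrase) <= 63:
        # 802.11i restricts WPA passphrases to 8..63 ASCII characters.
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def build_pmk_table(ssid: str, passphrases) -> dict:
    """What a genpmk-style precomputation stores: PMK -> passphrase, one SSID."""
    return {derive_pmk(p, ssid): p for p in passphrases}


def table_covers(table: dict, passphrase: str, ssid: str) -> bool:
    """Would this table recover `passphrase` on a network whose SSID is `ssid`?"""
    return derive_pmk(passphrase, ssid) in table


if __name__ == "__main__":
    start = time.perf_counter()
    table = build_pmk_table(SAMPLE_SSID, SAMPLE_DICT)
    per_pmk = (time.perf_counter() - start) / len(SAMPLE_DICT)
    print(f"{len(table)} PMKs for SSID {SAMPLE_SSID!r}, ~{per_pmk * 1000:.1f} ms each")
    # Same passphrase: hit on the SSID the table was built for, miss on any other.
    print("hit on 'cuckoo' :", table_covers(table, "password", "cuckoo"))
    print("hit on 'linksys':", table_covers(table, "password", "linksys"))
```

The 4096-round PBKDF2 cost per candidate is what the 200-second dictionary run above pays at crack time and genpmk pays up front; a non-default SSID means none of that up-front work transfers to your network.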



coWPAtty Precomputed WPA Attack:


Now that we have created our hash file, we can use it against any WPA-PSK network that is using the SSID cuckoo.  Remember that the capture (wpa-test-01.cap) must contain the four-way handshake for this to succeed.



./cowpatty -r wpa-test-01.cap -d hashfile -s cuckoo





wpa-test-01.cap is the capture containing the four-way handshake


hashfile is our precomputed hashes


cuckoo is the network SSID



Notice that cracking the WPA-PSK took 0.21 seconds with the precomputed attack as opposed to 200 seconds in standard dictionary attack mode, although you do need to precompute the hash files prior to the attack.  Precomputing large hash files for common SSIDs (e.g. linksys, tsunami) would therefore be a sensible move for most penetration testers.



coWPAtty Tables:


The Church of Wifi have produced some lookup tables for 1000 SSIDs, computed against a 170,000-word password file.


The resultant tables are approximately 7 Gigabytes [LINK NO LONGER AVAILABLE]



A second set of 33 Gigabyte tables was later produced and is available via:


Or you can buy them via DVD, direct from Renderman (initiator of the project):


   Copyright 2010 All Rights Reserved.