Bugtraq mailing list archives

Offline WPA-PSK auditing tool (coWPAtty)


From: Joshua Wright <jwright () hasborg com>
Date: Mon, 08 Nov 2004 16:35:30 -0500

A while back, Robert Moskowitz published a paper titled "Weakness in Passphrase Choice in WPA Interface" [1] that described a dictionary attack against wireless networks using the TKIP protocol with a pre-shared key (PSK).

Even though the WPA-PSK authentication mechanism was intended to be used solely for consumer networks, I've seen a surprising number of SMB and Enterprise networks that have adopted it, presumably for its ease of use.

Fortunately, offline dictionary attacks are not terribly effective against WPA-PSK networks, due to the IEEE selection of the pbkdf2 algorithm for PSK hashing. For a dictionary attack to be effective, it must take each dictionary word and perform 4096 iterations of HMAC-SHA1 with two nonce values and the supplicant and authenticator MAC addresses. I've optimized the ipad and opad calculations in an attempt to optimize this process, but I'm only able to accommodate approximately 70 words/second on a Pentium 4 3.8 GHz system (5570 bogomips).
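As an added illustration (not code from coWPAtty or from the post), the following Python computes the PBKDF2-HMAC-SHA1 step described above, which maps a passphrase and SSID to the 256-bit PMK using 4096 iterations, with the ipad/opad hash states computed once per passphrase and then copied for every HMAC call. It checks the result against hashlib and against the IEEE 802.11i test vector for passphrase "password" and SSID "IEEE".

```python
import hashlib
import struct

# Parameters fixed by IEEE 802.11i for the passphrase-to-PMK mapping.
ITERATIONS = 4096
PMK_LEN = 32  # 256-bit Pairwise Master Key
SHA1_BLOCK = 64


def pbkdf2_sha1_precomputed(passphrase: bytes, ssid: bytes) -> bytes:
    """PBKDF2-HMAC-SHA1 with the keyed inner/outer SHA1 states reused.

    HMAC(K, m) = SHA1((K ^ opad) || SHA1((K ^ ipad) || m)). Both keyed
    prefixes depend only on the passphrase, so they are absorbed into two
    hash states once and copied for each of the 2 * 4096 HMAC calls,
    saving two SHA1 compressions per call.
    """
    # WPA passphrases are 8..63 ASCII characters, so the key always fits
    # in one SHA1 block and never needs to be pre-hashed.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    key = passphrase.ljust(SHA1_BLOCK, b"\x00")
    inner = hashlib.sha1(bytes(b ^ 0x36 for b in key))
    outer = hashlib.sha1(bytes(b ^ 0x5C for b in key))

    def prf(msg: bytes) -> bytes:
        i = inner.copy()
        i.update(msg)
        o = outer.copy()
        o.update(i.digest())
        return o.digest()

    out = b""
    for block in range(1, 3):  # two 20-byte blocks cover the 32-byte PMK
        u = prf(ssid + struct.pack(">I", block))  # U_1 = PRF(P, S || INT(i))
        t = int.from_bytes(u, "big")
        for _ in range(ITERATIONS - 1):
            u = prf(u)  # U_j = PRF(P, U_{j-1})
            t ^= int.from_bytes(u, "big")  # T_i = U_1 ^ U_2 ^ ... ^ U_c
        out += t.to_bytes(20, "big")
    return out[:PMK_LEN]


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for a WPA-PSK network from its passphrase and SSID."""
    return pbkdf2_sha1_precomputed(passphrase.encode(), ssid.encode())


def reference_pmk(passphrase: str, ssid: str) -> bytes:
    """Same derivation via the standard library, for cross-checking."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), ITERATIONS, PMK_LEN)
```

The per-guess cost is 8192 HMAC evaluations (16384 SHA1 compressions after the ipad/opad precomputation), which is what limits a dictionary run to tens of words per second on the hardware the post describes.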

Max Moser offered to host coWPAtty for me, available at http://www.remote-exploit.org/?page=codes. coWPAtty was written for Linux systems; please let me know if you get it running on other platforms as well. More information is available in the README and FAQ files included in the tarball.

Thanks,

-Josh

[1] http://wifinetnews.com/archives/002452.html
--
-Joshua Wright
jwright () hasborg com
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

Today I stumbled across the world's largest hotspot.  The SSID is "linksys".
