
cowpatty

Brute-force dictionary attack tool for cracking WPA-PSK and WPA2-PSK passphrases using precomputed PMK hash files and packet captures containing 4-way handshakes.

Description

cowpatty is designed for auditing WPA-PSK and WPA2-PSK networks to identify weak passphrases. It performs dictionary attacks by testing passphrases against captured 4-way handshakes to recover the pre-shared key (PSK). The tool requires a libpcap capture file containing the authentication handshake, a dictionary of potential passphrases, and the target network SSID.

The workflow involves two main components: genpmk for precomputing Pairwise Master Keys (PMKs) from a passphrase dictionary and the target SSID, and cowpatty for performing the actual dictionary attack against the captured handshake. This precomputation step significantly speeds up the cracking process by avoiding real-time PMK calculations during the attack.

Use cases include wireless penetration testing and security assessments where identifying weak WPA-PSK or WPA2-PSK passphrases is necessary to evaluate network security posture.

How It Works

cowpatty attacks WPA-PSK authentication through the 4-way handshake. The genpmk tool precomputes a PMK hash file from a passphrase dictionary using PBKDF2-HMAC-SHA1 with 4096 iterations for the given SSID. cowpatty then reads the libpcap capture, extracts the 4-way handshake values (ANonce, SNonce, MIC), and tests each dictionary passphrase by taking its PMK from the precomputed file, deriving the PTK, and checking the result against the captured MIC. A match reveals the PSK.
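The PMK derivation described above uses the SSID as the PBKDF2 salt, so a precomputed table is only valid for the one SSID it was built for. The following added example (not code from cowpatty or genpmk, and not their hash file format) shows this and lets you check whether your own network's passphrase would fall to a given wordlist; the function names and the sample wordlist are constructed for illustration.

```python
import hashlib

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def build_pmk_table(words, ssid):
    """Map PMK -> passphrase for ONE SSID (in-memory illustration only).

    Words that cannot be valid passphrases (too short or too long) are skipped.
    """
    table = {}
    for word in words:
        word = word.strip()
        if 8 <= len(word) <= 63:
            table[derive_pmk(word, ssid)] = word
    return table

def audit_psk(passphrase, ssid, words):
    """Return True if the configured passphrase is recoverable with this wordlist."""
    return derive_pmk(passphrase, ssid) in build_pmk_table(words, ssid)

# Constructed sample wordlist; "short" is below the 8-character minimum.
WORDLIST = ["password", "letmein123", "sunshine2024", "short",
            "correct horse battery staple"]

if __name__ == "__main__":
    table = build_pmk_table(WORDLIST, "securenet")
    print("entries for SSID 'securenet':", len(table))
    # Same passphrase, different SSID: the PMK differs, so the table does not apply.
    other = derive_pmk("sunshine2024", "6F36E6")
    print("table valid for SSID '6F36E6':", other in table)
    # Audit the passphrase you actually deploy against the wordlist.
    print("weak PSK found:", audit_psk("sunshine2024", "securenet", WORDLIST))
    print("long random PSK found:",
          audit_psk("Tr4verse-Quartz-Lantern-91", "securenet", WORDLIST))
```

A passphrase that is absent from common wordlists, combined with an SSID that is not a vendor default, removes the benefit of precomputed tables.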

Installation

sudo apt install cowpatty

Flags

-f  Dictionary file
-d  Hash file (genpmk)
-r  Packet capture file
-s  Network SSID (enclose in quotes if SSID includes spaces)
-c  Check for valid 4-way frames, does not crack
-h  Print this help information and exit
-v  Print verbose information (more -v for more verbosity)
-V  Print program version and exit

Examples

Generate PMK hashfile from nmap wordlist dictionary for ESSID 'securenet', saving to cowpatty_dict file
genpmk -f /usr/share/wordlists/nmap.lst -d cowpatty_dict -s securenet
Crack WPA-PSK password using precomputed hashfile against Kismet pcap capture for ESSID '6F36E6'
cowpatty -d cowpatty_dict -r Kismet-20181113-13-37-00-1.pcapdump -s 6F36E6
Display help information and usage for cowpatty
cowpatty -h
Display help information and usage for genpmk
genpmk -h
Crack WPA-PSK with quoted SSID containing spaces using custom hashfile and pcap
cowpatty -d hashfile -r capture.pcap -s "My Network"
Check pcap file for valid 4-way handshake frames without performing cracking
cowpatty -c -r handshake.pcap
Display cowpatty program version
cowpatty -V
Updated 2026-04-16, kali.org