I have just tested the new BT4 beta and found a bug in coWPAtty 4.3. After capturing wireless packets (with handshake) with MADWIFI drivers, I try to find the key using coWPAtty. coWPAtty returns a segmentation fault error when opening the PCAP file.
I have also tested coWPAtty on different systems (BT3, FC9, FC10) with different libpcap libraries, tcpdump and tshark versions, and coWPAtty still returns the same error. The ath5k driver doesn't solve the problem either.
Does anybody have an idea what causes the problem?
Although this thread has nothing to do with BackTrack, I have just been exchanging emails with Josh on this matter.
First of all you need to be sure you are using the cowpatty in the /pentest/oc directory.
Second of all, here is what Josh told me: when grabbing a handshake the actual password is transmitted from the client to the AP in frames one and two, so if you get those then aircrack will work because it only looks at frames 1 and 2. Cowpatty however uses frame 4 because that's where the AP verifies the password. If you only use frames 1 and 2 then aircrack doesn't know if the password that the client tried to authenticate with is valid or not.
So most likely you have an incomplete 4-way handshake even if it works with aircrack.
If you would like to send me the .cap I'll take a look at it and test it out. I have been doing extensive work in this area lately.
I have checked that the PCAP file contains all 4 packets from the 4-way handshake. Even if no handshake is in the PCAP file, coWPAtty should return an error like 'incomplete 4-way handshake', not a 'segmentation fault' error. I have tested BT4 and coWPAtty with different WPA versions, like WPA1-PSK TKIP and WPA2-PSK AES. In my PCAP files I had a full handshake and no handshake, which doesn't change anything. I have also used different APs.
The strange thing is that PCAPs with handshakes captured on old systems like FC6 or BT2 work on coWPAtty 4.3 from BT4. IMHO something is wrong with the libraries or modules used for capturing wireless data. I have checked different libpcap versions but it doesn't help. I have no idea what causes the problem, but it has to be connected to the data capturing.
BTW I was using all the coWPAtty versions which I could find on BT4.
I know that the problem is more universal than BT4; however, I hope that somebody can help me.
In your opinion, does this lead you to believe that coWPAtty does a better job handling the .cap file in which a 4-way is captured?
As you stated, the same .cap file opened with aircrack-ng and with coWPAtty can give different results (i.e. aircrack-ng sees a 4-way, coWPAtty does not).
Clearly this has big implications in the success of a crack attempt.
You. Are. Doing. It. Wrong.
Well, the way Josh explained it was: if a client authenticated with the wrong password then aircrack would not know, because I guess the confirmation from the AP hasn't happened. So, like, if the password was backtrack but I try to authenticate with windows_rawks! then aircrack would fail but you would really never know. This is the reason Josh said he chose to make cowpatty look at the 4th frame. To be totally honest I'm still researching and trying to fully grasp the subject, but that is the dummy version I was given.
I have just found that disabling all radiotap and prism headers in the MADWIFI driver (echo '801' > /proc/sys/net/ath0/dev_type) solves the "segmentation fault" error. However, in this case coWPAtty doesn't see the handshake which Aircrack-ng does.
I have no idea about the ath5k drivers, which are now more popular.
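Added here as an illustration (my own code, not coWPAtty's, not aircrack-ng's, and not from anyone in the thread): a small Python script that does the two checks this thread keeps circling. It reads a classic pcap, reports the link-layer header type the capture uses (radiotap or prism, which the dev_type 801 setting turns off, versus bare 802.11 frames), strips that header, and lists which of the four EAPOL-Key messages of the 4-way handshake are present, so a capture can be judged complete or incomplete independently of either tool. It assumes a classic pcap rather than pcapng, the standard DLT values 105/119/127, and the usual heuristic of telling message 2 from message 4 by whether the key data field is empty; it does not verify MICs. The sample captures at the bottom are constructed inside the script and are not real traffic.

```python
import struct

# pcap link-layer types (DLT values) seen in 802.11 captures. Switching madwifi to
# dev_type 801 (ARPHRD_IEEE80211), as in the thread, yields DLT 105: bare frames with
# no prism (119) or radiotap (127) monitoring header in front of them.
DLT_IEEE802_11, DLT_PRISM_HEADER, DLT_IEEE802_11_RADIO = 105, 119, 127
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP + EAPOL ethertype
# EAPOL-Key "Key Information" flag bits (802.11i and WPA descriptors)
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9

def parse_pcap(data):
    """Split a classic (non-pcapng) pcap into (link type, list of packet bytes)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    dlt = struct.unpack_from(end + "I", data, 20)[0]
    packets, off = [], 24
    while off + 16 <= len(data):                      # record: ts_sec ts_usec incl_len orig_len
        incl_len = struct.unpack_from(end + "I", data, off + 8)[0]
        packets.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return dlt, packets

def strip_link_header(dlt, pkt):
    """Return the bare 802.11 frame, skipping a radiotap or prism header if present."""
    if dlt == DLT_IEEE802_11:
        return pkt
    if dlt == DLT_IEEE802_11_RADIO and len(pkt) >= 4:
        hdr_len = struct.unpack_from("<H", pkt, 2)[0]   # radiotap: ver, pad, len (LE)
    elif dlt == DLT_PRISM_HEADER and len(pkt) >= 8:
        hdr_len = struct.unpack_from("<I", pkt, 4)[0]   # prism: msgcode, msglen, ...
    else:
        return None
    return pkt[hdr_len:] if hdr_len <= len(pkt) else None

def extract_eapol_key(frame):
    """Return (key_info, key_data_len) if an 802.11 frame carries an EAPOL-Key message."""
    if frame is None or len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2:   # type 2 = data
        return None
    hdr_len = 24 + (6 if frame[1] & 0x3 == 0x3 else 0) + (2 if frame[0] & 0x80 else 0)
    body = frame[hdr_len:]                    # +6 for ToDS+FromDS addr4, +2 for QoS control
    if not body.startswith(LLC_SNAP_EAPOL):
        return None
    eapol = body[8:]                          # version(1) type(1) length(2), then key body
    if len(eapol) < 4 + 95 or eapol[1] != 3:  # type 3 = EAPOL-Key; fixed part is 95 bytes
        return None
    key = eapol[4:]
    return struct.unpack_from(">H", key, 1)[0], struct.unpack_from(">H", key, 93)[0]

def classify_message(key_info, key_data_len):
    """Map EAPOL-Key flags to 4-way handshake message 1..4 (None for group-key frames)."""
    if not key_info & KI_PAIRWISE:
        return None
    ack, mic, install = key_info & KI_ACK, key_info & KI_MIC, key_info & KI_INSTALL
    if ack and not mic:
        return 1                              # AP -> STA: ANonce
    if ack and mic and install:
        return 3                              # AP -> STA: install PTK, GTK in key data
    if not ack and mic:                       # STA -> AP: msg 2 carries the RSN/WPA IE
        return 2 if key_data_len else 4       # in its key data, msg 4 carries nothing
    return None

def handshake_messages(pcap_bytes):
    """Set of handshake message numbers present; {1, 2, 3, 4} means a complete 4-way."""
    dlt, packets = parse_pcap(pcap_bytes)
    parsed = (extract_eapol_key(strip_link_header(dlt, p)) for p in packets)
    return {m for m in (classify_message(*k) for k in parsed if k) if m}

# --- constructed sample captures (synthetic, not real traffic) ---------------------
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")   # made-up MACs

def eapol_key_frame(from_ap, key_info, key_data=b""):
    """Build a minimal 802.11 data frame carrying an EAPOL-Key message (nonce/MIC zeroed)."""
    fc = b"\x08\x02" if from_ap else b"\x08\x01"                 # data frame, FromDS / ToDS
    addrs = STA + AP + AP if from_ap else AP + STA + AP
    key = b"\x02" + struct.pack(">HH", key_info, 16) + bytes(88) + struct.pack(">H", len(key_data)) + key_data
    return fc + b"\x00\x00" + addrs + b"\x10\x00" + LLC_SNAP_EAPOL + b"\x02\x03" + struct.pack(">H", len(key)) + key

def pcap_file(dlt, frames, link_hdr=b""):
    """Wrap frames in a little-endian classic pcap, prefixing each with link_hdr."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, dlt)
    for f in frames:
        pkt = link_hdr + f
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

RSN_IE_STUB = b"\x30\x02\x01\x00"                      # stand-in for the RSN IE in msg 2/3
BEACON = b"\x80\x00" + bytes(34)                        # management frame: must be ignored
MSGS = [eapol_key_frame(True, KI_PAIRWISE | KI_ACK),
        eapol_key_frame(False, KI_PAIRWISE | KI_MIC, RSN_IE_STUB),
        eapol_key_frame(True, KI_PAIRWISE | KI_INSTALL | KI_ACK | KI_MIC | KI_SECURE, RSN_IE_STUB),
        eapol_key_frame(False, KI_PAIRWISE | KI_MIC | KI_SECURE)]
RADIOTAP_HDR = b"\x00\x00\x08\x00\x00\x00\x00\x00"     # version 0, length 8, no fields present
PRISM_HDR = struct.pack("<II", 0x41, 144) + bytes(136)  # msgcode, msglen=144, padded to 144
SAMPLE_RADIOTAP = pcap_file(DLT_IEEE802_11_RADIO, [BEACON] + MSGS, RADIOTAP_HDR)
SAMPLE_PRISM = pcap_file(DLT_PRISM_HEADER, MSGS, PRISM_HDR)
SAMPLE_RAW_PARTIAL = pcap_file(DLT_IEEE802_11, MSGS[:2])   # only msgs 1 and 2, as in the thread

if __name__ == "__main__":
    for name, cap in (("radiotap", SAMPLE_RADIOTAP), ("prism", SAMPLE_PRISM), ("raw, partial", SAMPLE_RAW_PARTIAL)):
        found = handshake_messages(cap)
        print(f"{name} (DLT {parse_pcap(cap)[0]}): messages {sorted(found)} -> {'complete' if found == {1, 2, 3, 4} else 'incomplete'}")
```

To run it against a real capture, pass `open(path, "rb").read()` to `handshake_messages` instead of one of the SAMPLE_ constants; the DLT it prints tells you whether the file has the radiotap or prism header that a tool must skip before it reaches the 802.11 frame, and a result short of {1, 2, 3, 4} tells you the exchange is incomplete before any cracker is involved.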