Offline WPA-PSK auditing tool (coWPAtty)

A while back, Robert Moskowitz published a paper titled "Weakness in Passphrase Choice in WPA Interface" [1] that described a dictionary attack against wireless networks using the TKIP protocol with a pre-shared key (PSK).

Even though the WPA-PSK authentication mechanism was intended to be used solely for consumer networks, I've seen a surprising number of SMB and Enterprise networks that have adopted it, presumably for its ease of use.

Fortunately, offline dictionary attacks are not terribly effective against WPA-PSK networks, due to the IEEE selection of the PBKDF2 algorithm for PSK hashing. For a dictionary attack to be effective, it must take each dictionary word and perform 4096 iterations of HMAC-SHA1 with two nonce values and the supplicant and authenticator MAC addresses. I've optimized the ipad and opad calculations in an attempt to speed up this process, but I'm only able to accommodate approximately 70 words/second on a Pentium 4 3.8 GHz system (5570 bogomips).

Max Moser offered to host coWPAtty for me, available at http://www.remote-exploit.org/?page=codes. coWPAtty was written for Linux systems; please let me know if you get it running on other platforms as well. More information is available in the README and FAQ files included in the tarball.

Thanks,

-Josh

[1] http://wifinetnews.com/archives/002452.html
--
-Joshua Wright
jwright@xxxxxxxxxxx
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

Today I stumbled across the world's largest hotspot. The SSID is "linksys".
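As an added illustration of the PBKDF2 cost the post describes (this is not Josh's code and not taken from coWPAtty), the following derives the 256-bit WPA-PSK PMK with the ipad/opad states precomputed once per passphrase and copied for each of the 4096 iterations, checks the result against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE"), and measures how many passphrases per second one core gets through. The SSID is the PBKDF2 salt, so the same passphrase yields a different PMK on every SSID; the `measure_rate` function and the word list it times are constructed for this example.

```python
import hashlib
import time

SHA1_BLOCK = 64  # HMAC-SHA1 block size in bytes

def pbkdf2_sha1_wpa(passphrase: str, ssid: str, iterations: int = 4096) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    The inner (key ^ ipad) and outer (key ^ opad) SHA-1 states are hashed once
    and then copied for each iteration, so every HMAC costs two SHA-1
    compressions instead of four; this is the ipad/opad optimisation the post
    refers to, and it is why the cost per guess cannot drop below ~8192 SHA-1
    compressions (two PBKDF2 output blocks of 4096 HMACs each).
    """
    key = passphrase.encode()
    if len(key) > SHA1_BLOCK:          # not reachable for 8-63 char WPA passphrases
        key = hashlib.sha1(key).digest()
    key = key.ljust(SHA1_BLOCK, b"\x00")
    inner = hashlib.sha1(bytes(b ^ 0x36 for b in key))
    outer = hashlib.sha1(bytes(b ^ 0x5C for b in key))

    def prf(data: bytes) -> bytes:     # HMAC-SHA1 using the precomputed states
        h = inner.copy(); h.update(data)
        o = outer.copy(); o.update(h.digest())
        return o.digest()

    out = b""
    block = 1
    while len(out) < 32:               # 32 bytes needs two 20-byte SHA-1 blocks
        u = prf(ssid.encode() + block.to_bytes(4, "big"))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(20, "big")
        block += 1
    return out[:32]

def pmk_stdlib(passphrase: str, ssid: str) -> bytes:
    """Reference derivation via the standard library, for cross-checking."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def measure_rate(ssid: str, n: int = 20) -> float:
    """Passphrases per second for this pure-Python derivation (constructed word list)."""
    words = [f"passphrase{i:04d}" for i in range(n)]
    start = time.perf_counter()
    for w in words:
        pbkdf2_sha1_wpa(w, ssid)
    return n / (time.perf_counter() - start)
```

Run `measure_rate("IEEE")` to compare your own machine against the ~70 words/second figure above; a pure-Python loop will be slower than coWPAtty's C implementation, but the 4096-iteration floor is the same.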
