Tuesday, May 20, 2014

Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux

http://www.blackmoreops.com/2014/03/10/cracking-wifi-wpawpa2-passwords-using-pyrit-cowpatty

There are just too many guides on cracking Wifi WPA/WPA2 passwords using different methods. Everyone has their own take on it. Personally, I think there’s no right or wrong way of pentesting a Wireless Access Point. The following way is my way, and I found it extremely efficient and fast during my tests for cracking Wifi WPA/WPA2 passwords using pyrit and cowpatty in Kali Linux, where I ran a dictionary attack using either CUDA or CAL++ (calpp) and at the same time used WiFite to fast track a few things. This whole process was done in Kali Linux and it took me less than 10 minutes to crack a Wifi WPA/WPA2 password using the pyrit, cowpatty and WiFite combination on my laptop running an AMD ATI 7500HD graphics card.
You can make the following process faster like I did. Depending on whether you have an NVIDIA or an AMD ATI graphics card, you’ll have to follow these guides below:

NVIDIA Users:

  1. Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver
  2. Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda

AMD Users:

  1. Install AMD ATI proprietary fglrx driver in Kali Linux 1.0.6
  2. Install AMD APP SDK in Kali Linux
  3. Install Pyrit in Kali Linux
  4. Install CAL++ in Kali Linux

Readers who would like to try alternate ways of cracking Wifi WPA/WPA2 passwords can use Hashcat, cudaHashcat or oclHashcat to crack unknown Wifi WPA/WPA2 passwords. The benefit of using Hashcat is that you can create your own rule to match a pattern and do a brute-force attack. This is an alternative to a dictionary attack: a dictionary can contain only a certain number of words, but a brute-force attack lets you test every possible combination of the given charsets. Hashcat can crack Wifi WPA/WPA2 passwords, and you can also use it to crack MD5, phpBB, MySQL and SHA1 passwords. Using Hashcat is a good option because if you can guess 1 or 2 characters of a password, it only takes a few minutes. For example: if you know 3 characters of a password, it takes 12 minutes to crack it. If you know 4 characters, it takes 3 minutes. You can make rules to only try letters and numbers to crack a completely unknown password if you know that a certain router’s default password contains only those. The chances of cracking are a lot higher this way.

Important Note: Many users try to capture with network cards that are not supported. You should purchase a card that supports Kali Linux including injection and monitor mode etc. A list can be found in 802.11 Recommended USB Wireless Cards for Kali Linux. It is very important that you have a supported card, otherwise you’ll be just wasting time and effort on something that just won’t do the job.

Capture handshake with WiFite

Why WiFite instead of the other guides that use Aircrack-ng? Because it’s faster and we don’t have to type in commands.
Type in the following command in your Kali Linux terminal:
wifite -wpa
You could also type in
wifite wpa2
If you want to see everything (wep, wpa or wpa2), just type the following command. It doesn’t make any difference except for a few more minutes.
wifite
Once you type it in, the following is what you’ll see.
(Screenshot: Wifite scan output)
So, we can see a bunch of Access Points (AP in short). Always try to go for the ones with CLIENTS because it’s just much faster. You can choose all or pick by numbers. See screenshot below:
(Screenshot: Wifite target selection screen)
Awesome, we’ve got a few with clients attached. I will pick 1 and 2 because they have the best signal strength. Try picking the ones with good signal strength. If you pick one with poor signal, you might be waiting a LONG time before you capture anything, if anything at all.
So I’ve picked 1 and 2. Press Enter to let WiFite do its magic.
(Screenshot: WiFite choice)
Once you press ENTER, the following is what you will see. I got impatient as the number 1 choice wasn’t doing anything for a LONG time, so I pressed CTRL+C to quit out of it.
This is actually a great feature of WiFite. It now asks me:
What do you want to do?
  1. [c]ontinue attacking targets
  2. [e]xit completely.
I can type in c to continue or e to exit. This is the feature I was talking about. I typed c to continue. What it does is skip choice 1 and start attacking choice 2. This is a great feature because not all routers, APs or targets will respond to an attack in the same way. You could of course wait and eventually get a response, but if you’re just after ANY AP, it saves time.
(Screenshot: WiFite continue prompt)
And voila, it took only a few seconds to capture a handshake. This AP had lots of clients and I managed to capture a handshake.
This handshake was saved in the /root/hs/BigPond_58-98-35-E9-2B-8D.cap file.
Once the capture is complete and there are no more APs to attack, Wifite will just quit and you get your prompt back.
(Screenshot: WiFite captured handshake)
Now that we have a capture file with a handshake in it, we can do a few things:
  1. We can Dictionary attack it.
  2. We can BruteForce attack it.
    1. Amongst BruteForce, we can use crunch
    2. We can use oclhashcat.
In this guide, I will show the dictionary attack, as almost 20% (that’s 1 in every 5) of APs will have a standard dictionary password. In later chapters of this guide, I will show brute forcing.

Dictionary attack .cap capture file to crack Wifi password
To do a Dictionary attack, we need to grab a dictionary file.
Kali Linux provides some dictionary files as part of its standard installation. How sweet. Thanks Kali Linux Dev team.
Let’s copy one of the best dictionary files to the root directory.
cp /usr/share/wordlists/rockyou.txt.gz .
Unzip it.
gunzip rockyou.txt.gz
Because the WPA2 minimum password requirement is 8 characters, let’s parse this file to filter out any passwords that are shorter than 8 characters or longer than 63 characters. (Well, you could just skip this step, but it is completely up to you.) We are saving the result under the name newrockyou.txt.
cat rockyou.txt | sort | uniq | pw-inspector -m 8 -M 63 > newrockyou.txt
Let’s see how many passwords this file contains:
wc -l newrockyou.txt
That’s a whopping 9606665 passwords.
The original file contained even more:
wc -l rockyou.txt
That’s 14344392 passwords. So we made this file shorter, which means we can test more APs in less time.
Finally, let’s rename this file to wpa.lst.
mv newrockyou.txt wpa.lst

(Screenshot: getting the dictionary file and cleaning it)

Create ESSID in Pyrit Database

Now we need to create the ESSID in the Pyrit database.
pyrit -e BigPond create_essid
NOTE: If you have an AP that has a space in its name, for example “NetComm Wireless”, then your command will become like this:
pyrit -e 'NetComm Wireless' create_essid
I know a lot of people struggle with this issue :)
(Screenshot: pyrit create_essid)
Awesome, now we have our ESSID added to the Pyrit database.

Import Dictionary in Pyrit

Now that we have our ESSID added to the Pyrit database, let’s go and import our password dictionary.
Use the following command to import the previously created password dictionary wpa.lst into the Pyrit database.
pyrit -i /root/cudacapture/wpa.lst import_passwords
(Screenshot: pyrit import_passwords)

Create tables in Pyrit using batch process

We now need to run a batch process to create the tables.
This is simple, just issue the following command:
pyrit batch
(Screenshot: pyrit creating tables with batch)
Because I’m on a laptop with a crappy AMD 7500 graphics card, I’m getting only 15019 PMKs per second (that includes my CAL++). If you have a more powerful graphics card and managed to install either CUDA for NVIDIA cards or CAL++ for AMD cards, your speed will be a lot higher.
Oh, and I just took this awesome screenshot while Pyrit was doing the batch processing. Check out my CPU usage, it’s hitting absolutely 100%.
(Screenshot: pyrit at 100 percent CPU usage)
Also check out the temperature of my cores:
(Screenshot: high CPU temperature during pyrit batch)
You should be careful how big your dictionary file is and how HOT your CPU and Graphics card is burning. Use extra cooling if you can to avoid damage.
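To make clearer what the batch step is actually computing (and why it costs so many CPU/GPU cycles), here is an added Python example. It is my own code, not code from the blackMORE Ops post or from pyrit; the function names wpa_pmk, valid_wpa_candidates, batch_pmks and hmac_ops_per_candidate are my own, and the candidate list is constructed for the demo. A WPA/WPA2 PMK is PBKDF2-HMAC-SHA1 over the passphrase, salted with the ESSID, 4096 rounds, 32 bytes out (IEEE 802.11i), which is what pyrit stores per ESSID. The ESSID salt is the reason a table built for "BigPond" is useless against any other network name, and the 8192 HMAC operations per candidate are why a long random passphrase puts the dictionary step out of reach.

```python
"""Added example: what pyrit's `batch` precomputes for an ESSID.

Not from the original post. Uses the IEEE 802.11i Annex test vector
(passphrase "password", SSID "IEEE") as a self-check.
"""
import hashlib
import time
from typing import Dict, Iterable, List

PBKDF2_ROUNDS = 4096   # fixed by IEEE 802.11i
PMK_LEN = 32           # bytes; SHA-1 gives 20, so PBKDF2 needs two blocks
SHA1_BLOCKS = (PMK_LEN + 19) // 20


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), essid.encode("utf-8"),
        PBKDF2_ROUNDS, PMK_LEN,
    )


def hmac_ops_per_candidate() -> int:
    """HMAC-SHA1 invocations needed for one PMK: 2 output blocks x 4096 rounds."""
    return SHA1_BLOCKS * PBKDF2_ROUNDS


def valid_wpa_candidates(words: Iterable[str]) -> List[str]:
    """Equivalent of `sort | uniq | pw-inspector -m 8 -M 63` (ordering aside):
    drop duplicates and anything outside the 8..63 character passphrase range
    that WPA/WPA2-PSK allows, so no cycles are wasted on impossible guesses."""
    seen = set()
    kept = []
    for word in words:
        word = word.rstrip("\r\n")
        if 8 <= len(word) <= 63 and word not in seen:
            seen.add(word)
            kept.append(word)
    return kept


def batch_pmks(candidates: Iterable[str], essid: str) -> Dict[str, bytes]:
    """Build the per-ESSID table pyrit's batch step produces: candidate -> PMK."""
    return {cand: wpa_pmk(cand, essid) for cand in candidates}


def main() -> None:
    # Constructed sample wordlist (not rockyou.txt): mixes too-short, duplicate
    # and valid entries so the filter has something to do.
    raw = ["short", "password", "password\n", "letmein1", "x" * 64, "BigPond2014"]
    cands = valid_wpa_candidates(raw)
    print("candidates after filtering:", cands)

    start = time.perf_counter()
    table_a = batch_pmks(cands, "BigPond")
    elapsed = time.perf_counter() - start
    print(f"{len(cands)} PMKs in {elapsed:.3f}s "
          f"({len(cands) / elapsed:.0f} PMK/s on plain Python, "
          f"{hmac_ops_per_candidate()} HMAC-SHA1 each)")

    # Same passphrases, different ESSID: every PMK differs, so the table
    # cannot be reused against a network with a unique name.
    table_b = batch_pmks(cands, "BigPond-guest")
    for cand in cands:
        assert table_a[cand] != table_b[cand]
    print("all PMKs differ between ESSIDs: True")

    print("802.11i vector:", wpa_pmk("password", "IEEE").hex())


if __name__ == "__main__":
    main()
```

The printed PMK/s figure from pure Python is orders of magnitude below pyrit's GPU numbers, but the operation count per guess is the same; that count, not the tool, is what an 8+ character random passphrase and a non-default ESSID turn against the attacker.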

Cracking Process

We can crack using a few different processes.
  1. Using Pyrit
  2. Using Cowpatty

Attack a handshake with PMKs from the db using Pyrit

Simple. Just use the following command to start the cracking process.
pyrit -r hs/BigPond_58-98-35-E9-2B-8D.cap attack_db

(Screenshot: pyrit attack_db)

That’s it. It will take a few minutes to go through the whole database table to get the password, if it existed in the dictionary. As you can see, the speed was 159159186.00 PMKs per second and it took less than 1 second to crack it. This is by far the fastest. I also had to blank out much of the screenshot.
Note: I tried it from a different workstation with an NVIDIA GTX460 graphics card with CUDA and Cpyrit-CUDA installed. Obviously, this was much faster than my laptop. But either way, this is super fast.

Attack a handshake with passwords from a file or Dictionary using Pyrit

If you don’t want to create a database and would rather crunch through the dictionary file directly (much slower), the following is what you can do:
pyrit -r hs/BigPond_58-98-35-E9-2B-8D.cap -i /root/wpa.lst attack_passthrough
Speed this way? 7807 PMKs per second. Much too slow for my taste.


Crack using Cowpatty

To crack using cowpatty, you need to export in cowpatty format and then start the cracking process.

Export to cowpatty

I hope that up to this point everything went as planned and worked out. From Pyrit, we can push our output to either cowpatty or airolib-ng. All my tests show that cowpatty is a lot faster, so I’ll stick with that.
So let’s make our cowpatty file. This is again simple; issue the following command to export your output to cowpatty.
pyrit -e BigPond -o cow.out export_cowpatty
(Screenshot: pyrit export_cowpatty)

Let it rip: Crack WPA WPA2 PSK password using cowpatty

Now that we have our cowpatty output, let’s try to crack the WPA2/PSK passphrase. Issue the following command to start the cracking process.
cowpatty -d cow.out -s BigPond -r hs/BigPond_58-98-35-E9-2B-8D.cap
(Screenshot: cracking the WPA/WPA2 PSK with cowpatty)
Once you type it in, you’ll see a bunch of passwords being tried against your capture file. This will keep going until the end of the file. Once a matching password is found in the dictionary file, the cracking process will stop with an output containing the password.
(Screenshot: cowpatty found the WPA/WPA2 PSK)
And bingo, it found a matching password. Look at the number of passphrases tried per second:
164823.00 passphrases/second.
NOTE: cowpatty will fail if your password/dictionary file is larger than 2GB. You’ll have to stick to airolib-ng even though that’s slower.

Attack a handshake with PMKs from a cowpatty-file using Pyrit

Here’s another way using Pyrit. You can use the cow.out file in Pyrit next time:
pyrit -r hs/BigPond_58-98-35-E9-2B-8D.cap -i /root/cow.out attack_cowpatty
Speed this way? 31683811 PMKs per second. Much slower than using the Pyrit attack_db process, but at least you don’t have to batch process this way.

Cleanup Pyrit and database

Lastly, if you feel like it, you can delete your ESSID and clean up.
pyrit -e BigPond delete_essid
(Screenshot: cleaning up pyrit and the database)

Conclusion

Thanks for reading. This process is not always possible, and sometimes cracking Wifi WPA/WPA2 passwords using Reaver-WPS is much easier. You might want to check that out too.
If this guide helped you to achieve what you wanted, please share this article with friends.
Update: 13/03/2014: I just realized I forgot to credit purehate for his ORIGINAL post in BackTrack forum. Without his guide, much of this wouldn’t be possible.
Follow us on Facebook/Twitter.
Last but not least, I’ll cover my back…
Disclaimer: This guide is for training and educational purposes only. Ensure you have permission before you attack an access point, as it is a felony in many countries. I take no responsibility for the use of the instructions contained in this guide.