Last updated Mar. 8, 2018
If you are following the series from the very beginning you must be familiar with the Handshake we captured and used it with a Wordlist to crack the WPA2-PSK. As there is a tremendous possibility for WPA2 passphrases as they can be AlphaNumeric including special characters that too with 8-63 characters long. There is practically no limit to the wordlist we could create, They can reach Even PetaBytes in size which will take time till next Big Bang for the CPU/GPU to crack the correct passphrase, if it is a strong one.
So, we need to discover various ways to crack the WPA2-PSK within a short span of time. Which is possible if we somehow get the PSK via router panel, keylogger or use a GPU instead of CPU to use it’s multiple cores to boost cracking speed, or something even different.
That is what we will learn in this chapter. We will boost the WPA2 cracking speed without using any GPU or Cloud. Which can be very useful with the AP’s with very common name like “Airtel“, “MTNL“, “Belkin” etc.
[YB]This article is an excerpt from my WiFi Penetration testing and Security eBook in which I talk about hacking WiFi enabled devices with rogue access points, war driving, custom captive portals and splash page, multiple access points from a single NIC and much more. Click here to download the sample copy[/YB]
WPA2 cracking is dependent on SSID and passphrase that means that if there are 2 access points with different SSID but same Passphrase, there PMK will be completely different.
What is PMK ?
The 256 Bit value derived by the PBKDF2 function using the SSID, Passphrase(PSK) as the differentiating factors used for authenticating between the AP and the Client. It will look like this:
These are 32 HexaDecimal values, every HexaDecimal values takes 8 bit, so 32*8 = 256 Bit, which is th PMK i.e 256-Bit key
We can also cross check this without cracking the key with aircrack-ng.
By using wpa_passphrase command that comes pre-installed on almost every *nix distribution.
Open terminal and type:
- wpa_passphrase <SSID> <Passphrase>
wpa_passphrase rootsh3ll iamrootsh3ll
We need to insert SSID along with Passphrase because as told earlier WPA2-PSK is SSID dependent, it changes completely with a slight change in SSID. Now,
Here’s the output, compare the highlighted value with the value of Master Key above:
Yes, it’s exactly the same. So here is the confirmation that PMK we calculated and the PMK aircrack-ng calculated for a specific SSID and Passphrase is the same. Now we will see how to boost the speed.
Content of this chapter will go like this:
- CoWPAtty from Source code
- Pyrit from Source code
- Generate PMKs:
- Using GenPMK, Included in CoWPAtty (Single-threaded)
- Using Pyrit (Multi-threaded)
- Cracking PSK(Pre-Shared Key):
- With PMKs [ CoWPAtty vs. Aircrack-ng ]
- [ EXTRA! ] Pyrit + CoWPAtty Stdin
What is CoWPAtty ?
CoWPAtty is a free command line tool that automates the dictionary attack for WPA-PSK. It runs on Linux. It is an implementation of an offline dictionary attack against WPA/WPA2 networks using PSK-based authentication. CoWPAtty take 2 types of input to crack WPA-PSK i.e
- Standard Wordlist
- Pre-generated PMKs or Hash
CoWPAtty comes pre-installed in Kali Linux.
CoWPAtty can be downloaded from www.willhackforsushi.com.
What is Pyrit ?
Pyrit is a tool written in Python that allows you to create massive databases, pre-compute the WPA2-PSK to save time. This technique is called space-time-tradeoff. Pyrit supports both CPU and GPU. for using GPU you need to install supported graphics driver.
Pyrit comes pre-installed in Kali Linux. Pyrit can be downloaded from https://github.com/JPaulMora/Pyrit
What is space-time-tradeoff ?
If you remember in one of the previous chapters we cracked the WPA2 passphrase using aircrack-ng by passing it a wordlist, which supposedly contained the actual passphrase. Which is not likely to be possible with most of the times as wordlist have no limit, passphrase can be in any dictionary we have chosen or cannot be in the dictionary, we as a penetration tester just don’t know and also the cracking speed for the WPA2-PSK is very low so we need to speed up the process some how. This is where space-time tradeoff comes into picture.
What we actually do is we pre-compute the PMK(Pairwise Master Key) with corresponding SSID and store it on a hard drive and we can use it at anytime with the Cap file for the same SSID, as WPA2-PSK is SSID and Password sensitive. As we have pre-computed the PMKs and stored on our hard drive, it is just like a lookup for the system into the table which doesn’t take much time and cracking speed are very high, saving us a lot of time.
Only condition is there must be a Pre-computed file with same SSID and different passphrases picked from a wordlist. Although even this doesn’t guarantee cracking the PSK but cracking speed is significantly higher than any CPU or GPU, that we will see in this tutorial.
Installing CoWPAtty from Source code
Open terminal and type:
cd ~/Desktop wget http://www.willhackforsushi.com/code/cowpatty/4.6/cowpatty-4.6.tgz # Download Source code tar zxfv cowpatty-4.6.tgz # Extracting Compressed tar.gunzip File cd cowpatty-4.6/ # Change directory make # Compile Source code to Executable Binaries sudo cp cowpatty /usr/bin # Copy CoWPAtty Executable to /usr/bin/ folder to run as command
Installing Pyrit from Source code
Open terminal and type:
wget https://pyrit.googlecode.com/files/pyrit-0.4.0.tar.gz # Download Source code tar xvzf pyrit-0.4.0.tar.gz # Extracting Compressed tar.gunzip File cd pyrit-0.4.0 # Point to Extracted directory python setup.py build # Build setup sudo python setup.py install # Installing Pyrit
Generate PMKs Using GenPMK
GenPMK is a tool which installs along with cowpatty as a substitute for generating the hash file(PMKs) and allowing coWPAtty to crack WPA2-PSK at higher speeds.
Let’s see how to create PMKs using GenPMK.
Open terminal and type:
- genpmk -f “wordlist” -d “output_filename” -s “SSID”
genpmk -f "length08.txt" -d "GENPMK_rootsh3ll" -s "rootsh3ll"
Now you should a similar output
NOTE: GENPMK_rootsh3ll didn’t exist, so genpmk created a new file. In case the file already exists, the hashes will be appended to the existing file.
Now wait for genpmk to finish creating PMKs. and it will show you the average speed (Passphrases/sec) at which it generated PMKs. Mine was
20000 passphrases tested in 54.94 seconds: 363.99 passphrases/second
As I have told already, GenPMK is a singlethreaded program. Here you can see that while running GenPMK only one core was used to 100%
Now let’s move on to Creating PMKs using Pyrit.
Generate PMKs Using Pyrit
Open terminal and type:
- pyrit -o “Output_filename” -i “Wordlist” -e “SSID” passthrough
pyrit -o "PYRIT_rootsh3ll" -i "length08.txt" -e "rootsh3ll" passthrough
If you notice, options required are still the same we have just changed the output filename with a prefix “PYRIT” to distinguish the PMKs generated using Pyrit and GenPMK.
passthrough is an option in pyrit used to create the PMKs from the passphrase taken from the dictionary at a moment. Speed is comparitively high from GenPMK. Notice and compare the speed in the image below.
See the difference,
363.99 vs. 2089. why ? because GenPMK is a single threaded program whereas Pyrit is a tool that utilizes full power of the CPU i.e either 4 cores or 8 cores, pyrit will get the maximum power. Which is what makes it better option to chose for generating PMKs over GenPMK.
See the CPU usage while Pyrit was generating PMKs:
Now let’s begin the PSK cracking.
Crack WPA2-Pre Shared Key [ CoWPAtty vs. Aircrack-ng ]
It would be better if we first check the aircrack-ng’s cracking speed on this system and then notice a boost in speed using CoWPAtty.
Cracking WPA2-PSK with Aircrack-ng
- 4-way EAPoL Handshake (Pcap file)
- Wordlist (8-63 character length)
In this example I have kept real password at the end of the file and checked the maximum speed aircrack-ng reached while cracking the PSK.
Go to Desktop, where Pcap file and wordlists are located. Open terminal and Simply type
- aircrack-ng -w <wordlist> <Pcap file>
aircrack-ng -w length08.txt rootsh3ll-01.cap
Notice the speed:
1708.09 Keys/sec, that’s what aircrack-ng reached at max on my system(i5, 2.5 GHz).
Now we will use the pre computed PMKs with CoWPAtty and see the difference in speed
NOTE: There is no GPU involved in generation of PMKs or cracking of Key at any step.
Open terminal and type:
- cowpatty -d <Hash File> -r <Pcap file> -s <SSID>
cowpatty -d PYRIT_rootsh3ll -r rootsh3ll-01.cap -s rootsh3ll
You can also use GENPMK_rootsh3ll, both are same. I am using PYRIT_rootsh3ll because it contains more passphrases(PMKs) due to the higher calculation speed of Pyrit.
See the difference, same system, same RAM, no GPU included and almost 12,676% of boost in speed.
Aircrack-ng: 1708 Passphrases/second
Cowpatty with pre-generated PMK: 216521 Passphrases/second
This has been possible just because we had pre-computed Keys and what coWPAtty had to do is just loopup the hash file, No calculations involved.
We have already learned in the one of the starting chapters of the series that the most crucial part of the WPA2-PSK cracking is the PBKDF2 function which goes like this:
PBKDF2(Passphrase, SSID, ssidLen, 4096, 256)
PBKDF2 stands for Password Based Key Derivation Function which uses a Passphrase and an SSID, length of SSID(9 for ‘rootsh3ll’) iterates 4096 times for each passphrase, hashing with SHA1 algorithm and come out with a 256-bit key that is called the PMK.
One passwords takes 4096 CPU Iterations to come out with the 256-bit PSK. Imagine a wordlist containing 1 million passphrases. How many CPU cycles will it take for that wordlist to process and generate the PMKs ? 4,096,000,000 that’s 4 billion iterations for 1 million words. Even 1 million words are nothing Dictionary sizes go way beyon GigaBytes, or TeraBytes.
This is why we get very less cracking speeds as compared to MD5, SHA1 Hash cracking.
[ EXTRA! ] Pyrit + CoWPAtty Stdin
Now, We have learned to separately create PMKs and using it with coWPAtty to boost the cracking speeds. Here is one method, which doesn’t improves the speed compared to aircrack-ng but is very interesting to learn and see the working of the commands as well as the terminal, since this series is for beginners this thing is a worthwhile.
Here what we are going to do is
- We will pass a dictionary(8-63 Char length) to pyrit and tell it to generate the PMKs and
- We will not write the output to a file rather passing it to CoWPAtty.
- CoWPAtty will recieve PMKs as a stdin(standard input) and
- cracking will begin
You can see this as a sophisticated version of cracking with aircrack-ng as in aircrack-ng we just pass the cap file and dictionary. This will be quite long and deep in terms of understanding.
Here is the command:
pyrit -i length08.txt -e rootsh3ll -o - passthrough | cowpatty -d - -r rootsh3ll-01.cap -s rootsh3ll
Yes, this might seem very confusing if you are a beginner in the Linux world. You need to understand the command. Let’s break it to make it simple and easy to understand.
‘|’ : Pipeline operator
This is a Linux shell’s operator used to pipe one commands output to another(right hand side) i.e after the operator.
What we did is we passed the output of the pyrit command to the coWPAtty in realtime and coWPAtty is executing at the same time and trying to crack the passphrase.
If you notice, you would see that Before and After Pipeline both are the same commands we used above with just one difference.
We neither used any output filename with Pyrit(PYRIT_rootsh3ll previously), Nor input file for Cowpatty with -d option that is for hash file(see coWPAtty help menu).
So what did we do ?
We used another Linux Shell’s feature to store the input in the STDIN(STaNdard INput) and recieve it at the same time from STDIN. This is done by using ‘-‘ operator. This operator works as STDIN when we have to direct some output to/from a file. i.e writing to Hash file with pyrit and taking input from Hash file with CoWPAtty.
So, if you notice we replaced both the filenames with ‘-‘ that simply means Pyrit will write the calculated PMKs to Standard Input and the output will be passed using ‘|’ operator to the coWPAtty command. Now at the very same moment at which coWPAtty starts reveiving the Input from the STDIN, as told to ‘-d’ option, CoWPAtty will take the calculated PMKs from the STDIN and start cracking the PSK. If PMK matched the passphrase will be found, else try other dictionaries and keep going.
This is what it will look like when executed:
Speed is almost similar to what aircrack-ng was calculating at because PMKs are being calculated at realtime and being passed to coWPAtty. CPU is being consumed!
Hope you got a better insight of what happens while cracking and speeding up the whole process.
There is one thing I would like you to have a look at: Airolib-ng to speed up Cracking process
Do some research and testing and let me know what were your results in speed or what problems you faced during the above tutorial or Airolib-ng.
There is a lot more interesting stuff coming in next tutorials. so Stay Tuned!
Thanks for being till the very end of this tutorial!
See you at next part of Chapter 5!
High Gain Antenna:
USB Drive (32 GB):