Pyrit is one of the fastest WPA crackers available. The nice thing about it is that it supports OpenCL, CUDA, and CPUs with SSE2 acceleration. Unfortunately even an extremely fast system can only achieve about 100k keys/sec, which makes brute forcing a WPA key pretty pointless for full character set passwords longer than five characters. This means the only effective method is a dictionary based attack. Personally I'm all for having a lot of dictionary files, but there comes a point when even a massive dictionary collection can't crack those hard to recover WPA keys. This is where Hashcat comes in: release 0.35 includes an option to output mangled words to standard out. Since Pyrit supports wordlists on stdin we can simply pipe Hashcat's output into Pyrit. To get started we need to create an uncrackable hash file with only a single hash, so that Hashcat constantly outputs the plaintext.
# echo ffffffffffffffff > nofind.hash
We set the Hashcat mode to -m 200 (mysql) because it is one of the fastest modes and can use a smaller number of threads. As an example, you can see what happens when you don't pipe Hashcat's output into Pyrit:
# ./hashcat-cli64.bin -m 200 -r rules/best64.rule --debug-mode=3 nofind.hash dictionary.dic
Ctrl+C to stop
Something to consider is that every rule you use with Hashcat adds one more full copy of your dictionary to the candidate list. So a dictionary of 1000 words with 64 rules expands to 64,000 candidates. If your dictionary normally takes 20 minutes to complete, with 64 rules it would take nearly 21 hours. Hashcat 0.35 includes a rule file called best64.rule located in the rules folder. Since best64.rule is sorted by the top finding rules, you could make a new rule file with fewer rules.
# head -n 10 best64.rule > best10.rule
Now to put it all together:
# ./hashcat-cli64.bin -m 200 -n 2 -r rules/best10.rule --debug-mode=3 nofind.hash dictionary.dic | pyrit -r wpa_test.cap -i - attack_passthrough
If you've done everything correctly you should see something like:
Pyrit 0.3.1-dev (svn r283) (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Parsing file ' /wpa_test.cap' (1/1)...
Parsed 5 packets (5 802.11-packets), got 1 AP(s)
Picked AccessPoint 00:0d:ea:d0:01:00 (‘test’) automatically.
Tried 3840192 PMKs so far; 106871 PMKs per second.
If all goes well you will see this:
The password is 'Passw0rd'.
For the switches used in Hashcat v0.35: -m 200 sets the mode to mysql; -n 2 sets it to use only 2 threads instead of the default 8, so that more threads are devoted to cracking WPA keys; -r sets the rule file; and finally --debug-mode=3 is what actually outputs the mangled words to stdout.
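As an added example (not code from the original post, nor from the Pyrit or Hashcat projects), the Python script below derives a WPA PMK the way Pyrit does for every candidate it tests, and turns the post's figures (the rule multiplier from the best64.rule paragraph and the "106871 PMKs per second" line above) into a work estimate for planning an audit. The SSID, passphrase and dictionary sizes are constructed sample values.

```python
import hashlib

# WPA/WPA2-PSK derives the Pairwise Master Key with PBKDF2-HMAC-SHA1,
# 4096 rounds, 256-bit output, with the SSID as the salt. That iteration
# count is why even a fast rig tops out around 100k PMKs per second.
PBKDF2_ROUNDS = 4096
PMK_LEN = 32

# Constructed sample values: the SSID and passphrase echo the post's output,
# the rate is the "106871 PMKs per second" figure Pyrit printed above.
SAMPLE_SSID = "test"
SAMPLE_PASSPHRASE = "Passw0rd"
SAMPLE_PMK_RATE = 106871


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK that Pyrit computes and compares for each candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def candidate_count(dictionary_words: int, rules: int) -> int:
    """Each hashcat rule emits one mangled word per dictionary entry, so the
    stream piped into Pyrit is words * rules long (1000 x 64 = 64,000)."""
    return dictionary_words * rules


def estimated_seconds(dictionary_words: int, rules: int, pmk_rate: float) -> float:
    """Wall-clock time to exhaust the candidate stream at a given PMK rate."""
    return candidate_count(dictionary_words, rules) / pmk_rate


def main() -> None:
    pmk = wpa_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    print(f"PMK for {SAMPLE_PASSPHRASE!r} on SSID {SAMPLE_SSID!r}: {pmk.hex()}")
    for words, rules in ((1000, 64), (1000, 10), (10_000_000, 64)):
        hours = estimated_seconds(words, rules, SAMPLE_PMK_RATE) / 3600
        print(f"{words:>10} words x {rules:>2} rules = "
              f"{candidate_count(words, rules):>12} PMKs -> "
              f"{hours:8.2f} h at {SAMPLE_PMK_RATE} PMK/s")


if __name__ == "__main__":
    main()
```

The estimate is a lower bound: Pyrit also spends time on the PTK/MIC check per PMK, and Hashcat's own rule processing must keep up with the pipe.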
Hashcat can be downloaded at hashcat.net
Original article: http://ob-security.info/?p=18