PYRIT(1)
NAME
pyrit - A GPGPU-driven WPA/WPA2-PSK key cracker
SYNOPSIS
pyrit [options] command
DESCRIPTION
Pyrit exploits the computational power of many-core- and GPGPU-platforms to create massive databases, pre-computing part of the
WPA/WPA2-PSK authentication phase in a space-time tradeoff. It is a
powerful attack against one of the world's most used security-protocols.
This document tries to describe and explain all functions the commandline-client pyrit provides. One or more options may be given on the
commandline to customize a command. The exact behaviour of options
depends on the command.
At the time of this writing, cowpatty is not available in Debian. References to cowpatty and its commands are nevertheless preserved for the
sake of completeness.
OPTIONS
Pyrit recognizes the following options:
- -b BSSID
- Specifies a BSSID. Can be used to restrict commands to certain Access-Points.
- -e ESSID
- Specifies the ESSID. Commands usually refer to all ESSIDs in the database when this option is omitted.
- -i infile
- Specifies a filename to read from; the special filename '-' can be used for stdin. The file may be gzip-compressed in which case its name must end in .gz for transparent decompression.
- -o outfile
- Specifies a filename to write to; the special filename '-' can be used for stdout. Filenames that end in .gz cause pyrit to gzip-compress the file on the fly.
- -r capfile
- Specifies a packet-capture file in pcap format (possibly gzipcompressed).
- -u URL Specifies the URL of the storage-device in the form of
driver://username:password@host:port/database- Pyrit can use the filesystem, a remote Pyrit-Relay-Server and, if the package python-sqlalchemy is installed, SQL-Databases as storage. The driver file:// refers to Pyrit's own filesystembased storage, http:// connects to a Pyrit-Relay-Server and all other URLs are passed directly to python-sqlalchemy, if available. The default storage-URL can also be specified by the key defaultstorage in pyrit's configuration file (see FILES below).
COMMANDS
- analyze
- Parse one or more packet-capture files (in pcap-format, possibly
gzip-compressed) given by the option -r and try to detect
Access-Points, Stations and EAPOL-handshakes. For example:
pyrit -r "test*.pcap" analyze - The suffix 'handshake found' is appended to the Station's BSSID if the communication between the Access-Point and the Station seems to include a valid EAPOL-handshake.
- attack_batch
- Attack an EAPOL-handshake found in the packet-capture file(s)
given by the option -r using the Pairwise Master Keys and passwords stored in the database. The options -b and -e can be used
to specify the Access-Point to attack; it is picked automatically if both options are omitted. The password is written to
the filename given by the option -o if specified. For example:
pyrit -r test.pcap -e MyNetwork -b 00:de:ad:c0:de:00 \-o MyNetworkPassword.txt attack_batch - Pairwise Master Keys that have been computed and stored in the database previously are taken from there; all other passwords are translated into their respective Pairwise Master Keys and added to the database for later re-use. ESSIDs are created automatically in the database if necessary.
- attack_cowpatty
- Attack an EAPOL-handshake found in the packet-capture file(s)
given by the option -r using Pairwise Master Keys from a cowpatty-like file (e.g. generated by ``genpmk'' from cowpatty, or
export_cowpatty below) given by the option -f. The options -b
and -e can be used to specify the Access-Point to attack; it is
picked automatically if both options are omitted. The password
is written to the filename given by the option -o if specified.
The cowpatty-file may be gzip-compressed and must match the chosen ESSID. For example:
pyrit -r test.pcap -e MyOwnNetwork \-i MyOwnNetwork.cow.gz -o - attack_cowpatty - Pyrit's own database is not touched by attack_cowpatty.
- attack_db
- Attack an EAPOL-handshake found in the packet-capture file(s)
given by the option -r using the Pairwise Master Keys stored in
the database. The options -b and -e can be used to specify the
Access-Point to attack; it is picked automatically if both
options are omitted. The password is written to the filename
given by the option -o if specified. For example:
pyrit -r test.pcap -e MyOtherNetwork attack_db - Only Pairwise Master Keys that have been computed previously and are stored in the database are used by attack_db.
- attack_passthrough
- Attack an EAPOL-handshake found in the packet-capture file given
by the option -r using the passwords read from the file given by
the option -i. The options -b and -e can be used to specify the
Access-Point to attack; it is picked automatically if both
options are omitted. The password is written to the filename
given by the option -o if specified. For example:
pyrit -r test.pcap -b 00:de:ad:be:ef:00 \-i words.txt attack_passthrough - This command circumvents Pyrit's database and should only be used if storage-space is a problem (e.g. on LiveCDs). You should consider using attack_batch otherwise.
- batch
- Start to translate all passwords in the database into their
respective PMKs and store the results in the database. The
option -e may be used to restrict this command to a single
ESSID; if it is omitted, all ESSIDs are processed one after the
other in undefined order. For example:
pyrit -e NETGEAR batch - The option -o can be used to specify a filename the results
should additionally be written to in cowpatty's binary format.
The option -e becomes mandatory and the ESSID is automatically
created in the database if necessary. Pairwise Master Keys that
previously have been computed and stored in the database are
exported from there without further processing. Pyrit stops and
exits if an IOError is raised while writing to the specified
file but signals success on exit. This makes it very convenient
to pipe results directly to other programs but also keep them
for later use. For example:
pyrit -e NETGEAR -o - batch | \cowpatty -d - -r wpatestcapture.cap -s NETGEAR - benchmark
- Determine the peak-performance of the available hardware by computing dummy-results. For example:
pyrit benchmark - create_essid
- Add the ESSID given by -e to the database. Re-creating an existing ESSID does not result in an error. For example:
pyrit -e NETGEAR create_essid - delete_essid
- Delete the ESSID given by -e from the database. This includes
all results that may have been stored for that particular ESSID.
For example:
pyrit -e NETGEAR delete_essid - eval
- Count all available passwords, all ESSIDs and their respective
results in the database. For example:
pyrit eval - export_passwords
- Write all passwords that are currently stored in the database to
a new file given by -o. Passwords are terminated by a single
newline-character ("\n"). Existing files are overwritten without
confirmation. For example:
pyrit -o myword.txt.gz export_passwords - export_cowpatty
- Write all results for the ESSID given by -e to the file given by
-o in cowpatty's binary format. Existing files are overwritten
without confirmation. For example:
pyrit -o NETGEAR.cow -e NETGEAR export_cowpatty - export_hashdb
- Write all results currently stored in the database to the
airolib-ng-database given by -o. The database is created with a
default table layout if the file does not yet exist. The option
-e can be used to limit the export to a single ESSID. For example:
pyrit -o NETGEAR.db -e NETGEAR export_hashdb - import_passwords
- Read the file given by -i and import one password per line to
the database. The passwords may contain all characters (including NULL-bytes) apart from the terminating newline-character
("\n"). Passwords that are not suitable for being used with
WPA-/WPA2-PSK are ignored. Pyrit's storage-implementation guarantees that all passwords remain unique throughout the entire
database. For example:
pyrit -i dirty_words.txt import_passwords - import_unique_passwords
- Read the file given by -i and import one password per line to
the database. The passwords may contain all characters (including NULL-bytes) apart from the terminating newline-character
("\n"). Passwords that are not suitable for being used with
WPA-/WPA2-PSK are ignored. This command does not check if there
are duplicating passwords within the file or between the file
and the database; it should be used with caution to prevent the
database from getting poisoned with duplicated passwords. This
command however can be much faster than import_passwords. For
example:
pyrit -i dirty_words.txt import_unique_passwords - list_cores
- Show a list of all available hardware modules Pyrit currently
uses. For example:
pyrit list_cores - list_essids
- Show a list of all ESSIDs currently stored in the database. This
function is faster than eval in case you don't need to know the
number of computed results. For example:
pyrit list_essids - passthrough
- Read passwords from the file given by -i and compute their PMKs
for the ESSID given by -e. The results are written to the file
specified by -o in cowpatty's binary format and are not stored
in the database for later use. This command therefor circumvents
the entire database and should only be used if storage-space is
a problem (e.g. when using Pyrit on a LiveCD). The batch-command
provides exactly the same functionality as passthrough but can
give much better performance as results may be read from the
database instead of recomputing them. For example:
pyrit -i dirty_words.txt.gz -e NETGEAR \-o - passthrough | cowpatty -d - \
-r wpatestcapture.cap -s NETGEAR - relay
- Start a server to relay another storage device via XML-RPC;
other Pyrit-clients can use the server as storage-device. This allows to have network-based access to storage source that don't provide network-access on their own (like file:// and sqlite://) or hide a SQL-database behind a firewall and let multiple clients access that database only via Pyrit's RPC-interface. The TCP-port 17934 must be open for this function to work. For example, on the server (where the database is):
pyrit -u sqlite://var/local/pyrit.db relay - and the client (where the big GPU is):
pyrit -u http://192.168.0.100:17934 batch - selftest
- Run an extensive selftest for about 60 seconds. This test
includes the entire scheduling-mechanism and all cores that are
listed by list_cores. You can use this function to detect broken
hardware-modules or malicious network-clients. For example:
pyrit selftest - serve
- Start a server that provides access to the local computing hardware to help other Pyrit clients. The server's IP-address should
be added to the client's configuration file (see FILES) as a
space-separated list under known_clients. The client's
rpc_server-setting must also be set to 'true'. The TCP- and UDPPort 17935 must be accessible. For example, on the server (where
the GPU is):
pyrit serve - and on the client (the server's IP-address has been added to
known_clients and rpc_server is set to 'true'):
pyrit -r test.pcap -b 00:de:ad:be:ef:00 \-i words.txt attack_passthrough - strip
- Parse one or more packet-capture files given by the option -r,
extract only packets that are necessary for EAPOL-handshake
detection and write a new dump to the filename given by the
option -o. The options -e and -b can be used to filter certain
Access-Points. For example:
pyrit -r "large_dumps_*.pcap" -e MyNetwork \-o tiny_compressed_dump_MyNetwork.dump.gz strip - stripLive
- Parse a packet-capture file given by the option -r, extract only
packets that are necessary for EAPOL-handshake detection and
write a new dump to the file given by the option -o. This command differs from strip as the capture-file can be any character
device including sockets and other pseudo-files that look like
files in pcap-format. stripLive writes relevant packets to the
new file given by -o as they arrive instead of trying to read
the entire capture-file first.
pyrit -r /temp/kismet_dump -o small_dump.pcap stripLive - verify
- Randomly pick 10% of the results stored in the database and verify their value by recomputation. You need this function if you
suspect broken hardware or malicious network-clients. For example:
pyrit -e NETGEAR verify
EXIT STATUS
If command succeeds, pyrit's process exit status is set to 0; otherwise
it is set to 1 and (usually) an error message or a python-traceback is
written to stderr.
FILES
- ~/.pyrit/config
- The pyrit configuration file. You can find a documented example in /usr/share/doc/pyrit/examples/config.example.
NOTES
The author does not encourage or support using pyrit for the infringement of peoples' communication-privacy. The exploration and realization
of the technology discussed here motivate as a purpose of their own;
this is documented by the open development, strictly sourcecode-based
distribution and 'copyleft'-licensing.
AUTHOR
pyrit was written by Lukas Lueg <lukas.lueg@gmail.com>.
- This manual page was written by Christian Kastner <debian@kvr.at> for
the Debian project (but may be used by others).