Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux

There are just too many guides on Cracking Wifi WPA/WPA2 passwords using different methods. Everyone has their own take on it. Personally, I think there’s no right or wrong way of pentesting a Wireless Access Point. Following way is my way and I found it extremely efficient and fast during my tests for Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux where I attacked with Dictionary using either cuda or calpp (cal++) and at the same time I used WiFite to fast track a few things. This whole process was used in Kali Linux and it took me less than 10 minutes to crack a Wifi WPA/WPA2 password using pyrit cowpatty WiFite combination using my laptop running a AMD ATI 7500HD Graphics card.

Readers, those who would like to try alternate ways of cracking Wifi WPA WPA2 passwords, use HashCat or cudaHashcat or oclHashcat to crack your unknown Wifi WPA WPA2 passwords. The benefit of using Hashcat is, you can create your own rule to match a pattern and do a Brute-force attack. This is an alternative to using dictionary attack where dictionary can contain only certain amount of words but a brute-force attack will allow you to test every possible combinations of given charsets. Hashcat can crack Wifi WPA/WPA2 passwords and you can also use it to crack MD5, phpBB, MySQL and SHA1 passwords. Using Hashcat is an good option as if you can guess 1 or 2 characters in a password, it only takes few minutes. For example: if you know 3 characters in a password, it takes 12 minutes to crack it. If you know 4 characters in a password, it takes 3 minutes. You can make rules to only try letters and numbers to crack a completely unknown password if you know a certain Router’s default password contains only those. Possibilities of cracking is a lot higher in this way.

Capture handshake with WiFite

Why WiFite instead of other guides that uses Aircrack-ng? Because it’s faster and we don’t have to type in commands..

Type in the following command in your Kali Linux terminal:

wifite –wpa

You could also type in

wifite wpa2

If you want to see everything, (wep, wpa or wpa2, just type the following command. It doesn’t make any differences except few more minutes

wifite

Once you type in following is what you’ll see.

So, we can see bunch of Access Points (AP in short).  Always try to go for the ones with CLIENTS because it’s just much faster. You can choose all or pick by numbers. See screenshot below:

Awesome, we’ve got few with clients attached. I will pick 1 and 2 cause they have the best signal strength. Try picking the ones with good signal strength. If you pick one with poor signal, you might be waiting a LONG time before you capture anything .. if anything at all.

So I’ve picked 1 and 2. Press Enter to let WiFite do it’s magic.

Once you press ENTER, following is what you will see. I got impatient as the number 1 choice wasn’t doing anything for a LONG time. So I pressed CTRL+C to quit out of it.

This is actually a great feature of WIfite. It now asks me,

What do you want to do?

1. [c]ontinue attacking targets
2. [e]xit completely.

I can type in c to continue or e to exit. This is the feature I was talking about. I typed c to continue. What it does, it skips choice 1 and starts attacking choice 2. This is a great feature cause not all routers or AP’s or targets will respond to an attack the similar way. You could of course wait and eventually get a respond, but if you’re just after ANY AP’s, it just saves time.

And voila, took it only few seconds to capture a handshake. This AP had lots of clients and I managed to capture a handshake.

This handshake was saved in /root/hs/BigPond_58-98-35-E9-2B-8D.cap file.

Once the capture is complete and there’s no more AP’s to attack, Wifite will just quit and you get your prompt back.

Now that we have a capture file with handshake on it, we can do a few things:

1. We can Dictionary attack it.
2. We can BruteForce attack it.
   1. Amongst BruteForce, we can use crunch
   2. We can use oclhashcat.

In this guide, I will show Dictionary attack as almost 20% (that’s 1 in every  5) AP’s will have a standard dictionary password. In later chapters of this guide, I will show Brute Forcing.

Dictionary attack .cap capture file to crack Wifi password

To do a Dictionary attack, we need to grab a dictionary file.

Kali Linux provides some dictionary files as part of its standard installation. How sweet. Thanks Kali Linux Dev team.

Let’s copy one of best dictionary file to root directory.

cp /usr/share/wordlists/rockyou.txt.gz .

Unzip it.

gunzip rockyou.txt.gz

Because WPA2 minimum password requirement is 8 characters, let’s parse this file to filter out any passwords that is less than 8 characters and more than 63 characters. (well, you could just leave this line, but it is completely up to you). So we are saving this file as newrockyou.txt name.

cat rockyou.txt | sort | uniq | pw-inspector -m 8 -M 63 > newrockyou.txt

Let’s see how many passwords this file contains:

wc -l newrockyou.txt

That’s a whopping 9606665 passwords.

Original file contained even more..

wc -l rockyou.txt

That’s 14344392 passwords. So we made this file shorter which means we can test more AP’s in less time.

Finally, lets rename this file to wpa.lst.

mv newrockyou.txt wpa.lst

Create ESSID in Pyrit Database

Now we need to create ESSID in Pyrit Database.

pyrit –e BigPond create_essid

NOTE: If you have an AP that’s got Space it in, example: “NetComm Wireless” then your command will become like this:

pyrit -e 'NetComm Wireless' create_essid

I know a lot of the people struggles with this issue 

Awesome, now we have our ESSID added to Pyrit Database.

Import Dictionary in Pyrit

Now that we have our ESSID added to Pyrit database, lets go an import our Password Dictionary.

Use the following command to import previously created password dictionary wpa.lst to Pyrit Database.

pyrit -i /root/cudacapture/wpa.lst import_passwords

Create tables in Pyrit using batch process

We now need to batch process to create tables.

This is simple, just issue the following command

pyrit batch

Because I’m on a laptop with a crappy AMD 7500 graphics card, I’m getting only 15019 PMKs per second (that includes my CAL++). If you got a more powerful Graphics card and managed to install either CUDA for NVIDIA Graphics card or CAL++ for AMD Cards, your speed will be a lot more.

Oh, and I just took this awesome screenshot while Pyrit was doing the batch processing. Check out my CPU usage, it’s hitting absolutely 100%.

Also check out my temperature of my cores:

You should be careful how big your dictionary file is and how HOT your CPU and Graphics card is burning. Use extra cooling if you can to avoid damage.

Cracking Process

We can crack using few different process.

1. Using Pyrit
2. Using Cowpatty

Attack a handshake with PMKs from the db using Pyrit

Simple. Just use the following command to start the cracking process.

pyrit -r hs/BigPond_58-98-35-E9-2B-8D.cap attack_db

That’s it. It will take few minutes to go through the whole Database Table to get the password if it existed in the Dictionary. As you can see,159159186.00 PMK's per second was the speed and it took less than 1 second to crack it. This is by far the fastest. I also had to blank out much of the screenshot.

Note: I tried it from a different workstation with a NVIDIA GTX460 Graphics card with CUDA and Cpyrit-CUDA installed. Obviously, this was much faster than my Laptop. But either way, this is super fast.

Attack a handshake with passwords from a file or Dictionary using Pyrit

If you don’t want to create Datbase and crunch through Dictionary file directly (much slower), following is what you can do:

pyrit -r hs/BigPond_58-98-35-E9-2B-8D.cap -i /root/wpa.lst attack_passthrough

Speed this way? 7807 PMKs per second. Much slower for my taste.

Crack using Cowpatty

To crack using cowpatty, you need to export in cowpatty format and then start the cracking process.

Export to cowpatty

I hope up to this point, everything went as planned and worked out. From Pyrit, we can push our output to either cowpatty or airolib-ng. All my tests shows that cowpatty is a lot more faster, so I’ll stick with that.

So let’s make our cowpatty file. This is again simple, issue the following command to export your output to cowpatty.

pyrit -e BigPond -o cow.out export_cowpatty

Let it rip: Crack WPA WPA2 PSK password using cowpatty

Now that we have our cowpatty output, let’s try to crack WPA2/PSK passphrase. Issue the following command to start the cracking process.

cowpatty -d cow.out -s BigPond -r hs/BigPond_58-98-35-E9-2B-8D.cap

Once you type it in, you’ll a bunch of passwords being tried against your hash file. This will keep going until the end of the file. Once a matching password is found in the dictionary file, the cracking process will stop with an output containing the password.

And bingo, it found a matching password. Look at the number of passwords tried in a secods

164823.00 passphrases/second.

NOTE: cowpatty will fail if your password/dictionary file is larger than 2GB. You’ll have to stick to airolib-ng even though that’s slower.

Attack a handshake with PMKs from a cowpatty-file using Pyrit

Here’s another way using Pyrit…

You can use cow.out file in Pyrit next time

pyrit -r hs/BigPond_58-98-35-E9-2B-8D.cap -i /root/cow.out attack_cowpatty

Speed this way? 31683811 PMKs per second. Much slower than using Pyrit attack_db process. But at least you don’t have to batch process this way.

Cleanup Pyrit and database

Lastly, if you feel like, you can delete your essid and cleanup.

pyrit BigPond delete_essid

Conclusion

Thanks for reading. This process is not always possible and sometimes cracking Wifi WPA/WPA2 passwords using Reaver-WPS is much easier. You might want to check that too.

If this guide helped you to achieve what you wanted, please share this article with friends.

Update: 13/03/2014: I just realized I forgot to credit purehate for his ORIGINAL post in BackTrack forum. Without his guide, much of this wouldn’t be possible.

Follow us on Facebook/Twitter.

Last but not the least, I’ll cover up my back …

Disclaimer: This guide is for training and educational purposes only. Ensure you have permission before you attack an access point as it is a felony in many countries. I take no responsibility of the usage of these instructions containing in this guide.