namtrac35 / pyrit

Automatically exported from code.google.com/p/pyrit
0 stars 0 forks source link

Enhancement: Alternative iterator #348

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Sometimes the format of the WPA key is known and should be easily crackable by 
brute force on a few GPUs.  E.g. 8 characters from the set [a-z] or 10 digits 
[0-9].  To crack those I have to write a script to generate all possible 
values, and pipe to pyrit -i - -r ... attack_passthrough.  This means 
generating keys, reading from a pipe, enqueing, dequeing, etc of a very simple 
series, and this is CPU bound.  The GPUs are mostly idle while the CPU is busy 
with this simple task.  (At least on my Athlon X2 with 1 x HD5970 + 2 x HD6990.)

I suggest an alternate iterator which eliminates most of the steps by just 
taking the format as input and iterate through all possible values.  E.g. 
[a-z]{8}, [0-9]{10} or [A-z][0-9]{6}[a-z].  This could even partly be done by 
the GPUs, so the gpu_inbuffer could be replaced with a series of starting point 
and a number of increments to try for each starting point.  E.g. [aaaaaaaa 26] 
[aaaaaaba 26] ...  This enhancement will make brute force cracking of short WPA 
keys a real possibility with several fast GPUs.

Original issue reported on code.google.com by stur...@gmail.com on 6 Sep 2011 at 8:55

GoogleCodeExporter commented 9 years ago
I suggest a hard-drive upgrade to something in the Tera-byte range. This way, 
you could build a structure of .gz files encompassing all possible values in 
your desired range and have pyrit act upon them in succession. The -i switch in 
pyrit allows .gz filetypes, and you could wrap the pyrit commands around a few 
lines of simple bash script to move from one to the next.

You'd at least move from being CPU bound to something a bit faster, like being 
I/O bound, but it may increase your total throughput. You've got a pretty nice 
machine with a couple 6990's and a 5970 ... are you pushing 130K plus PMK's per 
second?

Original comment by cpmitc...@gmail.com on 6 Sep 2011 at 6:17

GoogleCodeExporter commented 9 years ago
can you show me the script or how to write a script to do E.g. 8 characters 
from the set [a-z] or 10 digits [0-9] and save them to a txt file please

Original comment by mannydia...@gmail.com on 9 Sep 2011 at 4:33

GoogleCodeExporter commented 9 years ago
Here a slow and stupid way to generate list of password. 

A. copy this text into a file named create.sh

for n0 in 0 1 2 3 4 5 6 7 8 9; do
 for n1 in 0 1 2 3 4 5 6 7 8 9; do
  for n2 in 0 1 2 3 4 5 6 7 8 9; do
   for n3 in 0 1 2 3 4 5 6 7 8 9; do
    for n4 in 0 1 2 3 4 5 6 7 8 9; do
     for n5 in 0 1 2 3 4 5 6 7 8 9; do
      for n6 in 0 1 2 3 4 5 6 7 8 9; do
       for n7 in 0 1 2 3 4 5 6 7 8 9; do
        echo $n0$n1$n2$n3$n4$n5$n6$n7;
       done;
      done;
     done;
    done;
   done;
  done;
 done;
done;

B. make the script runnable with: chmod +x create.sh
C. run the scrit as follow: ./script.sh > list.txt

wait... wait... wait....

now the file list.txt contains all the passwords from 00000000 to 99999999.

It is enough you modify the script to obtain all the password you wish.

Cheers.

Original comment by pyrit.lo...@gmail.com on 9 Sep 2011 at 1:15

GoogleCodeExporter commented 9 years ago
@pyrit.lover - That's a good option, but the output file would be enormous.

I've been using crunch with very good results. The crunch command comes 
packaged in past and current BackTrack distros.

Example:
crunch 8 8 0123456789 -t @@@@@@@@ -o all8.txt

Above command specifies output to be minimum 8 and maximum 8 in length, with -t 
switch and @ pattern to be populated with numbers 0-9 inclusive, the -o is the 
output switch, writing to file all8.txt

I suggest splitting into reasonable file sizes with the split command. Example:
split -l 10000000 all8.txt

So now you will find 10 files containing 10 million lines each, which is 
reasonable, ready for your pyrit commands to act upon.

Cheers

Original comment by cpmitc...@gmail.com on 9 Sep 2011 at 5:16

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
thank you guys for the info

Original comment by mannydia...@gmail.com on 11 Sep 2011 at 4:38

GoogleCodeExporter commented 9 years ago
Sorry for replying late..

Against a database (batch), I get maximum about 15 kPMK/s, and the
number og GPUs I'm using doesn't matter much.  The GPU utilization is
seldom more than 30%, and cracking WPA with pyrit will not make the
GPU temperature rise.  When taking input from a script, I can get
above 50 kPMK/s, and GPU utilization is a bit higher.  CPU utilization
from pyrit is 100% or more when taking input from a script via a pipe.
E.g.: perl -e {foreach (0..999999999) {printf "%09d\n"}' | pyrit -i -
-r wpa.cap

The last iterator is so simple, it wouldn't take many cycles on a GPU.
 Instead I run into a CPU bottleneck with this or a general I/O
bottleneck with a database.  May passwords are of the form
"password123", and those could be tested as well with a better
iterator, without actually putting password000..password999 in the
wordlist.  It would not take much longer time because the work is
offloaded to the GPU, and otherwise the work would be I/O bound.

By running two of the above script, my PMK rate almost doubles as both
scripts use one CPU core each and utilize the GPUs better.  Better
multithreading may improve performance as well on computers with more
CPU cores than GPUs.

Original comment by stur...@gmail.com on 26 Oct 2011 at 9:33