Introduction to pyrit

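Pyrit lets you create massive databases of the pre-computed WPA/WPA2-PSK authentication phase, a space-time tradeoff. By using the computing power of multi-core CPUs and of other platforms through ATI-Stream, Nvidia CUDA and OpenCL, it is currently by far the most powerful attack against one of the world's most used security protocols.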

Author: John Mora, Lukas Lueg
License: GPL-3+ with OpenSSL exception

Tool source: tool homepage
Kali pyrit Repo

pyrit: a GPU-driven WPA/WPA2-PSK key cracker

root@kali:~# pyrit -h
Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+

Usage: pyrit [options] command

Recognized options:
  -b               : Filters AccessPoint by BSSID
  -e               : Filters AccessPoint by ESSID
  -h               : Print help for a certain command
  -i               : Filename for input ('-' is stdin)
  -o               : Filename for output ('-' is stdout)
  -r               : Packet capture source in pcap-format
  -u               : URL of the storage-system to use
  --all-handshakes : Use all handshakes instead of the best one
  --aes            : Use AES

Recognized commands:
  analyze                 : Analyze a packet-capture file
  attack_batch            : Attack a handshake with PMKs/passwords from the db
  attack_cowpatty         : Attack a handshake with PMKs from a cowpatty-file
  attack_db               : Attack a handshake with PMKs from the db
  attack_passthrough      : Attack a handshake with passwords from a file
  batch                   : Batchprocess the database
  benchmark               : Determine performance of available cores
  benchmark_long          : Longer and more accurate version of benchmark (5 minutes)
  check_db                : Check the database for errors
  create_essid            : Create a new ESSID
  delete_essid            : Delete a ESSID from the database
  eval                    : Count the available passwords and matching results
  export_cowpatty         : Export results to a new cowpatty file
  export_hashdb           : Export results to an airolib database
  export_passwords        : Export passwords to a file
  help                    : Print general help
  import_passwords        : Import passwords from a file-like source
  import_unique_passwords : Import unique passwords from a file-like source
  list_cores              : List available cores
  list_essids             : List all ESSIDs but don't count matching results
  passthrough             : Compute PMKs and write results to a file
  relay                   : Relay a storage-url via RPC
  selftest                : Test hardware to ensure it computes correct results
  serve                   : Serve local hardware to other Pyrit clients
  strip                   : Strip packet-capture files to the relevant packets
  stripLive               : Capture relevant packets from a live capture-source
  verify                  : Verify 10% of the results by recomputation

pyrit usage examples

Run the benchmark command to display the cracking speed of the system.

root@kali:~# pyrit benchmark
Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+

Running benchmark (1353.0 PMKs/s)... /

Computed 1352.97 PMKs/s total.
#1: 'CPU-Core (SSE2/AES)': 464.7 PMKs/s (RTT 2.9)
#2: 'CPU-Core (SSE2/AES)': 91.4 PMKs/s (RTT 10.3)
#3: 'CPU-Core (SSE2/AES)': 742.3 PMKs/s (RTT 2.5)
#4: 'CPU-Core (SSE2/AES)': 498.4 PMKs/s (RTT 3.6)

Read the capture file (/usr/share/doc/aircrack-ng/examples/wpa2.eapol.cap) and analyze it.

root@kali:~# pyrit -r /usr/share/doc/aircrack-ng/examples/wpa2.eapol.cap analyze
Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+

Parsing file '/usr/share/doc/aircrack-ng/examples/wpa2.eapol.cap' (1/1)...
Parsed 5 packets (5 802.11-packets), got 1 AP(s)

#1: AccessPoint 00:14:6c:7e:40:80 ('Harkonen'):
  #1: Station 00:13:46:fe:32:0c, 1 handshake(s):
    #1: HMAC_SHA1_AES, good, spread 1

Create an ESSID (create_essid) with the name (-e Harkonen) found in the analysis above.

root@kali:~# pyrit -e Harkonen create_essid
Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'file://'...  connected.
Created ESSID 'Harkonen'

Read the password file (-i /usr/share/wordlists/metasploit/password.lst) and import the passwords into the database (import_passwords).

root@kali:~# pyrit -i /usr/share/wordlists/metasploit/password.lst import_passwords
Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'file://'...  connected.
88396 lines read. Flushing buffers....
All done.

Compute the PMKs from the ESSID and the passwords (batch).

root@kali:~# pyrit batch
Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'file://'...  connected.
Working on ESSID 'Harkonen'
Processed all workunits for ESSID 'Harkonen'; 1756 PMKs per second.

Batchprocessing done.

Read the capture file (-r /usr/share/doc/aircrack-ng/examples/wpa2.eapol.cap) and attempt to crack the password (attack_db).

root@kali:~# pyrit -r /usr/share/doc/aircrack-ng/examples/wpa2.eapol.cap attack_db
Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'file://'...  connected.
Parsing file '/usr/share/doc/aircrack-ng/examples/wpa2.eapol.cap' (1/1)...
Parsed 5 packets (5 802.11-packets), got 1 AP(s)

Picked AccessPoint 00:14:6c:7e:40:80 ('Harkonen') automatically.
Attacking handshake with Station 00:13:46:fe:32:0c...
Tried 15877 PMKs so far (33.2%); 9788764 PMKs per second.

The password is '12345678'.
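
Why the database is built per ESSID, and what the batch rate means for passphrase choice: an added example, not part of the original page and not Pyrit's own code. It uses the standard WPA/WPA2-PSK derivation (PBKDF2-HMAC-SHA1 salted with the ESSID); the function names, the sample wordlist and the second ESSID 'Harkonen-5G' are constructed for illustration.

```python
import hashlib

def pmk(passphrase: str, essid: str) -> bytes:
    # WPA/WPA2-PSK PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def build_table(essid, passwords):
    # What a precomputed database holds for one ESSID: PMK -> passphrase.
    # WPA passphrases are 8..63 characters; other lengths can never match.
    return {pmk(p, essid): p for p in passwords if 8 <= len(p) <= 63}

def lookup(table, essid, passphrase):
    # Returns the passphrase if the table covers a network with this
    # ESSID and passphrase, otherwise None.
    return table.get(pmk(passphrase, essid))

def seconds_to_exhaust(alphabet_size, length, pmks_per_second):
    # Time needed to compute one PMK for every passphrase of this shape.
    return alphabet_size ** length / pmks_per_second

# Constructed sample wordlist (not the Metasploit list used on the page).
WORDLIST = ["12345678", "password", "letmein", "correct horse battery"]
TABLE = build_table("Harkonen", WORDLIST)
BATCH_RATE = 1756  # PMKs per second, the batch figure shown above

if __name__ == "__main__":
    # "letmein" is only 7 characters, so it is never stored.
    print("entries:", len(TABLE))
    # Same passphrase, same ESSID: the precomputed entry matches.
    print("Harkonen:", lookup(TABLE, "Harkonen", "12345678"))
    # Same passphrase, different ESSID: the salt differs, so no entry matches.
    print("Harkonen-5G:", lookup(TABLE, "Harkonen-5G", "12345678"))
    # An 8-digit numeric passphrase versus 12 random characters from a-z0-9.
    print("8 digits, hours:", seconds_to_exhaust(10, 8, BATCH_RATE) / 3600)
    print("12 of a-z0-9, years:",
          seconds_to_exhaust(36, 12, BATCH_RATE) / (365 * 24 * 3600))
```

Because the ESSID is the salt, a table computed for a common ESSID is reusable against every network with that name; a unique ESSID combined with a long random passphrase removes both the precomputation benefit and the feasibility of an exhaustive search.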