This document will guide you through your first steps with Pyrit. Before continuing,
you should have Pyrit installed and working. See the Installation-Wiki for details.
You will also need to have Scapy installed, which should come with your distribution or
may be installed from source. Pyrit can use SQLAlchemy to access various kinds of
SQL-databases and you'll need to have it installed if you want to try that feature as
explained below.
You should also take a look at the manual when new commands get introduced below;
more information and details about the features a command provides are given there.
Throughout this tutorial we will refer to files and examples that are distributed together
with Pyrit's source-code. Therefore the first step is to get yourself a copy of the
source-code tarball, unpack it and switch to the /test-directory:
wget http://pyrit.googlecode.com/files/pyrit-0.3.0.tar.gz
tar xvzf pyrit-0.3.0.tar.gz
cd pyrit-0.3.0/test
You should find three files within this directory that will be of interest for us:
Pyrit should answer with output very similar to the following:
Pyrit 0.3.0 (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Parsing file 'wpapsk-linksys.dump.gz' (1/1)...
587 packets (587 802.11-packets), 1 APs
#1: AccessPoint 00:0b:86:c2:a4:85 ('linksys')
Pyrit has successfully parsed the capture file and found one AccessPoint with BSSID
00:0b:86:c2:a4:85 and ESSID 'linksys' and three Stations communicating with that
AccessPoint. The key-negotiation (known as the four-way handshake) between the
Station with MAC 00:13:ce:55:98:ef and the AccessPoint has also been recorded in the
capture file. We can use the data from this handshake to guess the password that is used
to protect the network.
Please note that Pyrit can transparently read/write gzip-compressed files; this comes in
very handy when dealing with large wordlists or cowpatty-files that may take hundreds
of megabytes.
This tells Pyrit to take the capture-file wpapsk-linksys.dump.gz and attack the
key-negotiation with AccessPoint 00:0b:86:c2:a4:85 using the dictionary-file dict.gz.
Please note that you do not always have to tell Pyrit which AccessPoint to choose from
the capture-file - Pyrit will usually be able to figure that out by itself.
You should get a response very similar to the following:
Pyrit 0.3.0 (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Parsing file 'wpapsk-linksys.dump.gz' (1/1)...
587 packets (587 802.11-packets), 1 APs
Tried 4091 PMKs so far; 935 PMKs per second.
The password is 'dictionary'.
We've successfully revealed that the password used to protect the network
00:0b:86:c2:a4:85 is "dictionary"...
AccessPoint and Station. Pyrit can help reduce the size of a packet-capture file by
analyzing the traffic and throwing away all packets that are of no use to us. We end up
with a new, very small capture file that still holds all valuable information and is
usable with other tools like Wireshark.
Please note that stripping a capture file is not necessary. Its sole purpose is to make life
a little easier when it comes to large capture files.
Our original example has 587 packets and a size of roughly 13 KB. Issue the following
command:
pyrit -r wpapsk-linksys.dump.gz -o wpapsk-linksys_stripped.dump.gz strip
The new capture file wpapsk-linksys_stripped.dump.gz has a size of only a few hundred
bytes and contains only three packets from the key-negotiation (used to attack the
password) and one beacon-frame (used to detect the network's ESSID).
Pyrit will read the file 'dict.gz' and store the wordlist in its internal database format.
You should get a response like the following:
Pyrit 0.3.0 (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
10202 lines read. Flushing buffers...
All done.
Please note that you can add more passwords to the database later on; the command
'import_passwords' ensures that duplicates within the wordlist or between the wordlist
and the database are tossed out and not stored again. For now, run the 'eval'-command
again to see how the database has been populated with passwords from 'dict.gz'. You
should get output similar to this:
Pyrit 0.3.0 (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
Passwords available: 4078
You'll notice that Pyrit has only stored 4,078 out of the 10,202 passwords from the file.
Pyrit has automatically filtered passwords that are not suitable for WPA(2)-PSK and
also sorted out duplicates. Now that we have some passwords in the database, we have
to create an ESSID. Issue the following command:
pyrit -e linksys create_essid
Run the 'eval'-command again and you'll see that ESSID 'linksys' has been created in the
database:
Pyrit 0.3.0 (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
Passwords available: 4078
The database now contains enough information to start batch-processing it. Pyrit will
take all (ESSID:password)-combinations, compute the corresponding Pairwise Master
Keys and store those for later use.
Please note that you can stop Pyrit's batch-processing at any time (with ctrl+c or by
sending SIGTERM). Pyrit will resume at the point where it stopped the next time you start
batch-processing. Issue the following command:
pyrit batch
... and watch how Pyrit crunches through the database until it runs out of work:
Pyrit 0.3.0 (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'file://'... connected.
Working on ESSID 'linksys'
Processed all workunits for ESSID 'linksys'; 1035 PMKs per second.
Batchprocessing done.
You can use the 'eval'-command once more to see that all workunits for ESSID 'linksys'
have been computed.
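As an added example (not code from Pyrit or from this tutorial), the following Python script shows the two steps the database goes through above: 'import_passwords' keeps only passphrases usable for WPA(2)-PSK (8 to 63 printable ASCII characters) and drops duplicates, and 'batch' derives one Pairwise Master Key per (ESSID:password) pair with PBKDF2-HMAC-SHA1 over 4096 rounds. The wordlist is constructed, the function names are my own, and the IEEE 802.11 test vector (passphrase 'password', SSID 'IEEE') is used to check the derivation.

```python
import hashlib
import hmac
import struct

def is_valid_psk_passphrase(pw: str) -> bool:
    # WPA(2)-PSK passphrases are 8 to 63 printable ASCII characters (IEEE 802.11 Annex H)
    return 8 <= len(pw) <= 63 and all(32 <= ord(c) <= 126 for c in pw)

def filter_passwords(lines):
    """Mirror import_passwords: strip newlines, drop unusable passwords and duplicates."""
    seen, kept = set(), []
    for line in lines:
        pw = line.rstrip("\r\n")
        if is_valid_psk_passphrase(pw) and pw not in seen:
            seen.add(pw)
            kept.append(pw)
    return kept

def pmk_manual(passphrase: str, essid: str) -> bytes:
    """PBKDF2-HMAC-SHA1 written out: PMK = PBKDF2(passphrase, ESSID, 4096 rounds, 32 bytes).
    Two SHA1 blocks (T1 || T2) of 4096 HMAC rounds each are needed for 32 bytes; this
    cost is why Pyrit caches the results per ESSID instead of recomputing them."""
    key, salt, out = passphrase.encode("ascii"), essid.encode("utf-8"), b""
    for block in (1, 2):
        u = hmac.new(key, salt + struct.pack(">I", block), hashlib.sha1).digest()
        t = u
        for _ in range(4095):
            u = hmac.new(key, u, hashlib.sha1).digest()
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
    return out[:32]

def pmk(passphrase: str, essid: str) -> bytes:
    """Same derivation through the standard library; cross-checks pmk_manual."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), essid.encode("utf-8"), 4096, 32)

def batch(essid: str, passwords):
    """Build the (ESSID:password) -> PMK table that 'pyrit batch' stores for one ESSID."""
    return {pw: pmk(pw, essid) for pw in passwords}

# Constructed stand-in for dict.gz: too short, non-ASCII and duplicate entries are the
# kinds of lines Pyrit silently drops on import.
SAMPLE_WORDLIST = ["linksys\n", "dictionary\n", "short\n", "dictionary\n", "pässword1\n", "password\n"]

if __name__ == "__main__":
    candidates = filter_passwords(SAMPLE_WORDLIST)
    print("Passwords available:", len(candidates))
    for pw, key in batch("linksys", candidates).items():
        print(pw, key.hex())
```

Because the PMK depends only on the ESSID and the passphrase, the table built by batch is reusable against any network with the same ESSID, which is why Pyrit stores results per ESSID and why a unique ESSID plus a long passphrase is the defensive answer.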
Please note that we specified neither the network's ESSID nor its BSSID.
You should get a response very similar to the following:
Pyrit 0.3.0 (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Pyrit uses SQLAlchemy and can therefore use all kinds of SQL-databases for its internal
storage mechanism: SQLite has all the benefits described above (except the
network-functionality), while MySQL and PostgreSQL require some setup but provide more
features and better scaling. Please refer to SQLAlchemy's documentation for more details
about supported databases.
Using a database as storage is extremely easy - all you have to do is provide an
alternative connection-string instead of the 'file://' that Pyrit uses by default (please
refer to the manual for details about the connection-string). In the following example, we
use a SQLite-database stored in the single file 'mydb.db':
pyrit -u sqlite:///mydb.db -i dict.gz import_passwords
Please note that we do not have to care about creating the database (in the case of
SQLite) or any tables within it. Pyrit will take care of this. You should get an output
very similar to this:
Pyrit 0.3.0 (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Connecting to storage at 'sqlite:///mydb.db'...
10202 lines read. Flushing buffers...
All done.
connected.
To make life a little easier, you can save the default connection-string in Pyrit's
configuration-file at '~/.pyrit/config'. Change the value of the key default_storage to a
new connection-string and you won't have to supply it every single time.