
Pyrit vs hashcat. Gpu (proper logging of success/failure)


i8igmac


(Pyrit Example command below)

First I'll start with my problem with pyrit.

Output logging is hacky. After 15 hours of work, there should be something logged to the file like "Password is or was not found".

Notice 2>&1 should log both stdout and stderr to a file. If I grep through the log file, the Password string does not exist.

(15 hours of work)

If I test this with a small dictionary file, I achieve different results: the Password string exists and is grepable.

(5 minutes of work)

pyrit -r handshakes.cap -i Rocktastic12a -b XX:XX:XX:XX:XX attack_passthrough 2>&1 | tee -a resaults.log

Love the application, it works for the most part, but it seems there has not been much improvement since 2014.

So, what about hashcat? This is my first attempt poking around. I knew of its existence but felt that pyrit works just fine, so no need to bother with hashcat.

(Hashcat)

I have installed it, then ran the examples provided, and I like the detailed output. Rocktastic cracked an enormous amount of the example hashes. Pretty cool...

Now when I try to run hashcat on my handshake.cap file, I notice I have to convert to hashcat format with cap2hccapx. I installed hashcat-utils-1.8 and ran cap2hccapx on my aircrack capture file and see this error.

hashcat-utils-1.8/src $ ./cap2hccapx.bin ../../out.pcap-01.cap output.hccapx
Zero value timestamps detected in file: ../../out.pcap-01.cap.
This prevents correct EAPOL-Key timeout calculation.
Do not use preprocess the capture file with tools such as wpaclean.

If I remember, this file was straight from aircrack. I did not run cleanup tools.

I tried another tool that converts cap files to hashcat format, hcxtools. This attempt just looks ugly when I pass the newly generated cap.hccapx.... Could an outdated version of aircrack (1.2 rc4) be the cause of this struggle?

The good news is, hashcat is updated consistently and has a large IRC channel.


I generally use john. When done, if I can't see a password in the terminal because it scrolled off screen, you type "john hashfile.txt --show", where hashfile.txt was what you were trying to crack, and if found, it will show you what hashes were cracked. With the other tools, I've dabbled with hashcat, but I don't have a GPU to use with it (since I use it in a VM) and have always had to use the older CPU-only version, where John just seems so much faster in this respect when I can fork 40 threads on a rockyou.txt file and crack in minutes (if not hours, depending on the hash type).

edit: forgot to mention, you have to convert the pcap file to use with john.

Also note, you can pipe crunch directly into aircrack if you want to brute all possible combos, but anything over 8 in length is going to take forever, where good wordlists are better suited.

GPU cracking on a high-end rig is probably the way to go these days though, I just don't have that kind of budget.


I'll check out john. Also looking into OpenCL vs CUDA..

I currently hacked up a logging function with pyrit. I would hate to see 100 hours of work go by and fail to see a success... This function would also allow me to recover the attack from any location of the word list...

I'm running 2 GPUs and 2 decent CPUs... blew all the dust out of the fans for the long haul.

14000 psk's

22000 psk's

A 3rd GPU is sitting on a bench; I expect 40,000 psk's from this GPU and pyrit...

I want to try extreme overclocking with home-brew cooling... I would like to see how much I can squeeze out of a dirt cheap GPU but also keep things stable.


I haven't used pyrit yet, but check the man pages or documentation. Nearly all of these tools log found passwords.


Disclaimer: I am not a hashcat developer, but I am on Team Hashcat. I am going to apologize for some corrections, but they need to be made.

1) wpaclean is part of the aircrack-ng suite. It should not be used for extracting hashes from WPA traffic for use in hashcat; the format it extracts in has been superseded, and any requests for support using it will be denied.

There is an alternative, wlandump from hcxtools https://github.com/ZerBea/hcxtools, which is supported under the most recent versions of hashcat. These tools are very specific and purpose-built; other tools in the suite include:

wlandump-ng Small, fast and simple but powerful WLAN scanner
wlanresponse Extreme fast deauthentication/authentication/response tool
wlanrcascan Small, fast and simple passive WLAN channel assignment scanner (status output)
pioff Turns Raspberry Pi off via GPIO switch
wlancapinfo Shows info of pcap file
wlancap2hcx Converts cap to hccapx (recommended for use with wlandump-ng and wlanresponse)
wlanhcx2cap Converts hccapx to cap
wlanhc2hcx Converts hccap to hccapx
wlanhcx2essid Merges hccapx containing the same ESSID
wlanhcx2ssid Strips BSSID, ESSID, OUI
wlanhcx2john Converts hccapx to format expected by John the Ripper
wlanhcxinfo Shows detailed info from contents of hccapx file
wlanhcxmnc Manually do nonce correction on byte number xx of a nonce
whoismac Show vendor information
pwhash Generate hash of a word by using a given charset

2) from your post "I generally use john. When done, if i can't see a password in the terminal because it scrolled off screen, you type "john hashfile.txt --show"

hashcat has had this support for some time with --show, and also --username if you are using a dump with usernames, so there is no need to use john.

3) from your post "I've dabbled with hashcat, but i don't have a GPU to use with it"

Hashcat supports CPU as of 3.00 with the correct OpenCL libraries.

4) from your post "had to use the older CPU only version, where John just seems so much faster in this respect "

hashcat's OpenCL CPU code is multiple times faster than john's native CPU code because its algorithms are optimized at the math level.

5) from your post "you can pipe crunch directly into aircrack"

Crunch is a legacy processor; you really should be using hashcat-utils maskprocessor instead, it's much faster. That being said, you don't need to use it, as hashcat has it built in with -a 3, plus it's Markov-chain optimized.

In summary, stop using legacy tools like pyrit; they haven't been updated in ages and no new research is being done. The guy who is writing hcxtools is the one who pushes WPA cracking today. There has not been any improvement on WPA-based attacks for a long time for aircrack-ng and pyrit, and both fail to do deauth attacks cleanly (without creating invalid handshakes).

For some good reading:
WPA Cracking with hashcat
https://hashcat.net/forum/thread-6150.html

New parameter: --nonce-error-corrections
https://hashcat.net/forum/thread-6361.html

hashcat v3.00 release notes
https://hashcat.net/forum/thread-5559.html

For anything else please visit the hashcat forums, wiki and IRC channel.


3 hours ago, EvilMog said:

Disclaimer: I am not a hashcat developer but I am on Team Hashcat, I am going to apologize for some corrections but they need to be made.

I did try out hcxtools. The hccapx generated with no errors, but when I attempt to start hashcat (I'll try and post the results), it just looks like an ugly mess... It says no hashes loaded.

There was no cleaning done by any scripted tools. It's a fresh cap file from aircrack-ng 1.2 rc4.

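As an added example (not from this thread or from the hashcat/hcxtools projects), here is a small structural check of a converted .hccapx file, assuming hashcat's published 393-byte v4 record layout. It reports the fields wlanhcxinfo would show and flags the size, signature and length-field problems that make hashcat answer "no hashes loaded", so a bad conversion can be told apart from a bad capture. The sample record it builds when run without a path is constructed test data, not a real handshake.

```python
import struct

# Layout of one hccapx v4 record (hashcat's documented format): 393 bytes, little-endian.
HCCAPX_MAGIC = b"HCPX"
HCCAPX_VERSION = 4
HCCAPX_FMT = "<4sIBB32sB16s6s32s6s32sH256s"
HCCAPX_SIZE = struct.calcsize(HCCAPX_FMT)  # 393
FIELDS = ("signature", "version", "message_pair", "essid_len", "essid", "keyver",
          "keymic", "mac_ap", "nonce_ap", "mac_sta", "nonce_sta", "eapol_len", "eapol")


def parse_hccapx(data: bytes) -> list:
    """Split a .hccapx blob into records, rejecting what hashcat would refuse to load."""
    if not data or len(data) % HCCAPX_SIZE:
        raise ValueError(f"file size {len(data)} is not a multiple of {HCCAPX_SIZE} bytes")
    records = []
    for off in range(0, len(data), HCCAPX_SIZE):
        rec = dict(zip(FIELDS, struct.unpack_from(HCCAPX_FMT, data, off)))
        if rec["signature"] != HCCAPX_MAGIC:
            raise ValueError(f"record at offset {off}: bad signature {rec['signature']!r}")
        if rec["version"] != HCCAPX_VERSION:
            raise ValueError(f"record at offset {off}: unsupported version {rec['version']}")
        if rec["essid_len"] > 32 or rec["eapol_len"] > 256:
            raise ValueError(f"record at offset {off}: length field out of range")
        if rec["keyver"] not in (1, 2, 3):
            raise ValueError(f"record at offset {off}: unknown key version {rec['keyver']}")
        rec["essid"] = rec["essid"][: rec["essid_len"]].decode("utf-8", "replace")
        rec["eapol"] = rec["eapol"][: rec["eapol_len"]]
        rec["mac_ap"] = rec["mac_ap"].hex(":")
        rec["mac_sta"] = rec["mac_sta"].hex(":")
        records.append(rec)
    return records


def constructed_record(essid: str, mac_ap: bytes, mac_sta: bytes, keyver: int = 2) -> bytes:
    """Build a structurally valid record with zeroed MIC, nonces and EAPOL body.
    Constructed test data only: it parses, but it is not a real handshake."""
    e = essid.encode()
    eapol = b"\x01\x03" + b"\x00" * 97  # constructed 99-byte placeholder EAPOL frame
    return struct.pack(HCCAPX_FMT, HCCAPX_MAGIC, HCCAPX_VERSION, 0, len(e), e.ljust(32, b"\0"),
                       keyver, b"\0" * 16, mac_ap, b"\0" * 32, mac_sta, b"\0" * 32,
                       len(eapol), eapol.ljust(256, b"\0"))


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_record(
        "ConstructedNet", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"))
    for r in parse_hccapx(blob):
        print(f"ESSID={r['essid']!r} AP={r['mac_ap']} STA={r['mac_sta']} "
              f"keyver={r['keyver']} message_pair={r['message_pair']} eapol_len={r['eapol_len']}")
```

Run it against the file hcxtools produced; a ValueError on the size or signature points at the conversion step, while a clean parse with sensible ESSID and MACs means the record format is fine and the capture content itself is what to look at.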

Quote

2) from your post "I generally use john. When done, if i can't see a password in the terminal because it scrolled off screen, you type "john hashfile.txt --show"

hashcat has had this support for some time with --show, also --username if you are using a dump with usernames so there is no need to use john
Good to know. As for speed, I'm using these in a Kali VM, and personally, John has been faster for me with wordlists, but that's just my experience. In Kali, the latest would only run on GPU; I had to remove it and install the older version of hashcat to use it against the CPU in my VM, but that was a while ago, using 2016.1 or 2, and I haven't tried recently. Using --fork=## john is also plenty fast for my needs. I'm not dumping databases with thousands of hashes that need cracking. It's mostly one-offs from vulnhub CTFs.
