Provided by: pyrit_0.4.0-2build1_amd64 bug

NAME

       pyrit - A GPGPU-driven WPA/WPA2-PSK key cracker

SYNOPSIS

       pyrit [options] command

DESCRIPTION

       Pyrit exploits the computational power of many-core- and GPGPU-platforms to create massive
       databases, pre-computing part of the WPA/WPA2-PSK authentication  phase  in  a  space-time
       tradeoff. It is a powerful attack against one of the world's most used security-protocols.

       This  document  tries  to  describe and explain all functions the commandline-client pyrit
       provides.  One or more options may be given on the commandline to customize a command. The
       exact behaviour of options depends on the command.

       At  the time of this writing, cowpatty is not available in Debian.  References to cowpatty
       and its commands are nevertheless preserved for the sake of completeness.

OPTIONS

       Pyrit recognizes the following options:

       -b BSSID
              Specifies a BSSID. Can be used to restrict commands to certain Access-Points.

       -e ESSID
              Specifies the ESSID. Commands usually refer to all ESSIDs in the database when this
              option is omitted.

       -i infile
              Specifies  a filename to read from; the special filename "-" can be used for stdin.
              The file may be gzip-compressed in  which  case  its  name  must  end  in  .gz  for
              transparent decompression.

       -o outfile
              Specifies  a filename to write to; the special filename "-" can be used for stdout.
              Filenames that end in .gz cause pyrit to gzip-compress the file on the fly.

       -r capture-file
              Specifies a packet-capture file in pcap  format  (possibly  gzip-compressed)  or  a
              device (e.g.: "wlan0") to capture from.

       -u URL Specifies the URL of the storage-device in the form of

                   driver://username:password@host:port/database

              Pyrit  can  use  the  filesystem,  a  remote Pyrit-Relay-Server and, if the package
              python-sqlalchemy is installed, SQL-Databases as storage. The driver file:// refers
              to  Pyrit's  own filesystem-based storage, http:// connects to a Pyrit-Relay-Server
              and all other URLs are passed directly  to  python-sqlalchemy,  if  available.  The
              default  storage-URL  can  also  be  specified by the key defaultstorage in pyrit's
              configuration file (see FILES below).

       --all-handshakes
              The  commands  attack_batch,  attack_db,  attack_cowpatty  and   attack_passthrough
              automatically  use the single handshake of highest quality only. In some cases even
              this handshake may have been  wrongfully  reconstructed  from  the  captured  data,
              rendering the attack futile. In case more than one EAPOL-handshake is reconstructed
              from the capture-file, the option  --all-handshakes  may  be  used  to  attack  all
              handshakes  reconstructable from the captured data. Exact behaviour of the commands
              affected by this option is described below.

COMMANDS

       analyze
              Parse one or more packet-capture files (in pcap-format,  possibly  gzip-compressed)
              given  by  the  option  -r  and  try  to  detect Access-Points, Stations and EAPOL-
              handshakes.  For example:

                   pyrit -r "test*.pcap" analyze

              Pyrit shows a list of Access-Points, associated Stations and EAPOL-handshakes  that
              could  be  identified from the captured data. Handshakes are shown ordered by their
              "quality":

                          Good: The handshake includes the challenge from the  Access-Point,  the
                          response from the Station and the confirmation from the Access-Point.

                          Workable:  The handshake includes the response from the Station and the
                          confirmation from the Access-Point. The challenge was not captured.

                          Bad: The handshake includes the challenge from the Access-Point and the
                          response from the Station. The confirmation was not captured.

                          Handshakes  of  the  same  quality are ordered by how close the packets
                          that make up the handshake are to each other.

              attack_batch
                     Attack an EAPOL-handshake found in the packet-capture file(s) given  by  the
                     option  -r  using  the  Pairwise  Master  Keys  and  passwords stored in the
                     database. The options -b and -e can be used to specify the  Access-Point  to
                     attack;  it  is  picked  automatically  if  both  options  are omitted.  The
                     password is written to the filename given by the option -o if specified. For
                     example:

                          pyrit -r test.pcap -e MyNetwork -b 00:de:ad:c0:de:00 \
                              -o MyNetworkPassword.txt attack_batch

                     Pairwise  Master  Keys  that previously have been computed and stored in the
                     database are taken from there; all other passwords are translated into their
                     respective  Pairwise Master Keys and added to the database for later re-use.
                     ESSIDs are created automatically in the database if necessary.

                     Pyrit works down the list of  reconstructed  EAPOL-handshakes  in  case  the
                     option --all-handshakes is supplied.

              attack_cowpatty
                     Attack  an  EAPOL-handshake found in the packet-capture file(s) given by the
                     option -r using  Pairwise  Master  Keys  from  a  cowpatty-like  file  (e.g.
                     generated  by  ``genpmk''  from cowpatty, or export_cowpatty below) given by
                     the option -f. The options -b and -e can be used to specify the Access-Point
                     to  attack;  it  is  picked  automatically  if both options are omitted. The
                     password is written to the filename given by the  option  -o  if  specified.
                     The  cowpatty-file  may  be gzip-compressed and must match the chosen ESSID.
                     For example:

                          pyrit -r test.pcap -e MyOwnNetwork \
                              -i MyOwnNetwork.cow.gz -o - attack_cowpatty

                     Pyrit's own database is not touched by attack_cowpatty.

                     Pyrit  attacks  all  EAPOL-handshakes  at  the  same  time  if  the   option
                     --all-handshakes   is  supplied.  This  will  reduce  througput  (e.g.:  33%
                     throughout in case of three handshakes).

              attack_db
                     Attack an EAPOL-handshake found in the packet-capture file(s) given  by  the
                     option -r using the Pairwise Master Keys stored in the database. The options
                     -b and -e can be used to specify the Access-Point to attack;  it  is  picked
                     automatically  if  both options are omitted.  The password is written to the
                     filename given by the option -o if specified. For example:

                          pyrit -r test.pcap -e MyOtherNetwork attack_db

                     Only Pairwise Master Keys that have been computed previously and are  stored
                     in the database are used by attack_db.

                     Pyrit  works  down  the  list  of reconstructed EAPOL-handshakes in case the
                     option --all-handshakes is supplied.

              attack_passthrough
                     Attack an EAPOL-handshake found in the packet-capture file(s) given  by  the
                     option  -r  using  the  passwords read from the file given by the option -i.
                     The options -b and -e can be used to specify the Access-Point to attack;  it
                     is picked automatically if both options are omitted. The password is written
                     to the filename given by the option -o if specified. For example:

                          pyrit -r test.pcap -b 00:de:ad:be:ef:00 \
                              -i words.txt attack_passthrough

                     This command circumvents  Pyrit's  database  and  should  only  be  used  if
                     storage-space  is  a  problem  (e.g.  on LiveCDs). You should consider using
                     attack_batch otherwise.

                     Pyrit  attacks  all  EAPOL-handshakes  at  the  same  time  if  the   option
                     --all-handshakes is supplied.

              batch
                     Start  to  translate  all  passwords  in  the database into their respective
                     Pairwise Master Keys and store the results in the database.  The  option  -e
                     may  be  used  to restrict this command to a single ESSID; if it is omitted,
                     all ESSIDs are processed  one  after  the  other  in  undefined  order.  For
                     example:

                          pyrit -e NETGEAR batch

                     The  option  -o  can  be  used  to  specify  a  filename  the results should
                     additionally be written to  in  cowpatty's  binary  format.  The  option  -e
                     becomes  mandatory and the ESSID is automatically created in the database if
                     necessary. Pairwise Master Keys  that  previously  have  been  computed  and
                     stored  in  the database are exported from there without further processing.
                     Pyrit stops and exits if an IOError is raised while writing to the specified
                     file.  This  makes  it  very  convenient  to  pipe results directly to other
                     programs but also keep them for later use. For example:

                          pyrit -e NETGEAR -o - batch | \
                              cowpatty -d - -r wpatestcapture.cap -s NETGEAR

              benchmark
                     Determine the peak-performance of the available hardware by computing dummy-
                     results. For example:

                          pyrit benchmark

              check_db
                     Unpack  the  entire  database  and  check for errors like data corruption or
                     reference errors. This function does not check the value of computed results
                     (see verify). For example:

                          pyrit check_db

              create_essid
                     Add  new  ESSIDs  to the database. A single ESSID may be given by the option
                     -e.  Multiple ESSIDs can be created by supplying a file (one per  line)  via
                     the  option  -i.  Re-creating an existing ESSID does not result in an error.
                     For example:

                          pyrit -e NETGEAR create_essid

              delete_essid
                     Delete the ESSID given by -e from the database. This  includes  all  results
                     that may have been stored for that particular ESSID. For example:

                          pyrit -e NETGEAR delete_essid

              eval
                     Count  all  available  passwords, all ESSIDs and their respective results in
                     the database. For example:

                          pyrit eval

              export_passwords
                     Write all passwords that are currently stored in the database to a new  file
                     given  by -o. Passwords are terminated by a single newline-character ("\n").
                     Existing files are overwritten without confirmation. For example:

                          pyrit -o myword.txt.gz export_passwords

              export_cowpatty
                     Write all results for the ESSID given by -e to  the  file  given  by  -o  in
                     cowpatty's   binary   format.   Existing   files   are  overwritten  without
                     confirmation. For example:

                          pyrit -o NETGEAR.cow -e NETGEAR export_cowpatty

              export_hashdb
                     Write all results currently  stored  in  the  database  to  the  airolib-ng-
                     database given by -o. The database is created with a default table layout if
                     the file does not yet exist. The option -e can be used to limit  the  export
                     to a single ESSID. For example:

                          pyrit -o NETGEAR.db -e NETGEAR export_hashdb

              import_passwords
                     Read  the file given by -i and import one password per line to the database.
                     The passwords may contain all characters (including NULL-bytes)  apart  from
                     the  terminating  newline-character ("\n").  Passwords that are not suitable
                     for  being  used  with  WPA-/WPA2-PSK   are   ignored.    Pyrit's   storage-
                     implementation  guarantees  that  all passwords remain unique throughout the
                     entire database. For example:

                          pyrit -i dirty_words.txt import_passwords

              import_unique_passwords
                     Read the file given by -i and import one password per line to the  database.
                     The  passwords  may contain all characters (including NULL-bytes) apart from
                     the terminating newline-character ("\n"). Passwords that  are  not  suitable
                     for  being  used with WPA-/WPA2-PSK are ignored. This command does not check
                     if there are duplicate passwords within the file or between the file and the
                     database;  it  should  be  used  with  caution  to prevent the database from
                     getting poisoned with duplicated passwords. This command however can be much
                     faster than import_passwords. For example:

                          pyrit -i dirty_words.txt import_unique_passwords

              list_cores
                     Show  a  list  of  all  available hardware modules Pyrit currently uses. For
                     example:

                          pyrit list_cores

              list_essids
                     Show a list of all ESSIDs currently stored in the database. This function is
                     faster  than  eval  in  case  you  don't need to know the number of computed
                     results. For example:

                          pyrit list_essids

              passthrough
                     Read passwords from the file given by -i and compute their  Pairwise  Master
                     Keys  for  the  ESSID  given  by  -e.  The  results  are written to the file
                     specified by -o in cowpatty's binary  format  and  are  not  stored  in  the
                     database  for  later  use.  This  command  therefor  circumvents  the entire
                     database and should only be used if storage-space is a  problem  (e.g.  when
                     using  Pyrit  on  a  LiveCD).  The  batch-command  provides exactly the same
                     functionality as passthrough but can give much better performance as results
                     may be read from the database instead of recomputing them. For example:

                          pyrit -i dirty_words.txt.gz -e NETGEAR \
                              -o - passthrough | cowpatty -d - \
                              -r wpatestcapture.cap -s NETGEAR

              relay
                     Start  a  server  to  relay another storage device via XML-RPC; other Pyrit-
                     clients can use the server  as  storage-device.  This  allows  one  to  have
                     network-based  access to storage source that don't provide network-access on
                     their own (like file:// and sqlite://)  or  hide  a  SQL-database  behind  a
                     firewall and let multiple clients access that database only via Pyrit's RPC-
                     interface.  The TCP-port 17934 must be open for this function to  work.  For
                     example, on the server (where the database is):

                          pyrit -u sqlite://var/local/pyrit.db relay

                     and the client (where the big GPU is):

                          pyrit -u http://192.168.0.100:17934 batch

              selftest
                     Run  an  extensive  selftest  for  about  60 seconds. This test includes the
                     entire scheduling-mechanism and all cores that are listed by list_cores. You
                     can  use  this  function  to  detect  broken  hardware-modules  or malicious
                     network-clients. For example:

                          pyrit selftest

              serve
                     Start a server that provides access to the local computing hardware to  help
                     other Pyrit clients. The server's IP-address should be added to the client's
                     configuration  file  (see   FILES)   as   a   space-separated   list   under
                     known_clients.  The  client's rpc_server-setting must also be set to 'true'.
                     The TCP- and UDP-Port 17935 must be accessible. For example, on  the  server
                     (where the GPU is):

                          pyrit serve

                     and  on  the client (the server's IP-address has been added to known_clients
                     and rpc_server is set to 'true'):

                          pyrit -r test.pcap -b 00:de:ad:be:ef:00 \
                              -i words.txt attack_passthrough

              strip
                     Parse one or more packet-capture files given by the option -r, extract  only
                     packets  that  are  necessary  for EAPOL-handshake detection and write a new
                     dump to the filename given by the option -o. The options -e and  -b  can  be
                     used to filter certain Access-Points. For example:

                          pyrit -r "large_dumps_*.pcap" -e MyNetwork \
                              -o tiny_compressed_dump_MyNetwork.dump.gz strip

              stripLive
                     Parse  a  packet-capture  file  given by the option -r, extract only packets
                     that are necessary for EAPOL-handshake detection and write a new dump to the
                     file given by the option -o. This command differs from strip as the capture-
                     file can be any character device including sockets  and  other  pseudo-files
                     that  look  like  files in pcap-format. stripLive writes relevant packets to
                     the new file given by -o as they arrive instead of trying to read the entire
                     capture-file first.

                          pyrit -r /temp/kismet_dump -o small_dump.pcap stripLive

              verify
                     Randomly  pick  10%  of  the results stored in the database and verify their
                     value by recomputation.  You  need  this  function  if  you  suspect  broken
                     hardware or malicious network-clients. For example:

                          pyrit -e NETGEAR verify

EXIT STATUS

       If command succeeds, pyrit's process exit status is set to 0; otherwise it is set to 1 and
       (usually) an error message or a python-traceback  is  written  to  stderr.  The  following
       commands also indicate an error condition in certain cases:
                       analyze: Not at least one valid EAPOL-handshake could be detected.

                       attack_passthrough,   attack_batch,  attack_db  and  attack_cowpatty:  The
                   password could not be found.

                       verify At least one workunit contained invalid results.

                       check_db Errors in the database were found (and possibly fixed).

FILES

       ~/.pyrit/config
              The  pyrit  configuration  file.   You   can   find   a   documented   example   in
              /usr/share/doc/pyrit/examples/config.example.

NOTES

       The  author  does  not  encourage  or support using pyrit for the infringement of people's
       communication-privacy. The exploration and realization of the  technology  discussed  here
       motivate  as  a purpose of their own; this is documented by the open development, strictly
       sourcecode-based distribution and 'copyleft'-licensing.

AUTHOR

       pyrit was written by Lukas Lueg <lukas.lueg@gmail.com>.

       This manual page was written by Christian Kastner <debian@kvr.at> for the  Debian  project
       (but may be used by others).