
Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux

Cracking Wifi WPA/WPA2 passwords using pyrit and cowpatty, with cuda or calpp, in Kali Linux

There are just too many guides on cracking Wifi WPA/WPA2 passwords using different methods. Everyone has their own take on it. Personally, I think there's no right or wrong way of cracking a wireless access point. The following is my way, and I found it extremely efficient and fast during my tests: I attacked with a dictionary using either cuda or calpp (cal++), and at the same time used WiFite to fast-track a few things. The whole process was done in Kali Linux, and it took me less than 10 minutes to crack a Wifi WPA/WPA2 password using the pyrit, cowpatty and WiFite combination on my laptop with an AMD ATI 7500HD graphics card.

You can make the following process faster, as I did, by using your graphics card. If you have an NVIDIA or AMD ATI graphics card, follow the guides below for your card first:

NVIDIA Users:

  1. Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver
  2. Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda

AMD Users:

  1. Install AMD ATI proprietary fglrx driver in Kali Linux 1.0.6
  2. Install AMD APP SDK in Kali Linux
  3. Install Pyrit in Kali Linux
  4. Install CAL++ in Kali Linux

Readers: please find the most recent article that applies to your graphics card. It's getting almost impossible to keep up with the updates and changing links alone, so look for the article with the most recent date.

Readers who would like to try alternative ways of cracking Wifi WPA/WPA2 passwords can use Hashcat, cudaHashcat or oclHashcat. The benefit of using Hashcat is that you can create your own rules to match a pattern and run a brute-force attack. This is an alternative to a dictionary attack: a dictionary can contain only a certain number of words, whereas a brute-force attack lets you test every possible combination of the given charsets. Hashcat can crack Wifi WPA/WPA2 passwords, and you can also use it to crack MD5, phpBB, MySQL and SHA1 passwords. Hashcat is a good option if you can guess one or two characters of a password, because then it only takes a few minutes. For example, if you know 3 characters of a password it takes 12 minutes to crack; if you know 4 characters it takes 3 minutes. If you know that a certain router's default password contains only letters and numbers, you can write rules that try only those to crack a completely unknown password. The chance of cracking it is a lot higher this way.

Important note: many users try to capture with network cards that are not supported. You should purchase a card that supports Kali Linux, including injection and monitor mode. A list can be found in 802.11 Recommended USB Wireless Cards for Kali Linux. It is very important that you have a supported card; otherwise you'll just be wasting time and effort on something that won't do the job.

Capture handshake with WiFite

Why WiFite instead of the other guides that use Aircrack-ng? Because it's faster and we don't have to type in a long series of commands.

Type in the following command in your Kali Linux terminal:

wifite -wpa

You could also type in

wifite -wpa2

If you want to see everything (WEP, WPA and WPA2), just type the following command. It doesn't make any difference except for a few more minutes of scanning:

wifite

Once you type it in, this is what you'll see:

[Screenshot 1: WiFite scanning and listing access points]

So, we can see a bunch of access points (APs for short). Always try to go for the ones with CLIENTS, because it's just much faster. You can choose all of them or pick by number. See the screenshot below:

[Screenshot 2: WiFite target list showing APs with clients]

Awesome, we've got a few with clients attached. I will pick 1 and 2 because they have the best signal strength. Try picking the ones with good signal strength. If you pick one with a poor signal, you might be waiting a LONG time before you capture anything, if anything at all.

So I've picked 1 and 2. Press Enter to let WiFite do its magic.

[Screenshot 3: WiFite target choice, APs 1 and 2 selected]

Once you press ENTER, this is what you will see. I got impatient, as the number 1 choice wasn't doing anything for a LONG time, so I pressed CTRL+C to quit out of it.

This is actually a great feature of WiFite. It now asks me,

What do you want to do?

  1. [c]ontinue attacking targets
  2. [e]xit completely.

I can type c to continue or e to exit. This is the feature I was talking about. I typed c to continue. What it does is skip choice 1 and start attacking choice 2. This is a great feature because not all routers, APs or targets will respond to an attack the same way. You could of course wait and eventually get a response, but if you're just after ANY AP, it saves time.

[Screenshot 4: WiFite continuing with the next target after CTRL+C]

And voila, it took only a few seconds to capture a handshake. This AP had lots of clients, and I managed to capture a handshake.

This handshake was saved in /root/hs/BigPond_58-98-35-E9-2B-8D.cap file.

Once the capture is complete and there are no more APs to attack, WiFite will just quit and you get your prompt back.

[Screenshot 5: WiFite reporting the captured handshake and the saved .cap file]

Now that we have a capture file with a handshake in it, we can do a few things:

  1. We can dictionary attack it.
  2. We can brute-force attack it.
    • For brute force, we can use crunch.
    • We can also use oclHashcat.

In this guide, I will show the dictionary attack, as almost 20% (that's 1 in every 5) of APs will have a standard dictionary password. In later chapters of this guide, I will show brute forcing.
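Before choosing between the dictionary and brute-force routes, it helps to see what one "PMK" that pyrit reports in PMKs/s actually is, and why its database is tied to an ESSID. The script below is an added example, not code from this post or from pyrit, cowpatty or Hashcat: it derives the WPA-PSK Pairwise Master Key the way the standard defines it (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 32 bytes), filters a wordlist down to entries that can legally be a WPA passphrase (the same 8..63 rule the pw-inspector -m 8 -M 63 line in the comments applies), and estimates how long a dictionary or a partial brute-force search takes at a measured PMKs/s rate. The sample wordlist and rates used are constructed or taken from figures quoted on this page; the function names are my own.

```python
# Added example (not code from the blackMORE Ops post, pyrit, cowpatty or Hashcat).
# Shows what one PMK is, why pyrit's database is per-ESSID, how a wordlist is
# filtered to valid WPA passphrases, and how to estimate attack cost.
import hashlib
from typing import Iterable, List

WPA_PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LENGTH = 32                # PMK is 256 bits


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).

    The SSID is the salt, so the same passphrase yields a different PMK on
    every network name. That is why pyrit needs the ESSID before 'batch'
    can precompute anything, and why a table built for one ESSID is
    useless against another.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        WPA_PBKDF2_ITERATIONS, PMK_LENGTH)


def is_valid_wpa_passphrase(candidate: str) -> bool:
    """A WPA-PSK passphrase is 8 to 63 printable ASCII characters.

    Wordlist entries outside that range can never be the key, so filtering
    them out first saves 4096 HMAC rounds per useless line.
    """
    return (8 <= len(candidate) <= 63
            and all(0x20 <= ord(c) <= 0x7E for c in candidate))


def filter_wordlist(words: Iterable[str]) -> List[str]:
    """Deduplicate and keep only candidates that could be a WPA passphrase
    (equivalent to the sort | uniq | pw-inspector -m 8 -M 63 pipeline)."""
    seen = set()
    kept: List[str] = []
    for word in words:
        word = word.rstrip("\r\n")
        if word in seen or not is_valid_wpa_passphrase(word):
            continue
        seen.add(word)
        kept.append(word)
    return kept


def batch_pmk_count(num_essids: int, num_words: int) -> int:
    """PMKs a full precomputation must produce: one per (ESSID, word) pair.
    Adding a second ESSID means the whole wordlist is processed again."""
    return num_essids * num_words


def brute_force_pmk_count(charset_size: int, unknown_chars: int) -> int:
    """Candidates a mask attack must test when only unknown_chars positions
    are unknown and each position is drawn from charset_size symbols."""
    return charset_size ** unknown_chars


def attack_seconds(num_pmks: int, pmks_per_second: float) -> float:
    """Wall-clock seconds to compute num_pmks at a measured PMKs/s rate."""
    return num_pmks / pmks_per_second


def exposure_report(ssid: str, wordlist: Iterable[str],
                    pmks_per_second: float) -> dict:
    """Summarise what a dictionary run against this ESSID would cost."""
    usable = filter_wordlist(wordlist)
    pmks = batch_pmk_count(1, len(usable))
    return {"ssid": ssid, "usable_candidates": len(usable),
            "seconds": attack_seconds(pmks, pmks_per_second)}


if __name__ == "__main__":
    # Constructed sample wordlist (not a real dictionary): the too-short,
    # too-long and duplicated entries are dropped.
    sample = ["short", "password", "password", "letmein1", "x" * 70,
              "correct horse"]
    print(filter_wordlist(sample))
    # Official IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID, different PMK.
    print(derive_pmk("password", "ieee").hex())
    # Cost of a 10,000,000-word list at the 8000 PMKs/s a commenter reports
    # for pyrit batch, against one ESSID and then two.
    for essids in (1, 2):
        secs = attack_seconds(batch_pmk_count(essids, 10_000_000), 8000)
        print(f"{essids} ESSID(s): {secs / 60:.0f} minutes")
    print(exposure_report("BigPond", sample, 3686.29))
```

The first printed PMK should match the f42c6fc5... vector from the 802.11i annex, which is a quick way to confirm the derivation is the same one pyrit and cowpatty compute. The per-ESSID salt is also why a long passphrase that is not in any wordlist is out of reach of this route entirely: the attacker cannot reuse work across networks or skip the 4096 rounds per guess.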


50 comments

  1. This is a newbie question, but here goes: if I have two different handshakes from two different ESSIDs that I want to crack, do I have to run the batch process twice?

  2. xyxyxyxyxy@gmail.com

    Hey, if you have time please add a thread on how to start from a Raspberry Pi. I want to start with Kali Linux and I don't know anything; I have to learn commands and all. I'll be very thankful if you could do this. I come from Windows and Kali seems much greater. I'll come back here soon :) Maybe you can drop a link if you have time for that. Thank you for all that you're doing to share your knowledge.

  3. Hi, how about cleaning up the passwords in Pyrit?

  4. I have a .cap file, can you crack it?

  5. Thank-you, very helpful ;)

  6. Hi, I think you need to add the -e option for pyrit BigPond delete_essid

  7. You blanked the ESSID of all your screenshots except "check out the temp of my cores".

  8. You state that when using attack_cowpatty we don't have to batch process. But when I try to do that I get an error, "0 entries written. All done".

    Even if attack_db is much faster, it doesn't matter because creating the database takes so long. Do you only create the db once per wordlist? Because otherwise the speed of attack_db or attack_cowpatty doesn't matter; all that matters is the speed of creating the database, which for me was about 8000/s.

    Am I doing something wrong? I don't understand why you wouldn't just recommend the attack_cowpatty method if you really can do it w/o creating a batch process to create tables, because of course someone would rather do that at 31 million keys per second than the 15 thousand keys per second you got creating tables.

  9. Hi BlackmoreOps !
    I am new to Kali Linux, and I find that most of your posts are very useful for a newbie like me. I followed all your steps to install the Nvidia driver, pyrit and cpyrit. However, my result comes out poorly, with just 3681 PMKs/s computed. I don't know how to make cpyrit compute around 40,000 PMKs/s. My laptop is a Sony Vaio VPCF15FM; the Nvidia graphics card is GT 216 (GeForce GT 330M).
    Computed 3686.29 PMKs/s total
    #01: CUDA-Device #1: 'GeForce GT 330M': 2431.1 PMKs/s (RTT 2.9)
    #02: ‘CPU-Core (SSE2)’: 222.6 PMKs/s (RTT 3.0)
    #03: ‘CPU-Core (SSE2)’: 221.1 PMKs/s (RTT 3.0)
    #04: ‘CPU-Core (SSE2)’: 224.2 PMKs/s (RTT 3.0)
    #05: ‘CPU-Core (SSE2)’: 221.4 PMKs/s (RTT 2.9)
    #06: ‘CPU-Core (SSE2)’: 222.4 PMKs/s (RTT 3.0)
    #07: ‘CPU-Core (SSE2)’: 221.3 PMKs/s (RTT 3.0)
    #08: ‘CPU-Core (SSE2)’: 224.3 PMKs/s (RTT 3.0)
    It is very slow compared to your result. Can you tell me what is wrong with it, please? Thank you buddy.

    • I'm having the same exact issue. I have a Sony Vaio F Series (VPCF226FM); it has Nvidia GeForce with CUDA. I followed all the installation steps but it does not seem to be offloading processing to the graphics card. Do you know of any troubleshooting steps I could follow to figure out why and resolve the issue?

      • Did you use the version of pyrit from the repository?
        svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit_svn

        Download that and:

        cd ~/pyrit_svn/pyrit
        ./setup.py build install

        Instead of going into the ../cpyrit_calpp folder, go into ../cpyrit_opencl:
        ./setup.py build install

        When done:

        pyrit list_cores

        See how you go.

  10. My box liked this command pyrit -e BigPond delete_essid (needed -e) in order to delete

  11. I did not understand that NVIDIA AMD part.

    • The CPU on a good graphics card can compute the necessary hashes faster than the CPU on the motherboard can. So with the proprietary NVIDIA or AMD drivers loaded, processing can be offloaded to the graphics card.

  12. I have 2 different handshakes. Can I just add the ESSID of the other handshake into the database and run the batch once? I have 112 GB of wordlists to import and right now I'm on the 24th hour of importing; if I batch this twice maybe I have to wait a week to crack that AP. It's an 8-10 digit password, 0-9 different combinations. Can you crack this handshake in your DB?

  13. Thank you for this tremendous documentation. Just to let you know there is a typo on the command concerning Import Dictionary in Pyrit.
    It should be: pyrit -I wpa.lst import_passwords as shown in the screen capture, i.e. without the /root/cudacapture/ path.
    Regards

  14. want to really hack wifi just see my latest wifi hacking
    https://www.youtube.com/watch?v=ZFC5bUr43lw

  15. I'm running a laptop with an Intel graphics chip. What would be my best route for wifi cracking?

    • Reaver, honestly. Pixie Dust attacks work great as well with Reaver. I’m commenting to come back to this since I’m generally curious to the answer as well.

  16. How can I download dictionaries? I am using BackBox; does it have any?

  17. Just wondering, my box seems to hang when it's flushing the buffers; is this usual? I set it to import the passwords before I went to bed but woke up to find my laptop had rebooted, running x64 Kali on x64 VBox via Win7 x64. Tried to get aircrack going on a wheezy install on another laptop to see if there was a difference but can't get the backport version working and the wiki is out of date.

    Any help? Cheers

    • Not too sure mate, I never tried this in VBox, only an HDD installation. VBox has a 3D memory limitation (128 MB?) which might be causing this issue. Also, you don't really need a GUI to do this; it's better off done in the CLI so that you can put every bit of CPU and Gfx into the job. Hope someone else who had similar issues replies back too. Good luck. Cheers,
      -BMO

  18. I am wondering why my GPU only works at 3% based on the status from nvidia-smi, whether working in pyrit batch process or attack_passthrough directly without the batch process. I have been monitoring nvidia-smi every second and getting the same value of 3%. I am using an NVIDIA GT335 with driver 304.125. I have tried to install the current one for this series (340.76) but it didn't work.

  19. It stays at listening for a handshake for a long time and doesn't quit.

  20. Dear... thank you for all your time and effort, and for helping us. If I win a lottery one day you will get some money from me; you are inspiring me.

    Can you help me with this question? Maybe it is the easiest part of your tut, but why am I not able to follow this command, or why won't it work: cat rockyou.txt | sort | uniq | pw-inspector -m 8 -M 63 > newrockyou.txt

    Can you explain to me what I am doing wrong? I tried several things but can't figure it out! I hope you will contact me soon.

    Kindly regards,

    Stephan from Holland

    • Dear blackMORE Ops, I think I figured it out. I just copied the original file to the root folder, then filled in your command in the terminal and it worked! Thank you a lot and apologies for interrupting! Hope I can get your help with some more difficult questions in the pas. Ciao for now.

  21. Can you create a database only 1 time for a wordlist and use it over again for different passwords?
    Can you use Cowpatty-> pyrit without creating databases?

  22. Thanks blackmore. I followed this very easily, nice and clear. No results yet, but I'm smashing 30k PMKs after following your other guide on cpyrit. Unfortunately I can't get cal++ working so had to settle for OCL. Using 1.1 / 3.18, I tried about 5 fresh installs using AMD 2.7, 2.8 and 2.9. I get them all installed properly but I get an operation error every time. Any ideas? I can't really do apt-get upgrade because I'm tethering from my cell phone, which is why I'm kinda here in the first place lol.

  23. Is it possible to create the Pyrit database with the ESSID and wordlist when you aren’t within range of the AP or do you have to be within range the whole time?

    • No. Capturing the handshake is the only part where you need to be within the range of the AP. Thereafter, everything else can be done offline.

      • Thank you. I did some research and found the answer to my question a long time ago, but thanks anyways. Have you done this process before? If so, how many PMK’s/s could your computer calculate during the database batch process? Any feedback is appreciated.

  24. This article mentions you don't need to commence the batch process with Cowpatty. Does this mean you don't have to precompute any sort of database at all and can attack the pcap file directly after you capture it?

  25. Ok. With the command ~ wifite -wpa ~ I didn't get any handshake, but when I type ~ wifite -wpa -aircrack ~ I get a handshake. I'm on Kali by the way.

  26. Boys, please, is it possible to run pyrit in a way that it will compute PMKs on the fly? I mean I have created the pyrit database and SSID on an external drive, and since the database is too big and I want to try multiple SSIDs, I want to skip batch processing and compute PMKs in real time with the cracking attempt. Precomputing PMKs with a big database for multiple SSIDs is time consuming either way.

  27. Well, I can't find the .cap file!!

  28. I added a 10,000,000 word dictionary to Pyrit.
    I added 1 essid (Wi-Fi name) to Pyrit.
    I ran BATCH and it completed in about 2 hours.
    Everything worked fine.

    Later I might wish to add another dictionary of 100 words.
    Will I have to execute BATCH again?
    Will it take another 2 hours…. or will it just quickly process the new 100 words?

    Later I might wish to add a 2nd essid (Wi-Fi name).
    Will I have to execute BATCH yet again?
    Will it take another 2 hours… or will it just quickly process the 1 new essid?

  29. I don't understand. Do you have time? I want to hack grandmother's wifi; anyone tell me how.

    And can you give your number

    Does it work on an Android device, yes or no?

    • Mmm, Grandma! Dude, my grandma didn't even have WiFi; she would have told me if I asked. Why don't you just ask her? Did your Grandma not give you guns to go outback shooting? I think that's what's wrong with the world. I was at this nursing home with my grandma before she died and I noticed old people don't like it when their kids are on the phone typing all day (your mom and dad), which probably pisses her off to see you sit around with your thumbs on a phone all day. Watch TV with her, go to the American legal and chill with her while she drinks her rum n coke, and keep your phone in your pocket.

  30. All dictionary "attacks" are like gambling for the jackpot in a casino in Vegas, crap.

  31. Granted, I don't understand WPA handshakes. So I have to wonder why, once a valid handshake is captured, it must be "hit or miss" from a dictionary list. If a guess is, say, 50% right, wouldn't whatever values are being generated with aircrack or similar be at least partially correct when compared to the capture? Then, with that knowledge, couldn't the key be honed in on more intelligently? (I'll probably end up dissecting the source of aircrack-ng to understand, which is the only way I learn.)
