Pirating Wireless With Pyrit:
Pyrit is a wonderful program that utilizes the power of multi-core processors. Through the addition of modules, it can also use the extreme parallel processing power of graphics cards. This lets a job that would have taken days be completed in minutes. We will also be using the Aircrack suite to capture the packets for cracking.
The first step in our cracking adventure is to change our MAC address. You need to know the name of your wireless interface. It will probably be something like wlan0 or ath0. From a command prompt, run the following commands:
ifconfig (interface) down
macchanger --mac 00:11:22:33:44:55 (interface)
airmon-ng start (interface)
Now we have our wireless card in what is called monitor mode. This enables us to capture packets across all the different wireless channels. For the next few examples we will assume that airmon-ng created a new interface called mon0. If yours is not named mon0, then substitute where necessary. The next step is to find our target and start capturing packets. Run the following command from a command prompt:
airodump-ng mon0
This will list all of the access points that are around you. We have set up a test access point called TechwareLabs that we are going to hack.
Now that we know what channel our target access point is on, we can do a more refined capture. This way we aren’t capturing packets from access points that don’t matter. To do this we run the commands:
airmon-ng stop mon0
airmon-ng start (interface) (channel of the access point)
airodump-ng -c (channel of the access point) -w (name of the capture file) -a --bssid (MAC address of the access point) mon0
This next step may be optional if you're lucky. The main purpose is to capture a WPA handshake, which happens when a computer tries to connect to an access point. The next command sends out DEAUTH packets to a target client that is connected to the access point. This forces the client to disconnect from the access point and then try to reconnect. It also makes for some interesting DoS attacks.
aireplay-ng -0 5 -a (MAC address of access point) -c (MAC address of client connected to access point) mon0
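Because a deauthentication burst like the one above is also what a DoS looks like from the network's side, here is an added example (not part of the original article) of how a monitor-mode sensor could flag it: it parses raw 802.11 management headers and raises an alert when one sender emits more deauth frames in a one-second window than a threshold allows. The frames below are constructed inline for the demonstration; the MAC addresses and the threshold are assumptions.

```python
from collections import defaultdict, deque

# 802.11 frame control, first byte: bits 2-3 = type, bits 4-7 = subtype.
# Management frames have type 0; subtype 12 is Deauthentication, 8 is Beacon.
MGMT_TYPE = 0
DEAUTH_SUBTYPE = 12


def parse_mgmt_header(frame: bytes):
    """Return (type, subtype, sender MAC) from a raw 802.11 header, or None if too short.
    Header layout: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    sender = ":".join(f"{b:02x}" for b in frame[10:16])  # Addr2 = transmitter
    return ftype, subtype, sender


def detect_deauth_flood(frames, window_s=1.0, threshold=3):
    """frames: iterable of (timestamp, raw_bytes). Returns (ts, sender, count)
    alerts whenever a sender's deauth count in the trailing window reaches threshold."""
    recent = defaultdict(deque)
    alerts = []
    for ts, raw in frames:
        parsed = parse_mgmt_header(raw)
        if parsed is None or parsed[0] != MGMT_TYPE or parsed[1] != DEAUTH_SUBTYPE:
            continue  # ignore beacons, data frames, truncated captures
        q = recent[parsed[2]]
        q.append(ts)
        while q and ts - q[0] > window_s:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, parsed[2], len(q)))
    return alerts


def make_frame(fc0: int, addr1: str, addr2: str, addr3: str) -> bytes:
    """Build a constructed 802.11 management frame header (sample data, not a capture)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    return bytes([fc0, 0x00, 0x00, 0x00]) + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00"


AP, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"        # assumed addresses
SAMPLE = [(0.0, make_frame(0x80, "ff:ff:ff:ff:ff:ff", AP, AP))]  # one beacon, harmless
SAMPLE += [(0.1 * i, make_frame(0xC0, CLIENT, AP, AP) + b"\x07\x00") for i in range(5)]

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE):
        print("deauth flood from %s at t=%.1f (%d frames in window)" % (alert[1], alert[0], alert[2]))
```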
Once we have successfully captured a handshake, we can stop airodump-ng from capturing with the Ctrl + C keyboard shortcut. We should now verify that our capture file has all the information that pyrit will need to start cracking. Pyrit has a command for analyzing capture files:
pyrit -r (capture file) analyze
We are now ready to use pyrit to try and crack the password using our dictionary file. BackTrack comes with a few dictionary files, but you will probably want to create your own in the long run. Run the command below in a command prompt. NOTE: In order to use your graphics cards, you must be in an X session.
pyrit -r (capture file) -i (dictionary file) -b (access point MAC address) attack_passthrough
Depending on how large your dictionary file is and how complicated the password is, the process can take a while. Just sit back and crack one open while your computer chugs away.
What If The Password Wasn’t In The Dictionary?:
Sometimes people actually follow proper password policies and choose something that isn't super easy to guess. However, if they don't pick a very long password, it is still susceptible to brute-force cracking within a reasonable amount of time. Luckily, with the help of another program, we can pipe generated passwords on the fly to pyrit for it to try out. This way we can attempt the entire key space and will absolutely get the password. The only factor is time. The WPA/WPA2 standard allows for a password of up to 63 characters in length. If they do have a password that's 63 characters long, you'll have a better chance of walking up to their front door and asking for the key than brute-force cracking it in your lifetime. Realistically most people have a password that is 8 characters or less. While it still may take a while, it is within the realm of possibility. We will be using a word list generator called crunch to directly pipe words into pyrit to try out.
crunch (min password length) (max password length) (charset) | pyrit -r (capture file) -b (access point MAC address) -i - attack_passthrough
For example, if you wanted to crack a password between 1 and 6 characters in length that you knew was only numbers, the commands would look as follows.
cd /pentest/passwords/crunch
./crunch 1 6 0123456789 | pyrit -r /root/capture.cap -b 00:11:22:33:44:55 -i - attack_passthrough
This will get the job done, but it will take quite a while and should be used as a last resort.
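To put numbers on "the only factor is time", here is an added calculator (not from the original article) that sizes the key space crunch would have to emit for a given charset and length range, and converts it to a worst-case run time at an assumed PMK rate. The rate of 100,000 PMKs per second is a constructed assumption, not a measured Pyrit figure; the first policy is the page's own 1-6 digit crunch example, and the others show why passphrase length dominates everything else.

```python
def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates of every length in [min_len, max_len] drawn from
    charset_size symbols, i.e. exactly what crunch min max charset enumerates."""
    if charset_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("charset must be non-empty and 1 <= min_len <= max_len")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space: int, pmks_per_second: float) -> float:
    """Worst-case time to try every candidate at a sustained PMK rate."""
    return space / pmks_per_second


def human_time(seconds: float) -> str:
    """Render seconds as the largest sensible unit for a quick comparison."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


# Policies to compare: (charset size, min length, max length). The first one is the
# article's crunch example; 95 is the printable ASCII set most generators offer.
POLICIES = {
    "digits only, 1-6 chars (crunch 1 6 0123456789)": (10, 1, 6),
    "lowercase letters, exactly 8 chars": (26, 8, 8),
    "printable ASCII (95 symbols), exactly 8 chars": (95, 8, 8),
    "printable ASCII (95 symbols), exactly 16 chars": (95, 16, 16),
}
ASSUMED_RATE = 100_000.0  # assumed PMKs/second; replace with your own benchmark


def compare_policies(rate: float = ASSUMED_RATE):
    """Return {policy: (key space, worst-case seconds)} at the given rate."""
    return {name: (keyspace(*p), seconds_to_exhaust(keyspace(*p), rate))
            for name, p in POLICIES.items()}


if __name__ == "__main__":
    for name, (space, secs) in compare_policies().items():
        print(f"{name}: {space:,} candidates, worst case {human_time(secs)}")
```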
Tips and Tricks:
During my testing I noticed that the xorg.conf file does not keep the changes the proprietary drivers need after a restart. To combat this you can add a few lines to your rc.local script so that the configuration tool for your graphics driver runs at startup. This is also useful if you plan on moving the flash drive around to different machines that have different graphics cards installed. In the latter case you will need to make sure you have both the Nvidia and ATI drivers installed. In the image below, I have it configured to run the configuration utilities for both display drivers. If you plan on using the flash drive in a computer that only has Nvidia graphics cards, then you don't need the other configuration tool to run, and vice versa.
To edit your rc.local file you would type in the following commands:
nano /etc/rc.local
When you are done making the changes, don't forget to hit Ctrl-O to write out the file and then Ctrl-X to exit nano.
Please send me the wifi master key.
You're kidding, right? You do have some kind of idea how Wi-Fi works, right?
Software please.
How to hack wifi within 100 m with a Dell laptop?
What would be even more useful is to run a generic cluster using GPUs and boot CDs/USB drives. Imagine being able to throw a problem like generating rainbow files, simulating weather, rendering 3D scenes, playing chess (Grin) or whatever you want so long as the algorithm is suitable to clusters.
I wonder if anyone makes motherboards with several PCI-E slots for rackmount render farms… It would be an economical solution for some people who need to do huge batch rendering jobs. Come to think of it, the same reasoning applies to recoding videos.
Actually Nvidia has a solution that is exactly as you described (using their video cards of course). It’s called Tesla. You can read more about their solutions at their site. http://www.nvidia.com/object/tesla_computing_solutions.html