Updated Oct 13, 2009 by lukas.lueg
Labels:	Featured

ReferenceManual

Reference manual for the commandline-client

Introduction

This document tries to describe and explain all functions the commandline-client pyrit provides. Please notice that this document always refers to the latest stable versions so actual functionality might differ if you use code from svn-trunk.

One or more options may be given on the commandline to customize a command:

pyrit [options] command

The exact behaviour of options depends on the command and is described in the specific section further below.

If command succeeds, pyrit's process exit status is set to 0; otherwise it is set to 1 and (usually) an error message or a python-traceback is written to stderr. You may want to read the Troubleshooting-page in case you run into problems.

Options

Pyrit recognizes the following options:

-b

Specifies a BSSID. Can be used to restrict commands to certain Access-Points.

-e

Specifies the ESSID. Commands usually refer to all ESSIDs in the database when this option is omitted.

-f

Specifies a filename. Beware that depending on the given command this may be a file that is read from or written to. The special filename '-' can be used for stdin/stdout.

-r

Specifies a packet-capture file in pcap format (possibly gzip-compressed).

Commands

analyze

Parse one or more packet-capture files (in pcap-format, possibly gzip-compressed) and try to detect Access-Points, Stations and EAPOL-handshakes. For example:
pyrit -r "test*.pcap" analyze

The suffix 'handshake found' is appended to the Station's BSSID if the communication between the Access-Point and the Station seems to include a valid EAPOL-handshake.

attack

Synonym for attack_batch

attack_batch

Attack an EAPOL-handshake found in the packet-capture file(s) given by the option -r using the Pairwise Master Keys and passwords stored in the database. The options -b and -e can be used to specify the Access-Point to attack; it is picked automatically if both options are omitted. For example:
pyrit -r test.pcap -e MyNetwork -b 00:de:ad:c0:de:00 attack_batch

Pairwise Master Keys that have been computed previously and are stored in the database are taken from there; all other passwords are translated into their respective Pairwise Master Keys and added to the database for later re-use. ESSIDs are created automatically in the database if necessary.

attack_cowpatty (0.2.5)

Attack an EAPOL-handshake found in the packet-capture file(s) given by the option -r using Pairwise Master Keys from a cowpatty-like file (e.g. generated by genpmk/export_cowpatty) given by the option -f. The options -b and -e can be used to specify the Access-Point to attack; it is picked automatically if both options are omitted. The cowpatty-file may be gzip-compressed and must match the chosen ESSID. For example:
pyrit -r test.pcap -e MyOwnNetwork -f MyOwnNetwork.cow.gz attack_cowpatty

Pyrit's own database is not touched by attack_cowpatty

attack_db

Attack an EAPOL-handshake found in the packet-capture file(s) given by the option -r using the Pairwise Master Keys stored in the database. The options -b and -e can be used to specify the Access-Point to attack; it is picked automatically if both options are omitted. For example:
pyrit -r test.pcap -e MyOtherNetwork attack_db

Only Pairwise Master Keys that have been computed previously and are stored in the database are used by attack_db.

attack_passthrough

Attack an EAPOL-handshake found in the packet-capture file given by the option -r using the passwords read from the file given by the option -f. The options -b and -e can be used to specify the Access-Point to attack; it is picked automatically if both options are omitted. For example:
pyrit -r test.pcap -b 00:de:ad:be:ef:00 -f words.txt attack_passthrough

This command circumvents Pyrit's database and should only be used if storage-space is a problem (e.g. on LiveCDs). You should consider using attack_batch otherwise.

batch

Start to translate all passwords in the database into their respective PMKs and store the results in the database. The option -e may be used to restrict this command to a single ESSID; if it is ommitted, all ESSIDs are processed one after the other in undefined order. For example:
pyrit -e NETGEAR batch

The option -f can be used to specify a filename the results should additionally be written to in cowpatty's binary format. The option -e becomes mandatory and the ESSID is automatically created in the database if necessary. Pairwise Master Keys that previously have been computed and stored in the database are exported from there without further processing. Pyrit stops and exits if an IOError is raised while writing to the specified file but signals success on exit. This makes it very convenient to pipe results directly to other programs but also keep them for later use. For example:
pyrit -e NETGEAR -f - batch | cowpatty -d - -r wpatestcapture.cap -s NETGEAR

benchmark

Determine the peak-performance of the available hardware by computing dummy-results. For example:
pyrit benchmark

The results given by benchmark include readings like "Occ. 99.8%; RTT 2.9". This means the core was occupied (computing and not e.g. waiting for more work) 99.8% of the time and had an average round-trip-time (execution time per call to hardware) of 2.9 seconds. Pyrit's scheduling mechanisms target a RTT of 3.0 seconds and 100% occupancy.

create_essid

Add the ESSID given by -e to the database. Re-creating an existing ESSID does not result in an error. For example:
pyrit -e NETGEAR create_essid

delete_essid

Delete the ESSID given by -e from the database. This includes all results that may have been stored for that particular ESSID. For example:
pyrit -e NETGEAR delete_essid

eval

Count all available passwords, all ESSIDs and their respective results in the database. For example:
pyrit eval

export_passwords

Write all passwords that are currently stored in the database to a new file given by -f. Passwords are terminated by a single newline-character (\n). Existing files are overwritten without confirmation. For example:
pyrit -f myword.txt.gz export_passwords

export_cowpatty

Write all results for the ESSID given by -e to the file given by -f in cowpatty's binary format. Existing files are overwritten without confirmation. For example:
pyrit -f NETGEAR.cow -e NETGEAR export_cowpatty

export_hashdb

Write all results currently stored in the database to the airolib-ng-database given by -f. The database is created with a default table layout if the file does not yet exist. The option -e can be used to limit the export to a single ESSID. For example:
pyrit -f NETGEAR.db -e NETGEAR export_hashdb

import_passwords

Read the file given by -f and import one password per line to the database. The passwords may contain all characters (including NULL-bytes) apart from the terminating newline-character \n. Passwords that are not suitable for being used with WPA-/WPA2-PSK are ignored. Pyrit's storage-implementation guarantees that all passwords remain unique throughout the entire database. For example:
pyrit -f dirty_words.txt import_passwords

list_cores

Show a list of all available hardware modules pyrit currently uses. For example:
pyrit list_cores

list_essids

Show a list of all ESSIDs currently stored in the database. This function is faster than eval in case you don't need to know the number of computed results. For example:
pyrit list_essids

passthrough

Read passwords from the file given by -f and compute their PMKs for the ESSID given by -e. The results are written to stdout in cowpatty's binary format and are not stored in the database for later use. This command therefor circumvents the entire database and should only be used if storage-space is a problem (e.g. when using pyrit on a LiveCD). The batch-command provides exactly the same functionality as passthrough but can give much better performance as results may be read from the database instead of recomputing them. For example:
pyrit -f dirty_words.txt.gz -e NETGEAR passthrough | cowpatty -d - -r wpatestcapture.cap -s NETGEAR

selftest

Run an extensive selftest for about 60 seconds. This test includes the entire scheduling-mechanism and all cores that are listed by list_cores. You can use this function to detect broken hardware-modules or malicious network-clients. For example:
pyrit selftest

strip

Parse one or more packet-capture files given by the option -r, extract only packets that are necessary for EAPOL-handshake detection and write a new dump to the filename given by the option -f. The options -e and -b can be used to filter certain Access-Points. For example:
pyrit -r "large_dumps_*.pcap" -e MyNetwork -f tiny_compressed_dump_MyNetwork.dump.gz strip

stripLive (0.2.5)

Parse a packet-capture file given by the option -r, extract only packets that are necessary for EAPOL-handshake detection and write a new dump to the file given by the option -f. This command differs from strip as the capture-file can be any character device including sockets and other pseudo-files that look like files in pcap-format. stripLive writes relevant packets to the new file given by -f as they arrive instead of trying to read the entire capture-file first.
pyrit -r /temp/kismet_dump -f small_dump.pcap stripLive

verify

Randomly pick 10% of the results stored in the database and verify their value by recomputation. You need this function if you suspect broken hardware or malicious network-clients. For example:
pyrit -e NETGEAR verify