Using the new CCMP-attack in Pyrit

The last post described some of the background details of how the new CCMP-attack works. Using this feature in Pyrit is quite easy:

As the Temporal Key is not used during the authentication but only in the following data-stream, Pyrit needs more than just the fourway-handshake. The ‘analyze‘-command from now on indicates if an encrypted packet can be associated with an authentication and sufficiently constrained to actually “belong” to this authentication (encrypted with the Temporal Key from that authentication). A simply asterisk shows that:

>pyrit -r wpa2psk-linksys.dump.gz analyze
Pyrit 0.4.1-dev (svn r304) (C) 2008-2011 Lukas Lueg
This code is distributed under the GNU General Public License v3+

Parsing file ‘wpa2psk-linksys.dump.gz’ (1/1)…
Parsed 499 packets (499 802.11-packets), got 1 AP(s)

#1: AccessPoint 00:0b:86:c2:a4:85 (‘linksys’):
#1: Station 00:13:ce:55:98:ef, 3 handshake(s):
#1: HMAC_SHA1_AES, good*, spread 1
#2: HMAC_SHA1_AES, good*, spread 1
#3: HMAC_SHA1_AES, good*, spread 1

All “attack“-commands from now on understand the new switch “–aes“. This switch tells Pyrit to attack an authentication using the new CCMP-approach if possible. You can, in fact, apply this switch all the time. Pyrit will figure out if the CCMP-path is actually possible. The switch will be removed (or reversed) in the future.

>pyrit -r wpa2psk-linksys.dump.gz -i dict.gz –aes attack_passthrough
Pyrit 0.4.1-dev (svn r304) (C) 2008-2011 Lukas Lueg
This code is distributed under the GNU General Public License v3+

Parsing file ‘wpa2psk-linksys.dump.gz’ (1/1)…
Parsed 499 packets (499 802.11-packets), got 1 AP(s)

Picked AccessPoint 00:0b:86:c2:a4:85 (‘linksys’) automatically.
Tried 4094 PMKs so far; 1049 PMKs per second.

The password is ‘dictionary’.

Pyrit can use the new AES-NI instruction-set found in recent processors (e.g. Intel Sandy Bridge) to boost performance. The “list-cores“-command shows if the local processor supports this instruction-set:

> pyrit list_cores
Pyrit 0.4.1-dev (svn r304) (C) 2008-2011 Lukas Lueg
This code is distributed under the GNU General Public License v3+

The following cores seem available…
#1:  ‘CPU-Core (SSE2/AES)’
#2:  ‘CPU-Core (SSE2/AES)’
#3:  ‘CPU-Core (SSE2/AES)’
#4:  ‘CPU-Core (SSE2/AES)’

Note that a recent version of GCC 4.4+ is required to compile the intrinsics for the new AES-NI instructions. Pyrit‘s module will not be able to use the hardware-based AES-acceleration if it was compiled with a previous version of GCC.

Please also note that this feature is currently only the the svn-codebase and not found in a released stable version. Your help is required to make this process faster. Please submit cases where Pyrit is able to successfully attack a handshake using the original approach but fails to do so when the –aes switch is applied. Such regressions need to be sorted out before we can make the new CCMP-approach a default and get a new stable version 0.4.1 out onto the road. Please open a bug on Pyrit’s bugtracker for these cases (including all necessary information).


  1. […] Putting this all together, the number of passwords Pyrit can check on my Intel i7 4×3.4Ghz increases from 5.4 million to 7.9 million per second, a straight 50% increase. I will post more details about how to use this new feature in the next blog-entry. […]

  2. “Intel i7 4×3.4Ghz increases from 5.4 million to 7.9 million per second”

    Is it true? My ati 5970 make only 150.000 per second.

    • What dose he mean “Intel i7 4×3.4Ghz increases from 5.4 million to 7.9 million per second”

      Are you saying that you can do 7.9 million PMKs a second with aes?

      • yes

      • Well I don’t know if I can wait for the new AMD bulldozer chips to come out I might have to switch to Intel.

    • Your ATI 5970 can compute 150.000 Pairwise Master Keys per second. That number will not change with the recently introduced feature. What has been improved is the performance you get out of these pre-computed Pairwise Master Keys.

      • So firstly, you generate LARGE hash database with SSID and dictionary.

        Secondly, you compare the hash database with the handshake. (there is use the new AES-IN instruction?!)

        This is good?

  3. In order to help with regression, I could configure my router for CCMP, capture handshake, and provide the file for your testing. I do not have nearly the hardware to test myself … is this idea useful?

    • You are very welcome to do that. However only those cases are of interest where Pyrit is not able to find the correct password when using the “–aes” switch but can find it when the switch is omitted. This would demonstrate a case where either Pyrit fails to correctly mount the CCMP-approach or wrongly picked that approach in the first place.

  4. Immy:
    Yes, you are right, this whole attack is just about to speed up things after you got a huge Hash-DB computed or downloaded.

    Will do some tests ASAP and see if pyrit can do the job as it is supposed to :)

    • For example you generate hash database for the “linksys” SSID.
      If you want to break “linksys1” SSID network, you will not use “linksys” database?!

      In my conclusion the best way if you want to break different SSID network, you use the “attack_passthrough”.

      • That is true indeed, but it is possible to create a database with more than one SSID in it, have look at the Church of Wifi WPA-tables, they have the 1000 most common SSIDs and 1million most popular passwords compiled in them :)

  5. My conclusion:

    New CCMP attack only use, when you have got a pre-computed hash database.

    Is this true?

    • You can in fact use it in “passthrough”-like attacks. However as 99% of the required cpu- or gpu-time is spent computing the Pairwise Master Key, you don’t get much benefit from improving the remaining 1% to 0.5%

    • Yes, since the whole attack has improved the process that happens AFTER the PMK has been computed (or read from a hash-DB).

  6. So you’re trying to brute force WPA2 with a dictionary and found a newer faster way to do it?

    Is it useful?

    • Pretty much yes, probably not too useful on the practical side, but more revolutionary on the theoretical side.

    • Yes, I think so. There are two sides to this:

      1) More performance is always useful.
      2) With the cloud (TM) becoming more and more available and tools like Pyrit moving there, performance improvements can also be leveraged against cost: You can either have better performance with the same cost or the same performance as before with less cpu-time and therefor cost.

  7. Can pyrit use cuda and AES-NI instructions at the same time?

    • Yes, they are totally unrelated.

      • Thanks :D

  8. Not to necro comment, but how do I filter these “Temporal Keys” from a wireshark filter?

    • AFAIK Wireshark can’t do that. You can take a look at and _cpyrit_cpu.c on how to compute the Temporal Keys from authentication-data.

  9. […] concern is that there is a tool called Pyrit which claims to make 7.9 million password guesses per second or about 682.5 Billion per day. This […]

Comments RSS TrackBack Identifier URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.