Moscrack 2.08b
Copyright 2011 Ryan Babchishin

Contents:

1. Version info
2. Description
3. Supported software
4. Requirements
5. Installation
6. Usage
7. SSH and RSH modes
8. Aircrack-ng + Mosix?
9. Moscrack GUI
10. Hot config support
11. File access modes
12. Performance
13. Auto tuning mode
14. Moscrack monitoring tool
15. Pyrit
16. Checkpoint and resume
17. Hang detection
18. Dynamic node configuration
19. Node types
20. Plugins
21. API

1. Version info

This release contains a new plugin framework that allows Moscrack to be extended beyond its original design. Currently there are only two plugins, Pyrit and Dehasher. I hope you are pleased. Please review release-notes.txt for details.

Further documentation, screenshots, downloads: http://moscrack.sf.net

If you find any serious bugs please let me know, as I don't want people to be disappointed. Since this release is a beta, there could still be problems with it. Check back for updates often, as Moscrack is always improving. SVN always has the latest bug fixes and enhancements if you are looking for them.

SVN download:

  svn co https://moscrack.svn.sourceforge.net/svnroot/moscrack moscrack

2. Description

Moscrack facilitates the use of a WPA cracker on a cluster. Currently it works with Mosix (clustering software), SSH, RSH and Pyrit. It works by reading a word list from STDIN or a file, breaking it into chunks and passing those chunks off to separate processes that run in parallel. The parallel processes can then execute on different nodes in your cluster. All results are checked and recorded on your master node. Logging, error handling, etc. are all handled for you. Moscrack is capable of running for long periods of time (days/weeks/months) reliably and without risk of losing data or having to restart.

3. Supported software

See the Requirements section below.

4. Requirements

Master server:
- Linux (possibly others)
- Mosix (optional)
- zenity (GUI support)
- Pyrit (optional)
- rsh/rcp clients (optional)
- scp client (optional)
- Perl 5.8
- Perl modules: DateTime, Math::Round, Getopt::Lucid, Acme::Tools, Storable, Term::ANSIColor, File::Basename, Struct::Compare, LWP::UserAgent, HTTP::Request, Net::SSH2, Compress::Zlib, Config::Std

End nodes:
- Linux/Cygwin/FreeBSD/Solaris/MacOSX/iPhone (all tested), or the Moscrack Live CD
- One of: Mosix, SSH v2 daemon, RSH daemon, Pyrit in serve mode
- aircrack-ng v1.1, unless using Pyrit

5. Installation

This assumes you are using 'copy' file mode. If you want to know more, see "File access modes".

- Run ./install_modules to check for (and optionally install) the required Perl modules
- Copy moscrack, mosctop, moscd and moscapid to anywhere you like, possibly somewhere in your path like /usr/local/bin
- Configure your system to start moscapid, and optionally moscd, on startup
- Copy moscrack.cgi to your web server's cgi-bin (it doesn't need to be on the Moscrack master)
- Edit moscrack.conf and copy it to /etc/moscrack/moscrack.conf
- Copy plugins/ to /etc/moscrack/plugins/
- Create a working directory (home) for Moscrack, e.g. /opt/moscrack/
- Edit nodes.dat and add all of your nodes and their types. The format is documented in the file. Copy it to the location you specified in the configuration file.
- Start moscapid (needed by mosctop and moscrack.cgi)
- Tune nodes.dat (mandatory). See "Auto tuning mode" and optionally "Performance" for details.
- If using ssh nodes, set up public-key authentication with each node, e.g.
  ssh-copy-id user@node

- If using rsh nodes, configure the .rhosts file on each node
- Install aircrack-ng on each node (or pyrit, see "Plugins")
- Make sure you can access all nodes (of any type) without a password
- Launch "moscd" if using dynamic nodes (see "Dynamic node configuration")
- Run "moscrack" (see the Usage section)
- In another terminal, optionally run "mosctop" to watch what's going on
- Access http://yourserver/cgi-bin/moscrack.cgi to view the CGI status interface

6. Usage

You start it like this:

  ./moscrack -c CAPTURE -e ESSID -w WORDLIST

If WORDLIST is "-", moscrack reads from STDIN. This allows you to use word list generators such as john or crunch.

Ex. using a word list:

  moscrack -c ./MYSSID-01.cap -e MYSSID -w mywordlist.txt

Ex. using john the ripper to generate an incremental wordlist by piping to STDIN:

  john -i:WPA -stdout | moscrack -c ./MYSSID-01.cap -e MYSSID -w -

7. SSH and RSH modes

You can configure nodes of type "ssh" or "rsh". All they need to communicate with Moscrack is an ssh/rsh daemon. These modes are actually pretty useful even if you run a Mosix cluster. I use it for my 32 bit systems as my master is 64 bit.

SSH mode requires that you use public-key password-less authentication and the same user name on every node. RSH mode requires that you configure each node's .rhosts file to allow connections from the Moscrack master as the same user on every node. Keep in mind that rsh/rcp send everything in the clear and trust the client's host name, so rsh nodes belong on a trusted LAN; use ssh nodes over any link you don't control.

8. Aircrack-ng + Mosix?

Aircrack-ng is super fast, but it uses threads, and Mosix doesn't work with threads. So I made the decision to keep using Mosix because it's so easy to use, and just run aircrack-ng in "Native Mode" (mosrun -E). In this mode, processes behave as if they were spawned with rsh/ssh: they cannot be migrated and they cannot access resources on the home node.

9. Moscrack GUI

Moscrack contains an experimental GUI. It hasn't been used/tested very much as I don't care much about GUIs. To launch the GUI, cd to the moscrack share and run it.
It is important that it runs relative to the share that moscrack and related files reside in. You must still load wordlists, etc. from that share only, as the other nodes need to access all of it. E.g.

  $ cd /haze
  $ ./gui

10. Hot config support

Moscrack allows you to add/remove/modify nodes on the fly while it is running. Just edit nodes.dat to your liking and save it. You'll see Moscrack notice the change and pick up/remove the nodes as configured. Chunk size will be recalculated and chunk files resized as needed.

Hot config will not load plugins. They must be loaded at startup.

11. File access modes

Moscrack has two different ways to share files with nodes: "shared" and "copy" modes. The default file mode is "copy".

Usage: To change the file mode, set "fileMode" in the configuration file. You can also specify the --filemode argument on the command line.

Shared mode:
- Shared storage is required, like NFS, SMBFS, whatever
- Master and nodes all access the same files

The advantage of shared mode is that it could be much faster depending on your setup (direct IO shared filesystem, GigE). It also doesn't have the lag that SSH/RSH have when logging in, etc.

Copy mode:
- Files are copied to each node for processing as needed and then cleaned up

The advantage of copy mode is that it may work better with slow links (Internet) and requires less configuration of the node. Copy mode uses scp for ssh nodes, rcp for rsh nodes and Mosix pipes/IO for Mosix nodes.

12. Performance

Mosix:
Mosix nodes are the fastest for local and fast networks because of reduced latency, no encryption, no login, direct pipes, etc. i.e. Mosix was made for this kind of thing.

Compression:
Moscrack uses compression for file transfers in copy file mode on ssh nodes. Mosix can use its own compression if you configure it. Copy file mode is probably best for slower links. Shared file mode will not use any compression unless your file sharing protocol supports it.
Network IO:
One thing you can do to reduce network IO and file transfer time is to extract the WPA handshake from your capture file. This will reduce the size of the file significantly. For example, I have one that is 1.3MB, but when extracted the resulting handshake is only 2.5KB. This can make a big difference for ssh nodes in copy file mode, as they receive a copy of this file with every chunk; 1.3MB could waste a lot of bandwidth and time over the lifetime of a long cracking session.

You can use the included shrinkCapFile script to extract the handshake from your capture file. It depends on tshark, the text version of wireshark.

Usage:

  shrinkCapFile CAPTURE

A file named after the input with -handshake.cap appended will be created in the current directory. Use that file with Moscrack instead of the original capture file.

Node Multiplier and Chunk Size:
In the nodes configuration file you can specify a speed in keys/sec for each node. This determines how many chunks a node will receive at a time for processing. The base chunk size is set in the configuration file.

Moscrack uses an algorithm to determine how many chunks a node gets. Each node's speed is compared against all others, and the slowest node is used as the baseline for a "node multiplier". The slowest node gets a multiplier of "1" and every other node gets a value representing its speed as a multiple of the slowest node, rounded down to a whole number.

e.g. Node A = 500 k/s, Node B = 1200 k/s, Node C = 650 k/s
- Node A is the slowest, set to multiplier "1" and used as the baseline for comparison
- Node B is 2x faster than Node A, set to multiplier "2"
- Node C is not 2x faster than Node A, set to multiplier "1"

Each node gets MULTIPLIER chunks at a time, e.g. using the same nodes as above with the base chunk size set in the conf file:

  chunkSize = 100000

- Node A gets 100000 words at a time
- Node B gets 200000 words at a time
- Node C gets 100000 words at a time

The advantage of the variable chunk size approach is that, if tuned properly, faster nodes will come back for new chunks at around the same time as slower nodes. This prevents fast nodes from wasting time fetching small chunks and slower nodes from holding up processing by faster nodes. Tuning the chunk size and setting node speeds can provide a significant performance improvement.

Auto-Chunksize Settings:
Moscrack has various methods of automatically determining the chunk size for you. These settings are documented in the sample moscrack.conf.

Auto-Tuning:
Moscrack has a special mode for automatically determining your nodes' processing speed. See "Auto tuning mode" for details.

Node Prioritization:
Based on the node speed setting, the fastest free/available node is always chosen to process a chunk. e.g. if node1 has a speed of 1200 and node2 has a speed of 822 and both are free, node1 will be used first. When the time comes to process another chunk, the list of available nodes is prioritized again. All nodes will still be used, just starting from fastest to slowest.

13. Auto tuning mode

Moscrack can automatically determine your nodes' processing speed using your nodes configuration file. To do this, pass the command line argument --tune.

Example:

  ./moscrack --tune -c tune.cap -w tune.words -e test

You can specify specific nodes instead of doing the whole file:

  ./moscrack --tune -c tune.cap -w tune.words -e test -n mynode1.net -n mynode2.net

In the above example, tune.cap and tune.words are files in the tuning/ sub-directory of Moscrack. They are intended for this purpose. The essid for tune.cap is 'test'. tune.words is 2000 lines and does not contain the key. This ensures the whole word list is processed. You can use your own files, but these are provided to make your life easier.
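With per-node speeds in hand (set by hand in nodes.dat or recorded by --tune), here is how the node multiplier, chunk size and prioritization rules from section 12 play out. This is an added Python 3 example written for this README, not Moscrack's own code; the node names, the dict layout and the simulated timing in dispatch_order are assumptions made for the example.

```python
"""Added example, not Moscrack's own code: node multiplier, per-node chunk
size and fastest-free-node prioritization from the Performance section,
worked on a constructed node table.  Node names and the dict layout are
assumptions made for this example."""
import heapq

# Constructed node table: name -> speed in keys/sec, as you would set in
# nodes.dat by hand or record with --tune.  Values are the ones used in
# the README's worked example.
NODES = {"nodeA": 500, "nodeB": 1200, "nodeC": 650}
CHUNK_SIZE = 100000  # base chunkSize from moscrack.conf


def multipliers(speeds):
    """Slowest node is the baseline with multiplier 1; every other node
    gets the whole number of times it is faster than the slowest."""
    if not speeds:
        return {}
    slowest = min(speeds.values())
    if slowest <= 0:
        raise ValueError("node speeds must be positive keys/sec")
    return {name: max(1, int(speed // slowest)) for name, speed in speeds.items()}


def chunk_words(speeds, chunk_size=CHUNK_SIZE):
    """Words handed to each node per dispatch: MULTIPLIER * chunkSize."""
    return {name: mult * chunk_size for name, mult in multipliers(speeds).items()}


def chunk_seconds(speeds, chunk_size=CHUNK_SIZE):
    """Seconds each node needs for its chunk; close values mean the nodes
    come back for work at about the same time, which is the goal of tuning."""
    return {name: round(words / speeds[name], 1)
            for name, words in chunk_words(speeds, chunk_size).items()}


def pick_node(speeds, free):
    """The fastest free node is always chosen; the choice is re-made on every
    dispatch, so slower nodes still get work once the fast ones are busy."""
    candidates = [name for name in free if name in speeds]
    if not candidates:
        return None
    return max(candidates, key=lambda name: speeds[name])


def dispatch_order(speeds, total_words, chunk_size=CHUNK_SIZE):
    """Simulate a run: every node starts free, takes its chunk, and is busy
    for words/speed seconds.  Returns (time, node, first_word, count) per
    dispatch, in the order the rules above would hand chunks out."""
    sizes = chunk_words(speeds, chunk_size)
    free = set(speeds)
    busy = []            # heap of (finish_time, node)
    now, pos, log = 0.0, 0, []
    while pos < total_words:
        node = pick_node(speeds, free)
        if node is None:                   # everyone busy: wait for the first finisher
            now, node = heapq.heappop(busy)
            free.add(node)
            continue
        count = min(sizes[node], total_words - pos)
        log.append((round(now, 1), node, pos, count))
        pos += count
        free.remove(node)
        heapq.heappush(busy, (now + count / speeds[node], node))
    return log


if __name__ == "__main__":
    print("multipliers  :", multipliers(NODES))
    print("words/chunk  :", chunk_words(NODES))
    print("seconds/chunk:", chunk_seconds(NODES))
    for when, node, first, count in dispatch_order(NODES, 1000000):
        print("t=%7.1fs %s gets words %d..%d" % (when, node, first, first + count - 1))
```

chunk_seconds is the number to watch when tuning: with the README's three nodes it comes out at 200.0, 166.7 and 153.8 seconds, so node A is the one holding the others up, and either raising chunkSize or correcting A's recorded speed is where to look.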
Upon completion, Moscrack will print out your nodes configuration with the node speeds included. It will also write this information to nodes.dat.tuned, which you can rename and use as your nodes.dat.

How it works:
It reads nodes.dat and loads your configuration. It then executes aircrack-ng on each of your nodes using a small word list and a capture file whose key is not in that list. The whole word list will be processed and aircrack-ng will tell Moscrack how fast the machine was able to test the words. This measurement (keys/sec) is recorded per node.

14. Moscrack monitoring tool

There are two tools.

Terminal application mosctop:
Moscrack includes a separate tool for monitoring its activity. It displays data in a fashion similar to Un*x "top", thus the name "mosctop". Mosctop works by reading "status.dat", which is created and updated often by Moscrack while it is running. It uses the data from the file to display the following things per node: name, last result, status, failure count, throttle time left, PID of the current process handling this node, chunk file. It also displays the computation rate in words/sec and the amount of data processed as a percentage.

To use mosctop, cd to the working directory for Moscrack (where status.dat is) and run it.

CGI interface moscrack.cgi:
There is a CGI script that does basically what mosctop does, but looks a little nicer. Just copy moscrack.cgi to your web server's CGI directory and edit it, setting the value of "my $statusFile = " to the path of status.dat, which is generated by Moscrack and resides in your Moscrack working directory.

15. Pyrit

Pyrit is an open-source WPA cracker that has the ability to process data in parallel on multiple nodes (like Moscrack) as well as use CUDA and OpenCL drivers to offload processing onto graphics cores. If you have any high end graphics cards, it is worth trying it.
Moscrack can use a local Pyrit client to process data and can use any resources that Pyrit has to offer, such as other Pyrit nodes that it is configured to use and graphics cores. Therefore there are no "pyrit" nodes, rather a single entry in the nodes.dat file identifying that pyrit should be used. Nodes of any other type can still be used alongside Pyrit.

Pyrit support has been moved to a plugin. See "Plugins" for details.

16. Checkpoint and resume

Moscrack writes data regarding its progress through the wordlist to a file called "position.dat". If Moscrack is interrupted, that data can be used to resume processing where it left off.

Usage:
To have Moscrack determine your last processed line in the wordlist, run the following command in the Moscrack working directory. It will give you a line number and a word. This is the last line/word that Moscrack completed processing. Before resuming it is recommended that you back up position.dat in case something goes wrong and it is overwritten.

  moscrack --position

To resume, supply the line number provided by --position and run this command:

  moscrack --resume -P CAPTURE -w WORDLIST -e ESSID

It's up to you to make sure you specify the same word list, capture file, etc. Moscrack will skip ahead and start processing at the position you specified. Resume works with STDIN as well, since the position is a line count; the generator feeding STDIN must produce the same words in the same order as before.

17. Hang detection

Moscrack can detect whether a PID/node is hung (not responding or finishing). The feature is documented in the included moscrack.conf file.

One note about hang detection is that it assumes your nodes are always the same speed. So if your nodes are shared (doing other CPU intensive things) or are somehow going to change speed (slow down), e.g. virtual machines, Amazon EC2, variable clock speeds, then hang detection could cause problems for you.

18. Dynamic node configuration

Moscrack is packaged with client and server daemons that allow for automatic configuration and discovery of nodes.
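Going back to section 16, here is an added Python 3 example (written for this README, not code from Moscrack) of the checkpoint-and-resume idea: a chunked reader that records the last completed line and word after every chunk, and on resume skips that many lines, which is why the same mechanism works on a file and on a generator piped to STDIN. The position file layout (line number, tab, word), the temp-file-and-rename write, the chunk size and all names are assumptions made for the example, not Moscrack's actual format.

```python
"""Added example, not Moscrack's own code: chunked wordlist processing with a
position checkpoint and resume-by-line-number, as described in section 16.
The position file layout (line number, tab, word) and all names are
assumptions for this example."""
import io
import os
import tempfile


def read_position(path):
    """Return (line_number, word) from the position file, or (0, None)."""
    if not os.path.exists(path):
        return 0, None
    with open(path, encoding="utf-8") as fh:
        number, _, word = fh.read().rstrip("\n").partition("\t")
    return int(number), word


def write_position(path, line_number, word):
    """Write the checkpoint to a temp file and rename it into place, so an
    interruption mid-write cannot leave a truncated or empty checkpoint."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write("%d\t%s\n" % (line_number, word))
    os.replace(tmp, path)


def chunks(lines, chunk_size, skip=0):
    """Yield (first_line, last_line, words) per chunk after skipping the first
    `skip` lines.  Only counts lines, so it works on a file or on sys.stdin fed
    by a generator such as john or crunch, as long as the generator replays
    the same sequence."""
    line_no, words = 0, []
    for line in lines:
        line_no += 1
        if line_no <= skip:
            continue
        words.append(line.rstrip("\n"))
        if len(words) == chunk_size:
            yield line_no - len(words) + 1, line_no, words
            words = []
    if words:
        yield line_no - len(words) + 1, line_no, words


def run(lines, position_file, chunk_size, process, resume=False):
    """Process the list chunk by chunk, checkpointing after each completed
    chunk.  Returns the number of words processed in this run."""
    skip = read_position(position_file)[0] if resume else 0
    done = 0
    for _first, last, words in chunks(lines, chunk_size, skip):
        process(words)          # in Moscrack this is where a node gets the chunk
        write_position(position_file, last, words[-1])
        done += len(words)
    return done


def demo():
    """Constructed 10-word list, chunk size 3: interrupt before the third
    chunk, then resume.  Returns (words in run 1, checkpoint after the
    interruption, words in run 2, everything processed, in order)."""
    wordlist = ["pass%02d" % i for i in range(1, 11)]       # constructed input
    text = "\n".join(wordlist) + "\n"
    seen = []

    def interrupted(chunk):
        if len(seen) >= 6:          # simulate a crash/Ctrl-C before chunk 3
            raise KeyboardInterrupt
        seen.extend(chunk)

    with tempfile.TemporaryDirectory() as workdir:
        position = os.path.join(workdir, "position.dat")
        try:
            run(io.StringIO(text), position, 3, interrupted)
        except KeyboardInterrupt:
            pass
        first_run = len(seen)
        checkpoint = read_position(position)
        second_run = run(io.StringIO(text), position, 3, seen.extend, resume=True)
    return first_run, checkpoint, second_run, seen


if __name__ == "__main__":
    print(demo())
```

Note that the checkpoint is written only after a chunk has been fully processed: a chunk that was in flight when the interruption hit is repeated on resume rather than skipped, which is the safe direction to err in for a cracking run.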
As long as the Moscrack server and nodes are running these daemons, they will always be ready to work together, even across IP address changes, reboots, configuration changes, etc.

There is also a live CD available that runs SUSE Linux and auto-starts the Moscrack client daemon. All you need to do is boot a machine with it and it becomes a dynamic Moscrack node with no changes or server configuration necessary.

Full documentation is in README.daemon

The Moscrack Live CD is available at http://moscrack.sf.net

19. Node types

Moscrack supports a number of connectivity methods for executing commands. When you define a node in the nodes.dat configuration file, you must select one of these.

Node types available:

local
- execute a command locally
- perform no status check
- copy no files

ssh
- execute a command over SSH using the Net::SSH2 Perl module
- perform a TCP status check to the specified port
- copy files to the node with the scp command line utility if needed

rsh
- execute a command over rsh using the rsh command line tool specified in moscrack.conf
- perform a TCP status check to the specified port
- copy files to the node with the rcp command line utility if needed

mosix
- execute a command with mosrun, the Mosix cluster launching tool
- perform a status check with "mosrun -$node status"
- copy files by piping through the mosrun command

Example nodes.dat entry:

  192.168.0.1:ssh::5000

Plugins:
Plugins can be used instead of the standard node types to extend functionality. They still must be passed a standard node type, whether they use all of its features or not. Plugins can choose to behave differently based on what node type is passed to them. The format for the type field in nodes.dat for a plugin is:

  pluginName/type

Example:

  192.168.0.1:pyrit/rsh::5000

20. Plugins

Plugins are separate pieces of code that Moscrack can load at startup. Moscrack will only attempt to load plugins if the --plugin argument is specified. See --help for details.
Two basic types of plugins:

- Node definition: this plugin type defines a new node type. See "Node types" above for details.
- Other: this plugin type does not define a new node type, but alters Moscrack's behaviour in some other way.

Plugins by default are located in /etc/moscrack/plugins/. Any file in that directory with the extension .def will be loaded on startup. Since every .def file is code that the Moscrack master runs, keep that directory writable only by the account that runs Moscrack.

Using plugins:
Plugins may require command line arguments, configuration settings, etc.; you should view their documentation for full details. The --list argument will provide a list of the plugins available and their help facility if one is provided.

Prioritizing plugins:
If one plugin is dependent on another, you can load them in sequence by renaming the plugin files. Prefix the filename with a number such as 001, 002, etc. to have them load in that order. e.g. 001dehasher.def, 002dehasher-addon.def

Disabling plugins:
Rename the file so that it no longer ends in .def. e.g. dehasher.def.disabled

Creating your own plugins:
The framework for plugins is not 100% stable, but it should not change much. I'll try only to add to it in the future. The module "dehasher.def" is fully commented and is intended to document the plugin framework. Please use it as a template/example for your own plugins. If you develop a nice plugin and want to share it, send it to me and I will publish it with Moscrack.

Plugins bundled with Moscrack:
- pyrit.def: enables the use of Pyrit to crack WPA keys; can be combined with the default methods
- dehasher.def: enables the use of dehasher to dehash various hashes; disables other node types

Plugin documentation:
There is a plugins/pluginname.def.README for each plugin.

21. API

Moscrack has an API that is a work in progress. Only a few things are supported. API access is provided by "moscapid", which must run in the background on your Moscrack master server. Currently the API allows mosctop and moscrack.cgi to gather information remotely, i.e. without directly accessing Moscrack's status.dat.
moscrack.cgi is also able to stop Moscrack and should eventually be able to launch it. Since it can stop a running session, restrict who can reach moscrack.cgi in your web server, and likewise who can reach moscapid.

If you run mosctop or moscrack.cgi on a system other than the Moscrack master, copy /etc/moscrack/moscrack.conf to that system as it will be needed. Configure the moscapid section as necessary.

moscapid should now be considered a dependency of Moscrack's tools and be kept running at all times.