def build_pos_maker(self):
    """Build the 'pos_gen' model: latent noise vector -> single-channel tanh map.

    Reads ``self.latent_dim``, ``self.img_rows`` and ``self.img_cols``.
    Every trainable layer carries an explicit name (PD1, PC1..PC5, PB1..PB4).
    Returns a Keras ``Model`` named ``'pos_gen'`` whose input is the noise tensor.
    """
    # (conv filters, conv layer name, batch-norm layer name) per stage.
    stages = (
        (128, 'PC1', 'PB1'),
        (128, 'PC2', 'PB2'),
        (64, 'PC3', 'PB3'),
        (32, 'PC4', 'PB4'),
    )

    net = Sequential()
    # Project the noise vector to one 256-channel feature map.
    net.add(Dense(256 * int(self.img_rows * self.img_cols), activation="relu",
                  input_dim=self.latent_dim, name='PD1'))
    # NOTE(review): the reshape is (cols, rows, 256), not (rows, cols, 256);
    # confirm this ordering is intended for non-square sizes.
    net.add(Reshape((self.img_cols, self.img_rows, 256)))

    # Each stage upsamples and then applies a stride-2 "same" convolution,
    # so with UpSampling2D's default factor of 2 the spatial size is unchanged.
    for filters, conv_name, bn_name in stages:
        net.add(UpSampling2D())
        net.add(Conv2D(filters, kernel_size=3, strides=2, padding="same", name=conv_name))
        net.add(BatchNormalization(momentum=0.8, name=bn_name))
        net.add(Activation("relu"))

    # Collapse to one channel and squash into [-1, 1].
    net.add(Conv2D(1, kernel_size=3, strides=1, padding="same", name='PC5'))
    net.add(Activation("tanh"))
    net.summary()

    noise = Input(shape=(self.latent_dim,))
    print(noise)
    pos = net(noise)
    return Model(noise, Container(noise, pos)(noise), name='pos_gen')
//略
# Write the generator's current weights to 'pos_gan_weight.h5' (relative to
# the working directory). NOTE(review): a later snippet loads this same file
# into self.pos_maker, so the explicit layer names presumably have to match
# between the two models - confirm.
self.generator.save_weights('pos_gan_weight.h5')
2つの学習機をつなげる
# Chain the two models: noise -> pos_maker -> generator.
z = Input(shape=(self.latent_dim,))
pos = self.pos_maker(z)
# NOTE(review): `img` is not used by any line of this excerpt - confirm
# against the full source whether this input is still needed.
img = Input(shape=self.txt_shape)
fake = self.generator(pos)
# For the combined model only the generator is meant to be trained.
# Fix the pos_maker weights: restore them from the saved file, then freeze.
# The second positional argument (True) is presumably Keras' `by_name` flag,
# i.e. weights are matched to layers by layer name - confirm.
self.pos_maker.load_weights('pos_gan_weight.h5', True)
self.pos_maker.trainable = False
# The generator takes noise as input and generates imgs
z = Input(shape=(self.latent_dim,)) # defines the shape of the noise input
img = self.generator(z) # img is the generated image
# For the combined model we will only train the generator
self.discriminator.trainable = False
# The discriminator takes generated images as input and determines validity
valid = self.discriminator(img) # valid is the discriminator's verdict
# The combined model (stacked generator and discriminator)
# Trains the generator to fool the discriminator
self.combined = Model(z, valid) # model whose input is the noise and whose output is the verdict
# `optimizer` is defined outside this excerpt.
self.combined.compile(loss='binary_crossentropy', optimizer=optimizer)
# SECURITY: joblib.load() unpickles the file, and unpickling can execute
# arbitrary code embedded in it. Only load all_sentences.pkl from a directory
# that untrusted users cannot write to. The same applies to whoever later
# loads the word2vec.pkl written below.
sentences_path = '{0}/all_sentences.pkl'.format(WRITE_JOBLIB_DIR)
all_sentences = joblib.load(sentences_path)

# Lower-case every document and split it on whitespace into a token list.
sentences = [document.lower().split() for document in all_sentences]

print("Building Word2Vec")
word_model = Word2Vec(sentences, size=63, min_count=1, window=5)

# Persist the trained model next to the input data.
model_path = '{0}/word2vec.pkl'.format(WRITE_JOBLIB_DIR)
joblib.dump(word_model, model_path)
{method ‘acquire’ of ‘thread.lock’ objects} (0.7%)
cpyrit.py(<module>) (0.2%)
pyrit_cli.py(benchmark) (0.1%)
48cpu/0gpu
{time.sleep} (92.0%)
{method ‘acquire’ of ‘thread.lock’ objects} (4.5%)
pyrit_cli.py(benchmark) (2.21%)
cpyrit.py(<module>) (0.22%)
0cpu/4gpu
pyrit_cli.py(benchmark) (61.3%)
{method ‘flush’ of ‘file’ objects} (14.6%)
{method ‘acquire’ of ‘thread.lock’ objects} (12.4%)
cpyrit.py(dequeue) (4.04%)
48cpu/4gpu
{method ‘acquire’ of ‘thread.lock’ objects} (65.2%)
pyrit_cli.py:1184(benchmark) (16.5%)
cpyrit.py(dequeue) (5.0%)
{time.sleep} (3.8%)
だいたい上位に並ぶのはどれも同じ顔ぶればかりなのですが、下のほうに行けば行くほど、つまり、たくさんのCPUやGPUが仕事を要求するようになればなるほど、sleepよりも{method ‘acquire’ of ‘thread.lock’ objects}の処理時間がガンガン増えていく事がわかります。一番下の一番処理を取り合っているところではなんと6割もロックにつぎ込んでいます。これじゃあ、GPUでのパスワードのクラックではなく、ロックを取り合うプログラムを実行していたと言っても過言ではありませんな。
def main():
    """Time NormalSmooth against GpuSmooth on all-ones matrices of growing size.

    For every (rows, cols) pair drawn from 10, 100, 1000 and 10000, both
    functions are called once with the same two arrays. The wall-clock time
    of each call and the resulting speed ratio are printed.
    """
    sizes = [10, 100, 1000, 10000]

    def elapsed(smooth, first, second):
        # Wall-clock duration of a single call to `smooth`.
        begin = timer()
        smooth(first, second)
        return timer() - begin

    for R in sizes:
        for C in sizes:
            # Two separate float arrays per size; the largest case is
            # 10000 x 10000 elements each.
            A = np.ones((R, C))
            B = np.ones((R, C))

            normal_time = elapsed(NormalSmooth, B, A)
            print('When [{0}, {1}] matrix, NormalSmooth took {2} seconds'.format(R, C, normal_time))

            gpu_time = elapsed(GpuSmooth, B, A)
            print('When [{0}, {1}] matrix, GpuSmooth took {2} seconds'.format(R, C, gpu_time))

            print('x{0} speed'.format(normal_time/gpu_time))
~/src/Pyrit$ pyrit -r zoi.cap -i passwords.txt -b '00:1a:eb:ac:51:30' --all-handshakes attack_passthrough
Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+
Parsing file 'zoi.cap' (1/1)...
Parsed 4055 packets (4055 802.11-packets), got 104 AP(s)
Attacking 4 handshake(s).
Tried 1 PMKs so far; 0 PMKs per second. xxxxxxxxx
The password is 'xxxxxxxxx'.
$ pyrit -r zoi.cap -i test/dict.gz -b '00:1a:eb:ac:51:30' --all-handshakes attack_passthrough
Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+
Parsing file 'zoi.cap' (1/1)...
Parsed 4055 packets (4055 802.11-packets), got 104 AP(s)
Attacking 4 handshake(s).
Tried 4094 PMKs so far; 1552 PMKs per second. abrogate
Password was not found.
def attack_passthrough(self, infile, capturefile, essid=None, \
                       bssid=None, outfile=None, all_handshakes=False, \
                       use_aes=False):
    """Feed candidate batches to one AuthCracker per handshake and report a match.

    Excerpt: the parts marked ``# ...`` are elided, including the code that
    defines ``crackers`` and ``auths`` and whatever consumes ``errmsg``.

    infile          -- candidate source, opened through cpyrit.util.FileWrapper
    essid           -- passed on to PassthroughIterator
    outfile         -- if given, the recovered passphrase is written to it
    all_handshakes  -- test every entry of ``auths`` instead of only the first
    use_aes         -- forwarded to each AuthCracker
    capturefile and bssid are not used by any visible line.

    A passphrase can only be reported if a cracker ends up with a solution;
    otherwise the for/else below falls through to the "not found" message.
    """
    # ...
    if not all_handshakes:
        # Default: only the first handshake in `auths` is tested.
        crackers.append(cpyrit.pckttools.AuthCracker(auths[0], use_aes))
    else:
        self.tell("Attacking %i handshake(s)." % (len(auths),))
        for auth in auths:
            crackers.append(cpyrit.pckttools.AuthCracker(auth, use_aes))
    with cpyrit.util.FileWrapper(infile) as reader:
        with cpyrit.cpyrit.PassthroughIterator(essid, reader) as rstiter:
            # Every batch the iterator yields is handed to every cracker.
            for results in rstiter:
                for cracker in crackers:
                    cracker.enqueue(results)
                # ...
    for cracker in crackers:
        # join() waits for the cracker's queue to drain before its solution is read.
        cracker.join()
        if cracker.solution is not None:
            # NOTE: the recovered passphrase is printed in clear text and, if
            # outfile is set, stored unencrypted. Treat both the terminal log
            # and the output file as secret material.
            self.tell("\nThe password is '%s'.\n" % cracker.solution)
            if outfile is not None:
                with cpyrit.util.FileWrapper(outfile, 'w') as writer:
                    writer.write(cracker.solution)
            break
    else:
        # Runs only when no cracker produced a solution (loop ended without break).
        errmsg = "\nPassword was not found."
class AuthCracker(object):
    """Distribute result batches to a pool of cracker threads for one handshake.

    One worker is created per ``util.ncpus``, and all workers share a single
    bounded queue. ``solution`` stays ``None`` until a worker reports one.
    """

    def __init__(self, authentication, use_aes=False):
        """Pick the worker class for `authentication` and create the pool."""
        # Bounded to 10 pending batches, so enqueue() blocks while the queue is full.
        self.queue = Queue.Queue(10)
        self.workers = []
        self.solution = None
        # The CCMP worker is used only for an HMAC_SHA1_AES handshake that
        # carries a CCMP frame, and only when the caller opted in.
        ccmp_usable = authentication.version == "HMAC_SHA1_AES" \
            and authentication.ccmpframe is not None \
            and use_aes
        self.cracker = CCMPCrackerThread if ccmp_usable else EAPOLCrackerThread
        # NOTE(review): the workers presumably start their thread in their
        # own constructor; nothing here calls start() - confirm.
        self.workers.extend(self.cracker(self.queue, authentication)
                            for _ in xrange(util.ncpus))

    def _getSolution(self):
        """Copy the first solution found by any worker into self.solution."""
        if self.solution is not None:
            return
        for worker in self.workers:
            found = worker.solution
            if found is not None:
                self.solution = found
                break

    def enqueue(self, results):
        """Queue one batch for the workers, then poll them for a solution."""
        self.queue.put(results)
        self._getSolution()

    def join(self):
        """Wait for the queue to drain, ask every worker to stop, then poll once more."""
        self.queue.join()
        for worker in self.workers:
            worker.shallStop = True
        self._getSolution()
それぞれのCrackerはsolve()という(C言語で書かれた)メソッドを持ってて、ここへresultsというのが降ってくるのがわかりますが、このresultsというのは具体的に何なのだろう…と思って"The password is "のところまで戻ってもっかい手繰っていくと、cpyrit.cpyrit.PassthroughIteratorというところへ行き着き、これはさらにその名もCPyritというクラスに処理を投げていることが見て取れます。…そして、こちらにはCUDAとかなんとか書いてありますね。
class CPyrit(object):
    """Enumerates and manages all available hardware resources provided in
    the module and does most of the scheduling-magic.

    The class provides FIFO-scheduling of workunits towards the 'host'
    which can use .enqueue() and corresponding calls to .dequeue().
    Scheduling towards the hardware is provided by _gather(), _scatter() and
    _revoke().

    NOTE(review): this listing is an excerpt; only part of __init__ is shown
    and none of the methods named above appear in it.
    """

    def __init__(self):
        """Create a new instance that blocks calls to .enqueue() when more than
        the given amount of passwords are currently waiting to be scheduled
        to the hardware.

        NOTE(review): no limit parameter is visible in this excerpt, so where
        "the given amount" comes from cannot be confirmed here.
        """
        # Scheduling state; how each container is used is in code not shown here.
        self.inqueue = []
        self.outqueue = {}
        self.workunits = []
        self.slices = {}
        self.in_idx = self.out_idx = 0
        # One list per kind of compute core.
        self.cores = []
        self.CUDAs = []
        self.OpCL = []
        self.all = []
        # Condition variable owned by the scheduler. Presumably every core
        # thread synchronises on it when exchanging work - confirm.
        self.cv = threading.Condition()

        # CUDA
        # CUDA cores are created only when CUDA is enabled in the config, the
        # compiled CUDA extension module is already imported, and OpenCL is
        # switched off. Config values are compared as the strings 'true' and
        # 'false'.
        if config.cfg['use_CUDA'] == 'true' and 'cpyrit._cpyrit_cuda' in sys.modules and config.cfg['use_OpenCL'] == 'false':
            CUDA = _cpyrit_cuda.listDevices()
            # One CUDACore per listed device; only the device index is passed on.
            for dev_idx, device in enumerate(CUDA):
                self.CUDAs.append(CUDACore(queue=self, dev_idx=dev_idx))
        # ...

        # CPUs
        # One CPUCore per util.ncpus, each given this scheduler as its queue.
        for i in xrange(util.ncpus):
            self.cores.append(CPUCore(queue=self))
        # ...
なにはなくとも、まずは攻撃するために、ルータがスマホをパスワードで認証して通信を開始する「ハンドシェイク」の瞬間のパケットをキャプチャしましょう。以下、わたしの使っているMacBook Pro + OSX HighSierraでWPA2-PSKのパケットをキャプチャする方法を説明します。Linuxでの方法は他の人に譲ることにします。餅は餅屋なので。
$ pyrit list_cores
Pyrit 0.5.1 (C) 2008-2011 Lukas Lueg - 2015 John Mora
https://github.com/JPaulMora/Pyrit
This code is distributed under the GNU General Public License v3+
The following cores seem available...
#1: 'CPU-Core (SSE2/AES)'
(略)
#48: 'CPU-Core (SSE2/AES)'
The following CUDA GPUs seem aviable...
#1: 'CUDA-Device #1 'Tesla V100-PCIE-16GB''
#2: 'CUDA-Device #2 'Tesla V100-PCIE-16GB''
#3: 'CUDA-Device #3 'GeForce GTX 1080 Ti''
#4: 'CUDA-Device #4 'GeForce GTX 1080 Ti''