1
00:00:00,510 --> 00:00:08,370
So cracking WPA or WPA2 encrypted networks is not simple, especially that all the packets that are sent
2
00:00:08,370 --> 00:00:14,460
into the air are not useful for us as they do not contain any information that can help us determine
3
00:00:14,700 --> 00:00:17,040
the WPA key.
4
00:00:17,040 --> 00:00:23,640
Before we get into cracking WPA and WPA2, there is a feature called WPS.
5
00:00:23,660 --> 00:00:29,390
It allows users and clients to connect to the network by a push of a button.
6
00:00:29,550 --> 00:00:36,780
So on Windows 8, if you look, or some Wi-Fi printers, they have a WPS button.
7
00:00:36,900 --> 00:00:43,800
So if you press that button and you go to your router and press the WPS button there as well, or
8
00:00:43,800 --> 00:00:51,900
go to the configuration page and press the button, the client, the printer or your Windows device will
9
00:00:51,900 --> 00:00:55,220
connect to the network without having to enter the key.
10
00:00:55,380 --> 00:01:02,310
So the purpose of using WPS is it's a feature that allows clients to connect to the network easily without
11
00:01:02,310 --> 00:01:05,280
having to enter the WPA key manually.
12
00:01:05,280 --> 00:01:07,680
So it's just a feature in routers.
13
00:01:08,040 --> 00:01:14,230
This feature works and authenticates the clients using an eight digit PIN.
14
00:01:14,310 --> 00:01:17,540
So it doesn't use the actual WPA key.
15
00:01:17,580 --> 00:01:19,790
It uses an eight digit PIN.
16
00:01:19,830 --> 00:01:23,110
This is only digits and it's only 8 bits long.
17
00:01:23,250 --> 00:01:27,190
So there aren't too many possibilities for this.
18
00:01:27,190 --> 00:01:31,870
And if we use a brute force attack we are guaranteed to get this PIN.
19
00:01:32,310 --> 00:01:39,480
If we successfully get this PIN then we can use a tool called reaver which would calculate the WPA key
20
00:01:39,660 --> 00:01:40,670
from this PIN.
21
00:01:40,710 --> 00:01:46,470
So we're going to brute force the PIN, the digits, and because it's only 8 digits we're guaranteed
22
00:01:46,470 --> 00:01:48,680
to be able to brute force it successfully.
23
00:01:48,840 --> 00:01:53,840
Once we do that we can calculate the WPA key using reaver.
24
00:01:54,330 --> 00:01:57,110
Again this is only a feature in routers.
25
00:01:57,150 --> 00:02:01,080
This flaw is not in WPA or WPA2 encryption.
26
00:02:01,080 --> 00:02:04,750
The problem is in the WPS feature.
27
00:02:04,770 --> 00:02:06,310
So let's see how we do this.
28
00:02:06,310 --> 00:02:11,980
First, to look for access points that have WPS enabled,
29
00:02:12,090 --> 00:02:14,240
we're going to use a tool called wash.
30
00:02:14,400 --> 00:02:17,690
So I'm just going to put wash -i mon0
31
00:02:21,030 --> 00:02:24,630
so we have our Test AP shown up here.
32
00:02:24,630 --> 00:02:27,430
That's the AP that we're going to use to crack.
33
00:02:27,600 --> 00:02:30,020
So this is actually running on WPA.
34
00:02:30,020 --> 00:02:33,390
Now it's not using WEP as we saw in the previous videos.
35
00:02:33,390 --> 00:02:36,870
I can confirm that for you here and we are just going to use airodump-ng.
36
00:02:36,930 --> 00:02:38,490
This step is not important.
37
00:02:38,490 --> 00:02:44,820
I'm just going to use it to show you that Test AP is actually using WPA encryption.
38
00:02:44,820 --> 00:02:46,720
It's not WEP.
39
00:02:46,800 --> 00:02:50,950
So as you can see here, Test is using WPA encryption.
40
00:02:51,540 --> 00:02:52,520
Let's just go back.
41
00:02:52,650 --> 00:02:59,380
So these are the access points that have WPS enabled, that have the WPS feature enabled.
42
00:02:59,640 --> 00:03:05,190
And we can see the channel, the RSSI which is the distance between us and the access point,
43
00:03:05,400 --> 00:03:09,850
the WPS version and the WPS locks.
44
00:03:09,890 --> 00:03:17,530
Now some routers, when you try to brute force the WPS PIN, they lock after a few failed attempts.
45
00:03:17,550 --> 00:03:23,550
So if you try for example four wrong PINs they're going to lock and not accept any PINs for a certain
46
00:03:23,550 --> 00:03:24,470
amount of time.
47
00:03:24,660 --> 00:03:30,930
So if the WPS lock says yes here then you can't actually use this attack now, so you need to wait for
48
00:03:30,930 --> 00:03:34,710
a little bit and come back to this access point.
49
00:03:34,770 --> 00:03:42,440
So to go on to reaver. Now reaver is going to brute force the WPS PIN and once it's able to find the WPS
50
00:03:42,440 --> 00:03:49,770
PIN it's going to work out the WPA key. Reaver supports pause and resume.
51
00:03:49,770 --> 00:03:56,970
So if you reach, if you for example brute force 30 percent of the possibilities and cancel the attack,
52
00:03:57,240 --> 00:04:00,330
if you come back you're going to start again from 30 percent.
53
00:04:00,390 --> 00:04:02,350
You're not going to start from zero.
54
00:04:02,490 --> 00:04:09,290
So let's launch reaver. We're going to put -b to choose the BSSID or the MAC address of the target
55
00:04:09,290 --> 00:04:09,940
access point
56
00:04:12,830 --> 00:04:23,210
and then -c to choose the channel which is 11 and then -i to choose the Wi-Fi card in monitor mode and
57
00:04:23,210 --> 00:04:24,110
that's mon0.
58
00:04:24,110 --> 00:04:30,220
So very simple: reaver, the access point BSSID, the channel,
59
00:04:30,500 --> 00:04:39,860
and then the Wi-Fi card in monitor mode. And now reaver associated with the target access point and it tried
60
00:04:40,460 --> 00:04:42,440
to determine the WPS PIN.
61
00:04:42,440 --> 00:04:46,040
Now I have an easy PIN which is 1 2 3 4 5 6 7 0.
62
00:04:46,280 --> 00:04:50,410
And from that it was able to calculate my WPA key.
63
00:04:50,450 --> 00:04:54,610
So that's WPA key you or you or them when you as X or.
64
00:04:55,040 --> 00:04:57,250
And that's just the name of the access point.
65
00:04:57,290 --> 00:05:04,430
So I can just come now and connect to my network and I put the key that we just found
66
00:05:08,030 --> 00:05:15,470
then I show the password is you a you or the X or next.
67
00:05:15,650 --> 00:05:19,480
As you can see, we connected successfully to the network.
68
00:05:19,490 --> 00:05:22,670
Now there's a few options that I'd like to show you for reaver.
69
00:05:22,670 --> 00:05:29,890
I'm just going to go reaver --help and that's all the options that you can use with reaver.
70
00:05:30,310 --> 00:05:36,080
So as I said, some routers would lock after a few failed attempts.
71
00:05:36,250 --> 00:05:42,100
Therefore you can use some of these other advanced options to make reaver, to get reaver to work
72
00:05:42,160 --> 00:05:44,190
against these access points.
73
00:05:44,200 --> 00:05:51,340
For example you can use the delay option and specify the amount of time in seconds that reaver should
74
00:05:51,340 --> 00:05:55,590
wait between each brute force attempt or each PIN attempt.
75
00:05:55,630 --> 00:05:59,400
You can also use the lock delay to tell reaver to wait,
76
00:05:59,400 --> 00:06:06,580
for example 60 seconds: if the access point gets locked then wait for 60 seconds and then
77
00:06:06,580 --> 00:06:10,310
continue your brute force attempt.
78
00:06:10,360 --> 00:06:14,800
You can use the fail wait as well to set the time that you should wait
79
00:06:14,800 --> 00:06:23,590
after 10 failed attempts. You can use the option to tell reaver to sleep after a certain amount, just sleep
80
00:06:23,590 --> 00:06:27,800
for a certain amount of seconds after a certain number of tries.
81
00:06:28,060 --> 00:06:30,110
You can set up the timeout.
82
00:06:30,340 --> 00:06:36,360
You can play with these options, the delay options and the timeout, the fail wait and all that,
83
00:06:36,460 --> 00:06:41,660
If the access point was locking or was ignoring some of your brute force attempts.