All language subtitles for 029 Unlocking WPS-subtitle-en

1 00:00:00,630 --> 00:00:06,360 So in the previous lecture we've seen if we run Reaver against this particular network the network
2 00:00:06,360 --> 00:00:13,710 will get locked and we won't be able to brute force the WPS PIN because the network will just refuse
3 00:00:13,710 --> 00:00:14,990 any requests.
4 00:00:15,390 --> 00:00:23,430 So we said one of the ways to try and reset or get the network to get unlocked is to just run the deauthentication
5 00:00:23,430 --> 00:00:29,700 attack like we did before and hope that one of the users will just go in and physically turn off the
6 00:00:29,700 --> 00:00:31,890 router and then turn it back on.
7 00:00:32,220 --> 00:00:36,480 And we said this is not a great way because we actually were relying on a person to go and turn off
8 00:00:36,480 --> 00:00:43,140 the router but it has a high chance of success because what would you do when you lose internet connection?
9 00:00:43,140 --> 00:00:48,840 Most people will just go and turn off their now a router and turn it back on.
10 00:00:48,840 --> 00:00:55,320 So in this lecture we're going to use a tool called mdk3 and we're going to use it to run a DoS attack,
11 00:00:55,680 --> 00:01:02,490 a denial of service attack basically on the target network and in some routers this attack will just
12 00:01:02,490 --> 00:01:03,580 flood the router.
13 00:01:03,660 --> 00:01:09,600 And then it will cause the router to reset automatically and then when it resets it will get unlocked
14 00:01:09,630 --> 00:01:10,350 as well.
15 00:01:10,350 --> 00:01:15,450 So we'll be able to run Reaver and start guessing the WPS PIN again.
16 00:01:15,450 --> 00:01:21,870 And since Reaver supports pause and resume this attack can work really well so even if you're at 60 percent
17 00:01:22,110 --> 00:01:27,690 and then the router locks you can just Control-C Reaver, run the attack, get the router to be unlocked
18 00:01:27,900 --> 00:01:31,350 and then run the attack again and it'll start from 60 percent.
19 00:01:31,350 --> 00:01:33,260 It's not going to start from zero.
20 00:01:33,900 --> 00:01:36,200 So I'm just going to split the screen here.
21 00:01:40,050 --> 00:01:43,060 And I'm just going to run the tool that we're going to be using.
22 00:01:43,060 --> 00:01:50,420 It's called mdk3 and I'm going to type in help just to see the options that this tool gives us.
23 00:01:52,560 --> 00:01:59,100 And we can see this tool actually lets us run a number of attacks, and test modes are listed in here.
24 00:01:59,340 --> 00:02:02,800 So the way the tool works is you specify the name of the tool.
25 00:02:03,000 --> 00:02:09,420 You follow it up with your interface in monitor mode and then you follow it with the test mode which
26 00:02:09,420 --> 00:02:11,130 are listed in here.
27 00:02:11,130 --> 00:02:17,460 And then you give it the options for each of these test modes. For this lecture we're going to be using
28 00:02:17,760 --> 00:02:22,290 the option which is the authentication DoS mode.
29 00:02:23,310 --> 00:02:29,460 So to see all the options and get more information about this attack we're going to do mdk3 minus
30 00:02:29,460 --> 00:02:33,780 minus help and then put the test mode which is a.
31 00:02:33,870 --> 00:02:44,150 So I'm just going to do mdk3 minus minus help and I'm going to put a and this will give us more information
32 00:02:44,150 --> 00:02:50,240 about the attack that we want to do so it's going to be an authentication DoS mode that's going to
33 00:02:50,240 --> 00:02:53,360 send authentication frames to the AP.
34 00:02:53,360 --> 00:03:00,380 So basically what it's going to do is we're going to specify a MAC address for our target and mdk3
35 00:03:00,560 --> 00:03:06,890 will create fake MAC addresses and get all of these MAC addresses to pretend as if their computers are
36 00:03:06,890 --> 00:03:13,730 clients and these clients are trying to connect to that network when there is a very large number of
37 00:03:13,730 --> 00:03:17,000 clients trying to connect to one network to one router.
38 00:03:17,240 --> 00:03:23,180 Some routers will not be able to handle all this demand and they'll actually just restart and reset
39 00:03:23,210 --> 00:03:24,010 everything.
40 00:03:24,260 --> 00:03:30,840 And when they do that they'll unlock WPS and we'll be able to run Reaver again.
41 00:03:30,860 --> 00:03:36,410 So if you run it, if you run mdk3 with the option it'll do that on all the networks around
42 00:03:36,410 --> 00:03:36,500 you.
43 00:03:36,500 --> 00:03:40,850 So it's going to create a very large number of clients and it's going to get all of these clients to
44 00:03:40,850 --> 00:03:43,110 connect to all the networks around you.
45 00:03:43,280 --> 00:03:44,090 And we don't want that.
46 00:03:44,090 --> 00:03:45,920 We only want to target one network.
47 00:03:46,070 --> 00:03:52,540 So we're going to specify the target network with the minus option to specify the target MAC.
48 00:03:52,940 --> 00:04:00,080 And we're also going to use minus m to tell it that we want it to use valid MACs, so MACs of actual devices
49 00:04:00,290 --> 00:04:06,430 instead of using a MAC that looks like it's fake like 000 000.
50 00:04:06,470 --> 00:04:08,050 So let's run the command.
51 00:04:08,060 --> 00:04:11,150 Let me show you the command that we're going to use and things are going to get more clear.
52 00:04:11,420 --> 00:04:16,880 So the program that we're going to use is called mdk3.
53 00:04:17,210 --> 00:04:21,320 Then we're going to give it the interface in monitor mode and it's mon0.
54 00:04:21,320 --> 00:04:28,680 In my case then we're going to give it the test mode or the attack mode and that's the authentication
55 00:04:28,680 --> 00:04:29,450 DoS mode.
56 00:04:29,460 --> 00:04:36,410 So that's going to be a and then we want to run that against only one specific router.
57 00:04:36,470 --> 00:04:37,610 Not all routers.
58 00:04:37,640 --> 00:04:47,110 So we're going to specify the minus a and give it the MAC address of my target's router which is the
59 00:04:47,110 --> 00:04:49,270 same MAC address in here.
60 00:04:49,420 --> 00:04:57,490 It's the same MAC address that's locked in here right here and then we're going to give it minus m
61 00:04:57,690 --> 00:05:02,200 to tell it to use valid MAC addresses instead of just ones that look wrong.
62 00:05:02,450 --> 00:05:04,770 So we're going to do minus.
63 00:05:05,300 --> 00:05:06,740 And that's it, we're ready to go.
64 00:05:06,740 --> 00:05:09,410 So we're just going to go over the command one more time.
65 00:05:09,410 --> 00:05:11,970 We're using a tool called mdk3.
66 00:05:12,060 --> 00:05:14,240 We're giving it the interface in monitor mode.
67 00:05:14,240 --> 00:05:20,930 In my case it's mon0 and we want to use the attack that's referred to with the option
68 00:05:20,930 --> 00:05:27,400 which is the authentication DoS mode, we're giving it my target access point after the minus.
69 00:05:27,890 --> 00:05:32,320 And then I'm giving it minus to use valid MAC addresses.
70 00:05:32,510 --> 00:05:38,480 I'm going to hit enter and I actually misspelled mdk3, I said mkd3.
71 00:05:38,540 --> 00:05:39,590 I do that a lot.
72 00:05:39,830 --> 00:05:42,560 So it's mdk3, hit enter
73 00:05:45,390 --> 00:05:51,180 and you might see a result like this saying that the target computer see the target router does not
74 00:05:51,180 --> 00:05:54,140 seem to be vulnerable but just let it work.
75 00:05:54,360 --> 00:05:58,370 Sometimes you might have to let it work up to 50000 clients.
76 00:05:58,530 --> 00:06:03,510 You can see that it's creating fake clients and it's trying to get them to connect to the router so
77 00:06:03,510 --> 00:06:09,600 you can try to associate with the router really not connect and you can see that we reached 5000 clients
78 00:06:09,600 --> 00:06:11,780 right here.
79 00:06:11,830 --> 00:06:14,530 This could be different from one router to another.
80 00:06:14,530 --> 00:06:17,910 So sometimes I had to let this go up to 50000.
81 00:06:18,040 --> 00:06:24,370 In this case with my home router right here it usually resets between 5000 and 10000.
82 00:06:24,400 --> 00:06:27,430 So I'm just going to let it go up to 10000 in this case.
83 00:06:28,660 --> 00:06:36,160 And once it's 10000 like this I'm going to Control-C at the same time to get out of this and we're going
84 00:06:36,160 --> 00:06:41,290 to run wash again to see if the network is still locked so you can see the last time we ran wash the
85 00:06:41,290 --> 00:06:42,980 network was locked.
86 00:06:43,030 --> 00:06:48,040 So I'm just going to give it some time to reset and then I'm just going to rerun wash, the same
87 00:06:48,040 --> 00:06:51,110 command that we always use, it's just wash minus
88 00:06:51,150 --> 00:06:58,530 i mon0, and keep in mind this doesn't work against all routers but it works against a lot of routers
89 00:06:58,530 --> 00:07:00,050 really but not all.
90 00:07:00,060 --> 00:07:02,990 So it might not just work for you.
91 00:07:03,300 --> 00:07:06,120 So I'm going to hit Enter now to look for networks around me.
92 00:07:09,150 --> 00:07:11,900 Looks like something went wrong with my wireless card.
93 00:07:12,000 --> 00:07:16,710 So I'm just going to disconnect it, reconnect it, enable monitor mode and run wash again.
94 00:07:18,170 --> 00:07:23,020 OK so I'm just going to run wash again here.
95 00:07:23,430 --> 00:07:31,130 And as you can see now our target network got reset and you can see that WPS is not locked anymore.
96 00:07:31,610 --> 00:07:37,300 So I can actually start Reaver again and it will be able to pick up from where it left the last time.
97 00:07:38,130 --> 00:07:45,480 So last time the pin count was left at 0 and right now if I run it again I'll be able to go to pin count
98 00:07:45,480 --> 00:07:48,160 1 so I'll actually be able to test one more pin.
99 00:07:48,390 --> 00:07:56,020 So if we just do Reaver again using the same command that we did before you can see that it's asking
100 00:07:56,020 --> 00:08:04,160 me if I want to continue from where I left the last time, I'm going to say yes please.
101 00:08:04,170 --> 00:08:05,930 Now again the router got locked again.
102 00:08:05,970 --> 00:08:13,370 Now what you can see that we managed to go ahead with one more pin to test one pin right now.
103 00:08:13,530 --> 00:08:18,550 And if we do the same now get the router to unlock and do the same.
104 00:08:18,600 --> 00:08:20,790 You'll be able to go to the next pin.
105 00:08:20,790 --> 00:08:26,940 Now this network is actually a quite stubborn one, usually networks lock after four or sometimes even
106 00:08:26,940 --> 00:08:27,960 10 attempts.
107 00:08:27,990 --> 00:08:30,810 Very rarely they lock after one attempt only.
108 00:08:30,960 --> 00:08:34,010 But again this just serves with our examples.
109 00:08:34,020 --> 00:08:39,300 The main thing is you can unlock most networks using this method, using mdk3.
