1
00:00:01,200 --> 00:00:09,140
OK, now that we know the methods that we can use to gain access to WPA Enterprise networks, in this
2
00:00:09,140 --> 00:00:17,170
lecture I want to show you the more advanced method, the one where we create a fake WPA Enterprise network.
3
00:00:17,610 --> 00:00:19,170
So the first method,
4
00:00:19,290 --> 00:00:22,570
like I said, just uses a traditional fake access point.
5
00:00:22,680 --> 00:00:30,330
And I covered this before in detail; I covered each aspect of running this attack in detail so that
6
00:00:30,330 --> 00:00:32,330
you can adapt it to any scenario.
7
00:00:32,550 --> 00:00:38,070
And this is a perfect example where you can't use tools like Fluxion and Wifiphisher, and you'll have
8
00:00:38,070 --> 00:00:39,150
to do it manually.
9
00:00:39,270 --> 00:00:41,880
And I covered how to do it manually before.
10
00:00:41,880 --> 00:00:46,610
That's why I'm going to be covering the more advanced method in this lecture.
11
00:00:47,070 --> 00:00:53,910
So I'm going to go to Kali, and the first thing that I'm going to do is I'll need to install a modified
12
00:00:53,910 --> 00:00:56,460
version of hostapd.
13
00:00:56,460 --> 00:01:01,010
So we used to use hostapd to generate the normal fake access point.
14
00:01:01,020 --> 00:01:10,020
Now there is a modified version called hostapd-wpe, and that version of hostapd is designed to run
15
00:01:10,110 --> 00:01:15,500
a fake access point with WPA Enterprise with a FreeRADIUS server.
16
00:01:16,020 --> 00:01:22,990
So first of all I'm going to have to update my sources, so I'm going to do apt-get update. Now that my
17
00:01:22,990 --> 00:01:24,120
sources are updated,
18
00:01:24,130 --> 00:01:30,640
I'm going to do apt-get install followed by the program that I want to install, which is called
19
00:01:30,650 --> 00:01:33,680
hostapd-wpe.
20
00:01:33,910 --> 00:01:36,140
So we always use apt-get.
21
00:01:36,250 --> 00:01:43,320
We're just telling it to install the package name or the program name; it's called hostapd-wpe.
22
00:01:43,510 --> 00:01:49,900
I'm going to hit enter and that will automatically download the program, all the needed packages, and
23
00:01:49,900 --> 00:01:51,290
configure it for me.
24
00:01:53,480 --> 00:01:55,500
OK, now that's all done.
25
00:01:55,520 --> 00:01:56,970
So I'm going to clear the screen.
26
00:01:58,600 --> 00:02:04,130
And the next thing that we want to do is very similar to what we used to do with hostapd.
27
00:02:04,180 --> 00:02:11,030
We want to modify its configuration, so to do that we're going to do leafpad, which is my text editor,
28
00:02:11,730 --> 00:02:22,300
and I'm going to put the location of the configuration file, and that's stored in /etc/hostapd-wpe and
29
00:02:22,330 --> 00:02:25,810
again hostapd-wpe.conf.
30
00:02:27,870 --> 00:02:34,140
So we're doing leafpad, which is our text editor, and then we're giving it the location of the configuration
31
00:02:34,140 --> 00:02:35,440
file for
32
00:02:35,440 --> 00:02:37,470
hostapd-wpe.
33
00:02:37,830 --> 00:02:43,760
I'm going to hit enter, and the main things that you want to make sure are set correctly are, first of
34
00:02:43,760 --> 00:02:45,040
all, the interface.
35
00:02:45,140 --> 00:02:47,100
This is your wireless adapter.
36
00:02:47,240 --> 00:02:50,090
So in my case it's actually called wlan0.
37
00:02:50,120 --> 00:02:54,440
If you don't know what it's called, you have to do ifconfig, as you should know by now, and then you can
38
00:02:54,440 --> 00:02:56,210
get the name of it.
39
00:02:56,330 --> 00:03:00,100
The next thing that I want to modify is the SSID.
40
00:03:00,170 --> 00:03:09,590
This is the name of the fake access point, and it's set by default to be called hostapd-wpe.
41
00:03:09,620 --> 00:03:13,250
Now my target is called company network.
42
00:03:13,370 --> 00:03:19,400
So I'm going to call this company network as well, because as you know this is an evil twin attack.
43
00:03:19,430 --> 00:03:25,390
So you want your fake access point to have the exact same name as the target access point.
44
00:03:25,620 --> 00:03:33,090
So I'll call it company network. You can also modify the channel in here if you want, but I'm going to
45
00:03:33,090 --> 00:03:35,070
keep that the same.
46
00:03:35,070 --> 00:03:39,000
And I'm actually going to leave everything else here the same.
47
00:03:39,000 --> 00:03:43,300
Now if you scroll down, you'll actually see after this point, where it says this,
48
00:03:43,500 --> 00:03:49,350
and it says it here in the comment, everything that comes after here is literally just the normal
49
00:03:49,380 --> 00:03:51,570
hostapd configuration.
50
00:03:51,570 --> 00:03:58,870
So like I said, this is just a modified version of hostapd, which is modified so that it can use WPA
51
00:03:58,870 --> 00:04:02,350
Enterprise with a FreeRADIUS server.
52
00:04:03,000 --> 00:04:05,940
So I'm going to save this, Ctrl+S, and quit it,
53
00:04:05,940 --> 00:04:06,480
Ctrl+
54
00:04:06,480 --> 00:04:08,300
Q. OK.
55
00:04:08,400 --> 00:04:09,510
Now we're done.
56
00:04:09,600 --> 00:04:11,220
We're ready to run the attack.
57
00:04:11,400 --> 00:04:18,240
But before we do that, like we did with hostapd, we have to stop the network manager because it's managing
58
00:04:18,240 --> 00:04:19,640
my wireless interface.
59
00:04:19,770 --> 00:04:24,650
And if it stays running it won't let me use it to create a fake access point.
60
00:04:25,050 --> 00:04:33,520
So I'm going to do service network-manager stop; this will stop the network manager for me.
61
00:04:33,700 --> 00:04:40,330
And now I can run the fake access point with WPA Enterprise. To do that,
62
00:04:40,330 --> 00:04:50,620
we're going to do hostapd-wpe followed by the location of the configuration file, which is in /etc/
63
00:04:50,680 --> 00:04:56,860
hostapd-wpe/hostapd-wpe.conf.
64
00:04:57,340 --> 00:05:02,230
So this command is actually very similar to the hostapd command that we used to use.
65
00:05:02,290 --> 00:05:08,350
You just put the name of the tool followed by the location of the configuration file.
66
00:05:08,380 --> 00:05:15,970
I'm going to hit enter, and as you can see right now it's telling me that the network is working; it's
67
00:05:15,990 --> 00:05:18,790
broadcasting under the name company network.
68
00:05:18,960 --> 00:05:26,760
And now you can just go ahead and run the deauthentication attack as I showed you before. You can deauthenticate
69
00:05:26,820 --> 00:05:28,360
all clients or some clients.
70
00:05:28,350 --> 00:05:34,200
Again, as shown before, clients will not be able to access their network; they won't be able to use the
71
00:05:34,200 --> 00:05:34,840
network.
72
00:05:35,070 --> 00:05:39,550
So they'll think, oh, maybe I can just connect to the other company network.
73
00:05:39,870 --> 00:05:44,690
So let's go to a Windows machine and see what we have.
74
00:05:47,080 --> 00:05:49,400
So I have my company network in here.
75
00:05:49,780 --> 00:05:51,060
I'm going to connect to it.
76
00:05:53,910 --> 00:06:02,400
And I'm going to put my username as zaid and my password as one two three four a b c d.
77
00:06:02,600 --> 00:06:05,120
I'm going to connect.
78
00:06:05,300 --> 00:06:10,480
Now this is just a warning saying that if you expect to see this network then connect to it.
79
00:06:10,520 --> 00:06:11,870
Otherwise don't.
80
00:06:12,110 --> 00:06:19,670
Most people would just connect to it because, like I said, WPA Enterprise is usually used in large organizations.
81
00:06:19,760 --> 00:06:25,520
So people are used to seeing a number of routers and connecting to a number of routers, and if you run
82
00:06:25,580 --> 00:06:30,290
the deauthentication attack and they can't connect to their own router then there is a very high chance
83
00:06:30,290 --> 00:06:35,870
of them trying to connect to the other router, or the other access point, that has the exact
84
00:06:35,870 --> 00:06:38,470
same name that they're used to.
85
00:06:38,480 --> 00:06:45,310
Therefore I'm going to click on Connect. Now it's saying it can't connect to this network because I actually
86
00:06:45,310 --> 00:06:47,530
used the wrong username and password anyway.
87
00:06:47,800 --> 00:06:55,270
But if we go to the Kali machine you'll see that we captured the username, we captured the challenge,
88
00:06:55,600 --> 00:06:58,240
and we captured the response.
89
00:06:58,240 --> 00:07:03,850
Now I know this is not the password that I put, so you still can't see one two three four a b c d, and
90
00:07:03,850 --> 00:07:06,300
that's because the password is encrypted.
91
00:07:06,610 --> 00:07:13,810
That's why I said the basic evil twin method that we showed before has an advantage over this method,
92
00:07:13,810 --> 00:07:19,000
because the password will be sent in plain text over HTTP.
93
00:07:19,060 --> 00:07:25,360
The problem with that method was the login screen wasn't very convincing. With this method
94
00:07:25,360 --> 00:07:32,580
you'll get a proper system login box because we are implementing a proper WPA Enterprise network.
95
00:07:32,650 --> 00:07:34,680
So there's nothing fake about it.
96
00:07:34,690 --> 00:07:41,800
The only problem is, because this is a proper WPA Enterprise network, the password will be sent
97
00:07:41,800 --> 00:07:48,370
based on the authentication method used, which is a challenge-response method where the server sends
98
00:07:48,430 --> 00:07:53,100
a challenge and then the client sends a response based on that.
99
00:07:53,410 --> 00:07:57,520
Now in the next section I'm going to talk more about this and I'm going to show you how to crack the
100
00:07:57,520 --> 00:08:00,920
response and get the key for the network.
101
00:08:01,150 --> 00:08:03,530
But for now our attack is done.
102
00:08:03,580 --> 00:08:07,380
We managed to capture the username and the hash for that password.
103
00:08:07,570 --> 00:08:10,420
And in the next lecture I'm going to show you how to crack that password.