1
00:00:00,600 --> 00:00:06,900
Now in this video I'd like to cover a configuration that might be used on the target router that could
2
00:00:06,900 --> 00:00:09,660
make cracking it a little bit different.
3
00:00:09,810 --> 00:00:16,920
Now as we know WEP is very rare to see now anyway and this configuration is actually really really rare.
4
00:00:16,950 --> 00:00:22,220
And most routers don't even support it. It is a bit different to crack it though.
5
00:00:22,260 --> 00:00:26,550
And usually people get confused when they see it and won't even know what to do.
6
00:00:26,760 --> 00:00:33,120
But it's actually kind of easier to crack this type of configuration than the normal WEP configuration.
7
00:00:33,120 --> 00:00:38,820
What I want to talk about is if the target router does not use open authentication.
8
00:00:39,030 --> 00:00:44,180
So we've seen in all the previous videos the first step was to do a fake authentication attack.
9
00:00:44,190 --> 00:00:51,900
We changed the auth in airodump-ng to open. In this case the router can be configured to use a shared
10
00:00:51,900 --> 00:00:53,190
key authentication.
11
00:00:53,190 --> 00:00:59,020
So I have my router settings page here and I can see that I changed the setting here to required.
12
00:00:59,190 --> 00:01:06,330
And what this basically does is it prevents anybody from even associating with the router if they don't
13
00:01:06,330 --> 00:01:07,650
know the key.
14
00:01:07,650 --> 00:01:14,800
So usually routers use open authentication which basically means anybody can associate with the router.
15
00:01:15,060 --> 00:01:18,840
And then the router will check if you have the right password if you have the right key.
16
00:01:18,930 --> 00:01:20,340
If you do they let you connect.
17
00:01:20,340 --> 00:01:22,290
If you don't they won't let you connect.
18
00:01:22,290 --> 00:01:28,380
So they actually allow you to associate and they'll communicate with you. If a shared key is used then
19
00:01:28,380 --> 00:01:34,470
the router will not even allow you to associate unless you encrypt a challenge for it and send it to
20
00:01:34,470 --> 00:01:34,870
it.
21
00:01:35,010 --> 00:01:41,510
You won't even be able to associate with the router if you don't have this shared key.
22
00:01:41,520 --> 00:01:43,000
Let me show you an example here.
23
00:01:43,290 --> 00:01:47,520
So I'm just going to do first of all airodump-ng mon0 to see all the networks around us
24
00:01:50,910 --> 00:01:57,420
and you can see that I have this network which I configured for this class and it's called SKA test
25
00:01:57,470 --> 00:01:58,490
AP.
26
00:01:59,010 --> 00:02:06,620
So it's right on channel 1 and I'm going to copy its MAC address and we're going to run airodump-ng
27
00:02:06,660 --> 00:02:14,030
against this network only. We're going to give it the BSSID, the channel
28
00:02:17,230 --> 00:02:24,910
and we're going to store the data to our file and we'll call the file SKA test and then I'm going to
29
00:02:24,910 --> 00:02:28,290
put my wireless card in monitor mode which is mon0.
30
00:02:28,750 --> 00:02:32,320
So it's the same command that we've always been doing, airodump-ng, the
31
00:02:32,320 --> 00:02:38,700
BSSID of the target, the channel, and we're writing to a file. We're going to hit enter and this is going
32
00:02:38,700 --> 00:02:41,330
to run against our target only.
33
00:02:41,670 --> 00:02:47,200
And now I'm just going to come in and do a fake authentication just to show you what happens in SKA
34
00:02:47,210 --> 00:02:48,030
networks.
35
00:02:48,060 --> 00:02:51,280
So we're going to do a fake authentication exactly like we did it before.
36
00:02:51,330 --> 00:02:58,120
So it's going to be aireplay-ng, fakeauth, and we're going to put zero.
37
00:02:58,830 --> 00:03:05,830
And then we're going to do minus a, put the MAC address of the router, and then I'm going to do minus
38
00:03:05,990 --> 00:03:13,230
h and put my own MAC address. Now I'm doing all this real quick because you should know all
39
00:03:13,230 --> 00:03:22,420
of this by now because we covered that in previous lectures. My own MAC address is 0 0 0 C A 2 8 2
40
00:03:22,450 --> 00:03:24,730
9 8.
41
00:03:25,090 --> 00:03:30,750
Then we're going to put our wireless card in monitor mode which is mon0.
42
00:03:30,760 --> 00:03:36,100
So again, same command that we always use for the fake authentication: we're going to do aireplay-ng fake
43
00:03:36,120 --> 00:03:40,500
auth 0, target MAC address, my MAC address.
44
00:03:40,600 --> 00:03:41,380
I'm going to hit enter
45
00:03:44,320 --> 00:03:52,560
so I'm going to Control-C this so you can see that we have SKA here under the auth instead of open.
46
00:03:52,730 --> 00:03:56,290
And that means we can't really do all the attacks that we did previously.
47
00:03:56,290 --> 00:04:02,240
The three methods, the three injection methods that we spoke about previously. The way to fake authenticate
48
00:04:02,240 --> 00:04:08,970
yourself with SKA networks is you'll have to authenticate one of the connected clients in here.
49
00:04:08,990 --> 00:04:09,950
So you actually need.
50
00:04:09,950 --> 00:04:14,750
You have to have a client connect to the network you're going to have to be authenticated.
51
00:04:14,930 --> 00:04:18,730
Once you do that airodump-ng will capture an SKA.
52
00:04:18,890 --> 00:04:25,520
You can see that I have a broken SKA here but if you do that properly you will get a normal SKA and
53
00:04:25,520 --> 00:04:31,460
then you'll use that file with the minus y option to fake authenticate yourself to associate with the
54
00:04:31,460 --> 00:04:32,050
network.
55
00:04:32,240 --> 00:04:37,110
And then you can do all the attacks that we spoke about in the previous lectures, the three methods.
56
00:04:37,190 --> 00:04:43,580
The thing is that's a bit too complicated and there are two better methods to do that because as I said
57
00:04:43,700 --> 00:04:50,000
if you want to associate and the target network uses SKA, the network has to have a connected client,
58
00:04:50,000 --> 00:04:52,590
has to have at least one connected client.
59
00:04:52,610 --> 00:04:58,100
So based on that fact there are actually better ways to crack that network and I'm going to show you the
60
00:04:58,100 --> 00:05:04,430
first method right now and that is using an ARP replay attack.
61
00:05:04,440 --> 00:05:05,650
So let me close this first
62
00:05:09,360 --> 00:05:17,390
and I'm going to clear this and I'm actually going to stop this and clear it and run the attack again
63
00:05:17,420 --> 00:05:21,980
because I want to show you that you actually don't even need to run a fake authentication for this.
64
00:05:22,310 --> 00:05:27,920
So we're just going to name it something else, we're going to call it SKA test 2, and we're going
65
00:05:27,920 --> 00:05:29,340
to launch airodump-ng.
66
00:05:29,630 --> 00:05:35,570
And as you can see right here you don't have authentication or anything on this network right now.
67
00:05:35,570 --> 00:05:40,340
And what I'm going to do is I'm going to do an ARP replay attack.
68
00:05:40,340 --> 00:05:43,730
So we spoke about that and we actually did it in a previous lecture.
69
00:05:43,760 --> 00:05:49,460
The only difference is when we did it we did a fake authentication and we associated with the network
70
00:05:50,000 --> 00:05:57,200
and then we used the replay attack based on our MAC address so we replayed packets from our computer and
71
00:05:57,200 --> 00:05:59,330
injected them into the router.
72
00:05:59,510 --> 00:06:04,550
In this lecture we actually have a client. When we did it in previous lectures there were no
73
00:06:04,550 --> 00:06:11,060
clients connected, so we had to associate, our client showed up in here, and then we used our client MAC
74
00:06:11,060 --> 00:06:16,490
address to replay one of the ARP packets and we managed to increase the number of data rapidly that
75
00:06:16,490 --> 00:06:17,600
way.
76
00:06:17,600 --> 00:06:21,060
What we're going to do today is because we already have a connected client.
77
00:06:21,200 --> 00:06:27,050
We're going to use this connected client in our replay attack and this method will work against
78
00:06:27,050 --> 00:06:33,930
both normal networks and against the WEP networks that use SKA.
79
00:06:33,960 --> 00:06:37,950
So this attack is going to be exactly the same as the ARP replay attack that we did.
80
00:06:37,950 --> 00:06:42,690
The only difference is we're going to use the MAC address of a connected client instead of my own
81
00:06:42,690 --> 00:06:44,140
MAC address.
82
00:06:44,380 --> 00:06:54,470
So the command is going to be aireplay-ng arpreplay, then we're going to do minus b and we're going
83
00:06:54,470 --> 00:07:00,230
to give it the MAC address of the target network, then we're going to do minus h.
84
00:07:00,470 --> 00:07:05,240
And instead of giving it my own MAC address like we did in previous videos I'm going to use the MAC
85
00:07:05,240 --> 00:07:08,720
address of one of the connected clients which is this one
86
00:07:13,300 --> 00:07:18,550
then I'm going to put my wireless card in monitor mode which is mon0 and we're ready to go.
87
00:07:18,550 --> 00:07:20,680
So again we're using aireplay-ng.
88
00:07:21,040 --> 00:07:24,470
We're doing our ARP replay attack exactly like we did before.
89
00:07:24,730 --> 00:07:28,330
We're specifying the target network after the minus b.
90
00:07:28,690 --> 00:07:35,050
And then we're specifying the MAC address of a connected client this time instead of specifying my
91
00:07:35,050 --> 00:07:43,540
own MAC address, so I'm going to hit enter and all this is going to do is it's going to wait for an ARP
92
00:07:43,740 --> 00:07:49,970
packet and once it captures one of them it's going to inject it into the traffic, and when it's going
93
00:07:49,960 --> 00:07:55,810
to do that it's actually relying on this connected client and it's injecting it as if this packet
94
00:07:55,810 --> 00:07:59,030
is coming from this connected client.
95
00:07:59,080 --> 00:08:04,840
And as you can see the number of data is increasing very very fast right now and I can just run aircrack-ng
96
00:08:04,960 --> 00:08:08,420
on the side and I should be able to crack the password.
97
00:08:09,270 --> 00:08:11,670
So again I'm going to run this like we did before.
98
00:08:12,090 --> 00:08:15,470
And we named the file SKA test.
99
00:08:15,490 --> 00:08:23,150
And we named it 2 and we have to append the -01 because airodump-ng does that automatically
100
00:08:23,740 --> 00:08:27,740
and that's going to be .cap. Then again I hit enter
101
00:08:31,340 --> 00:08:36,850
now I'm going to stop this.
102
00:08:37,030 --> 00:08:39,250
As you can see we managed to get the key.
103
00:08:39,370 --> 00:08:45,070
Now we can use this, we just remove these dots from it and connect to the target network and we'll be
104
00:08:45,070 --> 00:08:46,560
able to connect to it.
105
00:08:47,750 --> 00:08:54,440
So again this method works on both normal WEP networks and the ones that use shared key authentication
106
00:08:54,710 --> 00:08:56,560
or SKA.
107
00:08:56,720 --> 00:09:01,710
The only thing that it requires is an existing connected client to the network.
108
00:09:01,760 --> 00:09:03,650
So it's not a clientless cracking method.