All language subtitles for 5. Cracking SKA WEP Networks

1
00:00:00,600 --> 00:00:06,900
Now in this video I'd like to cover a configuration that might be used on the target router that could

2
00:00:06,900 --> 00:00:09,660
make cracking it a little bit different.

3
00:00:09,810 --> 00:00:16,920
Now as we know WEP is very rare to see now anyway, and this configuration is actually really really rare.

4
00:00:16,950 --> 00:00:22,220
And most routers don't even support it. It is a bit different to crack it though.

5
00:00:22,260 --> 00:00:26,550
And usually people get confused when they see it and won't even know what to do.

6
00:00:26,760 --> 00:00:33,120
But it's actually kind of easier to crack this type of configuration than the normal WEP configuration.

7
00:00:33,120 --> 00:00:38,820
What I want to talk about is if the target router does not use open authentication.

8
00:00:39,030 --> 00:00:44,180
So we've seen in all the previous videos the first step was to do a fake authentication attack.

9
00:00:44,190 --> 00:00:51,900
We've seen the auth in airodump-ng as open. In this case the router can be configured to use shared

10
00:00:51,900 --> 00:00:53,190
key authentication.

11
00:00:53,190 --> 00:00:59,020
So I have my router settings page here and I can see that I changed the setting here to required.

12
00:00:59,190 --> 00:01:06,330
And what this basically does is it prevents anybody from even associating with the router if they don't

13
00:01:06,330 --> 00:01:07,650
know the key.

14
00:01:07,650 --> 00:01:14,800
So usually routers use open authentication, which basically means anybody can associate with the router.

15
00:01:15,060 --> 00:01:18,840
And then the router will check if you have the right password, if you have the right key.

16
00:01:18,930 --> 00:01:20,340
If you do they let you connect.

17
00:01:20,340 --> 00:01:22,290
If you don't they won't let you connect.

18
00:01:22,290 --> 00:01:28,380
So they actually allow you to associate and they'll communicate with you. If a shared key is used then

19
00:01:28,380 --> 00:01:34,470
the router will not even allow you to associate unless you encrypt a challenge for it and send it to

20
00:01:34,470 --> 00:01:34,870
it.

21
00:01:35,010 --> 00:01:41,510
You won't even be able to associate with the router if you don't have this shared key.

22
00:01:41,520 --> 00:01:43,000
Let me show you an example here.

23
00:01:43,290 --> 00:01:47,520
So I'm just going to do first of all airodump-ng mon0 to see all the networks around us

24
00:01:50,910 --> 00:01:57,420
and you can see that I have this network which I configured for this class and it's called SKA test

25
00:01:57,470 --> 00:01:58,490
AP.

26
00:01:59,010 --> 00:02:06,620
So it's right on channel 1 and I'm going to copy its MAC address and we're going to run airodump-ng

27
00:02:06,660 --> 00:02:14,030
against this network only. We're going to give the BSSID, the channel

28
00:02:17,230 --> 00:02:24,910
and we're going to store the data to our file and we'll call the file SKA test, and then I'm going to

29
00:02:24,910 --> 00:02:28,290
put my wireless card in monitor mode which is mon0.

30
00:02:28,750 --> 00:02:32,320
So it's the same command that we've always been doing: airodump-ng, the

31
00:02:32,320 --> 00:02:38,700
BSSID of the target, the channel, and we're writing to a file. We're going to hit enter and this is going

32
00:02:38,700 --> 00:02:41,330
to run against our target only.

33
00:02:41,670 --> 00:02:47,200
And now I'm just going to come in and do a fake authentication just to show you what happens in SKA

34
00:02:47,210 --> 00:02:48,030
networks.

35
00:02:48,060 --> 00:02:51,280
So we're going to do a fake authentication exactly like we did it before.

36
00:02:51,330 --> 00:02:58,120
So it's going to be aireplay-ng --fakeauth, and we're going to put 0.

37
00:02:58,830 --> 00:03:05,830
And then we're going to do -a, put the MAC address of the router, and then I'm going to do

38
00:03:05,990 --> 00:03:13,230
-h and put my own MAC address. Now I'm doing all this real quick because you should know all

39
00:03:13,230 --> 00:03:22,420
of this by now because we covered that in previous lectures. My own MAC address is 0 0 0 c a 2 8 2

40
00:03:22,450 --> 00:03:24,730
9 8.

41
00:03:25,090 --> 00:03:30,750
Then we're going to put our wireless card in monitor mode which is mon0.

42
00:03:30,760 --> 00:03:36,100
So again same command that we always use for the fake authentication: we're going to do aireplay-ng --fakeauth

43
00:03:36,120 --> 00:03:40,500
0, target MAC address, my MAC address.

44
00:03:40,600 --> 00:03:41,380
I'm going to hit enter

45
00:03:44,320 --> 00:03:52,560
so I'm going to Control-C this so you can see that we have SKA here under the auth instead of open.

46
00:03:52,730 --> 00:03:56,290
And that means we can't really do all the attacks that we did previously.

47
00:03:56,290 --> 00:04:02,240
The three methods, the three injection methods that we spoke about previously. The way to fake authenticate

48
00:04:02,240 --> 00:04:08,970
yourself with SKA networks is you'll have to authenticate one of the connected clients in here.

49
00:04:08,990 --> 00:04:09,950
So you actually need.

50
00:04:09,950 --> 00:04:14,750
You have to have a client connect to the network, you're going to have to be authenticated.

51
00:04:14,930 --> 00:04:18,730
Once you do that airodump-ng will capture an SKA.

52
00:04:18,890 --> 00:04:25,520
You can see that I have a broken SKA here but if you do that properly you will get a normal SKA and

53
00:04:25,520 --> 00:04:31,460
then you'll use that file with the -y option to fake authenticate yourself, to associate with the

54
00:04:31,460 --> 00:04:32,050
network.

55
00:04:32,240 --> 00:04:37,110
And then you can do all the attacks that we spoke about in the previous lectures, the three methods.

56
00:04:37,190 --> 00:04:43,580
The thing is that's a bit too complicated and there are two better methods to do that because as I said

57
00:04:43,700 --> 00:04:50,000
if you want to associate and the target network uses SKA the network has to have a connected client,

58
00:04:50,000 --> 00:04:52,590
has to have at least one connected client.

59
00:04:52,610 --> 00:04:58,100
So based on that fact there are actually better ways to crack that network and I'm going to show you the

60
00:04:58,100 --> 00:05:04,430
first method right now and that is using an ARP replay attack.

61
00:05:04,440 --> 00:05:05,650
So let me close this first

62
00:05:09,360 --> 00:05:17,390
and I'm going to clear this, and I'm actually going to stop this and clear it and run the attack again

63
00:05:17,420 --> 00:05:21,980
because I want to show you that you actually don't even need to run a fake authentication for this.

64
00:05:22,310 --> 00:05:27,920
So we're just going to name them something else, we're going to call it SKA test 2, and we're going

65
00:05:27,920 --> 00:05:29,340
to launch airodump-ng.

66
00:05:29,630 --> 00:05:35,570
And as you can see right here you don't have authentication or anything on this network right now.

67
00:05:35,570 --> 00:05:40,340
And what I'm going to do is I'm going to do an ARP replay attack.

68
00:05:40,340 --> 00:05:43,730
So we spoke about that and we actually did it in a previous lecture.

69
00:05:43,760 --> 00:05:49,460
The only difference is when we did it we did a fake authentication and we associated with the network

70
00:05:50,000 --> 00:05:57,200
and then we used the replay attack based on our MAC address, so we replayed packets from our computer and

71
00:05:57,200 --> 00:05:59,330
injected them in the router.

72
00:05:59,510 --> 00:06:04,550
In this lecture we actually have a client. When we did it in previous lectures there were no

73
00:06:04,550 --> 00:06:11,060
clients connected so we had to associate, our client showed up in here, and then we used our client MAC

74
00:06:11,060 --> 00:06:16,490
address to replay one of the ARP packets and we managed to increase the number of data rapidly that

75
00:06:16,490 --> 00:06:17,600
way.

76
00:06:17,600 --> 00:06:21,060
What we're going to do today is, because we already have a connected client,

77
00:06:21,200 --> 00:06:27,050
we're going to use this connected client in our replay attack, and this method will work against

78
00:06:27,050 --> 00:06:33,930
both normal networks and against the WEP networks that use SKA.

79
00:06:33,960 --> 00:06:37,950
So this attack is going to be exactly the same as the ARP replay attack that we did.

80
00:06:37,950 --> 00:06:42,690
The only difference is we're going to use the MAC address of a connected client instead of my own

81
00:06:42,690 --> 00:06:44,140
MAC address.

82
00:06:44,380 --> 00:06:54,470
So the command is going to be aireplay-ng --arpreplay, then we're going to do -b and we're going

83
00:06:54,470 --> 00:07:00,230
to give it the MAC address of the target network, then we're going to do -h.

84
00:07:00,470 --> 00:07:05,240
And instead of giving it my own MAC address like we did in previous videos I'm going to use the MAC

85
00:07:05,240 --> 00:07:08,720
address of one of the connected clients which is this one,

86
00:07:13,300 --> 00:07:18,550
then I'm going to put my wireless card in monitor mode which is mon0 and we're ready to go.

87
00:07:18,550 --> 00:07:20,680
So again we're using aireplay-ng.

88
00:07:21,040 --> 00:07:24,470
We're doing our ARP replay attack exactly like we did before.

89
00:07:24,730 --> 00:07:28,330
We're specifying the target network after the -b.

90
00:07:28,690 --> 00:07:35,050
And then we're specifying the MAC address of a connected client this time instead of specifying my

91
00:07:35,050 --> 00:07:43,540
own MAC address. So I'm going to hit enter and all this is going to do is it's going to wait for an ARP

92
00:07:43,740 --> 00:07:49,970
packet and once it captures one of them it's going to inject it into the traffic, and when it's going

93
00:07:49,960 --> 00:07:55,810
to do that it's actually relying on this connected client and it's injecting it as if this packet

94
00:07:55,810 --> 00:07:59,030
is coming from this connected client.

95
00:07:59,080 --> 00:08:04,840
And as you can see the number of data is increasing very very fast right now and I can just run

96
00:08:04,960 --> 00:08:08,420
aircrack-ng on the side and I should be able to crack the password.

97
00:08:09,270 --> 00:08:11,670
So again I'm going to run this like we did before.

98
00:08:12,090 --> 00:08:15,470
And we named the file SKA test.

99
00:08:15,490 --> 00:08:23,150
And we named it 2, and we have to append the -01 because airodump-ng does that automatically

100
00:08:23,740 --> 00:08:27,740
and that's going to be .cap. And again I hit Enter

101
00:08:31,340 --> 00:08:36,850
now I'm going to stop this.

102
00:08:37,030 --> 00:08:39,250
As you can see we managed to get the key.

103
00:08:39,370 --> 00:08:45,070
Now we can use this, we just remove these dots from it and connect to the target network and we'll be

104
00:08:45,070 --> 00:08:46,560
able to connect to it.

105
00:08:47,750 --> 00:08:54,440
So again this method works on both normal WEP networks and the ones that use shared key authentication,

106
00:08:54,710 --> 00:08:56,560
or SKA.

107
00:08:56,720 --> 00:09:01,710
The only thing that it requires is an existing connected client to the network.

108
00:09:01,760 --> 00:09:03,650
So it's not a clientless cracking method.
