All language subtitles for 023 Cracking SKA Networks-subtitle-en

1
00:00:00,630 --> 00:00:06,930
Now in this video I'd like to cover a configuration that might be used on the target router that could

2
00:00:06,930 --> 00:00:09,690
make cracking it a little bit different.

3
00:00:09,840 --> 00:00:16,950
Now as we know WEP is very rare to see now anyway and this configuration is actually really really rare.

4
00:00:16,980 --> 00:00:22,260
And most routers don't even support it. It is a bit different to crack it though.

5
00:00:22,300 --> 00:00:26,580
And usually people get confused when they see it and won't even know what to do.

6
00:00:26,800 --> 00:00:33,130
But it's actually kind of easier to crack this type of configuration than the normal WEP configuration.

7
00:00:33,130 --> 00:00:38,870
What I want to talk about is if the target router does not use open authentication.

8
00:00:39,070 --> 00:00:44,190
So we've seen in all the previous videos the first step was to do a fake authentication attack.

9
00:00:44,200 --> 00:00:51,940
We changed the auth in airodump-ng to open. In this case the router can be configured to use a shared

10
00:00:51,940 --> 00:00:53,230
key authentication.

11
00:00:53,230 --> 00:00:59,650
So I have my router settings page here and you can see that I changed the setting here to required and

12
00:00:59,800 --> 00:01:06,550
what this basically does is it prevents anybody from even associating with the router if they don't know

13
00:01:06,550 --> 00:01:07,340
the key.

14
00:01:07,690 --> 00:01:14,840
So usually routers use open authentication which basically means anybody can associate with the router.

15
00:01:15,100 --> 00:01:18,890
And then the router will check if you have the right password, if you have the right key.

16
00:01:18,940 --> 00:01:20,380
If you do they let you connect.

17
00:01:20,380 --> 00:01:22,150
If you don't they won't let you connect.

18
00:01:22,300 --> 00:01:28,420
So they actually allow you to associate and they'll communicate with you. If a shared key is used then

19
00:01:28,420 --> 00:01:34,510
the router will not even allow you to associate unless you encrypt a challenge for it and send it to

20
00:01:34,510 --> 00:01:34,890
it.

21
00:01:35,020 --> 00:01:41,550
You won't even be able to associate with the router if you don't have this shared key.

22
00:01:41,560 --> 00:01:43,130
Let me show you an example here.

23
00:01:43,330 --> 00:01:47,560
So I'm just going to do first of all airodump-ng mon0 to see all the networks around us

24
00:01:50,950 --> 00:01:57,460
and you can see that I have this network which I configured for this class and it's called SKA test

25
00:01:57,510 --> 00:01:58,660
AP.

26
00:01:59,050 --> 00:02:06,490
So it's right on channel 1 and I'm going to copy its MAC address and we're going to run airodump-ng

27
00:02:06,490 --> 00:02:14,060
against this network only. We're going to give it the BSSID, the channel

28
00:02:17,260 --> 00:02:24,940
and we're going to store the data to our file and we'll call the file ska-test and then I'm going to

29
00:02:24,940 --> 00:02:28,340
put my wireless card in monitor mode which is mon0.

30
00:02:28,810 --> 00:02:32,370
So it's the same command that we've always been doing: airodump-ng, the

31
00:02:32,380 --> 00:02:36,030
BSSID of the target, the channel, and we're writing to a file.

32
00:02:36,280 --> 00:02:41,570
We're going to hit enter and this is going to run against our target only.

33
00:02:41,700 --> 00:02:47,220
And now I'm just going to come in and do a fake authentication just to show you what happens in SKA

34
00:02:47,250 --> 00:02:48,060
networks.

35
00:02:48,090 --> 00:02:51,320
So we're going to do a fake authentication exactly like we did it before.

36
00:02:51,360 --> 00:03:00,200
So it's going to be aireplay-ng --fakeauth and we're going to put 0 and then we're going to do

37
00:03:00,230 --> 00:03:09,210
-a, put the MAC address of the router, and then I'm going to do -h and put my own MAC address which

38
00:03:09,270 --> 00:03:14,740
is... Now I'm doing all this real quick because you should know all of this by now because we covered it

39
00:03:14,800 --> 00:03:24,710
in previous lectures. My own MAC address is zero zero zero C A 2 8 2 9 8.

40
00:03:25,120 --> 00:03:29,190
Then we're going to put our wireless card in monitor mode which is mon0.

41
00:03:30,770 --> 00:03:36,470
So again same command we always use for the fake authentication: we're going to do aireplay-ng --fakeauth

42
00:03:36,950 --> 00:03:40,530
0, target MAC address, my MAC address.

43
00:03:40,630 --> 00:03:41,410
I'm going to hit enter

44
00:03:44,330 --> 00:03:52,620
so I'm going to Control-C this so you can see that we have SKA here under the auth instead of open.

45
00:03:52,790 --> 00:03:56,320
And that means we can't really do all the attacks that we did previously.

46
00:03:56,320 --> 00:04:02,270
The three methods, the three injection methods that we spoke about previously. The way to fake authenticate

47
00:04:02,270 --> 00:04:09,020
yourself with SKA networks is you'll have to deauthenticate one of the connected clients in here.

48
00:04:09,020 --> 00:04:09,980
So you actually need...

49
00:04:09,980 --> 00:04:15,380
You have to have a client connected to the network. You're going to have to deauthenticate it. Once you

50
00:04:15,380 --> 00:04:16,250
do that

51
00:04:16,620 --> 00:04:18,750
airodump-ng will capture an SKA.

52
00:04:18,920 --> 00:04:21,300
You can see that I have a broken SKA here.

53
00:04:21,470 --> 00:04:27,950
But if you do that properly you will get a normal SKA and then you'll use that file with the

54
00:04:27,950 --> 00:04:32,140
-y option to fake authenticate yourself to associate with the network.

55
00:04:32,270 --> 00:04:37,220
And then you can do all the attacks that we spoke about in the previous lectures, the three methods.

56
00:04:37,220 --> 00:04:43,610
The thing is that's a bit too complicated and there are two better methods to do that because as I said

57
00:04:43,730 --> 00:04:50,030
if you want to associate and the target network uses SKA the network has to have a connected client,

58
00:04:50,030 --> 00:04:52,640
has to have at least one connected client.

59
00:04:52,640 --> 00:04:58,130
So based on that fact there's actually better ways to crack that network and I'm going to show you the

60
00:04:58,130 --> 00:05:04,460
first method right now and that is using an ARP replay attack.

61
00:05:04,480 --> 00:05:05,860
So let me close this first.

62
00:05:09,400 --> 00:05:17,450
And I'm going to clear this and I'm actually going to stop this and clear it and run the attack again

63
00:05:17,450 --> 00:05:22,060
because I want to show you that you actually don't even need to run a fake authentication for this.

64
00:05:22,340 --> 00:05:28,410
So we're just going to name it something else, we're going to call it ska-test2, and we're going to launch

65
00:05:28,430 --> 00:05:29,380
airodump-ng.

66
00:05:29,650 --> 00:05:35,210
And as you can see right here you don't have authentication or anything on this network right now.

67
00:05:35,590 --> 00:05:40,210
And what I'm going to do is I'm going to do an ARP replay attack.

68
00:05:40,390 --> 00:05:43,750
So we spoke about that and we actually did it in a previous lecture.

69
00:05:43,780 --> 00:05:49,480
The only difference is when we did it we did a fake authentication and we associated with the network

70
00:05:50,020 --> 00:05:56,680
and then we used the replay attack based on our MAC address so we replayed packets from our computer

71
00:05:57,070 --> 00:06:03,310
and injected them into the router. In this lecture, because we actually have a client... when we did it in

72
00:06:03,310 --> 00:06:05,430
previous lectures there were no clients connected.

73
00:06:05,430 --> 00:06:12,310
So we had to associate, our client showed up in here, and then we used our client MAC address to replay

74
00:06:12,310 --> 00:06:17,650
one of the ARP packets and we managed to increase the number of data rapidly that way.

75
00:06:17,650 --> 00:06:21,080
What we're going to do today is, because we already have a connected client,

76
00:06:21,220 --> 00:06:27,100
we're going to use this connected client in our replay attack and this method will work against

77
00:06:27,100 --> 00:06:33,960
both normal networks and against the WEP networks that use SKA.

78
00:06:33,980 --> 00:06:37,960
So this attack is going to be exactly the same as the ARP replay attack that we did.

79
00:06:37,970 --> 00:06:44,200
The difference is we're going to use the MAC address of a connected client instead of my own MAC address.

80
00:06:44,420 --> 00:06:54,350
So the command is going to be aireplay-ng --arpreplay then we're going to do -b and we're

81
00:06:54,350 --> 00:07:00,220
going to give it the MAC address of the target network then we're going to do -h.

82
00:07:00,530 --> 00:07:05,270
And instead of giving it my own MAC address like we did in previous videos I'm going to use the MAC

83
00:07:05,270 --> 00:07:08,750
address of one of the connected clients which is this one

84
00:07:13,330 --> 00:07:18,580
then I'm going to put my wireless card in monitor mode which is mon0 and we're ready to go.

85
00:07:18,580 --> 00:07:24,970
So again we're using aireplay-ng and we're doing an ARP replay attack exactly like we did before. We're

86
00:07:24,970 --> 00:07:28,340
specifying the target network after the -b.

87
00:07:28,720 --> 00:07:35,110
And then we're specifying the MAC address of a connected client this time instead of specifying my

88
00:07:35,110 --> 00:07:43,570
own MAC address. So I'm going to hit enter and all this is going to do is it's going to wait for an ARP

89
00:07:44,300 --> 00:07:50,000
packet and once it captures one of them it's going to inject it into the traffic. When it's going

90
00:07:50,010 --> 00:07:55,840
to do that it's actually relying on this connected client and it's injecting it as if this packet

91
00:07:55,840 --> 00:07:59,110
is coming from this connected client.

92
00:07:59,110 --> 00:08:04,840
And as you can see the number of data is increasing very very fast right now and I can just run

93
00:08:04,990 --> 00:08:08,490
aircrack-ng on the side and I should be able to crack the password.

94
00:08:09,330 --> 00:08:15,510
So again I'm going to run this like we did before and we named the file ska-test.

95
00:08:15,530 --> 00:08:22,020
And we named it 2 and we have to append the -01 because airodump-ng

96
00:08:22,030 --> 00:08:27,760
does that automatically and that's going to be a .cap. So we're going to hit enter

97
00:08:31,370 --> 00:08:36,870
now I'm going to stop this.

98
00:08:37,060 --> 00:08:39,330
As you can see we managed to get the key.

99
00:08:39,400 --> 00:08:45,100
Now we can use this, we just remove these dots from it and connect to the target network and we'll be

100
00:08:45,100 --> 00:08:46,570
able to connect to it.

101
00:08:47,780 --> 00:08:54,500
So again this method works on both normal WEP networks and the ones that use shared key authentication

102
00:08:54,740 --> 00:08:56,580
or SKA.

103
00:08:56,750 --> 00:09:01,750
The only thing that it requires is an existing connected client to the network.

104
00:09:01,790 --> 00:09:03,900
So it's not a clientless cracking method.
