All language subtitles for 26 - Hacking WPA & WPA2 Without a Wordlist English

1
00:00:00,980 --> 00:00:08,420
OK, now that we know what WPS is and how it can be used to recover the password for WPA and

2
00:00:08,420 --> 00:00:12,710
WPA2 networks, let's see how to do that in practice.

3
00:00:14,000 --> 00:00:20,450
So right here I have my Kali machine, I've already enabled monitor mode on my wireless adapter on

4
00:00:20,450 --> 00:00:21,080
mon0.

5
00:00:21,590 --> 00:00:26,190
Now usually we use airodump-ng to see all the networks around us.

6
00:00:26,990 --> 00:00:31,870
But right now we want to see the networks that have WPS enabled.

7
00:00:32,060 --> 00:00:36,980
But because, like I said, it's just a feature and people can turn this feature off.

8
00:00:37,910 --> 00:00:40,820
So first of all, I'm going to use a tool called wash.

9
00:00:42,220 --> 00:00:51,880
To display all the networks around me that have WPS enabled, so we're going to do wash dash dash interface

10
00:00:52,660 --> 00:00:56,390
and give it my interface in monitor mode, which is mon0.

11
00:00:57,070 --> 00:01:03,670
So all we're doing is wash is the name of the tool, interface to give it the interface, and mon0

12
00:01:03,670 --> 00:01:06,100
is my wireless adapter in monitor mode.

13
00:01:06,580 --> 00:01:10,870
If I hit enter now, you'll see it'll list my network straight away.

14
00:01:11,950 --> 00:01:17,590
Now I press Control C to cancel this, similar to airodump-ng, because it'll keep running unless you cancel

15
00:01:17,590 --> 00:01:17,770
it.

16
00:01:18,340 --> 00:01:20,840
And you can see this is my target network.

17
00:01:20,860 --> 00:01:22,180
It's called Test AP.

18
00:01:22,480 --> 00:01:26,290
It's given us the vendor of the hardware used in this network.

19
00:01:26,290 --> 00:01:35,080
And this access point, the Lck, tells us whether WPS is locked or not, because sometimes WPS locks

20
00:01:35,080 --> 00:01:37,060
after a number of failed attempts.

21
00:01:37,630 --> 00:01:42,070
So right now, this is No, which means that we can actually go ahead and try to guess the pin.

22
00:01:42,940 --> 00:01:46,270
It's given us the version of WPS, it's using version one.

23
00:01:47,140 --> 00:01:51,540
The signal strength is in here, the channel and the BSSID.

24
00:01:52,780 --> 00:01:58,630
Now I explained the meaning of all of these things before in my airodump-ng lecture, so I'm not going to

25
00:01:58,630 --> 00:01:59,650
talk about them now.

26
00:01:59,770 --> 00:02:04,930
If you forgot the meaning of any of these terms, please go back to the airodump-ng lecture.

27
00:02:06,220 --> 00:02:12,850
Now, this network actually uses WPA2, so just to confirm this to you, if I go here to my host

28
00:02:12,850 --> 00:02:15,100
machine and just try to connect to it.

29
00:02:16,500 --> 00:02:22,920
You'll see that it's telling me that this uses a WPA2 password, but like I said, we don't care if

30
00:02:22,920 --> 00:02:29,910
it's WPA or WPA2 because we're going to be exploiting a feature in these encryptions, which is

31
00:02:29,910 --> 00:02:31,410
the WPS feature.

32
00:02:32,640 --> 00:02:35,670
So now that we know our target network uses WPS,

33
00:02:36,960 --> 00:02:39,630
there's a good chance that this attack will work against it.

34
00:02:39,930 --> 00:02:46,260
The only reason it might fail is if the target uses PBC or push button authentication.

35
00:02:47,070 --> 00:02:53,490
Like I said, if the target uses PBC, then it will refuse all the pins unless the button is pressed

36
00:02:53,490 --> 00:02:56,340
on the router and therefore this attack will fail.

37
00:02:57,000 --> 00:03:00,870
The only way to know is to literally try this attack and see if it works.

38
00:03:02,290 --> 00:03:06,270
So I'm going to copy the MAC address of this network or the BSSID.

39
00:03:08,070 --> 00:03:13,770
And the first thing that I'm going to do, similar to what we did with WEP, I'm going to associate

40
00:03:13,770 --> 00:03:17,370
with the target network using a fake authentication attack.

41
00:03:17,610 --> 00:03:20,580
So basically, I'll be saying I want to communicate with you.

42
00:03:20,700 --> 00:03:21,960
Please don't ignore me.

43
00:03:22,080 --> 00:03:27,420
So that when I run the attack, the network will start accepting the pins and not ignore me.

44
00:03:28,260 --> 00:03:33,990
So to associate, we're going to use the exact same command that we used when we did it with WEP.

45
00:03:34,290 --> 00:03:37,980
So we're going to use aireplay-ng and we're going to tell it.

46
00:03:37,980 --> 00:03:40,410
I want to run a fake authentication attack.

47
00:03:41,460 --> 00:03:42,930
We're going to give it the delay.

48
00:03:43,260 --> 00:03:46,950
So this is the time to wait between association attempts.

49
00:03:47,310 --> 00:03:51,660
Previously, we set it to zero and we had to do this manually every now and then.

50
00:03:52,050 --> 00:03:58,530
Right now, I'm going to set it to 30 so that we associate with the target network every 30 seconds.

51
00:04:00,110 --> 00:04:06,320
Then I'm going to do a dash a to give it the MAC address of my target and dash h to give it the

52
00:04:06,320 --> 00:04:09,440
MAC address of my wireless adapter in monitor mode.

53
00:04:09,680 --> 00:04:12,710
And we see that we can get this by doing ifconfig.

54
00:04:14,820 --> 00:04:18,270
And copy it from here, we said it's the first 12 digits.

55
00:04:20,610 --> 00:04:23,910
And I'll just replace the minus with the colon.

56
00:04:25,260 --> 00:04:30,690
And finally, I'm going to give it the name of my wireless adapter in monitor mode, which is mon0.

57
00:04:32,230 --> 00:04:34,270
So I explained this in detail before.

58
00:04:34,810 --> 00:04:36,330
That's why I did it quickly.

59
00:04:36,370 --> 00:04:38,140
If you don't remember how I did this.

60
00:04:38,380 --> 00:04:41,440
Please go back to the fake authentication attack lecture.

61
00:04:42,420 --> 00:04:45,850
So the command is ready now, but I'm not going to execute it.

62
00:04:46,200 --> 00:04:51,840
I'm going to go down to the bottom terminal and run reaver, which is the program that will brute force

63
00:04:51,840 --> 00:04:59,780
the pin for me, and only then I will associate with the target because otherwise aireplay-ng

64
00:04:59,790 --> 00:05:02,430
will fail to associate with my network.

65
00:05:03,830 --> 00:05:06,380
So I'm going to move to this terminal right here.

66
00:05:06,680 --> 00:05:08,120
I'm going to clear the screen.

67
00:05:09,190 --> 00:05:15,100
And we're going to run reaver, which is the program that's going to brute force the pin, so it's going

68
00:05:15,100 --> 00:05:18,670
to try every possible pin until it gets the right pin.

69
00:05:18,790 --> 00:05:24,280
Once it has the right pin, it will use it to compute the actual WPA key.

70
00:05:25,270 --> 00:05:27,760
So using reaver is very, very simple.

71
00:05:27,760 --> 00:05:30,490
It's very similar to everything we've been doing so far.

72
00:05:30,820 --> 00:05:34,150
So first of all, we have to type the program name, which is reaver.

73
00:05:35,800 --> 00:05:40,990
Then I'm going to do a dash dash bssid to give it the MAC address of my target network.

74
00:05:41,260 --> 00:05:42,550
So I'm just going to paste it.

75
00:05:43,870 --> 00:05:45,640
Then I'm going to do a dash dash channel.

76
00:05:47,120 --> 00:05:50,060
And give it the channel of the target network, which is one.

77
00:05:51,180 --> 00:05:58,020
Then we're going to do a dash dash interface and give it my wireless adapter in monitor mode, which

78
00:05:58,020 --> 00:05:59,010
is mon0.

79
00:06:00,290 --> 00:06:05,570
So a very, very simple command, we're using reaver, this is the name of the program that will do the

80
00:06:05,570 --> 00:06:07,610
brute force thing for us and give us the key.

81
00:06:08,180 --> 00:06:11,450
We're giving it the BSSID, the MAC address of my target.

82
00:06:11,810 --> 00:06:14,540
We're doing dash dash channel to give it the channel

83
00:06:14,690 --> 00:06:16,730
that my target is running on.

84
00:06:17,060 --> 00:06:23,180
And we're doing dash dash interface to give it the name of my wireless adapter in monitor mode.

85
00:06:24,410 --> 00:06:26,690
I'm also going to add two more options.

86
00:06:26,690 --> 00:06:32,120
I'm going to add dash v to show us as much information as possible.

87
00:06:32,480 --> 00:06:35,750
This is really helpful if it fails or things go wrong.

88
00:06:35,930 --> 00:06:41,810
We'll be able to know what's happening, why things are going wrong, and I'm also going to do a dash

89
00:06:41,810 --> 00:06:42,200
dash

90
00:06:42,440 --> 00:06:44,540
no associate.

91
00:06:46,400 --> 00:06:52,490
To tell reaver not to associate with the target network because we're already manually doing that

92
00:06:52,490 --> 00:06:53,060
in here.

93
00:06:53,870 --> 00:06:57,050
So reaver can automatically do this step right here for you.

94
00:06:57,320 --> 00:06:59,540
But I've seen that it fails a lot.

95
00:06:59,780 --> 00:07:06,380
Therefore, it's actually better to do it ourselves manually here and then tell reaver not to associate.

96
00:07:07,780 --> 00:07:13,660
So now I'm going to hit enter to get reaver to work, and I'm going to go up to the top terminal

97
00:07:13,870 --> 00:07:19,840
and I'm going to hit enter to associate with the target network, telling it please don't ignore us, so

98
00:07:19,840 --> 00:07:27,460
that reaver at the bottom here can brute force the pin and try every possible pin until we get the correct

99
00:07:27,460 --> 00:07:29,800
pin, which we'll use to get the password.

100
00:07:30,310 --> 00:07:32,870
And as you can see right now, reaver is trying

101
00:07:33,100 --> 00:07:35,620
the PIN one two three four five six seven.

102
00:07:37,680 --> 00:07:38,520
Aren't perfect.

103
00:07:38,970 --> 00:07:44,100
You can see the pin was actually one two three four five six seven zero, so it's a simple pin.

104
00:07:44,520 --> 00:07:46,230
It actually came with this pin.

105
00:07:46,230 --> 00:07:48,120
So I it's manually set this pin.

106
00:07:48,270 --> 00:07:52,830
My router came from the factory with WPS enabled with this pin.

107
00:07:53,340 --> 00:07:57,360
So like I said, this still works, but again, not against old routers.

108
00:07:58,200 --> 00:08:05,100
From that, it was able to discover the WPA key, which is you are you are W6 or and the name of the

109
00:08:05,100 --> 00:08:06,420
router is Test AP.

110
00:08:07,200 --> 00:08:09,990
So it can literally go ahead and connect with this password.

111
00:08:10,170 --> 00:08:16,530
And I'll be able to connect to the network and see and decrypt all of the packets sent in the air.
