1
00:00:01,560 --> 00:00:09,430
Previously we've seen how we can use reaver to crack the WPS PIN and from it get the WPA key.
2
00:00:09,610 --> 00:00:14,560
We've seen the basic usage against a router that's not very secure.
3
00:00:14,610 --> 00:00:20,850
Now like I said that router was given to me by the Internet provider with these default settings so
4
00:00:20,850 --> 00:00:26,970
most people will actually leave it at the settings and it'll be as easy as that to exploit all the networks
5
00:00:26,970 --> 00:00:31,960
that use these routers unless the user went and manually changed the settings.
6
00:00:33,500 --> 00:00:38,040
Now with this lecture I want to show you another example of a more secure router.
7
00:00:38,060 --> 00:00:43,820
So this is another router that I have in here and I want to run reaver against it and we will see
8
00:00:43,940 --> 00:00:48,350
how we can crack its PIN and get the password.
9
00:00:48,370 --> 00:00:53,930
So first of all we're going to have to run wash to see all the WPS-enabled routers around me.
10
00:00:54,010 --> 00:00:59,120
So we're going to do wash -i mon0.
11
00:00:59,140 --> 00:01:04,570
So this is exactly the same command that we were running before; mon0 is my wireless adapter in monitor
12
00:01:04,570 --> 00:01:05,210
mode.
13
00:01:05,440 --> 00:01:06,360
I'm going to hit enter
14
00:01:09,720 --> 00:01:14,820
and as you can see I have all the WPS-enabled routers around me.
15
00:01:14,820 --> 00:01:23,760
Now my target in this video is going to be this one which is called Test AP 2 and it has this MAC address.
16
00:01:23,870 --> 00:01:25,000
So like we did before.
17
00:01:25,010 --> 00:01:31,990
I'm going to first copy this and I'm going to run the basic reaver command that we used previously.
18
00:01:32,180 --> 00:01:33,710
So it's just going to be reaver,
19
00:01:34,980 --> 00:01:44,970
BSSID, then provide the channel, which is 11, and then we'll give it my wireless adapter in monitor mode
20
00:01:45,240 --> 00:01:47,000
which is mon0.
21
00:01:47,520 --> 00:01:51,080
So a very basic command that we've seen before; we're just doing reaver.
22
00:01:51,210 --> 00:01:58,600
We're giving it the BSSID of the target network, then we're giving it the channel of that network as well.
23
00:01:58,770 --> 00:02:02,330
And then we are giving it my wireless card in monitor mode.
24
00:02:02,520 --> 00:02:08,410
I'm going to hit Enter. Now, I've actually executed this command before.
25
00:02:08,410 --> 00:02:14,090
So it's asking me do I want to continue from where I left in the last time do I want to restart my session.
26
00:02:14,200 --> 00:02:17,850
I'm going to say no because I want you to see what's going to happen.
27
00:02:18,100 --> 00:02:20,420
So we're assuming that we're starting from scratch.
28
00:02:23,610 --> 00:02:31,410
And as you can see it keeps saying failed to associate with my mac address and this message will keep
29
00:02:31,410 --> 00:02:33,440
continuing to show in here.
30
00:02:33,510 --> 00:02:38,460
So it will be it will basically just be stuck in here and we're just not going to get any results at
31
00:02:38,460 --> 00:02:39,080
all.
32
00:02:40,300 --> 00:02:49,040
So I'm going to first Control-C out of this. Now, to fix this issue, we're going to manually associate
33
00:02:49,370 --> 00:02:51,020
with this access point.
34
00:02:51,290 --> 00:02:56,900
So I actually covered before in a full lecture how to run a fake authentication attack.
35
00:02:57,230 --> 00:03:00,770
This is exactly what they mean here by association.
36
00:03:00,770 --> 00:03:07,430
So what we're going to do, we're going to manually associate with the target using aireplay-ng and then
37
00:03:07,430 --> 00:03:12,410
we'll run reaver again and tell it not to associate because we're going to do that manually.
38
00:03:12,440 --> 00:03:18,860
So we'll just tell reaver to do the rest of the things that we usually do but don't associate this time because
39
00:03:18,950 --> 00:03:23,020
I'm going to do that manually so I'm going to split the screen
40
00:03:26,320 --> 00:03:30,620
and I'm going to run aireplay-ng here to associate with my target.
41
00:03:30,850 --> 00:03:38,370
So I'm going to do aireplay-ng, I'm going to do --fakeauth to associate with the target, to
42
00:03:38,370 --> 00:03:42,820
do a fake authentication attack then I'm going to have to give the delay.
43
00:03:42,990 --> 00:03:48,450
And previously we used to give this at zero because we don't do this for a long period of time so we
44
00:03:48,450 --> 00:03:54,050
usually don't need to stay associated with the target for a long period of time.
45
00:03:54,250 --> 00:04:02,490
In this example we want to be associated with the target for as long as the time when reaver is working.
46
00:04:02,490 --> 00:04:04,810
So I'm going to set this to 100.
47
00:04:05,370 --> 00:04:13,080
And what this is going to do it'll basically set a delay of 500 seconds between the association attempts
48
00:04:13,080 --> 00:04:20,560
between the time when aireplay-ng sends the fake authentication packets. Next,
49
00:04:20,670 --> 00:04:25,220
I'm going to have to give the MAC address of the target access point.
50
00:04:25,290 --> 00:04:31,590
So we're going to do -a and give the MAC address, then I'm going to have to give the MAC address
51
00:04:32,010 --> 00:04:40,230
of my own wireless card, and we'll do that using the -h option. And to get my MAC address,
52
00:04:40,500 --> 00:04:42,570
I'm going to have to split the screen again.
53
00:04:45,370 --> 00:04:47,670
And do ifconfig mon0.
54
00:04:47,920 --> 00:04:53,630
So we're doing ifconfig followed by the name of your wireless adapter in monitor mode.
55
00:04:54,280 --> 00:05:00,430
I'm going to hit Enter, and under the unspec, this is your MAC address.
56
00:05:00,490 --> 00:05:05,030
So it's the first 12 digits of the unspec field.
57
00:05:05,170 --> 00:05:15,100
So in here to type it this is going to be 0 0 0 see a 8 2 8 2 9 8.
58
00:05:15,100 --> 00:05:21,560
Finally we'll type the name of my wireless adapter in monitor mode, which is mon0.
59
00:05:21,740 --> 00:05:23,230
So I'm going to close this here.
60
00:05:26,120 --> 00:05:28,460
And I'm just going to go over the command one more time.
61
00:05:28,610 --> 00:05:35,480
So the whole idea of doing this command is so that I can manually associate with my target because as
62
00:05:35,480 --> 00:05:41,650
you can see here reaver is failing to associate; it can't associate with my target, therefore it can't
63
00:05:41,660 --> 00:05:44,660
go and start brute forcing the pin.
64
00:05:44,720 --> 00:05:46,880
So we're going to do this manually here.
65
00:05:47,030 --> 00:05:53,240
We're doing it using aireplay-ng; we're telling aireplay-ng that I want you to do a fake authentication attack
66
00:05:53,240 --> 00:05:55,880
to associate with my target.
67
00:05:56,060 --> 00:06:00,980
I want you to use a delay of a hundred seconds between the association attempts.
68
00:06:00,980 --> 00:06:08,620
I want the MAC address of the target access point to be this one and my own MAC address is this one.
69
00:06:08,960 --> 00:06:12,420
And this is my wireless adapter in monitor mode.
70
00:06:14,220 --> 00:06:15,620
Now this is all good.
71
00:06:15,690 --> 00:06:21,030
Now we need to go back to reaver, and whenever we're going to run reaver we're going to use the exact same
72
00:06:21,030 --> 00:06:23,130
command that we ran previously.
73
00:06:23,130 --> 00:06:27,220
The only thing is I'm going to do a -A.
74
00:06:27,780 --> 00:06:31,590
Now I didn't discover this myself; if you just do reaver --help,
75
00:06:31,680 --> 00:06:36,200
you'll see all the options that you can use with reaver, including the -A.
76
00:06:36,300 --> 00:06:43,220
And you'll see a description that you can use this to tell reaver not to associate with the target.
77
00:06:43,270 --> 00:06:45,660
So we'll run reaver like that now.
78
00:06:47,570 --> 00:06:51,550
And this is asking me if I want to restart my session I'm going to say no.
79
00:06:51,920 --> 00:06:58,220
And then as soon as I hit Enter I'm going to go down here and start the fake authentication process.
80
00:06:58,370 --> 00:07:03,510
So I'm going to hit enter here go down here hit enter and let's see what's going to happen.
81
00:07:09,200 --> 00:07:10,140
And perfect.
82
00:07:10,140 --> 00:07:13,420
Now we managed to bypass this issue.
83
00:07:13,440 --> 00:07:18,690
We managed to bypass the association issue because as you can see it seemed that it's associated and
84
00:07:18,690 --> 00:07:22,100
it looks like it's trying to get trying to get it.
85
00:07:22,230 --> 00:07:24,450
But for some reason we're not moving ahead.
86
00:07:24,450 --> 00:07:28,170
We're still stuck at zero point zero zero percent.
87
00:07:28,860 --> 00:07:35,370
So for now we actually bypassed the association problem and in the next lecture I'll show you how to
88
00:07:35,370 --> 00:07:38,870
debug and tackle the other problem that we're facing.