1
00:00:00,660 --> 00:00:06,540
Now the attacks that we've seen in the previous video worked perfectly because the PIN was really simple:
2
00:00:06,550 --> 00:00:12,210
it was set to 12345670, and it actually came from the factory like this.
3
00:00:12,210 --> 00:00:14,560
So most people will not modify that.
4
00:00:14,630 --> 00:00:20,130
And if your target is using the same router that I got from my internet provider then you'll be able
5
00:00:20,130 --> 00:00:23,220
to crack their password very very easily.
6
00:00:23,220 --> 00:00:28,320
Right now I just want to show you an example. I actually modified the router settings and I set the PIN
7
00:00:28,320 --> 00:00:29,960
to be something more random again.
8
00:00:29,970 --> 00:00:34,610
It still has to be eight digits, and it still has to be made out of digits only.
9
00:00:34,620 --> 00:00:38,660
So you'll still be able to cover all possibilities and crack it.
10
00:00:38,790 --> 00:00:41,880
And I just want to show you that this still works.
11
00:00:41,910 --> 00:00:46,740
If the PIN was more complicated than just one two three four five six seven.
12
00:00:47,100 --> 00:00:48,770
So I'm just going to run wash
13
00:00:53,780 --> 00:00:59,030
and we can see that I have my target here, the test AP, and I'm just going to run reaver against it
14
00:00:59,030 --> 00:01:01,230
exactly like I did in the previous lecture.
15
00:01:03,350 --> 00:01:08,810
Give it the BSSID, the channel and my wireless interface.
16
00:01:08,810 --> 00:01:15,070
I'm going to hit enter, and reaver actually supports pause and resume.
17
00:01:15,080 --> 00:01:21,260
So if you were cracking a network and you reached 50 percent, for example, and then you wanted to stop
18
00:01:21,260 --> 00:01:27,110
that attack for some reason, you can just press Control-C at the same time, go do whatever you wanted
19
00:01:27,110 --> 00:01:33,290
to do and come back even weeks after, and just launch reaver again against that network, and reaver
20
00:01:33,290 --> 00:01:38,640
will know where it stopped and it'll start from 50 percent, so it's not going to start from scratch.
21
00:01:38,660 --> 00:01:39,880
So with this, I'm going to tell it:
22
00:01:39,890 --> 00:01:40,760
Yes please.
23
00:01:40,780 --> 00:01:46,610
Resume, and it's going to start with me, so you can see that so far I tried 25 and it's just going
24
00:01:46,610 --> 00:01:50,830
to keep going and it's going to try to brute force all possibilities.
25
00:01:50,930 --> 00:01:57,620
And if we look at the start, you'll remember that it said there are eleven thousand possibilities, so it
26
00:01:57,620 --> 00:02:00,620
can actually cover all these possibilities; it's not a huge number.
27
00:02:00,680 --> 00:02:06,260
And then when it covers all of them, it will definitely be able to get the PIN and then calculate the
28
00:02:06,260 --> 00:02:08,110
key from the pin.
29
00:02:08,120 --> 00:02:12,560
Now I'm going to Control-C out of this because this is actually working properly, and I just wanted, I
30
00:02:12,560 --> 00:02:16,550
just want to show you what it would look like while it's working
31
00:02:16,550 --> 00:02:23,900
if the PIN was a bit more complicated. So you can see right here it is 0.37 percent and it's
32
00:02:23,900 --> 00:02:30,500
saying that the estimated maximum time is 6 hours five minutes to cover all possibilities.
33
00:02:30,560 --> 00:02:35,520
So you might actually be able to guess the PIN before that time and get the key.
34
00:02:35,630 --> 00:02:40,340
But the maximum time that you're going to have to wait is six hours, five minutes and 18 seconds.
35
00:02:40,340 --> 00:02:48,350
Now if I go up, notice that it's at 0.37 percent; if I go up you'll see that I was at zero point three
36
00:02:48,350 --> 00:02:49,010
three percent.
37
00:02:49,010 --> 00:02:54,350
So it's actually working; it's trying the PINs, it's going through the PINs and trying them one by
38
00:02:54,350 --> 00:02:56,430
one, individually, so everything is working.
39
00:02:56,450 --> 00:03:02,280
All I have to do in this case is just wait for it to get the PIN and then give me the key.
40
00:03:02,290 --> 00:03:09,040
Now this router is configured in a way that it's going to accept failed attempts and it will never lock.
41
00:03:09,040 --> 00:03:13,030
So when we run wash, I'm just going to go and run wash again like I did,
42
00:03:16,710 --> 00:03:19,970
you'll see the WPS locked here.
43
00:03:19,980 --> 00:03:28,900
And for my test AP it's still set to no. What this basically means is some routers lock after a number
44
00:03:28,900 --> 00:03:30,070
of failed attempts.
45
00:03:30,070 --> 00:03:35,240
So when you try to authenticate with them using a wrong PIN, after four or five, six,
46
00:03:35,320 --> 00:03:40,270
however the router is configured, they will lock and they'll stop accepting any requests,
47
00:03:40,270 --> 00:03:42,260
even if we try the right PIN.
48
00:03:42,280 --> 00:03:46,250
So, right now the test AP never locks.
49
00:03:46,270 --> 00:03:49,560
Even if I try a thousand wrong PINs it'll never lock.
50
00:03:49,570 --> 00:03:50,830
So that's really handy.
51
00:03:50,830 --> 00:03:52,730
And that's why it's very easy to crack.
52
00:03:53,440 --> 00:03:58,630
While you're testing, you might face some routers that are configured to lock after a number of failed
53
00:03:58,630 --> 00:03:59,590
attempts.
54
00:03:59,740 --> 00:04:04,300
And once the router locks, basically you won't be able to do anything and you'll have to wait for it
55
00:04:04,330 --> 00:04:07,000
until it unlocks. Some routers unlock
56
00:04:07,000 --> 00:04:13,600
after a minute, some routers unlock after five minutes, and some routers take days to unlock.
57
00:04:13,600 --> 00:04:18,170
So it's not really a good idea to just sit down and wait for the router to unlock.
58
00:04:19,280 --> 00:04:25,850
Now my other router, the updated one that's sent from the company, actually does lock after failed attempts,
59
00:04:26,240 --> 00:04:30,710
and I'm going to show you now. I'm just going to run reaver against it and I'm going to show you what
60
00:04:30,710 --> 00:04:32,930
the router looks like if it's locked.
61
00:04:32,930 --> 00:04:36,110
So my other router is actually the one that I'm using currently.
62
00:04:36,110 --> 00:04:41,260
So it's still named the default name and it's this one.
63
00:04:41,570 --> 00:04:46,880
So I'm going to run reaver against it again using the same command that we did in the previous lecture.
64
00:04:46,880 --> 00:04:52,310
I'm not going to do anything fancy, so it's just going to be, I'm going to clear this first and then I'm
65
00:04:52,310 --> 00:05:01,190
going to do reaver -b, the BSSID, on channel 6, and then I'm going to give it my wireless
66
00:05:01,190 --> 00:05:03,510
card in monitor mode, hit enter.
67
00:05:04,720 --> 00:05:06,310
Sorry I had to give it after mine.
68
00:05:06,320 --> 00:05:06,530
I
69
00:05:09,500 --> 00:05:14,650
and again it's asking me if I wanted to continue from the last time. I'm going to say no to start from
70
00:05:14,650 --> 00:05:15,460
scratch.
71
00:05:17,470 --> 00:05:21,450
And I can see that it works for a bit and then it just completely locks.
72
00:05:21,460 --> 00:05:25,420
It doesn't really do anything; it just sits down there.
73
00:05:25,450 --> 00:05:29,990
Now if I press Control-C and run wash again
74
00:05:33,890 --> 00:05:39,950
you'll see that the router got locked right here and it won't accept any more requests right now, so we
75
00:05:39,950 --> 00:05:44,020
can't really do anything at the moment because WPS is locked.
76
00:05:45,610 --> 00:05:52,990
Now the simplest way to get the router to unlock is to just deauthenticate all the connected computers
77
00:05:53,320 --> 00:05:59,500
and keep doing that for a long period of time until one of the users will just think that there
78
00:05:59,500 --> 00:06:05,080
is something happening in the network and just goes in and turns off the router and turns it back on. When
79
00:06:05,080 --> 00:06:10,670
they do that, the router will get unlocked and then you'll be able to run reaver again.
80
00:06:10,690 --> 00:06:14,900
So to do that, all you have to do is the deauthentication attack like we did before.
81
00:06:14,950 --> 00:06:22,180
So we're going to do aireplay-ng --deauth; we're going to give it the access point
82
00:06:25,240 --> 00:06:30,100
and you're not going to specify a client because you want to disconnect all the clients, and then you're
83
00:06:30,100 --> 00:06:33,660
going to give it the card in monitor mode, which is zero.
84
00:06:34,270 --> 00:06:41,050
And don't forget to specify a really large number after the --deauth; we spoke about this before,
85
00:06:41,060 --> 00:06:45,920
and I'm not going to run this attack right now because it actually requires physical interaction from
86
00:06:45,920 --> 00:06:49,740
the user to go and restart the router.
87
00:06:49,750 --> 00:06:54,390
So again, it's not the best way, but it is a way to get the router to restart.
88
00:06:54,480 --> 00:06:56,700
There are better methods to do that.
89
00:06:56,770 --> 00:07:01,790
We're going to do them using a tool called mdk3, and we'll talk about them in the next lecture.