1
00:00:01,120 --> 00:00:10,010
Okay, so far we know WPA Enterprise is an authentication method that can be used with WPA or WPA2 networks.
2
00:00:10,280 --> 00:00:19,220
So it uses encryption, and each user has to use their own unique username and password to authenticate
3
00:00:19,640 --> 00:00:21,350
and connect to the network.
4
00:00:21,650 --> 00:00:27,250
And we said all of this is managed using a RADIUS or a central server.
5
00:00:27,680 --> 00:00:33,950
Now let me show you an example of a network that uses WPA Enterprise, just so you get an idea of how
6
00:00:33,950 --> 00:00:34,920
it works.
7
00:00:35,300 --> 00:00:42,390
So if I go to Wi-Fi here, you'll see that I have a network here called company network.
8
00:00:42,840 --> 00:00:49,830
If I try to connect to this, you'll see it won't even try to establish a connection.
9
00:00:49,830 --> 00:00:54,880
The first thing that it's going to do is it's going to ask me to enter a username and password.
10
00:00:55,960 --> 00:01:00,400
Now the same happens here if I go to an OS X machine.
11
00:01:00,610 --> 00:01:07,040
So if I just connect to it in here you'll see that I'm going to be asked for a username and password.
12
00:01:07,060 --> 00:01:10,550
The only difference is the login box looks a little bit different.
13
00:01:11,840 --> 00:01:18,710
Now if you think of the idea, it's very similar to what happens with captive portals; it's just implemented
14
00:01:18,860 --> 00:01:22,590
in a much more secure manner as shown before.
15
00:01:22,680 --> 00:01:27,530
Captive portals also ask the users to enter a username and password.
16
00:01:27,710 --> 00:01:31,190
And if they're correct, they'll allow them to use the network.
17
00:01:31,220 --> 00:01:35,180
The only difference is captive portals are open networks.
18
00:01:35,180 --> 00:01:37,570
They do not use any encryption.
19
00:01:37,730 --> 00:01:44,390
Therefore we were able to go into monitor mode, sniff all the data, and if a user authenticates we'll be
20
00:01:44,390 --> 00:01:47,280
able to capture their username and password.
21
00:01:47,330 --> 00:01:54,260
Not only that, because it's an open network we were able to connect, run an ARP spoofing attack and redirect
22
00:01:54,260 --> 00:01:56,810
the flow of packets through our computer.
23
00:01:56,810 --> 00:02:00,900
And that way we were able to read the usernames and passwords as well.
24
00:02:02,170 --> 00:02:09,160
Now both of these methods will not work with WPA Enterprise. First, because like I said it
25
00:02:09,160 --> 00:02:10,520
uses encryption.
26
00:02:10,660 --> 00:02:16,780
Therefore even if we go into monitor mode and sniff data, the data is going to be encrypted, and because
27
00:02:16,780 --> 00:02:22,370
we don't have the key we won't be able to find the passwords that are entered by the users.
28
00:02:23,840 --> 00:02:30,320
The other problem is, as we've seen, we can't connect to the network without having a key.
29
00:02:30,320 --> 00:02:36,590
Therefore we can't run an ARP spoofing attack, because we can only do that attack after we connect to
30
00:02:36,590 --> 00:02:37,880
the network.
31
00:02:38,450 --> 00:02:42,400
Therefore both of these methods are useless against WPA Enterprise.
32
00:02:42,650 --> 00:02:47,750
And the only way to attack it is using an evil twin attack.
33
00:02:47,750 --> 00:02:49,610
Now there are two ways to do that.
34
00:02:49,640 --> 00:02:54,420
You can create a traditional evil twin just like I showed you before.
35
00:02:54,470 --> 00:03:00,530
The only thing is you want to make sure that the login page that you automatically display to the person
36
00:03:00,530 --> 00:03:01,640
when they connect
37
00:03:01,640 --> 00:03:09,050
looks like a login box, because with captive portals we've seen that by default users log in using a page,
38
00:03:09,050 --> 00:03:11,960
an HTML web page like this.
39
00:03:11,960 --> 00:03:13,550
We've seen that in Windows.
40
00:03:13,580 --> 00:03:20,100
You have to log in here, and in OS X you get a box, a login box like this one.
41
00:03:20,660 --> 00:03:28,550
So you're going to have to fool your target into thinking the HTML page is what they usually use. With OS X
42
00:03:28,560 --> 00:03:33,280
this might be easier, because like we've seen with captive portals,
43
00:03:33,410 --> 00:03:37,400
OS X will still show the HTML page inside the window.
44
00:03:37,400 --> 00:03:42,860
So you'll just have to style your fake login page a little bit to make it look like a system login
45
00:03:42,860 --> 00:03:46,160
box. When it comes to Windows,
46
00:03:46,160 --> 00:03:51,200
it's going to be a little bit more challenging, because as we've seen, Windows automatically opens the
47
00:03:51,200 --> 00:03:54,210
login page in the default web browser.
48
00:03:54,380 --> 00:03:58,780
So the user will feel that there is something suspicious in there.
49
00:03:58,790 --> 00:04:03,740
Another problem: you'll see in here that it says secured.
50
00:04:03,990 --> 00:04:11,800
Also in OS X, if you look at the network name here on the top, you'll see there is a lock beside it.
51
00:04:13,170 --> 00:04:18,870
Now as you remember, when we were creating our fake access point it had to be an open network so they
52
00:04:18,870 --> 00:04:21,850
can connect to it and then authenticate.
53
00:04:21,960 --> 00:04:29,530
Therefore the traditional method of doing this is good, but it might not fool all users.
54
00:04:30,700 --> 00:04:36,460
The advantage of this method is that the user is going to send the passwords through the HTML form, which
55
00:04:36,460 --> 00:04:42,510
is sent in our fake login page, and therefore it will be very easy for us to capture it and read it,
56
00:04:42,550 --> 00:04:50,370
as I showed you before. Now, executing this method is identical to targeting a captive portal.
57
00:04:50,440 --> 00:04:56,270
So I covered all of these steps before in detail, and therefore I'm not going to be covering them in here.
58
00:04:56,350 --> 00:05:02,880
I'm just simply mentioning that you can actually use that method to target this type of network.
59
00:05:02,890 --> 00:05:09,740
What I'm going to show you, though, is the next method, which is a little bit more advanced. Now this is also
60
00:05:09,740 --> 00:05:16,100
an evil twin attack; we'll also be creating a fake access point, but we'll actually configure this access
61
00:05:16,100 --> 00:05:19,140
point to use WPA Enterprise.
62
00:05:19,580 --> 00:05:24,410
So when the user connects to it, they'll get a login box, a system login box.
63
00:05:24,410 --> 00:05:27,920
So in Windows they'll get something like this; in OS X
64
00:05:27,980 --> 00:05:34,520
they'll get something like this. But once they put in the password, obviously the password will be sent to
65
00:05:34,520 --> 00:05:39,710
us, because we will be running the RADIUS server, the central authentication server that I was talking
66
00:05:39,710 --> 00:05:40,710
about.
67
00:05:40,790 --> 00:05:47,690
And that way it will be much easier to fool your target into connecting to your network, because these networks
68
00:05:47,690 --> 00:05:50,020
are usually used in large enterprises.
69
00:05:50,030 --> 00:05:56,330
So again, like I said, similar to fake access points, the users are used to connecting to a number of routers
70
00:05:56,600 --> 00:05:59,380
and are used to see a number of routers around them.
71
00:05:59,390 --> 00:06:05,420
So what we'll be doing is we will be de-authenticating them from the router, and we'll be creating a router
72
00:06:05,420 --> 00:06:09,010
that looks identical to the router; it's going to have the same name.
73
00:06:09,050 --> 00:06:12,930
It's going to be using the exact same configuration, so they'll be logging in
74
00:06:12,940 --> 00:06:15,820
exactly the same way that they usually log in.
75
00:06:15,950 --> 00:06:20,650
Therefore they're not going to be suspicious of the whole process.
76
00:06:20,660 --> 00:06:28,220
The only problem with this method is the data sent to us, or the password, is going to be encrypted, and
77
00:06:28,220 --> 00:06:34,130
therefore we'll actually have to use a wordlist attack to try and crack this password.
78
00:06:34,130 --> 00:06:39,080
Now in the next lectures I'm going to talk in detail about how to execute this attack, how to create
79
00:06:39,080 --> 00:06:42,440
a fake access point with WPA enterprise.
80
00:06:42,440 --> 00:06:47,300
And I'll also be discussing why the password is going to be encrypted and how to decrypt it.