1
00:00:01,309  -->  00:00:02,360
<v Instructor>In the last lecture,</v>

2
00:00:02,360  -->  00:00:05,100
we've seen how to use airodump-ng

3
00:00:05,100  -->  00:00:07,670
to list all the networks around us

4
00:00:07,670  -->  00:00:10,943
and display useful information about them.

5
00:00:11,780  -->  00:00:13,980
Usually, we do this in order

6
00:00:13,980  -->  00:00:16,270
to see our target network,

7
00:00:16,270  -->  00:00:20,360
see the signal strength, see how far we are from it

8
00:00:20,360  -->  00:00:24,133
and then start targeting this target network.

9
00:00:24,970  -->  00:00:26,590
Now, in this example,

10
00:00:26,590  -->  00:00:28,990
I'm gonna assume that my target network

11
00:00:28,990  -->  00:00:30,840
is this one right here.

12
00:00:30,840  -->  00:00:32,330
This is actually the network

13
00:00:32,330  -->  00:00:35,560
that my host machine is connected to,

14
00:00:35,560  -->  00:00:37,660
and now that I have my target network

15
00:00:37,660  -->  00:00:40,530
and I have some basic information about it,

16
00:00:40,530  -->  00:00:43,640
let's see how we can run airodump-ng

17
00:00:43,640  -->  00:00:45,650
against this network only,

18
00:00:45,650  -->  00:00:47,680
not against all networks.

19
00:00:47,680  -->  00:00:49,530
And this way, we'll be able

20
00:00:49,530  -->  00:00:52,673
to gather more information about it.

21
00:00:53,720  -->  00:00:56,010
So to do this, first of all,

22
00:00:56,010  -->  00:00:58,670
I'm gonna have to write the name of my program,

23
00:00:58,670  -->  00:01:00,573
which is airodump-ng.

24
00:01:01,780  -->  00:01:06,630
Then I'm going to specify a specific BSSID

25
00:01:06,630  -->  00:01:08,500
or a specific MAC address

26
00:01:08,500  -->  00:01:12,520
for airodump-ng to sniff data from.

27
00:01:12,520  -->  00:01:16,490
So my target network has a BSSID of this.

28
00:01:16,490  -->  00:01:19,440
We can see it here under the BSSID.

29
00:01:19,440  -->  00:01:20,640
So I'm gonna copy it

30
00:01:21,640  -->  00:01:25,710
and then I'm gonna do --bssid

31
00:01:25,710  -->  00:01:29,323
and I'm gonna give it the BSSID that I just copied.

32
00:01:30,470  -->  00:01:33,420
Next, I'm gonna specify a channel

33
00:01:33,420  -->  00:01:36,091
for airodump-ng to sniff.

34
00:01:36,091  -->  00:01:39,900
Again, if we look under the Channel column in here,

35
00:01:39,900  -->  00:01:41,970
we can see my target network

36
00:01:41,970  -->  00:01:43,213
is on channel two.

37
00:01:44,160  -->  00:01:48,520
So I'm gonna do --channel 2.

38
00:01:48,520  -->  00:01:50,820
So now, we're telling airodump-ng

39
00:01:50,820  -->  00:01:54,100
that I want you to sniff data on channel two

40
00:01:54,100  -->  00:01:57,893
and only from a network that has this BSSID.

41
00:01:59,100  -->  00:02:02,110
I'm also going to tell airodump-ng

42
00:02:02,110  -->  00:02:05,200
that I want you to store all the data

43
00:02:05,200  -->  00:02:08,430
that you're gonna gather for me in a file.

44
00:02:08,430  -->  00:02:11,350
So I'm gonna say --write

45
00:02:11,350  -->  00:02:13,770
and then I'm gonna type a file name,

46
00:02:13,770  -->  00:02:15,370
and let's call this test,

47
00:02:16,830  -->  00:02:19,120
and at the end, as usual,

48
00:02:19,120  -->  00:02:22,300
I need to give it the name of my wireless adapter

49
00:02:22,300  -->  00:02:23,540
in monitor mode,

50
00:02:23,540  -->  00:02:26,910
which is mon0 in my case.

51
00:02:26,910  -->  00:02:28,930
So a very simple command.

52
00:02:28,930  -->  00:02:31,040
Let's go over it one more time.

53
00:02:31,040  -->  00:02:33,272
We're doing airodump-ng,

54
00:02:33,272  -->  00:02:35,380
that's the name of the program that I wanna use.

55
00:02:35,380  -->  00:02:38,730
I'm telling it that I only want you to sniff data

56
00:02:38,730  -->  00:02:41,380
from a specific BSSID.

57
00:02:41,380  -->  00:02:45,114
Then I'm giving it the BSSID of my target.

58
00:02:45,114  -->  00:02:48,550
Then I'm telling it I want you to only sniff data

59
00:02:48,550  -->  00:02:50,320
from a specific channel

60
00:02:50,320  -->  00:02:51,540
and I'm giving it the channel

61
00:02:51,540  -->  00:02:53,410
that I want it to sniff data from,

62
00:02:53,410  -->  00:02:56,700
again, we can get it from here, it's number two.

63
00:02:56,700  -->  00:02:58,990
Finally, I'm telling it that I want you

64
00:02:58,990  -->  00:03:00,550
to write all the data

65
00:03:00,550  -->  00:03:02,880
that you're gonna capture in a file

66
00:03:02,880  -->  00:03:05,240
that we're gonna call test,

67
00:03:05,240  -->  00:03:07,880
and then I'm giving it my wireless adapter

68
00:03:07,880  -->  00:03:10,363
in monitor mode, which is mon0.

69
00:03:11,480  -->  00:03:12,803
Now, I'm gonna hit Enter.

70
00:03:13,670  -->  00:03:16,520
And as you can see, unlike the last time,

71
00:03:16,520  -->  00:03:20,583
airodump-ng is only showing me one network in here.

72
00:03:21,420  -->  00:03:25,680
This is the network that I wanted it to sniff data on.

73
00:03:25,680  -->  00:03:27,410
And we can also see,

74
00:03:27,410  -->  00:03:30,460
we have a completely new section right now.

75
00:03:30,460  -->  00:03:34,940
So when I ran airodump-ng in the previous lecture,

76
00:03:34,940  -->  00:03:37,700
you've seen I only had the networks in here

77
00:03:37,700  -->  00:03:40,490
and I had nothing here at the bottom.

78
00:03:40,490  -->  00:03:43,630
But now, you can see we have more entries in here

79
00:03:43,630  -->  00:03:45,790
in the second section of networks,

80
00:03:46,640  -->  00:03:49,770
and basically, anything that you see here

81
00:03:49,770  -->  00:03:51,390
in the second section,

82
00:03:51,390  -->  00:03:56,020
these are the clients or the devices connected

83
00:03:56,020  -->  00:03:57,333
to this network.

84
00:03:58,370  -->  00:04:00,430
So right now, we can see this network

85
00:04:00,430  -->  00:04:02,940
has three devices connected to it

86
00:04:02,940  -->  00:04:06,470
and you can see the MAC addresses of these devices

87
00:04:06,470  -->  00:04:08,520
under the Station.

88
00:04:08,520  -->  00:04:11,250
So you can see all of these devices

89
00:04:11,250  -->  00:04:13,140
are connected to the same network.

90
00:04:13,140  -->  00:04:15,500
So the BSSID is still the same,

91
00:04:15,500  -->  00:04:18,080
this is the MAC address of the network,

92
00:04:18,080  -->  00:04:19,590
and under the Station,

93
00:04:19,590  -->  00:04:23,670
we have the different clients or different devices connected

94
00:04:23,670  -->  00:04:24,693
to this network.

95
00:04:25,550  -->  00:04:28,950
We can also see the Power, so this is the signal strength

96
00:04:28,950  -->  00:04:31,120
of each of these devices.

97
00:04:31,120  -->  00:04:32,730
We can see the speed,

98
00:04:32,730  -->  00:04:35,040
we can see the amount of data lost,

99
00:04:35,040  -->  00:04:37,630
we can see the number of frames or packets

100
00:04:37,630  -->  00:04:39,700
that we have captured

101
00:04:39,700  -->  00:04:42,460
and we can see if any of these devices

102
00:04:42,460  -->  00:04:44,990
are still probing for networks.

103
00:04:44,990  -->  00:04:47,520
So sometimes, when you run airodump-ng

104
00:04:47,520  -->  00:04:48,920
against all networks,

105
00:04:48,920  -->  00:04:50,830
you'd still see the section

106
00:04:50,830  -->  00:04:52,900
and you'd see that some devices

107
00:04:52,900  -->  00:04:55,410
are not connected and they're literally trying

108
00:04:55,410  -->  00:04:56,973
or looking for networks.

109
00:04:57,900  -->  00:04:59,700
So you'd see the names of the networks

110
00:04:59,700  -->  00:05:02,163
that they're looking for under the Probe.

111
00:05:03,040  -->  00:05:05,410
Now, if I hit Control + C,

112
00:05:05,410  -->  00:05:08,320
airodump-ng will quit, it'll stop working,

113
00:05:08,320  -->  00:05:12,700
but I should have new files in my current working directory

114
00:05:12,700  -->  00:05:14,460
that contain the data

115
00:05:14,460  -->  00:05:16,590
that we just captured, 'cause remember,

116
00:05:16,590  -->  00:05:19,820
when we ran the command, we used the write option in here

117
00:05:19,820  -->  00:05:22,423
to store the data in a file called test.

118
00:05:23,350  -->  00:05:26,010
So if I just do ls to list all the files

119
00:05:26,010  -->  00:05:28,060
in my current working directory,

120
00:05:28,060  -->  00:05:30,260
you can see I have four files,

121
00:05:30,260  -->  00:05:32,530
all of them start with test.

122
00:05:32,530  -->  00:05:35,110
But they all have different extensions.

123
00:05:35,110  -->  00:05:38,390
So we have a CSV, we have a netxml,

124
00:05:38,390  -->  00:05:39,930
we have a cap

125
00:05:39,930  -->  00:05:42,323
and we have a Kismet.csv.

126
00:05:43,370  -->  00:05:46,690
Now, also notice that airodump-ng

127
00:05:46,690  -->  00:05:50,360
automatically appended -01

128
00:05:50,360  -->  00:05:52,410
to each of these files.

129
00:05:52,410  -->  00:05:53,890
So in the future, when you go

130
00:05:53,890  -->  00:05:56,060
and try to use the capture file,

131
00:05:56,060  -->  00:05:58,580
make sure you append -01

132
00:05:58,580  -->  00:06:02,023
to the file name that you specified in the command.

133
00:06:03,280  -->  00:06:05,950
Now, the main file that we're gonna be using

134
00:06:05,950  -->  00:06:07,320
is the cap file.

135
00:06:07,320  -->  00:06:09,940
Again, this file contains the data

136
00:06:09,940  -->  00:06:12,350
that we captured during the period

137
00:06:12,350  -->  00:06:16,100
that airodump-ng was working in here.

138
00:06:16,100  -->  00:06:19,920
And basically, this file should contain everything

139
00:06:19,920  -->  00:06:24,010
that was sent to and from my target network.

140
00:06:24,010  -->  00:06:26,010
So it should contain URLs,

141
00:06:26,010  -->  00:06:28,700
chat messages, usernames, passwords

142
00:06:28,700  -->  00:06:33,700
or anything that any of these devices did on the internet,

143
00:06:33,810  -->  00:06:35,750
because anything that they have to do

144
00:06:35,750  -->  00:06:37,710
will have to be sent to the router,

145
00:06:37,710  -->  00:06:39,033
as we've seen before.

146
00:06:40,060  -->  00:06:44,240
The only problem is, if you look at the encryption in here,

147
00:06:44,240  -->  00:06:49,173
you can see that my target network uses WPA2 encryption.

148
00:06:50,010  -->  00:06:53,430
So all of the data sent between the router

149
00:06:53,430  -->  00:06:56,730
and the clients is encrypted.

150
00:06:56,730  -->  00:06:58,730
So let me show you what I mean.

151
00:06:58,730  -->  00:07:00,890
I'm gonna use a tool called Wireshark

152
00:07:00,890  -->  00:07:02,350
to analyze the data,

153
00:07:02,350  -->  00:07:04,880
and don't worry about how to use Wireshark.

154
00:07:04,880  -->  00:07:08,330
We will talk about it in detail later on.

155
00:07:08,330  -->  00:07:10,100
Right now, I just want to make sure

156
00:07:10,100  -->  00:07:11,950
that you understand the idea

157
00:07:11,950  -->  00:07:15,030
that now we're able to capture all these packets,

158
00:07:15,030  -->  00:07:19,070
the only problem is these packets are encrypted.

159
00:07:19,070  -->  00:07:21,903
So I'm gonna do wireshark to run Wireshark.

160
00:07:25,170  -->  00:07:27,680
And then I'm gonna open my capture file,

161
00:07:27,680  -->  00:07:30,480
so I'm gonna go to File, Open,

162
00:07:31,436  -->  00:07:33,510
and it's already in my root directory,

163
00:07:33,510  -->  00:07:35,300
so I'm just gonna scroll down

164
00:07:35,300  -->  00:07:38,430
and select my test-01.cap.

165
00:07:38,430  -->  00:07:40,110
I'm gonna open it

166
00:07:40,110  -->  00:07:42,810
and I'll just put this in full screen,

167
00:07:42,810  -->  00:07:43,900
and as you can see,

168
00:07:43,900  -->  00:07:46,360
if we click on any of these packets,

169
00:07:46,360  -->  00:07:49,650
you see we really have no useful data.

170
00:07:49,650  -->  00:07:52,130
You can see everything looks like gibberish

171
00:07:52,130  -->  00:07:53,640
and we can't read anything,

172
00:07:53,640  -->  00:07:57,230
even though these packets might contain usernames,

173
00:07:57,230  -->  00:07:58,630
passwords or URLs.

174
00:07:59,960  -->  00:08:02,410
The only useful thing that we can see here

175
00:08:02,410  -->  00:08:04,600
is the device manufacturer.

176
00:08:04,600  -->  00:08:08,000
So we know one of the devices connected to the network

177
00:08:08,000  -->  00:08:11,370
that has this specific MAC address,

178
00:08:11,370  -->  00:08:13,880
so it's the one that ends with E8,

179
00:08:13,880  -->  00:08:18,350
and if we go up, we can see that it's this specific device,

180
00:08:18,350  -->  00:08:21,070
we know now it is an Apple device.

181
00:08:21,070  -->  00:08:23,760
So it could be an Apple computer,

182
00:08:23,760  -->  00:08:27,490
it could be an iPhone or an iPad,

183
00:08:27,490  -->  00:08:29,910
and this is actually my MacBook computer

184
00:08:29,910  -->  00:08:32,290
that is the host machine.

185
00:08:32,290  -->  00:08:34,430
Again, we can see we also have a device

186
00:08:34,430  -->  00:08:36,240
that's using a Huawei chipset,

187
00:08:36,240  -->  00:08:40,090
so this can be a phone or it could be the router.

188
00:08:40,090  -->  00:08:42,580
And if you look at the MAC address here,

189
00:08:42,580  -->  00:08:44,790
and compare it to the MAC addresses

190
00:08:44,790  -->  00:08:46,760
that we have here, you can see

191
00:08:46,760  -->  00:08:49,950
that this is actually under the BSSID,

192
00:08:49,950  -->  00:08:52,220
so this is the MAC address of the router.

193
00:08:52,220  -->  00:08:54,020
So now we know that the brand

194
00:08:54,020  -->  00:08:56,023
of my router is Huawei.

195
00:08:57,130  -->  00:08:59,750
So we can gather more information

196
00:08:59,750  -->  00:09:01,810
by opening this file in Wireshark

197
00:09:01,810  -->  00:09:03,720
and we can kinda guess

198
00:09:03,720  -->  00:09:05,400
what computers are there

199
00:09:05,400  -->  00:09:08,540
and what operating systems they use,

200
00:09:08,540  -->  00:09:11,160
but this is not detailed enough,

201
00:09:11,160  -->  00:09:13,450
and the main problem with this

202
00:09:13,450  -->  00:09:17,330
is the fact that the network is using encryption.

203
00:09:17,330  -->  00:09:18,720
Now, in the next section,

204
00:09:18,720  -->  00:09:21,830
we're gonna be talking about how to break this encryption,

205
00:09:21,830  -->  00:09:25,250
and once we do, you'll see how we can see the passwords,

206
00:09:25,250  -->  00:09:27,470
the usernames in plain text,

207
00:09:27,470  -->  00:09:31,150
and you'll also see how we can map all

208
00:09:31,150  -->  00:09:33,140
of the computers on the same network,

209
00:09:33,140  -->  00:09:35,520
gather detailed information about them,

210
00:09:35,520  -->  00:09:39,053
hack into them and do some really, really cool stuff.

211
00:09:40,000  -->  00:09:43,090
Now, you should guess from everything that I said so far,

212
00:09:43,090  -->  00:09:45,150
if this network was an open network,

213
00:09:45,150  -->  00:09:48,610
if it was a network that does not use any passwords,

214
00:09:48,610  -->  00:09:50,190
then you would have been able

215
00:09:50,190  -->  00:09:52,840
to actually see all the URLs and everything

216
00:09:52,840  -->  00:09:55,240
that they do in here.

217
00:09:55,240  -->  00:09:57,430
But again, if you can't connect to the network

218
00:09:57,430  -->  00:09:58,590
without a password,

219
00:09:58,590  -->  00:10:02,310
then you'll automatically be at the post-connection section,

220
00:10:02,310  -->  00:10:04,040
and in that section, like I said,

221
00:10:04,040  -->  00:10:06,750
we're gonna talk about some really, really cool attacks

222
00:10:06,750  -->  00:10:07,810
that you can do

223
00:10:07,810  -->  00:10:11,110
once you have the password or once you can connect

224
00:10:11,110  -->  00:10:12,520
to the network.

225
00:10:12,520  -->  00:10:14,600
So don't worry about Wireshark for now.

226
00:10:14,600  -->  00:10:16,660
I just wanted to make sure

227
00:10:16,660  -->  00:10:19,730
that you understand why encryption is useful

228
00:10:19,730  -->  00:10:21,040
and why it's used

229
00:10:21,040  -->  00:10:23,160
and why we can't see much now,

230
00:10:23,160  -->  00:10:25,320
because we don't know the key.

231
00:10:25,320  -->  00:10:28,560
We will talk about Wireshark and all of that later on

232
00:10:28,560  -->  00:10:29,653
in the next section.