1
00:00:01,070 --> 00:00:03,280
<v Instructor>Now before leaving this section and moving</v>

2
00:00:03,280 --> 00:00:06,300
to the gaining access section where I'm gonna teach you

3
00:00:06,300 --> 00:00:09,560
how to break the different encryptions and gain access

4
00:00:09,560 --> 00:00:14,200
to networks, I want to spend one more lecture talking about

5
00:00:14,200 --> 00:00:17,880
a really useful attack that still falls under the

6
00:00:17,880 --> 00:00:20,911
pre-connection attacks under this section.

7
00:00:20,911 --> 00:00:23,100
The attack that I want to talk about

8
00:00:23,100 --> 00:00:25,873
is the de-authentication attack.

9
00:00:26,750 --> 00:00:29,880
This attack allows us to disconnect any device

10
00:00:29,880 --> 00:00:34,000
from any network, before connecting to any of these networks

11
00:00:34,000 --> 00:00:38,540
and without the need to know the password for the network.

12
00:00:38,540 --> 00:00:42,430
To do this, we're going to pretend to be the client

13
00:00:42,430 --> 00:00:45,960
that we want to disconnect, by changing our MAC address

14
00:00:45,960 --> 00:00:49,360
to the MAC address of that client, and tell the router

15
00:00:49,360 --> 00:00:51,513
that I want to disconnect from you.

16
00:00:52,430 --> 00:00:55,710
Then, we're going to pretend to be the router, again,

17
00:00:55,710 --> 00:00:59,260
by changing our MAC address to the router's MAC address

18
00:00:59,260 --> 00:01:02,000
and tell the client that you're requested

19
00:01:02,000 --> 00:01:06,070
to be disconnected, so I'm going to disconnect you.

20
00:01:06,070 --> 00:01:09,210
This will allow us to successfully disconnect,

21
00:01:09,210 --> 00:01:13,283
or de-authenticate, any client from any network.

22
00:01:14,700 --> 00:01:17,420
Now, we're actually not going to do this manually,

23
00:01:17,420 --> 00:01:21,363
we're gonna use a tool called aireplay-ng to do that.

24
00:01:22,670 --> 00:01:25,195
From the previous lecture, we know that this MAC

25
00:01:25,195 --> 00:01:29,610
address right here belongs to an Apple computer, and like

26
00:01:29,610 --> 00:01:33,640
I said, this Apple computer is actually my computer

27
00:01:33,640 --> 00:01:34,870
right here.

28
00:01:34,870 --> 00:01:38,550
And, as you can see, this host machine is connected to this

29
00:01:38,550 --> 00:01:42,210
network right here, which is the same as the one that you

30
00:01:42,210 --> 00:01:46,020
see in here, and it actually has internet access.

31
00:01:46,020 --> 00:01:49,480
So, if I just look for test, you'll see that I'm connected

32
00:01:49,480 --> 00:01:51,960
and I can look for things, I can use Google.

33
00:01:51,960 --> 00:01:54,883
So, I have a proper working internet connection.

34
00:01:55,720 --> 00:01:59,530
Now, we're gonna come back here, and we're gonna use a tool

35
00:01:59,530 --> 00:02:03,970
called aireplay-ng, to launch the de-authentication attack,

36
00:02:03,970 --> 00:02:07,943
and disconnect this Mac computer from the internet.

37
00:02:09,020 --> 00:02:11,639
So, we're gonna type the name of the program, which is

38
00:02:11,639 --> 00:02:15,799
aireplay-ng, we're gonna tell it that I want to run

39
00:02:15,799 --> 00:02:20,710
a de-authentication attack, then, I'm gonna give it

40
00:02:20,710 --> 00:02:25,710
the number of de-authentication packets that I want to send.

41
00:02:25,840 --> 00:02:28,840
So, I'm gonna give it a really large number, so that

42
00:02:28,840 --> 00:02:32,790
it keeps sending these packets to both the router

43
00:02:32,790 --> 00:02:37,310
and the target device, therefore, I'll disconnect my target

44
00:02:37,310 --> 00:02:41,090
device for a very long period of time, and the only way

45
00:02:41,090 --> 00:02:45,400
to get it back to connect is to hit Control + C and quit

46
00:02:45,400 --> 00:02:46,233
aireplay-ng.

47
00:02:47,750 --> 00:02:51,760
Next, I'm gonna give aireplay-ng the MAC address

48
00:02:51,760 --> 00:02:53,940
of my target network.

49
00:02:53,940 --> 00:02:58,570
So, I'm gonna do -a and give it the MAC address, which

50
00:02:58,570 --> 00:03:00,403
I'm gonna copy from here.

51
00:03:02,320 --> 00:03:07,320
Then, I'm gonna use -c to give it the MAC address of the

52
00:03:07,410 --> 00:03:10,300
client that I want to disconnect.

53
00:03:10,300 --> 00:03:13,500
And, the client that I want to disconnect is this client

54
00:03:13,500 --> 00:03:16,920
right here, which is the Apple computer, like we said.

55
00:03:16,920 --> 00:03:20,573
So, I'm gonna copy it, and paste it here.

56
00:03:21,990 --> 00:03:23,000
And finally,

57
00:03:23,000 --> 00:03:26,710
I'm gonna give it the name of my wireless adapter in

58
00:03:26,710 --> 00:03:30,743
monitor mode, and in my case it's called mon zero.

59
00:03:31,730 --> 00:03:34,130
So, a very, very simple command.

60
00:03:34,130 --> 00:03:37,290
We're typing aireplay-ng, this is the name of the program

61
00:03:37,290 --> 00:03:41,390
that we're going to use, we're doing --deauth to tell

62
00:03:41,390 --> 00:03:45,440
aireplay-ng that I want to run a de-authentication attack,

63
00:03:45,440 --> 00:03:49,020
I'm giving it a really large number of packets, so that it

64
00:03:49,020 --> 00:03:52,380
keeps sending the de-authentication packets

65
00:03:52,380 --> 00:03:55,450
to both the router and the client, and keeps the client

66
00:03:55,450 --> 00:04:00,450
disconnected, I'm using -a to specify the MAC address of the

67
00:04:00,710 --> 00:04:05,320
target router, or the target access point, then I'm using -c

68
00:04:06,170 --> 00:04:09,233
to specify the MAC address of the client.

69
00:04:10,200 --> 00:04:13,280
Finally, I'm giving it mon zero, which is the name

70
00:04:13,280 --> 00:04:16,193
of my wireless adapter in monitor mode.

71
00:04:17,430 --> 00:04:20,810
Now, you can run this command like this, and in most cases

72
00:04:20,810 --> 00:04:25,240
it would work, but in very rare cases, this command will

73
00:04:25,240 --> 00:04:29,450
fail unless airodump-ng is running against the target

74
00:04:29,450 --> 00:04:31,100
network.

75
00:04:31,100 --> 00:04:33,800
So, what I'm gonna do now is, I'm gonna go back to my

76
00:04:33,800 --> 00:04:37,840
first terminal in here, and I'm going to run airodump-ng

77
00:04:37,840 --> 00:04:41,030
using the command that we've seen before, and I don't want

78
00:04:41,030 --> 00:04:44,134
to write anything to a file, so I'm going to remove the

79
00:04:44,134 --> 00:04:45,663
write argument.

80
00:04:47,320 --> 00:04:50,550
So, I'm just doing a normal airodump-ng command.

81
00:04:50,550 --> 00:04:54,780
I'm literally just giving it the BSSID of my target network,

82
00:04:54,780 --> 00:04:58,210
and I'm giving it the target channel, and then I'm just

83
00:04:58,210 --> 00:04:59,300
gonna hit Enter.

84
00:04:59,300 --> 00:05:02,060
We've seen how to do this, we spent a full lecture on it,

85
00:05:02,060 --> 00:05:04,087
that's why I did it really quick.

86
00:05:04,087 --> 00:05:06,970
And then I'm gonna go back to the command that we wrote

87
00:05:06,970 --> 00:05:09,690
so far, and I'm gonna hit Enter.

88
00:05:09,690 --> 00:05:12,970
Now, as you can see, aireplay-ng is telling me that it's

89
00:05:12,970 --> 00:05:16,850
sending the de-authentication packets, and if we go back

90
00:05:16,850 --> 00:05:21,850
here and look up, you can see that I actually lost

91
00:05:22,280 --> 00:05:25,393
my connection, and I'm trying to connect back.

92
00:05:26,600 --> 00:05:29,815
So, obviously if I try to look for anything, so let's say

93
00:05:29,815 --> 00:05:34,815
test 2, you'll see I'll get stuck and nothing will load

94
00:05:35,530 --> 00:05:36,363
for me.

95
00:05:37,430 --> 00:05:41,220
So, the only way for me to connect back is, if I go back

96
00:05:41,220 --> 00:05:46,220
here, if I quit this by doing Control + C, quit this again,

97
00:05:46,397 --> 00:05:50,220
and now my machine should be able to connect back,

98
00:05:50,220 --> 00:05:52,023
and restore its connection.

99
00:05:53,020 --> 00:05:56,260
This is actually very, very handy in so many ways.

100
00:05:56,260 --> 00:05:59,010
It's very useful in social engineering cases,

101
00:05:59,010 --> 00:06:02,810
where you could disconnect clients from the target network,

102
00:06:02,810 --> 00:06:06,940
and then call the user and pretend to be a person from the

103
00:06:06,940 --> 00:06:11,210
IT Department and ask them to install a virus or a backdoor,

104
00:06:11,210 --> 00:06:13,930
telling them that this would fix their issue.

105
00:06:13,930 --> 00:06:17,560
You could also create another fake access point and get

106
00:06:17,560 --> 00:06:20,730
them to connect to the fake access point, and then start

107
00:06:20,730 --> 00:06:23,380
spying on them, from that access point.

108
00:06:23,380 --> 00:06:26,080
And, we'll see how to do that later on in the course.

109
00:06:26,080 --> 00:06:29,040
And, you can also use this to capture the handshake,

110
00:06:29,040 --> 00:06:31,670
which is what happened in here, actually.

111
00:06:31,670 --> 00:06:36,100
And, this is vital when it comes to WPA cracking, and we'll

112
00:06:36,100 --> 00:06:40,143
talk about this once we get to the WPA cracking section.

113
00:06:41,360 --> 00:06:45,760
So, like I said, this is a small attack that can be used as

114
00:06:45,760 --> 00:06:49,973
a plug into other attacks to make other attacks possible.