1
00:00:01,237  -->  00:00:02,500
In the previous lectures,

2
00:00:02,500  -->  00:00:06,310
we've seen how to crack the WEP encryption in minutes

3
00:00:06,310  -->  00:00:09,423
even if the target network is not busy.

4
00:00:10,350  -->  00:00:11,940
Now in the next lectures,

5
00:00:11,940  -->  00:00:16,543
we will talk about cracking WPA and WPA2.

6
00:00:17,790  -->  00:00:19,610
First of all, before we start talking

7
00:00:19,610  -->  00:00:21,850
about how to crack these encryptions,

8
00:00:21,850  -->  00:00:24,140
it is very important to understand

9
00:00:24,140  -->  00:00:26,990
that both of them are very, very similar,

10
00:00:26,990  -->  00:00:28,800
the only difference between them

11
00:00:28,800  -->  00:00:32,560
is the encryption used to ensure message integrity.

12
00:00:32,560  -->  00:00:35,470
WPA uses TKIP

13
00:00:35,470  -->  00:00:39,513
and WPA2 uses an encryption called CCMP.

14
00:00:40,490  -->  00:00:43,660
In any case, this does not affect the methods

15
00:00:43,660  -->  00:00:48,250
that we're gonna use to crack WPA and WPA2.

16
00:00:48,250  -->  00:00:51,030
Therefore, all of the methods that I'm gonna show you

17
00:00:51,030  -->  00:00:55,600
from now on, will work on both WPA and WPA2.

18
00:00:57,530  -->  00:01:00,408
Now both of these encryptions came after WEP

19
00:01:00,408  -->  00:01:04,203
and they were designed to address the weaknesses in it.

20
00:01:05,070  -->  00:01:08,140
Therefore both of them are much more secure

21
00:01:08,140  -->  00:01:10,463
and cracking them is more challenging.

22
00:01:11,450  -->  00:01:14,910
So, before we start talking about how to crack them,

23
00:01:14,910  -->  00:01:19,700
I want to cover a feature that, if enabled and misconfigured,

24
00:01:19,700  -->  00:01:22,570
can be exploited to recover the key

25
00:01:22,570  -->  00:01:25,883
without having to crack the actual encryption.

26
00:01:26,820  -->  00:01:29,270
The feature is called WPS.

27
00:01:29,270  -->  00:01:32,870
It allows devices to connect to the network easily

28
00:01:32,870  -->  00:01:36,840
without having to enter the key for the network.

29
00:01:36,840  -->  00:01:38,470
So it was designed to simplify

30
00:01:38,470  -->  00:01:42,980
the process of connecting printers and such devices.

31
00:01:42,980  -->  00:01:45,580
You can actually see a WPS button

32
00:01:45,580  -->  00:01:48,550
on most wireless-enabled printers.

33
00:01:48,550  -->  00:01:50,000
If this button is pressed

34
00:01:50,000  -->  00:01:53,470
and then you press the WPS button on the router,

35
00:01:53,470  -->  00:01:56,670
you'll notice that the printer will connect to the router

36
00:01:56,670  -->  00:01:59,720
without you having to enter the key.

37
00:01:59,720  -->  00:02:01,950
This way, the authentication is done

38
00:02:01,950  -->  00:02:04,510
using an eight-digit PIN.

39
00:02:04,510  -->  00:02:06,910
So you can think of this as a password

40
00:02:06,910  -->  00:02:08,720
made up of only numbers

41
00:02:08,720  -->  00:02:11,693
and the length of this password is only eight.

42
00:02:12,560  -->  00:02:13,870
So this actually gives us

43
00:02:13,870  -->  00:02:16,830
a relatively small list of possible passwords

44
00:02:16,830  -->  00:02:20,120
and we can try all of these possible passwords

45
00:02:20,120  -->  00:02:22,203
within a relatively short time.

46
00:02:23,100  -->  00:02:24,620
Once we get this PIN,

47
00:02:24,620  -->  00:02:29,217
it can be used to recover the actual WPA or WPA2 key.

48
00:02:30,990  -->  00:02:32,730
So as you can see with this method

49
00:02:32,730  -->  00:02:36,130
we are not exploiting WPA or WPA2,

50
00:02:36,130  -->  00:02:38,650
we are actually exploiting a feature

51
00:02:38,650  -->  00:02:42,450
that can be enabled on these encryptions.

52
00:02:42,450  -->  00:02:45,360
So for this to work, first of all we need WPS

53
00:02:45,360  -->  00:02:49,300
to be enabled on the network because it can't be disabled.

54
00:02:49,300  -->  00:02:51,740
Also it needs to be misconfigured,

55
00:02:51,740  -->  00:02:53,600
so it needs to be configured

56
00:02:53,600  -->  00:02:56,130
to use a normal PIN authentication

57
00:02:56,130  -->  00:02:59,070
and not Push Button Authentication.

58
00:02:59,070  -->  00:03:01,510
If Push Button Authentication is used,

59
00:03:01,510  -->  00:03:05,230
then the router will refuse any PINs that we try

60
00:03:05,230  -->  00:03:09,150
unless the WPS button is pressed on the router.

61
00:03:09,150  -->  00:03:11,070
Therefore, the method will not work

62
00:03:11,070  -->  00:03:13,703
if push button or PBC is enabled.

63
00:03:14,610  -->  00:03:18,110
So in most modern routers, PBC comes enabled

64
00:03:18,110  -->  00:03:21,630
by default or WPS will be disabled by default

65
00:03:21,630  -->  00:03:26,630
so this method might not work, but because WPA and WPA2

66
00:03:26,940  -->  00:03:29,140
are so secure and so challenging,

67
00:03:29,140  -->  00:03:33,057
it is always a good idea to check if WPS is enabled

68
00:03:33,057  -->  00:03:35,250
and try the method that I'm gonna show you

69
00:03:35,250  -->  00:03:36,680
to crack the network.

70
00:03:36,680  -->  00:03:39,350
If it fails, then you can try the other methods

71
00:03:39,350  -->  00:03:42,063
that I'm gonna show you after the next lecture.
