1
00:00:01,040 --> 00:00:02,420
<v Instructor>Okay, now that we know</v>

2
00:00:02,420 --> 00:00:05,550
what WPS is and how it can be used

3
00:00:05,550 --> 00:00:10,490
to recover the password for WPA and WPA2 networks,

4
00:00:10,490 --> 00:00:13,023
let's see how to do that in practice.

5
00:00:14,070 --> 00:00:16,900
So right here I have my Kali machine.

6
00:00:16,900 --> 00:00:18,800
I've already enabled monitor mode

7
00:00:18,800 --> 00:00:20,813
on my wireless adapter on 10.

8
00:00:21,700 --> 00:00:24,220
Now, usually we use airodump-ng

9
00:00:24,220 --> 00:00:27,100
to see all the networks around us.

10
00:00:27,100 --> 00:00:29,710
But right now, we want to see the networks

11
00:00:29,710 --> 00:00:32,200
that have WPS enabled,

12
00:00:32,200 --> 00:00:35,020
but because, like I said, it's just a feature

13
00:00:35,020 --> 00:00:37,285
and people can turn this feature off,

14
00:00:37,285 --> 00:00:41,000
so first of all, I'm gonna use a tool called wash

15
00:00:42,340 --> 00:00:45,400
to display all the networks around me

16
00:00:45,400 --> 00:00:48,310
that have WPS enabled.

17
00:00:48,310 --> 00:00:52,810
So we're gonna do wash --interface

18
00:00:52,810 --> 00:00:55,220
and give it my interface in monitor mode,

19
00:00:55,220 --> 00:00:57,210
which is mon0.

20
00:00:57,210 --> 00:01:00,350
So all we're doing is: wash is the name of the tool,

21
00:01:00,350 --> 00:01:02,830
interface to give it the interface,

22
00:01:02,830 --> 00:01:06,830
and mon0 is my wireless adapter in monitor mode.

23
00:01:06,830 --> 00:01:08,210
If I hit Enter now,

24
00:01:08,210 --> 00:01:11,233
you'll see it'll list my network straight away.

25
00:01:12,080 --> 00:01:14,010
Now, I pressed Control + C to cancel this,

26
00:01:14,010 --> 00:01:15,550
similar to airodump-ng,

27
00:01:15,550 --> 00:01:16,810
because it'll keep running

28
00:01:16,810 --> 00:01:18,520
unless you cancel it.

29
00:01:18,520 --> 00:01:20,960
And you can see this is my target network.

30
00:01:20,960 --> 00:01:22,620
It's called Test_AP.

31
00:01:22,620 --> 00:01:24,160
It's giving us the vendor

32
00:01:24,160 --> 00:01:26,430
of the hardware used in this network,

33
00:01:26,430 --> 00:01:28,340
in this access point.

34
00:01:28,340 --> 00:01:32,930
The Lck tells us whether WPS is locked or not,

35
00:01:32,930 --> 00:01:35,220
because sometimes WPS locks

36
00:01:35,220 --> 00:01:37,790
after a number of failed attempts.

37
00:01:37,790 --> 00:01:39,220
So right now this says no,

38
00:01:39,220 --> 00:01:40,960
which means that we can actually go ahead

39
00:01:40,960 --> 00:01:43,110
and try to guess the PIN.

40
00:01:43,110 --> 00:01:47,300
It's giving us the version of WPS; it's using version one.

41
00:01:47,300 --> 00:01:49,450
The signal strength is in here.

42
00:01:49,450 --> 00:01:51,833
The channel and the BSSID.

43
00:01:52,970 --> 00:01:55,880
Now, I explained the meaning of all these things before

44
00:01:55,880 --> 00:01:58,180
in my airodump-ng lecture,

45
00:01:58,180 --> 00:01:59,960
so I'm not gonna talk about them now.

46
00:01:59,960 --> 00:02:02,500
If you forgot the meaning of any of these terms,

47
00:02:02,500 --> 00:02:05,423
please go back to the airodump-ng lecture.

48
00:02:05,423 --> 00:02:09,230
Now, this network actually uses WPA2,

49
00:02:09,230 --> 00:02:11,210
so just to confirm this to you,

50
00:02:11,210 --> 00:02:13,730
if I go here to my host machine

51
00:02:13,730 --> 00:02:15,524
and just try to connect to it,

52
00:02:15,524 --> 00:02:17,980
you'll see that it's telling me

53
00:02:17,980 --> 00:02:21,580
that this uses a WPA2 password.

54
00:02:21,580 --> 00:02:23,020
But like I said, we don't care

55
00:02:23,020 --> 00:02:25,440
if it's WPA or WPA2,

56
00:02:25,440 --> 00:02:28,490
because we're gonna be exploiting a feature

57
00:02:28,490 --> 00:02:31,793
in these encryptions, which is the WPS feature.

58
00:02:32,840 --> 00:02:37,180
So now that we know our target network uses WPS,

59
00:02:37,180 --> 00:02:40,160
there's a good chance that this attack will work against it.

60
00:02:40,160 --> 00:02:42,240
The only reason it might fail

61
00:02:42,240 --> 00:02:44,660
is if the target uses PBC,

62
00:02:44,660 --> 00:02:47,310
or push button authentication.

63
00:02:47,310 --> 00:02:50,210
Like I said, if the target uses PBC,

64
00:02:50,210 --> 00:02:52,190
then it will refuse all the PINs

65
00:02:52,190 --> 00:02:54,700
unless the button is pressed on the router,

66
00:02:54,700 --> 00:02:57,230
and therefore this attack will fail.

67
00:02:57,230 --> 00:02:59,950
The only way to know is to literally try this attack

68
00:02:59,950 --> 00:03:00,993
and see if it works.

69
00:03:02,520 --> 00:03:05,320
So I'm gonna copy the MAC address of this network,

70
00:03:05,320 --> 00:03:06,610
or the BSSID,

71
00:03:08,340 --> 00:03:09,840
and the first thing that I'm gonna do,

72
00:03:09,840 --> 00:03:12,480
similar to what we did with WEP,

73
00:03:12,480 --> 00:03:15,420
I'm going to associate with the target network

74
00:03:15,420 --> 00:03:17,840
using a fake authentication attack.

75
00:03:17,840 --> 00:03:19,660
So basically I'll be saying I want

76
00:03:19,660 --> 00:03:20,970
to communicate with you,

77
00:03:20,970 --> 00:03:22,340
please don't ignore me,

78
00:03:22,340 --> 00:03:24,100
so that when I run the attack,

79
00:03:24,100 --> 00:03:26,540
the network will start accepting the PINs

80
00:03:26,540 --> 00:03:28,520
and not ignore me.

81
00:03:28,520 --> 00:03:31,640
So to associate, we're gonna use the exact same command

82
00:03:31,640 --> 00:03:34,570
that we used when we did it with WEP.

83
00:03:34,570 --> 00:03:36,120
So we're gonna use aireplay-ng.

84
00:03:37,490 --> 00:03:38,910
We're gonna tell it I want to run

85
00:03:38,910 --> 00:03:40,853
a fake authentication attack.

86
00:03:41,750 --> 00:03:43,530
We're gonna give it the delay,

87
00:03:43,530 --> 00:03:45,290
so this is the time to wait

88
00:03:45,290 --> 00:03:47,590
between association attempts.

89
00:03:47,590 --> 00:03:49,370
Previously we set it to zero

90
00:03:49,370 --> 00:03:52,360
and we had to do this manually every now and then.

91
00:03:52,360 --> 00:03:54,105
Right now I'm gonna set it to 30

92
00:03:54,105 --> 00:03:55,990
so that we associate

93
00:03:55,990 --> 00:03:59,033
with the target network every 30 seconds.

94
00:04:00,410 --> 00:04:03,540
Then I'm gonna do -a to give it the MAC address

95
00:04:03,540 --> 00:04:06,000
of my target, and -h

96
00:04:06,000 --> 00:04:08,790
to give it the MAC address of my wireless adapter

97
00:04:08,790 --> 00:04:10,020
in monitor mode,

98
00:04:10,020 --> 00:04:13,203
and we see that we can get this by doing ifconfig.

99
00:04:15,130 --> 00:04:16,670
And copy it from here.

100
00:04:16,670 --> 00:04:18,793
We said it's the first 12 digits.

101
00:04:20,920 --> 00:04:24,433
And I'll just replace the minus with the colon.

102
00:04:25,580 --> 00:04:27,510
And finally, I'm gonna give it the name

103
00:04:27,510 --> 00:04:30,930
of my wireless adapter in monitor mode, which is mon0.

104
00:04:32,550 --> 00:04:35,170
So I explained this in detail before.

105
00:04:35,170 --> 00:04:36,720
That's why I did it quickly.

106
00:04:36,720 --> 00:04:38,680
If you don't remember how I did this,

107
00:04:38,680 --> 00:04:42,760
please go back to the fake authentication attack lecture.

108
00:04:42,760 --> 00:04:44,520
So the command is ready now,

109
00:04:44,520 --> 00:04:46,560
but I'm not gonna execute it.

110
00:04:46,560 --> 00:04:48,930
I'm gonna go down to the bottom terminal

111
00:04:48,930 --> 00:04:51,070
and run Reaver, which is the program

112
00:04:51,070 --> 00:04:53,620
that will brute force the PIN for me,

113
00:04:53,620 --> 00:04:57,520
and only then I will associate with the target,

114
00:04:57,520 --> 00:05:00,870
because otherwise, aireplay-ng will fail

115
00:05:00,870 --> 00:05:02,933
to associate with my network.

116
00:05:04,180 --> 00:05:07,060
So I'm gonna move to this terminal right here,

117
00:05:07,060 --> 00:05:08,663
I'm gonna clear the screen.

118
00:05:09,590 --> 00:05:12,540
And we're gonna run Reaver, which is the program

119
00:05:12,540 --> 00:05:15,010
that's going to brute force the PIN,

120
00:05:15,010 --> 00:05:17,400
so it's gonna try every possible PIN

121
00:05:17,400 --> 00:05:19,210
until it gets the right PIN.

122
00:05:19,210 --> 00:05:20,740
Once it has the right PIN,

123
00:05:20,740 --> 00:05:25,640
it'll use it to compute the actual WPA key.

124
00:05:25,640 --> 00:05:28,120
So using Reaver is very, very simple.

125
00:05:28,120 --> 00:05:29,570
It's very similar to everything

126
00:05:29,570 --> 00:05:31,210
we've been doing so far.

127
00:05:31,210 --> 00:05:33,750
So first of all, we have to type the program name,

128
00:05:33,750 --> 00:05:34,693
which is reaver.

129
00:05:36,190 --> 00:05:40,070
Then I'm gonna do --bssid to give it the MAC address

130
00:05:40,070 --> 00:05:41,660
of my target network.

131
00:05:41,660 --> 00:05:43,093
So I'm just gonna paste it.

132
00:05:44,250 --> 00:05:46,343
Then I'm gonna do --channel

133
00:05:47,560 --> 00:05:49,730
and give it the channel of the target network,

134
00:05:49,730 --> 00:05:50,693
which is one.

135
00:05:51,600 --> 00:05:54,710
Then we're gonna do --interface

136
00:05:54,710 --> 00:05:57,080
and give it my wireless adapter

137
00:05:57,080 --> 00:05:59,623
in monitor mode, which is mon0.

138
00:06:00,690 --> 00:06:02,710
So a very, very simple command.

139
00:06:02,710 --> 00:06:05,300
We're using Reaver, this is the name of the program

140
00:06:05,300 --> 00:06:07,030
that'll do the brute forcing for us

141
00:06:07,030 --> 00:06:08,620
and give us the key.

142
00:06:08,620 --> 00:06:12,240
We're giving it the bssid, the MAC address of my target.

143
00:06:12,240 --> 00:06:15,140
We're doing --channel to give it the channel

144
00:06:15,140 --> 00:06:17,500
that my target is running on,

145
00:06:17,500 --> 00:06:21,120
and we're doing --interface to give it the name

146
00:06:21,120 --> 00:06:23,823
of my wireless adapter in monitor mode.

147
00:06:24,860 --> 00:06:27,140
I'm also gonna add two more options.

148
00:06:27,140 --> 00:06:30,620
I'm gonna add --vvv to show us

149
00:06:30,620 --> 00:06:32,930
as much information as possible.

150
00:06:32,930 --> 00:06:34,120
This is really helpful.

151
00:06:34,120 --> 00:06:36,400
If it fails or things go wrong,

152
00:06:36,400 --> 00:06:38,750
we'll be able to know what's happening,

153
00:06:38,750 --> 00:06:40,890
why things are going wrong.

154
00:06:40,890 --> 00:06:45,080
And I'm also gonna do --no-associate

155
00:06:46,890 --> 00:06:50,600
to tell Reaver not to associate with the target network,

156
00:06:50,600 --> 00:06:54,330
because we're already manually doing that in here.

157
00:06:54,330 --> 00:06:57,820
So Reaver can automatically do this step right here for you,

158
00:06:57,820 --> 00:07:00,290
but I've seen that it fails a lot.

159
00:07:00,290 --> 00:07:01,880
Therefore it's actually better

160
00:07:01,880 --> 00:07:04,320
to do it ourselves manually here

161
00:07:04,320 --> 00:07:06,983
and then tell Reaver not to associate.

162
00:07:08,270 --> 00:07:09,640
So now I'm gonna hit Enter

163
00:07:09,640 --> 00:07:11,560
to get Reaver to work.

164
00:07:11,560 --> 00:07:14,380
And I'm gonna go up to the top terminal

165
00:07:14,380 --> 00:07:16,760
and I'm gonna hit Enter to associate

166
00:07:16,760 --> 00:07:18,650
with the target network, telling it,

167
00:07:18,650 --> 00:07:22,380
please don't ignore us, so that Reaver at the bottom here

168
00:07:22,380 --> 00:07:24,120
can brute force the PIN

169
00:07:24,120 --> 00:07:26,250
and try every possible PIN

170
00:07:26,250 --> 00:07:28,460
until we get the correct PIN,

171
00:07:28,460 --> 00:07:31,270
which we'll use to get the password.

172
00:07:31,270 --> 00:07:34,720
Now, as you can see, right now I'm getting an error,

173
00:07:34,720 --> 00:07:36,140
and this is actually a bug

174
00:07:36,140 --> 00:07:38,830
with the latest versions of Reaver.

175
00:07:38,830 --> 00:07:41,010
So if you get this bug,

176
00:07:41,010 --> 00:07:43,070
this means they still haven't fixed it

177
00:07:43,070 --> 00:07:44,520
in the latest version.

178
00:07:44,520 --> 00:07:48,610
So it's better to go back and use an older version.

179
00:07:48,610 --> 00:07:50,520
I'm gonna include an older version

180
00:07:50,520 --> 00:07:53,810
that works perfectly in the resources of this lecture,

181
00:07:53,810 --> 00:07:57,090
so you can access it from the top left of the lecture.

182
00:07:57,090 --> 00:07:59,870
If you tried Reaver and got this error right here,

183
00:07:59,870 --> 00:08:02,800
then go ahead and download this older version.

184
00:08:02,800 --> 00:08:05,690
Right now I already have it in my downloads right here,

185
00:08:05,690 --> 00:08:07,600
so you can see I'm in Home, Downloads,

186
00:08:07,600 --> 00:08:09,653
and I have it right here, called Reaver.

187
00:08:10,640 --> 00:08:14,120
So what I'm gonna do is I'm gonna clear this again

188
00:08:14,120 --> 00:08:18,460
and I'm gonna navigate to my Downloads, so cd Downloads.

189
00:08:18,460 --> 00:08:22,610
I'm gonna list, and you can see we have it right here.

190
00:08:22,610 --> 00:08:24,700
Now, it's already in green for me,

191
00:08:24,700 --> 00:08:27,440
but for you, you'd wanna change the permissions

192
00:08:27,440 --> 00:08:30,130
of this file to an executable,

193
00:08:30,130 --> 00:08:34,933
so you'll have to do chmod +x reaver.

194
00:08:36,060 --> 00:08:38,430
This will make it an executable.

195
00:08:38,430 --> 00:08:40,250
Once it is an executable,

196
00:08:40,250 --> 00:08:45,250
you can run it by doing ./ followed by its name, so reaver.

197
00:08:47,170 --> 00:08:49,520
Then you can do the exact same command,

198
00:08:49,520 --> 00:08:52,180
exactly like I just did it with the one

199
00:08:52,180 --> 00:08:54,950
that comes pre-installed in Kali.

200
00:08:54,950 --> 00:08:56,836
So I'm actually just gonna go back

201
00:08:56,836 --> 00:08:59,570
to what I had, and I'm just gonna go

202
00:08:59,570 --> 00:09:01,210
to the start of the command

203
00:09:01,210 --> 00:09:02,987
and put ./

204
00:09:04,457 --> 00:09:06,680
So when we put the ./

205
00:09:06,680 --> 00:09:08,350
we're basically running the file

206
00:09:08,350 --> 00:09:10,430
that is in the current working directory.

207
00:09:10,430 --> 00:09:14,200
We're running this, we're not running the normal Reaver file

208
00:09:14,200 --> 00:09:16,053
that is pre-installed in Kali.

209
00:09:17,130 --> 00:09:20,060
Then we're using all of the options exactly the same way

210
00:09:20,060 --> 00:09:22,780
that we were using them with the built-in one.

211
00:09:22,780 --> 00:09:24,860
I'm gonna hit Enter.

212
00:09:24,860 --> 00:09:26,630
And as you can see, right now Reaver

213
00:09:26,630 --> 00:09:30,243
is trying the PIN 1234567.

214
00:09:32,210 --> 00:09:33,490
And perfect.

215
00:09:33,490 --> 00:09:37,450
You can see the PIN was actually 12345670.

216
00:09:37,450 --> 00:09:39,030
So it's a simple PIN.

217
00:09:39,030 --> 00:09:40,720
It actually came with the PIN,

218
00:09:40,720 --> 00:09:42,820
so I didn't manually set this PIN.

219
00:09:42,820 --> 00:09:46,580
My router came from the factory with WPS enabled

220
00:09:46,580 --> 00:09:47,860
with this PIN.

221
00:09:47,860 --> 00:09:49,940
So like I said, this tool works,

222
00:09:49,940 --> 00:09:52,730
but again, not against all routers.

223
00:09:52,730 --> 00:09:55,900
From that, it was able to discover the WPA key,

224
00:09:55,900 --> 00:09:57,170
which is UAURWSXR,

225
00:09:58,820 --> 00:10:01,720
and the name of the router is Test AP.

226
00:10:01,720 --> 00:10:03,040
So I can literally go ahead

227
00:10:03,040 --> 00:10:04,720
and connect with this password,

228
00:10:04,720 --> 00:10:07,250
and I'll be able to connect to the network

229
00:10:07,250 --> 00:10:11,303
and see and decrypt all of the packets sent in the air.