1
00:00:01,110  -->  00:00:03,410
<v Instructor>Now, if WPS is disabled</v>

2
00:00:03,410  -->  00:00:05,070
on your target network,

3
00:00:05,070  -->  00:00:08,090
or if it's enabled, but configured

4
00:00:08,090  -->  00:00:10,790
to use push button or PBC,

5
00:00:10,790  -->  00:00:13,600
then the method that I showed you in the previous lecture

6
00:00:13,600  -->  00:00:15,440
will not work.

7
00:00:15,440  -->  00:00:17,230
Therefore, you will have to go

8
00:00:17,230  -->  00:00:22,230
and crack the actual WPA or WPA2 encryption.

9
00:00:22,580  -->  00:00:25,860
And like I said, when these encryptions were designed,

10
00:00:25,860  -->  00:00:29,610
the developers knew about the weaknesses in WEP

11
00:00:29,610  -->  00:00:30,530
and they made sure

12
00:00:30,530  -->  00:00:33,660
that they properly fixed these weaknesses.

13
00:00:33,660  -->  00:00:36,070
They actually did a pretty good job at this.

14
00:00:36,070  -->  00:00:40,410
Therefore, we cannot use the same method used in WEP

15
00:00:40,410  -->  00:00:43,383
to crack WPA and WPA2.

16
00:00:44,630  -->  00:00:48,920
So in WPA2, the keys are unique, they're temporary,

17
00:00:48,920  -->  00:00:52,390
they're much longer than they were in WEP.

18
00:00:52,390  -->  00:00:54,580
Therefore, the packets sent

19
00:00:54,580  -->  00:00:58,010
in the air contain no information

20
00:00:58,010  -->  00:01:00,920
that is useful for us.

21
00:01:00,920  -->  00:01:04,180
So it doesn't matter even if we capture one million packets,

22
00:01:04,180  -->  00:01:06,853
we can't use them to crack the key.

23
00:01:07,920  -->  00:01:11,070
The only packets that contain useful information

24
00:01:11,070  -->  00:01:12,983
are the handshake packets.

25
00:01:14,080  -->  00:01:17,630
These are four packets transferred between a client

26
00:01:17,630  -->  00:01:22,060
and the router when the client connects to the network.

27
00:01:22,060  -->  00:01:23,460
So in this lecture,

28
00:01:23,460  -->  00:01:26,190
I'm gonna show you how to capture these packets

29
00:01:26,190  -->  00:01:28,060
and in the next lectures,

30
00:01:28,060  -->  00:01:31,680
we'll see how to use them to crack the WPA

31
00:01:31,680  -->  00:01:33,593
or WPA2 key.

32
00:01:34,590  -->  00:01:36,250
First of all, as usual,

33
00:01:36,250  -->  00:01:37,970
you'd wanna run airodump-ng

34
00:01:37,970  -->  00:01:40,300
against all the networks around you.

35
00:01:40,300  -->  00:01:41,750
I've already done that

36
00:01:41,750  -->  00:01:44,490
and as you can see, this is my target right here.

37
00:01:44,490  -->  00:01:45,663
It's using WPA2.

38
00:01:46,673  -->  00:01:49,100
And this is the MAC address.

39
00:01:49,100  -->  00:01:50,253
I'm gonna copy it.

40
00:01:51,800  -->  00:01:55,050
And the first thing we'll do is just run airodump-ng

41
00:01:55,050  -->  00:01:58,040
on this network and store the data in a file,

42
00:01:58,040  -->  00:02:01,553
exactly the same way that we used to do with WEP.

43
00:02:02,780  -->  00:02:05,347
So we're just gonna do airodump-ng --bssid

44
00:02:08,030  -->  00:02:10,973
and give it the BSSID of my target.

45
00:02:12,227  -->  00:02:16,000
--channel and give it the channel of my target

46
00:02:16,000  -->  00:02:17,173
which is one.

47
00:02:18,757  -->  00:02:21,410
--write to specify a file name

48
00:02:21,410  -->  00:02:24,570
to store all the data that we're gonna capture in.

49
00:02:24,570  -->  00:02:26,957
And let's call this wpa_handshake

50
00:02:30,260  -->  00:02:32,820
because we're gonna capture the handshake.

51
00:02:32,820  -->  00:02:35,790
And finally, we're gonna give it my wireless adapter

52
00:02:35,790  -->  00:02:36,940
in monitor mode

53
00:02:36,940  -->  00:02:39,220
which is mon0.

54
00:02:39,220  -->  00:02:40,790
So a very simple command.

55
00:02:40,790  -->  00:02:43,170
We've done this multiple times by now.

56
00:02:43,170  -->  00:02:45,030
We're using airodump-ng.

57
00:02:45,030  -->  00:02:47,240
We're giving it the MAC address of my target

58
00:02:47,240  -->  00:02:50,730
after the BSSID, I'm giving it --channel

59
00:02:50,730  -->  00:02:53,620
to specify the channel of my target.

60
00:02:53,620  -->  00:02:57,490
I'm using --write to store all the data in a file.

61
00:02:57,490  -->  00:02:59,280
This file will contain everything

62
00:02:59,280  -->  00:03:01,950
that we capture so if we capture the handshake,

63
00:03:01,950  -->  00:03:04,040
it'll be in this file.

64
00:03:04,040  -->  00:03:07,470
And finally, I'm giving it the name of my wireless adapter

65
00:03:07,470  -->  00:03:09,320
in monitor mode.

66
00:03:09,320  -->  00:03:11,180
So now I'm gonna hit Enter

67
00:03:11,180  -->  00:03:13,720
and as you can see, airodump-ng is working

68
00:03:13,720  -->  00:03:15,970
against my target network

69
00:03:15,970  -->  00:03:18,140
and right now, all we have to do

70
00:03:18,140  -->  00:03:20,490
is literally sit down and wait

71
00:03:20,490  -->  00:03:23,160
for the handshake to be captured.

72
00:03:23,160  -->  00:03:25,360
Like I said, the handshake is sent

73
00:03:25,360  -->  00:03:28,360
when a client connects to the network

74
00:03:28,360  -->  00:03:29,960
so we'll literally have to sit down

75
00:03:29,960  -->  00:03:33,410
and wait until a new client connects to the network.

76
00:03:33,410  -->  00:03:35,150
Once a new client connects,

77
00:03:35,150  -->  00:03:36,810
we will capture the handshake

78
00:03:36,810  -->  00:03:39,650
and you will see in here airodump telling us

79
00:03:39,650  -->  00:03:41,633
that the handshake has been captured.

80
00:03:42,720  -->  00:03:45,060
Alternatively, we can use something

81
00:03:45,060  -->  00:03:46,680
that we learned before

82
00:03:46,680  -->  00:03:50,040
which is a deauthentication attack.

83
00:03:50,040  -->  00:03:51,730
We know using that attack,

84
00:03:51,730  -->  00:03:54,670
we can disconnect a client from the network

85
00:03:54,670  -->  00:03:57,370
so we can do this for a very short period of time.

86
00:03:57,370  -->  00:04:00,340
We can disconnect this client from the network.

87
00:04:00,340  -->  00:04:04,630
He will automatically connect once we stop the attack.

88
00:04:04,630  -->  00:04:07,260
Therefore, when he automatically connects,

89
00:04:07,260  -->  00:04:09,540
the handshake will be sent in the air

90
00:04:09,540  -->  00:04:11,890
and we will be able to capture it.

91
00:04:11,890  -->  00:04:13,810
This way we will not have to sit down

92
00:04:13,810  -->  00:04:16,730
and wait for someone to voluntarily connect

93
00:04:16,730  -->  00:04:17,683
to the network.

94
00:04:19,300  -->  00:04:21,220
So we've seen how to do this before

95
00:04:21,220  -->  00:04:23,130
and it's gonna be exactly the same command

96
00:04:23,130  -->  00:04:24,560
as we did it before.

97
00:04:24,560  -->  00:04:26,473
We used aireplay-ng.

98
00:04:27,610  -->  00:04:29,573
We did --deauth.

99
00:04:31,000  -->  00:04:34,770
Then we specified a really large number of packets

100
00:04:34,770  -->  00:04:39,100
to keep the client disconnected for a long period of time.

101
00:04:39,100  -->  00:04:41,530
This time, I'm gonna set this to four

102
00:04:41,530  -->  00:04:45,050
to only send four deauthentication packets.

103
00:04:45,050  -->  00:04:47,290
This way, my client will be disconnected

104
00:04:47,290  -->  00:04:49,370
for a very short period of time.

105
00:04:49,370  -->  00:04:52,310
They won't even feel that they got disconnected

106
00:04:52,310  -->  00:04:54,160
but this is enough for the handshake

107
00:04:54,160  -->  00:04:56,540
to be sent because they will be disconnected,

108
00:04:56,540  -->  00:04:58,290
they will automatically connect

109
00:04:58,290  -->  00:04:59,610
and when they do that,

110
00:04:59,610  -->  00:05:01,163
we will capture the handshake.

111
00:05:02,380  -->  00:05:04,460
Now, the next argument we wanna set

112
00:05:04,460  -->  00:05:06,910
is the MAC address of my target.

113
00:05:06,910  -->  00:05:09,740
So we're gonna do -a followed by the MAC address

114
00:05:09,740  -->  00:05:11,210
of my target.

115
00:05:11,210  -->  00:05:14,320
Then we're gonna do -c followed by the MAC address

116
00:05:14,320  -->  00:05:17,180
of the client that we want to disconnect.

117
00:05:17,180  -->  00:05:19,590
So it's this client right here.

118
00:05:19,590  -->  00:05:23,070
I'm gonna copy, paste it here

119
00:05:23,070  -->  00:05:25,440
and finally, we're gonna give it the name

120
00:05:25,440  -->  00:05:28,310
of my wireless adapter in monitor mode

121
00:05:28,310  -->  00:05:29,763
which is mon0.

122
00:05:31,000  -->  00:05:32,500
And we are done.

123
00:05:32,500  -->  00:05:35,380
Again, I've spent a full lecture on this command

124
00:05:35,380  -->  00:05:38,160
explaining what a deauthentication attack is

125
00:05:38,160  -->  00:05:39,910
so if it's a bit confusing,

126
00:05:39,910  -->  00:05:42,830
please go back and revise that lecture.

127
00:05:42,830  -->  00:05:46,180
Basically all we're doing is we're using aireplay-ng

128
00:05:46,180  -->  00:05:48,450
to run a deauthentication attack

129
00:05:48,450  -->  00:05:50,020
to disconnect this device

130
00:05:50,020  -->  00:05:52,250
for a very short period of time.

131
00:05:52,250  -->  00:05:55,630
That's why I'm setting this to only number four.

132
00:05:55,630  -->  00:06:00,200
Then I'm using -a to specify the MAC address of my target,

133
00:06:00,200  -->  00:06:03,640
-c to specify the MAC address of the client connected

134
00:06:03,640  -->  00:06:05,020
to this network

135
00:06:05,020  -->  00:06:08,483
and then I'm giving it my wireless adapter in monitor mode.

136
00:06:09,510  -->  00:06:10,930
Now I'm gonna hit Enter

137
00:06:10,930  -->  00:06:13,610
and keep an eye on this side right here.

138
00:06:13,610  -->  00:06:16,990
You'll see the handshake will be captured in here.

139
00:06:16,990  -->  00:06:19,410
So I'm gonna hit Enter.

140
00:06:19,410  -->  00:06:21,850
Deauthentication packets are being sent

141
00:06:22,720  -->  00:06:24,200
and perfect, as you can see,

142
00:06:24,200  -->  00:06:26,580
once the client connected again,

143
00:06:26,580  -->  00:06:28,653
we receive the handshake.

144
00:06:29,780  -->  00:06:32,440
So now we can quit airodump-ng.

145
00:06:32,440  -->  00:06:36,150
So Control + C because we have the handshake now.

146
00:06:36,150  -->  00:06:37,520
It is stored in the file

147
00:06:37,520  -->  00:06:39,730
that we set after the --write option

148
00:06:39,730  -->  00:06:41,180
which is called wpa_handshake

149
00:06:42,230  -->  00:06:45,170
and in the next lecture, I'll show you how this handshake

150
00:06:45,170  -->  00:06:48,603
can be used to get the key for the network.
