1
00:00:01,290  -->  00:00:02,950
<v Instructor>Now from the previous lectures,</v>

2
00:00:02,950  -->  00:00:06,320
we learned that in order to crack WPA or WPA2,

3
00:00:07,300  -->  00:00:10,010
we need to first capture the handshake.

4
00:00:10,010  -->  00:00:11,910
And second, have a wordlist,

5
00:00:11,910  -->  00:00:14,890
which contains a number of passwords

6
00:00:14,890  -->  00:00:17,400
that we're going to try, and hopefully,

7
00:00:17,400  -->  00:00:20,833
one of them will be the password for the target network.

8
00:00:21,740  -->  00:00:24,410
So right now I have both of these components,

9
00:00:24,410  -->  00:00:28,540
and we are ready to go and crack the password.

10
00:00:28,540  -->  00:00:32,580
To do this, Aircrack-ng is going to unpack the handshake

11
00:00:32,580  -->  00:00:35,173
and extract the useful information.

12
00:00:36,160  -->  00:00:40,210
The MIC right here, or the message integrity code,

13
00:00:40,210  -->  00:00:42,760
is what's used by the access point

14
00:00:42,760  -->  00:00:46,563
to verify whether a password is correct or not.

15
00:00:47,730  -->  00:00:51,250
So, it's gonna separate this and put it to the side,

16
00:00:51,250  -->  00:00:53,210
and then it's going to use all

17
00:00:53,210  -->  00:00:55,710
of the other information right here,

18
00:00:55,710  -->  00:01:00,700
combined with the first password from the wordlist

19
00:01:00,700  -->  00:01:05,333
to generate an MIC, another message integrity code.

20
00:01:06,320  -->  00:01:10,020
And then, it's going to compare this MIC

21
00:01:10,020  -->  00:01:13,760
to the one that's already in the handshake.

22
00:01:13,760  -->  00:01:17,760
If the MIC generated using this information

23
00:01:17,760  -->  00:01:21,700
plus the first password is the same,

24
00:01:21,700  -->  00:01:25,190
then the password used to generate this MIC

25
00:01:25,190  -->  00:01:27,570
is the password for the network.

26
00:01:27,570  -->  00:01:30,480
Otherwise, this password is wrong,

27
00:01:30,480  -->  00:01:32,843
and it'll move to the next password.

28
00:01:33,910  -->  00:01:37,370
Again, it'll do the same, it'll use all of this information,

29
00:01:37,370  -->  00:01:41,200
combined with this password, generate a new MIC,

30
00:01:41,200  -->  00:01:43,690
compare this new MIC to the one

31
00:01:43,690  -->  00:01:45,500
that's already in the handshake.

32
00:01:45,500  -->  00:01:47,990
If it's correct, then this is the password.

33
00:01:47,990  -->  00:01:52,190
If it's not, then it's gonna move onto the next password.

34
00:01:52,190  -->  00:01:55,420
And it'll keep doing this through all of the passwords

35
00:01:55,420  -->  00:01:56,790
in my wordlist.

36
00:01:56,790  -->  00:01:59,620
If any of them generates the right MIC,

37
00:01:59,620  -->  00:02:02,220
then this is the password for the network.

38
00:02:02,220  -->  00:02:05,960
Otherwise, we won't be able to get the password.

39
00:02:05,960  -->  00:02:09,790
That's why the success of this attack really depends

40
00:02:09,790  -->  00:02:10,873
on your wordlist.

41
00:02:11,920  -->  00:02:14,563
So, let's see how to do this in practice.

42
00:02:15,410  -->  00:02:17,880
Right now I have my wordlist right here,

43
00:02:17,880  -->  00:02:20,080
it's called test.txt.

44
00:02:20,080  -->  00:02:22,930
And I've actually manually added my password

45
00:02:22,930  -->  00:02:25,160
to the end of the list right here.

46
00:02:25,160  -->  00:02:28,510
Just so that when I run the wordlist against the handshake,

47
00:02:28,510  -->  00:02:30,420
I will actually find the password,

48
00:02:30,420  -->  00:02:34,043
because the wordlist did not contain my password by default.

49
00:02:35,980  -->  00:02:38,530
I also have the handshake file right here,

50
00:02:38,530  -->  00:02:39,780
as you can see.

51
00:02:39,780  -->  00:02:42,460
And all of this is in my Home directory,

52
00:02:42,460  -->  00:02:44,980
which is my root directory.

53
00:02:44,980  -->  00:02:49,180
So if I do ls in here, you'll see I have the wordlist,

54
00:02:49,180  -->  00:02:50,763
and the handshake file.

55
00:02:51,710  -->  00:02:54,220
So, we're ready to run Aircrack-ng.

56
00:02:54,220  -->  00:02:57,950
So we're gonna type the name of the program as usual,

57
00:02:57,950  -->  00:03:00,370
followed by the name of my capture file,

58
00:03:00,370  -->  00:03:04,980
which is wpa_handshake.01.cap.

59
00:03:04,980  -->  00:03:07,460
So, so far it's identical to the way

60
00:03:07,460  -->  00:03:09,363
that we used to use it with WEP.

61
00:03:10,570  -->  00:03:12,070
The only difference right now,

62
00:03:12,070  -->  00:03:14,930
because this is a WPA2 network,

63
00:03:14,930  -->  00:03:19,140
we have to specify a wordlist with the -w option.

64
00:03:19,140  -->  00:03:23,313
And the name of my wordlist is test.txt.

65
00:03:24,290  -->  00:03:25,640
So very, very simple.

66
00:03:25,640  -->  00:03:28,330
Aircrack is the name of my program.

67
00:03:28,330  -->  00:03:32,070
wpa_handshake.01.cap is the name of the file

68
00:03:32,070  -->  00:03:33,970
that contains my handshake.

69
00:03:33,970  -->  00:03:37,943
And I'm using -w to specify my wordlist file.

70
00:03:38,930  -->  00:03:41,010
I'm gonna hit Enter.

71
00:03:41,010  -->  00:03:42,830
And as you can see, now Aircrack-ng

72
00:03:42,830  -->  00:03:44,360
is running through the wordlist,

73
00:03:44,360  -->  00:03:47,900
testing each word in the wordlist one by one,

74
00:03:47,900  -->  00:03:49,910
as shown in this diagram.

75
00:03:49,910  -->  00:03:53,090
Calculating an MIC based on this information

76
00:03:53,090  -->  00:03:54,300
and the wordlist.

77
00:03:54,300  -->  00:03:57,660
And then, if the MIC is correct, it's going to tell me

78
00:03:57,660  -->  00:03:59,960
that this is the password.

79
00:03:59,960  -->  00:04:02,900
Now the speed of this depends on your processor,

80
00:04:02,900  -->  00:04:05,410
and the size of your wordlist file.

81
00:04:05,410  -->  00:04:07,220
So if you have a huge file, obviously,

82
00:04:07,220  -->  00:04:09,850
it will take you longer.

83
00:04:09,850  -->  00:04:13,130
There are also online services that you can try

84
00:04:13,130  -->  00:04:15,690
where you upload the handshake,

85
00:04:15,690  -->  00:04:19,340
and they have huge wordlists and they have super computers

86
00:04:19,340  -->  00:04:21,750
to run through these wordlists and try

87
00:04:21,750  -->  00:04:23,610
to give you the password.

88
00:04:23,610  -->  00:04:26,150
Unfortunately, I can't share their links with you,

89
00:04:26,150  -->  00:04:28,660
but you can easily find them on Google

90
00:04:28,660  -->  00:04:29,810
if you search for them.

91
00:04:31,172  -->  00:04:32,100
And, perfect!

92
00:04:32,100  -->  00:04:34,900
As you can see, we managed to find the key,

93
00:04:34,900  -->  00:04:36,370
it's telling us the key is found,

94
00:04:36,370  -->  00:04:38,450
and this is the key to the network.

95
00:04:38,450  -->  00:04:41,150
And this is the correct key because as you know,

96
00:04:41,150  -->  00:04:42,800
this is the same key that we got

97
00:04:42,800  -->  00:04:45,730
when we exploited the WPS feature.

98
00:04:45,730  -->  00:04:48,640
So now we can go ahead and connect to the network,

99
00:04:48,640  -->  00:04:51,250
and we'll be able to run all of the cool stuff

100
00:04:51,250  -->  00:04:52,470
that I'm gonna teach you

101
00:04:52,470  -->  00:04:55,193
in the Post-Connection Attack section.

102
00:04:56,320  -->  00:04:59,400
Now this is the only practical way known so far

103
00:04:59,400  -->  00:05:03,580
to crack WPA and WPA2 keys.

104
00:05:03,580  -->  00:05:06,150
There are methods to speed up this process

105
00:05:06,150  -->  00:05:08,640
so you can use the GPU for cracking,

106
00:05:08,640  -->  00:05:11,190
because it's much faster than the CPU.

107
00:05:11,190  -->  00:05:13,240
That's if you have a GPU.

108
00:05:13,240  -->  00:05:15,770
You can also use rainbow tables,

109
00:05:15,770  -->  00:05:18,400
you can also pipe the wordlist

110
00:05:18,400  -->  00:05:22,150
as it's being created in Crunch to Aircrack-ng.

111
00:05:22,150  -->  00:05:24,540
This way you can create bigger wordlists

112
00:05:24,540  -->  00:05:27,600
without using any storage on your computer.

113
00:05:27,600  -->  00:05:29,030
There are also methods,

114
00:05:29,030  -->  00:05:32,120
so that you can pause your cracking process,

115
00:05:32,120  -->  00:05:34,010
and then come back after a while

116
00:05:34,010  -->  00:05:36,150
without losing your progress,

117
00:05:36,150  -->  00:05:38,650
but the main idea's the same.

118
00:05:38,650  -->  00:05:42,890
The only way right now to crack WPA and WPA2

119
00:05:42,890  -->  00:05:45,850
is through a wordlist attack.

120
00:05:45,850  -->  00:05:47,860
You can use social engineering, however,

121
00:05:47,860  -->  00:05:50,960
to get the password using an evil twin attack,

122
00:05:50,960  -->  00:05:54,950
where you trick one of the users to give you the password.

123
00:05:54,950  -->  00:05:56,620
This is actually all covered

124
00:05:56,620  -->  00:05:59,180
in my Advanced Network Hacking course.

125
00:05:59,180  -->  00:06:04,180
Cracking using the GPU, piping Crunch to Aircrack-ng,

126
00:06:04,480  -->  00:06:07,580
getting the password using an evil twin attack,

127
00:06:07,580  -->  00:06:11,060
and much more advanced network hacking techniques.

128
00:06:11,060  -->  00:06:12,560
If you are interested in that,

129
00:06:12,560  -->  00:06:14,660
then I highly recommend you have a look

130
00:06:14,660  -->  00:06:17,600
at my Advanced Network Hacking course.

131
00:06:17,600  -->  00:06:19,600
Check out the bonus lecture of this course,

132
00:06:19,600  -->  00:06:21,340
the last lecture of this course.

133
00:06:21,340  -->  00:06:24,290
It contains links to all of my other courses,

134
00:06:24,290  -->  00:06:26,253
and a comparison between them.
