1
00:00:01,040 --> 00:00:02,420
Okay, now that we know
2
00:00:02,420 --> 00:00:05,550
what WPS is and how it can be used
3
00:00:05,550 --> 00:00:10,490
to recover the password for WPA and WPA2 networks,
4
00:00:10,490 --> 00:00:13,023
let's see how to do that in practice.
5
00:00:14,070 --> 00:00:16,900
So right here I have my Kali machine.
6
00:00:16,900 --> 00:00:18,800
I've already enabled monitor mode
7
00:00:18,800 --> 00:00:20,813
on my wireless adapter on 10.
8
00:00:21,700 --> 00:00:24,220
Now, usually we use airodump-ng
9
00:00:24,220 --> 00:00:27,100
to see all the networks around us.
10
00:00:27,100 --> 00:00:29,710
But right now, we want to see the networks
11
00:00:29,710 --> 00:00:32,200
that have WPS enabled
12
00:00:32,200 --> 00:00:35,020
but because like I said it's just a feature
13
00:00:35,020 --> 00:00:37,285
and people can turn this feature off,
14
00:00:37,285 --> 00:00:41,000
so first of all, I'm gonna use a tool called wash
15
00:00:42,340 --> 00:00:45,400
to display all the networks around me
16
00:00:45,400 --> 00:00:48,310
that have WPS enabled.
17
00:00:48,310 --> 00:00:52,810
So we're gonna do wash --interface
18
00:00:52,810 --> 00:00:55,220
and give it my interface in monitor mode
19
00:00:55,220 --> 00:00:57,210
which is mon0.
20
00:00:57,210 --> 00:01:00,350
So all we're doing is: wash is the name of the tool,
21
00:01:00,350 --> 00:01:02,830
interface to give it the interface
22
00:01:02,830 --> 00:01:06,830
and mon0 is my wireless adapter in monitor mode.
23
00:01:06,830 --> 00:01:08,210
If I hit Enter now,
24
00:01:08,210 --> 00:01:11,233
you'll see it'll list my network straight away.
25
00:01:12,080 --> 00:01:14,010
Now, I pressed Control + C to cancel this,
26
00:01:14,010 --> 00:01:15,550
similar to airodump-ng
27
00:01:15,550 --> 00:01:16,810
because it'll keep running
28
00:01:16,810 --> 00:01:18,520
unless you cancel it.
29
00:01:18,520 --> 00:01:20,960
And you can see this is my target network.
30
00:01:20,960 --> 00:01:22,620
It's called Test_AP.
31
00:01:22,620 --> 00:01:24,160
It's giving us the vendor
32
00:01:24,160 --> 00:01:26,430
of the hardware used in this network
33
00:01:26,430 --> 00:01:28,340
in this access point.
34
00:01:28,340 --> 00:01:32,930
The Lck tells us whether WPS is locked or not
35
00:01:32,930 --> 00:01:35,220
because sometimes WPS locks
36
00:01:35,220 --> 00:01:37,790
after a number of failed attempts.
37
00:01:37,790 --> 00:01:39,220
So right now this says no,
38
00:01:39,220 --> 00:01:40,960
which means that we can actually go ahead
39
00:01:40,960 --> 00:01:43,110
and try to guess the PIN.
40
00:01:43,110 --> 00:01:47,300
It's giving us the version of WPS, it's using version one.
41
00:01:47,300 --> 00:01:49,450
The signal strength is in here.
42
00:01:49,450 --> 00:01:51,833
The channel and the BSSID.
43
00:01:52,970 --> 00:01:55,880
Now, I explained the meaning of all these things before
44
00:01:55,880 --> 00:01:58,180
in my airodump-ng lecture
45
00:01:58,180 --> 00:01:59,960
so I'm not gonna talk about them now.
46
00:01:59,960 --> 00:02:02,500
If you forgot the meaning of any of these terms,
47
00:02:02,500 --> 00:02:05,423
please go back to the airodump-ng lecture.
48
00:02:05,423 --> 00:02:09,230
Now, this network actually uses WPA2,
49
00:02:09,230 --> 00:02:11,210
so just to confirm this to you,
50
00:02:11,210 --> 00:02:13,730
if I go here to my host machine
51
00:02:13,730 --> 00:02:15,524
and just try to connect to it,
52
00:02:15,524 --> 00:02:17,980
you'll see that it's telling me
53
00:02:17,980 --> 00:02:21,580
that this uses a WPA2 password.
54
00:02:21,580 --> 00:02:23,020
But like I said, we don't care
55
00:02:23,020 --> 00:02:25,440
if it's WPA or WPA2
56
00:02:25,440 --> 00:02:28,490
because we're gonna be exploiting a feature
57
00:02:28,490 --> 00:02:31,793
in these encryptions which is the WPS feature.
58
00:02:32,840 --> 00:02:37,180
So now that we know our target network uses WPS,
59
00:02:37,180 --> 00:02:40,160
there's a good chance that this attack will work against it.
60
00:02:40,160 --> 00:02:42,240
The only reason it might fail
61
00:02:42,240 --> 00:02:44,660
is if the target uses PBC
62
00:02:44,660 --> 00:02:47,310
or push button authentication.
63
00:02:47,310 --> 00:02:50,210
Like I said, if the target uses PBC,
64
00:02:50,210 --> 00:02:52,190
then it will refuse all the PINs
65
00:02:52,190 --> 00:02:54,700
unless the button is pressed on the router
66
00:02:54,700 --> 00:02:57,230
and therefore this attack will fail.
67
00:02:57,230 --> 00:02:59,950
The only way to know is to literally try this attack
68
00:02:59,950 --> 00:03:00,993
and see if it works.
69
00:03:02,520 --> 00:03:05,320
So I'm gonna copy the MAC address of this network
70
00:03:05,320 --> 00:03:06,610
or the BSSID
71
00:03:08,340 --> 00:03:09,840
and the first thing that I'm gonna do,
72
00:03:09,840 --> 00:03:12,480
similar to what we did with WEP,
73
00:03:12,480 --> 00:03:15,420
I'm going to associate with the target network
74
00:03:15,420 --> 00:03:17,840
using a fake authentication attack.
75
00:03:17,840 --> 00:03:19,660
So basically I'll be saying I want
76
00:03:19,660 --> 00:03:20,970
to communicate with you,
77
00:03:20,970 --> 00:03:22,340
please don't ignore me
78
00:03:22,340 --> 00:03:24,100
so that when I run the attack,
79
00:03:24,100 --> 00:03:26,540
the network will start accepting the PINs
80
00:03:26,540 --> 00:03:28,520
and not ignore me.
81
00:03:28,520 --> 00:03:31,640
So to associate, we're gonna use the exact same command
82
00:03:31,640 --> 00:03:34,570
that we used when we did it with WEP.
83
00:03:34,570 --> 00:03:36,120
So we're gonna use aireplay-ng.
84
00:03:37,490 --> 00:03:38,910
We're gonna tell it I want to run
85
00:03:38,910 --> 00:03:40,853
a fake authentication attack.
86
00:03:41,750 --> 00:03:43,530
We're gonna give it the delay,
87
00:03:43,530 --> 00:03:45,290
so this is the time to wait
88
00:03:45,290 --> 00:03:47,590
between association attempts.
89
00:03:47,590 --> 00:03:49,370
Previously we set it to zero
90
00:03:49,370 --> 00:03:52,360
and we had to do this manually every now and then.
91
00:03:52,360 --> 00:03:54,105
Right now I'm gonna set it to 30
92
00:03:54,105 --> 00:03:55,990
so that we associate
93
00:03:55,990 --> 00:03:59,033
with the target network every 30 seconds.
94
00:04:00,410 --> 00:04:03,540
Then I'm gonna do -a to give it the MAC address
95
00:04:03,540 --> 00:04:06,000
of my target and -h
96
00:04:06,000 --> 00:04:08,790
to give it the MAC address of my wireless adapter
97
00:04:08,790 --> 00:04:10,020
in monitor mode
98
00:04:10,020 --> 00:04:13,203
and we see that we can get this by doing ifconfig.
99
00:04:15,130 --> 00:04:16,670
And copy it from here.
100
00:04:16,670 --> 00:04:18,793
We said it's the first 12 digits.
101
00:04:20,920 --> 00:04:24,433
And I'll just replace the minus with the colon.
102
00:04:25,580 --> 00:04:27,510
And finally, I'm gonna give it the name
103
00:04:27,510 --> 00:04:30,930
of my wireless adapter in monitor mode which is mon0.
104
00:04:32,550 --> 00:04:35,170
So I explained this in detail before.
105
00:04:35,170 --> 00:04:36,720
That's why I did it quickly.
106
00:04:36,720 --> 00:04:38,680
If you don't remember how I did this,
107
00:04:38,680 --> 00:04:42,760
please go back to the fake authentication attack lecture.
108
00:04:42,760 --> 00:04:44,520
So the command is ready now,
109
00:04:44,520 --> 00:04:46,560
but I'm not gonna execute it.
110
00:04:46,560 --> 00:04:48,930
I'm gonna go down to the bottom terminal
111
00:04:48,930 --> 00:04:51,070
and run Reaver which is the program
112
00:04:51,070 --> 00:04:53,620
that will brute force the PIN for me
113
00:04:53,620 --> 00:04:57,520
and only then I will associate with the target
114
00:04:57,520 --> 00:05:00,870
because otherwise, aireplay-ng will fail
115
00:05:00,870 --> 00:05:02,933
to associate with my network.
116
00:05:04,180 --> 00:05:07,060
So I'm gonna move to this terminal right here,
117
00:05:07,060 --> 00:05:08,663
I'm gonna clear the screen.
118
00:05:09,590 --> 00:05:12,540
And we're gonna run Reaver which is the program
119
00:05:12,540 --> 00:05:15,010
that's going to brute force the PIN,
120
00:05:15,010 --> 00:05:17,400
so it's gonna try every possible PIN
121
00:05:17,400 --> 00:05:19,210
until it gets the right PIN.
122
00:05:19,210 --> 00:05:20,740
Once it has the right PIN,
123
00:05:20,740 --> 00:05:25,640
it'll use it to compute the actual WPA key.
124
00:05:25,640 --> 00:05:28,120
So using Reaver is very, very simple.
125
00:05:28,120 --> 00:05:29,570
It's very similar to everything
126
00:05:29,570 --> 00:05:31,210
we've been doing so far.
127
00:05:31,210 --> 00:05:33,750
So first of all, we have to type the program name
128
00:05:33,750 --> 00:05:34,693
which is reaver.
129
00:05:36,190 --> 00:05:40,070
Then I'm gonna do --bssid to give it the MAC address
130
00:05:40,070 --> 00:05:41,660
of my target network.
131
00:05:41,660 --> 00:05:43,093
So I'm just gonna paste it.
132
00:05:44,250 --> 00:05:46,343
Then I'm gonna do --channel.
133
00:05:47,560 --> 00:05:49,730
And give it the channel of the target network
134
00:05:49,730 --> 00:05:50,693
which is one.
135
00:05:51,600 --> 00:05:54,710
Then we're gonna do --interface
136
00:05:54,710 --> 00:05:57,080
and give it my wireless adapter
137
00:05:57,080 --> 00:05:59,623
in monitor mode which is mon0.
138
00:06:00,690 --> 00:06:02,710
So a very, very simple command.
139
00:06:02,710 --> 00:06:05,300
We're using Reaver, this is the name of the program
140
00:06:05,300 --> 00:06:07,030
that'll do the brute forcing for us
141
00:06:07,030 --> 00:06:08,620
and give us the key.
142
00:06:08,620 --> 00:06:12,240
We're giving it the bssid, the MAC address of my target.
143
00:06:12,240 --> 00:06:15,140
We're doing --channel to give it the channel
144
00:06:15,140 --> 00:06:17,500
that my target is running on
145
00:06:17,500 --> 00:06:21,120
and we're doing --interface to give it the name
146
00:06:21,120 --> 00:06:23,823
of my wireless adapter in monitor mode.
147
00:06:24,860 --> 00:06:27,140
I'm also gonna add two more options.
148
00:06:27,140 --> 00:06:30,620
I'm gonna add -vvv to show us
149
00:06:30,620 --> 00:06:32,930
as much information as possible.
150
00:06:32,930 --> 00:06:34,120
This is really helpful.
151
00:06:34,120 --> 00:06:36,400
If it fails or things go wrong,
152
00:06:36,400 --> 00:06:38,750
we'll be able to know what's happening,
153
00:06:38,750 --> 00:06:40,890
why things are going wrong.
154
00:06:40,890 --> 00:06:45,080
And I'm also gonna do --no-associate
155
00:06:46,890 --> 00:06:50,600
to tell Reaver not to associate with the target network
156
00:06:50,600 --> 00:06:54,330
because we're already manually doing that in here.
157
00:06:54,330 --> 00:06:57,820
So Reaver can automatically do this step right here for you
158
00:06:57,820 --> 00:07:00,290
but I've seen that it fails a lot.
159
00:07:00,290 --> 00:07:01,880
Therefore it's actually better
160
00:07:01,880 --> 00:07:04,320
to do it ourselves manually here
161
00:07:04,320 --> 00:07:06,983
and then tell Reaver not to associate.
162
00:07:08,270 --> 00:07:09,640
So now I'm gonna hit Enter
163
00:07:09,640 --> 00:07:11,560
to get Reaver to work.
164
00:07:11,560 --> 00:07:14,380
And I'm gonna go up to the top terminal
165
00:07:14,380 --> 00:07:16,760
and I'm gonna hit Enter to associate
166
00:07:16,760 --> 00:07:18,650
with the target network telling it,
167
00:07:18,650 --> 00:07:22,380
please don't ignore us so that Reaver at the bottom here
168
00:07:22,380 --> 00:07:24,120
can brute force the PIN
169
00:07:24,120 --> 00:07:26,250
and try every possible PIN
170
00:07:26,250 --> 00:07:28,460
until we get the correct PIN
171
00:07:28,460 --> 00:07:31,270
which we'll use to get the password.
172
00:07:31,270 --> 00:07:34,720
Now, as you can see, right now I'm getting an error
173
00:07:34,720 --> 00:07:36,140
and this is actually a bug
174
00:07:36,140 --> 00:07:38,830
with the latest versions of Reaver.
175
00:07:38,830 --> 00:07:41,010
So if you get this bug,
176
00:07:41,010 --> 00:07:43,070
this means they still haven't fixed it
177
00:07:43,070 --> 00:07:44,520
in the latest version.
178
00:07:44,520 --> 00:07:48,610
So it's better to go back and use an older version.
179
00:07:48,610 --> 00:07:50,520
I'm gonna include an older version
180
00:07:50,520 --> 00:07:53,810
that works perfectly in the resources of this lecture
181
00:07:53,810 --> 00:07:57,090
so you can access it from the top left of the lecture.
182
00:07:57,090 --> 00:07:59,870
If you tried Reaver and got this error right here,
183
00:07:59,870 --> 00:08:02,800
then go ahead and download this older version.
184
00:08:02,800 --> 00:08:05,690
Right now I already have it in my downloads right here,
185
00:08:05,690 --> 00:08:07,600
so you can see I'm in Home, Downloads
186
00:08:07,600 --> 00:08:09,653
and I have it right here called Reaver.
187
00:08:10,640 --> 00:08:14,120
So what I'm gonna do is I'm gonna clear this again
188
00:08:14,120 --> 00:08:18,460
and I'm gonna navigate to my Downloads so cd Downloads.
189
00:08:18,460 --> 00:08:22,610
I'm gonna list and you can see we have it right here.
190
00:08:22,610 --> 00:08:24,700
Now, it's already in green for me
191
00:08:24,700 --> 00:08:27,440
but for you, you'd wanna change the permissions
192
00:08:27,440 --> 00:08:30,130
of this file to an executable
193
00:08:30,130 --> 00:08:34,933
so you'll have to do chmod +x reaver.
194
00:08:36,060 --> 00:08:38,430
This will make it an executable.
195
00:08:38,430 --> 00:08:40,250
Once it is an executable,
196
00:08:40,250 --> 00:08:45,250
you can run it by doing ./ followed by its name, so reaver.
197
00:08:47,170 --> 00:08:49,520
Then you can do the exact same command
198
00:08:49,520 --> 00:08:52,180
exactly like I just did it with the one
199
00:08:52,180 --> 00:08:54,950
that comes pre-installed in Kali.
200
00:08:54,950 --> 00:08:56,836
So I'm actually just gonna go back
201
00:08:56,836 --> 00:08:59,570
to what I had and I'm just gonna go
202
00:08:59,570 --> 00:09:01,210
to the start of the command
203
00:09:01,210 --> 00:09:02,987
and put ./
204
00:09:04,457 --> 00:09:06,680
so when we put the ./
205
00:09:06,680 --> 00:09:08,350
we're basically running the file
206
00:09:08,350 --> 00:09:10,430
that is in the current working directory.
207
00:09:10,430 --> 00:09:14,200
We're running this, we're not running the normal Reaver file
208
00:09:14,200 --> 00:09:16,053
that is pre-installed in Kali.
209
00:09:17,130 --> 00:09:20,060
Then we're using all of the options exactly the same way
210
00:09:20,060 --> 00:09:22,780
that we were using them with the built-in one.
211
00:09:22,780 --> 00:09:24,860
I'm gonna hit Enter.
212
00:09:24,860 --> 00:09:26,630
And as you can see, right now Reaver
213
00:09:26,630 --> 00:09:30,243
is trying the PIN 1234567.
214
00:09:32,210 --> 00:09:33,490
And perfect.
215
00:09:33,490 --> 00:09:37,450
You can see the PIN was actually 12345670.
216
00:09:37,450 --> 00:09:39,030
So it's a simple PIN.
217
00:09:39,030 --> 00:09:40,720
It actually came with the PIN
218
00:09:40,720 --> 00:09:42,820
so I didn't manually set this PIN.
219
00:09:42,820 --> 00:09:46,580
My router came from the factory with WPS enabled
220
00:09:46,580 --> 00:09:47,860
with this PIN.
221
00:09:47,860 --> 00:09:49,940
So like I said, this tool works
222
00:09:49,940 --> 00:09:52,730
but again, not against all routers.
223
00:09:52,730 --> 00:09:55,900
From that, it was able to discover the WPA key
224
00:09:55,900 --> 00:09:57,170
which is UAURWSXR
225
00:09:58,820 --> 00:10:01,720
and the name of the router is Test AP.
226
00:10:01,720 --> 00:10:03,040
So I can literally go ahead
227
00:10:03,040 --> 00:10:04,720
and connect with this password
228
00:10:04,720 --> 00:10:07,250
and I'll be able to connect to the network
229
00:10:07,250 --> 00:10:11,303
and see and decrypt all of the packets sent in the air.