All language subtitles for 3. Capturing The Handshake

1
00:00:01,110 --> 00:00:03,410
Now, if WPS is disabled

2
00:00:03,410 --> 00:00:05,070
on your target network,

3
00:00:05,070 --> 00:00:08,090
or if it's enabled, but configured

4
00:00:08,090 --> 00:00:10,790
to use push button or PBC,

5
00:00:10,790 --> 00:00:13,600
then the method that I showed you in the previous lecture

6
00:00:13,600 --> 00:00:15,440
will not work.

7
00:00:15,440 --> 00:00:17,230
Therefore, you will have to go

8
00:00:17,230 --> 00:00:22,230
and crack the actual WPA or WPA2 encryption.

9
00:00:22,580 --> 00:00:25,860
And like I said, when these encryptions were designed,

10
00:00:25,860 --> 00:00:29,610
the developers knew about the weaknesses in WEP

11
00:00:29,610 --> 00:00:30,530
and they made sure

12
00:00:30,530 --> 00:00:33,660
that they properly fixed these weaknesses.

13
00:00:33,660 --> 00:00:36,070
They actually did a pretty good job at this.

14
00:00:36,070 --> 00:00:40,410
Therefore, we cannot use the same method used in WEP

15
00:00:40,410 --> 00:00:43,383
to crack WPA and WPA2.

16
00:00:44,630 --> 00:00:48,920
So in WPA2, the keys are unique, they're temporary,

17
00:00:48,920 --> 00:00:52,390
they're much longer than what they were in WEP.

18
00:00:52,390 --> 00:00:54,580
Therefore, the packets sent

19
00:00:54,580 --> 00:00:58,010
in the air contain no information

20
00:00:58,010 --> 00:01:00,920
that is useful for us.

21
00:01:00,920 --> 00:01:04,180
So it doesn't matter even if we capture one million packets,

22
00:01:04,180 --> 00:01:06,853
we can't use them to crack the key.

23
00:01:07,920 --> 00:01:11,070
The only packets that contain useful information

24
00:01:11,070 --> 00:01:12,983
are the handshake packets.

25
00:01:14,080 --> 00:01:17,630
These are four packets transferred between a client

26
00:01:17,630 --> 00:01:22,060
and the router when the client connects to the network.

27
00:01:22,060 --> 00:01:23,460
So in this lecture,

28
00:01:23,460 --> 00:01:26,190
I'm gonna show you how to capture these packets

29
00:01:26,190 --> 00:01:28,060
and in the next lectures,

30
00:01:28,060 --> 00:01:31,680
we'll see how to use them to crack the WPA

31
00:01:31,680 --> 00:01:33,593
or WPA2 key.

32
00:01:34,590 --> 00:01:36,250
First of all, as usual,

33
00:01:36,250 --> 00:01:37,970
you'd wanna run airodump-ng

34
00:01:37,970 --> 00:01:40,300
against all the networks around you.

35
00:01:40,300 --> 00:01:41,750
I've already done that

36
00:01:41,750 --> 00:01:44,490
and as you can see, this is my target right here.

37
00:01:44,490 --> 00:01:45,663
It's using WPA2.

38
00:01:46,673 --> 00:01:49,100
And this is the MAC address.

39
00:01:49,100 --> 00:01:50,253
I'm gonna copy it.

40
00:01:51,800 --> 00:01:55,050
And the first thing we'll do is just run airodump-ng

41
00:01:55,050 --> 00:01:58,040
on this network and store the data in a file,

42
00:01:58,040 --> 00:02:01,553
exactly the same way that we used to do with WEP.

43
00:02:02,780 --> 00:02:05,347
So we're just gonna do airodump-ng --bssid

44
00:02:08,030 --> 00:02:10,973
and give it the BSSID of my target.

45
00:02:12,227 --> 00:02:16,000
-channel and give it the channel of my target

46
00:02:16,000 --> 00:02:17,173
which is one.

47
00:02:18,757 --> 00:02:21,410
-write to specify a file name

48
00:02:21,410 --> 00:02:24,570
to store all the data that we're gonna capture in.

49
00:02:24,570 --> 00:02:26,957
And let's call this wpa_handshake

50
00:02:30,260 --> 00:02:32,820
because we're gonna capture the handshake.

51
00:02:32,820 --> 00:02:35,790
And finally, we're gonna give it my wireless adapter

52
00:02:35,790 --> 00:02:36,940
in monitor mode

53
00:02:36,940 --> 00:02:39,220
which is mon0.

54
00:02:39,220 --> 00:02:40,790
So a very simple command.

55
00:02:40,790 --> 00:02:43,170
We've done this multiple times by now.

56
00:02:43,170 --> 00:02:45,030
We're using airodump-ng.

57
00:02:45,030 --> 00:02:47,240
We're giving it the MAC address of my target

58
00:02:47,240 --> 00:02:50,730
after the BSSID, I'm giving it --channel

59
00:02:50,730 --> 00:02:53,620
to specify the channel of my target.

60
00:02:53,620 --> 00:02:57,490
I'm using --write to store all the data in a file.

61
00:02:57,490 --> 00:02:59,280
This file will contain everything

62
00:02:59,280 --> 00:03:01,950
that we capture so if we capture the handshake,

63
00:03:01,950 --> 00:03:04,040
it'll be in this file.

64
00:03:04,040 --> 00:03:07,470
And finally, I'm giving it the name of my wireless adapter

65
00:03:07,470 --> 00:03:09,320
in monitor mode.

66
00:03:09,320 --> 00:03:11,180
So now I'm gonna hit Enter

67
00:03:11,180 --> 00:03:13,720
and as you can see, airodump-ng is working

68
00:03:13,720 --> 00:03:15,970
against my target network

69
00:03:15,970 --> 00:03:18,140
and right now, all we have to do

70
00:03:18,140 --> 00:03:20,490
is literally sit down and wait

71
00:03:20,490 --> 00:03:23,160
for the handshake to be captured.

72
00:03:23,160 --> 00:03:25,360
Like I said, the handshake is sent

73
00:03:25,360 --> 00:03:28,360
when a client connects to the network

74
00:03:28,360 --> 00:03:29,960
so we'll literally have to sit down

75
00:03:29,960 --> 00:03:33,410
and wait until a new client connects to the network.

76
00:03:33,410 --> 00:03:35,150
Once a new client connects,

77
00:03:35,150 --> 00:03:36,810
we will capture the handshake

78
00:03:36,810 --> 00:03:39,650
and you will see in here airodump telling us

79
00:03:39,650 --> 00:03:41,633
that the handshake has been captured.

80
00:03:42,720 --> 00:03:45,060
Alternatively, we can use something

81
00:03:45,060 --> 00:03:46,680
that we learned before

82
00:03:46,680 --> 00:03:50,040
which is a deauthentication attack.

83
00:03:50,040 --> 00:03:51,730
We know using that attack,

84
00:03:51,730 --> 00:03:54,670
we can disconnect a client from the network

85
00:03:54,670 --> 00:03:57,370
so we can do this for a very short period of time.

86
00:03:57,370 --> 00:04:00,340
We can disconnect this client from the network.

87
00:04:00,340 --> 00:04:04,630
He will automatically connect once we stop the attack.

88
00:04:04,630 --> 00:04:07,260
Therefore, when he automatically connects,

89
00:04:07,260 --> 00:04:09,540
the handshake will be sent in the air

90
00:04:09,540 --> 00:04:11,890
and we will be able to capture it.

91
00:04:11,890 --> 00:04:13,810
This way we will not have to sit down

92
00:04:13,810 --> 00:04:16,730
and wait for someone to voluntarily connect

93
00:04:16,730 --> 00:04:17,683
to the network.

94
00:04:19,300 --> 00:04:21,220
So we've seen how to do this before

95
00:04:21,220 --> 00:04:23,130
and it's gonna be exactly the same command

96
00:04:23,130 --> 00:04:24,560
as we did it before.

97
00:04:24,560 --> 00:04:26,473
We used aireplay-ng.

98
00:04:27,610 --> 00:04:29,573
We did --deauth.

99
00:04:31,000 --> 00:04:34,770
Then we specified a really large number of packets

100
00:04:34,770 --> 00:04:39,100
to keep the client disconnected for a long period of time.

101
00:04:39,100 --> 00:04:41,530
This time, I'm gonna set this to four

102
00:04:41,530 --> 00:04:45,050
to only send four deauthentication packets.

103
00:04:45,050 --> 00:04:47,290
This way, my client will be disconnected

104
00:04:47,290 --> 00:04:49,370
for a very short period of time.

105
00:04:49,370 --> 00:04:52,310
They won't even feel that they got disconnected

106
00:04:52,310 --> 00:04:54,160
but this is enough for the handshake

107
00:04:54,160 --> 00:04:56,540
to be sent because they will be disconnected,

108
00:04:56,540 --> 00:04:58,290
they will automatically connect

109
00:04:58,290 --> 00:04:59,610
and when they do that,

110
00:04:59,610 --> 00:05:01,163
we will capture the handshake.

111
00:05:02,380 --> 00:05:04,460
Now, the next argument we wanna set

112
00:05:04,460 --> 00:05:06,910
is the MAC address of my target.

113
00:05:06,910 --> 00:05:09,740
So we're gonna do -a followed by the MAC address

114
00:05:09,740 --> 00:05:11,210
of my target.

115
00:05:11,210 --> 00:05:14,320
Then we're gonna do -c followed by the MAC address

116
00:05:14,320 --> 00:05:17,180
of the client that we want to disconnect.

117
00:05:17,180 --> 00:05:19,590
So it's this client right here.

118
00:05:19,590 --> 00:05:23,070
I'm gonna copy, paste it here

119
00:05:23,070 --> 00:05:25,440
and finally, we're gonna give it the name

120
00:05:25,440 --> 00:05:28,310
of my wireless adapter in monitor mode

121
00:05:28,310 --> 00:05:29,763
which is mon0.

122
00:05:31,000 --> 00:05:32,500
And we are done.

123
00:05:32,500 --> 00:05:35,380
Again, I've spent a full lecture on this command

124
00:05:35,380 --> 00:05:38,160
explaining what a deauthentication attack is

125
00:05:38,160 --> 00:05:39,910
so if it's a bit confusing,

126
00:05:39,910 --> 00:05:42,830
please go back and revise that lecture.

127
00:05:42,830 --> 00:05:46,180
Basically all we're doing is we're using aireplay-ng

128
00:05:46,180 --> 00:05:48,450
to run a deauthentication attack

129
00:05:48,450 --> 00:05:50,020
to disconnect this device

130
00:05:50,020 --> 00:05:52,250
for a very short period of time.

131
00:05:52,250 --> 00:05:55,630
That's why I'm setting this to only number four.

132
00:05:55,630 --> 00:06:00,200
Then I'm using -a to specify the MAC address of my target,

133
00:06:00,200 --> 00:06:03,640
-c to specify the MAC address of the client connected

134
00:06:03,640 --> 00:06:05,020
to this network

135
00:06:05,020 --> 00:06:08,483
and then I'm giving it my wireless adapter in monitor mode.

136
00:06:09,510 --> 00:06:10,930
Now I'm gonna hit Enter

137
00:06:10,930 --> 00:06:13,610
and keep an eye on this side right here.

138
00:06:13,610 --> 00:06:16,990
You'll see the handshake will be captured in here.

139
00:06:16,990 --> 00:06:19,410
So I'm gonna hit Enter.

140
00:06:19,410 --> 00:06:21,850
Deauthentication packets are being sent

141
00:06:22,720 --> 00:06:24,200
and perfect, as you can see,

142
00:06:24,200 --> 00:06:26,580
once the client connected again,

143
00:06:26,580 --> 00:06:28,653
we receive the handshake.

144
00:06:29,780 --> 00:06:32,440
So now we can quit airodump-ng.

145
00:06:32,440 --> 00:06:36,150
So Control + C because we have the handshake now.

146
00:06:36,150 --> 00:06:37,520
It is stored in the file

147
00:06:37,520 --> 00:06:39,730
that we set after the --write option

148
00:06:39,730 --> 00:06:41,180
which is called wpa_handshake

149
00:06:42,230 --> 00:06:45,170
and in the next lecture, I'll show you how this handshake

150
00:06:45,170 --> 00:06:48,603
can be used to get the key for the network.
