Now, if WPS is disabled on your target network, or if it's enabled but configured to use push button (PBC), then the method that I showed you in the previous lecture will not work. Therefore, you will have to go and crack the actual WPA or WPA2 encryption.

And like I said, when these encryptions were designed, the developers knew about the weaknesses in WEP and they made sure that they properly fixed these weaknesses. They actually did a pretty good job at this. Therefore, we cannot use the same method used in WEP to crack WPA and WPA2.

So in WPA2, the keys are unique, they're temporary, and they're much longer than what they were in WEP. Therefore, the packets sent in the air contain no information that is useful for us. So it doesn't matter even if we capture one million packets, we can't use them to crack the key. The only packets that contain useful information are the handshake packets. These are four packets transferred between a client and the router when the client connects to the network. So in this lecture, I'm gonna show you how to capture these packets, and in the next lectures we'll see how to use them to crack the WPA or WPA2 key.

First of all, as usual, you'd wanna run airodump-ng against all the networks around you. I've already done that, and as you can see, this is my target right here. It's using WPA2. And this is the MAC address; I'm gonna copy it.

And the first thing we'll do is just run airodump-ng on this network and store the data in a file, exactly the same way that we used to do with WEP. So we're just gonna do airodump-ng --bssid and give it the BSSID of my target, --channel and give it the channel of my target, which is one, and --write to specify a file name to store all the data that we're gonna capture in. Let's call this wpa_handshake, because we're gonna capture the handshake. And finally, we're gonna give it my wireless adapter in monitor mode, which is mon0.

So a very simple command; we've done this multiple times by now. We're using airodump-ng, we're giving it the MAC address of my target after --bssid, I'm giving it --channel to specify the channel of my target, and I'm using --write to store all the data in a file. This file will contain everything that we capture, so if we capture the handshake, it'll be in this file. And finally, I'm giving it the name of my wireless adapter in monitor mode.

So now I'm gonna hit Enter, and as you can see, airodump-ng is working against my target network. Right now, all we have to do is literally sit down and wait for the handshake to be captured. Like I said, the handshake is sent when a client connects to the network, so we'll literally have to sit down and wait until a new client connects to the network. Once a new client connects, we will capture the handshake, and you will see in here airodump-ng telling us that the handshake has been captured.

Alternatively, we can use something that we learned before, which is a deauthentication attack. We know that using that attack we can disconnect a client from the network, so we can do this for a very short period of time. We can disconnect this client from the network; it will automatically reconnect once we stop the attack. Therefore, when it automatically reconnects, the handshake will be sent in the air and we will be able to capture it. This way we will not have to sit down and wait for someone to voluntarily connect to the network.

So we've seen how to do this before, and it's gonna be exactly the same command as we did it before. We used aireplay-ng, we did --deauth, then we specified a really large number of packets to keep the client disconnected for a long period of time. This time, I'm gonna set this to four to only send four deauthentication packets. This way, my client will be disconnected for a very short period of time. They won't even feel that they got disconnected, but this is enough for the handshake to be sent, because they will be disconnected, they will automatically reconnect, and when they do that, we will capture the handshake.

Now, the next argument we wanna set is the MAC address of my target. So we're gonna do -a followed by the MAC address of my target. Then we're gonna do -c followed by the MAC address of the client that we want to disconnect. So it's this client right here; I'm gonna copy and paste it here. And finally, we're gonna give it the name of my wireless adapter in monitor mode, which is mon0. And we are done.

Again, I've spent a full lecture on this command explaining what a deauthentication attack is, so if it's a bit confusing, please go back and revise that lecture. Basically all we're doing is we're using aireplay-ng to run a deauthentication attack to disconnect this device for a very short period of time. That's why I'm setting this to only the number four. Then I'm using -a to specify the MAC address of my target, -c to specify the MAC address of the client connected to this network, and then I'm giving it my wireless adapter in monitor mode.

Now I'm gonna hit Enter and keep an eye on this side right here. You'll see the handshake will be captured in here. So I'm gonna hit Enter. Deauthentication packets are being sent, and perfect, as you can see, once the client connected again, we receive the handshake.

So now we can quit airodump-ng, so Control + C, because we have the handshake now. It is stored in the file that we set after the --write option, which is called wpa_handshake, and in the next lecture, I'll show you how this handshake can be used to get the key for the network.
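The pattern the lecture relies on, a short deauthentication burst followed within seconds by the same client's reconnect handshake, is also the signature a wireless IDS uses to flag a forced handshake capture. The following added example (not part of the lecture) runs that detection over a constructed event list; it assumes frames have already been parsed into (time, kind, bssid, client, eapol_msg) records, and the AP and client addresses are made up.

```python
"""Detect a short deauth burst followed by the same client's fresh 4-way handshake.
Events are constructed, not captured: (time_s, kind, bssid, client, msg) where
kind is "deauth" or "eapol" and msg is the EAPOL-Key message number 1..4 (or None)."""
from collections import defaultdict

# Constructed sample addresses and events (hypothetical, not from the lecture).
AP, VICTIM, OTHER = "AA:BB:CC:DD:EE:01", "10:00:00:00:00:01", "10:00:00:00:00:02"
SAMPLE_EVENTS = (
    [(1.0 + i / 10, "eapol", AP, OTHER, i + 1) for i in range(4)]      # benign join
    + [(10.0 + i / 10, "deauth", AP, VICTIM, None) for i in range(4)]  # 4-frame burst
    + [(12.0 + i / 10, "eapol", AP, VICTIM, i + 1) for i in range(4)]  # forced rejoin
)


def complete_handshakes(events):
    """Yield (start_time, bssid, client) for every in-order M1..M4 sequence."""
    state = {}  # (bssid, client) -> (next expected msg, time of M1)
    for t, kind, bssid, client, msg in events:
        if kind != "eapol":
            continue
        key = (bssid, client)
        if msg == 1:
            state[key] = (2, t)               # a new handshake always starts at M1
        elif key in state and state[key][0] == msg:
            if msg == 4:
                yield (state.pop(key)[1], bssid, client)
            else:
                state[key] = (msg + 1, state[key][1])
        else:
            state.pop(key, None)              # out of order: drop the partial handshake


def detect_forced_handshakes(events, window_s=5.0, min_deauth=3):
    """Alert when >= min_deauth deauth frames to a client precede that client's
    complete handshake by at most window_s seconds (the deauth-then-rejoin pattern)."""
    events = sorted(events, key=lambda e: e[0])
    deauths = defaultdict(list)  # (bssid, client) -> deauth frame timestamps
    for t, kind, bssid, client, _ in events:
        if kind == "deauth":
            deauths[(bssid, client)].append(t)
    alerts = []
    for start, bssid, client in complete_handshakes(events):
        recent = [t for t in deauths[(bssid, client)] if start - window_s <= t <= start]
        if len(recent) >= min_deauth:
            alerts.append({"bssid": bssid, "client": client,
                           "deauth_frames": len(recent), "handshake_at": start})
    return alerts
```

On the sample, only the VICTIM client's handshake is flagged; the OTHER client's handshake has no preceding deauth frames and is reported as a normal join.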