1
00:00:00,450 --> 00:00:02,170
Now that we have associated

2
00:00:02,170 --> 00:00:03,970
with our target network,

3
00:00:03,970 --> 00:00:08,520
we can start communicating with it, and it won't ignore us.

4
00:00:08,520 --> 00:00:11,790
So now we can go and start injecting packets

5
00:00:11,790 --> 00:00:16,220
into the traffic to force the access point

6
00:00:16,220 --> 00:00:20,020
to generate new packets with new IVs.

7
00:00:20,020 --> 00:00:22,320
This will increase the number of data

8
00:00:22,320 --> 00:00:24,470
really, really quickly, allowing us

9
00:00:24,470 --> 00:00:27,740
to crack WEP networks in minutes,

10
00:00:27,740 --> 00:00:30,140
even if the network was not busy,

11
00:00:30,140 --> 00:00:33,023
like the one that we are targeting right now.

12
00:00:34,360 --> 00:00:36,820
Now, there are a number of ways to do this,

13
00:00:36,820 --> 00:00:39,320
but in this course, I'm going to explain

14
00:00:39,320 --> 00:00:41,130
the most reliable method,

15
00:00:41,130 --> 00:00:45,113
which is using an ARP request replay attack.

16
00:00:46,330 --> 00:00:48,200
I actually explain other methods

17
00:00:48,200 --> 00:00:50,100
in my network hacking course,

18
00:00:50,100 --> 00:00:52,470
but they are a little bit more complex

19
00:00:52,470 --> 00:00:54,820
and have a lower success rate.

20
00:00:54,820 --> 00:00:56,950
So this is the most reliable method,

21
00:00:56,950 --> 00:00:59,610
and it should work against most networks

22
00:00:59,610 --> 00:01:04,450
if you have a good signal and a good wireless adapter.

23
00:01:04,450 --> 00:01:06,710
So the idea behind this method is

24
00:01:06,710 --> 00:01:09,400
to wait for an ARP packet,

25
00:01:09,400 --> 00:01:12,980
and I'll talk about ARP in more detail later on.

26
00:01:12,980 --> 00:01:16,800
So for now, just think of it as a special type of packet

27
00:01:16,800 --> 00:01:18,810
that we're gonna be waiting on.

28
00:01:18,810 --> 00:01:21,700
Once this packet is sent in the network,

29
00:01:21,700 --> 00:01:25,370
we're going to capture it and retransmit it.

30
00:01:25,370 --> 00:01:28,440
Once we do this, the router is forced

31
00:01:28,440 --> 00:01:31,713
to generate a new packet with a new IV.

32
00:01:33,660 --> 00:01:37,890
So by repeating this process, we will be forcing the router

33
00:01:37,890 --> 00:01:42,820
to continuously generate new packets with new IVs.

34
00:01:42,820 --> 00:01:46,410
Then once we have enough data, once we have enough IVs,

35
00:01:46,410 --> 00:01:48,320
we can run aircrack-ng,

36
00:01:48,320 --> 00:01:51,973
exactly as we've seen before, and crack the key.

37
00:01:53,000 --> 00:01:55,343
So let me show you how to do this in practice.

38
00:01:56,690 --> 00:01:58,170
Now, as you can see,

39
00:01:58,170 --> 00:02:02,610
I'm already running airodump-ng against my target network.

40
00:02:02,610 --> 00:02:05,590
And I have already associated with it

41
00:02:05,590 --> 00:02:08,220
as shown in the previous lecture.

42
00:02:08,220 --> 00:02:10,690
So the only thing that's left right now

43
00:02:10,690 --> 00:02:13,680
is to run the ARP replay attack

44
00:02:13,680 --> 00:02:16,600
in order to inject packets into the traffic,

45
00:02:16,600 --> 00:02:19,830
and force the router to generate new packets

46
00:02:19,830 --> 00:02:21,903
and increase the number of data.

47
00:02:22,970 --> 00:02:26,480
To do that, we're gonna use aireplay-ng again.

48
00:02:26,480 --> 00:02:29,130
And the command is actually gonna be very similar

49
00:02:29,130 --> 00:02:31,230
to this command right here.

50
00:02:31,230 --> 00:02:34,403
So I'm actually gonna copy all of this because I'm lazy,

51
00:02:35,430 --> 00:02:39,830
and I'm gonna clear this, and paste the command here.

52
00:02:39,830 --> 00:02:43,510
Now, there are only a few things that I need to modify.

53
00:02:43,510 --> 00:02:45,510
First of all, I don't want to run

54
00:02:45,510 --> 00:02:47,510
a fake authentication attack,

55
00:02:47,510 --> 00:02:50,100
so I'm gonna remove all of this,

56
00:02:50,100 --> 00:02:54,203
and I want to run an ARP replay attack.

57
00:02:56,090 --> 00:02:58,550
Also, this attack does not take a number,

58
00:02:58,550 --> 00:03:00,910
so I'm gonna remove this number.

59
00:03:00,910 --> 00:03:05,910
And I'm also gonna replace the a with b, and we're done.

60
00:03:06,010 --> 00:03:09,200
So if you look at it, you'll see it's actually very similar

61
00:03:09,200 --> 00:03:10,960
to this command right here.

62
00:03:10,960 --> 00:03:13,070
We're using aireplay-ng,

63
00:03:13,070 --> 00:03:16,490
but instead of doing a fake authentication attack,

64
00:03:16,490 --> 00:03:19,220
we're doing an ARP replay attack,

65
00:03:19,220 --> 00:03:22,020
we're giving it the MAC address of my target network

66
00:03:22,020 --> 00:03:25,120
after the b instead of the a.

67
00:03:25,120 --> 00:03:26,890
Then we're giving it the MAC address

68
00:03:26,890 --> 00:03:29,800
of my wireless adapter after the h,

69
00:03:29,800 --> 00:03:31,900
which is identical to this.

70
00:03:31,900 --> 00:03:32,890
And then we're giving it

71
00:03:32,890 --> 00:03:36,070
my wireless adapter in monitor mode.

72
00:03:36,070 --> 00:03:40,420
Now, I'm actually gonna associate again, before I do that,

73
00:03:40,420 --> 00:03:43,660
and then I'm gonna hit Enter here.

74
00:03:43,660 --> 00:03:46,150
And what's happening right now is

75
00:03:46,150 --> 00:03:50,540
my wireless adapter is waiting for an ARP packet,

76
00:03:50,540 --> 00:03:54,290
once there is an ARP packet transmitted in this network,

77
00:03:54,290 --> 00:03:58,430
it's gonna capture it, and it's going to retransmit it.

78
00:03:58,430 --> 00:04:01,470
Once it does that, the access point will be forced

79
00:04:01,470 --> 00:04:04,320
to generate a new packet with a new IV,

80
00:04:04,320 --> 00:04:07,020
and we'll keep doing this, forcing the access point

81
00:04:07,020 --> 00:04:10,783
to continually generate new packets with new IVs.

82
00:04:11,810 --> 00:04:13,970
So you should just wait for it right now,

83
00:04:13,970 --> 00:04:16,520
we're literally just waiting for an ARP packet

84
00:04:16,520 --> 00:04:18,880
to be sent in the air.

85
00:04:18,880 --> 00:04:21,120
And as you can see, the number of data

86
00:04:21,120 --> 00:04:23,990
is increasing now very, very quickly, which means

87
00:04:23,990 --> 00:04:27,560
that we actually managed to capture an ARP packet.

88
00:04:27,560 --> 00:04:31,470
This ARP packet got retransmitted, forced the router

89
00:04:31,470 --> 00:04:34,300
to generate a new packet with a new IV,

90
00:04:34,300 --> 00:04:37,500
and we are continually doing this process,

91
00:04:37,500 --> 00:04:41,643
forcing the router to generate new packets with new IVs.

92
00:04:42,630 --> 00:04:45,720
So right now we can go ahead and run aircrack-ng

93
00:04:45,720 --> 00:04:48,450
to crack this network, and before I do that,

94
00:04:48,450 --> 00:04:51,340
I'll actually just associate one more time.

95
00:04:51,340 --> 00:04:53,333
And then I'm gonna do aircrack-ng,

96
00:04:56,660 --> 00:04:58,820
and give it the name of the file

97
00:04:58,820 --> 00:05:00,630
which we're storing the data in,

98
00:05:00,630 --> 00:05:05,367
which is called arpreplay-01.cap.

99
00:05:06,950 --> 00:05:08,650
So I'm gonna hit Enter,

100
00:05:08,650 --> 00:05:11,610
and you'll notice the cracking process right now

101
00:05:11,610 --> 00:05:15,790
will actually require more data packets.

102
00:05:15,790 --> 00:05:17,600
The reason for this is,

103
00:05:17,600 --> 00:05:20,690
I've actually modified the settings of this network,

104
00:05:20,690 --> 00:05:24,600
so that it uses a 128-bit key,

105
00:05:24,600 --> 00:05:29,600
because in WEP, you can either use a 64-bit or 128-bit key,

106
00:05:30,490 --> 00:05:34,410
and obviously, the 128-bit key is longer.

107
00:05:34,410 --> 00:05:36,810
Therefore, I actually modified the key length

108
00:05:36,810 --> 00:05:40,540
for this lecture to make sure it's the longest key possible.

109
00:05:40,540 --> 00:05:43,200
And as you can see, we still managed to get it

110
00:05:43,200 --> 00:05:46,520
within about 47,000 packets.

111
00:05:46,520 --> 00:05:48,870
We have the key right here in ASCII,

112
00:05:48,870 --> 00:05:51,270
and we have the key in here in hex,

113
00:05:51,270 --> 00:05:54,233
which we can use after we remove the colons.

114
00:05:55,070 --> 00:05:58,130
So perfect, now we managed to crack the target network,

115
00:05:58,130 --> 00:06:00,100
it was idle as you could see,

116
00:06:00,100 --> 00:06:03,670
there was no data being sent, and we managed to do this

117
00:06:03,670 --> 00:06:06,240
by forcing the target access point

118
00:06:06,240 --> 00:06:09,223
to generate new packets with new IVs.