1
00:00:01,290 --> 00:00:02,950
Now from the previous lectures,
2
00:00:02,950 --> 00:00:06,320
we learned that in order to crack WPA or WPA2,
3
00:00:07,300 --> 00:00:10,010
we need to first capture the handshake.
4
00:00:10,010 --> 00:00:11,910
And second, have a wordlist,
5
00:00:11,910 --> 00:00:14,890
which contains a number of passwords
6
00:00:14,890 --> 00:00:17,400
that we're going to try, and hopefully,
7
00:00:17,400 --> 00:00:20,833
one of them will be the password for the target network.
8
00:00:21,740 --> 00:00:24,410
So right now I have both of these components,
9
00:00:24,410 --> 00:00:28,540
and we are ready to go and crack the password.
10
00:00:28,540 --> 00:00:32,580
To do this, Aircrack-ng is going to unpack the handshake
11
00:00:32,580 --> 00:00:35,173
and extract the useful information.
12
00:00:36,160 --> 00:00:40,210
The MIC right here, or the message integrity code,
13
00:00:40,210 --> 00:00:42,760
is what's used by the access point
14
00:00:42,760 --> 00:00:46,563
to verify whether a password is correct or not.
15
00:00:47,730 --> 00:00:51,250
So, it's gonna separate this and put it to the side,
16
00:00:51,250 --> 00:00:53,210
and then it's going to use all
17
00:00:53,210 --> 00:00:55,710
of the other information right here,
18
00:00:55,710 --> 00:01:00,700
combined with the first password from the wordlist
19
00:01:00,700 --> 00:01:05,333
to generate an MIC, another message integrity code.
20
00:01:06,320 --> 00:01:10,020
And then, it's going to compare this MIC
21
00:01:10,020 --> 00:01:13,760
to the one that's already in the handshake.
22
00:01:13,760 --> 00:01:17,760
If the MIC generated using this information
23
00:01:17,760 --> 00:01:21,700
plus the first password is the same,
24
00:01:21,700 --> 00:01:25,190
then the password used to generate this MIC
25
00:01:25,190 --> 00:01:27,570
is the password for the network.
26
00:01:27,570 --> 00:01:30,480
Otherwise, this password is wrong,
27
00:01:30,480 --> 00:01:32,843
and it'll move to the next password.
28
00:01:33,910 --> 00:01:37,370
Again, it'll do the same, it'll use all of this information,
29
00:01:37,370 --> 00:01:41,200
combined with this password, generate a new MIC,
30
00:01:41,200 --> 00:01:43,690
compare this new MIC to the one
31
00:01:43,690 --> 00:01:45,500
that's already in the handshake.
32
00:01:45,500 --> 00:01:47,990
If it's correct, then this is the password.
33
00:01:47,990 --> 00:01:52,190
If it's not, then it's gonna move onto the next password.
34
00:01:52,190 --> 00:01:55,420
And it'll keep doing this through all of the passwords
35
00:01:55,420 --> 00:01:56,790
in my wordlist.
36
00:01:56,790 --> 00:01:59,620
If any of them generates the right MIC,
37
00:01:59,620 --> 00:02:02,220
then this is the password for the network.
38
00:02:02,220 --> 00:02:05,960
Otherwise, we won't be able to get the password.
39
00:02:05,960 --> 00:02:09,790
That's why the success of this attack really depends
40
00:02:09,790 --> 00:02:10,873
on your wordlist.
41
00:02:11,920 --> 00:02:14,563
So, let's see how to do this in practice.
42
00:02:15,410 --> 00:02:17,880
Right now I have my wordlist right here,
43
00:02:17,880 --> 00:02:20,080
it's called test.txt.
44
00:02:20,080 --> 00:02:22,930
And I've actually manually added my password
45
00:02:22,930 --> 00:02:25,160
to the end of the list right here.
46
00:02:25,160 --> 00:02:28,510
Just so that when I run the wordlist against the handshake,
47
00:02:28,510 --> 00:02:30,420
I will actually find the password,
48
00:02:30,420 --> 00:02:34,043
because the wordlist did not contain my password by default.
49
00:02:35,980 --> 00:02:38,530
I also have the handshake file right here,
50
00:02:38,530 --> 00:02:39,780
as you can see.
51
00:02:39,780 --> 00:02:42,460
And all of this is in my Home directory,
52
00:02:42,460 --> 00:02:44,980
which is my root directory.
53
00:02:44,980 --> 00:02:49,180
So if I do ls in here, you'll see I have the wordlist,
54
00:02:49,180 --> 00:02:50,763
and the handshake file.
55
00:02:51,710 --> 00:02:54,220
So, we're ready to run Aircrack-ng.
56
00:02:54,220 --> 00:02:57,950
So we're gonna type the name of the program as usual,
57
00:02:57,950 --> 00:03:00,370
followed by the name of my capture file,
58
00:03:00,370 --> 00:03:04,980
which is wpa_handshake.01.cap.
59
00:03:04,980 --> 00:03:07,460
So, so far it's identical to the way
60
00:03:07,460 --> 00:03:09,363
that we used to use it with WEP.
61
00:03:10,570 --> 00:03:12,070
The only difference right now,
62
00:03:12,070 --> 00:03:14,930
because this is a WPA2 network,
63
00:03:14,930 --> 00:03:19,140
we have to specify a wordlist with the -w option.
64
00:03:19,140 --> 00:03:23,313
And the name of my wordlist is test.txt.
65
00:03:24,290 --> 00:03:25,640
So very, very simple.
66
00:03:25,640 --> 00:03:28,330
Aircrack is the name of my program.
67
00:03:28,330 --> 00:03:32,070
wpa_handshake.01.cap is the name of the file
68
00:03:32,070 --> 00:03:33,970
that contains my handshake.
69
00:03:33,970 --> 00:03:37,943
And I'm using -w to specify my wordlist file.
70
00:03:38,930 --> 00:03:41,010
I'm gonna hit Enter.
71
00:03:41,010 --> 00:03:42,830
And as you can see, now Aircrack-ng
72
00:03:42,830 --> 00:03:44,360
is running through the wordlist,
73
00:03:44,360 --> 00:03:47,900
testing each word in the wordlist one by one,
74
00:03:47,900 --> 00:03:49,910
as shown in this diagram.
75
00:03:49,910 --> 00:03:53,090
Calculating an MIC based on this information
76
00:03:53,090 --> 00:03:54,300
and the wordlist.
77
00:03:54,300 --> 00:03:57,660
And then, if the MIC is correct, it's going to tell me
78
00:03:57,660 --> 00:03:59,960
that this is the password.
79
00:03:59,960 --> 00:04:02,900
Now the speed of this depends on your processor,
80
00:04:02,900 --> 00:04:05,410
and the size of your wordlist file.
81
00:04:05,410 --> 00:04:07,220
So if you have a huge file, obviously,
82
00:04:07,220 --> 00:04:09,850
it will take you a longer time.
83
00:04:09,850 --> 00:04:13,130
There are also online services that you can try
84
00:04:13,130 --> 00:04:15,690
where you upload the handshake,
85
00:04:15,690 --> 00:04:19,340
and they have huge wordlists and they have super computers
86
00:04:19,340 --> 00:04:21,750
to run through these wordlists and try
87
00:04:21,750 --> 00:04:23,610
to give you the password.
88
00:04:23,610 --> 00:04:26,150
Unfortunately, I can't share their links with you,
89
00:04:26,150 --> 00:04:28,660
but you can easily find them on Google
90
00:04:28,660 --> 00:04:29,810
if you search for them.
91
00:04:31,172 --> 00:04:32,100
And, perfect!
92
00:04:32,100 --> 00:04:34,900
As you can see, we managed to find the key,
93
00:04:34,900 --> 00:04:36,370
it's telling us the key is found,
94
00:04:36,370 --> 00:04:38,450
and this is the key to the network.
95
00:04:38,450 --> 00:04:41,150
And this is the correct key because as you know,
96
00:04:41,150 --> 00:04:42,800
this is the same key that we got
97
00:04:42,800 --> 00:04:45,730
when we exploited the WPS feature.
98
00:04:45,730 --> 00:04:48,640
So now we can go ahead and connect to the network,
99
00:04:48,640 --> 00:04:51,250
and we'll be able to run all of the cool stuff
100
00:04:51,250 --> 00:04:52,470
that I'm gonna teach you
101
00:04:52,470 --> 00:04:55,193
in the Post-Connection Attack section.
102
00:04:56,320 --> 00:04:59,400
Now this is the only practical way known so far
103
00:04:59,400 --> 00:05:03,580
to crack WPA and WPA2 keys.
104
00:05:03,580 --> 00:05:06,150
There are methods to speed up this process
105
00:05:06,150 --> 00:05:08,640
so you can use the GPU for cracking,
106
00:05:08,640 --> 00:05:11,190
because it's much faster than the CPU.
107
00:05:11,190 --> 00:05:13,240
That's if you have a GPU.
108
00:05:13,240 --> 00:05:15,770
You can also use rainbow tables,
109
00:05:15,770 --> 00:05:18,400
you can also pipe the wordlist
110
00:05:18,400 --> 00:05:22,150
as it's being created in Crunch to Aircrack-ng.
111
00:05:22,150 --> 00:05:24,540
This way you can create bigger wordlists
112
00:05:24,540 --> 00:05:27,600
without using any storage on your computer.
113
00:05:27,600 --> 00:05:29,030
There are also methods,
114
00:05:29,030 --> 00:05:32,120
so that you can pause your cracking process,
115
00:05:32,120 --> 00:05:34,010
and then come back after a while
116
00:05:34,010 --> 00:05:36,150
without losing your progress,
117
00:05:36,150 --> 00:05:38,650
but the main idea's the same.
118
00:05:38,650 --> 00:05:42,890
The only way right now to crack WPA and WPA2
119
00:05:42,890 --> 00:05:45,850
is through a wordlist attack.
120
00:05:45,850 --> 00:05:47,860
You can use social engineering, however,
121
00:05:47,860 --> 00:05:50,960
to get the password using an evil twin attack,
122
00:05:50,960 --> 00:05:54,950
where you trick one of the users to give you the password.
123
00:05:54,950 --> 00:05:56,620
This is actually all covered
124
00:05:56,620 --> 00:05:59,180
in my Advanced Network Hacking course.
125
00:05:59,180 --> 00:06:04,180
Cracking using the GPU, piping Crunch into Aircrack-ng,
126
00:06:04,480 --> 00:06:07,580
getting the password using an evil twin attack,
127
00:06:07,580 --> 00:06:11,060
and much more advanced network hacking techniques.
128
00:06:11,060 --> 00:06:12,560
If you are interested in that,
129
00:06:12,560 --> 00:06:14,660
then I highly recommend you have a look
130
00:06:14,660 --> 00:06:17,600
at my Advanced Network Hacking course.
131
00:06:17,600 --> 00:06:19,600
Check out the bonus lecture of this course,
132
00:06:19,600 --> 00:06:21,340
the last lecture of this course.
133
00:06:21,340 --> 00:06:24,290
It contains links to all of my other courses,
134
00:06:24,290 --> 00:06:26,253
and a comparison between them.