Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,050 --> 00:00:05,940 So far we've seen a number of methods to gain access to captive photos. 2 00:00:05,940 --> 00:00:11,100 Now let's say your target network was use in encryption or for any other reason you just couldn't gain 3 00:00:11,100 --> 00:00:14,690 your access to the network using the methods I showed you. 4 00:00:14,910 --> 00:00:23,550 Then the last resort is to target the users and use social engineering to gain your access to the network. 5 00:00:23,550 --> 00:00:30,120 Now this is usually the case when we failed to hack into the system using the software and the hardware 6 00:00:30,120 --> 00:00:30,790 installed. 7 00:00:30,870 --> 00:00:37,290 Then the last resort will be to try to target the users because the users are are always considered 8 00:00:37,290 --> 00:00:38,670 to be the weakest link. 9 00:00:38,820 --> 00:00:45,690 So you can always social engineer them and gain your access by targeting the users that use the target 10 00:00:45,690 --> 00:00:46,310 system. 11 00:00:47,880 --> 00:00:54,210 So the idea that I'm going to talk about can be used to gain access to captive portals but it can also 12 00:00:54,210 --> 00:01:01,850 be used to gain access to all types of other networks like networks that use WEP WPA or WPA too. 13 00:01:02,520 --> 00:01:04,710 So the idea is very simple. 14 00:01:04,710 --> 00:01:11,850 First of all we're going to clone the logon page that people are used to use with the normal captive 15 00:01:11,850 --> 00:01:14,250 portal with the normal network that they use. 16 00:01:14,310 --> 00:01:19,440 We're going to make a web site that look exactly like the website that they use when they first connect 17 00:01:19,440 --> 00:01:20,440 to that network. 18 00:01:21,620 --> 00:01:28,670 Then we're going to create a fake network an access point that has the same name or a similar name to 19 00:01:28,670 --> 00:01:29,900 the target. 20 00:01:29,900 --> 00:01:36,050 Now because our target is a captive foretold then this won't be suspicious at all because people captive 21 00:01:36,050 --> 00:01:41,470 portals are usually used in airports and hotels and places that have a large area. 22 00:01:41,540 --> 00:01:45,830 So they actually use a number of routers to cover this area. 23 00:01:45,860 --> 00:01:51,160 Therefore if the user sees a number of networks with the same name or with a similar name they won't 24 00:01:51,170 --> 00:01:56,200 get suspicious at all because this is actually the way it is in real life. 25 00:01:56,500 --> 00:02:02,620 Finally we're going to run a different location at Target and disconnect users from the network that 26 00:02:02,620 --> 00:02:04,060 they're connected to. 27 00:02:04,270 --> 00:02:07,850 So they'll think that there's something wrong with this specific network. 28 00:02:07,990 --> 00:02:13,570 They're going to connect to the fake network that we created which has a very similar name or maybe 29 00:02:13,570 --> 00:02:14,890 the same name. 30 00:02:14,980 --> 00:02:19,130 And once they connect they'll automatically see a logon page. 31 00:02:19,240 --> 00:02:24,440 Again this is exactly what happens when they connect to their network so they automatically see a logon 32 00:02:24,460 --> 00:02:30,070 page and logon page is going to look very similar to the logon page that they usually use and log in 33 00:02:30,070 --> 00:02:31,030 with. 34 00:02:31,030 --> 00:02:35,890 Now obviously the slogan page that we're going to create will not have any type of security and we'll 35 00:02:35,890 --> 00:02:41,900 be able to sniff the data once they put their username or password and then we'll be able to log in 36 00:02:41,900 --> 00:02:45,610 to the actual network that we're targeting. 37 00:02:46,890 --> 00:02:52,230 Now I'm going to spend a lecture or two on each of these steps and I'm going to try to keep these steps 38 00:02:52,320 --> 00:02:59,360 as generic as possible so that you can use this idea to adapt it to any type of network that you have. 39 00:02:59,580 --> 00:03:05,640 So the next lectures we're going to be doing the example on a captive portal but you can use the exact 40 00:03:05,640 --> 00:03:10,040 same way to gain access to Web and WPA to networks. 41 00:03:10,230 --> 00:03:17,190 And later on I'm going to show you how you can adapt this idea to heart into WPA WPA to networks without 42 00:03:17,190 --> 00:03:21,950 having to use a wordlist and without even having to capture the handshake. 43 00:03:21,960 --> 00:03:27,040 So I'm just going to go over the idea one more time just to make it just so that you get the idea. 44 00:03:27,210 --> 00:03:33,540 So first of all we are going to download and clone the logon page that the captive portal usually use 45 00:03:34,200 --> 00:03:40,350 then we're going to create a fake access point that has the same or a similar name to that network. 46 00:03:40,410 --> 00:03:45,420 Then we're going to disconnect the authenticate all the people that connect to that network and wait 47 00:03:45,420 --> 00:03:47,570 for them to connect to our network. 48 00:03:47,640 --> 00:03:55,780 Once they do that they'll automatically see a log in page with the same logon page that the actual network 49 00:03:55,780 --> 00:03:56,310 news. 50 00:03:56,460 --> 00:04:00,350 So this won't be suspicious at all because like I said they're used to connect. 51 00:04:00,420 --> 00:04:03,690 They're used to seeing a number of access points with the same name. 52 00:04:03,780 --> 00:04:08,430 And when they connect this is the actual procedure that they see they'll automatically see a log in 53 00:04:08,430 --> 00:04:12,780 page and log and Page is going to look exactly like the page that they expect. 54 00:04:12,780 --> 00:04:18,030 So it's not going to be suspicious at all and it usually has a very good success rate. 6106