00:00:00,240 --> 00:00:58,290
In this lesson, I'm going to demonstrate how to conduct an initialization vector attack on a WEP-protected access point. As I said before, WEP is extremely insecure because it only uses a 24-bit initialization vector. Regardless of what key you choose, this attack is going to work every single time. This is the reason that I say you never ever want to use WEP in your networks. If you find a network using WEP in your organization, you should immediately work to upgrade it to WPA2 instead. Let's jump into the lab and I'll show you exactly how this works. So the first thing we're going to do is start with airodump-ng, and then the card that we have, which is wlan0mon. And notice, it's starting to scan for that particular network that we're looking for. In our case, we already found it. It is WirelessHacking, this WEP network right here. And this is the BSSID, or the MAC address, for that network. So for us to attack it, we are going to use airodump-ng again.

00:00:58,290 --> 00:01:58,980
And in this case, we are going to specifically tell it which channel we want to go after, which is channel 1 right here from the WirelessHacking network. We want to go after the BSSID that was provided for that network, and we want to go ahead and write that data to a file, which is going to be WirelessHackingDump; that's what we're going to call that file. And then we're going to give it the card itself, which is wlan0mon, and hit Enter. And off it goes, starting to scan the network, which is helpful, but we're not quite there yet. Notice the data packets are climbing, but we haven't yet associated ourselves to that network to be able to start doing things like packet injection and capturing those initialization vectors. So I'm going to go ahead and put this up here to make some extra room, and we'll just bring that right across the top and let it continue to run. We're going to open up a new terminal and I'm going to bring that down here to the bottom.

00:01:58,980 --> 00:03:12,093
Now, in the new terminal, what I need to do is start doing an authentication to the network using fake authentication, which is our first step in the hack. So that first step in the hack is that we are going to use a program called aireplay-ng. And in aireplay-ng, we are going to use fakeauth as our command, 0 for infinite attempts, -a and the MAC address that we are going after, which again, we still have pasted right there. And then we're going to use the MAC address that we're coming from, which we have to find ourselves. So we are going to open up another terminal. You can see how you start getting quite a few terminals, and just type in something like ifconfig. When you do that, you're going to get the MAC address for wlan0mon, and the first eight, sorry, the first 12 digits here are the MAC address for our network card. So I'm just going to copy that and then we can paste that in. Now, this uses dashes, but for this particular command, you have to use colons. So I'm going to arrow through and change those to colons, as you can see.

00:03:13,410 --> 00:04:15,120
And the command's not done yet, 'cause what's the one thing we haven't told it? We haven't told it which card to use. So we have to use wlan0mon, and then we will hit Enter. And off it goes, sending an authentication. We now have an authentication made with this network. So we can move into the second phase of our attack, which is going to be the packet injection. So for the packet injection, we are going to still use the aireplay command, and most of it is going to be the same. So what I'm going to do, instead of typing it all, is hit the Up Arrow, which will bring back the last command I used. The big difference here is we are not going to use fake authentication anymore. Instead, we want to use an arpreplay so that we can create additional traffic on this network. Instead of -a for the access point, we're going to use -b for the access point, which tells it that that's the base station. We're still going to use the card that we're coming from and the network card wlan0mon. When we hit Enter, off it goes. And notice that we have a couple of ARP packets here, and our data is going to start going up.

00:04:15,120 --> 00:05:19,470
We have a lot of frame loss. Once you have a couple of ARP requests that have been successful, you can hit Control + C and stop that. Now, with this attack, it does help if this is a busy network. Right now as we're doing this, you can see the data packets are going up. The reason those data packets are going up is because I'm streaming YouTube on the device. This base station here, this client, which is my iPhone, is talking to this access point and streaming YouTube, which is collecting a lot of data. Now the next thing you want to do is start cracking. And every 5,000 data packets that go up, it will start trying to do another attempt. And it's really easy. You just use aircrack-ng, and then the file name of what you're going to be using. So let me clear the screen here. And the file that I'm going to be using is WirelessHackingDump-02.cap. And the reason it's the second one is 'cause I've run this attempt once before showing you. So all we're going to use is aircrack-ng, and then the file name that you're going after, and hit Enter.

00:05:19,470 --> 00:06:14,543
And off it goes, starting to crack away. Right now, it already has 14,000 initialization vectors collected, and you can see that here from the Data, but that wasn't enough. So when this hits 15,000, you're going to see this kick off again without me doing anything, and we'll see if we can crack that key. So here it goes again, it's going off and testing the different keys. And it didn't find it. So it'll try again at 20,000. Generally, it's going to find it somewhere between 10,000 and 25,000. It really depends on where that particular key is inside the key space, depending on what that hexadecimal password was that we used. So again, you can see the data packets climbing up as I'm streaming different YouTube videos. Every time I start another video, it starts downloading all that data. All those frames have an initialization vector in there and they're able to be captured so that we can start seeing that information. So now we have over 20,000, it's going to try again. And there it is.

00:06:14,543 --> 00:07:18,240
It found our key, 17:25:83:AE:FA. So we now have a key; what are we going to do with it? Well, the next thing we want to do is we want to see if that key actually works and be able to get onto a network. We can do that through Kali, or we can do it through your Windows machine or your Mac machine. It depends on where your ultimate goal is. For this example, I'm going to show you how to use it inside your Macintosh machine. You can do the same thing in Windows, and again, in Kali. So if we can cancel this capturing at this point, we hit Control + C. And we're going to switch back to our client machine, in my case, Macintosh. So now that we're back on our Windows or our Macintosh machine, you'll connect to that wireless network just like you normally do. So we're going to go down to WirelessHacking, and it's going to ask us for the passcode. My passcode that we just cracked was 17:25:83:AE:FA. And if I go ahead and Join, we should see if I can pull an IP address from this network.

00:07:18,240 --> 00:07:34,563
And if we look at it, you can see here we did pull an IP address from this network and we are connected to that access point, starting with c8:a7 BSSID, which is the one for WirelessHacking. So our hack did work and it was successful.