[00:00:00,510 --> 00:01:14,190] Instructor: Welcome to our first bonus section of the course. In this module, we will be covering how to crack a wireless password. Now, this process can be complex because it requires a lot of tools to complete, but besides tools, it also requires something that all of you might not have, and that is a wireless card that supports monitor mode. Now, this is pretty much the reason why this is a bonus section. You need this in order to complete this attack, and not many wireless cards support monitor mode. And what monitor mode allows us to do is to sniff data from access points around us, which then we will use to sniff the hashed password once someone tries to connect to a Wi-Fi. Most wireless cards are run in managed mode, and managed mode is something you would normally use when you want to use Wi-Fi and surf the internet. However, some wireless cards have this monitor mode option, and I will show you in the next video how you can check whether your wireless card can be put into monitor mode and how to do that. Anyway, let's explain how the attack will work in greater detail.
[00:01:14,190 --> 00:02:30,630] So, let's say we have a wireless access point, and this wireless access point has two devices connected to it. We also have our Kali Linux machine. However, the Kali Linux machine isn't connected to the wireless access point. It only has to be close to it to perform this attack. Once we get close to our wireless AP, we turn our wireless card into monitor mode. Once we have it in monitor mode, we will be able to see all of the Wi-Fis around us, as well as our target Wi-Fi. Once we choose out of all of those access points which one we want to attack, we need to identify two things about that access point. Those two things are: the channel on which it runs and its MAC address. Both of these we will be able to see with the tools that we will use. Now, the channel is just a digit, and we already know what a MAC address is. Right, now that we've got the information that we need, the next step is to capture the password. But how can we do it? For this, a device must try to connect to that wireless access point, right?
[00:02:30,630 --> 00:03:44,190] Correct, and once it tries to connect, it will initiate four different steps, also known as a four-way handshake, between the device and the access point. In those four steps, it sends the hashed password value to the access point, and that is what we want to sniff. However, it could be a long, long time until someone tries to connect to that Wi-Fi. So, are we going to just sit there and wait for someone to connect? Well, of course not. We are going to perform a different type of attack to kick everyone off of the Wi-Fi, and that is called a Deauthentication Attack. Once we send deauthentication packets, this will disconnect every device that was previously connected to that access point. The goal of this happens once we stop deauthenticating. Then, those devices that got kicked off Wi-Fi a few seconds ago will try to reconnect back to that access point. And all that time we will be sniffing for that four-way handshake with our password key. And as soon as they connect, we will get that password value that we want.
[00:03:44,190 --> 00:05:04,830] After this point, we no longer need to be close to that Wi-Fi access point. We can go to the other side of the world in order to crack that password. Now, you might be asking, "How?" Well, we've written the hashed password inside of a file, therefore, it is on our PC, right? After this, all we need is a little bit of luck that the password is easy and not complex, and then we use that hashed password that we sniffed and we throw it into different tools that can help us crack this password. The most known tools used for this are Aircrack and Hashcat. Aircrack uses CPU power or processor power to crack the password, while Hashcat can use both CPU or processor power and your graphics card power, and it can sometimes crack a lot faster than Aircrack. Now, the average speed of cracking passwords with these programs, depending on what CPU and GPU you have, would be around 300 to 100,000. And yes, of course, we're talking about 300 to 100,000 passwords per second. So, this is a completely different story than, for example, brute forcing a web login page or SSH or something similar.
[00:05:04,830 --> 00:05:48,460] This is a lot faster. Now, of course, since we are running a virtual machine, the speed will be significantly lower, but compared to the previous brute force attacks that we did, it will still be really fast. If the password is not complex and we manage to crack it, then, you guessed it, we can connect to that wireless access point, and if we want, we can attack the devices inside that network with all the previous attacks that we learned. But it is completely up to you what you do after you gain access to the Wi-Fi. So, now that we know how all of this works, let's see the practical side of it and let's crack a wireless access point. See you in the next video.