1
00:00:00,150 --> 00:00:05,520
Hello everybody and welcome back to the next tutorial of the wireless penetration testing.

2
00:00:05,520 --> 00:00:10,990
Now, as you can see, right now I am back on my Kali Linux machine.

3
00:00:11,110 --> 00:00:16,710
That is because I finished everything I needed to finish with capturing the handshake and now I want

4
00:00:16,710 --> 00:00:20,160
to get back to our main environment.

5
00:00:20,160 --> 00:00:27,150
So you don't get confused by me using the other Linux distribution, now, as I said, I only needed to

6
00:00:27,150 --> 00:00:32,200
use it because only that one had supported monitor mode on my laptop.

7
00:00:32,610 --> 00:00:39,030
But now that we finished with capturing the handshake, now we can continue with the process of attacking

8
00:00:39,480 --> 00:00:44,250
basically from any other machine or basically from anywhere else.

9
00:00:44,250 --> 00:00:50,550
You do not need to be anywhere close to the Wi-Fi access point anymore since we got everything we

10
00:00:50,550 --> 00:00:51,030
needed.

11
00:00:51,060 --> 00:00:56,280
And now, for example, if you wanted to, you could go to the other side of the world and crack this hash

12
00:00:56,310 --> 00:01:03,780
that we received in our packet, in our, basically, file that we were capturing packets in. Now you might

13
00:01:03,780 --> 00:01:13,240
notice here I plugged in a USB in order to transfer the files that we received from our scanning.

14
00:01:13,440 --> 00:01:20,720
Basically on my Kali machine let me just connect it. I believe it is this one.

15
00:01:21,270 --> 00:01:28,740
And now I will paste the files onto my Kali machine. As we can see, open with Files,

16
00:01:32,630 --> 00:01:41,690
let us just let this load right here, and basically you will notice that we actually received four

17
00:01:41,690 --> 00:01:43,450
files from this scan.

18
00:01:43,490 --> 00:01:44,500
One is .cap.


19
00:01:44,510 --> 00:01:49,970
One is .csv, one is .kismet.csv, and one is .kismet.

20
00:01:49,970 --> 00:01:52,400
net, net, netxml.

21
00:01:52,400 --> 00:01:59,390
Now let me just open the terminal right here and let me enlarge this.

22
00:01:59,390 --> 00:02:07,500
So you see it a little bit better. Now, out of all these four files, let me just first transfer them to

23
00:02:07,500 --> 00:02:09,570
the, to the root section.

24
00:02:09,570 --> 00:02:24,090
So we will do that with the mv command, so mv scan-01.cap, scan-01.csv, scan-01.kismet.csv and scan-01.kismet.netxml.

25
00:02:26,890 --> 00:02:33,130
And we want to move it to the directory, and as you can see, you can also move all four files with one

26
00:02:33,150 --> 00:02:45,300
command, as I did right here. And now I will eject, not inject, I will eject this USB, right, eject.

27
00:02:45,330 --> 00:02:48,000
Anyway, we don't need it anymore.

28
00:02:48,000 --> 00:02:53,730
So let me just enlarge this terminal into the full screen and go to the directory.

29
00:02:54,930 --> 00:03:01,200
And as we can see right here, there are the four files that we received from our scan.

30
00:03:01,680 --> 00:03:07,350
Maybe it would be good if we put them in another directory, so let's make a directory called handshake

31
00:03:09,180 --> 00:03:13,250
and then let's move all of these.

32
00:03:13,320 --> 00:03:18,080
Once again, I should have done this first, but never mind.

33
00:03:18,240 --> 00:03:21,360
We can do it right now.

34
00:03:22,470 --> 00:03:24,770
And the last one, which is kismet.

35
00:03:24,810 --> 00:03:30,420
netxml, and we want to move it into the handshake directory, just

36
00:03:33,410 --> 00:03:36,570
to name it like that, which is handshake.

37
00:03:36,810 --> 00:03:38,120
OK.

38
00:03:38,160 --> 00:03:44,130
And now if we change our directory to the handshake directory, we should have these four files right

39
00:03:44,130 --> 00:03:44,970
here.


40
00:03:44,970 --> 00:03:52,170
Now you might ask yourself, now what do we need four files for, we only specified in the command to write

41
00:03:52,170 --> 00:03:53,400
it to one file.

42
00:03:53,430 --> 00:04:01,290
Well, basically, the only file we actually need from all of this is the scan.cap file, this one, if

43
00:04:01,290 --> 00:04:06,540
you want to, and we will actually, we will delete all the other three since we don't really need them

44
00:04:06,540 --> 00:04:07,080
at the moment.

45
00:04:07,080 --> 00:04:12,160
So you can delete all of these other files.

46
00:04:12,330 --> 00:04:13,610
We will not be needing them.

47
00:04:13,620 --> 00:04:16,370
So let's just delete them.

48
00:04:17,940 --> 00:04:26,820
And now we are left with the scan-01.cap file. Now, basically, in this,

49
00:04:26,990 --> 00:04:32,570
this is a file that we can open in Wireshark and we will open it in a few seconds.

50
00:04:32,600 --> 00:04:35,550
And in this file we can see all the packets that,

51
00:04:35,560 --> 00:04:41,600
so basically, while we were running the deauthentication attack and while the target was connecting to

52
00:04:41,630 --> 00:04:44,840
our wireless access point, the four-way handshake.

53
00:04:44,840 --> 00:04:51,070
So, if you are interested to understand how that all was done, you can basically just,

54
00:04:51,110 --> 00:04:57,560
you can just wireshark this file, like this, and it will open this file in the Wireshark.

55
00:04:57,560 --> 00:04:59,950
So let us see if this will actually work.

56
00:04:59,960 --> 00:05:03,540
I believe it will. OK.

57
00:05:03,870 --> 00:05:04,760
And here it is.

58
00:05:04,890 --> 00:05:12,330
We can see the file that we got from our scanning. Now, basically,

59
00:05:12,900 --> 00:05:16,730
let us first find something that we can easily find right here.

60
00:05:16,830 --> 00:05:18,500
So let me just scroll in here.

61
00:05:18,510 --> 00:05:19,340
A lot of packets.


62
00:05:19,350 --> 00:05:23,540
And that is the, the deauthentication packet right here, as we can see.

63
00:05:23,580 --> 00:05:31,340
It says even here "deauthentication" and it will be probably the most common packet in this file, right

64
00:05:31,340 --> 00:05:35,030
here, you can see it right here.

65
00:05:35,030 --> 00:05:39,900
If we go down there, you can also see some of the other options that it has in it.

66
00:05:40,040 --> 00:05:46,570
Some of these packets, it will say that it is malformed. Let me just scroll down.

67
00:05:46,560 --> 00:05:50,350
Let me just find a packet that could possibly be malformed.

68
00:05:50,470 --> 00:05:55,610
Here it is, the, the deauthentication packet that is now marked malformed.

69
00:05:55,630 --> 00:06:00,850
Pardon me. And you can also inspect some of the other packets that are here, but currently we are

70
00:06:00,880 --> 00:06:03,980
only interested in the four-way handshake.

71
00:06:04,030 --> 00:06:11,950
Now we know that it is somewhere towards the lower part, since we basically quit the deauthentication

72
00:06:11,950 --> 00:06:16,480
and then right away the target has reconnected to the Internet.

73
00:06:16,480 --> 00:06:24,190
So let us scroll past the deauthentication and we should see, just put, put this a little bit down so we

74
00:06:24,190 --> 00:06:35,210
see better, and we will see the four-way handshake as soon as this finishes. As we can see, it is right

75
00:06:35,210 --> 00:06:36,060
here.

76
00:06:36,080 --> 00:06:37,920
Now you can also do this.

77
00:06:38,000 --> 00:06:41,850
You can also find the four-way handshake

78
00:06:41,900 --> 00:06:43,590
with eapol.

79
00:06:45,110 --> 00:06:48,080
I believe you type it, or it is not capital letters.

80
00:06:48,080 --> 00:06:49,790
You can just type here,

81
00:06:49,790 --> 00:06:52,520
smaller letters, eapol.

82
00:06:52,880 --> 00:06:59,600
And then press on this arrow right here and it will filter out only the packets that are EAPOL packets.


83
00:06:59,600 --> 00:07:05,000
And as we can see right here, here is the four-way handshake.

84
00:07:05,240 --> 00:07:11,920
It even says message one out of four, two out of four, three out of four, four out of four.

85
00:07:11,950 --> 00:07:20,950
Now you can basically check out what are the contents of all of these four messages. As we can see,

86
00:07:21,800 --> 00:07:28,090
they are different, of course. You can, if you want to, basically check out all of these right here, which

87
00:07:28,090 --> 00:07:31,470
is WPA key nonce, which is this one.

88
00:07:31,490 --> 00:07:38,130
Now there are a bunch of these other, other things that actually together create the password that we use.

89
00:07:38,170 --> 00:07:42,270
And also we can see from whom it was sent and to whom it was sent.

90
00:07:42,310 --> 00:07:52,500
Now this right here, the Huawei, is basically my router, and this right here is my mobile phone, so

91
00:07:53,130 --> 00:07:59,220
I just want to show you that you can inspect the packets in Wireshark and you can also find a four-way

92
00:07:59,220 --> 00:08:06,030
handshake and look at it a little bit better if you wanted to, but that is not really the case that we

93
00:08:06,030 --> 00:08:07,310
need to do right here.

94
00:08:07,320 --> 00:08:10,680
This is not necessary, so I will just close the Wireshark.

95
00:08:10,910 --> 00:08:19,980
The next thing that we want to do is basically run our attack on this file, a brute-force attack.

96
00:08:19,980 --> 00:08:21,120
Now, how do we do that?

97
00:08:21,120 --> 00:08:26,880
Well, there is another command that we need to use, which is basically called the aircrack.

98
00:08:26,880 --> 00:08:29,340
Now, the aircrack is a program.

99
00:08:29,340 --> 00:08:37,380
This is basically just a program that uses our CPU power, our processor power, in order to perform

100
00:08:37,470 --> 00:08:41,970
the brute-force attack on the hashed password.

101
00:08:41,970 --> 00:08:43,680
Now, how does it do that?


102
00:08:43,740 --> 00:08:49,280
Well, basically, in Kali Linux we have pre-installed, basically,

103
00:08:49,500 --> 00:08:54,620
we get some of the wordlists, the most common and most used ones.

104
00:08:54,630 --> 00:08:57,380
And one of the biggest ones is rockyou.

105
00:08:57,450 --> 00:08:59,260
That is the name of the wordlist.

106
00:08:59,280 --> 00:09:03,990
It comes with around, I believe, 14 million passwords or something like that.

107
00:09:04,020 --> 00:09:13,470
Not really sure about the exact number, but the thought behind this attack is basically that it hashes all

108
00:09:13,470 --> 00:09:13,850
of that,

109
00:09:13,860 --> 00:09:21,900
all of those 14 million passwords, and it compares the hash to the hash of the password that we received

110
00:09:21,900 --> 00:09:30,630
from our .cap file, and if the hashes match, the aircrack will prompt us with the "key found" message

111
00:09:30,690 --> 00:09:37,530
and it will give us the password in plain text, if it is found in that wordlist.

112
00:09:37,560 --> 00:09:42,560
Now I will show you how to run that attack.

113
00:09:42,730 --> 00:09:44,310
Basically, you will need two things.

114
00:09:44,320 --> 00:09:51,680
One of them is this file that we received, which is the scan-01.cap file, or whatever you name it,

115
00:09:51,700 --> 00:09:56,500
.cap file, and you will also need any wordlist you want to use.

116
00:09:56,560 --> 00:10:01,350
Now I will use the rockyou wordlist since it is one of the biggest ones.

117
00:10:01,360 --> 00:10:02,560
Let me just find it.

118
00:10:02,560 --> 00:10:05,440
I'm not really sure where it is.

119
00:10:05,580 --> 00:10:07,660
It is in the /usr/share wordlists.

120
00:10:07,970 --> 00:10:08,480
OK.

121
00:10:10,240 --> 00:10:18,550
So we go to the /usr/share, wordlists, wordlists is a directory.

122
00:10:18,580 --> 00:10:22,620
So cd. Oh yeah, I didn't specify the cd.

123
00:10:22,650 --> 00:10:26,440
So cd /usr/share/wordlists.


124
00:10:26,820 --> 00:10:33,910
And if I ls right here, you can see the rockyou.txt.gz. Now this .gz means that

125
00:10:33,910 --> 00:10:35,680
this file is basically zipped.

126
00:10:35,740 --> 00:10:37,110
So we need to unzip it.

127
00:10:37,120 --> 00:10:43,280
Now let me just remember, how do we do that?

128
00:10:43,450 --> 00:10:55,960
It's not, if we try unzip rockyou.txt.gz, it says it cannot find a zip file.

129
00:10:57,980 --> 00:11:04,300
Let's just see how we can unzip this.

130
00:11:05,970 --> 00:11:12,840
Something, I said, for a .gz, I'm not really sure about the actual command.

131
00:11:18,790 --> 00:11:21,440
gzip is to zip it.

132
00:11:21,550 --> 00:11:32,290
We want to unzip it, so I can just search right here since I forgot the command, but it's okay.

133
00:11:32,470 --> 00:11:37,220
Basically, you will forget some of the commands, that's all.

134
00:11:37,300 --> 00:11:41,140
All you need to do is basically just search it in Google.

135
00:11:41,140 --> 00:11:44,380
So, "Sorry, we're having trouble getting to a page." Start

136
00:11:44,410 --> 00:11:45,640
new session.

137
00:11:45,910 --> 00:11:55,210
And let me just check, in case I have my Burp Suite from the previous, from the previous section, which

138
00:11:55,210 --> 00:11:59,250
was the web app penetration testing section, turned on as a proxy.

139
00:11:59,260 --> 00:12:02,340
We want to turn it off so we can access the Internet.

140
00:12:02,590 --> 00:12:07,810
And now we want to type how to unzip that zip file

141
00:12:10,510 --> 00:12:14,470
and hopefully we will get the solution for this.

142
00:12:14,470 --> 00:12:17,630
Now, I'll probably remember the command as soon as I see it.

143
00:12:17,650 --> 00:12:19,690
I can't seem to remember it right now.

144
00:12:22,940 --> 00:12:28,530
For this you see the gzip option, gzip with the keep option.


145
00:12:28,850 --> 00:12:34,240
We want to unzip a file in Linux,

146
00:12:36,820 --> 00:12:39,820
so I can see the keep option.

147
00:12:39,820 --> 00:12:41,620
So it is called gunzip.

148
00:12:41,800 --> 00:12:43,430
Let me just see.

149
00:12:45,780 --> 00:12:47,220
Yeah, it is.

150
00:12:47,240 --> 00:12:55,630
So we just type here gunzip and then rockyou.txt.gz, and we can see now, if we type here ls, we

151
00:12:55,630 --> 00:12:59,750
will have the unzipped version of rockyou.txt.

152
00:12:59,800 --> 00:13:05,570
Now if you cat this file right here, you will see it will print out a bunch of these passwords.

153
00:13:05,710 --> 00:13:13,680
It will print out basically 14 million passwords contained in this, in this folder, and we will use these,

154
00:13:13,740 --> 00:13:19,800
this file basically, or this wordlist, in order to perform our brute-force attack, which we will continue

155
00:13:19,800 --> 00:13:22,190
in the next lecture.

156
00:13:22,620 --> 00:13:25,650
Now I know by default that my password is not in this list.

157
00:13:25,680 --> 00:13:29,090
So I will run it once to show you how this works.

158
00:13:29,310 --> 00:13:35,970
And I will run it a second time and put my password somewhere around, somewhere near the beginning, and

159
00:13:36,060 --> 00:13:38,320
you will see how it finds the password.

160
00:13:39,060 --> 00:13:41,550
So, Ctrl+C this,

161
00:13:41,550 --> 00:13:43,800
so we don't list all of the words.

162
00:13:43,800 --> 00:13:50,880
It will take some time, and I will continue showing you how to perform this attack in the next lecture.

163
00:13:50,910 --> 00:13:51,870
Hope I see you there.

164
00:13:51,870 --> 00:13:52,970
And bye bye.