WEBVTT

0
00:01.540 --> 00:07.720
In this lecture we'll talk about the Deauthentication Attack, which is an attack of type DoS

1
00:07.720 --> 00:14.890
that targets the communication between a wifi client and the wireless AP or router.

2
00:15.520 --> 00:23.500
The IEEE 802.11 protocol defines a special management frame called deauthentication

3
00:23.500 --> 00:24.630
frame.

4
00:24.670 --> 00:33.220
This frame is sent by an access point to a station as a sanctioned technique to inform the station that

5
00:33.310 --> 00:42.730
it has to disconnect from the network immediately. The deauthentication attack works on WPA2 despite

6
00:42.820 --> 00:45.900
encryption. To perform the attack

7
00:45.940 --> 00:52.900
the hacker does not have to know the WiFi network password and there is no need to be authenticated

8
00:53.290 --> 00:55.770
or connected to the network.

9
00:55.810 --> 01:05.350
These frames are not authenticated or protected in any way and anyone can inject them into the network.

10
01:05.350 --> 01:14.660
Note that WPA2 does not encrypt the headers of the packets, only the payload; also note that

11
01:14.670 --> 01:23.850
the deauthentication attack isn't some special exploit or bug; it's built into the WiFi protocol to be used

12
01:23.940 --> 01:32.450
in real world applications, like a client being disassociated due to inactivity. Many times

13
01:32.520 --> 01:38.210
this attack is the starting point for other attacks yet to come.

14
01:38.250 --> 01:46.110
One of the main purposes of the deauthentication used in the hacking community is to deauthenticate the

15
01:46.110 --> 01:50.410
client to capture the WPA2 4-Way Handshake

16
01:50.550 --> 01:53.630
by forcing the user to reconnect to the network.

17
01:54.630 --> 02:03.360
The WPA handshake is used to crack the wireless password and is exchanged only at the beginning

18
02:03.360 --> 02:10.980
in the authentication phase. We'll have a dedicated lecture on this topic later in the course.

19
02:11.070 --> 02:18.180
Other purposes of this attack are to force the user to connect to the hacker's rogue access point

20
02:18.600 --> 02:20.910
or to a captive portal.

21
02:20.910 --> 02:24.930
This is also called the Evil Twin Attack.

22
02:24.990 --> 02:33.330
Of course it can only be a denial of service attack, and there were cases when users were continuously

23
02:33.360 --> 02:37.170
disconnected from the network at conferences.

24
02:37.170 --> 02:45.270
It was also the case that hotels and other companies have launched deauthentication attacks on their

25
02:45.270 --> 02:46.720
own guests;

26
02:46.740 --> 02:54.340
the purpose being to drive them off their own personal hotspots and force them to pay for onsite

27
02:54.450 --> 02:55.660
WiFi services.

28
02:56.520 --> 02:58.740
OK, let's get started!

29
02:58.800 --> 02:59.720
I'll show you this

30
02:59.720 --> 03:09.570
attack live. I set up a wireless network called "hack me" specially for this lab; both my mobile phone and

31
03:09.600 --> 03:14.820
the Windows recording machine are now connected to that WiFi network.

32
03:14.840 --> 03:20.830
The attack will be performed on Kali Linux. Before continuing

33
03:20.830 --> 03:26.160
note that you need a card that supports monitor mode and packet injection.

34
03:26.170 --> 03:30.180
Remember that you cannot use a monitor mode on Windows.

35
03:30.220 --> 03:36.910
I'd recommend you watch the previous lectures where I've explained how to check if the WiFi card

36
03:36.910 --> 03:47.350
supports monitor mode and packet injection. So the first step is to put the card into monitor mode.

37
03:47.360 --> 03:55.470
This is the WiFi interface and I'll use airmon-ng to put the card into monitor mode.

38
03:55.730 --> 04:02.810
First I want to see the processes that could interfere with putting the interface into monitor mode:

39
04:03.860 --> 04:11.800
so airmon-ng check; and I'm killing these processes: airmon-ng check

40
04:11.810 --> 04:12.170
kill

41
04:15.010 --> 04:15.680
okay.

42
04:15.820 --> 04:24.730
The next step is to put the interface into monitor mode: airmon-ng start and the name of the

43
04:24.730 --> 04:30.590
interface wlan0.

44
04:30.730 --> 04:34.600
Now the WiFi card is working in monitor mode.

45
04:34.810 --> 04:37.840
I'm checking it with iwconfig.

46
04:39.800 --> 04:42.300
Perfect! In the next step

47
04:42.320 --> 04:51.650
I'll sniff the WiFi traffic to identify the network and the targets: airodump-ng -i

48
04:51.890 --> 04:54.380
and the name of the interface

49
04:54.380 --> 04:59.340
now the name of the interface is wlan0mon.

50
04:59.430 --> 05:01.360
I'm sniffing WiFi traffic.

51
05:03.190 --> 05:05.620
Okay; it's not looking very good

52
05:05.680 --> 05:12.380
so I'm changing the theme; I'll use Kali dark; okay!

53
05:12.440 --> 05:13.000
It's better!

54
05:14.650 --> 05:19.750
This column called BSSID lists

55
05:19.810 --> 05:28.700
the MAC addresses of all access points in the range; there are so many WiFi networks in the range.

56
05:28.860 --> 05:31.810
I want to narrow down the results and I'll sniff

57
05:31.830 --> 05:39.150
only the traffic for that network on the channel the network operates on, so only for "hack me" on

58
05:39.150 --> 05:40.600
channel 1.

59
05:40.650 --> 05:51.090
This is the channel column, so I'm adding --bssid and the MAC address of the access point

60
05:54.160 --> 05:57.730
and -c for channel 1

61
06:01.120 --> 06:02.960
and it's sniffing traffic

62
06:02.960 --> 06:10.850
only of this WiFi network on Channel 1. In this section you see the clients that are connected to the

63
06:10.850 --> 06:11.360
network.

64
06:13.510 --> 06:21.040
By the way if you don't see the clients check that you sniff on the same frequency band 2.4

65
06:21.310 --> 06:30.150
or 5 gigahertz. You could temporarily disable the 5 gigahertz frequency, like I did for this lab.

66
06:31.310 --> 06:39.020
In this section we are seeing which wireless devices are connected; we have to pick an access point that

67
06:39.020 --> 06:48.410
has at least one device associated to it, for this attack to work. In this example I'll attack the Windows

68
06:48.470 --> 06:56.420
client that is connected to this WiFi network, the Windows machine I am using for recording. You see

69
06:56.420 --> 07:09.170
that it's connected to the "hack me" network. Let's check its MAC address: ipconfig /all, so the MAC address

70
07:09.350 --> 07:20.450
of the WiFi card is this one: 30-24-32-E2-0F-59, this one, the second

71
07:20.750 --> 07:28.610
client in the list. I'm opening a new terminal and becoming root there as well and I'm starting

72
07:28.760 --> 07:38.450
the attack. I'm going to use aireplay-ng, which is part of the aircrack-ng package: so aireplay-ng --

73
07:38.450 --> 07:48.190
deauth, the type of the attack, it can inject also other types of frames, how many frames

74
07:48.190 --> 07:58.420
I want to send and I want to send a lot of deauthentication frames, something like this, now -a and

75
07:58.750 --> 08:01.090
the MAC address of the access point

76
08:04.530 --> 08:12.100
-c and the MAC address of the client; let's check it again!

77
08:12.400 --> 08:23.830
Okay the second one! And the name of the WiFi card wlan0mon; if you want to send continuously you

78
08:23.830 --> 08:31.690
can use 0 instead of this value. Before starting the attack I want to check that the Internet is working.

79
08:33.950 --> 08:40.880
I'll continuously ping this address and of course it's working and I'm starting the attack.

80
08:44.660 --> 08:55.950
The ping has stopped and the client was deauthenticated. See how it's trying to reconnect; the Windows

81
08:55.950 --> 09:03.480
machine was forced to deauthenticate. The deauthentication frames are sent continuously so the device

82
09:03.540 --> 09:10.920
has no chance to authenticate and to connect back to the network. When I want to stop the attack

83
09:11.010 --> 09:21.040
I simply press Ctrl+C. I've stopped it. As soon as the deauthentication stops the device

84
09:21.150 --> 09:28.750
reconnects to the access point and we will capture the WPA2 4-Way Handshake used to connect the WiFi

85
09:28.820 --> 09:29.320
password.

86
09:31.920 --> 09:42.570
OK it has reconnected; and ping is working again. OK, that's all about the deauthentication attack. In the

87
09:42.570 --> 09:50.190
next lecture I'll show you how to use this attack to capture the WPA2 4-Way Handshake and crack

88
09:50.250 --> 09:51.180
the WiFi key.