WEBVTT

0
00:00.720 --> 00:10.570
WPA and WPA 2 are replacements for WEP, which has been proven flawed and easy to crack. Nowadays

1
00:10.620 --> 00:17.700
WPA2 with pre-shared key or enterprise protects all WiFi communications.

2
00:17.940 --> 00:26.700
WPA2 uses the Advanced Encryption Standard as the encryption protocol, which is very secure and impossible

3
00:26.700 --> 00:27.990
to crack.

4
00:27.990 --> 00:36.060
The weakness in the WPA2 pre-shared key protocol is that the encrypted password is shared in what

5
00:36.060 --> 00:38.850
is known as the 4-way handshake.

6
00:38.850 --> 00:47.160
This handshake is exchanged when a client wants to join a protected WiFi network and is used to confirm

7
00:47.280 --> 00:54.570
that both the client and the access point possess the correct credential, which is the pre-shared key of

8
00:54.570 --> 00:55.950
the network.

9
00:55.950 --> 01:03.420
At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to

10
01:03.420 --> 01:11.140
encrypt all subsequent traffic; if we can grab the handshake at that time we can then attempt to crack it.

11
01:12.360 --> 01:18.850
So hacking WPA2-PSK consists of 3 different phases.

12
01:19.080 --> 01:26.820
The first phase of the attack consists of injecting deauthentication packets to make a WiFi client

13
01:26.880 --> 01:29.790
deauthenticate from the network.

14
01:29.800 --> 01:31.590
Once deauthenticated,

15
01:31.590 --> 01:34.750
the client will try to reconnect to the network.

16
01:34.770 --> 01:41.070
This is the second phase, when we grab the WPA2 4-way handshake.

17
01:41.070 --> 01:48.370
Of course we can wait for a new client to authenticate to the network and capture the 4-way handshake

18
01:48.520 --> 01:49.740
at that moment.

19
01:49.740 --> 01:56.580
However, it is more appropriate to make the client deauthenticate and then authenticate back to the

20
01:56.580 --> 02:04.510
WiFi network. I've talked about that deauthentication attack in the previous lecture; and the last

21
02:04.630 --> 02:12.720
the third phase, is to try to crack the 4-way handshake, which is encrypted with AES, offline.

22
02:12.730 --> 02:22.150
Note that if the WiFi network uses a strong password, and that means at least 12 or 14 random characters

23
02:22.720 --> 02:29.980
including letters, digits and symbols, you will not be able to crack the password in a reasonable amount

24
02:29.980 --> 02:30.490
of time.

25
02:32.090 --> 02:35.270
Let's get started with a live lab!

26
02:38.060 --> 02:45.980
Now the interface wlan0 is in managed mode. I'll execute the first phase, which is the deauthentication

27
02:46.040 --> 02:51.100
attack, using aireplay-ng, which is part of the aircrack-ng package.

28
02:52.310 --> 02:59.240
I'll do it fast without too many explanations because I've already done it in detail in the previous

29
02:59.240 --> 03:00.260
lecture.

30
03:00.320 --> 03:02.790
Take a look there if you feel the need!

31
03:02.790 --> 03:12.670
First I am putting the card into monitor mode using airmon-ng. I'm killing the processes that could

32
03:12.670 --> 03:19.690
interfere.

33
03:19.870 --> 03:21.870
This will take up to 10 seconds,

34
03:24.940 --> 03:27.680
and I am putting the card into monitor mode.

35
03:34.850 --> 03:38.490
Now the WiFi card is working in monitor mode.

36
03:42.740 --> 03:51.740
Let's sniff the WiFi traffic to identify the network and the target: airodump-ng

37
03:51.760 --> 03:55.960
and the name of the interface, wlan0mon.

38
03:59.560 --> 04:00.240
Okay.

39
04:00.260 --> 04:02.670
This is the target network,

40
04:02.690 --> 04:08.240
"hack me", so I'm gonna sniff traffic only of that network.

41
04:10.250 --> 04:16.730
So --bssid and the MAC of the AP, this one,

42
04:20.050 --> 04:29.790
-c 1; it's working on channel 1.

43
04:29.860 --> 04:32.460
These are the connected clients.

44
04:32.470 --> 04:39.760
I'll take one of them and I'll kick it off, making it automatically reauthenticate, whereby I can grab the

45
04:39.760 --> 04:44.060
encrypted password sent in the process.

46
04:44.130 --> 04:50.480
I want to save the captured traffic into a file, so I'm stopping airodump-ng

47
04:50.640 --> 04:59.610
and I'm starting it again, adding -w, which is used to write to a file, and the name of the file to write

48
04:59.640 --> 05:03.490
to, let's say wpa2crack.

49
05:04.380 --> 05:06.120
So it will write to this file.

50
05:10.620 --> 05:11.610
In this terminal

51
05:11.610 --> 05:22.170
I'm launching the attack, the deauthentication attack: aireplay-ng --deauth. I'm

52
05:22.170 --> 05:27.300
gonna send only 3 frames, 3 deauthentication frames,

53
05:27.390 --> 05:37.420
I want the client to be able to reconnect to the network. -a the MAC address of the AP and -c

54
05:37.450 --> 05:40.270
the MAC address of a client.

55
05:41.050 --> 05:55.000
I'm gonna take the first client, and the name of the interface, wlan0mon.

56
05:55.180 --> 06:01.960
Look here: we see how the client was deauthenticated and then reauthenticated

57
06:01.960 --> 06:10.940
back to the network. I've captured the WPA2 handshake successfully. Take a closer look at airodump-ng.

58
06:10.950 --> 06:16.240
We notice at the top "WPA handshake".

59
06:16.270 --> 06:25.480
This is the way it tells us we have successfully captured the encrypted password. I'm stopping airodump-ng

60
06:25.500 --> 06:35.600
by pressing Ctrl-C, and if I execute ls we'll see two files in the current working directory.

61
06:35.700 --> 06:45.180
These files contain the WPA2 4-way handshake; that was the second phase of the attack.

62
06:45.320 --> 06:51.370
The last phase consists of the attempt to crack the encrypted password offline.

63
06:52.010 --> 06:57.140
Now we'll take a short break and in the next lecture I'll show you how to do it.