WEBVTT

0
00:01.670 --> 00:08.960
In the last lecture we've seen how to capture the encrypted 4-way handshake of WPA2 that contains

1
00:08.990 --> 00:11.920
the password of the WiFi network.

2
00:12.100 --> 00:17.660
These are the files that contain the encrypted 4-way handshake.

3
00:17.660 --> 00:21.360
Now we'll go ahead and see how to crack it.

4
00:21.380 --> 00:24.550
Note that it's encrypted with AES

5
00:24.710 --> 00:31.940
and if the password is a strong one, which means at least 12 random characters, we will not be able to

6
00:31.940 --> 00:34.460
crack it in a reasonable amount of time.

7
00:35.030 --> 00:41.990
All we can do is to launch a dictionary or a hybrid attack on the encrypted password using a word

8
00:41.990 --> 00:42.880
list.

9
00:42.950 --> 00:49.130
There are lots of wordlists available online but I’ll use one that's already on Kali.

10
00:54.430 --> 00:59.720
The tool I'm going to use to crack the password is aircrack-ng. So aircrack-ng

11
00:59.800 --> 01:09.840
the name of the file that contains the handshake, there are two files so I'll put a star here,

12
01:11.490 --> 01:21.030
-w and the path to the wordlist, to the dictionary file; and I'll use one that has come with

13
01:21.030 --> 01:30.100
Metasploit; it's in /usr/share/metasploit-framework/data/

14
01:30.200 --> 01:36.160
wordlists/password.lst and I'm hitting enter

15
01:39.340 --> 01:41.800
see how it's trying to crack the password.

16
01:42.160 --> 01:45.940
If the password is found it will be printed on the screen.

17
01:45.940 --> 01:49.220
Remember that the word list is critical.

18
01:49.630 --> 01:56.230
If the one you have chosen is not good, advance to a larger, more complete dictionary file.

19
01:58.120 --> 02:05.800
In this example I've set up a weak password on purpose so we can crack it easily; and we are waiting

20
02:05.950 --> 02:06.890
a few seconds.

21
02:25.200 --> 02:34.430
OK, it was cracked and we can see it; the WiFi password is "sunriseview".

22
02:34.910 --> 02:38.780
It has 11 characters but it's a dictionary word,

23
02:39.170 --> 02:48.290
so it's not a good one! Use only random characters! Note that there could be other layers of encryption

24
02:48.290 --> 02:49.020
used

25
02:49.100 --> 02:55.790
and if you found the password it doesn't mean that you can sniff and see all traffic in clear text.

26
02:55.940 --> 03:00.240
If someone uses https or ssh

27
03:00.320 --> 03:05.060
the traffic will be encrypted by those protocols as well.

28
03:05.060 --> 03:12.650
In this lecture we've used aircrack but another excellent piece of software that I want you to be aware

29
03:12.650 --> 03:20.360
of is cowpatty, which seems a little bit faster and can implement an accelerated dictionary or hybrid

30
03:20.450 --> 03:28.950
attack against the WPA2 networks using pre-shared key based authentication. On Kali

31
03:29.060 --> 03:33.320
you install it by simply executing apt install

32
03:33.410 --> 03:34.130
cowpatty

33
03:37.260 --> 03:42.410
Check that you have a running Internet connection before executing this command.

34
03:43.480 --> 03:49.870
If you have only one connection to the Internet, using the WiFi card, and it's put in monitor mode, it won't

35
03:49.870 --> 03:50.480
work.

36
03:50.500 --> 03:58.920
So put the card back into managed mode and then run this command. That was the classical approach to

37
03:58.920 --> 04:04.390
cracking WPA2. Note that it has two downsides!

38
04:04.420 --> 04:12.060
The first is that someone is required to be connected to the network to attack it. The network password

39
04:12.280 --> 04:15.000
might be weak and very easy to crack

40
04:15.100 --> 04:22.570
but without a device connected to kick off briefly there is no opportunity to capture the 4-Way Handshake

41
04:22.720 --> 04:26.120
thus no chance to try cracking it.

42
04:26.170 --> 04:31.830
The second downside of this tactic involves actively sending packets.

43
04:31.840 --> 04:38.210
This is in fact a denial of service attack that can cause legal problems.

44
04:38.420 --> 04:43.330
There is also another new method available to crack WPA2

45
04:43.430 --> 04:49.520
that doesn't require a connected device to the network you want to attack.

46
04:49.530 --> 04:58.020
The process consists of obtaining a single EAPOL frame to capture the needed information to attempt

47
04:58.140 --> 04:59.870
a brute force attack.

48
04:59.910 --> 05:08.010
This attack can be launched using Bettercap, which is presented in detail in this course or using

49
05:08.070 --> 05:17.520
Hashcat. I'll attach some resources to this lecture if you want to go deeper into it. As a positive conclusion

50
05:17.700 --> 05:19.010
of this lecture

51
05:19.020 --> 05:25.530
we can say that as long as we have a very strong passphrase, WPA2 is extremely secure and we don’t

52
05:25.530 --> 05:26.850
have to worry too much.