1
00:00:00,540 --> 00:00:06,510
Now one of the major obstacles that you might find while trying to gain access to a network is if the

2
00:00:06,510 --> 00:00:09,070
network does not broadcast its name.

3
00:00:09,090 --> 00:00:15,150
So if the network is hidden, then you won't be able to connect to the network

4
00:00:15,210 --> 00:00:17,790
even if it does not use any password.

5
00:00:17,940 --> 00:00:22,950
And if it uses a password, then you won't be able to use the attacks that we're going to talk about in

6
00:00:22,950 --> 00:00:24,490
future lectures.

7
00:00:24,510 --> 00:00:30,110
So you literally won't be able to do anything until you know the name of the network.

8
00:00:30,600 --> 00:00:36,590
So just to show you an example, here I have my own network and I've set it to be hidden.

9
00:00:36,630 --> 00:00:40,580
So I checked this box which says "Mask SSID".

10
00:00:40,650 --> 00:00:44,480
Now this could be called something else for you, but for me that's the name of it.

11
00:00:44,970 --> 00:00:47,310
And I've called the network "test AP".

12
00:00:47,610 --> 00:00:53,190
So the network actually has a name, but it just doesn't broadcast the name in the air.

13
00:00:53,190 --> 00:00:56,640
I've also set the network to not use any security.

14
00:00:56,730 --> 00:01:00,750
So people can connect as long as they know the network name.

15
00:01:00,750 --> 00:01:04,140
So if we go here on the Windows machine, I just want to show you an example.

16
00:01:04,350 --> 00:01:10,330
If we go on Wi-Fi networks, you'll see that there is a hidden network around us.

17
00:01:11,090 --> 00:01:17,510
But if we try to connect to this network, if I click on it and click on Connect, the first thing that

18
00:01:17,570 --> 00:01:21,240
it's going to ask me is to enter the name of the network.

19
00:01:21,500 --> 00:01:25,170
Therefore we can't actually connect to it if we don't know its name.
20
00:01:25,340 --> 00:01:27,080
And if the network is using encryption,

21
00:01:27,080 --> 00:01:32,660
so if it's using a password for the network, then we won't be able to launch the cracking attacks if

22
00:01:32,660 --> 00:01:34,040
we don't know the name.

23
00:01:34,040 --> 00:01:40,300
So if your target network is hidden, the first step is always to try and determine the name of that network,

24
00:01:40,550 --> 00:01:46,280
regardless of whether it uses encryption, if it uses a password or if it does not use a password.

25
00:01:46,280 --> 00:01:51,470
So in this lecture I'm going to cover how to determine the name of hidden networks and how to connect

26
00:01:51,470 --> 00:01:53,060
to the network.

27
00:01:53,060 --> 00:01:58,460
Now I'm going to go to my Kali machine and I'm going to run airodump-ng on my wireless card in monitor

28
00:01:58,460 --> 00:01:58,840
mode.

29
00:01:58,970 --> 00:01:59,930
So we did this before.

30
00:01:59,930 --> 00:02:01,110
All I do is

31
00:02:01,220 --> 00:02:01,990
airodump-ng,

32
00:02:02,030 --> 00:02:07,340
and then I put the name of the wireless card, which is mon0.

33
00:02:07,510 --> 00:02:13,450
And if I hit enter, as you can see, I can see all my networks around me and we can see any hidden network

34
00:02:13,450 --> 00:02:14,010
around us.

35
00:02:14,080 --> 00:02:17,780
And the hidden network is actually this one.

36
00:02:18,250 --> 00:02:23,780
So you can see that we can actually get all the information of that network, so we can get its MAC address.

37
00:02:23,860 --> 00:02:29,740
We can see its distance, we can see the beacons, we can see the data if there was a lot of data, and we

38
00:02:29,740 --> 00:02:30,780
can see the encryption.

39
00:02:30,790 --> 00:02:35,860
So in our case it's open, it's not using encryption, but if it was using encryption then you'll see it

40
00:02:35,860 --> 00:02:38,890
uses WEP or WPA or whatever it uses.
41
00:02:39,220 --> 00:02:43,180
The only thing that's hidden is the name of the network, so you can see in here

42
00:02:43,210 --> 00:02:46,330
we actually don't have the name of the network.

43
00:02:46,350 --> 00:02:49,180
So basically when the network is configured to be hidden,

44
00:02:49,370 --> 00:02:54,460
it only hides the network name, but it's still broadcasting its existence.

45
00:02:54,540 --> 00:02:57,620
It's still telling all the devices around it that it exists:

46
00:02:57,660 --> 00:02:58,980
my MAC address is this,

47
00:02:59,010 --> 00:03:02,350
my channel is this, and it's giving all the information except the name.

48
00:03:02,370 --> 00:03:07,610
And basically what I'm saying is, if you know my name then you can connect to me.

49
00:03:07,620 --> 00:03:13,320
So what we're going to do now is we're going to run airodump-ng against this specific network because

50
00:03:13,320 --> 00:03:14,630
that's our target.

51
00:03:14,850 --> 00:03:16,890
And we have done this in previous lectures again.

52
00:03:16,890 --> 00:03:18,750
But I'm just going to do it real quick here.

53
00:03:18,930 --> 00:03:26,680
So I'm going to copy its MAC address and run airodump-ng, and I'm going to specify the

54
00:03:26,700 --> 00:03:29,140
BSSID of the target network, which is the MAC address,

55
00:03:32,360 --> 00:03:35,990
and then I'm going to specify the channel, which is 6 for this target network,

56
00:03:39,180 --> 00:03:43,940
and then I'm going to give it my wireless card in monitor mode, which is mon0.

57
00:03:44,390 --> 00:03:46,390
So again, we ran this command a lot of times.

58
00:03:46,520 --> 00:03:47,170
It's airodump-ng,

59
00:03:47,170 --> 00:03:52,690
and we're giving it the MAC address of the target network, and we're giving it a channel, which is six.

60
00:03:52,850 --> 00:03:56,450
And then we give it the wireless card name in monitor mode.

61
00:03:56,450 --> 00:03:59,630
I'm going to hit enter and you can see now airodump-ng
62
00:03:59,630 --> 00:04:02,470
is running against this specific network.

63
00:04:02,600 --> 00:04:08,180
Now in many cases, if the target network is a bit active, you'll actually be able to get the name of it

64
00:04:08,270 --> 00:04:11,240
simply by running airodump-ng against it.

65
00:04:11,600 --> 00:04:14,110
In our case we can see that the network is not active.

66
00:04:14,300 --> 00:04:17,690
So airodump-ng is not able to determine its name.

67
00:04:19,970 --> 00:04:25,010
But what we can also see is that there is a client connected to the network right here, because

68
00:04:25,010 --> 00:04:30,830
we said the second section of airodump-ng shows us the connected devices, so we can see that there is a device

69
00:04:30,830 --> 00:04:38,750
connected to this network and the device has this MAC address. So what we're going to do now is we're

70
00:04:38,750 --> 00:04:44,060
going to use a deauthentication attack like we did before, and we're going to disconnect this device

71
00:04:44,060 --> 00:04:45,640
from this network.

72
00:04:45,740 --> 00:04:50,960
But the difference is we're actually going to disconnect it for a very short period of time so that it

73
00:04:50,960 --> 00:04:56,780
automatically reconnects to the target network, and when it does that it's going to send the network

74
00:04:56,780 --> 00:04:58,090
name in the air.

75
00:04:58,550 --> 00:05:04,760
Since we have airodump-ng running, it will be able to capture that name and it will show it to us

76
00:05:04,760 --> 00:05:07,580
here, and then we'll know the name of the network.

77
00:05:08,000 --> 00:05:12,740
So again, the attack is going to be very simple. All we're going to do is the deauthentication

78
00:05:12,740 --> 00:05:14,980
attack for a very short period of time.

79
00:05:15,110 --> 00:05:19,120
That's going to disconnect the target device for a split second,
80
00:05:19,160 --> 00:05:24,440
so they won't even feel it, and the operating system will automatically connect back to the network. When

81
00:05:24,440 --> 00:05:28,620
it does that it's going to send the network name in the air, and we're sniffing on that channel.

82
00:05:28,640 --> 00:05:32,690
So we'll be able to capture that name and we'll know the network name.

83
00:05:32,690 --> 00:05:37,540
So I'm going to split the screen, and you've actually run this attack before.

84
00:05:37,720 --> 00:05:41,950
So I'm just going to do it here again and it will be a chance for you to revise it.

85
00:05:41,980 --> 00:05:43,540
So we're going to do aireplay-ng

86
00:05:46,160 --> 00:05:56,380
--deauth, and then we're going to put the MAC address of the target network after the -a argument, and then I'm

87
00:05:56,380 --> 00:06:01,940
going to do -c and then I'll give the MAC address of the client that I want to disconnect.

88
00:06:01,960 --> 00:06:03,110
And it's this one right here,

89
00:06:08,360 --> 00:06:16,000
and finally I'm going to put the name of the wireless card in monitor mode, which is mon0. Now I

90
00:06:16,010 --> 00:06:22,890
actually forgot to specify the number of deauthentication packets to send. In the previous videos we

91
00:06:22,890 --> 00:06:23,660
actually used

92
00:06:23,660 --> 00:06:30,970
a really big number in here so that we can keep the target computer disconnected for as long as possible.

93
00:06:31,050 --> 00:06:34,580
In this video we actually want them to be disconnected for a split second.

94
00:06:34,680 --> 00:06:38,880
So I'm going to use four packets; usually two is sufficient.

95
00:06:38,880 --> 00:06:43,050
But I'm just going to use four just to make sure that the target device will get disconnected.

96
00:06:43,110 --> 00:06:45,880
So because we're using a very small number,

97
00:06:45,880 --> 00:06:49,080
it'll be disconnected for a very short period of time.
98
00:06:49,200 --> 00:06:53,100
And the target person who is using that network will not even feel that.

99
00:06:53,550 --> 00:06:59,040
So it's the same command that we did before, nothing different: aireplay-ng, we're doing the deauthentication

100
00:06:59,040 --> 00:07:04,920
attack and we're using a very small number of packets because we don't want the target person to feel

101
00:07:04,920 --> 00:07:06,510
that they got disconnected.

102
00:07:06,810 --> 00:07:13,590
We gave the MAC address of the target network after the -a option, and then we gave the MAC address of the

103
00:07:13,590 --> 00:07:16,580
client that we want to disconnect after the -c option.

104
00:07:16,930 --> 00:07:17,760
I'm going to hit enter,

105
00:07:21,360 --> 00:07:27,030
and as you can see, nearly after sending two packets we were able to determine the name of the network.

106
00:07:27,030 --> 00:07:32,680
So right here in airodump-ng it's showing us that the name of the network is test AP.

107
00:07:32,970 --> 00:07:38,970
And now if the network is open like in our case, we can just go ahead and connect to that network, or

108
00:07:38,970 --> 00:07:44,850
if the network is using encryption like WEP, WPA or WPA2, then we actually know the name of the network

109
00:07:44,850 --> 00:07:50,520
now and you'll be able to launch the attacks that you're going to learn in the next lectures against

110
00:07:50,520 --> 00:07:53,850
that network and then determine its key.

111
00:07:54,200 --> 00:07:56,120
So the attack was very simple.

112
00:07:56,120 --> 00:08:02,180
All we had to do is run airodump-ng against our specific target network and then deauthenticate

113
00:08:02,180 --> 00:08:07,340
one of the clients for a very short period of time, and they'll automatically get connected to the network.

114
00:08:07,550 --> 00:08:09,960
When they do that we'll know the network name.