1 00:00:00,300 --> 00:00:04,080 Welcome to part one of this module. In this module, 2 00:00:04,090 --> 00:00:11,080 we're going to be covering various methods of Wi-Fi hacking. Breaking into networks is obviously a very 3 00:00:11,080 --> 00:00:17,320 important part of penetration testing, since once you're on a network you can attack other machines locally 4 00:00:17,650 --> 00:00:21,340 or perform man-in-the-middle attacks and what have you. 5 00:00:21,340 --> 00:00:28,930 However, many of the tools we're going to be using will be requiring the same starting prerequisites, 6 00:00:29,350 --> 00:00:35,320 that is to say there are several tools we need to learn about first before we look at these specific 7 00:00:35,320 --> 00:00:37,720 methods of attacking networks. 8 00:00:37,780 --> 00:00:44,110 So rather than cover these setup tools multiple times in every video in this section, I've decided to 9 00:00:44,110 --> 00:00:48,070 present them as one single video at the start of the module. 10 00:00:48,280 --> 00:00:58,600 We'll be looking specifically at ifconfig, iwconfig, airmon-ng, airodump-ng and macchanger, and also 11 00:00:58,600 --> 00:01:01,480 touch briefly on the wash command. 12 00:01:01,600 --> 00:01:05,430 These tools are all important for what we will be doing next, 13 00:01:05,440 --> 00:01:11,500 and none of them are so complicated as to justify doing a video on each one.
14 00:01:11,500 --> 00:01:17,890 Since all of these are terminal-based commands, we'll open up our terminal window and we will begin by 15 00:01:17,890 --> 00:01:24,790 typing ifconfig. This command will show all of the network interfaces that are available and give you 16 00:01:24,790 --> 00:01:31,930 details about each one. The names of these interfaces may vary depending on certain factors such as your 17 00:01:31,930 --> 00:01:42,160 operating system, but in Kali you should see at least wlan0 and eth0, which are your wireless card 18 00:01:42,190 --> 00:01:44,950 and Ethernet capability respectively. 19 00:01:44,950 --> 00:01:49,000 Don't worry if your system calls these interfaces something else. 20 00:01:49,120 --> 00:01:56,540 Just remember the name and use it when it's called for. I actually have two wireless cards working on 21 00:01:56,540 --> 00:01:58,010 this computer. 22 00:01:58,010 --> 00:02:05,780 One is the built-in Broadcom, that is wlan0, and the other is an Alfa card which is capable of packet 23 00:02:05,780 --> 00:02:11,420 injection, and that's a subject we'll be covering a bit further down the line in this module. For this 24 00:02:11,420 --> 00:02:19,450 demonstration I'll be using just wlan0. So to begin, we're going to bring our wireless interface devices 25 00:02:19,450 --> 00:02:24,120 down; they need to be down in order for us to tweak them. 26 00:02:24,460 --> 00:02:25,170 So we're gonna do 27 00:02:25,180 --> 00:02:31,810 ifconfig wlan0 down, and just for good measure I'm going to bring wlan1 down as well, 28 00:02:36,450 --> 00:02:38,900 and this is macchanger. 29 00:02:39,090 --> 00:02:46,440 So what we're gonna do is we're going to type macchanger -A wlan0, that's uppercase A, and of 30 00:02:46,440 --> 00:02:55,140 course substitute wlan0 for whatever the name of your interface device is, and note that I am using 31 00:02:55,140 --> 00:02:57,380 the -A (uppercase A) switch.
32 00:02:57,510 --> 00:03:01,620 So this tells macchanger that we want a random MAC. 33 00:03:01,770 --> 00:03:05,910 We could also input a specific MAC if we wanted to. 34 00:03:06,030 --> 00:03:13,770 For example, some networks block all but specifically authorized devices from associating with them. 35 00:03:13,980 --> 00:03:20,400 If we happened to spot a MAC address of an associated device using the tool that we'll be looking at 36 00:03:20,400 --> 00:03:26,880 in a few moments, which is airodump-ng, we might use packet injection to kick that device off the 37 00:03:26,880 --> 00:03:32,130 network and spoof its MAC so that we can associate with it in its place. 38 00:03:32,140 --> 00:03:36,660 This is a bit advanced though, and we'll be covering that later. For right now 39 00:03:36,660 --> 00:03:43,820 I just want you to be aware that you can specify your MAC, and I'm going to do this with wlan1 40 00:03:43,830 --> 00:03:45,370 just for good measure. 41 00:03:45,630 --> 00:03:51,270 So by changing the MAC address, what we're effectively doing is we're changing the fingerprints of this 42 00:03:51,270 --> 00:03:52,660 device. 43 00:03:52,680 --> 00:03:54,590 I'll speak about this a bit more later. 44 00:03:54,600 --> 00:04:01,680 So now we need to bring our device back up and into monitor mode. 45 00:04:01,700 --> 00:04:04,300 Now there are two ways of doing this.
46 00:04:04,370 --> 00:04:16,800 We could use the command iwconfig wlan0 mode monitor, and after pressing Enter we would follow 47 00:04:16,800 --> 00:04:29,350 that command up with ifconfig wlan0 up, but there is another way of doing this, and in my opinion 48 00:04:29,350 --> 00:04:30,100 a better way: 49 00:04:33,420 --> 00:04:36,510 we're going to use the airmon-ng command. 50 00:04:40,010 --> 00:04:47,120 airmon-ng lists our wireless interfaces, and what we're doing here, by the way, is switching the mode 51 00:04:47,150 --> 00:04:50,820 that our wireless card is functioning in. By default 52 00:04:50,840 --> 00:04:53,590 most cards are in standard mode. 53 00:04:53,600 --> 00:05:00,740 The difference is that in monitor mode a wireless card will accept packets that are not necessarily 54 00:05:00,740 --> 00:05:03,980 intended for that card. 55 00:05:04,290 --> 00:05:11,670 So we need to bring our card into monitor mode, but before we do that we need to check and see if any 56 00:05:11,670 --> 00:05:17,270 system processes are currently running that are going to interfere with our efforts here. 57 00:05:17,310 --> 00:05:25,370 So to do that we're going to run airmon-ng check, and we can see that there are some network processes 58 00:05:25,370 --> 00:05:28,880 currently running that will cause us problems. 59 00:05:28,910 --> 00:05:35,780 Now we could kill these one by one using the kill command followed by the ID, but the problem with doing 60 00:05:35,780 --> 00:05:43,210 that is that these processes have a funny habit of respawning themselves. 61 00:05:43,280 --> 00:05:51,590 It's much more efficient to just use airmon-ng check kill and kill all processes simultaneously
62 00:05:51,590 --> 00:05:53,360 that will cause any kind of a problem. 63 00:05:56,680 --> 00:06:04,840 Once this is done, we'll do airmon-ng check again to verify that they are killed, and now we'll do airmon-ng 64 00:06:04,850 --> 00:06:08,240 start wlan0. 65 00:06:13,490 --> 00:06:14,660 Now our interface is 66 00:06:14,660 --> 00:06:20,780 up. I want to explain something about how Kali handles this, because it tends to throw a lot of people 67 00:06:20,780 --> 00:06:21,830 for a loop. 68 00:06:22,100 --> 00:06:29,930 The interface device in this instance is called wlan0, and now that Kali has put it into monitor 69 00:06:29,930 --> 00:06:35,230 mode it is being listed as wlan0mon. 70 00:06:35,270 --> 00:06:42,860 Basically what Kali is doing is signifying that the device is in monitor mode by putting mon at the 71 00:06:42,860 --> 00:06:44,600 end of the device name. 72 00:06:44,600 --> 00:06:51,230 Now in previous versions of Kali the operating system used to simply change this to mon and drop 73 00:06:51,230 --> 00:06:53,960 the original name of the device itself. 74 00:06:53,960 --> 00:07:00,020 In other words, if you are using an older version of Kali, or if you're reading anything written before 75 00:07:00,020 --> 00:07:09,920 2016 or so about the operating system and its commands, you'll always see this listed as mon0, mon1, mon2, 76 00:07:10,160 --> 00:07:12,590 mon3, et cetera. 77 00:07:12,740 --> 00:07:23,650 Now it's going to be wlan0mon, wlan1mon, wlan2mon, wlan3mon, and so on and so forth. 78 00:07:23,780 --> 00:07:28,410 It's confusing, but I understand why they changed it. 79 00:07:28,580 --> 00:07:34,670 It makes it more clear which device you're working with and in what mode that device is currently set 80 00:07:34,670 --> 00:07:35,500 to.
81 00:07:35,660 --> 00:07:46,250 For example, if I do airmon-ng start wlan1, which takes a minute, it's now clear that wlan1 is 82 00:07:46,310 --> 00:07:50,430 also in monitor mode, so now we have two mons. 83 00:07:50,440 --> 00:07:59,830 We have wlan0mon and wlan1mon. Just to give you some idea, I also wish to point out 84 00:08:00,340 --> 00:08:09,030 that if we do ifconfig again and look at the interface devices, we can see that the MACs have been 85 00:08:09,030 --> 00:08:15,890 changed when we used macchanger. When you updated Kali Linux after you installed it, either to a 86 00:08:15,890 --> 00:08:23,210 partition or to a USB device, you were most likely prompted as to whether or not you wanted macchanger 87 00:08:23,480 --> 00:08:31,750 to assign a random MAC automatically to all interface devices every time you boot the system. If you 88 00:08:31,750 --> 00:08:37,780 chose to enable this feature, you don't need to run macchanger every single time because it's already 89 00:08:37,780 --> 00:08:42,520 being done for you behind the scenes when you boot the system. 90 00:08:42,520 --> 00:08:49,570 That being said, I personally don't tend to enable this feature, because associating with a network several 91 00:08:49,570 --> 00:08:57,370 times and leaving a different fingerprint every time, even when you don't intend to, is sometimes a dead 92 00:08:57,400 --> 00:09:01,540 giveaway to a system administrator that something odd is going on. 93 00:09:01,540 --> 00:09:08,920 So in my opinion it's better to simply develop the habit of running macchanger yourself as a prerequisite 94 00:09:08,920 --> 00:09:11,890 to whatever you're doing. It is up to you, 95 00:09:12,010 --> 00:09:18,070 but if you decide not to make it automatic, be extra sure that you don't forget to use it.
96 00:09:18,490 --> 00:09:28,490 In any case, now that our devices are ready, we're going to use the airodump-ng command, and we're 97 00:09:28,490 --> 00:09:37,300 going to specify which device we want to use. For this demonstration I'll use wlan1mon. Now what 98 00:09:37,300 --> 00:09:43,900 we are basically doing is scanning for all networks that are within range of our interface device. 99 00:09:43,900 --> 00:09:51,220 We can get more specific with our scan, looking for certain networks or focusing on just one network 100 00:09:51,490 --> 00:09:53,980 to capture particular information. 101 00:09:53,980 --> 00:10:00,000 For right now though, we're just doing a general scan to see what's out there. 102 00:10:00,040 --> 00:10:05,210 It should be noted that airodump-ng will not reveal hidden networks. 103 00:10:05,230 --> 00:10:12,060 That is something that we'll be looking at later, but it will show all networks that are publicly broadcasting. 104 00:10:12,340 --> 00:10:14,770 This is perfectly legal, by the way. 105 00:10:14,770 --> 00:10:20,530 All we're doing here is seeing what networks are available and reading the information that they are 106 00:10:20,530 --> 00:10:28,570 freely sending us. If we let this program run long enough we can sometimes even see devices listed below 107 00:10:28,570 --> 00:10:29,760 the networks. 108 00:10:29,980 --> 00:10:37,420 These devices will have their own MAC addresses, power rating relative to our location, and in some cases 109 00:10:37,420 --> 00:10:40,600 we will see which access point they are associated with. 110 00:10:41,020 --> 00:10:43,990 So let's break this down step by step. 111 00:10:43,990 --> 00:10:52,300 The BSSID is the MAC address of the device itself, which is a wireless access point, a router. The 112 00:10:52,330 --> 00:10:55,870 PWR is the strength of the signal. 113 00:10:55,960 --> 00:11:00,380 The closer this number is to zero, the better the signal strength.
114 00:11:00,400 --> 00:11:05,440 In other words, minus 20 is a lot better than minus 50. 115 00:11:05,470 --> 00:11:14,560 Generally speaking, networks that are minus 70 or below tend to be so far out of practical range that 116 00:11:14,590 --> 00:11:19,730 even if you managed to associate with them you'll be getting connection drops constantly. 117 00:11:19,780 --> 00:11:22,550 There are several ways of improving this number. 118 00:11:22,660 --> 00:11:28,960 You can move closer to the router in question, or you can get a better antenna and train it in the direction 119 00:11:28,960 --> 00:11:30,280 of the router. 120 00:11:30,280 --> 00:11:36,880 You could get a more powerful wireless card, and if you were living in countries outside of the United 121 00:11:36,880 --> 00:11:43,690 States that allow you to do so legally, you can increase the power of your wireless card by bringing 122 00:11:43,690 --> 00:11:50,350 the interface down and then using a few simple commands to change the country code in the operating 123 00:11:50,350 --> 00:11:54,070 system and adjust the TX power as you please. 124 00:11:54,070 --> 00:12:00,790 Unfortunately this is not legal in the United States due to FCC regulations, since a signal strength 125 00:12:00,910 --> 00:12:06,340 boosted beyond a certain threshold may potentially interfere with other devices. 126 00:12:06,340 --> 00:12:12,520 But if you live somewhere like Bolivia, double check that it is still legal and then feel free to boost 127 00:12:12,520 --> 00:12:14,970 your card's TX power to the max. 128 00:12:15,010 --> 00:12:20,860 Of course, if you do decide to do that, make sure that your device doesn't put 129 00:12:20,860 --> 00:12:26,850 out any harmful radiation or overheat in any kind of a dangerous way. 130 00:12:26,950 --> 00:12:34,390 At any rate, beacons. Beacons are just the number of responses we are getting from the router itself.
131 00:12:34,390 --> 00:12:43,250 The faster this number adds up, the better in terms of signal strength. The CH is what channel the router 132 00:12:43,250 --> 00:12:44,810 is operating on. 133 00:12:44,810 --> 00:12:51,430 You won't always need to know the channel number, but not all tools will scan by method of channel hopping. 134 00:12:51,440 --> 00:12:59,360 So when you need it, that's where the info is. The ENC and CIPHER are basically the encryption form being 135 00:12:59,360 --> 00:13:09,310 used, such as WEP, WPA or WPA2. We will be looking at methods to attack all of these in this module. 136 00:13:09,350 --> 00:13:19,070 PSK under AUTH means password or passkey. Some routers, for example, only use PIN authentication, 137 00:13:19,090 --> 00:13:26,210 although why I have no idea since it's way less secure, but whatever the case may be, that information 138 00:13:26,210 --> 00:13:27,810 is listed here. 139 00:13:27,830 --> 00:13:36,110 Finally, the ESSID is whatever the router has been named. When you're done, simply press Ctrl+C 140 00:13:36,530 --> 00:13:43,570 to bring yourself back to the command prompt. Over the course of this module we'll be looking at how 141 00:13:43,570 --> 00:13:51,250 to attack routers directly with reaver, how to grab handshakes and crack them with aircrack, how to attack 142 00:13:51,340 --> 00:13:58,960 older forms of encryption such as WEP in a matter of minutes, how to deauthenticate targets from networks, 143 00:13:59,020 --> 00:14:06,580 and even methods of DDoSing, that's distributed denial of service attacks, against specific access points. 144 00:14:06,790 --> 00:14:11,440 All of these tools and techniques will be using airodump as a starting point. 145 00:14:11,620 --> 00:14:16,000 So we'll be performing more specific scans in the future. 146 00:14:16,120 --> 00:14:21,120 For now I just want you to be acquainted with the tool and the basics of how it works.
147 00:14:21,990 --> 00:14:25,930 Now the cousin of airodump-ng is the wash command. 148 00:14:26,120 --> 00:14:33,470 It's not quite as useful, in that it can't be used to get as much information as airodump provides, but 149 00:14:33,470 --> 00:14:36,620 it does tell us a few useful things. 150 00:14:36,710 --> 00:14:43,580 So I'm going to do wash -i, lowercase i for interface, wlan1mon, 151 00:14:47,380 --> 00:14:53,220 and we'll be talking a bit more about this command when it becomes relevant. We'll see it a bit more 152 00:14:53,220 --> 00:14:59,950 in the next video, in which we'll be covering attacks against access points using reaver, 153 00:15:00,000 --> 00:15:02,180 and those will be radio based. 154 00:15:02,220 --> 00:15:09,090 For now it's just worth it to know that wash tells you if a router is currently in a state of lockdown: 155 00:15:09,540 --> 00:15:15,240 No means a router is not locked and will accept association attempts, 156 00:15:15,330 --> 00:15:18,540 and Yes simply means that it won't. 157 00:15:18,600 --> 00:15:26,130 You can see the chipset used under the vendor entry, and this can be handy when you're researching methods 158 00:15:26,130 --> 00:15:34,290 of fine tuning your attacks against a particular model of router. Ctrl+C, as always, brings us back 159 00:15:34,290 --> 00:15:35,370 to the command prompt. 160 00:15:38,520 --> 00:15:40,080 The last prerequisite command 161 00:15:40,080 --> 00:15:49,530 I want to touch on is the iwconfig command. This command tells us things like what mode our interface 162 00:15:49,530 --> 00:15:56,670 devices are in, their frequency, and their overall power, which is listed as TX power. 163 00:15:56,670 --> 00:16:02,490 I mentioned that it is illegal in the United States to boost a wireless card's power beyond a certain 164 00:16:02,490 --> 00:16:03,290 threshold.
165 00:16:04,230 --> 00:16:11,360 However, you need to be aware that this can be done, and with only a few simple keyboard commands as well. 166 00:16:11,430 --> 00:16:19,140 Black hat hackers rarely care about the law and will adjust their operating system's country code and then 167 00:16:19,140 --> 00:16:23,970 use iwconfig to adjust their TX power ratings. 168 00:16:23,970 --> 00:16:31,880 This is possible because, as I said, in many countries this is perfectly legal. As a system administrator 169 00:16:32,040 --> 00:16:37,890 you need to be aware that this can happen, because if you notice repeated brute force attempts in your 170 00:16:37,890 --> 00:16:45,330 router logs, such as are generated by reaver-based attacks, you can't make the mistake of assuming that 171 00:16:45,330 --> 00:16:51,030 the hacker is physically present in the building or right outside in the parking lot. 172 00:16:51,060 --> 00:16:54,810 There are many techniques to boost radio-based attacks. 173 00:16:54,960 --> 00:17:02,710 Black hats frequently adjust their TX power to the max by altering the country code and then attach 174 00:17:02,740 --> 00:17:10,090 a very powerful antenna, like a Yagi, to their USB card and then conduct their attacks from a range that 175 00:17:10,090 --> 00:17:12,190 can be measured in miles. 176 00:17:12,460 --> 00:17:18,100 Because I live in the United States I cannot legally demonstrate this very simple technique, but it is 177 00:17:18,100 --> 00:17:23,580 not hard to find this information online, and bad actors will use it. 178 00:17:23,590 --> 00:17:27,870 This is also a factor for distributed denial of service attacks. 179 00:17:27,880 --> 00:17:35,080 Criminals can attack corporate routers or bump individual computers off a network using injection-capable 180 00:17:35,080 --> 00:17:41,020 cards, which again is something that we'll be looking at how to do in the following videos.
181 00:17:41,050 --> 00:17:46,990 So boosting their signal strength using these techniques that I'm alluding to gives them more options 182 00:17:46,990 --> 00:17:54,280 about how to position themselves physically relative to their target when performing radio-based attacks. 183 00:17:54,280 --> 00:17:58,120 So one more thing I want to mention, and that's about macchanger. 184 00:18:00,910 --> 00:18:03,920 macchanger is an excellent little program. 185 00:18:04,090 --> 00:18:11,920 However, there have been some rather disturbing bugs with it in the past as relates to older versions 186 00:18:11,920 --> 00:18:14,860 of Kali and certain chipsets. 187 00:18:14,860 --> 00:18:20,740 So I don't know which specific versions and which specific chipsets are affected. 188 00:18:20,800 --> 00:18:29,200 It is a small number, but in some cases when you use macchanger it will say that your MAC has been changed, 189 00:18:29,350 --> 00:18:36,130 but as soon as you associate with a network the MAC will switch back immediately to whatever the default 190 00:18:36,130 --> 00:18:37,680 value would be. 191 00:18:37,720 --> 00:18:44,920 And obviously this is a very bad thing for concealing your fingerprints and covering your tracks. 192 00:18:45,010 --> 00:18:56,780 So before you rely on macchanger, run it yourself and then log into your own router and check the router 193 00:18:56,780 --> 00:19:04,100 logs, and make sure that what you're seeing in the router logs as the connected device 194 00:19:04,640 --> 00:19:12,630 is in fact the spoofed MAC address and not the real MAC address. If it's the real MAC address, 195 00:19:12,800 --> 00:19:19,250 I'm afraid that macchanger may not be effective for your current version of Kali or possibly the 196 00:19:19,250 --> 00:19:21,950 chipset of the card that you're using. 197 00:19:21,950 --> 00:19:25,640 So this is something that's important, and you need to be aware of it.
198 00:19:25,700 --> 00:19:32,510 A lot of people have blind faith in macchanger, and it can definitely blow up in their face. 199 00:19:32,510 --> 00:19:34,610 So that covers the basics. 200 00:19:34,610 --> 00:19:41,270 I realize this was not a very exciting way to start out the Wi-Fi penetration module, but it makes more 201 00:19:41,270 --> 00:19:46,570 sense than explaining each of these steps at the start of each subsequent video. 202 00:19:46,580 --> 00:19:53,060 So once you're comfortable using these tools to change your interface, change your MAC address and find 203 00:19:53,060 --> 00:19:57,320 targets, you'll be ready for the real attack procedures. 204 00:19:57,320 --> 00:20:03,380 Our next video is going to be on reaver, and we'll be looking at just such attack methods using radio-based 205 00:20:03,380 --> 00:20:04,700 attacks. 206 00:20:04,700 --> 00:20:09,350 And we'll be using what we've learned here to target those attacks. 207 00:20:09,350 --> 00:20:11,050 So I hope to see you then. 208 00:20:11,090 --> 00:20:11,510 Thank you.