[00:00:00] Welcome to part two of this module. I'm rather excited because we finally made it to the first tool that I ever used, the legendary Reaver. Back in the ancient days of the early to late 2000s, Reaver was a master key that would allow you to hack into any Wi-Fi network pretty much without fail. It came prepackaged with BackTrack, the precursor operating system to Kali Linux, and many kids who had no knowledge of penetration testing or ethical hacking fired up this application and got themselves some free Wi-Fi.

[00:00:41] It was a golden age for black hats, as it required virtually no skill or finesse to use, but the commands used were arcane enough that it made you kind of feel like the real deal. Fortunately, Reaver is no longer the instant win that it once was. In fact, your odds of hacking into a router with it are actually pretty low, even though it can't possibly fail against most routers. Did I just contradict myself? As we'll see, router security has come a long way since the old days, and now things are just a bit more complicated. Reaver is a good starting point for this module because it was the starting point for many of us in the penetration business, but in all honesty you may find its usefulness somewhat limited.
[00:01:31] I'm going to explain how this works, but first I want to get it started, because this is one of those tools that you just sort of start and allow to run.

[00:01:42] In the last video we went over how to set up our Wi-Fi card in monitor mode, change the MAC address and use airodump-ng to scan the area for access points. For this reason I'm not going to reiterate all of those instructions here. Please see the prior video for more details if you need to. However, briefly put, I'm going to do airmon-ng, and this will show that I have two wireless cards for my interface devices. You don't really need two for this particular exercise, but I'm going to be using the Realtek wlan1, which is the Alfa card. It has a better signal and it will perform a little bit better.

[00:02:27] So I'm going to start out by doing ifconfig and I'm going to bring both interfaces down, and next I'm going to do macchanger, and this is absolutely something you should always do. It's just a good habit to be in: macchanger -a for a random MAC address. You could assign any MAC address you please, but I'm just going to do a random one. There we go. The Alfa has a random MAC address, and now I'm going to go ahead and put the card into monitor mode. But first, let me do airmon-ng check.
[00:03:13] We can see that we have got some potentially problematic processes running, so now do airmon-ng check kill to eliminate all of those. This might take a moment. OK, it didn't list that it was killing all the processes, but they're not showing up. Sometimes you need to check twice, but it seems to have been done.

[00:03:49] OK, we're almost ready. There are a couple of things I need to point out before we begin. First and foremost, many of the techniques demonstrated in this module will not work properly in VirtualBox. Realistically, you need to have Kali installed on a partition or you need to be running it off a USB device with persistence. You can also use a live CD, but if you don't have persistence you won't be able to resume your attack with Reaver should it be interrupted after you reboot or shut down your system. VirtualBox unfortunately gets really quirky about network adapters and it just doesn't play well with a lot of these Wi-Fi tools. So if you do airmon-ng in VirtualBox and you don't see your adapters listed, well, I'm sorry, that's VirtualBox. It's very problematic. There may be ways around it, but it would really derail the class.
[00:04:49] So I'm just going to proceed, but keep this in mind: you can't do this with VirtualBox, for all practical purposes. Second thing: many videos in this module will require you to have an injection-capable card, and I'll be speaking more about this in the next video. Reaver does not require this. However, that being said, having a strong card with a good range, boosted by a powerful antenna, will significantly improve your capability with Reaver. This is a radio-based attack, so the more powerful your radio, the better your performance is going to be.

[00:05:27] Last thing: it is illegal to use Reaver to hack into your neighbor's Wi-Fi. Never use this tool or any other tool to hack into anything that you do not personally own or have written permission from the owner to penetration test. In this module I'll be using an old Netgear router that I inherited when we upgraded the office for demonstration purposes. So, with all of that out of the way, let's get started. Whoops. I've just brought up wlan1 into monitor mode. Two cards, like I said, are not required for this.
[00:06:11] I'm just using the Alfa for the stronger signal. In older versions of Kali and in BackTrack, a card in monitor mode used to show up as either mon0 or mon1 or mon2, et cetera. In newer versions of Kali, "mon" is simply appended to the name of the card. In other words, instead of mon1 it is now wlan1mon. Your exact interface name may vary; for example, it may be wlan0mon or wlan2mon or even something else entirely.

[00:06:56] Now we're running airodump-ng just as we did in the previous video. We'll be pulling up our target's MAC address, ID and channel, and there it is. The demonstration's target in this video is named Sanjay Al. Please notice the power rating next to each target. The closer this number is to zero, the better. Generally speaking, if your number is at minus 70 or below, your attack will be significantly less effective. In fact, anything below minus 70 is pretty much guaranteed to be ineffective, although it's not completely impossible to succeed with a bad power level. What it really means is you'll be dropping signal a lot, and Reaver is going to have to reassociate constantly with the access point, and it will take a lot of extra time. It'll really drag the process down.
[00:08:00] If your signal strength is poor and you cannot get closer to your target, use a more powerful wireless card and/or a better antenna, such as, for example, a Yagi, which can improve your signal strength considerably. So we're going to copy the target MAC address now. Open another terminal, just in case we need that information again. I'm going to call up reaver. Here are all the switches that can be used with Reaver and a use case example of how to initiate it. I'll be starting Reaver and allowing it to run while I speak.

[00:08:34] The first thing we want to do is try the simplest form of attack first, which is the Pixie Dust attack. This can be accomplished with either -K or -Z (both uppercase). This attack almost never works against modern routers and it won't even work against this old Netgear, but I have seen it work more than I would like to see, and if it does work you will get the router password and the PIN in a matter of seconds. So always try the simplest approach first. So to that end, we're going to do reaver, and we're going to use -i (lowercase i) to specify the interface, which is wlan1mon in this case. We're going to do -b for the BSSID, that's lowercase b, and paste in the target's MAC address, and I will use -K (uppercase K). And actually we could do it this way, but to save time I want to see which channel it's on. Channel 1.
[00:09:47] Yeah, channel 1. So we will do -c (lowercase c) and specify channel 1, -f to prevent channel hopping, and -vv, which is double verbose. Briefly stated, you can use one v for just basic output; that's called verbose. Two v's will give you extra information, although it might be a little spammy, and three v's will give you the most output, but it's usually a lot of unnecessary information and it tends to clutter up the screen. I'll just use two v's for the moment. I'm not going to restore the previous session.

[00:10:33] As I said, this attack will fail against this router, right? What Reaver is doing here with Pixie Dust is attempting to exploit a WPS vulnerability that is present in certain router models. When it works, it is an instant win for the hacker, as both the router password and the PIN will be displayed. Generally speaking, Pixie Dust tends to be somewhat effective against Ralink and Realtek chipsets, although it rarely ever works against Broadcom. As I said, you can set it up so that this attack repeats several times or even loops, and at times you'll succeed after multiple failures. More often, if it doesn't work on the first or second try, it isn't going to, although signal strength does play a role. So repeating this attack multiple times will cause most modern routers to lock down, which is something I'll speak about more in a minute.
[00:11:37] That's why I don't really recommend it. I suggest you try Pixie Dust, and if it doesn't work after one or two attempts it's just probably not going to. So now that our Pixie Dust attack has failed, it's time to begin the brute forcing procedure. So we're going to begin with reaver, -i (lowercase i) for interface, wlan1mon, we'll give it our BSSID, and in this case I'm just going to do verbose in order to keep the amount of spam on the screen to a minimum. We don't really need to see every single NACK request and so forth. So we hit enter, not going to restore the prior session.

[00:12:24] I did not specify a channel, just to demonstrate that if you don't, Reaver will channel hop until it finds your target. It's only really worth remembering if you stop the attack and resume it later, only to find that your access point is no longer broadcasting on the same channel. I've seen it happen. Of course, in this case it was already broadcasting on channel 1.

[00:12:51] All right, so let's break this down a bit. So what is actually happening here? Well, as you can see, this is yet another brute forcing method of breaking through security. However, it is really not possible to try to brute force every possible combination of the WPA2 passkey.
[00:13:14] Well, I should rephrase: it's technically possible, but doing so would be extremely time consuming. We'll be looking at doing exactly that when we get to aircrack-ng. But remember, in penetration testing you always want to try the fastest and most direct method first. So why is Reaver faster? Well, some genius decided to include PIN authentication in the security of most wireless routers. If you have the PIN for the router, you basically own the network and can even obtain the passkey in plain text.

[00:13:52] So why was this Neolithically stupid? Well, the PIN code is just numbers. This dramatically reduces the amount of time you have to spend guessing a password that could in theory be over 20 characters long and completely random. It reduces the number of combinations possible from the millions down to approximately 11,000. Considering that Reaver splits the length of the PIN code in two, once it finds the first half, finding the second becomes even easier. In all likelihood you won't even have to do eleven thousand combinations at all.

[00:14:35] That being said, this attack will not be quick. The attack itself is not taking place locally on our system. We aren't trying to crack a file.
[00:14:47] Rather, we are conducting this attack remotely. Reaver associates with the target wireless access point and then proceeds to attack it in real time by trying to pass the PIN codes one by one. If any of them work out, Reaver will tell us the successful PIN and the password for the WPA key for that access point. It's slow because it happens one code at a time, but allowing it to run uninterrupted, the process should only take between about ten to twelve hours.

[00:15:26] Unfortunately, I said at the start of this video that Reaver is no longer the automatic win that it once was for hackers, and that is because router manufacturers have become a bit more savvy. While PIN codes remain enabled by default, some routers, particularly high-end corporate models, do allow administrators to change or even outright disable PIN codes. Manufacturers have also instituted defense mechanisms against this sort of brute force approach in the form of lockdowns. Basically, updated modern commercial routers tend to lock down after so many failed PIN attempts per so many minutes of real time. These lockdowns prevent further PIN guesses. These lockdowns are automatic and generally last for a certain length of time, which varies from router to router. Sometimes a lockdown will only last about 10 or 15 minutes. Other times it can be over an hour.
[00:16:31] I once came across a router that locked down for two full days, although we have heard of a certain model that locked down permanently. I've yet to actually see this happen, as it would be a major problem in terms of legitimate users authenticating with the network, and would make DoSing a network as easy as failing to associate with it a few times. So the long and short of it is, if your target locks down you're going to see the following message: "WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking". Now, this old router isn't going to lock down in that way, but this is what the message would look like if it happened. And this is basically the kiss of death. It means that a direct guess-by-guess brute force attack against the target is going to be mind-bogglingly slow, because if you only managed to get in, let's say, 5 to 10 guesses and then you'd have to wait out the router's lockdown, which let's say lasts for an hour, well, you get the idea. The process will take so long it's not going to be worth it.

[00:17:41] And you may notice that Reaver tries the same PIN multiple times even if a lockdown has not happened, and this has to do with various factors including signal strength and the router just being finicky. See, 10 failed connections in a row; it's trying the same number over and over again. Now, it will get past this eventually.
[00:18:06] So I'm going to use Ctrl+C and I'm going to stop Reaver for the moment. If you suspect that a router may have locked down on you, because you see the same PIN being tried over and over, you can use the wash command to check out its status. Whoops, sorry, that's wash -i wlan1mon. Interesting, it hasn't locked down, and Ctrl+C will exit the wash scan. Here you can see the router status: "No" under Lock means that the router is still unlocked. If this said "Yes", that means you're out of luck for the moment and you're going to have to wait out the lock.

[00:18:58] The question now becomes, what can you do with Reaver if you're up against an up-to-date router with proper defenses that has the annoying habit of locking down on you? Fortunately, Reaver has a lot of options that you can try to sidestep this, and the best approach is going to vary from router to router. It's a good idea to look up the model of router you're up against to see which tactics work the best. I can't cover every possible approach, but we can look at this in broad terms. As you see, there are loads of options that come with Reaver. These switches allow you to customize your attack, and you will have to do this against most routers.
[00:19:45] Even if you're able to find exact details online for a particular router model and find exactly what worked for someone else against a particular chipset, you may find that you still have to play around a bit and fine-tune things, and how painful this ends up being will depend a great deal on the amount of time your target stays locked down.

[00:20:08] For one thing, you may want to hide your attacks, and I need to clarify and say that I don't mean you need to hide who you personally are. It is virtually impossible to track the source of a Reaver attack as long as macchanger has been used to change your MAC address. As long as you're not associated with the network but just using your card for radio-based attacks, it's functionally impossible to figure out who you are. However, masking the attack may help in the case of access points that have paranoia-level security configurations. One example might be to use the -w switch (lowercase w) so as to mimic a Windows 7 registrar, or use -N (uppercase N) to specify that you don't want Reaver to send a NACK for any out-of-order packets, which in a very few instances has been known to tip off certain models that, hey, maybe we are under attack.
[00:21:13] This process that we're seeing looks automated, better lock down. So the real trick is going to be setting up a delay between our PIN guesses. If we know that an access point will lock down after five failed guesses per 60 seconds and stay locked down for an hour, then it makes sense to set a limit of two or three guesses per minute. This will greatly increase the amount of time it takes to find the correct PIN. As I said, the delay for each model of router is going to be different, and if you can't find a specific number online you're going to have to guess.

[00:21:52] That being said, black hat hackers have been known to use extremely cheap little devices, such as a five dollar Raspberry Pi loaded with Kali, attach a simple USB Wi-Fi dongle, and leave it hidden somewhere at a pen testing site, or an attack site, to carry out just such a process over a longer timescale. And of course the next door neighbor who's trying to steal your Wi-Fi is probably perfectly happy to leave his computer on for a week until he gets the right PIN.
[00:22:29] So to do this, we're going to do reaver, interface, that's -i wlan1mon, -b for the BSSID just the same, we'll paste that in there. We're going to do -r and we're going to do 2:60. So what this is doing is we're specifying two guesses every 60 seconds. Notice that Reaver gives us the option to resume our prior session even though we've changed the exact nature and structure of the command. We're going to do so.

[00:23:06] Again, the delay required is going to vary from router to router, but one of the points I want you to be aware of is that there is always going to be a specific set delay. Eventually this has to work, because every router out there has a hard-coded limitation on these things. You have to basically say you have X number of tries in X amount of time before a lockout. It's an if-then statement hard-coded into the firmware: if X number of failed tries, then lock down for X amount of time. And they have to have a limit; they can't use infinite values. As long as you are above those stated values, this will work for you. Some people have reverse engineered certain models of router and posted this information online. If you can't find it, then I'm sorry, you're stuck with some trial and error. See when it works, when it does not work, and tweak your settings up or down accordingly until you find the fastest possible timing that works for your target.
[00:24:15] Like I said, eventually you will succeed. However, the amount of time this method requires, and the requirement that your attacking system and card be within a certain proximity to the target, may render this entire approach unviable in certain cases. And I forgot to set verbose on. Stop this; I'm going to add verbose and I'm going to resume, because that made for a boring screen and I apologize. We can see that it is in fact working: of all the possible eleven thousand combinations, zero point three six percent have been tried so far. If I stop it and put it into double verbose, it'll make for more interesting spam.

[00:25:06] So in the old days black hat hackers would actually park outside of financial institutions that had weak routers and run Reaver from the comfort of their car. Since the attack could be resumed, they could do this on their lunch hour, then resume the attack the next day and the next and the next and so on, until eventually they got the correct PIN. As I said, uninterrupted, eleven thousand combinations will take about 10 to 12 hours in total, although it can get lucky and hit the correct PIN on the very first try. You never know. But when the required delay becomes gargantuan, it may not be realistic to conduct such an attack over a timescale of weeks or even months.
[00:25:58] Remember also that many routers allow a system administrator to change their PIN as easily as pushing a button, and a protracted attack over a long timescale is a lot more likely to be detected in the router logs, even if they can't zero in on the attacker through any conventional method. A security professional who knows how Reaver works and sees the same person within range of the access point every day with a laptop can often put two and two together. This is why Reaver, while still a powerful and dangerous tool, is no longer ideal for all penetration testing scenarios.

[00:26:43] All security professionals should acquaint themselves with how it works, because if the attack is detected they need to know what to do next. Disabling PIN authentication is a surefire defense against Reaver, though many routers do not allow that. Changing the PIN every single day, or even every hour, and yes, I have seen some administrators do that, can also make Reaver attacks pretty pointless. Then of course, if you are an administrator and you see all of these failed PIN attempts, you might start looking through security cameras to see who is nearby with a laptop and maybe a wireless card.
[00:27:24] You might also look around for small devices like Raspberry Pis or cheap little Android devices hidden behind desks or near concealed power outlets. And remember that having the PIN code means that you have the password until the PIN for that router is changed or removed completely. All you need to do if the password is changed is run Reaver using the already guessed PIN.

[00:27:55] Now, I could let Reaver finish; it's at zero point fifty-five percent, but I don't think we want to sit here for 10 hours, so I'm going to stop this session and I'm going to use reaver -i, specify the interface, and give it the target once again, and this time we're going to say -p (lowercase p) for the PIN, and this one is 4 3 4 1 3 7 7 5. I've cracked this before. Whoops, double verbose, and it'll take just a minute. I think I mistyped the PIN because it jumped to ninety point nine one percent. Let's stop this. Which, by the way, is what happens: it can go from 5 percent to ninety nine percent if it gets close to the correct PIN. See, 4 3 4, and there we go, the password. It gave us the plain text passkey, and it's just as simple as that. And no matter what the password is changed to, as long as the PIN remains the same, and as long as you have that PIN, you can always get the password in plaintext or even log in directly to the router itself. So Reaver does still work.
[00:29:17] It's no longer the master key that it used to be; it's more like a set of really good lock picks. It requires a bit of finesse to get it to work right, but given enough time and patience, eventually it will work for you. So I hope this tutorial was helpful. As I said, Reaver was my first tool. It's an excellent one, but as we approach 2020 and beyond it probably won't be your first choice for Wi-Fi hacking. As we continue with this module, we'll be looking at other methods of Wi-Fi hacking, some of which can be done offline without having to remain in protracted contact with the access point. So have fun penetration testing your own personal router that you own, and I'll see you in the next video. Thank you.
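Editor's added worked example, placed after the transcript: this is not code from the video and not Reaver's own source. It models two things the lecture explains in words: why the WPS PIN search tops out at 10^4 + 10^3 = 11,000 guesses rather than 10^8 (the AP rejects a wrong first half at message M4 and a wrong second half at M6, and the eighth digit is a checksum of the first seven), and what the -r x:y pacing buys you against a router that locks after a few failures. The SimulatedAP class, its lockout policy (five failures in 60 seconds, then an hour locked, which is the lecture's hypothetical), the two-second cost per attempt and the PINs 12345670 and 99999995 are all constructed for illustration, not the behaviour of any particular router; the check-digit routine is the WPS checksum algorithm.

```python
"""Model of the WPS PIN search space and of paced guessing against a rate-limiting AP.

Editor's added example: not code from the video and not Reaver's own source.
The SimulatedAP, its lockout policy, the per-attempt cost and the PINs used below
are assumptions for illustration, not the behaviour of any particular router.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def wps_checksum(first7: int) -> int:
    """WPS check digit: weighted mod-10 sum over the first seven PIN digits (WPS spec)."""
    acc = 0
    while first7:
        acc += 3 * (first7 % 10)   # digits 7, 5, 3, 1 (counting from the left) weigh 3
        first7 //= 10
        acc += first7 % 10         # digits 6, 4, 2 weigh 1
        first7 //= 10
    return (10 - acc % 10) % 10


def pin_is_valid(pin: str) -> bool:
    """True if pin is eight digits and its last digit is the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


@dataclass
class SimulatedAP:
    """Toy access point (assumption). Answers like the WPS exchange: a wrong first half is
    rejected at M4, a wrong second half at M6. With max_fail set, max_fail failures inside
    window_s seconds lock the AP for lock_s seconds, the lockdown the lecture describes."""
    secret_pin: str
    max_fail: Optional[int] = None      # None: no rate limiting (like the old router in the video)
    window_s: float = 60.0
    lock_s: float = 3600.0
    failures: List[float] = field(default_factory=list)
    locked_until: float = 0.0
    lockouts: int = 0

    def try_pin(self, pin: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"
        if pin[:4] != self.secret_pin[:4]:
            outcome = "m4_nack"         # first half wrong
        elif pin != self.secret_pin:
            outcome = "m6_nack"         # first half right, second half wrong
        else:
            return "success"
        self._record_failure(now)
        return outcome

    def _record_failure(self, now: float) -> None:
        if self.max_fail is None:
            return
        self.failures = [t for t in self.failures if now - t < self.window_s] + [now]
        if len(self.failures) >= self.max_fail:
            self.locked_until = now + self.lock_s
            self.lockouts += 1
            self.failures.clear()


def reaver_style_search(ap: SimulatedAP, attempt_s: float = 2.0,
                        pace: Optional[Tuple[int, float]] = None) -> Tuple[Optional[str], int, float]:
    """Split search as Reaver does it: first halves 0000-9999 until M4 passes, then second
    halves 000-999 with the checksum appended. pace=(n, secs) mimics -r n:secs (sleep secs
    after every n attempts). A lockout is waited out. Returns (pin, attempts, virtual_seconds)."""
    now, attempts, since_pause = 0.0, 0, 0

    def submit(pin: str) -> str:
        nonlocal now, attempts, since_pause
        while True:
            res = ap.try_pin(pin, now)
            if res != "locked":
                break
            now = ap.locked_until          # wait until wash would show "Lock: No" again
        attempts += 1
        now += attempt_s
        if pace is not None:
            since_pause += 1
            if since_pause >= pace[0]:
                now += pace[1]
                since_pause = 0
        return res

    first_half = None
    for h in range(10_000):
        pin = f"{h:04d}000{wps_checksum(h * 1000)}"   # second half is filler during phase one
        res = submit(pin)
        if res == "success":
            return pin, attempts, now
        if res == "m6_nack":
            first_half = pin[:4]
            break
    if first_half is None:
        return None, attempts, now

    for s in range(1_000):
        pin = f"{first_half}{s:03d}"
        pin += str(wps_checksum(int(pin)))
        if submit(pin) == "success":
            return pin, attempts, now
    return None, attempts, now


if __name__ == "__main__":
    for label, ap, pace in [
        ("no lockout, unpaced", SimulatedAP("12345670"), None),
        ("worst-case PIN, no lockout", SimulatedAP("99999995"), None),
        ("5 fails/60 s locks 1 h, unpaced", SimulatedAP("12345670", max_fail=5), None),
        ("5 fails/60 s locks 1 h, -r 2:60", SimulatedAP("12345670", max_fail=5), (2, 60.0)),
    ]:
        pin, n, t = reaver_style_search(ap, pace=pace)
        print(f"{label:34} pin={pin} attempts={n:5d} lockouts={ap.lockouts:3d} hours={t / 3600:.1f}")
```

Run as a script it prints one line per scenario. The worst-case PIN needs exactly 11,000 attempts, the figure quoted in the lecture; the unpaced run against the rate-limiting AP trips the lock every five guesses and waits an hour each time, while the -r 2:60 run never trips it but spends about sixteen virtual hours instead of one, which is the trade-off the lecture describes when it says the delay will greatly increase the time to find the PIN.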