[00:00:00] Welcome to part three of this module. In this video we're going to be looking at capturing WPA handshakes in real time and then cracking them for plaintext passwords using aircrack-ng. The advantage of this approach over what we saw in the last video on Reaver is that once you have the handshake file you no longer need to be anywhere near your target. You could be a million miles away and you can still crack it. It is therefore possible to walk up to an access point, bump a client off of it using packet injection or just wait for a client to associate on its own, thereby grab the handshake, and then walk away with it. Once you have the handshake, cracking it is just a matter of time and computer power.

[00:00:50] Before we begin I do have to point out that what you are going to see here will not work correctly in VirtualBox. You therefore need to have Kali installed to a dedicated partition on your system, or you need to be live booting it. A USB live boot with persistence will work, but if you live boot without persistence nothing you do will be saved between reboots. The other thing about VirtualBox is that it is a very poor choice for password cracking. A virtualized system is going to be using a fraction of the available resources of a real system, which is going to make an already slow process even slower.
[00:01:35] This video will also be covering the basics of packet injection. In order to do this you will need a wireless card with a chipset that is capable of packet injection. Not all of them are; in fact the vast majority of Broadcom cards that come shipped with commercial laptops will not be capable of doing this. If you don't have the right card that's OK; several steps of this tutorial will still work for you, but you won't be able to perform any attacks that call for injection. In other words, you can still capture the handshakes and crack the passwords, but you won't be able to bump anyone off the network or DoS a router. I'll speak more on this as we go along.

[00:02:25] Finally, I'm going to skip over the basic setup for these attacks, because if you've been following these modules in order you've already seen this information. If you have any questions about what I'm doing to get this process started, please see video 1 of this module. OK, so we're going to begin by opening a terminal window in Kali. aircrack-ng comes prepackaged with Kali and it is located under Applications, Wireless Attacks, so we don't actually need to install any packages or dependencies, provided that we are using an up to date version of Kali.
[00:03:06] So at this point we're going to use airmon-ng to confirm that our cards are recognized, and they are, good, because one particular step of this process is going to require the use of two cards at the same time. So I'm going to bring both of these into monitor mode. If you type airmon-ng in VirtualBox you won't see your cards displayed. If you aren't using VirtualBox and still don't see your cards displayed, you may need to update your drivers. In any case, we'll begin by taking both of these cards down: ifconfig wlan0 down, ifconfig wlan1 down. And once again, the names of your interfaces may vary depending on your card and what specific operating system you're using. They will generally be wlan0 or wlan1, but if the name varies just use whatever name you see displayed under Interface in airmon-ng.

[00:04:13] So with that we'll change the MAC address on both cards, because it is simply a good practice. And once again, if you have configured macchanger to do this automatically every time you boot your system you may not need to do this. But keep in mind the bug that I mentioned in the first video: macchanger can sometimes claim that the MAC was changed and then it will revert back the second your card associates with a network. So be sure to test it out before you put your trust in it. macchanger -a, for a random MAC, wlan0.
[00:04:48] macchanger -A wlan1. There we go. Now we'll do airmon-ng check. Verify: there are indeed processes in operation that are going to mess things up, so we will then do airmon-ng check kill. Again, if this is new to you please see the first video in this module. And we'll do airmon-ng check one more time. Excellent, all of these processes are now dead. We will now bring both of our cards back into monitor mode: airmon-ng start wlan0, airmon-ng start wlan1.

[00:05:41] Now I know I said this in a prior video and I don't want to repeat myself too much, but this confuses so many people that I am going to repeat it. Older versions of Kali change the card name simply to mon0, mon1, mon2, etc. Newer versions of Kali will append "mon" to the name of the card. In this case the built in Wi-Fi card on this laptop is now wlan0mon, which signifies that wlan0 is now in monitor mode. The injection capable card, which if you're wondering is an Alfa by the way, is wlan1mon.

[00:06:18] All right, so both cards are now operating in monitor mode. Our goal is now going to be to capture a WPA handshake between the router that we wish to attack and a client using the correct password.
[00:06:37] For this we need to use airodump-ng, first to find the correct network and then to scan it individually and capture the handshake in real time as it is taking place. airodump-ng wlan0mon. Let airodump populate for just a moment... and I think that's enough.

[00:06:59] We don't need to see every router within range, so I'm going to quickly explain what's about to happen. We've just used airodump-ng in a very general way, as we did in the first video in this module. This is simply giving us the lay of the land, so to speak. Our demonstration target router is once again going to be Sanyal, an old Wi-Fi router that I inherited when the office was upgraded. So when you're done running airodump-ng, just press Ctrl+C to get back to the command prompt. The important thing here is that we now have the MAC address of our target as well as the ESSID, or name, if we didn't already know what it was. This information is important, along with the channel of our target, not just to target our attack but also for the cracking process itself. So be sure to write it down if there's any danger that you'll forget it and be unable to get it again later; copy-pasting into Leafpad works great. In fact, I will do just that. Remember to record this information. You will need the channel number, the name and the MAC address later in this process.
[00:08:19] And if you're no longer near the access point you'll have to get that information again. Now, as I said, our goal is to capture the handshake between the client and the router in real time. Once we have the handshake we can work on cracking it at our leisure. The cracking process can be done anywhere, on any computer, but the capture does require you to be within reasonably close proximity to the target access point. As mentioned previously, a PWR rating of minus 70 or below will probably make capturing the handshake very difficult, if not impossible.

[00:09:01] Remember that what you are about to see is illegal in most countries unless you own both the target router and the computer that is logging into it, or have written permission from the owner of both the network and the computer to conduct a penetration test. If you don't own it or have permission to do it, don't do it, or it could land you in really hot water, legally speaking.

[00:09:27] So what we need to do now is make airodump-ng scan just the target access point. This scan varies from the generalized scan: our card is just going to be focusing on picking up everything it can from our target while ignoring everything else going on around it. We also need to tell airodump-ng to write the handshake into a file as soon as it captures it. Otherwise we're not going to have anything to crack later.
[00:10:01] Actually, I'm going to copy this first, to get us started here. airodump-ng wlan0mon -c 1 -w handshake --bssid, and then we give it the MAC address of the router. So what we're doing here: we are specifying our interface, and again yours may vary, but in this case it's wlan0mon. Then we specify the channel that the target router is using. This is very important. That's -c, lowercase, and then we're going to use -w, lowercase, which is telling airodump to write the handshake file once it is captured, and you can call it whatever you want. I named it handshake, just to be simple, but you could name it whatever your router is named. And then we specify --bssid followed by the MAC address of the target. So we're going to press Enter.

[00:11:16] OK, airodump is now conducting a focused scan against our target, which again in this case is named Sanyal. From here we have two choices. Right now there are no computers associated with the target router; in other words, nothing is logged in. If we want to be stealthy, or if we just don't have a wireless card that is capable of packet injection,
[00:11:43] what we can do is leave our computer on in this state and let airodump-ng run just like this for however long it takes. And hopefully, sooner or later, a computer will come along and associate with the target router. When that happens we will, with a little luck, capture the handshake. Now obviously this method takes a lot longer, but it is very quiet and kind of sneaky. Packet injection, on the other hand, tends to be very noisy, because it involves bumping a client off the network through brute force. Since most computers are configured to reconnect to the Wi-Fi automatically if the signal drops for any reason, most target clients will do exactly that. Whether the target logs into the Wi-Fi on their own, or whether we bump them off and they automatically re-associate, doesn't really matter. Either way we should get the handshake.

[00:12:46] So to start off, I'm going to log into Sanyal using a broken down laptop I picked up at a thrift store for these demonstrations. With luck we'll be able to capture the handshake immediately, but be warned: things aren't always that simple in real life. Signal strength and the quality of your card and/or the antenna that you're using play a major role. And it is entirely possible for airodump-ng to miss the handshake on the first or even second try.
[00:13:18] If your signal strength is minus 70 or worse you might find that this is impossible, or at the very least quite difficult. And there we go. The WPA handshake is now visible in the upper right hand corner. Now I confess: what seemed to happen immediately actually took several tries, and it's only the magic of editing that made it seem to happen so seamlessly. Even with a strong signal, you're not guaranteed to capture the handshake on the very first try.

[00:13:52] In any case, because we specified that we wanted the capture files to be written, several capture files have now been created by airodump for the handshake itself. These normally go into the root directory, but since my root directory is very cluttered I've moved them to the desktop for simplicity's sake. As we can see, we now have handshake-01.cap, a .csv, another one for Kismet, and still another one, .netxml, again for Kismet. These are different formats that we can crack with various tools.
[00:14:37] In this demonstration we'll be using aircrack-ng to crack the .cap file. Either way, because we have these files we no longer need to be in close proximity to our target, nor do we even need to use the machine that we used to capture these files in the first place. We could, for example, take these files to a computer lab somewhere and use a supercomputer with sixty five high end graphics cards for the brute forcing procedure, or even use just a regular computer, but several of them, to divide up the load, which is something I'll talk about a little later. The point is, once you grab the handshake you can just walk away, unlike with Reaver, which requires you to remain rooted to one spot for the duration of the attack.

[00:15:24] Before we load up aircrack and go to town, however, it's time to talk about DDoSing with packet injection. I realize that some of you were probably waiting for this. So here it is. Just remember that it is highly illegal to do distributed denial of service attacks against any target that you don't own. In fact, if there's even the slightest chance of interfering with any system that you don't personally own, don't do it. Of course, as a network administrator in a defensive role you need to know how this works. So here it is. Now, I mentioned that I'm using two wireless cards in this demonstration.
[00:16:08] The first card is the built in card that came with the laptop itself. It is not capable of packet injection, but it's just fine for capturing a handshake. So we put this card into action with airodump. While that card is scanning, we use a second USB card that is capable, to launch our distributed denial of service attack. In this case I'm using an Alfa Networks AWUS036H. In a couple of demonstrations I may also use an AWUS036NH, which is a bit newer, although I have found it to be slightly inferior in terms of reliability.

[00:16:55] In any case, for a full list of cards with injection capable chipsets, please look online. The Alfa series tends to be very popular and works out of the box with Kali, but beware of counterfeits. A quick search will show that there is no real consensus about which model of card is the quote unquote best for Wi-Fi hacking. And while I have always found the Alfa cards to be reliable, they are somewhat old, and I am aware that there are newer options out there that have potentially better specs. Ultimately you simply have to research it and decide what suits you the best. If you do invest in a card, you should also consider investing in a good compatible antenna.
[00:17:44] I will recommend that you steer clear of the older Netgear cards, as I found these to be extremely unreliable and often requiring special drivers to make them work in both Kali and Windows.

[00:17:57] At any rate, let's get started. So I'm going to begin by running airodump-ng again. Like I said, we're not going to write the file this time; we're just watching the access point. I'm actually going to adjust the size of this terminal window a bit. We don't need it to take up the full screen, and I actually want a second window open for the attack itself. That should be good. All right, so we can see that there is a computer associated with our target network.

[00:18:35] Now there are two ways that we can do this. We can deauthenticate a single client, such as the laptop I just associated with the router. In this case we just bump that one computer off the network for as long as the attack lasts. Once we stop flooding the target with packets it can re-authenticate in the normal way. Alternatively, we could attack the router itself. In this case all clients that are currently connected will be dropped, and the router will be unable to function properly for the duration of the attack.
[00:19:09] So we're gonna do aireplay-ng, and I'll expand this briefly to show off the different features, the different switches, just to give you an idea.

[00:19:37] OK. So to do this we're gonna do aireplay-ng --deauth, which specifies our attack method, 0, which I'll explain in a moment, -a for the access point, which is going to be the BSSID of the router that we are targeting, -c for client, which is the MAC address of the laptop or station associated with the router that we're targeting, and then we need to specify our interface, which in my case is wlan1.

[00:20:17] So to start out we'll attack just the laptop; we'll bump it off the network. If we didn't already have the pcap file we'd run airodump in another terminal window, such as the one up here, and capture the handshake when it re-associates, although since we've already done that I'm not gonna bother doing it again. So the sequence here is aireplay-ng --deauth, which is the deauthentication attack; 0 specifies the number of packets per burst. The 0 doesn't really mean 0, but it tells aireplay that we can loop the attack; in other words, it's going to keep broadcasting continuously until we interrupt it. And as long as it continues to broadcast, our target should be unable to associate with the network. Right.
[00:21:09] So we are now deauthenticating the client from the target router. Unfortunately there's no way to see in the video that this is actually working, but the laptop is in fact unable to connect to the Internet. It still will show up as being connected to the router itself, but that's only until it attempts to reach a website. When we end the attack it will attempt to re-associate, and if we were recording the handshake we would capture it at this point. For as long as the attack continues to loop, the target will not be able to use the Internet.

[00:21:45] All right, so that should be good enough. You can let the attack run for as long as you want, but it's definitely off the network. So to end the attack we just press Ctrl+C and the laptop will re-associate... and there it goes. And to verify this... and there it is.

[00:22:10] So now I'll show you how to attack the target router. It's essentially the same process; we're simply going to remove the -c and the MAC address for the client, leaving -a, lowercase, and the MAC address for the router. And once again there's no good way to see this in airodump, unfortunately. But all clients that are currently connected to the router have been dropped.
[00:22:47] They may still show up as being associated, but they won't have an Internet connection, and for as long as this attack continues the router will be effectively unusable. It's being jammed by all of the packets that we're sending. When we stop the attack, all computers that were associated with the network will tend to re-associate automatically. The only time this would not happen is when you have a computer where the user has specifically configured things to not automatically join an available network that it was just connected to, in other words to not reconnect in the event of a connection drop. This, by the way, is how you would defend your own machine against such an attack if one were suspected.

[00:23:30] But obviously there is no way to enforce a policy of denying all users of a router the ability to automatically log back in, since this is configured locally within the computer's operating system. And unfortunately, again, there's no way to tell, short of trying to log in, that you have successfully deauthenticated the router. But if you're seeing what's currently being displayed on the screen, it is being jammed. I can tell that my demonstration laptop is no longer connected to the Internet. But again, sadly, it won't be reflected in airodump-ng. That is why leaving the attack running for a while is a good idea, since you usually can't see the targets drop off. After a few minutes,
[00:24:14] go ahead and cancel it, and then most devices will reconnect. So to do that we just press Ctrl+C. This was how you DoS a router or knock an individual client off a network. It really is frighteningly and frustratingly simple. For as long as the attack continues, the target will simply be unable to access the Internet. If you've configured airodump-ng to listen for and write the handshake to a file, you should be able to easily and almost instantly capture the handshake of any router that you are in close enough proximity to.

[00:24:52] So once you have the handshake .cap file, how do you crack it? OK, this is where aircrack-ng comes into play. So now we move on to the cracking part of the presentation. There are a couple of ways that we can do this. Over the course of this class I've demonstrated many, many examples of brute forcing using a password list, and there isn't really a whole lot to say about it that is new information. Putting it in basic terms, we can take a word list file, usually called a dictionary, and have aircrack run through it from start to finish, checking it against the captured handshake until hopefully it finds the correct password. Kali Linux has several word lists pre installed that you can use, such as the rockyou word list. So please see the prior videos
[00:25:46] for more information about that. And with that being said, trying to crack a password in this way is going to be an extremely painful experience in the vast majority of cases. So we're going to get started here. We're going to do aircrack-ng, and I'm really just doing this to show you the syntax, because we're not going to try to do it this way. We'll give it the path to the word list, handshake-01.cap, and we have to do -e and specify the ESSID. Now remember I said to write down the ESSID; aircrack does require you to supply it, and if you don't supply the correct ESSID this won't work.

[00:26:32] I'm not even going to let this run this way, because from this password file I already know that the correct password isn't there and it will take a million years. You see, the problem here is that our hardware is limited. Even if you have a supercomputer, state of the art and specially designed for cracking, this process is still going to be extremely slow. It is important to take into account the language being spoken in the region in which you captured the handshake. If you live in France, for example, then a word list of English words is quite possibly going to be a waste of time. You'll enjoy better results using a list of words in the appropriate language.
[00:27:15] The second problem is that this method is just a straight brute force attack. It will read every word in the dictionary, and if the password is there then eventually you'll crack it. If not, then you've wasted your time, and that's when things get messy. So there are a number of ways to run aircrack in such a way that we can tell it to combine characters and numbers up to certain predefined limits, using crunch, which I'll demonstrate here in a moment. There are also several services online that black hats sometimes upload capture files to, anonymously of course, and then crack the handshake for them using powerful computers. I'll talk about that a little later. Finally, it is possible to divide the load between multiple different computer systems, if you have them.

[00:28:07] I'm getting ahead of myself, though. If we let this process run long enough with a strong enough dictionary file, aircrack will eventually get the correct password. This is because I put the password into the file manually, but in a real world situation trying to crack a decently long or complex password in this way is likely going to fail, and at the very least it's going to take tens of thousands of hours. It's really not worth it. So let's dive into this.
329 00:28:38,830 --> 00:28:44,770 One of the primary problems that we're going to run into here is that we're unable to generate vast 330 00:28:44,830 --> 00:28:53,860 amounts of passwords and character combinations. A file containing all passwords and all possible combinations 331 00:28:53,950 --> 00:28:58,210 of words would take an impossible amount of disk space. 332 00:28:58,210 --> 00:29:00,910 Fortunately, we don't need to do that. 333 00:29:01,030 --> 00:29:05,310 We don't need to rely on a password file at all. 334 00:29:05,350 --> 00:29:11,820 We can use crunch to pipe predefined character sets right into aircrack-ng. 335 00:29:11,950 --> 00:29:21,310 In other words, if we give crunch 1234 as parameters, it will feed aircrack-ng all combinations 336 00:29:21,310 --> 00:29:24,280 of 1234 that are possible, 337 00:29:24,340 --> 00:29:28,750 one by one, without actually writing them to a file anywhere. 338 00:29:28,750 --> 00:29:35,020 The upshot of this is that you don't need a billion terabyte word list file, and you don't need to monkey 339 00:29:35,020 --> 00:29:42,010 around with switches trying to get aircrack to combine and break apart different combinations of things 340 00:29:42,010 --> 00:29:49,290 that are already in your word list. The downside is that if this process is interrupted for any reason 341 00:29:49,320 --> 00:29:52,810 you can't resume it like you can with Reaver. 342 00:28:53,100 --> 00:29:59,730 And since nothing is written, you can't see what word aircrack left off on, go into a word list, and delete 343 00:29:59,760 --> 00:30:05,460 everything before that word to get aircrack to pick up where you left off. 344 00:30:05,640 --> 00:30:12,070 This means you need to be fully prepared to leave your computer on for an extended length of time.
345 00:30:12,300 --> 00:30:18,540 So I could have let this run for a while and shown you how completely ineffectual it is to try to attack 346 00:30:18,900 --> 00:30:23,600 this particular file with a word list, but I don't think we want to sit here for hours. 347 00:30:23,850 --> 00:30:29,460 Instead, let's crack this password by combining the output of crunch with aircrack-ng. 348 00:30:29,520 --> 00:30:36,460 Now, I believe I said in the crunch video that I'd be elaborating on this process when we got to this point. 349 00:30:36,480 --> 00:30:41,780 If you have questions about crunch itself, please go back and see that entry again. 350 00:30:41,790 --> 00:30:48,180 In basic terms, if you just want the process itself: crunch is the tool that will generate character sets 351 00:30:48,180 --> 00:30:54,210 for us for the purpose of brute forcing. It has a video dedicated to it already, but full understanding 352 00:30:54,210 --> 00:30:59,110 of it is not required to get started using it in this way. 353 00:30:59,160 --> 00:31:04,320 So crunch comes prepackaged with Kali, but if you're using a different operating system you might need 354 00:31:04,320 --> 00:31:14,690 to download it. To begin with, let's just type crunch 3 5 abcd. 355 00:31:17,580 --> 00:31:24,270 Doing this gives us an idea of how long our parameters are going to be and how big they would be in 356 00:31:24,270 --> 00:31:26,440 terms of space. 357 00:31:26,520 --> 00:31:34,320 We typed crunch, and the first number was the minimum character length, the second number was the maximum 358 00:31:34,320 --> 00:31:39,140 character length, and then we gave it a set of four characters to work with. 359 00:31:39,780 --> 00:31:43,520 If we just let this generate for us, we can see the amount of data.
360 00:31:43,530 --> 00:31:50,010 This would translate out to, in this case, 7,680 bytes' worth, or 1,344 361 00:31:50,010 --> 00:31:53,770 different possible passwords. 362 00:31:53,780 --> 00:32:00,690 Now obviously that's nothing major, but if you play around with this you can see just how big these combinations 363 00:32:00,690 --> 00:32:01,400 can get. 364 00:32:02,270 --> 00:32:04,310 For example, let's try 365 00:32:04,310 --> 00:32:17,530 crunch 3 7 and we will specify the alphabet. And wow, look at that. So the file size has grown exponentially 366 00:32:18,820 --> 00:32:26,870 and the amount of passwords that crunch will generate to be used as guesses has become much larger. That 367 00:32:26,870 --> 00:32:30,950 being said, this is still not a very big pool of possibilities. 368 00:32:31,100 --> 00:32:37,520 If the correct password is among them it will still fall very quickly, provided you are using a modern 369 00:32:37,520 --> 00:32:44,630 computer. 60 to 70 gigabytes or so is fairly trivial. 370 00:32:44,630 --> 00:32:46,940 So what happens if we specify a length of 371 00:32:49,530 --> 00:32:50,900 10? 372 00:32:50,950 --> 00:32:52,240 Just look at what happens: 373 00:32:54,900 --> 00:32:56,870 now in the petabytes range. 374 00:32:56,890 --> 00:33:04,370 Now let's see what happens if we add numbers 2 3 4 5 6 7 8 9 and 0. 375 00:33:04,930 --> 00:33:14,960 Yeah, 36 petabytes, and this is the number of possible password combinations. So I'm sure you get the point 376 00:33:15,020 --> 00:33:21,320 and I promise I'll stop belaboring it, but let's just go hog wild and pretend that we set a maximum of 377 00:33:21,320 --> 00:33:32,010 30 possible, just to be crazy: almost 7000 petabytes, and I don't even want to attempt to say this number.
378 00:33:32,020 --> 00:33:38,320 So unless you're working for the National Security Agency, you probably don't have this much storage 379 00:33:38,320 --> 00:33:39,740 on your computer. 380 00:33:39,910 --> 00:33:46,090 The bottom line is, no matter what you do, you just can't generate this kind of information as a file 381 00:33:46,360 --> 00:33:52,920 to be stored locally and then to be used as a word list. It is a practical impossibility. 382 00:33:53,020 --> 00:33:58,990 But what you can do is pass this information directly through aircrack-ng as it is being generated; 383 00:33:59,620 --> 00:34:02,010 that way no space is being used. 384 00:34:02,410 --> 00:34:05,120 So let's do that now. 385 00:34:05,710 --> 00:34:07,000 Clear the scr... 386 00:34:07,000 --> 00:34:13,950 Clear the screen first. crunch 3 8. 387 00:34:18,210 --> 00:34:25,710 So what we're doing here is running crunch and specifying a minimum password length of three. 388 00:34:25,950 --> 00:34:29,970 The second number specifies a maximum length of eight. 389 00:34:30,060 --> 00:34:37,050 The pipe symbol tells Linux that we want to pipe the output of crunch into the next command, which of 390 00:34:37,050 --> 00:34:40,080 course is going to be aircrack-ng. 391 00:34:40,080 --> 00:34:48,090 After that we use tack lowercase w (-w), but instead of specifying a word list we just do a space and then 392 00:34:48,090 --> 00:34:52,550 put another tack, or dash, if my calling it a dash helps. 393 00:34:52,800 --> 00:34:55,740 And then we specify our capture file. 394 00:34:55,740 --> 00:35:00,290 You may recall that I named it handshake just to keep things simple. 395 00:35:00,390 --> 00:35:08,220 So it's going to be handshake-01.cap; your file name will probably vary. 396 00:35:08,220 --> 00:35:12,690 Lastly, we need to specify the ESSID of the target. 397 00:35:12,690 --> 00:35:18,780 Remember I said to write that information down. Without the ESSID
aircrack won't be able to run, so 398 00:35:18,780 --> 00:35:20,190 make sure that it's correct. 399 00:35:21,930 --> 00:35:23,980 After that we just hit enter. 400 00:35:24,020 --> 00:35:30,950 You may have noticed that I set a character limit at 8; our password is still Hanako 20 with an asterisk 401 00:35:30,950 --> 00:35:31,970 at the end. 402 00:35:31,970 --> 00:35:38,550 Now keep in mind that we have given it the entire alphabet, but only in lowercase letters. 403 00:35:38,550 --> 00:35:44,870 This is fine for this demonstration, but if the password contained uppercase characters or symbols we 404 00:35:44,870 --> 00:35:47,090 would need to include those as well. 405 00:35:47,120 --> 00:35:53,450 I did include the asterisk, but if I was doing this blind I'd want to include all of the possible symbols 406 00:35:53,450 --> 00:35:54,980 as well. 407 00:35:54,980 --> 00:36:00,380 And this is going to take a while, so I'll be doing a little bit of editing magic here to bring this 408 00:36:00,380 --> 00:36:02,990 process to a speedy conclusion. 409 00:36:02,990 --> 00:36:06,180 I do suggest researching your target a bit. 410 00:36:06,470 --> 00:36:12,530 If you're doing penetration testing against a company, for example, use the company name in the character 411 00:36:12,530 --> 00:36:15,230 set that you provide for this process. 412 00:36:15,290 --> 00:36:20,270 Use the names of offices, try different things, tailor your attack. 413 00:36:20,270 --> 00:36:26,810 If you have a lot of possibilities, use CeWL to generate a word list instead of crunch. Please see the 414 00:36:26,810 --> 00:36:35,160 video on CeWL for instructions on how to do this, because you can just go through all possible combinations. 415 00:36:35,480 --> 00:36:43,580 But regardless of your hardware, it's going to take a prohibitively long time, billions of years. Narrowing 416 00:36:43,580 --> 00:36:47,720 things down in any way possible is really going to help you.
417 00:36:47,720 --> 00:36:54,650 One example I can give is that if you know your target is a Comcast router, and you have reason to think 418 00:36:54,740 --> 00:37:01,670 that the user stuck with the default password (and a lot of users do, because older Comcast routers don't 419 00:37:01,670 --> 00:37:08,420 let you change your password very easily), then you might know that the password is going to be all capital 420 00:37:08,420 --> 00:37:15,980 letters and numbers, and there are going to be 10 characters with no symbols, which Comcast thinks 421 00:37:15,980 --> 00:37:17,560 is a strong random password. 422 00:37:17,570 --> 00:37:25,330 But by being so predictable they make it pretty easy: you just tell crunch to try guessing all capital 423 00:37:25,330 --> 00:37:31,050 letters in the alphabet, all numbers, and set the min/max length to 10 10. 424 00:37:31,210 --> 00:37:38,080 That's still a lot of possible combinations, but far, far less than a minimum length of three and a maximum 425 00:37:38,080 --> 00:37:42,890 length of 10 with lowercase letters and symbols thrown in. 426 00:37:43,030 --> 00:37:48,580 And even less when you consider that they don't use any kind of symbology in the default passwords. 427 00:37:48,580 --> 00:37:49,870 Sorry, I'm repeating myself. 428 00:37:49,990 --> 00:37:56,140 I did mention before that it is possible to divide the load if you have a lot of different computers 429 00:37:56,170 --> 00:37:57,790 at your disposal. 430 00:37:57,790 --> 00:38:05,500 You could tell your first computer to try all lowercase alphanumeric combinations from 1 to 5, your second 431 00:38:05,560 --> 00:38:15,200 all alphanumeric from 2 to 2, your third 3 to 3, your fourth 4 to 4, or whatever attack combination 432 00:38:15,200 --> 00:38:22,880 you devise. In this way you're covering more ground for less time spent and you will avoid redundancy.
433 00:38:22,880 --> 00:38:29,750 But just remember, coming at this entirely blind means you won't know going in how long this might take; 434 00:38:30,170 --> 00:38:35,790 leaving several computers devoted to this task for days at a time may not be viable. 435 00:38:35,990 --> 00:38:42,710 Either way, the captured handshake file is portable, so nothing stops you from using multiple computers 436 00:38:42,710 --> 00:38:46,490 with different sets of parameters to attack it simultaneously. 437 00:38:46,490 --> 00:38:49,070 I also mentioned online services. 438 00:38:49,070 --> 00:38:54,680 I'm not going to recommend any; that is not the purpose of this tutorial, and many of them are rather 439 00:38:54,680 --> 00:39:03,650 sketchy anyway, but you need to be aware that there are services offered online, some free, some not, that 440 00:39:03,650 --> 00:39:11,200 allow penetration testers to upload handshake capture files and then crack them on their own super servers. 441 00:39:11,540 --> 00:39:18,170 If they are successful, the penetration tester pays the cracker for the cracked password, usually with 442 00:39:18,170 --> 00:39:22,440 cryptocurrency like Bitcoin in order to retain anonymity. 443 00:39:22,430 --> 00:39:28,010 I'm not advocating the use of these services, please don't misunderstand me. I'm simply letting you know 444 00:39:28,010 --> 00:39:30,100 that such things do exist. 445 00:39:30,140 --> 00:39:37,230 It might be worth it to someone with a very old computer to use one of these services. 446 00:39:37,460 --> 00:39:44,100 They don't have a lot of free time to spend cracking the password and can pay maybe 5 dollars' worth of cryptocurrency 447 00:39:44,150 --> 00:39:47,100 instead of trying to crack it themselves. 448 00:39:47,150 --> 00:39:49,930 In any case, through the magic of editing, 449 00:39:50,090 --> 00:39:56,060 here is our successfully cracked password, and it didn't actually take that long, just a little under six 450 00:39:56,060 --> 00:39:56,820 minutes.
451 00:39:56,930 --> 00:40:00,220 But then again, this was a very weak password. 452 00:40:00,380 --> 00:40:06,590 Knowing the exact length of the password that you're trying to crack is supremely helpful. 453 00:40:06,590 --> 00:40:13,820 So if you have physical access, you should note the number of concealing dots used to hide a password 454 00:40:14,510 --> 00:40:19,010 on systems where the dots correspond to characters, which is most systems. 455 00:40:19,040 --> 00:40:26,180 This can tell you the exact password length. Setting the min/max to the exact length is really going 456 00:40:26,180 --> 00:40:31,190 to make this go smoothly, and this holds true of all brute force cracking really. 457 00:40:31,430 --> 00:40:39,350 Just knowing a password's length reduces the total number of combinations massively, so I highly recommend 458 00:40:39,410 --> 00:40:44,660 reading through the man pages of both crunch and aircrack-ng 459 00:40:44,660 --> 00:40:51,500 for more information on the various switches and the ways in which you can customize your attack. The 460 00:40:51,500 --> 00:40:55,480 more you know about your target, the easier this is going to be. 461 00:40:55,490 --> 00:41:02,690 Just remember that doing it completely blind you are going to be in for a rough time, or maybe you'll 462 00:41:02,690 --> 00:41:07,580 get lucky and the password will be something short and stupid that gets guessed immediately. 463 00:41:07,580 --> 00:41:11,210 In either case, I hope you found this tutorial helpful. 464 00:41:11,210 --> 00:41:18,960 Keep in mind that you can always try this technique along with Reaver, provided your computer has decent 465 00:41:18,960 --> 00:41:20,070 resources. 466 00:41:20,070 --> 00:41:28,140 Grab the handshake, then set aircrack to work cracking it using either crunch or a word list while you 467 00:41:28,140 --> 00:41:31,300 run Reaver simultaneously in another window.
468 00:41:31,350 --> 00:41:37,380 That way the time spent waiting for a router lockout to expire will still be well spent trying to crack 469 00:41:37,380 --> 00:41:44,450 the password in the handshake file. Again, remember never to use these techniques in an unlawful way. 470 00:41:44,460 --> 00:41:50,820 I hope you now feel confident enough to work with this tool, and you have an idea of how to use it without 471 00:41:50,820 --> 00:41:53,150 it taking a million years. 472 00:41:53,160 --> 00:41:59,790 Just keep in mind this sort of brute forcing is usually a last resort when all else fails. 473 00:41:59,880 --> 00:42:03,080 It can take seconds or it can take years. 474 00:42:04,040 --> 00:42:04,400 Thank you.