[00:00:00] Welcome to part four of this module. In the last video we looked at how to grab WPA2 handshakes and crack them. Now it's time to look over besside-ng, a useful tool for attacking WEP networks and cracking them in around 5 to 15 minutes or so.

[00:00:22] Wired Equivalent Privacy, or WEP, is a standard for encrypting wireless networks that has been around since 1997. It was cracked back in 2001 and rendered essentially worthless as a security measure, at least. But in spite of this it still turns up in the strangest of places. You might think that by now WEP would be gone completely, but if you run airodump-ng over a large enough scale you'll still see the occasional network pop up. These are usually a case of someone misconfiguring their router, or more likely an extremely old router, such as your grandma and grandpa's router. That being said, it can still pop up in major financial institutions, which never fails to astonish me.

[00:01:13] In this video we'll see just how easy it is to crack. A few years ago a wardriver using airodump or an equivalent program detected WEP in use in some of the terminals used by TJ Maxx. The result was one of the largest credit card breaches in U.S. history, as the hacker was able to siphon credit card data off the network for years.
[00:01:39] besside-ng comes prepackaged with Kali and we'll load it from the terminal. So we start out with all the usual stuff: we're going to bring down our interface device or devices, change the MAC, kill off any processes that are causing problems, and then bring them back up into monitor mode. You've seen this all before, so I'll go through this quickly, but if you have any questions please go back and watch the first video in this module.

[00:02:08] So ifconfig wlan0 down, the same for either card, or run macchanger and assign a random MAC, just because it's a good practice to do it, and then we'll do airmon-ng check, the usual culprits, airmon-ng check kill, and as soon as this is done we'll bring up our wireless devices and we'll be ready.

[00:02:41] We don't need two cards for this, so in this case I'm just going to use the slightly more powerful Alfa card. So next we're going to run airodump-ng to grab our target info, and there's our target router. It's still Sanyal. I just went into the router and changed the encryption to WEP. It's an older router, so it was available as an option. Gonna grab the BSSID, copy it. OK, there we go. Now let's open up a fresh window; I think that would be wise. We'll bring up besside-ng. This is an extremely dangerous program.
[00:03:31] The program itself is deceptively simple and very straightforward. As you can see there aren't a lot of switches, but be very careful. besside-ng has a couple of different modes of operation. Now the one that we'll be using today will be to attack WEP.

[00:03:49] But what you must absolutely not do is type besside-ng and then supply your interface device. Now were we to do this, if you were to type this command and press enter, besside-ng would then proceed to attack every single Wi-Fi network within range. It would scan, gather targets, and attempt to systematically and automatically hack all of them for you. WEP networks would be attacked automatically one after another in exactly the same way as we're about to see demonstrated. WPA networks would also be attacked, and if you have an injection-capable card besside-ng will attempt to deauthenticate and grab handshakes for every single access point in range. It will then collect these handshakes into a single wpa.cap file, which will be stored in the root directory, and it will log all of its resources and results to the besside.log file, which is also stored in the root directory. You'd check that file for the specific ESSID of the network you wish to attack, then run aircrack-ng against the wpa.cap, specifying the correct SSID.
[00:05:15] But the problem with that is that it is basically impossible to do that legally, unless you personally own every single network and every single device that is within range, or you have written permission from the owners to conduct that sort of a test. You will absolutely be breaking the law. besside-ng attacks literally everything it can, so even if you did own every single thing in range of your Wi-Fi card you may still end up breaking the law if a cell phone or a foreign device comes within range during the attack. In short, just don't do this, period.

[00:05:53] Instead we will use it more selectively, by typing besside-ng, supplying our interface, -c for channel, which in this case is 1, -b for BSSID, which is our target information; we'll just paste that in there, the MAC address of the router. Simple and straightforward: program name, interface device, -c for channel, give it a target, and from there we can hit enter. Now we could use -v or -vv for verbose or double verbose, but honestly we really don't need to see every single ping attempt. So we hit enter and that will start the attack. Exactly how long this will take will vary, but generally speaking it shouldn't take longer than about 15 minutes. I found that when I cracked this network earlier it took about five minutes.
[00:06:49] But on the second attempt it only took about two, so factors like signal strength will play a role. Rest assured though, if the encryption being used is WEP it will fall. Five minutes, 15 minutes, it will fall. If you owned this network you'd really want to be concerned right now at how quickly this is going. Once a hacker breaks into a network they can conduct man-in-the-middle attacks to manipulate the user experience of connected machines. They can redirect them to fake websites, and so on and so forth. We'll be looking at things like that a bit later in this series, as well as directed attacks against other connected machines through Metasploit and so on and so forth.

[00:07:40] But the takeaway... the takeaway here is it's just that quick. Some people in the security field joke that certain forms of protection are really just suggestions rather than defenses. WEP isn't even a suggestion. It's an open invitation. So here's the hex version of the password. If we want the plain text we just need to use aircrack-ng. That's gonna be aircrack-ng ./wep.cap. If you have multiple wep cap files you'll be presented with a list and asked to select by number which one you want to crack.
[00:08:30] But since I only have one this will happen instantly, and there we go, there's our password in plain text. So that was cracking a WEP network. It took us really about five minutes, and could go even faster in some cases if people are on the network and doing things like streaming or heavy downloads. The process might run a little longer. The point is that WEP is no barrier against a hacker with even a modicum of skill, who can then hijack your Internet experience with man-in-the-middle attacks and do nasty things like reroute you to web pages that you think are safe but are in fact controlled by the attacker. So if you or anyone you know is still using WEP security, please consider upgrading.

[00:09:33] Now with all that being said, beware of honeypots. If during a penetration test you see a WEP network come up where you might think it is too good to be true that such a thing would exist, it probably is. Some system administrators will run WEP devices as a kind of a tripwire to catch overconfident attackers. Consider where you are seeing such a device pop up. If it is in the home of an old retired couple then it's probably what it seems, but if it shows up during a scan of a bank or something, well, at least consider the possibility that it might just be a trap. And that is really all there is to say about it.
[00:10:21] I realise this was a rather short video, but WEP can be cracked in your sleep and there isn't that much really to talk about. I suppose the last thing to point out is that besside-ng keeps a log in your root directory of everything that you attack using the program. You can open it with any old text editor or you can just cat the file, like so. And remember that everything besside-ng attacks gets put into one of two cap files: wpa.cap for any flavor of WPA and wep.cap for WEP-related captures. To crack WPA you just run aircrack-ng exactly like you saw in the last video, and you would specify which handshake you're trying to crack by using the appropriate SSID, right here. And that's really about it.

[00:11:20] Remember never to use this or any other program to attack any network or computer that you don't personally own or have written permission from the owner to penetration test. Thank you.