Welcome to Part Five of this module. In this module we'll be taking a look at Fern Wi-Fi Cracker. Fern is a wireless security auditing and attack tool that is written in pure Python and uses the Python Qt GUI library. The program is theoretically able to crack WEP, WPA and WPS keys and also run other network-based attacks on wireless and Ethernet-based networks, but all it really is is a graphical tool for doing things that you've already seen done in this module so far.

Fern is located under Applications, Wireless Attacks; we'll just click on it to load it. Now, I say that this all works theoretically, and that is because whether or not Fern actually operates correctly seems to depend on its mood and maybe the weather. I've tested this tool on several different systems, so I've ruled out hardware problems. I haven't gone through the code line by line because, quite honestly, I don't use Fern for actual pen tests, but as near as I can determine Fern just kind of works properly whenever it wants to, which isn't necessarily that often.

So right away we are greeted with a pretty simple graphical interface. If you've watched the prior videos in this module, nothing about this is going to be mysterious or require a lengthy explanation, but basically, in a nutshell, Fern does everything that you've seen so far.
Again, in theory, you don't need to put your card into monitor mode or mess around with airodump-ng, because all of that is actually built into Fern. It even allegedly changes your MAC address for you, although the bug with MAC changes still seems to apply on some systems, so I wouldn't trust that it is in fact working as intended until you test it yourself.

We begin with Fern by selecting our interface device; in this case it's going to be wlan1, and you can click the Refresh button if you insert a USB device after loading Fern. And here we get the tool tip saying: to access the settings for the network scan preferences, double click on any area of the main window; the Scan for Network button is used for scanning for networks based on the settings option of the settings dialog; default is automated scan; fake MAC address is always used. OK, but it said nothing about the fact that you need your Wi-Fi card to be capable of injection for injection-based attacks to work. So maybe not the most useful tool tip ever.

In any case, if we double click on this screen we can see that it is possible to set what channels we scan for. In other words, we can narrow that to a single channel from the drop-down menu if we want to. Again, this is exactly like using airodump-ng from the command line, where if we don't specify a single channel it'll just get everything in range.
So now we're going to click Scan for Access Points. It's initializing, and it'll take a second, and once it does we'll see a number next to the Wi-Fi WPA button which tells us how many routers have been detected within range. You might also see a few pop up next to the Wi-Fi WEP button, although those are rare in this day and age, and few people are really still using WEP. If we let this go for a while more than 8 would pop up, but I think 8 will be good enough, so I'm going to stop the scan by pressing the button again.

And we're going to go into WPA, and this brings up a graphical readout of nearby access points; this is basically a prettier version of airodump-ng. I'll click on the old router I've been using for these demonstrations. It's still Sandhill. In here we see the SSID, BSSID (or MAC), channel, power rating and encryption style. We also see that it supports WPS. Yes, basically everything we'd see in airodump. From here we can select the attack method. I'm going to pick WPS first, just to demonstrate that, contrary to the access point details, we will be told that Wi-Fi Protected Setup is not supported or distributed by the selected access point. This is what I mean about Fern being rather unreliable, but it's always worth trying the WPA attack first.
As I mentioned in the Reaver video earlier in this module, although it is admittedly pretty rare that such a straightforward approach will actually provide results, it is much faster when it does work. So to begin we need to give it a dictionary file for brute forcing; assuming it successfully captures the handshake, Fern will immediately go to work to try to crack it. There are no fancy configuration methods here as we saw in prior videos. You can't pipe in characters or curtail the min/max length of the password. This is a straight brute force cracker. We give it a word list file and it will try every word in that file.

So we click Browse, we're going to go to the desktop and we'll give it this file, password, and of course I'm cheating here. You see, it cracked the key earlier when I tested it, so it's displaying it. I'm going to go ahead and delete the key from the key database so that this scan process plays out as if I'd never done it, and we'll try this again.

OK. Now, in a perfect world, we select our access point, which in this case is Sandhill. We select Regular Attack and then we just click the Wi-Fi Attack button. So it begins by probing the access point and launching deauthentication attacks, and Fern will now proceed to try to kick the client off the access point through these deauthentication attacks.
Then it will grab the handshake when the client re-authenticates with the network. Well, that went rather quickly. OK, well, that went faster than I expected. Basically what happened is Fern probed the access point. It found the target client, in this case the laptop, the junky laptop that I had connected to the junky router and was using for this demonstration. It deauthenticated it with packet injection, similar to what you saw in the prior modules, then captured the handshake when the client was bumped off the network and then re-authenticated automatically. Once it had the handshake, it began a brute force attack, reading off every password in the password file that we provided it.

Now of course I cheated and put the correct password, Hanako 20 asterisk, into that file to make sure that it would crack in a timely manner. I mean, we don't want to be here all day. And once it did that, it successfully cracked the password, it displayed it here, and we'll be able to find it in the Keys database, which I will show you in a moment.

I think it's also a good idea to point out here that even though the probe access point phase of this attack is supposed to provide you with this MAC address right here in a drop-down menu form, it doesn't always work that way.
You may end up having to use airodump-ng to get the MAC address of a connected station, because for the life of me I could not get this to work properly using Fern Wi-Fi. I entered this MAC address myself, so if that's a problem for you just go back and look at the prior videos in this module to see how airodump-ng works. But basically we've got the password.

So now if we close out of this and go into the Keys database we can see that the password is now stored in our database. Now, if we want to keep this password the next time we load Fern, we need to click Save Changes. We also have the option of inserting a key manually for a station where we already have the password, or we could delete an existing key.

So now let's take a look at the Toolbox button. We'll begin by clicking on the Geolocatory Tracker, and if we click on this we get the unhelpful message telling us that this feature has been deprecated. In other words, it just doesn't work anymore. From what I've been able to determine, this feature used to make a handy real-world map with pins showing the locations of access points.
That's a very nice feature and I hope the designers consider bringing it back in the future. If we click on Wi-Fi Attack Options we can see that we have the option to specify a specific MAC address to spoof, again with the stated disclaimer that I don't entirely trust any MAC changer program in Kali Linux, and you really want to test them carefully to make sure that they work correctly with your hardware before you put your trust in them. Remember that just because macchanger claims that your MAC address has been changed doesn't always mean that it doesn't snap right back the second you associate with an access point, so test it thoroughly.

And we can also specify our capture file settings if we want Fern to store the captured handshake somewhere else. If we click on Font Settings, this is exactly what you think it is, and don't make the mistake I did earlier. If you click OK here to get out of this dialog box, the next time you load Fern there will be no text anywhere on the screen. That's because it will switch Fern to font size 1, which is basically nonexistent. So make sure that your font size is 7 or bigger or you'll be stuck, or you can just cancel out of the screen.

So now we'll take a look at the last kind of selling point of Fern, at least back in the old days: the Cookie Hijacker. And this will take a moment or two to load.
Here we go. So for this I've plugged in the Ethernet connection to the router, so I'm going to select that now in the form of eth0. If we were connected to the router, that is to say we entered the password and we associated with it, normally we could use one of the Wi-Fi cards down here, but Ethernet is a lot faster for this sort of thing, which is already going to be a little bit slow and a little bit buggy.

So now we need to give the default IP address of the router, the default gateway, which in this case is going to be 192.168.1.1; your default gateway may vary. And we're going to start sniffing, and this is engaging a man-in-the-middle attack which is intended to grab cookies that are being exchanged over the network. So I'm going to briefly go into my other little laptop here and I'm going to click on some websites that I know to be insecure, and hopefully the cookies will be grabbed immediately. However, this doesn't always work quickly.
And when you try this yourself on your own computer you'll see just how much these sorts of attacks will slow down the connection of the target machine. In this case I'm getting a lot of DNS probes failed before the website actually comes up, and that can be a giveaway to someone who's kind of savvy about these things that something odd is going on with the connection. OK, we've captured our first cookie for the machine on the network that has .11 as the IP address at the end, so we click here. It's still loading, that's why I'm going to give this just a second to finish. This just does not want to cooperate, so I'm going to grab a few more cookies before I stop the sniffing.

These are just random websites I'm visiting on the computer that I'm using as a target for this man-in-the-middle attack, and what we're doing here is we're stealing these cookies in real time. Unfortunately, real time is very slow, because man-in-the-middle attacks really slow down the network connection. Okay, that should be good enough. I'm going to click Stop Sniffing. OK, let's see what we've got. So I visited two websites; here's the British Museum, here's the cookie we captured for it.

Now, Cookie Hijacker used to be a lot more effective in the old days. It basically works like this.
You connect to the access point that you just hacked, select the interface that you're connected through, which again in my case was eth0 since I'm plugged into the router, and then you supply the default gateway. Then you click the Start Sniffing button. Once you do that you start gathering cookies from any insecure websites that the other clients on the network visit, and we can right click on the cookie and click Hijack Session if we wanted to. That will eventually open a web browser, or whatever you happen to have as the default browser, and allows you to literally hijack the user's session. If they're logged into Facebook, you'll be logged into their Facebook as though you were sitting at their computer, but on your computer. But in reality that just doesn't happen anymore. I mean, good luck finding any website that isn't HTTPS; the security has to be really poor for anything to show up here. And honestly there are better ways of conducting man-in-the-middle attacks: Ettercap, Bettercap, Wireshark, SSLstrip, just to name a few. When you try this on your own target machine you'll also see just how much the internet connection of the target that you're using slows down.

And that pretty much covers it. Fern Wi-Fi Cracker is just another way of doing what you've already been learning to do if you've been following this module's videos in order.
But in my opinion it isn't the better approach, because its functionality tends to be very spotty and because all you can do is a direct brute force attack, which quite honestly is the worst way to crack anything and should always be the last choice, because in reality it's always going to take about, you know, ten thousand years unless the person is very, very dumb about their password.

And another thing I have to mention, and I know it seems like I'm really kind of ragging on Fern Wi-Fi Cracker, but when I ran this initially and tried to record the capture of these cookies it not only crashed, it crashed the entire operating system, which I can honestly say has never happened before with any of these tools. So it is kind of spotty, but it can be a useful tool. As always, never use this or any other tool shown in these videos to hack anything that you don't personally own or have written permission from the owner to penetration test. I hope you found this video helpful.