1
00:00:01,330 --> 00:00:08,850
Now, from the previous lectures we learned that in order to crack WPA or WPA2 we need to first capture

2
00:00:08,850 --> 00:00:09,920
the handshake.

3
00:00:10,060 --> 00:00:17,290
And second, have a wordlist which contains a number of passwords that we'll go on to try, and hopefully

4
00:00:17,410 --> 00:00:21,260
one of them will be the password for the target network.

5
00:00:21,790 --> 00:00:29,360
So right now I have both of these components and we are ready to go and crack the password. To do this,

6
00:00:29,370 --> 00:00:35,900
aircrack-ng is going to unpack the handshake and extract the useful information.

7
00:00:36,190 --> 00:00:43,750
The MIC right here, or the message integrity code, is what's used by the access point to verify

8
00:00:43,870 --> 00:00:46,640
whether a password is correct or not.

9
00:00:47,750 --> 00:00:54,590
So it's going to separate this and put it to the side, and then go on to use all of the other information

10
00:00:54,590 --> 00:01:02,200
right here, combined with the first password from the wordlist, to generate

11
00:01:02,420 --> 00:01:11,930
a MIC, another message integrity code, and then it's going to compare this MIC to the one that's already

12
00:01:11,930 --> 00:01:13,350
in the handshake.

13
00:01:13,760 --> 00:01:21,330
If the MIC generated using this information plus the first password is the same,

14
00:01:21,740 --> 00:01:27,350
then the password used to generate this MIC is the password for the network.

15
00:01:27,590 --> 00:01:30,330
Otherwise this password is wrong,

16
00:01:30,510 --> 00:01:32,930
and it'll move on to the next password.

17
00:01:33,950 --> 00:01:35,300
Again it'll do the same.

18
00:01:35,310 --> 00:01:40,310
It'll use all of this information combined with this password to generate a new

19
00:01:40,310 --> 00:01:45,420
MIC, and compare this new MIC to the one that's in the handshake.
20
00:01:45,530 --> 00:01:47,940
If it's correct then this is the password.

21
00:01:48,020 --> 00:01:54,650
If it's not, then it's going to move on to the next password, and it'll keep doing this through all of

22
00:01:54,650 --> 00:01:56,770
the passwords in my wordlist.

23
00:01:56,840 --> 00:02:02,070
If any of them generates the right MIC then this is the password for the network.

24
00:02:02,240 --> 00:02:05,980
Otherwise we won't be able to get the password.

25
00:02:05,990 --> 00:02:11,690
That's why the success of this attack really depends on your wordlist.

26
00:02:11,960 --> 00:02:14,840
So let's see how to do this in practice.

27
00:02:15,450 --> 00:02:17,930
Right now I have my wordlist right here.

28
00:02:17,940 --> 00:02:24,450
It's called test.txt, and I actually manually added my password to the end of the list right

29
00:02:24,450 --> 00:02:30,810
here, just so that when I run the wordlist against the handshake I will actually find the password, because

30
00:02:30,810 --> 00:02:34,130
the wordlist did not contain my password by default.

31
00:02:36,000 --> 00:02:42,750
I also have the handshake file right here, as you can see, and all of this is in my home directory, which

32
00:02:42,750 --> 00:02:50,810
is my root directory, so if I do ls in here you'll see I have the wordlist and the handshake file.

33
00:02:51,730 --> 00:02:52,980
So we're ready to run

34
00:02:52,990 --> 00:02:54,220
aircrack-ng.

35
00:02:54,250 --> 00:03:00,640
So we're going to type the name of the program as usual, followed by the name of my capture file, which

36
00:03:00,640 --> 00:03:04,700
is wpa_handshake-01.cap.

37
00:03:04,990 --> 00:03:10,530
So so far it's identical to the way that we used to use it with WEP.

38
00:03:10,600 --> 00:03:14,950
The only difference right now, because this is a WPA2 network,

39
00:03:14,980 --> 00:03:21,880
is we have to specify a wordlist with the -w option and the name of my wordlist, which is test
40
00:03:21,990 --> 00:03:23,730
.txt.

41
00:03:24,310 --> 00:03:25,880
So very, very simple.

42
00:03:25,900 --> 00:03:33,730
aircrack-ng is the name of my program, wpa_handshake-01.cap is the name of the file that contains my handshake,

43
00:03:34,010 --> 00:03:38,520
and I'm using the -w to specify my wordlist file.

44
00:03:38,950 --> 00:03:40,290
I'm going to hit enter.

45
00:03:41,040 --> 00:03:46,490
And as you can see now, aircrack-ng is running through the wordlist, testing each word in the wordlist

46
00:03:46,520 --> 00:03:54,210
one by one, as shown in this diagram, calculating a MIC based on this information and that word.

47
00:03:54,350 --> 00:03:59,460
And then if the MIC is correct, it's going to tell me that this is the password.

48
00:03:59,990 --> 00:04:05,990
Now the speed of this depends on your processor and the size of your wordlist file, so if you have a

49
00:04:05,990 --> 00:04:09,890
huge file obviously it'll take a longer time.

50
00:04:09,890 --> 00:04:13,050
There are also online services that you can try,

51
00:04:13,160 --> 00:04:20,510
where you upload the handshake, and they have huge lists and they have supercomputers to run through these

52
00:04:20,750 --> 00:04:23,370
lists and try to give you the password.

53
00:04:23,660 --> 00:04:29,210
Unfortunately I can't share their links with you, but you can easily find them on Google if you search

54
00:04:29,210 --> 00:04:29,910
for them.

55
00:04:31,250 --> 00:04:33,380
And perfect, as you can see,

56
00:04:33,380 --> 00:04:38,400
we managed to find the key, so it says the key is found, and this is the key to the network.

57
00:04:38,560 --> 00:04:43,880
And this is the correct key, because as you know this is the same key that we got when we exploited the

58
00:04:43,880 --> 00:04:45,740
WPS feature.
59
00:04:45,740 --> 00:04:51,430
So now we can go ahead and connect to the network, and we'll be able to run all of the cool stuff that

60
00:04:51,440 --> 00:04:53,300
I'm going to teach you in the post-

61
00:04:53,310 --> 00:04:55,520
connection attacks section.

62
00:04:56,360 --> 00:05:00,010
Now this is the only practical way known so far to crack

63
00:05:00,020 --> 00:05:03,260
WPA and WPA2 keys.

64
00:05:03,620 --> 00:05:09,500
There are methods to speed up this process, so you can use the GPU for the cracking because it's much

65
00:05:09,500 --> 00:05:11,060
faster than the CPU.

66
00:05:11,240 --> 00:05:15,800
That's if you have a GPU. You can also use rainbow tables.

67
00:05:15,800 --> 00:05:21,420
You can also pipe the wordlist as it's being created in crunch to aircrack-

68
00:05:21,430 --> 00:05:22,170
ng.

69
00:05:22,190 --> 00:05:27,620
This way you can create bigger wordlists without using any storage on your computer.

70
00:05:27,620 --> 00:05:34,040
There are also methods so that you can pause your cracking process and then come back after a while

71
00:05:34,040 --> 00:05:36,160
without losing your progress.

72
00:05:36,170 --> 00:05:38,670
But the main ideas are the same.

73
00:05:38,690 --> 00:05:45,480
The only way right now to crack WPA and WPA2 is through a wordlist attack.

74
00:05:45,890 --> 00:05:51,830
You can use social engineering, however, to get the password using an evil twin attack, where you trick

75
00:05:51,830 --> 00:05:55,010
one of the users to give you the password.

76
00:05:55,010 --> 00:05:59,140
This is actually all covered in my advanced network hacking course.

77
00:05:59,240 --> 00:06:06,560
The cracking using the GPU, piping crunch to aircrack-ng, getting the password using an evil

78
00:06:06,560 --> 00:06:13,400
twin attack and much more advanced network hacking techniques. If you're interested in that then I highly

79
00:06:13,400 --> 00:06:14,710
recommend you have a look
80
00:06:14,710 --> 00:06:20,540
at my advanced network hacking course. Check out the bonus lecture of this course, the last lecture of

81
00:06:20,540 --> 00:06:21,370
this course.

82
00:06:21,380 --> 00:06:26,600
It contains links to all of my other courses and the comparison between them.