WEBVTT

00:00.060 --> 00:06.570
Probably one of the biggest classic threats to any wireless network is its susceptibility to being cracked.

00:06.570 --> 00:16.650
So what we're going to be doing in this episode is we're going to be grabbing WEP, WPA, WPA2 and WPS

00:17.130 --> 00:20.420
passwords using standard hacking tools.

00:20.430 --> 00:25.380
Now there are a lot of details that go into all of this, so we're going to separate them.

00:25.390 --> 00:29.370
So first let's go ahead and go through an old-school WEP crack.

00:33.720 --> 00:38.660
Now the ability to crack WEP has been around for, well, a long, long time.

00:38.670 --> 00:46.040
Close to 20 years now. With that, you would think that most wireless networks would be off of WEP.

00:46.050 --> 00:47.210
Well they're not.

00:47.280 --> 00:53.970
We can find up to 15 percent of all wireless networks are still running WEP encryption.

00:53.970 --> 00:59.420
So even though WEP is old-fashioned, even though the ability to crack WEP is well established,

00:59.580 --> 01:01.370
well, we're going to go through it.

01:01.380 --> 01:08.850
The downside to WEP is that the initialization vector, the way it was being generated, made it susceptible

01:08.850 --> 01:10.720
to mathematical rigor.

01:10.890 --> 01:17.640
And as a result we call this an IV attack. It's been around for a long time and it's actually kind of

01:17.640 --> 01:18.360
fun to do.

01:18.360 --> 01:21.180
So let me give you our setup so you know what's going on.

01:21.240 --> 01:24.810
Now first of all, I've just got a regular wireless access point here.

01:24.990 --> 01:26.610
I have hot-rodded it a little bit.

01:26.610 --> 01:27.530
It's running

01:27.690 --> 01:32.400
DD-WRT firmware instead of the regular Linksys firmware.

01:32.400 --> 01:33.900
Now I've got a machine over here.

01:33.900 --> 01:39.870
Now this machine, the only reason he's here is so I can show you what's happening in the wireless settings

01:39.930 --> 01:42.030
on this wireless access point.

01:42.180 --> 01:47.970
And over here I've got my good old Kali Linux box with my good super-duper network card on here,

01:48.450 --> 01:54.600
and we're going to be using a tool called aircrack to go through the process of grabbing the WEP keys

01:54.900 --> 01:56.950
off of the system.

01:56.970 --> 02:01.350
So what you're looking at here, I'm over on my good computer right now and I'm physically plugged into

02:01.350 --> 02:07.210
the back of this little router, so you can see the router itself is set up as 192.168.1.1

02:07.210 --> 02:13.250
and it's going to be a DHCP server passing out 192.168.1 addresses.

02:13.530 --> 02:19.380
And what I'd like to do now is let's go over to the wireless side and you can see right now it's set

02:19.380 --> 02:25.610
up as an access point and I've given it the SSID of "not secure WEP".

02:25.620 --> 02:32.010
You need to remember that. The next thing I want to do is head over to wireless security.

02:32.010 --> 02:37.080
Now if you look here we've got it set to WEP. If I wanted to I could do a lot of other ones, but right

02:37.080 --> 02:39.750
now, just because I want to show you how WEP works.

02:39.760 --> 02:45.270
Now WEP, remember, has two different sized keys: 64-bit or 128-bit.

02:45.270 --> 02:51.840
Now I'm going to use 64-bit just because it cracks a little faster, but it can crack 128-bit just as easily.

02:51.840 --> 03:00.470
Now what we do is we usually type in some word and that generates these 64-bit keys.

03:00.750 --> 03:04.150
So you can see the 64-bit keys are generated by this.

03:04.170 --> 03:06.170
So it's 10 hexadecimal digits.

03:06.330 --> 03:10.280
One, two, three, four, five, six, seven, eight, nine, ten.

03:10.420 --> 03:12.910
I want to use the passphrase total.

03:13.090 --> 03:14.720
Let's generate on that.

03:15.010 --> 03:17.360
And you can see I have four different keys.

03:17.380 --> 03:22.240
Now normally we're just going to use the first key; you can see the default transmit key is number one.

03:22.240 --> 03:25.040
The other three keys are there in case somebody wanted to come visit.

03:25.060 --> 03:29.500
You want to give a temporary key or something like that, where you can generate that stuff.

03:29.500 --> 03:33.480
Let me go ahead and save all this.

03:33.530 --> 03:43.400
So we've got a little WEP-enabled wireless access point that's running an SSID of "not secure WEP" and

03:43.640 --> 03:46.040
we've gone ahead and we know what that key is.

03:46.040 --> 03:47.810
So let's go ahead and put the key down one more time.

03:47.810 --> 03:49.280
So we got it.

03:49.280 --> 03:49.550
All right.

03:49.550 --> 03:54.410
So remember that key because we're going to use this guy and we're going to take advantage of the power

03:54.710 --> 03:57.860
of the aircrack tool to actually make that crack.

03:57.860 --> 04:00.500
So what we're going to do is we're going to go through the steps to do this.

04:00.500 --> 04:05.060
Keep in mind that a lot of the steps that you're going to be looking at at the beginning are going to

04:05.060 --> 04:10.250
be things like finding the network card, getting the network card turned on to start grabbing

04:10.250 --> 04:13.140
data, sending it through a particular port.

04:13.220 --> 04:17.120
Then we're going to take that data and we're going to look at it for a while and then literally there's

04:17.120 --> 04:19.050
only one line that we're going to do that says,

04:19.090 --> 04:22.910
OK, go ahead and crack it. So let's go out and get started.

04:22.910 --> 04:23.210
All right.

04:23.210 --> 04:29.120
So here I am at a terminal within my Kali Linux and we're going to start running aircrack.

04:29.120 --> 04:33.700
So aircrack is actually a suite of different utilities.

04:33.710 --> 04:36.430
Aircrack is actually the only tool that does the cracking.

04:36.440 --> 04:37.880
We use other tools as well.

04:37.910 --> 04:46.180
Like for example what I want to do is I want to see what kind of network cards I have.

04:46.430 --> 04:53.030
So I'm going to use the command airmon-ng and you can see it has a wlan0, and that is my super

04:53.030 --> 04:54.230
duper network card.

04:54.260 --> 04:55.770
So that's what I want to use.

04:55.940 --> 05:00.980
So I'm going to tell the airmon tool to start monitoring

05:03.310 --> 05:07.420
on that wireless device.

05:07.910 --> 05:13.100
So I'm just saying go ahead and get started on wlan0.

05:13.140 --> 05:26.530
So it's a little unhappy, so I'm going to have to turn something off.

05:26.580 --> 05:27.800
Let's try again.

05:32.360 --> 05:33.010
There we go.

05:33.140 --> 05:34.510
OK, so now it's up and running.

05:34.550 --> 05:40.730
What I want you to notice is right here: you'll see where it says wlan0mon. That is, in essence,

05:41.090 --> 05:46.910
all of the monitoring that it's doing is going through this interface, and it's an interface we

05:46.910 --> 05:47.680
can talk to it.

05:47.690 --> 05:49.890
We can write from it, we can do whatever we want.

05:51.200 --> 05:57.410
So now what I want to do is go out into the world and see what's out there for me to have some fun hacking

05:57.410 --> 05:59.910
on, so I'm going to use

06:04.780 --> 06:05.440
airodump

06:08.180 --> 06:17.400
and I'm going to say, hey, go look out on wlan0mon and tell me what you see.

06:17.650 --> 06:22.330
And here are all the wireless networks in the area around here.

06:22.330 --> 06:25.010
Let me open this up a little bit so we can see it better.

06:25.390 --> 06:26.660
Ah, that's better. OK.

06:26.680 --> 06:28.870
Now we've got to spread out a little bit.

06:28.870 --> 06:32.930
You can see that we have all of our IDs here. Nice.

06:32.950 --> 06:33.610
No, it says

06:33.620 --> 06:35.720
SSID. These are SSIDs.

06:36.010 --> 06:39.130
So if you take a look here it's going to say "not secure WEP".

06:39.140 --> 06:41.200
So that is our target

06:41.380 --> 06:43.060
wireless access point.

06:43.060 --> 06:48.820
Now the other thing that's important here is we see the MAC address for that wireless access point, so

06:48.820 --> 06:53.860
we're going to need that information to go ahead and start grabbing data.

06:53.980 --> 07:00.040
So what I'm going to do now is I'm going to use a tool called airodump and I'm going to say just grab

07:00.040 --> 07:00.550
data.

07:00.580 --> 07:06.310
But just from this one wireless access point. So here's the MAC address.

07:06.550 --> 07:08.380
Here's the channel that it is currently on.

07:08.380 --> 07:10.520
This is 2.4 gigahertz.

07:10.810 --> 07:16.800
And here's the SSID. So to do all this, we'll just let that keep running for all I care.

07:16.810 --> 07:17.850
Bring up a new window

07:21.960 --> 07:23.190
Yes, I'm running as root.

07:23.190 --> 07:24.770
Don't give me any trouble about that.

07:29.320 --> 07:35.340
All right, so I'm going to have to type in this fairly long command. I'm going to use airodump

07:40.380 --> 07:44.600
and -w means I'm going to have it write all the data that it's starting to grab.

07:44.640 --> 07:46.240
So I'm going to give it a name.

07:46.440 --> 07:48.600
Something really clever like dumpfile.

07:52.210 --> 07:56.460
I'm going to tell it what channel to monitor. That's channel 6 for this guy.

08:03.050 --> 08:06.080
And now I have to type in the MAC address.

08:06.080 --> 08:30.370
I know it says BSSID but it's actually the MAC address.

08:30.570 --> 08:35.160
And then I'm going to tell it which monitor we want to use.

08:35.170 --> 08:38.750
It's good old wlan0mon.

08:39.190 --> 08:40.810
So let's go ahead and get that guy started

08:46.300 --> 08:47.590
and he's up and cooking.

08:47.620 --> 08:47.910
All right.

08:47.920 --> 08:54.910
So what's happening now is airodump is grabbing all of the very specific packets that I've asked for and

08:54.910 --> 08:57.880
he's dumping that into this one file called dumpfile.

08:57.890 --> 09:04.470
Now in order to use an IV attack on WEP we have to have quite a few frames.

09:04.530 --> 09:06.110
People will argue about the amount.

09:06.150 --> 09:09.360
My general rule of thumb is go outside.

09:09.360 --> 09:11.430
Go have a Coke and come back.

09:11.430 --> 09:12.540
And it usually has enough.

09:12.540 --> 09:18.090
So I'm going to let this run for about five, ten minutes, probably about all I need, and we'll come back

09:18.090 --> 09:21.340
in just a minute and we'll see aircrack in action.

09:27.270 --> 09:29.740
OK so we've let a little bit of time pass here.

09:29.850 --> 09:32.550
So let's take a look on the screen now. If you take a look,

09:32.760 --> 09:40.110
As we've been running here this airodump has been tracking this one particular wireless access point

09:40.470 --> 09:44.640
and you can see down here these are actually systems that are connecting to it.

09:44.640 --> 09:49.170
So we're actually getting information on systems that are making connections and we've got tons of frames

09:49.170 --> 09:50.990
here, probably way too many.

09:51.360 --> 09:54.750
A lot of times they'll say as few as 5000 frames is all you need.

09:54.840 --> 09:57.310
But I believe in a little bit of overkill here.

09:57.480 --> 10:04.590
So what I'd like to do is go ahead and crack this guy, so I'm going to stop that and we're going

10:04.590 --> 10:08.010
to actually run aircrack. Before I do,

10:08.010 --> 10:11.400
let me backspace it out. Before I do, I want to show you something.

10:13.470 --> 10:17.700
Now if you remember I said we're going to put them into a file called dumpfile.

10:17.700 --> 10:22.500
Now you'll see that airodump actually makes four different types of capture files.

10:22.500 --> 10:28.150
And the one I want is the dumpfile-01.cap.

10:28.230 --> 10:30.910
Let's go ahead and run

10:30.950 --> 10:31.550
aircrack

10:49.410 --> 10:53.880
When we watch it for a second, there it is.

10:53.890 --> 10:55.290
So take a look right here.

10:55.300 --> 10:57.700
There's the key that it's derived.

10:57.700 --> 11:05.590
Now let's put that key we brought up earlier back on screen and compare them. With the exact same key,

11:05.800 --> 11:07.220
we are officially cracked.

11:07.240 --> 11:13.720
All I need to do now to get onto this wireless access point is, on any client that I want, simply go in,

11:14.260 --> 11:21.740
find that particular SSID and type in that little bit of passcode, and WEP is all over with now.

11:22.910 --> 11:26.030
Granted, WEP is a little old-fashioned, although it is still out there.

11:26.030 --> 11:32.730
However, that which replaced it, WPA and WPA2, also have some type of limitation.

11:32.750 --> 11:37.430
So let's do a little more cracking, but let's shift into the WPA/WPA2 world.
