WEBVTT

00:00.210 --> 00:08.280
WPA and WPA2 are very good encryptions. If you're using WPA you're using RC4, but you're using

00:08.290 --> 00:09.430
TKIP with that.

00:09.570 --> 00:16.830
And if you're using WPA2, you're using AES with CCMP, and you are not going to be able to crack

00:16.860 --> 00:23.610
these passwords, except for one little problem, and the problem is the initial connection between a

00:23.610 --> 00:32.130
wireless WPA or WPA2 client and an access point has what we call a four-way handshake, and not that

00:32.130 --> 00:38.100
many years ago there was a small weakness discovered in this four-way handshake that allows us to do

00:38.100 --> 00:39.480
something very interesting.

00:39.480 --> 00:46.440
Now I need to be careful here. When you're cracking WEP you can mathematically derive the password just

00:46.440 --> 00:47.770
by looking at packets.

00:47.790 --> 00:55.740
You can't do that with WPA and WPA2. With WPA and WPA2, think more instead that you've got this guy

00:55.740 --> 01:00.700
who's really good at turning the numbers on a bicycle lock and then pulling on it.

01:00.930 --> 01:07.080
So you can go to this guy and say, hey, try 0 0 0 0, and he could do that real quick and pull on it.

01:07.080 --> 01:13.650
So if you wanted to, you could tell this guy start with all zeros and then just keep going all the way to 999.

01:13.650 --> 01:18.020
Now, if there was only that, that would be 10,000 different permutations; that would work great.

01:18.030 --> 01:26.700
But with WPA/WPA2, take that same bike lock analogy and turn it from four digits to like 128 digits,

01:26.700 --> 01:32.990
so it would take that guy, even if he was fast, a very very long time to go through all these.

01:33.000 --> 01:39.750
Luckily for us we know that human beings don't use good randomized long passwords.

01:39.780 --> 01:47.070
We know that most human beings are going to use like a phrase and then a number, or their pet's name and

01:47.070 --> 01:54.750
then the date they were born, or the number of kids they have and their wife's name and the date that

01:54.750 --> 01:55.560
they got married.

01:55.560 --> 01:57.260
Little simple things like that.

01:57.510 --> 02:01.710
And if we know that, we can tell the guy who's spinning on that bicycle lock:

02:01.710 --> 02:03.720
No no no, don't start at the zeros.

02:03.780 --> 02:11.340
Just try all of these first. So we've got to give this WPA/WPA2 cracker what we call a dictionary file.

02:11.460 --> 02:18.570
Now a dictionary file is nothing more than a big text file that is full, and I mean full, of tens of millions

02:18.900 --> 02:24.620
of different types of permutations of well-known words with numbers and all kinds of different things.

02:24.630 --> 02:26.350
Now you think, what, tens of millions?

02:26.370 --> 02:35.370
Well, compared to 128-power stuff, 10 million, even my laptop, give it a day, could knock all that stuff

02:35.370 --> 02:35.580
out.

02:35.580 --> 02:37.260
So that makes a big difference.

02:37.260 --> 02:45.030
So what we're going to be doing with WPA/WPA2 is we're going to go ahead and grab not a whole bunch

02:45.030 --> 02:45.860
of packets.

02:45.980 --> 02:51.990
What we're going to grab is those four-way handshakes when people start to connect, and using that we

02:51.990 --> 02:57.000
can derive the passwords by using a dictionary file, basically saying try all these.

02:57.000 --> 02:59.240
And if people use it, then we're going to have them.

02:59.250 --> 03:01.800
So let's go ahead and start off by...

03:01.800 --> 03:04.090
Let me show you how the setup works this time.

03:04.260 --> 03:07.020
So I've got my same wireless access point.

03:07.140 --> 03:14.790
Now he's still set to WEP at this moment, so we're going to change him to regular old just WPA PSK and

03:14.910 --> 03:19.800
get him up and running, and we'll put a really weak password on here. Then we're going to go back over

03:19.800 --> 03:26.700
to the Kali box, and in this case what we're going to do is we're still going to monitor the traffic.

03:26.790 --> 03:30.490
But we're just going to wait for somebody to authenticate, and we've got him.

03:30.510 --> 03:34.740
We'll run the cracker, and with luck, since it's a weak password, we're going to be able to get it pretty

03:34.740 --> 03:35.550
easily.

03:35.550 --> 03:37.610
Let's take a look at the setup.

03:37.630 --> 03:37.930
All right.

03:37.930 --> 03:39.740
So let's go over here.

03:40.060 --> 03:48.810
And first of all, instead of calling it non-secure WEP, let's call it non-secure WPA, and let me apply

03:48.810 --> 03:49.580
that.

03:49.650 --> 03:50.960
Well wait a second.

03:51.300 --> 03:56.610
Now the next thing I'm going to do is go over to wireless security, and we're going to take off WEP

03:56.820 --> 03:59.400
and let's go to WPA Personal.

03:59.400 --> 04:05.470
This type of attack will work with WPA or WPA2 Personal shared key.

04:05.490 --> 04:08.040
So I've already got a password in here, and I want to keep it.

04:08.040 --> 04:09.940
Now the password is Timmy Timmy.

04:09.990 --> 04:15.780
So it's a pretty simple password; it's just a very common word used twice.

04:15.780 --> 04:21.870
So let me go ahead and apply all this.

04:22.110 --> 04:25.170
I'll save it.

04:25.350 --> 04:27.000
And we're pretty much ready to go.

04:27.000 --> 04:30.810
So this guy is now WPA Personal.

04:30.810 --> 04:35.030
He has a very simple password of Timmy Timmy.

04:35.190 --> 04:37.430
And now what we're going to do is go over here.

04:37.500 --> 04:38.990
We're going to grab a bunch of data.

04:39.000 --> 04:43.170
But in particular we're not just grabbing data; we're looking for handshakes.

04:43.200 --> 04:44.970
And that's where airodump does a great job.

04:44.970 --> 04:51.960
Let me show you. Now what I've got here is I've got airodump still running on my screen.

04:51.960 --> 04:56.990
Now if you take a look right here at the top, you're going to see there's non-secure WPA.

04:57.180 --> 05:02.000
You can even see that it's WPA and it's running TKIP, no great surprise there.

05:02.100 --> 05:04.730
And there's the MAC address for it.

05:04.740 --> 05:30.240
So what we're going to do now is let's start airodump, and we're going to watch for handshakes.

05:30.480 --> 05:34.400
I'm going to put all the stuff that it finds into a file called WPAfile

05:37.600 --> 05:39.250
and this guy is on Channel 6

05:43.110 --> 05:44.670
and the BSSID

05:50.510 --> 05:52.430
is 20 colon.

05:52.670 --> 06:07.130
They colon for the colon 42 colon for three colon the eight.

06:07.260 --> 06:09.350
And we're going to tell him to listen on

06:10.800 --> 06:16.980
wlan0mon.

06:17.000 --> 06:22.410
So what we're going to do now is just keep watching this and see if somebody comes in...

06:25.180 --> 06:26.090
there it is.

06:26.500 --> 06:27.740
Wow, that was really quick.

06:27.760 --> 06:30.090
Let's rewind that a little bit so we can see it.

06:32.620 --> 06:37.860
What we just saw there was a handshake; it flashed really really quick so I kind of missed it.

06:37.930 --> 06:44.650
But what we now know is that we have a file of captures that include at least one, if not two, handshakes.

06:44.710 --> 06:48.060
I've got a bunch of people in the studio all trying to connect at the same time.

06:48.160 --> 06:49.680
So hopefully we've got a bunch.

06:49.720 --> 06:54.770
So let's go ahead and take a look at that file and go ahead and see if we can pull the password out.

07:00.410 --> 07:02.300
So we can go and just turn this off.

07:05.340 --> 07:10.980
And let me make sure I've got a dictionary file in there.

07:12.700 --> 07:13.810
There he is, way up at the top.

07:13.810 --> 07:14.870
You see the word dictionary.

07:14.890 --> 07:17.230
That's a dictionary file that I've created.

07:17.320 --> 07:20.950
So to actually go about the cracking, we just go ahead and run

07:24.860 --> 07:25.570
aircrack-ng.

07:31.120 --> 07:34.670
-a2 means I'm doing a WPA attack on this guy.

07:40.810 --> 07:44.430
So I've got to tell him where my dictionary file is; it's right here in the same folder.

07:44.440 --> 07:49.660
I just type in dictionary, and then I tell it which file I want to crack.

07:49.660 --> 08:04.990
In this case it's going to be WPAfile-01.cap. Hit Enter.

08:05.150 --> 08:06.170
There it is right there.

08:06.170 --> 08:07.240
See it?

08:07.260 --> 08:07.650
Timmy.

08:07.650 --> 08:10.300
Timmy. Pretty easy stuff.

08:10.300 --> 08:15.730
Now you look at it and you're going to say, wait a minute, wait wait wait wait wait, Mike, you put the right password

08:15.730 --> 08:16.880
into your dictionary.

08:16.930 --> 08:20.080
Yeah, I did, but I did that just to speed up this demonstration.

08:20.080 --> 08:25.840
Trust me, there are huge dictionary files, and they've got Timmy Timmy in there just as easily. If you

08:25.840 --> 08:33.130
have a weak WPA or WPA2 key, odds are good that people will be able to crack it almost as quickly as

08:33.130 --> 08:34.460
what I've done right here.

08:34.510 --> 08:35.920
The right answer is simple.

08:36.040 --> 08:44.850
Use long, complex pre-shared keys when you're dealing with WPA and WPA2. A lot of people recommend

08:44.860 --> 08:50.230
don't use any human words and make sure you use at least 20 characters, which can sometimes be hard to

08:50.230 --> 08:52.610
remember, but boy does it make it secure.

08:52.800 --> 09:01.780
OK, so now that we've cracked WEP and WPA and WPA2, we can actually make life a lot easier cracking

09:01.780 --> 09:03.240
with WPS.
