WEBVTT

00:00.510 --> 00:07.080
There's a big challenge to configuring wireless devices, in particular the whole idea for a person to

00:07.080 --> 00:14.070
have to type a pre-shared key into their client and set it up. On individual computers and on smart

00:14.070 --> 00:15.530
devices, that's not a big deal.

00:15.540 --> 00:21.840
But when it comes to things like printers and things like that, we don't have an easy Windows or OS X

00:21.840 --> 00:25.530
interface or something to be able to go through this configuration process.

00:25.530 --> 00:31.980
So that's why, many years ago, they came up with something called Wi-Fi Protected Setup, or WPS.

00:32.010 --> 00:38.240
Now for those of you who don't know WPS, the whole idea behind WPS is push-button configuration.

00:38.250 --> 00:44.040
So I've got a wireless access point, and this wireless access point has a pre-shared key, a nice big

00:44.040 --> 00:46.070
complicated pre-shared key in it.

00:46.080 --> 00:48.030
The idea of WPS is simple.

00:48.030 --> 00:52.910
Now if you look really close here, can we get a photograph of this button right here?

00:53.520 --> 00:56.250
That button is how WPS starts.

00:56.250 --> 01:02.670
If I have a WPS wireless access point and I have a WPS-capable device, all I need to do is press this

01:02.670 --> 01:03.670
button.

01:03.810 --> 01:09.480
Then I go over to my printer, whatever it is, and I press and usually hold the button on that other device

01:10.240 --> 01:13.930
for a couple of minutes, sometimes three minutes, depends on the manufacturer.

01:14.010 --> 01:17.970
Then you let go and they automatically configure themselves.

01:17.970 --> 01:25.200
They make this configuration by having a built-in key, a hardware burned-in key, that they can use just

01:25.200 --> 01:30.420
to make that initial connection. It's never used again, and they exchange the true pre-shared key,

01:30.690 --> 01:32.580
and WPS is up and cooking.

01:32.580 --> 01:38.700
Now if you really need to, you can actually go into, like, a Windows system and type in this eight-digit

01:38.700 --> 01:41.530
number and you can configure that way as well.

01:41.880 --> 01:47.200
And WPS is great stuff, except for one big problem, and it has to do with...

01:47.360 --> 01:48.420
All right.

01:48.410 --> 01:52.530
You'll get one more photograph of this.

01:52.550 --> 01:59.590
OK, so what you're looking at is an 8-digit key. So every WPS-enabled device has this eight-digit key.

01:59.900 --> 02:05.240
This 8-digit key is only used for those few short moments while they're making the initial key exchange

02:05.660 --> 02:07.610
of the key.

02:08.060 --> 02:09.940
However, there's a bit of a problem with it now.

02:09.980 --> 02:12.830
An 8-digit key would be two to the eighth power.

02:12.850 --> 02:17.600
So, you know, it's a pretty long chunk of data for a guy to be able to crack in just a couple of minutes.

02:17.600 --> 02:19.340
However there are some weaknesses.

02:19.340 --> 02:24.470
Weakness number one: one of those eight digits is just used as a cyclic redundancy check for the other

02:24.470 --> 02:24.890
seven.

02:24.890 --> 02:27.160
So now we're down to two to the seventh power.

02:27.290 --> 02:31.030
Still pretty hairy in terms of a quick crack. Yet

02:31.050 --> 02:38.180
there's another problem with WPS: the actual process of the key exchange is done through first four bits

02:38.570 --> 02:44.060
and then three bits, so really, instead of two to the seventh power, you have two to the fourth power and

02:44.060 --> 02:49.190
two to the third power, which basically means you only need about eleven thousand iterations to be able

02:49.190 --> 02:50.150
to crack this stuff.

02:50.150 --> 02:57.380
So this was first discovered back in 2011, and it set everybody into a tizzy.

02:57.380 --> 03:02.660
So what we've seen since 2011 is, number one,

03:02.720 --> 03:08.240
a lot of wireless access points where you can turn WPS off. A lot of wireless access points that you

03:08.240 --> 03:08.970
could turn it off.

03:08.970 --> 03:14.660
However, the right kind of tools could turn it back on. A lot of wireless access points where they simply

03:14.690 --> 03:18.270
dumped WPS completely, just not even a feature anymore.

03:18.530 --> 03:24.320
And now what we're starting to see, especially in the 802.11ac world, is a lot of wireless

03:24.320 --> 03:30.800
routers that are using WPS, but they're using it very cleverly. So before we get into how they're doing

03:30.800 --> 03:35.690
this, I want to go through the process of actually cracking something, so we're going to take a look at

03:35.690 --> 03:37.380
the Cisco box right here.

03:37.730 --> 03:44.150
And I know he is passing out on this Total Wi-Fi SSID.

03:44.160 --> 03:46.770
Now if you look right here on the screen, it's red.

03:46.770 --> 03:51.810
And the reason it's red is this scanner is actually querying the wireless access point, and the wireless

03:51.810 --> 03:56.560
access point has WPS turned off, and there is nothing we can do about it. But if we keep looking here,

03:58.990 --> 04:03.360
you see here is a wireless access point called aces, and it's green.

04:03.430 --> 04:07.220
Well, what we're actually doing right here is, I knew this guy wasn't working.

04:07.360 --> 04:10.420
So I brought in another wireless access point

04:13.820 --> 04:16.580
and this guy, I've got WPS turned on.

04:16.580 --> 04:20.290
Let me show you how WPS looks on this particular device.

04:20.300 --> 04:26.640
So if we take a look over here, what I've got is, I've set up, I've got the SSID as a default.

04:26.650 --> 04:32.170
Just called aces, and I'm going to go ahead and give it, like, WPA2 Personal.

04:32.470 --> 04:33.870
And I think I was using the password

04:33.870 --> 04:37.710
Timmy Timmy before, yet still remembers that. Great, right?

04:37.720 --> 04:39.400
So what I'm going to do is go ahead

04:42.800 --> 04:46.120
like that up.

04:46.130 --> 04:51.980
Now keep in mind, we're talking about a, this is a pretty modern 802.11ac wireless router here.

04:51.980 --> 04:57.530
So, you know, we're not talking about 2011 technology here; this is pretty recent stuff.

04:57.560 --> 05:02.990
So if we come in here, we'll see it does have a WPS tab that we can turn on and off, and for the record,

05:02.990 --> 05:06.710
with this particular router, if I turn it off, it really turns it off.

05:06.710 --> 05:15.890
There are some older routers from the 2011 to 2015 world where you can actually turn off WPS, but a good

05:15.890 --> 05:19.960
cracker can literally turn it on remotely, and that's fun anyway.

05:20.090 --> 05:25.130
So what I've done here is I've gone ahead and turned this on, and he's up and cooking. Now right here, do

05:25.150 --> 05:29.480
you see the PIN code? Now this PIN code here, let me pull up.

05:29.480 --> 05:33.550
This guy has his own PIN code on the outside as well.

05:33.650 --> 05:35.420
So what I want to do one more time is go ahead.

05:35.430 --> 05:36.250
Just take a picture.

05:36.250 --> 05:40.010
Can we get a photograph of that? OK.

05:40.030 --> 05:44.560
Now compare that photograph that we're looking at with this PIN code. In fact, let's look at them

05:44.560 --> 05:45.460
together.

05:45.580 --> 05:47.130
You could see it's the exact same code.

05:47.140 --> 05:54.190
So we now know exactly what we're looking for. Now I'm going to go ahead and crack this, because my survey

05:54.190 --> 05:59.260
tool said that WPS was on and cooking, and even though I turned it off and back on again, it's ready to rock 'n'

05:59.260 --> 06:05.350
roll. And the tool I'm going to use is a wonderful, well-known tool called Reaver, which you get as part

06:05.350 --> 06:07.660
of the Kali Linux toolkit.

06:07.660 --> 06:14.410
Now you can see that I've gone ahead and I ran my airodump one more time here, so I can see who's out

06:14.410 --> 06:14.730
there

06:25.170 --> 06:29.030
and there's aces; keeps popping in and out, but he was there.

06:29.090 --> 06:33.700
The important thing is, I already had that SSID, so let me scroll up to the top here, since you're

06:33.710 --> 06:35.980
a man that has been running for a while.

06:36.860 --> 06:38.710
So the.

06:38.930 --> 06:45.320
So you can see I started Reaver, and I went to wlan0mon, and I just typed in the MAC address for

06:45.320 --> 06:48.620
that particular access point, and I've been letting this go for a while.

06:51.960 --> 06:53.260
Try to get to the bottom here.

06:54.930 --> 06:58.150
And you can see he's trying different iterations.

06:58.200 --> 07:01.620
So he's basically doing a brute-force WPS attack.

07:01.620 --> 07:06.900
He started with seven zeros, and he's going to go to seven nines until he gets the right answer.

07:06.900 --> 07:12.270
Now it's interesting; he's been at this for a while. He's been at it for a while because I told him

07:12.270 --> 07:19.440
to. One of the big problems we run into with, especially, the newer generation WPS-capable wireless access

07:19.440 --> 07:24.900
points is that they know if somebody starts hitting on them really, really fast, keeps trying each iteration,

07:25.110 --> 07:28.480
that means they're being attacked, and they will either shut down.

07:28.590 --> 07:30.490
They will turn off WPS.

07:30.500 --> 07:34.570
I've got particular routers that will literally factory reset themselves.

07:34.680 --> 07:41.150
Yipe, if they get attacked too many times. So what I'm doing with Reaver right now, as I said, is just hit

07:41.150 --> 07:43.950
him very slowly, very, very slowly.

07:43.980 --> 07:51.420
So if you do it even one iteration per second, you're talking about, it's eleven thousand; thirty-six hundred

07:51.420 --> 07:57.990
iterations per hour, so you're talking about a maximum of three hours, and that's it, if you hit it one

07:57.990 --> 07:58.560
per second.

07:58.560 --> 08:02.150
If I hit this guy one per second, he's going to just cut off.

08:02.190 --> 08:04.770
He will literally turn off WPS on me.

08:04.770 --> 08:08.070
So what I'm doing is, I'm just going to let him run a little bit.

08:08.190 --> 08:12.230
And usually, in this case, I would consider letting him run as much as a week.

08:12.240 --> 08:13.300
Seriously.

08:13.530 --> 08:16.230
Just to make sure I don't set the routers.

08:16.230 --> 08:20.700
The end result is that Reaver will work. I guarantee it will work.

08:20.700 --> 08:23.770
It might take a couple of tries, but it absolutely will work.

08:23.850 --> 08:28.190
So here, let me put up what a successful Reaver attack is going to look like for you.

08:28.380 --> 08:32.580
So that's the beauty of WPS attacks. Now, Reaver is not the only tool out there.

08:32.580 --> 08:33.680
There are zillions of them.

08:33.690 --> 08:40.810
It's just the one I am most comfortable with; it's been around for a while. If you want to stop WPS attacks,

08:41.070 --> 08:43.220
you're going to have to be very, very careful.

08:43.410 --> 08:49.530
Number one, if you have older routers that are susceptible to this, and there's great documentation online

08:49.530 --> 08:51.620
about this, get rid of it.

08:51.720 --> 08:53.610
You can also consider a firmware update.

08:53.610 --> 08:59.850
One of the things I do love about the DD-WRT firmware for all of these little home routers is

08:59.850 --> 09:06.900
that it almost invariably shuts off WPS in a way that it's very, very difficult to turn it back on unless

09:06.900 --> 09:09.060
you intentionally want to do it yourself.

09:09.510 --> 09:14.570
And the last thing you want to do is consider a modern wireless router.

09:14.850 --> 09:17.180
They will have WPS on them.

09:17.190 --> 09:22.920
A lot of times, but they come with so many tools, it's very, very difficult for a guy like me to be able

09:22.920 --> 09:23.360
to crack.

09:23.360 --> 09:27.020
Yeah, unless I really, really, really have a lot of time.
