1
00:00:00,890 --> 00:00:01,580
Welcome back.

2
00:00:02,120 --> 00:00:08,420
So we saw how we can put our wireless card in monitor mode, but right now let's get to the real attack.

3
00:00:08,750 --> 00:00:10,590
So the steps go like this.

4
00:00:10,640 --> 00:00:13,230
We want to put our card in monitor mode.

5
00:00:13,670 --> 00:00:17,200
Then we want to sniff all of the information around us.

6
00:00:17,510 --> 00:00:23,040
Then out of all of the wireless access points, we must pick the one that we want to attack.

7
00:00:23,060 --> 00:00:28,370
And in this video, I will be attacking my own wireless access point because attacking anyone else's

8
00:00:28,370 --> 00:00:29,550
would be illegal.

9
00:00:29,990 --> 00:00:32,720
So we'll be attacking my access point.

10
00:00:32,870 --> 00:00:36,190
You can attack yours if you're still following this section.

11
00:00:36,440 --> 00:00:43,340
And once we choose our target, we need to check out the channel on which the target is running and

12
00:00:43,340 --> 00:00:46,760
the MAC address which the target access point has.

13
00:00:47,540 --> 00:00:49,940
Then we must run our sniffing program.

14
00:00:50,210 --> 00:00:56,930
And simultaneously, while running that sniffing program, we must run the deauthentication attack.

15
00:00:57,440 --> 00:01:02,270
Then we can deauthenticate the devices on that access point for a few seconds.

16
00:01:02,390 --> 00:01:07,970
And once we stop the deauthenticating, we should be able to sniff the four-way handshake with the hash

17
00:01:08,030 --> 00:01:09,680
value of the password.

18
00:01:10,280 --> 00:01:16,340
Then we can move on to the Kali Linux machine and there we're going to try to crack that password.

19
00:01:17,100 --> 00:01:21,940
OK, there are a lot of steps in front of us, so let's get straight into it.
20
00:01:22,310 --> 00:01:29,030
So what I'm going to do is I'm going to put my wireless card in monitor mode, as I did in the previous

21
00:01:29,030 --> 00:01:29,410
video.

22
00:01:30,560 --> 00:01:32,450
Nothing really to explain too much here.

23
00:01:33,320 --> 00:01:42,050
And the next command that we want to run right after it is airmon-ng check wlan1, which is my

24
00:01:42,290 --> 00:01:43,650
wireless interface.

25
00:01:43,880 --> 00:01:47,550
Now, this program is something that you have inside of your Linux machines.

26
00:01:47,580 --> 00:01:50,030
You shouldn't have a problem running this.

27
00:01:50,860 --> 00:01:55,310
The wireless interface is something that you want to change to the name of your wireless interface.

28
00:01:55,310 --> 00:01:59,600
And once you set the entire command, you can click enter.

29
00:02:00,470 --> 00:02:04,520
It will tell you that it found five processes that could cause some trouble.

30
00:02:05,240 --> 00:02:12,080
Now, this means that if we run into any problems during our process of gathering the four-way handshake

31
00:02:12,080 --> 00:02:16,410
with the password, it could be due to these processes still running.

32
00:02:17,030 --> 00:02:22,110
So we're just not going to risk that and we're going to kill all of those processes straight away.

33
00:02:22,820 --> 00:02:23,730
How can we do that?

34
00:02:24,170 --> 00:02:26,630
Well, we can type airmon-ng

35
00:02:27,730 --> 00:02:37,150
and then check and then kill. Once you type this, press enter, it will also tell you that it

36
00:02:37,150 --> 00:02:43,090
found five processes, but down here it will also tell you that it is killing all those processes.

37
00:02:43,330 --> 00:02:47,280
So now we shouldn't have any problem running our other tools.

38
00:02:48,100 --> 00:02:54,640
Once you do that, what you want to check is whether your wireless card is still in monitor mode.
39
00:02:54,820 --> 00:03:02,260
And since it sometimes turns back to managed mode, you must put it once again into monitor mode after

40
00:03:02,260 --> 00:03:04,780
performing the airmon-ng command.

41
00:03:08,230 --> 00:03:14,050
After you put it back to monitor mode, the next command that we want to run is airodump-ng

42
00:03:14,050 --> 00:03:18,760
and then the interface that is currently in monitor mode.

43
00:03:19,060 --> 00:03:25,510
Since wlan1 is in monitor mode for me, I will press enter right here and this will

44
00:03:25,510 --> 00:03:28,630
start sniffing all of the information around me.

45
00:03:28,780 --> 00:03:34,780
Let me enlarge this terminal and we're going to be able to see all of the various access points that

46
00:03:34,780 --> 00:03:35,560
are around me.

47
00:03:36,130 --> 00:03:40,030
These are the names of the wireless access points under the column

48
00:03:40,030 --> 00:03:40,840
ESSID.

49
00:03:41,710 --> 00:03:47,050
The authentication, the cipher and the encryption is the type of protection the access point has.

50
00:03:47,060 --> 00:03:52,510
So you can see most of them will have WPA2, which is currently the highest protection they can

51
00:03:52,510 --> 00:03:54,940
possibly get. CH right

52
00:03:54,940 --> 00:04:00,790
here is something that we want to remember because this column is actually the channel.

53
00:04:00,790 --> 00:04:06,690
And you remember channel is one of the two things that we need in order to perform this attack.

54
00:04:07,120 --> 00:04:12,700
The data can tell us if the access point is currently active or if it has some devices connected to

55
00:04:12,700 --> 00:04:14,440
it that are browsing the Internet.

56
00:04:14,710 --> 00:04:17,400
While the beacons would usually tell us the same thing.

57
00:04:17,410 --> 00:04:23,100
However, the PWR right here can tell us how far away the access point is.
58
00:04:23,110 --> 00:04:26,610
So the lower the number, the closer the access point is to you.

59
00:04:26,890 --> 00:04:30,560
And sometimes if you choose an access point that is far, far away,

60
00:04:30,940 --> 00:04:33,190
this attack might not work.

61
00:04:33,550 --> 00:04:37,290
You have to be really close to the target in order for this to work.

62
00:04:37,300 --> 00:04:40,330
However, you do not have to be connected to the target.

63
00:04:40,330 --> 00:04:43,120
As you can see right now, I have no access to the Internet.

64
00:04:43,120 --> 00:04:50,560
I am not connected to any access point and I will be targeting this access point right here called Tachometer.

65
00:04:51,160 --> 00:04:53,020
This is my wireless access point.

66
00:04:53,020 --> 00:04:55,300
Therefore, I will be targeting that.

67
00:04:56,350 --> 00:04:59,650
Now, remember that we need to remember two things.

68
00:04:59,890 --> 00:05:02,920
So the channel for my access point is two.

69
00:05:03,460 --> 00:05:06,640
And by the way, once you choose your target, feel free to Ctrl+C

70
00:05:06,640 --> 00:05:12,280
this, because sometimes the screen knows to move and you cannot really copy and paste different things

71
00:05:12,280 --> 00:05:12,850
that you need.

72
00:05:13,330 --> 00:05:20,950
So I have chosen this target right here and I need to remember the channel, which is two, and the MAC

73
00:05:21,100 --> 00:05:21,670
address.

74
00:05:22,180 --> 00:05:24,070
Now, the channel is easy to remember.

75
00:05:24,070 --> 00:05:31,330
So therefore I'm just going to copy the MAC address right here and then we need to start the sniffing

76
00:05:31,330 --> 00:05:32,110
process again.

77
00:05:32,110 --> 00:05:36,940
However, we're going to write information inside of a file for this.

78
00:05:36,970 --> 00:05:40,000
We're only going to sniff one access point's information.
79
00:05:40,300 --> 00:05:45,670
And to do that, we must specify the channel and the MAC address, so we start the command

80
00:05:45,670 --> 00:05:54,010
the same with airodump-ng, and then we use the -c command for the channel and we specify the channel

81
00:05:54,010 --> 00:05:54,460
number.

82
00:05:54,460 --> 00:05:55,810
In my case, that is two.

83
00:05:56,200 --> 00:06:02,020
And airodump-ng is also a program that you have preinstalled in Kali Linux, so all of these programs that we use,

84
00:06:02,170 --> 00:06:04,990
you will already have in your Kali Linux machine.

85
00:06:05,500 --> 00:06:11,500
If you don't or if you're using some other machine to perform this, I will link in the resources how

86
00:06:11,500 --> 00:06:13,240
you can download all of these tools.

87
00:06:13,240 --> 00:06:16,870
It is pretty simple, so you shouldn't have any problem downloading them.

88
00:06:17,380 --> 00:06:19,210
Nonetheless, let's get back to our command.

89
00:06:19,210 --> 00:06:23,830
So we got airodump-ng and then -c for the channel.

90
00:06:23,830 --> 00:06:25,750
We specify channel number two; for you

91
00:06:25,750 --> 00:06:30,970
it might be a different channel, and after that we use --bssid.

92
00:06:31,240 --> 00:06:35,320
And what BSSID is is simply the MAC address,

93
00:06:35,470 --> 00:06:40,200
since we can see that the column where MAC addresses are is called BSSID.

94
00:06:40,900 --> 00:06:42,970
So after this we must

95
00:06:44,060 --> 00:06:50,540
paste our MAC address, our target for this access point, and the last parameter to this command

96
00:06:50,720 --> 00:06:58,310
is going to be the -w option, and this option simply stands for the filename that we're going to write

97
00:06:58,310 --> 00:06:59,150
all of this in.

98
00:07:00,460 --> 00:07:09,380
So let's call this -w, access point name in capitals, underscore test. This is going to be our file name.
99
00:07:09,700 --> 00:07:15,190
And by the way, also once running this command, remember in which destination you are running the

100
00:07:15,190 --> 00:07:17,900
command because that is where it's going to save your files.

101
00:07:18,280 --> 00:07:25,330
I'm saving this as estimator_test and the last thing that we must specify is the wireless interface,

102
00:07:25,330 --> 00:07:27,730
which is currently in monitor mode for me.

103
00:07:27,740 --> 00:07:34,180
That is the one where you specify your wireless interface in monitor mode, and once you craft this command

104
00:07:34,540 --> 00:07:36,010
you can press enter.

105
00:07:37,060 --> 00:07:42,630
And you will notice right here, it will only sniff for this specific access point.

106
00:07:42,670 --> 00:07:48,130
We can see the name right here under the ESSID and we can see its MAC address.

107
00:07:48,640 --> 00:07:54,860
But also we can see the devices that are currently connected to this access point.

108
00:07:54,880 --> 00:07:57,790
And at the moment, it only has two of them.

109
00:07:58,420 --> 00:08:04,510
Now, what I'm going to do is I'm going to connect to the wireless access point over my mobile phone.

110
00:08:04,960 --> 00:08:10,480
And you can see that we already managed to capture the WPA handshake, which is all that we need in

111
00:08:10,480 --> 00:08:12,010
order to be able to crack the password.

112
00:08:12,050 --> 00:08:19,570
However, we're going to try to do that again just by performing the attack, because we cannot

113
00:08:19,570 --> 00:08:22,300
wait for someone to randomly connect to our access point.

114
00:08:22,600 --> 00:08:25,870
We must disconnect everyone from the access point.

115
00:08:27,450 --> 00:08:34,470
And to do that, I'm going to enter the root terminal and I will enlarge this, of course, so you can

116
00:08:34,470 --> 00:08:36,480
see everything better.
117
00:08:39,430 --> 00:08:47,380
And the command that we must use to actually deauthenticate someone is aireplay-ng,

118
00:08:47,500 --> 00:08:55,050
so it is spelled like this, and the options that it takes is -0 and then space and 0.

119
00:08:55,090 --> 00:09:01,360
Once again, this means it will send deauthentication packets indefinitely until we Ctrl+C the

120
00:09:01,360 --> 00:09:04,270
program and then it will stop deauthenticating.

121
00:09:05,020 --> 00:09:10,420
So what I advise you to do if you're following this attack is connect your mobile phone to the access

122
00:09:10,420 --> 00:09:15,940
point and you will notice, as soon as we start running this command, your mobile phone will get disconnected

123
00:09:15,940 --> 00:09:17,770
from that wireless access point.

124
00:09:18,040 --> 00:09:22,250
So once you type that zero and then zero, the next parameter is -a.

125
00:09:22,270 --> 00:09:26,680
And after that comes the MAC address of the wireless access point.

126
00:09:27,660 --> 00:09:34,350
At the end, we only specify the wireless interface in monitor mode and we can start deauthenticating,

127
00:09:34,710 --> 00:09:40,770
and if we take a look at my phone, I am instantly being disconnected from this wireless access point.

128
00:09:40,980 --> 00:09:45,210
And if I go to settings and try to connect back, it will not work.

129
00:09:45,600 --> 00:09:51,290
Nobody will be able to connect to this wireless access point as long as I'm running this attack.

130
00:09:52,110 --> 00:09:57,480
But you only want to run this for a few seconds and once you run it for a few seconds, everyone will

131
00:09:57,480 --> 00:09:58,320
be disconnected.

132
00:09:58,590 --> 00:10:01,530
Then you Ctrl+C, and here,

133
00:10:01,530 --> 00:10:09,270
in just a few seconds, we will be catching WPA2 handshakes with the hash value of the password from

134
00:10:09,270 --> 00:10:09,780
my phone.
135
00:10:09,790 --> 00:10:15,210
I already established a connection to the wireless access point and once you do that, in the upper right

136
00:10:15,210 --> 00:10:18,180
corner you should see this WPA handshake.

137
00:10:18,420 --> 00:10:23,190
And as soon as you see that, you can Ctrl+C this program; you got everything that you need.

138
00:10:23,490 --> 00:10:25,050
You got the four-way handshake.

139
00:10:25,050 --> 00:10:28,890
And inside of that four-way handshake is the password that you need.

140
00:10:29,490 --> 00:10:36,660
Once you finish all of this, you will notice that you got four different files on your desktop.

141
00:10:36,870 --> 00:10:41,490
As you can see, one, two, three and four.

142
00:10:42,270 --> 00:10:46,170
And you actually only need one out of these four files.

143
00:10:46,170 --> 00:10:48,120
And this is the .cap file.

144
00:10:48,630 --> 00:10:51,480
All of the other three you don't need for this attack.

145
00:10:51,480 --> 00:10:57,240
So you can just save the .cap file and you can delete the others once you have the .cap file.

146
00:10:57,240 --> 00:10:59,400
Inside of this file is the four-way handshake.

147
00:10:59,610 --> 00:11:04,710
And then in the next video, we're going to use different tools to extract the hashed password from this

148
00:11:04,710 --> 00:11:05,520
.cap file.

149
00:11:05,700 --> 00:11:12,480
And then we're going to use massive word lists to try to crack this password from this file.

150
00:11:13,110 --> 00:11:18,720
But for this, I'm going to switch to my Linux machine so we can go back to our normal environment since

151
00:11:18,720 --> 00:11:21,640
I no longer need to run any program on my laptop.

152
00:11:22,050 --> 00:11:22,980
See you in the next video.