All right, so a rogue access point is a wireless access point that's been installed on a secure network, but without explicit authorization from a local network administrator, whether added by a well-meaning employee or perhaps even a malicious attacker.

So attackers can persuade clients to connect back to your attack system instead of attacking APs or trying to recover WEP or.

So this is where rogue access points come into play. So if an attacker installs an access point, they are able to run various types of vulnerability scanners, and then rather than having to be physically inside the organization, they can just attack remotely.

So we'll see how rogue access point attacks work using different tools such as airbase-ng and WiFi-Pumpkin.

Karmetasploit is also a great function within Metasploit, allowing you to fake access points, but instead of that right now, I'm going to show you some newer tools such as Fluxion and WiFi-Pumpkin developed for rogue access points.

airbase-ng, of course, is not new. It was developed way back in 2008, but it's still a powerful tool that's been added to some of the new tools.

airbase-ng is a multipurpose tool designed to attack clients as opposed to attacking the access point itself. It also acts as an ad hoc or full access point. It has the ability to filter by SSID or client MAC addresses. You can manipulate and resend packets. You can also capture the WPA/WPA2 handshake. It also has the ability to encrypt sent packets and then decrypt received packets.

But I'll tell you that the main purpose of the airbase-ng tool is to encourage wireless clients to associate with a fake AP and then prevent them from accessing legitimate ones.

airbase-ng can easily disrupt real nearby access points, so it's necessary to use filters so that you can minimize its impact.

So let's go ahead and create a WEP access point with airbase-ng. Go to Kali. Open a terminal screen and switch user to root with sudo su -. Check the mode of your wireless adapter's interface. OK, so it's in monitor mode. And let's use airodump-ng to capture packets and find access points. airodump-ng will display a list of detected access points and also a list of connected clients. So we'll run airodump-ng on wlan0mon.

All right, so I connect to Hacker Academy. Now we can learn important information about the access point in this list, such as channel, encryption type, MAC address. Now, there's also a list that shows the clients connected to access points.

And now that we know the channel number, we can create a fake access point with airbase-ng on the same channel. So we'll use the -c parameter to give the channel number, the -e parameter to give an ESSID with the same name as the access point. The -s parameter is used to force shared key authentication. Uppercase -W is used to set the WEP flag in beacons. And then at the end of this command, we should add the wireless interface.

All right, so now a fake access point was created with this MAC address. So copy the BSSID. Open a new terminal and run airodump-ng to see only the information about this access point. I'll give the channel and the BSSID of the access point.

And as you can see, the encryption type of the fake access point is WEP, and it is on channel 11, and of course, right now there are no data packets because there's no connected client to this access point. But it is propagating beacon signals; you can see it's associated with WEP encryption on the other devices. So when a client attempts to connect to the fake access point, you can see the logs on the screen. Now, we didn't set a WEP key and we don't know the shared key right now, so we could not authenticate to this particular access point. Therefore, there are broken shared key authentication errors in the log. Right.

Now, in the WEP cracking section, I'll set the WEP key with the lowercase -w parameter to show you how to crack the WEP key. So right now, let's look at the airodump-ng screen. And although we could not authenticate with the fake access point, we can certainly see the MAC address of the device in this list when it attempts to authenticate.
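The same airodump-ng listing the lecture uses to pick a target is what a defender uses to spot the fake AP: a second BSSID advertising your ESSID, on a nearby channel, with different security settings (here WEP with shared key authentication beside a WPA2 network). The script below is an added example written for this page, not code from the course or from the aircrack-ng project. It assumes airodump-ng's CSV export layout (blank line, AP header, AP rows, blank line, station section) and the column names shown in the sample; the sample rows, the allowlist of authorized BSSIDs and all MAC addresses are constructed for the example.

```python
"""Flag evil-twin / rogue APs in an airodump-ng CSV dump.

Added example, not part of the course: compares every AP that advertises one
of our protected ESSIDs against an allowlist of authorized BSSIDs and the
expected security profile, then lists the clients seen talking to any rogue.
"""
import csv
import io

# Constructed sample in airodump-ng's CSV layout (column order assumed from the
# tool's output): blank line, AP header, AP rows, blank line, station section.
# DE:AD:BE:EF:00:01 plays the fake WEP AP created on channel 11 in the video.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -45, 120, 0, 0.  0.  0.  0, 14, Hacker Academy,
AA:BB:CC:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6, 54, WPA2, CCMP, PSK, -60,  80, 0, 0.  0.  0.  0, 14, Hacker Academy,
DE:AD:BE:EF:00:01, 2024-01-01 10:03:00, 2024-01-01 10:05:00, 11, 54, WEP, WEP, SKA, -30,  40, 0, 0.  0.  0.  0, 14, Hacker Academy,
11:22:33:44:55:66, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1, 54, WPA2, CCMP, PSK, -70,  50, 0, 0.  0.  0.  0, 9, Neighbour,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2024-01-01 10:04:00, 2024-01-01 10:05:00, -50, 10, DE:AD:BE:EF:00:01, Hacker Academy
"""

# Authorized profile per protected ESSID: the BSSIDs we own and the security
# settings every legitimate AP must advertise (constructed for this example).
AUTHORIZED = {
    "Hacker Academy": {
        "bssids": {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"},
        "privacy": "WPA2",
        "auth": "PSK",
    },
}


def parse_airodump_csv(text):
    """Split an airodump-ng CSV into (access_points, stations), each a list of dicts."""
    sections, header, rows = [], None, []
    for row in csv.reader(io.StringIO(text)):
        row = [field.strip() for field in row]
        if not any(row):            # a blank line ends the current section
            if header is not None:
                sections.append(rows)
                header, rows = None, []
            continue
        if header is None:          # first non-blank row of a section is its header
            header = row
            continue
        rows.append(dict(zip(header, row)))
    if header is not None:
        sections.append(rows)
    aps = sections[0] if sections else []
    stations = sections[1] if len(sections) > 1 else []
    return aps, stations


def find_rogue_aps(aps, stations, authorized):
    """Return APs that advertise a protected ESSID from an unknown BSSID or with the wrong security settings."""
    findings = []
    for ap in aps:
        profile = authorized.get(ap.get("ESSID", ""))
        if profile is None:
            continue                # not one of our ESSIDs; out of scope for this check
        bssid = ap["BSSID"].upper()
        reasons = []
        if bssid not in profile["bssids"]:
            reasons.append("unknown BSSID")
        if ap["Privacy"] != profile["privacy"]:
            reasons.append(f"privacy {ap['Privacy']} != {profile['privacy']}")
        if ap["Authentication"] != profile["auth"]:
            reasons.append(f"auth {ap['Authentication']} != {profile['auth']}")
        if reasons:
            # Clients already associated with the rogue are the ones to notify first.
            clients = sorted(s["Station MAC"] for s in stations
                             if s.get("BSSID", "").upper() == bssid)
            findings.append({"bssid": bssid, "essid": ap["ESSID"],
                             "channel": ap["channel"], "reasons": reasons,
                             "clients": clients})
    return findings


def report(text=SAMPLE_CSV, authorized=AUTHORIZED):
    """Print one line per rogue AP and return the findings."""
    aps, stations = parse_airodump_csv(text)
    findings = find_rogue_aps(aps, stations, authorized)
    for f in findings:
        print(f"ROGUE {f['bssid']} essid={f['essid']!r} ch={f['channel']}: "
              f"{', '.join(f['reasons'])}; clients={f['clients']}")
    return findings


if __name__ == "__main__":
    report()
```

In practice you would point `parse_airodump_csv` at the `-01.csv` file that `airodump-ng -w prefix` writes and run the check on a schedule; a hit on an unknown BSSID with the organization's ESSID, especially one advertising weaker security than the real network, is the signature of exactly the airbase-ng setup shown above.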