1 00:00:01,580 --> 00:00:08,750 The handshake snooper attack attempts to retrieve two authentication hashes, which is otherwise known as
2 00:00:08,750 --> 00:00:16,520 a four-way handshake, and then we can use that later in the captive portal attack for key verification.
3 00:00:17,570 --> 00:00:25,940 So the captive portal attack will require the handshake .cap file from the target access point. We do
4 00:00:25,940 --> 00:00:30,770 not have the .cap file, so we must first complete the handshake snooper attack.
5 00:00:31,490 --> 00:00:31,910 All right.
6 00:00:31,910 --> 00:00:32,570 So let's go.
7 00:00:33,820 --> 00:00:36,340 Go to Kali, open the terminal screen.
8 00:00:37,200 --> 00:00:45,210 And we can see the status of the adapter with the iwconfig command, so its mode is managed for now,
9 00:00:46,020 --> 00:00:48,000 so we can enable monitor mode.
10 00:00:48,420 --> 00:00:50,790 I hope you've already done it, right?
11 00:00:51,040 --> 00:00:54,570 Just enable it with airmon-ng, OK, in monitor mode.
12 00:00:56,050 --> 00:01:01,750 And we'll change directory to fluxion, so execute the bash file to run fluxion.
13 00:01:05,920 --> 00:01:08,230 And select the handshake snooper attack.
14 00:01:12,080 --> 00:01:19,070 Now select the channel of the access point that we want to create a fake access point for, so if you
15 00:01:19,070 --> 00:01:21,770 don't know the channel, then select three.
16 00:01:22,280 --> 00:01:28,820 It will list all the access points for channels in both the 2.4 GHz and the 5 GHz
17 00:01:28,820 --> 00:01:29,330 bands.
18 00:01:31,440 --> 00:01:33,450 My access point is on channel 11.
19 00:01:35,090 --> 00:01:40,880 So if your target access point appears on this screen, just close the scanner with the key command Control-
20 00:01:40,880 --> 00:01:41,270 C.
21 00:01:44,470 --> 00:01:46,870 And enter the number of the target access point.
22 00:01:48,860 --> 00:01:52,460 OK, so now we can select a wireless interface, wlan0.
23 00:01:53,830 --> 00:01:57,460 And again, we'll select the same interface for our fake access point.
24 00:01:58,600 --> 00:02:05,140 Now, to force the client to reconnect to the access point, fluxion will perform a deauthentication
25 00:02:05,140 --> 00:02:12,250 attack. The passive method of attack forces the radio to go completely silent, making
26 00:02:12,250 --> 00:02:16,540 the attack undetectable, and then allows for better listening.
27 00:02:18,030 --> 00:02:22,950 So this method should work best in situations where the target is pretty far away.
28 00:02:24,330 --> 00:02:33,210 An aggressive method of attack uses a deauthenticator, either aireplay-ng or mdk, and sends
29 00:02:33,210 --> 00:02:36,860 deauthentication packets to the target access point's clients.
30 00:02:37,710 --> 00:02:41,940 So this method cuts the connection between the client and the access point.
31 00:02:43,120 --> 00:02:48,830 Then, once the connection has been broken, some devices will automatically attempt to reconnect, sending
32 00:02:49,010 --> 00:02:53,900 a four-way handshake which fluxion's radio could catch.
33 00:02:55,290 --> 00:02:57,120 Now, this method really...
34 00:02:58,950 --> 00:03:05,580 Legal disclaimer: this method really could be considered illegal, so I want you to make sure that
35 00:03:05,580 --> 00:03:09,010 you're following whatever governing laws apply to you.
36 00:03:09,270 --> 00:03:10,930 You need to be aware of all of that.
37 00:03:11,520 --> 00:03:14,720 We are not liable for your irresponsibility.
38 00:03:15,240 --> 00:03:21,410 So, that being said, I am attacking my own access point for educational purposes.
39 00:03:21,420 --> 00:03:25,410 So I'll just select aireplay-ng as the deauthenticator.
40 00:03:27,780 --> 00:03:34,110 So now we need to select a hash verifier, and it'll be used when a valid hash is captured.
41 00:03:35,250 --> 00:03:38,190 So I select the recommended tool, which is cowpatty.
42 00:03:39,080 --> 00:03:44,120 And I'll just select 60 seconds for this; you can always select the recommended option.
43 00:03:45,320 --> 00:03:52,280 So it sets how verification occurs in relation to capturing data: either simultaneously (asynchronously)
44 00:03:52,790 --> 00:03:55,250 or back to back (synchronously).
45 00:03:56,180 --> 00:03:58,610 And I will select synchronously.
46 00:04:00,950 --> 00:04:04,970 All right, so finally the attack has started, so there are three screens.
47 00:04:06,460 --> 00:04:09,520 In the upper left screen, the handshake will be captured.
48 00:04:11,710 --> 00:04:17,800 In the lower left corner, there are a lot of messages about the activities performed by fluxion in
49 00:04:17,800 --> 00:04:18,420 the background.
50 00:04:20,100 --> 00:04:26,100 And in the lower right corner, aireplay-ng performs deauthentication attacks to force the clients
51 00:04:26,100 --> 00:04:27,600 to reconnect to the access point.
52 00:04:29,950 --> 00:04:34,180 Now, yeah, at this stage we have to be a little patient until the handshake gets caught.
53 00:04:36,900 --> 00:04:39,630 The client connected to the access point right now.
54 00:04:43,620 --> 00:04:47,430 OK, great, so the handshake snooper attack is now complete.
55 00:04:48,530 --> 00:04:53,510 Looks like fluxion caught a valid hash and saved it to fluxion's database.