1 00:00:00,690 --> 00:00:07,770 The third injection method we're going to talk about is the fragmentation attack. The fragmentation attack
2 00:00:07,800 --> 00:00:10,240 is very similar to the previous one.
3 00:00:10,230 --> 00:00:17,790 But in this attack we have to obtain one thousand five hundred bytes of the PRGA, the pseudo random
4 00:00:17,790 --> 00:00:26,250 generation algorithm. Because we need to obtain the full fifteen hundred bytes, in this attack we need
5 00:00:26,250 --> 00:00:30,740 to be closer to the target network to successfully run this attack.
6 00:00:30,840 --> 00:00:34,420 But it's much quicker than the KoreK chopchop attack.
7 00:00:35,600 --> 00:00:43,520 So again, after we obtained the PRGA, we can use it to create, to forge, a new packet and then we're going
8 00:00:43,520 --> 00:00:51,560 to inject this new forged packet into the traffic to increase the number of IVs very quickly.
9 00:00:51,710 --> 00:00:59,080 So the concept is very simple: we're going to capture a packet, determine its PRGA, create a forged
10 00:00:59,080 --> 00:01:02,630 new packet and then inject that packet into the air.
11 00:01:03,140 --> 00:01:04,910 So let's see how we can do this.
12 00:01:06,450 --> 00:01:10,820 Again, first thing is going to be running airodump against the target network.
13 00:01:11,130 --> 00:01:17,810 So I'm just going to change the name here from chopchop to fragmentation, or I'm just going to call it fragment,
14 00:01:18,750 --> 00:01:19,910 hit enter.
15 00:01:19,990 --> 00:01:20,760 And here we go.
16 00:01:20,790 --> 00:01:23,780 Airodump is launched on our target network.
17 00:01:23,860 --> 00:01:31,600 Second step, as always, is fake authentication, so that the access point doesn't ignore us and it starts
18 00:01:31,600 --> 00:01:33,490 communicating with us.
19 00:01:33,550 --> 00:01:40,870 So we do that and we see here we have successfully associated with the target network and the authentication
20 00:01:40,870 --> 00:01:42,220 has changed to open.
21 00:01:42,460 --> 00:01:44,440 So that's very good.
22 00:01:44,530 --> 00:01:49,380 Third step is going to be our fragmentation then.
23 00:01:49,570 --> 00:01:55,630 It's very similar to the chopchop attack, so you can see here that's my chopchop code that I used, the
24 00:01:55,630 --> 00:01:57,320 chopchop command.
25 00:01:57,370 --> 00:02:00,990 So it's exactly the same command, just instead of chopchop
26 00:02:01,000 --> 00:02:04,180 I'm going to say fragment.
27 00:02:04,400 --> 00:02:12,410 So it's aireplay-ng, fragment, -b the target address of my target network, and then -h the MAC
28 00:02:12,410 --> 00:02:18,290 address of my own network, sort of my own network.
29 00:02:18,650 --> 00:02:23,990 So I'm just going to associate myself again and do the fragmentation attack.
30 00:02:28,200 --> 00:02:34,290 So it's waiting for a packet now. Once it captures the packet, it's going to try to determine its
31 00:02:34,290 --> 00:02:37,110 PRGA.
32 00:02:37,180 --> 00:02:38,290 Here we go.
33 00:02:38,500 --> 00:02:39,500 We got a packet.
34 00:02:39,760 --> 00:02:41,840 So it's asking me do I want to use this.
35 00:02:41,860 --> 00:02:46,170 I'm going to say yes please.
36 00:02:46,200 --> 00:02:48,330 Now it's trying to determine the PRGA.
37 00:03:05,670 --> 00:03:08,080 So the packet wasn't useful.
38 00:03:08,130 --> 00:03:11,490 I'm just waiting for another packet to use. It's asking me do I want to use this.
39 00:03:11,490 --> 00:03:35,500 I'm going to say yes again.
40 00:03:35,620 --> 00:03:37,530 Again that packet wasn't too useful.
41 00:03:37,540 --> 00:03:40,010 So we're just waiting for another useful packet.
42 00:03:41,100 --> 00:03:45,420 I'm going to reassociate myself in the meanwhile and I'm going to say yes.
43 00:04:12,620 --> 00:04:15,870 OK, now this time this packet was useful.
44 00:04:18,410 --> 00:04:21,640 And the keystream is saved to this file.
45 00:04:23,930 --> 00:04:29,330 Okay, now we're just going to need to, again, the same as we did in chopchop.
46 00:04:29,330 --> 00:04:35,670 We're going to use this keystream to create forged packets.
47 00:04:35,720 --> 00:04:39,440 So I'm just going to copy its name and I'm going to use the same command.
48 00:04:39,440 --> 00:04:40,930 I'm just going to clear this for you.
49 00:04:42,230 --> 00:04:47,220 And I'm going to use the same command that we used with the chopchop attack.
50 00:04:47,360 --> 00:04:54,500 The only difference is I'm going to remove the -y and I'm going to put the name of the new keystream
51 00:04:54,500 --> 00:04:59,280 that we captured and the name of the packet we're going to create.
52 00:04:59,360 --> 00:05:01,430 I'm going to call this fragment forged packet.
53 00:05:04,620 --> 00:05:06,870 So we're just going to go over the commands again.
54 00:05:06,870 --> 00:05:12,050 It's packetforge-ng, minus zero to create an ARP packet.
55 00:05:12,120 --> 00:05:14,480 We put the target MAC address.
56 00:05:14,680 --> 00:05:17,280 -h is my own MAC address.
57 00:05:17,280 --> 00:05:23,180 And then -k and -l are the destination and the source IP addresses.
58 00:05:23,520 --> 00:05:27,390 -y is the name of the keystream file.
59 00:05:27,540 --> 00:05:31,290 So it's the file that has been created from the previous step.
60 00:05:31,560 --> 00:05:33,140 And that's the name of it.
61 00:05:33,480 --> 00:05:37,030 And then -w is the file name that's going to be created.
62 00:05:37,070 --> 00:05:41,790 That's going to contain the forged packet and it's going to be called fragments.
63 00:05:42,040 --> 00:05:45,860 Fact and is still not stopped.
64 00:05:45,890 --> 00:05:48,470 It's been successfully read into this file.
65 00:05:48,830 --> 00:05:56,140 So again, just like the chopchop attack, we're going to inject this new packet into the air.
66 00:05:56,390 --> 00:06:01,870 And this is going to be done using aireplay-ng with the minus two option, the replay option.
67 00:06:02,190 --> 00:06:08,890 The replay option. Just going to paste the name of my new forged packet.
68 00:06:08,930 --> 00:06:18,370 So we got aireplay-ng, minus two for replay, -r the name of my forged packet, and zero is my Wi-Fi
69 00:06:18,370 --> 00:06:21,540 card with monitor mode. Before I do this,
70 00:06:21,590 --> 00:06:26,740 I'm going to associate myself again and then I'm going to hit enter here.
71 00:06:26,850 --> 00:06:32,080 It's asking me do I want to use this packet. I'm going to say yes.
72 00:06:32,300 --> 00:06:35,460 And here we go, we can see the data is flying.
73 00:06:35,660 --> 00:06:40,020 We're injecting around 400 packets per second.
74 00:06:41,100 --> 00:06:46,150 And once that number is large enough we're going to be able to crack the key.
75 00:06:47,080 --> 00:06:50,850 I can just go here to aircrack-ng.
76 00:06:50,970 --> 00:06:52,700 So it's going to be
77 00:06:52,910 --> 00:06:53,240 aircrack-ng
78 00:06:56,210 --> 00:06:57,860 fragment test
79 00:07:05,680 --> 00:07:12,660 .cap. Here it is, here we go, we can see the key, that's the key.
80 00:07:12,930 --> 00:07:15,700 And we have 70000 IVs.
81 00:07:15,870 --> 00:07:18,950 So if we go back here probably even more 35000.
82 00:07:19,110 --> 00:07:23,370 And the numbers are increasing quickly.
83 00:07:23,610 --> 00:07:28,380 So that was the three methods to inject packets into the air.
84 00:07:28,380 --> 00:07:35,550 There is more methods but that's in my opinion the best three methods to increase the number of data
85 00:07:35,770 --> 00:07:39,320 into the networks.
86 00:07:39,330 --> 00:07:43,440 This way we're able to crack any WEP encrypted network.