Now in this video I'd like to cover a configuration that might be used on the target router that could make cracking it a little bit different. Now as we know WEP is very rare to see now anyway, and this configuration is actually really, really rare. Most routers don't even support it. It is a bit different to crack it though, and usually people get confused when they see it and won't even know what to do. But it's actually kind of easier to crack this type of configuration than the normal WEP configuration.

What I want to talk about is if the target router does not use open authentication. So we've seen in all the previous videos the first step was to do a fake authentication attack. We checked the AUTH column in airodump-ng, which was OPN (open). In this case the router can be configured to use shared key authentication. So I have my router settings page here and you can see that I changed the setting here to required, and what this basically does is it prevents anybody from even associating with the router if they don't know the key.

So usually routers use open authentication, which basically means anybody can associate with the router. And then the router will check if you have the right password, if you have the right key. If you do they let you connect. If you don't they won't let you connect. So they actually allow you to associate and they'll communicate with you. If a shared key is used then the router will not even allow you to associate unless you encrypt a challenge for it and send it to it. You won't even be able to associate with the router if you don't have this shared key.

Let me show you an example here. So I'm just going to do first of all airodump-ng mon0 to see all the networks around us, and you can see that I have this network which I configured for this class and it's called SKA test AP. So it's right on channel 1 and I'm going to copy its MAC address and we're going to run airodump-ng against this network only. We're going to give it the BSSID, the channel, and we're going to store the data to our file and we'll call the file ska-test, and then I'm going to put my wireless card in monitor mode, which is mon0. So it's the same command that we've always been doing: airodump-ng, the BSSID of the target, the channel, and we're writing to a file. We're going to hit enter and this is going to run against our target only.

And now I'm just going to come in and do a fake authentication just to show you what happens in SKA networks. So we're going to do a fake authentication exactly like we did it before. So it's going to be aireplay-ng --fakeauth and we're going to put zero, and then we're going to do -a and put the MAC address of the router, and then I'm going to do -h and put my own MAC address, which is... now I'm doing all this real quick because you should know all of this by now because we covered it in previous lectures. My own MAC address is zero zero zero C A 2 8 2 9 8. Then we're going to put our wireless card in monitor mode, which is mon0. So again, same command we always use for the fake authentication: aireplay-ng --fakeauth 0, target MAC address, my MAC address. I'm going to hit enter.

So I'm going to Control-C this so you can see that we have SKA here under the AUTH column instead of open. And that means we can't really do all the attacks that we did previously, the three methods, the three injection methods that we spoke about previously. The way to fake authenticate yourself with SKA networks is you'll have to deauthenticate one of the connected clients in here. So you actually need... you have to have a client connected to the network, you're going to have to deauthenticate it, and once you do that airodump-ng will capture it. You can see that I have a broken SKA here. But if you do that properly you will get a normal SKA and then you'll use that file with the -y option to fake authenticate yourself, to associate with the network. And then you can do all the attacks that we spoke about in the previous lectures, the three methods.

The thing is that's a bit too complicated and there are two better methods to do that, because as I said if you want to associate and the target network uses SKA the network has to have a connected client, has to have at least one connected client. So based on that fact there's actually better ways to crack that network and I'm going to show you the first method right now, and that is using an ARP replay attack.

So let me close this first. And I'm going to clear this, and I'm actually going to stop this and clear it and run the attack again because I want to show you that you actually don't even need to run a fake authentication for this. So we're just going to name it something else, we're going to call it ska-test2, and we're going to launch airodump-ng. And as you can see right here you don't have authentication or anything on this network right now. And what I'm going to do is I'm going to do an ARP replay attack. So we spoke about that and we actually did it in a previous lecture.

The only difference is when we did it we did a fake authentication and we associated with the network, and then we used the replay attack based on our MAC address, so we replayed packets from our computer and injected them into the router. In this lecture, because we actually have a client... when we did it in previous lectures there were no clients connected. So we had to associate, our client showed up in here, and then we used our client MAC address to replay one of the ARP packets and we managed to increase the number of data rapidly that way. What we're going to do today is, because we already have a connected client, we're going to use this connected client in our replay attack, and this method will work against both normal networks and against the WEP networks that use SKA.

So this attack is going to be exactly the same as the ARP replay attack that we did. The difference is we're going to use the MAC address of a connected client instead of my own MAC address. So the command is going to be aireplay-ng --arpreplay, then we're going to do -b and we're going to give it the MAC address of the target network, then we're going to do -h. And instead of giving it my own MAC address like we did in previous videos I'm going to use the MAC address of one of the connected clients, which is this one, then I'm going to put my wireless card in monitor mode, which is mon0, and we're ready to go.

So again we're using aireplay-ng and we're doing an ARP replay attack exactly like we did before, we're specifying the target network after the -b. And then we're specifying the MAC address of a connected client this time instead of specifying my own MAC address. So I'm going to hit enter and all this is going to do is it's going to wait for an ARP packet, and once it captures one of them it's going to inject it into the traffic, and when it's going to do that it's actually relying on this connected client and it's injecting it as if this packet is coming from this connected client. And as you can see the number of data is increasing very, very fast right now and I can just run aircrack-ng on the side and I should be able to crack the password.

So again I'm going to run this like we did before, and we named the file ska-test, and we named it 2, and we have to append the -01 because airodump-ng does that automatically, and that's going to be a .cap, and we're going to hit enter. Now I'm going to stop this. As you can see we managed to get the key. Now we can use this, we just remove these dots from it, and connect to the target network and we'll be able to connect to it.

So again this method works on both normal WEP networks and the ones that use shared key authentication, or SKA. The only thing that it requires is an existing connected client to the network. So it's not a clientless cracking method.