1 00:00:00,510 --> 00:00:08,370 So cracking WPA or WPA2 encrypted networks is not simple, especially since all the packets that are sent
2 00:00:08,370 --> 00:00:14,460 into the air are not useful for us, as they do not contain any information that can help us determine
3 00:00:14,700 --> 00:00:17,040 the WPA key.
4 00:00:17,040 --> 00:00:23,640 Before we get into cracking WPA and WPA2, there is a feature called WPS.
5 00:00:23,660 --> 00:00:29,390 It allows users and clients to connect to the network by a push of a button.
6 00:00:29,550 --> 00:00:36,780 So on Windows 8, if you look on some Wi-Fi printers, they have a WPS button.
7 00:00:36,900 --> 00:00:43,800 So if you press that button and you go to your router and press the WPS button there as well, or
8 00:00:43,800 --> 00:00:51,900 go to the configuration page and press the button, the client, the printer or your Windows device, will
9 00:00:51,900 --> 00:00:55,220 connect to the network without having to enter the key.
10 00:00:55,380 --> 00:01:02,310 So the purpose of using WPS is that it's a feature that allows clients to connect to the network easily without
11 00:01:02,310 --> 00:01:05,280 having to enter the WPA key manually.
12 00:01:05,280 --> 00:01:07,680 So it's just a feature in routers.
13 00:01:08,040 --> 00:01:14,230 This feature works and authenticates the clients using an eight digit PIN.
14 00:01:14,310 --> 00:01:17,540 So it doesn't use the actual WPA key.
15 00:01:17,580 --> 00:01:19,790 It uses an eight digit PIN.
16 00:01:19,830 --> 00:01:23,110 This is only digits and it's only 8 bits long.
17 00:01:23,250 --> 00:01:27,190 So there aren't too many possibilities for this.
18 00:01:27,190 --> 00:01:31,870 And if we use a brute force attack we are guaranteed to get this PIN.
19 00:01:32,310 --> 00:01:39,480 If we successfully get this PIN, then we can use a tool called reaver which would calculate the WPA key
20 00:01:39,660 --> 00:01:40,670 from this PIN.
21 00:01:40,710 --> 00:01:46,470 So we're going to brute force the PIN, the digits, and because it's only 8 digits we're guaranteed
22 00:01:46,470 --> 00:01:48,680 to be able to brute force it successfully.
23 00:01:48,840 --> 00:01:53,840 Once we do that, we can calculate the WPA key using reaver.
24 00:01:54,330 --> 00:01:57,110 Again, this is only a feature in routers.
25 00:01:57,150 --> 00:02:01,080 This flaw is not in WPA or WPA2 encryption.
26 00:02:01,080 --> 00:02:04,750 The problem is in the WPS feature.
27 00:02:04,770 --> 00:02:06,310 So let's see how we do this.
28 00:02:06,310 --> 00:02:11,980 First, to look for access points that have WPS enabled,
29 00:02:12,090 --> 00:02:14,240 we're going to use a tool called wash.
30 00:02:14,400 --> 00:02:17,690 So I'm just going to put wash -i mon0
31 00:02:21,030 --> 00:02:24,630 so we have our Test AP showing up here.
32 00:02:24,630 --> 00:02:27,430 That's the AP that we're going to try to crack.
33 00:02:27,600 --> 00:02:30,020 So this is actually running on WPA.
34 00:02:30,020 --> 00:02:33,390 Now it's not using WEP, as we saw in the previous videos.
35 00:02:33,390 --> 00:02:36,870 I can confirm that for you here; we are just going to use airodump-ng.
36 00:02:36,930 --> 00:02:38,490 This step is not important.
37 00:02:38,490 --> 00:02:44,820 I'm just going to use it to show you that Test AP is actually using WPA encryption.
38 00:02:44,820 --> 00:02:46,720 It's not WEP.
39 00:02:46,800 --> 00:02:50,950 So as you can see here, Test AP is using WPA encryption.
40 00:02:51,540 --> 00:02:52,520 Let's just go back.
41 00:02:52,650 --> 00:02:59,380 So these are the access points that have WPS enabled, that have the WPS feature enabled.
42 00:02:59,640 --> 00:03:05,190 And we can see the channel, the RSSI which is the distance between us and the access point,
43 00:03:05,400 --> 00:03:09,850 the WPS version and the WPS lock.
44 00:03:09,890 --> 00:03:17,530 Now some routers, when you try to brute force the WPS PIN, lock after a few failed attempts.
45 00:03:17,550 --> 00:03:23,550 So if you try, for example, four wrong PINs, they're going to lock and not accept any PINs for a certain
46 00:03:23,550 --> 00:03:24,470 amount of time.
47 00:03:24,660 --> 00:03:30,930 So if the WPS lock says yes here, then you can't actually use this attack now, so you need to wait for
48 00:03:30,930 --> 00:03:34,710 a little bit and come back to this access point.
49 00:03:34,770 --> 00:03:42,440 So let's go on to reaver. Now reaver is going to brute force the WPS PIN, and once it's able to find the WPS
50 00:03:42,440 --> 00:03:49,770 PIN it's going to work out the WPA key. Reaver supports pause and resume.
51 00:03:49,770 --> 00:03:56,970 So if you, for example, brute force 30 percent of the possibilities and cancel the attack,
52 00:03:57,240 --> 00:04:00,330 when you come back you're going to start again from 30 percent.
53 00:04:00,390 --> 00:04:02,350 You're not going to start from zero.
54 00:04:02,490 --> 00:04:09,290 So let's launch reaver. We're going to put -b to choose the BSSID, or the MAC address, of the target
55 00:04:09,290 --> 00:04:09,940 access point
56 00:04:12,830 --> 00:04:23,210 and then -c to choose the channel, which is 11, and then -i to choose the Wi-Fi card in monitor mode, and
57 00:04:23,210 --> 00:04:24,110 that's mon0.
58 00:04:24,110 --> 00:04:30,220 So very simple: reaver, the access point's BSSID, the channel,
59 00:04:30,500 --> 00:04:39,860 and then the Wi-Fi card in monitor mode. Now reaver associated with the target access point and tried
60 00:04:40,460 --> 00:04:42,440 to determine the WPS PIN.
61 00:04:42,440 --> 00:04:46,040 Now I have an easy PIN, which is 1 2 3 4 5 6 7 0.
62 00:04:46,280 --> 00:04:50,410 And from that it was able to calculate my WPA key.
63 00:04:50,450 --> 00:04:54,610 So that's the WPA key: you or you or them when you as X or.
64 00:04:55,040 --> 00:04:57,250 And that's just the name of the access point.
65 00:04:57,290 --> 00:05:04,430 So I can just come now and connect to my network, and I put in the key that we just found,
66 00:05:08,030 --> 00:05:15,470 then I show the password: it's you a you or the X or, next.
67 00:05:15,650 --> 00:05:19,480 As you can see, we connected successfully to the network.
68 00:05:19,490 --> 00:05:22,670 Now there are a few options that I'd like to show you for reaver.
69 00:05:22,670 --> 00:05:29,890 I'm just going to do reaver --help, and these are all the options that you can use with reaver.
70 00:05:30,310 --> 00:05:36,080 So as I said, some routers would lock after a few failed attempts.
71 00:05:36,250 --> 00:05:42,100 Therefore you can use some of these other advanced options to get reaver to work
72 00:05:42,160 --> 00:05:44,190 against these access points.
73 00:05:44,200 --> 00:05:51,340 For example, you can use the delay option and specify the amount of time in seconds that reaver should
74 00:05:51,340 --> 00:05:55,590 wait between each brute force attempt, or each PIN attempt.
75 00:05:55,630 --> 00:05:59,400 You can also use the lock delay to tell reaver to wait,
76 00:05:59,400 --> 00:06:06,580 for example 60 seconds: if the access point gets locked, then wait for 60 seconds and then
77 00:06:06,580 --> 00:06:10,310 continue your brute force attempt.
78 00:06:10,360 --> 00:06:14,800 You can use the fail wait as well to set the time that you should wait
79 00:06:14,800 --> 00:06:23,590 after 10 failed attempts. You can use the recurring delay option to tell reaver to sleep after a certain amount, just sleep
80 00:06:23,590 --> 00:06:27,800 for a certain amount of seconds after a certain number of tries.
81 00:06:28,060 --> 00:06:30,110 You can set the timeout.
82 00:06:30,340 --> 00:06:36,360 You can play with these options, the delay options, the timeout, the fail wait and all that,
83 00:06:36,460 --> 00:06:41,660 if the access point is locking or is ignoring some of your brute force attempts.