1
00:00:01,560 --> 00:00:09,430
Previously we've seen how we can use reaver to crack the WPS pin and from it get the WPA key.

2
00:00:09,610 --> 00:00:14,560
We've seen the basic usage against a router that's not very secure.

3
00:00:14,610 --> 00:00:20,850
Now like I said that router was given to me by the Internet provider with these default settings so

4
00:00:20,850 --> 00:00:26,970
most people will actually leave it at the settings and it'll be as easy as that to exploit all the networks

5
00:00:26,970 --> 00:00:31,960
that use these routers unless the user went and manually changed the settings.

6
00:00:33,500 --> 00:00:38,040
Now with this lecture I want to show you another example of a more secure router.

7
00:00:38,060 --> 00:00:43,820
So this is another router that I have in here and I want to run reaver against it and we will see

8
00:00:43,940 --> 00:00:48,350
how we can crack its pin and get the password.

9
00:00:48,370 --> 00:00:53,930
So first of all we're going to have to run wash to see all the WPS enabled routers around me.

10
00:00:54,010 --> 00:00:59,120
So we're going to do wash -i mon0.

11
00:00:59,140 --> 00:01:04,570
So this is exactly the same command that we were running before, mon0 is my wireless adapter in monitor

12
00:01:04,570 --> 00:01:05,210
mode.

13
00:01:05,440 --> 00:01:06,360
I'm going to hit enter

14
00:01:09,720 --> 00:01:14,820
and as you can see I have all the WPS enabled routers around me.

15
00:01:14,820 --> 00:01:23,760
Now my target in this video is going to be this one which is called Test AP 2 and it has this MAC address.

16
00:01:23,870 --> 00:01:25,000
So like we did before.

17
00:01:25,010 --> 00:01:31,990
I'm going to first copy this and I'm going to run the basic reaver command that we used previously.

18
00:01:32,180 --> 00:01:33,710
So it's just going to be reaver

19
00:01:34,980 --> 00:01:44,970
-b BSSID then -c the channel which is 11 and then we'll give it my wireless adapter in monitor mode

20
00:01:45,240 --> 00:01:47,000
which is mon0.

21
00:01:47,520 --> 00:01:51,080
So a very basic command that we've seen before, we're just doing reaver.

22
00:01:51,210 --> 00:01:58,600
We're giving it the BSSID of the target network then we're giving it the channel of that network as well.

23
00:01:58,770 --> 00:02:02,330
And then we are giving it my wireless card in monitor mode.

24
00:02:02,520 --> 00:02:08,410
I'm going to hit enter. Now I've actually executed this command before.

25
00:02:08,410 --> 00:02:14,090
So it's asking me do I want to continue from where I left in the last time or do I want to restart my session.

26
00:02:14,200 --> 00:02:17,850
I'm going to say no because I want you to see what's going to happen.

27
00:02:18,100 --> 00:02:20,420
So we're assuming that we're starting from scratch.

28
00:02:23,610 --> 00:02:31,410
And as you can see it keeps saying failed to associate with my mac address and this message will keep

29
00:02:31,410 --> 00:02:33,440
continuing to show in here.

30
00:02:33,510 --> 00:02:38,460
So it will be, it will basically just be stuck in here and we're just not going to get any results at

31
00:02:38,460 --> 00:02:39,080
all.

32
00:02:40,300 --> 00:02:49,040
So I'm going to first Control-C out of this. Now to fix this issue we're going to manually associate

33
00:02:49,370 --> 00:02:51,020
with this access point.

34
00:02:51,290 --> 00:02:56,900
So I actually covered before in a full lecture how to run a fake authentication attack.

35
00:02:57,230 --> 00:03:00,770
This is exactly what they mean here by association.

36
00:03:00,770 --> 00:03:07,430
So what we're going to do, we're going to manually associate with the target using aireplay-ng and then

37
00:03:07,430 --> 00:03:12,410
we'll run reaver again and tell it not to associate because we're going to do that manually.

38
00:03:12,440 --> 00:03:18,860
So we'll just tell reaver to do the rest of the things that we usually do but don't associate this time because

39
00:03:18,950 --> 00:03:23,020
I'm going to do that manually so I'm going to split the screen

40
00:03:26,320 --> 00:03:30,620
and I'm going to run aireplay-ng here to associate with my target.

41
00:03:30,850 --> 00:03:38,370
So I'm going to do aireplay-ng, I'm going to do --fakeauth to associate with the target to

42
00:03:38,370 --> 00:03:42,820
do a fake authentication attack then I'm going to have to give the delay.

43
00:03:42,990 --> 00:03:48,450
And previously we used to give this as zero because we don't do this for a long period of time so we

44
00:03:48,450 --> 00:03:54,050
usually don't need to stay associated with the target for a long period of time.

45
00:03:54,250 --> 00:04:02,490
In this example we want to be associated with the target for as long as the time when reaver is working.

46
00:04:02,490 --> 00:04:04,810
So I'm going to set this to 100.

47
00:04:05,370 --> 00:04:13,080
And what this is going to do, it'll basically set a delay of 500 seconds between the association attempts

48
00:04:13,080 --> 00:04:20,560
between the time when aireplay-ng sends the fake authentication packets. Next

49
00:04:20,670 --> 00:04:25,220
I'm going to have to give the MAC address of the target access point.

50
00:04:25,290 --> 00:04:31,590
So we're going to do a -a and give the MAC address then I'm going to have to give the MAC address

51
00:04:32,010 --> 00:04:40,230
of my own wireless card and we'll do that using the -h option, and to get my mac address

52
00:04:40,500 --> 00:04:42,570
I'm going to have to split the screen again.

53
00:04:45,370 --> 00:04:47,670
And do ifconfig mon0.

54
00:04:47,920 --> 00:04:53,630
So we're doing ifconfig followed by the name of your wireless adapter in monitor mode.

55
00:04:54,280 --> 00:05:00,430
I'm going to hit enter and under the unspec this is your MAC address.

56
00:05:00,490 --> 00:05:05,030
So it's the first 12 digits of the unspec field.

57
00:05:05,170 --> 00:05:15,100
So in here to type it this is going to be 0 0 0 c a 8 2 8 2 9 8.

58
00:05:15,100 --> 00:05:21,560
Finally we'll type the name of my wireless adapter in monitor mode which is mon0.

59
00:05:21,740 --> 00:05:23,230
So I'm going to close this here.

60
00:05:26,120 --> 00:05:28,460
And I'm just going to go over the command one more time.

61
00:05:28,610 --> 00:05:35,480
So the whole idea of doing this command is so that I can manually associate with my target because as

62
00:05:35,480 --> 00:05:41,650
you can see here reaver is failing to associate, it can't associate with my target therefore it can't

63
00:05:41,660 --> 00:05:44,660
go and start brute forcing the pin.

64
00:05:44,720 --> 00:05:46,880
So we're going to do this manually here.

65
00:05:47,030 --> 00:05:53,240
We're doing it using aireplay-ng, we're telling aireplay-ng that I want you to do a fake authentication attack

66
00:05:53,240 --> 00:05:55,880
to associate with my target.

67
00:05:56,060 --> 00:06:00,980
I want you to use a delay of a hundred seconds between the association attempts.

68
00:06:00,980 --> 00:06:08,620
I want the MAC address of the target access point to be this one and my own MAC address is this one.

69
00:06:08,960 --> 00:06:12,420
And this is my wireless adapter in monitor mode.

70
00:06:14,220 --> 00:06:15,620
Now this is all good.

71
00:06:15,690 --> 00:06:21,030
Now we need to go back to reaver and whenever we're going to run reaver we're going to use the exact same

72
00:06:21,030 --> 00:06:23,130
command that we ran previously.

73
00:06:23,130 --> 00:06:27,220
The only thing is I'm going to do a -A.

74
00:06:27,780 --> 00:06:31,590
Now I didn't discover this myself, if you just do reaver --help

75
00:06:31,680 --> 00:06:36,200
you'll see all the options that you can use with reaver including the -A.

76
00:06:36,300 --> 00:06:43,220
And you'll see a description that you can use this to tell reaver not to associate with the target.

77
00:06:43,270 --> 00:06:45,660
So we're running reaver like that now.

78
00:06:47,570 --> 00:06:51,550
And this is asking me if I want to restart my session, I'm going to say no.

79
00:06:51,920 --> 00:06:58,220
And then as soon as I hit Enter I'm going to go down here and start the fake authentication process.

80
00:06:58,370 --> 00:07:03,510
So I'm going to hit enter here, go down here, hit enter and let's see what's going to happen.

81
00:07:09,200 --> 00:07:10,140
And perfect.

82
00:07:10,140 --> 00:07:13,420
Now we managed to bypass this issue.

83
00:07:13,440 --> 00:07:18,690
We managed to bypass the association issue because as you can see it seemed that it's associated and

84
00:07:18,690 --> 00:07:22,100
it looks like it's trying to get, trying to get it.

85
00:07:22,230 --> 00:07:24,450
But for some reason we're not moving ahead.

86
00:07:24,450 --> 00:07:28,170
We're still stuck at zero point zero zero percent.

87
00:07:28,860 --> 00:07:35,370
So for now we actually bypassed the association problem and in the next lecture I'll show you how to

88
00:07:35,370 --> 00:07:38,870
debug and tackle the other problem that we're facing.