1
00:00:01,330 --> 00:00:07,930
Okay, now in the last video, when the user logged into our network and put the username and password,

2
00:00:08,590 --> 00:00:15,310
we only captured the username. We didn't get the password, but instead we got something called the challenge

3
00:00:15,880 --> 00:00:19,060
and we also got a response.

4
00:00:19,060 --> 00:00:24,820
Now the reason for this is because, like I said, the network that we created, the fake network that we

5
00:00:24,820 --> 00:00:30,610
created, uses a proper WPA Enterprise authentication.

6
00:00:30,610 --> 00:00:36,490
Therefore, when a user tries to connect to that network and authenticate, they'll use what's known as

7
00:00:36,640 --> 00:00:39,520
a challenge response authentication.

8
00:00:39,520 --> 00:00:44,890
So in order to understand what we mean by a challenge and a response here, let's have a look on this

9
00:00:44,890 --> 00:00:52,230
very simple diagram that I made. I'm trying to keep this as simple as possible so that we don't get carried

10
00:00:52,230 --> 00:00:59,520
away talking about algorithms, encryption and all of that, because that on its own needs a full course.

11
00:00:59,520 --> 00:01:05,670
So basically, what happens when a client tries to connect to a network that uses WPA Enterprise?

12
00:01:05,670 --> 00:01:09,350
We said this is managed through a RADIUS server.

13
00:01:09,840 --> 00:01:16,290
So what happens is the client sends a request saying "I want to connect", the server says "OK, no problem,

14
00:01:16,530 --> 00:01:18,040
solve this challenge for me."

15
00:01:18,180 --> 00:01:21,350
So it gives the client a challenge to solve.

16
00:01:21,480 --> 00:01:23,490
And this is what you see in here.

17
00:01:23,730 --> 00:01:29,410
So we can see this is the challenge that the server that we are running, because in this case we have

18
00:01:29,470 --> 00:01:30,870
a fake access point.

19
00:01:30,930 --> 00:01:35,520
So that's the challenge that the server sent to the client to solve.

20
00:01:36,430 --> 00:01:40,630
The client goes ahead and solves the challenge. It solves,

21
00:01:40,630 --> 00:01:46,790
it solves it by encrypting the challenge using the password that you put.

22
00:01:46,810 --> 00:01:52,130
So basically the password that you put in the login box will never be sent to the server.

23
00:01:52,330 --> 00:02:00,220
What happens is that password is used in a certain manner so that it converts this challenge, encrypts

24
00:02:00,230 --> 00:02:08,110
it and converts it into a response that the RADIUS server will be able to understand and verify if the

25
00:02:08,110 --> 00:02:09,860
password was correct.

26
00:02:10,330 --> 00:02:14,450
So you say "I want to connect", server says "No problem,

27
00:02:14,460 --> 00:02:20,530
solve the challenge for me." Challenge is solved based on the password that you enter and it's sent to the

28
00:02:20,530 --> 00:02:23,090
RADIUS server.

29
00:02:23,310 --> 00:02:28,270
Now when we look at this, we can see the challenge and the response sent.

30
00:02:28,370 --> 00:02:34,220
Now this challenge is encrypted using NetNTLM version 1.

31
00:02:34,220 --> 00:02:41,780
Now this is strong encryption, and for us, we can't actually just decrypt it based on the response on its

32
00:02:41,790 --> 00:02:42,150
own.

33
00:02:42,290 --> 00:02:48,200
So we actually need to use the response and the challenge, and we'll also need to run a dictionary attack.

34
00:02:49,480 --> 00:02:55,320
The way this dictionary attack is going to work is it's going to go over a list of a lot of words.

35
00:02:55,510 --> 00:03:02,050
It's going to take each one of these words, it's going to try to create a response based on these words

36
00:03:02,500 --> 00:03:09,070
and compare it to this response. If the response generated using the word in the word list is correct,

37
00:03:09,490 --> 00:03:13,940
then the word used to generate that response is the password.

38
00:03:13,990 --> 00:03:16,920
Otherwise it will try the next word.

39
00:03:17,530 --> 00:03:22,420
So again, the way this attack is going to work is it's going to go through a list of a lot of

40
00:03:22,420 --> 00:03:25,030
passwords that we're going to give to the program.

41
00:03:25,120 --> 00:03:27,380
It's going to take each one of these passwords.

42
00:03:27,730 --> 00:03:35,620
It's going to apply the formula and try to solve the challenge to generate a response. The response generated

43
00:03:35,710 --> 00:03:42,460
is going to be compared to this response right here. If the response is valid, then the password used

44
00:03:42,460 --> 00:03:45,040
to generate it is the valid password.

45
00:03:45,040 --> 00:03:48,730
Otherwise it's going to try the next password.

46
00:03:48,730 --> 00:03:55,420
Now there are a number of tools that can run a dictionary attack against NetNTLM hashes. The one that

47
00:03:55,420 --> 00:03:59,960
I want to use is called asleap.

48
00:04:00,010 --> 00:04:05,830
Now you can use hashcat and John for that, but this tool is just simpler and that's why I'm going to

49
00:04:05,830 --> 00:04:09,100
go for it. Now, before using this tool,

50
00:04:09,100 --> 00:04:11,400
let's have a look on its help menu.

51
00:04:11,410 --> 00:04:14,790
So we're going to do asleap help

52
00:04:17,680 --> 00:04:23,710
so you can see the options here are very simple, and you can see the usage is you're literally just typing

53
00:04:23,710 --> 00:04:26,670
in the tool name followed by the options.

54
00:04:26,680 --> 00:04:32,070
So first of all, let's type in the name of the tool, which is asleap.

55
00:04:32,260 --> 00:04:37,790
Then we want to use the -C option to give the challenge.

56
00:04:38,080 --> 00:04:39,830
So we have the challenge in here.

57
00:04:41,010 --> 00:04:44,670
I'm going to copy it and I'm going to do

58
00:04:44,680 --> 00:04:55,300
-C and put the challenge. Next option that I want to use is the response, which is -R in here.

59
00:04:55,310 --> 00:05:02,910
So again, I'm going to do a dash capital R and then I'm going to put the response that we got, which is

60
00:05:02,910 --> 00:05:04,490
this one in here.

61
00:05:04,950 --> 00:05:09,710
So I'm just going to copy it and paste it.

62
00:05:10,000 --> 00:05:16,360
Finally, we want to specify a dictionary to use to crack this hash, and to do that we're going to do

63
00:05:16,360 --> 00:05:21,380
-W, and I've already created a dictionary using crunch.

64
00:05:21,380 --> 00:05:26,310
So you can create your own dictionary or download a dictionary online.

65
00:05:26,420 --> 00:05:34,420
The dictionary that I have is stored in root and it's called wordlist, and that's it.

66
00:05:34,420 --> 00:05:37,810
So the command is going to be asleap.

67
00:05:37,930 --> 00:05:44,330
We're doing -C to give the challenge, followed by -R to give the response.

68
00:05:44,500 --> 00:05:46,990
And finally we're giving the wordlist.

69
00:05:47,500 --> 00:05:51,180
So again, what this tool is going to do is it's going to open this wordlist.

70
00:05:51,340 --> 00:05:59,470
It's going to go on it word by word, generate a response based on this challenge and compare the response

71
00:05:59,680 --> 00:06:05,800
with this response right here. If the response generated from the word in the word list is valid, then

72
00:06:05,800 --> 00:06:07,730
that word is the password.

73
00:06:07,750 --> 00:06:11,380
Otherwise it's going to try the next word.

74
00:06:11,580 --> 00:06:17,960
So I'm going to hit enter and let this run until it gets me the password.

75
00:06:18,030 --> 00:06:23,040
And as you can see, this was quite fast and it got me the password right here.

76
00:06:23,370 --> 00:06:29,140
The password is 1 2 3 4 A B C D, and that's actually the password that I used.

77
00:06:29,460 --> 00:06:36,640
So right now we have the user name, which is zayd, and the password, which is 1 2 3 4 A B C D.