1
00:00:01,100 --> 00:00:06,350
Now before leaving this section and moving to the gaining access section where I'm going to teach you

2
00:00:06,350 --> 00:00:11,200
how to break the different encryptions and gain access to networks,

3
00:00:11,330 --> 00:00:18,610
I want to spend one more lecture talking about a really useful attack that still falls under the pre-connection

4
00:00:18,620 --> 00:00:21,290
attacks under this section.

5
00:00:21,290 --> 00:00:26,650
The attack that I want to talk about is the deauthentication attack.

6
00:00:26,780 --> 00:00:33,350
This attack allows us to disconnect any device from any network without connecting to any of these

7
00:00:33,350 --> 00:00:34,090
networks.

8
00:00:34,160 --> 00:00:39,450
And we don't need to know the password for the network to do this.

9
00:00:39,470 --> 00:00:44,070
We're going to pretend to be the client we want to disconnect

10
00:00:44,110 --> 00:00:50,750
by changing our MAC address to the MAC address of that client and telling the router that I want to disconnect

11
00:00:50,750 --> 00:00:51,600
from you.

12
00:00:52,470 --> 00:00:58,140
Then we're going to pretend to be the router again by changing our MAC address to the router's

13
00:00:58,150 --> 00:01:03,350
MAC address and tell the client that you requested to be disconnected,

14
00:01:03,360 --> 00:01:05,990
so I'm going to disconnect you.

15
00:01:06,090 --> 00:01:13,590
This will allow us to successfully disconnect or deauthenticate any client from any network.

16
00:01:14,750 --> 00:01:17,380
Now we're actually not going to do this manually.

17
00:01:17,450 --> 00:01:21,460
We're going to use a tool called aireplay-ng to do that.

18
00:01:22,690 --> 00:01:29,140
From the previous lecture we know that this MAC address right here belongs to an Apple computer.

19
00:01:29,140 --> 00:01:34,780
And like I said this Apple computer is actually my computer right here.

20
00:01:35,380 --> 00:01:41,860
As you can see this host machine is connected to this network right here which is the same as the one

21
00:01:41,860 --> 00:01:43,510
that you see here.

22
00:01:43,670 --> 00:01:45,940
And it actually has Internet access.

23
00:01:46,030 --> 00:01:51,920
So if I just look for a test you'll see that I'm connected and I can look for things, I can use Google.

24
00:01:52,000 --> 00:01:55,560
So I have a proper working Internet connection.

25
00:01:55,750 --> 00:02:02,530
Now we're going to come back here and we're going to use a tool called aireplay-ng to launch the

26
00:02:02,530 --> 00:02:04,170
deauthentication attack

27
00:02:04,180 --> 00:02:08,520
and disconnect this Mac computer from the Internet.

28
00:02:09,040 --> 00:02:13,310
So we're going to type the name of the program which is aireplay-ng.

29
00:02:13,810 --> 00:02:18,530
We're going to tell it that I want to run a deauthentication attack.

30
00:02:19,470 --> 00:02:25,700
Then I'm going to give it the number of deauthentication packets that I want to send.

31
00:02:25,860 --> 00:02:33,060
So I'm going to give it a really large number so that it keeps sending packets to both the router and

32
00:02:33,060 --> 00:02:40,180
the target device, therefore I'll disconnect my target device for a very long period of time.

33
00:02:40,290 --> 00:02:46,750
And the only way to get it back to connect is to Ctrl+C and quit aireplay-ng.

34
00:02:47,800 --> 00:02:53,770
Next I'm going to give aireplay-ng the MAC address of my target network.

35
00:02:53,980 --> 00:03:00,400
So I'm going to do a -a and give it the MAC address which I'm going to copy from here.

36
00:03:02,390 --> 00:03:10,540
Then I'm going to use -c to give it the MAC address of the client that I want to disconnect and

37
00:03:10,540 --> 00:03:15,640
the client that I want to disconnect is this client right here which is the Apple computer.

38
00:03:15,640 --> 00:03:16,750
Like we said.

39
00:03:16,920 --> 00:03:20,620
So I'm going to copy and paste it here.

40
00:03:22,020 --> 00:03:29,310
And finally I'm going to give it the name of my wireless adapter in monitor mode and in my case it's

41
00:03:29,310 --> 00:03:31,170
called mon0.

42
00:03:31,770 --> 00:03:35,890
So a very very simple command, we're typing aireplay-ng.

43
00:03:35,910 --> 00:03:38,970
This is the name of the program that we're going to use.

44
00:03:38,970 --> 00:03:45,040
We're doing --deauth to tell aireplay-ng that I want to run a deauthentication attack.

45
00:03:45,330 --> 00:03:52,380
I'm giving it a really large number of packets so that it keeps sending the deauthentication packets

46
00:03:52,410 --> 00:03:57,000
to both the router and the client and keep the client disconnected.

47
00:03:57,010 --> 00:03:58,570
I'm using -a

48
00:03:58,650 --> 00:04:04,330
to specify the MAC address of the target router, the target access point.

49
00:04:04,470 --> 00:04:10,230
Then I'm using -c to specify the MAC address of the client.

50
00:04:10,230 --> 00:04:16,420
Finally I'm giving it mon0 which is the name of my wireless adapter in monitor mode.

51
00:04:17,470 --> 00:04:19,480
Now you can run the command like this.

52
00:04:19,480 --> 00:04:21,880
And in most cases it would work.

53
00:04:22,120 --> 00:04:29,460
But in very rare cases this command will fail unless airodump-ng is running against the target

54
00:04:29,470 --> 00:04:31,140
network.

55
00:04:31,150 --> 00:04:36,910
So what I'm going to do now is I'm going to go back to my first terminal in here and I'm going to run

56
00:04:36,940 --> 00:04:42,160
airodump-ng using the same command that we've seen before and I don't want to write anything to a

57
00:04:42,160 --> 00:04:45,760
file so I'm going to remove the --write argument.

58
00:04:47,350 --> 00:04:49,440
So just do one normal airodump-ng

59
00:04:49,500 --> 00:04:50,570
command.

60
00:04:50,570 --> 00:04:56,800
I'm literally just giving it the BSSID of my target network and I'm giving it the target channel

61
00:04:57,490 --> 00:04:59,340
and then I'm just going to hit enter.

62
00:04:59,350 --> 00:05:00,400
We've seen how to do this.

63
00:05:00,400 --> 00:05:01,980
We spent a full lecture on it.

64
00:05:02,080 --> 00:05:07,240
That's why I did it quickly, and then I'm going to go back to the command that we wrote so

65
00:05:07,240 --> 00:05:14,650
far and I'm going to hit enter. Now as you can see aireplay-ng is telling me that it's sending the deauthentication

66
00:05:14,650 --> 00:05:15,730
packets.

67
00:05:15,850 --> 00:05:19,230
And if we go back here and look up,

68
00:05:20,230 --> 00:05:25,470
you can see that I actually lost my connection and I'm trying to connect back.

69
00:05:26,630 --> 00:05:29,180
So obviously if I try to look for anything,

70
00:05:29,180 --> 00:05:32,820
so let's say test 2, you'll see

71
00:05:32,870 --> 00:05:36,360
I'll get stuck and nothing will load for me.

72
00:05:37,460 --> 00:05:41,830
So the only way for me to connect back is if I go back here,

73
00:05:41,990 --> 00:05:46,940
if I quit this by doing Ctrl+C, quit this again.

74
00:05:46,940 --> 00:05:52,050
And now my machine should be able to connect back and restore its connection.

75
00:05:53,070 --> 00:05:56,270
This is actually very very handy in so many ways.

76
00:05:56,310 --> 00:06:02,100
It's very useful in social engineering cases where you could disconnect clients from the target

77
00:06:02,110 --> 00:06:09,480
network and then call the user and pretend to be a person from the IT department and ask them to install

78
00:06:09,480 --> 00:06:13,920
a virus or a backdoor, telling them that this would fix their issue.

79
00:06:13,950 --> 00:06:19,800
You could also create another fake access point and get them to connect to the fake access point

80
00:06:20,040 --> 00:06:23,370
and then start spying on them from that access point.

81
00:06:23,430 --> 00:06:26,200
And we'll see how to do that later on in the course.

82
00:06:26,350 --> 00:06:31,490
And you could also use this to capture the handshake which is what happened in here actually.

83
00:06:31,710 --> 00:06:35,690
And this is vital when it comes to WPA cracking.

84
00:06:35,790 --> 00:06:40,190
And we'll talk about this when we get to the WPA cracking section.

85
00:06:41,420 --> 00:06:48,650
So like I said this is a small attack that can be used as a plug-in to other attacks or to make other

86
00:06:48,650 --> 00:06:50,050
attacks possible.