1 00:00:01,090 --> 00:00:08,260 OK, now that we know what WPS is and how it can be used to recover the password for WPA
2 00:00:08,350 --> 00:00:10,370 and WPA2 networks,
3 00:00:10,540 --> 00:00:16,660 let's see how to do that in practice. So right here I have my Kali machine.
4 00:00:16,820 --> 00:00:21,720 I have already enabled monitor mode on my wireless adapter, wlan0.
5 00:00:21,720 --> 00:00:29,640 Now usually we use airodump-ng to see all the networks around us, but right now we want to see the networks
6 00:00:29,730 --> 00:00:37,970 that have WPS enabled, because like I said it's just a feature and people can turn this feature off.
7 00:00:38,040 --> 00:00:46,150 So first of all I'm going to use a tool called wash to display all the networks around me that have
8 00:00:46,210 --> 00:00:47,830 WPS enabled.
9 00:00:48,340 --> 00:00:55,940 So we're gonna do wash --interface and give it my interface in monitor mode, which is
10 00:00:55,940 --> 00:00:56,610 mon0.
11 00:00:57,220 --> 00:01:03,760 So all we're doing is: wash is the name of the tool, --interface to give it the interface, and mon0
12 00:01:03,820 --> 00:01:06,790 is my wireless adapter in monitor mode.
13 00:01:06,790 --> 00:01:12,100 If I hit enter now, you'll see it'll list my network straight away.
14 00:01:12,100 --> 00:01:17,200 Now I press Ctrl+C to cancel this, similar to airodump-ng, because it'll keep running unless
15 00:01:17,200 --> 00:01:21,010 you cancel it, and you can see this is my target network.
16 00:01:21,010 --> 00:01:22,600 It's called Test AP.
17 00:01:22,690 --> 00:01:29,550 It's given us the vendor of the hardware used in this network, in this access point, in this case.
18 00:01:29,560 --> 00:01:32,950 It tells us whether WPS is locked or not,
19 00:01:32,950 --> 00:01:37,790 because sometimes WPS locks after a number of failed attempts.
20 00:01:37,840 --> 00:01:42,960 So right now this is No, which means that we can actually go ahead and try to guess the PIN.
21 00:01:43,150 --> 00:01:47,280 It's given us the version of WPS; it's using version 1.
22 00:01:47,350 --> 00:01:52,970 The signal strength is in here, the channel and the ESSID.
23 00:01:52,990 --> 00:01:57,000 Now I explained the meaning of all of these things before in the
24 00:01:57,040 --> 00:01:58,140 airodump-ng lecture.
25 00:01:58,240 --> 00:02:03,340 So I'm not going to talk about them now. If you forgot the meaning of any of these terms, please go back
26 00:02:03,340 --> 00:02:09,280 to the airodump-ng lecture. Now this network actually uses WPA2.
27 00:02:09,290 --> 00:02:16,950 So just to confirm this to you, if I go here to my host machine and just try to connect to it, you'll
28 00:02:16,950 --> 00:02:23,970 see that it's telling me that this uses a WPA2 password. But like I said, we don't care if it's WPA
29 00:02:24,060 --> 00:02:32,860 or WPA2, because we're going to be exploiting a feature in these encryptions, which is the WPS feature.
30 00:02:32,880 --> 00:02:39,240 So now that we know our target network uses WPS, there is a good chance that this attack will work
31 00:02:39,240 --> 00:02:40,200 against it.
32 00:02:40,200 --> 00:02:47,370 The only reason it might fail is if the target uses PBC, or push button authentication.
33 00:02:47,370 --> 00:02:53,940 Like I said, if the target uses PBC then it will refuse all the PINs unless the button is pressed on
34 00:02:53,940 --> 00:02:54,670 the router,
35 00:02:54,750 --> 00:02:57,170 and therefore this attack will fail.
36 00:02:57,270 --> 00:03:02,370 The only way to know is to literally try this attack and see if it works.
37 00:03:02,570 --> 00:03:09,370 So I'm going to copy the MAC address of this network, or the BSSID, and the first thing that I'm
38 00:03:09,380 --> 00:03:12,480 going to do, similar to what we did with WEP,
39 00:03:12,560 --> 00:03:17,850 I'm going to associate with the target network using a fake authentication attack.
40 00:03:17,900 --> 00:03:20,930 So basically I'll be saying: I want to communicate with you.
41 00:03:20,990 --> 00:03:22,280 Please don't ignore me.
42 00:03:22,400 --> 00:03:28,550 So that when I run the attack, the network will start accepting the PINs and not ignore me.
43 00:03:28,550 --> 00:03:33,680 So to associate we're going to use the exact same command that we used when we did it with
44 00:03:33,850 --> 00:03:34,270 WEP.
45 00:03:34,610 --> 00:03:37,480 So we're going to use aireplay-ng.
46 00:03:37,520 --> 00:03:38,260 We're going to tell it:
47 00:03:38,270 --> 00:03:41,690 I want to run a fake authentication attack.
48 00:03:41,810 --> 00:03:43,550 We're going to give it a delay.
49 00:03:43,550 --> 00:03:50,270 So this is the time to wait between association attempts. Previously we set it to zero and we had to do
50 00:03:50,270 --> 00:03:52,400 this manually every now and then.
51 00:03:52,400 --> 00:04:00,800 Right now I'm going to set it to 30 so that we associate with the target network every 30 seconds. Then
52 00:04:00,950 --> 00:04:07,310 I'm going to do -a to give it the MAC address of my target, and -h to give it the MAC address
53 00:04:07,370 --> 00:04:16,090 of my wireless adapter in monitor mode. And we said that we can get this by doing ifconfig and copying it
54 00:04:16,090 --> 00:04:25,090 from here. We said it's the first 12 digits, and I'll just replace the minuses with colons.
55 00:04:25,650 --> 00:04:32,750 And finally I'm going to give it the name of my wireless adapter in monitor mode, which is mon0. So
56 00:04:32,750 --> 00:04:35,210 I explained this in detail before.
57 00:04:35,210 --> 00:04:36,740 That's why I did it quickly.
58 00:04:36,770 --> 00:04:38,630 If you don't remember how I did this,
59 00:04:38,690 --> 00:04:45,220 please go back to the fake authentication attack lecture. So the command is ready now, but I'm not going
60 00:04:45,220 --> 00:04:46,520 to execute it.
61 00:04:46,600 --> 00:04:52,300 I'm gonna go down to the bottom terminal and run reaver, which is the program that will brute force the
62 00:04:52,300 --> 00:05:00,880 PIN for me, and only then I will associate with the target, because otherwise aireplay-ng will fail
63 00:05:00,880 --> 00:05:02,800 to associate with my network.
64 00:05:04,230 --> 00:05:07,020 So I'm going to move to this terminal right here.
65 00:05:07,110 --> 00:05:13,870 I'm going to clear the screen, and we're going to run reaver, which is the program that's going to brute
66 00:05:13,870 --> 00:05:15,030 force the PIN.
67 00:05:15,040 --> 00:05:19,210 So it's going to try every possible PIN until I get the right PIN.
68 00:05:19,270 --> 00:05:25,030 Once it has the right PIN, it will use it to compute the actual WPA key.
69 00:05:25,690 --> 00:05:30,910 So using reaver is very, very simple; it's very similar to everything we've been doing so far.
70 00:05:31,240 --> 00:05:38,370 So first of all we have to type the program name, which is reaver. Then I'm going to do --bssid
71 00:05:38,370 --> 00:05:41,630 to give it the MAC address of my target network.
72 00:05:41,670 --> 00:05:49,270 So I'm just gonna paste it. Then I'm going to do --channel and give it the channel of the target
73 00:05:49,270 --> 00:05:57,670 network, which is 1. Then we're gonna do --interface and give it my wireless adapter in monitor
74 00:05:57,670 --> 00:06:02,790 mode, which is mon0. So, very, very simple command.
75 00:06:02,800 --> 00:06:03,730 We're using reaver.
76 00:06:03,730 --> 00:06:08,570 This is the name of the program that will do the brute forcing for us and give us the key.
77 00:06:08,650 --> 00:06:12,240 We're giving it the BSSID, the MAC address of my target.
78 00:06:12,280 --> 00:06:15,140 We're doing --channel to give it the channel
79 00:06:15,160 --> 00:06:21,970 that my target is running on, and we're doing --interface to give it the name of my wireless
80 00:06:21,970 --> 00:06:24,910 adapter in monitor mode.
81 00:06:24,910 --> 00:06:27,150 I'm also going to add two more options.
82 00:06:27,160 --> 00:06:32,970 I'm going to add -vvv to show us as much information as possible.
83 00:06:32,980 --> 00:06:34,170 This is really helpful.
84 00:06:34,180 --> 00:06:40,760 If it fails or things go wrong, we'll be able to know what's happening and why things are going wrong.
85 00:06:40,960 --> 00:06:50,400 And I'm also going to do --no-associate to tell reaver not to associate with the target network,
86 00:06:50,640 --> 00:06:54,360 because we're already manually doing that in here.
87 00:06:54,360 --> 00:06:57,710 So reaver can automatically do this step right here for you,
88 00:06:57,840 --> 00:07:00,190 but I've seen that it fails a lot.
89 00:07:00,330 --> 00:07:08,250 Therefore it's actually better to do it ourselves manually here and then tell reaver not to associate.
90 00:07:08,310 --> 00:07:14,580 So now I'm going to hit enter to get reaver to work, and I'm going to go up to the top terminal and
91 00:07:14,580 --> 00:07:19,920 I'm going to hit enter to associate with the target network, telling it: please don't ignore us.
92 00:07:20,100 --> 00:07:27,480 So that reaver at the bottom here can brute force the PIN and try every possible PIN until we get the
93 00:07:27,480 --> 00:07:31,210 correct PIN, which we'll use to get the password.
94 00:07:31,290 --> 00:07:37,410 Now as you can see, right now I'm getting an error, and this is actually a bug with the latest versions
95 00:07:37,410 --> 00:07:38,850 of reaver.
96 00:07:38,850 --> 00:07:45,390 So if you get this bug, this means they still haven't fixed it in the latest version, so it's better to
97 00:07:45,390 --> 00:07:48,660 go back and use an older version.
98 00:07:48,660 --> 00:07:54,270 I'm going to include an older version that works perfectly in the resources of this lecture, so you can
99 00:07:54,270 --> 00:08:00,090 access it from the top left of the lecture. If you tried reaver and got this error right here, then
100 00:08:00,090 --> 00:08:03,310 go ahead and download this older version right now.
101 00:08:03,330 --> 00:08:08,490 I already have it in my Downloads right here, so you can see I'm in home, Downloads, and I have it right
102 00:08:08,490 --> 00:08:10,680 here, called reaver.
103 00:08:10,680 --> 00:08:16,820 So what I'm gonna do is I'm going to clear this again, and I'm going to navigate to my Downloads, so cd
104 00:08:16,880 --> 00:08:18,050 Downloads.
105 00:08:18,510 --> 00:08:22,890 I'm going to list, and you can see we have it right here now.
106 00:08:22,900 --> 00:08:30,060 It's already in green for me, but for you, you'd want to change the permissions of this file to an executable.
107 00:08:30,160 --> 00:08:31,090 So you'll have to do
108 00:08:31,120 --> 00:08:36,010 chmod +x reaver.
109 00:08:36,130 --> 00:08:40,220 This will make it an executable. Once it is an executable,
110 00:08:40,300 --> 00:08:44,620 you can run it by doing ./ followed by its name.
111 00:08:44,680 --> 00:08:49,540 So ./reaver. Then you can do the exact same command,
112 00:08:49,550 --> 00:08:50,420 exactly
113 00:08:50,480 --> 00:08:54,640 like I just did it with the one that comes pre-installed in Kali.
114 00:08:54,980 --> 00:09:01,440 So I'm actually just gonna go back to what I had, and I'm just gonna go to the start of the command and
115 00:09:01,440 --> 00:09:04,050 put ./ in front of it.
116 00:09:04,320 --> 00:09:09,840 So when we put the ./ we're basically running the file that is in the current working
117 00:09:09,840 --> 00:09:10,450 directory.
118 00:09:10,470 --> 00:09:11,520 We're running this.
119 00:09:11,520 --> 00:09:16,940 We're not running the normal reaver file that is pre-installed in Kali.
120 00:09:17,190 --> 00:09:22,290 Then we're using all of the options exactly the same way that we were using them with the built-in one.
121 00:09:22,860 --> 00:09:28,230 I'm gonna hit enter, and as you can see, right now reaver is trying the PIN
122 00:09:28,230 --> 00:09:33,060 1234567..., and perfect.
123 00:09:33,540 --> 00:09:37,490 You can see the PIN was actually 12345670.
124 00:09:37,500 --> 00:09:38,880 So it's a simple PIN.
125 00:09:39,090 --> 00:09:40,740 It actually came with this PIN.
126 00:09:40,770 --> 00:09:47,850 So I didn't manually set this PIN; my router came from the factory with WPS enabled with this PIN.
127 00:09:47,880 --> 00:09:54,660 So like I said, this still works, but again not against all the routers. From that it was able to discover
128 00:09:54,690 --> 00:10:02,550 the WPA key, which is U A U R W S X R, and the name of the router is Test AP, so I can literally
129 00:10:02,550 --> 00:10:08,700 go ahead and connect with this password, and I'll be able to connect to the network and see and decrypt
130 00:10:08,940 --> 00:10:11,130 all of the packets sent in the air.