[00:00:00] Welcome to the wireless penetration testing section of our course. Before we begin the hacking, we should cover a few things. One of the first things I want to cover is: what is a wireless penetration test? What should you be expected to do? Well, essentially it is the assessment of a wireless network. You probably guessed that, but we are looking at two different types of networks. Usually there's WPA2 pre-shared key, or what I like to call personal, and you could think of this as what you would have in your house. Pretty much everybody and anybody uses WPA2 pre-shared key, as of now, and it's just that password that you type in when you go to log into a network. Everybody should be pretty familiar with that. We also have what's called WPA2 Enterprise, that will use something called RADIUS or some sort of credentials to log into that network, and that is in more advanced environments. So you're going to see a lot of homes, mostly all homes, use this. You're also going to see a lot of small businesses use pre-shared key, and even some medium-tier sized businesses using pre-shared key. A lot of your large companies are on WPA2 Enterprise. For the scope of this course, we are only going to be focusing on WPA2 pre-shared key.

[00:01:20] If we move on to enterprise, the issue with enterprise is that enterprise is very difficult to set up. So if I was going to do an enterprise walkthrough, there's so many different attacks and there's, you know, things that we would need to set up that are complicated and possibly out of budget for some people, that I think it should be its own course. So what we're gonna do is we're gonna focus on the most common, which is WPA2 pre-shared key. I'm going to show you how to do that, and then my suggestion is to just look up WPA2 Enterprise attacks and get familiar with them. And honestly, for all wireless penetration testing, I learned it through a blog post. I mean, blog posts are the way to go. I do have an OSWP certification, which is a wireless certification, but that didn't even teach enterprise, and anything that I learned from that could've been learned in 10 minutes from a blog post. You're going to see how fast in the next video this attack really is, and it's really quick. So we're looking at these two types of networks here, and when we're on site, or we send a box, we're doing some activities where, if we're going up against the pre-shared key, we're going to evaluate the strength of that pre-shared key.

[00:02:28] What we're going to be doing, or what we're talking about, is we're gonna be capturing this handshake, and this handshake is going to allow us to take the file offline, or the handshake offline, and try to crack it. If your password is strong, chances are we're not going to crack it. If your password is weak, chances are we will crack it. So we're going to evaluate that strength. We're also going to look at nearby networks; we'll do what is called a walk-around. It's almost like, if you've heard of war driving, I call it war walking, because you just walk around the environment. You basically have a GPS device attached to you and you just get a feel for what's going on. But you can also evaluate what networks are around, especially if they're not in a big office building. If they're in their own standalone building, then you can really evaluate: okay, why are X, Y, Z wireless devices showing up, why are they broadcasting a network, and you can see if there's possibly rogue devices in the network. This is a good one to evaluate. Another thing is you want to assess the guest networks. If there is a guest network and it has no password, or even if it does have a password, you want to see, one, how hard that password is to crack, and two, you want to see if there is separation of networks when you're on the guest network.

[00:03:43] And I kind of put that under checking network access, because it falls on the main one as well: the main network should not have access to certain aspects of the entire network. You want to check that, but especially the guest network. When you log in, you should not have access to a lot of functionality inside the network. It's just for guests, right? So you shouldn't be able to access employee things, and you want to make sure that you check whether you can access certain IP addresses, certain servers, etc. That's very, very important. So we're looking at not only the strength of the wireless, but we're also looking at if there's any rogue devices and how well they're segmenting their networks, on the guest and overall.

[00:04:22] So from there, let's talk about what tools we're going to need to use for this. Specifically, I'm using a wireless card, and we're going to talk about that, a router, and a laptop. This router is not connected to the Internet. This laptop is connected to this wireless network that's broadcasting, and it is just not connected to the Internet either; it's just connected to this. You do not have to use either of these; you can use your home router. The only reason I'm showing you this is I don't want to have to change all my passwords and everything, and, you know, for demonstration purposes, plus I had a router just sitting around. That's really easy to set up. If you have an extra router sitting around, this is also very easy to set up. Otherwise, feel free to just attack your home router; it's not going to do anything malicious or mess with anything, I promise you.

[00:05:10] So let's go back to the wireless card. I'm using what's called an Alfa, and this Alfa is basically, what we do is, it is a beefy card that is used to inject packets and listen to packets. OK. So usually the wireless card that is built into your machine or your computer is not good enough to do this, and let me pull up an article for you. So my card looks just like this, and I will post this article in our reference guides. But this is what my card looks like. Now, unfortunately, I've had this card forever and it only does 2.4 GHz. I do recommend getting a card that does 2.4 and 5 GHz, because a lot of people are in 5 GHz now, so it's just advantageous. But what you want is one of these cards. It's got this nice little antenna here; you just plug it into your computer and then you're going to utilize this on top of whatever other wireless NIC that you might have in your machine already. So here's an example.

[00:06:15] And another thing that I really need to stress: please do not rely on what I'm telling you here for a wireless card. Mine has held true through and through, but you need to make sure that you go check a 2019, or it's soon to be 2020, check the article for the time frame you're watching this. Find an article out there, say, Kali Linux compatible USB wireless cards. OK. Because these do change from time to time. You just want to make sure you don't buy the wrong card, and not every single card out there is compatible. I like the Alfas and I like the Pandas. I think both of those are great. And you just have to look at the chipset and make sure whatever you're purchasing falls in line with this chipset. This article is great. It just kind of tells you about the different types of cards that are out there, which ones are the most popular. You see mine right here, the NH, and I mean, I think they're great, and it has links on how to buy them, and they're not affiliate links or anything, so I think this is great. These Pandas are good as well. You know, just again, get one that's 2.4 and 5 GHz, I think, is what's important nowadays.

[00:07:22] So go out there, do your own research on what you buy, but you will need to have a card like this to be able to perform this section. So that's one of the few limitations of this course. But you do need this card to be able to perform this; otherwise, just sit back, watch, take notes, and then once you get your card in the mail, have at it. Have fun.

[00:07:42] So lastly, let's talk about the hacking process and what you're about to see when we get into this. Now, we have to place the card into monitor mode. So we get our card, we plug it in, and we have to set it into monitor mode. From there, we need to discover some information about the network. We know the SSID we're going to be attacking; the client will give that to us, and we're going to find what channel that's running on and what the MAC address is. It's also known as the BSSID. We will talk about this in the next video. Anything specific, I'll cover in the next video. This is just a high-level, 10,000-foot overview of how we're doing this. So once we discover the information about the network, we capture a little bit of specifics. We're going to select that network using those specifics and we're going to capture data. While we're capturing that data, basically we're capturing anything; that's what we're listening in on when we're waiting for something to happen, right? We can also do a little bit of injection, and we can perform what's called a deauth attack. Now, this deauth attack is going to deauthenticate a user from the network so that they have to re-authenticate, and that's going to cause a handshake to happen. Now, this WPA handshake is what we're after. This deauth attack is actually optional, but it just speeds the process along significantly. We could sit there and capture network data until we capture a handshake, but this is really the way to go. So we perform this attack, we capture this handshake, and this handshake is where WPA2 pre-shared key is vulnerable. We can take this offline and we could try to crack it. It's just like a hash, just like anything and everything you've seen in this course so far. We just upload this, we try to crack it, and we go from there. So we attempt to crack the handshake, right? If the password is strong, we're going to have a hard time. If it's weak, we're gonna have an easy time. And I'll talk in the next video about strategies, what kind of passwords we'd like to target, etc.

[00:09:43] So from here, we're gonna go ahead and get hands-on. Make sure again you have everything that you need. So let's go back a couple slides. Make sure that you have this wireless card, and have a router and some sort of device connected to that router. If you're using your home router, then you should already have a device that you can do a deauth attack against, and you should be good to go. Otherwise, if you want to do a router and, you know, not attack your own network, you're going to need a router and some device connected to it so that you can do the attack. Otherwise, just focus on the Alfa card in the link that I provided, or you can go to Google and just search out for the best Kali Linux compatible adapters. So I will catch you over in the next video, and we actually get hands-on with this and hack a wireless network.