1
00:00:00,480 --> 00:00:07,920
Welcome to our first bonus section of the course. In this module, we will be covering how to crack a

2
00:00:07,920 --> 00:00:09,180
wireless password.

3
00:00:09,630 --> 00:00:14,630
Now, this process can be complex because it requires a lot of tools to complete.

4
00:00:14,820 --> 00:00:21,450
But besides tools, it also requires something that all of you might not have, and that is a wireless

5
00:00:21,450 --> 00:00:23,790
card that supports monitor mode.

6
00:00:24,510 --> 00:00:28,130
Now, this is pretty much the reason why this is a bonus section.

7
00:00:28,620 --> 00:00:31,470
You need this in order to complete this attack.

8
00:00:31,470 --> 00:00:34,650
And not many of our cards support monitor mode.

9
00:00:35,490 --> 00:00:42,540
And what monitor mode allows us to do is to sniff data from access points around us, which then we

10
00:00:42,540 --> 00:00:47,200
will use to sniff the hashed password once someone tries to connect to our Wi-Fi.

11
00:00:48,030 --> 00:00:53,700
Most of the wireless cards are being run in managed mode, and managed mode is something you would normally

12
00:00:53,700 --> 00:00:56,890
use when you want to use Wi-Fi and surf the Internet.

13
00:00:57,420 --> 00:01:01,440
However, some wireless cards have this monitor mode option.

14
00:01:01,710 --> 00:01:07,560
And I will show you in the next video how you can check whether your wireless card can be put into monitor

15
00:01:07,560 --> 00:01:10,000
mode and how to do that.

16
00:01:10,020 --> 00:01:13,910
Anyway, let's explain how the attack will work in greater detail.

17
00:01:14,160 --> 00:01:22,590
So let's say we have a wireless access point, and this wireless access point has two devices connected

18
00:01:22,680 --> 00:01:23,100
to it.

19
00:01:24,090 --> 00:01:26,460
We also have our Kali Linux machine.
20
00:01:26,610 --> 00:01:33,930
However, the Linux machine isn't connected to the wireless access point; it only has to be close to it to perform

21
00:01:33,930 --> 00:01:34,560
this attack.

22
00:01:35,500 --> 00:01:42,190
Once we get close to our wireless access point, we turn our wireless card into monitor mode.

23
00:01:43,100 --> 00:01:49,550
Once we have it in monitor mode, we will be able to see all of the Wi-Fis around us as well as

24
00:01:49,550 --> 00:01:56,830
our target Wi-Fi. Once we choose, out of all of those access points, which one we want to attack,

25
00:01:57,320 --> 00:02:01,100
we need to identify two things about that access point.

26
00:02:01,490 --> 00:02:07,760
Those two things are the channel on which it runs and its MAC address.

27
00:02:08,540 --> 00:02:12,920
Both of these we will be able to see with the tools that we will use.

28
00:02:12,920 --> 00:02:19,190
Now, channel is just a digit, and we already know what the MAC address is. Right, now that we got the information

29
00:02:19,190 --> 00:02:19,760
that we need,

30
00:02:19,970 --> 00:02:22,430
the next step is to capture the password.

31
00:02:22,940 --> 00:02:25,580
But how can we do that? For this,

32
00:02:25,700 --> 00:02:29,380
a device must try to connect to that wireless access point.

33
00:02:29,580 --> 00:02:31,020
Right, correct.

34
00:02:31,310 --> 00:02:37,940
And once it tries to connect, it will initiate four different steps, also known as a four-way handshake,

35
00:02:38,270 --> 00:02:40,550
between the device and the access point.

36
00:02:41,240 --> 00:02:47,930
In those four steps, it sends the password value to the access point, and that is what we want to

37
00:02:47,930 --> 00:02:48,320
sniff.

38
00:02:49,100 --> 00:02:54,330
However, it could be a long, long time until someone tries to connect to that Wi-Fi.

39
00:02:54,950 --> 00:02:59,220
So are we going to just sit there and wait for someone to connect?

40
00:02:59,810 --> 00:03:01,040
Well, of course not.
41
00:03:01,460 --> 00:03:08,390
We are going to perform a different type of attack to kick everyone off of the Wi-Fi, and that

42
00:03:08,390 --> 00:03:11,060
is called the deauthentication attack.

43
00:03:11,840 --> 00:03:18,350
Once we send the deauthentication packets, this will disconnect every device that was previously connected

44
00:03:18,500 --> 00:03:19,940
to that access point.

45
00:03:20,600 --> 00:03:24,020
The goal of this is what happens once we stop deauthenticating.

46
00:03:24,380 --> 00:03:32,120
Then those devices that got kicked off the Wi-Fi a few seconds ago will try to reconnect back to that access

47
00:03:32,120 --> 00:03:32,480
point.

48
00:03:32,780 --> 00:03:38,560
And all that time we will be sniffing for that four-way handshake with our password key.

49
00:03:39,080 --> 00:03:43,820
And as soon as they connect, we will get that password value that we want.

50
00:03:44,150 --> 00:03:48,080
At this point, we no longer need to be close to that Wi-Fi access point.

51
00:03:48,350 --> 00:03:52,360
We can go to the other side of the world in order to crack that password.

52
00:03:52,970 --> 00:03:58,780
Now, you might be asking how. Well, we wrote the hashed password inside of a file.

53
00:03:59,240 --> 00:04:03,770
Therefore, it is on our PC right after this.

54
00:04:04,160 --> 00:04:08,600
All we need is a little bit of luck that the password is easy and not complex.

55
00:04:08,600 --> 00:04:14,960
And then we use that hashed password that we sniffed and we throw it into different tools that can help

56
00:04:14,960 --> 00:04:16,370
us crack this password.

57
00:04:17,290 --> 00:04:25,810
The most known tools used for this are Aircrack and Hashcat. Aircrack uses CPU power, or processor power,

58
00:04:25,810 --> 00:04:33,040
to crack the password, while Hashcat can use both CPU or processor power and your graphics card power.

59
00:04:33,190 --> 00:04:36,770
And it can sometimes crack a lot faster than Aircrack.
60
00:04:37,270 --> 00:04:43,750
Now, the average speed of cracking passwords with these programs, depending on what CPU and GPU you

61
00:04:43,750 --> 00:04:48,090
have, would be around three hundred to one hundred thousand.

62
00:04:48,610 --> 00:04:55,030
And yes, of course, we're talking about three hundred to one hundred thousand passwords per second.

63
00:04:55,940 --> 00:05:03,530
So this is a completely different story than, for example, brute-forcing a web login page or SSH or

64
00:05:03,530 --> 00:05:04,280
something similar.

65
00:05:04,820 --> 00:05:07,310
This is a lot faster. Now,

66
00:05:07,310 --> 00:05:12,050
of course, since we are running a virtual machine, the speed will be significantly lower.

67
00:05:12,050 --> 00:05:17,090
But compared to previous brute force attacks that we did, it will still be really fast.

68
00:05:17,900 --> 00:05:22,610
If the password is not complex and we managed to crack it, then, you guessed it,

69
00:05:23,120 --> 00:05:25,910
we can connect to that wireless access point.

70
00:05:26,480 --> 00:05:32,560
And if we want, we can attack the devices inside that network with all the previous attacks that we

71
00:05:32,590 --> 00:05:32,960
learned.

72
00:05:33,560 --> 00:05:38,070
But that is completely up to you, what you do after you gain access to the Wi-Fi.

73
00:05:38,540 --> 00:05:45,200
So now that we know how all of this works, let's see the practical side of it and let's crack our

74
00:05:45,200 --> 00:05:46,400
wireless access point.

75
00:05:47,150 --> 00:05:48,110
See you in the next video.