00:00:00,900 --> 00:01:10,290
narrator: Welcome back. So, we saw how we can put our wireless card in monitor mode, but right now let's get to the real attack. So, the steps go like this: we want to put our card in monitor mode, we then want to sniff all of the information around us, then, out of all of the wireless access points, we must pick the one that we want to attack. And, in this video I will be attacking my own wireless access point, because attacking anyone else's would be illegal. So, we'll be attacking my access point. You can attack yours if you're still following this section. And, once we choose our target, we need to check out the channel on which the target is running, and the MAC address which the target access point has. Then we must run our sniffing program, and simultaneously, while running that sniffing program, we must run our deauthentication attack. Then, we can deauthenticate the devices on that access point for a few seconds. And, once we stop deauthenticating, we should be able to sniff the four-way handshake with the hashed value of the password.
00:01:10,290 --> 00:02:22,830
Then we can move on to the Kali Linux machine, and there we're going to try to crack that password. Okay, there are a lot of steps in front of us, so let's get straight into it. So, what I'm going to do is I'm going to put my wireless card in monitor mode, as I did in the previous video; nothing really to explain too much here. And, the next command that I want to run right after it is airmon-ng check wlo1, which is my wireless interface. Now, this program is something that you have inside of your Kali Linux machine, so you shouldn't have a problem running this. The wireless interface is something that you want to change to the name of your wireless interface, and once you set the entire command, you can click enter. It will tell you that it found five processes that could cause some trouble. Now, this means that if we run into any problems during our process of gathering the four-way handshake with the password, it could be due to these processes still running. So, we're just not going to risk that, and we're going to kill all of those processes straight away.
00:02:22,830 --> 00:03:36,120
How can we do that? Well, we can type airmon-ng, and then check, and then kill. Once you type this, press enter; it will also tell you that it found five processes, but down here it'll also tell you that it is killing all those processes. So, now we shouldn't have any problem running our other tools. Once you do that, what you want to check is whether your wireless card is still in monitor mode, and since it sometimes turns back to managed mode, you must put it once again into monitor mode after performing the airmon-ng command. (keys clacking) After you put it back to monitor mode, the next command that we want to run is airodump-ng, and then the interface that is currently in monitor mode. Since wlo1 is inside of monitor mode for me, I will press enter right here, and this will start sniffing all of the information around me. Let me enlarge this terminal, and we are going to be able to see all of the wireless access points that are around me.
00:03:36,120 --> 00:04:40,320
These are the names of the wireless access points, under the column ESSID. The authentication, the cipher and the encryption are the type of protection that the wireless access point has. So you can see most of them will have WPA2, which is currently the highest protection they can possibly get. CH right here is something that we want to remember, because the CH column is actually the channel, and you remember, the channel is one of the two things that we need in order to perform this attack. The data can tell us if the access point is currently active, or if it has some devices connected to it that are browsing the internet, while the beacons would usually tell us the same thing. However, the PWR right here can tell us how far away the access point is. So, the lower the number, the closer the access point is to you. And sometimes, if you choose an access point that is far, far away, this attack might not work. You have to be really close to the target in order for this to work. However, you do not have to be connected to the target.
00:04:40,320 --> 00:05:48,570
As you can see right now, I have no access to the internet, I am not connected to any access point, and I will be targeting this access point right here called Takmicar. This is my wireless access point; therefore, I will be targeting that one. Now, remember that we need to remember two things. So, the channel for my access point is two. And by the way, once you choose your target, feel free to Ctrl+C this, because sometimes this screen tends to move and you cannot really copy and paste the different things that you need. So, I have chosen this target right here, and I need to remember the channel, which is two, and the MAC address. Now, the channel is easy to remember, so therefore, I'm just going to copy the MAC address right here. And then, we need to start the sniffing process again; however, we're going to write the information inside of a file. For this, we're only going to sniff one access point's information, and to do that we must specify the channel and the MAC address. So we start the command the same, with airodump-ng.
00:05:48,570 --> 00:06:53,730
Then we use the -c option for the channel, and we specify the channel number. In my case, that is two. And, airodump is also a program that you have pre-installed in Kali Linux. So, all of these programs that we use, you will already have in your Kali Linux machine. If you don't, or if you're using some other machine to perform this, I will link in the resources how you can download all of these tools. It is pretty simple, so you shouldn't have any problem downloading them. Nonetheless, let's get back to our command. So we got airodump-ng, then -c for the channel, we specify channel number two; for you it might be a different channel. And, after that we use --bssid. And, what BSSID is, is simply the MAC address, since we can see that the column where MAC addresses are is called BSSID. So, after this we must paste the MAC address of our target wireless access point. And, the last parameter to this command is going to be the -w option.
00:06:53,730 --> 00:07:58,440
And, this -w option simply stands for the file name that we're going to write all of this in. So, let's call this the wireless access point name, in capitals, underscore test. This is going to be our file name. And, by the way, also once running this command, remember in which destination you are running the command, because that is where it's going to save your files. I'm saving this as Takmicar_test. And, the last thing that we must specify is the wireless interface, which is currently in monitor mode. For me that is wlo1. You specify your wireless interface in monitor mode, and, once you craft this entire command, you can press enter. And, you will notice right here it will only sniff for this specific wireless access point. We can see the name right here, under the ESSID, and we can see its MAC address. What we can also see are the devices that are currently connected to this access point. And, at the moment it only has two of them.
00:07:58,440 --> 00:09:10,407
Now what I'm going to do is I'm going to connect to the wireless access point over my mobile phone, and you can see that we already managed to capture the WPA handshake, which is all that we need in order to be able to crack the password. However, we're going to try to do that again, just by performing the deauthentication attack, because we can't really wait for someone to randomly connect to our access point. We must disconnect everyone from that access point. And to do that, I'm going to enter the root terminal. And, I will enlarge this, of course, so you can see everything better. And, the command that we must use to actually deauthenticate someone is using the aireplay-ng tool. So it is spelled like this, and the options that it takes are -0, and then a space and 0. Once again, this means it'll send deauthentication packets indefinitely until we Ctrl+C the program, and then it'll stop deauthenticating. So what I advise you to do, if you're following this attack, is connect your mobile phone to the access point.
00:09:10,407 --> 00:10:18,450
And you will notice, as soon as we start running this command, your mobile phone will get disconnected from the wireless access point. So once you type -0 and then 0, the next parameter is -a, and after -a comes the MAC address of the wireless access point. At the end, we only specify the wireless interface in monitor mode, and we can start deauthenticating. And if I take a look at my phone, I am instantly being disconnected from this wireless access point. And, if I go to settings and try to connect back, it'll not work. Nobody will be able to connect to this wireless access point as long as I am running this attack. But you only want to run this for a few seconds, and once you run it for a few seconds, everyone will be disconnected; then you Ctrl+C. And, here in just a few seconds, we will be catching WPA2 handshakes with the hashed value of the password. From my phone I already established a connection to the wireless access point. And, once you do that, in the upper right corner you should see this WPA handshake.
00:10:18,450 --> 00:11:23,350
And, as soon as you see that, you can Ctrl+C this program; you got everything that you need. You got the four-way handshake, and inside of that four-way handshake is the password that you need. Once you finish all of this, you will notice that you got four different files on your desktop. As you can see: one, two, three, and four. And, you actually only need one out of these four files, and this is the .cap file. All of the other three you don't need for this attack, so you can just save the .cap file, and you can delete the others. Once you have the .cap file, inside of this file is our four-way handshake. And then, in the next video, we're going to use different tools to extract the hashed password from this .cap file, and then we are going to use massive word lists to try to crack this password from this file. But for this, I'm going to switch to my Kali Linux machine so we can go back to our normal environment, since I no longer need to run any program on my laptop. See you in the next video.