00:00:00,180 --> 00:01:26,040
Hello everybody and welcome back to the next section of our ethical hacking course. Now, in the previous section we covered the WEP penetration testing attacks, some of the basic and some of the more advanced attacks. But in this section we will cover some of the attacks used to gain access to the wireless access point network. Now, we will cover two types of attacks for this part, which are the brute-force dictionary attack on the wireless access point and the evil twin attack. We will use the WPA and WPA2 types of wireless access points; WPA3 is the new one, but it is still not widely used. It came out last year, I believe in June 2018, and it is still not used in regular places. WPA3 basically will be the most secure one and it will prevent some of the attacks that we were able to perform on the WPA2 and WPA types of wireless access points. So what I have right here is a little bit bad drawing of a dictionary-based attack. A dictionary-based attack is basically the type of attack where we actually sniff the four-way handshake of a wireless access point. Now, the four-way handshake is basically a process that the client performs in order to connect to the wireless access point.
00:01:26,040 --> 00:02:44,710
It is called a four-way handshake because it consists of four parts. Now, in order for us to gather the four-way handshake we would need to... basically the entire process can be summed up in one sentence. So basically we need to disconnect the client from the wireless access point and sniff the four-way handshake as soon as it tries to connect back. That will be the entire process that we will be doing. So the process in detail would be that we need to send something called deauthentication frames. Now, the deauthentication frame is a frame sent from a station wishing to terminate its connection to another station. So basically the deauthentication frame is something that the client sends to the wireless access point when it wants to disconnect from it. And the thing is that we can spoof the MAC address of any of the clients that are connected to the wireless access point and make them disconnect. So basically, on any wireless access point you can send deauthentication frames and disconnect all of the other clients from the wireless access point without you even having access to it.
00:02:44,710 --> 00:04:06,840
Now, we will do that in detail and in practice in the next lectures, but for now you should just know that we will basically spoof the MAC address and send the deauthentication frames in order to disconnect a client from a wireless access point. The thing is, we can do that for as long as we want. If we wanted to, we could deauthenticate them for 24 hours, but most likely we will only want to do that for a few seconds. So as soon as we stop the deauthentication attack, the client will automatically connect back to the wireless access point, and when it does that, when the client automatically connects back, we basically gather something called a four-way handshake, which is the handshake where the client will send the password to the wireless access point. Now the problem is that the password that we will gather from the four-way handshake will be encrypted, and that's where the dictionary-based attack comes in, which is basically: after this we only want to brute-force the hash that we received with a dictionary. But we will talk about that in detail later on. We would basically just need to find out the word that corresponds to that hash that we received from the four-way handshake.
00:04:07,930 --> 00:05:30,320
But that process doesn't really have anything to do with the wireless hacking, and the wireless hacking basically consists of deauthenticating the client and then gathering the four-way handshake. Basically, that is the first attack that we will do. Now, the second attack that we will do is basically... we will create a... we will recreate the same access point that we want to hack. That's called the evil twin access point. The main purpose of that is also one of the main purposes why we use the deauthentication. Basically we want to force clients to connect to our evil twin access point, which then can be used to capture the network packets transferred between the client and our access point. Now, how do we do that? Well, we basically try to make an identical access point to the one that we are attacking, and then once we do that we basically send the deauthentication packets to the clients connected to the wireless access point, and then we hope that they will connect back to our access point instead of the real and legit access point that they were connected to before. Now, in order for us to perform both of these attacks you will need two things. And the first one is monitor mode enabled on your wireless network card.
00:05:30,340 --> 00:07:04,800
Now, if you don't have the monitor mode option on your network card already, you will basically need to buy a cheap network card that has monitor mode enabled on it, basically anywhere you like. You can go to your local store and try to find it. Just ask: does this card have the monitor mode option on it? That is also the reason why I will be recording all of these attacks on my laptop instead of the Kali Linux machine, or basically only the first part of the attack will be recorded on the laptop, and then after that we will go on to our Kali Linux machine, since I have monitor mode enabled on my laptop and I don't have a wireless card for my Kali Linux machine. And the second thing that you might need is an antenna for a stronger signal in an evil twin attack. Now, that is not a must. You do not need it if you don't want it, but it can make your attack perform better, since if you have a stronger signal, after you deauthenticate the clients they will most likely connect back to you instead of the real access point. But you do not need it. We can perform the evil twin attack even without the antenna for a stronger signal. But the first thing that I said you will need... You cannot perform any of these attacks without monitor mode on your network card. So make sure you get that to work before you continue with this section.
00:07:05,120 --> 00:08:34,040
That would basically be some of the theory behind all these attacks. We will of course cover them in greater detail and in practice in the next lectures. Now, some of you might ask: why aren't we also attacking WPA3? Well, as I said, basically WPA3 is the newer version and it is not widely used yet in the world. And there is no point in attacking something that basically doesn't have a vulnerability yet and basically isn't used yet. Now, they did discover a vulnerability, I believe last year when it came out, which is also a vulnerability for WPA2. Basically, I believe some hacker developer found a way to crack the network without involving the four-way handshake. So basically what it led to in this attack, I believe, is that the attacker sends a single EAPOL frame to the access point; they then get back the pairwise master key and use hashcat to generate the pre-shared key. Now, hashcat is a program that we will use in order to crack the hash of the password that we received from the four-way handshake. I will show you that program later on and how to use it. And with a reasonably cheap cracking infrastructure, you could crack many systems in just a few days or even less. Some of the systems you could basically crack in just a few seconds.
00:08:34,130 --> 00:09:57,810
Now, the dictionary-based attack, for some of you that are wondering, is not possible on WPA3, which is the new wireless access point security measure. Basically, the WPA2 four-way handshake was susceptible to offline dictionary-based attacks, which we will cover, especially when short passwords under 16 characters were employed, but the WPA3 handshake protocol forces real-time attacks, essentially eliminating the dictionary attack technique. Which basically means: in the WPA2 attack, which we will cover, basically once you get the four-way handshake you do not even need to be near the wireless access point. You can just go to the other side of the world and still perform the dictionary brute force, since you have the four-way handshake captured in the packet that you have saved on your Kali machine, for example, and then later on you do not need to be anywhere near the wireless access point in order to try to brute-force that hash. But that type of attack we won't be able to do on WPA3, and also WPA3 uses the Simultaneous Authentication of Equals, or SAE, to replace WPA2's pre-shared key exchange protocol, which is also the four-way handshake. SAE is a more secure protocol for handling the initial key exchange.
00:09:57,830 --> 00:10:49,550
And SAE, also known as the Dragonfly key exchange, uses forward secrecy and is resistant to offline decryption attacks. So that's about it for the theoretical part. We will of course cover it in greater detail later on, but for now this is just some of the basics that you should know in order to more easily understand the attacks we will perform. And also you need to gather, as I said, the network card with the monitor mode option on it, and then you will be set to go. So that's about it for the theory part. In the next lecture I will start with putting our network card in monitor mode and starting our dictionary-based attack. So I hope I see you in the next lecture and take care, bye.