00:00:00,150 --> 00:01:51,380
Hello everybody and welcome back to the wireless penetration testing section. Now in the previous video we saw how we can actually put our wireless networking card into monitor mode. Now that we know how to do that, we will continue with the usage of the aircrack-ng program that is installed in Kali Linux and is used in order to capture the four-way handshake, and in order to crack the four-way handshake. So open up your terminal and let's, before we begin... As I said, we need to put our card into monitor mode; now that we know how to do it I will just go over it briefly. So I have ifconfig, ifconfig and then the name of this network interface, then I put it down, then iwconfig my wireless interface and then mode monitor in order to put it into monitor mode, since, as I already said, it is by default set in managed mode, and in monitor mode we can inspect all of the packets around us. So we need monitor mode. So let me just put my interface back up now and we are good to go. Now the first thing that I want to use... Let me just make this a little bit bigger so you can see it. The first thing that I want to use, or that I want to show you, is a simple command. It looks something like this: airmon-ng. So just type in your Kali Linux terminal, if you're using Kali Linux, airmon-ng and then check and then the name of your wireless network interface.
00:01:51,380 --> 00:03:20,330
Now what this will do is basically it will list all the processes that could potentially cause some trouble in the process of capturing the four-way handshake. Now these are all processes connected to your network manager. So as it says right here, we can read it: it says "Found 4 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill some of them." Now this basically means that they can cause trouble in this process of capturing the four-way handshake. Now you will probably have all of these processes as well. And from my own experience you can only actually put down the NetworkManager and the wpa_supplicant; the daemon processes basically come back, they respawn after you kill them. Now in order to kill them, you can use two methods to kill these processes. You can just type here kill and then the process ID, which would be 61, and then you run this again. That is one way to kill the process, and the other way is to kill them all at once. So just type here airmon-ng check kill and then your network interface, and it will kill all the processes that could cause you trouble.
00:03:20,330 --> 00:04:59,010
So now if we run the check once again to see if there are any processes, there are not any at the moment, but some of them might respawn later on; you shouldn't really worry that much about it, they probably won't cause you trouble then. So now that we did it, we want to basically set our network card once again into monitor mode, since after you finish this process of killing all these processes, as you can see, your card will be put back into managed mode. So after you kill all of these processes you want to set your card once again into monitor mode. So the same three commands that we used before: ifconfig wlo1 now up, pardon me, up, and now if we check with iwconfig our card is currently, as you can see, in monitor mode, which is good. So the next thing you want to do is basically inspect all of the wireless networks around you. Now you do that with the command airodump-ng, and all you need to do right now is basically specify your wireless network interface. So in my case that is wlo1, and in your case it will be basically whatever you get as output with this command. So as we can see it's right here; don't use the same as I use, I need to repeat this once again, or this won't work.
00:04:59,010 --> 00:06:31,200
So let us just run airodump-ng and then wlo1, and as you can see it will start listing all of the wireless networks around me. Now as we can see right here it prints out a bunch of other options as well. Now the first thing you might notice, and that is familiar to you, are these right here, which stand under the column ESSID, which is basically just the names of the wireless networks. So for example, if you were to take your mobile phone and turn on the wireless, you would be seeing all of these names right here. Now the wireless that we will be testing will be this one right here, since it is my own wireless and I have permission to test on it. You should not be testing this method, or any other method of attack, on anyone else you do not own or do not have permission to attack. So that's why I will use my own wireless. Now let's start off with the next column next to the name of the wireless, which is basically AUTH and stands for authentication, and we can see that there are a bunch of these PSK, which is pre-shared key, which is just the method of authentication, and the cipher is which cipher it uses. Now my wireless uses TKIP and most of the others use CCMP; that is not really that relevant to our attack right now. And encryption is, as we can see, WPA2.
00:06:31,220 --> 00:07:58,660
Or in some cases it is WPA, which also doesn't really matter in our case, since we will be attacking both of these with the same method, and also we can see that there really isn't a WEP here. So there is really no point in trying to exploit that; for now we will stick to the WPA2. The channel is also something important; the channel is something that you will specify in the next command. It is basically the channel on which your wireless access point is running. This data is basically, as it says, data that is flowing. Beacons now, beacons are basically the network frames for the, pardon me, for the wireless access point, which basically show others that it is present. They are basically just there to show its presence. And this PWR column right here is basically showing you how far away your wireless access point is. So basically, the smaller the number, the closer to you the wireless access point is. Now in my personal case, uh, this method won't work on any access point that is larger than -75, because that means that that access point is too far from us and we will not be able to capture the four-way handshake or deauthenticate anyone at that distance.
00:07:58,690 --> 00:09:34,370
So if you wanted to, for example, test any of these lower, uh, wireless access points, you would need to get closer to them in order to perform the attack. And the last column right here is the BSSID, which is basically the MAC addresses, the physical addresses, of the other access points, which is also really important and which you will use in our attack. So in order to stop this, since as we can see this is in live mode, which means it updates every second the state of these access points, you just press Ctrl+C, and you can also inspect it in static mode, as we can see right here, which is good when you want to copy something; if it's running in live mode you really can't copy anything. Now the next command we want to do, now that we decided which wireless access point we are attacking and now that we saw the options for it (which one are we attacking, which is Dark Matter; the channel is three for that access point and the MAC address is this one for our wireless access point), now that we know all of that, we want to type the next command, which is airodump-ng then -c, and -c stands basically for channel. So after that you just type a space and the channel your access point is running on; in my case that is channel number three. And once you do that, you type after that a space and then --bssid.
00:09:34,450 --> 00:11:09,980
Now as we can see from the table right here, the BSSID is basically this column right here, so after this we need to specify the MAC address of our wireless access point, which in my case is this one, so I copy it, I paste it right here, and now. Now basically that we did it, we can actually run this command and it will only focus on our own wireless access point, and it will also see which devices are connected to it, or basically the MAC addresses of the devices that are connected to it. Now it gave me the error because I didn't specify the wlo1, which is my wireless network interface, so you need to specify it in every command, as I said. So basically just press enter now, and you can see that right now we only see our wireless access point that we are testing, and soon we should see some of the MAC addresses popping up right here, which basically shows the devices that are connected to the access point. As we can see there is one, which is basically, I believe, my mobile phone. Now I don't think there is any other connected at the moment; I mean I am not connected on my laptop and I am not connected on my PC, so it's probably it, which is enough. Basically one user on the wireless is enough for us to deauthenticate it and make him reconnect and capture the four-way handshake. But how do we do that?
00:11:10,000 --> 00:12:48,410
Now that we know how to specify a single wireless access point in order to scan it, now we will use the same command here and we will write the output to a file. So just press Ctrl+C here, and you can basically just scroll up. So the same command right here, and before we specify the wireless network interface we want to type here -w, which stands basically for write to a file, and then the name of the file; we can name the file basically anything we want. What... Let me just cd to the desktop first, so it saves it there, and let us just run the same command once again, or not the same: we want to specify -w and then the name of the file, which is named myfilescan. So now that we named our file, now we need to specify the network interface, so wlo1, and we run the same command, and as we can see right here it is now writing the stuff that it captures in the file. So the next thing we want to do, now that it is writing it in the file, is basically deauthenticate, let me just zoom this in, deauthenticate everyone on the wireless access point. As we can see, we can actually perform that without being connected to the wireless access point. So how do we run the deauthentication attack?
00:12:48,410 --> 00:14:28,970
We run it with aireplay-ng and then we specify -0 and then 0, which basically stands for deauth, send the deauthentication packets forever, basically until we close the program. The next thing we want to do is type here -a, and after -a we paste the MAC address of our wireless access point, which you can also copy from right here. Now that we specified that, the only thing that we need to specify right now is the wireless network interface, so in my case wlo1. Now that we did that, just press enter and you will see that it is running the deauthentication attack. Now this will run until we stop it, and all the devices are now disconnected from the wireless access point. My mobile phone, you can't see it, but it currently got disconnected, and as soon as I stop this right here with Ctrl+C it will connect back to the wireless access point, and right here we should see the WPA handshake, as we can see it right here. So we successfully got the WPA four-way handshake and we can now Ctrl+C this program as well, so it has written the four-way handshake into the file. Now that we got the file, we will basically continue in the next tutorial; I will cut the tutorial short right here, and I will explain all the four files that we got and what we can do with them and what we should do with them now.
00:14:29,130 --> 00:14:35,490
That's about it for this tutorial. I hope you enjoyed it and I hope I see you in the next one. Bye.