1 00:00:00,210 --> 00:00:06,380 Hello everybody and welcome back to the next lecture in the Wi-Fi penetration testing section. 2 00:00:06,720 --> 00:00:12,840 In the previous video we saw how we can capture our four-way handshake and how we can crack it with 3 00:00:12,840 --> 00:00:17,210 the aircrack program using our CPU power. 4 00:00:17,240 --> 00:00:24,200 Now that we did that, what we want to do is basically try to run this process a lot faster, or not a lot 5 00:00:24,200 --> 00:00:28,570 faster but basically a few times faster, with our GPU. 6 00:00:28,640 --> 00:00:29,900 So how do we do that? 7 00:00:29,900 --> 00:00:35,840 Well, basically we will use a program called hashcat. As we can see, if you type here hashcat, it is already 8 00:00:35,840 --> 00:00:39,340 installed in Kali Linux, so you won't have to install it again. 9 00:00:39,410 --> 00:00:47,240 All you need to do is run one simple command, but you can do that only after you basically convert 10 00:00:47,330 --> 00:00:53,750 the .cap file we have to a .hccapx file. 11 00:00:53,750 --> 00:00:55,140 Now how do we do that? 12 00:00:55,400 --> 00:01:01,180 Well, there are some tools on Linux, or on Kali Linux, that you can install in order to do that. 13 00:01:01,340 --> 00:01:07,470 But I prefer to use another method, which is basically on their website, on the hashcat website. 14 00:01:07,490 --> 00:01:14,450 We want to open a new window and we want to go to the website that we will use in order to convert our 15 00:01:14,450 --> 00:01:20,030 file to the .hccapx file. 16 00:01:20,030 --> 00:01:24,770 Now to go to that website you just type here https, 17 00:01:24,920 --> 00:01:37,490 colon, then two slashes, hashcat.net/cap2hccapx, and then you press enter.
18 00:01:37,490 --> 00:01:44,000 So this is the link right here and it will lead you to a simple website which is basically only used 19 00:01:44,000 --> 00:01:52,580 to convert these files between each other, so let's let this just load for a second. 20 00:01:52,600 --> 00:01:53,370 Here it is. 21 00:01:53,410 --> 00:01:55,780 And right here you should see the same thing. 22 00:01:55,780 --> 00:02:02,800 You can see that the maximum size of our file is 20 megabytes, which can sometimes cause a problem. 23 00:02:02,800 --> 00:02:07,290 Hopefully our file right now isn't larger than 20 megabytes. 24 00:02:07,330 --> 00:02:15,640 If it is, I will have to redo basically the attack and capture the four-way handshake faster, or basically 25 00:02:15,640 --> 00:02:17,600 you can shrink the file with some of the programs. 26 00:02:17,590 --> 00:02:23,340 But I believe it is not larger than 20 megabytes right now. 27 00:02:23,500 --> 00:02:25,680 Let's just find our file. 28 00:02:25,930 --> 00:02:29,700 It is in home/handshake. 29 00:02:29,740 --> 00:02:30,900 And here it is. 30 00:02:31,030 --> 00:02:33,450 It is only 1.6 megabytes large. 31 00:02:33,940 --> 00:02:42,220 So if you open it and then click here on convert, this will take a few seconds and it'll basically 32 00:02:42,250 --> 00:02:44,130 prompt you with a weird name. 33 00:02:44,210 --> 00:02:46,200 Well, that is consisting of a bunch of numbers, 34 00:02:46,210 --> 00:02:51,770 and then with the extension .hccapx. Now, it doesn't matter. 35 00:02:51,880 --> 00:02:55,870 They basically just numbered these files with that, as we can see right here. 36 00:02:55,870 --> 00:02:59,430 This is the name of our file that we need to download right now. 37 00:02:59,510 --> 00:03:07,260 It converted it to the... to the base PD type of file, not really sure what it even is.
38 00:03:07,270 --> 00:03:11,530 It is .hccapx and we can just download it right here 39 00:03:14,630 --> 00:03:16,050 as we just opened this 40 00:03:18,780 --> 00:03:20,940 and let's copy it. 41 00:03:20,940 --> 00:03:27,500 Copy and move it to the same file, which is the same folder, which is the handshake folder, so I paste 42 00:03:27,500 --> 00:03:35,040 it right here, and now we have the .cap and .hccapx file, which we need now in order to 43 00:03:35,130 --> 00:03:37,030 crack it with hashcat. 44 00:03:37,320 --> 00:03:46,590 Now if we type here hashcat --help, you will see it comes with a bunch of the options; we will 45 00:03:46,590 --> 00:03:49,020 use some of them, not all of them. 46 00:03:49,080 --> 00:03:57,570 The most important one is to specify the type of hash that we are cracking, which you can see is labeled 47 00:03:57,570 --> 00:04:00,450 with these numbers on the left. 48 00:04:00,510 --> 00:04:08,100 Now as we can see there is the MD5, MD4, SHA-1, SHA-2, SHA-224, 256-bit, and 49 00:04:08,100 --> 00:04:10,350 they're all labeled with this number right here. 50 00:04:10,410 --> 00:04:12,120 That's how we will specify that. 51 00:04:12,390 --> 00:04:20,330 But we want to find WPA, a pre-shared key password, and it should be somewhere here. 52 00:04:20,400 --> 00:04:22,800 I believe it is somewhere around here. 53 00:04:22,800 --> 00:04:25,380 Here it is, WPA. 54 00:04:25,390 --> 00:04:26,840 EAPOL. 55 00:04:27,120 --> 00:04:28,950 And this one we will use right here. 56 00:04:29,160 --> 00:04:37,250 So it is under the number 2500, so let us use that option. 57 00:04:37,250 --> 00:04:48,620 Let me see if there is anything else that we need to use; it basically just shows the syntax for 58 00:04:48,620 --> 00:04:50,300 this tool.
59 00:04:50,450 --> 00:04:55,730 We will use these two options, which is -m, which is hash type, and then we will specify 60 00:04:55,730 --> 00:05:00,120 2500 in order to specify that we're cracking a WPA password. 61 00:05:00,350 --> 00:05:04,880 And we will use the attack mode, which is basically -a. 62 00:05:04,880 --> 00:05:10,730 I believe this is used in order to specify how fast you want this attack to go. 63 00:05:10,730 --> 00:05:14,630 Now they have some examples down here. 64 00:05:14,660 --> 00:05:15,350 Here they are. 65 00:05:15,800 --> 00:05:18,980 And this is for the -a, which is a... 66 00:05:19,070 --> 00:05:20,450 It can go from one to four. 67 00:05:20,480 --> 00:05:29,180 So attack mode can go from low to nightmare, which basically... I would really recommend using the four 68 00:05:29,300 --> 00:05:30,740 option right here. 69 00:05:30,740 --> 00:05:36,620 Since this process of cracking with your GPU can actually exhaust your graphics card, and it can 70 00:05:36,620 --> 00:05:40,310 also make it crash if it passes a certain temperature. 71 00:05:40,310 --> 00:05:47,840 But I believe that hashcat has something installed in the tool itself to abort the process once the GPU 72 00:05:48,080 --> 00:05:54,310 temperature reaches over a hundred degrees, I believe, or something like that. 73 00:05:54,410 --> 00:06:01,970 You want to make sure that you check it and you do not let it reach over 85 degrees, since 100 is a lot 74 00:06:02,030 --> 00:06:03,500 for the graphics card. 75 00:06:03,740 --> 00:06:05,420 You do not want to wait for 100. 76 00:06:05,420 --> 00:06:09,770 You want to basically abort it at, for example, 85 degrees. 77 00:06:09,890 --> 00:06:15,900 So you can see right here the device type: you can choose if you want to crack with GPU or CPU. 78 00:06:15,920 --> 00:06:18,040 Right now we are cracking with GPU. 79 00:06:18,140 --> 00:06:21,230 So let us run our full command right now.
80 00:06:21,230 --> 00:06:24,890 We have the file right here, which is this one. 81 00:06:25,110 --> 00:06:26,000 You can rename it. 82 00:06:26,000 --> 00:06:30,620 So let's just rename it to something that we can use. 83 00:06:30,630 --> 00:06:38,700 So this is, for example, gpu.hccapx. And now we will just specify these three letters instead 84 00:06:38,700 --> 00:06:40,370 of all of these numbers. 85 00:06:40,410 --> 00:06:47,880 So what we want to do right now is type here hashcat -a, which stands for the attack mode, which we'll 86 00:06:47,880 --> 00:06:49,860 specify right here to 2. 87 00:06:50,010 --> 00:06:56,830 Doesn't really matter, you can use one, two, three or even four if you want to; then -m, which stands 88 00:06:56,830 --> 00:06:58,260 for the hash type. 89 00:06:58,570 --> 00:07:05,810 We saw previously that WPA is two hundred and fifty, basically 2500. 90 00:07:06,490 --> 00:07:17,040 And now what we want to specify is basically the name of our file that we are cracking, or basically 91 00:07:17,040 --> 00:07:21,060 the name of our file that has the hashed password, which in our case is 92 00:07:21,060 --> 00:07:28,710 gpu.hccapx, and one more thing we want to specify after all of this is the password list that 93 00:07:28,740 --> 00:07:31,110 we will use in order to crack that file. 94 00:07:31,110 --> 00:07:33,440 Now right here we will use the... 95 00:07:33,690 --> 00:07:35,880 Let me just find it. 96 00:07:35,910 --> 00:07:43,320 I believe it was /usr/share/wordlists. Right now let us use the rockyou.txt password list. 97 00:07:45,310 --> 00:07:45,890 Invalid 98 00:07:45,900 --> 00:07:47,020 attack mode 99 00:07:47,060 --> 00:07:54,450 value specified... No devices found/left. 100 00:07:54,450 --> 00:07:59,040 Oh yeah, I forgot that I am running this on a virtual machine 101 00:07:59,310 --> 00:08:04,520 without having the proper drivers installed for my graphics card.
102 00:08:04,530 --> 00:08:12,450 So you would need to basically install the drivers for your graphics card, depending 103 00:08:12,450 --> 00:08:15,540 on which graphics card you have, in order to perform this attack. 104 00:08:15,540 --> 00:08:20,340 If you are running Kali Linux on a virtual machine... if you are running on any other Linux 105 00:08:20,340 --> 00:08:25,270 distribution you should not have this problem and you should be able to run this attack. 106 00:08:25,270 --> 00:08:31,410 Now I will not install it right now since there is no point in showing you that, since we all have different 107 00:08:31,410 --> 00:08:32,540 graphics cards, right? 108 00:08:32,550 --> 00:08:37,530 What I will do is I will switch to my laptop in order to show you how the process of attacking will 109 00:08:37,530 --> 00:08:38,050 work. 110 00:08:38,670 --> 00:08:43,030 So let me just switch to my laptop real quick. 111 00:08:45,820 --> 00:08:48,140 So here I am on my laptop. 112 00:08:48,340 --> 00:08:53,090 And right now we will run the same command that we tried to run before. 113 00:08:53,140 --> 00:08:56,260 I don't really know why I thought that it would work there. 114 00:08:56,380 --> 00:08:59,060 I thought I was on my laptop for a second. 115 00:08:59,290 --> 00:09:02,600 But you want to... let me just... this 116 00:09:02,680 --> 00:09:03,540 a little bit. 117 00:09:03,760 --> 00:09:05,640 As we can see, I transferred my file. 118 00:09:05,650 --> 00:09:12,640 Here it is, gpu.hccapx, and what we want to do is basically run the same command, so hashcat 119 00:09:12,640 --> 00:09:20,660 -a, then the attack mode, for example zero, doesn't even matter. 120 00:09:20,700 --> 00:09:21,390 Uh. 121 00:09:21,550 --> 00:09:22,450 Attack mode zero. 122 00:09:22,450 --> 00:09:28,950 Then we want to use the -m option, I believe, too, for 2500.
123 00:09:29,280 --> 00:09:33,920 After that, the name of the file, which is gpu.hccapx. 124 00:09:34,170 --> 00:09:40,290 And after that what we want to do is specify the path to our wordlist, which on my laptop isn't the 125 00:09:40,290 --> 00:09:40,910 same path. 126 00:09:40,920 --> 00:09:46,020 Now it is Desktop/wordlists and the rockyou.txt. 127 00:09:46,350 --> 00:09:49,330 Now, now that I run this, let me just... 128 00:09:49,490 --> 00:09:51,570 You can see that it started running. 129 00:09:51,570 --> 00:09:54,290 It says temperature abort is set to 90 degrees. 130 00:09:54,320 --> 00:09:55,020 So that is good. 131 00:09:55,020 --> 00:09:56,860 I thought it was 100 degrees. 132 00:09:57,420 --> 00:10:01,770 And you can see that it found the password relatively fast, 133 00:10:01,770 --> 00:10:10,470 since I have it in my rockyou.txt, the regular text file, or whatever it is. Now you can see some 134 00:10:10,470 --> 00:10:16,140 of the options right here: hash type, which we did specify, is WPA/WPA2; it cracked it, 135 00:10:16,140 --> 00:10:21,080 you can see, in less than a second, and it shows the speed right here. 136 00:10:21,180 --> 00:10:25,110 Is this one, now, as you can see on my laptop. 137 00:10:25,110 --> 00:10:31,480 This is one hundred and twelve point one thousand passwords per second. 138 00:10:31,650 --> 00:10:39,810 So this is, let's say, a hundred thousand passwords per second, cracking with my GPU. You can see 139 00:10:39,840 --> 00:10:42,360 how many passwords it finished. 140 00:10:42,360 --> 00:10:48,910 So progress: it finished 457 thousand passwords out of 14 million passwords. 141 00:10:48,990 --> 00:10:51,890 Now let me show you the... 142 00:10:51,960 --> 00:10:53,360 Let me just find it. 143 00:10:53,430 --> 00:10:54,030 The 144 00:10:56,980 --> 00:10:59,220 wordlists. 145 00:10:59,270 --> 00:11:00,430 No, it's not there. 146 00:11:00,570 --> 00:11:04,100 Now this.
147 00:11:04,400 --> 00:11:05,720 Let me just delete. 148 00:11:05,810 --> 00:11:06,860 I have a bunch of these. 149 00:11:06,910 --> 00:11:09,740 rockyou.txt, saved passwords 150 00:11:15,660 --> 00:11:17,820 No such file or directory. 151 00:11:17,820 --> 00:11:20,460 What do you mean, no such file or directory? 152 00:11:20,460 --> 00:11:21,520 I see it right here. 153 00:11:21,660 --> 00:11:25,740 Oh, it is the .gz one and not the .txt one. 154 00:11:33,640 --> 00:11:35,830 Okay, doesn't matter now. 155 00:11:35,890 --> 00:11:46,660 What we want to do is tar it, or basically gunzip it, the rockyou one. I unzip it on my laptop, 156 00:11:46,690 --> 00:11:49,720 it won't have... 157 00:11:50,350 --> 00:11:52,210 What do you mean it doesn't want to? 158 00:11:52,330 --> 00:11:54,680 So let me just... 159 00:11:54,720 --> 00:11:55,690 No, no, never mind. 160 00:11:55,690 --> 00:12:03,040 Let me just... let's just use another password list. 161 00:12:03,430 --> 00:12:08,060 Not really sure how many passwords are here, but let's see how fast it will finish with this password list. 162 00:12:08,070 --> 00:12:11,380 This is just common.txt. 163 00:12:11,430 --> 00:12:13,670 But let me just try once again if I can 164 00:12:15,870 --> 00:12:16,260 unzip. 165 00:12:22,200 --> 00:12:25,200 Not sure why it won't find it. 166 00:12:25,200 --> 00:12:28,080 So let's try gunzip once again. 167 00:12:32,230 --> 00:12:35,790 Oh, it's actually okay. 168 00:12:35,880 --> 00:12:40,020 Maybe it will work like this, but let's just run it once again. 169 00:12:40,040 --> 00:12:44,570 So we changed to our directory where we have our hashcat 170 00:12:44,670 --> 00:12:50,430 .hccapx file and let us run it once again. 171 00:12:52,930 --> 00:13:04,270 hashcat -a 0 -m 2500 and then the name of the file and then the path to 172 00:13:04,270 --> 00:13:09,550 the list. All hashes found in potfile. 173 00:13:09,760 --> 00:13:12,850 Okay, so it found...
174 00:13:13,750 --> 00:13:13,980 Yeah. 175 00:13:13,990 --> 00:13:21,250 It gives me this because it already cracked the hash with these password lists. 176 00:13:21,400 --> 00:13:27,160 So let's just use the common.txt that we have in the same folder, or basically you can use any 177 00:13:27,210 --> 00:13:28,200 password list you want. 178 00:13:28,570 --> 00:13:34,240 Right now I'm using the ones I have in order to show you... All hashes found in potfile. 179 00:13:34,300 --> 00:13:37,780 Now it won't work because once you crack the password, 180 00:13:37,780 --> 00:13:45,100 the password hash in the .hccapx file, it won't really allow you to crack it once again, since 181 00:13:45,190 --> 00:13:47,980 it already has it cracked. 182 00:13:47,990 --> 00:13:56,680 We saw, we directly got to see, it ran over one hundred thousand passwords per second and it managed 183 00:13:56,680 --> 00:14:00,130 to crack it in less than a second. 184 00:14:00,190 --> 00:14:04,010 That is how powerful your GPU is in this process of cracking. 185 00:14:04,150 --> 00:14:10,380 Now, even though the speed may sound really fast to you, 186 00:14:10,470 --> 00:14:14,350 the one hundred thousand passwords per second may sound really fast to you, 187 00:14:14,560 --> 00:14:20,560 it is still nothing compared to the possible combinations of the password that you might have. 188 00:14:20,710 --> 00:14:27,360 Now I will show you how you can create some of the more precise password lists that you might need 189 00:14:27,430 --> 00:14:31,100 with two... for which two programs: one is crunch, and the other one, 190 00:14:31,250 --> 00:14:32,840 I'm not really sure what it's called. 191 00:14:32,840 --> 00:14:40,520 I'll have to check it out, and then you might have a slightly bigger chance in cracking the password 192 00:14:40,520 --> 00:14:47,820 for the wireless network. So that would be about it for this tutorial. 193 00:14:47,830 --> 00:14:48,320 Uh.
194 00:14:48,340 --> 00:14:50,790 And I will show you the password 195 00:14:50,830 --> 00:14:54,940 list making in the next tutorial, and I hope I see you there. 196 00:14:55,170 --> 00:14:55,480 Bye.