1
00:00:00,120 --> 00:00:06,000
Hello everybody and welcome back to another lecture in the wireless penetration testing section.

2
00:00:06,270 --> 00:00:12,300
Now in the previous lectures I showed you how to capture the four-way handshake and how to brute force

3
00:00:12,300 --> 00:00:19,920
it with your CPU and GPU. We used two tools called aircrack and hashcat and we used some of the already

4
00:00:20,040 --> 00:00:25,150
installed wordlists, basically in Kali Linux.

5
00:00:25,490 --> 00:00:32,690
But now let's say you want to create some of your own wordlists or you want to target a specific person

6
00:00:32,790 --> 00:00:38,400
that you know and you basically know something about them and you want to create, for example, more

7
00:00:38,410 --> 00:00:43,050
data that could help you brute force the password faster.

8
00:00:43,190 --> 00:00:50,320
Now there is a simple program in Kali Linux which comes pre-installed.

9
00:00:50,430 --> 00:00:51,930
It is called crunch.

10
00:00:51,930 --> 00:00:58,430
So let me just show you. Let me just delete this as we do not need it anymore.

11
00:00:58,710 --> 00:00:59,600
Then crunch.

12
00:01:00,160 --> 00:01:02,760
Let's open the manual for crunch.

13
00:01:02,790 --> 00:01:08,310
It is basically a program that is used to create wordlists, as we can see right here.

14
00:01:08,310 --> 00:01:13,470
Crunch can create a wordlist based on criteria you specify. The output from crunch can be sent to

15
00:01:13,470 --> 00:01:18,330
the screen, to a file, or to another program, which is really important.

16
00:01:18,330 --> 00:01:25,170
This part here, to another program, and I will show you why in just a second. But before we begin let

17
00:01:25,170 --> 00:01:32,660
me just show you that it has a bunch of options that, if you want to, you can learn.

18
00:01:32,940 --> 00:01:35,110
I don't know most of these options.

19
00:01:35,120 --> 00:01:39,800
I basically just open the manual and then I specify what I want to make.

20
00:01:39,800 --> 00:01:47,030
Now the simplest use of this would be... let me just... this would be, for example, type here

21
00:01:47,450 --> 00:01:58,130
crunch, and the syntax would be to specify the minimum letters or numbers that you want in the word and

22
00:01:58,130 --> 00:02:00,400
the maximum letters or numbers that you want in the word.

23
00:02:00,390 --> 00:02:07,670
So for example let's say I want to make... all the words that... I basically want to make a

24
00:02:07,670 --> 00:02:11,270
file with the words that have six characters.

25
00:02:11,270 --> 00:02:18,800
So if I just type this, you will notice that it will start printing all of these words right

26
00:02:18,800 --> 00:02:25,070
here that consist of six characters and it will basically go through all of the combinations

27
00:02:25,070 --> 00:02:31,220
there are for these six character words. Now that will take a long time, so let's just close this.

28
00:02:31,220 --> 00:02:36,740
Let me just show you before it starts once again that right here it says crunch will now generate the

29
00:02:36,740 --> 00:02:42,380
following amount of data, and you can see how many bytes it will create. The size of the file will be

30
00:02:42,950 --> 00:02:50,390
two thousand megabytes, or basically two gigabytes, and the number of the, basically, passwords or

31
00:02:50,390 --> 00:02:56,390
lines that you would have in that file is this one, which is I believe three hundred and eight million,

32
00:02:57,170 --> 00:03:04,720
close to 309 million, which is a lot. It would take a lot, a lot longer.

33
00:03:04,720 --> 00:03:10,250
The normal... it's going to take a lot of time to create this password list and it would also take

34
00:03:10,250 --> 00:03:16,130
a lot of time to complete this password list in brute forcing, especially if you use aircrack and your

35
00:03:16,410 --> 00:03:22,810
CPU, and also especially if you use it on a virtual machine, as we saw that the speed of aircrack

36
00:03:22,820 --> 00:03:27,280
on our Kali Linux machine was only 350 passwords per second.

37
00:03:27,290 --> 00:03:32,010
Now imagine running that with... running that speed with this password list.

38
00:03:32,030 --> 00:03:34,280
It would take you months to finish.

39
00:03:34,570 --> 00:03:37,040
So that's just the simple use of this password list.

40
00:03:37,040 --> 00:03:39,620
You can also change the numbers.

41
00:03:39,620 --> 00:03:45,860
For example, let's say we want to make all the passwords that contain between three and five letters

42
00:03:45,920 --> 00:03:47,250
or characters.

43
00:03:47,390 --> 00:03:50,170
We can see that this is a lot smaller.

44
00:03:50,330 --> 00:03:56,420
It will basically print out all the passwords with three to five characters. As we can see, it really

45
00:03:56,420 --> 00:04:01,630
fast went through the three character words and the four character words.

46
00:04:01,640 --> 00:04:07,580
And now it is onto the five character words, which will actually take the most of the... most of the

47
00:04:07,610 --> 00:04:08,130
file.

48
00:04:08,680 --> 00:04:10,150
Let me just see the size of it.

49
00:04:10,160 --> 00:04:17,600
It was 70 megabytes and it has around 20 million passwords right here, which is basically somewhere a

50
00:04:17,600 --> 00:04:25,580
little less than the rockyou password list that you will be... just in the rockyou password

51
00:04:25,580 --> 00:04:31,880
list there are a bunch of passwords that were already, I believe, hacked before and they were put in that

52
00:04:31,880 --> 00:04:36,810
file as the passwords that were mostly used by other users online.

53
00:04:36,830 --> 00:04:46,180
So those are legit passwords used at some point by some user on some website. Let's say we want to specify

54
00:04:46,240 --> 00:04:50,060
something else in greater detail with crunch.

55
00:04:50,230 --> 00:04:56,290
So let's open man crunch and let's go to some of the examples that they have right here, as we can

56
00:04:56,290 --> 00:04:56,600
see.

57
00:04:56,620 --> 00:04:57,680
Example one.

58
00:04:57,850 --> 00:04:58,980
crunch 1 8.

59
00:04:58,990 --> 00:05:03,580
And it gives you the explanation, which is basically: crunch will display a wordlist that starts at a

60
00:05:03,610 --> 00:05:05,300
and ends at zzzzzzzz.

61
00:05:05,410 --> 00:05:11,710
Which means it will create the list of all the words containing between 1 and 8 characters.

62
00:05:12,100 --> 00:05:21,730
Then crunch 1 6 abcdefg will create the wordlist, and the words that it contains are words

63
00:05:22,360 --> 00:05:30,840
between 1 and 6 characters that only have these seven characters right here, which is a b c d e f g.

64
00:05:30,990 --> 00:05:33,720
Example 3 would create...

65
00:05:33,720 --> 00:05:34,200
You can...

66
00:05:34,490 --> 00:05:37,080
Let's not create... let's not read all of them.

67
00:05:37,380 --> 00:05:41,990
Let's just go down here and see if there is anything interesting that we might need.

68
00:05:45,610 --> 00:05:47,590
Size of file... this is not...

69
00:05:47,650 --> 00:05:51,540
You can also specify the size of the file, as we can see right here.

70
00:05:51,940 --> 00:05:56,840
The first three files are 20 megabytes.

71
00:05:56,930 --> 00:06:00,110
These are just a bunch of the options that you can specify.

72
00:06:00,110 --> 00:06:09,000
We do not want to actually bother with all of them, but what you can specify, or not specify... what

73
00:06:09,090 --> 00:06:11,560
is important to you are these characters right here.

74
00:06:12,060 --> 00:06:16,410
Once you specify them... let me just find where exactly they are

75
00:06:19,470 --> 00:06:27,060
written... they all represent, say... Ah, here they are. With the minus t, this is an option that you want

76
00:06:27,060 --> 00:06:33,450
to know, or not know... that you want to know that it exists: the minus t command, and then these three or four

77
00:06:33,450 --> 00:06:37,890
symbols specify a pattern where the only...

78
00:06:39,400 --> 00:06:45,300
Yeah, well, we specify a pattern where you have, for example, a word in that pattern and all the other

79
00:06:45,300 --> 00:06:50,280
symbols will change. As we can see, the @ symbol inserts lowercase letters.

80
00:06:50,280 --> 00:06:52,930
So let's say that someone specified this password.

81
00:06:53,010 --> 00:07:00,330
They know that because the word is actually contained in the entire password of that wireless network.

82
00:07:00,330 --> 00:07:09,330
So he specifies... the @ will insert lowercase characters, the comma will insert uppercase characters, the

83
00:07:09,360 --> 00:07:11,670
percentage sign will insert numbers.

84
00:07:11,670 --> 00:07:16,720
And the upper... this upper arrow right here (^) will insert symbols.

85
00:07:16,770 --> 00:07:18,050
Now let me show you.

86
00:07:18,060 --> 00:07:19,870
Let's actually try that.

87
00:07:19,950 --> 00:07:23,970
So we press Q and let's say we type here something like this.

88
00:07:24,000 --> 00:07:34,360
We want the seven word... the seven character passwords that basically have, let's say, lowercase letters, then

89
00:07:34,360 --> 00:07:42,620
the word, for example "word", and then a comma for the number, I believe it is.

90
00:07:42,620 --> 00:07:45,220
No? So let's try to see what it will print.

91
00:07:45,220 --> 00:07:48,520
It only has 300000 passwords.

92
00:07:52,080 --> 00:07:52,950
It wasn't a word.

93
00:07:52,950 --> 00:07:53,850
It was only a comma.

94
00:07:53,910 --> 00:07:59,460
Oh yeah, I forgot. I specified... I forgot to specify the minus t option.

95
00:07:59,460 --> 00:08:02,060
So after that you need to specify the minus t option.

96
00:08:02,460 --> 00:08:04,830
And only then you can use this.

97
00:08:04,980 --> 00:08:08,890
And right now it will print all the words, as we can see right here.

98
00:08:08,940 --> 00:08:11,500
Now, the comma was a capital letter, not a number.

99
00:08:11,520 --> 00:08:18,430
As we can see by the last letter here, they are all capital, then the first two are lowercase characters.

100
00:08:18,450 --> 00:08:25,980
They went through all of the combinations and we can see in the middle there is a word that we specified

101
00:08:26,140 --> 00:08:31,630
it to be there. So you can also specify, let's say, a bigger password for this.

102
00:08:31,640 --> 00:08:33,020
So let's use the same.

103
00:08:33,090 --> 00:08:37,820
But right now let's use the upper arrow and another upper arrow in here.

104
00:08:37,820 --> 00:08:40,770
What we want to do is minus... or not minus.

105
00:08:40,880 --> 00:08:45,980
We want to specify nine letter... nine character passwords.

106
00:08:46,000 --> 00:08:52,570
This will be a lot larger, as we can see, and we can see that those upper arrows represent symbols.

107
00:08:52,630 --> 00:09:00,460
So we said that at the end there should be two symbols and there really are... no, I'm not really sure.

108
00:09:00,650 --> 00:09:06,090
There is a zero at the end of every... you can see right here.

109
00:09:06,090 --> 00:09:07,720
Word... yo yo.

110
00:09:07,920 --> 00:09:10,100
Let me just check something out.

111
00:09:10,110 --> 00:09:15,290
It's not zero... it is... no, it is zero.

112
00:09:15,380 --> 00:09:20,930
I'm not really sure why it is there, but it doesn't really matter. As we can see, these are the symbols

113
00:09:20,930 --> 00:09:26,410
that we specified at the end, and the capital characters and the lowercase characters.

114
00:09:26,450 --> 00:09:35,090
Now the thing that you need is to write this to a file, because basically you do not want to just output it

115
00:09:35,090 --> 00:09:40,100
in the terminal like this, you want to write it somewhere to a file so you can use it later on.

116
00:09:40,100 --> 00:09:44,330
Now, in order to do that, basically just type here crunch,

117
00:09:44,370 --> 00:09:51,190
you know, for example let's say you want all the five letter words, and then crunch it into passwords

118
00:09:52,080 --> 00:09:54,400
dot txt.

119
00:09:54,550 --> 00:10:01,140
And as you can see it will basically put all of these, I believe 11 million or even more...

120
00:10:02,020 --> 00:10:08,980
Yeah, around 11 million passwords into this passwords.txt file. If we cat the passwords.txt file

121
00:10:08,980 --> 00:10:15,080
right now you will see all of these five letter passwords stored in there.

122
00:10:15,150 --> 00:10:21,600
So now that we know... you did that, you can basically just run a simple aircrack-ng, so that's aircrack

123
00:10:21,660 --> 00:10:31,630
dash ng minus w, and then your password list, and then the file that contains your handshake.

124
00:10:31,670 --> 00:10:33,940
Now I'm not really sure what happened right here.

125
00:10:35,980 --> 00:10:45,260
You see it like... is so... I think I specified something wrong.

126
00:10:45,540 --> 00:10:48,480
Let me just check it once again.

127
00:10:48,480 --> 00:10:49,260
If I run it...

128
00:10:56,400 --> 00:10:57,030
just check.

129
00:10:57,110 --> 00:10:57,890
Let me just...

130
00:10:58,510 --> 00:11:01,250
I'm not too sure why it isn't outputting it right here.

131
00:11:01,260 --> 00:11:07,920
So let us use /usr/share... more of this common

132
00:11:10,620 --> 00:11:15,850
knowledge... skills like you did the extra, and let's see.

133
00:11:16,360 --> 00:11:16,700
OK.

134
00:11:16,700 --> 00:11:19,330
So right now it wants to work.

135
00:11:19,340 --> 00:11:24,380
I'm pretty sure it could be because of the passwords that are only five letters long.

136
00:11:24,530 --> 00:11:26,030
It could be something like that.

137
00:11:26,040 --> 00:11:32,750
Not really sure why. It doesn't even matter. What we will do right now is I will show you how you can

138
00:11:32,750 --> 00:11:37,080
use crunch in order to pipe that into aircrack.

139
00:11:37,130 --> 00:11:44,270
Now by pipe I mean, you know, produce the output of the crunch command and use it as the input in

140
00:11:44,270 --> 00:11:50,900
aircrack, and therefore you do not need to have any password list and you can use as many passwords as

141
00:11:50,900 --> 00:11:54,210
you want, as long as you have time to finish it.

142
00:11:54,320 --> 00:12:01,880
Now, in order to do that, basically, you know, once you type a basic command which is crunch 3 3,

143
00:12:02,240 --> 00:12:06,430
this will not write all of these passwords to any file, it will only output it

144
00:12:06,500 --> 00:12:12,770
right here. We want to use that and pipe it to the aircrack program, so the aircrack program reads from

145
00:12:12,770 --> 00:12:18,060
our output right here and uses that in order to compare the hashed password.

146
00:12:18,140 --> 00:12:21,390
Now how do we do that? We do that simply like this.

147
00:12:21,410 --> 00:12:30,540
So crunch, and let's actually try to attack my password, or my Wi-Fi.

148
00:12:30,560 --> 00:12:33,320
We know that my password is this one.

149
00:12:33,320 --> 00:12:35,730
This is the password on my wireless network.

150
00:12:36,140 --> 00:12:39,680
And let's actually do an attack on it and pipe it.

151
00:12:39,710 --> 00:12:46,130
So crunch 12 12, since that has twelve characters, I believe.

152
00:12:46,400 --> 00:12:48,310
Let me just count.

153
00:12:48,320 --> 00:12:48,490
Yeah.

154
00:12:48,590 --> 00:12:51,670
It has twelve characters. Minus t option.

155
00:12:51,760 --> 00:13:01,110
Let's say, for example, we know that the... that the first four letters, for example... yeah, let's say we only

156
00:13:01,110 --> 00:13:06,540
know the first four letters of the password, or let's say the first six letters, so it performs faster.

157
00:13:07,700 --> 00:13:16,240
So we know that this... this is a part of the password, and what we want to do after that is basically

158
00:13:16,240 --> 00:13:23,970
to specify, I believe it was this one for the lowercase characters and this one is for the numbers.

159
00:13:24,010 --> 00:13:33,700
Now this will run all... this will run all of the... all of the combinations with two characters, on the two

160
00:13:33,700 --> 00:13:35,280
characters that you just see.

161
00:13:35,820 --> 00:13:36,070
Yeah.

162
00:13:36,070 --> 00:13:39,700
Two lowercase characters and four different numbers.

163
00:13:39,700 --> 00:13:42,320
And we want to type that and pipe it.

164
00:13:42,320 --> 00:13:47,860
We could use this command right here, or not command, this character right here, which is basically

165
00:13:47,860 --> 00:13:51,090
a straight line, an upward straight line.

166
00:13:51,130 --> 00:13:53,860
And you type here the program where you want to pipe it.

167
00:13:53,860 --> 00:13:54,800
So we want to pipe it...

168
00:13:54,820 --> 00:13:57,240
Pipe it to aircrack, then dash...

169
00:13:57,250 --> 00:14:05,800
ng, minus w, and then minus, and then the name of your .cap file, and if you...

170
00:14:08,640 --> 00:14:10,360
Yeah, I want to show you this as well.

171
00:14:10,380 --> 00:14:14,450
It will say please specify an ESSID or BSSID.

172
00:14:14,490 --> 00:14:21,030
We know that the ESSID is the name of the wireless network and the BSSID is the MAC address of the wireless network.

173
00:14:21,090 --> 00:14:27,310
Now it would be easier for us to specify the ESSID, which would be just the name of your wireless network.

174
00:14:27,360 --> 00:14:28,550
In my case it is...

175
00:14:28,680 --> 00:14:35,430
It is this one. You specify it with the minus e command for the ESSID and then you just type here the name

176
00:14:36,990 --> 00:14:38,270
of your wireless network.

177
00:14:38,280 --> 00:14:41,490
Basically a simple name that you can check out on your mobile phone.

178
00:14:41,670 --> 00:14:47,830
Once you do that and you have this command right here, aircrack minus ng minus w and then minus and

179
00:14:47,850 --> 00:14:54,540
then your capture file, or any name of the file that you've written, and then minus e and

180
00:14:54,540 --> 00:15:03,330
then the name of your wireless network, and if you run this it will give us this, uh, it will start running

181
00:15:03,330 --> 00:15:08,670
and you can see it is basically trying all of the combinations right here. As we can see, it is using

182
00:15:08,670 --> 00:15:11,530
currently the first letters, which is... which is a.

183
00:15:12,030 --> 00:15:15,000
And then it is brute forcing it with different numbers.

184
00:15:15,000 --> 00:15:18,930
Now, as we can see, this will take a lot longer than I thought it would take.

185
00:15:18,930 --> 00:15:23,940
So we will just close it right here, if I can close it...

186
00:15:28,510 --> 00:15:30,980
Now I'm not really sure why it isn't closing.

187
00:15:31,120 --> 00:15:31,930
Let me just...

188
00:15:34,870 --> 00:15:41,650
Weird. Let me just close it like this, so we'll close it once again and then we will run it.

189
00:15:45,730 --> 00:15:47,060
Let me just enlarge this.

190
00:15:47,060 --> 00:15:51,430
You can see it better, and that's... run the same command.

191
00:15:51,460 --> 00:15:54,690
But right now we do not want to run it with numbers.

192
00:15:54,700 --> 00:15:56,560
Let's say we know the...

193
00:15:56,590 --> 00:16:01,270
...all of the characters that are contained in our password and we do not know the numbers that

194
00:16:01,270 --> 00:16:02,380
come after.

195
00:16:02,380 --> 00:16:06,010
So let's see how fast this will take.

196
00:16:06,010 --> 00:16:07,990
It should only brute force the numbers. About...

197
00:16:15,770 --> 00:16:17,200
I believe it should have already...

198
00:16:17,230 --> 00:16:22,010
guessed the password, but for some reason it didn't.

199
00:16:22,050 --> 00:16:27,060
It went through it... let us see.

200
00:16:27,100 --> 00:16:28,450
We can wait for it to finish.

201
00:16:28,450 --> 00:16:33,280
It will take only a few more seconds, as it is already on the number six.

202
00:16:33,280 --> 00:16:38,070
If it doesn't find it, I'm not sure why it didn't find it...

203
00:16:43,340 --> 00:16:48,630
Let's just wait for this.

204
00:16:48,720 --> 00:16:49,970
We did find the key.

205
00:16:50,850 --> 00:16:52,880
But why did it say it at the end?

206
00:16:52,890 --> 00:17:00,480
I'm not sure how it could possibly be that the key... that the number zero was at the end of the list that

207
00:17:00,480 --> 00:17:01,220
it used.

208
00:17:01,230 --> 00:17:05,140
Not really sure why, but we now see that it did find the password.

209
00:17:05,610 --> 00:17:07,920
So our attack was successful.

210
00:17:08,070 --> 00:17:13,830
We were able to pipe the output of the crunch command into the aircrack command and actually brute force

211
00:17:13,830 --> 00:17:14,100
it.

212
00:17:14,100 --> 00:17:17,220
With this we didn't need any password list.

213
00:17:17,250 --> 00:17:25,570
So for example, if you wanted to, you could use twelve character passwords, you use it just like this and

214
00:17:25,570 --> 00:17:29,480
then specify to try all of the twelve character passwords.

215
00:17:29,560 --> 00:17:37,270
But the problem is that this will take thousands and millions and billions of years to finish, especially

216
00:17:37,270 --> 00:17:38,770
with this speed right here.

217
00:17:39,280 --> 00:17:46,080
So it wouldn't really be smart for you to try to brute force twelve character passwords like this, but

218
00:17:46,170 --> 00:17:48,870
if you want to, there is an option right here.

219
00:17:48,930 --> 00:17:49,760
It won't work though.

220
00:17:49,770 --> 00:17:50,990
But it is there.

221
00:17:51,180 --> 00:17:55,670
So that will be about it for the crunch command.

222
00:17:55,770 --> 00:18:01,820
We will continue with another tool in the next lecture, where I will show you how to make a password

223
00:18:01,830 --> 00:18:07,410
list that could be specifically used for a single person that you might know.

224
00:18:08,220 --> 00:18:13,770
It doesn't have to be used only on a wireless network, it can be used to brute force any account you want from that

225
00:18:13,770 --> 00:18:15,120
person.

226
00:18:15,270 --> 00:18:19,440
And we will do that in the next lecture. I hope I see you there. Bye.

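Added example, not part of the lecture transcript and not code from the crunch or aircrack-ng projects: a small Python estimator for the numbers the lecture reads off crunch's banner (candidate count and "amount of data") and for how long exhausting a list would take at a measured rate such as the 350 passwords per second quoted above. The placeholder meanings are the ones the lecture lists (@ lowercase, `,` uppercase, % digits, ^ symbols); the symbol-set size of 32 (Python's `string.punctuation`) is an assumption standing in for crunch's own default symbol charset, and the function names are this example's own. Its practical use is defensive: judging whether a password or pattern is within reach of the attack the lecture demonstrates.

```python
import string

# Constructed charset sizes for the crunch -t placeholders named in the lecture.
# ASSUMPTION: crunch's real default symbol set is not reproduced; string.punctuation
# (32 characters) stands in for '^'.
PLACEHOLDER_SIZES = {
    "@": len(string.ascii_lowercase),  # 26 lowercase letters
    ",": len(string.ascii_uppercase),  # 26 uppercase letters
    "%": len(string.digits),           # 10 digits
    "^": len(string.punctuation),      # 32 symbols (assumption, see above)
}


def pattern_candidates(pattern: str) -> int:
    """Lines a `crunch N N -t <pattern>` run would emit.

    Literal characters are fixed (factor 1); every placeholder multiplies the
    count by its charset size. E.g. '@@word,' -> 26 * 26 * 1*1*1*1 * 26.
    """
    total = 1
    for ch in pattern:
        total *= PLACEHOLDER_SIZES.get(ch, 1)
    return total


def range_candidates(min_len: int, max_len: int, charset_size: int = 26) -> int:
    """Lines a `crunch <min> <max>` run emits over a charset of `charset_size`
    characters (crunch defaults to lowercase a-z, hence 26)."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def output_bytes(min_len: int, max_len: int, charset_size: int = 26) -> int:
    """Bytes crunch announces it 'will now generate': each word plus one newline."""
    return sum(charset_size ** n * (n + 1) for n in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates: int, rate_per_second: float) -> float:
    """Worst-case time to try every candidate at a measured cracking rate."""
    return candidates / rate_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, e.g. '5.4 hours'."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def estimate(label: str, candidates: int, rate: float) -> dict:
    """Summarise one crunch run for display or assertion."""
    return {
        "run": label,
        "candidates": candidates,
        "time": human_duration(seconds_to_exhaust(candidates, rate)),
    }


if __name__ == "__main__":
    RATE = 350.0  # passwords/second, the VM aircrack-ng rate quoted in the lecture
    runs = [
        estimate("crunch 6 6", range_candidates(6, 6), RATE),
        estimate("crunch 3 5", range_candidates(3, 5), RATE),
        estimate("crunch 5 5", range_candidates(5, 5), RATE),
        estimate("crunch 7 7 -t @@word,", pattern_candidates("@@word,"), RATE),
        estimate("crunch 12 12 -t abcdef@@%%%%", pattern_candidates("abcdef@@%%%%"), RATE),
        estimate("crunch 12 12 (all lowercase)", range_candidates(12, 12), RATE),
    ]
    for r in runs:
        print(f"{r['run']:<32} {r['candidates']:>20,} candidates  ~{r['time']}")
    print(f"crunch 6 6 output size: {output_bytes(6, 6):,} bytes")
```

Running it reproduces the lecture's figures: six lowercase characters give 26^6 = 308,915,776 lines and about 2.16 GB of output, and the "six known letters, two lowercase, four digits" pattern from the live demo is 26^2 * 10^4 = 6,760,000 candidates, a few hours at 350 per second, which is why the demo was cut short. The full twelve-character lowercase space at that rate runs into millions of years, matching the closing remark that it "won't work".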