1
00:00:00,120 --> 00:00:05,240
Hello everybody and welcome back to the wireless penetration testing session.

2
00:00:05,370 --> 00:00:12,360
Now in the previous videos I showed you how you can brute force the handshake with the hashcat

3
00:00:12,540 --> 00:00:19,020
tool and with the aircrack tool. We used both CPU and GPU in that process, and we also saw how

4
00:00:19,020 --> 00:00:28,410
we can create some of our own wordlists in order to make our attack more likely to work.

5
00:00:28,600 --> 00:00:35,710
Now the next thing that I want to show you is also a very important thing, which is how you can actually

6
00:00:35,740 --> 00:00:40,430
make your cracking process even faster than we did before.

7
00:00:40,480 --> 00:00:48,100
Now you remember that we actually had only around 350 passwords per second on our Kali machine with

8
00:00:48,100 --> 00:00:56,500
our CPU, and on my laptop we had around 4000 passwords per second with the CPU.

9
00:00:56,800 --> 00:01:00,120
Now the GPU was around 100 thousand passwords per second.

10
00:01:00,160 --> 00:01:05,230
But we can even make it faster if we wanted to, like a lot faster.

11
00:01:05,710 --> 00:01:09,790
So open up your terminal.

12
00:01:09,830 --> 00:01:14,990
I am currently on Kali, but I will switch to my laptop when I need to show you something.

13
00:01:15,220 --> 00:01:21,920
But right now what I want to do is actually find our handshake that we captured. It is in the handshake

14
00:01:21,920 --> 00:01:24,510
folder, as we can see it is right here,

15
00:01:24,520 --> 00:01:31,880
the -01.cap file, and we also have a password .txt file. Let me just see which password list

16
00:01:31,880 --> 00:01:35,950
that is. It is a password list that we created with crunch.

17
00:01:35,960 --> 00:01:36,780
OK.

18
00:01:36,920 --> 00:01:43,640
Now what I want to show you is basically how you can make a rainbow table out of your password list.
19
00:01:43,640 --> 00:01:50,900
Now what is a rainbow table? Basically, rainbow tables are huge sets of precomputed tables filled

20
00:01:50,900 --> 00:01:55,780
with hashed values that are pre-matched to possible plaintext passwords.

21
00:01:55,820 --> 00:02:00,520
Now it allows us to crack the passwords even faster.

22
00:02:00,680 --> 00:02:07,340
Basically it allows hackers to reverse the hashing function and to determine what the plaintext password

23
00:02:07,340 --> 00:02:08,330
might be.

24
00:02:08,330 --> 00:02:13,640
So let me show you how we can actually create a rainbow table.

25
00:02:13,640 --> 00:02:18,480
It can take some time, so I will find on GitHub

26
00:02:18,530 --> 00:02:23,060
a password list that isn't larger than 100000 passwords,

27
00:02:23,060 --> 00:02:25,990
so this doesn't take long to create.

28
00:02:26,030 --> 00:02:36,360
Let me just open up my Firefox and I will basically just search "github password lists", and let's

29
00:02:36,360 --> 00:02:37,700
see how many.

30
00:02:37,850 --> 00:02:40,790
And let's see what we can actually find on GitHub.

31
00:02:41,250 --> 00:02:44,710
Maybe we can find a good password list that we can use for this.

32
00:02:44,760 --> 00:02:46,320
You can use any password list if you want.

33
00:02:46,380 --> 00:02:54,480
If you want to, for example, you can use the rockyou password list.

34
00:02:54,600 --> 00:02:58,980
Basically it can be any password list you want, but it depends.

35
00:02:58,980 --> 00:03:03,720
The larger the password list, the more time it will take to create a rainbow table.

36
00:03:03,720 --> 00:03:18,030
So let me just find right here "pass list", let's go with the one hundred thousand.

37
00:03:18,220 --> 00:03:25,250
Let's wait for this to open up, then we will git clone this site.

38
00:03:26,250 --> 00:03:28,130
It has 100000 passwords.
39
00:03:28,140 --> 00:03:37,100
So let us just copy this clone link, then go to our terminal in our handshake folder and type git

40
00:03:37,100 --> 00:03:41,490
clone and paste the link.

41
00:03:41,490 --> 00:03:43,970
So now we are downloading this.

42
00:03:44,070 --> 00:03:47,490
It says fatal: repository not found.

43
00:03:48,120 --> 00:03:56,800
Well that's unfortunate, but there is another thing that we can do: we can go to the raw section right

44
00:03:56,800 --> 00:04:02,770
here and it should load up the page with basically all the passwords, and we will just select all of

45
00:04:02,770 --> 00:04:08,510
them, just my Firefox is currently a little bit slow.

46
00:04:08,520 --> 00:04:11,550
We could have used a smaller password list if we wanted to.

47
00:04:12,210 --> 00:04:13,200
And basically we will,

48
00:04:13,200 --> 00:04:20,340
if this doesn't want to copy itself. But there really isn't any point in making a rainbow table out of

49
00:04:20,340 --> 00:04:24,750
a password list that isn't at least 1 million passwords large.

50
00:04:24,750 --> 00:04:33,000
Now I am using one hundred thousand passwords so this doesn't take too long. Let me see what is happening

51
00:04:33,000 --> 00:04:35,030
with this at the moment.

52
00:04:37,450 --> 00:04:38,590
It is loading something.

53
00:04:38,590 --> 00:04:41,270
Not really sure what it is loading.

54
00:04:41,300 --> 00:04:41,840
You know what.

55
00:04:41,840 --> 00:04:43,500
It basically...

56
00:04:43,590 --> 00:04:44,740
Oh okay.

57
00:04:44,770 --> 00:04:45,190
Finished.

58
00:04:45,200 --> 00:04:50,450
So let us copy all of the passwords right here.

59
00:04:52,000 --> 00:05:02,050
And let me nano pass.txt, and I will basically paste all the passwords that I just copied.

60
00:05:02,090 --> 00:05:09,080
Now since this is a virtual machine this will probably lag out a little bit, but as soon as it finishes

61
00:05:09,080 --> 00:05:12,140
we will be able to continue working with it.
62
00:05:14,880 --> 00:05:16,980
Well never mind that, it lagged out.

63
00:05:16,980 --> 00:05:20,060
I will just use a password list that I already have right here.

64
00:05:21,210 --> 00:05:25,830
So let me just create a new one with crunch that has at least eight

65
00:05:28,470 --> 00:05:37,800
characters and paste it into the pass.txt file, for example.

66
00:05:37,890 --> 00:05:44,130
Now since this is one terabyte large I will not really paste the entire password list.

67
00:05:44,130 --> 00:05:46,920
I will basically Ctrl+C soon enough.

68
00:05:46,950 --> 00:05:55,430
So let me just Ctrl+C right now, and basically in the pass.txt file we should have some passwords

69
00:05:55,440 --> 00:05:56,340
at least.

70
00:05:56,370 --> 00:05:58,850
I believe there are around a million passwords right here.

71
00:05:59,040 --> 00:06:00,410
Which is more than enough.

72
00:06:00,600 --> 00:06:04,970
I will show you how you can create the rainbow table now with that password list.

73
00:06:04,980 --> 00:06:11,130
So let me just delete the ones we don't need, so pass.txt we save.

74
00:06:11,190 --> 00:06:17,670
And we do need passwords.txt, and let us actually rename the .txt file into

75
00:06:17,670 --> 00:06:21,690
passwords.txt so you don't actually get confused right here.

76
00:06:22,290 --> 00:06:29,370
So these are the only two things we need: a password list and the .cap file that we captured the handshake

77
00:06:29,370 --> 00:06:29,940
with.

78
00:06:29,940 --> 00:06:34,320
So the tool that we will use is called airolib.

79
00:06:35,970 --> 00:06:40,770
Let's just type airolib-ng --help in order to see our available options.

80
00:06:40,770 --> 00:06:43,490
Now as we can see right here there are a few options.

81
00:06:43,510 --> 00:06:43,860
Now

82
00:06:43,860 --> 00:06:49,050
one is the SQL, then the clean, the batch, verify; we will use most of them.
83
00:06:49,050 --> 00:06:55,890
So since we need to import the password list, we also need to import the ESSID, which is just

84
00:06:55,890 --> 00:06:58,180
the name of our access point.

85
00:06:58,180 --> 00:07:06,270
Now in order to import the ESSID you basically need to create a simple text file, so you just name it

86
00:07:06,280 --> 00:07:12,810
nano essid.txt, and what you need to do right now is basically just search for your

87
00:07:12,810 --> 00:07:18,950
wireless access point and see what the name of it is. So for my access point

88
00:07:18,960 --> 00:07:21,750
it is basically this one.

89
00:07:21,750 --> 00:07:29,240
So I'll just paste the name of my wireless access point in this file, now Ctrl+O, Enter, and then

90
00:07:29,250 --> 00:07:35,700
Ctrl+C, or pardon me Ctrl+X to exit, and you can see that in this folder, in this file, I only have

91
00:07:35,700 --> 00:07:37,680
the name of my wireless access point.

92
00:07:37,890 --> 00:07:46,440
Now that you made this we can start using the airolib-ng tool. So the first thing we need to do

93
00:07:46,440 --> 00:07:53,190
right here is basically create the rainbow table itself and import the ESSID in it.

94
00:07:53,190 --> 00:07:59,390
Now how do we do that? We do that with airolib-ng.

95
00:07:59,410 --> 00:08:03,770
Now after that you specify the name of your rainbow table, you can name it anything you want.

96
00:08:03,770 --> 00:08:14,540
I will just name it rainbowtable, or let's just do all small letters, and then you want to type

97
00:08:14,570 --> 00:08:21,860
--import and then import essid, and basically after this you need to specify the name of our file

98
00:08:22,010 --> 00:08:28,340
which contains only the ESSID. So just type --import essid and then the name of the file, which is

99
00:08:28,430 --> 00:08:29,860
essid.txt.
100
00:08:30,440 --> 00:08:35,300
Now once you do that you can hit Enter, and you can see it will finish relatively fast since we

101
00:08:35,300 --> 00:08:37,160
only imported one word.

102
00:08:37,160 --> 00:08:41,370
The next thing that you want to do is import the password list.

103
00:08:41,390 --> 00:08:47,720
Now we import the password list with a similar command, so type airolib-ng and then you

104
00:08:47,720 --> 00:08:54,120
specify the name of your rainbow table, or whatever you named it, then you specify

105
00:08:54,140 --> 00:09:02,090
--import passwd, and after the passwd you need to specify the password list that you are using,

106
00:09:02,450 --> 00:09:11,100
in my case that is pass.txt, so once you do that just hit Enter and it will read

107
00:09:11,160 --> 00:09:15,660
all of the passwords from the file and it will import them into the rainbow table.

108
00:09:15,660 --> 00:09:19,820
Now we can see right here how many passwords there are in my file.

109
00:09:19,890 --> 00:09:21,540
So over a million already.

110
00:09:22,170 --> 00:09:23,810
Hopefully it will stop soon.

111
00:09:27,310 --> 00:09:28,590
I should have Ctrl+C'd

112
00:09:28,620 --> 00:09:30,970
it a little bit earlier.

113
00:09:31,020 --> 00:09:34,200
So we do not have this many passwords, but it doesn't matter.

114
00:09:34,200 --> 00:09:36,900
This shouldn't take too long to load.

115
00:09:36,900 --> 00:09:43,710
The process that will take too long if you use a huge password list will be the next command, which will

116
00:09:43,720 --> 00:09:47,790
be --batch, since it will import,

117
00:09:47,790 --> 00:09:52,950
and it will hash all of the pre-shared keys, or all of the passwords, from plaintext to hashed versions

118
00:09:53,250 --> 00:09:56,640
so it can compare them faster once you run the attack.
119
00:09:56,640 --> 00:10:01,730
Now here we can see that we are reading over five million passwords, but

120
00:10:01,860 --> 00:10:08,700
those are just passwords in plaintext, and it will compute those passwords into hashed versions

121
00:10:08,700 --> 00:10:14,520
of those passwords, so let's see how long this will take.

122
00:10:14,520 --> 00:10:20,560
This is already over 7 million now.

123
00:10:20,570 --> 00:10:26,630
The entire process will also go a lot faster if you have a stronger virtual

124
00:10:26,630 --> 00:10:35,970
machine, or basically if you are running this on your main PC. Now I remember on my laptop I did the

125
00:10:35,970 --> 00:10:41,070
same thing a few minutes ago with the rainbow table and with the rockyou.txt password list, which is around

126
00:10:41,070 --> 00:10:42,000
14 million.

127
00:10:42,030 --> 00:10:48,810
And this process right here of importing the password list took a lot shorter time to process

128
00:10:48,840 --> 00:10:56,160
the lines that it reads than these 10 million passwords right here, but I will just wait for this to

129
00:10:56,160 --> 00:11:04,120
finish and I will get back to you as soon as it does.

130
00:11:04,290 --> 00:11:05,710
Well this took a lot longer.

131
00:11:05,800 --> 00:11:10,410
I basically Ctrl+C'd this since it went over 20 million passwords.

132
00:11:10,410 --> 00:11:15,900
There is no need to wait for that, and you can see right now, if your importing of the password list is

133
00:11:15,900 --> 00:11:21,450
finished, that you will have a file called rainbowtable, if you named it like that.

134
00:11:21,540 --> 00:11:27,150
Now what you can do with it is basically check out the stats, which is an option in airolib.

135
00:11:27,150 --> 00:11:28,470
So just type here
136
00:11:28,650 --> 00:11:30,840
rainbowtable --stats

137
00:11:36,740 --> 00:11:43,130
and after it finishes here we can see that there is one ESSID, which

138
00:11:43,130 --> 00:11:48,650
we specified with this command right here once we imported the name of our wireless access point, and

139
00:11:48,830 --> 00:11:57,300
there are also 20 million passwords in the database. Now zero out of 20 million possible combinations

140
00:11:57,300 --> 00:11:58,800
have been computed.

141
00:11:58,800 --> 00:12:05,420
So what we want to do right now is run the command called

142
00:12:05,430 --> 00:12:07,520
--batch.

143
00:12:07,650 --> 00:12:13,890
Now that command will compute these passwords and there will no longer be zero out of 20 million possible

144
00:12:13,890 --> 00:12:15,840
combinations computed.

145
00:12:15,840 --> 00:12:17,070
So how do we do that?

146
00:12:17,070 --> 00:12:22,670
Well we run airolib-ng and then --batch.

147
00:12:22,740 --> 00:12:28,890
So once you do that, basically let me just add the name of the rainbow table, or it won't work.

148
00:12:28,890 --> 00:12:35,940
So name your rainbow table, then --batch, and when you run this, this process will

149
00:12:35,940 --> 00:12:42,780
take the longest out of all of the previous processes since it basically has to compute all the passwords

150
00:12:42,840 --> 00:12:44,790
in this rainbow table.

151
00:12:44,790 --> 00:12:50,900
Now I will not wait for it to compute the 20 million passwords since that will take around a week's time.

152
00:12:50,990 --> 00:12:51,240
So

153
00:12:51,240 --> 00:12:57,440
basically let it compute a few passwords, or basically the first ten or twenty thousand or something like that.
154
00:12:57,600 --> 00:13:04,860
And then after that I will Ctrl+C this program and we will run the attack with our aircrack program.

155
00:13:06,140 --> 00:13:11,600
If you use the smaller password list you can wait for it to finish computing it.

156
00:13:11,690 --> 00:13:20,860
Basically the speed of the computing process is dependent on your hardware, so as you can

157
00:13:20,860 --> 00:13:28,810
see right here it computes around 10000 passwords in 45 seconds, whereas on my laptop it computes around,

158
00:13:28,930 --> 00:13:32,240
I believe, a hundred thousand passwords in 45 seconds.

159
00:13:32,240 --> 00:13:39,100
But once again this is our virtual machine, so that is why it is so slow.

160
00:13:40,400 --> 00:13:48,150
If you use a smaller password list it shouldn't take that much to finish, but after this, once it

161
00:13:48,420 --> 00:13:55,200
computes around 20000 passwords, you will see how much faster the aircrack program will run compared

162
00:13:55,260 --> 00:14:04,070
to the previous attack that we did, where it was only able to guess around 350 keys per second, whereas

163
00:14:04,080 --> 00:14:08,580
right now I believe that number will grow over two or three thousand.

164
00:14:08,880 --> 00:14:09,950
Now we will see.

165
00:14:10,470 --> 00:14:11,190
Let me just.

166
00:14:11,190 --> 00:14:13,020
It might even be larger than that.

167
00:14:13,050 --> 00:14:14,600
So let's just Ctrl+C

168
00:14:14,610 --> 00:14:17,250
this program once it hits 25000.

169
00:14:17,470 --> 00:14:19,970
So Ctrl+C here right now.

170
00:14:20,010 --> 00:14:26,630
That is just... not really sure why I'm not able to Ctrl+C this.

171
00:14:28,930 --> 00:14:29,280
OK.

172
00:14:29,280 --> 00:14:30,390
Here it is.
173
00:14:30,450 --> 00:14:38,310
We closed it, and now if we run the stats right here it will say that 25000 out of 20 million possible

174
00:14:38,310 --> 00:14:46,960
combinations have been computed, which is around 0.12 percent. So let me

175
00:14:46,960 --> 00:14:54,190
just show you what you can also do with this tool, which is

176
00:14:54,190 --> 00:14:54,850
airolib-ng.

177
00:14:54,940 --> 00:14:59,800
You can basically make, with airolib,

178
00:14:59,890 --> 00:15:05,220
you can basically make SQL queries to the database, or to your rainbow table, with the

179
00:15:05,280 --> 00:15:09,150
--sql option, and then you specify the SQL query you want to use.

180
00:15:09,280 --> 00:15:13,690
Now we covered SQL basics, so you should know what, for example, this means.

181
00:15:13,720 --> 00:15:16,930
So select star from essid.

182
00:15:17,430 --> 00:15:23,500
Basically it will select the ESSID that we imported into our rainbow table.

183
00:15:23,500 --> 00:15:31,560
You can also select all from the passwords table, but I believe that this will take a lot longer since there are

184
00:15:31,560 --> 00:15:33,710
a lot of passwords in our password list.

185
00:15:33,810 --> 00:15:38,420
Now I will Ctrl+C this if it... good.

186
00:15:38,430 --> 00:15:38,760
OK.

187
00:15:38,760 --> 00:15:39,700
There it is.

188
00:15:39,720 --> 00:15:42,950
You can also select all pre-shared keys.

189
00:15:42,960 --> 00:15:43,630
All right.

190
00:15:43,640 --> 00:15:47,690
Or basically your encrypted versions of the password, with this command.

191
00:15:47,700 --> 00:15:53,280
So right now you can see that there are a bunch of random characters being printed out right here.

192
00:15:53,280 --> 00:16:00,480
Those are basically your precomputed passwords that it hashed in the process where we ran

193
00:16:00,480 --> 00:16:04,370
--batch. Now after we do that,
194
00:16:04,370 --> 00:16:13,640
we only want to run one more command before we start the attack, which is airolib-ng, then

195
00:16:13,670 --> 00:16:18,330
the name of our rainbow table, and then --clean all.

196
00:16:18,770 --> 00:16:25,790
Now this will clean all of the unnecessary things in our rainbow table and possibly make it work even

197
00:16:25,790 --> 00:16:26,360
faster.

198
00:16:29,120 --> 00:16:31,880
So I'm not really sure how long this could take.

199
00:16:31,880 --> 00:16:34,400
Shouldn't take too long, but we will see.