1
00:00:01,100 --> 00:00:05,270
Now, the final aireplay attack is the ARP request replay attack.

2
00:00:05,840 --> 00:00:10,490
I tell you, this attack is the most effective way to generate new initialization vectors.

3
00:00:11,710 --> 00:00:19,060
The initialization vector is a continuously changing number used in combination with a secret key to

4
00:00:19,060 --> 00:00:19,960
encrypt data.

5
00:00:21,560 --> 00:00:27,830
So the attack listens for an ARP packet and then retransmits it back to the access point.

6
00:00:28,890 --> 00:00:36,210
So this causes the access point to repeat the packet with a new initialization vector, and by collecting

7
00:00:36,210 --> 00:00:41,930
enough of these IVs, aircrack-ng can then be used to crack the WEP key.

8
00:00:42,660 --> 00:00:49,410
The Address Resolution Protocol, or ARP, is used to convert an IP address into a physical address

9
00:00:49,410 --> 00:00:56,310
such as a MAC address, right? A host that wishes to obtain the physical address of another machine

10
00:00:56,490 --> 00:01:00,080
sends an ARP request broadcast on the network.

11
00:01:00,690 --> 00:01:06,930
The host with a matching address replies with a unicast transmission and reveals its physical hardware.

12
00:01:07,960 --> 00:01:10,580
All right, so that sounds simple enough, so let's get started.

13
00:01:12,270 --> 00:01:17,790
For this attack, your wireless card needs to be in monitor mode and you will need a fake authentication

14
00:01:18,210 --> 00:01:21,360
with the access point, as I showed you in the previous lectures.

15
00:01:22,460 --> 00:01:29,240
So I set the fake authentication time to 60 seconds and it will associate again every 60 seconds.

16
00:01:30,960 --> 00:01:31,310
All right.

17
00:01:31,400 --> 00:01:32,910
My fake access point is up.

18
00:01:34,070 --> 00:01:38,660
Now I'll open a new terminal screen and start the ARP replay attack.

19
00:01:43,270 --> 00:01:45,760
So give the ARP replay attack parameter.

20
00:01:51,710 --> 00:01:53,900
BSSID of the access point.

21
00:02:02,060 --> 00:02:06,050
And the MAC address of the associated client from fake authentication.

22
00:02:11,640 --> 00:02:12,650
And let's run it.

23
00:02:18,610 --> 00:02:22,030
So right now, it's sending ARP request packets to the access point.

24
00:02:23,490 --> 00:02:29,610
After launching the ARP request replay attack, you might have to wait a couple of minutes or even longer

25
00:02:29,610 --> 00:02:31,970
until an ARP request shows up on the network.

26
00:02:33,800 --> 00:02:36,240
Then once one is received.

27
00:02:37,490 --> 00:02:43,070
The ARP request replay attack will jump into action and start replaying the packet over and over and

28
00:02:43,070 --> 00:02:47,750
over again, forcing the access point to generate new initialization vectors.

29
00:02:49,380 --> 00:02:51,840
So, yeah, this process usually takes some time.

30
00:02:53,030 --> 00:02:55,930
So this is where the deauthentication attack comes into play.

31
00:02:57,410 --> 00:03:03,560
When a client is deauthenticated and then reconnects to the wireless network, there's a very high likelihood that

32
00:03:03,560 --> 00:03:06,210
it will send an ARP packet as it reconnects.

33
00:03:07,010 --> 00:03:11,170
So let's start the deauthentication attack to speed up the process.

34
00:03:15,050 --> 00:03:16,280
And we can wait for a bit.

35
00:03:23,950 --> 00:03:25,900
Now, stop the deauthentication attack.

36
00:03:28,050 --> 00:03:31,620
And let's try to crack the WEP key with aircrack-ng.

37
00:03:34,040 --> 00:03:39,440
So we need to provide the file captured by airodump-ng to aircrack-ng.

38
00:03:41,540 --> 00:03:46,820
And now run aircrack-ng and we will give the captured file.

39
00:03:49,890 --> 00:03:54,060
And aircrack-ng is trying to crack the key with the initialization vectors.

40
00:03:55,530 --> 00:03:58,760
Yeah, this process also takes some time, so please be patient.

41
00:04:03,900 --> 00:04:04,590
Well, look at that.

42
00:04:04,610 --> 00:04:12,680
The key has been found. Aircrack-ng found the WEP key by using 38,730 initialization vectors,

43
00:04:12,720 --> 00:04:13,710
not too shabby.