1 00:00:01,340 --> 00:00:07,200 So now it's time to crack the WEP key for clientless networks, because I know what you were thinking.
2 00:00:07,520 --> 00:00:09,170 OK, fine, this works.
3 00:00:09,170 --> 00:00:11,480 But what about clientless networks?
4 00:00:11,660 --> 00:00:18,560 Well, aircrack-ng has two attacks, the chop-chop and the fragmentation attack.
5 00:00:19,040 --> 00:00:24,290 And these can be used to crack the WEP key of a wireless network with no associated clients.
6 00:00:25,380 --> 00:00:33,270 Now, both of these attacks are used to obtain a PRGA file from the wireless network, so PRGA
7 00:00:33,270 --> 00:00:39,810 is the pseudo-random generation algorithm that's used to generate the key stream that's used in WEP.
8 00:00:40,850 --> 00:00:46,660 It's not the WEP key, right, so it cannot be used to decrypt packets.
9 00:00:47,090 --> 00:00:53,210 It can, however, be used to create new packets that can later be used for injection.
10 00:00:54,080 --> 00:00:56,020 There's a method to our madness.
11 00:00:57,080 --> 00:01:04,310 So the first technique we're going to use to obtain the file is the fragmentation attack.
12 00:01:06,050 --> 00:01:13,550 The fragmentation attack requires at least one data packet to be received from the AP in order to initiate
13 00:01:13,550 --> 00:01:14,300 the attack.
14 00:01:15,490 --> 00:01:21,730 But before getting started with this attack, I want to make sure that there are these known assumptions
15 00:01:21,730 --> 00:01:22,930 in your minds.
16 00:01:25,160 --> 00:01:31,640 First off, maybe obvious, that you're close enough to the AP to send and receive packets.
17 00:01:32,660 --> 00:01:37,880 But just because you're close enough to receive packets doesn't necessarily mean you'll be able to transmit
18 00:01:37,880 --> 00:01:39,500 packets to the access point.
19 00:01:40,180 --> 00:01:43,200 You can work that out on your own with practice.
20 00:01:44,390 --> 00:01:51,290 Now, there are some data packets coming from the AP, so a quick way to check for data packets is to
21 00:01:51,560 --> 00:01:56,180 run airodump-ng and then see if the data field is increasing.
22 00:01:57,470 --> 00:02:01,820 And of course, the AP needs to be using WEP open authentication.
23 00:02:04,300 --> 00:02:05,380 Great, so let's start.
24 00:02:06,720 --> 00:02:11,730 And as usual, our wireless card first needs to be placed in monitor mode on the channel number of
25 00:02:11,730 --> 00:02:18,540 the access point, and a fake access point with WEP and open authentication needs to be running.
26 00:02:20,920 --> 00:02:29,220 Now we need to start an airodump-ng session, and we're filtering on the access point channel and
27 00:02:29,230 --> 00:02:33,310 BSSID so that we can save the capture to a file.
28 00:02:35,360 --> 00:02:41,270 Now, notice in the dump output, there are no clients associated with the access point.
29 00:02:43,140 --> 00:02:48,540 So in order to be able to communicate with the access point, we need to conduct a fake authentication
30 00:02:48,540 --> 00:02:49,480 attack against it.
31 00:02:55,570 --> 00:03:03,220 And we will run the fake authentication with a reassociation timing of 6000, so it does not time
32 00:03:03,220 --> 00:03:04,730 out. You with me?
33 00:03:06,160 --> 00:03:06,460 Cool.
34 00:03:06,520 --> 00:03:09,340 So now aireplay will keep the session alive.
35 00:03:09,340 --> 00:03:14,320 So we don't need to worry about relaunching the attack every time the fake association times out.
36 00:03:16,870 --> 00:03:23,260 So the fragmentation attack requires at least one data packet to be received from the AP in order to
37 00:03:23,260 --> 00:03:31,210 initiate the attack, and we have one data packet now, so let's open up a new terminal window.
38 00:03:32,120 --> 00:03:38,150 And we will launch the fragmentation attack against our AP using the basic syntax.
39 00:03:39,220 --> 00:03:46,480 I'll give both the BSSID of the access point with the -b parameter and the MAC address of the WLAN adapter
40 00:03:46,480 --> 00:03:47,710 with the -h parameter.
41 00:03:51,780 --> 00:03:55,350 OK, so aireplay-ng is starting to send packets.
42 00:03:57,210 --> 00:04:03,240 So the attack sends out a large number of packets, all of which must be received by the AP in order
43 00:04:03,240 --> 00:04:04,470 for it to be successful.
44 00:04:04,570 --> 00:04:11,430 OK, so therefore you have to have a good quality connection, like I was saying before, and be reasonably
45 00:04:11,430 --> 00:04:12,510 close to the AP.
46 00:04:14,120 --> 00:04:19,760 All right, so once we launch the attack, aireplay starts listening for a packet to use, and then when
47 00:04:19,760 --> 00:04:23,270 a candidate's found, we are prompted to use it for the attack.
48 00:04:24,740 --> 00:04:30,470 OK, so now a candidate packet is found, just hit Y, and wait for it.
49 00:04:39,860 --> 00:04:46,340 OK, so sometimes this happens, unfortunately, the fragmentation attack did not work, and naturally,
50 00:04:46,340 --> 00:04:48,830 there are several reasons why this could be.
51 00:04:50,040 --> 00:04:56,830 The attack may fail against access points that do not properly handle fragmented packets, but do not give
52 00:04:56,830 --> 00:05:01,880 up, because there is an alternative way to crack clientless WEP networks.
53 00:05:02,650 --> 00:05:07,690 That's where the chop-chop attack may work, where the fragmentation attack may not.