1 00:00:02,520 --> 00:00:05,210 A denial of service attack is another matter.
2 00:00:05,940 --> 00:00:10,390 What is the easiest method for blocking out a Wi-Fi network?
3 00:00:10,450 --> 00:00:13,470 It's removing a magnetron from a microwave oven.
4 00:00:14,460 --> 00:00:18,620 After dismantling a microwave you will find the device pictured above.
5 00:00:18,870 --> 00:00:20,490 It's the heart of the microwave.
6 00:00:22,690 --> 00:00:29,250 The magnetron shown in the picture is ready for sale on a Chinese website. This option works for people
7 00:00:29,250 --> 00:00:32,940 who don't want to dismantle their microwaves.
8 00:00:32,970 --> 00:00:36,120 It's enough to plug the device in and move away quickly.
9 00:00:37,540 --> 00:00:41,470 All wireless networks within hundreds of meters will be shut down.
10 00:00:41,710 --> 00:00:47,400 Easy and effective.
11 00:00:47,450 --> 00:00:51,240 What are the protection measures with regard to infrastructure attacks?
12 00:00:53,080 --> 00:00:58,730 All in all, given the outlined attack cases, we need to remember several key points:
13 00:01:02,010 --> 00:01:08,580 don't use the WEP protocol, and try not to use the first version of WPA.
14 00:01:08,670 --> 00:01:12,800 If you are using WPA or, better still, WPA2,
15 00:01:12,990 --> 00:01:18,150 this doesn't eliminate all potential threats.
16 00:01:18,190 --> 00:01:25,410 If you don't have a RADIUS server, ensuring that your pre-shared key cannot be cracked is vital. The key
17 00:01:25,410 --> 00:01:27,190 shouldn't be found in any dictionary.
18 00:01:27,210 --> 00:01:33,600 That would make you a prime target for known types of cracking.
19 00:01:33,680 --> 00:01:37,940 The key also has to be relatively long.
20 00:01:38,070 --> 00:01:44,540 The longer it is, the longer it would take an attacker to brute-force it. Attacks can be automated using
21 00:01:44,540 --> 00:01:51,770 professional tools like Wireless Security Auditor, developed by ElcomSoft, a Russian company that specializes
22 00:01:51,770 --> 00:01:56,630 in cracking tools of all sorts.
23 00:01:56,650 --> 00:01:59,450 We've already talked about PMK attacks.
24 00:01:59,710 --> 00:02:06,840 We'll see an example of this attack soon.
25 00:02:07,030 --> 00:02:13,450 Summing up these two modules, I can risk saying that efficient Wi-Fi protection is relatively easy to
26 00:02:13,450 --> 00:02:14,110 implement:
27 00:02:18,330 --> 00:02:23,700 a good solution is authenticating users according to the 802.1X standard,
28 00:02:23,930 --> 00:02:30,570 for example with a RADIUS server, and protecting transmitted data using the 802.11i standard,
29 00:02:30,680 --> 00:02:32,440 for example WPA2.
30 00:02:38,950 --> 00:02:42,420 Let's see what could happen if we don't implement these recommendations.
31 00:02:44,120 --> 00:02:50,160 Our access points use the old WEP protocol or the first version of WPA.
32 00:02:50,210 --> 00:02:59,760 Moreover, they operate in the pre-shared key (PSK) mode and don't use RADIUS server authentication.
33 00:02:59,760 --> 00:03:04,720 This means that we're ripe for simple computer network attacks.
34 00:03:04,880 --> 00:03:09,650 The programs that facilitate these attacks have been a basic component of the BackTrack distribution
35 00:03:09,650 --> 00:03:11,230 for many releases now.
36 00:03:14,210 --> 00:03:21,290 The usage of these tools has recently become even easier. Previously you had to type in about four commands
37 00:03:21,290 --> 00:03:25,810 in the command line terminal.
38 00:03:25,880 --> 00:03:30,740 If your operation required turning the interface off and starting it in the listening mode,
39 00:03:30,740 --> 00:03:36,970 this took six instructions in total.
40 00:03:37,140 --> 00:03:45,180 Now breaking into a badly configured WLAN is as easy as launching Fern WiFi Cracker.
41 00:03:45,330 --> 00:03:49,800 The tool is planned to be a component of the newest BackTrack.
42 00:03:49,810 --> 00:03:53,970 This is a small application with an intuitive interface.
43 00:03:54,010 --> 00:03:58,040 There's even an update button for checking the current version.
44 00:03:58,090 --> 00:04:03,160 It'll help us break into a weakly protected wireless network.
45 00:04:03,180 --> 00:04:05,620 I'd like to show you how this is done.
46 00:04:05,730 --> 00:04:08,880 The program is probably already available for Windows systems.
47 00:04:11,480 --> 00:04:17,230 We'll use its Linux version though, because Wi-Fi card drivers that run on Windows don't allow active data
48 00:04:17,230 --> 00:04:21,550 exchange with networks you're not yet connected to.
49 00:04:21,710 --> 00:04:26,420 The basic scenario of some of the attacks is forcing a client to disconnect.
50 00:04:26,610 --> 00:04:29,130 We'll talk about it more during the demonstration.
51 00:04:31,330 --> 00:04:37,940 We'll start with switching to BackTrack. Here's Fern WiFi Cracker installed, configured and running.
52 00:04:39,500 --> 00:04:47,070 This tool uses the aircrack-ng and airodump-ng suite of tools.
53 00:04:47,300 --> 00:04:51,360 Other than these two dependencies, we'll also need to run Python scripts.
54 00:04:53,700 --> 00:05:03,270 To launch an attack we need to select an interface. The network card interface here is called wlan1.
55 00:05:03,420 --> 00:05:08,370 After selecting the interface you can select channels that are to be scanned by double clicking anywhere
56 00:05:08,370 --> 00:05:11,650 in the main window.
57 00:05:11,740 --> 00:05:14,400 The tool is set to scan all channels by default.
58 00:05:15,870 --> 00:05:19,550 We'll want to scan for the access points with active connections instead.
59 00:05:22,600 --> 00:05:27,670 After clicking on Toolbox settings you can enable the feature that locates the output as geographical
60 00:05:27,670 --> 00:05:29,590 coordinates.
61 00:05:29,600 --> 00:05:32,070 You can also set the Wi-Fi attack options there.
62 00:05:34,430 --> 00:05:40,400 If MAC addresses are filtered, you can type here the MAC address that had been seen earlier,
63 00:05:40,610 --> 00:05:45,210 or emit any MAC address if you don't want your real address to be saved in the access point
64 00:05:45,210 --> 00:05:49,300 administrator's logs.
65 00:05:49,500 --> 00:05:50,800 Let's start the scan.
66 00:05:51,930 --> 00:05:58,530 Note that two monitors appeared. Fern WiFi Cracker scans for networks protected with WEP in the first
67 00:05:58,530 --> 00:06:00,910 window, while in the second
68 00:06:00,910 --> 00:06:06,130 the search applies to WLANs protected with WPA.
69 00:06:06,160 --> 00:06:07,620 Let's start with the WEP scan.
70 00:06:08,650 --> 00:06:13,200 You can see here the BSSID of an access point.
71 00:06:13,250 --> 00:06:18,220 This is simply the physical MAC address of the AP.
72 00:06:18,280 --> 00:06:23,380 We need it for checking whether there are any active connections to an access point.
73 00:06:23,480 --> 00:06:30,400 The tool has detected one WEP-protected network, which means that, looking at a MAC address, we know that
74 00:06:30,400 --> 00:06:33,360 it's connected to the phone network.
75 00:06:33,410 --> 00:06:37,050 There are no other networks around.
76 00:06:37,180 --> 00:06:42,820 We've managed to detect a weakly protected network that is actively used at the moment. At the bottom
77 00:06:42,820 --> 00:06:48,490 of the window you can see the number of the Ethernet frames sent and received by a client.
78 00:06:48,710 --> 00:06:50,990 We'll now need to choose, from the main window,
79 00:06:51,020 --> 00:06:54,880 the option you can see below.
80 00:06:55,110 --> 00:07:00,360 We need to select an identifier of the targeted network. In our case
81 00:07:00,390 --> 00:07:03,380 this is "default".
82 00:07:03,600 --> 00:07:08,120 You can select one of the three listed attacks on WEP networks that can be seen below.
83 00:07:09,870 --> 00:07:16,250 You can also use the default options and click on Attack.
84 00:07:16,500 --> 00:07:22,800 Since we've selected ARP request replay as the attack, we have an opportunity to see the communications
85 00:07:22,800 --> 00:07:25,100 between our computer and an access point.
86 00:07:26,500 --> 00:07:33,060 The point is obtaining a sufficient number of initialization vectors.
87 00:07:33,150 --> 00:07:39,820 If we manage to do this, we'll try cracking the key. Data encrypted with the same RC4 protocol
88 00:07:39,860 --> 00:07:41,490 always looks the same.
89 00:07:49,650 --> 00:07:50,430 As you can see,
90 00:07:50,430 --> 00:07:55,920 we found out that an attack that consists of forcing an access point to generate initialization packets
91 00:07:56,340 --> 00:08:04,040 by responding to our ARP requests has managed to gather an appropriate number of packets to be able
92 00:08:04,040 --> 00:08:04,980 to crack the key.
93 00:08:05,010 --> 00:08:12,610 We needed 29,362 packets in total. After gathering and saving the packets to a pcap,
94 00:08:12,750 --> 00:08:14,070 both monitors close.
95 00:08:17,340 --> 00:08:23,700 At the bottom of the above window you can see the hexadecimal value of the key. This key will enable
96 00:08:23,700 --> 00:08:31,670 us to connect to an access point, to a weakly protected WEP-encrypted wireless LAN.
97 00:08:31,700 --> 00:08:38,390 The whole attack took less than two minutes. While configuring a well-protected access point,
98 00:08:38,390 --> 00:08:45,360 you can submit a password in two formats, either in hexadecimal notation or as an ASCII string.
99 00:08:46,510 --> 00:08:50,730 The attack we've run produced output in the first format.
100 00:08:50,790 --> 00:08:54,530 If you don't want to use this format, you can convert it to ASCII code.
101 00:08:58,720 --> 00:09:01,680 We've connected to an online converter.
102 00:09:01,930 --> 00:09:07,140 It's a converter we've been redirected to by a search engine.
103 00:09:07,230 --> 00:09:10,980 After typing in the key cracked by Fern WiFi Cracker,
104 00:09:11,080 --> 00:09:14,730 it turns out that the password of the protected network is "Hakam".