1
00:00:00,630 --> 00:00:06,360
So in the previous lecture we've seen if we run reaver against this particular network the network

2
00:00:06,360 --> 00:00:13,710
will get locked and we won't be able to brute force the WPS PIN because the network will just refuse

3
00:00:13,710 --> 00:00:14,990
any requests.

4
00:00:15,390 --> 00:00:23,430
So we said one of the ways to try and reset or get the network to get unlocked is to just run the deauthentication

5
00:00:23,430 --> 00:00:29,700
attack like we did before and hope that one of the users will just go in and physically turn off the

6
00:00:29,700 --> 00:00:31,890
router and then turn it back on.

7
00:00:32,220 --> 00:00:36,480
And we said this is not a great way because we actually were relying on a person to go and turn off

8
00:00:36,480 --> 00:00:43,140
the router, but it has a high chance of success because what would you do when you lose internet connection?

9
00:00:43,140 --> 00:00:48,840
Most people will just go and turn off their router and turn it back on.

10
00:00:48,840 --> 00:00:55,320
So in this lecture we're going to use a tool called mdk3 and we're going to use it to run a DoS attack,

11
00:00:55,680 --> 00:01:02,490
a denial of service attack basically, on the target network and in some routers this attack will just

12
00:01:02,490 --> 00:01:03,580
flood the router.

13
00:01:03,660 --> 00:01:09,600
And then it will cause the router to reset automatically and then when it resets it will get unlocked

14
00:01:09,630 --> 00:01:10,350
as well.

15
00:01:10,350 --> 00:01:15,450
So we'll be able to run reaver and start guessing the WPS PIN again.
16
00:01:15,450 --> 00:01:21,870
And since reaver supports pause and resume this attack can work really well, so even if you're at 60 percent

17
00:01:22,110 --> 00:01:27,690
and then the router locks you can just Ctrl+C reaver, run the attack, get the router to be unlocked

18
00:01:27,900 --> 00:01:31,350
and then run reaver again and it'll start from 60 percent.

19
00:01:31,350 --> 00:01:33,260
It's not going to start from zero.

20
00:01:33,900 --> 00:01:36,200
So I'm just going to split the screen here.

21
00:01:40,050 --> 00:01:43,060
And I'm just going to run the tool that we're going to be using.

22
00:01:43,060 --> 00:01:50,420
It's called mdk3 and I'm going to type in --help just to see the options that this tool gives us.

23
00:01:52,560 --> 00:01:59,100
And we can see that this actually lets us run a number of attacks, and the test modes are listed in here.

24
00:01:59,340 --> 00:02:02,800
So the way the tool works is you specify the name of the tool.

25
00:02:03,000 --> 00:02:09,420
You follow it up with your interface in monitor mode and then you follow it with the test mode, which

26
00:02:09,420 --> 00:02:11,130
are listed in here.

27
00:02:11,130 --> 00:02:17,460
And then you give it the options for each of these test modes. For this lecture we're going to be using

28
00:02:17,760 --> 00:02:22,290
the a option which is the authentication DoS mode.

29
00:02:23,310 --> 00:02:29,460
So to see all the options and get more information about this attack we're going to do mdk3

30
00:02:29,460 --> 00:02:33,780
--help and then put the test mode which is a.

31
00:02:33,870 --> 00:02:44,150
So I'm just going to do mdk3 --help and I'm going to put a and this will give us more information

32
00:02:44,150 --> 00:02:50,240
about the attack that we want to do. So it's going to be an authentication DoS mode that's going to

33
00:02:50,240 --> 00:02:53,360
send authentication frames to the AP.
34
00:02:53,360 --> 00:03:00,380
So basically what it's going to do is we're going to specify a MAC address for our target and mdk3

35
00:03:00,560 --> 00:03:06,890
will create fake MAC addresses and get all of these MAC addresses to pretend as if they're computers or

36
00:03:06,890 --> 00:03:13,730
clients and these clients are trying to connect to that network. When there is a very large number of

37
00:03:13,730 --> 00:03:17,000
clients trying to connect to one network, to one router,

38
00:03:17,240 --> 00:03:23,180
some routers will not be able to handle all this demand and they'll actually just restart and reset

39
00:03:23,210 --> 00:03:24,010
everything.

40
00:03:24,260 --> 00:03:30,840
And when they do that they'll unlock WPS and we'll be able to run reaver again.

41
00:03:30,860 --> 00:03:36,410
So if you run it, if you run it like that, it's going to do that on all the networks around

42
00:03:36,410 --> 00:03:36,500
you.

43
00:03:36,500 --> 00:03:40,850
So it's going to create a very large number of clients and it's going to get all of these clients to

44
00:03:40,850 --> 00:03:43,110
connect to all the networks around you.

45
00:03:43,280 --> 00:03:44,090
And we don't want that.

46
00:03:44,090 --> 00:03:45,920
We only want to target one network.

47
00:03:46,070 --> 00:03:52,540
So we're going to specify the target network with the -a option to specify the target MAC.

48
00:03:52,940 --> 00:04:00,080
And we're also going to use -m to tell it that we want it to use valid MAC addresses of actual devices

49
00:04:00,290 --> 00:04:06,430
instead of using a MAC that looks like it's fake, like 000000.

50
00:04:06,470 --> 00:04:08,050
So let's run the command.

51
00:04:08,060 --> 00:04:11,150
Let me show you the command that we're going to use and things are going to get clearer.

52
00:04:11,420 --> 00:04:16,880
So the program that we're going to use is called mdk3.
53
00:04:17,210 --> 00:04:21,320
Then we're going to give it the interface in monitor mode and it's mon0

54
00:04:21,320 --> 00:04:28,680
in my case. Then we're going to give it the test mode or the attack mode and that's the authentication

55
00:04:28,680 --> 00:04:29,450
DoS mode.

56
00:04:29,460 --> 00:04:36,410
So that's going to be a, and then we want to run that against only one specific router.

57
00:04:36,470 --> 00:04:37,610
Not all routers.

58
00:04:37,640 --> 00:04:47,110
So we're going to specify -a and give it the MAC address of my target router, which is the

59
00:04:47,110 --> 00:04:49,270
same MAC address in here.

60
00:04:49,420 --> 00:04:57,490
It's the same MAC address that's locked in here, right here, and then we're going to give it -m

61
00:04:57,690 --> 00:05:02,200
to tell it to use valid MAC addresses instead of just ones that look wrong.

62
00:05:02,450 --> 00:05:04,770
So we're going to do -m.

63
00:05:05,300 --> 00:05:06,740
And that's it, we're ready to go.

64
00:05:06,740 --> 00:05:09,410
So we're just going to go over the command one more time.

65
00:05:09,410 --> 00:05:11,970
We're using a tool called mdk3.

66
00:05:12,060 --> 00:05:14,240
We're giving it the interface in monitor mode.

67
00:05:14,240 --> 00:05:20,930
In my case it's mon0 and we want to use the attack that's referred to with the a option

68
00:05:20,930 --> 00:05:27,400
which is the authentication DoS mode. We're giving it my target access point after the -a.

69
00:05:27,890 --> 00:05:32,320
And then I'm giving it -m to use valid MAC addresses.

70
00:05:32,510 --> 00:05:38,480
I'm going to hit Enter, and I actually misspelled mdk3, I said mkd3.

71
00:05:38,540 --> 00:05:39,590
I do that a lot.
72
00:05:39,830 --> 00:05:42,560
So it's mdk3, hit Enter

73
00:05:45,390 --> 00:05:51,180
and you might see a result like this saying that the target computer, the target router, does not

74
00:05:51,180 --> 00:05:54,140
seem to be vulnerable, but just let it work.

75
00:05:54,360 --> 00:05:58,370
Sometimes you might have to let it work up to 50000 clients.

76
00:05:58,530 --> 00:06:03,510
You can see that it's creating fake clients and it's trying to get them to connect to the router, so

77
00:06:03,510 --> 00:06:09,600
it's trying to associate with the router really, not connect, and you can see that we reached 5000 clients

78
00:06:09,600 --> 00:06:11,780
right here.

79
00:06:11,830 --> 00:06:14,530
This could be different from one router to another.

80
00:06:14,530 --> 00:06:17,910
So sometimes I had to let this go up to 50000.

81
00:06:18,040 --> 00:06:24,370
In this case with my home router right here it usually resets between 5000 and 10000.

82
00:06:24,400 --> 00:06:27,430
So I'm just going to let it go up to 10000 in this case.

83
00:06:28,660 --> 00:06:36,160
And once it's 10000 like this I'm going to press Control and C at the same time to get out of this and we're going

84
00:06:36,160 --> 00:06:41,290
to run wash again to see if the network is still locked. So you can see the last time we ran wash the

85
00:06:41,290 --> 00:06:42,980
network was locked.

86
00:06:43,030 --> 00:06:48,040
So I'm just going to give it some time to reset and then I'm just going to run wash, the same

87
00:06:48,040 --> 00:06:51,110
command that we always use, it's just wash -i

88
00:06:51,150 --> 00:06:58,530
mon0, and keep in mind this doesn't work against all routers, but it works against a lot of routers

89
00:06:58,530 --> 00:07:00,050
really, but not all.

90
00:07:00,060 --> 00:07:02,990
So it might just not work for you.

91
00:07:03,300 --> 00:07:06,120
So I'm going to hit Enter now to look for networks around me.
92
00:07:09,150 --> 00:07:11,900
Looks like something went wrong with my wireless card.

93
00:07:12,000 --> 00:07:16,710
So I'm just going to disconnect it, reconnect it, enable monitor mode and run wash again.

94
00:07:18,170 --> 00:07:23,020
OK, so I'm just going to run wash again here.

95
00:07:23,430 --> 00:07:31,130
And as you can see now our target network got reset and you can see that WPS is not locked anymore.

96
00:07:31,610 --> 00:07:37,300
So I can actually start reaver again and it will be able to pick up from where it left off the last time.

97
00:07:38,130 --> 00:07:45,480
So last time the PIN count was left at 0 and right now if I run it again I'll be able to go to PIN count

98
00:07:45,480 --> 00:07:48,160
1, so I'll actually be able to test one more PIN.

99
00:07:48,390 --> 00:07:56,020
So if we just run reaver again using the same command that we did before you can see that it's asking

100
00:07:56,020 --> 00:08:04,160
me if I want to continue from where I left off the last time. I'm going to say yes please.

101
00:08:04,170 --> 00:08:05,930
Now again the router got locked again.

102
00:08:05,970 --> 00:08:13,370
Now you can see that we managed to go ahead with one more PIN, to test one PIN right now.

103
00:08:13,530 --> 00:08:18,550
And if we do the same now, get the router to unlock and do the same,

104
00:08:18,600 --> 00:08:20,790
you'll be able to go to the next PIN.

105
00:08:20,790 --> 00:08:26,940
Now this network is actually quite a stubborn one. Usually networks lock after four or sometimes even

106
00:08:26,940 --> 00:08:27,960
10 attempts.

107
00:08:27,990 --> 00:08:30,810
Very rarely do they lock after one attempt only.

108
00:08:30,960 --> 00:08:34,010
But again this just serves as our example.

109
00:08:34,020 --> 00:08:39,300
The main thing is you can unlock most networks using this method, using mdk3.