1
00:00:01,120 --> 00:00:10,010
Okay, so far we know WPA Enterprise is an authentication method that can be used with WPA or WPA2 networks.

2
00:00:10,280 --> 00:00:19,220
So it uses encryption, and each user has to use their own unique username and password to authenticate

3
00:00:19,640 --> 00:00:21,350
and connect to the network.

4
00:00:21,650 --> 00:00:27,250
And we said all of this is managed using a RADIUS or a central server.

5
00:00:27,680 --> 00:00:33,950
Now let me show you an example of a network that uses WPA Enterprise, just so you get an idea of how

6
00:00:33,950 --> 00:00:34,920
it works.

7
00:00:35,300 --> 00:00:42,390
So if I go to Wi-Fi here, you'll see that I have a network here called "company network".

8
00:00:42,840 --> 00:00:49,830
If I try to connect to this, you'll see it won't even try to establish a connection.

9
00:00:49,830 --> 00:00:54,880
The first thing that it's going to do is ask me to enter a username and password.

10
00:00:55,960 --> 00:01:00,400
Now the same happens here if I go to an OS X machine.

11
00:01:00,610 --> 00:01:07,040
So if I just connect to it in here, you'll see that I'm going to be asked for a username and password.

12
00:01:07,060 --> 00:01:10,550
The only difference is the login box looks a little bit different.

13
00:01:11,840 --> 00:01:18,710
Now if you think of the idea, it's very similar to what happens with captive portals; it's just implemented

14
00:01:18,860 --> 00:01:22,590
in a much more secure manner, as shown before.

15
00:01:22,680 --> 00:01:27,530
Captive portals also ask the users to enter a username and password.

16
00:01:27,710 --> 00:01:31,190
And if they're correct, they'll allow them to use the password.

17
00:01:31,220 --> 00:01:35,180
The only difference is captive portals are open networks.

18
00:01:35,180 --> 00:01:37,570
They do not use any encryption.
19
00:01:37,730 --> 00:01:44,390
Therefore we were able to go in monitor mode, sniff all the data, and if a user authenticates we'll be

20
00:01:44,390 --> 00:01:47,280
able to capture their username and password.

21
00:01:47,330 --> 00:01:54,260
Not only that, because it's an open network we were able to connect, run an ARP spoofing attack, and redirect

22
00:01:54,260 --> 00:01:56,810
the flow of packets through our computer.

23
00:01:56,810 --> 00:02:00,900
And that way we were able to read the usernames and passwords as well.

24
00:02:02,170 --> 00:02:09,160
Now both of these methods will not work with WPA Enterprise. First, because like I said, it

25
00:02:09,160 --> 00:02:10,520
uses encryption.

26
00:02:10,660 --> 00:02:16,780
Therefore even if we go in monitor mode and sniff data, the data is going to be encrypted, and because

27
00:02:16,780 --> 00:02:22,370
we don't have the key, we won't be able to find the passwords that are entered by the users.

28
00:02:23,840 --> 00:02:30,320
The other problem, as we've seen, is we can't connect to the network without having a key.

29
00:02:30,320 --> 00:02:36,590
Therefore we can't run an ARP spoofing attack, because we can only do that attack after we connect to

30
00:02:36,590 --> 00:02:37,880
the network.

31
00:02:38,450 --> 00:02:42,400
Therefore both of these methods are useless against WPA Enterprise.

32
00:02:42,650 --> 00:02:47,750
And the only way to attack it is using an evil twin attack.

33
00:02:47,750 --> 00:02:49,610
Now there are two ways to do that.

34
00:02:49,640 --> 00:02:54,420
You can create a traditional evil twin, just like I showed you before.

35
00:02:54,470 --> 00:03:00,530
The only thing is you want to make sure that the login page that you automatically display to the person

36
00:03:00,530 --> 00:03:01,640
when they connect
37
00:03:01,640 --> 00:03:09,050
looks like a login box, because with captive portals we've seen that by default users log in using a page,

38
00:03:09,050 --> 00:03:11,960
an HTML web page like this.

39
00:03:11,960 --> 00:03:13,550
We've seen that in Windows.

40
00:03:13,580 --> 00:03:20,100
You have to log in here, and in OS X you get a box, a login box like this one.

41
00:03:20,660 --> 00:03:28,550
So you're going to have to fool your target to think the HTML page is what they usually use. With OS X

42
00:03:28,560 --> 00:03:33,280
this might be easier because, like we've seen with captive portals,

43
00:03:33,410 --> 00:03:37,400
OS X will still show the HTML page inside the window.

44
00:03:37,400 --> 00:03:42,860
So you'll just have to style your fake login page a little bit to make it look like a system login

45
00:03:42,860 --> 00:03:46,160
box. When it comes to Windows,

46
00:03:46,160 --> 00:03:51,200
it's going to be a little bit more challenging because, as we've seen, Windows automatically opens the

47
00:03:51,200 --> 00:03:54,210
login page in the default web browser.

48
00:03:54,380 --> 00:03:58,780
So the user will feel that there is something suspicious in there.

49
00:03:58,790 --> 00:04:03,740
Another problem: you'll see in here that it says "secured".

50
00:04:03,990 --> 00:04:11,800
Also in OS X, if you look at the network name here on the top, you'll see there is a lock beside it.

51
00:04:13,170 --> 00:04:18,870
Now as you remember, when we were creating our fake access point, it has to be an open network so they

52
00:04:18,870 --> 00:04:21,850
can connect to it and then authenticate.

53
00:04:21,960 --> 00:04:29,530
Therefore the traditional method of doing this is good, but it might not fool all users.
54
00:04:30,700 --> 00:04:36,460
The advantage of this method is that the user is going to send the passwords through the HTML form which

55
00:04:36,460 --> 00:04:42,510
is sent in our fake login page, and therefore it will be very easy for us to capture it and read it,

56
00:04:42,550 --> 00:04:50,370
as I showed you before. Now, executing this method is identical to targeting a captive portal.

57
00:04:50,440 --> 00:04:56,270
So I covered all of these steps before in detail, and therefore I'm not going to be covering it in here.

58
00:04:56,350 --> 00:05:02,880
I'm just simply mentioning that you can actually use that method to target this type of network.

59
00:05:02,890 --> 00:05:09,740
What I'm going to show you, though, is the next method, which is a little bit more advanced. Now this is also

60
00:05:09,740 --> 00:05:16,100
an evil twin attack; we'll also be creating a fake access point, but we'll actually configure this access

61
00:05:16,100 --> 00:05:19,140
point to use WPA Enterprise.

62
00:05:19,580 --> 00:05:24,410
So when the user connects to it, they'll get a login box, a system login box.

63
00:05:24,410 --> 00:05:27,920
So in Windows they'll get something like this. In OS X

64
00:05:27,980 --> 00:05:34,520
they'll get something like this. But once they put in the password, obviously the password will be sent to

65
00:05:34,520 --> 00:05:39,710
us, because we will be running the RADIUS server, the central authentication server that I was talking

66
00:05:39,710 --> 00:05:40,710
about.

67
00:05:40,790 --> 00:05:47,690
And that way it will be much easier to fool your target to connect to your network, because these networks

68
00:05:47,690 --> 00:05:50,020
are usually used in large enterprises.

69
00:05:50,030 --> 00:05:56,330
So again, like I said, similar to fake access points, the users are used to connecting to a number of routers

70
00:05:56,600 --> 00:05:59,380
and are used to seeing a number of routers around them.
71
00:05:59,390 --> 00:06:05,420
So what we'll be doing is we will be deauthenticating them from the router, and we'll be creating a router

72
00:06:05,420 --> 00:06:09,010
that looks identical to the router; it's going to have the same name.

73
00:06:09,050 --> 00:06:12,930
It's going to be using the exact same configuration, so they'll be logging in

74
00:06:12,940 --> 00:06:15,820
exactly the same way that they usually log in.

75
00:06:15,950 --> 00:06:20,650
Therefore they're not going to be suspicious of the whole process.

76
00:06:20,660 --> 00:06:28,220
The only problem with this method is the data sent to us, or the password, is going to be encrypted, and

77
00:06:28,220 --> 00:06:34,130
therefore we'll actually have to use a wordlist attack to try and crack this password.

78
00:06:34,130 --> 00:06:39,080
Now in the next lectures I'm going to talk in detail about how to execute this attack, how to create

79
00:06:39,080 --> 00:06:42,440
a fake access point with WPA Enterprise.

80
00:06:42,440 --> 00:06:47,300
And I'll also be discussing why the password is going to be encrypted and how to decrypt it.