1
00:00:06,520 --> 00:00:07,880
- [Narrator] An attacker can cause

2
00:00:07,880 --> 00:00:09,220
legitimate wireless clients

3
00:00:09,220 --> 00:00:14,220
to de-authenticate from legitimate wireless access points

4
00:00:14,340 --> 00:00:16,390
or from wireless routers.

5
00:00:16,390 --> 00:00:17,223
And they do that

6
00:00:17,223 --> 00:00:19,760
to either perform a denial-of-service condition,

7
00:00:19,760 --> 00:00:24,460
or to make those clients connect to a rogue access point,

8
00:00:24,460 --> 00:00:26,447
or to an evil twin.

9
00:00:26,447 --> 00:00:29,080
Now, let's actually define

10
00:00:29,080 --> 00:00:31,690
how wireless networking actually works

11
00:00:31,690 --> 00:00:34,670
in just a few seconds.

12
00:00:34,670 --> 00:00:37,830
Now within wireless networking, there's this concept

13
00:00:37,830 --> 00:00:42,830
of a Service Set Identifier, or the SSID.

14
00:00:43,400 --> 00:00:44,760
And basically that is the name

15
00:00:44,760 --> 00:00:47,410
or identifier that is associated with the

16
00:00:47,410 --> 00:00:50,590
802.11 wireless local area network.

17
00:00:50,590 --> 00:00:54,660
Now SSIDs are included in plain text

18
00:00:54,660 --> 00:00:56,720
in many different wireless packets

19
00:00:56,720 --> 00:00:59,010
and many different beacons.

20
00:00:59,010 --> 00:01:02,450
Now, a wireless client needs to know the SSID

21
00:01:02,450 --> 00:01:06,083
in order to associate with a wireless access point.

22
00:01:06,940 --> 00:01:11,690
It is possible to configure wireless passive tools

23
00:01:11,690 --> 00:01:16,450
like Kismet and Airmon or Airmon-ng,

24
00:01:16,450 --> 00:01:17,820
which is actually, by the way,

25
00:01:17,820 --> 00:01:21,880
part of a very popular suite of tools called

26
00:01:21,880 --> 00:01:23,163
Aircrack-ng.

27
00:01:24,030 --> 00:01:25,750
Basically you can use Airmon

28
00:01:25,750 --> 00:01:27,970
to perform this type of reconnaissance

29
00:01:27,970 --> 00:01:32,080
and to obtain the SSIDs of the wireless networks

30
00:01:32,080 --> 00:01:33,593
that are adjacent to you.

31
00:01:35,090 --> 00:01:39,680
In this case, actually I'm sniffing wireless network traffic

32
00:01:39,680 --> 00:01:43,570
to obtain the SSIDs that are associated,

33
00:01:43,570 --> 00:01:46,740
or are available within the environment,

34
00:01:46,740 --> 00:01:50,300
along with the channels that they are operating on.

35
00:01:50,300 --> 00:01:52,310
Many corporations and individuals actually

36
00:01:52,310 --> 00:01:54,450
configure their wireless access points

37
00:01:54,450 --> 00:01:59,190
not to advertise or broadcast their SSIDs,

38
00:01:59,190 --> 00:02:00,550
and also not to respond

39
00:02:00,550 --> 00:02:03,440
to broadcast probe requests as well.

40
00:02:03,440 --> 00:02:06,870
However, if you sniff on a wireless network long enough

41
00:02:06,870 --> 00:02:09,590
you will actually, eventually, catch a client

42
00:02:09,590 --> 00:02:14,590
trying to associate with the AP, or the access point.

43
00:02:14,680 --> 00:02:17,623
And then you actually can get that SSID.

44
00:02:19,030 --> 00:02:20,370
But now let's take a look

45
00:02:20,370 --> 00:02:23,413
at how to perform a de-authentication attack.

46
00:02:24,420 --> 00:02:26,850
You can actually see here two terminal windows.

47
00:02:26,850 --> 00:02:30,420
The terminal window here is actually displaying

48
00:02:30,420 --> 00:02:34,130
the output of the airodump utility on a specific channel,

49
00:02:34,130 --> 00:02:36,150
in this case, channel 11,

50
00:02:36,150 --> 00:02:40,940
and then one ESSID that is actually configured

51
00:02:40,940 --> 00:02:43,850
with the name Corp-net.

52
00:02:43,850 --> 00:02:45,330
Now, in that same terminal window,

53
00:02:45,330 --> 00:02:46,163
you can actually see

54
00:02:46,163 --> 00:02:49,290
a wireless client station in the bottom,

55
00:02:49,290 --> 00:02:54,290
along with a BSSID, which is connected to this access point,

56
00:02:56,070 --> 00:02:58,113
as you can see in this screen.

57
00:02:59,160 --> 00:03:03,210
So now, I'm launching a tool called aireplay,

58
00:03:03,210 --> 00:03:05,970
also part of the same suite,

59
00:03:05,970 --> 00:03:08,198
part of the Aircrack-ng suite.

60
00:03:08,198 --> 00:03:11,940
After the aireplay command is actually used,

61
00:03:11,940 --> 00:03:15,730
the de-authentication message from the attacker,

62
00:03:15,730 --> 00:03:17,020
in this case from me,

63
00:03:17,020 --> 00:03:21,070
is sent to the BSSID that I'm highlighting on the screen.

64
00:03:21,070 --> 00:03:23,530
Now, the attack can actually be accelerated

65
00:03:23,530 --> 00:03:26,220
by sending the de-authentication packets to the client

66
00:03:26,220 --> 00:03:30,740
with the c option, so, -c.

67
00:03:30,740 --> 00:03:32,490
There are several mitigations

68
00:03:32,490 --> 00:03:34,380
against these types of attacks.

69
00:03:34,380 --> 00:03:38,710
The 802.11w standard basically defines

70
00:03:38,710 --> 00:03:40,783
the management frame protection,

71
00:03:41,650 --> 00:03:44,610
which is a feature with which wireless devices

72
00:03:44,610 --> 00:03:47,410
can actually detect these types of attacks

73
00:03:47,410 --> 00:03:52,410
and also protect against spoofed management frames

74
00:03:52,570 --> 00:03:54,960
from other wireless devices

75
00:03:54,960 --> 00:03:59,643
that might otherwise de-authenticate a valid client.

76
00:04:01,010 --> 00:04:04,360
Now let's go over what the preferred network list is,

77
00:04:04,360 --> 00:04:06,980
and how to actually hack and attack

78
00:04:06,980 --> 00:04:08,870
the preferred network list.

79
00:04:08,870 --> 00:04:12,170
Basically, operating systems and wireless supplicants,

80
00:04:12,170 --> 00:04:13,003
or clients,

81
00:04:13,003 --> 00:04:15,230
so, that means your laptop, your phone,

82
00:04:15,230 --> 00:04:17,950
your tablet, in many cases,

83
00:04:17,950 --> 00:04:20,950
maintain a list of trusted or preferred

84
00:04:20,950 --> 00:04:22,770
wireless networks.

85
00:04:22,770 --> 00:04:25,590
This is also referred to as the preferred network list

86
00:04:25,590 --> 00:04:27,150
or PNL.

87
00:04:27,150 --> 00:04:27,983
And basically,

88
00:04:27,983 --> 00:04:32,940
the PNL includes a list of the wireless network SSIDs,

89
00:04:32,940 --> 00:04:37,940
the plain text passwords and WEP and WPA passwords

90
00:04:38,380 --> 00:04:40,970
of the networks that you actually have authenticated to before.

91
00:04:40,970 --> 00:04:44,380
So let's say you're in a hotel,

92
00:04:44,380 --> 00:04:47,010
or in an airport, or at a coffee shop.

93
00:04:47,010 --> 00:04:49,970
When your device connects to a wireless network,

94
00:04:49,970 --> 00:04:52,610
most definitely, it's going to put that network

95
00:04:52,610 --> 00:04:54,340
in the preferred network list,

96
00:04:54,340 --> 00:04:58,200
and whenever the client actually is not connected

97
00:04:58,200 --> 00:05:00,450
to a network and is trying to connect,

98
00:05:00,450 --> 00:05:02,440
it will actually look into the list

99
00:05:02,440 --> 00:05:06,800
and try to connect to all those wireless networks

100
00:05:06,800 --> 00:05:11,020
when it is not connected to an AP or wireless router.

101
00:05:11,020 --> 00:05:12,540
It is possible for attackers

102
00:05:12,540 --> 00:05:14,830
to listen to this client request

103
00:05:14,830 --> 00:05:18,070
and then impersonate the wireless networks

104
00:05:18,070 --> 00:05:19,590
in order to make the clients

105
00:05:19,590 --> 00:05:22,233
connect to the attacker's wireless device.

106
00:05:23,200 --> 00:05:24,433
Then, from there,

107
00:05:25,448 --> 00:05:28,360
the attacker can eavesdrop on the conversation

108
00:05:28,360 --> 00:05:32,160
or manipulate any type of transactions

109
00:05:32,160 --> 00:05:35,353
from the client to the rest of the network.