[00:00:06] In the previous lesson we covered some of the wireless standards. In this lesson we will go over a few examples of how to crack WEP and WPA, but before we go into the demonstrations let me first define what these protocols actually are. So the first one is WEP, or W-E-P, and WEP stands for wired equivalency protocol, and this is a protocol you should definitely avoid. It is full of vulnerabilities, and it is extremely easy to crack nowadays, right. We will actually go over a demonstration of how easy it is to crack this protocol in just a few minutes.

[00:00:44] Now, WEP uses a weak and reusable initialization vector, or IV, and that's what we use to crack the wireless infrastructure password in our example in a few minutes, right. I'm including here a representation of the initialization vector of WEP for your reference, right. Now, how does this actually help us? Right, so the thing about WEP is, what if we actually know the contents of a packet, right? And you can actually predict what the contents of the packet are by using things like ARP. Using ARP packets you can definitely predict what the contents of a packet are, because ARP packets are always 68 bytes long, right.
[00:01:31] And WiFi ARP packets have a 40-byte RC4-encrypted part, so the first 15 bytes are always this representation, so AAAA03, and you know you can read the rest. And you also XOR these bytes with the ciphertext to recover the first 15 bytes of plaintext, right. So definitely, if you can collect enough ARP packets with different initialization vectors, or different IVs, then you can actually find the key through statistical analysis and statistical attacks, right.

[00:02:10] Now, WPA is a little bit more secure than WEP, but you can also crack its password. For WPA, and especially for WPA1 using TKIP, it is actually fairly easy to crack the password, and we will see that in a few minutes as well, because I'm actually going to do a demonstration of that, right. Now, another protocol that is also fairly insecure is WPS, right. It is also easy to brute force, and it also actually has a short PIN that only takes a few hours to actually, of course, brute force or crack.
[00:02:45] And it all depends on your CPUs or GPUs. Of course, if you use GPUs you will obtain much better results than if you just use CPUs, so it depends on the capacity that you actually have and the environment that you have, whether you're using CPUs or GPUs or in some cases ASICs to actually do the password cracking; that's how long it's actually going to take you to do this. But again, even with the modern standard-based computers nowadays, it will actually only take a few hours. And the difference between WEP, and WPS, and WPA is the way they actually do the steps to actually crack the password, right, and we will go over this in a few minutes.

[00:03:32] Now, again, if you actually use preshared keys, that means that basically dictionary attacks will be possible. Right, so you can actually brute force your way in by using dictionary attacks, and again you're going to see this in a few minutes. Now in WPA, each user receives a unique session key, and this is actually done to prevent decryption from a packet capture, right. So if you actually recover, and then you know the PSK, or the preshared key, then of course this makes it a little bit difficult.
[00:04:06] However, if you capture all four handshakes of the initial WPA negotiation, then you can actually obtain the WPA preshared key, and that's how you're actually going to see it in our demo, using the aircrack-ng toolset, right. So now that I have actually given you an introduction to these protocols, let's actually go over how to crack them.

[00:04:30] Right, so for these examples, this is the topology that I'm using. You have a wireless router in the corporate network that is configured with the SSID that is called corp-net, right, so corp-net, and then the wireless network for this example, that is configured via DHCP, is in the 192.168.1.0 network with a 24-bit mask. Now that router is actually connected to a firewall, and then that firewall is connected to an interior router, and then of course to the internet, right. So this is a very simplistic topology. In the real world enterprise you may actually have numerous access points controlled by a wireless LAN controller or by a cloud service like Meraki, for example. However, in essence, for the procedure that I'm actually going to explain here, the environment doesn't matter. If you're actually using WEP or WPA, this topology will be more than enough.
[00:05:26] And also, by the way, in this topology I'm also showing our Kali attack laptop, you know, here. So let's go over how to crack WEP. The first thing that I want to cover is a tool that is fairly cool to monitor all the available SSIDs in the air, right, and that tool is Kismet, right. Now Kismet, as we went over in previous lessons, this tool is actually not only used for, of course, penetration testing, but it's actually used by many people to actually do troubleshooting as well, right. Now as you can actually clearly see here, the corp-net SSID is actually running WEP, right. You can also see a graph of packets going over the air, and information about the actual router itself right there.

[00:06:13] You can do similar things with a series of tools that are part of the aircrack-ng framework. Some people refer to this as a tool, but it's actually a toolset, right. You learned about these tools in previous lessons, right, but let's actually see it in action, right. So let's see how you can use it to crack WEP. First, just like Kismet, you can use airodump-ng, which is one of the tools included in this toolset, to monitor and then view all SSIDs available near you, right.
[00:06:44] So, in this case, I'm actually using the airodump-ng command, and I'm specifying wlan0, which is actually my interface, and in this example I'm actually using a laptop with an Alfa external adapter, and you learned about these adapters in previous lessons as well, right. So now, as you can see here, you can view all the available wireless SSIDs near you, and there you go. You can see that actually corp-net is, of course, present, and is actually using WEP, right. So you want to remember a few things: the SSID, of course, right, corp-net; also the BSSID hex number that I'm highlighting right here; and the channel number, and in this case the channel is channel 11, right.

[00:07:33] Now that you have that information, let's actually launch airodump-ng again, but only to collect packets for that BSSID and for that channel specifically. So, for channel 11 specifically. So, we're actually capturing all packets for channel 11, and then we're also entering the hex number for the BSSID, and specifying our wireless interface, which in this case is wlan0.
[00:08:01] Then, we use aircrack-ng to actually crack the WEP preshared key, and now this is the command you actually need: you know, aircrack-ng -a, and then -a specifies, actually -a 1 rather specifies, that we're actually cracking WEP, right, and you specify the target BSSID and the capture file that we actually associated before, so the one we actually created before. And in this case I captured, you know, these few times, so that's why you see the 04 at the end of the file name.

[00:08:35] Then you need anywhere between 20,000 to 60,000 initialization vectors to actually crack the WEP password for any router, right. Now, you can also use aireplay-ng to actually spoof an associated station and then replay the ARP frames, and you do this to actually increase the data rate, right. So if you want to be faster and collect more initialization vectors, then you can use aireplay-ng to spoof an associated station, and then of course replay the ARP frames and increase the data rate. So, this is actually what I'm doing here, specifying, of course, the target BSSID, the spoofed station address, and also the interface that we are actually using.
[00:09:23] So, once you launch aircrack-ng, and depending on how many initialization vectors you actually have, you will then see the WEP key, and there you go, that's the WEP key for that wireless router and the corp-net SSID, right. So this is actually how you crack a WEP key in a few steps. So you can see it's actually a fairly insecure protocol that you should avoid, and very easy to crack.

[00:09:48] Now let's go over how to crack WPA, right. So in this case you see that now I'm actually running corp-net using a WPA preshared key, or PSK, right. Now, we use airodump-ng just like we did before to capture the WPA handshake corresponding to a target network. So again, we wait until the WPA handshake appears in the top line here, and then of course this is the command that I'm actually using, airodump-ng, and then we write that to a file. Very similar to what we did for WEP. Right, so we specified a channel, we specified the BSSID and the interface.
[00:10:29] Now, if you do not see a handshake, you can also use aireplay-ng to de-authenticate, so basically to kick out an associated client or station, and this will force a handshake to occur, and then of course you can actually get that handshake and use aircrack-ng to find the WPA preshared key using a dictionary, right. Now in my example here, the dictionary name that I'm actually using is called words, right. So that's actually the file name. And then depending on your compute power again, whether you use GPUs or CPUs, right, you can make it either faster or slower, of course, depending on your environment, right. So it can take either minutes or hours, right, depending on your environment.

[00:11:17] Now in this example, I actually cheated a little bit, right, because I don't want to wait hours for it to actually go through all of the different words and different phrases and everything. So I actually put the preshared key within the first 1000 lines, but as you can see here, you can see the WPA key here for corp-net, and it only took, you know, not even a second, right.
[00:11:40] Now there's another tool that automates this process, definitely in seconds, right. So instead of you actually remembering all of these commands and doing all the capture files and everything, it actually automates everything for you. The tool is actually called Fern. And you can see here it actually uses the aircrack-ng underlying framework as well, and it completely automates, you know, all of the steps that we followed a moment ago. So once we launch the attack, you can see that it actually uses a dictionary, and in this case of course we're using the same dictionary that we used before, and then it finds the key of the WPA SSID corp-net. And again, you can actually automate this and brute force more than one SSID, right. So here I'm just concentrating on, and only scoping, that SSID, and you can actually automate every single SSID that actually exists, right. Now there's actually a commercial version of this tool that has additional features, so, you know, there you go.
[00:12:38] I mean, that's actually how you crack WEP and WPA keys in just a few steps, right. Again, some of these tools can be fairly simple and fast, depending on your processing power, depending on your compute power, but, you know, with any type of computer, so on your laptop, you can actually launch these tools and have fun cracking WPA and WEP passwords.