One of the most often-used tools for attacking wireless networks is a suite of tools called aircrack-ng. It comes with many, many applications for interacting with wireless networks. I've highlighted two here in red, aircrack and airodump. Aircrack for cracking and airodump for capturing frames. These are often used to capture the initial frames. Like, if you're trying to crack WPA, you wanna see that message integrity check, the MIC message.

You're dumping the frames. If you wanna do it entirely passively, airodump pointed at the interface. Capture, capture, capture until you see that MIC. You can stop your capture, run aircrack, try to get the pre-shared key. I have an example of this coming up.

Finding SSIDs to attack: airmon-ng start and then the interface name, in this case wlan0. You'll see a screen that looks similar to this. This is an old screenshot from BackTrack. Still looks the same, just, you know, run it on Kali instead.

A MAC spoofing attack, we've talked about this in previous lessons. Listen to the air, find a MAC address, change your MAC address and try to have the same access.

A deauthentication attack, this is attacking that availability in the CIA triad. With a deauth attack, we are going to start monitoring, or turn on monitor mode on our network interface card, look for an SSID, wait for a client to connect and then send our deauth message with aireplay. So, we walked through this example in our previous lesson. We're gonna send a deauthentication attack. Here's our access point, SSID and the client we're going to deauthenticate.

We can also do the evil twin attack. Recall from our previous lesson, with the evil twin attack we are going to impersonate an existing wireless network. Maybe at a coffee shop. This can be done with a wireless card on the laptop itself. It can be done with this suite of tools as well. Start monitor mode. Look for the SSID that you want to mimic, create a soft access point. Soft access point is, you know, the opposite of a hardware access point. It is an access point that is running based on software coming off a laptop. So, here we're running airbase-ng. Here's the SSID that we wanna broadcast, the channel we wanna use. Deauth the client and hope that they reconnect to our evil twin. If we're sitting closer to the person, there's a good chance that their computer is going to connect to you instead of the actual valid access point. And you can modify your transmit power so that you can win over that valid access point. Wait for the client to join your network and then do your machine-in-the-middle attacks 'cause you will see the data post Wi-Fi at that point.

Rogue access point. We also discussed this method in the previous lesson. If you can get into the environment and have access to a physical port, whether that's actually in an IDF or under someone's desk that is connected to the wired Ethernet network, plug in your access point and then connect to it from somewhere outside the building, provided the signal will make it.

For cracking WEP, as I mentioned, you do still see WEP networks out there and they are easily compromisable. Simply start monitor mode. Look for the SSID, find something running WEP. Capture the packets, capture about 10,000 of 'em and then try to crack it with aircrack. Here's a fast way to do it. You're still gonna do the monitor mode, pick a target network, inject some frames into that network to cause that initialization vector collision. Once you see that IV collision, here's our injection, capturing packets, then crack it.

For WPA pre-shared key cracking, this is also possible but you need to capture that message integrity check. As a client associates, the MIC flows across. You need to capture that. Here we start monitor mode, find our target BSSID, capture packets, send our deauth and then we look for the captured handshake, that MIC message, and run it against a wordlist in this example.

Here is a screenshot of actually doing that. So, we see we're trying 10 million. This is a dictionary file with 10 million potential passphrases in it. And it's doing it one by one, and it is comparing it to the MIC to try to find the passphrase for this network. And here is the successful compromisation. Is that a word? (chuckles) So, we know that the passphrase for this particular network is "this is a secret key".

I also wanna point out some purpose-built hardware for auditing Wi-Fi networks. This particular device from an organization called Hak5. They sell this hardware device called Wi-Fi Pineapple. You can see what it looks like here. And it does have a nice interface for interacting with the device, and it is cloud configurable. So, you could deploy these worldwide provided they can get internet access. Then you could configure them all from your web browser.

Also, Kismet. This is a tool that's been around for a long time, runs on Linux. You can get to it at kismetwireless.net. Wardriving, sniffing, it does a lot of cool stuff. Also has a framework for wireless intrusion detection built in.

And coWPAtty. coWPAtty, similar to aircrack, it will do offline dictionary attacks on pre-shared keys. In this screenshot here, it's the same capture file from the previous example. And we see here the pre-shared key, "this is a secret key", and we're running it against a plain text file of 10 million possible passwords. Now, in all truth, to be transparent, I may or may not have modified this password file to include "this is a secret key" right around 560,000 lines down. So, I wanted to see how long it took. So, this one, I put it at 1000. In the previous one, that took about five minutes to run, I had it right in the middle of the file.