1
00:00:06,430 --> 00:00:09,350
- [Teacher] There are many wireless-specific attacks.

2
00:00:09,350 --> 00:00:12,450
Here we will cover some of the most common ones

3
00:00:12,450 --> 00:00:14,460
and the most popular ones.

4
00:00:14,460 --> 00:00:15,780
So the first type of attack

5
00:00:15,780 --> 00:00:19,800
is when an attacker installs a rogue access point

6
00:00:19,800 --> 00:00:21,740
and can create a back door,

7
00:00:21,740 --> 00:00:25,110
specifically if one is not conversant

8
00:00:25,110 --> 00:00:29,010
with it and has complete management of it, right so,

9
00:00:29,010 --> 00:00:32,140
after this rogue access point is installed,

10
00:00:32,140 --> 00:00:33,560
the attacker can then scan

11
00:00:33,560 --> 00:00:37,180
and launch other attacks within the corporate network, right.

12
00:00:37,180 --> 00:00:41,360
Another attack is actually jamming the wireless signal

13
00:00:41,360 --> 00:00:42,910
to actually cause interference,

14
00:00:42,910 --> 00:00:44,670
and the purpose of this attack is actually

15
00:00:44,670 --> 00:00:48,810
to cause a full or a partial denial-of-service condition

16
00:00:48,810 --> 00:00:51,050
in the wireless network.

17
00:00:51,050 --> 00:00:53,150
Now, another popular attack is

18
00:00:53,150 --> 00:00:57,220
the Evil Twin attack, or an attack called Evil Twin.

19
00:00:57,220 --> 00:00:59,260
And this is done when the attacker is trying

20
00:00:59,260 --> 00:01:01,960
to create a rogue access point

21
00:01:01,960 --> 00:01:05,080
to gain access to the network or steal information,

22
00:01:05,080 --> 00:01:06,210
and basically what they do

23
00:01:06,210 --> 00:01:08,850
is actually just purchase a wireless access point

24
00:01:08,850 --> 00:01:10,000
or a wireless router

25
00:01:10,000 --> 00:01:12,410
and then plug them into the network.
26
00:01:12,410 --> 00:01:14,550
Then, you know, they configure them

27
00:01:14,550 --> 00:01:19,550
exactly as the one that exists in the corporate network.

28
00:01:19,900 --> 00:01:22,440
And that's done so that your client connects

29
00:01:22,440 --> 00:01:23,670
to the access point

30
00:01:23,670 --> 00:01:26,530
and then they can actually steal your information.

31
00:01:26,530 --> 00:01:28,200
As a matter of fact, there are actually many tools

32
00:01:28,200 --> 00:01:30,980
and devices that allow you to do this type of attack.

33
00:01:30,980 --> 00:01:35,980
A simple one is a multi-use wireless exploitation tool,

34
00:01:36,270 --> 00:01:39,710
or also hardware, called the Pineapple.

35
00:01:39,710 --> 00:01:42,320
That's actually made by a company called Hak5,

36
00:01:42,320 --> 00:01:44,430
or an organization called Hak5,

37
00:01:44,430 --> 00:01:47,210
and it's very popular among a lot of

38
00:01:47,210 --> 00:01:49,720
penetration testing individuals,

39
00:01:49,720 --> 00:01:52,690
and of course, you know, attackers as well.

40
00:01:52,690 --> 00:01:56,670
You can also use other tools like Airmon

41
00:01:56,670 --> 00:02:00,090
and Aircrack to actually perform all these types of attacks.

42
00:02:00,090 --> 00:02:01,790
And there are many more out there;

43
00:02:01,790 --> 00:02:02,623
as a matter of fact,

44
00:02:02,623 --> 00:02:07,393
Airmon and Aircrack are part of the Kali Linux distribution.

45
00:02:08,250 --> 00:02:09,803
And basically Kali Linux

46
00:02:10,710 --> 00:02:12,450
is a framework,

47
00:02:12,450 --> 00:02:15,170
you know, basically a Linux distribution that has tons

48
00:02:15,170 --> 00:02:16,690
of penetration testing tools

49
00:02:16,690 --> 00:02:18,240
and tons of attack tools,

50
00:02:18,240 --> 00:02:21,440
all in one environment.
51
00:02:21,440 --> 00:02:24,920
Another one, another attack, is Bluejacking,

52
00:02:24,920 --> 00:02:28,120
and this is when the attacker sends unsolicited messages

53
00:02:28,120 --> 00:02:31,030
to another device via Bluetooth, right so,

54
00:02:31,030 --> 00:02:32,940
you know, this can actually be done

55
00:02:32,940 --> 00:02:36,990
to attack any Bluetooth-enabled device.

56
00:02:36,990 --> 00:02:41,450
Another one is the Initialization Vector attack,

57
00:02:41,450 --> 00:02:42,632
and that's when the attacker

58
00:02:42,632 --> 00:02:46,110
can cause some modifications to the IV,

59
00:02:46,110 --> 00:02:48,010
or Initialization Vector,

60
00:02:48,010 --> 00:02:49,080
of a wireless packet

61
00:02:49,080 --> 00:02:51,520
that is actually encrypted during transmission.

62
00:02:51,520 --> 00:02:53,760
And basically the goal of the attacker

63
00:02:53,760 --> 00:02:57,440
is to obtain as much information about the plaintext

64
00:02:58,410 --> 00:03:01,670
of a single packet and generate another encryption key

65
00:03:01,670 --> 00:03:04,800
that then can be used to decrypt other packets

66
00:03:04,800 --> 00:03:07,480
with the same Initialization Vector.

67
00:03:07,480 --> 00:03:09,360
Now we also have,

68
00:03:09,360 --> 00:03:12,050
you know, protocols and implementations

69
00:03:12,050 --> 00:03:13,570
that are full of, you know,

70
00:03:13,570 --> 00:03:14,610
different vulnerabilities;

71
00:03:14,610 --> 00:03:16,880
a perfect example is WEP.

72
00:03:16,880 --> 00:03:20,180
So the WEP protocol, you know,

73
00:03:20,180 --> 00:03:22,180
is susceptible to different vulnerabilities,

74
00:03:22,180 --> 00:03:25,010
as well as several versions of WPA.
75
00:03:25,010 --> 00:03:28,520
And these protocols again are susceptible to vulnerabilities

76
00:03:28,520 --> 00:03:31,540
and are considered weak, right so,

77
00:03:31,540 --> 00:03:32,827
there are many attacks against WEP

78
00:03:32,827 --> 00:03:35,370
and many versions of WPA,

79
00:03:35,370 --> 00:03:37,810
so you should avoid using WEP

80
00:03:37,810 --> 00:03:38,643
and, you know,

81
00:03:38,643 --> 00:03:42,100
those versions of WPA whenever possible.

82
00:03:42,100 --> 00:03:44,160
Now another wireless feature that is susceptible

83
00:03:44,160 --> 00:03:45,260
to attacks

84
00:03:45,260 --> 00:03:48,960
is Wi-Fi Protected Setup, or WPS.

85
00:03:48,960 --> 00:03:51,320
And in this screen I'm actually showing a link

86
00:03:51,320 --> 00:03:53,640
to a document from the Wi-Fi Alliance

87
00:03:53,640 --> 00:03:56,080
that explains what WPS actually is

88
00:03:56,080 --> 00:03:58,280
and how it works, in case,

89
00:03:58,280 --> 00:03:59,540
you know, of course, you're not familiar

90
00:03:59,540 --> 00:04:02,470
with that feature or that implementation.

91
00:04:02,470 --> 00:04:05,330
Now most of the attacks that affect WPS

92
00:04:05,330 --> 00:04:08,640
are password guessing and brute-force attacks, right so,

93
00:04:08,640 --> 00:04:11,820
they aim to obtain the WPS passwords

94
00:04:11,820 --> 00:04:16,430
and then use those to gain access to the network,

95
00:04:16,430 --> 00:04:17,963
and of course its data.