1
00:00:00,660 --> 00:00:06,540
Now the attacks that we've seen in the previous video worked perfectly because the pin was really simple.

2
00:00:06,550 --> 00:00:12,210
It was set to 12345670 and it actually came from the factory like this.

3
00:00:12,210 --> 00:00:14,560
So most people will not modify that.

4
00:00:14,630 --> 00:00:20,130
And if your target is using the same router that I got from my internet provider, then you'll be able

5
00:00:20,130 --> 00:00:23,220
to crack their password very, very easily.

6
00:00:23,220 --> 00:00:28,320
Right now I just want to show you an example. I actually modified the router settings and I set the pin

7
00:00:28,320 --> 00:00:29,960
to be something more random again.

8
00:00:29,970 --> 00:00:34,610
It still has to be eight digits and it still has to be made out of digits only.

9
00:00:34,620 --> 00:00:38,660
So you'll still be able to cover all possibilities and crack it.

10
00:00:38,790 --> 00:00:41,880
And I just want to show you that this still works

11
00:00:41,910 --> 00:00:46,740
if the pin was more complicated than just one two three four five six seven.

12
00:00:47,100 --> 00:00:48,770
So I'm just going to run wash

13
00:00:53,780 --> 00:00:59,030
and we can see that I have my target here, the test AP, and I'm just going to run reaver against it

14
00:00:59,030 --> 00:01:01,230
exactly like I did in the previous lecture.

15
00:01:03,350 --> 00:01:08,810
Give it the BSSID, the channel and my wireless interface.

16
00:01:08,810 --> 00:01:15,070
I'm going to hit enter, and reaver actually supports pause and resume.
17
00:01:15,080 --> 00:01:21,260
So if you were cracking a network and you reached 50 percent, for example, and then you wanted to stop

18
00:01:21,260 --> 00:01:27,110
that attack for some reason, you can just press Control-C, go do whatever you wanted

19
00:01:27,110 --> 00:01:33,290
to do and come back even weeks after, and just launch reaver again against that network, and reaver

20
00:01:33,290 --> 00:01:38,640
will know where it stopped and it'll start from 50 percent, so it's not going to start from scratch.

21
00:01:38,660 --> 00:01:39,880
So with this I'm going to tell it:

22
00:01:39,890 --> 00:01:40,760
yes please,

23
00:01:40,780 --> 00:01:46,610
resume, and it's going to start. You can see that so far I tried 25 and it's just going

24
00:01:46,610 --> 00:01:50,830
to keep going and it's going to try to brute force all possibilities.

25
00:01:50,930 --> 00:01:57,620
And if we look at the start you'll remember that it said there are eleven thousand possibilities, so it

26
00:01:57,620 --> 00:02:00,620
can actually cover all these possibilities; it's not a huge number.

27
00:02:00,680 --> 00:02:06,260
And then when it covers all of them it will definitely be able to get the pin and then calculate the

28
00:02:06,260 --> 00:02:08,110
key from the pin.

29
00:02:08,120 --> 00:02:12,560
Now I'm going to Control-C out of this because this is actually working properly, and I

30
00:02:12,560 --> 00:02:16,550
just want to show you what it would look like while it's working

31
00:02:16,550 --> 00:02:23,900
if the pin was a bit more complicated. So you can see right here it is 0.37 percent and it's

32
00:02:23,900 --> 00:02:30,500
saying that the estimated maximum time is 6 hours 5 minutes to cover all possibilities.

33
00:02:30,560 --> 00:02:35,520
So you might actually be able to guess the pin before that time and get the key.
34
00:02:35,630 --> 00:02:40,340
But the maximum time that you're going to have to wait is six hours, five minutes and 18 seconds.

35
00:02:40,340 --> 00:02:48,350
Now notice that it's at 0.37 percent; if I go up you'll see that I was at 0.33

36
00:02:48,350 --> 00:02:49,010
percent.

37
00:02:49,010 --> 00:02:54,350
So it's actually working, it's trying the pins; it's going through the pins and trying them one by

38
00:02:54,350 --> 00:02:56,430
one individually, so everything is working.

39
00:02:56,450 --> 00:03:02,280
All I have to do in this case is just wait for it to get the pin and then give me the key.

40
00:03:02,290 --> 00:03:09,040
Now this router is configured in a way that it's going to accept failed attempts and it will never lock.

41
00:03:09,040 --> 00:03:13,030
So when we run wash, I'm just going to go and run wash again like I did,

42
00:03:16,710 --> 00:03:19,970
you'll see the WPS locked here.

43
00:03:19,980 --> 00:03:28,900
And for my test AP it's still set to No. What this basically means is some routers lock after a number

44
00:03:28,900 --> 00:03:30,070
of failed attempts.

45
00:03:30,070 --> 00:03:35,240
So when you try to authenticate with them using a wrong pin, after four or five or six,

46
00:03:35,320 --> 00:03:40,270
however the router is configured, they will lock and they'll stop accepting any requests,

47
00:03:40,270 --> 00:03:42,260
even if we try the right pin.

48
00:03:42,280 --> 00:03:46,250
So, right now, the test AP never locks.

49
00:03:46,270 --> 00:03:49,560
Even if I try a thousand wrong pins it'll never lock.

50
00:03:49,570 --> 00:03:50,830
So that's really handy.

51
00:03:50,830 --> 00:03:52,730
And that's why it's very easy to crack.

52
00:03:53,440 --> 00:03:58,630
While you're testing you might face some routers that are configured to lock after a number of failed

53
00:03:58,630 --> 00:03:59,590
attempts.
54
00:03:59,740 --> 00:04:04,300
And once the router locks, basically you won't be able to do anything and you'll have to wait for it

55
00:04:04,330 --> 00:04:07,000
until it unlocks. Some routers unlock

56
00:04:07,000 --> 00:04:13,600
after a minute, some routers unlock after five minutes, and some routers take days to unlock.

57
00:04:13,600 --> 00:04:18,170
So it's not really a good idea to just sit down and wait for the router to unlock.

58
00:04:19,280 --> 00:04:25,850
Now my other router, the updated one that was sent from the company, actually does lock after failed attempts,

59
00:04:26,240 --> 00:04:30,710
and I'm going to show you now. I'm just going to run reaver against it and I'm going to show you how

60
00:04:30,710 --> 00:04:32,930
the router looks if it's locked.

61
00:04:32,930 --> 00:04:36,110
So my other router is actually the one that I'm using currently.

62
00:04:36,110 --> 00:04:41,260
So it's still named the default name and it's this one.

63
00:04:41,570 --> 00:04:46,880
So I'm going to run reaver against it again using the same command that we did in the previous lecture.

64
00:04:46,880 --> 00:04:52,310
I'm not going to do anything fancy, so it's just going to be, I'm going to clear this first and then I'm

65
00:04:52,310 --> 00:05:01,190
going to do reaver -b and the BSSID, on channel 6, and then I'm going to give it my wireless

66
00:05:01,190 --> 00:05:03,510
card in monitor mode, hit enter.

67
00:05:04,720 --> 00:05:06,310
Sorry, I had to give it after mine.

68
00:05:06,320 --> 00:05:06,530
I

69
00:05:09,500 --> 00:05:14,650
and again it's asking me if I want to continue from the last time; I'm going to say no to start from

70
00:05:14,650 --> 00:05:15,460
scratch.

71
00:05:17,470 --> 00:05:21,450
And I can see that it works for a bit and then it just completely locks.

72
00:05:21,460 --> 00:05:25,420
It doesn't really do anything, it just sits down there.
73
00:05:25,450 --> 00:05:29,990
Now if I press Control-C and run wash again

74
00:05:33,890 --> 00:05:39,950
you'll see that the router got locked right here and it won't accept any more requests right now, so we

75
00:05:39,950 --> 00:05:44,020
can't really do anything at the moment because WPS is locked.

76
00:05:45,610 --> 00:05:52,990
Now the simplest way to get the router to unlock is to just deauthenticate all the connected computers

77
00:05:53,320 --> 00:05:59,500
and keep doing that for a long period of time until one of the users just thinks that there

78
00:05:59,500 --> 00:06:05,080
is something happening in the network and just goes in and turns off the router and turns it back on. When

79
00:06:05,080 --> 00:06:10,670
they do that the router will get unlocked and then you'll be able to run reaver again.

80
00:06:10,690 --> 00:06:14,900
So to do that all you have to do is the deauthentication attack like we did before.

81
00:06:14,950 --> 00:06:22,180
So we're going to do aireplay-ng --deauth, and we're going to give it the access point

82
00:06:25,240 --> 00:06:30,100
and you're not going to specify a client because you want to disconnect all the clients, and then you're

83
00:06:30,100 --> 00:06:33,660
going to give it the card in monitor mode, which is mon0.

84
00:06:34,270 --> 00:06:41,050
And don't forget to specify a really large number after the deauth; we spoke about this before,

85
00:06:41,060 --> 00:06:45,920
and I'm not going to run this attack right now because it actually requires physical interaction of

86
00:06:45,920 --> 00:06:49,740
the user to go and restart the router.

87
00:06:49,750 --> 00:06:54,390
So again it's not the best way, but it is a way to get the router to restart.

88
00:06:54,480 --> 00:06:56,700
There are better methods to do that.

89
00:06:56,770 --> 00:07:01,790
We're going to do them using a tool called mdk3, and we'll talk about them in the next lecture.