1
00:00:01,140 --> 00:00:09,600
Now if WPS is disabled on your target network, or if it's enabled but configured to use push button or

2
00:00:09,600 --> 00:00:15,080
PBC, then the method that I showed you in the previous lecture will not work.

3
00:00:15,480 --> 00:00:22,630
Therefore you will have to go and crack the actual WPA or WPA2 encryption.

4
00:00:22,630 --> 00:00:28,560
And like I said, when these encryptions were designed, the developers knew about the weaknesses in

5
00:00:28,570 --> 00:00:33,440
WEP and they made sure that they properly fixed these weaknesses.

6
00:00:33,690 --> 00:00:36,120
They actually did a pretty good job at this.

7
00:00:36,120 --> 00:00:43,510
Therefore we cannot use the same method used in WEP to crack WPA and WPA2.

8
00:00:44,660 --> 00:00:47,850
So in WPA, the keys are unique.

9
00:00:47,940 --> 00:00:48,910
They're temporary.

10
00:00:48,950 --> 00:00:52,300
They're much longer than what they were in WEP.

11
00:00:52,430 --> 00:01:01,840
Therefore the packets sent in the air contain no information that is useful for us, so it doesn't matter

12
00:01:01,850 --> 00:01:04,130
even if we capture one million packets.

13
00:01:04,220 --> 00:01:07,620
We can't use them to crack the key.

14
00:01:07,940 --> 00:01:13,090
The only packets that contain useful information are the handshake packets.

15
00:01:14,120 --> 00:01:18,570
These are four packets transferred between a client and the router

16
00:01:18,680 --> 00:01:21,360
when the client connects to the network.

17
00:01:22,070 --> 00:01:26,500
So in this lecture I'm going to show you how to capture these packets.

18
00:01:26,540 --> 00:01:33,720
And in the next lectures we'll see how to use them to crack the WPA or WPA2 key.

19
00:01:34,610 --> 00:01:40,300
First of all, as usual, you have to run airodump-ng against all the networks around you.

20
00:01:40,340 --> 00:01:41,700
I've already done that.
21
00:01:41,820 --> 00:01:44,510
And as you can see, this is my target right here.

22
00:01:44,540 --> 00:01:46,420
It's using WPA2.

23
00:01:47,240 --> 00:01:49,050
And this is the MAC address.

24
00:01:49,150 --> 00:01:50,330
I'm going to copy it.

25
00:01:51,830 --> 00:01:57,380
And the first thing we'll do is just run airodump-ng on this network and store the data in a

26
00:01:57,380 --> 00:02:02,300
file, exactly the same way that we used to do it with WEP.

27
00:02:02,810 --> 00:02:10,880
So we're just going to do airodump-ng --bssid and give it the BSSID of my target,

28
00:02:11,750 --> 00:02:13,090
--channel,

29
00:02:14,060 --> 00:02:17,300
and give it the channel of my target, which is one.

30
00:02:18,350 --> 00:02:24,410
Then --write to specify a file name to store all the data that we're going to capture in.

31
00:02:24,590 --> 00:02:29,230
And let's call this WPA handshake,

32
00:02:30,260 --> 00:02:32,730
because we're going to capture the handshake.

33
00:02:32,900 --> 00:02:38,770
And finally we're going to give it my wireless adapter in monitor mode, which is mon0.

34
00:02:39,260 --> 00:02:40,830
So, very simple command.

35
00:02:40,840 --> 00:02:43,160
We've done this multiple times now.

36
00:02:43,250 --> 00:02:49,420
We're using airodump-ng, we've given it the MAC address of my target after the --bssid, then

37
00:02:49,430 --> 00:02:55,870
given it --channel to specify the channel of my target, and we're using --write to store all

38
00:02:55,880 --> 00:02:56,700
the data in a file.

39
00:02:56,750 --> 00:03:03,670
This file contains everything that we capture, so if we capture the handshake it'll be in this file.

40
00:03:04,070 --> 00:03:08,930
And finally I'm giving it the name of my wireless adapter in monitor mode.

41
00:03:09,320 --> 00:03:10,950
So now I'm going to hit enter.
42
00:03:11,240 --> 00:03:16,170
And as you can see, airodump-ng is working against my target's network.

43
00:03:16,520 --> 00:03:23,210
Right now all we have to do is literally sit down and wait for the handshake to be captured.

44
00:03:23,210 --> 00:03:28,310
Like I said, the handshake is sent when a client connects to the network.

45
00:03:28,400 --> 00:03:34,370
So we literally have to sit down and wait until a new client connects to the network. Once a new client

46
00:03:34,420 --> 00:03:40,550
connects, we will capture the handshake, and you will see in here a message telling us that the handshake

47
00:03:40,550 --> 00:03:41,930
has been captured.

48
00:03:42,900 --> 00:03:50,550
Alternatively, we can use something that we learned before, which is the deauthentication attack. We know that

49
00:03:50,550 --> 00:03:56,430
using that attack we can disconnect the client from the network, so we can do this for a very short

50
00:03:56,430 --> 00:03:57,380
period of time.

51
00:03:57,390 --> 00:04:00,330
We can disconnect this client from the network.

52
00:04:00,330 --> 00:04:02,550
He will automatically reconnect

53
00:04:02,610 --> 00:04:04,310
once we stop the attack.

54
00:04:04,680 --> 00:04:10,710
Therefore, when he automatically reconnects, the handshake will be sent in the air and we will be able to

55
00:04:10,710 --> 00:04:11,910
capture it.

56
00:04:11,910 --> 00:04:17,790
This way we will not have to sit down and wait for someone to voluntarily connect to the network.

57
00:04:19,320 --> 00:04:24,560
So we've seen how to do this before; it's going to be exactly the same command as we did before.

58
00:04:24,590 --> 00:04:26,360
We're using aireplay-ng

59
00:04:27,640 --> 00:04:28,540
--deauth.

60
00:04:28,550 --> 00:04:29,660
Last time,

61
00:04:31,050 --> 00:04:38,060
then we specified a really large number of packets to keep the client disconnected for a long period of

62
00:04:38,060 --> 00:04:39,100
time.
63
00:04:39,140 --> 00:04:44,940
This time I'm going to set this to 4, to only send four deauthentication packets.

64
00:04:45,080 --> 00:04:49,360
This way my client will be disconnected for a very short period of time.

65
00:04:49,400 --> 00:04:52,170
They won't even feel that they got disconnected.

66
00:04:52,310 --> 00:04:56,530
But this is enough for the handshake to be sent, because they will be disconnected.

67
00:04:56,570 --> 00:05:01,260
They will automatically reconnect, and when they do that we will capture the handshake.

68
00:05:02,400 --> 00:05:06,840
Now the next argument we want to set is the MAC address of my target.

69
00:05:06,930 --> 00:05:11,160
So we're going to do -a followed by the MAC address of my target.

70
00:05:11,250 --> 00:05:17,130
Then we're going to do -c followed by the MAC address of the client that we want to disconnect.

71
00:05:17,220 --> 00:05:20,780
So it's this client right here; I'm going to copy it

72
00:05:21,700 --> 00:05:22,930
and paste it here.

73
00:05:23,110 --> 00:05:27,770
And finally we are going to give it the name of my wireless adapter in monitor

74
00:05:27,770 --> 00:05:29,850
mode, which is mon0.

75
00:05:31,050 --> 00:05:33,130
And we are done. Again,

76
00:05:33,150 --> 00:05:35,430
I've spent a full lecture on this command,

77
00:05:35,430 --> 00:05:38,080
explaining what a deauthentication attack is.

78
00:05:38,190 --> 00:05:39,920
So if it's a bit confusing,

79
00:05:39,930 --> 00:05:40,850
please go back

80
00:05:40,940 --> 00:05:42,750
and watch that lecture.

81
00:05:42,840 --> 00:05:47,910
Basically, all we're doing is we're using aireplay-ng to run a deauthentication attack

82
00:05:47,920 --> 00:05:52,240
to disconnect this device for a very short period of time.

83
00:05:52,290 --> 00:05:58,620
That's why I'm setting this to only number four, then I'm using -a to specify the MAC address of

84
00:05:58,620 --> 00:05:59,610
my target.
85
00:05:59,830 --> 00:06:06,690
-c specifies the MAC address of the client connected to this network, and then I've given it my wireless

86
00:06:06,690 --> 00:06:09,520
adapter in monitor mode.

87
00:06:09,570 --> 00:06:13,580
Now I'm going to hit enter and keep an eye on this side right here.

88
00:06:13,590 --> 00:06:16,570
You'll see the handshake will be captured in here.

89
00:06:17,030 --> 00:06:24,540
So go ahead, and you'll see the deauthentication packets being sent, and perfect, as you can see, once the

90
00:06:24,540 --> 00:06:25,780
client connected

91
00:06:25,800 --> 00:06:28,720
again, we received the handshake.

92
00:06:29,820 --> 00:06:31,310
So now we can quit

93
00:06:31,350 --> 00:06:32,480
airodump-ng,

94
00:06:32,490 --> 00:06:36,090
so Control+C, because we have the handshake now.

95
00:06:36,220 --> 00:06:43,600
It is in the file that we set after the --write option, which is called WPA handshake, and in the next lecture

96
00:06:43,680 --> 00:06:48,700
I'll show you how this handshake can be used to get the key for the network.