WEBVTT 1 00:00:00.080 --> 00:00:02.279 Have you ever really stopped to think about it? This 2 00:00:02.520 --> 00:00:06.000 invisible world of wireless networks? 3 00:00:06.040 --> 00:00:10.199 It's everywhere, absolutely, your home, Wi Fi, the office, coffee shops. 4 00:00:10.679 --> 00:00:12.119 It's just part of life now. 5 00:00:12.000 --> 00:00:15.359 So convenient, right, seems totally seamless. But what if that 6 00:00:15.439 --> 00:00:20.239 security isn't really a solid wall, more like a thin screen. 7 00:00:20.719 --> 00:00:23.079 That's the uncomfortable truth, Isn't it something people maybe don't 8 00:00:23.120 --> 00:00:26.239 want to think about too much? Yeah, So our mission 9 00:00:26.280 --> 00:00:28.960 today really is to pull back that curtain. We're talking 10 00:00:29.079 --> 00:00:31.000 wireless penetration testing. 11 00:00:30.760 --> 00:00:32.920 Finding the weak spots before the bad. 12 00:00:32.759 --> 00:00:35.840 Guys do exactly, and we're digging into a really foundational 13 00:00:35.840 --> 00:00:40.640 text for this Backtrack five Wireless Penetration Testing Beginner's Guide. 14 00:00:40.840 --> 00:00:44.960 AH. Backtrack five takes me back a whole Linux distribution 15 00:00:45.359 --> 00:00:46.799 packed with security tools. 16 00:00:46.560 --> 00:00:49.560 Right, hundreds of them, And this book it wasn't just theory. 17 00:00:49.600 --> 00:00:52.479 It was designed to help people actually do security audits 18 00:00:52.520 --> 00:00:53.920 on real wireless networks. 19 00:00:54.200 --> 00:00:59.039 And even though Backtrack itself is older now, the principles 20 00:00:59.240 --> 00:01:02.280 in this book about how Wi Fi in security works 21 00:01:02.280 --> 00:01:06.120 still incredibly relevant. These vulnerabilities haven't just vanished, even with 22 00:01:06.200 --> 00:01:08.000 things like WPA three coming along. 23 00:01:08.200 --> 00:01:12.159 Definitely, and the author Vik Arwamachandra, and he's fascinating. He's 24 00:01:12.159 --> 00:01:14.680 been deep in Wi Fi security since what two thousand 25 00:01:14.680 --> 00:01:16.400 and three. Wow, Yeah, he's the one who came up 26 00:01:16.439 --> 00:01:19.760 with the Cafe Latte attack, remember that vaguely? 27 00:01:19.879 --> 00:01:21.840 Yeah, I wasn't that about getting the key just from 28 00:01:21.879 --> 00:01:23.840 the client device, not even kneading the. 29 00:01:23.799 --> 00:01:27.760 Router nearby, precisely super clever. And he also showed back 30 00:01:27.799 --> 00:01:30.439 in twenty eleven how malware could actually use Wi Fi 31 00:01:30.599 --> 00:01:33.599 to create back doors, spread itself like a worm, even 32 00:01:33.599 --> 00:01:34.439 build botnets. 33 00:01:34.519 --> 00:01:38.319 So this isn't just academic stuff. It's real world, practical 34 00:01:38.319 --> 00:01:39.480 threat analysis exactly. 35 00:01:39.560 --> 00:01:41.400 It shows how these attacks actually happen. 36 00:01:41.680 --> 00:01:44.799 Okay, so let's get into this. There's that saying often 37 00:01:44.879 --> 00:01:47.480 link to Lincoln. Give me six hours to chop down 38 00:01:47.480 --> 00:01:50.000 a tree, and I will spend the first four sharpening 39 00:01:50.040 --> 00:01:53.959 the acts. M I feel spot on for wireless pentesting. Right. 40 00:01:54.200 --> 00:01:56.000 Preparation is everything. You can't just dive in. 41 00:01:56.159 --> 00:01:59.719 Oh, absolutely, preparation is key. You need a controlled space, 42 00:01:59.760 --> 00:02:03.079 like a digital sandbox to even start exploring these things safely. 43 00:02:03.280 --> 00:02:05.239 And the book actually lays out how to build a. 44 00:02:05.200 --> 00:02:08.000 Basic lab, yeah, using stuff you can basically just buy 45 00:02:08.039 --> 00:02:11.520 off the shelf. Theressing too exotic needed at least to start. 46 00:02:11.800 --> 00:02:13.560 So what are we talking hardware wise? 47 00:02:13.599 --> 00:02:16.400 Okay, so two laptops. One's your attacker machine, the other's 48 00:02:16.439 --> 00:02:20.120 the victim right. Then, crucially, you need a specific kind 49 00:02:20.120 --> 00:02:23.439 of USB Wi Fi adapter. The book mentions the Alpha 50 00:02:23.520 --> 00:02:26.240 AWS zero three six h. 51 00:02:25.800 --> 00:02:28.479 The Alpha card famous for packet injection, right. 52 00:02:28.360 --> 00:02:31.719 Exactly, packet injection and sniffing, and it worked great with 53 00:02:31.800 --> 00:02:33.759 backtrack right out of the box. Plus you need an 54 00:02:33.800 --> 00:02:37.400 access point, you know, a router that supports WFWPA, WPA 55 00:02:37.479 --> 00:02:40.479 two something simple like a dealing DR six fifteen would do. 56 00:02:40.479 --> 00:02:42.439 And an Internet connection presumably. 57 00:02:42.000 --> 00:02:45.759 Yep for research downloads. The usual. Software wise, it's Backtrack 58 00:02:45.800 --> 00:02:48.560 five itself and then Windows on the victim machine XP 59 00:02:48.840 --> 00:02:50.360 Vista seven that kind of era. 60 00:02:50.520 --> 00:02:54.159 Setting up backtrack is pretty easy. Boot from USB or DBD, yeah. 61 00:02:54.039 --> 00:02:58.120 Standard Linux install, boot into the graphical mode, pretty straightforward. 62 00:02:58.319 --> 00:03:03.680 Okay, backtracks running, mix up the access point. 63 00:03:03.159 --> 00:03:05.439 The router, right, so you can figure it. Let's say 64 00:03:05.439 --> 00:03:09.000 you create a network an SSID and wireless lab and 65 00:03:09.039 --> 00:03:11.680 you set the authentication to open. 66 00:03:11.680 --> 00:03:15.240 Open authentication, and the book warns you about that immediately, 67 00:03:15.240 --> 00:03:15.639 doesn't it. 68 00:03:15.680 --> 00:03:18.400 Oh yeah, big warning. It says, look, this is the 69 00:03:18.479 --> 00:03:21.840 least secure mode. Don't connect this test network to the 70 00:03:21.919 --> 00:03:23.360 actual Internet. 71 00:03:22.960 --> 00:03:25.879 Because anyone nearby could just jump on anyone. 72 00:03:26.039 --> 00:03:28.400 It's like leaving your front door unlocked and wide open. 73 00:03:28.560 --> 00:03:30.439 That's a pretty stark warning for just setting up a 74 00:03:30.479 --> 00:03:33.319 test lab makes you think about real world open networks, 75 00:03:33.400 --> 00:03:34.080 It really does. 76 00:03:34.120 --> 00:03:36.639 How many people connect without a second thought. So access 77 00:03:36.680 --> 00:03:39.080 points set up. Then you get the alpha card working 78 00:03:39.120 --> 00:03:40.199 with backtrack. 79 00:03:39.800 --> 00:03:41.919 Which is easy because the built in support mm hmm. 80 00:03:42.840 --> 00:03:45.199 Then a few commands to check things, a list, a 81 00:03:45.319 --> 00:03:49.520 scan ping to test connectivity. Make sure your attacker machine 82 00:03:49.560 --> 00:03:52.719 can see and talk to your new very insecure wireless 83 00:03:52.759 --> 00:03:53.360 lab network. 84 00:03:53.439 --> 00:03:57.719 Okay, sandbox built, the lab is ready. Now thinking like 85 00:03:57.759 --> 00:04:01.719 an attacker. Do you even see what's happening in these 86 00:04:01.719 --> 00:04:02.919 invisible radio waves? 87 00:04:03.280 --> 00:04:07.840 You listen, you sniff see w a lands wireless local 88 00:04:07.840 --> 00:04:12.599 area networks. They communicate using these basic units called frames frames, right, 89 00:04:12.639 --> 00:04:14.759 and there are three main types. You've got management frames 90 00:04:14.800 --> 00:04:17.319 that's all the admin stuff joining the network. 91 00:04:17.639 --> 00:04:21.480 Beacons probes like devices saying I'm here or are you 92 00:04:21.600 --> 00:04:22.560 there exactly? 93 00:04:22.920 --> 00:04:26.199 Then control frames they're like the traffic signals, making sure 94 00:04:26.319 --> 00:04:29.920 data flows okay, rts cts ACKs, request. 95 00:04:29.600 --> 00:04:31.680 To send clear to sand acknowledgment, got it. 96 00:04:31.759 --> 00:04:34.519 And finally data frames. That's the actual payload. You are 97 00:04:34.560 --> 00:04:38.639 web traffic emails. You know the content, So how do. 98 00:04:38.600 --> 00:04:41.040 You capture these? That's the sniffing part, right. 99 00:04:41.240 --> 00:04:43.920 You put your special Wi Fi card, like that Alpha card, 100 00:04:44.040 --> 00:04:47.879 into monitor mode. There's a tool called AIRMoN that helps 101 00:04:47.920 --> 00:04:50.759 create this special listening interface often. 102 00:04:50.480 --> 00:04:53.800 Called man rate monitor mode. So it's not connecting, just. 103 00:04:53.800 --> 00:04:56.600 Listening passively listening to everything. It's like giving yourself Wi 104 00:04:56.600 --> 00:05:00.000 Fi X ray vision. You can literally sniff wireless package 105 00:05:00.079 --> 00:05:01.199 it's off the air, and. 106 00:05:01.120 --> 00:05:02.800 Then you need something to make sense of all that 107 00:05:02.920 --> 00:05:03.639 raw data. 108 00:05:03.759 --> 00:05:07.759 That's where wire shark comes in. Powerful tool. It captures 109 00:05:07.759 --> 00:05:10.439 the packets and lets you analyze them. You can filter too, 110 00:05:10.720 --> 00:05:14.279 like show me only management frames or only data frames. 111 00:05:14.439 --> 00:05:18.160 And what does this sniffing reveal? What's the big takeaway? 112 00:05:18.399 --> 00:05:22.319 The big one? If the traffic isn't encrypted, it's completely exposed. 113 00:05:22.600 --> 00:05:25.839 Sniffing unencrypted data is trivially easy. 114 00:05:25.560 --> 00:05:27.199 So anyone listening can just read. 115 00:05:27.040 --> 00:05:29.920 Your stuff pretty much, which is exactly why we need 116 00:05:30.000 --> 00:05:33.240 encryption on wireless networks. It's not optional, it's essential. For 117 00:05:33.360 --> 00:05:34.439 any kind of privacy. 118 00:05:34.519 --> 00:05:37.720 Okay, so listening is powerful, but you mentioned injection too, 119 00:05:38.439 --> 00:05:39.600 sending your own messages. 120 00:05:39.800 --> 00:05:44.079 Yeah, packet injection tools like airplane. They let you craft 121 00:05:44.240 --> 00:05:46.720 and send your own packets onto the network. 122 00:05:46.399 --> 00:05:49.839 Even if you're not actually connected, like authenticated. 123 00:05:49.959 --> 00:05:52.279 Even then it's like shouting into the room without being 124 00:05:52.279 --> 00:05:54.639 invited to the party. You can still be heard, and 125 00:05:54.680 --> 00:05:56.759 you can disrupt things or trick devices. 126 00:05:56.920 --> 00:05:59.759 But there are limits, right, You can't just blast signals anywhere. 127 00:06:00.480 --> 00:06:03.439 First hardware limits. Your card has to support the right 128 00:06:03.480 --> 00:06:07.240 frequency bams two point four gigaberts maybe five gigahertz, and 129 00:06:07.279 --> 00:06:09.519 the specific channel the target network is. 130 00:06:09.519 --> 00:06:12.519 Using, and you can only listen or inject on one 131 00:06:12.639 --> 00:06:13.399 channel at a time. 132 00:06:13.600 --> 00:06:15.879 Exactly. Think of your car radio. You tune it to 133 00:06:15.879 --> 00:06:18.519 one station, right, same idea here, You pick a channel 134 00:06:18.720 --> 00:06:21.879 and that's where you operate. Can't monitor all eleven or 135 00:06:21.920 --> 00:06:24.120 fourteen channels at once with one card? 136 00:06:24.279 --> 00:06:26.399 Makes sense? What about rules and regulations? 137 00:06:26.519 --> 00:06:30.519 Ah? Yes, regulatory domains. Every country sets rules for these 138 00:06:30.600 --> 00:06:35.199 unlicensed radio bands, things like maximum power output, which channels 139 00:06:35.240 --> 00:06:37.839 are allowed, and this varies a lot hugely. The book 140 00:06:37.879 --> 00:06:40.040 gives a great example in the US, maybe you're limited 141 00:06:40.079 --> 00:06:42.839 to twenty seven dBm, which is five hundred milliwatts. But 142 00:06:43.399 --> 00:06:46.199 if you were in Bolivia, you could set your cards 143 00:06:46.279 --> 00:06:50.079 regulatory domain to BO and transmit at one wat thirty dBm, 144 00:06:50.319 --> 00:06:53.319 double the power, and use channels banned in the US. 145 00:06:53.399 --> 00:06:56.600 Wow. So the same hardware could behave very differently legally 146 00:06:56.639 --> 00:06:58.839 depending on where you are. That raises questions for you, 147 00:06:58.879 --> 00:07:02.319 the listener, doesn't it? How might these geographical rule differences 148 00:07:02.439 --> 00:07:05.319 affect wireless security across borders? 149 00:07:05.360 --> 00:07:07.399 Definitely something to think about. Okay, so we know how 150 00:07:07.439 --> 00:07:10.319 the signals work, how to listen, how to inject the 151 00:07:10.360 --> 00:07:12.759 next step for an attacker trying to break the security 152 00:07:12.800 --> 00:07:14.879 itself authentication and encryption. 153 00:07:15.319 --> 00:07:17.439 And this is where a lot of common security measures 154 00:07:17.439 --> 00:07:18.399 start to look pretty weak. 155 00:07:18.480 --> 00:07:22.000 Oh yeah, like hidden sads. People think hiding the network 156 00:07:22.120 --> 00:07:24.079 name adds security. 157 00:07:23.600 --> 00:07:25.519 Security through obscurity, right. 158 00:07:25.720 --> 00:07:29.199 But the book just dismantles that idea Legitimate clients when 159 00:07:29.199 --> 00:07:32.720 they connect, they broadcast the SSID name in probe requests 160 00:07:32.720 --> 00:07:35.120 and responses unencrypted. 161 00:07:34.560 --> 00:07:35.839 So you just listen for those. 162 00:07:35.759 --> 00:07:39.079 YEP or even sneakier, you can force clients off the 163 00:07:39.120 --> 00:07:43.240 network using de authentication packets when they try to reconnect boom, 164 00:07:43.439 --> 00:07:45.759 they reveal the hidden SSID. 165 00:07:45.720 --> 00:07:49.639 So basically useless as a security feature. What about MP 166 00:07:49.759 --> 00:07:52.759 filtering locking it down to specific devices. 167 00:07:52.920 --> 00:07:55.759 That's another age old technique, as the book calls it, 168 00:07:55.839 --> 00:07:58.439 that fails miserably in the wireless world. 169 00:07:58.560 --> 00:08:01.399 Why because the MP address are also sent unencrypted. 170 00:08:01.519 --> 00:08:04.519 Exactly, you sniff the MP address of a legitimate client, 171 00:08:04.560 --> 00:08:06.680 then you use a tool like a changer to spoof 172 00:08:06.720 --> 00:08:10.519 your MP address to match THEIRS filter bypass. 173 00:08:10.000 --> 00:08:13.040 Just like that. More security. Theater then makes you feel safe, but. 174 00:08:13.279 --> 00:08:17.800 Doesn't actually stop a determined attacker. And open authentication, the 175 00:08:17.800 --> 00:08:21.000 book is blunt, provides no real authentication at all. 176 00:08:21.199 --> 00:08:26.160 Okay, so hidden SSIDs and C filters open off not 177 00:08:26.319 --> 00:08:30.879 real security. What about shared key authentication? That sounds more secure. 178 00:08:30.920 --> 00:08:32.399 It was used with WP, right. 179 00:08:32.559 --> 00:08:35.720 It was, but it has a fundamental flaw. The whole 180 00:08:35.720 --> 00:08:39.840 process relies on a challenge response using the shared WEP key. Okay, 181 00:08:39.919 --> 00:08:42.559 but an attacker can just listen to this exchange. They 182 00:08:42.600 --> 00:08:45.440 capture the plain text challenge sent by the access point, 183 00:08:45.440 --> 00:08:48.480 and they capture the encrypted response sent back by the client, And. 184 00:08:48.440 --> 00:08:50.759 Because they have both the original and the encrypted. 185 00:08:50.440 --> 00:08:53.639 Version, they can use a simple mathematical operation xor to 186 00:08:53.720 --> 00:08:57.039 figure out the keystream the secret sauce used for encryption 187 00:08:57.159 --> 00:08:58.519 for that specific exchange. 188 00:08:58.519 --> 00:09:01.840 WHOA, so they don't need the actual WP key itself. 189 00:09:01.919 --> 00:09:04.360 Nope, they get the keystream and they can use that 190 00:09:04.399 --> 00:09:07.240 to authenticate themselves to the network. It completely breaks the 191 00:09:07.279 --> 00:09:08.360 shared secret idea. 192 00:09:08.600 --> 00:09:13.519 That's bad, which leads us nicely into encryption flaws. Particularly 193 00:09:13.679 --> 00:09:15.159 we put itself. 194 00:09:14.759 --> 00:09:19.679 Ah, WEP wired equivalent privacy famously broken. The book states 195 00:09:19.679 --> 00:09:22.840 it very clearly, WEP can always be broken, no matter 196 00:09:22.879 --> 00:09:25.720 what the key used is or which access point is running. 197 00:09:25.519 --> 00:09:27.200 It always that's a strong statement. 198 00:09:27.440 --> 00:09:30.919 It's because the underlying crypto RC four as used in WP, 199 00:09:31.159 --> 00:09:34.600 and especially the way it used initialization vectors I THEES, 200 00:09:35.080 --> 00:09:38.240 was fundamentally flawed. It leaked information about the key over time. 201 00:09:38.519 --> 00:09:40.519 So how does an attacker actually crack it? 202 00:09:40.799 --> 00:09:44.200 In practice, it's a multi step process. Usually, first find 203 00:09:44.200 --> 00:09:47.919 the network, usually with AERODUMPA yeah. Then you need lots 204 00:09:47.919 --> 00:09:51.480 of data packets encrypted with that WEP key, tens or 205 00:09:51.600 --> 00:09:52.559 hundreds of thousands. 206 00:09:52.600 --> 00:09:54.120 How do you get those if you're not connected? 207 00:09:54.360 --> 00:09:57.720 Packet injection Again, you capture a specific type of packet 208 00:09:57.759 --> 00:10:00.200 like an ARP request and then replay it over and 209 00:10:00.240 --> 00:10:04.519 over using airplane. The access point responds, generating more encrypted 210 00:10:04.519 --> 00:10:06.120 traffic for you to capture. 211 00:10:05.799 --> 00:10:06.919 Even though you don't know the key. 212 00:10:06.960 --> 00:10:10.080 Yeah, clever, yep. Once you have enough captured data, you 213 00:10:10.120 --> 00:10:12.799 feed it into a tool like air cracking. It analyzes 214 00:10:12.840 --> 00:10:17.080 the weak ivs and pretty quickly usually recovers the WEEP key. 215 00:10:17.200 --> 00:10:21.120 So WEP is just a non starter for security today. 216 00:10:21.200 --> 00:10:21.440 Yeah. 217 00:10:21.480 --> 00:10:25.399 What about WPA and WPA two using PSK pre shared 218 00:10:25.480 --> 00:10:27.360 key that's what most home networks use. 219 00:10:27.399 --> 00:10:31.399 Yeah, much better, much much better than WAP, but still vulnerable, 220 00:10:31.600 --> 00:10:34.600 specifically to dictionary tax if and this is the big 221 00:10:34.919 --> 00:10:36.320 if people use a weak. 222 00:10:36.159 --> 00:10:39.799 Passphrase, the human element the password problem exactly. 223 00:10:40.399 --> 00:10:44.000 The attack targets the four way WPA handshake. This happens 224 00:10:44.039 --> 00:10:46.960 every time a device connects. It's a cryptographic exchange to 225 00:10:47.039 --> 00:10:48.960 prove both sides know the shared key. 226 00:10:49.279 --> 00:10:51.120 So you capture that handshake YEP. 227 00:10:51.000 --> 00:10:53.039 Sniff it out of the air. Then you take that 228 00:10:53.159 --> 00:10:56.159 captured handshake data and run air cracking again, but this 229 00:10:56.279 --> 00:10:58.879 time you give it a dictionary file, a big list 230 00:10:58.919 --> 00:11:00.440 of potential passwords, and. 231 00:11:00.360 --> 00:11:03.799 It tries every password in the list against the handshake data. 232 00:11:03.639 --> 00:11:05.960 Until it finds a match. The book puts it perfectly, 233 00:11:06.519 --> 00:11:08.600 You are just as good as the dictionary you have. 234 00:11:08.919 --> 00:11:11.440 If the real passphrase isn't in your list, you won't 235 00:11:11.440 --> 00:11:12.200 crack it this way. 236 00:11:12.600 --> 00:11:16.879 So a really long, complex unique passphrase makes this kind 237 00:11:16.879 --> 00:11:18.200 of attack much. 238 00:11:17.960 --> 00:11:22.200 Harder, exponentially harder, maybe impossible in a practical timeframe, but 239 00:11:22.320 --> 00:11:25.559 people reuse passwords, use dictionary words. 240 00:11:25.279 --> 00:11:29.320 Birthdays, making the dictionary attack feasible. Are there ways to 241 00:11:29.360 --> 00:11:30.000 speed it up? 242 00:11:30.240 --> 00:11:33.960 Oh? Yeah, Tools like gen click or pirate. They can 243 00:11:34.000 --> 00:11:36.559 pre calculate parts of the process, especially if you know 244 00:11:36.600 --> 00:11:41.320 the network name SIE and Pirate uses GPU's graphics cards 245 00:11:41.559 --> 00:11:45.240 to crunch the possibilities way faster than a standard CPU. 246 00:11:45.440 --> 00:11:48.960 Okay, so let's say you've cracked the key WEP or WPA. 247 00:11:49.080 --> 00:11:51.480 What next? Can you read the data you captured earlier? 248 00:11:51.600 --> 00:11:55.320 Yes, tools like airty cap. You feed it the cracked 249 00:11:55.440 --> 00:11:58.360 key and the capture file the dot cap file, and 250 00:11:58.360 --> 00:12:01.159 it decrypts the packets. You can see the actual data 251 00:12:01.200 --> 00:12:02.039 that was flying. 252 00:12:01.799 --> 00:12:05.039 Around in the final step the proof connecting to the network. 253 00:12:05.159 --> 00:12:08.000 Right for a pen tester, that's the goal. Use standard 254 00:12:08.039 --> 00:12:11.000 tools like i canfig for WP or EP A supplicant 255 00:12:11.000 --> 00:12:13.879 for WPP two. Plug in the key you just cracked, 256 00:12:13.879 --> 00:12:16.279 and connect to the network just like a legitimate user. 257 00:12:16.480 --> 00:12:19.000 That's the ultimate validation. Okay, let's shift gears a bit 258 00:12:19.320 --> 00:12:22.720 beyond cracking keys. How else can attackers target the network? 259 00:12:23.000 --> 00:12:24.720 The infrastructure itself well? 260 00:12:24.759 --> 00:12:28.039 Access points? The routers themselves are often overlooked. The book 261 00:12:28.080 --> 00:12:31.279 says they're sometimes the most neglected in terms of security. Also, 262 00:12:31.960 --> 00:12:36.720 default passwords BINGO, default admin user names, and passwords that 263 00:12:36.840 --> 00:12:41.039 never get changed. That's often an instant full system compromise, 264 00:12:41.480 --> 00:12:43.399 easy access to the router's settings. 265 00:12:43.720 --> 00:12:46.320 And even if they are changed, maybe they're weak. 266 00:12:46.120 --> 00:12:50.840 Yep, vulnerable to dictionary attacks using tools like Hydra against 267 00:12:50.879 --> 00:12:53.480 the router's web inner face or other management protocols. 268 00:12:53.519 --> 00:12:55.679 What about just disrupting the network. 269 00:12:55.360 --> 00:12:59.600 Denial of service dough attacks We mentioned deauthentication packets earlier. 270 00:12:59.639 --> 00:13:00.840 You can last those out. 271 00:13:00.720 --> 00:13:03.200 Continuously forcing everyone off the network. 272 00:13:03.039 --> 00:13:08.080 Kicking clients off repeatedly, making the network basically dysfunctional, very 273 00:13:08.120 --> 00:13:10.679 annoying and can be used as part of other attacks too. 274 00:13:10.879 --> 00:13:14.000 And then there's the evil twin that sounds ominous it is. 275 00:13:14.080 --> 00:13:16.399 It's a really potent attack. An attacker sets up their 276 00:13:16.440 --> 00:13:19.320 own access point, maybe using their laptop and that alpha card, 277 00:13:19.720 --> 00:13:21.960 and they give it the exact same name, the same 278 00:13:22.120 --> 00:13:24.919 SSID as the legitimate network you want to connect to, 279 00:13:25.440 --> 00:13:28.440 maybe even the same MOC just using spoofing, so. 280 00:13:28.480 --> 00:13:31.279 Your devices two identical networks. 281 00:13:31.159 --> 00:13:33.679 Or it might just see the attackers twin, especially if 282 00:13:33.679 --> 00:13:36.960 its signal is stronger. Users might accidentally connect to the 283 00:13:36.960 --> 00:13:37.440 fake one. 284 00:13:37.679 --> 00:13:40.120 And if the attackers spoost the MAC address. 285 00:13:39.799 --> 00:13:42.960 Too, it becomes even more difficult to detect and deter. 286 00:13:43.720 --> 00:13:46.720 The book notes that even tools like aero dumping might 287 00:13:46.759 --> 00:13:50.399 struggle to visually distinguish the real AP from the evil twin. 288 00:13:50.840 --> 00:13:52.440 If the mac's match, so. 289 00:13:52.399 --> 00:13:55.080 You connect to the attackers network thinking it's legit. 290 00:13:56.279 --> 00:13:58.879 What happens Then the attacker is now sitting in the middle. 291 00:13:59.320 --> 00:14:03.240 They can see your traffic, potentially steal credentials, redirect you 292 00:14:03.360 --> 00:14:05.919 to fake websites. We'll get more into that with man 293 00:14:05.919 --> 00:14:06.360 in the middle. 294 00:14:06.440 --> 00:14:09.600 Okay, before that, what about rogue access points? Is that 295 00:14:09.639 --> 00:14:10.679 different from an evil twin? 296 00:14:11.159 --> 00:14:14.720 Yeah, slightly different concept. A rogue AP is an unauthorized 297 00:14:14.759 --> 00:14:17.240 access point connected to the authorized network. 298 00:14:17.519 --> 00:14:20.679 So someone plugs a cheap wireless router into the company's 299 00:14:20.679 --> 00:14:22.440 wired network jack under. 300 00:14:22.279 --> 00:14:25.480 Their desks exactly. It creates a backdoor entry. It bypasses 301 00:14:25.480 --> 00:14:28.519 all the corporate firewall rules and security because it's connecting 302 00:14:28.559 --> 00:14:30.879 from the inside out wirelessly. 303 00:14:30.480 --> 00:14:33.600 A bridge from the untrusted wireless world directly into the 304 00:14:33.600 --> 00:14:35.000 trusted wired network. Yep. 305 00:14:35.320 --> 00:14:37.960 An attacker could even set up a wifey bridge to 306 00:14:38.039 --> 00:14:42.320 relay traffic. It's described as a really serious security threat. 307 00:14:42.600 --> 00:14:46.320 Definitely sounds like it. Okay, so that's attacking infrastructure. What 308 00:14:46.399 --> 00:14:50.200 about going directly after the clients, the laptops the phone's connecting. 309 00:14:50.360 --> 00:14:54.519 Absolutely. Misassociation attacks are one way. Imagine a client that's 310 00:14:54.559 --> 00:14:57.879 not connected, but it's probing looking for networks that knows, 311 00:14:58.080 --> 00:15:00.799 like wireless lab or my home WiFi. 312 00:15:01.039 --> 00:15:02.799 Right devices do that automatically. 313 00:15:02.919 --> 00:15:05.879 An attacker can set up a fake AP with that 314 00:15:06.000 --> 00:15:08.879 name and lure the client into connecting to them instead 315 00:15:08.879 --> 00:15:09.120 of the. 316 00:15:09.080 --> 00:15:11.759 Real network, especially if the fake signal is stronger. 317 00:15:12.039 --> 00:15:15.799 Precisely, you can even force a client off a legitimate 318 00:15:15.840 --> 00:15:18.799 network with death packets, and then when it tries to reconnect, 319 00:15:18.799 --> 00:15:22.159 it sees your stronger fake AP first and connects. 320 00:15:21.759 --> 00:15:25.039 To you sneaky. And this ties into the cafe latte 321 00:15:25.080 --> 00:15:27.600 attack you mentioned earlier. The author's discovery. 322 00:15:27.759 --> 00:15:32.240 It does that attacks specifically targeted WP clients. The genius 323 00:15:32.279 --> 00:15:35.159 part was realizing you could get the WEP key by 324 00:15:35.159 --> 00:15:37.799 interacting only with the client, even if the real access 325 00:15:37.840 --> 00:15:39.120 point wasn't anywhere nearby. 326 00:15:39.200 --> 00:15:40.120 How does that even work? 327 00:15:40.320 --> 00:15:43.039 It involves setting up a fake AP, getting the client 328 00:15:43.080 --> 00:15:46.320 to connect to you, and then cleverly manipulating the ARP 329 00:15:46.440 --> 00:15:50.519 packets the client sends after it connects. By bitflipping and 330 00:15:50.559 --> 00:15:53.519 replaying these packets, you could trick the client into generating 331 00:15:53.639 --> 00:15:55.759 enough specific kinds of traffic. 332 00:15:55.519 --> 00:15:57.039 That leak information about the. 333 00:15:57.080 --> 00:16:00.919 Wep key, exactly enough data for Airing to work its 334 00:16:00.960 --> 00:16:04.399 magic and recover the key, all without the original AP 335 00:16:04.559 --> 00:16:06.879 being involved. Purely client side exploitation. 336 00:16:07.120 --> 00:16:10.919 It's really clever. Does anything similar exist for WPA? Can 337 00:16:10.960 --> 00:16:13.879 you attack the client without the AP? For WPA keys? 338 00:16:14.039 --> 00:16:18.840 Surprisingly yes to some extent. For WPA personal PSK, you 339 00:16:18.879 --> 00:16:20.759 can perform an apless crack. 340 00:16:20.639 --> 00:16:22.559 Meaning you don't need the real router present. Right. 341 00:16:22.759 --> 00:16:25.600 Remember the four way handshake needed for a dictionary attack. 342 00:16:25.639 --> 00:16:28.840 You actually only need the first two packets of that handshake. 343 00:16:28.519 --> 00:16:29.200 Just the first two. 344 00:16:29.639 --> 00:16:34.200 Yeah, those first two messages contain enough information the cryptographic 345 00:16:34.279 --> 00:16:38.120 nonss the MAAC addresses for air cracking to run a 346 00:16:38.159 --> 00:16:41.080 dictionary attack. So if you can somehow capture just those 347 00:16:41.120 --> 00:16:44.519 first two packets exchanged between a client and any AP, 348 00:16:44.919 --> 00:16:48.039 even a fake one, or just passively sniff them when 349 00:16:48.080 --> 00:16:49.960 the client connects, normally. 350 00:16:49.720 --> 00:16:52.960 You can try to crack the password offline later without 351 00:16:52.960 --> 00:16:54.279 ever interacting with the real. 352 00:16:54.120 --> 00:16:57.720 AP again exactly, it broadens the attack surface significantly if 353 00:16:57.720 --> 00:16:59.840 you don't need the AP. Where else could you capture 354 00:16:59.840 --> 00:17:03.159 these initial packets? Maybe just by being near someone when 355 00:17:03.159 --> 00:17:04.720 they connect their phone at a cafe. 356 00:17:05.960 --> 00:17:09.440 Interesting possibility. What's why fishing sounds like fishing kind of is? 357 00:17:09.519 --> 00:17:13.079 Yeah? An attacker sets up multiple fake access points or honeypots. 358 00:17:13.119 --> 00:17:16.279 They all have the same name SSID as a target network, 359 00:17:16.599 --> 00:17:20.799 maybe different security settings one open one, WP one WPA two. 360 00:17:21.000 --> 00:17:23.319 Why different security settings to act as bait. 361 00:17:24.039 --> 00:17:26.720 When a client probes for that network name, the attacker 362 00:17:26.759 --> 00:17:29.880 sees which fake AP the client tries to connect to first. 363 00:17:30.279 --> 00:17:33.400 That reveals what security configurations the client has stored and 364 00:17:33.440 --> 00:17:34.839 trusts for that SSID. 365 00:17:35.160 --> 00:17:38.799 Ah, so you learn if the client expects WB or 366 00:17:39.039 --> 00:17:42.720 WPA two, or maybe even connects to an open network 367 00:17:42.720 --> 00:17:44.559 with that name if one is available. 368 00:17:44.799 --> 00:17:49.039 Intelligence gathering precisely helps tailor the next stage of the attack. 369 00:17:49.200 --> 00:17:52.119 Okay, this leads us into the really advanced stuff man 370 00:17:52.119 --> 00:17:55.720 in the middle attacks. You mentioned the Evil Twins setup, right. 371 00:17:55.640 --> 00:17:59.960 That's a classic way to achieve MITM. On wireless, attackers 372 00:18:00.039 --> 00:18:03.519 sets up a fake AP, victim connects to the fake AP. 373 00:18:04.359 --> 00:18:07.920 The attackers machine is usually also connected to the legitimate network, 374 00:18:08.440 --> 00:18:12.039 maybe via the wired land or another wireless card, so. 375 00:18:12.000 --> 00:18:15.440 The attacker's machine is physically sitting between the victim and 376 00:18:15.480 --> 00:18:16.839 the real internet or network. 377 00:18:17.160 --> 00:18:20.279 Correct because all the traffic is being relayed from the 378 00:18:20.279 --> 00:18:23.839 wireless interface victim side to the wired side Internet side, 379 00:18:23.960 --> 00:18:26.039 we have full control over the traffic. 380 00:18:26.160 --> 00:18:28.720 Full control meaning they can see everything. 381 00:18:28.480 --> 00:18:31.960 Everything passing through them, even traffic not specifically addressed to 382 00:18:31.960 --> 00:18:34.960 the attackers machine. They can just peer into the bridge traffic, 383 00:18:35.000 --> 00:18:38.200 as the book says, eavesdrop on web browsing, chats, whatever 384 00:18:38.279 --> 00:18:39.640 isn't encrypted end to end. 385 00:18:40.000 --> 00:18:42.640 So HTTPS would still protect the content, but they'd see 386 00:18:42.640 --> 00:18:43.279 where you're going. 387 00:18:43.480 --> 00:18:46.480 Generally, yes, but they can do more than just watch. 388 00:18:46.640 --> 00:18:49.680 They can manipulate. Session hijacking is a big one. 389 00:18:49.759 --> 00:18:50.480 How does that work? 390 00:18:50.640 --> 00:18:53.880 DNIS hijacking is a classic example with n MITM. Your 391 00:18:53.880 --> 00:18:57.039 computer asks what's the IP address for Google dot Com. 392 00:18:57.559 --> 00:19:00.720 The attacker intercepts that request and send back a fake 393 00:19:00.839 --> 00:19:02.200 DNS response. 394 00:19:01.880 --> 00:19:04.480 Pointing Google dot Com to their own machine instead of 395 00:19:04.519 --> 00:19:05.319 Google servers. 396 00:19:05.480 --> 00:19:07.880 Exactly. So when your browser tries to go to Google, 397 00:19:07.920 --> 00:19:09.960 it connects to the attackers machine, and. 398 00:19:09.960 --> 00:19:12.680 The attacker can then serve up whatever they want, a 399 00:19:12.720 --> 00:19:14.559 fake login page. 400 00:19:14.359 --> 00:19:18.799 Malware, anything. The book mentions just serving the default Apache 401 00:19:18.880 --> 00:19:21.759 it works page as a simple proof of concept, but yeah, 402 00:19:21.799 --> 00:19:24.759 fake log in pages are common. It highlights a key point. 403 00:19:25.119 --> 00:19:27.759 Once we have full control of the lower layers layer 404 00:19:27.799 --> 00:19:30.200 two in this case, it is easy to hijack applications 405 00:19:30.240 --> 00:19:33.200 running on higher layers, such as DMS clients and web browsers. 406 00:19:33.319 --> 00:19:36.400 Layer two control gives you power over layer seven applications. 407 00:19:36.480 --> 00:19:40.000 That's scary, Okay, what about the big enterprise networks WPA 408 00:19:40.200 --> 00:19:43.480 enterprise radius servers. Surely that's more secure. 409 00:19:43.720 --> 00:19:47.599 It definitely should be. But the book challenges the idea 410 00:19:47.720 --> 00:19:52.319 that WPA enterprise has this aura of unbreakable around it. 411 00:19:52.319 --> 00:19:54.920 It suggests nothing could be further from the truth if 412 00:19:54.960 --> 00:19:58.559 it's misconfigured, miscontigured. How a common protocol used is PEEP 413 00:19:59.200 --> 00:20:02.640 If the clients. The employee's laptop maybe is set up 414 00:20:02.799 --> 00:20:05.799 not to properly validate the server's certificate. 415 00:20:05.319 --> 00:20:07.319 So it doesn't check if the Radius server it's talking 416 00:20:07.319 --> 00:20:08.200 to is legitimate. 417 00:20:08.359 --> 00:20:10.640 Right, an attacker can perform a man in the middle, 418 00:20:11.200 --> 00:20:13.839 present a fake certificate for the Radius server and the 419 00:20:13.880 --> 00:20:15.079 client might just accept it. 420 00:20:15.160 --> 00:20:16.680 Okay. What happens then the. 421 00:20:16.559 --> 00:20:21.079 Inn authentication protocol often ms chap v two proceeds. Even 422 00:20:21.119 --> 00:20:23.920 though the attacker doesn't get the user's password directly, they 423 00:20:23.960 --> 00:20:27.039 can capture the username and the challenge response hashes exchange 424 00:20:27.119 --> 00:20:28.839 during that ms chap v two. 425 00:20:28.720 --> 00:20:31.000 Process, and those hashes can be cracked. 426 00:20:31.160 --> 00:20:34.559 Yes, tools like a SLEEP are specifically designed to crack 427 00:20:34.680 --> 00:20:38.440 ms chap v two hashes, potentially revealing the user's password. 428 00:20:38.839 --> 00:20:43.240 So even WPA enterprise isn't fool proof if not configured correctly, 429 00:20:43.400 --> 00:20:46.680 especially on the client side. What about other enterprise methods. 430 00:20:46.960 --> 00:20:50.680 Eap TTLs is mentioned as similar. If it uses ms 431 00:20:50.720 --> 00:20:54.319 chap v two inside the secure tunnel and certificate validation 432 00:20:54.480 --> 00:20:57.000 is weak, it's vulnerable to the same kind of hash 433 00:20:57.039 --> 00:20:57.759 cracking attack. 434 00:20:57.960 --> 00:21:02.400 Wow, so configuration details absolutely critical. Okay, stepping back, we've 435 00:21:02.440 --> 00:21:09.519 covered sniffing injection cracking, WVPWPA, evil twins, MITM, even enterprise attacks. 436 00:21:10.039 --> 00:21:12.559 How does this all come together in a real penetration test? 437 00:21:12.599 --> 00:21:13.359 Is there a method? 438 00:21:13.680 --> 00:21:17.440 Yes, definitely, it's systematic. The book outline stages similar to 439 00:21:17.480 --> 00:21:21.359 a wired network test. Planning, discovery, attack, and reporting. 440 00:21:21.680 --> 00:21:24.680 So planning what you're testing, discovering the networks and clients right. 441 00:21:24.880 --> 00:21:29.319 Discovery involves identifying access points, clients their security settings using 442 00:21:29.359 --> 00:21:30.400 tools like aer dumping. 443 00:21:30.480 --> 00:21:33.200 In the attack phase, using the techniques we discuss, and 444 00:21:33.240 --> 00:21:35.279 finally reporting the findings exactly. 445 00:21:35.440 --> 00:21:38.119 And a key part of discovery and reporting is identifying 446 00:21:38.119 --> 00:21:40.920 specific threats like rogue access points. 447 00:21:41.160 --> 00:21:44.160 How do you find those? Definitively we said they bypass firewalls. 448 00:21:44.359 --> 00:21:47.319 It's tricky. You can try matching as the addresses seen 449 00:21:47.400 --> 00:21:50.519 on the wireless side with non EMICs on the wired network. 450 00:21:50.920 --> 00:21:53.680 If you find a wireless ap whose MS isn't on 451 00:21:53.720 --> 00:21:56.559 the wired switch tables, it might be rogue. But more 452 00:21:56.599 --> 00:22:01.559 advanced tools like wireless intrusion prevention systems WAS are better 453 00:22:01.640 --> 00:22:01.880 at this. 454 00:22:02.359 --> 00:22:06.319 What about unauthorized clients someone bringing their personal lapsop onto 455 00:22:06.359 --> 00:22:07.319 the corporate Wi Fi? 456 00:22:07.640 --> 00:22:10.079 Aero dumpin can help there too. You map out all 457 00:22:10.079 --> 00:22:12.880 the clients connected to your authorized access points. If you 458 00:22:12.880 --> 00:22:15.359 see a device connected that isn't on your approved list, 459 00:22:15.400 --> 00:22:18.440 that's an unauthorized client, a potential breach right there. 460 00:22:18.559 --> 00:22:21.440 It really sounds like a continuous battle. The tech evolves, 461 00:22:21.599 --> 00:22:23.200 attacks evolve absolutely. 462 00:22:23.319 --> 00:22:26.680 The book stress is that Wi Fi security is constantly evolving. 463 00:22:27.160 --> 00:22:30.559 New attacks, new tools, new defenses appear all the time. 464 00:22:30.799 --> 00:22:32.759 It's a journey, not a destination. 465 00:22:33.000 --> 00:22:35.680 So how do you keep learning? What's next? After mastering 466 00:22:35.720 --> 00:22:36.839 the basics in this guy. 467 00:22:36.880 --> 00:22:39.880 Build a more advanced lab. The book suggests getting directional 468 00:22:39.880 --> 00:22:43.400 antennas for focused attacks, different types of access points eight 469 00:22:43.400 --> 00:22:46.920 oh two point one ABGM, more Wi Fi cards, maybe 470 00:22:46.920 --> 00:22:49.119 smartphones and tablets to test against. 471 00:22:49.279 --> 00:22:51.279 Keep experimenting and keep reading. 472 00:22:51.400 --> 00:22:55.240 Definitely stay updated. The author points to specific resources mailing 473 00:22:55.319 --> 00:22:59.480 lists like wifisec at, SecurityFocus dot com, okay, websites like aircrack, 474 00:22:59.599 --> 00:23:03.440 dash dot org itself. Rale Siles maintains a huge list 475 00:23:03.480 --> 00:23:07.319 of wireless security resources. Joshua Wrights blog is great for 476 00:23:07.519 --> 00:23:11.200 WPA enterprise attacks and conferences. Big ones like Defcon and 477 00:23:11.279 --> 00:23:14.839 black Hat. Many talks and materials end up online for free. 478 00:23:15.160 --> 00:23:17.480 Constant learning is crucial, so. 479 00:23:17.759 --> 00:23:21.160 Bringing this all together, we've gone pretty deep into the 480 00:23:21.359 --> 00:23:25.759 vulnerabilities hiding in plain sight in wireless networks, from just 481 00:23:25.920 --> 00:23:30.319 listening in to actively breaking encryption to impersonating networks. 482 00:23:30.400 --> 00:23:33.440 It's quite the landscape. And these aren't just theoretical attacks. 483 00:23:33.440 --> 00:23:35.680 The book shows how practical they are, with readily available 484 00:23:35.720 --> 00:23:39.599 tools exploiting everything from obvious week passwords to subtle flaws 485 00:23:39.599 --> 00:23:40.599 and protocol design. 486 00:23:40.720 --> 00:23:43.279 And understanding this For you, the listener, it's not just 487 00:23:43.279 --> 00:23:46.200 about learning how to hack Wi Fi. It's about defense. 488 00:23:45.960 --> 00:23:49.160 Right absolutely, Knowing the offense informs the defense. It helps 489 00:23:49.200 --> 00:23:52.119 you make much smarter choices about your own security, whether 490 00:23:52.160 --> 00:23:54.920 it's locking down your home network properly or understanding the 491 00:23:55.000 --> 00:23:58.880 risks in an enterprise environment. It's about seeing that invisible 492 00:23:58.920 --> 00:23:59.920 world more clearly. 493 00:24:00.519 --> 00:24:02.519 So here's a final thought to leave you with. Wi 494 00:24:02.519 --> 00:24:06.240 Fi security evolves so fast. We've talked about WEP, WPA, 495 00:24:06.480 --> 00:24:10.359 WPA TWOWPA three is out there now, but history suggests 496 00:24:10.359 --> 00:24:13.720 something new will emerge. What's the next unexpected vulnerability going 497 00:24:13.720 --> 00:24:16.400 to be and how will our ever increasing reliance on 498 00:24:16.559 --> 00:24:19.720 wireless everything amplify its impact when it hits. 499 00:24:20.039 --> 00:24:23.680 It's a fascinating and maybe slightly worrying question, as the 500 00:24:23.680 --> 00:24:26.319 book implies, you really do have to remain a student 501 00:24:26.400 --> 00:24:27.279 forever in this field.