If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!
In this tutorial we will continue covering signal jamming and denial of service (DoS) using Kali Linux. We will write our own Bash script to automate the process.
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
In this tutorial we will cover signal jamming and denial of service (DoS) using Kali Linux. I will show you how to conduct a scan of surrounding networks, how to troubleshoot any issues you may be having with your network card, and the measures you can take to protect yourself.
In this tutorial we will continue with our Reaver use case. I will demonstrate how to find the WPS PIN authentication on your router, and how to use an algorithm to reverse engineer your router’s PIN. We will also cover how to avoid the AP rate limiting error.
In this tutorial we will continue with our Reaver use case. I will demonstrate how to scan for networks, how to choose a network, and how to begin exploiting the router’s PIN authentication process.
This tutorial begins a series on how to obtain access to WPS router PINs using Reaver. We will briefly discuss the setup process, how to access your router’s administration interface, and the arguments you will need when using Reaver. This video will serve as an introduction.
Hello everybody and welcome to the continuation of this tutorial. Today we’re going to do the actual cracking of the captured file, which is a follow-up to the previous tutorial. Make sure you watch these in the proper order, as they are usually tied to one another.
Anyway, we have aircrack-ng, so I’m just going to go ahead and type that in: aircrack-ng. We need -w for the password list or word list that we will be using. You can find these online and download them, and I’ve seen some pretty good ones; one will be around 48 gigabytes, something like that. However, you will need to keep certain things in mind. First of all, the region where you’re performing this. For example, if you’re doing this in the US, Canada, or any other English-speaking area, you will be able to find some relatively good word lists that you can use. If you are in a region such as mine, where people mainly speak Slavic languages, an English word list is not going to be very helpful. Or, if you’re in Russia, or perhaps in France, or somewhere of the kind, there are specialized word lists for those particular languages, but more often than not they don’t tend to work. As I said, if you’re in an English-speaking region, try out a word list. People tend to either repeat passwords or use fairly similar ones, so the likelihood of the password being in the word list is pretty high. This is what is referred to as a dictionary attack. You literally take a dictionary from somewhere, type the name of the file here after downloading it, pass it to aircrack-ng, and start cracking, which is a fairly demanding process. But over a certain period of time it will finish trying all of the possible combinations within the dictionary. It might take a day or two, or something like that, but you don’t have to be sitting next to the Wi-Fi the whole time; you can spread this attack out. Once you begin cracking the password, you can sit in your house without a connection to the internet. The capture process requires being connected to the network; the cracking process is conducted on your local machine. This is very important: it is completely different from an online attack.
However, I am in a region where word lists are not very useful, and therefore I’m going to take a different approach. I’m going to say -w for a file to be read in, but I will tell it to read from standard input instead. Now I do need to specify the actual capture file, so SCAN_test-01.cap. Let’s just expand this to full screen, excellent! So, I have SCAN_test-01.cap, and the final thing that I need to put in is the ESSID, which is Something. Now, in front of it all I’m going to use crunch and pass it a list of arguments. With -f you can actually specify what sort of characters will be assigned to which positions. I would strongly advise looking through the man pages of crunch, let me just show you. Clear, and man crunch, excellent! So we have the man page for crunch, and you have these arguments, and so on and so forth. If we go down below, this is -f /path/to/charset.lst, which we might actually use as well. I’ve shown you that, but we’ll see whether that is convenient for our purpose. Sorry, it’s not -f, it’s -t. All of these symbols represent certain types of characters. So, for example, the @ represents lowercase letters. The % sign represents numbers. The ^ I believe is capital letters, etc. You don’t need to memorize the syntax. Just take a look at the man page and figure out how to write the command.
So, keep in mind that the @ sign is an option, the comma is an option, the percentage sign is an option, and the caret sign is an option. Look at what it says; the explanation is practically perfect. Specifies a pattern; an example of a pattern is @@god@@@@. Believe it or not, people actually use that in their passwords. He has two @ signs at the front and four @ signs at the back. Look at what the @ sign represents: it will insert lowercase characters. It will use this word, and insert lowercase characters in front of and behind it. If he had placed a comma in there, it would insert uppercase characters. If he had inserted a percentage sign somewhere in there, it would insert numbers: not a caret sign, a percentage sign. And the caret sign is down below; it will insert symbols. That is why it is very important to acquaint yourselves with the sort of password that you are breaking. You cannot just walk in and brute-force a password without knowing anything about it beforehand. That’s just highly unlikely to succeed. I mean, even with the best of machines out there, it will not work as well as you want it to. I’m running a few virtual machines in the background, so perhaps my CPU usage will be a bit lower, but I’ve managed to turn everything off and max it out. It was at 1,700 passwords per second. I think I could have gotten to 2,200 if I overclocked my processor, but I don’t have the proper cooling system.
That is a very important aspect of this. You will need to watch the temperature of your processor. If you’re using an Intel Core processor, it will shut down by default; it will not allow you to destroy it by overheating. On the right side of the screen here I have a temperature meter. You will see that the current temperature is around 61 degrees Celsius. When I begin the brute-force attack with aircrack, it will load the CPU to a ridiculous extent, and you will see how the CPU temperature increases. When you’re performing this attack, you may wish to consider employing some extra cooling in order to reduce the temperature of your processor. That will not only decrease the chance of something malfunctioning, it will also increase the number of attempts it can perform per second.
Anyway, without further ado, I’m going to type in crunch -t. I want it to use four numbers in front, and I know that the word is thunder, so I’m going to type it in. I’m going to say 123456789 and 0. Also, I need a pipe. A pipe simply says: whatever comes out of this, pass it to this. And this argument here says: read from whatever is passed in, from standard input. Press Enter, and there we go. This is going to take a while. Actually, this is not going to work, because I am a genius who failed to pass the proper length. When passing the length, in combination with what we did here, you absolutely need to make sure that it’s exactly the same length: 11, 11, excellent! Press Enter, and the scan is in progress. There we go, key found in a ridiculously short amount of time, primarily because I already knew a good portion of it. Let’s try something different. Let’s remove this, and if I remember correctly that was for capital letters, I believe it was a comma? Let’s verify that because I’m not all-knowing... and comma will insert uppercase letters. Yes, it will. My memory still serves me well. I will remember to treat my brain to something later. Press Enter, and the number of possible combinations is not that large. I wanted to make sure that you had the opportunity to see the maximum number of tries here.
Let me go ahead and close all of my other virtual machines. Once I do that, I will have more CPU power to spare that I can devote to this brute-forcing method. I remember getting up to 1,700. Once again, it’s found it within a reasonable amount of time. Let’s try passing a character set. So, it’s a lowercase -f, /path/to/charset.lst charset-name. I need to go ahead and type in cd Desktop/crunch-3.6/, excellent! ls, and we have a charset somewhere in here: crunch.c, Makefile, crunch.1, charset.lst, excellent! Here we go, let’s type in less charset.lst, and here we have the names, as I stated before, for pretty much all the charsets in existence. We can specify these manually, but it’s better to use these charsets as there is a much smaller probability of a mistake. Let’s use mixalpha-numeric-space, and this is going to significantly increase the number of possible combinations. It will probably take until tomorrow to actually guess it, but oh well. Press Enter, and it’s still giving me a relatively small number of combinations. Let’s remove this one to say @@, and this one as well, @, press Enter: it’s 726 gigabytes. Now this will take a significant amount of time. Let’s see what else we can close in order to speed it up. Oh, I know why it’s so low: I am recording my screen for this tutorial. That is eating up my memory and CPU time as well.
I would like to show you something else before I wrap this tutorial up, because I have a feeling I’ve already exceeded the allotted time. If you have some sort of temperature meter on your computer, you will notice that after an hour or so the temperature will begin to rise. What you can do here, in order to alleviate the stress on a single machine and in order to increase the number of possible attempts, is use this command and give each machine either a list of characters or a length of its own. For example, you can tell one machine: I want you to do all of the combinations for 9 9. Of course, then this option would no longer be possible; we would need to delete this, and another machine could do, for example, 10 10, and another one 11 11. This technique is especially useful for laptops, because a single laptop doesn’t have a ton of processing power; laptops weren’t exactly amazing. So we merged not just a few laptops but also desktop computers. I remember merging 10 to 20 computers together to conduct a brute-force attack. They were all generating passwords; you can give different parameters to different computers to execute against the captured file. Because this capture file is portable, you can conduct the brute-force attack offline. In the follow-up tutorials, I will show you some other methods for how you can attack wireless access points, and what you can do with them. In any case, I bid you farewell, and I hope to see you in the next tutorial.
Hello everybody and welcome to this tutorial. Let’s continue from where we left off in the previous video.
I have a live capture here in progress. I’m going to go ahead and cancel it, and now I will take the information that I need. So, the next command that we’re going to use, again, is airodump-ng. We will use it in combination with a few additional arguments in order to conduct a more precise scan, so that we can capture the four-way handshake which we need in order to continue with the exercise. Go ahead and type in airodump; you don’t need to memorize the full command. You can type in air and then press Tab twice. If it doesn’t work after tabbing twice, press it however many times it takes until you find the command you need. The terminal will tell you what your possibilities are. What we need is airodump, and this is the command that we need. Go ahead and type in o, Tab it again, it will give you fewer options, dump-ng, and that’s it. One of the first things that we’re going to need to do is specify the channel on which my wireless is operating. For this particular exercise I will be using channel 6. So, channel 6, and what is the BSSID? This is the BSSID. Don’t attempt to retype it; copy and paste it just to be sure it is entered correctly. If you miss a single character here, nothing will be achieved. Now we need a file to write to. I will name mine SCAN_test. The final thing that I’m going to need is this BSSID. Go ahead and copy it, and we’ll just reformat this a bit. I’m fairly certain it would work like this as well, but we always want to make our code nice and clean so that it can be read and understood for troubleshooting purposes. When you have commands, text, and code spread around, it can be difficult to figure out what is where. Maybe you can in that moment, but try doing it the next day and it can be difficult to pick up where you left off. Go ahead and press Enter.
Okay, so what does it say? No interface specified. Every time you do this you actually do need to specify an interface. Mine is wlp2s0; that is my wireless interface, which is currently in monitor mode, so press Enter, and there we go. Our scan is now in progress. I have another device that is connected to the network: that’s this device, its BSSID, and station. A station is a device that is connected to this access point. You will not be able to perform this exercise if you do not have any stations connected to your access point. This is because you have nothing to deauthenticate; there is nothing conducting the authentication process which you can capture. We will be deauthenticating this device, and this is also a method that you can use in order to perform a DoS attack on a wireless network. It is nearly guaranteed to work. Pretty much any public wireless network will be vulnerable to this, and you will be able to deauthenticate every device on the network. This, of course, is susceptible to misuse. I would like to ask you, since I am doing this for educational purposes, not to do that.
Anyway, that being said, we need to use aireplay-ng, which is used for deauthentication purposes. We’ll just go ahead and type it in, air, and once again I will use Tab to complete the command, replay-ng. What I want to do is pass an argument of -0, and then I’m going to give it 0 again. I will explain in a moment what these are: -a, and the MAC address of the access point. We don’t need the BSSID flag there. These two arguments state the number of deauthentication transmissions that you wish to send. If you put a 0 in, it sends it into an infinite loop. You will permanently be deauthenticating pretty much every device on this particular MAC address. For example, if you wish to temporarily disrupt connections you can type in 10, or 9, or something like that. There are even options to deauthenticate particular clients. But, for the time being, I’m going to send a general deauthentication request transmission. This will deauthenticate everybody on this particular wireless access point. Since it is my wireless access point, I don’t really care. I only have one device associated with it, and that device will be disconnected shortly. If you wish to verify this, you can connect your cell phone to your Wi-Fi access point, and then you can try performing a DoS attack on yourself to see how it works. If you have any troubles, feel free to ask me in the question section. The procedure is exactly the same as what I’m doing now. You will then notice that the Wi-Fi connection on your phone is breaking. When that starts happening, when the deauthentication requests start being sent, try accessing a website through your cell phone. You will see that you can’t, because there is something obstructing your connection, and you are no longer associated with that access point. I would recommend trying this as it’s a fantastic exercise. You cannot cause any damage to your network or devices.
As soon as the deauthentication requests stop, your connection will be restored.
Let’s go ahead and execute our command. One of the downsides of aircrack is that you need to type in the interface every single time. Excellent! I am now broadcasting the deauthentication signal. Sure enough, I have lost connection to the network on all of my devices. Leave it running for a while just to make sure that you have deauthenticated the device, because you cannot see the device that you are deauthenticating. At a certain point in time, after a couple of minutes, maybe less, you can cancel it. Due to the proximity I can go ahead and cancel it now, and my device will automatically try to reconnect. Once it does, I will capture that authentication, and it should work just fine. In a moment, we should get a four-way handshake in the upper right corner, and there we go. It says WPA handshake for this MAC address. At this point you can go ahead and stop the capture process, as there is really no longer a point to it. We have captured the information that we needed. It’s all here.
In the next tutorial we will take apart the file which we have captured, see what we can do with it, and how we can actually crack it. That is the difficult part of this process. Capturing traffic is not a problem, finding the wireless access point is not a problem; the problem is cracking the encryption itself. Now, keep in mind you must absolutely have at least one device that is associated with this access point and its BSSID. If there are several devices you may want to consider a different denial of service approach. You shouldn’t deauthenticate them all. Select a few and leave the rest running. So, if you have 10 or 20 devices, you can select 5 of them. If just 5 of them don’t work, they’ll usually look to the person next to them, or something like that, and see that it’s working for them. So, the general conclusion that pretty much everybody draws from that is: oh, it has to have something to do with my device; let me just attempt to reconnect to the network. We will go over this in great detail when we cover denial of service attacks, but for the time being just know that it is an option. In any case, I bid you farewell, and I sincerely hope to see you in the follow-up tutorial where we will actually crack the code.
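The deauthentication burst walked through above is also the signature a wireless IDS watches for. As an added example (not the course’s own code), this Python script decodes the 24-byte 802.11 management header, keeps only deauthentication and disassociation frames, and flags any BSSID whose deauth rate exceeds a threshold inside a sliding window, recording whether the frames were broadcast and whether the source address is the AP’s own. The frames are constructed inline; the BSSID, client MAC, window and threshold are made-up values, not the tutorial’s.

```python
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_TYPE = 0            # 802.11 frame type 0 = management
DISASSOC_SUBTYPE = 10    # management subtype 10 = disassociation
DEAUTH_SUBTYPE = 12      # management subtype 12 = deauthentication


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def parse_mgmt_frame(frame):
    """Decode a management frame's MAC header.

    Layout: Frame Control (2, little-endian), Duration (2), Addr1 = DA (6),
    Addr2 = SA (6), Addr3 = BSSID (6), Sequence Control (2), then the body.
    Frame Control bits 0-1 = version, 2-3 = type, 4-7 = subtype.  For deauth
    and disassoc the body starts with a 2-byte reason code.  Returns
    (subtype, dst, src, bssid, reason) or None if this is not a management frame.
    """
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if version != 0 or ftype != MGMT_TYPE:
        return None
    dst, src, bssid = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    reason = None
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, dst, src, bssid, reason


def detect_deauth_flood(timed_frames, window=1.0, threshold=10):
    """Return {bssid: alert} for BSSIDs exceeding `threshold` deauth/disassoc
    frames within any `window` seconds.  `timed_frames` is an iterable of
    (timestamp_seconds, raw_frame_bytes) in time order.

    A few deauths per hour is normal (clients leaving, APs pruning idle
    stations).  A burst of broadcast deauths whose source address equals the
    BSSID is the pattern produced by the aireplay-ng -0 flood shown above.
    """
    recent = defaultdict(list)   # bssid -> timestamps still inside the window
    stats = defaultdict(lambda: {"total": 0, "broadcast": 0, "reasons": set()})
    alerts = {}
    for ts, raw in timed_frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None or parsed[0] not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        _, dst, src, bssid, reason = parsed
        seen = recent[bssid]
        seen.append(ts)
        while seen and ts - seen[0] > window:
            seen.pop(0)
        s = stats[bssid]
        s["total"] += 1
        s["broadcast"] += int(dst == BROADCAST)
        s["reasons"].add(reason)
        if len(seen) > threshold and bssid not in alerts:
            alerts[bssid] = {"first_seen": seen[0],
                             "burst_rate": len(seen) / window,
                             "spoofed_ap_source": src == bssid}
    for bssid, alert in alerts.items():
        alert["total"] = stats[bssid]["total"]
        alert["broadcast"] = stats[bssid]["broadcast"]
        alert["reasons"] = sorted(stats[bssid]["reasons"])
    return alerts


def constructed_deauth(dst, src, bssid, reason, seq):
    """Test fixture only: build one deauth frame (Frame Control 0x00c0 =
    version 0, type 0 management, subtype 12) with the given reason code."""
    header = struct.pack("<HH", 0x00C0, 0)                  # frame control, duration
    header += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    header += struct.pack("<H", seq << 4)                   # sequence control
    return header + struct.pack("<H", reason)               # body: reason code


AP = "90:f6:52:00:00:01"      # constructed BSSID (not the tutorial's)
PHONE = "a4:5e:60:00:00:02"   # constructed client MAC


def sample_capture():
    """Constructed capture: one benign deauth (reason 3, STA is leaving), then
    40 broadcast deauths in two seconds sourced as the AP (reason 7, class 3
    frame from nonassociated STA)."""
    frames = [(0.0, constructed_deauth(AP, PHONE, AP, 3, 1))]
    frames += [(10.0 + i * 0.05, constructed_deauth(BROADCAST, AP, AP, 7, 100 + i))
               for i in range(40)]
    return frames


if __name__ == "__main__":
    for bssid, alert in detect_deauth_flood(sample_capture()).items():
        print(f"deauth flood on {bssid}: {alert}")
```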
Hello everybody and welcome to this tutorial. Today, we will cover how to crack Wi-Fi. Now that we have finished setting up all of the necessary tools, we can begin with the demonstration.
The first thing that we will need to do is set our wireless network card into monitor mode. Type in ifconfig, press Enter, and this will display all of the network interfaces that are available. My wireless interface is called wlp2s0. A bit of a strange name, I know, but Fedora has a custom of assigning strange names. For example, my wired connection is called p8p1, which is kind of weird, but OK, never mind. Just identify the name of your interface and adapt accordingly. Anyway, I’m going to use wlp2s0. We have two ways of configuring monitor mode. The first method is what I usually use to set it in monitor mode, and the second one is what I use to check for problems. Go ahead and type in ifconfig again, wlp2s0, which is the name of my wireless network card, and type in down. Let’s shut our wireless card down completely. Now we can make some modifications to it. Type in iwconfig wlp2s0 mode monitor. Then ifconfig wlp2s0 up, and now our network card is configured to function in monitor mode. Before, it was functioning in promiscuous mode. There are several names for it, but promiscuous mode is the most common. The difference between the two modes is that in monitor mode network cards are configured to accept packets regardless of whether they are meant for them or not, and in promiscuous mode they will only accept packets that are meant specifically for them.
I’m going to go ahead and clear the screen, and finally start using some of the software packages that come with aircrack. I have a list of commands here on the right side of my screen which we will use today, and we’re going to use a few other ones, but these are the basic ones that you absolutely need to know. So, let me go ahead and type in airmon-ng check wlp2s0. I want to see if there are any processes that could cause interference, and I see that there are quite a few of them. One of the first things that you need to kill is the network manager. Even though it doesn’t directly interfere with the functioning of our software, it does spawn some other processes that might interfere, like your active internet connection here, the dhclient; for example, if your network manager is configured to automatically connect to a certain network, or to a wired network that you plug into your computer. So, let’s just go ahead and kill the process. I’m not going to take any chances today. I’m going to go ahead and kill the network manager, and then I will begin killing the rest. So, let’s repeat the airmon-ng check, excellent! I have a few more of these. You will need to kill them in a certain order because they tend to spawn each other. Even though you’ve killed one as root, it will be killed, but it will be restarted as well. I’ll just go ahead and kill the dhclient as well in order to prevent any interference, and the rest of the killing can be done in any way you like. So, kill, let’s just go ahead and kill 1556, 1215, and 1216. Excellent! Let’s do a check one more time; something is still up. This is what I meant, it is highly annoying. The avahi-daemons are the only ones running. Apparently, I have to kill the WPA supplicant first, and then I can kill these. It can be frustrating because you can’t kill them all at once. You will have to type in the commands time and time again.
Let me just go ahead and clear the screen, and always perform an extra check. You see here that nothing is active; nothing should present any problems now.
Let me go ahead and clear the screen. The next thing that we need to do is perform a scan of our environment here to see what sort of networks are available, and who is connected to which networks. Now, you cannot see that with the network manager. With the network manager we can only see the visible wireless access points around us, while with one of the tools that comes with aircrack you can actually see the wireless access points around you and who is connected to them, which is a very nice feature. I’ll go ahead and type in the first command from my selected list here, airodump-ng wlp2s0, and press Enter. You can now see all of the wireless access points. This one is mine; it’s called Something. I’ve created this network specifically for the purposes of this tutorial. It has a good, strong password, and we are going to be cracking it today. Okay, let me cancel the scanning process, and I would like to explain a few of the things that you can see here during the scanning process itself. The BSSID is the MAC address of the wireless access point. PWR is the strength of the signal. The smaller this negative number is, the stronger the signal: -15 is a stronger signal than -30. -57 will not be the greatest of connections. -78 or -84, yeah, you might be able to connect to them, but this will certainly result in a poor connection. However, even though the signals here are weak, if you have a good enough wireless card you will be able to perform the deauthentication, and therefore you will be able to render any of these networks that you see here inoperable. But that we will save for the later tutorials.
For the time being, I would like to show you one of the ways in which you can crack WPA2 encryption. DoS attacks are very useful; I mean, they can practically render almost any Wi-Fi network out there useless. Nobody will be able to connect to it, or you can deauthenticate a specific client on the network, which is also extremely useful. So, let’s go ahead and clear the screen. Once again, I will run airodump, and I will expand this terminal window so we can see some other things as well. It says Something, it’s 90:F6. I am looking for something to be associated with 90:F6, and that is what I shall use in order to actually deauthenticate, because we are looking for a four-way handshake. It will appear in the top right corner. There we will be able to see all of the packets that are coming in, and there we will be able to actually capture a file and see what is going on. However, that is not possible to do at the moment because we are scanning for pretty much every single network available; I just wanted to show you what it looks like.
The next thing that we need to do is perform a targeted scan. We will be targeting this network here, as it has a good signal. More importantly, I have permission to do whatever I want with this network, as it is mine. These down below are not mine. Also, keep in mind that we are not doing anything illegal here. Everything that you see here is public information. This is simply what all of the Wi-Fi routers around me are broadcasting. They are broadcasting their MAC address, and they are broadcasting the name of the network, basically. The SSID name is not a technical term; ESSID is the term, but everybody refers to it as the name of a wireless access point. Anyway, as I said, all of this is public information. You will see that it’s WPA2 encryption, you will see the MAC address, and you will see the ESSID. The ESSID will be the first thing that you see on the network. Also, you will see the channels as well. Anyway, I will call the tutorial here, and in the next one we will be performing a specific scan where we will capture information, and use that capture file in order to crack the encryption. Until then I bid you farewell, and I hope to see you in the next tutorial.
Hello everybody and welcome to this tutorial. Today, I will show you how you can install aircrack on a Windows system.
First off, you will need to go to aircrack-ng’s official website, www.aircrack-ng.org, and download the necessary file. After it is finished downloading, you will need to unzip the package, and then you will be able to run the program. So, let’s go ahead and right-click on the package, and I’m going to use 7-Zip to extract the files. Feel free to use WinRAR, or any other extraction program available to you. I’m going to select aircrack-ng, extract it, and select the folder to extract the files to. I’m going to extract to the desktop. As you can see, I’ve already extracted it twice. Yes to all: it will copy over it and will not prompt you with this question again. It has successfully extracted to the desktop. As I said previously, there is no installation procedure. Go ahead and open the folder, select bin, and there it is, it says aircrack-ngGUI.exe. That is the one that you need, excellent!
We have three programs here; you actually have four of them, but we’re not going to be using these two for the time being. You have airodump-ng and aircrack-ng. Airodump-ng is used for collecting information, and you use aircrack-ng in order to brute-force the password, or rather the encryption key. As I said, I do not recommend that you use Windows. This is the procedure to run aircrack-ng on Windows, but I don’t recommend it. Now we’re going to switch back to our Linux partition and continue with the exercise.
One of the primary problems that we will encounter is the fact that we are unable to generate vast numbers of passwords manually. Have you ever tried typing a million words? That wouldn’t be too much fun. So, one of the first tools that we will need here is crunch, which we will use in order to generate password lists. It’s very flexible and easy to use. We can pass it the characters we are looking for, the password length, or a minimum/maximum length of the password. If we know fractions of the password, we can even pass those fractions to crunch. First, we need to download crunch. Crunch is available on sourceforge.net. Just type in crunch password generator, and we should receive a link to SourceForge. Go ahead and select to download this; your download will start in a few seconds, and the whole download process will last just a few seconds. We will need to extract the file once again. Feel free to use the default extractor. Choose a destination folder; I’m going to go ahead and pick the desktop, because I’m going to delete it later, as I already have it installed and configured. There we go, it should finish quickly. You don’t even have the time to see what’s going on. So, let’s just go ahead and close these things, excellent! Crunch is here. If I open the folder, there are some things in here which we will use later on in the course, but I will explain them once we actually start using them.
For the time being, I would like to show you how to install crunch. Let’s go ahead and open up our terminal and navigate over to the folder where it is located, so cd /home/Chronic/Desktop/crunch, excellent, and type ls. Now, you don’t have an instruction file here on how to install the program, but you can see that we have a Makefile. Whenever there is a Makefile, all you need to do is type in make. You will need to be logged in as root or have a sudo password. So, just type in make, excellent, there we go. make install, press Enter again, and there we go. The installation process is done and we can now use the program. Crunch is now installed; you can see that the man pages for it are functional, and this is the syntax. You will type in one number here and another number here, the minimal and maximal length. The character set goes here; you could type it in manually or use predefined ones, and then you can pass a bunch of other options if you wish. You don’t need to actually read through all of this, but skim through it. Just scroll through it and see if anything catches your eye.
Let me clear the screen, type crunch, and then tell it the password lengths I want, let’s say from 3 to 9. I’ve seen people type from 0 to 9; you can, of course, exclude 0 immediately. I’ll type from 3 to 5. Now I can pass in abcd123 as the character set, and I can pipe this to aircrack-ng, so that every password generated here is handed to aircrack-ng and tried immediately. I need to add a few more options to that command, of course, and we will do that in the next tutorial. I just wanted to explain the significance of this, because let’s say I run it with 3 to 5, press Enter, and cancel it before it manages to finish. It says crunch will now generate the following amount of data, 7,680 bytes. That’s hardly any data. It says this is the number of passwords it is going to generate, 1,344, not very many. Those two figures are what a four-character set produces (4^3 + 4^4 + 4^5 = 1,344 candidates, and 64×4 + 256×5 + 1,024×6 = 7,680 bytes once each candidate gets its newline); the seven characters of abcd123 would give 19,551 candidates, so the numbers on screen correspond to a shorter set than the one written here. Okay, let’s try another input: abcdefghijklmnopqrstuvwxyz, press Enter, and look at what happens. The file size has grown exponentially, because the number of possible combinations has grown exponentially, and it now says 73,643,440 bytes, about 70 MB. Still, this is a relatively small number of potential passwords; this will get cracked in a couple of seconds. What if I specify a maximum length of 9? Look at what happens. It says it will produce 51 terabytes of data, and this is the number of possible combinations there will be (26^9 alone is over five trillion strings). This is a very large number, and with my CPU it would take a very long time to get through it. Okay, let’s add 1234567890 to the set. See what happens? Almost 1,000 terabytes, just by adding the ten digits. You get where I’m going with this, but let’s expand it once more for fun: a maximum password length of 29. Okay, this is going to be ridiculous. It tells me that it will generate 6,998 petabytes of data. Yeah, you simply will not have enough room on your hard drive. A petabyte of storage is one thousand terabytes. In fact even that figure is a huge undercount: 36^29 alone is about 1.4 × 10^45 candidates, far more than any 64-bit counter can hold, so the number crunch prints here has overflowed and the real total is not meaningfully measurable in bytes at all.
What you would generally do with aircrack-ng is aircrack-ng -w passwordlist.txt, passing it a wordlist file in order to crack a capture with it. However long and however good these password lists are, they do not guarantee that the password will be cracked, and you simply cannot generate the number of combinations we just saw and store them in a file on your local computer. Even if you were to store them in the cloud somewhere, it would cost a ridiculous amount of money. What you can do, however, is pass -w - instead. Crunch then writes no output file, the passwords simply go to standard output, and aircrack-ng reads them from standard input and tries them as they arrive, in order to break the encryption of a captured.
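The following shell script is an added example, not part of the course and not crunch’s own code. It reproduces the arithmetic behind the size report crunch prints before it starts, converts the byte count into the 1024-based units crunch uses, and streams candidates to standard output the way the crunch | aircrack-ng -w - pipeline relies on. The function names (crunch_estimate, bytes_human, gen_candidates) are mine, and the capture file name and BSSID in the usage comments are placeholders.

```sh
#!/bin/sh
# Added example, not from the course or from crunch itself.
# Function names are my own; the capture file / BSSID below are placeholders.

# crunch_estimate MIN MAX CHARSET
# Prints "<lines> <bytes>": how many candidates crunch will emit for lengths
# MIN..MAX over the characters in CHARSET, and how many bytes that is
# (each candidate is followed by a newline, so length k costs k+1 bytes).
# awk works in doubles, so astronomically large totals are printed as such
# instead of wrapping around the way a 64-bit integer counter would.
crunch_estimate() {
    awk -v min="$1" -v max="$2" -v cs="$3" 'BEGIN {
        n = length(cs)
        lines = 0; bytes = 0
        for (k = min; k <= max; k++) {
            c = 1
            for (i = 0; i < k; i++) c *= n      # n^k strings of length k
            lines += c
            bytes += c * (k + 1)
        }
        printf "%.0f %.0f\n", lines, bytes
    }'
}

# bytes_human BYTES : 1024-based units, the way crunch reports MB/GB/TB/PB
bytes_human() {
    awk -v b="$1" 'BEGIN {
        split("bytes KB MB GB TB PB EB", u, " ")
        i = 1
        while (b >= 1024 && i < 7) { b /= 1024; i++ }
        printf "%.1f %s\n", b, u[i]
    }'
}

# gen_candidates MIN MAX CHARSET
# Streams every string of length MIN..MAX over CHARSET to stdout, one per
# line, in the same spirit as `crunch MIN MAX CHARSET` with no -o file:
# nothing touches the disk, the consumer reads candidates as they appear.
gen_candidates() {
    awk -v min="$1" -v max="$2" -v cs="$3" '
    function rec(prefix, depth,   i) {
        if (depth >= min) print prefix
        if (depth == max) return
        for (i = 1; i <= n; i++) rec(prefix substr(cs, i, 1), depth + 1)
    }
    BEGIN { n = length(cs); rec("", 0) }'
}

# Example session:
#   crunch_estimate 3 5 abcd                  # -> 1344 7680
#   crunch_estimate 3 9 abcdefghijklmnopqrstuvwxyz | { read l b; bytes_human "$b"; }
#   gen_candidates 3 5 abcd | wc -l           # -> 1344, same stream crunch produces
#   gen_candidates 8 8 0123456789 | aircrack-ng -w - -b 00:11:22:33:44:55 capture.cap
#   crunch 8 8 0123456789 | aircrack-ng -w - -b 00:11:22:33:44:55 capture.cap
# With -w - aircrack-ng reads the wordlist from standard input, so the list
# never has to exist as a file.
```

The estimate is worth running before any real crunch job: if the byte count comes back in terabytes, the candidate space is too large to exhaust on one machine, and a pattern (-t) or a smaller charset is needed rather than a bigger disk.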
So, this was a simple example of why we needed to install Crunch. There’s also a way to install Crunch on Windows, however I could not find a safe source to download it on the internet. Again, using Windows is not recommended for this course. In any case, I bid you farewell. In the next tutorial I will demonstrate the cracking process, and you will see how we can crack a WiFi network.
Hello everybody and welcome to this tutorial. Today, I will show you how you can install aircrack and Reaver.
The aircrack-ng setup is pretty simple. Just type yum install aircrack-ng, and it picks up the right version by default. Go ahead and press Enter. In Fedora, yum refreshes its repository metadata every time you call it; you can pass the -C (--cacheonly) argument to make it work from its local cache instead. It says package aircrack-ng is already installed and is the latest version. You might be prompted with a question along the way; if you wish to skip that, add -y, which answers yes to every prompt. With yum -y install aircrack-ng you won’t be asked anything, and you will have aircrack-ng installed on your system without any problems.
However, Reaver is quite a different story. Reaver cannot be found in Fedora’s repositories, and therefore it has to be downloaded from the internet. There are many places to download it; I have chosen Google Code, which at the time was one of the safest sources on the internet (Google Code has since been shut down and its project pages survive only as a read-only archive, so whichever mirror you use, make sure it publishes a checksum you can verify). Let’s open up my favorite browser, which is Firefox, you can open whatever you wish, and type in “reaver google code.” Now we are on the Google Code page for reaver-wps: you have a description here, and a pro version here. The difference between the pro version and the free one we will be using is the graphical user interface. Let’s face it, if you’re a pen-tester or a white hat hacker, you’re not going to be using that many GUIs. Optimized PIN sequencing means it tries PINs in an order that is supposedly more likely to succeed than the default one; some people claim this helps, but it isn’t necessarily true. Integrated WEP cracking, as I said, you don’t really need. You’re not going to find that protocol these days pretty much anywhere, and if you do, as I said before, those people don’t deserve to use WiFi: it is basically an open WiFi network, regardless of how complex your password is. Make sure you are not one of the people using WEP. It’s a good idea to switch to WPA or WPA2.
Anyway, I’m going to click on downloads in the upper left corner, and there are different versions here that can be downloaded. There are no fundamental differences in the way Reaver works between these versions, but there are bug fixes, definitely, and that is very nice. Reaver is maintained, there’s support for it, and so on. So, click on Reaver 1.4.tar.gz, and it says reaver.tar.gz here, file description, etc. This is a checksum; you can use it to verify that your file is intact (it is worth doing: a mismatch means a corrupted or tampered download), but I’m not going to do that now. I’m going to go ahead and download it. Once it is downloaded, open up the folder it was saved to. Double click on the file and you can extract it through the GUI, which is far simpler. You can also extract it through the terminal, but I’m going to use the GUI on this occasion. This is one of the advantages of Linux over Windows: by default it will unpack pretty much anything, zip, tar, rar, whatever, without any problems, which is fantastic! No extra installation is needed, it is all there by default. Let’s click on extract. Where would I like to extract the file to? Let’s say the desktop, because I’m going to delete it anyway, as I already have it installed. So, press OK and give me desktop. Let’s go back to our terminal and navigate over to the desktop, where I imagine I have a lot of things. OK, so, cd /home/Chronic/Desktop, Enter, ls, and do I have it here? Yep, there we go. So, clear, and let me just show you that I do in fact have it: ll. It’s much neater like this, and there we go, reaver-1.4. Let’s navigate into that folder, reaver-1.4, clear the screen and list the contents of the directory. Go to docs first and let’s see what is in there.
You might think that I am some sort of an expert who does these things off the top of my head, but no. People create readme files for a reason. They are there to be read, because the developer has left specific instructions on how to do something with the software. So, let’s cat it. Excellent! The following are Reaver source files, and it describes what is located in each one of them. You have 802.11.c, functions for reading, sending and parsing 802.11 management frames; 802.11 is a standard, as I said before. But look at this: the developer has actually left the entire installation process here. You have every single command that you need to run, explained in detail, what it does and how you type it in and execute it. This is wonderful! That’s why when you download a new piece of software, check out the readme file. People do tend to leave instructions there on how to do the essential tasks, and they have most likely encountered the same problems you will, so you can even find possible solutions. Reaver is only supported on Linux platforms. It requires libpcap, libsqlite3, and one more library whose name I can’t really pronounce, and it can be built and installed by running the following commands: execute the configure script, then make, and that’s it. It even tells you how to uninstall it.
Anyway, ls, and of course you cannot run the configure script from here. We need to go back up and into the source directory, src. Let’s see what is in there, there we go. We have configure, and you can see that by default it is executable. If I give you a longer listing, configure has an x permission here, here, and here, so the owner has it, the group has it, and so does everybody else. Anyway, type ./configure. Now it is checking for the things it depends on, without which it cannot function. Type make, there we go, it’s running through. I want to reiterate that I didn’t do any of this from memory. I just went on the internet, found the safest place to download the code from, and I’m compiling it here as the developer of the code instructed me to. The instructions aren’t complicated, just three commands, and the final one is make install. It’s going to give me several messages here, well, not errors but warnings, because I already have it installed. Here it says rm, meaning I would need to clear out the old copy before I could install Reaver again. I will abort the installation at this point because Reaver is already installed on my machine. If you have any problems, feel free to post them in the discussion section.
Lastly, let’s check that Reaver is functioning properly. Type reaver --help, excellent! It is installed, it is functional, it responds to our commands, and here is the basic syntax for reaver. Of course, you can pass all of these arguments to it, and there are quite a lot of them. Basically, you use -i for the network interface, -b for the BSSID (the access point’s MAC address), and we even have -vv for double-verbose output, which is fantastic! I’ll clear the screen. That is how you install aircrack-ng and Reaver on Linux. We will cover the Windows procedure in the next tutorial. Until then, I bid you farewell!
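The download-verify-extract-build procedure above, as an added shell example that is not part of the course and not Reaver’s own README: it checks the tarball against the SHA-1 checksum shown on the download page before anything is unpacked, refuses to extract on a mismatch, and then runs the README’s ./configure and make from the directory that holds the configure script (src/ for reaver-1.4). The function names are mine; the file name and checksum in the usage comment are placeholders, not real values.

```sh
#!/bin/sh
# Added example, not from the course or from Reaver's own README.
# Function names are my own; the tarball name and checksum in the usage
# comment are placeholders to be replaced with the download page's values.

# sha1_of FILE : hex SHA-1 of FILE (sha1sum on Linux, shasum elsewhere)
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1"
    else
        shasum -a 1 "$1"
    fi | cut -d ' ' -f 1
}

# verify_sha1 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-1 matches the published checksum, 1 otherwise
# (missing file, or a corrupted or tampered download).
verify_sha1() {
    file=$1
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -f "$file" ] || { echo "verify_sha1: no such file: $file" >&2; return 1; }
    actual=$(sha1_of "$file")
    [ "$actual" = "$expected" ] && return 0
    echo "verify_sha1: $file: expected $expected, got $actual" >&2
    return 1
}

# extract_verified TARBALL EXPECTED_SHA1 DESTDIR
# Unpacks only if the checksum matches; on success prints the archive's
# top-level directory name (reaver-1.4 for the tarball in the text).
extract_verified() {
    tarball=$1; sum=$2; dest=$3
    verify_sha1 "$tarball" "$sum" || return 1
    mkdir -p "$dest" || return 1
    tar -xzf "$tarball" -C "$dest" || return 1
    tar -tzf "$tarball" | head -n 1 | cut -d / -f 1
}

# build_in SRCDIR
# The README's first two commands, run where the configure script lives.
# make install is left to you because it writes to system directories
# and therefore needs root (sudo).
build_in() {
    [ -x "$1/configure" ] || { echo "build_in: no executable configure in $1" >&2; return 1; }
    ( cd "$1" && ./configure && make ) || return 1
    echo "built in $1; run 'sudo make install' there to install"
}

# Usage (placeholder file name and checksum; take both from the download page):
#   top=$(extract_verified reaver-1.4.tar.gz 0123456789abcdef0123456789abcdef01234567 "$HOME/Desktop") || exit 1
#   build_in "$HOME/Desktop/$top/src"
```

The point of doing the check in a script rather than by eye is that a mismatch stops the build instead of being a number you glance at and skip; anything you will run as root against your own network is worth that one extra line.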