How do hackers attack wifi
networks? Are you safe? Is yours vulnerable in this
video? We'll break that down. I'll show you how three levels
of hackers, a noob, a hipster, and a pro will attack a wifi network. We're going to simulate
this at Bear Cave Coffee, a delightful coffee shop in
downtown Mesquite, Texas. We'll break down every attack showing
you how it works and how you can keep yourself safe. Get your coffee
ready. Let's do this again. Three levels of hackers, noob, hipster, and pro will waltz in and
try to attack their targets, the wifi network and the individual
people in that coffee shop. Just try to sit there and enjoy their
coffee PORs schmucks. Now, disclaimer, I will be displaying and
demoing real wifi attacks. You should not use any of these on
anyone without explicit permission. Now, if you want to test
them out in your house, on your friends and family
with permission, go for it.
Have fun practice, teach. Otherwise, don't do this to anybody. You
will get in trouble. This is illegal. Now the first attack is stupid,
easy to do, but super effective. It's called a man in the
middle attack and honestly, you'll never even know what's
happening. So check this out, the noob, he walts into the coffee
shop, happy go lucky, not even shy about what he's about to do. All he needs for this attack
is a laptop and that's it. He watched a few YouTube videos and
learned how to install Cali Linux, a professional hacking operating
system, which is pretty cool. Now, like most public places in
coffee shops, there's free wifi. No need to hack into it, which by the way, you can hack into a wifi
network and get the password. I'll show you how to do
that here in a moment. But the wifi password's
right there on the wall. He connects to it and begins to find
his victims. Again, this is stupid easy. He fires up, call Linux and with one
command launches a tool called Better Cat. Now the new hacker's going
to start with a bit of recon. The first stage of any good hack,
they'll turn on net probing, enabling him to scan the current
wifi network and find targets. And then he'll type in net show to see
what he's found. It's his lucky day. There's his target right there. Now it's
time for the man in the middle attack. Again, scary, effective. Here's
what's happening on the wifi network. At the coffee shop, we have our target just sitting there
chilling on his laptop, drinking coffee. His laptop is connected
to the wifi router, and every time he wants to visit
a website, I tell the router, Hey, I want to go to network chuck.com,
and the router connects it, focusing on the fact that
the conversation's happening
right now between the target and the wifi
router, how it should be. But the new hacker wants to get in
the middle of this conversation, and that's exactly what
he does. Check this out. What the new packer wants to do here is
first he wants to trick the wifi router. Is he going to tell him, Hey, the
target, we'll call the target Bob, because I'm getting tired of saying the
target. Bob's not over there anymore. I'm Bob. Anything you had to say to Bob,
you say to me, and that's what he does. This is called arp spoofing. ARP is what devices use in a network
to discover where things are. So if the wifi router
is in a crowded room, let's say a party and he wants to find
Bob, he'll send an art message. Bob, where are you? And Bob
hearing that message will say, I'm by the bathroom. So now the wifi router knows where Bob
is and he can send Bob a message or keep talking to him or whatever.
But in this situation, the hacker's going to mess
with the ARP communication. The wifi router thinks
Bob's in the bathroom, but the hacker's going to come in
and just yell, Hey, wifi router, I'm Bob and I'm by the stairs
and the router, let's face it, he's kind of a dumb dumb. So he
is like, okay, you're Bob now. And then the attacker does the same
thing to Bob. He goes, Hey Bob, I'm the router. I'm by the stairs. And he sends his a malicious art
packet to Bob and your device. It's kind of a dumb dumb,
so it's going to believe it. So now do you see what's happened? The
target thinks the hacker is the router. So when he wants a website, he's going to send it to the hacker
and the hacker will forward it along. No big deal. He'll send it to the router. That way things seem to work like
usual, and that's kind of the goal here. You don't want the target to know he's
being hacked. Now, on the flip side, when the wifi router is
ready to send the network, chuck.com webpage back to Bob, he thinks Bob is the attacker and the
attacker has effectively placed himself right in the middle. He's the man in
the middle. Let's do that right now. The attacker will set up his ARP by
setting it to full duplex mode and then he'll specify his target. The guy
identified in his probing earlier. So now with that said, all he has to do is turn ARP spoofing on
with one command. And before I do that, I want to open up a packet
capture program called Wire Shark. What this will do is actually capture
everything it's seeing going across the network. And because all the network between the
target and the router are going through the hacker here, we're going to see a lot. So I'm going to start tracking
or capturing on WLAN zero, the interface he is working on. I'm going to look for an IP source
address of what was the IP address again? 1 9 6. You'll watch this flood in as I
take over turning on our spoofing. Boom. Did you see that? Now
I'm seeing everything. Every bit of internet this
person's visiting is coming
through me. I can see it. I'm the hacker. Now, in case you didn't
know if I changed my filter to DNS, I'll just go to network chuck.com. You can see right there all
the requests coming through. I can see every website being visited. Now what's scary is the new hacker didn't
have to know what ARP spoofing is or how a man in the metal attack works. He just had to follow a tutorial online
and hit a few keys on his keyboard. That's it. But honestly, kind of harmless if he doesn't have
the correct skills to take it further, because while he does have control of
your traffic and he can do some crazy stuff to you, he probably
doesn't know how to do that. But in the hands of a real
hacker, better watch out. Now, I'm going to stop this real quick and
show you what happens if nor VPN is being used. I'm going to reset my capture here.
So no spoofing, I can't see anything. Just a few messages
going across the network. The target will connect to nor VPN,
and this is kind of crazy. Watch this. We'll turn our spoofing back on
at a hundred percent is working. Notice here on Wireshark, every
message kind of looks the same. It's between my target and one
destination, which is nor VPN, and then the protocol is wire guard. What's happening here is every bit of
the target's traffic is being encrypted and hidden from the attacker. The hacker
can't see anything. This is nonsense. You can't do anything with it. The wire guard protocol encrypts it
to where you can't see inside of it. So even though you may be the target
of a man in the middle attack, if you're connected to VPN, you
kind of foil the attacker's. Plants can't touch it.
Connect to VPN. Now, this right here is probably
the scariest attack. It's called an evil twin attack,
and twins are already scary. You add an evil one, I'm done. But
seriously, this one is crazy effective. And again, not that hard to do as
an attacker even for a new that. Here's what makes the evil twin attacks
so evil and why pretty much anyone can fall for it, including me
without even knowing it. How it works is you have
your standard wifi network. So let's say a bear cave
coffee. The evil is simply that. It's a copy of it that looks just
like it operating on the same wireless channel, and if the hacker's really good, we'll have the same wireless password
that's coming up in a moment. And the goal is to try and get you to
connect to the evil one instead of the good one. And looking at
these two wireless networks, how would you know they're going to show
up the same way on your phone in your laptop? You wouldn't know. That's
the evil part. Now, for the nube, it is a bit more difficult. He'll need a few more YouTube
tutorials and a special wifi adapter, one that can go into monitor mode
like this alpha network adapter. The good news for humanity is that
getting that set up is kind of hard, if not just frustrating. So the
Nube will sit there for a while, maybe get frustrated trying
to install the drivers. So we'll let him figure that out and we'll
move on to the hipster hacker and how he might set up an evil twin attack.
Now, the hipster, he's cool, man. He doesn't need any special wifi hacking
gear. In fact, he's always carrying, he always has wifi hacking gear with
him in the form of a flipper. Zero. It can do a lot, including hacking your
wifi. And look at this hipster hacker, you would never know, right? He's just there to sip some coffee and
read a novel or so you think The hipster nonchalantly walks into the coffee shop
and finds a place where he can hide his flipper zero. He connects his ES ESP 32 dev board or
a wifi dev board flash with the Marauder firmware, enabling the flipper
zero to do crazy wifi attacks, and he simply just kind of hides it on
a bookshelf somewhere behind some stuff. No one's going to notice
this. He then sits down, pulls out his phone and remotely
controls the flipper Zero. Now the hipster hacker's already done
the hard work of getting the flipper zero set up to be able to do wireless
hacks. Once it's set up, it's super easy to just do it.
It goes through a simple menu, turns on an evil twin, and even
adds a captive portal. What is that? You've seen it before. You go to a coffee shop like Starbucks
or an airport and you connect to the wifi, immediately a webpage pops up prompting
you to either accept terms before you connect or maybe even log
in, or if you're at a hotel, you put your hotel room number in,
and once you finish that process, you're connected to the wifi. It's a
normal thing used for good purposes. Not here though. The flipper zero can spin up a captive
portal pretending to be anything. Maybe Google may be Facebook and you not
realizing you're connecting to an evil twin network will put in your credentials, which are immediately fed
to the hipster hacker, and he's got your password and your email, and he can do whatever
he wants with it. Now, the downside with the flipper zero is if
a target connects to the wifi network, it's broadcasting the evil twin, it
can't give it internet. So as the target, you'll know immediately like, oh my
gosh, this wifi network is not working. It can't go to anything.
So you disconnect. This is where the pro comes in and
this, oh my gosh, the pro is so scary. So the pro, he walks into the
coffee shop and he orders coffee, got his hoodie on, doesn't want to
be seen, doesn't want to be known. This is the first time he's
been outside in three years. So naturally he finds a shadowy dark
corner in the coffee shop to hang out and prepare his wireless attack. He pulls out this crazy spider
looking contraption called a wifi, pineapple enterprise, a device tailor made to hack wifi
networks and its specialty is evil twin attacks. The professional hacker will start with
screwing in the million antennas it uses to attack. He'll then connect to its
very nice friendly web
interface and start doing a bit of recon, scanning the entire
wireless network around it, literally catching everything.
And with one click, you can identify the network he wants to
impersonate and become an evil twin of, and it becomes an evil twin
just like this. The scary. Part, this is that devices do sometimes
a loose connection to the wifi router, go to the bathroom, come
out, it reconnects leave,
come back, it reconnects. And as long as the wifi pineapple
is broadcasting a stronger signal, you're going to connect to hemp. That's
what your devices are built to do. Prioritize a stronger signal. So it's really easy for that massive
spider looking device to have a stronger signal than anything else around
it. Now, it's not just that. Maybe you don't connect to wifi. Maybe
your 5G on your cell phone is good. You don't have to worry about
that. You don't connect to wifi. You're too smart for that,
not with the wifi pineapple. It can make you connect to a
wifi even when you don't want to. Here's a scenario. Last year you
were at a conference in Vegas, no cell signal in that conference,
but they did have free wifi. Let's say it was a coffee convention.
Obviously I go to those, not really. It was called coffee, wifi, whatever.
It was open. You connected to it, you used it, you left Vegas, you're
done. Now, what you don't know, what you don't realize is that wireless
network, your phone remembers it, and everywhere you go, your phone
is sending out probes saying, Hey, coffee conference network. Are you here?
Because it's always wanting to connect. That's how it auto connects to your
home network and your work network. It's sending out probes and when it's
like, oh, I found one, it auto connects, if you have that setting configured. Okay,
Chuck, what's your point? Okay, well, a year later you come
into Bear Cave coffee. Your phone still remembers that Vegas
conference coffee, wireless thing, and it's sending out probes. The wifi
pineapple listens for those probes, all the probes, every wireless connection your phone
remembers and is looking for the wifi pineapple grabs it makes an evil twin of
it and broadcast it. I don't know why. Just this, the wifi pineapple
movement. So your phone, if it's configured to
automatically connect to a network, we'll see that network and go, Hey,
buddy, long time, no see, let's connect. And it connects. Did you do it?
No, your phone did the wifi, pineapple took care of it for you, and now you're connected
to a hacker's network. You're compromised without even
trying. How terrifying is that? That probing feature is insane, and it literally grabs all the wifi
networks it can find and broadcast those casting a wide net catching whatever
it can. And once you're connected, the hacker can do whatever he
wants, especially a pro hacker, the captive portal. Yeah, I can do that. What's crazy is the pro hacker that
took him five minutes, not even that, it was a few clicks. It's automated. Often they have a script that runs
a little playbook. They come in, they click and it just
goes and it does it. And then looking back at the new hacker, he eventually figured out how to install
the drivers for his alpha network adapter, and he installed a few
tools to get this thing going. He uses a tool called
DNS Mask to run DHCP, which will hand out IP
addresses and to run DNS, which will help his targets actually
reach websites on the internet. And then he'll launch host a PD,
another really fun Linux tool, which will just launch a wireless
network, not a thin air, in this case, it's evil. He's matching the SSID and
a channel name to be the exact same. So you'll accidentally connect to
it. And for the pro and new packer, once you're connected to their network, I'm telling you they can
do whatever they want. One of the cool things they
can do, and when I say cool, I mean terrifying is they can spoof
your DNS. Now we just talk about DNS. It stands for domain name system and it's
essential with how the internet works. When you go to visit a
website, let's say target.com, your computer has no idea how to get to
target.com because it's looking for an IP address somewhere in a data
center, somewhere else in the world. target.com is just like a
nickname, a friendly name. So we don't have to type in
IP addresses in our URL bar. So to make that thing easier for us,
have DNS servers. So we say, Hey, DNS server, I want to go to
target.com. And he says, okay, let me look up where that IP address is.
And then he tells your computer, Hey, this is the IP address for that thing,
that thing your owner wanted to visit. That happens for every single thing
you visit target.com, facebook.com, google.com. It has to do a DNS lookup, find out what the IP address
is and then it can go to that. The scary part about this is that the
DNS server is the hacker's computer. It's the nubes computer. It's
the wifi pineapple sitting there, and the hacker can make that DNS
server respond in any way it wants. So you try to go to target.com, the
DNS server can go, you know what? Target's not over there
where it actually is. target.com is actually on a
server. I just made a fake website. I even used a tool to clone the
website. So it looks just like Target. And when you visit that, you won't
even realize you type in target.com, I tell you, it's here. You get there, it
looks the same. You think you're fine, right? No. Now this attack
is called DNS spoofing. It's very common and
often hard to notice. Now, it's unique about this site is that
it's running the beef framework, meaning that I now have control
as the hacker of your browser. And I can do some crazy things like send
you weird messages, I can rickroll you. And these are all just fun things. More nefarious things would be
like controlling your webcam, getting all your website
logins escalating, and getting more access to your PC
and the hands of a skill hacker. That's a lot. And while some of
these attacks are more advanced, what I've just kind of demonstrated
isn't that hard to learn and do so what's your protection nor
VPN? Use the VPN please. Because even if you connect
to an evil twin network, a wifi network owned and operated
by a hacker trying to get you, if you're connected to nor VPN, you're
traffic's encrypted, they can't see it. And if you're really paranoid, you can do double VPN onion over VPN
and the attacker can't spoof your DNS. All your DNS queries are encrypted and
secure when you're connected to nor VPN. Now, what if you're not connected? What if you forget nor VPN still has
your back for the worst case scenarios, they got some new threat protection.
So like this option right here, I'm going to enable it right now.
Even when you're not connected to VPN, it'll protect you from cyber threats.
So things like malware trackers, even has file protection prevents you
from downloading malicious things. So even if the attacker is trying to get
you to download malware and get a more serious foothold in your system, having more VPN there and present on your
computer with this setting enabled can help protect you. But best case scenario, you're connecting to nor v pn and
you're protected all across the board. If you head on over to
nor vpn.com/network chuck, they get a crazy deal insane discount
and for bonus months for free. Now, let's talk about wifi password cracking. How can a hacker get access to your
wifi network and figure out your wifi password? Because maybe they
just want to steal your wifi. Maybe they're your neighbor and they're
on your wifi, you don't even know it. Or they're trying to get access to your
network so they can do more things like a man in the middle attack, or maybe it's a business network and they
want to attack your servers and stuff. That's a real thing. And for the professional hacker who's
trying to really do some crazy evil twin attacks, having that wifi password for your
network is going to make it a lot more effective. So how does a hacker crack a
password? It's actually not too crazy. Check this out. We'll start
with the new. He'll come in. He's going to use what's
called the Air Crack NG suite. He'll first put his alpha network adapter
into monitor mode by doing airon NG WN zero start. This allows his wifi adapter instead of
just connecting to a wireless network, it can now listen and even
do kind of attacking things. I'll show you here in a bit
something called a D off attack. It's kind of awesome. He'll type an IW config just to make
sure it is up and running and in monitor mode. Now, sometimes other processes on your Calli
Linux computer can interfere with that typing in air mode, NG check kill will check and kill those
processes if there is something there. Now it's time to start the monitoring
with one command arrow dump NG WLAN zero using the switch dash a BG to monitor
all types of wireless channels, 2.4 and five gigahertz. He'll start
monitoring and he can see everything, all the wireless networks in the
vicinity, everything he can reach. And since he is at Bear Cave Coffee, he immediately recognizes
and locates Bear Cave Coffee, the wireless network with
that network identified, he wants to go deeper and research
more. Using the same command as earlier, arrow dump ng, he'll specify the Mac address or the
station address of the AP or the wireless router, the channel it's operating on, and to specify a file to dump
that information at. And finally, the wireless interface, WN zero. Now, he is going to keep this up and running
and capturing for a while because what he's looking for is this a four-way
handshake, capturing the special four-way. Handshake will give him all he needs
to crack the wireless password. Now, what is that? Whatever your device
connects to a wireless access point, or when you walk into a new place you
see wireless and you try to connect, it's going to do a little howdy do
between itself and the wireless network. Four separate messages. It's this exchange of the four messages
that authenticate your phone to the ap, the access point. They're also called
E APO messages or E-A-P-O-L. And again, once captured, the hacker can take that
information and find out your password. Maybe now he could just sit there and
wait for someone to come in and try to connect. And this is also assuming the wireless
password isn't broadcasted on the wall or something he's trying to crack into it. So if he's not patient and
he doesn't want to wait, he can use what's called a
de authentication attack. And this attack is kind of crazy.
He can actually force any phone, laptop or device on the wireless network
to lose its connection to authenticate from the wireless network. He
doesn't have to be connected to it, he just has to be adjacent to it. Now, this is abusing something that
is common in a wireless network. The wifi router often might send a D
off message to its clients to say, Hey, you need to reconnect. For
whatever reason, it's a real thing. But the hacker can abuse that by sending
his own DO messages pretending to be the wifi router to the clients.
And what are they going to do? They're going to listen. They're like,
oh, I'm just going to disconnect. And then reconnect. So if the airplay
and G command, the nube does that, he can either target one individual
person that he scanned and recon or the entire network and all clients
get authenticated all at once. And when he does that, bam, he does capture a four-way handshake
when they try to reconnect. And then he ends his capture.
He sees the EA poll message, I think I'm saying that right. He stops it and now he can go
about cracking it for the hipster. It's even easier. He's got his flipper
zero. He places it down somewhere. He scans the network around him with a
few simple button presses on his phone, right? It's so crazy easy.
He chooses his target. He runs a de authentication attack, immediately starts capturing raw
package from the network. And hopefully, fingers crossed, he also captured
a four-way handshake. Now again, shutting light on the fact that
the flipper zero is so compact, it looks like a toy. No one's going
to notice you're hacking anything. I love that about the flipper zero. It's also the most terrifying thing about
the flipper zero. And then of course, the professional hacker, he's a
bit more obvious, but he's hiding. So it doesn't matter. He's professional
and his attack is a lot easier. When he enables scanning for
his wifi pineapple enterprise, it automatically is set to start
receiving all the handshakes it can. And with a few clicks, he can just
say, Hey, deauth, this network, deauth this client, and it captures
it seamlessly within moments. It's super easy for the professional.
Now, whether you're a noob, hipster or pro, we're
all going to end up here. You're going to have a packet capture
file with a four-way handshake. Now, just so you know, having the four-Way handshake doesn't
mean you have the wifi password, but it doesn't mean you have
the ingredients to figure
it out. So for example, let's say we have our four messages,
the four-way handshake, 1, 2, 3, 4. The way the hacker might try to figure
out the password with this four-way handshake is guessing a
lot. Let's take a password, like password 1, 2, 3 and combine it
with the ingredients and the four-way handshake and see if that password can
successfully decrypt one of the messages and the four-way handshake that we
know that's the correct password. Now, it's a lot more complex than this, but
that's essentially what we're doing. And the software we're about to use is
going to guess lots of passwords over and over and over and over and over again
until we finally find one that does the job. It's like you got to lock and you're
trying a bunch of different keys to see which one will unlock it. And of course, the first thing we'll need is a big
bag of keys or a big bag of passwords. Otherwise, no one has a word
list or a password word list. A list filled with hundreds, sometimes thousands of passwords that
will try and try and try over time. And depending on how strong
and powerful your computer is, is how fast we can try these
passwords. Now, the new packer, he's going to try this. What he's not
very experienced, and he'll probably fail. He's going to use a default word list. A list of passwords previously may be
used by people in the wild discovered through other hacks and things. It's
actually a popular list called Rock U, and it does contain a ton of
passwords. So he'll extract that, try to crack it with the
air crack command. I notice
it's going to take a while, and there's no guarantee the password
actually exists in that database. That's a finite list of passwords. This is where the hipster
and the professional hacker
are going to differ a bit. They're more experienced. They know that the password will probably
be uniquely pertinent to the place they're trying to attack, and
they'll use that to their advantage. And this is a bunch of
super cool tools. First, they'll use a tool called Well cool,
and that I did not do that on purpose. I promise they'll use Cool to crawl the
website of the coffee shop to find all the keywords that might be used in a
password, and it'll output that to a list. How cool is that? We'll then
use a tool called Pi Pal, which will look through that word list
and find words that'll probably really be used in a password.
Identifying the top 10. And I'll use some special Linux food to
put that into a nice and neat list that we can use with our next tool. And this is a custom tool that we
built ourselves or the hipster and professional hacker did. It's a Python script that's going to go
through this list and combine all the words in different ways. And
finally, with our word list, we'll do the same thing as a new hacker
did, just with a more targeted list, taking less time and giving us higher
odds of discovering the password. And within half a second, we find the
password is mesquite coffee. We got it. Now, this is very simplistic
what I showed you here, but it's an example of how someone
might discover a if they can do the same thing, like profiling your house,
discovering more about you. And once they have that wifi password,
they can connect to your wifi, use it all they want, or connect to it
and do some bad stuff. Making a really, really, really evil twin or doing lots of other
things like gaining footholds in your servers, getting all your files.
You name it, it can be done. So let's talk about safety and security. What can you do to protect yourself
first and foremost as an individual, as a user, protecting your own internet
traffic and your own data? VPN nor VPN? Check it out. Link below beyond VPN. What about your own wifi network
or your business' network? The first thing you can do is just
have a strong wifi password randomly generated characters that have
nothing to do with you. Yeah, it's a pain to share it, I get it.
But you got to do what you got to do. Security does come at a price, but it's a lot cheaper than
the consequences of not
having it. Now, beyond that, there's really not much else you can do, especially against evil twin attacks
or a man in the middle attacks, unless you have more enterprise hardware. There are enterprise wifi networks
out there that can do some cool stuff. One thing is they can do host isolation
for all the host connecting to your networks. So man in the middle
attack can't even happen. They can't talk or connect to
anyone else on that network. Can't happen as far as evil twin
attacks, much harder to deal with, but a lot of these smart
enterprise wireless networks
can actually look out for its similar SSIDs or the same SSD as the
networks they're broadcasting and alert you or try to stop them with their
own kind of wifi mitigation attacks. It's very cool. Anyways, that's wifi. I'm about to travel
with my family to Japan. I'm using these techniques to protect
myself and look out for people. Mainly just connecting all my kids and
my family and myself to VPN while I'm traveling. That's all I got.
I'll catch you guys next time.
