(techno music)

- And boom, we're into our first spaceship. There will be more. (energetic techno music)

- It's mad, just like that?

- Yeah, you can just see into this invisible spectrum. (energetic techno music) It's a framework that allows you to use all these cool wifi hacking tools and techniques that are out there without actually needing to do the command line work on pretty much any of that. Look at all the stuff you can do. (energetic techno music)

- [David] We do not advocate anything illegal. This is for educational purposes only. Hey, everyone. David Bombal back with Kody. Kody, welcome.

- Glad to be back. That last interview was really fun.

- Yeah, it was brilliant, and just for people who don't know, Kody is the co-creator of these fantastic little devices. He's also really well known for being on the Null Byte channel.

- Hi, I'm Kody, the editor of Null Byte.

- You've got a new channel, is that right? Give us a bit of an update.

- That's right, so I go live every week, twice a week, on the Security Forward channel. Welcome to another episode of "Hacking With Friends." I also am on the Hak5 channel. Today we're gonna learn how to phish Windows users on this episode of "HakByte." If you liked what was going on on Null Byte, you can always see the same thing on Hak5.

- [David] In our previous video, which I've linked below, we spoke about the WiFi Nugget and the USB Nugget. So, if you wanna see more details about these, have a look at the video below. Kody's gonna demonstrate a whole bunch of tools in this video. We've put a menu below, so if you want to jump to a specific tool, then go directly to that part of the video. But tease us, what are you gonna show us in this video?

- [Kody] We're gonna go over a lot of different things you can do with wifi hacking, and we're gonna start out with the cheapest and most passive. They're very sneaky attacks that really don't cost that much money to do. We're gonna go all the way up to attacks that are much more noisy and sophisticated and could potentially even manage to break into a vulnerable wifi network in about 15 seconds.

- You're gonna show some of your tools. I think Airgeddon is one of your favorites, right?

- Yes, I have a complicated relationship with Airgeddon, but it is definitely one of my favorite wifi hacking tools. In addition to that, we're also gonna show some microcontroller-based wifi hacking tools. So, we'll be covering both ones that require, like, a Linux computer, like this Raspberry Pi, and also ones that you can pick up for about $1.80 and you can do on virtually any computer.

- We had feedback on our previous video where people were saying, like, some of the devices that we showed, you were showing some, like, big Alfa adapters that cost a lot of money. People always complaining, you know, they wanna do five gigahertz, but like you said, you know, for beginners, it's a pain to get them to work. (dramatic music) So, yeah, let me ask you a nasty question while we're here, but you can definitely buy this kind of stuff for, like, $1.80 if you buy it from AliExpress, but you can also get it, like, for $4 from Amazon. So, I'm really, really glad that you're showing us, you know, low-cost solutions and low-cost options to hack.

- And some of the juiciest things we're gonna be covering today can run on these really low-cost solutions. So, you know, we're gonna be talking about things like finding out where people have been based on the devices, the wifi devices stored in their phones. So, it's gonna be a really interesting adventure through what you can do with a very small amount of money and then kind of ramping it up to more advanced attacks.

- Cool. Let's get started. (techno music)

- There's lots of different things you can do for wifi hacking, and when people are like, "Hey, can you hack wifi?" or "Can you hack my wifi?" or "Can you hack my neighbor's wifi?" they often mean totally different things. Some people mean, "Can you kick my neighbor's devices off so it doesn't work for them anymore? 'Cause they're, like, playing music on a wifi-connected speaker and I hate it." Another might mean, "Oh, I wanna break into this wifi network, or I've been locked out, I forgot my password or whatever. Can you get into the wifi network?" And then other people might mean, "Can you actually break into devices or start messing with devices individually rather than messing with an access point at all?" So, when people say, "I wanna hack wifi," they might be talking about a device like a cell phone that uses wifi, or they might be talking about, like, a router or something like an access point.

Yeah, I would say in 80% of the cases people are talking about how do I get a wifi password? That's what most people want, right? You know, like access to a wifi or to a wifi network. One of the cheapest ways that I know in 2022 of doing this is to be able to phish a user.

- Oh no, Mr. Krabs told me all about you.

- There's a reason that phishing is so popular in literally everything; it's phishing for, you know, your corporate accounts, your email accounts. Phishing is so easy to do. So, in this case, if you can take something super cheap like this little ESP8266, these cost about $1.80, you can get them on AliExpress. They come super easy to flash with these pre-made projects, and what they basically do is allow you to mimic an access point, and you can see on this GitHub repository, this is a free project that somebody made in Arduino. I actually have it up and I've made some modifications to it for a video we're going to be doing soon on warshipping.

Our warshipping episode is what would happen if you decided to attack a company by trying to get their wifi credentials by mailing something to them that's to the wrong, like, a wrong name or something, and it stayed in their mail room for, like, five days or something like that. And any employee who was like, "Hey look, there's a free guest network. That's convenient." The signal's pretty strong, and they try to connect to it, possibly thinking they're supposed to log in in order to use that guest network and maybe giving up their corporate credentials or the wifi credentials to the network they already know. It's surprising how effective these sorts of attacks can be even though they're passive.

And this is a completely passive attack we're gonna talk about first, because there's actually an active version of this that is much more nefarious and also arguably illegal. So, is it illegal to send a package to a company that contains a little access point like this that really looks like an open wifi network? It's really incredible how realistic this looks. Right now, if I were to take a look at the various networks that are available, I would see I have a Varonis Guest network, that's interesting. I don't remember being near a Varonis office, like, isn't that in New York? Turns out that I am running this very program in Arduino IDE and this is the code that I'm using, and I've just very lightly modified this and added kind of like a phishing veneer over it to make it look as though this is a real guest network that, if you were in the office for something, you could connect to to get easy access. Maybe you're new and, you know, you don't have the wifi credentials yet, or there's some other reason, why maybe the signal strength is stronger and you're having difficulty with the normal network. This is a totally passive attack that just spins up an access point and waits for people to misidentify this and potentially put in information.

I'm gonna attempt to connect to it, Varonis Guest Wifi, and we can see this is an insecure network, and boom, this phishing page just popped up. This is $1.80 and this looks pretty good, I have to say. I worked all weekend on this. It has terms and conditions, looks very legit, looks as though this is the kind of access point you would see for any open, like, guest network where it's presumed that, like, you work there or you have permission to be using it. But if you were to put in your credentials here, I can just type this in, click Sign In, and it's like, congratulations, it's validating, your account is being validated. Please allow up to five minutes. That's so mean, because this is never gonna give you wifi access. But if I were then to go to, you know, this access point slash creds, I could see all the different credentials that had been logged to this device. It's also possible to make this persistent so it stores those credentials. So, even if this, the battery, were to die and to run out over time, as soon as this box were shipped back to me, I would have every different employee's credentials that had accidentally logged into this.

In order for this episode to be, like, pretty well researched, we shipped out a bunch of trackers, like Tile trackers, to a variety of different companies to see what they would do, and the average was to leave it in the mail room for several days. We sent this to an auto manufacturer and it's still there; it has been, like, five weeks or so since we sent it. It might have been that they just, like, destroyed it for some reason. The last time it was spotted was inside their mail room, and it appears as though they just brought it in and kind of left it there. If this was an attack that was relying on a long duration of being out there, then this is the most passive and kind of sneaky thing I can think of that might lure the average person or the average employee who's having a little bit of trouble with the normal wifi network to try this other wifi network that seems to have a trusted proximity. It's inside the office with them, you know, why would there be a malicious network inside the office? (dramatic music) Who would get in there and plug in a router? But it doesn't work that way anymore. These tiny little microcontrollers are capable of making these really convincing phishing access points and phishing pages that come along with them.

So, before we even get into, like, wireless network adapters and Linux and stuff, you can just download Arduino, download this program, change a couple things and make a really good phishing page. We're not even talking about the computer science stuff here. We're really just talking about what is the lowest-hanging fruit when it comes to wifi hacking. Well, if you're talking about getting a password, probably phishing with a really, really simple low-cost device that, you know, is so cheap that it doesn't really matter if you never see it again. I would, under these terms, not wanna send a Raspberry Pi that cost me $150 on eBay today to, you know, a company and have them, like, rip it open and be like, "Hmm, what's this?" Whereas if it were this little thing, this actually costs less than the Tile tracker when fully assembled with a lithium polymer ion battery. I was really impressed by this little prototype. I have to say this is probably, as far as I know, the cheapest way of getting a wifi password that I know of.

- We had some comments on our previous video like, "David, where can I get such a cheap wifi adapter?" And I'm glad you did this update and show-

- Oh, yeah.
- You know, how it actually works. You literally buy it from AliExpress and then you just flash it from GitHub, right?

- Yep, that's correct. It's gotten so simple that you can do the flashing through a Chrome web browser, and I actually did the presentation at the HOPE conference on exactly how this works. What's the best ESP8266 base board to buy? You can check that out on my Twitter. To anybody who's looking to buy their first ESP8266, the D1 Mini is probably the way you wanna go. That's the one I'm talking about when I'm talking about this being available for a dollar. There's cheaper ones that don't involve, like, a USB connector, but good luck as a beginner trying to connect to something that just requires you to connect via a bunch of pins or something. Much, much easier to get the integrated board.

- So, you could buy that from Amazon, but it's cheaper for you to buy from AliExpress, kind of thing, right?

- You pay for your time, you know. Like, if you're in a major city you can probably get one delivered tomorrow on Amazon, but you'll expect to pay maybe, like, $4 for it. But if you get one on AliExpress, you'll get it in three weeks, but it'll be $1.80.

So, we talked about this passive attack, and I want to use the same platform but upgrade it a little bit to be like, all right, what if you are a more advanced user and you're just like, ah, this is baby stuff. I know I can create a fake access point. I wanna get to more active attacks where I'm actually able to, like, shepherd people from a trusted access point over to a fake access point and do some other really advanced thing. So, I had the pleasure of working with a creator named Spacehuhn, AKA Stefan, who created the ESP8266 Deauther. Now, you'll typically see this in, like, its wristwatch implementation, and we actually support it on our WiFi Nugget. In fact, I have one in front of me that has been flashed with this right now, and it's really cute to be able to use the screen and buttons to be able to select access points and either attack them or clone them or do some other basic wifi attacks using just a button and screens. And in fact, that's the basis of our WiFi Nugget, is to be able to do most of that just using a button and screen.

But what if you wanna move beyond that and you're just like, okay, you know, I know that I can clone a wifi network, I know I can kick devices off, but, like, can I do more interesting things? Can I do, like, wifi research with this thing the same way that I might want to do with a wireless network adapter? And the answer is yes, absolutely. When I was working with Stefan, I made a specific request that I really wanted to be able to do some cool, like, phishing things. And even though it was awesome that the original wifi deauther has a web access point that you can connect to, that gives you a menu to be able to do all this interesting stuff on any device with wifi. So, you can connect with your phone to this little ESP8266 and do some more advanced attacks. If you get rid of that kind of, like, friendly, beginner-friendly, like, helpful wifi interface and instead have it available as a phishing interface or as an attack interface, suddenly you can do much more advanced things than the original version of the wifi deauther allows for.

So, the V3 or version three of the ESP8266 Deauther, I think, is one of the best wifi hacking tools that people don't know about. I had the pleasure of working on this project and trying to make it as mean and as interesting as possible, based on research that I was actively doing. This has some features packed into it that you cannot do in the original version of the wifi deauther. To get here, it's kind of sneaky. There is a dropdown menu on the GitHub for the wifi deauther, and the V2 is the default version of this, and this is the one that most people know. You know, it's maintained, but you can see there is a difference here in the two versions. In the version two you have a web interface, display support, serial command line, that's great, a scanner, deauth attack, beacon attack and probe attack, that's great. Like, all those things are very wonderful, but the V3 has these additional features. It can also do support for a serial command line interface, signal strength scanner. So, you can use this as a fox hunting tool.

So, let's say that you detect somebody on your network that's not supposed to be here. You could use this tool to hunt down exactly who is connecting to your network without authorization. So, if that's one of your neighbors, for example, you could use this tool to hunt down exactly who is behind that intrusion into your network. Or if you're at, like, an Airbnb and you're scanning and you're like, "Huh, that's an unusual device, like, I don't remember that being connected to this network," or, like, you know, maybe that manufacturer's a little suspicious, maybe it's a camera. You would be able to track down every device that's connected to the main access point by proximity and signal strength. So, this has real value as a fox hunting tool, and for, again, $1.80, it gives you the ability to find the location, or localized location, of basically any access point or any client of any access point around you. And that, I think, is super cool, because it means that there's no more mystery as to the location of one of these wifi devices. You can walk around until the signal strength spikes up and gets really, really strong and know, okay, I've found approximately where this thing is.

There's also an authentication scanner. This means that you can get different wifi devices to give up the secret of where they've been in the past. And this is research I worked on with a technique called a beacon swarm. In the previous version of the wifi deauther, you were able to create fake wifi networks, or the appearance of fake wifi networks, by sending out beacon frames. Beacon frames are basically a giant billboard that says, "Hi, I'm this wifi network, this is my name, I am on this channel and I support these various speeds." And that is why your phone, when you're in a new place, is able to tell you what wifi networks are around you. Any device that's wifi capable can put out beacon frames, and they don't need to be truthful. There's no validation, there's nothing to prove that it's actually a real wifi network. The previous version of the wifi deauther was able to create up to a hundred fake networks, and originally they were a Rick Roll. So, Stefan had programmed it to be like, never gonna give you up, never gonna- ♪ Gonna let you down ♪ ♪ Never gonna run around and desert you ♪

- And I thought that was really funny, but I was like, hmm, what if instead I programmed in 100 of the most common open wifi networks in an area? So, that's gonna be like Starbucks wifi, any, like, major chains, McDonald's wifi. First I wardrove around the Los Angeles area, I got, like, tens of thousands of wifi networks, and then I went through that list and I found the most common open wifi networks and made a list of those and started broadcasting them. And what I found is that nearby devices that had been connected to those open networks before would attempt spontaneously to connect to them.

Now this serves two important purposes. It allows me to identify where they've been in the past. Each user's experience is like a fingerprint. So, if you've been to, like, McDonald's and then, like, you know, KFC and then Motel 6 and then a couple other ones, that's probably gonna be unique to your device, and I can use that to build a fingerprint and de-anonymize devices around me by being able to track them by which open networks they've connected to in the past. So, if I find five open networks that you've connected to in the past, I can build a profile where, if I ping out those five fake networks and your device responds to all of them, I know pretty assuredly that that's you. Even though your device might be doing things like MAC address randomization and trying to hide, I can continue to track you by putting out all these fake wifi networks and paying very careful attention to which networks your individual device responds to. That also means if there's any sensitive places you've been to, let's say you're an employee at a defense contractor, let's say you've been to a strip club and you're not supposed to, if you've connected to the wifi there and somebody starts broadcasting a fake version, your phone is gonna sell you out, and the only way to prevent that is to go into your phone and delete those stored networks that are in there.

- I'm not sure about the defense contractor and then the strip club. I don't know what those have got to do with each other, but I'll take your word for it, Kody.
important thing here is if I am able to probe your device, your phone or your
laptop for open networks you've joined in the past,
that means that I can force you to basically
join that open network. 'Cause if I present a real
version of that network, not just these beacon frames that say hey, I'm a network with nothing behind it but a real network that's
possible to be joined, then I can start doing some
real interesting attacks. So, if I'm a hacker and
I have a Raspberry PI or something that like can do DNS spoofing and all this like advanced stuff, all I need to do perhaps
is probe a target device for any open network
they've joined in the past, hotel networks, guests set up networks, generic places that you would be in public like concerts, like that sort of thing. If you can find these
sorts of open networks in someone's phone, you
can force them to join that network and you
can own their data flow, which means you can redirect
them to fishing pages, you can make popups
appear on their screen. You can do all sorts of bad stuff because you own their data connection. When they try to navigate
to a website you can be like no, no, no, and then
navigate them elsewhere. If you use these attack tools together, for example like a V3 deauther
running on an ESP-8266, this super, super cheap
thing with a Raspberry PI that's capable of more advanced attacks, once you can herd someone onto
your malicious fake network, you can actually pick a device, probe it for vulnerable networks that
it's connected to in the past and then spin up that exact
network and start doing interesting attacks to find out like, what applications are they
running on their phone? Can I redirect a web request? Can I downgrade a web request and start like sending
fishing pages instead? All this stuff becomes
possible once you identify open networks that somebody's
connected to in the past. So, it's not just about
like tracking someone by which networks
they've seen in the past, it's not just about
identifying them specifically if they've maybe been
somewhere interesting like a, like they work somewhere really
important that I'm targeting or they've been somewhere that
they're not supposed to go. It's also about can I spin
up a fake malicious network and then seize control
of their data connection from whatever access
point they were on before. So, the last thing
really here that I think is cool is the rogue access point. Being able to create an
actual joinable access point. I can take the final step in this attack and initiate a fishing attack. So, this is the official
way of connecting to it. I also pushed very hard
for a demo mode so I think we probably will still have
to blur like a little bit of something but this is
what it actually looks like. If you've never heard of this, then I'm connected over serial
right now to an ESP-8266 with the V3 deauther flash to
it and I can just type "Help" and see all the various things that I'm able to access on this. Look at all the stuff you can do. One of the best commands is just chicken, which just does this to make sure that everything's working properly, and I always say this is for morale. All the other commands here
are really, really cool. So, the demo mode is supposed
to hide the Mac addresses here and make it a little easier for people that are using this for
research to show off what they're doing
without doxing themselves. But this actually does really
cool things like identifying the device by Mac address
so it can identify the hardware vendor and look
it up and present that to you. So, as the researcher or the
hacker you're able to see more information about which
device you're targeting. Is it a printer, is it a
camera, is it a HP laptop? Depending on what it is,
you're probably gonna wanna approach this a
little bit differently. You can target different types of scans so you can target on a specific channel and for now this only
covers 2.4 gigahertz. So, that's the big
limitation of all the attacks we've talked about so far is only 2.4. If your target migrates over
to a five gigahertz network, you're pretty much done. There's not really much you
can do with this attack. But let's go ahead and run a scan. So, if I wanna run a scan
and I'm not specific, it'll do a scan for access points and it will do a scan also for clients. And you can see here it's
coming up with Apple devices, a Roku device and I can also
start seeing probe requests. So, I can see the various
networks that nearby wifi clients like phones or other pieces of a wifi equipment are reaching out for. We used to have a long time ago Starlink and these devices remember that and they're still reaching
out for that Starlink network. So, if I wanted to, I could
create a fake Starlink network with the same kind of
setup as the old ones and I know that these devices
would automatically connect. So, already this scan has told me more information about
my wireless environment, which is really cool and
you can see like some of this has been like
starred out which makes it a little bit harder for
people to dox themselves. So, when I look at stations,
these are wifi clients, these are things that are
connecting to access points. I can see we have Espressif devices. So, this is actually one of the various devices we have around here. I think it's probably
one of our light setups, but I'm able to pick out
like IOT devices versus like Tp-Link devices which
would be like a router or a switch or something
versus an intel device just by looking at the MAC
address and running a scan here. So, if I'm a hacker that
wants to attack one device that leaves all the other devices alone, this means I can run a
surgical attack that all of this again is command
line is over the serial. If I'm somebody who's
graduated from you know, just using the screen
interface on the wifi deauther, I've had my like deauther
wristwatch and like I'm over it. This is a whole new world of
different attacks you can do in order to lure a device in. The wifi fishing attack that we showed before was passive and we can totally do
that on this as well. If I type "Help," so if I wanna learn more information about a specific command, in this case the access point command, I can type "Help AP" and I can see if I wanna make a specific access point I can type AP and then
add the value that I want the SSID to be or the
name of the wifi network. And then if I don't add anything else, if I don't specify the
channel or the security or anything, it'll just
be an open wifi network. And I've basically done
the exact same thing that the other, the first
tool we showed was doing 'cause this will by default
display a little fishing page. So, if I wanted to spice this up and make this not the
passive attack anymore, then what I can do is I can make this look as though it is a router that is updating and I can make an open version
of an existing wifi network and then kick everybody
off of that wifi network. In their confusion
they're gonna, you know, look to see like, why can't
I join the wifi network? Why am I being kicked off? And see an open network with the same name as the network they
were just connected to, they're, you know, router
and when they click on that, they're going to be
directed to a fishing page that says "Hey, we've
just downloaded an update, please enter your password to reboot the router and apply the update." They'll enter their password and what this will actually be able to do if I want to is have it take that
password and attempt to use it to connect to the real router, the real access point
and if it doesn't work the access point will come back and say "Sorry, that's
the wrong password." And because it seems
like this fishing page knows the difference
between the real password and a fake password, they're like, "Oh well, I'm just being paranoid. Obviously this thing is just the router, you know, applying an update or whatever and it's not like someone attacking me 'cause it knows when I
give it a fake password." I actually got a hit
by this attack one time and I was very surprised
and I typed in you know, a totally random password
and it didn't work. So, I just assumed oh,
this is really the router. But that's kind of the trick
about this attack is the ability to validate whether
or not that password was real. This is a more advanced or active way of doing the prior
attack that we just did. But by using the command line
we're able to deauthenticate devices as well as
create that fishing page. And that's really the
difference between an active and a passive fishing
attack is this active attack really pushes clients
from the safe network they were already connected
to, to this fake network by denying them the ability
to access the router or the access way they were using for work or for whatever they were doing. I love this attack
because it's so diabolical and it really does use all the abilities of this little micro controller. It's using the ability to
create that wifi interface where, you know, it
pops up a web interface and makes it look really good. It's using its ability
to send arbitrary packets to create the access point
and also to kick the user off of the access point they were on prior. This is my number one I think
underrated wifi hacking tool that people don't know about
because if you use this, for example, in
conjunction with Wire Shark on like a Raspberry PI, then we get into some really advanced attacks. What you can do is you can start out by having a device that is
an unknown wifi device, hit it with a bunch of fake networks, get it to try to connect
back with you to one of these access points
that you're advertising and then when it tries
that you can use Wire Shark to capture the hashed
version of the password that's stored inside the device. This is called a half handshake attack. In Wire Shark, when the victim device attempts to connect, I capture that, run it through a cracking
program and if the password is weak or if I just have a lot
of power behind that attack, I can get like your home wifi password or your office wifi password
just by advertising it on this little micro controller
and then listening in on a system that maybe it can't do packet injection, it can just do listening.

- Could you show us the help again? Is there a specific command to do this attack that you just mentioned?

- Yep, so the AP command is the one that creates the access point that's actually joinable and will automatically route whoever joins it to a little phishing page, and then the deauth command is the one that will kick devices off the network, so you can actually make compound commands. And if you are interested in this, we actually did an hour-long deep dive into this. It's called "Wifi Phishing for Passwords with Cheap Microcontrollers" and I believe I have here the command that I use to actually run this attack, and it is deauth and then whatever the station number is; when it does the scan, it gives you a number for each device. In this case I was attacking target number zero, the first one. Two semicolons allow you to do a compound command, so basically run two commands at the same time on this, which again is super cool and very scriptable. So, if you have an attack you really like, you can often script it with these semicolons and introduce like pauses or delays. I think it's really interesting that you can script these sorts of attacks and make them very predictable. So, in this case, yes, by using the AP and the deauth command together I can kick a device off of one network while advertising a second network. In this case it just says "fakenet," and this would have no password on it; it would just be designed to entice them into joining and thinking that their router was, you know, doing some sort of update.

- That's great. So, I'll link that video below. So, in that video you show all those commands?

- Oh yeah, it's an hour long, but don't worry, it has chapters, so if you just wanna skip to the interesting parts of getting the phishing page live, it's very easy to go through that, thanks to our editor, Michael.

- These attacks that you've shown up to this point, that's like a $1.80 thing or $4 if you bought it on Amazon. So, it's really cheap to do this, right?

- Yep, so there's a lot of different devices that will support this attack. Anything that has an ESP8266 in it and has the ability to flash to, you're pretty much good to go. Of course there's various other tools you can get that also help support us. So, if you wanna help support our content creation, we don't have a Patreon, we actually just make hardware, and our wifi nugget does in fact support the V3 deauther. Or if you wanna make this yourself, the designs are open source, however it is an absolute pain in the ass. So, good luck with that, like dedicate at least two months of pain and suffering to it. But yes, it is open source, so if you wanna make it yourself and you think that the price is too high, you can always do it yourself and find out, find out where the money goes.

- If I want to save money I can get it for $1.80 or $4 or so, but it's gonna be a bit of pain to set it up, or I can get a wifi nugget and that just makes it easier, right?

- Exactly, and what I think
is cool is like there's a dichotomy here: when you have this microcontroller, if you connect it to something like the wifi nugget that has like this screen and buttons and like all this other nice stuff, then it really means that you have the ability to use this on the go. You can plug it into your computer and, without doing any of this command line stuff, do 80% of the stuff that this can do, with the exception of the more advanced things like the phishing and like detecting what access points someone's connected to before. But if you're a researcher, if you're advanced, if you wanna like take the next step, then you can take this tool, flash it with a community project that allows you to go even further and then suddenly be able to do these advanced attacks that, you know, don't involve the screen and buttons, because frankly, like with four buttons and a tiny little screen, there's just not enough information to do some of these more dense attacks like creating the fake access point or like figuring out if someone's been to the strip club when they're not supposed to. I keep bringing that example, it's actually-

- I'm a bit worried about you, Kody. Yes.

- Yeah, like, the only time I've really run this live was, I used it as a JPL employee detector, so anytime somebody from NASA's Jet Propulsion Lab showed up it would like set off a little like light show and like do a little noise, and I thought it was, they're just like, how does it know that I work there? And then I got to do a presentation on how I was unmasking them as JPL employees. So, I've never actually used it for that, but I do use that example a lot 'cause I think it's funny. It's like a common man example where they're like, well, I've never been anywhere people would, you know, worry about, and it was like, wait, I did connect to that strip club network that one time.

- Tell me, do you have videos covering the wifi nugget? 'Cause we kind of spoke about it in high level terms, but do you have like detailed videos showing like a whole bunch of these attacks, or is it on Hak5? Where can people find stuff? I'll put links below, but if you can just tell us where, you know, where, if you've got videos going through the different attacks.

- Hak5 is the best place to go for videos on the wifi nugget and the USB nugget, also sometimes called the rubber nugget. That's where we put out our tutorial style videos. They're the best way to get introduced to most of these topics 'cause they're like an eight to 10 minute long video on how to get started, get set up on one of these projects from basically square one. If you are freshly getting a wifi nugget or if you wanna see what they're capable of, I highly recommend Hak5 as your source. We've done a couple streams where we cover the nugget, but they're much longer. So, if you're somebody that wants to just, you know, get to the features and like see how they work and see how long it takes to get set up, then we have plenty of different projects that do involve the nugget on Hak5.

- So, now let's take it a step up.

(energetic music)

- This setup is a Raspberry
Pi 400, which is basically just a Raspberry Pi crammed into a keyboard, and I've also attached a gaming mouse. My biggest complaint about the Raspberry Pi 400 is it doesn't come with a track pad, so you cannot use it just by itself with an operating system on it unless you wanna just do command line only. I think you can actually find the Raspberry Pi 400 still available, but a big disadvantage besides the lack of a track pad is the fact that it doesn't support native wifi capture or any of the monitor mode things you would want to do for wifi hacking. So, a lot of the other Raspberry Pis do, it's just that it is harder to find them right now. So, I'm using an example that does not support wifi capture with the Nexmon driver, which typically allows anything, even including the Raspberry Pi Zero W, to put itself into monitor mode and do some really interesting, cool things. I'm going to be using an external wireless network adapter, as you mentioned a lot of people will, so that way you can have any sort of Linux device that has a USB port and follow along, provided that you can put that wireless network adapter into monitor mode. Today I'm gonna be using a Panda Wireless, it's a PAU09. This I like because it is not subtle at all. I have actually been almost kicked out of a coworking space because I was using this plus another wireless network adapter that looked equally conspicuous, and some tech bro sitting next to me ratted me out for using too many wireless network adapters and thought I was up to some sort of hacking. So, I actually had to talk to the person at the coworking space and explain myself over this thing. So, if you are looking to go with a subtle option, this is not it. If you are looking for a dual band, meaning 2.4 gigahertz and five gigahertz, wireless network adapter that has two antennas that you can also plug into like a directional antenna, like a parabolic grid or like a panel antenna in order to track devices down, this is absolutely it. The versatility of this tool I think is really great because, you know, it hits both the five gigahertz and the 2.4, people ask for that a lot, and it also has the ability to attach the directional antennas, which people also ask for all the time. So, I would say this is probably one of my favorite like low cost wireless network adapters that I would not really mind if it got smashed, because it's very cheap. While I prefer Alfa Wireless for a lot of reasons, this is one that I use as like a kind of a throwaway device that I throw in my luggage so often that it's what I'm gonna be using today, because the drivers are actually really good for it and it allows you to just kind of get started with a plug and play sort of deal. So, I'm gonna plug it in, so it's plugged in, very subtle, and I am using Manjaro. It's an Arch based operating system that you can run on the Raspberry Pi if you want to completely stay out of the fight of whether Kali, Ubuntu or Raspberry Pi OS are the best operating system for the Raspberry Pi. I hate that fight. So, I decided to pick something that was like relatively obscure, but I find I actually love my experience with Manjaro on a Raspberry Pi. It generally works pretty well for all the things I need to do. I can run attacks on it when I'm doing simulations and it tends to be very, very stable. The only thing is it is Arch based, so the package manager is different, it's pacman instead of like apt, and there's a couple other things you need to get used to as well. Linux commands will work, you know, pretty universally, again except for the installing commands for just about anything, and most of the tools I'm gonna cover today are very easy to install. The first one that I wanna
kind of show is Kismet. So, Kismet has gone through multiple evolutions and it's something that is like I would consider to be like a wireless intelligence or like a signals intelligence platform that lets you get very interesting information about wireless devices around you. So, it also has a number of built-in like alerts that are looking for very common wifi attacks. So, as a signals intelligence tool, it is also capable of war driving. So, if you're running Kismet and you add a GPS unit, then boom, you suddenly have the ability to record everything on a very minute scale. So, that means you can record Bluetooth devices, you can record people's, you know, wifi clients like their cell phones and stuff. Whereas there is a way to do this with the devices we were talking about before, the microcontrollers, it just means that you're typically not able to record as much detail about these sorts of devices. So, it is possible to do war driving on a smaller platform, but I find that Kismet really shines because there's built-in analytics and you can really drill down on what a specific device is doing.

- Would you use a Raspberry Pi as you're doing war driving, or would you just take your Mac, or?

- Ah, depends on the platform. So, if I'm war flying then, Alex and I recently did a video on how you can use an ESP8266 and like a $3 little GPS unit that's connected to it plus an SD card to fly around and do war driving. And we were actually able to geolocate a single person's device as they were walking around like a really big park.

- When you say flying around, are you in a plane or are you in a drone? What do you mean?

- Yeah, so a little DJI Mini 2 is what we're flying around with, and being able to attach like a super, super small device to the bottom of that and fly around is really, really cool. But you don't get as much detail as you would with the Raspberry Pi. So, if I was driving around, I would say a Raspberry Pi combined with the USB GPS unit is by far the easiest way to get started with war driving. There's no like soldering or attaching the way that you would with our little like drone flying thing. So, for a beginner, a Raspberry Pi with just a very, very simple, very cheap USB based GPS unit is the easiest thing to do. The Raspberry Pi typically supports Bluetooth as well, which means that you can also start doing things like tracking vehicles by, you know, their, they're connecting Bluetooth, or some of these other things that are very easy to track but a little microcontroller wouldn't be able to do.

- You said you got videos on those topics, right?

- Yep, we have videos on using the microcontroller to do war flying and actually track the location of a device. And we also have using a Raspberry Pi as a war driving or war flying tool. The main Raspberry Pis you would see, like the Raspberry Pi 3, Raspberry Pi 4, like they will support just having their own internal card go into monitor mode and do a lot of the attacks we're gonna cover today. But the Raspberry Pi 400 doesn't, which is another reason why I don't like it that much, but we're using it as an example today. So, let's go ahead and first take a look at the wireless cards that are available. I can use ip a, or I actually prefer ifconfig. We can see that we have the internal wlan0, but we also have the one that we just plugged in. So, I'm gonna take this, I'm gonna copy it, I'm gonna do sudo airmon-ng start and then paste. And what I'm doing here is I'm taking the wireless network adapter and I'm putting it into monitor mode. So, it's gonna stop listening
for wireless networks to join and instead it's gonna do what I say to do. All right, this is now in the proper mode, so we can do sudo kismet, and it's gonna hate that. It doesn't like it when you sudo it, but I like to sudo things because I like them to work when we do demos. So, that's what we're gonna do. For anybody who's used to the old version of Kismet, it was command line only. So, like a big string of like kind of characters would be kind of going through. But that's not the way it works anymore. Now it has a web interface, and that web interface is really cool and interesting. We're gonna try to open it up on the Raspberry Pi, but actually, if I don't want to, there's a very cool trick here that I kind of wanna show off. Let me see if I can do that. So, if I do ifconfig again, I can see that I am actually connected over the internet here. So, if I were to type in "192.168.0.200" and then this port over here, I could actually access this from any different device on the same network. So, if I have my Raspberry Pi running and doing capturing and stuff and it's being slow, like my Raspberry Pi is being slow, I can go over to my macOS system, and if I go to Firefox, go to 192.168.0.200 and then the port number 2501, boom, look at that. So, I'm actually accessing my Raspberry Pi over the network through this really clean web interface. So, let's go ahead and add a source so that we can actually start pulling data. So, I'm gonna go to the menu here, I'm going to go to Data Sources, and then I should have a bunch of built-in data sources that I can just start capturing from. Let's do something weird. So, we have some available interfaces like Bluetooth. So, that's one that I wasn't even planning on capturing, but if we enable the source, so it's now starting to display things. I'm gonna show all devices and I can see these are all Bluetooth devices; it's actually picking up the names of some of them. It's attempting to identify the manufacturer, and I can zoom in to see more individual information, and if I wanna click on one of these Bluetooth devices, I can click on them and see more information about it. You know, like I can see it's made by Ubiquiti, its type is BTLE, I can see the channel, the frequency, all this interesting stuff as well as a packet graph. It's a really interesting way of being able to take a peek into the wireless spectrum. So, right now we're just looking at Bluetooth. Let's go ahead and add wifi as well. So, I'm gonna go to the data sources and we're gonna select our wireless network adapter that we just put into monitor mode. I'm gonna select this, I'm gonna click Enable Source, and then boom, we now have tons of wifi data that's coming in, and I'm going to start filtering this for just wifi so we can just see things that are more relevant. Now we have wifi access points and these are all graphed in ways that we can make customized. So, if I wanna see only things that are very close to us, I can do the sorting by signal strength and see, oh, this is outside, this is my outside project that's broadcasting the current temperature as a wifi network, and I'm able to see that that's relatively close by signal strength, and I can see that that's made by Espressif, which is the microcontroller I'm using to run this project in our backyard. So, I'm able to very quickly learn information that, okay, it's not connected to another access point, it's its own client, it doesn't have security, it is using an Espressif microcontroller to make it. That's a lot of information to be able to get from just starting up your wifi card and listening in. So, as we get to the more complicated things, we can look at some of these networks that are being broadcast and
start learning about them. So, if I choose to click on one of these networks here, I can learn more information about it. So, I can see the channel that they're on, I can see how much data they're exchanging, and I'll click on this one and I can see it's called Nexus V. I can see information about what frequency it's on, but if I click on Wifi, this is where things start getting kind of cool, so I can see that it's probed for other SSIDs. So, it's looked around for other networks. I can see it has a fingerprint for its beacons, and right now it looks like there are associated clients. This means that I can basically see that there's shared hardware uptime. So, that means that this is actually broadcasting two access points at the same time from the same device. So, that's actually true. This is a router that's broadcasting on two different antennas. So, that's really cool that I can group together two access points that might actually be different by studying their packet uptime. So, what this means, and there's a little question mark here that explains it, is wifi access points advertise a high precision timestamp in beacons; multiple devices with similar timestamps are typically part of the same physical access point. That could be multiple different like wifi names, but it's actually the same router that's broadcasting them, and that's really cool that you can use this tool to identify that. So, then we can see associated clients, so we can see every device that is currently connected to that access point and we can see what it is. So, we can see an Intel Corporation device, we can see a Vizio, we can see another Intel, and we can then break out and start analyzing any of these individual networks that we wanna learn more about. Let's say that we want to learn more about, as I keep going through these, oh, an Apple device. Yeah, let's see this. So, we now have identified an Apple device and I wanna know more about this Apple device that is connected to our Nexus V network. So, I'm gonna click on client details and it opens up a new window that lets me start probing into what this client has been up to. So, I can also go here and see different access points that it has joined in the past. So, I can see here it's actually a member of two different networks. It has switched between these two different access points in the past. So, I know that this individual Apple device has the password for both of these networks stored inside of it 'cause it's been observed connecting to both of them. Isn't that crazy? That like as somebody,

- Just like a-

- That, yeah, you can just see into this invisible spectrum and start understanding the relationships between these different clients and access points. So, instead of just having like it all via text and trying to like see which ones line up with which ones, this makes it so much of a more rich interface to understand that sort of thing. It also comes with alerts, and this is where you can see, for example, alerts about like a Hak5 product running nearby. I scared myself so badly using Kismet one time when I plugged in a wifi pineapple and it automatically started running a Karma attack, because that's one of the attacks that this automatically detects. So, currently it's just telling me like you shouldn't use this as root, I told you it would complain, but if I actually start running an attack then I should be able to detect it using Kismet and get an alert that something sketchy is happening. So, I'm gonna take the wifi
nugget, and what I'm gonna do is I'm gonna target one of these networks, first by scanning and then by selecting the access point, and I'm going to start kicking a specific device off of the network. Now if Kismet's doing its job, it should generate an alert and tell me that some nefarious activity is going on, unknown attack is underway. So, let's say I'm some kid that has a deauther wristwatch. I've selected an access point to attack and I am now gonna go for it. So, I've selected the attack, I have deauthentication selected and I'm firing. So, at this point I'm sending deauthentication attacks and this is very noisy. This is an attack that's super easy for most people to detect because it involves sending a bunch of like packets that are not typically exchanged in a network if everything is going fine. There we go. We got an alert. So, that didn't take very long. Access point, blah blah blah, broadcast deauthentication or disassociation of all clients. Either an AP is shutting down or this is indicative of a possible denial of service attack. That's 'cause it is. I am denying service. So, let's go ahead and try another one. I'm gonna start trying a beacon frame attack. So, what that's gonna do is it is actually going to broadcast a bunch of different access points all from the same MAC. Well, it actually might not do it from the same MAC address, but it's gonna broadcast a bunch of fake access points, and let's see if maybe Kismet is able to detect it. Now this is typically able to detect like a wifi pineapple that's doing the same type of behavior. But in this case I believe that this program is designed to create a new fake MAC address for every fake network. And that will probably get around the alerts here, which, I don't see an alert. So, I think that we're flying under the radar here, even though, as you can see, never gonna give you up, never gonna say goodbye.

♪ Never gonna run around and desert you ♪

These are obviously fake networks that we're creating, and Kismet isn't really sure that these are fake networks because they all have a different MAC address. This attack looks like it's going pretty well and we're able to make it pretty convincing that Kismet's not able to see what's going on. But we were able to prove pretty definitively that Kismet can detect some of these common attacks like the deauthentication attack. And that's what that alert right here was talking about. So, very cool to see Kismet being on top of these sorts of attacks. So, if you're curious that maybe your neighbor or something is attacking you, you could very quickly see whether or not you were really under attack by running Kismet on a Raspberry Pi. And like I said, I'm on my MacBook Pro connected over the same network, just looking at this over a browser. So, that's really how far these sorts of signals intelligence platforms have come.

- Kismet can also do attacks, right?

- No, Kismet is completely passive.

- Okay. So, Kismet is best described as like, a passive signals intelligence platform that allows you to see relationships and some types of attacks in progress. Although it, so it can do a lot, but it is not an active platform, meaning it's not actually sending out any packets in order to do what it does, which is great because if you're somebody who's worried about getting caught running Kismet, for example, on a Raspberry Pi while you're walking through like a sensitive area, it's not gonna be detected because the Raspberry Pi isn't putting out any packets.

- So, it's just passively listening.

- Exactly, exactly.

- I think a lot of people will be interested in seeing how to attack. So, have you got like another tool up your sleeve that can show us how to attack?

- Yeah, so all right. The next tool that we're going to focus on is an offensive tool.

(energetic music)

We are going to run a
tool called Airgeddon. It's a framework that allows you to use all these cool wifi hacking tools and techniques that are out there without actually needing to do the command line work on pretty much any of them. It's something that allows you to very, very easily kind of like fill in the form depending on what kind of attack you want to use. And it is so beginner friendly. I really like it for doing all sorts of demonstrations. So, this is alien themed, and it's important to know that because the person who made it is very consistent and particular. You'll see the alien theme pretty consistently throughout this entire program, and I think it's really funny. The easiest way to do this is just install it via like snap or apt install or pacman install if you're on Kali or something else that has all the offensive sources installed. It's really easy to install because it's been around so long that it's been added to these repositories, although it has a lot of dependencies because it's just using these tools that are very well established, like Hashcat and some of the other things that you would have experience with if you've been working with wifi hacking stuff. So, let's show it off and see what exactly it looks like. Just do sudo airgeddon and boom, we're into our first spaceship. There will be more. So, it's gonna do a quick scan and try to detect the resolution. In this case it can't find it. It'll try to find out what I'm on, and it sees that I'm on Arch Linux, and I'm gonna press Enter in order for it to go through and identify every different sub tool that it's going to need to have installed in order to do its job. So, this is where the first list is things you have to have and the second list is optional tools. In this case I worked very hard and long into the night to get all of these to say okay before this presentation; the typical installation will have most of the required things but not very many of the optional tools, which allow you to do some of these really interesting and cool attacks. So, if you want to get this fully working, you're gonna have to go through and, you know, apt install tshark, apt install mdk4 or some of these other ones you see on the screen in order to get everything working the way that you see I have it working, but let's go through and see what happens next. So, we already put our card into monitor mode; we can see that that is card number four. So, I'm gonna select that as the card we're working with, and this is really cool 'cause you can just go through this process, you know, select the card you wanna work with and then select the attack you want. It's very, very easy, very straightforward, it works the same for virtually any attack flow that you're working on. So, here we go. We have our main attack window. We can select a different network interface if we messed it up, we can put our interface into monitor mode if it's not already, or we can put our interface into managed mode. So, if I wanted to switch this over so it can connect to a wifi network again, I can select option three and boom, we have it back into the standard mode that it starts out in. So, then we have our denial of service attack menu, which is where we can decide if we want to basically jam, do a protocol based jamming attack on someone's wifi network by sending deauthentication or disassociation attacks
that go to option number four. We can see the complete list here, and we can see we can do amok in mdk4, which is a script that I've previously downloaded. And what this is doing is basically pre-formatting the command lines that you need in order to run these tools and then running them under the script. So, it's basically an organizing script that has all these tools installed and will run them for you depending on this very user friendly kind of questionnaire that it leads you through. So, we can do the deauthentication/disassociation, the deauth aireplay, the WIDS/WIPS/WDS confusion attack. Those are the ones that tend to work. And then we have the not very effective attacks like the beacon flood attack, the Auth DoS attack and the Michael shutdown exploitation attack, which I have to point out has nothing to do with our editor Michael, I'm sorry Michael. So, those are all the deauthentication attacks. And of course these will light up Kismet like a Christmas tree. So, if you start using any of these you can expect to be discovered in pretty short order just because, yeah, they are not quiet attacks. All right, so if I press zero then I can go back to the main menu, and I can see we have some offline like cracking attacks for once we go grab a handshake. But we need to grab a handshake in order to do that. So, if we wanna see how one of these works, we can do a standard handshake grabbing attack: we press five and we can see if we wanna do it via PMKID or handshake. The value of a PMKID attack is that we can grab a wifi network's handshake without actually needing a client present. So, let's go ahead and try that one because it's by far the easiest one to do. And if that doesn't work, we can always do a standard handshake capture, but that means a client needs to be present for us to deauthenticate, and often that's not the case, which is no fun. All right, so here we are exploring for targets. So, what it's going to do is quickly look around and attempt to find any access points or any clients that we can target with this attack. And once it is done with that, then we'll be able to select one. So, I'm gonna press Control C. All right, we now have a list of various access points that we can attack. There's one that's marked with an asterisk and it's called Michael's Net. I'm gonna attack that one because the asterisk means that it would be a very easy network for us to attack and get a client handshake from. If I select option number seven and then press Enter, it will confirm that I have a valid target and confirm that I have the attack ready to go. I'll press Enter again in order to enter a timeout for when the script should stop attacking. I'm gonna say 25 seconds and then I should be able to press Enter to begin the PMKID attack. So, we see this little tiny window open up in the side; it is now executing the attack, and of course like this is part of another script. So, this script is just controlling, you know, a PMKID based attack that I've also had installed. And the value here is that it's doing it for me. You know, it looks great, it looks as though it is doing a good job at attempting the attack without any intervention once I put in the necessary information. So, what this is really
doing is just walking you through each step and
making sure that you know, you get a pretty good shot at grabbing it. In this case, we failed. So, if that is the case
and we did in fact fail, we can go back and we can
attempt a handshake capture, we can see it's actually
auto selected the target. So, now it's still up at the top. I don't need to go through
the process of selecting the target again unless
I wanna change targets. So, if I wanna do a
handshake capture instead, I can try number six because
our PMKID attack didn't work. I can say I want to do a
deauthentication attack against it. So, I'll select option number one. That's the actual tool
we're gonna be using in order to kick devices
off of that network. And we'll use a timeout
of 25 seconds again. So, we're gonna press Enter,
we'll see some windows pop up. It's going to start listening
and attacking simultaneously. And this is the attack that I love to do if people are looking over my shoulder, it looks very scary to
have all these like, like red and white
windows be like popping up and attempting to do things. It's gonna run for about 25 seconds and if it doesn't get a handshake then that's okay, it's served its purpose. But anyway, so this is the process that you go through in
order to use Airgeddon to launch an attack like
grabbing a handshake. And once we have that handshake we could then select another tool in the module. - You said that you installed
stuff in the background. Those are the like the
required and optional stuff that it was saying "Okay, okay, okay," to. Is that right?
- Exactly, yeah. So, it'll tell you what
the name of the package that needs to be installed is, in general, that is the best way to
go through and make sure all the installed things are present before running and doing any
of the more advanced attacks. So, it looks like it actually
worked, it was just lagging. So, I'm gonna press no to not cancel, I'm going to write it actually did get a handshake look at that. So, that's great. I'm gonna press Enter to
accept the default script and we can see that we
now have a valid handshake and I can go back to the main menu. So, just like that we were
able to capture a handshake on this network and if I wanted to do an offline decryption of the
password, I can press six. We can see that we have the
handshake file already selected. Now I would need to have a password list. We have a number of
different options of how we can attack this, since
I've installed all of them, we can do a dictionary attacks or we can do a rules based attack. Rules based attacks allow
you to generate passwords, we're not gonna try that. So, we're gonna select option one 'cause I know that's installed and works. We're going to use the
selected capture file and then it's going to ask for the
path to a dictionary file. So, if I have a dictionary
file, what I can do is just drop the text file that I want to run the attack with in here. So, I'm gonna take the
top 4,800 passwords, I'm going to extract this password list and then that is what
I will be feeding into this script here in order
to do a very standard password cracking attack
against this network. And I'm assuming this network
has a crazy hard password so it's not going to be able to get it, but that's okay because it still shows the way that this works. So, I'm going to extract it, I'm gonna show the files
and then I'm gonna drag and drop it into the terminal window. All right, there we go. So, just like that super
easy we were able to drag and drop a list of 4,800 probable
passwords into the script. We're gonna press Enter to
start it going and look at that. Just within this tool we've
been able to grab a handshake and then throw it into Aircrack-ng
and use a password list I previously downloaded
to attempt to get it. Now we didn't get this password because this is Michael's Net. It's just not gonna be some easy password, I'm sure it's something super hard that he's never used anywhere else before. So, we're not gonna actually try to go any further with
this particular network. (energetic music) I'm gonna go with option number seven in order to access the
evil twin attack menu. Now there's a number of
different options here, but we are going to go
with my all time favorite and that is option number nine. Now this will make someone
think that their access point is malfunctioning and it'll
spawn up an access point with the exact same name but no password. When the victim connects,
they will be presented with a screen that makes
it look like their router is undergoing an update and if they put in the wrong password it will continue to deny them access to their old network. It'll only allow them to get back online when they put in the correct password. First, we're going to select option nine and perform an exploration where we start looking for different
targets to attack. We'll need to be looking in particular for different networks that have somebody actually on them because
nobody can type in the password to our rogue
access point if nobody's actually using the
internet on this network. So, I'm gonna let this
go for a little bit here and I can also see more information about the different networks that are being detected if I want
to expand this window. But when it's done, what I can do is press the X up here in order to generate a list of all the different networks
that I've discovered. - [Narrator] A few moments later. - [Kody] Okay, now I can see at number 12 there's an option called
Mytesty and I think that is the network that we are
going to be attacking today. So, I'm selecting option
number 12 and the first thing it's going to ask is whether or not I want to attack it in a variety
of different ways. And in this case I'm
gonna select option one, which is going to be
doing a deauthentication and disassociation attack
using a tool called MDK4. The second option is whether or not I want to do denial of service pursuit mode. So, that means that if this
network starts changing channels to try to avoid me, I
can actually follow it. And for the demo I'm gonna select no, but this is a very handy option. Next up it's gonna ask
me if I want to spoof my MAC address and if I
want to hide my identity, this is a really good
idea, but in this case I'm not going to do it just
for the simplicity of the demo. Now it's asking us whether or not we have a handshake file for our target. This is important because if they give us the wrong password, we
won't know otherwise. So, this is what I think
makes this script so advanced, the ability to grab and
compare to this handshake while the victim is putting in passwords. I'm going to select N because
I don't have a handshake yet, I'll have to select a value in seconds for how long I want this to run. So, I'm gonna select
about, let's say 25 seconds and then it is going to
attempt to grab a handshake from kicking the device
off that is currently on this network, which
is actually my computer. It looks like it's got a handshake I can see over in the
corner, so that's good news. This attack is now underway
and I've gained the ability to verify whether my victim is giving me the correct password
when I phish them later. So, I've got a little
congratulations here. I can press Enter to save
that handshake and then I can press Enter again in order
to proceed to the next step. And this is interesting
because it's set to channel 44, which is a five gigahertz network channel. So, we are actually attacking a five gigahertz network channel right now. So, a little bit of five
gigahertz hacking right here. The path is valid, I
have write permissions, I can continue with the script
and now the real fun begins. This script gives me the ability to select any language I want to
attempt to phish my victim. So, depending where I am, I might wanna select maybe
Portuguese if I'm in Brazil or maybe I want French if I'm in France, it's really up to you. So, I'm gonna go ahead and select English 'cause I'm gonna be boring today. I'm gonna press Enter and this is going to kick off a flurry of activity. Lots of windows are going to
be opened and we're gonna see all sorts of reactions and
such as soon as I put this up. So, let's go ahead and see what happens. It's going to open all these windows. I feel very cool and
hacker-ish every time I do this because it has to create an access point, manage the access point and everything that happens when a client connects to it and then start a deauthentication attack, which is going to absolutely decimate the wifi for anybody who is using Mytesty. So, on my victim computer,
I am now kicked off of Mytesty, I cannot join
it, something is wrong. But I can also see that
there is an access point, an open access point
that has the same name. So, I'm gonna go ahead and
connect to that access point and we're gonna see exactly
what happens when I do that on the screen of
our hacking computer. Okay, we can see that we've
got some activity here and in fact on my victim
device I am now seeing wireless network Mytesty, enter your wireless network password
to get internet access. This is a pretty simple phishing page, there's not a lot of fanciness here, but as a victim I'm gonna go ahead and type in something wrong. So, I'm just gonna type in some gibberish and then I'm going to hit Submit and let's see what happens
on our attacker computer. When the victim is just
giving you a random password, the password is incorrect,
redirecting to the main screen. So, it actually knew this, it was able to figure out that this
was the wrong password. Let's say I've given up, alright, that convinced me this
thing actually is my router. It knows when I give it the fake password. So, I'm gonna put in the real
one. Let's see what happens. The password is correct, the connection will be reestablished. Oh, and then the network shuts down. I'm redirected back to my old connection and I'm able to connect normally. And just like that I can see here that I've managed to gain the password, which is password123. I managed to successfully get the password for this network and I was able to do that by just actually like
kind of listening here while presenting a situation
that seemed likely. And that was all it took
to convince someone who'd been kicked off of their
network from accepting that, hey, my router is just doing this update, it needs my help in order
to improve the security. And it even has that
special advanced twist where if a victim gets wise to the attack and tries to put in a wrong
password or a fake password, the script is so smart it will be able to tell the difference
between the real password and the fake one by
grabbing a wifi handshake in advance and having it ready to compare. So, we'll try an evil twin
AP attack with sniffing. So, this is gonna be a
much more simple attack, creates a fake access
point and then allows you to sniff on that access
point by doing DNS spoofing. So, we're gonna select option number six. So, we're going to kick the victim off of the real network while
we set up this fake one. So, rather than just relying on somebody getting curious
about a wifi network, we're actually gonna kick
them off the old one. So, we'll select option number one for a disassociation attack. We are going to also be able to do denial of service pursuit mode, which means if a device starts switching
over to other networks, we can follow it by
tracking its MAC address. So, yeah, hell yeah. If it starts running from us, we're gonna track it and start
attacking it persistently. We're going to select
our adapter that is going to be used to host an
access point as well. This card is being put into monitor mode and we need another interface
with internet access and this is necessary for allowing kind of like a pass through. So, I'm gonna select the ethernet 'cause we're plugged into ethernet. And again this is going to be
acting as an evil twin network that's like sniffing for
like what the user is doing. So, we're providing them a
real internet connection but we are also trying to sneakily
watch over their shoulder. Here we have a summary of
everything that's going on. We are attacking the SSID Michael's Net. The card is in monitor mode,
we are on DoS pursuit mode, which means we'll be able
to like track it around, let's see if this actually works. So, sometimes it'll also
ask us if we were doing like a phishing attack, whether
we want a specific language. So, that is a feature that you
can do here if you're looking to attack like people
who don't specifically speak English within the Airgeddon suite. Unfortunately, of course
it's not working this time, but let's go ahead and try to
also spoof our MAC address. We're going to store a file
with any captured passwords and confirm that this is
where we wanna save it. The thing that I don't
like about Airgeddon is it asks you so many damned questions. You know, like it's really
like it's persistent about like checking and
making sure and here we have all right, multiple
windows are gonna be open, the attack's ready and then
when you're done press Enter on this window and the script
will automatically close. So, we're gonna try a kind
of like a phishing attack and boom, it has hard
crashed, battery subscript, and it has completely failed. So, as you can see, Airgeddon
sometimes has issues when you're trying more
complicated attacks. What it was trying to do
there was like start up an access point and then
do DNS spoofing on it and then like listening in on everything while routing everything
through the legitimate traffic and the poor little Raspberry
Pi just couldn't handle it. Or alternatively, Airgeddon
just needs to be updated. Again, the script is like quite old, but you can see that there's a variety of different things that'll work on it. With one last one being the
one that I wanna show off. So, let me show one
that's a little cooler. So, if this is installed correctly, this is probably the fastest attack that you can execute that can possibly get you a password on a
Raspberry Pi running Airgeddon. So, running back through
this really quickly, yes, I still have everything installed. It's gonna ask me what card I want to use. We're gonna use the one we've put into, well that was previously in monitor mode. I'm going to put it into monitor again by selecting option number two. And this time we're going to be looking at a pixie dust attack. So, option number eight
is the WPS attack menu. WPS is a convenience feature
that is baked into a lot of wifi routers that can be
inherently vulnerable in ways that allow an attacker to
break in in a matter of seconds. So, what we're going to do is
perform a quick network scan and try to identify some
targets here and see if any of them might be
vulnerable to this attack. Let's go ahead and press Enter. It's gonna go ahead and start scanning and looking for any
vendors that are vulnerable to the WPS setup pin attack. And once we get that
list we can select one of them and try launching this. Now I would say about
between 40 and 60% of routers are vulnerable to this
attack depending on location. If you're in an area that has a lot of very recently updated
or recently issued routers from an internet service provider, it'll probably be disabled. If they haven't been
refreshed in quite some time, this attack will probably be valid. So, I'm gonna go ahead and press Control C in order to move on to the next step. And I can see we have a
number of different targets that might be vulnerable to this attack. So, I'm going to select
the one with the strongest signal strength and it looks
like it's a direct wifi network from a like a printer
or something like that. So, we're going to an attempt
an attack here using first, we're gonna try the pixie
dust attack using Bully. So, we can use Bully or Reaver. We'll probably try both
and see if they work. So, we're going to go ahead and set a timeout for maybe 30 seconds. We're going to set a path to store the saved passwords if
we do manage to get it and we can see all parameters are set. Let's start the attack. So, this little red script will come out, we can see there's data being
exchanged with the router and if this data exchange
leaks critical information, and this is actually
via bad randomization, the developers here picked
all zeros as a random seed when they were making this program. So, if that is the case, then we can use that bad
random seed to actually guess the password based on what's
being exchanged right here. So, this attack again typically works very quickly if it's going to work. So, my indication is it might
not work on this target. So, our options then are we've, all right, so we've timed out on this one, we can see that it is not going to work. So, press Control C or just
press Enter here to end the attack and we can then
select a different method. Okay, so when we select the Reaver attack, we can try the WPS pixie
attack from a different program and sometimes I'll find that
it works better or not at all on one where it'll completely
work around the other. So, it's always worth
trying both attack methods. So, if we're able to
successfully launch this attack, then when it runs, it will be
able to retrieve the password, which allows us access to the router. And basically if we get this pin, no matter what the user does, changes the router password or tries to kick us out, it will not work. We will always be able to log
in with this hard coded pin that is literally on the
bottom of the router. Now it is actually possible
to disable this by going into the settings and making
sure that it is turned off. But often I found the
different routers will say that they've disabled this
pin but not actually do it, which means a hacker could
still get access even if you changed the password repeatedly. For the amount of time and the
sophistication of this attack I would say this is
probably the best attack out there for quickly
getting a wifi password via just straight up hacking. But I would say for
investment it would probably be not as effective all the time versus something like a phishing attack, which over time will have a
much more positive result. - That's brilliant, Kody. I know demos are so hard and I mean, we've edited the video
to, like, hide some of the hassle that you've gone through. And I mean, I know you stayed up to like 4:00 AM to get this demo done. So, just from me and the,
you know, my point of view, I just really wanna thank
you for putting this together and making it easy for us the
audience just to watch you. You make it look so easy
and I know it's not. - Yeah, I love wifi hacking tools and I've been working
with them for a long time. A lot of them do have downsides
like Airgeddon managed to crash the Raspberry Pi
when it was totally fine running Kismet and some other tools, I've even run Wireshark
on this Raspberry Pi and it's worked just fine. So, there's definitely
some trade offs here when it comes to some of
these wifi hacking tools. But some of the more
advanced ones that typically would be run on like a,
yeah, a laptop bare metal, like Airgeddon will definitely
suffer in performance when they're done on a low cost
device like a Raspberry Pi. So, I appreciate everybody sitting through these demonstrations and also,
you know, opening your mind to what's possible with
these low cost devices, even though again they
definitely have some trade offs compared to a speedy laptop
with a lot of horsepower that's able to do these
same things a lot faster. - That's brilliant, Kody. Just wanna say thanks and you know, appreciate you spending
all this time with us. Please go and follow Kody on Twitter. Please subscribe to his YouTube channel. Kody, thanks so much. - Absolutely. Pleasure to be here and
I hope I'll be back soon. (energetic music)