- In this video I'm gonna show you how to use airmon-ng to discover wireless networks around you. Then I'm gonna show you how to deauthenticate clients from a specific wireless network so that you can capture the four-way handshake, open up the four-way handshake within Wireshark, but also decrypt or hack the WiFi password. Now before we continue, please consider subscribing to my YouTube channel if you enjoy this type of technical hacking content. I cover a whole bunch of hacks on my YouTube channel and a whole bunch of other technical information. So please consider subscribing to my YouTube channel, please like this video if you enjoy the content, and click on the bell to get notifications. Okay, let's get started.

(upbeat music)

Now the first thing you need is a WiFi network adapter that supports monitor mode. I often get asked the question, why can't I just use my built-in WiFi adapter? And you could, if it supports monitor mode and injection mode. But this is my recommended, one of my recommended WiFi network adapters. It's an Alfa network adapter. I recommend this WiFi adapter because it works seamlessly with Kali. Please note that Alfa are not sponsoring me to say that, this is just one of the WiFi network adapters that I find really useful.

Okay, so the first thing you need is a WiFi network adapter. In this example, I'm using Kali Linux, or Kali Linux if you prefer, within a virtual machine running on this Windows 10 laptop. Now you could run Kali natively if you preferred, but in this example I'm simply running it within a virtual machine on Windows. First thing you need to do is plug in the WiFi network adapter. Okay, so now that it's plugged in, I'm asked by VMware where do I wanna connect it? In my example, I wanna connect it to the Kali virtual machine. Now in a separate video which I've linked here and below, I showed you how to get Kali up and running within VMware Player, that's what I'm using here. So if you don't have Kali Linux installed and running, then have a look at that video.

Now that the network adapter's plugged in, I'm gonna open up a terminal window and I'm gonna use the command ip address to see IP addresses and interfaces on this virtual machine. This is what we wanna see, we've got a wireless LAN adapter. At the moment the state is down, but it's important that we see a WiFi network adapter. You can also use the command iwconfig if you prefer, and that shows us that we have a WiFi network adapter, at the moment the mode is managed. We're gonna change that to monitor mode in a moment, but the first thing you wanna make sure is that you've got a WiFi network adapter that's recognized by Kali.

Next thing we need is a WiFi network to attack. So for this demonstration I've got a TP-Link router which I've purchased. This is a TP-Link router that I'm gonna use simply for demonstration purposes. So this is a network that I own, I'm not attacking someone else's network. Please do not use the information that I'm sharing in this video for non-ethical purposes. What I'm sharing here is for educational purposes only, I have to say this, otherwise I get into trouble. So please bear with me. Only use this for ethical hacking purposes, only attack networks that you own or have permission to attack. Once again, I'm attacking my own network here for demonstration and educational purposes only.

Okay, so once again, iwconfig shows us that a WiFi adapter is connected. What I will show you here is I do have this release of Kali. So cat /etc/os-release shows me that I'm using Kali 2020.4. You could also use uname -a to see details of the Linux version. So once again I'm using Kali in this example.

Okay, so the next step is to run sudo, that gives us root privileges. We're gonna use airmon-ng to check for any conflicting processes and kill them. We can see that this process was killed. Now, in your example, you may see a whole bunch of other processes that get discovered and get killed, and that's fine. Just make sure that you type this command so that you don't have any conflicting processes that interfere with what we're trying to do. Now to make this easier for you, I've put all the commands below this video. So if you wanna follow along with what I'm doing, then please watch the full video. But if you need the commands as a reference, I've put them below.

Okay, so once again, iwconfig shows us that the wireless network interface is in managed mode, but what we wanna do is put it into monitor mode by using the command sudo airmon-ng start wlan0. We can see that monitor mode is now enabled. iwconfig shows us that the mode has changed from managed mode to monitor mode. You can also confirm that by using the command sudo airmon-ng, notice the wireless interface is now wlan0mon. Before it was wlan0, but now it's changed to wlan0mon.

Okay, so now let's discover the access points, and hopefully I'll discover that access point behind me. To do that we use the command sudo airodump-ng wlan0mon. And as you can see, a whole bunch of wireless networks are discovered. So here are the various SSIDs or MAC addresses of the wireless networks. I'll make this a little bit smaller. And as you can see at the bottom here, various stations have been discovered. I've made the font really small, I'll press Control + C to cancel that, so Control + C to break, and I'll zoom in. The network that I'm interested in is this network, TP-Link_F3FC. Notice it's using channel two, and that's the MAC address of the access point. So you're gonna wanna take a note of that. I've added that information to my script. So channel is two, BSSID is that. Scrolling up, we can see once again channel is two for this access point, MAC address is that. I'll clear the screen, and what you could do is use the command sudo airodump-ng -d and the MAC address to display only that access point. So we can see the BSSID, we can see how many beacons are being sent, we can see the ESSID or the name that we as a human would use. Now I could use a phone as an example to connect to that network. So I'll connect to that network, and hopefully what we'll see is that a client has connected, and there you go. We can see that this client has connected to that network.

Okay, so I'm gonna cancel that and we're gonna use the command sudo airodump-ng -w. This is the name of the file that we're gonna store the captures in. So I'm gonna store the cap file, as an example to open with Wireshark, in a file called hack1, the channel that we're gonna attack is two, the BSSID that we're gonna attack is this, and the interface we're gonna use is wlan0mon. So in one window open that up, and then in a second window deauthenticate clients from the network. So just before I press Enter, at the moment notice we haven't got anything displayed here. We haven't captured the four-way handshake, but as soon as I deauthenticate clients, and this deauth 0 means we're not gonna stop the number of deauthentications used against that access point, notice a whole bunch of deauths are sent. On my phone, it's moved from one access point to the other. I'll try and connect back to the TP-Link network, and hopefully what we should see is that a four-way handshake is captured. Okay, so there you go. You can see the WPA handshake was captured. Client is not able to connect to the network, but we captured the handshake. Control + C allows me to stop this process. So you could simply use that script as an example to deauthenticate everyone off a network if you wanted to, so that's another attack. You could do a denial-of-service attack against an access point just to stop anyone connecting to it.

But in this example, if I type ls, what you'll notice is we've got this hack file captured, and what I could do now is use Wireshark to open up that cap file. So a whole bunch of information has been captured, but I'm gonna search for the handshake, and notice here we can see message one, message two, message three, message four. So we've captured the WPA four-way handshake. We had some additional messages, but here's the full four-way handshake between a TP-Link device and my iPhone. So you could open up the Wireshark capture and have a look, but notice in message two we see WPA key data sent from the iPhone to the TP-Link access point, and that's what we wanna crack. So the iPhone is sending authentication information to the access point, we're capturing that, and that's what we're going to decrypt.

Okay, so I'll close that down. Now at the moment, the WiFi interface is still in monitor mode. So what I'll do is stop monitor mode. iwconfig shows me that the interface is back in managed mode. Be aware that when you put an interface into monitor mode, it'll break your Internet connection, you won't be able to use that interface for connections onto the Internet or other places because it's monitoring traffic. Another reason to use a VM perhaps is, in this example, I've got two network adapters, the Kali Linux virtual machine is actually using the WiFi adapter of Windows to give it Internet connectivity, but the external Alfa adapter is in monitor mode.

Okay, so let's clear the screen. So ls, once again, shows me the files, hack1-01.cap is the file that we wanna use for cracking. And to do that, we're gonna use this command, aircrack-ng hack1-01.cap, and the wordlist that I'm gonna use is stored in /usr/share/wordlists/rockyou. So just to show you what that is, if I go to /usr/share/wordlists, various wordlists are stored in this directory. In Kali you can actually just search for wordlists and it will show you the various wordlists available in Kali. And one of those is the rockyou file. Now this needs to be unzipped, so you can use gzip to unzip it, and that's what I've done here. I showed you how to do that in this video. So have a look at that video if you wanna see how to unzip the file and use that wordlist. But that's the wordlist that I'm gonna use.

So let's try and crack that password with the wordlist. And there it is. The password that I used was hellohello. Now you might say, well, David, that password is too simple. This is just for demonstration purposes. The rockyou wordlist has millions of passwords in it, actual passwords used by people. So what I did is just find a password in that wordlist, and I configured this TP-Link network with that password. In separate videos such as this one, I showed you how to use a GPU to crack a non-standard password. I'll also create additional videos where I use a very powerful GPU to crack WPA pre-shared keys that are non-standard passwords, but in a lot of cases people use passwords stored in the rockyou wordlist. Just because people are supposed to do something doesn't mean that that's what they do. Hopefully you're using a much better password than something simple like this, but this is a password in the rockyou wordlist. For this demonstration, I once again configured that TP-Link router behind me with this password. So you can see this network has this password. This is the password of the 5G network, but that password I cracked using a GPU in two minutes as an example. So a password like that could be cracked. You should be using very long passwords. So try and use very long passwords with a mix of characters, that makes it really, really difficult and almost impossible to crack if your passwords are very long and they're a mix of a whole bunch of characters.

Okay, but there you go. I've now shown you how to discover WiFi networks, how to select one to attack, how to implement an attack to disconnect clients from that WiFi network so that you can capture the four-way handshake, and then I showed you how to crack the four-way handshake. There are better ways, for instance, using a GPU and Hashcat to crack pre-shared keys. But again, I've shown you that in a separate video. I'm David Bombal, hope you enjoyed this video. If you did, please like it. Please consider subscribing to my YouTube channel and clicking on the bell to get notifications. I wanna wish you all the very best.

(upbeat music)
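As an added example (not from the video or its command list), here is a small Python detector written from the defender's side: it parses raw 802.11 frames, flags the kind of deauthentication flood shown above by counting deauths per sender in a sliding time window, and labels the four-way handshake messages 1 to 4 from their EAPOL-Key flags the way Wireshark does. It assumes the radiotap header has already been stripped; the frames, MAC addresses and timestamps are constructed inline and are not real capture data.

```python
import struct
from collections import defaultdict
# Constructed sample, not a real capture: raw 802.11 frames (radiotap stripped) as (timestamp, bytes); MACs are made up.
AP, STA, BCAST = bytes.fromhex("020000f3fc01"), bytes.fromhex("02aabbccddee"), b"\xff" * 6
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")                       # LLC/SNAP, EtherType 0x888E
PAIRWISE, INSTALL, KEY_ACK, KEY_MIC, SECURE = 0x8, 0x40, 0x80, 0x100, 0x200   # EAPOL-Key Key Info bits

def mgmt(subtype, a1, a2, a3, body=b""):  # management frame: FC, duration, addr1-3, seq ctrl, body
    return struct.pack("<HH", subtype << 4, 0) + a1 + a2 + a3 + b"\x00\x00" + body

def eapol_key(a1, a2, a3, key_info):      # data frame + LLC/SNAP + EAPOL v2 type 3 (Key), RSN descriptor 2
    hdr = struct.pack("<HH", 2 << 2, 0) + a1 + a2 + a3 + b"\x00\x00"
    return hdr + LLC_SNAP_EAPOL + b"\x02\x03\x00\x03\x02" + struct.pack(">H", key_info)

def handshake_msg(key_info):              # number a four-way handshake message 1-4 from its Key Info flags
    ack, mic, secure = key_info & KEY_ACK, key_info & KEY_MIC, key_info & SECURE
    if ack:
        return 3 if mic else 1             # AP -> client: message 1 has no MIC, message 3 does
    return 4 if secure else 2              # client -> AP: message 4 sets the Secure bit, message 2 does not

def parse_frame(frame):                   # -> ("deauth", src, dst, reason), ("eapol", src, dst, msg_no) or None
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype, a1, a2 = (fc >> 2) & 3, (fc >> 4) & 0xF, frame[4:10], frame[10:16]
    if ftype == 0 and subtype == 12:                         # management / deauthentication
        return ("deauth", a2, a1, struct.unpack_from("<H", frame, 24)[0])
    off = 26 if ftype == 2 and subtype & 0x8 else 24         # QoS data frames carry a 2-byte longer header
    if ftype == 2 and frame[off:off + 8] == LLC_SNAP_EAPOL and frame[off + 9] == 3:   # EAPOL type 3 = Key
        return ("eapol", a2, a1, handshake_msg(struct.unpack_from(">H", frame, off + 13)[0]))
    return None

def analyse(frames, window=1.0, threshold=10):
    """Return senders of >= threshold deauths within `window` seconds, and the handshake messages seen."""
    deauths, msgs = defaultdict(list), []
    for ts, frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[0] == "deauth":
            deauths[parsed[1]].append(ts)
        elif parsed:
            msgs.append(parsed[3])
    flood = lambda t: any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1))
    return sorted(src.hex(":") for src, t in deauths.items() if flood(t)), msgs

# Scenario: the phone leaves cleanly (reason 3), then 20 broadcast deauths spoofed from the AP address
# within half a second (reason 7), then the phone's four-way handshake when it reconnects.
SAMPLE = [(0.0, mgmt(12, AP, STA, AP, struct.pack("<H", 3)))]
SAMPLE += [(1.0 + i * 0.025, mgmt(12, BCAST, AP, AP, struct.pack("<H", 7))) for i in range(20)]
SAMPLE += [(2.00, eapol_key(STA, AP, AP, PAIRWISE | KEY_ACK)),
           (2.01, eapol_key(AP, STA, AP, PAIRWISE | KEY_MIC)),
           (2.02, eapol_key(STA, AP, AP, PAIRWISE | KEY_ACK | KEY_MIC | INSTALL | SECURE)),
           (2.03, eapol_key(AP, STA, AP, PAIRWISE | KEY_MIC | SECURE))]
```

In practice the frames would come from a monitor-mode capture like the one airodump-ng writes; on the mitigation side, 802.11w management frame protection stops clients from honouring spoofed deauthentication frames of this kind.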