1
00:00:00,466 --> 00:00:02,965
So, we've talked about securing our wireless networks.

2
00:00:02,965 --> 00:00:04,882
Let's now spend a few minutes talking about

3
00:00:04,882 --> 00:00:06,870
the different types of attacks that focus

4
00:00:06,870 --> 00:00:08,326
on our wireless networks.

5
00:00:08,326 --> 00:00:10,082
The first is war driving.

6
00:00:10,082 --> 00:00:12,359
War driving is the act of searching for wireless networks

7
00:00:12,359 --> 00:00:14,778
by driving around until you find them.

8
00:00:14,778 --> 00:00:16,017
You could try this tonight.

9
00:00:16,017 --> 00:00:17,808
You can go sit in the backseat of your car,

10
00:00:17,808 --> 00:00:19,734
have your friend or your wife

11
00:00:19,734 --> 00:00:21,217
drive you around the neighborhood

12
00:00:21,217 --> 00:00:23,226
and see which networks you can connect to.

13
00:00:23,226 --> 00:00:24,298
That's the idea here.

14
00:00:24,298 --> 00:00:26,576
They're simply going to drive around and hunt for networks.

15
00:00:26,576 --> 00:00:28,070
Now, the attackers here are going to use

16
00:00:28,070 --> 00:00:29,611
different tools to do this.

17
00:00:29,611 --> 00:00:31,033
They can use wireless survey tools

18
00:00:31,033 --> 00:00:32,622
or other open-source attack tools,

19
00:00:32,622 --> 00:00:34,316
but the common theme here is just finding out

20
00:00:34,316 --> 00:00:38,071
what networks are around and where you can access them from.

21
00:00:38,071 --> 00:00:40,316
Why would an attacker want to find open wireless networks

22
00:00:40,316 --> 00:00:41,970
or networks that they can get on to?

23
00:00:41,970 --> 00:00:44,197
It's not necessarily to attack your network,

24
00:00:44,197 --> 00:00:46,621
but it's to attack other networks through your network.
25
00:00:46,621 --> 00:00:47,772
So, that way, if they are doing some hacking

26
00:00:47,772 --> 00:00:48,912
or something like that,

27
00:00:48,912 --> 00:00:52,201
it traces back to your home and your home network,

28
00:00:52,201 --> 00:00:54,888
as opposed to tracing it back to them.

29
00:00:54,888 --> 00:00:57,454
The next type of attack is called war chalking.

30
00:00:57,454 --> 00:00:59,838
War chalking is the act of physically drawing symbols

31
00:00:59,838 --> 00:01:02,629
in public places to denote the open, closed,

32
00:01:02,629 --> 00:01:04,671
or protected networks that are in range.

33
00:01:04,671 --> 00:01:06,686
It gets its name because in the early days,

34
00:01:06,686 --> 00:01:08,146
people would actually take chalk

35
00:01:08,146 --> 00:01:10,160
and draw on a telephone pole different symbols

36
00:01:10,160 --> 00:01:12,029
to tell other people what it is.

37
00:01:12,029 --> 00:01:13,271
Now, an example of this might be

38
00:01:13,271 --> 00:01:14,481
as you're doing war driving,

39
00:01:14,481 --> 00:01:16,165
you might find an open network.

40
00:01:16,165 --> 00:01:18,486
If you did, you could find a telephone pole nearby

41
00:01:18,486 --> 00:01:20,580
and mark it down with a symbol like this.

42
00:01:20,580 --> 00:01:23,112
We have two open half circles faced back to back

43
00:01:23,112 --> 00:01:25,323
with the SSID of it written above them

44
00:01:25,323 --> 00:01:27,566
and the number below to signify the bandwidth

45
00:01:27,566 --> 00:01:28,623
of the network.

46
00:01:28,623 --> 00:01:30,948
After all, attackers can be nice people too.

47
00:01:30,948 --> 00:01:32,884
And they like to share their findings with others,

48
00:01:32,884 --> 00:01:34,251
and they wouldn't want somebody else wasting

49
00:01:34,251 --> 00:01:35,517
their time looking for a network,

50
00:01:35,517 --> 00:01:37,387
only to find it has low bandwidth.
51
00:01:37,387 --> 00:01:38,524
So, by marking that down,

52
00:01:38,524 --> 00:01:40,691
you can help other people avoid that network.

53
00:01:40,691 --> 00:01:42,421
Now, in addition to open networks,

54
00:01:42,421 --> 00:01:43,874
you may find closed networks.

55
00:01:43,874 --> 00:01:45,119
If you find a closed network,

56
00:01:45,119 --> 00:01:47,637
it's going to be a closed circle with an SSID

57
00:01:47,637 --> 00:01:49,727
written above it and bandwidth written below it.

58
00:01:49,727 --> 00:01:52,168
This tells us that that network has some kind of encryption,

59
00:01:52,168 --> 00:01:53,150
it's closed,

60
00:01:53,150 --> 00:01:55,141
but we haven't quite figured out the password yet.

61
00:01:55,141 --> 00:01:57,006
Now, if we do figure out the password,

62
00:01:57,006 --> 00:01:58,655
we can actually use this other symbol.

63
00:01:58,655 --> 00:02:00,264
We have the closed circle,

64
00:02:00,264 --> 00:02:01,964
we have the SSID on the top left,

65
00:02:01,964 --> 00:02:03,458
we have the password on the top right,

66
00:02:03,458 --> 00:02:04,947
and the bandwidth below it.

67
00:02:04,947 --> 00:02:06,796
Inside the circle, we might write something like

68
00:02:06,796 --> 00:02:08,213
W or WEP or WPA2,

69
00:02:09,408 --> 00:02:10,963
so people know what type of encryption

70
00:02:10,963 --> 00:02:12,601
they need to connect to that network.

71
00:02:12,601 --> 00:02:15,534
Now, as I said, war chalking is not nearly as popular

72
00:02:15,534 --> 00:02:16,482
as it used to be.

73
00:02:16,482 --> 00:02:18,807
In fact, we don't really see a lot of these symbols

74
00:02:18,807 --> 00:02:20,479
around in the city anymore.

75
00:02:20,479 --> 00:02:22,750
Instead, most of this is being done digitally.
76
00:02:22,750 --> 00:02:24,073
This is being done as part of websites

77
00:02:24,073 --> 00:02:27,237
or other apps that hackers use to share their finds,

78
00:02:27,237 --> 00:02:29,649
so people know what other kind of Wi-Fi is out there.

79
00:02:29,649 --> 00:02:32,913
The next attack we have is known as an IV attack.

80
00:02:32,913 --> 00:02:34,548
An IV attack occurs when an attacker

81
00:02:34,548 --> 00:02:36,822
observes the operation of a cipher being used

82
00:02:36,822 --> 00:02:38,876
with several different keys and they find

83
00:02:38,876 --> 00:02:41,524
this mathematical relationship between those keys

84
00:02:41,524 --> 00:02:43,400
to determine the cleartext data.

85
00:02:43,400 --> 00:02:45,015
Now, I know that sounds really complicated,

86
00:02:45,015 --> 00:02:47,164
but the good news is you don't have to do the math to do it.

87
00:02:47,164 --> 00:02:49,271
There are programs that do it for you.

88
00:02:49,271 --> 00:02:51,233
This happened with WEP because of that 24-bit

89
00:02:51,233 --> 00:02:52,681
initialization vector.

90
00:02:52,681 --> 00:02:54,638
It makes it very easy to crack WEP

91
00:02:54,638 --> 00:02:56,663
because there are programs that do it for us.

92
00:02:56,663 --> 00:02:58,683
In the next lesson, as I've been promising,

93
00:02:58,683 --> 00:03:00,303
I'm going to show you how we break WEP

94
00:03:00,303 --> 00:03:01,946
in just a couple of minutes.

95
00:03:01,946 --> 00:03:03,252
The next attack we have

96
00:03:03,252 --> 00:03:05,876
is known as a Wi-Fi disassociation attack.

97
00:03:05,876 --> 00:03:07,952
This is going to target an individual client

98
00:03:07,952 --> 00:03:09,876
that's connected to the wireless network.
99
00:03:09,876 --> 00:03:11,221
It's going to force it offline

100
00:03:11,221 --> 00:03:13,044
by sending deauthentication packets to it,

101
00:03:13,044 --> 00:03:15,169
and then it's going to capture the handshake that

102
00:03:15,169 --> 00:03:17,873
that client makes when it attempts to reconnect.

103
00:03:17,873 --> 00:03:21,544
This is used as part of an attack on WPA or WPA2.

104
00:03:21,544 --> 00:03:24,420
Our final attack is known as a brute force attack.

105
00:03:24,420 --> 00:03:26,245
A brute force attack occurs when an attacker

106
00:03:26,245 --> 00:03:28,699
continually guesses at a password until they finally

107
00:03:28,699 --> 00:03:30,124
get the correct one.

108
00:03:30,124 --> 00:03:31,810
So, an example of this might be

109
00:03:31,810 --> 00:03:33,405
that you have the password of dog,

110
00:03:33,405 --> 00:03:35,697
and I know that your password is three characters long.

111
00:03:35,697 --> 00:03:38,864
So, I start out guessing AAA, AAB, AAC,

112
00:03:41,396 --> 00:03:46,396
and I keep going until I get to DOF and finally DOG.

113
00:03:46,479 --> 00:03:48,303
Dog, I've found your password.

114
00:03:48,303 --> 00:03:49,908
That's what a brute force does.

115
00:03:49,908 --> 00:03:52,541
Now, eventually, you'll find every password out there.

116
00:03:52,541 --> 00:03:54,344
Any password can be brute forced.

117
00:03:54,344 --> 00:03:55,919
It's just a matter of how much time

118
00:03:55,919 --> 00:03:57,640
and power it's going to take.

119
00:03:57,640 --> 00:04:00,299
If you have a three-letter password like dog,

120
00:04:00,299 --> 00:04:01,578
it's not going to take me very long.

121
00:04:01,578 --> 00:04:03,443
But if you use passwords like I tell you,

122
00:04:03,443 --> 00:04:06,467
14 characters, upper case, lower case, special characters,

123
00:04:06,467 --> 00:04:09,575
and numbers, that's a long, strong, complex password.
124
00:04:09,575 --> 00:04:10,881
It can take a million years

125
00:04:10,881 --> 00:04:13,049
or more with current processing power,

126
00:04:13,049 --> 00:04:14,401
and that way you can prevent

127
00:04:14,401 --> 00:04:17,401
a brute force attack from happening.