
Pass Your ECCouncil CEH 312-50v11 Exam Easy!

100% Real ECCouncil CEH 312-50v11 Exam Questions & Answers, Accurate & Verified By IT Experts

Instant Download, Free Fast Updates, 99.6% Pass Rate

312-50v11 Premium Bundle

$79.99

ECCouncil 312-50v11 Premium Bundle

312-50v11 Premium File: 400 Questions & Answers

Last Update: Apr 21, 2024

312-50v11 Training Course: 135 Video Lectures

312-50v11 PDF Study Guide: 976 Pages

312-50v11 Bundle gives you unlimited access to "312-50v11" files. However, this does not replace the need for a .vce exam simulator.

ECCouncil CEH 312-50v11 Practice Test Questions in VCE Format

File | Votes | Size | Date
ECCouncil.actualtests.312-50v11.v2024-02-20.by.ladyluck.237q.vce | 1 | 1.56 MB | Feb 20, 2024
ECCouncil.vceplayer.312-50v11.v2022-01-27.by.lilly.228q.vce | 1 | 1.23 MB | Jan 27, 2022
ECCouncil.vceplayer.312-50v11.v2021-12-24.by.david.217q.vce | 1 | 1.08 MB | Dec 24, 2021
ECCouncil.practicetest.312-50v11.v2021-10-26.by.leo.198q.vce | 1 | 886.66 KB | Oct 26, 2021
ECCouncil.passguide.312-50v11.v2021-09-08.by.eleanor.175q.vce | 1 | 227.23 KB | Sep 08, 2021
ECCouncil.realtests.312-50v11.v2021-04-06.by.zhangmin.129q.vce | 1 | 164.64 KB | Apr 06, 2021
ECCouncil.realtests.312-50v11.v2020-12-11.by.ali.75q.vce | 1 | 88.98 KB | Dec 11, 2020

ECCouncil CEH 312-50v11 Practice Test Questions, Exam Dumps

ECCouncil 312-50v11 Certified Ethical Hacker v11 Exam exam dumps vce, practice test questions, study guide & video training course to study and pass quickly and easily. ECCouncil 312-50v11 Certified Ethical Hacker v11 Exam exam dumps & practice test questions and answers. You need avanset vce exam simulator in order to study the ECCouncil CEH 312-50v11 certification exam dumps & ECCouncil CEH 312-50v11 practice test questions in vce format.

Network Hacking - Pre Connection Attacks

4. Deauthentication Attack (Disconnecting Any Device From The Network)

Now, before leaving this section and moving into the Gaining Access section, where I'm going to teach you how to break the different encryptions and gain access to networks, I want to spend one more lecture talking about a really useful attack that still falls under the pre-connection attacks in this section. The attack that I want to talk about is the deauthentication attack. This attack allows us to disconnect any device from any network before connecting to any of these networks, and without the need to know the password for the network. To do this, we're going to pretend to be the client that we want to disconnect by changing our MAC address to the MAC address of that client, and tell the router, "I want to disconnect from you." Then we're going to pretend to be the router by changing our MAC address to the router's MAC address, and tell the client, "You requested to be disconnected, so I'm going to disconnect you." This will allow us to successfully disconnect, or deauthenticate, any client from any network.

Now, we're actually not going to do this manually. We're going to use a tool called aireplay-ng to do that. From the previous lecture, we know that this MAC address right here belongs to an Apple computer. And like I said, this Apple computer is actually my computer right here. As you can see, this host machine is connected to this network right here, which is the same as the one that you see in here, and it actually has Internet access. So if I just look for "test," you'll see that I'm connected and that I can look for things. I can use Google, so I have a proper working Internet connection.

Now, we're going to come back here, and we're going to use aireplay-ng to launch the deauthentication attack and disconnect this Mac computer from the Internet. So we're going to type the name of the program, which is aireplay-ng. We're going to tell it that I want to run a deauthentication attack. Then I'm going to give it the number of deauthentication packets that I want to send. I'm going to give it a really large number so that it keeps sending these packets to both the router and the target device. Therefore, I'll disconnect my target device for a very long period of time, and the only way to get it back connected is to hit Ctrl-C and quit aireplay-ng. Next, I'm going to give aireplay-ng the MAC address of my target network. So I'm going to do -a and give it the MAC address, which I'm going to copy from here. Then I'm going to use -c to give it the MAC address of the client that I want to disconnect. And the client that I want to disconnect is this client right here, which is the Apple computer, like we said. So I'm going to copy it and paste it here. If your target network operates at 5 GHz, you must add a capital -D to the command at this point. But my target, as you can see, uses 2.4 GHz. Therefore, I don't need to do this, and I'm simply going to add my wireless card in monitor mode, which is mon0.

Now, it's very important to understand that this command will only disconnect the target client from the specified network. So if there are other networks that the target client can connect to, it will automatically connect to them. In many cases, it might connect to the 5 GHz version of the network, or it might connect to a completely different network that it already knows the password to. And if it's a mobile device, it might even continue to have Internet access through its mobile data plan. So it might seem like the attack did not work, but it actually worked. The client just disconnected from this network and is using another network. To solve this, all you have to do is simply open up a new terminal window and run the exact same command, but this time targeting the new network that the client connected to. I actually covered that, along with more advanced topics, in my Advanced Network Hacking course. Check out the bonus lecture, the last lecture of this course, for more information about my Advanced Network Hacking course and all of the other courses that you can take along with this course.

So, a very, very simple command. We're typing aireplay-ng. This is the name of the programme that we're going to use. We're doing --deauth to tell aireplay-ng that I want to run a deauthentication attack. I'm giving it a really large number of packets so that it keeps sending the deauthentication packets to both the router and the client and keeps the client disconnected. I'm using -a to specify the MAC address of the target router or the target access point. Then I'm using -c to specify the MAC address of the client. Finally, I'm giving it mon0, which is the name of my wireless adapter in monitor mode.

Now you can run this command like this, and in most cases it will work, but in very rare cases this command will fail unless airodump-ng is running against the target network. So what I'm going to do now is go back to my first terminal in here, and I'm going to run airodump-ng using the command that we saw before. I don't want to write anything to a file, so I'm going to remove the --write argument. So I'm just doing a normal airodump-ng command. I'm literally just giving it the BSSID of my target network and the target channel, and then I'm just going to hit Enter. We've seen how to do this; we spent a full lecture on it. That's why I did it really quickly. Then I'm going to go back to the command that we wrote so far, and I'm going to hit Enter. Now, as you can see, aireplay-ng is in the process of sending deauthentication packets. And if we go back here and look, you can see that I actually lost my connection, and I'm trying to connect back. So obviously, if I try to look for anything, let's say "test two," you'll see that I'll get stuck, and nothing will load for me. The only way for me to connect back is if I go back here and quit this by doing Ctrl-C, quit this one again, and now my machine should be able to connect back and restore its connection.

This is actually very, very handy in so many ways. It's very useful in social engineering cases, where you could disconnect clients from the target network and then call the user and pretend to be a person from the IT department and ask them to install a virus or a backdoor, telling them that this would fix their issue. You could also create another fake access point and get them to connect to the fake access point, and then start spying on them from that access point. We'll look at how to do that later in the course. And you can also use this to capture the handshake, which is what happened here, actually. This is vital when it comes to WPA cracking, and we'll talk about this once we get to the WPA cracking section. So, like I said, this is a small attack that can be used as a plug-in to other attacks or to make other attacks possible.
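The lecture notes that the tool keeps sending deauthentication packets to both the router and the client; that burst is what a monitoring sensor can key on. The following is an added example for defenders, not code from the course: it parses raw 802.11 management headers and flags a router/client pair that sees an abnormal rate of deauthentication or disassociation frames in either direction. The MAC addresses, the frame builder, the one-second window and the threshold of 10 frames are assumptions chosen for illustration, and the sample capture is constructed.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = 12, 10, 8   # 802.11 management frame subtypes


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt(frame):
    """Return (subtype, dst, src, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26:                 # 24-byte MAC header + 2-byte reason code
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return subtype, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason


def detect_floods(capture, window=1.0, threshold=10):
    """capture: time-ordered iterable of (timestamp, raw_frame).

    Frames are grouped per (bssid, station) regardless of direction, because
    the spoofed frames go to both the access point and the client.
    """
    recent = defaultdict(deque)
    alerts = set()
    for ts, raw in capture:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        _, dst, src, bssid, _ = parsed
        station = dst if src == bssid else src   # the address that is not the AP
        seen = recent[(bssid, station)]
        seen.append(ts)
        while seen and ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            alerts.add((bssid, station))
    return sorted(alerts)


def build_frame(subtype, dst, src, bssid, reason=7):
    """Hypothetical helper: build a minimal management frame for the sample below."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + raw(dst) + raw(src) + raw(bssid)
    return header + b"\x00\x00" + struct.pack("<H", reason)


# Constructed sample capture (locally administered MAC addresses, not real devices).
AP = "02:00:00:00:00:01"
STATION_A = "02:00:00:00:00:aa"
STATION_B = "02:00:00:00:00:bb"

SAMPLE_CAPTURE = [
    (0.1, build_frame(BEACON, "ff:ff:ff:ff:ff:ff", AP, AP)),   # ignored: not deauth
    (0.5, build_frame(DEAUTH, AP, STATION_B, AP, reason=3)),   # one normal leave
]
for i in range(64):                                            # burst in both directions
    if i % 2 == 0:
        frame = build_frame(DEAUTH, STATION_A, AP, AP)
    else:
        frame = build_frame(DEAUTH, AP, STATION_A, AP)
    SAMPLE_CAPTURE.append((5.0 + i * 0.01, frame))

if __name__ == "__main__":
    for bssid, station in detect_floods(SAMPLE_CAPTURE):
        print(f"deauth flood: bssid={bssid} station={station}")
```

A single deauthentication frame, like the one from the second station in the sample, is normal behaviour when a device leaves a network, so the detector only alerts on sustained bursts.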

Network Hacking - Gaining Access - WEP Cracking

1. Gaining Access Introduction

Everything we've done so far can be done without needing to connect to the target network. Now, once we connect to the network, we can do so many cool things. We'll be able to gather so much more information. We'll be able to intercept the connections and see everything that the people send, whether it's usernames, passwords, URLs, or really anything else. We'll also be able to modify the data. You'll see all of this in the next section of this course. Now, if your target does not use encryption, then you can just connect to it. If your target is a wired network, then you can just use a cable to connect to it and move to the next section. The only problem is if your target is using encryption. So in this section, I'm going to show you how to break that encryption and gain access to WiFi networks, whether they use WEP, WPA, or WPA2. Once we get the key, we'll be able to connect to the network, and you'll be able to do all of the things that you'll learn in the next section, the post-connection section.

2. Theory Behind Cracking WEP Encryption

The first encryption that we'll learn how to break is called WEP, or Wired Equivalent Privacy. This is an old encryption that can be easily broken. The reason why I'm still covering it in this course is, first of all, because, like I said, it's very simple, so it's a good starting point. It's also still used on occasion in some networks. Therefore, you can't really call yourself a hacker if you see a network that uses WEP and you get stuck and can't even break into it. So in this lecture, I'm going to explain how WEP works and what the weaknesses are that we can use to break it. And in the next lecture, you'll see how we can use this weakness in order to break WEP and get the key for any network that uses WEP.

So basically, WEP uses an algorithm called RC4 to encrypt its data. The way this works is that if a client wants to send something to the router, let's say this text data, it will first encrypt it using a key. Therefore, this normal text will be converted into gibberish. As you can see here, this encrypted packet will be sent into the air. So if a hacker captures this packet, as we've seen before, and opens it, they'll see that it's full of gibberish. Even though it actually contains useful information, we won't be able to read it because it's encrypted. The access point will receive this encrypted packet and will be able to transform it back to its original form because it has the key. Therefore, it will actually be able to read the contents, which is "data to send to the router." The same happens if the router wants to send something back to the client. It will first encrypt it using a key and send it to the client. The client will be able to decrypt it because it has the key. So the concept is always the same. The transmitter encrypts the data using a key and sends it to the receiver. The receiver is able to decrypt it because it also has the key. Therefore, anybody who captures the packet in the middle will get the packet, but they won't be able to see the contents because they do not have the key.

So the algorithm and the way RC4 works are actually fine. The problem is with the way that WEP implements this algorithm. To understand this, let's zoom in a little bit more on each step. Going back to the first step, we have the client trying to send data to the router, and the data that it wants to send is "data to send to the router." In order to encrypt this, WEP tries to generate a unique key for each packet. So literally, for each packet that's sent into the air, it tries to create a new unique key. To do that, it generates a random 24-bit initialization vector (IV). The initialization vector is then added to the password of the network, the actual key that people use to connect to the network. This generates a keystream, and then this keystream is used to encrypt the packet and transform it into gibberish. So basically, we have the keystream plus the data that we need to encrypt, which gives us the gibberish, and then the gibberish is sent into the air.

But before sending this into the air, WEP will also append the initialization vector. This is the 24-bit random number that I said it creates in order to make sure that each packet has a unique key. The reason why it adds the initialization vector to the packet is that once the router receives this packet, it needs to be able to decrypt it. To decrypt it, it needs the key and the IV. But the router already has the key, so there is no need to send that. Therefore, we just need to send the IV. So when the router receives the packet, it has the IV and it has the password, that is, the key. So it can generate the keystream and then use that keystream to transform this gibberish into its original form and read the packet.

If you think about what I said, you can probably guess what the weakness is. Basically, the IV is sent in plain text. So if you look at this, you can see the packet content is encrypted. If someone captures this packet, they won't be able to read this, but they will be able to read the IV in plain text. Also, the size of the IV is only 24 bits. Now, considering the huge amount of traffic that can be generated on a WiFi network, this number is not big enough, and the IVs will start getting repeated in a busy network. This makes WEP vulnerable to statistical attacks. So we can use a tool called aircrack-ng to determine the keystream once we have enough repeated IVs. And from there, it will also be able to crack WEP and give us the key to the network.
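To make the weakness concrete, here is an added example (not code from the course) that models WEP's per-packet encryption and shows what a repeated IV costs. It assumes the standard WEP construction, in which the 3-byte IV is prepended to the shared key to seed RC4 and a CRC-32 checksum is appended to the data; the key, IV and second message are constructed values. It shows only the keystream-reuse property and the IV collision rate, not the statistical key-recovery attack the lecture attributes to aircrack-ng.

```python
import math
import zlib


def rc4(key, length):
    """Return `length` bytes of RC4 keystream for `key`."""
    state = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                   # keystream generation
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv, key, data):
    """Model of a WEP packet: cleartext IV followed by RC4(IV || key) XOR (data || CRC-32)."""
    body = data + zlib.crc32(data).to_bytes(4, "little")
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key, packet):
    """Receiver side: read the IV from the packet, rebuild the keystream, check the CRC."""
    iv, ciphertext = packet[:3], packet[3:]
    body = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    data, icv = body[:-4], body[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("integrity check failed")
    return data


def reused_iv_leak(packet_a, packet_b):
    """XOR of two plaintexts, computed from ciphertexts alone when the IVs match."""
    if packet_a[:3] != packet_b[:3]:
        raise ValueError("packets use different IVs")
    return xor(packet_a[3:], packet_b[3:])    # the shared keystream cancels out


def iv_collision_probability(packets, iv_bits=24):
    """Birthday-bound estimate that at least two of `packets` random IVs are equal."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2 * 2 ** iv_bits))


# Constructed values for the demonstration.
KEY = bytes.fromhex("0102030405")             # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")                  # the same IV used for two packets
MSG_1 = b"data to send to the router"
MSG_2 = b"reply sent to the client!!"

if __name__ == "__main__":
    pkt_1, pkt_2 = wep_encrypt(IV, KEY, MSG_1), wep_encrypt(IV, KEY, MSG_2)
    leak = reused_iv_leak(pkt_1, pkt_2)
    # Knowing one plaintext reveals the other without ever touching the key.
    print(xor(leak[:len(MSG_1)], MSG_1))
    for n in (1000, 5000, 20000):
        print(n, "packets ->", round(iv_collision_probability(n), 3))
```

With random 24-bit IVs, a repeat becomes more likely than not after roughly 5,000 packets, which is why busy networks are the easy case in the lectures that follow.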

3. WEP Cracking Basics

So, from the previous lecture, we know that in order to crack WEP, we need to first capture a large number of packets. This means that we will capture a large number of IVs, and because the IVs are short, they will be repeated. Therefore, we'll be able to use a tool called aircrack-ng to run statistical attacks and crack the WEP key. So we're using airodump-ng to capture the data, and we've seen how to do this before. Then we're using aircrack-ng to analyse this data and break the key.

Let's see how to do this in practice. I already have my wireless adapter in monitor mode, and it's called mon0. I've also already run airodump-ng to list all the networks around me. As you can see, I have only one network using WEP. This is called Test AP Three, and this is my actual network that I use every day. I just configured it to use WEP to make this lecture. The main reason why I'm targeting the network that I use daily is that, like I said, for this to work we need to capture a large number of packets, and therefore we need a busy network, a network that gets used constantly. If the network is idle, then the process is a little bit complex, and I will cover that in the next lecture. So for now, let's focus on the simplest form, which is how to break into a busy network.

So I'm going to copy the BSSID of this network, and I'm going to run airodump-ng against this network only. I showed you how to do this before. I'll run airodump-ng. I'm going to do --bssid to specify the BSSID of the network. Then I'm going to do --channel to specify the channel of the network, and we can see it running on number one. And I'm going to use --write to store everything that we capture in a file. Let's call this file Basic WEP. Then I'm going to specify my wireless adapter in monitor mode, which is mon0. We ran this command before, in the targeted sniffing lecture. All we're doing is running airodump-ng against a specific network with this MAC address and this channel, and we're storing everything in a file called Basic WEP.

I'm going to hit Enter, and as you can see, airodump-ng is working against my target network. And if you notice, you'll see the data in here is increasing really fast. This is something that I told you I'd talk about later when we were talking about airodump-ng, because I didn't want to talk about IVs at that early stage. Basically, what you see under the data column is the number of useful packets that contain a different IV that we can use in order to crack the key. So the higher this number is, the more likely we will be able to crack the key. As you can see, this number is increasing very fast because, like I said, this is a busy network that is being used at the moment by my own computers and my own devices. If yours isn't increasing fast, then don't worry; we will tackle this problem in the next lectures.

So for now, we're capturing a lot of data, and this should actually be enough to crack the key. What I'm going to do is go down to my other terminal in here, and if we list the files, you'll see that we have the capture file that we specified in the --write argument. And like I said, we're always interested in the .cap file. So all we have to do right now is do step two in here and run aircrack-ng against the file that we captured in order to crack the key. I'm going to type aircrack-ng, followed by the file name, which is the Basic WEP 01 .cap file. I'm going to hit Enter, and as you can see, it's telling us that the key was found. So let me cancel this here. Right now, we can connect to the target network, which is called TESTAP 3, using this ASCII password. You can literally just copy this and paste it, or you can connect using this key.

Now, in some cases, you will not see this ASCII password. That's why I'm going to show you how to connect using this key right here, because you'll always get this. So I'm going to copy this, and I'm just going to paste it here. You can paste it in a normal text editor or anywhere else you want. All you have to do is remove the colons that we see in here between the numbers. So I'm going to remove this one, and I'm going to remove this one, this one, and this one. And now we can just copy this. Just to show you, I'm actually going to connect from my host machine. You can connect from Kali, but when we enabled monitor mode, we killed a lot of processes. And sometimes, even after you restart these processes, getting connected to your target will be a little bit buggy. So it's best to literally just restart Kali and connect again. To save all of this time, I'm going to connect from here. I'm just going to click here, connect to Test AP Three, and paste the password. I'm going to click on "Show the Password" to show it to you again; it's the same password, we just removed the colons. I'm going to click on "Join." And as you can see, we managed to connect, and we can test this connection by going to Google. And perfect. As you can see, it's working, and we managed to break the WEP encryption.

4. Fake Authentication Attack

In the previous lecture, we saw how easy it is to crack WEP. All we had to do was capture enough data and then run aircrack-ng to crack the encryption and give me the key. Now, one problem that we could face is if the network is not busy. If it's not busy, then the number under the data column will be increasing very, very slowly. Therefore, we are going to have to wait for a while before we have enough data to crack the key. So let me show you an example. I'm just going to run airodump-ng here and list all the networks around me. As you can see, I have my test network and AP on WEP. And if you look under the data column, you'll see that it's at zero and not increasing. Even if it's going to increase, it's going to increase very slowly, which means that I'm going to have to wait for hours before I can crack this network.

So a solution to this is to force the AP to generate new packets with new IVs. Now, before doing this, we need to associate with this network. What I mean by "associate" is that we need to tell this network that we want to communicate with it because, by default, access points ignore any requests they get unless the device has connected to the network or is associated with it. Don't get this mixed up with connecting. We're still unable to connect to the network because we need the password to be able to connect. What we're doing right now is literally just telling the target network, "Look, I want to communicate with you. Don't ignore my requests." That's all we're doing. It's something similar to what happens when you just click on the network when you want to connect to it. You still haven't put in the password. You're just telling the target network, "I want to communicate with you; please don't ignore me." So in this lecture, I'm going to show you how to associate with the target network so we can communicate with it. And in the next lecture, I'm going to show you how, once associated, we can inject packets into the network and force the number under the data column to increase very quickly.

First, I'm going to run airodump-ng against my target network, which has this BSSID. So I'm going to copy it, and we're going to use the exact same command that we've been using so far. We're going to do airodump-ng, then --bssid followed by the MAC address of my target, then --channel followed by the channel that my target is running on, which is six. And we're going to store all of this, so we're going to do --write, and we'll call this file ARP Replay, because that's the name of the attack. Then I'll give it my wireless adapter in monitor mode, which is mon0. So, a very simple command that we've done before. We're using airodump-ng to capture data from a network with this MAC address running on this channel, and we're storing everything in a file called ARP Replay. I'm going to hit Enter, and as you can see, it's running against my target. Notice that the data is increasing really slowly, or it's actually not increasing at all right now.

Now, to associate with this network, we're going to use a programme called aireplay-ng. So we're going to type aireplay-ng followed by --fakeauth, because we want to do a fake authentication attack. We're going to enter 0 because we only want to do this once. We're going to do -a to specify the MAC address of the target network. So I'm going to paste it; I've already copied it. Then we're going to do -h to specify the MAC address of my wireless adapter. To get the MAC address of my wireless adapter, I'm going to do ifconfig, and it's the first twelve digits of the unspec field. Usually you'd see it after ether, but when you enable monitor mode, it will show up like so. So I'm going to copy this, I'm going to paste it here, and I'm going to replace the minuses with colons. And that's it. It's done. Finally, I'm just going to give the name of my wireless adapter in monitor mode.

So, a very simple command. We're using aireplay-ng, which is a tool that can be used to run a number of attacks, and we've seen it used with the deauthentication attack. We tell it we want to run a fake authentication attack. We want to do this once. We've given it the MAC address of my target network after the -a. Then I'm giving it the MAC address of my wireless adapter after the -h. And finally, I'm giving it my wireless adapter in monitor mode. Now, before I run this, notice that in here we have nothing, and we don't have any clients showing up in here at the bottom. Now, if I hit Enter, you can see under the AUTH column that it's showing up as "open." And as you can see, we have a new client here associated with the network. If you look in here, you'll see this is the MAC address of my target network, and right here is the MAC address of my wireless adapter. So right now, I am associated with the target network. If I send it anything, it's going to accept it, and it's going to communicate with me. Again, I am not connected to the network. I still can't use the Internet. I'm literally just associated with the network so I can communicate with it. Now, in the next lecture, I'm going to show you how we can communicate with this network in a way that forces it into generating new packets with new IVs, which will allow us to crack the key very, very quickly.

Go to testing centre with ease on our mind when you use ECCouncil CEH 312-50v11 vce exam dumps, practice test questions and answers. ECCouncil 312-50v11 Certified Ethical Hacker v11 Exam certification practice test questions and answers, study guide, exam dumps and video training course in vce format to help you study with ease. Prepare with confidence and study using ECCouncil CEH 312-50v11 exam dumps & practice test questions and answers vce from ExamCollection.

Comments
* The most recent comment are at the top
  • Fahriy
  • Turkey
  • Mar 04, 2021

Has anyone tried the premium dump? Is it valid?
