OK, welcome to the man in the middle section. This is where we can relax a little bit, since we covered all the important things that an ethical hacker must know, from scanning, from exploitation, to gaining access with Trojans and Web application penetration testing. Now we can lay back and cover something that you won't need that much, but it is a cool attack that allows you to sniff information inside of a local area network.

Now, in network penetration testing, this is something that you also want to try. In some networks there will be protection that blocks these types of attacks. However, to this date, many home networks, schools and company networks don't have this applied. Anyway, before we actually get to run this type of attack, let's first talk about how it works.

Let's start like this. Now imagine a home network with many devices. Say we have two computers and also our Kali Linux machine inside of that network. Networks also have routers that route traffic to different websites. And every time you, for example, communicate with a Web page, you do that through your router. You request a Web page and the router will forward your request to that server. And when the server sends a response to you, the router will send it to your machine inside of the network. But how does it know which machine to send it to? How does it know to whom to forward which packet?

Well, let's explain it like this. Let's go back to our three machines and let's mark them with A, B and C. All of these machines, including our router, also have an IP address, so we can say A has 192.168.1.10, B has 192.168.1.5, our Linux machine has 192.168.1.7, and our router has 192.168.1.1.

Besides having an IP address, all of these machines also have their MAC address, and these help them communicate with each other over the network. Our router knows whom to forward the packets to thanks to ARP packets and ARP tables. Now, we're going to talk about ARP packets in just a second. But what I want to mention for now is that our router has ARP tables that map every IP address inside of the network to their MAC addresses. Then it uses the machine's MAC address to forward the packet to them. We know by now that MAC addresses are unique; therefore, by knowing them, you know the ID of that machine and then you can communicate with that machine.

Now, let's explain those ARP packets. What are they and how do they allow us to communicate with each other? Well, to explain this, I will remove one machine just for simplicity. OK, so there are two types of ARP packets. We have ARP requests and ARP replies, or ARP responses. Now, with requests, we find out what machine has what MAC address, and with ARP replies we reply to the machine that asked the question. An ARP request would look something like this. Let's say Machine A wants to communicate with our Linux machine. To do that, it must know our MAC address. So it sends the ARP request to the broadcast address, which simply means every machine on the network will get that ARP request. And with that ARP request, Machine A asks who has the IP address 192.168.1.7. And it tells it: send me your address if this is your IP address. In this scenario, our Linux machine receives the request and it gives an answer. It says, I am 192.168.1.7, and here is my MAC address.

Now, this is just normal communication in any network. This is how machines and our router figure out to whom they should forward a certain packet. However, there are ways that this can be abused. For example, what if I, from my Linux machine, craft an ARP response and send it to Machine A saying that I am 192.168.1.1, which is the router, since we know that Machine A uses the router to communicate with the Internet. Therefore, once we send Machine A an ARP response and tell it that we have the IP address of the router, it will start sending its packets to us instead of the router. For example, let's say Machine A wants to visit Facebook. In this case, it would send that Facebook request to us instead of directly sending it to the real router.

Well, you might be asking, what now? We just managed to redirect the traffic of Machine A to go to us. And now that machine won't be able to access the Internet because the packets are not being forwarded to Facebook or any other page that they want to visit. Well, not exactly. We can also send an ARP response to the router. In this response, we tell the router that we are Machine A. Now Machine A believes that we are the router and the router believes that we are Machine A. All we are left to do in this case is forward the packets to keep the connection going. So in this scenario, instead of communication with websites going like this, we spoofed the network and now the communication is being done like this.

In this case, if Machine A tries to visit facebook.com, for example, it will send that request to us, which we then forward to the router, and the router forwards it to Facebook. Like this, we can sniff the data if it is unencrypted, and we can also see what websites Machine A is visiting. And this communication works both ways. Once Facebook receives Machine A's request, it sends the response that comes to our router. And then, since the router is also being spoofed, it thinks that we are Machine A and it sends back the response to us. Then we forward the response to Machine A, so Machine A has no idea that it is being spoofed, since it is able to visit any pages and websites.

This attack is called Man in the Middle with the help of ARP spoofing. And of course, when we perform this attack and we spoof the router and the target, their ARP tables will look something like this. The MAC address of Machine A changes to our MAC address inside of the router's ARP table, and that is while it's being spoofed. Once we stop spoofing, the MAC address changes back to its real MAC address.

OK, great. Now that we know how exactly the attack works, let's mention a few things that we might want to get once performing this attack. The goal of it would most likely be to overall be able to save the data going from other machines on the same network. We also want to be able to check out what websites other machines are visiting and, if possible, in case some communication is not encrypted, we would want to save passwords if someone tries to log in to some page. Just most of these things depend on which websites they are visiting. Nonetheless, now that we know the theory behind the attack, let's see how we can perform it using different tools. The next video.