[00:00:00] Welcome back. In this video, we're going to take a look at a cool way that we can actually perform ARP spoofing, or ARP poisoning, manually. We're going to do that using a huge library that comes with Python 3, and that is called the Scapy library. Now, Scapy allows us to manipulate different networking packets, and we can also send and receive the packets as well. Now, we could do something like this with the help of the socket library, but that would be much, much harder, because with the help of Scapy we have all of the packets already predefined and we can just craft them to our liking. Now, the same way that you can open Python inside of the terminal, you can also open Scapy inside of the terminal, and this will allow you to write the code line by line. So it will take a few seconds to open this framework. And once it opens up, you will see the Scapy banner and then you will be able to run the commands right here. Scapy works similarly to Python, so you can use the print statement to print Hello World, for example, and it will also run that code as well. However, we're not going to use it for this. We're going to use it to craft packets.

[00:01:17] For example, there are Ether headers inside of a packet, and to see all of the fields that an Ether header has we can type ls and then Ether, the same way we can do for ARP packets. For example, if I type ARP inside of the brackets, it will give me all of the fields that an ARP packet has. And you can do that for any packet that you want. For example, you can also do it for a TCP packet and it will give you all the fields that the TCP header has, and then you can change each of these fields to your liking. But as I already mentioned, the goal for this video is for us to craft an ARP packet that will poison the ARP cache of the Windows 10 machine and that will tell our Windows 10 machine that we are the router. So how can we do that? Well, first, if you remember, we must know the MAC address of our Windows 10 machine to be able to send the poisoning packet to it. Now, we are not going to cheat and check out the MAC address inside of the command prompt on Windows 10. We're going to get it using Scapy. To do that, we must send an ARP request that requests the MAC address of the Windows 10 machine. To do that, we must also send that request to the broadcast MAC address, which, if you remember, means that every machine on the network will receive that request. And then hopefully our Windows 10 machine will reply with its MAC address.

[00:02:44] So to do that, let me see if I can use the clear command right here. OK, great. I can use it. To do that, we are going to combine the Ether header that we just checked out with the ARP header, or the ARP packet. The reason we need the Ether header is so we can specify the destination MAC field to be the broadcast MAC address. Therefore our ARP packet will be received by anyone on the network. Let's do that. So let's create a variable called broadcast, and this variable will be equal to the Ether header and the dst field, which is the destination. We can set the broadcast MAC address, which is for everyone: six times ff, separated by colons. Once you do that you can close the brackets. And now we've got our broadcast packet ready. To check out whether everything is set correctly, we can type broadcast.show() and this will show all of the fields that we have right here. And you will notice that it will automatically set the other two fields. This is the MAC address of our Linux machine, which is the source MAC address, because we are sending the packet from our Linux machine, and the destination is who we are sending the packet to. In this case, we are sending the packet to everyone. Now, what we must do is we must also create the ARP layer for this packet.

[00:04:08] And to do that we can type ls(ARP) first to check out all of the fields, and we want to target the Windows 10 machine because we want to get its MAC address. So what we must do is we must set pdst to be equal to the IP address of the Windows 10 machine. All the other fields will be set automatically for us, except the hwdst field, which is the MAC address of our target, which we get from the ARP response. So to craft the ARP layer, we can type arp_layer equals and then ARP, and inside of the brackets we specify the fields that we want to use. In this case, we only specify pdst to be equal to 192.168.1.7. Or you can just specify the IP address of your target machine and press enter. And before I explain this, I can just type arp_layer.show() to show you how the packet looks. So it will set the hardware source to be our MAC address. It will set the IP source to be our IP address. It will set the IP destination to be the target's IP address, which in our case is 192.168.1.7. And the hardware destination will be empty, because this is the value that we want to get back. This packet is essentially saying: who has 192.168.1.7? Give me your MAC address.

[00:05:32] And to combine this packet with our broadcast layer, we can type entire_packet equals broadcast slash arp_layer, and this will put our two layers together. If I type entire_packet.show() you will see we have both the Ethernet layer and the ARP layer. The only thing we must do right now is we must send this packet to our network. We can do that using the srp function, and this function takes as an argument the entire packet. We can also set the timeout to be 2, and we can set verbose to be equal to True. Now, this is not something that we want to just send. We want to store the response inside of the answer variable, because if the Windows 10 machine answers, we will have our answer with the Windows 10's MAC address right here in this variable. We also want to only get the answers and not the unanswered packets. And we can do that by specifying right here zero to select the first element inside of the list. Once we do that, we can press enter and we get operation not permitted. And that could be because we are not the root account. So what I'm going to do is I'm going to run this real quick as root. So I'm just going to write all the commands that we just did. And I will get back to you as soon as it gets to the srp command. OK, so here we are now. We made a mistake that I already talked about.

[00:07:03] We must run all of this as the root account. Otherwise, some of these commands will not work. And I just typed all of the previous commands that we did, such as setting the broadcast layer, the ARP layer and creating the entire packet. Now we're sending the entire packet with this command and we're storing the response in the answer variable. So let's press enter and it will tell us: finished sending one packet, received one packet back and got one answer. Now, to get this answer, it's a little bit tricky. So if I print answer, we will get this response right here. And since all of these are empty, we want to select this other part right here and print just that part. To do that, we can type print answer and then the first element, which will be the answered packets. So in the brackets we specify zero and press enter. And this is our response from the Windows 10 machine. If we take a look at the response right here, we're going to see the MAC address of the Windows 10 machine. So we successfully received it with our packet. Now we can either copy it from here and store it in a variable, or we can select it like this. So we're going to print the answer. And from the answer we are selecting the first element, and from the second list we are selecting the second element, and we are going to type .hwsrc.

[00:08:25] The reason we are using hwsrc is because this is the field that has the MAC address of our Windows 10 machine, or of our target machine. Then if I print this, it should print just the MAC address, and here it is. And all we need to do right now is copy this and store that in a variable that we can name target_mac_address equals, and then our answer with the hwsrc field. Great. Now we got our target's MAC address and we're ready to craft the malicious ARP packet. So what we can do is we can type something like this. The packet will be equal to an ARP packet, and we're going to set the op field to be equal to 2. Now, if you type ls(ARP), you're going to see the op field. And this op field is simply just asking: are we sending an ARP request or an ARP reply? Once we set the field to be equal to 2, this means we are sending an ARP response, and remember, to send a malicious ARP packet, it must be an ARP response, telling the router that we are the Windows 10 machine or something similar to that. Once we set the op to be equal to 2, we must set the hardware destination to be equal to target_mac_address. And from here we are selecting two more fields, which are pdst to be the IP address of our target. So this simply means that we are sending this packet to our target.

[00:09:57] And the last part is where we add the malicious thing here under psrc. In a real packet, in real communication, we would specify right here the IP address of our Kali Linux machine. But in this case we want to pretend that we are the router. So we're just going to specify the IP address of the router. And this right here is our malicious packet. If we type packet.show(), you will see it right here. We have the MAC address of our Linux machine, but we also pretend to be the router by typing the router's IP address instead of our own. And this packet is being sent to this destination. Now, before I send it, I'm going to open the command prompt on my Windows 10 machine and I'm going to run the arp -a command from the previous video just to see how the ARP tables are currently set. So we can see that the router, which is in my case 192.168.1.1, has this MAC address. Our Kali Linux machine, which is 192.168.1.10, has this MAC address, and you will notice, once we send this packet, this IP address, which is our Kali Linux, and the router's IP address will have the same MAC address. And that is an indication that an ARP spoofing attack is taking place at that specific time. So let's send the packet, and to do that we can use the function.

[00:11:25] The first argument is going to be the packet, and we can set verbose to be equal to False and press enter. If I go back to the command prompt and type arp -a again, we can see now the router has the same MAC address as our Kali Linux machine right here. So we successfully ARP poisoned the ARP cache of our target machine. Now that we did this, you probably fully understand how ARP poisoning works. And you can also take a look at different tools online to see if there are some better tools that you can use to perform a man-in-the-middle attack. Some of them have more options. Some of them have less options. But nonetheless, this is all this attack is about. You simply just send malicious ARP packets and redirect the connection to you. So thank you for watching this video. And I will see you in the next section.
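The video's final check is that after the poisoning reply, arp -a on the Windows machine shows the router's IP and the Kali machine's IP resolving to the same MAC address. The block below is an added example written for this transcript, not code from the video or the course: a small pure-Python detector (no Scapy dependency) that parses raw Ethernet/ARP frames using the same field names Scapy's ls(Ether) and ls(ARP) show, learns IP-to-MAC bindings from ARP replies only, and raises two alerts: an IP whose MAC changes, and the gateway sharing a MAC with another host. The IP addresses are the ones used in the video; the MAC addresses, the gateway choice and the frames themselves are constructed placeholders built in memory, and nothing is sent on the wire.

```python
import struct
from dataclasses import dataclass

ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1   # op value for "who has ...?"
ARP_REPLY = 2     # op value for "... is at ..."

# IPs from the video; MAC values are constructed placeholders, not real hosts.
GW_IP, WIN_IP, KALI_IP = "192.168.1.1", "192.168.1.7", "192.168.1.10"
GW_MAC, WIN_MAC, KALI_MAC = "00:11:22:33:44:01", "00:11:22:33:44:07", "00:11:22:33:44:10"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpFrame:
    """The fields ls(Ether) and ls(ARP) list in Scapy, in the same order."""
    dst: str
    src: str
    op: int
    hwsrc: str
    psrc: str
    hwdst: str
    pdst: str


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(dst, src, op, hwsrc, psrc, hwdst, pdst) -> bytes:
    """Serialise an Ethernet + ARP frame (the bytes Ether()/ARP() would produce)."""
    eth = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then op
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(hwsrc) + ip_bytes(psrc) + mac_bytes(hwdst) + ip_bytes(pdst)
    return eth + arp


def parse_arp(frame: bytes):
    """Return an ArpFrame for a well-formed Ethernet/ARP frame, else None."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(
        dst=mac_str(frame[0:6]), src=mac_str(frame[6:12]), op=op,
        hwsrc=mac_str(frame[22:28]), psrc=ip_str(frame[28:32]),
        hwdst=mac_str(frame[32:38]), pdst=ip_str(frame[38:42]),
    )


class ArpSpoofDetector:
    """Learns IP -> MAC from ARP replies and raises the indicators the video points at."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.table = {}      # ip -> mac, learned from replies only
        self.alerts = []

    def _alert(self, msg: str):
        if msg not in self.alerts:
            self.alerts.append(msg)

    def observe(self, frame: bytes):
        pkt = parse_arp(frame)
        if pkt is None or pkt.op != ARP_REPLY:
            return  # requests do not rewrite caches; only replies matter here
        known = self.table.get(pkt.psrc)
        # Indicator 1: an IP we already know suddenly claims a different MAC
        if known is not None and known != pkt.hwsrc:
            self._alert(f"{pkt.psrc} changed from {known} to {pkt.hwsrc}")
        self.table[pkt.psrc] = pkt.hwsrc
        # Indicator 2 (the arp -a check from the video): gateway and another host share a MAC
        gw_mac = self.table.get(self.gateway_ip)
        for ip, mac in self.table.items():
            if gw_mac and ip != self.gateway_ip and mac == gw_mac:
                self._alert(f"gateway {self.gateway_ip} and host {ip} share MAC {mac}")


def run_demo():
    """Feed constructed frames through the detector and return its alerts."""
    det = ArpSpoofDetector(GW_IP)
    frames = [
        # legitimate replies: gateway and Kali host each answer for their own IP
        build_arp(WIN_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, WIN_MAC, WIN_IP),
        build_arp(WIN_MAC, KALI_MAC, ARP_REPLY, KALI_MAC, KALI_IP, WIN_MAC, WIN_IP),
        # a broadcast request from Windows; the detector ignores requests
        build_arp(BROADCAST, WIN_MAC, ARP_REQUEST, WIN_MAC, WIN_IP, "00:00:00:00:00:00", GW_IP),
        # the kind of reply the video describes: Kali's MAC claiming the gateway's IP
        build_arp(WIN_MAC, KALI_MAC, ARP_REPLY, KALI_MAC, GW_IP, WIN_MAC, WIN_IP),
    ]
    for frame in frames:
        det.observe(frame)
    return det.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```

Running the block prints the two alerts for the constructed sequence: first the gateway IP changing its MAC, then the gateway and the 192.168.1.10 host sharing one MAC. On a real network the same observe() loop would be fed from a capture source; learning only from replies and pinning the gateway IP keeps the detector from being confused by ordinary broadcast requests.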