1 00:00:00,480 --> 00:00:01,500 Instructor: Okay,
2 00:00:01,500 --> 00:00:05,130 welcome to the man in the middle section.
3 00:00:05,130 --> 00:00:07,590 This is where we can relax a little bit
4 00:00:07,590 --> 00:00:10,710 since we covered all the important things
5 00:00:10,710 --> 00:00:13,140 that an ethical hacker must know,
6 00:00:13,140 --> 00:00:16,650 from scanning, from exploitation to gaining access
7 00:00:16,650 --> 00:00:20,640 with Trojans and web application penetration testing.
8 00:00:20,640 --> 00:00:23,850 Now, we can lie back and cover something that
9 00:00:23,850 --> 00:00:25,020 you won't need that much,
10 00:00:25,020 --> 00:00:27,330 but it is a cool attack that allows you to
11 00:00:27,330 --> 00:00:31,620 sniff information inside of a local area network.
12 00:00:31,620 --> 00:00:34,410 Now, in network penetration testing
13 00:00:34,410 --> 00:00:37,590 this is something that you also want to try.
14 00:00:37,590 --> 00:00:40,560 In some networks there will be protection that blocks
15 00:00:40,560 --> 00:00:41,940 this type of attack.
16 00:00:41,940 --> 00:00:45,510 However, to this date, many home networks, schools
17 00:00:45,510 --> 00:00:48,870 and company networks don't have this applied.
18 00:00:48,870 --> 00:00:51,300 Anyway, before we actually get to run this type
19 00:00:51,300 --> 00:00:55,530 of attack, let's first talk about how it works.
20 00:00:55,530 --> 00:00:56,970 Let's start like this.
21 00:00:56,970 --> 00:01:01,200 Now, imagine a home network with many devices.
22 00:01:01,200 --> 00:01:04,670 Say we have two computers and also our Kali Linux machine
23 00:01:04,670 --> 00:01:06,690 inside of that network.
24 00:01:06,690 --> 00:01:10,320 Networks also have routers that route their traffic
25 00:01:10,320 --> 00:01:12,330 to different websites.
26 00:01:12,330 --> 00:01:14,490 And every time that you, for example,
27 00:01:14,490 --> 00:01:18,960 communicate with a webpage, you do that through your router.
28 00:01:18,960 --> 00:01:23,960 You request a webpage and the router will forward your request
29 00:01:24,210 --> 00:01:27,930 to that server, and when the server sends a response to you,
30 00:01:27,930 --> 00:01:30,240 the router will send it to your machine
31 00:01:30,240 --> 00:01:31,710 inside of the network.
32 00:01:31,710 --> 00:01:35,520 But how does it know which machine to send it to?
33 00:01:35,520 --> 00:01:38,943 How does it know to whom to forward which packet?
34 00:01:39,840 --> 00:01:42,330 Well, let's explain it like this.
35 00:01:42,330 --> 00:01:44,400 Let's go back to our three machines
36 00:01:44,400 --> 00:01:48,093 and let's mark them with A, B, and C.
37 00:01:49,110 --> 00:01:51,510 All of these machines, including our router,
38 00:01:51,510 --> 00:01:54,720 also have an IP address.
39 00:01:54,720 --> 00:01:59,340 So we can say A has 192.168.1.10,
40 00:01:59,340 --> 00:02:02,820 B has 192.168.1.5,
41 00:02:02,820 --> 00:02:06,600 our Kali Linux machine has 192.168.1.7
42 00:02:06,600 --> 00:02:11,600 and our router has 192.168.1.1.
43 00:02:12,270 --> 00:02:14,490 Besides having an IP address,
44 00:02:14,490 --> 00:02:17,880 all of these machines also have their MAC address,
45 00:02:17,880 --> 00:02:20,250 and these two help them communicate
46 00:02:20,250 --> 00:02:22,410 with each other over the network.
47 00:02:22,410 --> 00:02:26,010 Our router knows whom to forward the packet to
48 00:02:26,010 --> 00:02:29,820 thanks to ARP packets and ARP tables.
49 00:02:29,820 --> 00:02:33,000 Now we are going to talk about ARP packets in just a second,
50 00:02:33,000 --> 00:02:35,400 but what I want to mention for now is that
51 00:02:35,400 --> 00:02:40,400 our router has ARP tables that map every IP address inside
52 00:02:40,800 --> 00:02:43,830 of the network to their MAC addresses.
53 00:02:43,830 --> 00:02:46,230 Then it uses the machine's MAC address
54 00:02:46,230 --> 00:02:48,183 to forward the packet to it.
55 00:02:49,080 --> 00:02:51,870 We know by now that MAC addresses are unique;
56 00:02:51,870 --> 00:02:53,460 therefore, by knowing them,
57 00:02:53,460 --> 00:02:55,140 you know the identity of that machine
58 00:02:55,140 --> 00:02:58,800 and then you can communicate with that machine.
59 00:02:58,800 --> 00:03:01,650 Now let's explain those ARP packets.
60 00:03:01,650 --> 00:03:04,380 What are they and how do they allow us to communicate
61 00:03:04,380 --> 00:03:05,550 with each other?
62 00:03:05,550 --> 00:03:07,110 Well, to explain this
63 00:03:07,110 --> 00:03:11,250 I will remove one machine just for simplicity.
64 00:03:11,250 --> 00:03:14,580 Okay, so there are two types of ARP packets.
65 00:03:14,580 --> 00:03:19,580 We have ARP requests and ARP replies, or ARP responses.
66 00:03:20,910 --> 00:03:24,840 Now, with requests we find out what machine has
67 00:03:24,840 --> 00:03:28,740 what MAC address, and with ARP replies we reply to the
68 00:03:28,740 --> 00:03:33,090 machine that asked the question with our response.
69 00:03:33,090 --> 00:03:35,580 A request would look something like this:
70 00:03:35,580 --> 00:03:38,070 let's say machine A wants to communicate
71 00:03:38,070 --> 00:03:40,080 with our Kali Linux machine.
72 00:03:40,080 --> 00:03:42,990 To do that, it must know our MAC address.
73 00:03:42,990 --> 00:03:46,650 So it sends the ARP request to the broadcast address,
74 00:03:46,650 --> 00:03:49,260 which simply means every machine on the network
75 00:03:49,260 --> 00:03:51,360 will get that ARP request.
76 00:03:51,360 --> 00:03:55,740 And with that ARP request, machine A asks
77 00:03:55,740 --> 00:04:00,740 who has the IP address 192.168.1.7.
78 00:04:00,780 --> 00:04:03,810 And it also says: send me your MAC address
79 00:04:03,810 --> 00:04:05,970 if this is your IP address.
80 00:04:05,970 --> 00:04:08,460 In this scenario, our Kali Linux machine
81 00:04:08,460 --> 00:04:12,390 receives the request and it gives an answer.
82 00:04:12,390 --> 00:04:16,170 It says, I am 192.168.1.7
83 00:04:16,170 --> 00:04:18,750 and here is my MAC address.
84 00:04:18,750 --> 00:04:22,290 Now, this is just normal communication in any network.
85 00:04:22,290 --> 00:04:24,630 This is how machines and our router
86 00:04:24,630 --> 00:04:28,380 figure out to whom they should forward a certain packet.
87 00:04:28,380 --> 00:04:32,340 However, there are ways that this can be abused.
88 00:04:32,340 --> 00:04:36,180 For example, what if I, from my Kali Linux machine,
89 00:04:36,180 --> 00:04:40,110 craft an ARP response and send it to machine A saying
90 00:04:40,110 --> 00:04:45,110 that I am 192.168.1.1, which is the router?
91 00:04:45,660 --> 00:04:48,349 We know that machine A uses the router to communicate
92 00:04:48,349 --> 00:04:52,200 with the internet; therefore, once we send machine A
93 00:04:52,200 --> 00:04:55,220 an ARP response and tell it that we have the IP address
94 00:04:55,220 --> 00:04:58,620 of the router, it will start sending its packets
95 00:04:58,620 --> 00:05:01,170 to us instead of the router.
96 00:05:01,170 --> 00:05:05,490 For example, let's say machine A wants to visit Facebook.
97 00:05:05,490 --> 00:05:08,040 In this case, it would send that Facebook request
98 00:05:08,040 --> 00:05:12,210 to us instead of directly sending it to the real router.
99 00:05:12,210 --> 00:05:14,580 Well, you might be asking, what now?
100 00:05:14,580 --> 00:05:17,490 We just managed to redirect the traffic of machine A
101 00:05:17,490 --> 00:05:20,370 to go to us, and now that machine won't be able
102 00:05:20,370 --> 00:05:22,710 to access the internet because the packets
103 00:05:22,710 --> 00:05:25,698 are not being forwarded to Facebook or any other page
104 00:05:25,698 --> 00:05:28,080 that they want to visit.
105 00:05:28,080 --> 00:05:29,700 Well, not exactly.
106 00:05:29,700 --> 00:05:33,900 We can also send an ARP response to the router.
107 00:05:33,900 --> 00:05:36,510 In this response, we tell the router that
108 00:05:36,510 --> 00:05:40,230 we are machine A. Now machine A believes
109 00:05:40,230 --> 00:05:42,900 that we are the router and the router believes
110 00:05:42,900 --> 00:05:44,940 that we are machine A.
111 00:05:44,940 --> 00:05:47,520 All we are left to do in this case is forward
112 00:05:47,520 --> 00:05:50,460 the packets to keep the connection going.
113 00:05:50,460 --> 00:05:53,430 So, in this scenario, instead of communication
114 00:05:53,430 --> 00:05:55,593 to websites going like this,
115 00:05:56,940 --> 00:06:00,240 we spoofed the network and now the communication
116 00:06:00,240 --> 00:06:02,073 is being done like this.
117 00:06:02,970 --> 00:06:06,720 In this case, if machine A tries to visit facebook.com,
118 00:06:06,720 --> 00:06:10,290 for example, it will send that request to us,
119 00:06:10,290 --> 00:06:14,070 which we then forward to the router, and the router forwards it
120 00:06:14,070 --> 00:06:15,450 to Facebook.
121 00:06:15,450 --> 00:06:18,540 Like this we can sniff the data if it is unencrypted,
122 00:06:18,540 --> 00:06:22,800 and we can also see what websites machine A is visiting.
123 00:06:22,800 --> 00:06:26,670 And this communication works both ways.
124 00:06:26,670 --> 00:06:29,370 Once Facebook receives machine A's request,
125 00:06:29,370 --> 00:06:31,920 it sends the response, which comes to our router,
126 00:06:31,920 --> 00:06:34,650 and then, since the router is also being spoofed,
127 00:06:34,650 --> 00:06:37,110 it thinks that we are machine A
128 00:06:37,110 --> 00:06:39,693 and it sends the response back to us.
129 00:06:40,530 --> 00:06:43,110 Then we forward the response to machine A,
130 00:06:43,110 --> 00:06:46,800 so machine A has no idea that it is being spoofed
131 00:06:46,800 --> 00:06:51,150 since it is able to visit any pages and websites.
132 00:06:51,150 --> 00:06:53,820 This attack is called Man in the Middle
133 00:06:53,820 --> 00:06:56,010 with the help of ARP spoofing.
134 00:06:56,010 --> 00:06:58,620 And of course, when we perform this attack
135 00:06:58,620 --> 00:07:01,890 and we spoof our router and targets,
136 00:07:01,890 --> 00:07:05,700 their ARP tables will look something like this.
137 00:07:05,700 --> 00:07:08,160 The MAC address of machine A changes
138 00:07:08,160 --> 00:07:12,180 to our MAC address inside of the router's ARP tables,
139 00:07:12,180 --> 00:07:14,760 and that is while it is being spoofed.
140 00:07:14,760 --> 00:07:18,000 Once we stop spoofing, the MAC address changes back
141 00:07:18,000 --> 00:07:20,460 to its real MAC address.
142 00:07:20,460 --> 00:07:21,630 Okay, great.
143 00:07:21,630 --> 00:07:24,390 Now that we know how exactly the attack works,
144 00:07:24,390 --> 00:07:27,330 let's mention a few things that we might want to get
145 00:07:27,330 --> 00:07:29,490 once performing this attack.
146 00:07:29,490 --> 00:07:33,150 The goal of it would most likely be to overall
147 00:07:33,150 --> 00:07:36,150 be able to save the data going from other machines
148 00:07:36,150 --> 00:07:37,770 on the same network.
149 00:07:37,770 --> 00:07:40,260 We also want to be able to check out what websites
150 00:07:40,260 --> 00:07:43,110 other machines are visiting, and if possible,
151 00:07:43,110 --> 00:07:45,551 in case some communication is not encrypted,
152 00:07:45,551 --> 00:07:47,550 we would want to sniff passwords
153 00:07:47,550 --> 00:07:50,700 if someone tries to log in to some page.
154 00:07:50,700 --> 00:07:53,610 Most of these things depend on which websites
155 00:07:53,610 --> 00:07:55,170 they are visiting.
156 00:07:55,170 --> 00:07:58,290 Nonetheless, now that we know the theory behind the attack,
157 00:07:58,290 --> 00:08:02,220 let's see how we can perform it using different tools.
158 00:08:02,220 --> 00:08:03,520 See you in the next video.