1
00:00:00,250 --> 00:00:04,570
So switches make it difficult to sniff the network traffic.

2
00:00:04,660 --> 00:00:10,540
In the past, the traffic was being sent to all ports with hub technology. With switches,

3
00:00:10,570 --> 00:00:17,230
the traffic is directed only to the specified port, so a network device only receives its own packets,

4
00:00:17,260 --> 00:00:18,760
not the others.

5
00:00:19,000 --> 00:00:23,590
So we need to use some techniques to sniff the traffic of the other devices then, huh?

6
00:00:31,660 --> 00:00:35,860
These are some of the techniques to expand the sniffing space.

7
00:00:35,890 --> 00:00:37,600
You thought it couldn't be done.

8
00:00:38,470 --> 00:00:45,280
So we'll talk about SPAN, Switched Port Analyzer, or port mirroring.

9
00:00:45,610 --> 00:00:49,360
So that's a method of monitoring network traffic.

10
00:00:49,360 --> 00:00:57,490
With port mirroring enabled, the switch sends a copy of all network packets seen on one port or an

11
00:00:57,490 --> 00:01:01,840
entire VLAN to another port where the packets can be analyzed.

12
00:01:01,870 --> 00:01:08,440
Port mirroring is supported by almost all enterprise-class switches that I can think of.

13
00:01:08,470 --> 00:01:16,090
So, in other words, managed switches. It allows a particular computer to see the network traffic which

14
00:01:16,090 --> 00:01:17,530
is normally hidden from it.

15
00:01:18,620 --> 00:01:24,380
You can monitor the entire traffic sent from the switch by copying its uplink port.

16
00:01:25,590 --> 00:01:30,450
Now, you have to have physical access and the admin privileges on that switch.

17
00:01:30,810 --> 00:01:38,310
So this method is often used to send the network traffic to the IDS, which is typically an intrusion

18
00:01:38,310 --> 00:01:40,050
detection system device.

19
00:01:41,180 --> 00:01:48,740
In a MAC address table overflow attack, also known as a MAC flooding attack, within a very short time

20
00:01:48,740 --> 00:01:54,350
the switch's MAC address table is filled with fake MAC address and port mappings.

21
00:01:55,710 --> 00:01:56,430
The switch's

22
00:01:56,430 --> 00:02:02,340
MAC address table has only a limited amount of memory, and when that table is full, the switch cannot

23
00:02:02,340 --> 00:02:04,560
save any more MAC addresses in it.

24
00:02:05,680 --> 00:02:12,250
So once the switch's MAC address table is full and it can't save any more MAC addresses, it generally

25
00:02:12,250 --> 00:02:17,140
enters into a fail-open mode and it starts behaving like a network hub.

26
00:02:17,290 --> 00:02:22,390
Frames are flooded to all ports, similar to a broadcast type of communication.

27
00:02:22,630 --> 00:02:26,980
So as an attacker in the network, you start to receive the frames of others.

28
00:02:28,020 --> 00:02:30,630
You know, Address Resolution Protocol.

29
00:02:30,690 --> 00:02:38,940
ARP is a network layer protocol used for mapping a network address, such as an IPv4 address,

30
00:02:38,970 --> 00:02:41,730
to a physical address, such as a MAC address.

31
00:02:42,450 --> 00:02:49,200
A system asks for the owner of an IP address by sending an ARP request, and the owner of the IP address

32
00:02:49,200 --> 00:02:52,080
answers him with an ARP reply.

33
00:02:52,290 --> 00:02:57,060
What if the attacker replies first, before the owner of the IP?

34
00:02:57,480 --> 00:03:04,290
Once the attacker's MAC address is connected to an authentic IP address, the attacker will begin receiving

35
00:03:04,290 --> 00:03:07,470
any data that is intended for that IP address.

36
00:03:07,590 --> 00:03:11,310
This is the basic principle of ARP spoofing attacks.

37
00:03:12,020 --> 00:03:18,890
ARP poisoning can be achieved because of the lack of authentication in the ARP protocol, so the attacker

38
00:03:18,920 --> 00:03:22,250
can send a spoofed ARP message onto the LAN.

39
00:03:23,710 --> 00:03:27,070
Would you like to make the attack much more powerful?

40
00:03:27,400 --> 00:03:27,870
Hmm.

41
00:03:27,880 --> 00:03:29,440
I suspected as much.

42
00:03:29,530 --> 00:03:33,970
Then you've got to replace your MAC with the gateway's.

43
00:03:34,060 --> 00:03:39,970
So every packet sent by the victim will be in your malicious hands.

44
00:03:40,270 --> 00:03:42,820
But we are ethical hackers, remember?

45
00:03:43,800 --> 00:03:46,350
Dynamic Host Configuration Protocol.

46
00:03:46,350 --> 00:03:53,190
DHCP is a protocol used to provide automatic and central management for the distribution of IP addresses

47
00:03:53,190 --> 00:03:55,170
within a single network.

48
00:03:55,440 --> 00:04:02,310
It's also used to configure the proper subnet mask, default gateway and DNS server information on the

49
00:04:02,310 --> 00:04:03,450
particular device.

50
00:04:04,270 --> 00:04:10,090
Now, similar to the other types of spoofing attacks, DHCP spoofing involves an attacker pretending to

51
00:04:10,090 --> 00:04:15,220
be someone else, in this case acting as the legitimate DHCP server.

52
00:04:15,800 --> 00:04:22,790
Since DHCP is used to provide addressing and other information to clients, losing control of this

53
00:04:22,790 --> 00:04:24,950
part of the network can be very dangerous.

54
00:04:25,750 --> 00:04:28,110
In DHCP spoofing attacks,

55
00:04:28,120 --> 00:04:36,430
the attacker places a rogue DHCP server on the network, and as clients are turned on and request an address,

56
00:04:36,520 --> 00:04:39,490
the server with the fastest response is used.

57
00:04:39,670 --> 00:04:46,420
If the device receives a response from the rogue server first, the rogue server can assign any address

58
00:04:46,420 --> 00:04:51,070
as well as control which device it uses as a gateway.

59
00:04:51,640 --> 00:04:59,020
So a well-designed attack can collect traffic from local hosts to a rogue server that logs all traffic

60
00:04:59,020 --> 00:05:05,020
and then forwards out the traffic to the correct gateway or to the device.

61
00:05:05,020 --> 00:05:07,960
So this action would be almost transparent.

62
00:05:07,990 --> 00:05:12,340
Thus, the attacker can steal information almost invisibly.