1
00:00:01,390 --> 00:00:03,910
An ARP spoof is performed by

2
00:00:03,910 --> 00:00:09,160
replying to an ARP request before the real owner of the IP address.

3
00:00:09,870 --> 00:00:15,840
Because of the lack of authentication mechanisms in the ARP protocol, you're able to set yourself as the

4
00:00:15,840 --> 00:00:19,260
owner of the IP in the source machine's ARP table.

5
00:00:20,080 --> 00:00:25,180
Okay, to understand the ARP spoof or ARP cache poisoning attack,

6
00:00:25,330 --> 00:00:29,230
let's remember the ARP protocol and its principles once again.

7
00:00:30,010 --> 00:00:32,290
Address Resolution Protocol,

8
00:00:32,320 --> 00:00:39,730
ARP, is a network layer protocol used for mapping a network address, such as an IPv4 address, to

9
00:00:39,730 --> 00:00:42,100
a physical address such as a MAC address.

10
00:00:42,900 --> 00:00:45,510
To simulate how the ARP mechanism works,

11
00:00:45,690 --> 00:00:52,410
we have a small network in the slide, a switch on top, and three computers connected to it.

12
00:00:52,440 --> 00:00:55,140
Computer A wants to talk to Computer C.

13
00:00:56,400 --> 00:01:00,780
It puts an ARP request onto the wire, which happens to be broadcast.

14
00:01:01,320 --> 00:01:05,910
Essentially what it's saying is: who has Computer C's MAC address?

15
00:01:06,860 --> 00:01:11,390
Of course, because it's a broadcast, every system on the network hears it.

16
00:01:11,920 --> 00:01:13,510
Does everybody respond?

17
00:01:13,690 --> 00:01:16,870
Well, what happens is that B hears it.

18
00:01:16,870 --> 00:01:19,720
A is looking for the MAC address of Computer C.

19
00:01:20,650 --> 00:01:26,710
B knows that it's not Computer C, and therefore does not respond to the broadcast.

20
00:01:27,440 --> 00:01:28,550
The broadcast,

21
00:01:28,550 --> 00:01:36,650
the request, goes out to every system, but the only system that will reply is Computer C with an ARP

22
00:01:36,650 --> 00:01:37,430
reply.

23
00:01:38,270 --> 00:01:42,920
In other words, Computer A says: who has the MAC address of Computer C?

24
00:01:42,950 --> 00:01:49,070
And although all the workstations hear the question, only C replies and says, I've got the MAC address

25
00:01:49,070 --> 00:01:52,160
of Computer C and this is what it is.

26
00:01:52,310 --> 00:02:00,050
So the ARP reply sends back the MAC address to Computer A, and each of these machines starts building

27
00:02:00,050 --> 00:02:01,160
an ARP table.

28
00:02:01,850 --> 00:02:06,560
This is how ARP requests and responses look in Wireshark.

29
00:02:06,680 --> 00:02:08,919
The first packet is an ARP request.

30
00:02:08,930 --> 00:02:15,200
As you see, it is broadcast, and the second packet is an ARP reply.

31
00:02:15,830 --> 00:02:20,300
The owner of the IP 2007 answers with its MAC address.

32
00:02:20,600 --> 00:02:28,610
As you see, the ARP request is broadcast throughout the network and the first reply is trusted and accepted.

33
00:02:30,190 --> 00:02:30,610
Okay.

34
00:02:30,610 --> 00:02:35,020
So we have already seen the routine of the ARP protocol.

35
00:02:35,860 --> 00:02:38,290
Computer A sends an ARP request.

36
00:02:38,910 --> 00:02:40,800
The request is broadcast.

37
00:02:41,950 --> 00:02:47,860
The owner of the IP replies with an ARP reply, and both sides update their ARP tables.

38
00:02:48,540 --> 00:02:51,180
Now we have an attacker in the network.

39
00:02:52,320 --> 00:02:56,160
Okay, so this is how the ARP spoof attack works.

40
00:02:56,460 --> 00:03:03,660
Computer A wants to talk to Computer C. If the MAC address table of Computer C is not in the ARP table

41
00:03:03,660 --> 00:03:10,050
of Computer A, it puts an ARP request into the wire, which happens to be broadcast.

42
00:03:10,530 --> 00:03:15,750
This is a point where all the computers on the network get the ARP request.

43
00:03:16,800 --> 00:03:23,550
So although it's not his IP address, the attacker replies to the ARP request before the real owner.

44
00:03:24,240 --> 00:03:29,760
In this reply, the attacker puts his own MAC address corresponding to the target IP address.

45
00:03:31,120 --> 00:03:38,590
Computer A receives the ARP reply and stores the address pair in its ARP table, and communication takes

46
00:03:38,590 --> 00:03:39,250
place.