1 00:00:00,520 --> 00:00:06,640 So look at the page seen in the slide, this is the manual page of the macof command.
2 00:00:08,290 --> 00:00:15,820 macof is a command line tool, mainly used to flood the switch on a local network with random addresses.
3 00:00:16,360 --> 00:00:21,790 So as I mentioned before, when the switch receives a frame, it creates a new entry in its MAC address
4 00:00:21,790 --> 00:00:23,320 table for these MAC addresses.
5 00:00:24,130 --> 00:00:29,620 Once the switch's MAC address table is full and it cannot save any more MAC addresses, it generally
6 00:00:29,650 --> 00:00:34,000 enters into a fail open mode and it starts behaving like a network hub.
7 00:00:35,420 --> 00:00:37,940 So let's see the macof command in action.
8 00:00:40,070 --> 00:00:43,070 So here's a network that I created in GNS3.
9 00:00:45,400 --> 00:00:49,870 Well, the IP addresses are different from the one that I created in the previous lectures, but not
10 00:00:49,870 --> 00:00:53,320 to worry, it's completely identical with that network.
11 00:00:54,480 --> 00:01:03,480 So in addition, I've added some other VMware VMs, OWASP Broken Web Applications and Metasploitable, in
12 00:01:03,480 --> 00:01:09,870 the same way with Kali. Now just a little word of caution while you're adding a VMware VM to GNS3
13 00:01:09,870 --> 00:01:10,610 network.
14 00:01:10,950 --> 00:01:19,650 Do not forget to create a new custom network mode such as VMnet2 because all VMs need a separate
15 00:01:19,650 --> 00:01:20,800 custom network mode.
16 00:01:21,300 --> 00:01:21,900 Remember that.
17 00:01:23,120 --> 00:01:24,450 OK, so now go to Kali.
18 00:01:25,250 --> 00:01:32,540 Since Kali is a part of the GNS3 network, its network setting is custom, so it's not
19 00:01:32,540 --> 00:01:33,830 in NAT mode right now.
20 00:01:35,450 --> 00:01:38,240 Have a look at the IP address using ifconfig.
21 00:01:38,840 --> 00:01:46,100 OK, so it's in 192.168.10.0/24 IP block.
22 00:01:46,970 --> 00:01:54,260 So now check the entire network, I go over to the other VMs and look at the interface configurations,
23 00:01:55,340 --> 00:01:58,490 these are the IP addresses of all the VMs.
24 00:01:59,330 --> 00:02:00,770 Now go to Kali and ping them.
25 00:02:02,820 --> 00:02:04,120 The results are pretty good.
26 00:02:04,560 --> 00:02:06,990 We got the reply packets for ping request.
27 00:02:08,100 --> 00:02:16,680 So now I open another terminal screen and scan these two VMs and see the open ports and running services.
28 00:02:18,380 --> 00:02:25,610 So I'll simply use the nmap command with the IP address only, so it'll be a SYN scan and the top
29 00:02:25,610 --> 00:02:27,380 1000 ports will be scanned.
30 00:02:28,440 --> 00:02:29,310 Here are the results.
31 00:02:30,540 --> 00:02:35,770 10.11 has nine open ports and 10.12 has 23.
32 00:02:36,150 --> 00:02:42,330 And as you see here, telnet port of the 192.168.10.12
33 00:02:42,720 --> 00:02:43,340 is open.
34 00:02:45,020 --> 00:02:46,310 So let's go to the VMs.
35 00:02:47,480 --> 00:02:53,090 10.12 is Metasploitable and 10.11 is OWASP BWA.
36 00:02:54,080 --> 00:03:01,430 Now we know the telnet service is running on Metasploitable, so to create some traffic and let the switch
37 00:03:01,430 --> 00:03:08,210 fill the MAC address table, I'll start up a telnet connection from OWASP BWA to Metasploitable.
38 00:03:09,200 --> 00:03:16,340 Type telnet and the IP address of Metasploitable, enter the username and password, which are already
39 00:03:16,340 --> 00:03:18,140 given in the welcome message here.
40 00:03:21,160 --> 00:03:23,140 And we got the session.
41 00:03:25,150 --> 00:03:26,930 OK, so we can exit now.
42 00:03:27,740 --> 00:03:35,800 Now we'll go to the console of the switch and type show mac address table dynamic to see the dynamic
43 00:03:35,800 --> 00:03:37,510 records of the MAC address table.
44 00:03:38,730 --> 00:03:43,320 Now, here there are six port and MAC mappings for now.
45 00:03:44,270 --> 00:03:47,510 Run the command again, and now we have two rows.
46 00:03:48,450 --> 00:03:54,300 So it seems by the look of this that the MAC address table aging is 10 or 15 seconds.
47 00:03:55,840 --> 00:03:57,850 OK, you ready for this?
48 00:03:59,170 --> 00:04:01,510 This is the time of MAC flooding.
49 00:04:02,960 --> 00:04:05,090 So now I'm in a terminal screen on Kali.
50 00:04:06,140 --> 00:04:12,530 Have a look at the manual of the macof command first, so type man macof and hit enter.
51 00:04:14,000 --> 00:04:19,730 macof is a tool that's used to flood the local network with random addresses.
52 00:04:21,060 --> 00:04:22,170 And here are the options.
53 00:04:23,760 --> 00:04:32,430 -i to identify the network interface to attack, -n to specify the number of packets to send, -d to specify
54 00:04:32,430 --> 00:04:34,560 the destination system's IP address.
55 00:04:36,120 --> 00:04:37,170 So let's create the command.
56 00:04:38,140 --> 00:04:42,190 Of course, the first command I'll send is macof.
57 00:04:43,170 --> 00:04:52,560 -i, the interface that's used to attack, we'll type that in as eth0, -d, the destination, the EtherSwitch router.
58 00:04:54,010 --> 00:04:56,710 Now we're ready to run a command, so hit enter.
59 00:04:58,230 --> 00:05:03,330 And the MAC flood started and it sends tens of packets in seconds.
60 00:05:04,640 --> 00:05:11,510 Now, let me go to the EtherSwitch router console and look at the dynamic MAC address table again,
61 00:05:12,440 --> 00:05:15,800 you can call the last command by using the up arrow key.
62 00:05:16,940 --> 00:05:23,600 And as you see, there are a lot of rows for our FastEthernet 1/0 port, which is used for Kali.
63 00:05:25,020 --> 00:05:31,890 So while macof is running, let's run Wireshark and try to listen in to the traffic on the telnet,
64 00:05:31,890 --> 00:05:33,600 that of Kali's own network interface.
65 00:05:41,080 --> 00:05:47,890 Now, to see only the telnet traffic, type telnet in the filter box and click the blue button next to
66 00:05:47,890 --> 00:05:48,310 the box.
67 00:05:48,940 --> 00:05:51,040 OK, no telnet traffic for now.
68 00:05:51,790 --> 00:06:00,370 Now go back to the OWASP BWA VM and telnet to the Metasploitable VM again, telnet, the IP address of
69 00:06:00,670 --> 00:06:02,740 Metasploitable, username and password.
70 00:06:04,820 --> 00:06:05,540 Run command.
71 00:06:05,840 --> 00:06:08,000 OK, so back to Kali.
72 00:06:09,160 --> 00:06:10,660 You see the telnet traffic here.
73 00:06:11,590 --> 00:06:17,110 Kali is neither the source of the traffic nor the destination; it receives the telnet traffic.
74 00:06:17,770 --> 00:06:25,060 Now, this is a typical hub behavior, to send packets to each node, so we can say that our switch is
75 00:06:25,060 --> 00:06:28,000 behaving like a hub now, just like we predicted.
76 00:06:29,650 --> 00:06:36,460 So let's go ahead and stop Wireshark and the macof command using Ctrl+C keys, you can do that.
77 00:06:38,990 --> 00:06:46,460 These are the telnet packets, since Telnet is a clear text protocol, by default, we can see the payload
78 00:06:46,460 --> 00:06:48,140 as well as the metadata.
79 00:06:49,070 --> 00:06:55,730 We can see every character in a different packet, so select one of them, right click, Follow and
80 00:06:55,730 --> 00:06:57,560 select TCP stream.
81 00:06:58,820 --> 00:07:05,060 So the red characters here are client packets, the blue characters are the server packets, here's
82 00:07:05,060 --> 00:07:08,090 a credential, username and password.