1
00:00:02,230 --> 00:00:08,220
Before we move on to analyze the attacks on the second OSI layer, we have to explain one more thing.

2
00:00:09,340 --> 00:00:12,530
There are two kinds of devices operating in the link layer.

3
00:00:12,910 --> 00:00:14,530
These are hubs and switches.

4
00:00:18,340 --> 00:00:21,310
Hubs are still in use, though they're getting less and less popular.

5
00:00:22,200 --> 00:00:27,870
They differ in how they pass on the frames that they receive. When a hub receives a frame, it will get

6
00:00:27,870 --> 00:00:30,690
forwarded through all ports.

7
00:00:30,700 --> 00:00:33,100
This is called broadcast.

8
00:00:33,220 --> 00:00:39,910
In this case everyone can receive the frame, but obviously the only receiver should be the network card

9
00:00:39,910 --> 00:00:43,100
that the frame was addressed to.

10
00:00:43,140 --> 00:00:49,180
On the other hand, a switch would forward the frame through a port connected to the host identified by

11
00:00:49,180 --> 00:00:52,870
the MAC address appearing in the frame.

12
00:00:52,890 --> 00:00:58,310
Someone may ask: how does a switch know which port a given host is connected to?

13
00:00:59,150 --> 00:01:05,710
This is not part of a switch's initial configuration. A switch learns which hosts are connected to which

14
00:01:05,710 --> 00:01:08,670
ports.

15
00:01:08,850 --> 00:01:13,860
If it doesn't have that information, it forwards incoming packets to all hosts that are connected to

16
00:01:13,860 --> 00:01:14,260
it.

17
00:01:16,370 --> 00:01:24,290
Only one of them should give a response message. Only one port should actually receive the packet.

18
00:01:24,310 --> 00:01:30,550
This is how the switch learns that a computer identified by the MAC address ending in 09 is connected

19
00:01:30,550 --> 00:01:32,400
to the port number 12.

20
00:01:32,410 --> 00:01:35,760
This information is then stored in the CAM memory.

21
00:01:35,770 --> 00:01:37,680
It's an associative memory.

22
00:01:38,020 --> 00:01:45,830
And contrary to address-based memory such as RAM, CAM is a content-based memory. As a consequence, a switch

23
00:01:45,830 --> 00:01:47,270
can work like a hub.

24
00:01:47,600 --> 00:01:54,380
This is how it works right after the first start-up. It can also be changed to the hub mode by an attacker.

25
00:01:58,620 --> 00:02:01,040
Almost every network is based on switches.

26
00:02:02,600 --> 00:02:09,570
You won't be able to intercept data sent between hosts just by connecting to the medium because of the

27
00:02:09,570 --> 00:02:11,850
mechanism we just described.

28
00:02:12,180 --> 00:02:15,580
You won't get data that's not addressed specifically to your machine.

29
00:02:18,230 --> 00:02:21,660
The port your computer uses won't get any needless signals.

30
00:02:22,800 --> 00:02:26,910
This problem is typical of wired networks.

31
00:02:26,990 --> 00:02:29,570
It's not present in wireless networks.

32
00:02:30,340 --> 00:02:34,000
In wireless networking all users share the same medium.

33
00:02:39,960 --> 00:02:44,930
Therefore, attacks on wireless networks don't require the attacker to perform all the operations we're

34
00:02:44,930 --> 00:02:49,220
about to discuss, such as poisoning victims' ARP cache.

35
00:02:54,660 --> 00:03:00,990
The first way to intercept traffic in a wired network is to change the switch configuration.

36
00:03:01,020 --> 00:03:02,980
It must be forced into hub mode.

37
00:03:04,200 --> 00:03:10,900
One way to implement this kind of attack is by using a program called macof. The program floods switches

38
00:03:10,900 --> 00:03:15,860
with random IP addresses with attached MAC addresses.

39
00:03:15,880 --> 00:03:22,370
The switch must remember all of them. Usually users buy cheap switches.

40
00:03:22,450 --> 00:03:28,670
So it may be expected that the device's CAM memory will shortly be full. Then it will no longer be able

41
00:03:28,670 --> 00:03:36,040
to remember which host is connected to which port. How the switch will react depends on a specific model.

42
00:03:36,840 --> 00:03:38,780
Some models go into the hub mode.

43
00:03:39,120 --> 00:03:42,540
It broadcasts the packets, which ensures that the network won't go down.

44
00:03:45,020 --> 00:03:50,190
Newer models usually block the port that receives the flood of random IP and MAC addresses.

45
00:03:51,470 --> 00:04:01,030
Still others just crash. Switch manufacturers reacted to the threat coming from the macof program.

46
00:04:01,110 --> 00:04:04,440
Therefore a new version of the program was created.

47
00:04:04,440 --> 00:04:07,800
This time it uses only IP addresses from the local network.

48
00:04:09,530 --> 00:04:12,050
Switch flooding is, however, not very effective.

49
00:04:15,440 --> 00:04:21,270
It depends on something that the attacker doesn't control: the switch reaction.

50
00:04:21,300 --> 00:04:24,280
It's also a very noisy method.

51
00:04:24,370 --> 00:04:32,090
It may end up as a DoS attack affecting the whole company. A typical company network has a hierarchical

52
00:04:32,090 --> 00:04:34,070
structure.

53
00:04:34,180 --> 00:04:40,390
The first flooded switch starts broadcasting packets everywhere, even through the uplink port, which sends

54
00:04:40,390 --> 00:04:42,020
them upward in the hierarchy.

55
00:04:43,610 --> 00:04:48,380
This may lead to the flooding of the whole network, which would obviously prevent you from intercepting

56
00:04:48,380 --> 00:04:52,900
any meaningful network traffic.

57
00:04:53,020 --> 00:05:02,590
Therefore another frequent attack consists of ARP cache poisoning. The ARP, or Address Resolution Protocol,

58
00:05:03,040 --> 00:05:07,180
is responsible for IP and MAC address mapping.

59
00:05:07,290 --> 00:05:15,070
When you want to connect to a host, you don't use its MAC address but either its IP or its name. A mechanism

60
00:05:15,070 --> 00:05:24,370
must exist that would change the IP you type to the MAC address, and it's done through broadcasting.

61
00:05:24,400 --> 00:05:30,370
If a computer learns that a MAC address ending in 09 corresponds to a machine identified with an IP

62
00:05:30,370 --> 00:05:41,200
address ending in 12, it will save this information. The information will be saved in the ARP cache buffer.

63
00:05:41,280 --> 00:05:46,230
After that, whenever your computer tries to establish a connection with the machine of a given IP,

64
00:05:46,920 --> 00:05:49,670
it will send packets to the MAC address saved in the buffer.