1
00:00:02,030 --> 00:00:02,350
OK.

2
00:00:02,360 --> 00:00:09,820
So now let's see how we can use Wireshark to discover suspicious activities in our network, and before

3
00:00:09,820 --> 00:00:12,040
I do anything I'm gonna go to the preferences

4
00:00:16,590 --> 00:00:20,950
and I'm gonna go to Protocols, ARP,

5
00:00:23,900 --> 00:00:27,350
and I'm going to enable the option to detect ARP requests.

6
00:00:27,350 --> 00:00:34,240
Now, what this will do: it will actually discover if anybody is trying to discover all the devices

7
00:00:34,370 --> 00:00:37,760
on the network, and it's gonna give me a notification.

8
00:00:37,760 --> 00:00:41,150
So I'm gonna click on OK and I'm gonna start my capture.

9
00:00:44,360 --> 00:00:49,730
Now I'm gonna go to my Kali machine and I'm going to use netdiscover, so I'm not going to do ARP

10
00:00:49,730 --> 00:00:50,830
poisoning.

11
00:00:51,030 --> 00:00:55,100
I'm only going to try to discover all the connected devices on my network.

12
00:00:56,140 --> 00:01:01,810
So we're using exactly the same command that we used before: netdiscover, the interface and the range.

13
00:01:01,820 --> 00:01:10,160
Hit enter, and we can see that netdiscover finished; it discovered all the devices that we have. So if

14
00:01:10,160 --> 00:01:16,640
we come here, even before we look at the output of the notifications, let's just look at the packets that

15
00:01:16,640 --> 00:01:22,320
have been generated. You can see that there is a device here.

16
00:01:22,380 --> 00:01:25,290
This source is broadcasting.

17
00:01:25,290 --> 00:01:27,360
So basically it doesn't have a destination.

18
00:01:27,360 --> 00:01:34,070
It's asking all the other devices on the network, and it's inquiring about each possible IP.

19
00:01:34,080 --> 00:01:40,010
So it's basically asking who has this IP, tell the 67 IP.
20
00:01:40,200 --> 00:01:48,360
And then it's asking who has the 241 IP, tell the 67; who has the 2, tell the 67. And it's doing

21
00:01:48,390 --> 00:01:50,490
this for every possible IP.

22
00:01:50,490 --> 00:01:56,040
So it's basically checking if any possible IP in the range exists.

23
00:01:56,040 --> 00:02:01,800
And it's asking to return the response to the IP address 10.20.40.67.

24
00:02:01,800 --> 00:02:09,090
So from this we can deduce that someone's trying to discover all the connected devices, and that someone

25
00:02:09,210 --> 00:02:13,460
is at 10.20.40.67.

26
00:02:13,500 --> 00:02:24,480
Now if you go on Analyze and Expert Information, you'll see that we detected an IP packet storm.

27
00:02:24,480 --> 00:02:30,410
So basically it means that there was a single device sending a very large number of IP packets.

28
00:02:30,480 --> 00:02:35,690
So they're probably trying to discover connected devices or trying to discover connected ports.

29
00:02:35,700 --> 00:02:43,110
So it's telling us that this person is trying to do something suspicious.

30
00:02:43,170 --> 00:02:46,530
Now let's go and I'm going to do an

31
00:02:47,230 --> 00:02:57,010
ARP poisoning attack, and we'll see if we can get any notifications or warnings in Wireshark.

32
00:02:57,050 --> 00:03:01,990
Now I'm gonna go to Analyze and Expert Info again.

33
00:03:02,540 --> 00:03:05,550
And if we look we'll see we have a warning here.

34
00:03:05,900 --> 00:03:10,580
And the warning is telling us that there is a duplicate IP address configured.

35
00:03:10,640 --> 00:03:19,710
So again this is telling us that the IP address of the router had two different MAC addresses. What this

36
00:03:19,710 --> 00:03:20,040
means,

37
00:03:20,040 --> 00:03:27,210
basically it means that someone was tampering with this and tampering with our IP table, trying to place

38
00:03:27,210 --> 00:03:28,490
themselves in the middle,

39
00:03:28,500 --> 00:03:28,930
using
40
00:03:28,950 --> 00:03:32,620
an ARP poisoning attack.

41
00:03:32,690 --> 00:03:36,820
Now we've seen a number of methods to detect ARP poisoning.

42
00:03:36,830 --> 00:03:41,290
Let's discuss how we can prevent it or protect ourselves from it.

43
00:03:41,330 --> 00:03:46,040
Now I'm just going to run arp -a and we're going to look at our table.

44
00:03:46,270 --> 00:03:52,220
There are switches that will monitor this for you as well, and they'll notify you or even prevent ARP

45
00:03:52,310 --> 00:03:54,740
poisoning attacks.

46
00:03:54,740 --> 00:04:01,070
Another way to do that is, if you look here, if you look at your router you'll see that this entry

47
00:04:01,070 --> 00:04:02,580
in the table is dynamic.

48
00:04:02,610 --> 00:04:08,450
So the type of this entry is dynamic. What that means is basically this can change.

49
00:04:08,600 --> 00:04:12,180
The system allows this value to be changed.

50
00:04:12,230 --> 00:04:18,620
You can see right here you have static values, which basically means the system will never allow these

51
00:04:18,620 --> 00:04:21,550
values to change.

52
00:04:21,770 --> 00:04:28,980
So you can use static ARP tables, which basically means that you'll have to configure each IP address.

53
00:04:29,000 --> 00:04:35,270
So you have to actually configure your IP table and map each IP address to the relevant

54
00:04:35,270 --> 00:04:36,280
MAC address.

55
00:04:36,410 --> 00:04:42,860
But once you do that, even if someone tries to send a response to your computer to try to change it, the

56
00:04:42,860 --> 00:04:50,060
system will refuse to change anything because you configured your IP table to be static.

57
00:04:50,060 --> 00:04:55,310
The only problem with that is every time you connect to a network, and every time there is a new device

58
00:04:55,340 --> 00:05:01,660
connecting to your network, you'll have to manually configure that device to work with your network.
59
00:05:01,700 --> 00:05:07,730
So it's not a very useful solution if you're in a big company or if you're in a big firm, but maybe in

60
00:05:07,730 --> 00:05:13,400
a small house or in a small company then this would be a really good solution to prevent ARP poisoning

61
00:05:13,400 --> 00:05:15,900
attacks, because everything is going to be static.

62
00:05:15,950 --> 00:05:17,700
You're going to have to set it up manually.

63
00:05:18,350 --> 00:05:24,140
But once someone tries to do an ARP poisoning attack, even if their attack is successful and they use

64
00:05:24,140 --> 00:05:30,290
the best tools they can, your table is set up in a way that it's fixed.

65
00:05:30,290 --> 00:05:31,350
It can't be changed.

66
00:05:31,370 --> 00:05:36,860
So the system will always refuse to change the values of the MAC addresses, which will basically mean

67
00:05:37,020 --> 00:05:39,770
ARP poisoning attacks will never work against you.
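The two Wireshark expert-info findings walked through in this lecture (a request storm from one host sweeping every address in the range, and one IP address answered for by two different MAC addresses) can be reproduced as a small stand-alone analyzer. The Python below is an added example written for this transcript, not code from the course or from Wireshark; it runs over a constructed list of ARP frames rather than a live capture, the MAC addresses and the storm thresholds (30 requests within 100 ms, modelled on the style of Wireshark's ARP storm preference) are assumptions, and the constructed sample reuses the lecture's 10.20.40.67 / 10.20.40.x addressing. It generalizes the lecture's two observations into reusable checks that work on any sequence of (time, opcode, sender MAC, sender IP, target IP) records.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpFrame:
    """One ARP frame as a detector would see it (fields as in Wireshark's ARP decode)."""
    ts: float         # capture time, seconds
    op: str           # "request" or "reply"
    sender_mac: str   # hardware address of the sender
    sender_ip: str    # protocol address the sender claims to own
    target_ip: str    # protocol address being asked about / answered to


def detect_request_storm(frames, threshold=30, window=0.1):
    """Return {sender_mac: peak_count} for senders that issued at least
    `threshold` ARP requests inside any `window`-second interval.
    A host asking "who has X?" for every X in the range looks like this."""
    by_sender = defaultdict(list)
    for f in frames:
        if f.op == "request":
            by_sender[f.sender_mac].append(f.ts)
    storms = {}
    for mac, times in by_sender.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):          # sliding window over timestamps
            while t - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            storms[mac] = peak
    return storms


def detect_duplicate_ip(frames):
    """Return {ip: [mac, ...]} for every sender IP claimed by more than one MAC.
    This is the condition behind Wireshark's 'duplicate IP address' warning:
    the gateway's IP suddenly answered for by a second hardware address."""
    claims = defaultdict(set)
    for f in frames:
        claims[f.sender_ip].add(f.sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def expert_info(frames):
    """Combine both checks into Wireshark-style warning strings."""
    notes = []
    for mac, n in detect_request_storm(frames).items():
        notes.append(f"ARP request storm: {mac} sent {n} requests in a short interval")
    for ip, macs in detect_duplicate_ip(frames).items():
        notes.append(f"Duplicate IP address configured: {ip} claimed by {', '.join(macs)}")
    return notes


# --- constructed sample capture (hypothetical MAC addresses) ---
SCANNER_MAC = "aa:aa:aa:aa:aa:01"   # the host running the discovery sweep
ROUTER_MAC = "bb:bb:bb:bb:bb:01"    # the real gateway
SCANNER_IP = "10.20.40.67"
ROUTER_IP = "10.20.40.1"


def build_sample_capture():
    frames = []
    t = 0.0
    # a sweep: one request per address in 10.20.40.0/24, 0.2 ms apart (~50 ms total)
    for host in range(1, 255):
        frames.append(ArpFrame(t, "request", SCANNER_MAC, SCANNER_IP, f"10.20.40.{host}"))
        t += 0.0002
    # the gateway's legitimate reply, then a second reply for the same IP
    # from a different MAC, which is what the duplicate-address warning flags
    frames.append(ArpFrame(1.0, "reply", ROUTER_MAC, ROUTER_IP, SCANNER_IP))
    frames.append(ArpFrame(2.0, "reply", SCANNER_MAC, ROUTER_IP, "10.20.40.50"))
    return frames


if __name__ == "__main__":
    for line in expert_info(build_sample_capture()):
        print(line)
```

The storm check counts requests per sender MAC inside a sliding time window rather than per capture, so a normal host that resolves a few dozen neighbours over an hour is not flagged, while a full-range sweep in under a second is. The duplicate-IP check deliberately keys on the sender's claimed IP, not the target, because that is the field an attacker rewrites to sit in the middle; on a network with static ARP entries, as the lecture recommends for small setups, the second claim would be ignored by the kernel but is still worth alerting on.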