1
00:00:00,520 --> 00:00:06,850
So switches make it difficult to sniff the network traffic. In the past, the traffic was being sent

2
00:00:06,850 --> 00:00:10,360
to all ports with the hub technology. With switches,

3
00:00:10,720 --> 00:00:17,050
the traffic is directed only to the specified port, so a network device only receives its own packets,

4
00:00:17,530 --> 00:00:18,490
not the others'.

5
00:00:19,370 --> 00:00:23,320
So we need to use some techniques to sniff the traffic of the other devices, then.

6
00:00:23,320 --> 00:00:23,620
Huh?

7
00:00:31,910 --> 00:00:35,660
These are some of the techniques to expand the sniffing space.

8
00:00:36,170 --> 00:00:37,430
You thought it couldn't be done?

9
00:00:38,770 --> 00:00:48,070
So we'll talk about SPAN, Switched Port Analyzer, or port mirroring. That's a method of monitoring

10
00:00:48,070 --> 00:00:56,080
network traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on

11
00:00:56,080 --> 00:01:01,660
one port, or an entire VLAN, to another port where the packets can be analyzed.

12
00:01:02,020 --> 00:01:08,510
Port mirroring is supported by almost all enterprise-class switches, which is all I can think of.

13
00:01:08,560 --> 00:01:11,440
So, in other words, managed switches.

14
00:01:12,100 --> 00:01:17,380
It allows a particular computer to see the network traffic which is normally hidden from it.

15
00:01:18,840 --> 00:01:24,270
You can monitor the entire traffic sent from the switch by copying its uplink port.

16
00:01:25,600 --> 00:01:30,230
Now, you have to have physical access and admin privileges on that switch.

17
00:01:31,130 --> 00:01:38,390
So this method is often used to send the network traffic to the ABC, which is typically an intrusion

18
00:01:38,390 --> 00:01:39,890
detection system device.

19
00:01:41,360 --> 00:01:48,710
In a MAC address table overflow attack, also known as a MAC flooding attack, within a very short time

20
00:01:48,890 --> 00:01:49,620
the switch's

21
00:01:49,640 --> 00:01:54,170
MAC address table is filled with fake MAC address and port mappings.

22
00:01:55,920 --> 00:01:59,880
A switch's MAC address table has only a limited amount of memory,

23
00:01:59,970 --> 00:02:04,380
and when that table is full, the switch cannot save any more MAC addresses in it.

24
00:02:05,840 --> 00:02:12,320
So once the switch's MAC address table is full and it can't save any more MAC addresses, it generally

25
00:02:12,320 --> 00:02:19,520
enters into a fail-open mode and starts behaving like a network hub: frames are flooded to all ports,

26
00:02:19,670 --> 00:02:22,190
similar to broadcast-type communication.

27
00:02:22,940 --> 00:02:26,780
So as an attacker in the network, you start to receive the frames of others.

28
00:02:28,240 --> 00:02:36,580
You know, Address Resolution Protocol, ARP, is a network layer protocol used for mapping a network

29
00:02:36,580 --> 00:02:41,560
address, such as an IPv4 address, to a physical address, such as a MAC address.

30
00:02:42,550 --> 00:02:49,090
A system asks for the owner of an IP address by sending an ARP request, and the owner of the IP address

31
00:02:49,420 --> 00:02:51,850
answers it with an ARP reply.

32
00:02:52,600 --> 00:02:56,860
What if the attacker replies first, before the owner of the IP?

33
00:02:57,760 --> 00:03:04,300
Once the attacker's MAC address is connected to an authentic IP address, the attacker will begin receiving

34
00:03:04,300 --> 00:03:07,240
any data that is intended for that IP address.

35
00:03:07,930 --> 00:03:11,140
This is the basic principle of ARP spoofing attacks.

36
00:03:12,120 --> 00:03:18,990
ARP poisoning can be achieved because of the lack of authentication in the protocol, so the attacker

37
00:03:18,990 --> 00:03:22,230
can send a spoofed ARP message onto the LAN.

38
00:03:23,970 --> 00:03:26,850
Would you like to make the attack much more powerful?

39
00:03:27,290 --> 00:03:27,940
Hmm.

40
00:03:27,960 --> 00:03:29,190
I suspected as much.

41
00:03:29,880 --> 00:03:38,190
Then you've got to replace the gateway's MAC with yours, so every packet sent by the victim will be in

42
00:03:38,190 --> 00:03:39,750
your malicious hands.

43
00:03:40,620 --> 00:03:42,720
But we are ethical hackers, remember.

44
00:03:43,890 --> 00:03:51,510
Dynamic Host Configuration Protocol, DHCP, is a protocol used to provide automatic and central management

45
00:03:51,510 --> 00:03:58,530
for the distribution of IP addresses within a single network. It is also used to configure the proper subnet

46
00:03:58,530 --> 00:04:03,300
mask, default gateway and DNS server information on the particular device.

47
00:04:04,360 --> 00:04:10,030
Now, similar to the other types of spoofing attacks, DHCP spoofing involves an attacker pretending

48
00:04:10,030 --> 00:04:15,130
to be someone else, in this case acting as the legitimate DHCP server.

49
00:04:16,000 --> 00:04:23,050
Since DHCP is used to provide addressing and other information, a client losing control of this part

50
00:04:23,050 --> 00:04:24,790
of the network can be very dangerous.

51
00:04:25,970 --> 00:04:33,950
In DHCP spoofing attacks, the attacker places a rogue DHCP server on the network, and as clients are

52
00:04:33,950 --> 00:04:41,240
turned on and request an address, the server with the fastest response is used. If the device receives

53
00:04:41,240 --> 00:04:43,040
a response from the rogue server

54
00:04:43,040 --> 00:04:50,930
first, the rogue server can assign any address, as well as control which device it uses as a gateway.

55
00:04:51,900 --> 00:04:59,130
So a well-designed attack can collect traffic from local hosts to a rogue server that logs all traffic

56
00:04:59,130 --> 00:05:04,860
and then forwards out the traffic to the correct gateway or to the device.

57
00:05:05,250 --> 00:05:07,680
So this action would be almost transparent.

58
00:05:08,310 --> 00:05:12,210
Thus, the attacker can steal information almost invisibly.