1
00:00:01,630 --> 00:00:10,310
To perform ARP poisoning the attacker must change certain entries in the ARP cache. Speaking more precisely,

2
00:00:10,310 --> 00:00:17,240
he will replace the IP of the default gateway, the DNS server or the database server of your computer with

3
00:00:17,240 --> 00:00:23,920
the ones of his own machine, thus bypassing the higher layer protocols.

4
00:00:24,240 --> 00:00:29,660
Your computer will be sending data not to the router or a database server but to the attacker's computer.

5
00:00:32,200 --> 00:00:38,850
Only the attacker knows what he's going to do with the data. Then he can send it to its original destination

6
00:00:38,850 --> 00:00:41,000
so that the victim won't notice the attack.

7
00:00:41,900 --> 00:00:44,440
This technique is called the man-in-the-middle attack.

8
00:00:45,850 --> 00:00:47,930
It's the first threat we'll demonstrate in a moment.

9
00:00:53,770 --> 00:00:54,550
Before we do that,

10
00:00:54,550 --> 00:01:00,730
however, it's advisable that we briefly discuss how the 802.1X standard helps secure the link layer.

11
00:01:01,990 --> 00:01:05,990
The standard defines methods of medium access control.

12
00:01:06,190 --> 00:01:12,300
Usually it's associated with wireless networks, but it does apply to wired networks as well.

13
00:01:17,010 --> 00:01:22,050
In both cases its aim is to block access to the medium.

14
00:01:22,260 --> 00:01:26,040
For example, a port on a switch will remain closed.

15
00:01:26,100 --> 00:01:31,040
The red light above the switch will glow until the host computer's identity is verified.

16
00:01:32,890 --> 00:01:37,270
The standard is implemented through a RADIUS server.

17
00:01:37,500 --> 00:01:40,230
The server verifies the identity of the device,

18
00:01:40,230 --> 00:01:46,610
for example a computer, rather than the identity of the user. When the verification is over,

19
00:01:46,610 --> 00:01:53,360
the green light above the port will go on. Your computer is called the supplicant.

20
00:01:53,530 --> 00:01:55,960
It will try to connect to the authenticator,

21
00:01:56,110 --> 00:02:02,710
in this case to a managed switch. Before the green light lights up, the authenticator will ask you to

22
00:02:02,710 --> 00:02:06,390
send some certificates,

23
00:02:06,470 --> 00:02:10,280
more specifically through the EAP protocol, which we'll discuss later on.

24
00:02:13,160 --> 00:02:13,680
Next,

25
00:02:13,710 --> 00:02:18,200
the authenticator will forward these certificates to the RADIUS server.

26
00:02:18,440 --> 00:02:24,410
The server will verify whether the computer sent the required certificate, and if so it will unblock

27
00:02:24,410 --> 00:02:26,030
the switch port.

28
00:02:26,100 --> 00:02:31,000
Only then will the computer get access to the network.

29
00:02:31,030 --> 00:02:36,400
It seems to be a very secure method, especially if you use certificates to verify the identity of the

30
00:02:36,400 --> 00:02:41,220
computer. Certificates are difficult to fake.

31
00:02:41,280 --> 00:02:43,980
It's not even done because it's simply ineffective.

32
00:02:47,630 --> 00:02:51,770
There is, however, another serious problem.

33
00:02:51,860 --> 00:02:57,530
Many companies invested huge amounts of money in implementing the RADIUS server and 802.1X standard

34
00:02:57,620 --> 00:02:59,580
in their local wired networks.

35
00:03:00,660 --> 00:03:06,340
The standard is also very effective in wireless networks.

36
00:03:06,340 --> 00:03:12,310
The problem is that in the data link layer of the OSI model a host is identified by its MAC address,

37
00:03:14,410 --> 00:03:17,360
and we already know that the MAC address can easily be changed.

38
00:03:22,660 --> 00:03:28,160
To connect to a company network secured in the way we've just described, the attacker must first wait

39
00:03:28,160 --> 00:03:33,140
for one of the computers to authenticate, which will be signaled by a green light above the port that's

40
00:03:33,140 --> 00:03:36,380
just opened.

41
00:03:36,510 --> 00:03:42,330
Then the attacker must disconnect the user from the port and connect his own hub instead. The hub will

42
00:03:42,330 --> 00:03:45,950
broadcast all packets passing through it to all switch ports.

43
00:03:47,070 --> 00:03:49,410
It thus becomes a kind of signal multiplexer.

44
00:03:53,260 --> 00:03:58,180
Next, the attacker must connect the user's computer to the hub so it will still be part of the network.

45
00:03:59,600 --> 00:04:06,440
The user, unaware of all of this, is able to use the network normally.

46
00:04:06,680 --> 00:04:11,240
If the attacker connects his computer to the hub, he'll be able to intercept the client's communication

47
00:04:11,420 --> 00:04:13,410
with the whole network.

48
00:04:13,460 --> 00:04:18,060
The attacker can do much more than simply intercept network traffic.

49
00:04:18,070 --> 00:04:26,060
He can also obtain the client computer's MAC address. In the second layer of the OSI model, MAC addresses

50
00:04:26,060 --> 00:04:27,370
are not encrypted.

51
00:04:32,410 --> 00:04:37,300
Now the attacker can change his computer's MAC address to the one he obtained.

52
00:04:37,300 --> 00:04:40,290
If the attacker's computer MAC address is the same as the victim's,

53
00:04:40,300 --> 00:04:42,610
but the machines have different IP addresses,

54
00:04:43,960 --> 00:04:48,520
the attacker will gain access to the UDP protocol and the TCP protocol as well.

55
00:04:53,100 --> 00:04:55,580
The victim's firewall is almost always active.

56
00:04:57,420 --> 00:05:00,720
Without elaborating on a subject that's yet to be introduced,

57
00:05:00,960 --> 00:05:07,060
let's just mention that the TCP protocol is a delivery protocol.

58
00:05:07,070 --> 00:05:11,180
This means it allows for a bidirectional connection.

59
00:05:11,370 --> 00:05:16,380
If the attacker and the victim are identified by the same MAC address, the packets sent by,

60
00:05:16,590 --> 00:05:23,450
for instance, a database server will be delivered to both machines. The attacker will try to connect to

61
00:05:23,450 --> 00:05:26,430
the server, sending a SYN packet.

62
00:05:26,590 --> 00:05:30,350
The server will respond by sending the SYN/ACK packet to both computers.

63
00:05:31,750 --> 00:05:36,900
The victim didn't expect to receive the packet, so in accordance with the RFC standard it will send back

64
00:05:36,900 --> 00:05:42,120
a reset packet and close the current session.

65
00:05:42,120 --> 00:05:48,790
However, this scenario won't happen because the SYN/ACK packet will be blocked by the firewall.

66
00:05:48,790 --> 00:05:53,030
The firewall will reject the packet and no reset packet will be sent back.

67
00:05:54,720 --> 00:05:59,930
Now the attacker is connected to the open port after the port-based user authentication took place.

68
00:06:02,020 --> 00:06:06,370
This allows him to intercept all traffic directed to the client and connect to the servers behind the

69
00:06:06,370 --> 00:06:10,940
switch. The attacker achieved that by spoofing the victim's

70
00:06:11,110 --> 00:06:11,890
MAC address.

71
00:06:15,000 --> 00:06:20,460
This in turn means that it only takes a hub worth about $15 to defeat a complex security infrastructure

72
00:06:20,460 --> 00:06:23,960
of the RADIUS server, certification server and such.

73
00:06:26,570 --> 00:06:32,260
As we know from one of the previous lectures, it's a perfect example of an ineffective security policy.