1
00:00:02,840 --> 00:00:10,180
Now we will demonstrate an ARP cache poisoning attack using a widely available program called Cain

2
00:00:10,180 --> 00:00:14,560
and Abel, which has many additional functions but can also be used for poisoning.

3
00:00:19,180 --> 00:00:20,710
Before we start using the program,

4
00:00:20,710 --> 00:00:27,610
let's examine the victim's ARP cache. In order to see the contents of the ARP cache,

5
00:00:27,690 --> 00:00:35,680
you just have to type arp with the parameter -a into the command line. As you can see, the cache now

6
00:00:35,680 --> 00:00:41,890
stores only one IP and one MAC. We'll return to the victim's computer later so that you can see how such an attack

7
00:00:41,890 --> 00:00:42,620
unfolds.

8
00:00:51,000 --> 00:00:55,480
Under the Sniffer tab you can see information about who is currently connected to the network.

9
00:00:58,450 --> 00:01:01,060
A couple of computers were found.

10
00:01:01,170 --> 00:01:03,970
We can see their names.

11
00:01:04,050 --> 00:01:12,700
We can learn that the victim's computer runs Windows XP and that its IP ends in 115.

12
00:01:12,730 --> 00:01:18,880
Let's check the contents of the victim's ARP cache again. Besides the address ending in 1, which

13
00:01:18,880 --> 00:01:21,220
is probably the default gateway,

14
00:01:21,400 --> 00:01:25,860
we see another IP ending in 125 and a MAC address ending in 42.

15
00:01:28,410 --> 00:01:33,750
Both belong to the computer we will use to conduct the attack.

16
00:01:33,790 --> 00:01:35,840
For now, this is all we need to remember.

17
00:01:41,290 --> 00:01:47,020
Back in the Cain and Abel program, we switch to the ARP tab and add the computer whose ARP cache we want

18
00:01:47,020 --> 00:01:47,770
to poison.

19
00:01:50,440 --> 00:01:56,050
We'd like to do it in such a way that enables us to intercept packets sent to the default gateway, which

20
00:01:56,050 --> 00:01:57,950
we will then forward to the router.
21
00:02:00,140 --> 00:02:06,170
And vice versa: if the router tries to communicate with the victim's computer, it will send the packets

22
00:02:06,170 --> 00:02:10,290
to us and we'll forward them. We'll be the man in the middle.

23
00:02:12,840 --> 00:02:17,260
We start the program and return to the victim.

24
00:02:17,410 --> 00:02:20,100
Let's read the ARP cache once more to see what happened.

25
00:02:22,340 --> 00:02:30,660
The MAC ending in 42 is now associated with both IP addresses. The victim's computer treats the attacker's computer

26
00:02:30,660 --> 00:02:33,820
as the default gateway.

27
00:02:33,870 --> 00:02:35,780
It will send all the data to it.

28
00:02:38,590 --> 00:02:39,990
Let's try to send some data.

29
00:02:43,370 --> 00:02:44,900
We'll connect to a certain server.

30
00:02:48,920 --> 00:02:52,440
We're required to type in the username and password.

31
00:02:52,630 --> 00:02:55,810
We'll use "test" as the username and "pass" as the password.

32
00:02:59,190 --> 00:03:02,220
This data is incorrect, so we didn't manage to establish a connection.

33
00:03:05,290 --> 00:03:08,590
We can try connecting to a local network host and opening a website.

34
00:03:14,810 --> 00:03:17,200
Everything works just fine.

35
00:03:17,210 --> 00:03:19,580
We browse the Internet.

36
00:03:19,820 --> 00:03:27,030
We could probably connect to a favorite bank's logon page. When we try to connect to a website through

37
00:03:27,030 --> 00:03:29,890
the secure HTTP protocol (HTTPS),

38
00:03:29,910 --> 00:03:32,730
it turns out that the site's certificate causes some problems.

39
00:03:38,130 --> 00:03:45,180
Likely the certificate was issued by a company you have not chosen to trust.

40
00:03:45,230 --> 00:03:48,180
After closer examination, the certificate seems valid;

41
00:03:51,640 --> 00:03:54,810
it cannot, however, be verified.

42
00:03:54,960 --> 00:03:58,990
We had a chance to see that things look normal from the perspective of the target computer.
43
00:04:01,390 --> 00:04:07,710
It can still establish connections with web pages, with the FTP server and with the network shares.

44
00:04:09,350 --> 00:04:11,920
Let's see how things look from the attacker's perspective.

45
00:04:15,290 --> 00:04:19,210
As we can see, some packets were indeed routed.

46
00:04:19,340 --> 00:04:26,700
We also intercepted a lot of data. Cain and Abel has an additional function: you can export the data directly

47
00:04:26,700 --> 00:04:27,900
to the Passwords tab.

48
00:04:32,160 --> 00:04:39,270
We'll find the passwords grouped in the categories above. You can see the NTLM passwords, which we'll

49
00:04:39,270 --> 00:04:40,490
talk about later.

50
00:04:44,680 --> 00:04:51,950
By right-clicking on a password you can choose the option to send it to the Cracker. Having the passwords,

51
00:04:51,950 --> 00:04:57,940
we can find a Windows local network user's password in just a few minutes. This password would allow

52
00:04:57,940 --> 00:05:05,690
us to connect to the file server. The FTP server passwords are stored in plain text.

53
00:05:05,840 --> 00:05:10,540
If the HTTP passwords are sent as plain text, they'll be stored in that form as well.

54
00:05:15,010 --> 00:05:19,580
Let's stop the victim's ARP cache poisoning.

55
00:05:19,650 --> 00:05:24,240
We have to do that to prevent the victim's computer from discovering our real MAC address.

56
00:05:26,170 --> 00:05:31,220
The information we discussed before and the demonstration you've just watched should help you conduct

57
00:05:31,220 --> 00:05:37,070
your own ARP cache poisoning attack using the Cain and Abel program, which I strongly encourage you

58
00:05:37,070 --> 00:05:37,810
to do.

59
00:05:40,360 --> 00:05:42,560
You can try to use a newer web browser,

60
00:05:42,700 --> 00:05:48,020
for example the new Internet Explorer, to connect to an HTTPS website.

61
00:05:48,460 --> 00:05:53,150
It can be a bank's website or a webmail page.
62
00:05:53,250 --> 00:05:58,160
The web browser here doesn't really matter, because the attack is conducted on a very low layer of the

63
00:05:58,160 --> 00:06:02,730
OSI model, and the web browser trusts what is sent up from the lower layers.

64
00:06:05,000 --> 00:06:09,920
Whatever browser you use, you should get an untrusted certificate error message.

65
00:06:09,920 --> 00:06:17,140
In reality we don't connect directly to the website but rather to the man-in-the-middle computer. We are connected

66
00:06:17,230 --> 00:06:21,730
to the attacker's computer, which sends the data forward.

67
00:06:21,900 --> 00:06:26,460
The certificate is issued for a specific computer and won't be compatible with the man-in-the-middle

68
00:06:26,460 --> 00:06:29,950
computer. When doing the exercise,

69
00:06:29,950 --> 00:06:34,530
you should ignore the untrusted certificate error message.

70
00:06:34,560 --> 00:06:42,240
It will allow you to connect to the website over HTTPS. You can type in a login and password.

71
00:06:42,470 --> 00:06:46,070
They will later be visible in the Cain and Abel program.

72
00:06:46,230 --> 00:06:49,970
There will be no need to decrypt them, and it's not an encryption issue.

73
00:06:52,230 --> 00:06:58,650
The password will be visible because the victim has sent it to the attacker voluntarily. The untrusted

74
00:06:58,650 --> 00:07:03,780
certificate error message was triggered by the certificate issued by the Cain and Abel program for this

75
00:07:03,780 --> 00:07:06,010
particular session.

76
00:07:06,050 --> 00:07:12,640
In this way the program enables you to connect to the HTTPS website.

77
00:07:12,660 --> 00:07:18,690
It turns out that the victim encrypts the data with the attacker's encryption key; the attacker decrypts

78
00:07:18,690 --> 00:07:25,870
them easily. Next, the attacker encrypts them again with the website's encryption key and sends them

79
00:07:25,870 --> 00:07:26,440
forward.
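What Cain and Abel does on the wire, and how the poisoned cache the lecture reads back with `arp -a` can be spotted, as an added example that is not part of the lecture transcript and is not Cain and Abel's code. The ARP reply is only built as bytes, never transmitted; the `arp -a` dumps, the interface, and every IP and MAC address below are constructed for the illustration, with only the pattern of the lecture kept (gateway ending in 1, victim in 115, attacker in 125 with a MAC ending in 42).

```python
"""Added example (not from the lecture or Cain and Abel): the ARP reply an
ARP cache poisoner sends, and a check over `arp -a` output that flags the
symptom the lecture shows, one MAC bound to the gateway's IP and another IP.

All addresses and the arp -a dumps are constructed for this illustration.
"""
import re
import struct
from collections import defaultdict


def mac_bytes(mac: str) -> bytes:
    """Accept 00-0c-29-aa-bb-42 (Windows arp -a style) or colon-separated form."""
    return bytes(int(x, 16) for x in re.split(r"[-:]", mac))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet frame carrying an ARP reply (opcode 2).

    For poisoning, sender_ip is the gateway's IP but sender_mac is the
    attacker's MAC: the victim's stack accepts the pair and overwrites its
    gateway entry.  The reply is unsolicited; no request is checked for,
    which is exactly why the attack works.  Layout: 14-byte Ethernet header
    (dst, src, EtherType 0x0806) followed by the 28-byte ARP payload.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,        # hardware type: Ethernet
        0x0800,   # protocol type: IPv4
        6, 4,     # hardware / protocol address lengths
        2,        # opcode 2 = reply
        mac_bytes(sender_mac), ip_bytes(sender_ip),
        mac_bytes(target_mac), ip_bytes(target_ip),
    )
    return eth + arp


def parse_arp_a(output: str) -> dict:
    """Parse Windows `arp -a` output into {ip: mac}.  The 'Interface:' line
    and the column header do not match the row pattern and are skipped."""
    row = re.compile(
        r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+", re.I)
    table = {}
    for line in output.splitlines():
        m = row.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def find_poisoning(table: dict, gateway_ip: str) -> list:
    """Return the IPs (other than the gateway) that share the gateway's MAC.

    An empty list means the gateway MAC is unique, as in the lecture's
    pre-attack cache.  Any IP returned is the candidate man-in-the-middle
    host; in the lecture it is the one ending in 125.
    """
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted(ip for ip in by_mac[gw_mac] if ip != gateway_ip)


# Constructed arp -a dumps, modelled on the two cache reads in the lecture.
ARP_A_BEFORE = """\
Interface: 192.168.1.115 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.125         00-0c-29-aa-bb-42     dynamic
"""

ARP_A_AFTER = """\
Interface: 192.168.1.115 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-42     dynamic
  192.168.1.125         00-0c-29-aa-bb-42     dynamic
"""

if __name__ == "__main__":
    # The frame the attacker (.125, MAC ending 42) sends to the victim (.115),
    # claiming the gateway's IP.  Victim MAC is an assumed placeholder.
    frame = build_arp_reply("00-0c-29-aa-bb-42", "192.168.1.1",
                            "00-50-56-c0-00-15", "192.168.1.115")
    print(len(frame), "byte ARP reply:", frame.hex())
    for label, dump in (("before", ARP_A_BEFORE), ("after", ARP_A_AFTER)):
        print(label, find_poisoning(parse_arp_a(dump), "192.168.1.1"))
```

The check only sees the symptom on the victim's side, so it is a manual or scheduled sanity check rather than a network-wide control; a static ARP entry for the gateway on the client, or Dynamic ARP Inspection on a managed switch, is what actually stops the cache from accepting the unsolicited reply.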