1 00:00:01,100 --> 00:00:07,980 Now in this lecture and the next few lectures I want to start talking about man-in-the-middle attacks.
2 00:00:08,840 --> 00:00:17,330 These are attacks that we can launch only if we are able to intercept the communication between two
3 00:00:17,330 --> 00:00:18,360 devices.
4 00:00:18,560 --> 00:00:21,920 Hence the name man-in-the-middle attacks.
5 00:00:22,720 --> 00:00:29,860 So a normal communication would look like this, where the device is directly communicating with the entity
6 00:00:29,920 --> 00:00:34,460 that they want to communicate with. In a man-in-the-middle attack,
7 00:00:34,600 --> 00:00:41,410 the hacker would be able to place themselves in the middle of the connection, allowing them to intercept
8 00:00:41,410 --> 00:00:47,250 and see anything that is being transferred between these two devices.
9 00:00:48,360 --> 00:00:51,480 Now there are a number of ways to achieve this.
10 00:00:51,510 --> 00:00:57,700 The first method that we'll cover in this course is using an ARP spoofing attack.
11 00:00:58,480 --> 00:01:02,660 ARP spoofing allows us to redirect the flow of packets.
12 00:01:02,770 --> 00:01:10,650 So instead of it flowing as shown in this diagram, it would flow through my own computer.
13 00:01:10,930 --> 00:01:19,600 So any requests sent and any responses received by the targeted computer will have to flow through the
14 00:01:19,600 --> 00:01:21,740 hacker's computer.
15 00:01:21,760 --> 00:01:29,920 This means that any messages, any websites and images, any usernames, any passwords entered by the target
16 00:01:30,220 --> 00:01:33,390 will have to flow through my computer.
17 00:01:33,400 --> 00:01:38,430 This allows me to read this information, modify it or drop it.
18 00:01:38,980 --> 00:01:43,580 So as you can see, this is a very serious and very powerful attack.
19 00:01:43,840 --> 00:01:51,340 And the reason why it is possible is because ARP is not very secure.
20 00:01:51,370 --> 00:01:58,870 Now for us to understand how this works, you need to have a basic understanding of what ARP is.
21 00:01:59,100 --> 00:02:06,550 ARP stands for Address Resolution Protocol, and it's a very simple protocol that allows us to link
22 00:02:06,640 --> 00:02:09,850 IP addresses to MAC addresses.
23 00:02:10,090 --> 00:02:13,380 So for example, let's say we have a network here.
24 00:02:13,750 --> 00:02:18,540 We have devices A, B, C and D; they're all connected to the same network.
25 00:02:18,970 --> 00:02:21,810 And we have the router here for this network.
26 00:02:21,970 --> 00:02:25,790 We can see that each device has an IP and a MAC address.
27 00:02:25,950 --> 00:02:32,060 And let's assume that device A needs to communicate with device C.
28 00:02:32,230 --> 00:02:38,810 Now we're also going to assume that device A knows the IP of device C. As we know so far,
29 00:02:38,920 --> 00:02:45,700 in order for these devices to communicate within the same network, device A needs to know the MAC address
30 00:02:45,760 --> 00:02:46,970 of device C.
31 00:02:47,050 --> 00:02:53,200 Because like we said before, the communication inside the network is carried out using the MAC address
32 00:02:53,380 --> 00:02:56,240 and not using the IP address.
33 00:02:56,290 --> 00:03:01,960 So this is a perfectly normal situation where we have a client that needs to know the MAC address of
34 00:03:01,960 --> 00:03:05,700 another client so that it can communicate with that client.
35 00:03:06,100 --> 00:03:11,620 So what the client does is it uses the ARP protocol. What do I mean by that?
36 00:03:11,830 --> 00:03:19,420 Basically it sends a broadcast message, so it sends an ARP request to all the clients on the network saying:
37 00:03:19,660 --> 00:03:22,370 who has 10.0.2.6?
38 00:03:22,630 --> 00:03:29,560 Now all of these devices will ignore this packet except the one that has this IP address, which is
39 00:03:29,750 --> 00:03:35,730 10.0.2.6, which is device C. So all devices will not do anything.
40 00:03:36,100 --> 00:03:44,050 And the only device that will respond is device C, sending an ARP response. In this response, device C
41 00:03:44,240 --> 00:03:50,000 is going to say: I have 10.0.2.6, my MAC address is this MAC address.
42 00:03:51,070 --> 00:03:57,460 This way device A will have the MAC address of device C, and now it'll be able to communicate with
43 00:03:57,500 --> 00:04:02,500 device C and do whatever task it wanted to do initially.
44 00:04:02,500 --> 00:04:08,100 So all of this communication is facilitated using the ARP protocol.
45 00:04:08,110 --> 00:04:14,290 Like I said, the ARP protocol is a very simple protocol; as you can see, all it has is requests and
46 00:04:14,290 --> 00:04:16,240 responses.
47 00:04:16,420 --> 00:04:23,560 The whole point of it is so that we can link IP addresses to MAC addresses, or translate IP addresses
48 00:04:23,770 --> 00:04:24,880 to MAC addresses.
49 00:04:25,090 --> 00:04:30,760 So a device can send a request asking for a MAC address, and then the device that has the MAC address
50 00:04:30,850 --> 00:04:33,670 would respond with its MAC address.
51 00:04:35,160 --> 00:04:44,740 So each computer has an ARP table which links IP addresses on the same network to their MAC addresses.
52 00:04:44,870 --> 00:04:51,780 So if I go on the Kali machine and do arp -a, you can see my ARP table here.
53 00:04:51,830 --> 00:04:57,050 And as you can see, it's linking the router's IP to the router's MAC address.
54 00:04:58,000 --> 00:04:58,550 Now, same thing:
55 00:04:58,570 --> 00:05:03,080 if I go to the Windows machine
56 00:05:04,360 --> 00:05:07,370 and do arp -a,
57 00:05:07,390 --> 00:05:13,060 you'll see again it's linking the router's IP to its MAC address.
58 00:05:13,150 --> 00:05:20,470 So this machine, any time it needs to send any request to the internet, it will direct that request to
59 00:05:20,470 --> 00:05:28,370 this MAC address, the MAC address that's associated with the IP of the router, which is 10.0.2.1.
60 00:05:29,620 --> 00:05:38,320 Now this value in here can be easily modified by exploiting the ARP protocol.
61 00:05:38,350 --> 00:05:40,630 So let me go back to my diagrams.
62 00:05:40,630 --> 00:05:48,820 And right here we have a diagram of a typical network, and you can see that normally any device that's
63 00:05:48,820 --> 00:05:54,510 connected to the network, if it wants to send requests, it will send them to the router.
64 00:05:54,530 --> 00:06:00,430 The router will go and send that request to the Internet, wait for the response, and then forward the
65 00:06:00,430 --> 00:06:03,550 response to the device that requested it.
66 00:06:03,550 --> 00:06:09,820 So if the hacker or the victim or any other computer on the network wanted to send a request, they will
67 00:06:09,820 --> 00:06:11,200 send that request
68 00:06:11,290 --> 00:06:14,590 directly to the router.
69 00:06:14,650 --> 00:06:24,210 Now what we can do is we can exploit the ARP protocol and send two ARP responses: one to the gateway
70 00:06:24,490 --> 00:06:33,580 and one to the victim. We'll tell the gateway that I am at the IP of the victim, so the access point
71 00:06:33,580 --> 00:06:34,420 will update
72 00:06:34,430 --> 00:06:42,000 its ARP table and it'll associate the IP of the target with my MAC address.
73 00:06:42,160 --> 00:06:46,750 We'll do the same with the victim, so we'll send it an ARP response.
74 00:06:46,840 --> 00:06:50,720 We're going to tell it that I am at 10.0.2.1.
75 00:06:50,980 --> 00:07:00,880 So it's going to update its ARP table and associate the IP 10.0.2.1 with my own MAC address.
76 00:07:00,880 --> 00:07:07,720 So as a result of this, the victim is going to think that I am the router, and the router is going to think
77 00:07:07,720 --> 00:07:09,920 that I am the victim.
78 00:07:10,150 --> 00:07:16,680 So any time the victim wants to send any requests, the requests will have to flow through my computer
79 00:07:17,110 --> 00:07:23,270 and I'm going to forward them to the router, and then any time the access point or the router wants
80 00:07:23,320 --> 00:07:30,700 to send a response, it's going to go to my machine because it thinks that I am the victim, and then
81 00:07:30,820 --> 00:07:34,660 I'm going to forward it to the victim.
82 00:07:34,720 --> 00:07:40,510 So as you see, this puts me in the middle of the connection, and it gives me so much power.
83 00:07:40,570 --> 00:07:44,820 And we'll see all the things that we can do once we become the man in the middle.
84 00:07:47,130 --> 00:07:57,240 Now the main reason why we can do all of this is because ARP is not secure, because first of all clients
85 00:07:57,240 --> 00:08:01,890 can accept responses even if they did not send a request.
86 00:08:01,920 --> 00:08:07,560 So as I said before, we're going to send the response to the access point and the response to the victim
87 00:08:07,770 --> 00:08:14,820 telling them that I am at a specific IP, without them asking who owns it, without them asking for this
88 00:08:14,880 --> 00:08:19,090 IP. I'm just going to send a response and they're going to accept that response
89 00:08:19,110 --> 00:08:20,780 anyway.
90 00:08:20,880 --> 00:08:25,670 Not only that, they're also not going to verify who I am.
91 00:08:25,710 --> 00:08:33,210 So when I say that I am at 10.0.2.7, I am clearly not at that IP, because this computer is at this IP,
92 00:08:33,700 --> 00:08:37,640 but the access point will trust this, and it'll actually update
93 00:08:37,640 --> 00:08:41,390 its ARP table based on the information that I send.
94 00:08:42,260 --> 00:08:43,710 Same goes for the victim.
95 00:08:43,730 --> 00:08:46,900 I'm going to tell it that I am at 10.0.2.1.
96 00:08:47,150 --> 00:08:53,480 It's going to trust and believe this even though I am clearly not at this IP, because the access point
97 00:08:53,480 --> 00:08:54,920 is at this IP.
98 00:08:55,770 --> 00:09:04,090 So these are the two main weaknesses with the ARP protocol that allow us to run ARP spoofing attacks.
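Added example, not from the lecture or its course: a small Python ARP frame parser plus a passive monitor that raises an alert on exactly the two weaknesses the lecture ends on, a reply that no request preceded and an IP whose MAC changes between replies (the check tools like arpwatch perform). The three sample frames, their MAC addresses and the third host at MAC ..05 are constructed for this demo; on a real host you would feed the monitor frames read from a raw socket or a pcap instead.

```python
import struct
from collections import namedtuple
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
Arp = namedtuple("Arp", "op sender_mac sender_ip target_ip")

def parse_arp(frame: bytes) -> Arp:
    """Decode an Ethernet frame carrying IPv4-over-Ethernet ARP; raise ValueError otherwise."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short")
    if ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    mac = ":".join(f"{b:02x}" for b in sha)
    return Arp(op, mac, ".".join(map(str, spa)), ".".join(map(str, tpa)))

class ArpMonitor:
    """Passive watcher that flags the two ARP weaknesses the lecture describes."""
    def __init__(self):
        self.pending = set()  # (asker IP, asked-for IP) of requests not yet answered
        self.table = {}       # IP -> MAC learned from replies: our own shadow ARP table
    def observe(self, frame: bytes) -> list:
        arp, alerts = parse_arp(frame), []
        if arp.op == ARP_REQUEST:
            self.pending.add((arp.sender_ip, arp.target_ip))
        if arp.op != ARP_REPLY:
            return alerts
        # Weakness 1: hosts accept a reply even when they never asked for that IP.
        answered = (arp.target_ip, arp.sender_ip)
        if answered in self.pending:
            self.pending.discard(answered)
        else:
            alerts.append(f"unsolicited reply: {arp.sender_ip} is-at {arp.sender_mac}")
        # Weakness 2: the sender is never verified, so a known IP can suddenly "move" to another MAC.
        known = self.table.get(arp.sender_ip)
        if known is not None and known != arp.sender_mac:
            alerts.append(f"mapping change: {arp.sender_ip} was {known}, now {arp.sender_mac}")
        self.table[arp.sender_ip] = arp.sender_mac
        return alerts

# Constructed sample frames (hex): victim 10.0.2.7 at MAC ..07, router 10.0.2.1 at MAC ..01,
# and a third host at MAC ..05 claiming the router's IP toward the victim, as in the lecture.
FRAMES = [bytes.fromhex(h) for h in (
    "ffffffffffff 020000000007 0806 0001 0800 0604 0001 020000000007 0a000207 000000000000 0a000201",
    "020000000007 020000000001 0806 0001 0800 0604 0002 020000000001 0a000201 020000000007 0a000207",
    "020000000007 020000000005 0806 0001 0800 0604 0002 020000000005 0a000201 020000000007 0a000207",
)]
def run_demo() -> list:
    mon = ArpMonitor()
    return [mon.observe(f) for f in FRAMES]  # [], [], then two alerts for the forged reply
```

A monitor like this only sees the unicast replies on the host it runs on (or on a mirror port); running it on the gateway and on endpoints covers both sides of the poisoning the lecture describes.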