1
00:00:01,910 --> 00:00:02,150
Right.

2
00:00:02,150 --> 00:00:11,060
So let's talk about how we can detect ARP poisoning attacks. First of all, let me show you the ARP tables.

3
00:00:11,070 --> 00:00:15,670
So in our Windows device, which is the device that we always attack,

4
00:00:15,730 --> 00:00:22,950
I'm going to run a command, arp -a, to list all the entries in the ARP table.

5
00:00:23,020 --> 00:00:31,950
So each computer has an ARP table, and that table associates IP addresses with MAC addresses, so we can

6
00:00:31,950 --> 00:00:39,770
see the IP address of the router, which is 10.20.14.1, is associated with the MAC address 52 54.

7
00:00:39,930 --> 00:00:44,130
And it ends up in 35 0 0.

8
00:00:44,430 --> 00:00:48,100
So this is the MAC address for the IP for the router.

9
00:00:48,360 --> 00:00:55,050
So the way that ARP poisoning works, like we discussed before, is it works because each request

10
00:00:55,140 --> 00:01:01,200
is trusted and clients accept responses even if they didn't send the request.

11
00:01:01,230 --> 00:01:07,560
So what the hacker does is he sends a response to the client telling them that they are the router.

12
00:01:07,650 --> 00:01:11,880
So the client will accept that if it was trusted and is going to accept the response even though it

13
00:01:11,880 --> 00:01:17,100
didn't send the request. Then we'll send another response to the router telling them that we are the

14
00:01:17,100 --> 00:01:18,570
client.

15
00:01:18,660 --> 00:01:23,460
So what this is going to do, it's going to modify the entries in the ARP tables in both the

16
00:01:23,460 --> 00:01:29,640
router and in the client, and for the client it's going to contain the hacker's MAC address and it's going

17
00:01:29,640 --> 00:01:33,130
to associate that with the router's IP address.

18
00:01:33,270 --> 00:01:39,090
So what's basically going to happen is it's going to modify the MAC address here and it's going to change

19
00:01:39,090 --> 00:01:44,660
that to the attacker's MAC address instead of the router's real MAC address.

20
00:01:44,700 --> 00:01:51,000
So when that happens, then the hacker will be in the middle of the connection and they'll be able to

21
00:01:51,000 --> 00:01:57,840
read, analyze and modify the packets because they're going to be flowing through the hacker device. So

22
00:01:58,050 --> 00:02:05,360
let's run the ARP poisoning, normal ARP poisoning attacks like we always do it, and when I go

23
00:02:05,360 --> 00:02:11,450
back here I'm going to execute the same command, I'm going to do arp -a again, and note how the

24
00:02:11,450 --> 00:02:13,200
MAC address is going to be different.

25
00:02:13,220 --> 00:02:19,610
So the MAC address for the router, it used to be this one, and when we write the command, the MAC

26
00:02:19,610 --> 00:02:27,320
address changed to this one, and this MAC address right here is the MAC address of the network card that

27
00:02:27,320 --> 00:02:28,460
the attacker uses.

28
00:02:28,970 --> 00:02:37,180
So if I come here and just do an ifconfig, you'll see that this is the MAC address, the same

29
00:02:37,180 --> 00:02:41,440
MAC address that is displayed in here.

30
00:02:41,450 --> 00:02:46,760
So this is the easiest and the simplest way to discover ARP poisoning attacks.

31
00:02:46,790 --> 00:02:52,460
It's not the handiest way though, because you're going to have to keep doing this command and keep comparing

32
00:02:52,460 --> 00:02:56,610
the entries if you really wanted to check if you're being ARP poisoned.

33
00:02:56,780 --> 00:03:03,170
So there is a tool called XArp and it allows, it does that automatically for you, and it's available for

34
00:03:03,170 --> 00:03:04,920
Linux and Windows.

35
00:03:05,060 --> 00:03:08,620
So I already downloaded it, you can just Google XArp and you can download it.

36
00:03:08,630 --> 00:03:10,910
Very easy to download and install.

37
00:03:11,200 --> 00:03:13,050
And I'm just going to run it.

38
00:03:13,250 --> 00:03:19,900
I'm actually going to stop the attack first and then I'm going to want to... Now notice, when you stop the

39
00:03:19,900 --> 00:03:26,960
attack the IP address is going to go back to what it was, so you can see that the MAC address of the

40
00:03:26,960 --> 00:03:35,510
router is back to its default right value of the router, so I'm just gonna run XArp now and you can

41
00:03:35,510 --> 00:03:36,850
see that everything is good.

42
00:03:37,980 --> 00:03:41,940
And you can see that the entries are very similar to what we did when we did arp -a.

43
00:03:41,940 --> 00:03:46,520
So we have the IP addresses and the MAC addresses associated with it.

44
00:03:46,650 --> 00:03:47,880
What the tool basically does,

45
00:03:47,880 --> 00:03:53,280
it's just going to automatically monitor this and whenever something changes it's gonna know that something

46
00:03:53,280 --> 00:03:58,060
wrong is happening because each IP address should have a unique MAC address.

47
00:03:58,110 --> 00:04:00,220
There should be no duplicates in the network.

48
00:04:00,960 --> 00:04:09,160
So I'm gonna do another ARP poisoning attack exactly like we did it before and when we come here you'll

49
00:04:09,160 --> 00:04:15,160
see that XArp is giving us a notification and telling us that something's happening.

50
00:04:15,370 --> 00:04:22,390
It's telling us that the MAC address for the router, which is the 10.20.14.1 IP, has changed from this

51
00:04:22,660 --> 00:04:31,180
to that, and if we look here, I'm going to click OK, and if we look here we can see that the affected machines

52
00:04:31,180 --> 00:04:36,970
are the router, my own machine right now, and the attacker.

53
00:04:36,970 --> 00:04:37,290
Sorry.

54
00:04:37,310 --> 00:04:38,460
That's, that's me.

55
00:04:38,620 --> 00:04:40,180
And that's the attacker.

56
00:04:40,180 --> 00:04:46,940
So basically we know that the machine at 10.20.14.203 is trying to do an ARP poisoning

57
00:04:47,020 --> 00:04:52,710
attack because it's the one that the router's MAC address has changed to.

58
00:04:52,840 --> 00:04:55,430
Therefore we know this is the attacker machine.

59
00:04:56,110 --> 00:05:01,030
So this tool is really handy because it does the monitoring automatically for us and it will tell us

60
00:05:01,030 --> 00:05:04,210
whenever someone is trying to ARP poison the network.