1
00:00:00,330 --> 00:00:05,460
This is one of multiple videos where I'm showing you how to hack networks using Kali Linux.

2
00:00:06,060 --> 00:00:12,360
In previous videos, I showed you how to download and install Kali Linux on a Windows 10 computer using

3
00:00:12,360 --> 00:00:15,630
a pre-built image that you can download from Kali.org.

4
00:00:16,410 --> 00:00:22,640
I also showed you how you can hack Cisco Networks when a switch is badly or poorly configured.

5
00:00:22,950 --> 00:00:26,040
It's important that you configure networks properly.

6
00:00:26,190 --> 00:00:32,820
Otherwise, it's very easy to hack networks such as Cisco Networks using Kali Linux. In this video,

7
00:00:32,820 --> 00:00:37,980
I'm going to show you how easy it is to break networks that are badly configured.

8
00:00:38,280 --> 00:00:39,990
We're going to use two protocols.

9
00:00:40,170 --> 00:00:46,530
The first one, dynamic trunking protocol or DTP and the second one the VTP or VLAN trunking protocol.

10
00:00:47,160 --> 00:00:53,070
We're basically going to do things to the network by leveraging those two protocols.

11
00:00:53,740 --> 00:01:00,150
I'm going to show you as an example how you can take devices off the network by sending VTP packets

12
00:01:00,150 --> 00:01:02,370
to a Cisco switch using Kali Linux.

13
00:01:02,820 --> 00:01:10,260
So we're basically going to delete VLANs from a switch by simply injecting VTP packets into the network.

14
00:01:11,210 --> 00:01:16,770
Kali Linux, in our example, will be configured on one VLAN, we'll have hosts on a separate VLAN, but that's

15
00:01:16,770 --> 00:01:17,600
not going to stop us.

16
00:01:17,620 --> 00:01:24,120
We're going to use DTP to form a trunk with a Cisco switch, have visibility of a separate VLAN.

17
00:01:24,130 --> 00:01:27,240
So Kali Linux will be in one VLAN, let's say VLAN 1.

18
00:01:27,780 --> 00:01:33,000
Our hosts will be in a separate VLAN, let's say VLAN 2, we'll send DTP packets to the switch so that

19
00:01:33,000 --> 00:01:36,390
we have visibility of those hosts from our Kali Linux host

20
00:01:36,720 --> 00:01:44,190
and then what we'll do is use VTP to delete VLANs automatically on a Cisco switch, basically removing

21
00:01:44,340 --> 00:01:47,010
devices in one VLAN from the network.

22
00:02:01,240 --> 00:02:08,500
All right, without further ado, let me show you how to hack Cisco Networks, at the moment on the switch

23
00:02:08,500 --> 00:02:15,280
show interface trunk shows us that there are no trunk ports on the switch, show interface gigabit 0

24
00:02:15,280 --> 00:02:23,920
1 switch port shows us that this port, there's the command again, this port is configured to use

25
00:02:23,920 --> 00:02:29,170
DTP, but at the moment it's a static access port.

26
00:02:30,180 --> 00:02:35,160
Administrative mode is dynamic auto, bad idea to use DTP.

27
00:02:36,900 --> 00:02:43,070
Show run interface Gigabit 01 shows us that this port is configured with a default configuration.

28
00:02:43,140 --> 00:02:52,470
That's a bad idea because what we can do is launch a DTP attack and enable trunking by simply selecting

29
00:02:52,470 --> 00:02:53,490
that option and clicking

30
00:02:53,490 --> 00:03:00,540
OK, Yersinia sees that there's a switch using access auto, which is what we saw

31
00:03:02,230 --> 00:03:08,350
over here, dynamic auto, but in the output of the switch, we can see that the interface went down

32
00:03:08,350 --> 00:03:12,280
and came up again, gigabit 01 went down,

33
00:03:12,970 --> 00:03:15,240
now Gigabit 01 has come up

34
00:03:16,180 --> 00:03:23,740
and if we use the same command again, show interface trunk notice trunking is now enabled on gigabit

35
00:03:23,830 --> 00:03:24,670
01,

36
00:03:25,150 --> 00:03:28,590
so Gigabit 01 is using 802.1q.

37
00:03:29,560 --> 00:03:34,660
The VLAN 1 interface on the switch or the SVI or switch virtual interface came up because

38
00:03:34,660 --> 00:03:36,540
we have an interface in that VLAN

39
00:03:36,550 --> 00:03:45,400
but again, show interface trunk, native VLAN is VLAN 1 on this port, but trunking is now used using

40
00:03:45,400 --> 00:03:52,330
802.1q mode is auto VLANs 1 and 2 are allowed across that trunk.

41
00:03:53,090 --> 00:04:03,130
That means that Kali Linux will have the visibility of the PC in VLAN 2, show run interface gigabit

42
00:04:03,180 --> 00:04:03,880
01.

43
00:04:04,360 --> 00:04:13,090
No configuration on that port, but the MacBook is in VLAN 2, notice it's been configured in VLAN 2

44
00:04:13,600 --> 00:04:19,390
and if we type show interface gigabit02 switch port, we can see through this command that that

45
00:04:19,390 --> 00:04:26,890
port Gigabit 02 is configured in VLAN 2 it's currently acting as an access port.

46
00:04:28,740 --> 00:04:36,960
Again, Kali Linux, which is supposedly in VLAN 1, will be able to see traffic sent by devices

47
00:04:36,960 --> 00:04:37,710
in VLAN 2.

48
00:04:38,550 --> 00:04:41,340
Before we look at that, let's have a look at spanning tree again.

49
00:04:41,340 --> 00:04:44,280
So show spanning tree, for VLAN 1

50
00:04:44,700 --> 00:04:46,340
the switch is no longer the root

51
00:04:47,250 --> 00:04:50,010
it has a cost of 4 to get to the root switch.

52
00:04:51,000 --> 00:04:57,180
Gigabit 01 is its root port to get to the root switch, for VLAN 2 it's the root.

53
00:04:58,290 --> 00:05:06,480
Notice Gigabit 01 and 02 are now designated ports, previously we only saw gigabit 02 in the output

54
00:05:06,480 --> 00:05:06,750
bay.

55
00:05:09,300 --> 00:05:13,830
So back in Kali Linux, let's start Wireshark,

56
00:05:16,610 --> 00:05:18,470
select capture start.

57
00:05:20,130 --> 00:05:25,020
You can see that we are capturing a bunch of traffic on the network, including spanning tree.

58
00:05:27,870 --> 00:05:29,490
Bunch of other traffic seen here.

59
00:05:31,600 --> 00:05:32,890
But let's filter for DHCP.

60
00:05:35,180 --> 00:05:41,510
The MacBook currently has this IP address, I'm going to disable the Ethernet interface on the MacBook,

61
00:05:42,470 --> 00:05:48,950
I'll enable it again so that it sends a DHCP request, notice

62
00:05:48,950 --> 00:05:53,090
Kali Linux is seeing the DHCP information.

63
00:05:54,960 --> 00:06:04,020
So it's seeing the DHCP Discover message, seeing the DHCP offer from the switch to that host, it sees the

64
00:06:04,020 --> 00:06:10,410
DHCP request and sees the acknowledgment. This is on VLAN 2,

65
00:06:11,390 --> 00:06:18,380
notice the IP address, 10.1.2.254, giving this IP address to the MacBook.

66
00:06:19,950 --> 00:06:25,980
So the MacBook has been given IP address 10.1.2.2 and Kali Linux, which is supposedly in a

67
00:06:25,980 --> 00:06:28,380
different VLAN, was able to see that.

68
00:06:30,350 --> 00:06:37,730
On the MacBook, if I ping a nonexistent IP address, so ping 10.1.2.123 I'll

69
00:06:37,730 --> 00:06:39,350
press enter on the MacBook

70
00:06:41,190 --> 00:06:42,510
and filter for ARP.

71
00:06:44,970 --> 00:06:51,840
Notice we can see ARP resolution protocol send the IP addresses, this is looking for the MAC address of 10.

72
00:06:51,840 --> 00:06:53,110
1.2.123.

73
00:06:53,820 --> 00:07:00,610
Basically, the Kali Linux host, which is supposedly in VLAN 1, can now see the traffic in VLAN

74
00:07:00,630 --> 00:07:00,910
2.

75
00:07:01,860 --> 00:07:03,240
Now, that's a broadcast.

76
00:07:04,110 --> 00:07:11,610
If the host sent multicast traffic to, let's say, 239.1.2.3, the Kali Linux host

77
00:07:12,030 --> 00:07:15,780
would see that ICMP traffic.

78
00:07:18,760 --> 00:07:26,590
So here we go, we can see IP address 10.1.2.2 pinging 239.1.2.3.

79
00:07:27,040 --> 00:07:29,530
This is multicast traffic.

80
00:07:30,510 --> 00:07:31,510
I'll stop that ping.

81
00:07:32,190 --> 00:07:33,360
Now, this is not doing much here

82
00:07:33,390 --> 00:07:37,970
I'll show you in a subsequent video how I can, for instance, sniff OSPF passwords.

83
00:07:38,430 --> 00:07:43,230
OSPF, which is a routing protocol, sends updates into the network using multicast

84
00:07:43,560 --> 00:07:48,930
and Kali Linux will be able to sniff those routing updates and capture passwords as an example on the

85
00:07:48,940 --> 00:07:49,980
OSPF updates.

86
00:07:51,120 --> 00:07:57,180
So what we've seen thus far is a CDP attack, I've shown you DTP attack

87
00:07:58,250 --> 00:08:05,270
and I've shown you spanning tree. Let's have a look at VTP, VTP is a really bad protocol,

88
00:08:06,080 --> 00:08:07,400
generally, you want to turn it off.

89
00:08:07,680 --> 00:08:10,690
It's actually been removed from the Cisco CCNA exam.

90
00:08:11,270 --> 00:08:16,430
So in the next release of CCNA, it wouldn't be there. If I type show VTP status

91
00:08:17,910 --> 00:08:21,160
the switch is in this domain called home.

92
00:08:21,930 --> 00:08:26,730
It's currently acting as a server, configuration revision number is 1.

93
00:08:27,830 --> 00:08:38,059
It has six VLANs configured, show VLAN brief as an example, shows me that VLAN 1 and 2 exist

94
00:08:38,059 --> 00:08:38,809
on the switch.

95
00:08:39,409 --> 00:08:46,580
If I create another VLAN, let's say VLAN 3, show VLAN brief VLAN 3 has been created,

96
00:08:47,600 --> 00:08:51,650
show VTP status configuration

97
00:08:51,650 --> 00:08:53,240
revision number is now 2.

98
00:08:55,860 --> 00:09:00,450
So in Kali Linux, let's send a VTP packet.

99
00:09:01,690 --> 00:09:06,940
You can see it's learnt about the home VTP domain.

100
00:09:08,820 --> 00:09:17,880
I'm going to launch an attack and let's delete a VLAN now before I do that, I'm going to plug in my

101
00:09:18,300 --> 00:09:23,700
MacBook, so this MacBook is now plugged into the network in port 3.

102
00:09:25,050 --> 00:09:29,430
So on the switch, we can see that Gigabit03 came up.

103
00:09:29,430 --> 00:09:32,700
So show IP interface brief,

104
00:09:34,990 --> 00:09:46,690
Gigabit 01, 2, and 3 are now up, I'll configure gigabit 03 as an access port

105
00:09:50,770 --> 00:09:54,970
and put it into VLAN 2, so show run

106
00:10:04,490 --> 00:10:09,920
these two ports are now in the same VLAN. On this MacBook

107
00:10:10,250 --> 00:10:16,760
I'm going to enable DHCP it should get an IP address in VLAN 2

108
00:10:18,000 --> 00:10:18,700
and there you go

109
00:10:18,910 --> 00:10:20,400
10.1.2.3.

110
00:10:21,400 --> 00:10:34,750
So on that MacBook over there, the small one ping 10.1.2.3 ping succeeds, so again,

111
00:10:35,770 --> 00:10:38,260
that MacBook can ping this MacBook.

112
00:10:38,440 --> 00:10:40,150
They are both in VLAN 2

113
00:10:44,050 --> 00:10:47,260
but what I'll do now in Kali Linux is delete VLAN,

114
00:10:49,280 --> 00:10:51,950
and the VLAN I'm going to delete is VLAN 2.

115
00:10:54,290 --> 00:10:58,670
So on the switch show VTP status.

116
00:11:00,610 --> 00:11:05,930
At the moment, configuration revision number is still 2, show VLAN brief.

117
00:11:05,950 --> 00:11:08,290
We still have those VLANs.

118
00:11:09,970 --> 00:11:15,140
I've seen sometimes that this doesn't work that well, but notice here VLAN 2 has now been removed.

119
00:11:15,940 --> 00:11:22,900
I've noticed sometimes you have to create a VLAN to speed this up, but if I type show VLAN brief

120
00:11:23,410 --> 00:11:28,390
VLAN 2 is missing and that MacBook can no longer ping this MacBook.

121
00:11:28,870 --> 00:11:38,590
I've basically removed these two devices from the network again show interface gigabit 02 switch

122
00:11:38,590 --> 00:11:38,980
port.

123
00:11:40,640 --> 00:11:48,500
Gigabit 02 the interface that that MacBook is connected to is configured in VLAN 2, but the

124
00:11:48,500 --> 00:11:49,770
VLAN is inactive.

125
00:11:49,790 --> 00:11:53,110
So basically I've removed these devices from the network.

126
00:11:54,110 --> 00:12:01,080
If I have a look at gigabit 03, that's the port that this MacBook is connected to.

127
00:12:01,970 --> 00:12:03,560
It's also in VLAN 2,

128
00:12:04,370 --> 00:12:10,850
so this command shows us that Gigabit 03 is configured in VLAN 2, but it's inactive.

129
00:12:10,880 --> 00:12:14,660
I've removed the device from the network, essentially.

130
00:12:17,540 --> 00:12:27,770
So if I create VLAN 2 again, so show VLAN brief, I've now got VLAN 2 back on the switch.

131
00:12:28,920 --> 00:12:34,740
The pings should start succeeding once things converge and there you go, the pings are now succeeding.

132
00:12:35,760 --> 00:12:41,510
Interface VLAN 2 has also come up on the switch so that MacBook can now ping this MacBook.

133
00:12:42,570 --> 00:12:47,790
But again, I can simply delete that VLAN using Kali Linux.

134
00:12:49,820 --> 00:12:54,360
Show VLAN Brief shows us that the VLAN exists, to speed things up,

135
00:12:54,380 --> 00:12:56,920
I could simply create another VLAN, so let's create VLAN

136
00:12:56,930 --> 00:12:59,300
5 type exit

137
00:13:00,490 --> 00:13:05,560
and as soon as I did that, the ping started failing on the MacBook because things converged quicker

138
00:13:05,860 --> 00:13:11,140
when you actually do something on the switch, like create a VLAN, otherwise you just need to wait

139
00:13:11,140 --> 00:13:14,290
a while for that VLAN to be removed.

140
00:13:14,710 --> 00:13:17,830
So show VLAN brief,

141
00:13:19,210 --> 00:13:22,690
VLAN 5 is there but VLAN 2 is gone

142
00:13:24,480 --> 00:13:28,020
and if you want to really be nasty, you could simply say

143
00:13:29,440 --> 00:13:39,370
delete all VTP VLANs. So at the moment we've got VLAN 1, 3 and 5, 1 will not be deleted

144
00:13:39,370 --> 00:13:40,990
because it's a default VLAN.

145
00:13:41,830 --> 00:13:46,620
These other VLANs will also not be deleted, but 3 and 5 should disappear

146
00:13:48,870 --> 00:13:57,690
when this converges. To speed it up, I'll create VLAN 10 and type End, so show VLAN brief notice all

147
00:13:57,690 --> 00:13:58,590
the VLANs have gone.

148
00:14:00,610 --> 00:14:07,170
VLAN 3, 5, 2, 10 are all gone, that can basically break an entire network if you're using VTP.

149
00:14:07,750 --> 00:14:12,930
So don't use VTP or set your devices to transparent.

150
00:14:13,360 --> 00:14:18,760
So either disable VTP or use transparent, don't use server or client mode.

151
00:14:19,240 --> 00:14:20,710
VTP is a bad idea.

152
00:14:21,010 --> 00:14:24,790
Now there's some basic examples of how you can hack networks using Kali Linux.

153
00:14:25,180 --> 00:14:31,990
Make sure that you understand how your protocols work in your network and how you can secure your network.

154
00:14:32,350 --> 00:14:36,820
In other videos, I'll show you how you can protect your network from these kinds of hacks.

155
00:14:37,390 --> 00:14:40,840
But in this video, I wanted to show you what's possible using Kali Linux.