1
00:00:00,150 --> 00:00:06,180
In this video, I'm going to show you multiple attacks. I'm firstly going to show you how to poison ARP caches

2
00:00:06,180 --> 00:00:12,920
on PCs. ARP, or Address Resolution Protocol, is a fundamental building block in networks today.

3
00:00:13,530 --> 00:00:19,260
Basically, it allows devices to learn the MAC addresses of other devices on an Ethernet network.

4
00:00:20,320 --> 00:00:25,960
Once we've poisoned the ARP cache of a device, we're going to implement a man-in-the-middle attack where

5
00:00:25,960 --> 00:00:31,280
we view the passwords and data sent between multiple devices in our network.

6
00:00:31,660 --> 00:00:37,480
I'm going to show you how to capture usernames and passwords, as well as data sent between a router

7
00:00:37,720 --> 00:00:40,030
and a host in our topology,

8
00:00:40,510 --> 00:00:44,810
but rather than just talking about this, I want to show you practically how this actually works.

9
00:00:45,220 --> 00:00:52,840
I'm going to show you, using Wireshark captures, how ARP works, how ARP caches are then poisoned using

10
00:00:52,840 --> 00:00:59,860
Ettercap, and how we can implement a man-in-the-middle attack using a virtual network running, in this example,

11
00:00:59,860 --> 00:01:00,400
in EVE-NG.

12
00:01:14,700 --> 00:01:19,560
Disclaimer: as always, the information shared here is for educational purposes only.

13
00:01:19,770 --> 00:01:25,260
Don't use the information that I'm sharing here to go and hack a public network that you don't have

14
00:01:25,260 --> 00:01:26,220
permission to hack.

15
00:01:26,730 --> 00:01:32,610
Only hack networks that you have explicit permission to hack, or test networks such as the one that I'm

16
00:01:32,610 --> 00:01:39,120
showing you here. In this example I'm using EVE-NG in the cloud, but EVE-NG allows you to virtualize networks

17
00:01:39,120 --> 00:01:40,020
on your laptop.

18
00:01:40,020 --> 00:01:41,150
It's great software.
19
00:01:41,460 --> 00:01:47,940
I'd recommend that you use EVE-NG or GNS3 or Cisco VIRL if you want to learn how to build

20
00:01:47,940 --> 00:01:51,090
networks and virtualize networks on your laptop.

21
00:01:51,480 --> 00:01:55,290
So let's look at this practically. So, on the Windows 10 host,

22
00:01:55,950 --> 00:01:58,800
what does the ARP cache currently look like?

23
00:01:59,430 --> 00:02:03,720
So firstly, ipconfig shows us the IP address of this host.

24
00:02:04,050 --> 00:02:13,230
It has IP address 10.1.1.100. The default gateway is 10.1.1.254, which is the router

25
00:02:13,260 --> 00:02:14,270
in this topology.

26
00:02:14,850 --> 00:02:15,750
So here's the router.

27
00:02:15,870 --> 00:02:19,530
It's a Cisco router, but you could use any router if you prefer.

28
00:02:19,920 --> 00:02:22,680
show ip interface brief.

29
00:02:23,660 --> 00:02:30,200
This is the IP address of the Gigabit 0/0 interface, and that is the interface connecting the router

30
00:02:30,200 --> 00:02:31,970
to the switch in our topology.

31
00:02:32,630 --> 00:02:38,320
The router has this MAC address on Gigabit 0/0.

32
00:02:38,450 --> 00:02:45,980
So show interface Gigabit 0/0 shows us that the MAC address is 5001.0009

33
00:02:46,250 --> 00:02:50,870
followed by 0000. On the Windows 10 host, arp -a:

34
00:02:51,200 --> 00:02:54,800
this is the MAC address associated with that IP address.

35
00:02:55,220 --> 00:03:03,140
In other words, this device has learnt the MAC address of the router correctly: 50-01

36
00:03:03,380 --> 00:03:06,710
followed by 00-09 followed by 00-00.

37
00:03:07,050 --> 00:03:09,370
That's the MAC address of the router.

38
00:03:09,860 --> 00:03:13,490
Now, to prove the point, I'm going to delete the ARP cache on the PC,

39
00:03:13,610 --> 00:03:18,380
but before I do that, let's run Wireshark so that we can see what's going on.

40
00:03:18,860 --> 00:03:21,950
I'm going to run Wireshark on Ethernet0.
41
00:03:22,370 --> 00:03:26,570
That's the Ethernet interface connecting the PC to our network.

42
00:03:28,830 --> 00:03:34,170
So here's our Wireshark capture. We see a lot of traffic, but I'm going to filter for ARP. Windows

43
00:03:34,170 --> 00:03:36,450
10 sends a lot of traffic into the network.

44
00:03:36,460 --> 00:03:39,330
So what I'm going to do is delete the ARP cache,

45
00:03:39,660 --> 00:03:45,420
and what you'll see is that ARP traffic has been generated in Wireshark.

46
00:03:48,450 --> 00:03:56,010
We can see that this device, with a MAC address starting with 50-01, is sending a broadcast

47
00:03:56,010 --> 00:03:57,060
into the network.

48
00:03:57,420 --> 00:04:06,390
This is an ARP request asking: who has IP address 10.1.1.254? Tell 10.1.1.100.

49
00:04:07,030 --> 00:04:10,800
OK, so ipconfig /all

50
00:04:14,390 --> 00:04:23,420
shows us that this PC, our Windows 10 host, has this MAC address. The local PC with this MAC address is

51
00:04:23,420 --> 00:04:30,490
sending a broadcast into the network asking for the MAC address of 10.1.1.254.

52
00:04:30,800 --> 00:04:33,370
Notice the target MAC address is blank.

53
00:04:33,380 --> 00:04:34,710
It's a bunch of zeros.

54
00:04:35,120 --> 00:04:38,440
That's because the PC doesn't know the MAC address of the router.

55
00:04:38,630 --> 00:04:44,540
It's asking for the MAC address of the router, basically saying: who has this IP address?

56
00:04:45,380 --> 00:04:51,980
The router then replies back, saying: I have this IP address and here's my MAC address,

57
00:04:52,320 --> 00:04:55,620
and that's sent as a unicast back to the PC.

58
00:04:55,970 --> 00:04:58,760
So basically, the PC sends a message into the network.

59
00:04:58,760 --> 00:05:01,700
It's a broadcast that's flooded by the switch.

60
00:05:02,640 --> 00:05:09,240
The router replies back with its MAC address. It's a unicast that gets sent to the PC so that the PC

61
00:05:09,240 --> 00:05:12,960
can learn the MAC address of the router. Now on the switch,

62
00:05:12,990 --> 00:05:15,870
this is a Cisco switch, show mac address-table.

63
00:05:16,200 --> 00:05:21,690
We can see the MAC address of the PC and the MAC address of the router.

64
00:05:21,840 --> 00:05:24,660
Those MAC addresses have been learnt by the switch.

65
00:05:25,260 --> 00:05:29,640
The switch currently hasn't learnt the Linux host's MAC address yet.

66
00:05:30,000 --> 00:05:37,110
We can see that the PC is on Gigabit 0/1 and the router is on Gigabit 0/2. Those MAC addresses

67
00:05:37,110 --> 00:05:38,370
were learnt dynamically.

68
00:05:38,910 --> 00:05:43,380
So the PC is on this interface, the router is on this interface.

69
00:05:44,010 --> 00:05:47,610
So on the Kali Linux host, ifconfig,

70
00:05:48,550 --> 00:05:49,780
pipe that to more.

71
00:05:51,150 --> 00:05:57,600
The IP address of Kali is that, the MAC address is this. I'll ping the default gateway

72
00:05:58,500 --> 00:06:04,920
just to generate some traffic, cancel that, and on the switch, show mac address-table.

73
00:06:07,520 --> 00:06:12,320
The switch has now learnt the MAC address of the Kali Linux host.

74
00:06:13,290 --> 00:06:19,260
OK, so this is where it gets interesting. In Kali Linux, I'm going to go to Applications, Sniffing

75
00:06:19,260 --> 00:06:21,750
& Spoofing, and select Ettercap.

76
00:06:23,530 --> 00:06:31,150
I'm going to go to Sniff. I'm using unified sniffing because I only want to sniff one interface, which

77
00:06:31,150 --> 00:06:35,030
is Ethernet0, so unified sniffing has started.

78
00:06:35,740 --> 00:06:39,220
I'm then going to go to Hosts, Scan for hosts.

79
00:06:39,790 --> 00:06:42,360
So we're going to scan for hosts in the network.

80
00:06:42,370 --> 00:06:43,210
It's scanned

81
00:06:44,140 --> 00:06:52,360
for 255 hosts in our subnet. Notice two hosts have been added to the hosts list: Ettercap has discovered

82
00:06:52,360 --> 00:06:53,970
two hosts in our network.
83
00:06:54,310 --> 00:07:03,170
We can view those hosts by going to Hosts, Hosts list, and we'll see our two devices: 10.1.1.100

84
00:07:03,400 --> 00:07:09,540
is the Windows PC, 10.1.1.254 is our router.

85
00:07:10,210 --> 00:07:13,180
So I'm going to add the router to Target 1.

86
00:07:13,960 --> 00:07:18,460
I'm going to add the Windows host to Target 2.

87
00:07:19,810 --> 00:07:26,980
On the Windows host, you'll notice a bunch of ARP broadcasts have been sent out from 10.1.1.156,

88
00:07:26,980 --> 00:07:30,370
which is our Kali Linux host.

89
00:07:30,370 --> 00:07:31,930
Once again, ifconfig

90
00:07:33,050 --> 00:07:37,220
piped to more: this is the IP address of the hacking host.

91
00:07:38,510 --> 00:07:44,330
Now that we've discovered the hosts in the network and specified our targets, the next step is to implement

92
00:07:44,330 --> 00:07:48,410
a man-in-the-middle attack, and we're going to implement ARP poisoning.

93
00:07:49,510 --> 00:07:57,190
We're going to sniff remote connections and click OK, so we are poisoning these two devices:

94
00:07:57,790 --> 00:08:05,380
10.1.1.254 in group 1 and 10.1.1.100 in group 2. Back on the Windows host,

95
00:08:05,980 --> 00:08:13,570
the device is receiving ARP messages stating that this IP address is using this MAC address.

96
00:08:15,040 --> 00:08:18,340
On the router, show interface Gigabit 0/0.

97
00:08:19,820 --> 00:08:28,460
This is the MAC address of the actual router, 5001.0009. Note that is different

98
00:08:28,460 --> 00:08:29,710
to what we're seeing here.

99
00:08:30,470 --> 00:08:37,610
This is 5001.0002, not 5001.0009.

100
00:08:38,850 --> 00:08:44,610
So on the Windows host, if we look at the ARP cache, so arp -a:

101
00:08:45,720 --> 00:08:53,820
this IP address is using the same MAC address as this IP address, which is our Kali Linux host.

102
00:08:54,840 --> 00:08:59,250
So on Kali, let's start Wireshark so that we can sniff traffic.
103
00:09:00,140 --> 00:09:05,870
We've implemented a man-in-the-middle attack now, because when traffic is sent to the router, it's actually

104
00:09:05,870 --> 00:09:10,670
going to be sent to the Kali Linux host. On the switch once again,

105
00:09:15,620 --> 00:09:17,030
show mac address-table.

106
00:09:20,820 --> 00:09:29,130
This MAC address is the Kali Linux host's MAC address, found on Gigabit 0/0. The router, using this MAC

107
00:09:29,130 --> 00:09:32,700
address, is actually found on Gigabit 0/2.

108
00:09:33,210 --> 00:09:38,030
So the traffic is going to flow to the Kali Linux host and then to the router.

109
00:09:38,820 --> 00:09:39,180
So on

110
00:09:39,180 --> 00:09:40,770
Kali I'll start a

111
00:09:41,790 --> 00:09:44,010
Wireshark capture on Ethernet0.

112
00:09:49,780 --> 00:09:53,290
We can see a bunch of traffic, but let's filter for telnet.

113
00:09:54,640 --> 00:09:59,680
Now, in this example, let's assume that the administrator made a bad decision and enabled Telnet on

114
00:09:59,680 --> 00:10:00,260
the router.

115
00:10:01,000 --> 00:10:09,280
So when I open up PuTTY, I'm going to use Telnet and I'm going to telnet to the router, 10.1.1

116
00:10:09,460 --> 00:10:10,420
.254.

117
00:10:11,450 --> 00:10:14,790
I'm prompted for a password, which I'll enter, and log in.

118
00:10:15,620 --> 00:10:17,840
The font is very small, so I'll change that.

119
00:10:20,170 --> 00:10:23,080
So change the appearance of PuTTY,

120
00:10:24,930 --> 00:10:25,860
make this bigger.

121
00:10:27,650 --> 00:10:33,680
So there you go. What you'll notice is I was prompted for a username and password, which I entered,

122
00:10:34,100 --> 00:10:36,170
and I've been able to log into the router.
123
00:10:36,680 --> 00:10:42,710
I'll type enable to go to privileged mode and enter my password, so I'm now in privileged mode on the router,

124
00:10:45,120 --> 00:10:51,600
and if I type something such as show run, I'll see the running configuration of the router displayed

125
00:10:51,600 --> 00:10:52,930
on the Windows computer.

126
00:10:53,760 --> 00:11:01,200
However, all that data has been captured by the Kali Linux host: traffic from 10.1.1.100, the

127
00:11:01,200 --> 00:11:07,020
PC, going to the router. Scrolling down, we can see a password prompt as an example,

128
00:11:08,060 --> 00:11:15,890
and then we can see the password, c-i-s-c-o. It's not very easy to see that, however, so I'm going to

129
00:11:15,890 --> 00:11:19,790
right-click here and go to Follow TCP Stream,

130
00:11:20,810 --> 00:11:23,420
and what you'll notice is the password is displayed.

131
00:11:23,510 --> 00:11:25,350
So there's the original password.

132
00:11:25,880 --> 00:11:27,860
In other words, the Telnet password.

133
00:11:28,130 --> 00:11:34,970
Here's the enable password, and here's the full running configuration of the router displayed on the

134
00:11:34,970 --> 00:11:36,370
Kali Linux host.

135
00:11:37,010 --> 00:11:44,510
I've been able to capture the entire Telnet session between the host and the router because the traffic

136
00:11:44,690 --> 00:11:47,510
is going through the Kali Linux host.

137
00:11:47,690 --> 00:11:51,360
We have poisoned the ARP cache on the Windows computer.

138
00:11:52,070 --> 00:11:55,700
Now, the same thing is true if we used HTTP on the Windows PC.

139
00:11:56,830 --> 00:12:00,070
So I'll open up a browser and

140
00:12:01,570 --> 00:12:08,860
browse to the router, 10.1.1.254, and log in with my password of cisco, cisco.

141
00:12:10,710 --> 00:12:11,850
Back in Kali

142
00:12:12,930 --> 00:12:14,700
I'll search for HTTP.
143
00:12:17,610 --> 00:12:28,560
Now, the Windows host is sending HTTP traffic not just to the router, so I'll filter for ip.addr == 10.

144
00:12:28,560 --> 00:12:30,380
1.1.254.

145
00:12:31,260 --> 00:12:36,930
So we see traffic from the Windows PC to the router and not to other destinations on the Internet.

146
00:12:37,830 --> 00:12:38,880
So scrolling down,

147
00:12:39,840 --> 00:12:47,610
we can see that the router is saying the session is unauthorized, so the PC is now sending authorization

148
00:12:47,610 --> 00:12:51,600
information, including the username and password, to the router.

149
00:12:51,870 --> 00:12:57,930
So we've been able to capture the username and password because it's sent in clear text from the PC

150
00:12:57,930 --> 00:12:58,560
to the router.

151
00:12:58,830 --> 00:13:02,340
You shouldn't be using clear-text protocols in your network today.

152
00:13:02,730 --> 00:13:04,650
So in other words, we shouldn't be using Telnet.

153
00:13:04,650 --> 00:13:06,230
We shouldn't be using HTTP.

154
00:13:06,270 --> 00:13:08,400
We should be using encrypted protocols.

155
00:13:08,760 --> 00:13:16,830
But I've been able to capture the username and password of the router through Telnet and HTTP by simply

156
00:13:16,830 --> 00:13:19,850
implementing an Ettercap ARP poisoning attack.

157
00:13:21,220 --> 00:13:29,140
Now, a lot of Cisco engineers will back up the configuration of a router using TFTP, so we'll use

158
00:13:29,140 --> 00:13:32,090
a command such as copy running-config tftp.

159
00:13:32,290 --> 00:13:40,030
And in this example, I'll specify the Windows host as the TFTP server. Before I press Enter there, on the

160
00:13:40,030 --> 00:13:40,810
Windows host

161
00:13:40,810 --> 00:13:49,720
I'm going to run Tftpd32, which is a TFTP server, so that TFTP server is now running on the Windows

162
00:13:49,720 --> 00:13:50,350
PC.
163
00:13:51,360 --> 00:13:56,430
On the router, I'll press Enter now to back up the configuration to the TFTP server.

164
00:13:57,740 --> 00:14:01,070
I'm getting permission denied there, so let me try that again,

165
00:14:05,040 --> 00:14:06,960
and I'll specify a different file name.

166
00:14:09,690 --> 00:14:14,600
Back on the TFTP server, here's the problem. I'll set security to None.

167
00:14:14,910 --> 00:14:17,240
Once again, that's not necessarily a good idea.

168
00:14:17,580 --> 00:14:24,060
I'll specify the desktop as the destination folder and click OK.

169
00:14:25,260 --> 00:14:34,140
So try that again: copy running-config tftp, specify the server, specify the file

170
00:14:34,140 --> 00:14:38,190
name, and notice you can see the configuration was copied successfully.

171
00:14:39,060 --> 00:14:39,810
Now, that's OK,

172
00:14:39,830 --> 00:14:44,250
but back on the Kali Linux host I'll filter for TFTP,

173
00:14:45,370 --> 00:14:48,040
and you can see the file name there.

174
00:14:49,330 --> 00:14:52,100
There was a TFTP error.

175
00:14:52,570 --> 00:14:59,620
So what I'll do actually is scroll all the way to the end so that we see the successful write.

176
00:15:00,700 --> 00:15:06,760
Here's an acknowledgement of a block of data. TFTP sends data in blocks, so the sender will send a block

177
00:15:06,760 --> 00:15:07,240
of data.

178
00:15:07,720 --> 00:15:09,810
The receiver will send back an acknowledgement.

179
00:15:09,820 --> 00:15:12,500
So there's an acknowledgement of part of the data.

180
00:15:13,090 --> 00:15:19,540
Here's the actual data from the router to the TFTP server.

181
00:15:20,110 --> 00:15:20,680
I'll right-

182
00:15:20,680 --> 00:15:23,770
click on the data and show packet bytes.

183
00:15:25,690 --> 00:15:28,210
There's the last part of the router's configuration.
184
00:15:29,590 --> 00:15:37,030
So that's OK, but let's see if we can get some passwords. So scrolling right up to block 1: passwords

185
00:15:37,030 --> 00:15:39,460
are at the top of the router configuration.

186
00:15:40,180 --> 00:15:43,620
So here's block 1, sent from the router to the TFTP server.

187
00:15:43,990 --> 00:15:44,410
Right-

188
00:15:44,410 --> 00:15:49,590
click and select Show Packet Bytes. As you can see there,

189
00:15:49,810 --> 00:15:51,850
that's the enable password of the router.

190
00:15:52,480 --> 00:15:59,140
We can see the entire router configuration by simply looking at the blocks of data.

191
00:16:00,140 --> 00:16:03,590
So here's block 2. Look at that block of data.

192
00:16:07,720 --> 00:16:12,600
Here's the loopback interface IP address, there's the Gigabit 0/0 IP address.

193
00:16:13,990 --> 00:16:19,600
Now, it's once again bad practice to use clear-text protocols in networks today. You should be using

194
00:16:19,600 --> 00:16:21,760
encrypted protocols wherever possible.

195
00:16:22,390 --> 00:16:28,210
You can also stop this kind of nonsense in networks today by implementing Dynamic ARP Inspection on

196
00:16:28,210 --> 00:16:28,930
your switches.

197
00:16:29,270 --> 00:16:33,740
I'll show you how to stop these kinds of hacks in subsequent videos; this video's getting too long.

198
00:16:34,180 --> 00:16:35,710
Now, this is a troubleshooting hint.

199
00:16:35,980 --> 00:16:43,660
If traffic is not being forwarded by your Kali Linux host, type this command. This command forwards

200
00:16:43,660 --> 00:16:45,510
IP version 4 traffic.

201
00:16:46,000 --> 00:16:51,970
So it basically allows the Kali Linux host, well, any Linux host, to receive traffic and then forward

202
00:16:51,970 --> 00:16:54,880
it on when destined for another host.

203
00:16:55,210 --> 00:17:00,520
So it basically acts as a router: receives traffic for another device and basically sends it back into

204
00:17:00,520 --> 00:17:01,240
the network.
205
00:17:01,630 --> 00:17:05,020
So if you have issues forwarding traffic, then use this command.

206
00:17:06,150 --> 00:17:13,859
OK, so in this video I showed you how to implement a man-in-the-middle attack using ARP poisoning, using

207
00:17:13,859 --> 00:17:17,520
the application Ettercap, which is available in Kali Linux.