ARP Poisoning and Defense Strategies

Captions
Hey, welcome back to the channel, everybody. This is Kevin, and in this week's video we're going to take a look at how an attacker might launch an ARP poisoning attack against our network. By doing that, they might be able to set themselves up as a man in the middle for traffic going between their victim and the default gateway, where all that traffic goes through them and they might capture that traffic. And we'll see how to defend ourselves against an ARP poisoning attack. This video is actually a continuation of a video I posted a couple of weeks ago on DHCP attacks. Back in that video we configured DHCP snooping; well, that's actually going to be a prerequisite to how we're going to defend ourselves against an ARP poisoning attack, so if you've not watched that video, I encourage you to go back and do that now. By the way, this content is coming from our upcoming Certified Ethical Hacker course, and I want to encourage you not to use this knowledge in any unauthorized way. The demos in this video are performed on a local network that I have set up that's isolated from the rest of my network. If you enjoy this video, please do me a favor: click the like button down below, subscribe, and click the bell notification icon so you'll know when our next video comes out. Now join me as we take a look at how to launch and how to defend against ARP poisoning attacks.

In this video we want to consider an ARP poisoning attack and see how to defend against such an attack, but first let's review what ARP is all about. ARP stands for Address Resolution Protocol, and it's a way for a device on a network to determine the MAC address of a known IP address. Or, if that device that we're trying to reach with the known MAC address does not live on our subnet, then we need to find out who our default gateway is, and we'll send out an ARP saying, hey, what's the MAC address for this default gateway's IP address that I have? That's what we have here on screen. The victim's laptop wants to get out to the internet, and right now in its ARP cache it does not know the MAC address of 10.1.1.1, which is router R1. R1's ARP cache does not know the MAC address of 10.1.1.100, which is the victim's laptop. The victim's going to send out an ARP broadcast saying, hey, can somebody tell me the MAC address for 10.1.1.1? That goes to R1. When it goes to R1, R1 suddenly learns that the all-C's MAC address is associated with 10.1.1.100; it learned that in the frame it just received in that ARP broadcast. And it's going to respond to the laptop saying, hey, that's me, I've got a MAC address of all A's, we'll pretend. The victim's laptop will update its ARP cache, saying the MAC address associated with 10.1.1.1 is the all-A's MAC address. So now the victim's laptop can reach the internet by sending a frame destined for the default gateway, which has a MAC address of all A's, and when R1 responds back to the victim's laptop, it knows it's sending that frame to a destination MAC address of all C's.

But let's imagine that an attacker joins the network. They're going to launch a man-in-the-middle attack. They're able to access an access-layer switch, maybe in a wiring closet; they plug into an open switch port. Let's say that the attacker has an IP address of 10.1.1.123, and we'll pretend they have a MAC address of all B's. The attacker is going to try to convince the victim that the MAC address associated with the default gateway is the attacker's MAC address of all B's, so when the victim tries to go out to the internet, it's going to go to a next-hop MAC address of the attacker, not router R1. And because we want bidirectional traffic, the attacker is also going to try to convince R1 that the MAC address associated with 10.1.1.100, the victim's laptop, is all B's, again the attacker, so we can have that bidirectional communication. So here's what the attacker does: they send out an unsolicited ARP reply, sometimes called a gratuitous ARP, saying, by the way, the MAC address of 10.1.1.1 is the all-B's MAC address. We're sending that ARP reply to the victim's laptop, and the victim's laptop is going to say, oh, thanks so much, let me update my ARP cache. I thought it was the all-A's MAC address; let me correct that. I'll update that and say it's the all-B's MAC address that gets me to 10.1.1.1. So now when the victim tries to go out to the internet via its default gateway, it's going to be sending frames to the attacker. Now the attacker also needs to convince the router that the MAC address of the victim's laptop is the all-B's MAC address, the attacker's MAC address, so we send out another gratuitous ARP saying the MAC address of 10.1.1.100, the victim's laptop, is all B's. That goes to router R1, and it's going to update its ARP cache. Now when the victim tries to go out to the internet, its next hop is going to be the attacker, which might then capture the packet and then send the packet on its way, so the victim doesn't suspect that anything is going on. And the return traffic is sent through the attacker's computer, because we convinced router R1 that the victim's MAC address was the all-B's MAC address. So now the attacker has injected themselves as a man in the middle.

There are different utilities that the attacker might be using to carry out such an attack. We're going to go out to a live interface now and demonstrate one called Ettercap. It's running on Kali Linux; it comes built in with Kali Linux, in fact. We're going to launch a man-in-the-middle attack, we're going to allow that attacker to sniff some Telnet packets going between the laptop and the router, and because Telnet is in clear text, we're going to be able to read password information. Then we're going to fix that with a utility called DAI, Dynamic ARP Inspection. So let's hop out now to our live interface.

Here on screen you see a topology where we have a Mac laptop, and that's going to be our victim in this scenario. They're connected into switch SW1. Also connected into that switch, on Gig 0/2, is an attacker, and they're running Kali Linux on a Mac. Kali Linux is running inside of a virtual machine, so when we see the packets that it's sending out, it might look like they're coming from a source MAC address that is a VMware MAC address, because Kali Linux is running as a VM. But let's confirm our MAC addresses are as we think they are. Let's go to router R1 and do a show interface gig 0/1; that's what connects into switch SW1, and we can see its MAC address, and that matches what we see in this topology: it ends in 5ce1. Let's check out the MAC address of our Kali Linux machine. Let's open up a terminal, and I'll do an ifconfig. Here's its MAC address; it ends in fde1, like we see on screen. And finally, let's take a look at the MAC address of our Mac laptop, which is going to be our victim's laptop. It's got an IP address of 192.168.1.107. If I go to Advanced and Hardware, we'll be able to see its MAC address; it ends in 1489, and that matches our topology on screen. So we've confirmed our topology and the MAC addresses on that topology.

Now let's see the MAC address that the laptop thinks belongs to the router and the MAC address the router thinks belongs to the laptop, and at this point it should be correct. Let's open up a terminal window on the laptop, and I'm going to do an arp -a, and it's going to come back with any known IP-to-MAC address mappings that it knows about. Here it thinks that 192.168.1.1 has a MAC address that ends in 5ce1. If we take a look at our topology, we see that yes, that is correct; that is the MAC address associated with Gig 0/1 on router R1. Now let's go over to router R1 and see what it thinks the MAC address is for our laptop, which has an IP address of 192.168.1.107. Let's do a show ip arp on router R1, and it thinks that 192.168.1.107 has a MAC address that ends in 1489, and that's correct based on our topology.

Now let's see how an attacker might launch a man-in-the-middle attack, specifically an ARP poisoning attack. Let's go back over to Kali Linux. I'll close out of our terminal, and I'll use the graphical version of Ettercap. I'll go into the Kali menu, I'll select Sniffing and Spoofing, and I'll select Ettercap Graphical. I need to give the password. I'll accept the default settings; I'm using eth0. And I'm going to specify the targets of this attack. I'll say Targets, Select Targets, and one target is going to be the router; it's going to have an IP address of 192.168.1.1. The other target is going to be the laptop; it has an IP address of 192.160. I'll say OK, and I'm ready to launch the attack. Let's click this man-in-the-middle menu. I'll select ARP poisoning, and I don't want to do a one-way attack; I want to do it both ways. I want bidirectional traffic between the laptop and the router, possibly going out beyond the router. So I'll say OK, and while that's happening, let's open up Wireshark on Kali Linux, select eth0, and I thought I'd filter for ARP packets. We should see a bunch of incorrect ARP replies coming back. Notice that the source is VMware; that's our Kali Linux machine, and it's sending an ARP reply for 192.168.1.1 and 192.168.1.107, and notice that the MAC address for both of those IP addresses ends in fde1. That's the MAC address of our Kali box. So that's how the attacker launches such an attack.

Now let's go over to our laptop and router R1 and see if they're convinced. Let's go to the laptop first, and I'll say arp -a, remembering that previously the MAC address for 192.168.1.1 ended in 5ce1. Let's see what it comes back as now, and look at that: this time it says the MAC address of 192.168.1.1 is the MAC address ending in fde1. If you look at our topology, that's our Kali box. Let's go to router R1. Previously it thought 192.168.1.107 ended in 1489. What about now? Let's do another show ip arp. This time it thinks 192.168.1.107 ends in fde1; again, that's the Kali box.

So if I go back to our Kali Linux machine and I start another capture, and I want to filter for Telnet traffic this time, let's go to our laptop, and I'm going to say telnet to 192.168.1.1. I'm just going to telnet into the router, but this would apply to Telnet traffic passing through the router as well. Let's log in; I've got a password of cisco. Let's say enable; again, the password is cisco. Let's go back over to Wireshark and see if we can see that information on Wireshark. I'll stop the capture, let's select one of these packets, I'll right-click, and I'll say I want to follow this TCP stream. Now you can see that the router prompt comes up as User Access Verification. It's prompting me for my password, and look at this: we see my password. Now, it's not echoed back on my laptop screen, which would appear in a different color; it would appear as blue if it was echoed back to my screen, but if the laptop is sending it, it shows up as red. So here it is, c-i-s-c-o; very clearly we see that the password is cisco that was typed in. Then on R1, once I'm logged in, I say enable. Now here we have two E's and two N's and so on; again, the red is the character coming from the laptop and the blue is that character being echoed back on the laptop. It's asking for the password to enter enable mode, and I type in cisco again. It's not echoed back on the laptop, but we see very clearly what the password is. That should be concerning to us, and another reason that we should always use secure protocols when possible. For example, let's use Secure Shell instead of Telnet, let's use HTTPS instead of HTTP, and let's use FTPS or SFTP instead of just plain FTP.

Now let's fix this. Let's go back to our Ettercap screen, and I'll click the stop button. It's stopping the man-in-the-middle attack, and as part of that it says it's re-ARPing the victims, so it's allowing the victims to once again know the correct MAC address for the router and for the laptop. Let's go to our switch now and configure this feature called Dynamic ARP Inspection. First let's confirm that the laptop is convinced of the correct MAC address, and so is the router. So back on the laptop, let me exit out of this, and I'll say arp -a, and it thinks the MAC address of 192.168.1.1 ends in 5ce1. Let's check our topology; yes indeed, that is the router's MAC address. Let's go back to router R1 and do a show ip arp. This time we've gone from the attacker's MAC address ending in fde1 for 192.168.1.107; this time 192.168.1.107 says the MAC address ends in 1489. That's the actual MAC address of our laptop, as you can see on screen. So the victim's laptop and the router now see correct MAC addresses.

Let's go to our switch and configure Dynamic ARP Inspection. To configure Dynamic ARP Inspection, as a prerequisite we have to have DHCP snooping enabled, and we configured that in a prior video, so we're building on that existing configuration of DHCP snooping and we're going to add the configuration for Dynamic ARP Inspection. The reason it's a prerequisite is that DHCP snooping built a binding table of information it learned by snooping in on those DHCP packets. It knows MAC address and IP address and port number information that was set up through DHCP, and if it sees ARP information coming in that's not consistent with what DHCP said it should be, it's going to create an error; it's going to block traffic on that port. Let's confirm that DHCP snooping is enabled on the switch. I'll say show ip dhcp snooping, and we see that it is enabled for VLAN 1. Let's do show ip dhcp snooping binding, and we can see that a couple of our devices on our network have obtained IP address information via DHCP. One thing you might notice here is I just renewed the lease on my laptop and it picked up a different IP address; it's now 192.168.1.108. So let me update my topology. There we go.

Let's configure Dynamic ARP Inspection. Let's go into global configuration mode, and I'm going to trust any messages on Gigabit 0/1, because I know where that connects; I know that connects back to router R1, so I'm not going to be examining ARP messages there. I'll say interface gig 0/1, ip arp inspection trust. Notice I'm setting up my trusted ports before I globally turn on IP ARP inspection, also known as Dynamic ARP Inspection. The reason I'm doing that is if I don't set up my trusted ports first, I might have a violation on those ports before I get around to saying they're trusted, so I like to say which ports are trusted before globally turning it on. But I'm going to say Gig 0/1, it's trusted. Now let's exit to global configuration mode, and I'll say I want to enable IP ARP inspection (again, that's the same thing as Dynamic ARP Inspection) for VLAN 1: ip arp inspection vlan 1. I'll do a show ip arp inspection command, and we see that it is enabled for VLAN 1. We haven't dropped anything yet; we haven't had any violations.

Let's create some violations. Let's go back to Kali Linux, run Ettercap again, and see if Ettercap can now convince the laptop to go to the attacker's machine to get to the router, and convince the router to go to the attacker's machine to get to the laptop. Let's again go under our Ettercap menu, and for targets I'll say Select Targets, and I'll use the existing targets we had, except I need to update the IP address on my laptop; it's now 1.108. I'll say OK. I'm going to launch an ARP poisoning attack; we'll say OK. Now if I tell Wireshark to monitor what's going on, I'll tell it to watch ARP messages, and we can see that this VMware source, that's Kali Linux, is sending out ARP messages claiming that it is the MAC address for 192.168.1.108 and for 192.168.1.1. We can go ahead and stop that; we've confirmed that those poisoned ARPs are being sent out. But are they being believed? On switch SW1 there are all kinds of alerts going off: invalid ARPs. We know that the gratuitous ARP information coming in from Kali Linux is not correct. Let's go make sure that it's not being believed by our router. On router R1 I'll do a show ip arp 192.168.1.108; it says the MAC address ends in 1489. That's correct, and that's not consistent with what Kali Linux is saying; Kali Linux is saying the MAC address for 192.168.1.108 is itself. Let's go back over to our laptop and see if the gratuitous ARP attack convinced it that to get to the router we need to go to the attacker's machine first. Let's do an arp -a, and great news: the laptop does not believe those gratuitous ARPs. In fact, it's not even seeing those gratuitous ARPs, because Dynamic ARP Inspection is blocking them. Our laptop thinks that 192.168.1.1 has a MAC address ending in 5ce1, and it does. It's not going to go to the attacker's machine believing it's the default gateway.

Now let's turn off this attack. Close that out, stop the attack, re-ARP everything. But let's go investigate the switch just a bit. Let's once again do a show ip arp inspection. Before, we had not dropped anybody; now it looks like we have dropped about 47 packets. We've noticed multiple ARP violations: ARP messages coming in on the switch that were not consistent with the IP address and the MAC address and the port information set up by DHCP. When those endpoints got their IP address information via DHCP, our switch snooped in on that and it built this binding table. Again, we'll take a look at that binding table, and those messages coming from Kali were not consistent with this table, so they were dropped. And that's a look at how an attacker might launch an ARP poisoning attack using Ettercap, and how we can defend ourselves against that using Dynamic ARP Inspection.
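As an added illustration that is not part of the video, of Ettercap, or of any Cisco implementation, the following Python models the check Dynamic ARP Inspection performs as the video describes it: ARP packets arriving on untrusted ports are compared against the DHCP snooping binding table (IP, MAC, VLAN, port) and dropped when they disagree, while packets on a trusted port such as Gig 0/1 pass without inspection. The MAC prefixes, the attacker's own lease (192.168.1.150 on Gi0/2) and the laptop's port (Gi0/3) are constructed placeholders; only the last two bytes of each MAC (5ce1, 1489, fde1) and the addresses 192.168.1.1 and 192.168.1.108 come from the video.

```python
"""
Model of Dynamic ARP Inspection (DAI) against a DHCP snooping binding table.
Added example; not code from the video or from any switch vendor.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: what the switch learned when a host got its lease."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    """The fields DAI looks at in an ARP frame, plus the port it arrived on."""
    ingress_port: str
    vlan: int
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


@dataclass
class DaiStats:
    forwarded: int = 0
    dropped: int = 0
    violations: list = field(default_factory=list)


class DynamicArpInspection:
    """Minimal DAI: trust the listed ports, validate every other port's ARP traffic."""

    def __init__(self, bindings, trusted_ports, vlans):
        # Trusted ports are declared at construction, before inspection is active
        # on any VLAN, which is the ordering the video recommends on a real switch.
        self.bindings = {(b.vlan, b.ip): b for b in bindings}
        self.trusted = frozenset(trusted_ports)
        self.vlans = frozenset(vlans)
        self.stats = DaiStats()

    def inspect(self, pkt):
        """Return True if the ARP packet is forwarded, False if DAI drops it."""
        if pkt.vlan not in self.vlans or pkt.ingress_port in self.trusted:
            self.stats.forwarded += 1
            return True
        binding = self.bindings.get((pkt.vlan, pkt.sender_ip))
        valid = (
            binding is not None
            and binding.mac == pkt.sender_mac.lower()
            and binding.port == pkt.ingress_port
        )
        if valid:
            self.stats.forwarded += 1
        else:
            self.stats.dropped += 1
            self.stats.violations.append(
                f"Invalid ARP {pkt.op} on {pkt.ingress_port} vlan {pkt.vlan}: "
                f"sender {pkt.sender_ip}/{pkt.sender_mac} -> "
                f"target {pkt.target_ip}/{pkt.target_mac}"
            )
        return valid


# Constructed sample data. Only the last two bytes of each MAC come from the
# video (5ce1, 1489, fde1); the leading bytes, the attacker's lease and the
# laptop's port are placeholders.
ROUTER_MAC = "00:00:5e:00:5c:e1"
LAPTOP_MAC = "00:00:5e:00:14:89"
ATTACKER_MAC = "00:0c:29:00:fd:e1"

BINDINGS = [
    Binding("192.168.1.108", LAPTOP_MAC, 1, "Gi0/3"),    # laptop's DHCP lease
    Binding("192.168.1.150", ATTACKER_MAC, 1, "Gi0/2"),  # Kali's own lease (constructed)
]


def run_demo():
    """Feed legitimate and poisoned ARP frames through DAI and return the instance."""
    dai = DynamicArpInspection(BINDINGS, trusted_ports=["Gi0/1"], vlans=[1])
    packets = [
        # Laptop asks who has the gateway: sender fields match its binding.
        ArpPacket("Gi0/3", 1, "request", "192.168.1.108", LAPTOP_MAC,
                  "192.168.1.1", "00:00:00:00:00:00"),
        # Router answers on the trusted port; no binding is consulted there.
        ArpPacket("Gi0/1", 1, "reply", "192.168.1.1", ROUTER_MAC,
                  "192.168.1.108", LAPTOP_MAC),
        # Kali resolving the gateway for itself: consistent with its own binding.
        ArpPacket("Gi0/2", 1, "request", "192.168.1.150", ATTACKER_MAC,
                  "192.168.1.1", "00:00:00:00:00:00"),
        # Poisoned reply toward the laptop: claims the gateway IP with Kali's MAC.
        ArpPacket("Gi0/2", 1, "reply", "192.168.1.1", ATTACKER_MAC,
                  "192.168.1.108", LAPTOP_MAC),
        # Poisoned reply toward the router: claims the laptop IP with Kali's MAC.
        ArpPacket("Gi0/2", 1, "reply", "192.168.1.108", ATTACKER_MAC,
                  "192.168.1.1", ROUTER_MAC),
    ]
    for pkt in packets:
        dai.inspect(pkt)
    return dai


if __name__ == "__main__":
    result = run_demo()
    print(f"forwarded={result.stats.forwarded} dropped={result.stats.dropped}")
    for line in result.stats.violations:
        print(line)
```

Two points the model makes visible: the attacker's own, honest ARP request still passes, because DAI validates consistency with the binding table rather than blocking a port outright, and a trusted port is exempt from every check, so "trust" should only be applied where you know exactly what is plugged in, as the video does for the router uplink.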
Info
Channel: Kevin Wallace Training, LLC
Views: 3,193
Keywords: certified ethical hacker, ethical hacking, arp, arp spoofing, arp poisoning, ettercap, kali, kali linux, ceh, cehv11, cisco, ccna, ccnp, ccie, 350-401, 300-410, 200-301, #kwtrain
Id: 93WDiQj0F4c
Length: 20min 5sec (1205 seconds)
Published: Thu Oct 07 2021