1
00:00:00,690 --> 00:00:01,620
Instructor: Welcome back.

2
00:00:01,620 --> 00:00:03,900
In this video we're going to take a look at

3
00:00:03,900 --> 00:00:07,800
a cool way that we can actually perform ARP spoofing

4
00:00:07,800 --> 00:00:10,650
or ARP poisoning manually.

5
00:00:10,650 --> 00:00:13,950
We're going to do that using a huge library that comes

6
00:00:13,950 --> 00:00:18,090
with Python 3 and that is called the Scapy Library.

7
00:00:18,090 --> 00:00:21,150
Now Scapy allows us to manipulate different

8
00:00:21,150 --> 00:00:24,840
networking packets and we can also send and receive

9
00:00:24,840 --> 00:00:26,640
the packets as well.

10
00:00:26,640 --> 00:00:28,440
Now, we could do something like this

11
00:00:28,440 --> 00:00:31,470
with the help of a socket library, but that would be much,

12
00:00:31,470 --> 00:00:34,080
much harder because with the help of Scapy

13
00:00:34,080 --> 00:00:37,020
we have all of the packets already predefined

14
00:00:37,020 --> 00:00:39,513
and we can just craft them to our liking.

15
00:00:40,410 --> 00:00:43,320
Now the same way that you can open Python inside

16
00:00:43,320 --> 00:00:44,280
of the terminal

17
00:00:44,280 --> 00:00:48,120
you can also open Scapy inside of the terminal

18
00:00:48,120 --> 00:00:51,540
and this will allow you to write the code line by line.

19
00:00:51,540 --> 00:00:54,360
So it'll take a few seconds to open this framework

20
00:00:54,360 --> 00:00:57,420
and once it opens up you will see this Scapy banner

21
00:00:57,420 --> 00:01:00,303
and then you will be able to run the commands right here.

22
00:01:01,230 --> 00:01:03,480
Scapy works similarly to Python

23
00:01:03,480 --> 00:01:07,140
so you can use the print statements to print hello world

24
00:01:07,140 --> 00:01:10,950
for example, and it will also run that code as well.

25
00:01:10,950 --> 00:01:14,040
However, we are not going to use it for this.
26
00:01:14,040 --> 00:01:17,010
We're going to use it to craft packets.

27
00:01:17,010 --> 00:01:19,620
For example, there are ether headers inside

28
00:01:19,620 --> 00:01:21,600
of a packet and to see all

29
00:01:21,600 --> 00:01:25,710
of the fields that an ether header has, we can type ls

30
00:01:25,710 --> 00:01:27,750
and then ether.

31
00:01:27,750 --> 00:01:30,120
We can do the same for the ARP packets.

32
00:01:30,120 --> 00:01:34,050
For example, if I type ARP inside of the brackets

33
00:01:34,050 --> 00:01:38,820
it'll give me all of the fields that an ARP packet has

34
00:01:38,820 --> 00:01:41,340
and you can do that for any packet that you want.

35
00:01:41,340 --> 00:01:43,860
For example, you can also do it for a TCP packet

36
00:01:43,860 --> 00:01:48,270
and it'll give you all the fields that the TCP header has

37
00:01:48,270 --> 00:01:52,110
and then you can change each of these fields to your liking.

38
00:01:52,110 --> 00:01:55,590
But as I already mentioned, the goal for this video is

39
00:01:55,590 --> 00:01:59,700
for us to craft an ARP packet that will poison the ARP cache

40
00:01:59,700 --> 00:02:01,020
of the Windows 10 machine

41
00:02:01,020 --> 00:02:02,523
and that will tell our Windows 10 machine

42
00:02:02,523 --> 00:02:04,920
that we are the router.

43
00:02:04,920 --> 00:02:06,330
So how can we do that?

44
00:02:06,330 --> 00:02:08,280
Well, first, if you remember

45
00:02:08,280 --> 00:02:11,130
we must know the MAC address of our Windows 10

46
00:02:11,130 --> 00:02:15,270
machine to be able to send the ARP poisoning packet to it.

47
00:02:15,270 --> 00:02:16,710
Now, we're not going to cheat

48
00:02:16,710 --> 00:02:18,338
and check out the MAC address inside

49
00:02:18,338 --> 00:02:20,670
of the command prompt on Windows 10.

50
00:02:20,670 --> 00:02:23,130
We're going to get it using Scapy.
51
00:02:23,130 --> 00:02:24,090
To do that,

52
00:02:24,090 --> 00:02:27,900
we must send an ARP request that requests the MAC address

53
00:02:27,900 --> 00:02:29,970
of the Windows 10 machine.

54
00:02:29,970 --> 00:02:32,760
To do that, we must also send that request

55
00:02:32,760 --> 00:02:36,360
to the broadcast MAC address, which if you remember means

56
00:02:36,360 --> 00:02:39,750
that every machine on the network will receive that request

57
00:02:39,750 --> 00:02:42,690
and then hopefully our Windows 10 machine will reply

58
00:02:42,690 --> 00:02:44,970
with its MAC address.

59
00:02:44,970 --> 00:02:47,636
So to do that, let me see if I can use the

60
00:02:47,636 --> 00:02:49,020
clear command right here.

61
00:02:49,020 --> 00:02:49,853
Okay, great.

62
00:02:49,853 --> 00:02:50,820
I can use it.

63
00:02:50,820 --> 00:02:55,110
To do that, we are going to combine the ether header

64
00:02:55,110 --> 00:02:56,460
that we just checked out

65
00:02:56,460 --> 00:03:00,420
with the ARP header or the ARP packet.

66
00:03:00,420 --> 00:03:02,250
The reason we need the ether header is

67
00:03:02,250 --> 00:03:04,920
so we can specify the destination MAC field to

68
00:03:04,920 --> 00:03:07,530
be the broadcast MAC address.

69
00:03:07,530 --> 00:03:10,080
Therefore our ARP packet will be received

70
00:03:10,080 --> 00:03:12,240
by anyone on the network.

71
00:03:12,240 --> 00:03:13,073
Let's do that.

72
00:03:13,073 --> 00:03:15,720
So let's create a variable called broadcast

73
00:03:15,720 --> 00:03:19,020
and this variable will be equal to the ether header

74
00:03:19,020 --> 00:03:21,900
and the dst field, which is the destination,

75
00:03:21,900 --> 00:03:24,480
we can set to the broadcast MAC address

76
00:03:24,480 --> 00:03:29,480
which is for everyone, six times ff, separated by two dots.

77
00:03:30,570 --> 00:03:32,520
Once you do that, you can close the brackets

78
00:03:32,520 --> 00:03:35,940
and now we've got our broadcast packet ready.
79
00:03:35,940 --> 00:03:38,580
To check out whether everything is selected correctly

80
00:03:38,580 --> 00:03:43,200
we can type broadcast.show and this will show all

81
00:03:43,200 --> 00:03:45,150
of the fields that we have right here.

82
00:03:45,150 --> 00:03:46,140
And you will notice

83
00:03:46,140 --> 00:03:49,500
that it'll automatically set the other two fields.

84
00:03:49,500 --> 00:03:52,320
This is the MAC address of our Kali Linux machine

85
00:03:52,320 --> 00:03:54,000
which is the source MAC address

86
00:03:54,000 --> 00:03:57,030
because we are sending the packet from our Kali Linux machine

87
00:03:57,030 --> 00:04:00,600
and the destination is whom we are sending the packet to.

88
00:04:00,600 --> 00:04:04,080
In this case, we're sending the packet to everyone.

89
00:04:04,080 --> 00:04:07,110
Now what we must do is we must also create the ARP layer

90
00:04:07,110 --> 00:04:08,280
for this packet.

91
00:04:08,280 --> 00:04:12,780
And to do that we can type ls ARP first to check out all

92
00:04:12,780 --> 00:04:17,370
of the fields, and we want to target the Windows 10 machine

93
00:04:17,370 --> 00:04:20,010
because we want to get its MAC address.

94
00:04:20,010 --> 00:04:23,700
So what we must do is we must type the P destination to

95
00:04:23,700 --> 00:04:27,063
be equal to the IP address of the Windows 10 machine.

96
00:04:27,960 --> 00:04:30,180
All the other fields will be set automatically

97
00:04:30,180 --> 00:04:33,330
for us except this hardware destination field

98
00:04:33,330 --> 00:04:35,220
which is the MAC address of our target

99
00:04:35,220 --> 00:04:38,280
which we get from the ARP response.

100
00:04:38,280 --> 00:04:39,930
So to craft the ARP layer

101
00:04:39,930 --> 00:04:44,820
we can type ARP layer equals and then ARP.

102
00:04:44,820 --> 00:04:46,920
And inside of the brackets we specify

103
00:04:46,920 --> 00:04:48,510
the fields that we want to use.
104
00:04:48,510 --> 00:04:51,960
In this case, we only specify the P destination to be equal

105
00:04:51,960 --> 00:04:56,130
to 192.168.1.7, or you can just specify

106
00:04:56,130 --> 00:04:58,890
the IP address of your target machine.

107
00:04:58,890 --> 00:05:02,220
Press enter and before I explain this, I can just

108
00:05:02,220 --> 00:05:05,910
type ARP.show to show you what the packet looks like.

109
00:05:05,910 --> 00:05:10,080
So it'll select the hardware source to be our MAC address.

110
00:05:10,080 --> 00:05:13,350
It'll select the P source to be our IP address.

111
00:05:13,350 --> 00:05:16,980
It'll select the P destination to be the target's IP address

112
00:05:16,980 --> 00:05:20,160
which in our case is 192.168.1.7

113
00:05:20,160 --> 00:05:22,170
and the hardware destination will be empty

114
00:05:22,170 --> 00:05:25,050
because this is the value that we want to get back.

115
00:05:25,050 --> 00:05:29,970
This packet is essentially saying who has 192.168.1.7,

116
00:05:29,970 --> 00:05:32,370
give me your MAC address.

117
00:05:32,370 --> 00:05:33,930
And to combine this packet

118
00:05:33,930 --> 00:05:37,020
with our broadcast layer, we can type

119
00:05:37,020 --> 00:05:41,010
entire_packet equals

120
00:05:41,010 --> 00:05:42,753
broadcast/ARP_layer.

121
00:05:45,300 --> 00:05:48,090
And this will put our two layers together.

122
00:05:48,090 --> 00:05:50,850
If I type entire_packet.show

123
00:05:50,850 --> 00:05:53,400
you will see we have both the ethernet layer

124
00:05:53,400 --> 00:05:55,830
and the ARP layer.

125
00:05:55,830 --> 00:05:59,250
The only thing we must do right now is we must send this packet

126
00:05:59,250 --> 00:06:00,330
to our network.

127
00:06:00,330 --> 00:06:02,370
We can do that using the SRP function

128
00:06:02,370 --> 00:06:05,490
and this function takes the entire packet as an argument.
129
00:06:05,490 --> 00:06:08,310
We can also set a timeout to be two

130
00:06:08,310 --> 00:06:11,433
and we can set the verbose to be equal to true.

131
00:06:12,390 --> 00:06:15,030
Now this is not something that we want to send.

132
00:06:15,030 --> 00:06:17,748
We want to store the response inside of the answer because

133
00:06:17,748 --> 00:06:21,930
if the Windows 10 machine answers, we will have our answer

134
00:06:21,930 --> 00:06:24,540
with the Windows 10's MAC address right here

135
00:06:24,540 --> 00:06:25,860
in this variable.

136
00:06:25,860 --> 00:06:28,050
We also want to only get the answers

137
00:06:28,050 --> 00:06:30,000
and not the unanswered packets

138
00:06:30,000 --> 00:06:32,430
and we can do that by specifying right here,

139
00:06:32,430 --> 00:06:36,570
zero, to select the first element inside of the list.

140
00:06:36,570 --> 00:06:39,450
Once we do that, we can press enter

141
00:06:39,450 --> 00:06:41,940
and we get operation not permitted

142
00:06:41,940 --> 00:06:46,940
and that could be because we are not the root account.

143
00:06:47,010 --> 00:06:49,650
So what I'm going to do is I'm going to

144
00:06:49,650 --> 00:06:52,260
run this real quick as root.

145
00:06:52,260 --> 00:06:53,940
So I'm just going to write all

146
00:06:53,940 --> 00:06:56,040
of the commands that we just did and I will get back

147
00:06:56,040 --> 00:06:59,340
to you as soon as I get to the SRP command.

148
00:06:59,340 --> 00:07:00,720
Okay, so here we are.

149
00:07:00,720 --> 00:07:03,390
Now we made a mistake that I already talked about.

150
00:07:03,390 --> 00:07:05,640
We must run all of this as a root account

151
00:07:05,640 --> 00:07:08,280
otherwise some of these commands will not work.

152
00:07:08,280 --> 00:07:10,710
And I just typed all of the previous commands

153
00:07:10,710 --> 00:07:13,440
that we did such as setting the broadcast layer, ARP layer

154
00:07:13,440 --> 00:07:14,937
and creating the entire packet.
155
00:07:14,937 --> 00:07:18,330
And now we are sending the entire packet with this command

156
00:07:18,330 --> 00:07:21,630
and we are storing the response in the answer variable.

157
00:07:21,630 --> 00:07:22,810
So let's press enter

158
00:07:23,760 --> 00:07:26,640
and it'll tell us finished sending one packets,

159
00:07:26,640 --> 00:07:30,660
received one packets back and got one answers.

160
00:07:30,660 --> 00:07:33,660
Now to get this answer, it's a little bit tricky, so

161
00:07:33,660 --> 00:07:36,840
if I type print answer, we will get this

162
00:07:36,840 --> 00:07:38,340
response right here.

163
00:07:38,340 --> 00:07:41,100
And since all of these are empty, we want to

164
00:07:41,100 --> 00:07:45,690
select this other part right here and print just that part.

165
00:07:45,690 --> 00:07:48,330
To do that, we can type print answer

166
00:07:48,330 --> 00:07:51,960
and then the first element which will be the answer packets.

167
00:07:51,960 --> 00:07:55,950
So in the brackets we specify zero, press enter

168
00:07:55,950 --> 00:07:59,640
and this is our response from the Windows 10 machine.

169
00:07:59,640 --> 00:08:01,770
If we take a look at the response right here

170
00:08:01,770 --> 00:08:05,010
we're going to see the MAC address of the Windows 10 machine.

171
00:08:05,010 --> 00:08:07,860
So we successfully received it with our packet.

172
00:08:07,860 --> 00:08:10,320
Now we can either copy it from here

173
00:08:10,320 --> 00:08:14,040
and store it in a variable or we can select it like this.

174
00:08:14,040 --> 00:08:16,710
So we're going to print the answer

175
00:08:16,710 --> 00:08:19,170
and from the answer we are selecting the first element.

176
00:08:19,170 --> 00:08:22,290
And from the second list we are selecting the second element

177
00:08:22,290 --> 00:08:25,293
and we are going to type .hwsrc.
178
00:08:26,220 --> 00:08:28,860
And the reason we are using hwsrc is

179
00:08:28,860 --> 00:08:31,680
because this is the field that has the MAC address

180
00:08:31,680 --> 00:08:35,760
of our Windows 10 machine or of our target machine.

181
00:08:35,760 --> 00:08:37,475
Then if I print this

182
00:08:37,475 --> 00:08:41,820
it should print just the MAC address and here it is.

183
00:08:41,820 --> 00:08:44,230
And all we need to do right now is copy this

184
00:08:47,010 --> 00:08:48,720
and store that in a variable

185
00:08:48,720 --> 00:08:52,650
that we can name target MAC address equals

186
00:08:52,650 --> 00:08:57,450
and then our answer with the hwsrc field.

187
00:08:57,450 --> 00:09:00,180
Great. Now we got our target's MAC address

188
00:09:00,180 --> 00:09:03,750
and we are ready to craft the malicious ARP packet.

189
00:09:03,750 --> 00:09:07,230
So what we can do is we can type something like this.

190
00:09:07,230 --> 00:09:10,020
The packet will be equal to ARP packet

191
00:09:10,020 --> 00:09:14,520
and we are going to select the op field to be equal to two.

192
00:09:14,520 --> 00:09:17,640
Now, if you type ls ARP, you're going to see the op field.

193
00:09:17,640 --> 00:09:20,820
And this op field is simply just asking are we

194
00:09:20,820 --> 00:09:23,640
sending an ARP request or an ARP reply?

195
00:09:23,640 --> 00:09:26,310
Once we select the field to be equal to two

196
00:09:26,310 --> 00:09:29,580
this means we are sending an ARP response.

197
00:09:29,580 --> 00:09:32,280
And remember, to send a malicious ARP packet,

198
00:09:32,280 --> 00:09:35,550
it must be an ARP response telling the router

199
00:09:35,550 --> 00:09:38,640
that we are the Windows 10 machine or something similar to that.

200
00:09:38,640 --> 00:09:41,030
Once we set the op to be equal to two

201
00:09:41,030 --> 00:09:43,890
we must set the hardware destination to be equal to

202
00:09:43,890 --> 00:09:45,363
target_mac_address.
203
00:09:46,500 --> 00:09:49,710
And from here we are selecting two more fields

204
00:09:49,710 --> 00:09:53,700
which are P destination to be the IP address of our target.

205
00:09:53,700 --> 00:09:55,170
So this simply means

206
00:09:55,170 --> 00:09:57,720
that we are sending this packet to our target.

207
00:09:57,720 --> 00:10:01,890
And the last part is where we add the malicious thing.

208
00:10:01,890 --> 00:10:04,950
Here under the P source in a real packet

209
00:10:04,950 --> 00:10:06,090
in real communication

210
00:10:06,090 --> 00:10:08,190
we would specify right here the IP address

211
00:10:08,190 --> 00:10:10,890
of our Kali Linux machine, but in this case

212
00:10:10,890 --> 00:10:12,690
we want to pretend that we are the router.

213
00:10:12,690 --> 00:10:16,680
So we're just going to specify the IP address of the router.

214
00:10:16,680 --> 00:10:21,240
And this right here is our malicious packet.

215
00:10:21,240 --> 00:10:26,100
If I type packet.show, you will see it right here.

216
00:10:26,100 --> 00:10:29,430
We have the MAC address of our Kali Linux machine

217
00:10:29,430 --> 00:10:31,950
but we also pretend to be the router.

218
00:10:31,950 --> 00:10:35,520
We typed the router's IP address instead of our own.

219
00:10:35,520 --> 00:10:39,420
And this packet is being sent to this destination.

220
00:10:39,420 --> 00:10:42,840
Now, before I send it, I'm going to open the command prompt

221
00:10:42,840 --> 00:10:44,280
on my Windows 10 machine

222
00:10:44,280 --> 00:10:46,740
and I'm going to run the arp -a command

223
00:10:46,740 --> 00:10:49,590
from the previous video just to see how the ARP

224
00:10:49,590 --> 00:10:51,480
tables are currently being set.

225
00:10:51,480 --> 00:10:54,300
So we can see that the router, which is in my case

226
00:10:54,300 --> 00:10:58,623
192.168.1.1, has this MAC address.
227
00:10:59,490 --> 00:11:00,990
Our Kali Linux machine

228
00:11:00,990 --> 00:11:04,980
which is 192.168.1.10 has this MAC address.

229
00:11:04,980 --> 00:11:08,220
And you will notice once I send this packet

230
00:11:08,220 --> 00:11:10,590
this IP address, which is our Kali Linux

231
00:11:10,590 --> 00:11:15,590
and the router's IP address will have the same MAC address.

232
00:11:15,600 --> 00:11:18,510
And that is an indication that the ARP spoofing attack

233
00:11:18,510 --> 00:11:22,020
is taking place at that specific time.

234
00:11:22,020 --> 00:11:23,400
So let's send the packet.

235
00:11:23,400 --> 00:11:25,680
And to do that, we can use the send function.

236
00:11:25,680 --> 00:11:27,720
The first argument is going to be the packet

237
00:11:27,720 --> 00:11:31,620
and we can set the verbose to be equal to false

238
00:11:31,620 --> 00:11:33,510
and press enter.

239
00:11:33,510 --> 00:11:37,740
If I go back to the command prompt and type arp -a again,

240
00:11:37,740 --> 00:11:41,790
we can see now the router has the same MAC address

241
00:11:41,790 --> 00:11:44,343
as our Kali Linux machine right here.

242
00:11:45,480 --> 00:11:48,480
So we successfully ARP poisoned the ARP cache

243
00:11:48,480 --> 00:11:50,760
of our target machine.

244
00:11:50,760 --> 00:11:52,770
Now that we did this, you probably now

245
00:11:52,770 --> 00:11:56,070
fully understand how ARP poisoning works

246
00:11:56,070 --> 00:11:57,450
and you can also take a look

247
00:11:57,450 --> 00:11:59,130
at different tools online to see

248
00:11:59,130 --> 00:12:01,230
if there are some better tools that you can use to

249
00:12:01,230 --> 00:12:03,180
perform a man-in-the-middle attack.

250
00:12:03,180 --> 00:12:04,740
Some of them have more options,

251
00:12:04,740 --> 00:12:06,870
some of them have less options.

252
00:12:06,870 --> 00:12:11,580
But nonetheless, this is all there is to this attack.
253
00:12:11,580 --> 00:12:14,340
You simply just send malicious ARP packets

254
00:12:14,340 --> 00:12:17,100
and redirect the connection to you.

255
00:12:17,100 --> 00:12:18,480
So thank you for watching this video

256
00:12:18,480 --> 00:12:21,153
and I will see you in the next section.