1
00:00:00,320 --> 00:00:02,960
So look at the page seen in the slide.

2
00:00:02,960 --> 00:00:06,770
This is the manual page of the macof command.

3
00:00:08,109 --> 00:00:16,050
macof is a command line tool, mainly used to flood the switch on a local network with random MAC addresses.

4
00:00:16,059 --> 00:00:21,700
So as I mentioned before, when the switch receives a frame, it creates a new entry in its MAC address

5
00:00:21,700 --> 00:00:23,500
table for these MAC addresses.

6
00:00:23,830 --> 00:00:29,560
Once the switch's MAC address table is full and it cannot save any more MAC addresses, it generally

7
00:00:29,560 --> 00:00:34,120
enters into a fail open mode and it starts behaving like a network hub.

8
00:00:35,130 --> 00:00:36,420
So let's see.

9
00:00:36,450 --> 00:00:38,070
macof command in action.

10
00:00:39,810 --> 00:00:43,230
So here's a network that I created in GNS3.

11
00:00:45,260 --> 00:00:48,980
Well, the IP addresses are different from the one that I created in the previous lectures.

12
00:00:48,980 --> 00:00:53,420
But not to worry, it's completely identical with that network.

13
00:00:54,260 --> 00:01:03,140
So in addition, I've added some other VMware VMs, OWASP Broken Web Applications and Metasploitable

14
00:01:03,140 --> 00:01:04,819
in the same way with Kali.

15
00:01:05,090 --> 00:01:11,570
Now, just a little word of caution: while you're adding a VMware VM to a GNS3 network, do not forget

16
00:01:11,570 --> 00:01:20,390
to create a new custom network mode such as VMnet2 because all VMs need a separate custom network

17
00:01:20,390 --> 00:01:20,990
mode.

18
00:01:21,200 --> 00:01:22,010
Remember that?

19
00:01:22,960 --> 00:01:24,400
Okay, so now I'll go to Kali.

20
00:01:24,940 --> 00:01:33,190
Since Kali is a part of the GNS3 network, its network setting is custom, so it's not in NAT mode

21
00:01:33,190 --> 00:01:33,970
right now.

22
00:01:35,480 --> 00:01:38,390
Have a look at the IP address using ifconfig.
23
00:01:38,780 --> 00:01:46,190
Okay, so it's in the 192.168.10.0/24 IP block.

24
00:01:46,750 --> 00:01:49,150
So now check the entire network.

25
00:01:49,600 --> 00:01:54,460
I go over to the other VMs and look at the interface configurations.

26
00:01:55,000 --> 00:01:58,660
These are the IP addresses of all the VMs.

27
00:01:58,990 --> 00:02:00,940
Now go to Kali and ping them.

28
00:02:02,690 --> 00:02:04,260
The results are pretty good.

29
00:02:04,280 --> 00:02:07,190
We got the reply packets for ping requests.

30
00:02:07,760 --> 00:02:16,850
So now I open another terminal screen and scan these two VMs and see the open ports and running services.

31
00:02:18,180 --> 00:02:26,280
So I'll simply use the Nmap command with the IP address only so it'll be a SYN scan and the top 1000

32
00:02:26,280 --> 00:02:27,540
ports will be scanned.

33
00:02:28,250 --> 00:02:29,510
Here are the results.

34
00:02:30,470 --> 00:02:35,930
10.11 has nine open ports and 10.12 has 23.

35
00:02:35,930 --> 00:02:43,460
And as you see here, the Telnet port of 192.168.10.12 is open.

36
00:02:44,730 --> 00:02:46,440
So let's go to the VMs.

37
00:02:47,300 --> 00:02:53,030
10.12 is Metasploitable and 10.11 is OWASP BWA.

38
00:02:53,780 --> 00:02:57,920
Now we know the Telnet service is running on Metasploitable.

39
00:02:58,550 --> 00:03:05,180
So to create some traffic and let the switch fill the MAC address table, I'll start up a Telnet connection

40
00:03:05,180 --> 00:03:12,470
from OWASP BWA to Metasploitable. Type telnet and the IP address of Metasploitable.

41
00:03:12,650 --> 00:03:18,290
Enter the username and password which are already given as a welcome message here.

42
00:03:21,130 --> 00:03:23,260
And we got the session.

43
00:03:25,060 --> 00:03:25,510
Okay.

44
00:03:25,510 --> 00:03:27,100
So we can exit now.
45
00:03:27,480 --> 00:03:35,740
Now I'll go to the console of the switch and type show mac address table dynamic to see the dynamic

46
00:03:35,740 --> 00:03:37,690
records of the MAC address table.

47
00:03:38,580 --> 00:03:43,470
Now here there are six port and MAC mappings for now.

48
00:03:44,090 --> 00:03:45,770
Run the command again.

49
00:03:45,950 --> 00:03:47,690
And now we have two rows.

50
00:03:48,280 --> 00:03:54,490
So it seems by the look of this that the MAC address table aging is 10 or 15 seconds.

51
00:03:55,840 --> 00:03:56,530
Okay.

52
00:03:56,650 --> 00:03:58,000
You ready for this?

53
00:03:58,840 --> 00:04:01,660
This is the time of MAC flooding.

54
00:04:02,660 --> 00:04:05,270
So now I'm in a terminal screen on Kali.

55
00:04:06,110 --> 00:04:12,650
Have a look at the manual of the macof command first, so type man macof and hit Enter.

56
00:04:13,790 --> 00:04:19,910
macof is a tool that's used to flood the local network with random MAC addresses.

57
00:04:20,910 --> 00:04:22,320
And here are the options.

58
00:04:23,640 --> 00:04:30,450
-i to identify the network interface to attack, -n to specify the number of packets to send.

59
00:04:30,490 --> 00:04:35,490
-d to specify the destination system's IP address, etcetera.

60
00:04:35,820 --> 00:04:37,320
So let's create the command.

61
00:04:38,110 --> 00:04:42,340
Of course, the first command I'll send is macof.

62
00:04:43,170 --> 00:04:45,990
-i, the interface that's used to attack.

63
00:04:45,990 --> 00:04:48,770
We'll type that in as eth0.

64
00:04:48,970 --> 00:04:52,710
-d, the destination, the EtherSwitch router.

65
00:04:53,830 --> 00:04:55,740
Now we're ready to run the command.

66
00:04:55,750 --> 00:04:56,830
So hit Enter.

67
00:04:58,200 --> 00:05:03,480
And the flood started and macof sends tens of packets in seconds.

68
00:05:04,500 --> 00:05:11,700
Now let me go to the EtherSwitch router console and look at the dynamic MAC address table again.
69
00:05:12,150 --> 00:05:15,990
You can call the last command by using the up arrow key.

70
00:05:16,740 --> 00:05:23,760
And as you see, there are a lot of rows for our FastEthernet 1/0 port, which is used for Kali.

71
00:05:24,690 --> 00:05:32,370
So while macof is running, let's run Wireshark and try to listen in to the traffic on the Telnet of Kali's

72
00:05:32,370 --> 00:05:33,750
own network interface.

73
00:05:40,860 --> 00:05:47,880
Now to see only the Telnet traffic, type telnet in the filter box and click the blue button next to the

74
00:05:47,880 --> 00:05:48,510
box.

75
00:05:48,840 --> 00:05:49,400
Okay.

76
00:05:49,410 --> 00:05:51,240
No Telnet traffic for now.

77
00:05:51,510 --> 00:05:58,050
Now go back to the VM and telnet to the Metasploitable VM again.

78
00:05:58,320 --> 00:06:02,880
Telnet, the IP address of Metasploitable, username and password.

79
00:06:04,770 --> 00:06:05,700
Run a command.

80
00:06:05,820 --> 00:06:08,160
Okay, so back to Kali.

81
00:06:08,990 --> 00:06:10,820
You see the Telnet traffic here?

82
00:06:11,420 --> 00:06:14,900
Kali is neither the source of the traffic nor the destination.

83
00:06:14,900 --> 00:06:17,360
It receives the Telnet traffic.

84
00:06:17,540 --> 00:06:23,010
Now, this is typical hub behaviour, to send packets to each node.

85
00:06:23,030 --> 00:06:26,360
So we can say that our switch is behaving like a hub now.

86
00:06:26,630 --> 00:06:28,130
Just like we predicted.

87
00:06:29,360 --> 00:06:35,570
So let's go ahead and stop Wireshark and the macof command using the Ctrl+C keys.

88
00:06:35,570 --> 00:06:36,620
You can do that.

89
00:06:38,770 --> 00:06:40,660
These are the Telnet packets.

90
00:06:40,990 --> 00:06:44,740
Since Telnet is a clear text protocol by default,

91
00:06:44,770 --> 00:06:48,310
we can see the payload as well as the metadata.

92
00:06:48,930 --> 00:06:53,410
We can see every character in a different packet, so select one of them.
93
00:06:53,430 --> 00:06:57,720
Right click, Follow and select TCP Stream.

94
00:06:58,600 --> 00:07:01,180
So the red characters here are client packets.

95
00:07:01,180 --> 00:07:04,400
The blue characters are the server packets.

96
00:07:04,420 --> 00:07:08,200
Here are the credentials, username and password.