1
00:00:00,080 --> 00:00:08,210
So let's see how we can perform a Dhcp starvation attack and consume the Dhcp pool using Yersinia.

2
00:00:08,240 --> 00:00:15,650
Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols.

3
00:00:15,680 --> 00:00:20,540
The protocols currently implemented in Yersinia are shown in the slide.

4
00:00:22,920 --> 00:00:26,850
Now we're going to use our VMs in net mode during this demo.

5
00:00:27,830 --> 00:00:32,000
So I'm on my host machine and open the virtual machine library.

6
00:00:32,670 --> 00:00:34,530
This is the collie that I'll use.

7
00:00:34,950 --> 00:00:37,770
So click this icon to see the VM settings.

8
00:00:38,160 --> 00:00:40,230
Click the network adapter icon.

9
00:00:40,830 --> 00:00:43,800
It says Internet is shared with my Mac.

10
00:00:43,800 --> 00:00:50,700
So if you look at the explanation in the right hand side of the frame, it means the VM is in that mode.

11
00:00:51,390 --> 00:00:52,710
So this is what we want.

12
00:00:52,740 --> 00:00:54,630
So just leave it as it is.

13
00:00:55,140 --> 00:01:01,650
The Connect Network adapter is selected so Kali is ready to use with a network connection.

14
00:01:02,670 --> 00:01:08,640
So Windows 8 is the other VM that I'll use to demonstrate Dhcp starvation attack.

15
00:01:09,150 --> 00:01:12,530
Let's have a look at the network settings of windows as well.

16
00:01:12,540 --> 00:01:16,290
Yeah, it's in that mode and the network adapter is connected.

17
00:01:16,980 --> 00:01:23,640
So I'll disconnect the network adapter by clicking here because I just want to show you that the Dhcp

18
00:01:23,670 --> 00:01:25,710
of VMware is working properly.

19
00:01:26,420 --> 00:01:30,750
So I want to add a second network interface for my Windows system.

20
00:01:30,770 --> 00:01:34,430
Click show all and go to the settings menu.

21
00:01:35,120 --> 00:01:39,800
And click on Add device at the upper left hand corner.

22
00:01:40,070 --> 00:01:43,580
Select Network Adapter and click Add.

23
00:01:44,300 --> 00:01:47,000
The details of the new adapter are listed here.

24
00:01:47,090 --> 00:01:49,760
The Nat mode is selected by default already.

25
00:01:50,650 --> 00:01:54,550
So uncheck the Kinect network adapter box for now.

26
00:01:55,310 --> 00:01:55,580
Okay.

27
00:01:55,580 --> 00:02:00,140
So as you see, we have two network adapters for the Windows system.

28
00:02:00,140 --> 00:02:03,470
Both of them are in that mode and are disconnected.

29
00:02:04,070 --> 00:02:06,290
So now I'll start the Windows 8 system.

30
00:02:09,870 --> 00:02:10,830
Log in.

31
00:02:12,320 --> 00:02:14,030
And sure enough, it's ready.

32
00:02:14,870 --> 00:02:21,530
Right click on the network icon at the lower right corner and select Open Network and Sharing Center.

33
00:02:22,830 --> 00:02:27,240
And right there, we don't have an active network at the moment.

34
00:02:28,130 --> 00:02:29,420
That's to be expected.

35
00:02:30,110 --> 00:02:37,490
So now I connect the first adapter and activate the network in VMware Fusion.

36
00:02:37,520 --> 00:02:40,760
You can see and change the setting in several ways.

37
00:02:41,420 --> 00:02:49,130
If you use the VM in full screen mode like I do, just go to the upper side for VMware Fusion menu.

38
00:02:49,160 --> 00:02:49,840
There it is.

39
00:02:49,850 --> 00:02:54,260
And if the menu does not appear, just press command control buttons together.

40
00:02:54,830 --> 00:02:55,340
Right.

41
00:02:55,340 --> 00:03:00,410
So this is the default setting of VMware Fusion to turn back to the host system when you're inside a

42
00:03:00,440 --> 00:03:01,040
VM.

43
00:03:01,990 --> 00:03:05,260
And these are the network adapters.

44
00:03:05,560 --> 00:03:09,640
When you click on them, you'll see the short menu for network adapter.

45
00:03:09,640 --> 00:03:16,000
And here you can connect or disconnect the network adapter, change the network mode, Nat bridge or

46
00:03:16,000 --> 00:03:20,980
host only, and you can use this pop up for the network adapter settings.

47
00:03:22,400 --> 00:03:29,360
Now, the second way to see and change the network settings is to click the settings icon, then select

48
00:03:29,360 --> 00:03:31,310
the adapter to see the settings.

49
00:03:32,130 --> 00:03:35,970
So the third way is to go to the virtual machine menu.

50
00:03:37,400 --> 00:03:42,320
Go to the network adapter and you will see the short menu of the adapter.

51
00:03:43,220 --> 00:03:50,390
Now go to the first network adapter icon and click on the Connect Network adapter menu item.

52
00:03:50,780 --> 00:03:57,140
And now you see in the network and sharing center window, we now have an active network connection.

53
00:03:57,320 --> 00:04:01,280
So click the network name and the details button.

54
00:04:02,020 --> 00:04:03,580
Here are the connection details.

55
00:04:03,580 --> 00:04:04,870
And right there.

56
00:04:04,870 --> 00:04:05,320
There it is.

57
00:04:05,350 --> 00:04:12,490
Dhcp is 172.16.99.254 and it assigned an IP address for the VM.

58
00:04:12,490 --> 00:04:16,029
172.16.99.221.

59
00:04:16,510 --> 00:04:19,300
As well as the gateway and the DNS address.

60
00:04:21,800 --> 00:04:25,550
Now I'll go back to Cali and open a terminal screen.

61
00:04:26,090 --> 00:04:32,150
Using the ifconfig command to see the network interface configuration and sure enough, it has the IP

62
00:04:32,150 --> 00:04:32,900
address.

63
00:04:33,680 --> 00:04:36,680
So ping the Windows 8 system to validate the network.

64
00:04:36,710 --> 00:04:37,670
Two, two, one.

65
00:04:38,590 --> 00:04:43,720
Okay, we received the ICMP reply, so everything looks okay.

66
00:04:45,140 --> 00:04:48,210
Now is the time for your cinema.

67
00:04:48,230 --> 00:04:52,940
So type men Yersinia and hit enter to see the menu.

68
00:04:53,720 --> 00:04:59,570
And right here in the manual, Yersinia is a framework for performing layer two attacks.

69
00:04:59,570 --> 00:05:03,140
And here's a list of protocols implemented in Yersinia.

70
00:05:05,320 --> 00:05:08,320
Scroll down, you'll see the options.

71
00:05:08,470 --> 00:05:12,790
We can use uppercase G to start a graphical interface.

72
00:05:12,880 --> 00:05:15,400
So let's go ahead and use it in graphical mode.

73
00:05:16,320 --> 00:05:21,240
You can press Q to quit from the manual and turn back to the terminal.

74
00:05:21,600 --> 00:05:27,180
Now type Yersinia Uppercase G and press enter.

75
00:05:27,540 --> 00:05:31,200
So this is the graphical user interface of Yersinia.

76
00:05:32,040 --> 00:05:33,900
Before running the attack.

77
00:05:34,080 --> 00:05:39,810
Lets open Wireshark and monitor the network packets to see what happens when we start the attack.

78
00:05:40,140 --> 00:05:48,330
You can type Wireshark in terminal to start it or just click the Wireshark icon to select the interface

79
00:05:48,330 --> 00:05:49,140
to listen.

80
00:05:49,230 --> 00:05:51,030
Double click Eth0.

81
00:05:51,800 --> 00:05:56,690
And to discard the different packets and focus only on the Dhcp packets.

82
00:05:56,720 --> 00:06:03,290
We can filter the packets in the filter box, type boot IP and hit enter.

83
00:06:04,130 --> 00:06:10,550
So boot P is the short form of bootstrap protocol which I mentioned earlier.

84
00:06:10,550 --> 00:06:16,850
It's basically a computer networking protocol to automatically assign an IP address to network devices

85
00:06:16,850 --> 00:06:22,010
from a configuration server and obviously it's used by the Dhcp server.

86
00:06:23,290 --> 00:06:27,880
Now we can turn back to Yersinia and prepare and run the attack.

87
00:06:28,410 --> 00:06:30,540
So click launch attack.

88
00:06:30,570 --> 00:06:32,940
That's the link at the upper left hand corner.

89
00:06:33,990 --> 00:06:37,710
The tabs in the window are the implemented protocols.

90
00:06:38,040 --> 00:06:43,050
Choose Dhcp and select sending Discover packet.

91
00:06:43,230 --> 00:06:44,010
Now click.

92
00:06:44,010 --> 00:06:44,640
Okay.

93
00:06:45,760 --> 00:06:52,210
As soon as we click the button, Yersinia starts sending dozens of Dhcp requests in a second.

94
00:06:52,690 --> 00:06:55,840
It'll keep sending the packets till we stop the attack.

95
00:06:57,090 --> 00:06:58,980
Now look at the wireshark window.

96
00:06:59,280 --> 00:07:03,270
These are the Dhcp Discover packets sent by Yersinia.

97
00:07:04,970 --> 00:07:10,820
So now, while Yersinia is sending the Dhcp Discover packets, let's activate the second interface of

98
00:07:10,820 --> 00:07:17,090
the Windows VM and let's see if the Dhcp server assigns an IP address for the second interface.

99
00:07:18,800 --> 00:07:21,410
All right, So we're in the Windows VM now.

100
00:07:21,560 --> 00:07:24,620
Go to the second network adapter, click Connect.

101
00:07:24,650 --> 00:07:27,890
Network adapter two to activate the second interface.

102
00:07:28,510 --> 00:07:33,580
Now, do you remember what happened when we activated the first interface?

103
00:07:33,820 --> 00:07:36,310
We saw the new network activated.

104
00:07:36,400 --> 00:07:43,000
But now there is still no network because the Dhcp server is busy replying to the request created by

105
00:07:43,000 --> 00:07:43,810
Yersinia.

106
00:07:43,840 --> 00:07:46,720
It's not going to answer the Windows 8 second interface.

107
00:07:47,800 --> 00:07:50,830
So let's turn back to Cali and stop the attack.

108
00:07:51,650 --> 00:07:53,090
In your seniors interface.

109
00:07:53,090 --> 00:07:57,590
Just click list attacks and then click Stop or stop all.

110
00:07:58,980 --> 00:08:00,270
And the wireshark window.

111
00:08:00,270 --> 00:08:02,070
Look at the bottom of the packets list.

112
00:08:02,490 --> 00:08:06,570
We now have a complete Dhcp sequence.

113
00:08:07,490 --> 00:08:11,810
Discover, offer, request and ack packets.

114
00:08:12,990 --> 00:08:14,700
In the Windows 8 VM.

115
00:08:14,880 --> 00:08:16,920
We now have the second network.

116
00:08:16,950 --> 00:08:19,890
The first one was Ethernet zero two.

117
00:08:19,920 --> 00:08:21,870
This one is Ethernet zero.

118
00:08:22,770 --> 00:08:26,910
Click on it in the status window, click on details.

119
00:08:27,450 --> 00:08:33,059
The second interface has an IP address now assigned by the Dhcp server.