1
00:00:00,080 --> 00:00:08,210
So let's see how we can perform a DHCP starvation attack and consume the DHCP pool using Yersinia.

2
00:00:08,240 --> 00:00:15,650
Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols.

3
00:00:15,680 --> 00:00:20,540
The protocols currently implemented in Yersinia are shown in the slide.

4
00:00:22,920 --> 00:00:26,850
Now we're going to use our VMs in NAT mode during this demo.

5
00:00:27,830 --> 00:00:32,000
So I'm on my host machine and open the virtual machine library.

6
00:00:32,670 --> 00:00:34,530
This is the Kali that I'll use.

7
00:00:34,950 --> 00:00:37,770
So click this icon to see the VM settings.

8
00:00:38,160 --> 00:00:40,230
Click the network adapter icon.

9
00:00:40,830 --> 00:00:43,800
It says Internet is shared with my Mac.

10
00:00:43,800 --> 00:00:50,700
So if you look at the explanation in the right hand side of the frame, it means the VM is in NAT mode.

11
00:00:51,390 --> 00:00:52,710
So this is what we want.

12
00:00:52,740 --> 00:00:54,630
So just leave it as it is.

13
00:00:55,140 --> 00:01:01,650
The Connect Network Adapter is selected so Kali is ready to use with a network connection.

14
00:01:02,670 --> 00:01:08,640
So Windows 8 is the other VM that I'll use to demonstrate DHCP starvation attack.

15
00:01:09,150 --> 00:01:12,530
Let's have a look at the network settings of Windows as well.

16
00:01:12,540 --> 00:01:16,290
Yeah, it's in NAT mode and the network adapter is connected.

17
00:01:16,980 --> 00:01:23,640
So I'll disconnect the network adapter by clicking here because I just want to show you that the DHCP

18
00:01:23,670 --> 00:01:25,710
of VMware is working properly.

19
00:01:26,420 --> 00:01:30,750
So I want to add a second network interface for my Windows system.

20
00:01:30,770 --> 00:01:34,430
Click show all and go to the settings menu.

21
00:01:35,120 --> 00:01:39,800
And click on Add device at the upper left hand corner.

22
00:01:40,070 --> 00:01:43,580
Select Network Adapter and click Add.

23
00:01:44,300 --> 00:01:47,000
The details of the new adapter are listed here.

24
00:01:47,090 --> 00:01:49,760
The NAT mode is selected by default already.

25
00:01:50,650 --> 00:01:54,550
So uncheck the Connect Network Adapter box for now.

26
00:01:55,310 --> 00:01:55,580
Okay.

27
00:01:55,580 --> 00:02:00,140
So as you see, we have two network adapters for the Windows system.

28
00:02:00,140 --> 00:02:03,470
Both of them are in NAT mode and are disconnected.

29
00:02:04,070 --> 00:02:06,290
So now I'll start the Windows 8 system.

30
00:02:09,870 --> 00:02:10,830
Log in.

31
00:02:12,320 --> 00:02:14,030
And sure enough, it's ready.

32
00:02:14,870 --> 00:02:21,530
Right click on the network icon at the lower right corner and select Open Network and Sharing Center.

33
00:02:22,830 --> 00:02:27,240
And right there, we don't have an active network at the moment.

34
00:02:28,130 --> 00:02:29,420
That's to be expected.

35
00:02:30,110 --> 00:02:37,490
So now I connect the first adapter and activate the network in VMware Fusion.

36
00:02:37,520 --> 00:02:40,760
You can see and change the setting in several ways.

37
00:02:41,420 --> 00:02:49,130
If you use the VM in full screen mode like I do, just go to the upper side for VMware Fusion menu.

38
00:02:49,160 --> 00:02:49,840
There it is.

39
00:02:49,850 --> 00:02:54,260
And if the menu does not appear, just press command control buttons together.

40
00:02:54,830 --> 00:02:55,340
Right.

41
00:02:55,340 --> 00:03:00,410
So this is the default setting of VMware Fusion to turn back to the host system when you're inside a

42
00:03:00,440 --> 00:03:01,040
VM.

43
00:03:01,990 --> 00:03:05,260
And these are the network adapters.

44
00:03:05,560 --> 00:03:09,640
When you click on them, you'll see the short menu for network adapter.

45
00:03:09,640 --> 00:03:16,000
And here you can connect or disconnect the network adapter, change the network mode, NAT, bridged or

46
00:03:16,000 --> 00:03:20,980
host-only, and you can use this pop up for the network adapter settings.

47
00:03:22,400 --> 00:03:29,360
Now, the second way to see and change the network settings is to click the settings icon, then select

48
00:03:29,360 --> 00:03:31,310
the adapter to see the settings.

49
00:03:32,130 --> 00:03:35,970
So the third way is to go to the virtual machine menu.

50
00:03:37,400 --> 00:03:42,320
Go to the network adapter and you will see the short menu of the adapter.

51
00:03:43,220 --> 00:03:50,390
Now go to the first network adapter icon and click on the Connect Network Adapter menu item.

52
00:03:50,780 --> 00:03:57,140
And now you see in the Network and Sharing Center window, we now have an active network connection.

53
00:03:57,320 --> 00:04:01,280
So click the network name and the details button.

54
00:04:02,020 --> 00:04:03,580
Here are the connection details.

55
00:04:03,580 --> 00:04:04,870
And right there.

56
00:04:04,870 --> 00:04:05,320
There it is.

57
00:04:05,350 --> 00:04:12,490
DHCP is 172.16.99.254 and it assigned an IP address for the VM.

58
00:04:12,490 --> 00:04:16,029
172.16.99.221.

59
00:04:16,510 --> 00:04:19,300
As well as the gateway and the DNS address.

60
00:04:21,800 --> 00:04:25,550
Now I'll go back to Kali and open a terminal screen.

61
00:04:26,090 --> 00:04:32,150
Using the ifconfig command to see the network interface configuration and sure enough, it has the IP

62
00:04:32,150 --> 00:04:32,900
address.

63
00:04:33,680 --> 00:04:36,680
So ping the Windows 8 system to validate the network.

64
00:04:36,710 --> 00:04:37,670
Two, two, one.

65
00:04:38,590 --> 00:04:43,720
Okay, we received the ICMP reply, so everything looks okay.

66
00:04:45,140 --> 00:04:48,210
Now is the time for Yersinia.

67
00:04:48,230 --> 00:04:52,940
So type man Yersinia and hit enter to see the manual.

68
00:04:53,720 --> 00:04:59,570
And right here in the manual, Yersinia is a framework for performing layer two attacks.

69
00:04:59,570 --> 00:05:03,140
And here's a list of protocols implemented in Yersinia.

70
00:05:05,320 --> 00:05:08,320
Scroll down, you'll see the options.

71
00:05:08,470 --> 00:05:12,790
We can use uppercase G to start a graphical interface.

72
00:05:12,880 --> 00:05:15,400
So let's go ahead and use it in graphical mode.

73
00:05:16,320 --> 00:05:21,240
You can press Q to quit from the manual and turn back to the terminal.

74
00:05:21,600 --> 00:05:27,180
Now type Yersinia uppercase G and press enter.

75
00:05:27,540 --> 00:05:31,200
So this is the graphical user interface of Yersinia.

76
00:05:32,040 --> 00:05:33,900
Before running the attack.

77
00:05:34,080 --> 00:05:39,810
Let's open Wireshark and monitor the network packets to see what happens when we start the attack.

78
00:05:40,140 --> 00:05:48,330
You can type Wireshark in terminal to start it or just click the Wireshark icon to select the interface

79
00:05:48,330 --> 00:05:49,140
to listen.

80
00:05:49,230 --> 00:05:51,030
Double click eth0.

81
00:05:51,800 --> 00:05:56,690
And to discard the different packets and focus only on the DHCP packets.

82
00:05:56,720 --> 00:06:03,290
We can filter the packets in the filter box, type bootp and hit enter.

83
00:06:04,130 --> 00:06:10,550
So BOOTP is the short form of Bootstrap Protocol which I mentioned earlier.

84
00:06:10,550 --> 00:06:16,850
It's basically a computer networking protocol to automatically assign an IP address to network devices

85
00:06:16,850 --> 00:06:22,010
from a configuration server and obviously it's used by the DHCP server.

86
00:06:23,290 --> 00:06:27,880
Now we can turn back to Yersinia and prepare and run the attack.

87
00:06:28,410 --> 00:06:30,540
So click launch attack.

88
00:06:30,570 --> 00:06:32,940
That's the link at the upper left hand corner.

89
00:06:33,990 --> 00:06:37,710
The tabs in the window are the implemented protocols.

90
00:06:38,040 --> 00:06:43,050
Choose DHCP and select sending Discover packet.

91
00:06:43,230 --> 00:06:44,010
Now click.

92
00:06:44,010 --> 00:06:44,640
Okay.

93
00:06:45,760 --> 00:06:52,210
As soon as we click the button, Yersinia starts sending dozens of DHCP requests in a second.

94
00:06:52,690 --> 00:06:55,840
It'll keep sending the packets till we stop the attack.

95
00:06:57,090 --> 00:06:58,980
Now look at the Wireshark window.

96
00:06:59,280 --> 00:07:03,270
These are the DHCP Discover packets sent by Yersinia.

97
00:07:04,970 --> 00:07:10,820
So now, while Yersinia is sending the DHCP Discover packets, let's activate the second interface of

98
00:07:10,820 --> 00:07:17,090
the Windows VM and let's see if the DHCP server assigns an IP address for the second interface.

99
00:07:18,800 --> 00:07:21,410
All right, so we're in the Windows VM now.

100
00:07:21,560 --> 00:07:24,620
Go to the second network adapter, click Connect.

101
00:07:24,650 --> 00:07:27,890
Network adapter two to activate the second interface.

102
00:07:28,510 --> 00:07:33,580
Now, do you remember what happened when we activated the first interface?

103
00:07:33,820 --> 00:07:36,310
We saw the new network activated.

104
00:07:36,400 --> 00:07:43,000
But now there is still no network because the DHCP server is busy replying to the request created by

105
00:07:43,000 --> 00:07:43,810
Yersinia.

106
00:07:43,840 --> 00:07:46,720
It's not going to answer the Windows 8 second interface.

107
00:07:47,800 --> 00:07:50,830
So let's turn back to Kali and stop the attack.

108
00:07:51,650 --> 00:07:53,090
In Yersinia's interface.

109
00:07:53,090 --> 00:07:57,590
Just click list attacks and then click Stop or stop all.

110
00:07:58,980 --> 00:08:00,270
And the Wireshark window.

111
00:08:00,270 --> 00:08:02,070
Look at the bottom of the packets list.

112
00:08:02,490 --> 00:08:06,570
We now have a complete DHCP sequence.

113
00:08:07,490 --> 00:08:11,810
Discover, offer, request and ack packets.

114
00:08:12,990 --> 00:08:14,700
In the Windows 8 VM.

115
00:08:14,880 --> 00:08:16,920
We now have the second network.

116
00:08:16,950 --> 00:08:19,890
The first one was Ethernet zero two.

117
00:08:19,920 --> 00:08:21,870
This one is Ethernet zero.

118
00:08:22,770 --> 00:08:26,910
Click on it in the status window, click on details.

119
00:08:27,450 --> 00:08:33,059
The second interface has an IP address now assigned by the DHCP server.