1
00:00:00,790 --> 00:00:07,090
So although we stored the passwords with a strong encryption algorithm, it's still not safe to let

2
00:00:07,090 --> 00:00:13,540
just anyone access the password hashes, because they're still open to offline password cracking attacks.

3
00:00:15,090 --> 00:00:21,420
So it's possible to identify access control lists for the communication services such as SNMP, SSH,

4
00:00:21,420 --> 00:00:29,550
Telnet. With these access lists, we can decide who can and cannot connect to the services,

5
00:00:29,940 --> 00:00:33,210
then close the services for everybody else.

6
00:00:34,580 --> 00:00:38,810
So there are two types of access lists: standard and extended.

7
00:00:39,530 --> 00:00:40,100
Let's have a look.

8
00:00:40,820 --> 00:00:43,700
We can see how we can manage the access to the router.

9
00:00:45,260 --> 00:00:52,460
So once again, we are back in the network we created by using GNS3. All the devices

10
00:00:52,460 --> 00:00:53,630
are still active and running.

11
00:00:53,630 --> 00:00:54,440
That's always a good time.

12
00:00:55,920 --> 00:00:57,240
Over to the router's console.

13
00:00:58,660 --> 00:01:00,370
And enter the config terminal mode.

14
00:01:02,080 --> 00:01:06,850
access-list is the keyword to create and configure an access control list.

15
00:01:07,900 --> 00:01:10,050
So put a question mark to see the options.

16
00:01:11,410 --> 00:01:18,490
The number here decides the type of the access list. We'll make an example of a standard access list.

17
00:01:18,550 --> 00:01:21,590
So just put a number between 1 and 99.

18
00:01:21,620 --> 00:01:22,510
I'll just put 2.

19
00:01:23,570 --> 00:01:28,820
A standard access control list either denies or permits source IP addresses.
20
00:01:30,450 --> 00:01:38,130
In addition to source IP addresses, an extended access control list can also deny or permit based

21
00:01:38,130 --> 00:01:42,600
on destination IP addresses, ports and those services as well.

22
00:01:43,990 --> 00:01:44,890
Question mark again.

23
00:01:45,610 --> 00:01:51,520
And these are the options: we can either deny or permit a connection request.

24
00:01:52,780 --> 00:01:57,280
So let's decide who to permit first. Question mark to see the options.

25
00:01:57,460 --> 00:01:57,850
OK.

26
00:01:59,680 --> 00:02:04,240
We can put a pattern here, so the computers matching the pattern are allowed.

27
00:02:05,890 --> 00:02:13,270
If we use any here, that means we permit all computers except the ones which are identified by the deny

28
00:02:13,570 --> 00:02:14,800
entries in the access list.

29
00:02:16,100 --> 00:02:21,380
Alternatively, we can permit directly any specified computer.

30
00:02:22,550 --> 00:02:28,640
So here I'll use host as the option and let my Kali access it.

31
00:02:29,330 --> 00:02:33,140
So let me look at the IP address of the Kali: 10.3.

32
00:02:34,690 --> 00:02:40,540
I want to deny all others, so access-list 2 deny any.

33
00:02:41,970 --> 00:02:50,640
Now, the next thing we have to do is go to the line vty and apply this access list to the interface.

34
00:02:52,140 --> 00:02:56,460
Good, so type line vty 0 4 to enter line config.

35
00:02:58,440 --> 00:03:01,620
In the line config, we'll use the access-class command.

36
00:03:03,210 --> 00:03:10,290
Number of the access list first, and now a question mark to see the options, and look at that, there are

37
00:03:10,290 --> 00:03:12,450
two options: in and out.

38
00:03:13,600 --> 00:03:18,550
Now, since we're going to be telnetting into the router, we're going to use in.

39
00:03:19,710 --> 00:03:22,860
Exit or Ctrl-C to exit from the line config mode.
40
00:03:24,280 --> 00:03:28,630
Now I want you to see the running config, so type show run.

41
00:03:30,140 --> 00:03:33,890
And here is the running config, so scrolling down.

42
00:03:34,320 --> 00:03:37,460
Showing the access list, and make sure that everything's right.

43
00:03:42,540 --> 00:03:43,290
So here it is.

44
00:03:43,680 --> 00:03:50,430
And yes, as you can see, we have our access list 2 to permit Kali and deny any other host attempting

45
00:03:50,430 --> 00:03:51,510
to make a Telnet connection.

46
00:03:53,680 --> 00:03:57,610
Now, let's test whether the access list works as intended.

47
00:04:00,050 --> 00:04:03,150
So back in my network, I have other virtual machines, like,

48
00:04:04,010 --> 00:04:09,170
one of them is OWASP BWA, as you know, and its IP address is 10.4.

49
00:04:10,770 --> 00:04:17,580
First, I want to check if the network is OK and OWASP sees the router, so ping one nine two two one

50
00:04:17,580 --> 00:04:19,370
six eight one zero two one.

51
00:04:19,860 --> 00:04:22,080
And sure enough, we have the replies.

52
00:04:23,820 --> 00:04:30,690
Now I want to create a Telnet connection to the router, so type telnet and the router IP, hit enter.

53
00:04:32,280 --> 00:04:33,630
Connection is refused.

54
00:04:34,720 --> 00:04:37,150
Well, that's what it's supposed to be, right?

55
00:04:37,660 --> 00:04:40,960
That means the deny part of the access list is working properly.

56
00:04:41,810 --> 00:04:43,220
What about the permit part?

57
00:04:44,150 --> 00:04:51,650
So go to the Kali terminal screen, telnet into the router, and as you can see, we can telnet into the

58
00:04:51,650 --> 00:04:52,040
router.

59
00:04:52,850 --> 00:04:57,380
The request is not refused and we are allowed to telnet from Kali.

60
00:04:58,860 --> 00:05:05,280
So to double check, I'll run an nmap query to check whether the Telnet port of the router is open.

61
00:05:09,660 --> 00:05:11,340
And yes, of course it is.
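Added worked example, not part of the lecture transcript above: a small Python model of the standard-ACL semantics the lecture relies on (first match wins, `host A` equals `A 0.0.0.0`, `any` equals `0.0.0.0 255.255.255.255`, implicit `deny any` at the end, and `access-class N in` binding the list to the vty lines). The lecture only gives the last octets "10.3" (Kali) and "10.4" (OWASP BWA); the full addresses 192.168.10.3 and 192.168.10.4, the /24 subnet, and the reconstructed config text `LAB_CONFIG` are assumptions made here so the example runs offline. Function and constant names are this example's own.

```python
# Added example (not from the lecture): a model of Cisco IOS standard ACL
# semantics as applied to the vty lines with `access-class N in`.
# Assumed, since the lecture only says "10.3" and "10.4": the lab subnet is
# 192.168.10.0/24, so Kali is 192.168.10.3 and OWASP BWA is 192.168.10.4.
import ipaddress
import re

ENTRY_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>\S+)|(?P<addr>\S+)(?:\s+(?P<wild>\S+))?)\s*$"
)

# Reconstruction of what the lecture typed, with the assumed addresses above.
LAB_CONFIG = """\
access-list 2 permit host 192.168.10.3
access-list 2 deny any
line vty 0 4
 access-class 2 in
 login
"""


def parse_standard_acls(config):
    """Return {acl_number: [(action, network_int, wildcard_int), ...]} in configuration order."""
    acls = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("access-list "):
            continue  # line vty, access-class, login, ... are not ACL entries
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unsupported standard ACL entry: {line!r}")
        num = int(m["num"])
        if not (1 <= num <= 99 or 1300 <= num <= 1999):
            raise ValueError(f"{num} is not a standard ACL number")
        if m["any"]:
            net, wild = 0, 0xFFFFFFFF  # 'any' == 0.0.0.0 255.255.255.255
        elif m["host"]:
            net, wild = int(ipaddress.IPv4Address(m["host"])), 0  # 'host A' == A 0.0.0.0
        else:
            net = int(ipaddress.IPv4Address(m["addr"]))
            # IOS treats a bare address with no wildcard as a single host
            wild = int(ipaddress.IPv4Address(m["wild"] or "0.0.0.0"))
        acls.setdefault(num, []).append((m["action"], net, wild))
    return acls


def wildcard_match(src, net, wild):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care' (inverse of a netmask)."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (net & care)


def evaluate(entries, src):
    """First matching entry wins; a source that matches nothing hits the implicit 'deny any'."""
    for action, net, wild in entries:
        if wildcard_match(src, net, wild):
            return action
    return "deny"


def vty_allows(config, src):
    """Would a Telnet/SSH connection from `src` get past the vty access-class?"""
    acls = parse_standard_acls(config)
    m = re.search(r"^\s*access-class\s+(\d+)\s+in\s*$", config, re.M)
    if not m:
        return True  # no access-class on the vty lines: every source may connect
    num = int(m.group(1))
    if num not in acls:
        return True  # IOS filters nothing when the referenced ACL is undefined (a typo opens the line)
    return evaluate(acls[num], src) == "permit"


if __name__ == "__main__":
    for host in ("192.168.10.3", "192.168.10.4"):
        print(host, "permit" if vty_allows(LAB_CONFIG, host) else "deny")
```

Two things worth checking on a real box after `show run`: the entry order (swapping the two `access-list 2` lines denies Kali too, because `deny any` is then the first match), and that the number in `access-class` actually exists under `show access-lists`, since an undefined list filters nothing. The explicit `deny any` is redundant with the implicit deny but gives you a hit counter for refused attempts. The ACL limits who can reach the line; it does not change the fact that Telnet itself is cleartext, so `transport input ssh` still belongs on the same vty lines.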