WEBVTT

0
00:01.230 --> 00:02.400
Hello guys!

1
00:02.430 --> 00:08.150
I'll start a series of videos on how to hack the ARP protocol and launch

2
00:08.160 --> 00:12.270
a MiTM attack to capture sensitive data.

3
00:12.270 --> 00:19.580
I want to start with a disclaimer: do not use any of the information I teach you in this video and

4
00:19.600 --> 00:27.720
in all my other videos related to network security and ethical hacking for malicious activities. Launch

5
00:27.750 --> 00:34.530
the attacks shown in this course only on your network or on other networks that you have permission

6
00:34.530 --> 00:37.440
to access. Let's

7
00:37.440 --> 00:45.410
start with a short explanation of what ARP is and how it works. A good understanding of ARP is critical

8
00:45.410 --> 00:48.970
to deeply understand how this attack works.

9
00:49.310 --> 00:57.080
ARP stands for Address Resolution Protocol and is one of the fundamental protocols used in

10
00:57.080 --> 01:05.840
wired Ethernet and wireless networks. When a device wants to communicate with another device in a local

11
01:05.840 --> 01:06.840
area network

12
01:06.950 --> 01:15.500
it needs both the MAC and the IP address of the destination. The user that starts the application on

13
01:15.500 --> 01:23.430
the source host uses only the IP address of the destination host. The destination MAC address remains

14
01:23.430 --> 01:26.300
hidden to the user.

15
01:26.410 --> 01:32.950
Just imagine that you want to ping a device on your LAN or you want to connect using HTTP,

16
01:32.980 --> 01:40.690
so the browser, to the local router or to other websites. In all these cases you'll use only the

17
01:40.690 --> 01:42.730
IP address of the destination.

18
01:42.850 --> 01:49.450
If you are not a networking engineer or a technical person you wouldn't even know that there is also a

19
01:49.450 --> 01:52.590
MAC address involved. In a LAN

20
01:52.630 --> 02:01.210
the packets go through a switch or an access point, and they make decisions based only on the MAC address.

21
02:02.620 --> 02:09.280
The switch or the access point looks for the MAC address in the packet headers and

22
02:09.280 --> 02:11.510
forwards it accordingly.

23
02:11.530 --> 02:13.240
Let's look at an example!

24
02:13.330 --> 02:20.370
I'll ping the internal interface of the router, which is the default gateway. Before launching

25
02:20.380 --> 02:21.670
the ping command

26
02:21.670 --> 02:26.090
I'll start Wireshark to sniff the traffic.

27
02:26.310 --> 02:32.210
I want to see all packets that are being transmitted and received.

28
02:32.430 --> 02:38.670
I am starting Wireshark: Capture Options,

29
02:38.670 --> 02:42.740
I am selecting the interface, WiFi, and start!

30
02:45.480 --> 02:51.850
And I am pinging the default gateway: ping 192.168.0

31
02:51.870 --> 02:52.770
.1

32
02:58.770 --> 03:07.210
Okay! It's working! As you can see I've used only the IP address of the destination and not the MAC address

33
03:07.270 --> 03:07.810
as well

34
03:10.790 --> 03:17.600
I'll stop capturing packets! If we take a look in Wireshark at ICMP packets,

35
03:17.640 --> 03:26.610
these are ICMP packets, and were generated by the ping command, we notice that there are both the IP and

36
03:26.610 --> 03:30.220
the MAC address in the packet headers.

37
03:30.240 --> 03:33.120
Let's take a look at this packet!

38
03:33.120 --> 03:39.720
This is the source MAC address, the destination MAC address, the source IP address and the destination

39
03:39.930 --> 03:47.920
IP address; somehow the source host should have found the MAC address of the destination.

40
03:48.230 --> 03:50.870
And here is where ARP comes into play.

41
03:50.870 --> 03:58.820
It works behind the scenes and finds the hardware address, also known as MAC address, of a host from its

42
03:58.940 --> 04:01.110
own IP address.

43
04:01.130 --> 04:05.400
Let's take a look again at the packets captured by Wireshark.

44
04:06.420 --> 04:12.860
And we notice these two packets; these two packets of type ARP.

45
04:12.870 --> 04:14.810
This is an ARP request packet

46
04:14.940 --> 04:17.830
and this is an ARP reply packet.

47
04:17.910 --> 04:23.910
The ARP request packet is nothing but a broadcast packet sent over the network to find out the

48
04:23.910 --> 04:27.480
corresponding MAC address of a given IP address,

49
04:27.480 --> 04:29.510
the destination address.

50
04:29.790 --> 04:37.980
We notice that this ARP request packet is destined to the broadcast address. The destination MAC

51
04:37.980 --> 04:40.850
address is of type broadcast.

52
04:41.160 --> 04:48.700
Being a broadcast packet means that it will be received by each host in the network and the message

53
04:48.790 --> 04:57.560
says: "Who has 192.168.0.1? Tell

54
04:57.560 --> 05:06.450
192.168.0.103". .1 was the destination,

55
05:06.550 --> 05:15.260
so the IP address of the default gateway, and .103 the IP address of Windows. In plain

56
05:15.290 --> 05:24.020
English it means: what is the MAC address of 192.168.0.1? Wants to

57
05:24.020 --> 05:32.030
know: 192.168.0.103. Each host on the

58
05:32.030 --> 05:39.150
network has received the packet but only the host with the IP address 192.168.0.1

59
05:39.250 --> 05:47.540
has responded back with an ARP reply packet that contains its own

60
05:47.600 --> 05:56.860
MAC address. This is the ARP reply packet and it says that 192.168.0.1,

61
05:56.860 --> 06:04.550
so the destination, has this MAC address. Now the source host, which is

62
06:04.550 --> 06:11.450
the Windows machine, knows both the IP and the MAC address of the destination and can build and then

63
06:11.510 --> 06:21.520
send the ping echo request packets on the network; and we've seen in the packet headers both the IP of the destination

64
06:21.550 --> 06:28.770
given by the user and its corresponding MAC address found by ARP.

65
06:28.940 --> 06:37.740
This is the destination MAC address found by ARP. Now, after resolving the MAC address of the

66
06:37.740 --> 06:39.690
destination, ARP stores

67
06:39.700 --> 06:47.590
the mapping between the IP and the MAC in a table called the ARP table for future reference; the subsequent

68
06:47.620 --> 06:54.250
communications with the same destination IP address can use the same MAC address from the ARP table.

69
06:54.670 --> 07:02.310
The source host will not repeat the process to find the MAC address of the destination. If you want

70
07:02.310 --> 07:10.080
to display the ARP table, you execute arp -a, both on Windows and Linux.

71
07:15.430 --> 07:23.790
This is the ARP table; you will see the mappings between IP addresses and the MAC addresses. For example

72
07:23.970 --> 07:32.980
this is the mapping between the IP address of the default gateway and its MAC address found by ARP. If

73
07:32.980 --> 07:41.440
you want to delete the entries in the ARP table, you execute arp -d on Windows. To run this command

74
07:41.650 --> 07:52.400
you need administrative privileges. Now the ARP table is empty. So this is basically how ARP works.

75
07:53.210 --> 07:59.030
Now we'll take a short break and in the next lecture we'll talk about Man-in-the-Middle attacks

76
07:59.180 --> 08:00.470
and ARP poisoning!