WEBVTT

0
00:01.730 --> 00:05.950
In the last lecture we've seen what ARP is and how it works.

1
00:06.020 --> 00:12.020
Now it's time to go deep into Man in the Middle Attack and ARP poisoning. Let's 

2
00:12.020 --> 00:14.210
go ahead to the ARP poisoning

3
00:14.320 --> 00:17.150
aka ARP spoofing attack.

4
00:17.180 --> 00:23.990
This is a MITM attack that is carried out over a Local Area Network (LAN) and involves sending 


5
00:24.020 --> 00:28.580
malicious ARP reply packets to at least 2 hosts on the network

6
00:28.580 --> 00:35.960
which are the victims of the attack. A MITM attack is a cyber attack in which a hacker 

7
00:35.980 --> 00:43.670
inserts himself in a conversation between 2 users or applications, either to eavesdrop or to impersonate 

8
00:43.670 --> 00:50.960
one of the parties, making it appear as if a normal exchange of information is underway.

9
00:50.960 --> 00:58.040
The goal of an attack is to steal personal information such as login credentials, account details or

10
00:58.040 --> 00:59.630
credit card numbers.

11
01:00.680 --> 01:09.150
Critical to this scenario is that the victim isn't aware of the Man in the Middle. Most of the time

12
01:09.240 --> 01:14.460
the router, which is the default gateway of the LAN, is one of the victims.

13
01:14.460 --> 01:22.820
This allows the hacker to intercept packets on a network, modify the traffic or stop all traffic.

14
01:22.890 --> 01:28.020
Often this attack is used as an opening for other attacks.

15
01:28.110 --> 01:31.020
Let's take a closer look at this image.

16
01:31.050 --> 01:39.850
I want to explain to you how the attack works. The hacker or the malicious user will continuously send

17
01:39.940 --> 01:46.660
ARP reply packets to both the default gateway and the user in the LAN which is the victim of the 


18
01:46.660 --> 01:51.760
attack. In these specially crafted ARP reply packets the


19
01:51.760 --> 01:59.050
hacker will associate its own MAC address with the IP address of the other host, such as a web 

20
01:59.050 --> 02:01.730
server or the default gateway.

21
02:01.840 --> 02:06.880
It will cause any traffic meant for that IP address, the default gateway

22
02:06.880 --> 02:10.840
in this case, to be sent to the attacker instead.

23
02:10.870 --> 02:17.050
Note that clients accept responses even though they didn't send the request.

24
02:17.050 --> 02:22.840
They simply trust the ARP response without any form of verification.

25
02:22.840 --> 02:31.880
This is a weakness in the ARP protocol that allows the existence of the ARP spoofing attack. In this image

26
02:31.880 --> 02:39.050
the hacker will send an ARP reply packet to the host saying that the IP address of the default gateway

27
02:39.380 --> 02:41.200
has its own MAC address,

28
02:41.240 --> 02:49.130
the hacker's MAC address. It will also send another ARP reply packet to the default gateway saying

29
02:49.130 --> 02:57.800
that the IP address of the host has the MAC address of the hacker; the user will save in its ARP table

30
02:58.070 --> 03:04.770
the IP address of the default gateway and the MAC address of the hacker and the default gateway will

31
03:04.770 --> 03:11.870
save in its ARP table the IP address of the user and the MAC address of the same hacker.

32
03:12.060 --> 03:19.020
Now when the host wants to send the packet outside the local network, so to the Internet, it will use

33
03:19.260 --> 03:25.830
the IP address or the domain of the destination, for example Google.com, and the MAC address of the

34
03:25.830 --> 03:28.310
router found by ARP.

35
03:28.320 --> 03:30.510
This is how networks work.

36
03:30.600 --> 03:37.020
Each packet destined to a destination outside the LAN will be sent to the MAC address of the DG. 


37
03:37.020 --> 03:44.370
The switch that receives the packet will forward the packet based on the destination MAC 

38
03:44.430 --> 03:51.050
address and will forward it to the hacker because that’s the destination MAC address of the packet.

39
03:51.060 --> 03:57.810
Now if the hacker just wants to read the data and remain invisible he will read the packet contents 

40
03:58.080 --> 04:00.900
and then forward it to the real destination.

41
04:01.730 --> 04:04.170
When the return traffic from the Internet

42
04:04.170 --> 04:10.610
hits the router’s interface, the router will forward the packet to the destination host in the

43
04:10.610 --> 04:11.290
LAN.

44
04:11.300 --> 04:15.450
It will search for the MAC address of the destination in its 

45
04:15.520 --> 04:23.690
ARP table and use that MAC address in the packet header. Now, as we’ve already learned, in the ARP

46
04:23.830 --> 04:31.700
table the IP address of the host is mapped to the MAC address of the hacker so the hacker will receive

47
04:31.730 --> 04:39.190
the response packet. It will capture and inspect the packet and then forward it to the actual destination.

48
04:39.350 --> 04:45.460
If the hacker just wants to launch a denial of service attack he simply drops the packets.

49
04:45.470 --> 04:49.680
This type of attack remains invisible to the victim.

50
04:49.700 --> 04:57.120
Now you have a very good understanding of how ARP and ARP poisoning work. In the next lecture

51
04:57.200 --> 04:58.610
we'll launch the attack!