WEBVTT

0
00:01.030 --> 00:08.150
Now that we know in detail how ARP works and how ARP Poisoning is performed let’s launch the attack! 


1
00:08.150 --> 00:13.290
The attack is possible on both wired and wireless networks.

2
00:13.360 --> 00:20.470
My setup in this video is to launch the attack on the wireless network and I have a Linux Mint

3
00:20.590 --> 00:28.540
installed in a VM on Windows 10; it's important that the WiFi network be set to bridge mode.

4
00:29.920 --> 00:37.960
So in VirtualBox or in VM go to networks and check that it's attached to the bridged adapter.

5
00:41.390 --> 00:42.360
In this lab

6
00:42.560 --> 00:48.470
I'm going to use a tool called Ettercap, which is the default tool used to attack ARP.

7
00:48.530 --> 00:56.360
Other interesting tools that do the same are: arpspoof, Man in the Middle framework or Bettercap.

8
00:56.420 --> 01:03.670
We'll take a deeper look at Bettercap, which is an advanced hacking tool, in the next lectures. You'll

9
01:03.670 --> 01:07.240
find Ettercap in Kali Linux already installed

10
01:07.240 --> 01:10.810
or we can install it on any other Linux distribution.

11
01:10.810 --> 01:18.380
It's a common security application that belongs to the standard repositories. If you don't use Kali

12
01:18.580 --> 01:21.260
and use Ubuntu or another similar distribution

13
01:21.300 --> 01:23.820
you can install it using apt.

14
01:23.970 --> 01:30.270
This is Linux Mint which is based on Ubuntu and I'll show you how to install Ettercap just in case

15
01:30.360 --> 01:40.910
you don't use Kali. There are both a text only and a GUI enabled version of Ettercap. As root I am executing

16
01:40.980 --> 01:43.670
apt search ettercap

17
01:48.140 --> 01:56.660
This is the Ettercap GUI enabled executable and this is the text only version. In this video I'll use

18
01:56.660 --> 02:02.750
that text only version. Maybe you want to run Ettercap from a machine that doesn't have a graphical

19
02:02.750 --> 02:10.700
interface installed or you are connected using ssh on the machine where you want it to start. And

20
02:10.700 --> 02:17.140
to install it I run apt install ettercap-text-only

21
02:21.440 --> 02:28.870
Perfect, it has been installed! In this attack I wanted to poison the ARP cache of both the router

22
02:29.000 --> 02:32.950
and the Windows machine which I use to record this video.

23
02:33.110 --> 02:39.680
It will be the victim; the IP address of the router is 192.168.0.1

24
02:39.710 --> 02:48.610
and the IP address of Windows is this 192.169.0.103

25
02:48.610 --> 02:59.520
Okay, I am executing the attack: ettercap -T

26
02:59.610 --> 03:09.780
-M ARP / the victim 192.168.0.103 //

27
03:10.080 --> 03:11.800
and the default gateway.

28
03:11.850 --> 03:21.540
In fact this is the second victim. I am not hitting enter yet. I want to explain to you some things:

29
03:22.020 --> 03:31.020
-T means text only interface and the -M means Man in the Middle Attack of type ARP poisoning.

30
03:32.210 --> 03:39.200
This option will activate the Man in the Middle Attack which is totally independent from the sniffing.

31
03:40.100 --> 03:47.540
The aim of the attack is to hijack packets and redirect them to ettercap; then the sniffing engine

32
03:47.750 --> 03:55.430
will forward them to the real destination. Everything will be transparent to the victims. Before starting

33
03:55.430 --> 04:06.650
the attack let's see the ARP cache of the victim: arp -a and we notice the ARP and the MAC address

34
04:06.680 --> 04:15.020
of the router but there is not the Linux IP and MAC address, that's because it hasn't learned it yet.

35
04:15.210 --> 04:22.970
And I'll ping the Linux machine to generate an ARP request and reply packets so it will learn the MAC address

36
04:23.150 --> 04:30.870
of the Linux machine: ping, and let's see the IP address of Linux: ifconfig

37
04:32.080 --> 04:32.650
Okay.

38
04:32.700 --> 04:36.450
This is the IP address of Linux and I am pinging it!

39
04:42.880 --> 04:51.360
Let's check the ARP table again! Perfect; it has learned the MAC address of Linux!

40
04:51.520 --> 04:57.830
This is the IP address of the default gateway and its MAC address and the IP address of Linux

41
04:58.120 --> 05:04.070
and its MAC address. Let's start the attack! I am hitting the enter key!

42
05:10.000 --> 05:18.970
ARP poisoning victims and starting unified sniffing! It has started the unified sniffing

43
05:19.000 --> 05:26.290
which means it will sniff all the packets that pass on the medium! Note that I had some issues with

44
05:26.290 --> 05:33.550
Kali Linux so if you get this error try to install another Linux distribution, like Ubuntu or Linux Mint,

45
05:33.850 --> 05:35.680
and see if it works.

46
05:35.920 --> 05:43.600
Please get in touch with me if you can't make it work and I'll assist you with this! Let's return

47
05:43.720 --> 05:51.380
to the attack. We suppose that everything runs smoothly and we move ahead. I'll go to Windows and

48
05:51.380 --> 05:53.490
see the ARP table again.

49
05:55.620 --> 06:04.420
And surprise! We notice that both the default gateway and the attacker have the same MAC address

50
06:04.480 --> 06:13.180
saved in ARP cache. This is the MAC address of the attacker in the previous arp -a command

51
06:13.660 --> 06:19.970
and the same MAC address is bound to both the default gateway and the hacker.

52
06:20.110 --> 06:22.880
This is what ARP poisoning does!

53
06:22.960 --> 06:30.070
The ARP cache has been poisoned! Now let's visit a website from the victim machine.

54
06:30.380 --> 06:37.970
I have chosen vulnweb.com which is a site that hosts intentionally vulnerable applications to understand

55
06:37.970 --> 06:42.510
how programming and configuration errors lead to security breaches.

56
06:42.530 --> 06:48.480
It was created for the purpose of manual penetration testing or for educational purposes.

57
06:48.530 --> 06:57.030
Feel free to use it to test how ARP poisoning works! And I'll access the last URL which is in fact

58
06:57.120 --> 07:01.290
a blog and then on log in.

59
07:01.460 --> 07:06.080
I'll try to log in! Back to the hacker's computer

60
07:06.680 --> 07:19.290
I'll start Wireshark! Capture - Options - the interface and Start. And on the victim machine

61
07:19.290 --> 07:29.360
I log in to that website: hacker and the password will be test 1 2 3 4 and I am clicking log in. 

62
07:31.160 --> 07:37.370
The authentication was not successful but this is not important at this moment.

63
07:37.400 --> 07:42.280
Let's move to the hacker's machine and see the intercepted traffic!

64
07:46.140 --> 07:48.970
I'll stop capturing packets.

65
07:48.990 --> 07:56.660
These are the packets sent between the victim and the website and there should also be the credentials

66
07:56.670 --> 08:02.540
I've just entered. I am filtering for http packets.

67
08:04.580 --> 08:13.130
We notice that this isn't an encrypted connection; it's using http and not https. Let's click on an 

68
08:13.130 --> 08:23.230
http packet with the right mouse button and then Follow and HTTP Stream; and in this window we

69
08:23.230 --> 08:30.960
see the http packets sent between client and server which also contain the user name and password.

70
08:32.110 --> 08:33.440
Look here!

71
08:33.610 --> 08:37.020
User name hacker password test

72
08:37.150 --> 08:40.780
234 okay!

73
08:40.810 --> 08:47.660
We have successfully launched this Man in the Middle Attack and captured sensitive data.

74
08:47.670 --> 08:57.420
My advice to you is to never use unencrypted connections like http, telnet, smtp or ftp.

75
08:57.540 --> 08:59.790
This is an unencrypted connection.

76
08:59.820 --> 09:01.080
It's not secure.

77
09:01.930 --> 09:10.300
A malicious user could sniff your traffic and sensitive data very easily. To stop the attack

78
09:10.310 --> 09:19.790
you press on Q in the terminal where Ettercap is running and it's simply re-arping the victims; you've

79
09:19.790 --> 09:27.530
just learnt how to launch ARP spoofing attacks of type Man in the Middle on any wired or wireless

80
09:27.530 --> 09:28.310
network.

81
09:28.370 --> 09:35.000
In the next lecture we'll dive deeper into ARP spoofing and I'll show you other advanced hacking tools

82
09:35.210 --> 09:39.510
and how to bypass https and sniff encrypted traffic.

83
09:40.570 --> 09:42.160
See you in a few seconds!