WEBVTT

0
00:01.540 --> 00:09.310
In this video I'll show you another attack on ARP protocol, this time of type  denial of service.

1
00:09.380 --> 00:17.110
A hacker could launch this attack on any host wired or wireless for example on a mobile phone or on

2
00:17.260 --> 00:23.430
an IoT  device on the local network which he's connected to. This hack

3
00:23.470 --> 00:30.210
will use arp spoofing just like the MITM attack we’ve seen in the last lecture, just that but this

4
00:30.280 --> 00:38.050
this time the hacker will disrupt the service or host connection to make the websites or other resources

5
00:38.280 --> 00:40.540
unavailable to the victim.

6
00:40.600 --> 00:46.820
The anatomy of this attack is the same as of the ARP Man in the Middle attack

7
00:46.990 --> 00:51.330
just that the hacker will drop any packets he intercepts

8
00:51.400 --> 00:58.270
instead of routing them to the real destination like in the case of the Man in the Middle Attack. Let's

9
00:58.330 --> 01:03.320
see the attack live. On Kali

10
01:03.360 --> 01:06.820
I am opening a terminal and becoming  root

11
01:09.780 --> 01:11.800
sudo su and a hyphen

12
01:14.840 --> 01:16.730
and I am starting bettercap

13
01:16.730 --> 01:26.110
bettercap -iface and the name of the interface eth0. Let's

14
01:26.120 --> 01:30.050
see the help f arp.spoof module again

15
01:34.400 --> 01:43.690
and we notice arp.ban which can be on or off. This attack will use the same of module, named arp.

16
01:43.710 --> 01:44.310
spoof, 

17
01:44.390 --> 01:50.420
but this time in ban mode meaning that the target connectivity will not work anymore.

18
01:52.240 --> 02:00.610
Okay let's set the target: set arp.spoof.targets
and the IP address of the windows

19
02:00.610 --> 02:01.600
machine.

20
02:01.600 --> 02:02.670
This will be the victim

21
02:07.630 --> 02:13.460
192.168.0.113

22
02:16.350 --> 02:20.760
net.recon module is required for arp.ban

23
02:21.000 --> 02:22.640
So I'm going to start it.

24
02:22.860 --> 02:30.480
If you don't start it explicitly bettercup will start to net.recon as a requirement when starting

25
02:30.580 --> 02:40.080
arp.ban.  So net.recon on! Before starting the attack let's see that the victim can communicate

26
02:40.140 --> 02:43.040
normally on the LAN and on the Internet

27
02:45.810 --> 02:52.470
ping.8.8.8.8 it's working and let's a website!

28
02:56.070 --> 03:08.260
okay it's working ! Let's start the attack arp.ban on and we notice that arp.ban has been started

29
03:09.890 --> 03:17.850
In fact arp.ban means arp.spoof without forwarding enabled, so intercepted packets are

30
03:17.850 --> 03:25.230
not forwarded to their real destination. Let's return to the victim machine and see if the connection

31
03:25.260 --> 03:26.370
still works;

32
03:31.390 --> 03:40.810
and it's not working, the packets are intercepted by the hacker and dropped; and the website, I am refreshing

33
03:40.900 --> 03:44.740
the page and it's not the loading!

34
03:49.630 --> 03:57.880
and arp-a say and we notice that the hacker, the IP address that ends in 200 and the default

35
03:57.880 --> 04:07.340
gateway have the sameMAC address. This is what are spoofing means. Again on the hacker machine I am

36
04:07.340 --> 04:18.600
stopping the attack arp.ban off restoring arp cache of one target; let's see if  it works: ping

37
04:18.960 --> 04:26.700
.8.8.8.8 and it's working and that the web page is loading ! This is

38
04:26.700 --> 04:32.970
how you perform a denial of service attack using Bettercap and ARP on your local network.