WEBVTT

0
00:01.850 --> 00:03.790
Hello and welcome back!

1
00:03.800 --> 00:10.910
In the last lectures we've discussed what ARP poisoning is and how to execute an ARP poison attack using

2
00:10.910 --> 00:15.650
both Ettercap and Bettercap. Let's recap in just a few words

3
00:15.680 --> 00:17.340
what it was all about.

4
00:17.440 --> 00:24.500
A Man in the Middle Attack of type ARP poisoning is achieved when an attacker poisons the ARP cache of

5
00:24.500 --> 00:32.200
two devices with its own MAC address; once the ARP cache has been successfully poisoned

6
00:32.260 --> 00:40.210
each of the victim devices sends all of their packets to the attacker when communicating to each other.

7
00:40.210 --> 00:46.170
This puts the attacker in the middle of the communication between the two victim devices,

8
00:46.390 --> 00:49.350
hence the name Man in the Middle Attack.

9
00:49.450 --> 00:55.530
It allows an attacker to easily monitor all communication between victim devices.

10
00:55.540 --> 01:01.810
The purpose is to take over the session, intercept and view the information being passed between the

11
01:01.810 --> 01:08.940
two victim devices; let's go ahead and see the techniques to mitigate this attack.

12
01:08.970 --> 01:12.420
We divide these techniques into 2 categories.

13
01:12.420 --> 01:19.770
There is a central solution for the entire LAN which is implemented on the switch and is called Dynamic

14
01:19.910 --> 01:22.810
ARP Inspection or DAI.

15
01:22.890 --> 01:27.500
It has a dependency on DHCP Snooping, which must be enabled.

16
01:28.050 --> 01:31.890
The DHCP Snooping feature is covered in more detail

17
01:31.890 --> 01:39.960
in another lecture. Dynamic ARP Inspection is a security feature that is available on professional networking

18
01:39.960 --> 01:42.800
devices like Cisco switches.

19
01:42.930 --> 01:52.500
It helps prevent ARP poisoning and other ARP based attacks by intercepting all ARP requests and responses

20
01:52.950 --> 02:00.490
and by verifying their authenticity before forwarding the packets to the intended destinations.

21
02:00.510 --> 02:08.610
The switch creates a trusted binding table of IP and MAC addresses and then discards any ARP packets

22
02:08.850 --> 02:14.900
that are inconsistent with the information contained in the binding table.

23
02:14.910 --> 02:23.550
This binding table is dynamically populated by DHCP Snooping or statically by the admin for static

24
02:23.610 --> 02:24.970
IP addresses.

25
02:25.020 --> 02:33.280
If you activate Dynamic ARP Inspection and DHCP Snooping on each switch and a possible attacker

26
02:33.300 --> 02:39.060
starts an ARP poisoning attack, the switch will not forward to the hosts

27
02:39.060 --> 02:47.730
the ARP reply packets that associate the IP of the victim to the MAC of the attacker; it will verify each

28
02:47.730 --> 02:56.080
intercepted packet for a valid IP to MAC binding. I will not show you how to configure it because it's

29
02:56.100 --> 03:02.400
not the purpose of this lecture but I'll attach a full documentation of how to do it

30
03:02.400 --> 03:10.620
as a source for this lecture. Besides Dynamic ARP Inspection, which is a solution for enterprise

31
03:10.620 --> 03:14.310
networks and involves expensive switches,

32
03:14.310 --> 03:20.440
there are also local solutions that can be applied to each individual host.

33
03:20.460 --> 03:30.270
Let's take a look at these solutions! First I'll start an ARP spoofing attack using Ettercap.

34
03:30.310 --> 03:41.540
ettercap -T -M arp and the victims: the default gateway and the Windows machine

35
03:49.220 --> 03:49.790
okay.

36
03:49.810 --> 03:50.890
The attack is running!

37
03:53.580 --> 03:55.170
Now on the victim

38
03:55.190 --> 03:59.460
I'm displaying the ARP table: arp -a

39
04:02.640 --> 04:09.990
and we notice how the MAC of the attacker is associated with both the default gateway and the attacker.

40
04:12.040 --> 04:14.260
By inspecting the ARP table

41
04:14.260 --> 04:19.770
this way you can become aware that you are a victim of an ARP spoofing attack.

42
04:19.900 --> 04:23.860
But let's be honest who would continuously check the ARP table?

43
04:23.890 --> 04:32.250
It's not only impossible to do it on a regular basis but also annoying! The good news is that there

44
04:32.250 --> 04:35.370
are tools that automatically monitor for you

45
04:35.370 --> 04:44.600
the ARP table and generate an alert when something bad happens. You can see here a lot of tools that

46
04:44.630 --> 04:53.460
do this. One well-known tool is XArp, which works both on Linux and Windows.

47
04:53.460 --> 05:01.890
There is also a very good tool called arpwatch for Linux based systems and I have used it successfully

48
05:01.890 --> 05:08.800
many times. Let's download and install XArp on the victim machine.

49
05:12.130 --> 05:18.560
Download! I am downloading the Windows version and I will install it

50
05:28.480 --> 05:29.670
and I'm running it

51
05:33.730 --> 05:34.650
OK.

52
05:34.790 --> 05:40.910
We notice that XArp has generated an alert saying an ARP spoofing attack

53
05:40.920 --> 05:41.920
is running.

54
05:41.970 --> 05:45.640
This is the alert! OK.

55
05:45.650 --> 05:54.560
It noticed that the MAC address for this IP address, the default gateway, changed; this is what

56
05:54.600 --> 06:05.210
XArp does. It alerts you when something bad is happening! I'm stopping the attack; let's move on and

57
06:05.210 --> 06:09.910
take a look at another solution to mitigate the ARP spoofing attack.

58
06:10.130 --> 06:17.430
You can use static ARP entries to combat spoofing and the Man in the Middle Attacks; static

59
06:17.460 --> 06:24.560
ARP entries are IP MAC bindings that are manually added to the cache table for a device and are

60
06:24.560 --> 06:33.010
retained in the cache on a permanent basis; when this is done the OS will ignore all ARP responses

61
06:33.230 --> 06:41.150
for the specific IP address used in the entry and use the specified MAC address instead.

62
06:41.360 --> 06:50.700
You need to create ARP table entries for all of the devices on your LAN and this is not scalable. If

63
06:50.700 --> 06:58.920
you have n devices you must create in total n(n-1)/2 entries or if you

64
06:58.920 --> 07:04.270
have 10 devices you have to create 45 ARP entries.

65
07:04.350 --> 07:10.740
You can automate the process by using scripting or we can at least protect the default gateway or the

66
07:10.740 --> 07:14.990
main server. At the end of this lecture

67
07:15.020 --> 07:21.710
I'll show you how to detect different protocol anomalies including an ARP storm which is in fact a kind

68
07:21.770 --> 07:25.070
of network scanning. Let's open wireshark!

69
07:29.260 --> 07:42.210
And I'll go to Edit > Preferences > Protocols and I'm searching for ARP and I'm selecting Detect ARP request

70
07:42.220 --> 07:46.850
storms. OK, and I'll start the capture.

71
07:56.980 --> 08:05.920
I'm returning to Kali and I'll run netdiscover; netdiscover is a reconnaissance tool used to detect

72
08:06.010 --> 08:10.660
online hosts or search for them by sending ARP requests.

73
08:15.170 --> 08:20.460
It's scanning the network with ARP request packets. OK.

74
08:20.590 --> 08:30.840
These are the hosts; let's return to Wireshark! We see a lot of ARP packets. Let's stop capturing packets!

75
08:31.350 --> 08:41.440
I'll go to Analyze > Expert Information and we see here useful information including information about

76
08:41.530 --> 08:50.410
the ARP attack, ARP storm packet detected and the number of ARP packets for the past 100 milliseconds.