1 00:00:00,360 --> 00:00:07,740 Dynamic Host Configuration Protocol, DHCP, is a protocol used to provide automatic and central 2 00:00:07,740 --> 00:00:11,040 management for the distribution of IP addresses within a network. 3 00:00:12,630 --> 00:00:19,650 It's also used to configure the proper subnet mask, default gateway and DNS server information on the 4 00:00:19,650 --> 00:00:20,190 device. 5 00:00:21,200 --> 00:00:29,780 In most homes and small businesses, the router acts as the DHCP server; in large networks, a single computer 6 00:00:29,780 --> 00:00:31,610 might act as the DHCP server. 7 00:00:32,800 --> 00:00:40,000 In short, the process goes like this: the client requests an IP address from a router, 8 00:00:40,330 --> 00:00:40,870 the host. 9 00:00:41,710 --> 00:00:47,950 After which, the host assigns an available IP address to allow the client to communicate on the network. 10 00:00:49,240 --> 00:00:52,510 So let's look at some of the advantages of using DHCP. 11 00:00:53,640 --> 00:01:00,630 A computer or any other device that connects to a network, local or Internet, must be properly configured 12 00:01:00,630 --> 00:01:02,080 to communicate on that network. 13 00:01:02,130 --> 00:01:06,960 Makes sense, since DHCP allows that configuration to happen automatically. 14 00:01:07,410 --> 00:01:09,540 It's used in almost every device 15 00:01:09,540 --> 00:01:13,500 that connects to a network, including computers, switches, smartphones, gaming consoles, you name 16 00:01:13,500 --> 00:01:13,590 it. 17 00:01:14,960 --> 00:01:21,560 And because of this dynamic IP address assignment, there's less of a chance that two devices will have 18 00:01:21,560 --> 00:01:28,520 the same IP address, which is very easy to run into when using manually assigned static IP addresses.
19 00:01:30,400 --> 00:01:38,200 Using DHCP also makes a network much easier to manage from an administrative point of view: every device 20 00:01:38,200 --> 00:01:43,600 on the network can get an IP address with nothing more than its default network settings, which are 21 00:01:43,600 --> 00:01:46,060 set up to obtain an address automatically. 22 00:01:46,060 --> 00:01:47,110 So that's easy. 23 00:01:47,110 --> 00:01:49,870 Gives them nothing to call the helpdesk about. 24 00:01:50,980 --> 00:01:56,830 The only other alternative is to manually assign addresses to each and every device on the network. 25 00:01:58,220 --> 00:01:59,810 You're not getting paid enough to do that. 26 00:02:01,610 --> 00:02:07,850 So because these devices can get an IP address automatically, they can move freely from one network 27 00:02:07,850 --> 00:02:15,020 to another, given that they're all set up with DHCP and receive an IP address automatically, which 28 00:02:15,020 --> 00:02:16,760 is super helpful with mobile devices. 29 00:02:18,020 --> 00:02:24,890 Now, as a cyber security expert, you should know one more thing about the mechanism. 30 00:02:25,950 --> 00:02:32,490 The first device that replies to a DHCP Discover request decides the configuration of the client. 31 00:02:33,910 --> 00:02:38,260 There is no mechanism to authenticate the DHCP server. 32 00:02:40,420 --> 00:02:50,290 Similarly, a server tries to reply to all the requests, and again, there is no authentication mechanism 33 00:02:50,290 --> 00:02:53,870 for the client who requests an IP. You get it? 34 00:02:54,820 --> 00:02:55,590 I think you do. 35 00:02:56,050 --> 00:02:58,960 What if a hacker replies before the real DHCP server? 36 00:02:59,410 --> 00:03:06,100 Or what if a client sends a lot of DHCP Discover requests, changing the MAC address each time? 37 00:03:08,540 --> 00:03:13,150 So let's have a look to see how the mechanism works in detail.
38 00:03:15,140 --> 00:03:21,290 Once a device is turned on and connected to a network that has a DHCP server, it will send a request 39 00:03:21,290 --> 00:03:24,560 to the server called a Discover request. 40 00:03:25,920 --> 00:03:32,670 After the Discover packet reaches the DHCP server, the server attempts to hold on to an IP address that 41 00:03:32,670 --> 00:03:38,580 the device can use and then offers the client the address with an Offer packet. 42 00:03:39,950 --> 00:03:46,840 Once the offer has been made for the chosen IP address, the device responds to the server with a DHCP 43 00:03:46,850 --> 00:03:48,550 Request packet to accept it. 44 00:03:49,520 --> 00:03:56,600 After which the server sends an ACK packet that's used to confirm that the device has that specific IP 45 00:03:56,600 --> 00:04:02,960 address and to define the amount of time that the device can use the address before getting a new one. 46 00:04:03,900 --> 00:04:09,150 If the server decides a device cannot have the IP address, it will send a NAK. 47 00:04:11,150 --> 00:04:14,090 Let's see the server mechanism in Wireshark. 48 00:04:16,400 --> 00:04:22,550 So Wireshark is already embedded into Kali and it's ready to use. In addition, I'd also like to show 49 00:04:22,550 --> 00:04:25,590 you how to download and install it on a Windows system. 50 00:04:26,300 --> 00:04:33,380 So right now, I'm in a Windows 8 system. Open the Internet browser and search for Wireshark for 51 00:04:33,380 --> 00:04:36,080 Windows, using those as the keywords. 52 00:04:36,770 --> 00:04:40,640 The first link is the download page of wireshark.org. 53 00:04:40,880 --> 00:04:41,630 So let's click it. 54 00:04:43,010 --> 00:04:50,240 My Windows is 64-bit, so I'll download the 64-bit installer, which is the latest stable version. Click it and 55 00:04:50,240 --> 00:04:51,230 save the installer. 56 00:04:52,060 --> 00:04:56,950 Now it takes less than a minute, unless your connection is a mess; you might want to look into that.
57 00:05:01,590 --> 00:05:02,670 Click to run it. 58 00:05:06,960 --> 00:05:08,170 A setup wizard opens. 59 00:05:09,000 --> 00:05:14,880 OK, so simply it's a next, next, next, finish installation; you don't need to change anything. 60 00:05:15,210 --> 00:05:17,160 Wait until the installation finishes. 61 00:05:27,490 --> 00:05:31,720 OK, so check this to run Wireshark now and click Finish. 62 00:05:32,660 --> 00:05:35,570 And welcome to the Wireshark on Windows interface. 63 00:05:39,050 --> 00:05:43,820 So now I will show you the DHCP mechanism in Wireshark. 64 00:05:46,850 --> 00:05:52,760 So let's run Wireshark, and you can see that it's listing the packets received by Ethernet0. 65 00:05:54,420 --> 00:05:57,810 So to demonstrate the DHCP mechanism, 66 00:05:58,790 --> 00:06:03,050 we need to ask for an IP address from the DHCP server. 67 00:06:05,020 --> 00:06:11,380 From the bottom right corner, right-click the network icon and select Open Network and Sharing 68 00:06:11,380 --> 00:06:18,820 Center, click Ethernet0 and then Properties, scroll down a little bit and double-click 69 00:06:19,030 --> 00:06:20,680 Internet Protocol Version 4. 70 00:06:21,610 --> 00:06:25,890 And as you see here, the IP address is manually set on my Windows 8. 71 00:06:26,670 --> 00:06:33,520 So to start a DHCP request, I'll choose Obtain an IP address automatically and Obtain DNS server address automatically. 72 00:06:33,970 --> 00:06:35,380 Those are my options. 73 00:06:36,310 --> 00:06:42,070 Now, before I click OK, I'll go to Wireshark and restart capturing by clicking the green button 74 00:06:42,070 --> 00:06:42,760 on the toolbar. 75 00:06:43,900 --> 00:06:48,590 So now the Wireshark window will be cleared; continue without saving. 76 00:06:49,450 --> 00:06:55,120 So now go to the network status window and click OK, and we can close all the networking windows.
77 00:06:56,510 --> 00:07:02,420 So Wireshark captured the packets; well, it's still capturing, but let's go to the top of the list 78 00:07:02,420 --> 00:07:04,490 to find the DHCP packets. 79 00:07:05,690 --> 00:07:12,470 So here the Discover packet is right here at the top of the list. When we look at the ports in the 80 00:07:12,470 --> 00:07:13,260 UDP header, 81 00:07:13,910 --> 00:07:18,270 we see that port 68 is used to send the DHCP Discover packets. 82 00:07:18,950 --> 00:07:24,950 So let's go back to the filter box and type udp.port == 68. 83 00:07:25,430 --> 00:07:28,580 And now we have the DHCP packets only. 84 00:07:30,100 --> 00:07:38,230 So the first packet is the DHCP Discover, and as I mentioned before, it's broadcast: the source IP is all zeros 85 00:07:38,230 --> 00:07:40,180 because we don't have an IP address at the moment. 86 00:07:40,870 --> 00:07:43,060 Destination IP is all ones, 87 00:07:43,960 --> 00:07:48,970 255.255.255.255, because it's a broadcast packet. 88 00:07:50,790 --> 00:07:57,780 And right here is Bootstrap Protocol, which is the application layer protocol that the DHCP mechanism is built on. 89 00:07:59,150 --> 00:08:06,980 The second packet is a DHCP Offer packet sent by the DHCP server, 172.16.99.254, 90 00:08:07,130 --> 00:08:09,190 to the Windows system. 91 00:08:10,010 --> 00:08:15,680 Destination IP is 172.16.99.223, which is the address offered by the 92 00:08:15,980 --> 00:08:19,940 DHCP server. Here the destination 93 00:08:19,940 --> 00:08:21,320 MAC address is important. 94 00:08:22,190 --> 00:08:24,650 That's how the packet is targeted, according to the MAC address. 95 00:08:25,250 --> 00:08:32,270 As you see, the destination MAC address of the DHCP Offer packet is the same as the source MAC address 96 00:08:32,330 --> 00:08:34,670 of the DHCP Discover packet.
97 00:08:36,060 --> 00:08:40,920 Now, the third packet is the DHCP Request sent by the Windows system. 98 00:08:41,910 --> 00:08:46,680 It's still a broadcast packet, and the source IP is still all zeros. 99 00:08:47,720 --> 00:08:56,150 The message type is Request, and the requested IP address is in option 50, so if you expand it, you see 100 00:08:56,150 --> 00:09:03,260 the requested IP address, and it's the same as the offered IP address, 101 00:09:03,260 --> 00:09:04,730 172.16.99.223. 102 00:09:05,510 --> 00:09:11,030 The last packet is the DHCP ACK, sent by the server to the Windows system. 103 00:09:11,970 --> 00:09:15,420 This packet completes the DHCP mechanism successfully. 104 00:09:17,110 --> 00:09:23,320 So from now on, the IP address of our Windows system is 105 00:09:23,320 --> 00:09:23,620 172.16.99.223.
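The Discover/Offer/Request/ACK exchange walked through in the capture above, and the two questions raised earlier (no authentication of the server that answers first, no authentication of the client that asks), as an added example that is not part of the lecture. It builds and parses BOOTP-framed DHCP messages with the standard library only and runs them through an in-memory toy server, so nothing is sent on the wire. The server address 172.16.99.254, the pool 172.16.99.220-223, the MAC addresses, the transaction IDs and the lease time are constructed for the demo; the server and client functions are this example's own, not a real DHCP implementation.

```python
# Added example (not from the lecture): a toy DHCP (BOOTP-framed) message builder/parser and an
# in-memory server that walks the Discover -> Offer -> Request -> ACK exchange seen in Wireshark.
# Addresses, MACs, transaction IDs, pool size and lease time are constructed for the demo.
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP options after the BOOTP header
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
BROADCAST_FLAG = 0x8000


def build_dhcp(op, xid, mac, options, yiaddr="0.0.0.0", siaddr="0.0.0.0", flags=BROADCAST_FLAG):
    """Serialise one DHCP message: 236-byte BOOTP header, magic cookie, TLV options, end marker."""
    zero = socket.inet_aton("0.0.0.0")
    header = struct.pack(BOOTP_HDR, op, 1, len(mac), 0, xid, 0, flags,
                         zero, socket.inet_aton(yiaddr), socket.inet_aton(siaddr), zero,
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(pkt):
    """Decode the header fields the lecture looks at plus the options (53 = message type, 50 = requested IP)."""
    f = struct.unpack(BOOTP_HDR, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:    # 255 = end option
        if pkt[i] == 0:                       # 0 = pad option, carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "flags": f[6], "yiaddr": socket.inet_ntoa(f[8]),
            "chaddr": f[11][:f[2]], "options": options}


class ToyDhcpServer:
    """Minimal server: one pool, leases keyed by client MAC (chaddr). It authenticates nobody,
    exactly as the lecture points out, so any MAC that asks is handed an address while the pool lasts."""

    def __init__(self, server_ip, pool, lease_seconds=86400):
        self.server_ip, self.free, self.leases, self.lease = server_ip, list(pool), {}, lease_seconds

    def handle(self, pkt):
        msg = parse_dhcp(pkt)
        mac, mtype = msg["chaddr"], msg["options"][53][0]
        if mtype == DHCPDISCOVER:
            ip = self.leases.get(mac) or (self.free.pop(0) if self.free else None)
            if ip is None:
                return None                   # pool exhausted: no Offer, the client keeps waiting
            self.leases[mac] = ip
            return self._reply(msg, DHCPOFFER, ip)
        if mtype == DHCPREQUEST:
            wanted = socket.inet_ntoa(msg["options"][50])   # option 50, as expanded in the capture
            if self.leases.get(mac) == wanted:
                return self._reply(msg, DHCPACK, wanted)
            return self._reply(msg, DHCPNAK, "0.0.0.0")
        return None

    def _reply(self, msg, mtype, yiaddr):
        opts = [(53, bytes([mtype])), (54, socket.inet_aton(self.server_ip))]
        if mtype != DHCPNAK:                  # Offer/ACK also carry mask, gateway, DNS and lease time
            opts += [(1, socket.inet_aton("255.255.255.0")), (3, socket.inet_aton(self.server_ip)),
                     (6, socket.inet_aton(self.server_ip)), (51, struct.pack("!I", self.lease))]
        # the reply carries the client's own chaddr: that is why the Offer's destination MAC in
        # Wireshark equals the Discover's source MAC
        return build_dhcp(BOOTREPLY, msg["xid"], msg["chaddr"], opts, yiaddr=yiaddr,
                          siaddr=self.server_ip, flags=msg["flags"])


def run_dora(server, mac, xid=0x3903F326):
    """Client side of Discover -> Offer -> Request -> ACK. Returns (final message type, assigned IP)."""
    discover = build_dhcp(BOOTREQUEST, xid, mac, [(53, bytes([DHCPDISCOVER]))])
    raw_offer = server.handle(discover)
    if raw_offer is None:
        return None, None
    offer = parse_dhcp(raw_offer)
    request = build_dhcp(BOOTREQUEST, xid, mac, [(53, bytes([DHCPREQUEST])),
                                                 (50, socket.inet_aton(offer["yiaddr"])),
                                                 (54, offer["options"][54])])
    ack = parse_dhcp(server.handle(request))
    return ack["options"][53][0], ack["yiaddr"]


def starve(server, count):
    """The lecture's second question: Discovers from `count` different MACs. Returns how many Offers came back."""
    offers = 0
    for n in range(count):
        mac = b"\x02\x00\x00\x00" + n.to_bytes(2, "big")   # constructed, locally administered MACs
        if server.handle(build_dhcp(BOOTREQUEST, 0x1000 + n, mac, [(53, bytes([DHCPDISCOVER]))])) is not None:
            offers += 1
    return offers


if __name__ == "__main__":
    srv = ToyDhcpServer("172.16.99.254", [f"172.16.99.{h}" for h in range(220, 224)])  # constructed pool of 4
    print(run_dora(srv, bytes.fromhex("000c29aabbcc")))   # legit client: (5, '172.16.99.220')
    print(starve(srv, 10))                                 # 3 more Offers, then the pool is empty
    print(run_dora(srv, bytes.fromhex("000c29ddeeff")))   # newcomer after starvation: (None, None)
```

Feed the output of `build_dhcp` to a real socket bound to UDP port 68 and the Discover matches the packet the capture shows: op 1, all-zero ciaddr, client MAC in chaddr, option 53 = 1. The server side is deliberately naive; a production server would at least rate-limit per port (what DHCP snooping on a switch does) so that a single host cycling MAC addresses cannot drain the pool the way `starve` does here.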