1
00:00:00,490 --> 00:00:06,880
So switches make it difficult to sniff the network traffic. In the past, the traffic was being sent

2
00:00:06,880 --> 00:00:10,390
to all ports with the hub technology. With switches,

3
00:00:10,720 --> 00:00:17,080
the traffic is directed only to the specified port, so a network device only receives its own packets,

4
00:00:17,530 --> 00:00:18,520
not the others.

5
00:00:19,470 --> 00:00:23,670
We need to use some techniques to sniff the traffic of the other devices then, huh?

6
00:00:31,910 --> 00:00:37,460
These are some of the techniques to expand this sniffing space. You thought it couldn't be done.

7
00:00:38,770 --> 00:00:45,070
So we'll talk about SPAN, Switched Port Analyzer, or port mirroring.

8
00:00:45,910 --> 00:00:48,070
So that's a method of monitoring

9
00:00:48,070 --> 00:00:56,380
network traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on one

10
00:00:56,380 --> 00:01:01,710
port or an entire VLAN to another port where the packets can be analyzed.

11
00:01:02,020 --> 00:01:08,530
Port mirroring is supported by almost all enterprise-class switches I can think of.

12
00:01:08,560 --> 00:01:11,470
So in other words, managed switches.

13
00:01:12,100 --> 00:01:17,410
It allows a particular computer to see the network traffic, which is normally hidden from it.

14
00:01:18,840 --> 00:01:24,300
You can monitor the entire traffic sent from the switch by copying its uplink port.

15
00:01:25,550 --> 00:01:32,330
Now you have to have physical access and the admin privileges on that switch, so this method is often

16
00:01:32,330 --> 00:01:39,890
used to send the network traffic to the IDS, which is typically an intrusion detection system device.

17
00:01:41,330 --> 00:01:48,710
In a MAC address table overflow attack, also known as a MAC flooding attack, within a very short time

18
00:01:48,890 --> 00:01:54,170
the switch's MAC address table is full with fake MAC address and port mappings.

19
00:01:55,890 --> 00:02:01,980
A switch's MAC address table has only a limited amount of memory, and when that table is full, the switch

20
00:02:01,980 --> 00:02:04,410
cannot save any more MAC addresses in it.

21
00:02:05,840 --> 00:02:12,350
So once the switch's MAC address table is full and it can't save any more MAC addresses, it generally

22
00:02:12,350 --> 00:02:16,700
enters into a fail-open mode and it starts behaving like a network

23
00:02:16,700 --> 00:02:22,210
hub. Frames are flooded to all ports, similar to a broadcast type of communication.

24
00:02:22,940 --> 00:02:26,810
So as an attacker in the network, you start to receive the frames of others.

25
00:02:28,210 --> 00:02:36,610
You know, Address Resolution Protocol, ARP, is a network protocol used for mapping a network

26
00:02:36,610 --> 00:02:44,260
address, such as an IP address, to a physical address, such as a MAC address. A system asks for the

27
00:02:44,260 --> 00:02:50,980
owner of an IP address by sending an ARP request, and the owner of the IP address answers him with

28
00:02:51,070 --> 00:02:51,850
an ARP reply.

29
00:02:52,630 --> 00:02:56,860
What if the attacker replies first, before the owner of the IP?

30
00:02:57,790 --> 00:03:04,330
Once the attacker's MAC address is connected to an authentic IP address, the attacker will begin receiving

31
00:03:04,330 --> 00:03:07,270
any data that is intended for that IP address.

32
00:03:07,930 --> 00:03:11,140
This is the basic principle of ARP spoof attacks.

33
00:03:12,120 --> 00:03:19,020
ARP poisoning can be achieved because of the lack of authentication in the protocol, so the attacker

34
00:03:19,020 --> 00:03:26,850
can send a spoofed ARP message onto the LAN. Would you like to make the attack much more powerful?

35
00:03:27,150 --> 00:03:27,960
Mm hmm.

36
00:03:27,990 --> 00:03:29,220
I suspected as much.

37
00:03:29,850 --> 00:03:38,220
Then you've got to replace your MAC with the gateway's, so every packet sent by the victim will be in

38
00:03:38,220 --> 00:03:39,780
your malicious hands.

39
00:03:40,620 --> 00:03:42,720
But we are ethical hackers, remember?

40
00:03:43,890 --> 00:03:51,540
Dynamic Host Configuration Protocol, DHCP, is a protocol used to provide automatic and central management

41
00:03:51,540 --> 00:03:58,050
for the distribution of IP addresses within a single network. It is also used to configure the proper

42
00:03:58,050 --> 00:04:03,300
subnet mask, default gateway and DNS server information on the particular device.

43
00:04:04,330 --> 00:04:10,060
Now, similar to the other types of spoofing attacks, DHCP spoofing involves an attacker pretending

44
00:04:10,060 --> 00:04:15,130
to be someone else, in this case acting as the legitimate DHCP server.

45
00:04:15,970 --> 00:04:23,050
Since DHCP is used to provide addressing and other information, a client losing control of this part

46
00:04:23,050 --> 00:04:24,790
of the network can be very dangerous.

47
00:04:25,940 --> 00:04:34,310
In DHCP spoofing attacks, the attacker places a rogue server on the network, and as clients are turned

48
00:04:34,310 --> 00:04:39,290
on and request an address, the server with the fastest response is used.

49
00:04:39,980 --> 00:04:46,550
If the device receives a response from the rogue server first, the rogue server can assign any address

50
00:04:46,550 --> 00:04:50,930
as well as control which device it uses as a gateway.

51
00:04:51,900 --> 00:04:59,130
So a well-designed attack can collect traffic from local hosts to a rogue server that logs all traffic

52
00:04:59,130 --> 00:05:04,870
and then forwards out the traffic to the correct gateway or to the device.

53
00:05:05,250 --> 00:05:07,680
So this action would be almost transparent.

54
00:05:08,310 --> 00:05:12,210
Thus, the attacker can steal information almost invisibly.