1
00:00:06,660 --> 00:00:13,470
The ICMP is used for diagnostic purposes and it's widely available. Virtually every local network uses

2
00:00:13,470 --> 00:00:20,580
the protocol, and few people block its packets; even administrators rarely analyze these packets.

3
00:00:21,440 --> 00:00:28,680
Network intrusion detection systems do scan the ICMP packets but don't analyze their contents, as you

4
00:00:28,680 --> 00:00:29,790
can see in the picture above.

5
00:00:29,790 --> 00:00:36,740
You can send data in ICMP packets. If you're connected to the network and wanted to send something so

6
00:00:36,740 --> 00:00:43,640
that the administrator wouldn't notice, you could use the ICMP packets for that. No one and nothing would

7
00:00:43,640 --> 00:00:48,090
block this data or analyze the contents of the packets you sent.

8
00:00:48,100 --> 00:00:51,020
This is because nobody expects any data in these packets.

9
00:00:52,060 --> 00:00:59,030
Usually there is none. On the web you can find about a dozen programs that allow you to send text or

10
00:00:59,030 --> 00:01:03,770
binary codes using ICMP.

11
00:01:03,770 --> 00:01:08,670
How then can you secure yourself against vulnerabilities in the third layer of the OSI model?

12
00:01:14,510 --> 00:01:20,470
One of the solutions consists of dividing the network into smaller segments called subnets. We'll elaborate

13
00:01:20,470 --> 00:01:21,780
on that later on.

14
00:01:24,230 --> 00:01:30,840
Another is monitoring all packets passing through the layer to ensure that no packets are sent or received

15
00:01:30,840 --> 00:01:32,640
without your control.

16
00:01:32,640 --> 00:01:38,580
You have to monitor IP and ICMP packets.

17
00:01:38,620 --> 00:01:46,190
The third method of protection involves taking into account that IP version 6 is a dynamic protocol.

18
00:01:46,430 --> 00:01:52,060
If you don't need automatic routing configuration, for example you don't switch servers between networks,
19
00:01:52,340 --> 00:01:56,000
you should either disable it or limit it.

20
00:01:56,060 --> 00:02:02,970
You should also limit the list of IP addresses of routers you'll accept advertisements from. The network

21
00:02:02,970 --> 00:02:08,290
layer is the first layer of the OSI model that can be secured using protocols.

22
00:02:08,390 --> 00:02:14,240
And that's where you can use the IPsec protocol, because it works in the third layer.

23
00:02:14,380 --> 00:02:17,730
It's less visible for applications working in the seventh layer.

24
00:02:18,100 --> 00:02:20,730
We'll discuss the IPsec rules during one of the next lectures.

25
00:02:30,110 --> 00:02:34,880
Now we'll demonstrate how to impersonate somebody by changing your IP address and how easy it is to disable

26
00:02:34,880 --> 00:02:40,430
the computer by advertising false IP version 6 routes.

27
00:02:40,470 --> 00:02:44,940
We'll also learn how easy it is to perform IP spoofing in order to hide the IP of the computer used for

28
00:02:44,940 --> 00:02:45,930
remote scanning.

29
00:02:50,990 --> 00:02:55,180
We'll use the Nmap program.

30
00:02:55,190 --> 00:03:01,310
This is a tool that allows you to perform various types of scanning, such as TCP scanning and IP

31
00:03:01,310 --> 00:03:09,550
protocol scanning, which will be discussed later.

32
00:03:09,650 --> 00:03:16,100
It can also be used for IP and MAC spoofing. IP version 6 scans can also be performed.

33
00:03:18,790 --> 00:03:23,350
First we'll hide the real MAC address. We'll change it to a random address chosen from,

34
00:03:23,350 --> 00:03:26,690
for example, the pool of addresses of Apple network cards.

35
00:03:28,930 --> 00:03:31,350
Then we'll hide the real IP address.

36
00:03:32,790 --> 00:03:37,590
We'll use IP addresses which will be interpreted by the victim as computers that try to establish connections

37
00:03:37,590 --> 00:03:38,180
with it.
38
00:03:39,820 --> 00:03:47,350
To make it convincing, we must use only the addresses of computers currently online at the moment.

39
00:03:47,350 --> 00:03:58,860
We're sure that the computer identified by IP number 192.168.0.115 is online.

40
00:03:59,030 --> 00:04:03,960
We can also use Nmap to generate a number of random addresses to use.

41
00:04:04,100 --> 00:04:06,160
We have to type the real address in as well.

42
00:04:07,780 --> 00:04:12,910
If all packets had false addresses in the sender IP address field, we wouldn't get a response from the

43
00:04:12,910 --> 00:04:16,040
victim's computer we're trying to perform the scan on.

44
00:04:16,120 --> 00:04:18,380
As a result we would learn nothing about it.

45
00:04:20,890 --> 00:04:28,410
If the real address comes sixth or seventh, most network intrusion detection systems won't save it. For

46
00:04:28,410 --> 00:04:32,670
efficiency reasons the systems usually only save the first five addresses.

47
00:04:36,160 --> 00:04:37,590
We choose the scan type,

48
00:04:37,820 --> 00:04:40,770
for example TCP SYN scan.

49
00:04:40,840 --> 00:04:47,550
Also we have to select the ports we would like to scan, which is standard TCP ports ranging from 1 to

50
00:04:47,550 --> 00:04:52,160
1024.

51
00:04:52,180 --> 00:04:57,500
The last thing we have to do is determine the scan target. In a later part of the seminar

52
00:04:57,590 --> 00:05:03,280
we'll learn how to monitor data passing through the network using the Wireshark network analyzer.

53
00:05:03,320 --> 00:05:09,940
I highly recommend you return to this exercise once you get to know the program. With Wireshark enabled

54
00:05:09,940 --> 00:05:12,240
on the server you perform the scan on,

55
00:05:12,490 --> 00:05:16,050
you'll be able to see which sender IPs show up on the computer being scanned.
56
00:05:17,040 --> 00:05:24,640
It'll turn out that there's more than one, six for example. Only the sixth IP will identify the computer

57
00:05:24,640 --> 00:05:30,190
that actually performed the scan, because only six of the packets sent returned to us.

58
00:05:30,190 --> 00:05:34,990
The scan will take longer. When it's finished,

59
00:05:35,080 --> 00:05:43,740
we should be able to observe which TCP ports on the target host, ranging from 1 to 1024, are open.

60
00:05:43,980 --> 00:05:53,490
Let's have a closer look at one of the tools that are included in BackTrack.

61
00:05:53,720 --> 00:06:00,150
We can see here a couple of tools that send IP version 6 router advertisements. One of these tools is

62
00:06:00,150 --> 00:06:09,960
called flood_router6.

63
00:06:09,990 --> 00:06:13,770
The only thing we have to provide to the program is the interface through which the advertisements need

64
00:06:13,770 --> 00:06:19,000
to be sent. Before you execute the command that you see in the picture,

65
00:06:19,010 --> 00:06:23,450
it's advisable that you save all the documents you're working on, because it will crash all the local

66
00:06:23,450 --> 00:06:30,140
network hosts that support the IP version 6 protocol. All of the computers that will be affected are running

67
00:06:30,140 --> 00:06:33,820
under Vista and Windows 7.

68
00:06:33,860 --> 00:06:40,030
We analyzed the first three layers of the OSI model: the physical layer, the data link layer and the network

69
00:06:40,030 --> 00:06:41,940
layer.

70
00:06:41,960 --> 00:06:46,070
We also learned about the vulnerabilities characteristic of each layer and the ways to mitigate those

71
00:06:46,070 --> 00:06:51,300
vulnerabilities, which is the topic we will also elaborate on during the next modules.

72
00:06:53,880 --> 00:06:55,290
Thank you for your attention.