In this video, I'm going to show you how to hack Cisco switches using Kali Linux. In a previous video, I showed you how to get Kali Linux downloaded and installed on a Windows 10 computer, so have a look at the video which I've linked here or below if you haven't got Kali Linux installed and running. I basically show you how to download a pre-built version of Kali Linux and import it into VMware Workstation Player, which is free software that allows you to run Kali Linux on your Windows 10 computer.

All right, without further ado, let me show you how to hack Cisco networks. In this video I'm going to demonstrate the use of Yersinia, which is a framework for performing layer 2 attacks. It allows you to attack multiple network protocols, including Spanning Tree, CDP or Cisco Discovery Protocol, DTP or Dynamic Trunking Protocol, DHCP, HSRP, 802.1Q, 802.1X, ISL and VLAN Trunking Protocol or VTP. So basically this application allows you to hack multiple protocols in Cisco networks. It doesn't just apply to Cisco networks, but some of these protocols, such as CDP, DTP and HSRP, are Cisco proprietary protocols. So this application is really geared for hacking Cisco networks, but you could use it for hacking other protocols and networks that have other vendors' devices in them. Cisco is the biggest networking vendor in the world.
So Cisco switches and Cisco routers will be found in many, many corporate environments around the world. So I'm going to demonstrate how to hack Cisco devices using Yersinia running in Kali Linux.

Now, in this basic network I've got a Cisco switch. This is a Catalyst 2960 switch. The reason I'm using a small switch like this is that it's fanless, so it doesn't make a lot of noise. I've got a Windows 10 laptop that I've connected physically to the Ethernet switch on port 1. I've got a MacBook connected on port 2. These devices are connected via Ethernet cables to the switch. I've also connected to the console of the switch using a USB connection. In this example I'm also controlling both of those devices from my local Mac; it just makes it easier to do the recordings. So I've got the connection to the MacBook and I'm controlling that via VNC, and I'm also controlling the Windows computer via VNC. The Windows computer, once again, is running Kali Linux within VMware Workstation Player.

OK, so I'm going to open up a terminal and I'm going to type y e r s Tab, and you'll notice nothing happens. That's because this application is no longer installed by default in this latest release of Kali Linux. So I'm going to type apt-get update to update references on this Kali Linux host, and then I'm going to say apt-get install yersinia.
So I'm basically installing this application on Kali Linux. It used to be installed by default, but in this release it's no longer installed. The version of Kali Linux that I'm using is 2019.3. You simply need to wait now for the application to install.

OK, so it's now installed, so I'll clear the screen, and notice now when I type y e r s Tab, the command auto-completes and I can press dash or hyphen h to get help about the application. So we're told that we can get the application version number by using uppercase V, h displays this help screen, G gives us a graphical user interface, I is interactive, uppercase D is daemon mode, lowercase d is debug mode. We've also got some logging options. So what I'm going to type is yersinia -G to get a graphical user interface. Now we're told that this is an alpha release. That's fine for our example. Notice once again that multiple protocols are supported: CDP, DHCP, 802.1Q, 802.1X, DTP, HSRP, ISL, MPLS, STP, VTP, and we've got a log here.

Now, in this video I'm assuming that you have knowledge of these protocols. To be able to hack networks you need to have an understanding of the protocols that network devices use.
Now, if you don't know what those protocols are, have a look at some of the videos that I've linked below or have a look at my course. In my CCNA course I teach a lot of these protocols. You don't have to take my course if you don't want to; have a look at other videos on YouTube or other CCNA courses. But for this video, I'm assuming that you have knowledge of these protocols.

Now, in this example, I'll start PuTTY, because what I want to do is connect to the console of the Cisco switch and show you how the switch is being configured. Before I do that, we need to know which console port to use. So I'm going to go to Device Manager, and here I can see that USB serial device COM3 is being used, so I'm going to specify COM3 in PuTTY and click Open, and now I'm connected to this switch.

This switch has not been configured with best practices, and that's a problem, because with hacking tools like Kali Linux, if you don't configure a network device properly, hackers can get access to your network very, very easily. So if I type sh run on the switch, it's got two DHCP pools configured. Port 1 on the switch is configured in VLAN 1 and port 2 is configured in VLAN 2. In other words, this laptop is in a different VLAN to that laptop, but we're not going to let that stop us.
Scrolling down, you can see that interface gigabit 0/1 is configured with defaults. Very bad idea. You don't want to use default configurations on a switch. You should at least shut down ports on a switch that are not in use, or put them in a separate VLAN, or stop protocols like DTP being used. So as an example, show interface gigabit 0/1 switchport. What you'll notice is that negotiation of trunking is on and the current administrative mode is dynamic auto. We've got DTP enabled on this port. That's something we don't want to do. So this command, show interface <port number> switchport, shows us that the port is configured in VLAN 1, but DTP is enabled on that port. So again, sh run interface gigabit 0/1: that's the configuration of port 1. Here's the configuration of port 2. I'll put the switch's configuration below the video if you want to have a look at the switch's configuration offline.

But apart from that, this switch also doesn't have routing enabled, and that means that there's no routing from one VLAN to another on the switch. At the moment VLAN 1 is down because I haven't plugged in my Kali Linux PC.
So let me do that, and what we should notice is that the port on the switch comes up, and it does. So show ip interface brief: this VLAN is still down, but we can see that interface gigabit 0/1 has come up. So after a while that SVI, or switch virtual interface, should come up, and there you go, it's now come up.

So VLAN 1 and VLAN 2 are now configured on the switch. The switch is acting as a DHCP server and allocating IP addresses to devices in the relevant VLANs. show vlan shows us that gigabit 0/1 is in VLAN 1 and gigabit 0/2 is in VLAN 2. The MacBook has been allocated this IP address, 10.1.2.1, by the DHCP server. We can see that on the switch by typing show ip dhcp bindings. So that IP address has been allocated to the MacBook according to the switch, and this IP address has also been allocated, and that's probably my Windows computer.

I'll change the font size here to make it easier to see. So, command prompt, ipconfig: this Windows computer has been allocated this IP address, but the PCs won't be able to ping each other because IP routing is disabled on the switch. There's no routing from one VLAN to another in this topology. So on my MacBook as an example, if the MacBook tries to ping the Windows computer, it can't do that because IP routing is disabled.
There's no routing between the VLANs, but that's not going to stop us once again.

Now, currently the Kali Linux host is configured to use NAT, and it's been using my wireless connection to get access to the Internet. This little network here doesn't have any Internet access. So what I'm going to do is bridge the Kali Linux host to the Realtek USB Gigabit Ethernet family controller. So I'm going to bridge it to this Ethernet connection and click OK. So in Kali Linux, I'll open up another terminal window. ifconfig will show us the IP address. At the moment, no IP address has been allocated. Do that command again, and notice 10.1.1.3 has been allocated. So on the switch, show ip dhcp bindings: this IP address has been allocated to the Kali Linux host. So that means I've got three devices in this topology: the physical Windows PC, the MacBook, plus the Kali Linux virtual computer.

So let's use Kali now to hack the network. OK, so it's already picked up that it's connected to a switch through CDP. So we already know that we're connected to a Cisco switch. On the Cisco switch, show cdp neighbors: it doesn't see any neighbors at the moment, but what we could do is launch an attack and send a CDP packet and click OK. In the log, we can see that an attack was launched and it's now finished.
So back on the switch, show cdp neighbors: still don't see a neighbor. So let's flood the CDP table of that switch. So as you can see, a lot of CDP packets are being sent out. On the switch, show cdp neighbors: notice we suddenly have a huge number of CDP neighbors, and you can see the platform here is Yersinia. So we are flooding the CDP neighbor table on the switch. That isn't really a fantastic attack, but it just shows you that with a simple attack I can flood the CDP table of that switch. Notice how many packets are being sent out. After a short while, you'll see this has increased dramatically. The CPU on that laptop is going crazy. The lights on that switch are going mad. I am essentially flooding this switch with a lot of neighbor relationships, so if I type show cdp traffic, you'll notice a lot of input packets are being received by the switch. A lot of attack packets.

To stop this, go to Actions, List attacks, and I'm going to say Stop all attacks. If you want to shut the program down and stop the attack, click Exit, but you probably want to go to Actions, List attacks, and then you can shut down the attacks.

Now, because this network is small, I mean, there's only one switch in this topology.
I can't show you large-scale attacks, but I'll continue showing you some basic attacks, which you can then apply to larger topologies. I'll show you larger topologies in separate videos.

Now, a very basic attack that can be used is attacking spanning tree. At the moment in this network, show spanning-tree shows me that the switch is the root of the topology. Gigabit 0/1 is forwarding on VLAN 1; the switch is the root for VLAN 1, and for VLAN 2 the switch is also the root. So for VLAN 2 the switch is the root, and the port that's forwarding is gigabit 0/2. I only have two ports currently up in this topology: port 1 is in VLAN 1. We can see that with the show vlan brief command. So gigabit 0/1 is currently in VLAN 1 and gigabit 0/2 is configured in VLAN 2; I only have two ports plugged into the switch. And again, port 1 is in VLAN 1 and port 2 is in VLAN 2. show spanning-tree root shows us that the current switch is the root for VLAN 1 and VLAN 2; we can see the root cost is zero for both those VLANs. And again, we can use the show spanning-tree command to see that the switch is the root for VLAN 1 and VLAN 2, but let's change that. So I'm going to launch an attack. In this case, it's a spanning-tree attack.
We are going to claim root role and click OK. So Yersinia has picked up that there's a switch in the topology, but we're going to claim to be the root. So on the switch, show spanning-tree. Notice for VLAN 1 the switch is no longer the root; it has a cost of 4 to get to the root. We can see that gigabit 0/1 is a root port with a cost of 4. Previously the port was a designated port, when the switch was the root. So we've changed the role to root. This is the port that the physical switch is going to use to get to the root bridge, which is currently Kali Linux. For VLAN 2 we can see that the switch is root; notice gigabit 0/2 is a designated port.

Now, I won't have time to go through all the protocols. There's a lot of things you can do just with Yersinia within Kali Linux. I'll show you other hacks in subsequent videos.