In a previous video, which I've linked below, I showed you how to set up Kali Linux (pronounce it however you prefer) as a DHCP server and then implement a man-in-the-middle attack. In a topology such as this, Kali Linux is set up as a DHCP server to allocate IP addresses to PCs, such as the Windows 10 host, and then set the default gateway to itself. So the traffic is sent through the Kali Linux server onto the Internet and onto other destinations. That allows us then to implement a man-in-the-middle attack, because all traffic is going through Kali to other devices in the topology.

Now, to stop that from happening, we're going to set up this switch to use DHCP snooping. So it's going to snoop, or listen in, on DHCP messages and only allow certain DHCP messages from trusted servers. So the switch will allow clients to request IP addresses, but will not allow Kali or other servers on untrusted ports to offer IP addresses to clients. We'll set up this interface on the switch as a trusted port so that the router is able to allocate IP addresses to the PC, but Kali is not able to do that. OK, so I'm now going to show you practically how to use DHCP snooping to stop these kinds of attacks, but I've also added some additional information below this video. There's a PowerPoint presentation that you can download as an example that gives you the commands to set this up on a switch.
OK, so on the Windows computer I'm going to open up a command prompt, so open up a CMD prompt. ipconfig shows me that this is the IP address of the PC at the moment; the default gateway is 10.1.1.254, which is the router in the topology. On the router, show ip interface brief: notice the IP address of the router is this. The router is configured as a DHCP server; show ip dhcp binding shows me that two IP addresses have been allocated, one to the Windows computer and one to Kali. On Kali, as an example, if I open up a terminal and type ifconfig, this is the IP address that's been allocated to the Kali Linux server. Once again, this is the IP address allocated to the PC. If I type ipconfig /release to release the IP address (I'll make that a bit bigger) and then type ipconfig, you'll notice that it's not been allocated an IP address; it's using a link-local IP version 4 address and a link-local IP version 6 address. But if I type ipconfig /renew, it should get an IP address from the DHCP server. And there you go, an IP address has been allocated by the router to the Windows computer.

But now let's set up Kali as a rogue DHCP server. So to do that, I'm going to run Yersinia and use the graphical user interface. I showed you previously how to use this application in a lot of detail, so once again, refer to the previous videos if you want to learn more about this application.
But it's quite simple. All I'm going to do is launch an attack, and I'm going to set up a rogue DHCP server. So I'm going to select that option and click OK. The IP address of the rogue DHCP server is going to be the local Kali Linux host, which has an IP address of 10.1.1.2/24. Now, I'll use a different range of IP addresses for hosts that we allocate addresses to using Kali, so let's say 100 to 110; the lease time and renewal time I'll set to 3600 seconds. The subnet mask will be a /24 mask, and this is how I can implement a man-in-the-middle attack: I'm going to set myself as the default gateway. That means that the host will send traffic to the Kali Linux host, which will then forward traffic to the router, so we can implement a man-in-the-middle attack without the user knowing what's going on. The DNS server I'll set to Google and the domain I'll simply set to home.com, and click OK.

So if we look at Actions, List attacks, you can see that I'm running a rogue server attack; you can see that the DHCP rogue server is currently running. So on the client, I'm going to release my IP address again and then renew it. Now, it may get an IP address from the router rather than from the Kali Linux server; it just depends which device replies first. So you can see it got its IP address from the router.
So on the router, I'm going to type no service dhcp; I'm going to disable the DHCP service on the router. So show ip dhcp binding: you can see that the bindings have been removed from the router. So on the PC, I'll release my IP address and then I'll renew it, and let's see if it gets an IP address from the Kali Linux server. On Kali, you can see there's a DHCP Discover; DHCP Discovers are being received. Now, sometimes this application bombs out or breaks, so you have to rerun the DHCP server. That's a lesson in hacking: you can't expect everything to work the first time. You've got to be persistent and be tenacious and keep on trying. So now it received a DHCP Request from the client and it acknowledged it. In other words, when I ran ipconfig /renew again, it got an IP address.

OK, so the PC has been given an IP address, but note previously I had an error here saying "unable to contact your DHCP server, request timed out". The Yersinia application sometimes bombs out, especially the graphical user interface. It is an alpha release. That's probably why you want to do stuff through the CLI if you can, but to keep things simple, I've done it through the GUI. But the net result is that the PC has been given an IP address from the Kali Linux server; that's what we don't want.
Notice the default gateway is Kali. That means a man-in-the-middle attack could be used here. OK, so to stop this nonsense, now on the switch that the devices connect to, I'm going to enable DHCP snooping. This is a layer 2 switch. Although it's configured as a layer 2 switch, it does support other options. show ip dhcp snooping: at the moment, DHCP snooping is disabled. There's the command; notice DHCP snooping is disabled. It's not configured on any VLANs and it's not operational on any VLANs. No interfaces have been configured to be trusted.

So in global configuration mode, I'm simply going to type ip dhcp snooping; that enables DHCP snooping on the switch globally, but please note, that's not how you make it work. This is the first step. Type the command show ip dhcp snooping again; you can see that it's now been globally enabled, but it's not enabled on any VLANs, so don't forget to enable it on the VLAN, and to do that you type ip dhcp snooping vlan 1. So two commands are required. show run | include dhcp: we have now used this command globally as well as this command globally on the switch. show ip dhcp snooping shows us that DHCP snooping is now enabled on VLAN 1.
I'll type ipconfig /renew on the PC now. At this point, it's not going to get any IP addresses, because we've got DHCP snooping enabled. The Kali Linux host won't be able to allocate IP addresses to the PC, but nor will the router. So to prove that, on the router I'll enable the DHCP service again. So show run shows us that we've got this DHCP pool configured: this is the network, this is the default gateway, this is the DNS server. But the PC is not getting any IP addresses. So ipconfig /renew; notice no IP address is being allocated. show ip dhcp binding: no IP addresses are allocated by the router, and no IP addresses are being allocated by the Kali Linux host.

Now, to see what's actually going on, we can run a debug on the switch, so let's run debug ip dhcp snooping packet so we can see a lot of detail. Be careful with packet; you'll see a lot of detail in the output here, so you may prefer to use event. But let's run this again, ipconfig /renew. Notice we're seeing a lot of output, but what I'll do now is turn off debugging for the moment. We can see "received new packet from input interface Gigabit 0/2"; that is the PC. It's a Discover message; notice the source MAC address is this, ending in 7c00. On the PC, ipconfig /all.
That is the MAC address of the Windows computer, so the Windows computer is requesting an IP address. At layer 2, we can see the source MAC address of the PC; the destination is a broadcast, notice all Fs. So hexadecimal Fs, broadcast. At layer 3, the destination is a broadcast IP version 4 address; the source IP address is unknown. It doesn't currently have an IP address; it's requesting an IP address. So we've got "invalid entry for flooding on ingress VLAN 1, bridge output port is null, packet is dropped". So the switch is essentially just dropping that packet. It's not forwarding it anywhere. To forward that request to the router on this interface, we need to trust this port. So we need to make Gigabit 0/0 a trusted port so that that DHCP request can be forwarded to the router.

So on the switch, interface gigabit 0/0, that's the interface connecting to the router, ip dhcp snooping trust. We're going to trust the port. debug ip dhcp snooping packet; back on the PC, ipconfig /renew, let's try and get an IP address. You can see a lot happening here, but notice right at the bottom of this debug: "bridge packet sent to port Gigabit 0/0". So the DHCP request received by the switch from the PC is being forwarded to the router. We've got a DHCP Discover from the PC on Gigabit 0/2 asking for an IP address.
But notice this problem we see here: option 82. Option 82 can cause problems. Option 82 is used when you need to forward DHCP requests from a router to a DHCP server, as an example, and include information such as port numbers. So if you have problems with that, on the switch type no ip dhcp snooping information option, Enter. So we're not going to forward option 82 information to the router. So let's try that again: ipconfig /renew; notice the PC now gets an IP address.

So back on the switch, a lot of output in the debug. So once again, the PC is requesting an IP address. The inbound interface is Gigabit 0/2; the switch is sending the packet to the router on Gigabit 0/0. The router replies back. There's the DHCP packet inbound on Gigabit 0/0; we see the router allocating an IP address to the client. So in the output here, we can see that this IP address, which is the router, is sending a broadcast. It's a broadcast at layer 2, broadcast at layer 3, allocating the IP address to the PC. This, once again, if you remember, is the MAC address of the PC. So the router has successfully allocated an IP address to the PC. The PC got that IP address from the router. Now it got given 10.1.1.100 because the PC will ask for the IP address that it had previously.
Previously it had been given that IP address by the Kali Linux server. So Windows remembers that information and basically requests the IP address it had before. So it got a different IP address, but that IP address is in the pool of IP addresses on the router. So you can see that this IP address was allocated to the PC, and if we have a look at the DHCP pool once again, you can see that the pool is all IP addresses in 10.1.1.0. So 10.1.1.100 is a valid IP address in that range.

Okay, so back on the switch. Let's recap what we configured. show run | include dhcp: we configured DHCP snooping globally on the switch; we configured it globally on VLAN 1. So those are global configuration commands. We also stopped option 82 by configuring that globally, and then we trusted that Gigabit 0/0 interface, so show run interface gigabit 0/0. Notice this interface has been configured as a trusted interface. We should do some show commands, so show ip dhcp snooping. We can see through the output of this command that DHCP snooping is enabled globally, also enabled on VLAN 1 and no other VLANs; all the devices in this network are on VLAN 1. Gigabit 0/0 is a trusted interface. We are not rate limiting that interface.
But what we may want to do is rate limit requests from PCs. So we may want to rate limit this interface and this interface. The reason why is, on Kali Linux we could do a DHCP denial of service attack, so send DHCP packets and basically just flood the network with a huge amount of DHCP requests, and that can actually kill or cause problems in the network. It's actually killing the switch. So I'll stop that attack. So Actions, List attacks, and I'll stop the DHCP discover attack because it basically kills the switch. I'm going to get a huge amount of debug output now because I was running a debug. So an important lesson: don't leave a debug running. And Kali sent a huge amount of packets to the switch, so this may take a while. So I'll turn off debugging. Not sure if you saw that, it went past that quickly, but there it is again: un all.

And what I'll do is, on the interface to the Kali Linux server, which is Gigabit 0/1, I'll enable rate limiting, so ip dhcp snooping limit rate 10. That means 10 packets per second, so we'll rate limit this packet generation on Kali, basically stop it from sending too many packets. So back on the switch, and notice "DHCP snooping errdisable".
We've received more than 10 DHCP packets on Gigabit 0/0; the DHCP snooping rate limit is exceeded. More packets have been received. And what has happened? The interface has been taken down. So show ip interface brief on the switch. There's the command again. Notice this interface has gone down because Kali sent too many packets. I'll shut it down, so manually shut it and then no shut it, and let's see what happens. It's actually locked up my switch now; you can see the CPU has gone crazy, so on Kali I'll stop that attack.

This is one of the problems using a virtual environment such as GNS3 or Cisco VIRL or EVE-NG. The problem is this is not a physical switch, so it hasn't got the ASICs to forward lots of traffic through it. So you can basically destroy the switch, which has happened here. But after a while, what happened was the message displayed: "DHCP snooping, 10 DHCP packets have been received". And what has happened now is the interface is shut down once again. So show ip interface brief: the interface has gone down. So basically what happened is I shut the interface, no shut it.
So many packets were being received from the Kali Linux host that the switch bombed out. Now, a physical switch wouldn't necessarily have that problem because it's got the ASICs. Then the 10 packet limit kicked in and the port was shut down to protect the switch. So there was a delay from the interface going up and the CPU being hammered by Kali, to the port being shut down by that command. And that's because I'm using a virtual switch rather than a physical switch. A physical switch with built-in ASICs would stop this kind of nonsense from happening. The net result, however, is that the interface has gone down. We've protected the network.

So in this video, I showed you how to protect a network using DHCP snooping. I showed you how to stop rogue DHCP servers on the network. I showed you how to stop a denial of service attack by Kali Linux, where it sends a whole bunch of DHCP messages. The switch will shut the port down if it receives too many DHCP requests in a certain amount of time. Don't forget, option 82 can cause problems like it did here.
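As an added illustration that is not part of the video and not Cisco's implementation, the following constructed Python model captures the three switch behaviours seen above: server messages (Offer/Ack/Nak) dropped on untrusted ports, a client Discover with nowhere to go until a trusted port exists, and an untrusted port err-disabled once its rate limit is exceeded. Port names Gi0/0 (router), Gi0/1 (Kali) and Gi0/2 (PC) follow the video's topology; option 82 handling is not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# DHCP message types (DHCP option 53 values).
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}   # only a legitimate server may send these

@dataclass
class Dhcp:
    msg_type: int
    ingress: str    # switch port the frame arrived on, e.g. "Gi0/2"
    ts: float       # arrival time in seconds

@dataclass
class SnoopingSwitch:
    """Constructed model of one VLAN on a DHCP-snooping switch."""
    ports: set
    trusted: set = field(default_factory=set)
    rate_limit: dict = field(default_factory=dict)      # port -> packets/sec
    err_disabled: set = field(default_factory=set)
    _seen: dict = field(default_factory=lambda: defaultdict(list))

    def trust(self, port):            # models "ip dhcp snooping trust"
        self.trusted.add(port)

    def limit_rate(self, port, pps):  # models "ip dhcp snooping limit rate <pps>"
        self.rate_limit[port] = pps

    def _over_rate(self, pkt):
        limit = self.rate_limit.get(pkt.ingress)
        if limit is None:
            return False
        window = [t for t in self._seen[pkt.ingress] if pkt.ts - t < 1.0]
        window.append(pkt.ts)
        self._seen[pkt.ingress] = window
        return len(window) > limit

    def handle(self, pkt):
        """Return (verdict, set of egress ports) for one DHCP packet."""
        if pkt.ingress in self.err_disabled:
            return "dropped: port err-disabled", set()
        if self._over_rate(pkt):
            self.err_disabled.add(pkt.ingress)        # port goes down
            return "dropped: rate limit exceeded, port err-disabled", set()
        if pkt.ingress in self.trusted:
            return "forwarded", self.ports - {pkt.ingress}
        if pkt.msg_type in SERVER_MESSAGES:
            return "dropped: server message on untrusted port", set()
        # A client message on an untrusted port is flooded only towards trusted
        # ports; with none configured there is nowhere to send it.
        egress = self.trusted - {pkt.ingress}
        if not egress:
            return "dropped: no trusted port (bridge output port is null)", set()
        return "forwarded", egress

def replay_scenario():
    """Replay the video's sequence: Gi0/0 router, Gi0/1 Kali, Gi0/2 PC."""
    sw = SnoopingSwitch(ports={"Gi0/0", "Gi0/1", "Gi0/2"})
    r = {}
    r["pc_discover_no_trust"] = sw.handle(Dhcp(DISCOVER, "Gi0/2", 0.0))
    r["kali_offer"] = sw.handle(Dhcp(OFFER, "Gi0/1", 0.1))
    sw.trust("Gi0/0")
    r["pc_discover_trusted"] = sw.handle(Dhcp(DISCOVER, "Gi0/2", 1.0))
    r["router_offer"] = sw.handle(Dhcp(OFFER, "Gi0/0", 1.1))
    sw.limit_rate("Gi0/1", 10)   # 10 packets per second, as in the video
    flood = [sw.handle(Dhcp(DISCOVER, "Gi0/1", 2.0 + i / 100)) for i in range(11)]
    r["kali_flood_last"] = flood[-1]
    r["gi0_1_err_disabled"] = "Gi0/1" in sw.err_disabled
    return r
```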