1
00:00:00,240 --> 00:00:02,490
Zebra, what are you doing?

2
00:00:03,870 --> 00:00:05,640
Are you a nasty Zebra?

3
00:00:06,610 --> 00:00:09,430
Well done, Zebra.

4
00:00:09,700 --> 00:00:15,340
Let's break some networks. In this video, I'm going to show you how to implement dynamic ARP inspection.

5
00:00:15,340 --> 00:00:20,980
Dynamic ARP inspection stops attacks such as ARP poisoning and man-in-the-middle attacks.

6
00:00:21,160 --> 00:00:27,490
In a previous video, which I've linked here and below, I showed you how to use Kali, or Kali Linux

7
00:00:27,490 --> 00:00:33,700
if you prefer, to implement a man-in-the-middle attack by poisoning the ARP caches of devices.

8
00:00:34,210 --> 00:00:40,900
We had Kali poisoning the ARP cache of a Windows device and a Cisco router and then implementing a man-

9
00:00:40,900 --> 00:00:45,670
in-the-middle attack where all traffic from that Windows host to its default gateway, the Cisco router,

10
00:00:45,940 --> 00:00:50,160
was routed, or switched in this case, through the Kali Linux host.

11
00:00:50,590 --> 00:00:57,430
So Kali was able to see all the traffic from Windows to the router and Windows to the Internet.

12
00:00:57,430 --> 00:01:02,170
As an example, we were able to capture Telnet passwords and HTTP passwords.

13
00:01:02,170 --> 00:01:07,600
You shouldn't be using clear text protocols in your network today, so you shouldn't be using protocols

14
00:01:07,600 --> 00:01:09,370
such as HTTP or Telnet.

15
00:01:09,700 --> 00:01:16,030
But if someone did use clear text passwords, I'd have visibility of those passwords and have visibility

16
00:01:16,030 --> 00:01:22,090
of the data because all traffic is sent through the Kali Linux host, which in this case implemented

17
00:01:22,090 --> 00:01:23,470
a man-in-the-middle attack.

18
00:01:23,710 --> 00:01:27,610
We can stop that kind of nonsense by implementing dynamic ARP inspection.

19
00:01:27,940 --> 00:01:33,760
Dynamic ARP inspection requires either DHCP snooping or that you manually configure MAC addresses.

20
00:01:34,360 --> 00:01:42,190
The switch is basically snooping or listening in on DHCP requests from hosts or devices to the DHCP server

21
00:01:42,370 --> 00:01:50,010
and then, when using DHCP snooping, is dynamically creating a MAC address to IP address mapping to an interface.

22
00:01:50,260 --> 00:01:54,730
So it says this MAC address, this IP address, belongs on this interface.

23
00:01:54,970 --> 00:01:58,720
If you change your MAC address, that traffic is denied,

24
00:01:58,900 --> 00:02:02,560
and I'm going to demonstrate that using Kali Linux in this video.

25
00:02:02,950 --> 00:02:10,539
So I'm going to show you how you can implement DHCP snooping, dynamic ARP inspection and then stop Kali

26
00:02:10,840 --> 00:02:13,480
from sending traffic when it changes its MAC address.

27
00:02:13,610 --> 00:02:17,840
So we're going to stop ARP poisoning attacks. Now, to make it easier,

28
00:02:18,100 --> 00:02:20,170
I've added this presentation below

29
00:02:20,170 --> 00:02:20,970
this video.

30
00:02:21,340 --> 00:02:27,810
This presentation shows you the network that I'm using and then shows you how to configure dynamic ARP

31
00:02:27,850 --> 00:02:28,450
inspection.

32
00:02:28,750 --> 00:02:34,330
So I've got links in here to Cisco and other websites that give you more information.

33
00:02:34,450 --> 00:02:42,600
But I also show you how to configure both DHCP snooping as well as dynamic ARP inspection.

34
00:02:42,940 --> 00:02:46,870
So in this video, I'm going to show you in quite a lot of detail how this all works.

35
00:02:47,260 --> 00:02:51,610
Use the menu here to jump to a specific topic if you want to.

36
00:02:51,880 --> 00:02:56,530
So I'm going to show you how to set up DHCP snooping, but I've covered that once again in this video.

37
00:02:56,530 --> 00:03:01,660
So if you just want to see the dynamic ARP inspection part of the video, then jump to the specific

38
00:03:01,660 --> 00:03:03,220
time stamp of interest.

39
00:03:03,880 --> 00:03:06,190
I've included this once again below this video.

40
00:03:06,670 --> 00:03:13,060
This presentation shows you how to set this up and how to verify it on a Cisco switch.

41
00:03:27,130 --> 00:03:30,590
Now, the first thing we need to do is enable the snooping.

42
00:03:30,830 --> 00:03:35,680
Now, I've covered this in a lot of detail in the previous video, so all I'm going to do here is copy

43
00:03:35,680 --> 00:03:37,950
and paste the commands into the switch.

44
00:03:38,680 --> 00:03:45,070
Have a look at this video if you want to watch the snooping video that discusses this in a lot of detail.

45
00:03:45,610 --> 00:03:52,660
OK, so what I'm going to do is copy the commands from this presentation and paste the commands on our

46
00:03:52,660 --> 00:03:53,170
switch.

47
00:03:54,310 --> 00:03:57,460
Now in our topology, once again, we've got a Cisco router. This

48
00:03:57,460 --> 00:03:59,730
router is configured with a DHCP server.

49
00:04:00,640 --> 00:04:02,590
So let's review that first.

50
00:04:04,710 --> 00:04:09,980
Here's the router: show run | begin.

51
00:04:11,700 --> 00:04:17,880
That just allows me to filter the configuration until the keyword DHCP is found.

52
00:04:19,750 --> 00:04:29,440
So there's the command. Here's my DHCP pool. You can see the network used is 10.1.1.0/24, default

53
00:04:29,440 --> 00:04:32,380
router or default gateway is the local router.

54
00:04:32,980 --> 00:04:35,140
DNS server is set to Google.

55
00:04:35,920 --> 00:04:43,190
The router has this IP address, 10.1.1.254, configured on Gigabit 0/0.

56
00:04:43,540 --> 00:04:51,190
So this interface is configured with the IP address 10.1.1.254 and the router is allocating

57
00:04:51,220 --> 00:04:52,930
IP addresses to devices,

58
00:04:53,890 --> 00:05:01,030
and we can see that by typing show ip dhcp binding. We can see that two devices have received IP addresses.

59
00:05:01,540 --> 00:05:07,750
This is the IP address allocated to Kali Linux; this is the IP address allocated to the Windows computer.

60
00:05:08,080 --> 00:05:09,520
We can verify that

61
00:05:12,930 --> 00:05:20,580
by using the command ip address on Kali. Notice there's the IP address allocated to the Kali Linux host,

62
00:05:21,090 --> 00:05:28,320
and on the Windows computer, I'll open up a CMD prompt: ipconfig.

63
00:05:30,480 --> 00:05:33,180
This is the IP address of the Windows computer.

64
00:05:34,140 --> 00:05:36,210
So the DHCP server has been configured.

65
00:05:36,210 --> 00:05:39,700
It's allocating IP addresses to the devices in the network.

66
00:05:40,230 --> 00:05:45,720
What we need to do now is configure DHCP snooping on the switch.

67
00:05:45,720 --> 00:05:53,670
At the moment, no DHCP snooping has been enabled, so you can see that no DHCP commands have been enabled

68
00:05:54,270 --> 00:05:57,120
and we haven't enabled dynamic ARP inspection.

69
00:05:57,750 --> 00:06:05,220
OK, so the first thing I'm going to do is copy the DHCP snooping commands to the switch.

70
00:06:08,250 --> 00:06:09,600
So I'll paste those in,

71
00:06:16,340 --> 00:06:23,330
and you can see here that DHCP snooping has been enabled globally, it's been enabled for VLAN 1,

72
00:06:24,770 --> 00:06:34,550
we've disabled option 82, and the command show ip dhcp snooping shows us that DHCP snooping is now enabled

73
00:06:34,940 --> 00:06:36,440
on VLAN 1.

74
00:06:37,040 --> 00:06:39,690
No trusted ports have been configured yet.

75
00:06:40,460 --> 00:06:45,110
Now, once again, I've shown you previously how to configure DHCP snooping and I've explained it in

76
00:06:45,110 --> 00:06:48,900
a lot of detail, so I'm not doing that here. OK,

77
00:06:48,920 --> 00:06:53,870
the next step is to configure trusted ports. In my topology,

78
00:06:54,230 --> 00:06:57,140
Gigabit 0/0 is a trusted port.

79
00:06:58,160 --> 00:07:01,100
OK, so in my topology Gigabit

80
00:07:01,170 --> 00:07:04,520
0/0 is the interface that connects to the router.

81
00:07:04,850 --> 00:07:07,790
The router is running the DHCP service.

82
00:07:08,330 --> 00:07:09,980
It's allocating IP addresses.

83
00:07:09,980 --> 00:07:12,380
We want to trust this DHCP server.

84
00:07:12,650 --> 00:07:18,060
We don't want to trust this Kali Linux host as a DHCP server.

85
00:07:19,130 --> 00:07:23,690
So back on the switch, I'm going to paste those commands.

86
00:07:25,940 --> 00:07:33,530
Gigabit 0/0 is now a trusted interface. show ip dhcp snooping.

87
00:07:34,190 --> 00:07:39,170
We can see that Gigabit 0/0 is now a trusted interface.

88
00:07:39,770 --> 00:07:46,480
Now we can also rate limit DHCP requests to stop a denial of service attack.

89
00:07:47,000 --> 00:07:55,430
So I'm going to rate limit DHCP messages to 10 packets per second on Gigabit 0/1, which is the

90
00:07:55,430 --> 00:07:58,100
interface connecting me to the Kali Linux host.

91
00:07:58,550 --> 00:08:02,630
Again, I've explained that in a lot of detail in the previous video.

92
00:08:02,930 --> 00:08:04,130
So I'll paste that in.

93
00:08:12,680 --> 00:08:16,490
Got to type conf t first, so try that again.

94
00:08:17,030 --> 00:08:17,770
There we go.

95
00:08:18,980 --> 00:08:23,200
So show run interface Gigabit 0/0.

96
00:08:23,390 --> 00:08:25,460
We are trusting this interface.

97
00:08:26,120 --> 00:08:31,070
We are not trusting this interface. This interface,

98
00:08:31,610 --> 00:08:34,309
Gigabit 0/1, is being rate limited.

99
00:08:34,640 --> 00:08:36,700
0/0 is being trusted.

100
00:08:37,370 --> 00:08:42,169
OK, now that I've configured DHCP snooping, I can configure dynamic ARP inspection.

101
00:08:42,830 --> 00:08:46,730
Dynamic ARP inspection is fairly simple to configure.

102
00:08:47,210 --> 00:08:55,490
What we're going to do is configure it globally on the switch by using the command ip arp inspection

103
00:08:55,490 --> 00:08:56,300
vlan 1.

104
00:08:57,260 --> 00:09:03,410
So conf t, ip arp inspection, specify the VLAN.

105
00:09:04,070 --> 00:09:04,760
In my example,

106
00:09:04,760 --> 00:09:13,460
it's VLAN 1 because all ports on the switch are currently configured in VLAN 1.

107
00:09:14,630 --> 00:09:16,070
Now typically in the real world,

108
00:09:16,070 --> 00:09:21,360
you wouldn't put your devices in VLAN 1; you would put them in a different VLAN.

109
00:09:21,800 --> 00:09:23,150
Now notice what's happening.

110
00:09:23,150 --> 00:09:28,730
We are already seeing invalid ARP messages received on Gigabit 0/2.

111
00:09:29,000 --> 00:09:32,690
That is the Windows host.

112
00:09:33,590 --> 00:09:36,020
We are not trusting anyone at the moment.

113
00:09:36,020 --> 00:09:38,420
We are basically blocking all traffic.

114
00:09:39,170 --> 00:09:43,340
So the Windows host is trying to get to its default gateway.

115
00:09:43,700 --> 00:09:46,760
So it's trying to get to 10.1.1.254.

116
00:09:47,150 --> 00:09:53,000
There's the IP address of the Windows host, MAC address of the Windows host, trying to get to its default

117
00:09:53,000 --> 00:09:55,580
gateway, and the traffic is being denied.

118
00:09:57,020 --> 00:09:59,480
We can see that as an example on the Windows PC.

119
00:09:59,720 --> 00:10:05,510
If I try and ping the router, it's not going to work.

120
00:10:06,140 --> 00:10:07,100
Traffic is denied,

121
00:10:09,800 --> 00:10:11,540
and actually, let me demonstrate this.

122
00:10:11,840 --> 00:10:16,460
I'm going to remove dynamic ARP inspection, so let's remove it,

123
00:10:16,970 --> 00:10:21,140
and what you'll notice is the PC, the Windows PC, can ping the router,

124
00:10:21,980 --> 00:10:29,060
and it can ping the router. So Kali can ping both the Windows PC as well as the router,

125
00:10:29,570 --> 00:10:36,470
and it can ping the router, so Kali can ping both the Windows PC as well as the router.

126
00:10:36,950 --> 00:10:45,710
But as soon as we enable dynamic ARP inspection, we basically break the network, because notice traffic

127
00:10:45,710 --> 00:10:50,960
from 10.1.1.2 to 10.1.1.100 is being denied.

128
00:10:52,730 --> 00:10:59,300
Because now when we try and ping, say, the Windows host, the traffic is denied.

129
00:11:00,470 --> 00:11:08,720
Kali is not able to ping the Windows host and it's not able to ping its default gateway. The Windows

130
00:11:08,720 --> 00:11:11,500
host can't get to its default gateway.

131
00:11:12,020 --> 00:11:13,030
That's a problem.

132
00:11:13,040 --> 00:11:15,780
We want it to be able to talk to its default gateway.

133
00:11:16,850 --> 00:11:24,460
So what we're going to do is set Gigabit 0/0 as a trusted port.

134
00:11:24,900 --> 00:11:27,770
That's the port connecting us to the router.

135
00:11:28,580 --> 00:11:33,530
So on the switch, interface Gigabit 0/0, ip arp inspection.

136
00:11:35,290 --> 00:11:43,810
I'll just use question mark again: trust. We're going to trust that interface, so show run interface Gigabit

137
00:11:43,810 --> 00:11:44,680
0/0.

138
00:11:46,270 --> 00:11:54,490
This command shows us that this interface is trusted for DHCP snooping as well as for ARP inspection.

139
00:11:56,610 --> 00:12:02,880
So now, can the Windows PC ping the router? At the moment, we can see that it can't.

140
00:12:03,960 --> 00:12:07,740
We're still getting a whole bunch of denies on the switch. show ip dhcp

141
00:12:11,160 --> 00:12:11,940
snooping.

142
00:12:12,880 --> 00:12:18,480
Let's look at the bindings. Notice the problem: there are no DHCP bindings at the moment.

143
00:12:18,970 --> 00:12:24,540
We are relying on the DHCP bindings database to implement dynamic ARP inspection.

144
00:12:24,700 --> 00:12:30,220
We need to have the bindings in the database for dynamic ARP inspection to work.

145
00:12:31,730 --> 00:12:40,490
So we're constantly getting these denies at the moment because there is no entry in the DHCP snooping database,

146
00:12:41,000 --> 00:12:45,380
so I'm going to type ipconfig /release to release my IP address

147
00:12:47,290 --> 00:12:52,610
and then I'm going to type renew to renew the IP address on the Windows computer.

148
00:12:53,620 --> 00:13:01,690
It's now been given this IP address. Back on the switch, show ip dhcp snooping binding.

149
00:13:02,410 --> 00:13:11,530
We can see that this MAC address has been given this IP address and we can see that via DHCP snooping

150
00:13:11,530 --> 00:13:12,610
on VLAN 1.

151
00:13:13,000 --> 00:13:16,960
The interface where that host resides is Gigabit 0/2.

152
00:13:18,110 --> 00:13:26,120
So back on the Windows PC, can it now ping its default gateway? And the answer is yes, it can.

153
00:13:26,690 --> 00:13:34,100
So remember, because we're using DHCP snooping, the PCs have to request IP addresses and those IP

154
00:13:34,100 --> 00:13:36,170
addresses have to be allocated through DHCP.

155
00:13:37,190 --> 00:13:43,250
We've got to have DHCP snooping listening in on the conversation, seeing that the router allocates

156
00:13:43,250 --> 00:13:50,180
the IP address to the PC, and then because of that, the DHCP snooping database is built and dynamic ARP inspection

157
00:13:50,420 --> 00:13:54,160
can leverage that database to permit devices.

158
00:13:55,130 --> 00:14:02,630
So again, on the switch, show ip dhcp snooping binding. We can see that this IP address was allocated

159
00:14:02,630 --> 00:14:05,820
to this MAC address on this interface.

160
00:14:06,710 --> 00:14:13,190
Now Kali can still not ping the default gateway because

161
00:14:14,430 --> 00:14:24,150
an IP address hasn't been added to the DHCP snooping database, so what I'm going to do is edit connections

162
00:14:24,150 --> 00:14:24,900
in Kali.

163
00:14:28,080 --> 00:14:33,450
I'm going to go to IPv4 settings, disable the interface.

164
00:14:38,060 --> 00:14:42,560
Go back and get it to use DHCP.

165
00:14:48,110 --> 00:14:49,220
ifconfig

166
00:14:51,380 --> 00:14:53,450
shows us that it's got its IP address.

167
00:14:56,030 --> 00:15:03,610
show ip dhcp binding on the switch. You can see that this IP address has been allocated to this MAC

168
00:15:03,610 --> 00:15:05,680
address, which is

169
00:15:07,390 --> 00:15:14,240
the Kali Linux host MAC address, ending in 5a 00, which is what we see over here.

170
00:15:14,650 --> 00:15:19,960
So on the switch, once again, show ip dhcp snooping binding.

171
00:15:20,020 --> 00:15:20,990
Yes, it can.

172
00:15:21,610 --> 00:15:26,560
So on the switch, once again, show ip snooping binding.

173
00:15:27,370 --> 00:15:35,510
We can see that two IP addresses have been allocated to specific MAC addresses. show ip arp

174
00:15:37,390 --> 00:15:47,560
inspection. So there's the command again. We can see that it's enabled for VLAN 1, so many packets

175
00:15:47,560 --> 00:15:49,270
have been dropped. Now

176
00:15:49,370 --> 00:15:59,470
on Kali, once again, ifconfig shows me that this is the MAC address of the host, ending in 5

177
00:15:59,470 --> 00:16:08,830
a 00. On the switch, show ip dhcp snooping database: that MAC address has been allocated this

178
00:16:08,830 --> 00:16:09,610
IP address.

179
00:16:10,900 --> 00:16:19,690
Kali can ping the default gateway: once again, that IP address, this MAC address.

180
00:16:21,970 --> 00:16:26,980
Now I'm going to change the MAC address by using macchanger.

181
00:16:28,780 --> 00:16:35,890
macchanger tells us that we can see the MAC address by using -s as an option, and then we can create

182
00:16:35,890 --> 00:16:44,580
a random MAC address using dash r or hyphen r. So macchanger -s eth0.

183
00:16:46,810 --> 00:16:48,820
That's the current MAC address.

184
00:16:49,370 --> 00:16:53,160
That's the permanent MAC address. Scrolling up once again,

185
00:16:53,590 --> 00:16:57,650
that's the MAC address that we saw previously with ifconfig.

186
00:16:58,510 --> 00:17:01,690
So let's create a random MAC address.

187
00:17:02,560 --> 00:17:03,350
MAC address,

188
00:17:03,370 --> 00:17:05,050
we've been told, is now this.

189
00:17:05,589 --> 00:17:11,800
So ifconfig shows us that that is the new MAC address that we've been given.

190
00:17:11,800 --> 00:17:12,940
Random MAC address.

191
00:17:13,510 --> 00:17:17,079
Can we ping the default gateway?

192
00:17:17,440 --> 00:17:19,000
Answer is no, we can't.

193
00:17:22,510 --> 00:17:27,430
And we're seeing a lot of denies on the switch. You can't just create some random MAC address or try

194
00:17:27,430 --> 00:17:35,500
and implement ARP spoofing or poisoning, because we've now got dynamic ARP inspection enabled on the switch.

195
00:17:36,580 --> 00:17:39,250
And I'll just stop the ping on

196
00:17:39,250 --> 00:17:45,370
Kali. The only MAC address that's allowed is that MAC address on interface Gigabit

197
00:17:45,370 --> 00:17:46,180
0/1.

198
00:17:46,840 --> 00:17:50,890
This MAC address is permitted on Gigabit 0/2.

199
00:17:51,640 --> 00:18:04,090
So by randomly changing my MAC address using macchanger from this address to this address, traffic

200
00:18:04,090 --> 00:18:05,170
is now being denied.

201
00:18:05,860 --> 00:18:13,930
It also stops someone from using an application such as ettercap to poison the ARP caches.

202
00:18:14,470 --> 00:18:21,790
So again, previously I showed you how to use ettercap to poison hosts on the network.

203
00:18:24,010 --> 00:18:31,300
So if I try and scan for hosts now, that traffic is going to be denied by the switch because of dynamic

204
00:18:31,300 --> 00:18:38,980
ARP inspection. I can't implement ARP poisoning by using ettercap, unlike previously when I demonstrated

205
00:18:38,980 --> 00:18:43,540
it in this video, because we've got dynamic ARP inspection enabled.

206
00:18:44,330 --> 00:18:49,780
OK, very long video once again, but hopefully I've shown you clearly how to set up dynamic ARP inspection

207
00:18:49,960 --> 00:18:50,980
and how to test it.

208
00:18:51,410 --> 00:18:58,030
You can once again download this presentation if you want to have a summary of what we've done and you

209
00:18:58,030 --> 00:18:59,680
want to keep this as a reference.