1
00:00:00,510 --> 00:00:06,900
So switches make it difficult to sniff the network traffic. In the past, the traffic was being sent

2
00:00:06,900 --> 00:00:10,410
to all ports with the hub technology. With switches,

3
00:00:10,750 --> 00:00:13,500
the traffic is directed only to the specified port.

4
00:00:13,980 --> 00:00:18,540
‫So a network device only receives its own packets, not the others.

5
00:00:19,490 --> 00:00:23,690
‫We need to use some techniques to sniff the traffic of the other devices then, huh?

6
00:00:31,940 --> 00:00:37,490
These are some of the techniques to expand this sniffing space. You thought it couldn't be done.

7
00:00:38,810 --> 00:00:48,110
So we'll talk about SPAN, Switched Port Analyzer, or port mirroring. So that's a method of monitoring

8
00:00:48,110 --> 00:00:56,390
network traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on one

9
00:00:56,390 --> 00:01:01,760
port or an entire VLAN to another port where the packet can be analyzed.

10
00:01:02,030 --> 00:01:07,750
Port mirroring is supported by almost all enterprise-class switches

11
00:01:07,790 --> 00:01:11,480
I can think of. So, in other words, managed switches.

12
00:01:12,140 --> 00:01:17,450
‫It allows a particular computer to see the network traffic, which is normally hidden from it.

13
00:01:18,860 --> 00:01:24,320
‫You can monitor the entire traffic sent from the switch by copying its uplink port.

14
00:01:25,590 --> 00:01:32,370
‫Now you have to have physical access and the admin privileges on that switch, so this method is often

15
00:01:32,370 --> 00:01:39,930
used to send the network traffic to the IDS, which is typically an intrusion detection system device.

16
00:01:41,360 --> 00:01:48,740
In a MAC address table overflow attack, also known as MAC flooding attack, within a very short time

17
00:01:48,920 --> 00:01:54,230
the switch's MAC address table is full with fake MAC address and port mappings.

18
00:01:55,920 --> 00:02:02,010
A switch's MAC address table has only a limited amount of memory, and when that table is full, the switch

19
00:02:02,010 --> 00:02:04,440
cannot save any more MAC addresses in it.

20
00:02:05,860 --> 00:02:12,370
So once the switch's MAC address table is full and it can't save any more MAC addresses, it generally

21
00:02:12,370 --> 00:02:16,720
enters into a fail-open mode and it starts behaving like a network

22
00:02:16,720 --> 00:02:22,230
hub. Frames are flooded to all ports, similar to broadcast type of communication.

23
00:02:22,960 --> 00:02:26,830
‫So as an attacker in the network, you start to receive the frames of others.

24
00:02:28,270 --> 00:02:36,640
You know, Address Resolution Protocol, or ARP, is a network protocol used for mapping a network

25
00:02:36,640 --> 00:02:44,290
address, such as an IP address, to a physical address, such as a MAC address. A system asks for the

26
00:02:44,290 --> 00:02:50,970
owner of an IP address by sending an ARP request, and the owner of the IP address answers him with

27
00:02:51,010 --> 00:02:51,880
an ARP reply.

28
00:02:52,630 --> 00:02:56,890
‫What if the attacker replies first before the owner of the IP?

29
00:02:57,820 --> 00:03:04,360
Once the attacker's MAC address is connected to an authentic IP address, the attacker will begin receiving

30
00:03:04,360 --> 00:03:07,270
‫any data that is intended for that IP address.

31
00:03:07,900 --> 00:03:11,170
This is the basic principle of ARP spoof attacks.

32
00:03:12,150 --> 00:03:19,050
ARP poisoning can be achieved because of the lack of authentication in the ARP protocol, so the attacker

33
00:03:19,050 --> 00:03:22,290
can send a spoofed ARP message onto the LAN.

34
00:03:24,010 --> 00:03:26,890
‫Would you like to make the attack much more powerful?

35
00:03:27,160 --> 00:03:27,980
‫Mm hmm.

36
00:03:28,000 --> 00:03:29,250
‫I suspected as much.

37
00:03:29,890 --> 00:03:38,620
Then you've got to replace your MAC with the gateway, so every packet sent by the victim will be in your

38
00:03:38,620 --> 00:03:39,820
‫malicious hands.

39
00:03:40,630 --> 00:03:42,260
‫But we are ethical hackers.

40
00:03:42,280 --> 00:03:42,760
‫Remember?

41
00:03:43,940 --> 00:03:51,560
Dynamic Host Configuration Protocol, DHCP, is a protocol used to provide automatic and central management

42
00:03:51,560 --> 00:03:58,100
for the distribution of IP addresses within a single network. It is also used to configure the proper

43
00:03:58,100 --> 00:04:03,350
‫subnet mask, default gateway and DNS server information on the particular device.

44
00:04:04,350 --> 00:04:10,080
Now, similar to the other types of spoofing attacks, DHCP spoofing involves an attacker pretending

45
00:04:10,080 --> 00:04:15,150
to be someone else, in this case acting as the legitimate DHCP server.

46
00:04:16,020 --> 00:04:23,100
Since DHCP is used to provide addressing and other information, a client losing control of this part

47
00:04:23,100 --> 00:04:24,810
‫of the network can be very dangerous.

48
00:04:25,970 --> 00:04:34,340
In DHCP spoofing attacks, the attacker places a rogue server on the network, and as clients are turned

49
00:04:34,340 --> 00:04:41,960
on and request an address, the server with the fastest response is used. If the device receives a response

50
00:04:41,960 --> 00:04:49,100
‫from the rogue server first, the rogue server can assign any address as well as control which device

51
00:04:49,100 --> 00:04:50,960
‫it uses as a gateway.

52
00:04:51,920 --> 00:04:59,180
‫So a well-designed attack can collect traffic from local hosts to a rogue server that logs all traffic

53
00:04:59,180 --> 00:05:04,890
‫and then forwards out the traffic to the correct gateway or to the device.

54
00:05:05,270 --> 00:05:07,720
‫So this action would be almost transparent.

55
00:05:08,330 --> 00:05:12,230
‫Thus, the attacker can steal information almost invisibly.

