7 hours 6 minutes
Hey, everyone, welcome back to the course in this video. We're gonna talk about some of the basic sniffing attacks that we can dio.
So let's talk about our different attacks, and we'll just go over real quick and then we're actually going to each individual once we have Mac flooding is one common attacks. Which port stealing. We've also got d HCP attacks. We've got our Pataxo are poisoning attacks, Mac spoofing attacks, DNS poisoning as well. So let's talk about each one of these individually.
So our max flooding attacks.
So each switch has what's called a contract content addressable memory table or cam table. Mrs. More commonly called Now this is basically a fixed sized dynamic table.
And so this stores information like the Mac addresses, for example, that are available on physical ports and then associates, um,
with their network connection. And what we do with the Mac flooding attack is we're flooding that camp table. So once that table is full on the switch, then additional art traffic AARP request will flood every port on the switch.
So essentially, what this does is what we talked about in the previous video of
injecting packets. Uh, in to cause a switch to focus, to work more as a hub. Right. So what this does what Mac flooding does is it will change the behavior switch so essentially it reset, and then it's gonna broadcast on every port. So it's gonna broadcast that traffic on every port like we talked about before
on again, similar to what a hub would do.
And so in this attack were essentially just flooding those camp tables with a fake Mac addresses and I p pairs and just flooding it, flooding it until it's full.
So next we have switch ports stealing this one uses Mac flooding as well to sniff the packets. So essentially they will flood the switch with our packets off. Forged our packets.
Um, with the target Mac address as a source, though, and then its own A Mac address as a destination. So the attacker will put their Mac address or the Mac address of the machine that they want as a destination. And they'll,
uh, send all these are packets to the switch.
And so the whole goal with this particular one is trying to direct those packets back to the attacker, right? So instead of the target intended target Host the Attackers trying to get that information back to them.
Next, we have d HCP starvation attacks. So this is a denial of service type of attacks, again affecting that availability of the CIA tree. Odd. This is an attack on the D H C P servers. Now, this is where the attacker is gonna broadcast Forge DCP request. And essentially, they're trying to lease all the d A. C P
addresses that are available within that d HCP scope. So essentially, what parameters we've set in there
and by doing this, what they do is legitimate users that need to renew an I. P address. They're not able to actually go ahead and renew that I p address because all of the requests are taken up by the attacker
and some tools we can use for this are things like gobbler or DCP starves Another one a zwelling your sena.
Next, we have DCP road server s. So this is where the attacker actually sets up a d h c P server in the network and then the attacker server response to DCP request with bogus I p addresses eso This results in compromise network access.
And so this is typically going to be used in conjunction with the d HCP starvation attacks. So essentially theater actors gonna bump off that user from three genuine D H C P server and then have them go over to the D H p, the rogue server, and uh and then go ahead and give them that fake I p address at that point.
Next, we have our ARP spoofing attacks, or sometimes called are poisoning attacks.
And this is where the Attackers gonna forge is our packets to be able to send data back to their machine S O. They basically create a large number of forge our packets,
and then there the goal is to try to overload the switch and get it to go into affording mode. So once they flood the AARP table, the switch will fail safe and affording mode. And essentially, the attacker will then be able to sniff all the network packets.
And so some tools I can use Thio do this are things I can enable, or even like when AARP attacker.
Next, we have Mac spoofing.
So this is where the attacker is gonna go ahead and sniff for valid Mac addresses of clients that are associated with the switch ports. And then essentially, just they're just gonna go ahead and pretend that they're that particular device.
So essentially all they're doing here is Aziz. The attacker is gonna take over that devices identity. Um,
because the device is already authenticated on the network
and smack is one of the tools that we can use that allows you to change the mac addresses for any NIC cards on Windows systems.
Next, we have DNS poisoning. So this is an attack that basically tricks to DNS server into believing it's received authentic information. What it actually hasn't, right? So what happens is the adversary will replace legitimate I P entries on the DNS server with the fake I P addresses.
So one of the things they might do with those I p addresses, they might create some that are that contain malicious content. So when you go to that, I p address it, send you to a malicious site
so we might see this like on the intranet eso the attacker has access to the local network. They can sniff the packets From there. We might also see it externally done through something like a Trojan
where the attacker attacks Susie Q's machine with the Trojan and then changes Heard D N s I p address to the Attackers i p address.
So just a quick, quick question here for you.
This type of attack. The adversary identifies Mac addresses on the network that are associated with the port and changes their Mac address to the one that's identified so that Mac spoofing are poisoning or DNS poisoning.
All right, so if you guess Mac spoofing you are correct. Ah, lot of a lot of the answer was actually in the question, right? You notice the basically the spoofing of the Mac address.
So in this video, we just cover some of the common types of sniffing attacks.