Next we have ARP. ARP stands for Address Resolution Protocol. Address Resolution Protocol is how our computers find out which IP address is associated with which MAC address. So it falls under the data link layer, layer 2, but again, it's sort of like our layer 2.5, almost, because we're determining IP address to MAC address.
ARP is not going to assign MAC addresses to IP addresses like our IP suite does. The IP part of our IP suite does do that. The IP part of our IP suite is what we use for assigning addresses, assigning logical addresses to physical addresses. DNS helps resolve those: DNS is going to resolve fully qualified domain names to IP addresses, and ARP is going to resolve IP addresses to MAC addresses. So don't confuse DNS with ARP. DNS is how we translate google.com to an IP address. ARP is how we translate an IP address to a network interface card address.
Now that we know what IP address we're trying to send a packet to, ARP will let us know and helps us find out what specific network interface card we're sending a packet to. So it's not just enough that we know what logical address I'm sending this packet to; I need to know exactly which cable and exactly which network interface card this packet goes to.
ARP requests are used in order to form tables which allow us to map ports to different MAC addresses. They allow us to send specific packets to specific MAC addresses. If you're using programs such as Wireshark, which captures packets and digests those packets for you (a protocol analyzer, packet capture software), you'll see ARP requests, and they'll say something similar to "Who is X? Tell X", and those Xs will be replaced by IP addresses. So ARP will say "Who is 192.168.1.1? Tell 192.168.1.3".

So you're essentially having a client, and say 192.168.1.1 is your default gateway. One of your clients is saying, "Okay, I need to find out what MAC address this is. I need you to tell me what MAC address 192.168.1.1 is, because that's my default gateway. I need to know what MAC address that is; I need to know where I need to point this to." ARP can also be a good way to see if someone's trying to do something like enumerating our network.
If someone is trying to use a program on their computer to find different objects in our network, find out if something is running in our network, and find out what our network topology looks like, they may be using ARP. ICMP requests, ping requests, are a bit bigger packets, and they're requesting echoes back. ARP requests aren't as big packets, and they're just sort of enumerating our network and looking around. So say we plug in our protocol analyzer, we plug in our Wireshark, and we see, whoa, an ARP request for every single IP address in the 192.168.1 range, and they're just going sequentially: an ARP request for 192.168.1.1, 192.168.1.2, 192.168.1.3. And you have one particular client that's requesting the information for all of those IP addresses. If you're seeing all that additional ARP traffic on your network asking for all of the IP addresses in a range, then you might want to watch out. That may be an indicator that someone is getting ready to do ARP poisoning.
ARP poisoning is where we have one device that is about to masquerade as someone else and perform a man-in-the-middle attack, essentially. They're going to wait until they hear an ARP request; they're going to wait until they hear someone ask. So our device goes out and finds out: "Okay, I'm gonna do an ARP request on all the devices in this range. Okay, this is everyone's default gateway, because this is the router; this is the router everybody's going through. The next time somebody asks who the router is, I'm gonna say it's me. So the next time someone says 'Who is 192.168.1.1?', I'm gonna say it's me."

So now we have a victim client computer, and we have an attacker computer (a badly drawn attacker computer, but it's a beat-up old attacker computer). And this attacker computer says, "Oh yeah, 192.168.1.1? That's me now." So whenever the victim computer is going to send data that it thinks it's sending to its default gateway, its router, instead it's going to send that now to the attacking computer, because that attacking computer has said, "Now I want you to associate this IP address with my MAC address."
This wouldn't be as necessary in a hub environment, because a hub is gonna send packets to everybody; it doesn't care. This is especially notable for a switched environment, where the switch is only going to send packets to who they belong to, and so this device is going to essentially pull in those packets. So we're performing this man-in-the-middle attack. The victim is now sending all their packets to us; we're scanning them and reading them, and then we're passing them along to the router after we read them. So we can read those packets. We may be performing some other attack, like SSL stripping, or we may be doing things that are even more insidious than just scanning people's packets.
But ARP is a very important protocol, and it's very important to keep an eye on your network and to keep an eye on different clients performing different ARP operations, because you don't want to run into a situation where you're having these man-in-the-middle attacks going on. You want to be very careful with what's speaking out and saying "Who is X? Tell X", because all it takes is someone with a little bit of computer knowledge, or someone who has just a little bit of Googling and YouTube experience, to say, "Oh, I can download this cool program that can completely automate man-in-the-middle attacks for me," and then in 10 minutes they're up and running and capturing packets on your network by performing a man-in-the-middle attack, all thanks to you using Address Resolution Protocol improperly.
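As an added example (not part of the lecture), here is a small Python detector that runs over constructed, Wireshark-style ARP lines and flags the two warning signs described above: one client sending ARP requests for every address in a range (enumeration), and a gateway IP whose advertised MAC suddenly changes (the poisoner's "that's me now"). It uses Wireshark's actual "Who has X? Tell Y" wording for requests and "X is at MAC" for replies; the sample lines, hosts and MAC addresses are made up.

```python
import re
from collections import defaultdict

# Wireshark-style ARP info strings: requests "Who has X? Tell Y" and replies "X is at MAC".
REQUEST_RE = re.compile(r"Who has (\S+)\?\s+Tell (\S+)")
REPLY_RE = re.compile(r"(\S+) is at ([0-9a-fA-F:]{17})")

def parse_arp_line(line):
    """Return ("request", target_ip, sender_ip), ("reply", ip, mac) or None."""
    m = REQUEST_RE.search(line)
    if m:
        return ("request", m.group(1), m.group(2))
    m = REPLY_RE.search(line)
    return ("reply", m.group(1), m.group(2).lower()) if m else None

def detect_sweeps(lines, threshold=5):
    """Senders that asked 'Who has' for at least `threshold` distinct IPs: one
    client walking a whole range is the enumeration pattern the lecture describes."""
    asked = defaultdict(set)
    for line in lines:
        p = parse_arp_line(line)
        if p and p[0] == "request":
            asked[p[2]].add(p[1])
    return {s: len(t) for s, t in asked.items() if len(t) >= threshold}

def detect_mac_changes(lines):
    """IPs whose advertised MAC changes between replies (the poisoner's
    'that's me now' claim). Returns {ip: [(old_mac, new_mac), ...]}."""
    seen, changes = {}, defaultdict(list)
    for line in lines:
        p = parse_arp_line(line)
        if p and p[0] == "reply":
            _, ip, mac = p
            if ip in seen and seen[ip] != mac:
                changes[ip].append((seen[ip], mac))
            seen[ip] = mac
    return dict(changes)

# Constructed sample traffic (not a real capture): two normal gateway lookups,
# host .77 sweeping 192.168.1.1-6, then the gateway IP answered by a different MAC.
SAMPLE_LINES = [
    "Who has 192.168.1.1? Tell 192.168.1.3",
    "192.168.1.1 is at aa:bb:cc:00:00:01",
    "Who has 192.168.1.1? Tell 192.168.1.5",
    "192.168.1.1 is at aa:bb:cc:00:00:01",
] + [f"Who has 192.168.1.{i}? Tell 192.168.1.77" for i in range(1, 7)] + [
    "Who has 192.168.1.1? Tell 192.168.1.3",
    "192.168.1.1 is at de:ad:be:ef:00:77",
]
```

Calling `detect_sweeps(SAMPLE_LINES)` reports host 192.168.1.77 for asking about six addresses, and `detect_mac_changes(SAMPLE_LINES)` reports the gateway 192.168.1.1 flipping from its original MAC to the new one.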
So that's ICMP, IGMP and ARP. These are network and data link layer protocols that do not have associated port numbers, because we're not sending directly to a port number. So don't get these confused with our later protocols that do have port numbers, or run into a situation where, if you're on a test and you see a question like "Which of the following protocols is the default protocol for port 80?" and ICMP, IGMP and ARP are three out of the four answers, you're in luck then, because that fourth answer should be HTTP and is gonna be the right answer, because ICMP, IGMP and ARP don't have port numbers associated with them, but they are part of our TCP/IP protocol suite.