Time
31 hours 29 minutes
Difficulty
Beginner
CEU/CPE
30

Video Description

Address Resolution Protocol

This lesson covers ARP, which stands for Address Resolution Protocol. ARP allows computers to discover which IP address is associated with which MAC address. ARP helps us discover what specific network interface card a packet is being sent to. ARP requests allow us to form tables so we can map ports to different MAC addresses and send specific packets to specific MAC addresses.

Video Transcription

00:04
Next, we have ARP. Now, ARP stands for Address Resolution Protocol.
00:10
Address Resolution Protocol is how our computers find out
00:15
which IP address is associated with which MAC address. So
00:20
ARP falls under the data link layer, layer 2.
00:25
But again, it's sort of like our layer 2.5, almost, because we're determining IP address to MAC address.
00:32
Now,
00:33
ARP is not going to assign
00:36
MAC addresses to IP addresses like our IP, our IPs.
00:42
The IP part of our IP suite does do that. The IP part of our IP suite is what we use for assigning addresses, assigning logical addresses to physical addresses. Our DNS helps resolve those. ARP is just going to... our DNS is going to resolve fully qualified domain names to IP addresses
00:59
and ARP is going to resolve IP addresses to MAC addresses,
01:03
so don't confuse DNS with ARP. DNS is
01:07
if we were to, uh, how we translate google.com to an IP address.
01:14
ARP is how we translate an IP address to a network interface card address.
01:19
Now that we know what IP address we're trying to send a packet to,
01:23
ARP will let us know and helps us find out
01:26
what specific network interface card we're sending a packet to.
01:32
So it's not just enough that we know, okay, what logical address am I sending this packet to? I need to know exactly which cable and exactly which network interface card this packet goes to.
01:44
ARP requests are used in order to form tables which allow us to map. They allow us to map ports to different MAC addresses. They allow us to send specific packets to specific MAC addresses. And ARP requests, if you're using programs such as Wireshark, which captures packets
02:02
and digests those packets for you, a protocol analyzer,
02:06
protocol packet capture software, you'll see requests that say they're ARP protocols and they'll say something similar to "Who is X? Tell X."
02:17
And those X's will be replaced by IP addresses. So ARP will say "Who is 192.168.1.1? Tell 192.168.1.3."
02:30
So you're essentially having a client and, say, 192.168.1.1, say that's your, that's your default, that's your default gateway.
02:39
And one of your clients is saying, okay, I need to find out what MAC address this is. So
02:46
tell,
02:46
I need you to tell me what MAC address 192.168.1.1 is because that was my default, that's my default gateway. I need to know what MAC address that is. I need to know where I need to point this to. ARP can also be a good way to see if someone's trying to do something like enumerating our network.
03:05
If someone is trying to use a program on their computer to find different objects in our network
03:14
and find out if something is running in our network and find out what our network topology looks like, they may be using ARP.
03:22
ICMP requests, ping requests,
03:24
are a bit bigger packets, and they're requesting echoes back. ARP requests aren't as big packets,
03:32
and they're just sort of enumerating on our network and looking around. So say we plug in our protocol analyzer, we plug in our Wireshark, and we see, whoa,
03:43
I have, like,
03:44
an ARP request for every single IP address in the 192.168.1 range and they're just going sequentially. I have an ARP request for 192.168.1.1, 192.168.1.2, 192.168.1.3.
03:59
And you have one particular client that's requesting the information for all of those IP addresses.
04:04
That's not normal.
04:06
If you're seeing that, all that additional ARP traffic on your network asking for
04:13
all of the IP addresses in a range, then you might wanna watch out.
04:16
Um, that may be an indicator that someone is trying to get ready to do something. They might be getting ready to do ARP poisoning.
04:25
ARP poisoning is where we are...
04:30
We have one device that is about to masquerade as someone else and perform a man-in-the-middle attack, essentially, where they're going to wait until they hear an ARP request. They're going to wait until they hear someone ask. So our device goes out and finds out.
04:50
Okay, I'm gonna do an ARP request on
04:53
all the devices in this range.
04:55
Okay, this is everyone's default gateway because this is the router. This is the router everybody's going through.
05:00
The next time somebody asks
05:02
who the router is, I'm gonna say it's me.
05:05
So the next time someone says, "Who is 192.168.1.1?",
05:11
I'm gonna say it's me.
05:13
So now we have a computer. We have a victim client
05:16
and we have an attacker computer,
05:20
a badly drawn attacker computer, but it's a beat-up old attacker computer.
05:25
And this attacker computer says, oh yeah, 192.168.1.1, that's me now.
05:31
So whenever the victim computer is going to send data that it thinks it's sending to its default gateway, it's sending to its router, instead it's going to send that now to the attacking computer
05:42
because that attacking computer has said, now I want you now to associate this IP address with my MAC address.
05:48
This is used especially in this... this wouldn't be as necessary in a hub environment,
05:54
because a hub is gonna send packets to everybody, doesn't care.
05:58
This is especially notable for
06:00
a switched environment where the switch is only going to send packets to who they belong to. And so this device is going to essentially pull in those packets.
06:13
So we're performing this man-in-the-middle attack.
06:16
The victim is now sending all their packets to us. We're scanning them and reading them,
06:21
and then we're passing them along to the router after we read them.
06:28
So we can read those packets. We may be performing some other... we may be performing some other SSL stripping, or we may be doing things that are even more insidious than just scanning people's packets. But, um,
06:43
ARP is a very important protocol,
06:46
and it's very important to keep an eye on your network and to keep an eye on different clients performing different ARP, different ARP operations, because you don't want to run into a situation where you're having these man-in-the-middle attacks going on, and you will be very careful with what's
07:04
speaking out and saying,
07:06
answering these
07:09
"Who is X? Tell X," because all it takes is someone with a little bit of computer knowledge or someone who has just
07:16
a little bit of Googling and YouTube experience to say, oh, I can download this cool program that can do man, that can completely automate man-in-the-middle attacks for me. And then in 10 minutes they're up and running and they're doing it, and they're capturing packets on your network by performing a man-in-the-middle attack, all thanks to you
07:34
using Address Resolution Protocol improperly.
07:39
So
07:40
that's our ICMP, IGMP and ARP protocols. These are network and data link layer protocols that do not have associated port numbers because we're not sending directly to a port number. So don't get these confused with our later protocols that do have port numbers
07:59
or run into a situation where
08:01
if you're on a test and you see a question like, which of the following protocols is the default protocol for port 80, and ICMP, IGMP and ARP are three out of the four answers, you're in luck then, because that fourth answer should be HTTP and is gonna be the right answer
08:18
because ICMP, IGMP and ARP don't have protocols associated with, uh, don't have port numbers
08:24
associated with them, but they are part of our TCP/IP, TCP/IP protocol suite.

Up Next

CompTIA Network+

This CompTIA Network+ certification training provides you with the knowledge to begin a career in network administration. This online course teaches the skills needed to create, configure, manage, and troubleshoot wireless and wired networks.

Instructed By

Anthony Harris
Systems Analyst and Administrator at SAIC
Instructor