Traffic Capture (part 3) Address Resolution Protocol ARP

Video Activity

This video covers Address Resolution Protocol (ARP). ARP is the protocol used to translate IP addresses into the MAC addresses of network adapters, which tells hosts where to send their traffic. Participants are given step-by-step instructions on using ARP. This video also discusses ARP spoofing.


Time: 14 hours 26 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Transcription
00:04
I mentioned we would talk about ARP. We saw in our Wireshark capture that there were packets for Address Resolution Protocol. What that's going to do is basically translate the IP address to a MAC address
00:17
of the network adapter. So an IP address, at least in IPv4, is a good deal easier to remember than a MAC address. Not so much an IPv6 one. It'll tell hosts where to send the traffic. So basically, we call out to the broadcast and say, "Who has this IP address?" and someone writes back, "Hey, I have that IP address."
00:36
The only problem is that there's no requirement that machines tell the truth.
00:41
It is possible to do something called ARP spoofing.
00:46
So we've got a little diagram here. So here's my Kali. Here's my XP. And here's my Ubuntu. Kali's in the middle.
00:53
So what we're going to do is tell these machines, in a case like this of the FTP request, we're going to tell both Ubuntu and XP that we are the other one. So where they should just talk to each other, instead they're going to send all their traffic through us on Kali, and we're going to forward the traffic accordingly so they'll still be able to speak. But we'll be able to see all the traffic. You can also do this against,
01:23
like, the network switch,
01:26
whatever the gateway is, so you can see all traffic going in and out of an environment. The only downside with that is, particularly when you're using a VM like this, you could actually cause a
01:37
denial of service condition, because
01:41
your machine just may not be able to process all the traffic fast enough, so you'll end up actually slowing down or even bringing down the network in that case. So be careful about doing the gateway.
01:51
But just against these two systems here, it should be fine.
01:55
Let's actually look at an example of doing this.
01:59
Can they draw the slides for the class so you can see them there?
02:04
All right, so let's come back over here to Kali. I've still got my Wireshark running, and open up
02:12
Who's this?
02:14
We'll use a tool called arpspoof as well. See, there's lots of different tools that will do this automatically, but we'll just do this kind of bit by bit. We're going to start with the tool called arpspoof which, as the name implies, is built to do ARP spoofing.
02:28
So the interface we want is eth0, which we can check here, of course. That's our network interface,
02:36
arpspoof -i eth0
02:39
and our target
02:43
is going to be 192.168.1.76
02:47
and we're going to tell 192.168.1.76, which is XP,
02:53
that we are 192.168.1.80, the Ubuntu machine. Before we do that, there's actually one other thing I need to do.
03:01
I forgot. I mentioned that we do need to make sure that the traffic forwards, because if we do this, sure, the traffic will come to us. But if we don't forward it on to the correct destination, we'll definitely create a denial of service.
03:15
So what I want to do, if I look at /proc/sys/net/ipv4/ip_forward, it's currently set to zero. I want to change that value
03:35
to one. That's just going to tell it exactly that: that we want to forward any extraneous traffic that comes to us to the correct place. So this will keep the traffic moving.
03:46
Perfect.
03:50
We'll also run arp and actually see our table. Right now it looks like I've actually got
03:57
a lot of things. Probably when I did that ping sweep
04:01
in the first module this happened. It says it has "incomplete" next to a lot of things that don't actually have ARP entries.
04:13
Nothing replied,
04:15
But we'll see if we have anything for 76, since we just talked to it.
04:25
Yeah, here it is. 76.
04:27
So that's not ideal that my ARP table's so big, but 00:0c:29:85:33
04:36
That should be correct. But if I come over to
04:42
XP, I should have the same thing.
04:46
Well, let's see. So let's go over to Ubuntu
04:51
and run arp.
05:04
Um, so 76 again: 00:0c:29:85:33.
05:13
See? And it also knows the gateway,
05:17
so I don't know, my MacBook, but that's not important. It's not in play. So we have the correct MAC address there. So the hardware is just VMware.
05:31
Who are you? XP. So we'll see that that changes once we do the arpspoof.
05:38
All right. So I'm back over here, and our target here is going to be XP, and we're telling it that we are Ubuntu.
05:51
Likewise, we need to do it the other way around. We need to do arpspoof,
05:58
and the interface is eth0, and the target is Ubuntu. We want to flip our IP addresses around,
06:06
and we want to tell it we are.
06:10
You can see that it's basically sending a ton of unsolicited ARP replies. So when
06:17
these machines are looking for the correct place to send traffic,
06:23
you'll get all these replies, which will poison the ARP cache and should change
06:29
that value.
06:30
Come back over to Ubuntu.
06:33
See if it's already changed. It may not change until they actually try and talk to it.
06:44
So it was, for XP,
06:48
00:0c:29:85:33,
06:57
and now it's 00:0c:29... So the first parts are the same. That's not surprising, though, as the first parts of it are going to be based on the vendor, and it all came from VMware. Then it's 4c:70:00.
07:12
So it looks like it has changed. Now if we do ftp
07:21
georgia, and password "password",
07:26
do a dir. Did you see that?
07:28
creditcards.txt. But come back over to
07:31
Kali, get my Wireshark, and see all these, like, retransmissions. That's what all the black is. We're getting stuff that's extraneous. It doesn't belong to us.
07:41
See, it's like source 1.76, destination 1.80, and we're 1.77. So it's retransmitting it
07:50
because we did tell it to do the forwarding. So it is doing exactly what we want. Now, if we do our FTP,
08:00
now, we see
08:01
user georgia, password for georgia is required, password is "password".
08:09
Now we're logged on.
08:13
Request for LIST. That's the dir.
08:18
We actually don't see the transfer though,
08:22
just opening data channel, so that should be FTP data. So what if we do ftp-data?
08:33
Here's FTP data, 260 bytes.
08:37
This is just going to be a list, not an actual file.
08:41
But here it is,
08:45
you have FTP data:
08:54
creditcards.txt.
08:58
So what if
09:01
a person over here decided they would like to get creditcards.txt?
09:11
I don't... probably, I don't know why I gave it the spaces. I'm going to have to escape it.
09:18
So I downloaded creditcards.txt over here. Exit,
09:24
and then cat out
09:26
creditcards.txt: fake credit card numbers. Okay. Not that interesting, I realize, but it could be real credit card numbers. But again, I shouldn't be able to see any of that data
09:39
because I am not the source or the destination. They shouldn't be sending stuff like credit cards in plain text, and usernames and passwords shouldn't be sent in plain text. But, you know, insecure protocol use happens. At least no one else should be able to see the data besides the source
09:56
and the destination. But if we come back over here,
10:01
I should be able to see
10:03
data.
10:09
Let's clear that. ftp or ftp-data, then apply.
10:20
So we did our LIST command. And then
10:24
here's your file, and then the get.
10:31
Opening data channel for file transfer. Here's your 24 bytes,
10:39
the fake credit card numbers. So if this was, like,
10:43
um, not text. If it wasn't just, like, text data, we could just do a hex dump of it,
10:48
or raw would be the bytes, and we could output it into a file and then decode it somehow, open it in the correct software to parse it. But in this case, it's just a text file, so
11:03
we can get sensitive data this way. So never send things in plain text. And this is why: you may be able to say, "Well, no one else will be able to see it on this switched network." Well, if something like this ARP cache poisoning is happening, then absolutely someone else will be able to see it.
11:20
You may or may not be able to do this on your pen test. I mean, a lot of times I'm just
11:24
too worried about networks going down or being adversely affected. But sometimes you may be able to do it, so it's certainly worth knowing how to do
11:35
for sure. So let's look at a few more things we can do with our traffic capture. Now that we've got the basis in place where we're able to
11:45
capture this traffic, maybe we can see some other things as well.