Kali Linux: Hacking ARP

Key Takeaways

in this video I'm gonna show you multiple attacks I'm firstly going to show you how to poison app caches on PCs app or address resolution protocol is a fundamental building block in networks today basically it allows devices to learn the MAC addresses of other devices on an Ethernet network once we've poisoned the OP cache of a device we're going to implement a man-in-the-middle attack where we view the passwords and data sent between multiple devices in our network I'm going to show you how to capture usernames and passwords as well as data sent between a router and a host in our topology but rather than just talking about this I want to show you practically how this actually works I'm going to show you using wireshark captures how op works how op caches are then poisoned using ettercap and how we can implement a man-in-the-middle attack using a virtual network running in this example in even G [Music] if you enjoyed this video please consider subscribing to my youtube channel please like this video and please click on the bell to get notifications when I post a new video disclaimers always the information shared here is for educational purposes only don't use the information that I'm sharing here to go and hack a public network that you don't have permission to hack only hack networks that you have explicit permission to hack or test networks such as the one that I'm showing you here in this example I'm using even G in the cloud but even G allows you to virtualize networks on your laptop it's great software I'd recommend that you use even G or gns3 or cisco viral if you want to learn how to build networks and virtualized networks on your laptop so let's look at this practically so on the Windows 10 host what does the app cache currently look like so firstly ipconfig shows us the IP address of this host it has IP address 10 1 1 100 default gateway is 10 1 1 2 5 4 which is the router in this topology so here's the router it's a Cisco router but you could use any router if you prefer show IP interface brief this is the IP address of the gigabit 0/0 interface that is the interface connecting the router to the switch in our topology the router has this MAC address on gigabit 0/0 so show interface gigabit 0/0 shows us that the MAC address is 5 0 0 1 triple 0 9 followed by 4 zeros on the windows 10 host op - a this is the MAC address associated with that IP address in other words this device has learnt the MAC address of the router correctly 5 0 0 1 followed by three zeros and a 9 followed by four zeros that's the MAC address of the router now to prove the point I'm going to delete the odd cash on the PC but before I do that to run Wireshark so that we can see what's going on I'm going to run Wireshark on Ethernet a zero that's the Ethernet interface connecting the PC to our network so here's our wireshark capture we see a lot of traffic but I'm going to filter for up Windows 10 sends a lot of traffic into the network so what I'm going to do is delete the app cache and what you'll see is op traffic has been generated in Wireshark we can see that device with MAC address starting with five zero zero one is sending a broadcast into the network this is an app asking who has IP address ten one one two five four tell ten one one one hundred okay so ipconfig /all shows us that this PC our Windows 10 host has this MAC address the local PC where this MAC address is sending a broadcast into the network asking for the MAC address of ten one one two five four notice the target MAC address is blank it's a bunch of zeros that's because the PC doesn't know the MAC address of the router it's asking for the MAC address of the router basically saying who has this IP address the router then replies back saying I have this IP address and here's my MAC address that's sent as a unicast back to the PC so basically the PC sends a message into the network it's a broadcast that's flooded by the switch the router replies back with its MAC address it's a unicast that gets sent to the PC so that the PC can learn the MAC address of the router now on the switch this is a Cisco switch show MAC address table we can see the MAC address of the PC and the MAC address of the router those MAC addresses have been learnt by the switch the switch currently hasn't learnt the Kali Linux host MAC address yet we can see that the PC is on gigabit 2:01 and the router is on gigabit zero to those MAC addresses we'll learnt it dynamically so pcs on this interface router is on this interface so on the Kali Linux host I have config pipette to more IP address of Kelly is that MAC address is this I'll ping the default gateway just to generate some traffic cancel that on the switch show MAC address table the switches now learnt the MAC address of the Kelly olynyk's host okay so this is where it gets interesting in Kelly Linux I'm gonna go to applications sniffing and spoofing and select etic app I'm gonna go to snuff I'm using a unified sniffing because I only one is enough one interface which is Ethernet 0 so unified sniffing has started I'm then gonna go to hosts scanned for hosts so we're going to scan for hosts in the network it's scanned for 255 hosts in our subnet notice two hosts have been added to the hosts list yet a cap has discovered two hosts in our network we can view those hosts by going to hosts hosts lists and we'll see our two devices 10 1 1 100 is the Windows PC 10 1 1 2 5 4 is our router so I'm going to add the router to target 1 I'm gonna add the windows host to target 2 on the windows host you'll notice a bunch of our broadcasts have been sent out from 10111 56 which is our Kelly Linux host once again I have config pipe more this is the IP address of the hacking host now that we've discovered the hosts in the network and specified our targets next step is to implement a man-in-the-middle attack and we're going to implement op poisoning we're going to snuff the remote connections and click OK so we are poisoning these two devices 10 1 1 2 5 4 in Group 1 and 10 1 1 100 in group 2 back on the windows host the device is receiving op messages stating that this IP address is using this MAC address on the router show interface gigabit is 0 0 this is the MAC address of the actual browser 5001 0 0 0 9 note that is different to what we're seeing here this is 5 double 0 1 triple 0 2 not 5 0 0 1 triple 0 9 so on the windows host if we look at the op cash so op - a this IP address is using the same MAC address as this IP address which is our Kelly Linux host so on Kelly let's start Wireshark so that we can sniff traffic we've implemented a man-in-the-middle attack now because when traffic is centered to the router it's actually going to be sent to the Kali Linux host on the switch once again show MAC address table this MAC address is the Kali Linux host MAC addresses found on gigabyte to 0 0 the router using this MAC address is actually found on gigabit zero 2 so the traffic is going to flow to the Kali Linux host and then to the router so on Kali I'll start a wide shot capture on Ethernet 0 we can see a bunch of traffic but let's filter for telnet now in this example let's assume that the administrator made a bad decision and enable telnet on the router so when I open up putty I'm going to use telnet and I'm going to tell it to the router 10 1 1 2 5 4 I'm prompted for a password which I'll enter and login the font is very small so I'll change that so I'll change the appearance of putty make this bigger so there you go what you'll notice is I was prompted for a username and password which I entered and I've been able to login to the router I'll type in able to go to privileged mode and enter my password some now in privilege mode on the router and if I type something such as show run I'll see the running configuration of the router displayed on the windows computer however all that data has been captured by the Kali Linux host traffic from 10 1 1 100 the PC going to the router scrolling down we can see a password prompt as an example and then we can see the password see I s-see oh it's not very easy to see that however so I'm going to right click here and go to follow TCP stream and what you'll notice is the password is displayed so there's the original password in other words the talonnet password here's the enable password and here's the full running configuration of the Radha displayed on the Kelly olynyk's host I've been able to capture the entire Telenet session between the host and the router because the traffic is going through the Kali Linux host we have poisoned the ARP cache on the windows computer now the same thing is true if we used HTTP on the Windows PC so I'll open up a browser and browse to the router 10 1 1 2 5 4 and login with my password of Cisco Cisco back in Kelly I'll search for HTTP now the windows host is sending HTTP traffic not just to the router so I'll filter for IP address equals 10 1 1 2 5 4 so we see traffic from the Windows PC to the router and not to other destinations on the internet so scrolling down we can see that the rod is saying this session is unauthorized so the PC is now sending authorization information including the username and password to the router so we've been able to capture the username and password because it's sent in clear text from the PC to the router you shouldn't be using clear text protocols in your network today so in other words we shouldn't be using telnet we shouldn't be using HTTP we should be using encrypted protocols but I've been able to capture the username and password of the router through telnet and HTTP by simply implementing an etic app op poisoning attack now a lot of Cisco engineers will back up the configuration of a router using TFTP so we'll use a commands such as copy running-config TFTP and in this example i'll specify the windows host as the TFTP server before I press ENTER there on the windows host I'm going to run TFTP 32 which is the TFTP server so that TFTP server is now running on the Windows PC on the road I'll press ENTER now to back up the configuration to the TFTP server I'm getting permission denied there so let me try that again and I'll specify different file name back on the TFTP server here's a problem I'll specify security is none once again that's not necessarily a good idea I'll specify the desktop as the destination folder and click OK so try that again it's a copy running-config TFTP specify the TFTP server specify the file name and notice you can see the configuration was copied successfully now that's ok but back on a Kelly Linux host I'll filter 40 FTP and you can see the file name there there was a TFTP error so what I'll do actually scroll all the way to the end so that we see the successful right here's an acknowledgement of a block of data TFTP sends data in blocks so the sender will send a block of data the receiver will send back an acknowledgement so there's an acknowledgement of part of data here's the actual data from the router to the TFTP server I'll right-click on the data and show packet bytes there's the last part of the riders configuration so that's okay but let's see if we can get some passwords so scrolling right up to block one passwords are at the top of the router configuration so here's block one sent from the router to the TFTP server right click and select show packet bytes as you can see there that's the enable password of the router we can see the entire router configuration by simply looking at the blocks of data so he has blocked to look at that block of data here's the loopback interface IP address there's gigabit a zero zeros IP address now it's once again bad practice to use clear text protocols in networks today you should be using encrypted protocols wherever possible you can also stop this kind of nonsense in networks today by implementing dynamic op inspection on your switches I'll show you how to stop these kind of hacks in subsequent videos this video is getting too long now this is a troubleshooting hint if traffic is not being forwarded by your Kelly Linux host type of this command this command forwards IP version 4 traffic so it basically allows the Kelly Linux host well any Linux host to receive traffic and then forwarded on when destined for another host so it basically acts as a router receive traffic for another device and basically sends it back into the network so if you have issues forwarding traffic then use of this command ok so in this video I showed you how to implement a man-in-the-middle attack using ARP poisoning using the application attack app which is available in Kelly Linux now once again if you enjoyed this video please consider subscribing to my youtube channel please like her this video and please click on the bell to get notifications when I post a new video I'm David bumble and I want to wish you all the very best [Music] you [Music]