1
00:00:00,360 --> 00:00:06,660
This is one of multiple videos where I'm showing you how to hack networks using Kelly Linux in previous

2
00:00:06,660 --> 00:00:13,080
videos I showed you how to download and install Kelly Linux on Windows 10 computer using a pre-built

3
00:00:13,080 --> 00:00:16,530
image that you can download from Kelly dot org.

4
00:00:16,530 --> 00:00:23,040
I also showed you how you can hack Cisco networks when a switch is badly or poorly configured.

5
00:00:23,040 --> 00:00:29,790
It's important that you configure networks properly otherwise it's very easy to hack networks such as

6
00:00:29,790 --> 00:00:36,630
Cisco networks using Kelly Linux and thus video I'm going to show you how easy it is to break networks

7
00:00:36,690 --> 00:00:38,290
that are badly configured.

8
00:00:38,310 --> 00:00:40,230
We're going to use two protocols.

9
00:00:40,230 --> 00:00:43,440
The first one dynamic trucking protocol or DDP.

10
00:00:43,440 --> 00:00:46,950
And the second one to VTB or VLAN trucking protocol.

11
00:00:47,130 --> 00:00:53,850
We basically going to do things to the network by leveraging those two protocols.

12
00:00:53,850 --> 00:01:00,120
I'm going to show you as an example how you can take devices off the network by sending VTB packets

13
00:01:00,120 --> 00:01:02,800
to a Cisco switch using Kelly Linux.

14
00:01:02,880 --> 00:01:10,880
So we basically going to delete Evie lands from a switch by simply injecting VTB packets into the network.

15
00:01:10,950 --> 00:01:16,740
Kelly Linux in our example will be configured on one VLAN will have hosts on a separate VLAN but that's

16
00:01:16,740 --> 00:01:17,610
not going to stop us.

17
00:01:17,610 --> 00:01:21,690
We're going to use DDP to form a trunk with a Cisco switch.

18
00:01:21,690 --> 00:01:24,140
Have visibility of a separate DV land.

19
00:01:24,150 --> 00:01:26,240
So Kelly Linux will be in one V Line.

20
00:01:26,250 --> 00:01:27,620
Let's say we land one.

21
00:01:27,830 --> 00:01:30,660
Our host will be in a separate Vila let's say v land too.

22
00:01:30,750 --> 00:01:36,810
We'll say DTP packets to the switch so that we have visibility of those hosts from our Kelli linux host.

23
00:01:36,810 --> 00:01:42,570
And then what we'll do is use v DP to delete a v lands automatically on a Cisco switch.

24
00:01:42,690 --> 00:01:49,830
Basically removing devices in one VLAN from the network is

25
00:02:01,190 --> 00:02:01,760
a right.

26
00:02:01,770 --> 00:02:09,210
Without further ado let me show you how to hack Cisco networks at the moment on the switch show interface.

27
00:02:09,210 --> 00:02:13,500
Trunk shows us that they are no trunk ports on the switch.

28
00:02:13,650 --> 00:02:14,840
Show interface gigabit.

29
00:02:14,880 --> 00:02:21,150
0 1 switch port shows us that this port there's the command again.

30
00:02:21,150 --> 00:02:31,170
This port is configured to use DTP but at the moment it's a static access port administrative mode it's

31
00:02:31,170 --> 00:02:32,230
dynamic order.

32
00:02:32,310 --> 00:02:42,210
Bad idea to use DTP show run interface gigabit 0 1 shows us that this port is configured with a default

33
00:02:42,210 --> 00:02:43,200
configuration.

34
00:02:43,200 --> 00:02:52,440
That's a bad idea because what we can do is launch a DTP attack and enable truncate by simply selecting

35
00:02:52,440 --> 00:02:54,250
that option and clicking Okay.

36
00:02:54,400 --> 00:03:03,140
Yesenia sees that there's a switch using Access order which is what we saw over here.

37
00:03:03,140 --> 00:03:04,260
Dynamic order.

38
00:03:04,910 --> 00:03:10,730
But in the output of the switch we can see that the interface went down and came up again gigabit 0

39
00:03:10,740 --> 00:03:13,010
1 went down.

40
00:03:13,010 --> 00:03:16,280
Now gigabit 0 1 has come up.

41
00:03:16,280 --> 00:03:23,720
And if we use the same command again show interface trunk noticed trucking is now enabled on gigabit

42
00:03:23,810 --> 00:03:32,180
0 1 gigabit 0 1 is using attitude at one key the villain wanted to face on the switch or the XVI or

43
00:03:32,180 --> 00:03:37,750
switched to virtual interface came up because we have an interface in that VLAN but again show interface

44
00:03:37,760 --> 00:03:47,990
trunk native vlan is VLAN one on this port but trucking is now used using editor at 1 q motors auto

45
00:03:48,440 --> 00:03:53,030
v lands 1 and 2 are allowed across that trunk.

46
00:03:53,120 --> 00:04:03,510
That means that Kelly Linux will have visibility of the P.C. in Valenti show run interface gigabit 0

47
00:04:03,520 --> 00:04:06,020
1 no configuration on that port.

48
00:04:06,560 --> 00:04:13,440
But the Mac book is in VLAN to notice it's been configured in feeling too.

49
00:04:13,730 --> 00:04:19,850
And if we type show interface gigabit 0 to switch port we can see through this command that that port

50
00:04:19,880 --> 00:04:23,950
gigabit 0 2 is configured in V land 2.

51
00:04:24,210 --> 00:04:33,780
It's currently acting as an access port again Kelly Linux which is supposedly in VLAN one will be able

52
00:04:33,780 --> 00:04:39,760
to see traffic center by devices and Valenti before we look at that.

53
00:04:39,780 --> 00:04:44,490
Let's have a look at spanning tree again so show spanning tree for VLAN 1.

54
00:04:44,730 --> 00:04:52,560
The switch is no longer the route it has a cost of 4 to get to the root switch gigabit 0 1 is its route

55
00:04:52,560 --> 00:05:01,980
port to get to the route switch for violent to it's the route noticed gigabit 0 1 and 0 2 on not designated

56
00:05:01,980 --> 00:05:13,250
ports previously we only saw gigabit 0 2 in the output there so back in Kelly Linux let's start why

57
00:05:13,250 --> 00:05:13,830
a shock

58
00:05:16,670 --> 00:05:24,720
select capture start you can see that we are capturing a bunch of traffic on the network including spanning

59
00:05:24,720 --> 00:05:25,020
tree

60
00:05:27,900 --> 00:05:37,830
bunch of other traffic seen here but let's falter for DHEA P on the MacBook currently has this IP address

61
00:05:38,550 --> 00:05:46,680
I'm going to disable the Ethernet interface on the MacBook I'll enable it again so that it sends a DHB

62
00:05:46,710 --> 00:05:58,310
request notice Kelly Linux is seeing the D HP information so it seeing the HP Discover message seeing

63
00:05:58,310 --> 00:06:07,960
the DHB offer from the switch to that host it sees the DHB request and sees the D HP acknowledgement

64
00:06:08,750 --> 00:06:20,280
this is on V land to notice the IP address 10 1 2 2 5 4 giving this IP address to the MacBook so the

65
00:06:20,280 --> 00:06:27,360
MacBook has been given IP address 10 1 2 2 and Kelly Linux which is supposedly in a different VLAN was

66
00:06:27,360 --> 00:06:36,710
able to see that on the MacBook if I'm paying a non-existent IP address at ping ten one two one two

67
00:06:36,710 --> 00:06:48,570
three or press enter on the MacBook and faulted for OP notice we can see OP resolution protocol sender

68
00:06:48,620 --> 00:06:53,820
IP addresses this looking for the Mac address of 10 1 2 1 2 3.

69
00:06:53,850 --> 00:07:01,660
Basically the Kelly Linux host which is supposedly in VIGELAND One can now see the traffic in Vila too.

70
00:07:01,930 --> 00:07:03,790
Now that's a broadcast.

71
00:07:04,170 --> 00:07:15,150
If the host sent multicast traffic to let's say 2 3 9 1 2 3 that Kelly linux host would see that ICMP

72
00:07:15,150 --> 00:07:15,780
traffic

73
00:07:18,820 --> 00:07:20,020
so here we go.

74
00:07:20,020 --> 00:07:27,040
We can see IP address 10 1 2 2 pinging 2 3 9 1 2 3.

75
00:07:27,040 --> 00:07:32,160
This is multicast traffic or stop that ping.

76
00:07:32,230 --> 00:07:33,370
Now this is not doing much.

77
00:07:33,370 --> 00:07:39,610
I'll show you in a subsequent video how I can for instance sniff SPF passwords or SPF which is a writing

78
00:07:39,610 --> 00:07:45,700
protocol sends updates into the network using multicast and Kelly Linux will be able to sniff those

79
00:07:45,700 --> 00:07:51,150
writing updates and capture passwords as an example on the OSP SPF updates.

80
00:07:51,180 --> 00:08:00,620
So what we've seen thus far is a CTP attack I've shown you DTP attack and I've shown you spanning tree.

81
00:08:01,070 --> 00:08:06,060
Let's have a look at VTB VTB is a really bad protocol.

82
00:08:06,110 --> 00:08:07,760
Generally you want to turn it off.

83
00:08:07,760 --> 00:08:11,260
It's actually been removed from the Cisco CCMA exam.

84
00:08:11,330 --> 00:08:14,720
So in the next release of CCMA it will be there.

85
00:08:14,720 --> 00:08:21,890
If I type show VTB status the switch is in this domain called home.

86
00:08:22,000 --> 00:08:27,850
It's currently acting as a server configuration revision number is 1.

87
00:08:27,920 --> 00:08:36,950
It has six valence configured show veal and brief as an example shows me that veal and one and veal

88
00:08:36,950 --> 00:08:39,300
and two exist on the switch.

89
00:08:39,470 --> 00:08:46,610
If I create another veal and let's say veal and three show veal and brief veal and three is being created

90
00:08:47,630 --> 00:08:53,240
show VIP status configuration revision number is now two

91
00:08:55,950 --> 00:09:09,110
so in Kelly Lennox let's send a VTB packet you can see it's learnt about the home VTB domain going to

92
00:09:09,110 --> 00:09:20,430
launch an attack and let's delete a villain now before I do that I'm gonna plug in my Mac Book so this

93
00:09:20,430 --> 00:09:29,130
mac book is not plugged into the network on Pt. 3 So on the switch we can see that gigabit 0 3 came

94
00:09:29,130 --> 00:09:46,240
up so show IP interface brief gigabit 0 1 2 and 3 on now up I'll configure gigabit 0 3 as an access

95
00:09:46,240 --> 00:09:46,720
port

96
00:09:50,920 --> 00:09:55,000
and put it into v land to so show run

97
00:10:04,520 --> 00:10:14,510
these two ports are now in the same VLAN on this MacBook I'm going to enable DHEA P it should get an

98
00:10:14,510 --> 00:10:26,710
IP address in VLAN to and there you go 10 1 2 3 so on that Mac book over there the small one paying

99
00:10:26,740 --> 00:10:31,970
10 1 to 3 ping succeeds.

100
00:10:32,500 --> 00:10:38,470
So again that mac book can ping this mac book.

101
00:10:38,500 --> 00:10:40,150
They are both in Vila and to

102
00:10:44,050 --> 00:10:51,480
but what I'll do now on Kelly Linux is delete a villain and the villain I'm going to delete his villain

103
00:10:51,530 --> 00:11:04,870
to it's on the switch show V.P. status at the moment configuration revision number is still to show

104
00:11:04,870 --> 00:11:12,430
villain brief we still have those V'landys I've seen sometimes that this doesn't work that well.

105
00:11:12,550 --> 00:11:15,800
But notice your villain too has now been removed.

106
00:11:16,030 --> 00:11:22,380
I've noticed sometimes you have to create a villain to speed this up but if I type show the villain

107
00:11:22,380 --> 00:11:28,950
brief a villain too is missing and that Mac Book can no longer ping the smack book.

108
00:11:28,950 --> 00:11:33,460
I've basically removed these two devices from the network.

109
00:11:34,170 --> 00:11:44,240
Again show interface gigabit zero to switch port gigabit zero to the interface that that MacBook is

110
00:11:44,240 --> 00:11:49,800
connected to is configured in VLAN 2 but the V Line is inactive.

111
00:11:49,820 --> 00:11:53,810
So basically I've removed these devices from the network.

112
00:11:54,200 --> 00:12:01,700
If I have a look at gigabit 0 3 That's the port to that this MacBook is connected to.

113
00:12:02,060 --> 00:12:03,710
It's also in Vale and 2.

114
00:12:04,400 --> 00:12:10,910
So this command shows us that gigabit 0 3 is configured in Vale and 2 but it's inactive.

115
00:12:10,910 --> 00:12:14,630
I've removed the device from the network essentially

116
00:12:17,560 --> 00:12:29,070
so if I create a V Line to again show the line brief I've now got realigned to back on the switch the

117
00:12:29,070 --> 00:12:33,480
ping should start succeeding once things converge and there you go.

118
00:12:33,480 --> 00:12:40,440
The pings are now succeeding interface volunteers also come up on the switch so that MacBook cannot

119
00:12:40,440 --> 00:12:42,570
ping this MacBook.

120
00:12:42,570 --> 00:12:52,720
But again I can simply delete that V Line using Kelly Linux show veal and brief shows us that the VLAN

121
00:12:52,730 --> 00:12:54,380
exists to speed things up.

122
00:12:54,380 --> 00:13:02,140
I could simply create another VLAN so let's create VLAN 5 top exit and as soon as I did that the ping

123
00:13:02,140 --> 00:13:05,730
started failing on the MacBook because things converge quicker.

124
00:13:05,920 --> 00:13:11,500
When you actually do something on the switch like create a VPN otherwise you just need to wait a while

125
00:13:11,950 --> 00:13:14,600
for for that V Line to be removed.

126
00:13:14,770 --> 00:13:27,030
So show VLAN brief feel and 5 is there but villain too is gone and if you want to really be nasty you

127
00:13:27,030 --> 00:13:33,460
could simply say delete all of ETP V'landys.

128
00:13:33,770 --> 00:13:42,280
So at the moment we've got VLAN 1 3 and 5 1 will not be deleted because it's a default villain these

129
00:13:42,310 --> 00:13:50,790
other villains will also not be deleted but 3 and 5 should disappear when this converges to speed it

130
00:13:50,790 --> 00:14:01,840
up or create a V Line 10 and top end so show V Line brief notice all the villains have gone VLAN 3 5

131
00:14:01,870 --> 00:14:03,910
to 10 are all gone.

132
00:14:04,060 --> 00:14:12,040
That can basically break an entire network if you're using VTB so don't use the BGP or set your devices

133
00:14:12,040 --> 00:14:20,260
too transparent so either disable ATP or use transparent don't use server or client mode P2P is a bad

134
00:14:20,260 --> 00:14:21,060
idea.

135
00:14:21,060 --> 00:14:25,020
Are there some basic examples of how you can hack networks using Kelly Linux.

136
00:14:25,210 --> 00:14:32,410
Make sure that you understand how your protocols work in your network and how you can secure your network.

137
00:14:32,410 --> 00:14:36,840
In other videos I'll show you how you can protect your network from these kind of hacks.

138
00:14:37,390 --> 00:14:40,840
But in this video I wanted to show you what's possible using Kelly Linux.