1 00:00:00,270 --> 00:00:06,750 If you don't configure your network properly it's very easy for someone using Kelly LA Nix or another 2 00:00:06,750 --> 00:00:13,800 type of hacking tool to exhaust the IP addresses in a DHB pool set up a rogue DHB server and then allocate 3 00:00:13,830 --> 00:00:17,720 IP addresses to clients in a incorrect subnet. 4 00:00:17,760 --> 00:00:23,370 And what I'm going to show you in this video is how to do that but also show you how to setup the Kelly 5 00:00:23,370 --> 00:00:31,020 linux host as the default gateway so that traffic from pieces is sent via Kelly Linux to the Internet 6 00:00:31,050 --> 00:00:36,270 or to other devices in the network so that we can implement a man in the middle attack 7 00:00:50,290 --> 00:00:57,160 DCP or Dynamic Host Configuration Protocol is a fundamental building block in networks today and administrator 8 00:00:57,280 --> 00:01:03,520 which could be you will configure a pool or scope which is a range of IP addresses that are allocated 9 00:01:03,550 --> 00:01:06,030 to hosts in a specific subnet. 10 00:01:06,160 --> 00:01:12,700 Hosts will send a broadcast typically to request an IP address from a DTP server and the DHB server 11 00:01:12,700 --> 00:01:15,060 will allocate the IP address to the client. 12 00:01:15,070 --> 00:01:17,580 Have a look at this video which I've linked to and below. 13 00:01:17,620 --> 00:01:21,640 If you want to learn more about the fundamentals of DHEA P in that video. 14 00:01:21,640 --> 00:01:26,650 Show you how DHEA is configured how IP addresses are allocated to clients. 15 00:01:26,740 --> 00:01:32,560 I show you through why shock captures how messages are sent from a client to a server and from a server 16 00:01:32,560 --> 00:01:33,730 to a client. 17 00:01:33,740 --> 00:01:37,710 Now a quick summary of what we're going to do in this video we're going to hack DTP. 18 00:01:37,840 --> 00:01:44,110 We're going to exhaust ADHD people or DHB scope so that's the first attack we're going to setup a rogue 19 00:01:44,170 --> 00:01:47,940 DHB server to allocate IP addresses from a fake subnet. 20 00:01:47,950 --> 00:01:49,870 Second attack third attack. 21 00:01:49,870 --> 00:01:55,150 We're going to set the default gateway of clients to Kelly Linux so when they get an IP address from 22 00:01:55,150 --> 00:02:00,850 the rogue subnet they're going to see their default gateway as the Kelly linux host and that allows 23 00:02:00,850 --> 00:02:03,030 us to implement a man in the middle attack. 24 00:02:03,060 --> 00:02:08,320 So for tax right there then we'll use Y shock to sniff passwords on the network. 25 00:02:08,320 --> 00:02:13,660 You need to be careful when you configure your network using protocol such as DCP. 26 00:02:13,750 --> 00:02:17,680 Make sure that you configure your network securely and properly. 27 00:02:17,680 --> 00:02:21,710 Otherwise it's very easy to hack networks that run DHEA P. 28 00:02:21,790 --> 00:02:26,590 Now this is one of multiple videos where I'm showing you how to hack networks using Kelly Linux. 29 00:02:26,650 --> 00:02:30,940 I don't just want to show you how to break networks I want to show you how to protect networks and I'll 30 00:02:30,940 --> 00:02:34,480 show you how to do that in subsequent videos in the series. 31 00:02:34,480 --> 00:02:40,570 In previous videos in the series I showed you how to hack a physical Cisco switch but I'm travelling 32 00:02:40,570 --> 00:02:44,290 at the moment so I don't want to carry a whole bunch of equipment around with me. 33 00:02:44,290 --> 00:02:49,370 So what I've done is taken that switch all logically taken that switch and put it into the cloud. 34 00:02:49,390 --> 00:02:55,020 In this example I'm using even G and I've got a Cisco switch as well as a Cisco router. 35 00:02:55,060 --> 00:02:58,320 I've got a Windows 10 computer and I've got Kelly Linux. 36 00:02:58,330 --> 00:03:01,300 These devices are connected to the Internet. 37 00:03:01,330 --> 00:03:07,710 This network is running in the cloud but you could simulate this network on your laptop using Janus 38 00:03:07,720 --> 00:03:10,750 3 or even G or Cisco viral. 39 00:03:10,870 --> 00:03:14,480 In this example the switch is running a Cisco viral IOW image. 40 00:03:14,530 --> 00:03:17,760 The road is running a Cisco viral image as well. 41 00:03:17,800 --> 00:03:21,580 Have a look at my even videos or my genius 3 videos. 42 00:03:21,580 --> 00:03:27,370 If you want to learn more about how to virtualize networks on your laptop or how to virtualize them 43 00:03:27,370 --> 00:03:28,990 in the cloud. 44 00:03:28,990 --> 00:03:30,450 So let's start with the switch. 45 00:03:30,460 --> 00:03:33,280 Here's my console to the switch. 46 00:03:33,280 --> 00:03:38,500 Now in this example I'm currently in South Africa so my connection may be a bit slow to the northern 47 00:03:38,500 --> 00:03:39,030 hemisphere. 48 00:03:39,460 --> 00:03:46,120 Hopefully it won't affect this lab but notice I've connected to a switch show version shows me that 49 00:03:46,180 --> 00:03:55,300 this is a Cisco V I was late to switch running version 15 to now don't worry too much about the details 50 00:03:55,330 --> 00:03:56,410 of the switch. 51 00:03:56,410 --> 00:04:01,270 This is a Cisco switch but any switch could be used in this topology. 52 00:04:01,270 --> 00:04:07,780 I'm also using a Cisco broader but again you could use any routing here if you wanted to. 53 00:04:07,780 --> 00:04:18,610 So the Cisco router top show version is a Cisco IOW v router running version 15 dot 6 1 T. 54 00:04:18,610 --> 00:04:27,350 The reason I'm using a rowdy here is I want to set up this rather as a DHB server so if I type should 55 00:04:27,350 --> 00:04:34,200 run that shows me the running configuration of this device and what I want to point out here is I've 56 00:04:34,200 --> 00:04:42,030 configured a DHB pool a DHB pool in Cisco terminologies very similar to a scope so it's a range of IP 57 00:04:42,030 --> 00:04:45,630 addresses that we're going to allocate to clients in our network. 58 00:04:45,630 --> 00:04:53,260 The subnet that's gonna be allocated is 10 1 1 0 slash 24 so slash 24 mosque is being used. 59 00:04:53,310 --> 00:04:55,130 This is the default gateway. 60 00:04:55,260 --> 00:04:57,900 That is the IP address of the router. 61 00:04:58,000 --> 00:05:01,510 I've said to the DNS server to Google scrolling down. 62 00:05:01,560 --> 00:05:07,020 Notice this is the IP address of the Cisco router at the moment. 63 00:05:07,050 --> 00:05:09,750 This device has its interface shut down. 64 00:05:10,230 --> 00:05:16,220 So what I'll do is no shut that that basically enables that. 65 00:05:16,260 --> 00:05:19,790 I'll also enable the connection to the internet. 66 00:05:19,890 --> 00:05:27,400 Going back to my topology at this interface on the router connects me to my internal network. 67 00:05:27,510 --> 00:05:34,020 This interface connects me to the Internet so I'll type India show IP interface brief 68 00:05:37,230 --> 00:05:42,270 this is the IP address on the internal interface interfaces up up. 69 00:05:42,270 --> 00:05:44,310 That means that it's working. 70 00:05:44,310 --> 00:05:47,420 This interface is connected to the Internet. 71 00:05:47,610 --> 00:05:54,420 It's using DHEA p So this writer should be able to as an example paying Google dot com which it can 72 00:05:54,870 --> 00:05:58,380 and I'll save the configuration of the router. 73 00:05:58,440 --> 00:06:02,600 Now again you don't have to use a Cisco switch or a Cisco wrote it. 74 00:06:02,610 --> 00:06:08,760 The reason I want to use a Cisco switch here is Cisco switches support something called DHB snooping 75 00:06:09,060 --> 00:06:12,800 which allows me to stop these kind of attacks in a network. 76 00:06:13,950 --> 00:06:18,330 I haven't configured anything on the switch at the moment but in subsequent videos I'll show you how 77 00:06:18,330 --> 00:06:19,570 to stop this attack. 78 00:06:19,650 --> 00:06:26,080 But I firstly want to show you what's possible using Kelly Linux so I'll open up a console to Kelly. 79 00:06:26,250 --> 00:06:31,850 I'm not gonna get into the debate about the correct way to pronounce Kelly different people pronounce 80 00:06:31,850 --> 00:06:36,730 it differently but for the moment that's the way I'm gonna pronounce it okay. 81 00:06:36,760 --> 00:06:39,560 He has my Kelly linux host. 82 00:06:39,670 --> 00:06:41,260 Let's check if it got an IP address. 83 00:06:41,260 --> 00:06:45,980 It may not have got an IP address because the road is interface was shut down. 84 00:06:46,000 --> 00:06:52,810 I'll use more here rather than simply showing all the output and what you'll notice is this device has 85 00:06:52,870 --> 00:07:04,610 this IP address 10 1 1 3 show IP DHB bindings on the Cisco router we can see that this IP address has 86 00:07:04,610 --> 00:07:07,780 been allocated to this MAC address. 87 00:07:07,780 --> 00:07:13,700 This command show IP DHB binding basically shows us which IP addresses have been allocated to which 88 00:07:13,700 --> 00:07:15,040 MAC addresses. 89 00:07:15,170 --> 00:07:24,680 So this is the MAC address that Kelly is supposedly using five thousand 1 0 0 0 2 4 zeros and back in 90 00:07:24,680 --> 00:07:30,320 Kelly we can see that is the MAC address of this Ethernet interface. 91 00:07:30,770 --> 00:07:36,980 Okay so what I'm going to do now is start your senior using a graphical user interface in a previous 92 00:07:36,980 --> 00:07:38,050 video which I've linked here. 93 00:07:38,060 --> 00:07:40,960 I showed you how to install this on Kelly Linux. 94 00:07:40,960 --> 00:07:45,570 I also showed you how to implement or use Layer 2 attacks using your senior. 95 00:07:45,950 --> 00:07:50,160 But in this example I'm going to show you how to use this for P. attacks. 96 00:07:50,220 --> 00:07:52,160 We're told that this is an alpha version. 97 00:07:52,190 --> 00:07:57,030 That's a case I'm going to click okay and I'm gonna go to DHEA P. 98 00:07:57,800 --> 00:08:05,180 We can see some options here but what I want to do is launch a DHB attack so click the launch attack 99 00:08:06,450 --> 00:08:12,620 and we going to send discover packets using denial of service. 100 00:08:12,630 --> 00:08:24,270 Now before I do that on the road show IP DTP binding we only have one IP address allocated to a client. 101 00:08:24,290 --> 00:08:29,720 Now the reason why the windows host hasn't got an IP address yet is it's currently off. 102 00:08:29,720 --> 00:08:33,630 I haven't started the windows host at this point. 103 00:08:34,010 --> 00:08:42,370 So again show IP DHB binding on the Cisco rider only one IP address has been allocated. 104 00:08:42,510 --> 00:08:50,360 So Kelly I'm going to click Okay to start a Discover denial of service attack and what you'll see is 105 00:08:50,360 --> 00:08:55,580 a whole bunch of DHB messages are being sent into the network. 106 00:08:55,580 --> 00:09:03,860 You can see this packet count is going up on the Cisco router show IP DSP binding 107 00:09:06,480 --> 00:09:11,680 what you'll notice is a whole bunch of IP addresses have now been allocated. 108 00:09:11,820 --> 00:09:16,620 So 10 1 1 1 10 1 1 2 3 4. 109 00:09:17,220 --> 00:09:18,940 And it just carries on. 110 00:09:19,230 --> 00:09:26,390 Basically Kelly Linux has exhausted the DHB pool on the Cisco roster. 111 00:09:27,570 --> 00:09:33,560 And as I keep scrolling what you'll notice is all addresses have been taken from this pool. 112 00:09:33,600 --> 00:09:44,020 There are no IP addresses left in this pool show IP DHEA HP question mark pool let's press Enter here 113 00:09:44,790 --> 00:09:48,610 253 addresses have been allocated from the pool. 114 00:09:48,640 --> 00:09:57,250 The reason why 253 is the roader is using IP address 10 1 1 2 5 4. 115 00:09:57,250 --> 00:10:01,750 So this IP address shouldn't be allocated to clients because that's the IP address that the right is 116 00:10:01,750 --> 00:10:03,970 using. 117 00:10:03,970 --> 00:10:11,620 So again show IP DHB pool shows us that at this point we've successfully exhausted the DHB pool on the 118 00:10:11,620 --> 00:10:19,360 DHB server no IP addresses are gonna be available for Windows 10 client when we started up I'll stop 119 00:10:19,360 --> 00:10:24,970 that up and I'll open up a console to the Windows device. 120 00:10:25,090 --> 00:10:30,490 It'll take a while for this device to boot up but once it's booted up fully we'll see that it won't 121 00:10:30,490 --> 00:10:36,080 get an IP address because we've exhausted the IP addresses in the DHB pool. 122 00:10:36,340 --> 00:10:43,630 Now warning I will give you is a lot of packets are being sent into the network that can cause all kinds 123 00:10:43,630 --> 00:10:44,100 of issues. 124 00:10:44,110 --> 00:10:47,510 So don't run this in a production network. 125 00:10:47,590 --> 00:10:50,830 Be careful where you're going to run these attacks. 126 00:10:50,830 --> 00:10:57,220 Notice the number of the HP Discover messages being sent into the network okay from a Windows P.C. is 127 00:10:57,230 --> 00:10:58,340 booted up. 128 00:10:58,340 --> 00:11:04,400 I'm going to open up a command prompt and what I'll do is make this bigger so the font isn't so small 129 00:11:06,120 --> 00:11:11,900 it's running really slowly here and that's probably because of the number of broadcasts being sent into 130 00:11:11,910 --> 00:11:13,560 the network. 131 00:11:13,560 --> 00:11:20,310 If I type IP config notice no IP address has been allocated to the windows. 132 00:11:20,310 --> 00:11:29,100 P.S. It's using the default 169 254 IP address range IP config slash renew 133 00:11:32,230 --> 00:11:39,910 this device is not going to get an IP address because we've exhausted the DHB pool on the DHB server 134 00:11:41,200 --> 00:11:44,560 but what we can do now is launch our second attack. 135 00:11:44,560 --> 00:11:52,360 So going to click launch attack and let's set up a d HP rogue server 136 00:11:55,120 --> 00:12:01,480 IP address is gonna be 10 1 1 3 that's the IP address of our Kelly linux server. 137 00:12:01,480 --> 00:12:10,180 I'm gonna allocate IP addresses in the range 10 1 1 1 100 to 10 1 1 1 50. 138 00:12:10,260 --> 00:12:13,950 I'll set the least time to 3600 seconds. 139 00:12:13,960 --> 00:12:21,460 Same for renew subnet mask will be this the default router is now gonna be Kelly. 140 00:12:21,460 --> 00:12:32,250 It's not going to be the actual router in the network DNS server will set as Google and the domain name. 141 00:12:32,350 --> 00:12:39,100 You probably don't want to use something like hacked dot com let's just specify home dot com and click 142 00:12:39,100 --> 00:12:40,320 Okay. 143 00:12:40,550 --> 00:12:44,500 Okay back on the windows host type IP config. 144 00:12:44,500 --> 00:12:48,620 Notice we've been given this IP address 10 1 1 100. 145 00:12:48,670 --> 00:12:54,180 And notice this default gateway is 10 1 1 3. 146 00:12:54,250 --> 00:12:55,660 That's really important. 147 00:12:55,660 --> 00:12:59,850 The actual default gateway is 10 1 1 2 5 4. 148 00:13:00,100 --> 00:13:12,640 Kelly Linux is using IP address 10 1 1 3 so I have config more shows us that this is the IP address 149 00:13:12,670 --> 00:13:14,710 of the Kelly linux host. 150 00:13:15,040 --> 00:13:19,810 So the Windows computer is using Kelly as its default gateway. 151 00:13:19,840 --> 00:13:25,300 That's important because when the windows host sends traffic to the Internet that traffic is gonna go 152 00:13:25,300 --> 00:13:29,820 via Kelly to this writer onto the Internet. 153 00:13:31,800 --> 00:13:37,260 So as an example the broader has this loop back interface configured on it of one dot wandered wandered 154 00:13:37,300 --> 00:13:43,500 one that's essentially a loop back or imaginary interface on the broader that allows us to add a subnet 155 00:13:43,560 --> 00:13:51,300 to the right of the P.S. at the moment won't be able to ping that loop back address because the traffic 156 00:13:51,300 --> 00:13:57,630 is going through the network to Kelly but Kelly is not forwarding that traffic to the router we need 157 00:13:57,630 --> 00:14:02,640 to type a command on the Kelly linux host to forward the traffic. 158 00:14:02,640 --> 00:14:05,720 So again notice the pings are failing. 159 00:14:06,120 --> 00:14:09,600 So in Kelly we're going to type sis CTO 160 00:14:12,150 --> 00:14:22,530 dash w net dot IP V for IP underscore school forward equals one. 161 00:14:22,530 --> 00:14:27,940 Basically we're going to allow the Linux host to forward traffic that's sent to it. 162 00:14:27,990 --> 00:14:36,390 So on the windows P.C. ping wandered wandered wandered one now works that traffic is going off via the 163 00:14:36,390 --> 00:14:49,310 Kelly linux server and we can see that by going to applications snuffing and spoofing why shock so why 164 00:14:49,310 --> 00:14:53,600 shock will allow us to see the traffic being sent on the network. 165 00:14:53,600 --> 00:15:03,030 I'm going to capture traffic on Ethernet zero and I'll filter this for ICMP traffic so back on the windows. 166 00:15:03,030 --> 00:15:13,620 P.S. If I ping wandered wandered wondered one we can see that traffic from the PRC to the router we 167 00:15:13,620 --> 00:15:20,350 see a bunch of ICMP redirects but essentially the traffic is being sent through Kelly to the. 168 00:15:20,580 --> 00:15:27,430 We only see half the conversation but we can see the pings and this is the important piece. 169 00:15:27,480 --> 00:15:35,570 Let's assume the administrator of the router did something very stupid and allowed telnet connections. 170 00:15:35,730 --> 00:15:36,740 So on the windows. 171 00:15:36,740 --> 00:15:41,630 P.S. I'm going to tell it to the broader to administer the router. 172 00:15:41,640 --> 00:15:48,420 We should actually be using SSL each so before I click Okay. 173 00:15:49,540 --> 00:16:01,240 Let's filter for telnet in y shock and I'll click open in Patty now that font is very small but all 174 00:16:01,240 --> 00:16:03,150 into the password and log in 175 00:16:12,480 --> 00:16:13,380 so I've changed the font. 176 00:16:13,380 --> 00:16:19,980 Now basically the write up prompted for a password which I entered and I'm now in what's called user 177 00:16:19,980 --> 00:16:24,900 mode typing able into my password and I'm in privilege mode. 178 00:16:24,900 --> 00:16:31,480 But notice and Kelly now I can see telnet information including the password. 179 00:16:31,980 --> 00:16:38,640 Here's the password C I S C O Cisco. 180 00:16:38,640 --> 00:16:40,370 Now that's not such an easy way to view it. 181 00:16:40,390 --> 00:16:45,080 So I'm gonna right click on a packet and click follow TCB stream. 182 00:16:46,770 --> 00:16:51,930 And what you'll notice there there's the first password I type to enable. 183 00:16:52,020 --> 00:16:54,510 There's the second password which is Cisco. 184 00:16:54,690 --> 00:17:00,810 So I was able to see the password that was transmitted from the windows host to the router because the 185 00:17:00,810 --> 00:17:04,630 traffic is being sent through the Kelly linux host to the right. 186 00:17:05,640 --> 00:17:17,400 So that is an example of a man in the middle attack now on the P.C. I'll open up a web browser and what 187 00:17:17,400 --> 00:17:23,210 I'll do and Kelly is specify HDP. 188 00:17:23,680 --> 00:17:26,010 So let's look at HP traffic. 189 00:17:26,290 --> 00:17:28,480 You should be using HP yes. 190 00:17:28,810 --> 00:17:37,290 Most websites use HDP s but again if I connect to the router and put in my username and my password 191 00:17:38,520 --> 00:17:47,250 using HDP and sign in I can log into the broader and I'll be able to view information on the writer 192 00:17:47,950 --> 00:17:56,020 such as monitor the broader by using commands on the broader so I could type show IP interface brief 193 00:17:56,140 --> 00:18:02,310 as an example and execute that command on the rider using a GDP. 194 00:18:02,350 --> 00:18:10,510 But back in Cali you'll notice I'll be able to see all the HDP traffic from the P.C. to the router 195 00:18:15,310 --> 00:18:21,340 and one of the things I want to point out here is notice authorization there of the credentials username 196 00:18:21,340 --> 00:18:25,870 and password used to log into the Cisco broader. 197 00:18:26,200 --> 00:18:31,000 Again that's a man in the middle attack the PRC is sending the traffic to its default gateway which 198 00:18:31,000 --> 00:18:34,810 is the Kelly linux host which is sending it to the border. 199 00:18:35,320 --> 00:18:36,810 But we could connect to the Internet. 200 00:18:36,840 --> 00:18:37,880 So on the windows. 201 00:18:37,880 --> 00:18:40,600 P.S. I'll open up another tab. 202 00:18:40,600 --> 00:18:44,380 Most websites are now using encryption. 203 00:18:44,680 --> 00:18:45,890 One of them that's not. 204 00:18:45,910 --> 00:18:46,870 Which is really bad. 205 00:18:46,870 --> 00:18:50,580 Is OXFORD UNIVERSITY Oh X AC UK. 206 00:18:50,830 --> 00:18:55,120 That website is using GDP not GDP. 207 00:18:55,150 --> 00:18:57,550 Notice it says not secure in the output. 208 00:18:58,210 --> 00:18:58,960 Very bad 209 00:19:02,840 --> 00:19:04,910 your connection to the site is not secure. 210 00:19:04,910 --> 00:19:09,590 We've been told so back in Kelly we can see traffic sent from the windows. 211 00:19:09,590 --> 00:19:19,270 P.S. 10 1 1 100 to 120 967 to 40 to 154 which is the Oxford University website. 212 00:19:19,580 --> 00:19:30,940 Now at least here on their website when you try and log in so go to Oxford students as an example. 213 00:19:30,990 --> 00:19:36,120 They are now using encryption so only part of their website is in clear text. 214 00:19:36,120 --> 00:19:44,460 We should be using HDP yesterday but the point is I can see part of their website through Kelly Linux 215 00:19:44,880 --> 00:19:48,400 by using this man in the middle attack. 216 00:19:48,420 --> 00:19:56,240 You should always make sure that your traffic is encrypted and that you using a valid cert. 217 00:19:56,460 --> 00:20:02,430 So it's really important that you verify that the certificate is a good certificate that it's been issued 218 00:20:02,460 --> 00:20:10,230 correctly that it's not a rogue cert so make sure that your traffic is encrypted especially if you're 219 00:20:10,230 --> 00:20:13,330 using wireless hotspots or open networks. 220 00:20:13,470 --> 00:20:19,410 Make sure that the certificate is valid because the traffic could be going through a device such as 221 00:20:19,410 --> 00:20:22,700 Kelly Linux don't just connect to any network. 222 00:20:22,770 --> 00:20:25,460 Make sure that networks that you connect to are good. 223 00:20:25,530 --> 00:20:31,380 Make sure that you use a VPN or some kind of encryption mechanism so that your traffic is not sent in 224 00:20:31,380 --> 00:20:32,100 clear text.