1
00:00:00,210 --> 00:00:05,940
In a previous video which I've linked here and below I showed you how to set up Kelly or Carly if you

2
00:00:05,940 --> 00:00:12,960
prefer Linux as a DHB server and then implement a man in the middle attack in a topology such as this

3
00:00:13,170 --> 00:00:20,310
Kelly Linux is setup as a DHB server to allocate IP addresses to pieces such as Windows 10 host and

4
00:00:20,310 --> 00:00:27,600
then set the default gateway to itself so that traffic is sent through the Kelly linux server onto the

5
00:00:27,600 --> 00:00:30,450
Internet and onto other destinations.

6
00:00:30,450 --> 00:00:35,190
That allows us then to implement a man in the middle attack because all traffic is going through Kelly

7
00:00:35,530 --> 00:00:38,070
to other devices in the topology.

8
00:00:38,070 --> 00:00:45,060
Now to stop that from happening we going to set up the switch to use DHB snooping so it's going to snoop

9
00:00:45,120 --> 00:00:53,310
or listen in on the HP messages and only allow certain DHB messages from trusted servers.

10
00:00:53,310 --> 00:01:00,240
So the switch will allow clients to request IP addresses but will not allow Kelly or other servers on

11
00:01:00,330 --> 00:01:04,140
untrusted ports to offer IP addresses to clients.

12
00:01:04,160 --> 00:01:11,100
We'll setup this interface on the switch as a trusted port so that the writer is able to allocate IP

13
00:01:11,100 --> 00:01:16,010
addresses to the P.C. but Kelly is not able to do that.

14
00:01:16,080 --> 00:01:21,930
Okay so I'm not going to show you practically how to use DHB snooping to stop these kind of attacks

15
00:01:22,350 --> 00:01:25,020
but I've also added some additional information below this video.

16
00:01:25,020 --> 00:01:30,120
There's a PowerPoint presentation that you can download as an example that gives you the commands to

17
00:01:30,120 --> 00:01:34,810
set this up on a switch.

18
00:01:45,520 --> 00:01:54,040
Okay so on the windows computer I'm going to open up command prompt so open up a C D prompt IP config

19
00:01:54,040 --> 00:01:56,940
shows me that this is the IP address of the PC at the moment.

20
00:01:56,950 --> 00:02:07,400
Default gateway is 10 1 1 2 5 4 which is the router in the topology on the router show IP interface

21
00:02:07,410 --> 00:02:10,530
brief notice IP address of the router.

22
00:02:10,560 --> 00:02:19,500
Is this the right it is configured as a DHB server show IP DHB binding shows me that two IP addresses

23
00:02:19,500 --> 00:02:26,570
have been allocated one to the windows computer and one to Kelly on Kelly as an example.

24
00:02:26,580 --> 00:02:31,500
If I open up a terminal and type I have config.

25
00:02:31,500 --> 00:02:35,920
This is the IP address that's been allocated to the Kelly linux server.

26
00:02:36,000 --> 00:02:43,110
Once again this is the IP address allocated to the P.C. by top IP config slash release to release the

27
00:02:43,110 --> 00:02:46,330
IP address.

28
00:02:46,570 --> 00:02:50,020
I'll make that a bit bigger and then type IP config.

29
00:02:50,020 --> 00:02:53,530
You'll notice that it's not been allocated an IP address.

30
00:02:53,740 --> 00:03:00,150
It's using a link local IP version for address and link local IP version 6 address.

31
00:03:00,340 --> 00:03:09,310
But if I type IP config slash renew it should get an IP address from the DHB server and there you go.

32
00:03:09,320 --> 00:03:19,800
IP address has been allocated by the router to the windows computer but now let's setup Kelly as a rogue

33
00:03:19,830 --> 00:03:27,890
DHB server so to do that I'm going to run Yesenia and use a graphical user interface.

34
00:03:28,700 --> 00:03:33,830
I showed you previously how to use this application and a lot of detail.

35
00:03:34,010 --> 00:03:38,440
So once again referred to the previous videos if you want to learn more about this application.

36
00:03:38,780 --> 00:03:40,010
But it's quite simple.

37
00:03:40,010 --> 00:03:48,590
All I'm going to do is launch an attack and I'm going to setup a rogue DHB server so I'm going to select

38
00:03:48,650 --> 00:03:51,070
that option and click Okay.

39
00:03:51,210 --> 00:03:59,930
If the IP address of the rogue HP server is going to be the local Kelly linux host which has an IP address

40
00:04:00,020 --> 00:04:12,270
of 10 1 1 2 slash 24 now I'll use a different range of IP addresses for hosts that we allocate addresses

41
00:04:12,270 --> 00:04:13,530
to using Kelly.

42
00:04:13,530 --> 00:04:21,090
So let's say 100 to 110 release time and renew time all set to 3600 seconds.

43
00:04:22,380 --> 00:04:25,680
Subnet Mask will be a slash 24 mask.

44
00:04:25,680 --> 00:04:28,920
And this is how I can implement a man in the middle attack.

45
00:04:28,920 --> 00:04:33,360
I'm going to set myself as the default gateway.

46
00:04:33,360 --> 00:04:38,550
That means that the host will send traffic to the Kelly linux host which will then forward traffic to

47
00:04:38,550 --> 00:04:45,610
the rider so we can implement a man in the middle attack without the user knowing what's going on DNS

48
00:04:45,610 --> 00:04:46,000
server.

49
00:04:46,000 --> 00:04:52,760
I'll set to Google and the domain I'll simply set to whom dot com and click Okay.

50
00:04:53,650 --> 00:05:01,660
So if we look at actions list attacks you can see that I'm running a DHEA P rogue server attack.

51
00:05:01,760 --> 00:05:07,970
You can see that the D.A. GP rogue server is currently running so on the client I'm going to release

52
00:05:07,970 --> 00:05:10,770
my IP address again and then renew it.

53
00:05:10,820 --> 00:05:16,160
Now it may get an IP address from the broader rather than from the Kelly linux server.

54
00:05:16,160 --> 00:05:25,630
It just depends which device replies first so you can see it got its IP address from the router so on

55
00:05:25,630 --> 00:05:35,470
the router I'm going to type no service DHEA P I'm going to disable the DHB service on the router so

56
00:05:35,470 --> 00:05:39,130
show IP DHEA HP binding.

57
00:05:39,360 --> 00:05:47,910
You can see that the bindings have been removed from the router so on the P.C. I'll release my IP address

58
00:05:48,900 --> 00:05:56,620
and then I'll renew it and let's see if it gets an IP address from the Kelly linux server on Kelly you

59
00:05:56,620 --> 00:06:03,410
can see there's a D HP Discover DHB discovers are being received.

60
00:06:03,410 --> 00:06:09,410
Now sometimes this application bombs out or breaks so you have to rerun the DHB server.

61
00:06:09,410 --> 00:06:13,840
That's a lesson in hacking you can't expect everything to work the first time.

62
00:06:13,960 --> 00:06:18,050
You gotta be persistent and be tenacious and keep on trying.

63
00:06:18,560 --> 00:06:25,470
So now it received a D HP request from the client and it acknowledged it.

64
00:06:25,700 --> 00:06:29,680
In other words when I ran IP conflicts renew again it got an IP address.

65
00:06:30,780 --> 00:06:37,650
Okay so the P.C. has been given an IP address but not previously I had an error here saying unable to

66
00:06:37,650 --> 00:06:43,860
contact your DHB server request timed out the Yasuni application.

67
00:06:43,860 --> 00:06:49,100
Sometimes bombs art especially the graphical user interface it is an alpha release.

68
00:06:49,110 --> 00:06:53,340
That's probably why you want to do stuff through the CSI if you can but to keep things simple I've done

69
00:06:53,340 --> 00:07:01,090
it through the gooey but the net result is that the piece he has been given an IP address from the Kelly

70
00:07:01,090 --> 00:07:02,730
linux server.

71
00:07:02,860 --> 00:07:04,700
That's what we don't want.

72
00:07:04,720 --> 00:07:07,910
Notice the default gateway is Kelly.

73
00:07:08,020 --> 00:07:13,090
That means a man in the middle attack could be used here OK.

74
00:07:13,110 --> 00:07:15,950
So to stop this nonsense.

75
00:07:16,280 --> 00:07:18,580
Now on the switch that the devices connect to.

76
00:07:18,660 --> 00:07:20,880
I'm going to enable DHB snooping.

77
00:07:20,880 --> 00:07:25,140
This is a layer to switch or is configured as a layer to switch.

78
00:07:25,140 --> 00:07:27,330
It does support other options.

79
00:07:27,330 --> 00:07:34,210
Show IPD HP snooping at the moment DHB snooping is disabled.

80
00:07:34,220 --> 00:07:36,060
There's the command.

81
00:07:36,060 --> 00:07:38,330
Notice DHB snooping is disabled.

82
00:07:38,340 --> 00:07:46,390
It's not configured on any v lands and it's not operational on any V'landys no interfaces have been

83
00:07:46,390 --> 00:07:55,920
configured to be trusted so in global configuration mode I'm simply going to type IP DHEA P snooping

84
00:07:56,610 --> 00:08:00,160
that enables DHB snooping on the switch globally.

85
00:08:00,190 --> 00:08:02,790
But please note that's not how you make it work.

86
00:08:02,790 --> 00:08:08,560
This is the first step type the command show IP DHB snooping again.

87
00:08:08,720 --> 00:08:15,470
You can see that it's now been globally enabled but it's not enabled on any villains.

88
00:08:15,470 --> 00:08:23,060
So don't forget to enable it on the villain and to do that you type IP DHB snooping the villain one

89
00:08:23,550 --> 00:08:29,740
so two commands are required show run pipe include DHEA P.

90
00:08:30,080 --> 00:08:37,820
We have now used this command globally as well as this command globally on the switch show IP DHB snooping

91
00:08:37,910 --> 00:08:49,320
shows us that DCP snooping is now enabled on VLAN 1 I'll type IP config slash renew on the P.C. now

92
00:08:49,920 --> 00:08:56,990
at this point it's not going to get any IP addresses because we've got DHB snooping enabled the Kelly

93
00:08:57,000 --> 00:09:01,570
linux host won't be able to allocate IP addresses to the P.C. but nor will the router.

94
00:09:02,070 --> 00:09:09,110
So to prove that on the broader all enable the DHB service again.

95
00:09:09,890 --> 00:09:20,240
So show run shows us that we've got this DHB people configured this is the network.

96
00:09:20,270 --> 00:09:21,590
This is the default gateway.

97
00:09:21,590 --> 00:09:30,110
This is the DNS server but the piece is not getting any IP addresses so IP conflict slash renew notice

98
00:09:30,110 --> 00:09:39,500
no IP address is being allocated show IP DHEA P binding no IP addresses are allocated by the router

99
00:09:39,530 --> 00:09:46,430
and no IP addresses are being allocated by the Kelly Lennox host not to see what's actually going on

100
00:09:46,430 --> 00:09:49,280
we can run a debug on the switch.

101
00:09:49,280 --> 00:09:55,120
So let's run debug IPD HP snooping packets so we can see a lot of detail.

102
00:09:55,180 --> 00:09:59,630
Be careful with packets you'll see a lot of detail in the output here.

103
00:09:59,900 --> 00:10:11,170
So you may prefer to use events but let's run this again IP config slash Renee notice we seeing a lot

104
00:10:11,170 --> 00:10:12,120
of output.

105
00:10:13,080 --> 00:10:16,600
But what I'll do now is turn off debugging for the moment.

106
00:10:17,010 --> 00:10:17,940
We can see

107
00:10:20,830 --> 00:10:26,610
received a new DHEA packet from input interface gigabit 0.

108
00:10:26,950 --> 00:10:30,600
That is the P.C..

109
00:10:30,850 --> 00:10:32,860
It's a Discover message.

110
00:10:32,860 --> 00:10:36,910
Notice the source mac address is this ending in 7.

111
00:10:36,990 --> 00:10:43,560
See double zero on the P.C. IP config slash all.

112
00:10:43,740 --> 00:10:46,460
That is the MAC address of the Windows computer.

113
00:10:46,860 --> 00:10:52,530
So the Windows computers requesting an IP address at least two we can see the source MAC address of

114
00:10:52,530 --> 00:11:01,890
the P.C. destination is a broadcast notice all Fs so hexadecimal FS broadcast at layer 3 destination

115
00:11:01,950 --> 00:11:08,670
is a broadcast IP version 4 source IP address is unknown it doesn't currently have an IP address it's

116
00:11:08,670 --> 00:11:10,360
requesting an IP address.

117
00:11:10,770 --> 00:11:20,730
So we've got invalid entry for flooding on ingress of V land one breach output port is null packet is

118
00:11:20,730 --> 00:11:27,690
dropped so the switch is essentially just dropping that packet it's not forwarding it anyway to forward

119
00:11:27,720 --> 00:11:34,190
that request to the writer on this interface we need to trust this port so we need to make gigabit 00

120
00:11:34,200 --> 00:11:43,230
a trusted port so that that DHB requests can be forwarded to the router so on the switch interface gigabit

121
00:11:43,310 --> 00:11:53,280
00 that's this interface connecting to the router IP DHEA AP snooping we're going to trust the port

122
00:11:54,920 --> 00:12:07,560
debug IP DHEA AP snooping packet back on the P.C. IP config slash renew let's try and get an IP address

123
00:12:09,760 --> 00:12:17,170
can see a lot happening here but notice right at the bottom of this debug breach packet sent to Port

124
00:12:17,200 --> 00:12:18,850
gigabit 00.

125
00:12:19,360 --> 00:12:28,390
So the DHS P request received by the switch from the C is being forwarded to the router we've got the

126
00:12:28,390 --> 00:12:38,320
HP Discover from the P.S. On gigabit 02 asking for an IP address but notice this problem we see here

127
00:12:38,380 --> 00:12:43,330
option 82 option 82 can cause problems.

128
00:12:43,600 --> 00:12:49,540
Option 82 is used when you need to forward the HP requests from a writer to a D HP server as an example

129
00:12:49,780 --> 00:12:52,220
and include information such as port numbers.

130
00:12:52,490 --> 00:13:04,560
So if you have problems with that on the switch type no IP DHEA AP snooping information option enter.

131
00:13:05,020 --> 00:13:11,720
So we're not going to forward option 82 information to the writer so let's try that again I P conflict

132
00:13:11,710 --> 00:13:12,750
slash renew.

133
00:13:13,000 --> 00:13:16,130
Notice the P.C. now gets an IP address.

134
00:13:16,390 --> 00:13:18,040
So back on the switch.

135
00:13:18,310 --> 00:13:21,230
A lot of output in the debug.

136
00:13:21,250 --> 00:13:29,320
So once again the P.C. is requesting an IP address inbound interface is gigabit 0 to the switch sending

137
00:13:29,320 --> 00:13:32,460
the packet to the rider on gigabit 00.

138
00:13:32,680 --> 00:13:34,470
The rudder replies back.

139
00:13:34,710 --> 00:13:43,320
There's the DHB packet inbound on gigabit 00 we see the router allocating an IP address to the client.

140
00:13:43,530 --> 00:13:50,020
So in the output here we can see that this IP address which is the router is sending a broadcast it's

141
00:13:50,020 --> 00:13:57,010
a broadcast oddly a two broadcast at least three allocating the IP address to the P.C. thus once again

142
00:13:57,010 --> 00:14:02,650
if you remember is the MAC address of the P.C. so the writer has successfully allocated an IP address

143
00:14:02,650 --> 00:14:07,090
to the P.C. the P.C. got to that IP address from the router.

144
00:14:07,240 --> 00:14:14,250
Now it got given 10 1 1 100 because the P.C. will ask for the IP address that it had previously.

145
00:14:14,380 --> 00:14:19,090
Previously it had been given that IP address by the Kelly linux server.

146
00:14:19,240 --> 00:14:24,160
So Windows remembers that information and basically requests that IP address it had before so it got

147
00:14:24,160 --> 00:14:31,030
a different IP address but that IP address is in the pool of IP addresses on the router so you can see

148
00:14:31,480 --> 00:14:39,010
that this IP address was allocated to the P.C. and if we have a look at the DHB pool once again you

149
00:14:39,010 --> 00:14:43,630
can see that the pool is all IP addresses in 10 1 1 0.

150
00:14:44,520 --> 00:14:48,860
So 10 1 1 100 is a valid IP address in that range.

151
00:14:48,970 --> 00:14:49,130
Okay.

152
00:14:49,150 --> 00:15:00,580
So back on the switch let's recap what we configured show run pipe include DHEA P we configured DHEA

153
00:15:00,570 --> 00:15:07,370
P snooping globally on the switch we configured it globally on the veal and 1 so those are global configuration

154
00:15:07,370 --> 00:15:08,720
commands.

155
00:15:08,720 --> 00:15:17,720
We also stopped option 82 by configuring that globally and then we trusted the gigabit 00 interface

156
00:15:18,140 --> 00:15:20,960
so show run interface gigabit 00.

157
00:15:21,020 --> 00:15:24,980
Notice this interface has been configured as a trusted interface.

158
00:15:25,210 --> 00:15:33,740
Can we should do some show commands to show IPD HBP snooping we can see through the output of this command

159
00:15:33,770 --> 00:15:41,720
that DHB snooping is enabled globally also enabled on VLAN 1 not in other v lines all the devices in

160
00:15:41,720 --> 00:15:51,380
this network on VLAN one gigabit 00 is a trusted interface we are not a rate limiting that interface

161
00:15:52,040 --> 00:15:59,240
but what we may want to do is right limit requests from pieces so we may want a rate limit this interface

162
00:15:59,270 --> 00:16:12,740
and this interface the reason why is on Kelly Linux we could do a DHB P. a denial of service attack

163
00:16:13,070 --> 00:16:21,920
so send a DHB packets and basically just flood the network with a huge amount of DHB requests and that

164
00:16:21,920 --> 00:16:24,900
can actually kill or cause problems in the network.

165
00:16:25,190 --> 00:16:28,930
It's actually killing the switch so I'll stop that attack.

166
00:16:30,530 --> 00:16:40,390
So actions list attacks and I'll stop the D.A. HP Discover attack because it basically kills the switch.

167
00:16:40,420 --> 00:16:45,400
I'm going to get a huge amount of debug output now because I was running a debug.

168
00:16:45,460 --> 00:16:46,600
It's an important lesson.

169
00:16:46,600 --> 00:16:51,480
Don't leave a debug running and Kelly sent a huge amount of packets to the switch.

170
00:16:51,580 --> 00:16:56,970
So this may take a while so I'll turn off debugging.

171
00:16:56,980 --> 00:17:00,570
Not sure if you saw that about a topic quickly but there it is again unaltered.

172
00:17:01,030 --> 00:17:09,980
And what I'll do is on the interface to the Kelly linux server which is gigabit 0 1 all enabled rate

173
00:17:09,980 --> 00:17:10,870
limiting.

174
00:17:11,100 --> 00:17:23,640
So IPD HP snooping the limit rate to 10 packets that means 10 packets per second so we'll rate limit.

175
00:17:23,640 --> 00:17:30,810
This packet generation on Kelly basically stop it from sending too many packets.

176
00:17:30,910 --> 00:17:33,650
So back on the switch.

177
00:17:33,660 --> 00:17:37,020
Notice DCP snooping error disable.

178
00:17:37,020 --> 00:17:42,720
We've received more than 10 DHB packets on gigabit 00 DCP snooping rate.

179
00:17:42,720 --> 00:17:44,320
Limit is exceeded.

180
00:17:44,640 --> 00:17:47,660
More packets have been received and what has happened.

181
00:17:47,670 --> 00:17:49,700
The interface has been taken down.

182
00:17:50,070 --> 00:17:54,340
So show IP interface brief on the switch.

183
00:17:54,330 --> 00:17:55,800
There's the command again.

184
00:17:55,800 --> 00:18:01,530
Notice this interface has gone down because Kelly has sent too many packets

185
00:18:04,930 --> 00:18:09,140
I'll shut it down to manually shut it and then no shut.

186
00:18:09,640 --> 00:18:12,130
And let's see what happens.

187
00:18:12,370 --> 00:18:13,870
It's actually locked up my switch.

188
00:18:13,870 --> 00:18:17,940
Now you can see the CPSU is gone crazy.

189
00:18:19,040 --> 00:18:25,640
Some Kelly all stop that attack.

190
00:18:25,870 --> 00:18:32,320
This is one of the problems using a virtual environments such as Janus 3 or Cisco viral or even G.

191
00:18:32,320 --> 00:18:37,540
The problem is this is not a physical switch so it hasn't got the A6 to forward lots of traffic through

192
00:18:37,540 --> 00:18:44,110
it so you can basically destroy the switch which has happened here but after a while what happened was

193
00:18:44,170 --> 00:18:51,310
the messages displayed KGB snooping ten BHP packets have been received and what has happened now is

194
00:18:51,310 --> 00:18:54,510
the interface is shut down once again.

195
00:18:54,700 --> 00:18:59,440
So show IP interface brief interface has gone down.

196
00:18:59,590 --> 00:19:05,590
So basically what happened is I shut the interface no shut it so many packets were being received from

197
00:19:05,890 --> 00:19:11,410
the Kelly linux host that the switch bombed out our physical switch wouldn't necessarily have that problem

198
00:19:11,650 --> 00:19:18,760
because it's got the ASX then the 10 packet limit kicked in and the port was shut down to protect the

199
00:19:18,760 --> 00:19:19,750
switch.

200
00:19:19,750 --> 00:19:26,980
So there was a delay from interface going up see you being hammered by Kelly to the port being shut

201
00:19:26,980 --> 00:19:28,350
down by that command on.

202
00:19:28,510 --> 00:19:32,800
And that's because I'm using a virtual switch rather than a physical switch physical switch with Bolton

203
00:19:32,830 --> 00:19:35,670
ASX would stop this kind of nonsense from happening.

204
00:19:35,740 --> 00:19:39,950
Net result however is that the interface has gone down.

205
00:19:39,940 --> 00:19:42,570
We've protected the network.

206
00:19:42,670 --> 00:19:48,250
So in this video I showed you how to protect a network using DCP snooping I showed you how to stop rogue

207
00:19:48,300 --> 00:19:50,560
DHB servers on the network.

208
00:19:50,650 --> 00:19:57,880
I showed you how to stop a denial of service attack by Kelly Linux where it sends a whole bunch of HP

209
00:19:57,880 --> 00:19:58,760
messages.

210
00:19:58,900 --> 00:20:05,700
The switch will shut the port down if it receives too many DHB requests in a certain amount of time.

211
00:20:05,710 --> 00:20:09,370
Don't forget option 82 can cause problems like it did here.