1
00:00:00,270 --> 00:00:02,870
Zebra What are you doing.

2
00:00:02,900 --> 00:00:09,410
How are you a nasty zebra worth while guarding zebra.

3
00:00:09,730 --> 00:00:12,580
Let's break some model locks in this video.

4
00:00:12,580 --> 00:00:18,190
I'm gonna show you how to implement dynamic up inspection dynamic up inspection stops attacks such as

5
00:00:18,250 --> 00:00:19,370
OP poisoning.

6
00:00:19,540 --> 00:00:25,030
And man in the middle attacks in a previous video which I've linked here and below I showed you how

7
00:00:25,030 --> 00:00:31,960
to use Kelly or Collie Linux if you prefer to implement a man in the middle attack by poisoning of the

8
00:00:31,960 --> 00:00:34,120
OP caches of devices.

9
00:00:34,270 --> 00:00:40,900
We had Kelly poisoning the OP cache of a Windows device and a Cisco router and then implementing a man

10
00:00:40,900 --> 00:00:44,770
in the middle attack where all traffic from that Windows host to its default gateway.

11
00:00:44,770 --> 00:00:52,330
The Cisco rider was routed or switched in this case through the Kelly linux host So Carly was able to

12
00:00:52,660 --> 00:00:57,440
see all the traffic from Windows to the rider and windows to the Internet.

13
00:00:57,460 --> 00:01:02,180
As an example we were able to capture telnet passwords and HDP passwords.

14
00:01:02,200 --> 00:01:07,600
You shouldn't be using clear text protocols in your network today so you shouldn't be using protocols

15
00:01:07,600 --> 00:01:14,620
such as HDP or telnet but if someone did use clear text passwords I'd have visibility of those passwords

16
00:01:15,010 --> 00:01:20,260
and have visibility of the data because all traffic is sent through the Kelly linux host.

17
00:01:20,560 --> 00:01:23,720
Which in this case implemented a man in the middle attack.

18
00:01:23,770 --> 00:01:29,560
We can stop that kind of nonsense by implementing dynamic OP inspection dynamic OP inspection requires

19
00:01:29,590 --> 00:01:36,670
either DHB snooping or that you manually configure MAC addresses these switches basically snooping or

20
00:01:36,670 --> 00:01:44,620
listening in on the HP requests from hosts or devices to the DHB server and then is creating dynamically

21
00:01:44,680 --> 00:01:50,290
when using DHB snooping a MAC address to IP address mapping to an interface.

22
00:01:50,290 --> 00:01:54,970
So it says this MAC address this IP address belongs on this interface.

23
00:01:55,000 --> 00:02:01,120
If you change your mac address that traffic is denied and I'm going to demonstrate that using Kelly

24
00:02:01,120 --> 00:02:02,920
Linux in this video.

25
00:02:03,010 --> 00:02:10,540
So I'm going to show you how you can implement the HP snooping dynamic OP inspection and then stop Kelly

26
00:02:10,870 --> 00:02:13,690
from sending traffic when it changes its Mac address.

27
00:02:13,690 --> 00:02:16,170
So we're going to stop stop poisoning attacks.

28
00:02:16,330 --> 00:02:21,300
Now to make it easier I've added this presentation below this video.

29
00:02:21,350 --> 00:02:27,840
This presentation shows you the network that I'm using and then shows you how to configure dynamic IP

30
00:02:27,840 --> 00:02:28,780
inspection.

31
00:02:28,780 --> 00:02:35,410
So I've got links in here to Cisco and other websites that give you more information but I also show

32
00:02:35,410 --> 00:02:42,970
you how to configure both DHB snooping as well as dynamic of inspection.

33
00:02:42,970 --> 00:02:47,210
So in this video I'm going to show you quite a lot of detail how this all works.

34
00:02:47,320 --> 00:02:51,930
Use the menu here to jump to a specific topic if you want to.

35
00:02:51,940 --> 00:02:56,800
So going to show you how to set up DHB snooping but I've covered that once again in this video so if

36
00:02:56,800 --> 00:03:02,380
you just want to see the dynamic IP inspection part of the video then jump to the specific timestamp

37
00:03:02,470 --> 00:03:04,000
of interest.

38
00:03:04,000 --> 00:03:06,660
I've included this once again below this video.

39
00:03:06,730 --> 00:03:25,600
This presentation shows you how to set this up how to verify it on a Cisco switch.

40
00:03:27,160 --> 00:03:30,890
Now the first thing we need to do is enable DHB snooping.

41
00:03:30,890 --> 00:03:35,770
Now I've covered this and a lot of detail in a previous video so all I'm going to do here is copy and

42
00:03:35,770 --> 00:03:38,690
paste the commands into the switch.

43
00:03:38,710 --> 00:03:39,720
Have a look at this video.

44
00:03:39,730 --> 00:03:45,070
If you want to look at a DHB snooping video that discusses this in a lot of detail.

45
00:03:45,700 --> 00:03:52,660
Okay so what I'm gonna do is copy the commands from this presentation and paste the commands on our

46
00:03:52,660 --> 00:03:54,300
switch.

47
00:03:54,370 --> 00:04:00,210
Now you're not topology once again we've got a Cisco broader this rider is configured with a DHB server.

48
00:04:00,700 --> 00:04:09,140
So let's view that first here's the raw data show run pipe.

49
00:04:09,170 --> 00:04:20,310
Begin DHEA P that just allows me to falter the configuration until the keyword DHEA P is found so there's

50
00:04:20,350 --> 00:04:21,610
the command.

51
00:04:21,680 --> 00:04:23,880
Here's my DHB pull.

52
00:04:24,040 --> 00:04:28,900
You can see the network used its 10 1 1 0 slash 24.

53
00:04:28,900 --> 00:04:37,660
Default right or default gateway is the local router a DNS server is set to google the router has this

54
00:04:37,660 --> 00:04:43,400
IP address 10 1 1 2 5 4 configured on gigabit 0.

55
00:04:43,570 --> 00:04:52,030
So this interface is configured with the IP address 10 1 1 2 5 4 and the right is allocating IP addresses

56
00:04:52,030 --> 00:05:00,070
to devices and we can see that by typing show IP DHB binding we can see that two devices have received

57
00:05:00,100 --> 00:05:01,540
IP addresses.

58
00:05:01,540 --> 00:05:04,390
This is the IP address allocated to Kelly Linux.

59
00:05:04,390 --> 00:05:08,080
This is the IP address allocated to the Windows computer.

60
00:05:08,140 --> 00:05:09,520
We can verify that

61
00:05:12,980 --> 00:05:16,290
by using the command IP address on Kelly.

62
00:05:16,430 --> 00:05:24,860
Notice there's the IP address allocated to the Kelly linux host and on the Windows computer.

63
00:05:24,860 --> 00:05:30,410
I'll open up a C and D prompt IP config.

64
00:05:30,410 --> 00:05:36,220
This is the IP address of the windows computer so the DHB server has been configured.

65
00:05:36,230 --> 00:05:40,220
It's allocating IP addresses to the devices in the network.

66
00:05:40,250 --> 00:05:45,730
What we need to do now is configure DHB snooping on the switch.

67
00:05:45,740 --> 00:05:53,660
At the moment no DHB snooping has been enabled so you can see that no DCP commands have been enabled

68
00:05:54,380 --> 00:05:57,790
and we haven't enabled dynamic up inspection.

69
00:05:57,800 --> 00:06:05,240
Okay so the first thing I'm gonna do is copy the DHB P snooping commands to the switch

70
00:06:08,250 --> 00:06:09,600
so paste those in

71
00:06:16,440 --> 00:06:21,450
and you can see here that DHB snooping has been enabled globally.

72
00:06:21,510 --> 00:06:24,390
It's been enabled for VLAN 1.

73
00:06:24,840 --> 00:06:34,560
We've disabled option 82 and the command show IP DHB snooping shows us that to DHB snooping is now enabled

74
00:06:35,040 --> 00:06:40,500
on v 1 no trusted ports have been configured yet.

75
00:06:40,560 --> 00:06:45,150
Now once again I've shown you previously how to configure the HP snooping and I've explained it in a

76
00:06:45,150 --> 00:06:48,370
lot of detail so I'm not doing that here.

77
00:06:48,590 --> 00:06:48,910
Okay.

78
00:06:48,920 --> 00:06:58,710
The next step is to configure trusted ports in mind topology gigabit 0 0 is a trusted port Okay so it

79
00:06:58,710 --> 00:07:01,120
might topology gigabit.

80
00:07:01,170 --> 00:07:09,150
0 0 is the interface that connects to the rotor the rotor is running the DHB service it's allocating

81
00:07:09,150 --> 00:07:18,360
IP addresses we want to trust the CHP server we don't want to trust this Kelly linux host as a DHB server.

82
00:07:19,170 --> 00:07:30,360
So back on the switch I'm going to paste those commands gigabit 0 0 is now a trusted interface show

83
00:07:30,840 --> 00:07:41,040
IP the DHB snooping we can see that gigabit 0 0 is now a trusted interface now we can also reached a

84
00:07:41,060 --> 00:07:50,700
limit DHEA P requests to stop a denial of service attack so I'm going to rate limit DCP messages to

85
00:07:50,700 --> 00:07:59,070
10 packets per second on gigabit 0 1 which is the interface connecting me to the Kelly linux host again

86
00:07:59,070 --> 00:08:04,170
I've explained that in a lot of detail in the previous video sold piece to that in

87
00:08:12,540 --> 00:08:15,070
got to type quantity first.

88
00:08:15,450 --> 00:08:17,080
So try that again.

89
00:08:17,090 --> 00:08:18,980
There we go.

90
00:08:19,040 --> 00:08:23,200
So show run interface gigabit 00.

91
00:08:23,390 --> 00:08:26,090
We are trusting this interface.

92
00:08:26,150 --> 00:08:30,130
We are not trusting this interface.

93
00:08:30,170 --> 00:08:36,740
This interface gigabit 0 1 is being rate limited 0 0 is being trusted.

94
00:08:37,490 --> 00:08:44,000
Okay now that I've configured DHB snooping I can configure dynamic up inspection dynamic up inspection

95
00:08:44,000 --> 00:08:53,150
is fairly simple to configure what we're going to do is configure it globally on the switch by using

96
00:08:53,150 --> 00:09:05,330
the command IP inspection VLAN 1 so confetti IP OPP inspection specify the VLAN my example it's v land

97
00:09:05,330 --> 00:09:16,070
1 because all ports on the switch are currently configured in VLAN 1 now typically in the real world

98
00:09:16,070 --> 00:09:22,580
you wouldn't put your devices and VLAN one you would put them in a different VLAN now notice what's

99
00:09:22,580 --> 00:09:23,210
happening.

100
00:09:23,210 --> 00:09:28,870
We are already seeing invalid OP messages received on gigabit 02.

101
00:09:28,970 --> 00:09:33,640
That is the windows host.

102
00:09:33,640 --> 00:09:36,020
We are not trusting anyone at the moment.

103
00:09:36,020 --> 00:09:38,450
We are basically blocking all traffic.

104
00:09:39,230 --> 00:09:46,870
So the windows host is trying to get it to its default gateway so it's trying to get to 10 1 1 2 5 4.

105
00:09:47,190 --> 00:09:52,970
There's the IP address of the windows host Mac address of the windows host trying to get to its default

106
00:09:52,970 --> 00:09:57,050
gateway and the traffic is being denied.

107
00:09:57,050 --> 00:09:59,170
We can see that as an example on the windows.

108
00:09:59,160 --> 00:10:06,170
P.S. If I try and ping the router it's not going to work.

109
00:10:06,170 --> 00:10:07,100
Traffic is denied

110
00:10:09,920 --> 00:10:11,800
and actually let me demonstrate this.

111
00:10:11,930 --> 00:10:19,580
I'm going to remove dynamic OP inspection so it's removed and what you'll notice is the P.C. the windows

112
00:10:19,580 --> 00:10:27,890
P.C. can ping the router but what you'll also notice is the Kelly Linux host can ping the P.C. which

113
00:10:27,890 --> 00:10:35,900
we don't want it to do and it can ping the router so Kelly can ping both the windows P.C. as well as

114
00:10:35,900 --> 00:10:44,540
the router but as soon as we enable dynamic up inspection we basically break the network because notice

115
00:10:45,200 --> 00:10:56,330
traffic from 10 1 1 2 2 10 1 1 100 is being denied because now when we try and ping say the windows

116
00:10:56,330 --> 00:11:06,830
host the traffic is denied Kelly is not able to ping the windows host and it's not able to ping its

117
00:11:06,830 --> 00:11:12,110
default gateway the windows host can't get to its default gateway.

118
00:11:12,110 --> 00:11:13,070
That's a problem.

119
00:11:13,070 --> 00:11:16,880
We want it to be able to talk to its default gateway.

120
00:11:16,880 --> 00:11:24,810
So what we're going to do is set gigabit 0 0 as a trusted port.

121
00:11:24,970 --> 00:11:28,210
That's the port connecting us to the rotor.

122
00:11:28,640 --> 00:11:39,010
So on the switch interface gigabit 00 IP OPP inspection just use question mark again trust we are going

123
00:11:39,010 --> 00:11:46,160
to trust that interface so show run interface gigabit 00.

124
00:11:46,330 --> 00:11:56,880
This command shows us that this interface is trusted for DHB snooping as well as for OP inspection so

125
00:11:56,880 --> 00:12:00,590
now can the windows P.C. ping the rotor.

126
00:12:00,780 --> 00:12:03,800
At the moment we can see that it can't.

127
00:12:04,020 --> 00:12:08,670
We still getting a whole bunch of denies on the switch show IPD HP

128
00:12:11,190 --> 00:12:14,910
snooping let's look at the bindings.

129
00:12:14,970 --> 00:12:16,060
Notice the problem.

130
00:12:16,080 --> 00:12:18,830
There are no D HP bindings at the moment.

131
00:12:19,020 --> 00:12:24,700
We are relying on the D HP bindings database to implement dynamic OP inspection.

132
00:12:24,750 --> 00:12:30,240
We need to have the bindings in the database for dynamic of inspection to work.

133
00:12:31,790 --> 00:12:39,920
So we are constantly getting these denies at the moment because there is no entry in the DHB snooping

134
00:12:39,920 --> 00:12:40,510
database.

135
00:12:41,060 --> 00:12:49,180
So I'm going to top IP config slash release to release my IP address and then I'm going to type renew

136
00:12:49,330 --> 00:12:53,660
to renew the IP address on the windows computer.

137
00:12:53,710 --> 00:13:04,030
It's now being given this IP address back on the switch show IP DHB snooping binding we can see that

138
00:13:04,150 --> 00:13:13,990
this mac address has been given this IP address and we can see that via DHB snooping on VLAN 1 the interface

139
00:13:14,020 --> 00:13:19,420
where that host resides is gigabit 02 so back on the windows.

140
00:13:19,420 --> 00:13:24,610
P.S. Can it now ping its default gateway.

141
00:13:24,800 --> 00:13:26,720
And the answer is yes it can.

142
00:13:26,720 --> 00:13:34,100
So remember because we're using the HP snooping the pieces have to request IP addresses and those IP

143
00:13:34,100 --> 00:13:37,140
addresses have to be allocated through DHEA.

144
00:13:37,250 --> 00:13:43,340
We've got to have DHB snooping listening in on the conversation seeing that to the rider allocates the

145
00:13:43,340 --> 00:13:50,180
IP address to the P.C. and then because of that the DHB snooping databases bolt and dynamic up inspection

146
00:13:50,450 --> 00:13:55,190
can leverage that database to permit devices.

147
00:13:55,190 --> 00:14:02,870
So again on the switch show IP DHB snooping binding we can see that this IP address was allocated to

148
00:14:02,870 --> 00:14:06,770
this Mac address on this interface.

149
00:14:06,770 --> 00:14:19,770
Now Kelly can stall not paying the default gateway because an IP address hasn't been added to the DHB

150
00:14:19,770 --> 00:14:21,280
snooping database.

151
00:14:21,300 --> 00:14:27,920
So what I'm going to do is edit connections in Kelly.

152
00:14:28,210 --> 00:14:33,490
I'm going to go to IP version 4 settings disable the interface

153
00:14:38,090 --> 00:14:42,560
go back and get it to use DHEA P

154
00:14:47,850 --> 00:14:53,450
I have config shows us that it's got its IP address

155
00:14:56,120 --> 00:15:04,070
show IP DHB binding on the switch you can see that this IP address has been allocated to this mac address

156
00:15:04,640 --> 00:15:14,700
which is the Kelly Lennox host MAC address ends in 5 a 0 0 which is what we see over here.

157
00:15:14,710 --> 00:15:20,080
So can the Kelly Lennox host ping the default gateway.

158
00:15:20,080 --> 00:15:21,030
Yes it can.

159
00:15:21,670 --> 00:15:26,960
So on the switch once again show IP DHEA snooping binding.

160
00:15:27,430 --> 00:15:39,780
We can see that two IP addresses have been allocated to specific MAC addresses show IP up inspection.

161
00:15:40,440 --> 00:15:42,260
So there's the command again.

162
00:15:42,330 --> 00:15:48,950
We can see that it's enabled for veal and one so many packets have been dropped.

163
00:15:49,200 --> 00:15:59,460
Now on Kelly once again I have config shows me that this is the MAC address of the host ending in 5

164
00:15:59,490 --> 00:16:09,620
a 0 0 on the switch show IP DHB snooping database that MAC address has been allocated this IP address

165
00:16:10,920 --> 00:16:15,960
Kelly can paying default gateway.

166
00:16:15,960 --> 00:16:29,050
Once again that IP address this MAC address I'm gonna change the MAC address by using Mac changer Mac

167
00:16:29,050 --> 00:16:36,040
change it tells us that we can see the MAC address by using S. as an option and then we can create a

168
00:16:36,040 --> 00:16:48,070
random MAC address using dash bar or hyphen or so Mac change the dash s Ethernet zero that's the current

169
00:16:48,070 --> 00:16:49,480
mac address.

170
00:16:49,480 --> 00:16:53,440
That's the permanent MAC address scrolling up once again.

171
00:16:53,650 --> 00:16:57,830
That's the MAC address that we saw previously with I have config.

172
00:16:58,570 --> 00:17:02,210
So let's create a random MAC address.

173
00:17:02,650 --> 00:17:05,540
MAC address we've been told is now this.

174
00:17:05,650 --> 00:17:13,510
So I have config shows us that that is the new mac address that we've been given random MAC address.

175
00:17:13,510 --> 00:17:19,030
Can we paying the default gateway answer is no we can't

176
00:17:22,600 --> 00:17:24,550
and we're seeing a lot of denies on the switch.

177
00:17:24,550 --> 00:17:31,990
You can't just create some random MAC address or try and implement ops spoofing or OP poisoning because

178
00:17:31,990 --> 00:17:36,700
we've now got dynamic up inspection enabled on the switch.

179
00:17:36,700 --> 00:17:40,390
And I'll just stop the ping on Kelly.

180
00:17:40,900 --> 00:17:46,920
The only MAC address that's allowed is that MAC address on interface gigabit 0 1.

181
00:17:46,960 --> 00:17:51,310
This MAC address is permitted on gigabit 02.

182
00:17:51,700 --> 00:18:04,210
So by randomly changing my mac address using Mac changer from this address to this address traffic is

183
00:18:04,210 --> 00:18:14,530
now being denied it also stops someone from using an application such as a cap to poison the OP caches.

184
00:18:14,530 --> 00:18:24,910
So again previously I showed you how to use it a cap to poison hosts on the network so if I try and

185
00:18:24,910 --> 00:18:31,990
scan for hosts now that traffic is going to be denied by the switch because of dynamic up inspection

186
00:18:32,320 --> 00:18:39,970
I can't implement of poisoning by using at a cap unlike previously when I demonstrated it in this video

187
00:18:40,420 --> 00:18:44,370
because we've got a dynamic OP inspection enabled.

188
00:18:44,370 --> 00:18:44,620
Okay.

189
00:18:44,620 --> 00:18:49,750
Very long video once again but hopefully I've shown you clearly how to set up a dynamic of inspection

190
00:18:50,050 --> 00:18:56,200
and how to test it you can once again download this presentation if you want to have a summary of what

191
00:18:56,200 --> 00:18:59,680
we've done and you want to keep this as a reference.