1
00:00:01,850 --> 00:00:02,090
Right.

2
00:00:02,110 --> 00:00:06,260
So let's talk about how we can detect ARP poisoning attacks.

3
00:00:07,580 --> 00:00:11,030
First of all, let me show you the ARP tables.

4
00:00:11,030 --> 00:00:15,380
So in our Windows device, which is the device that we always attack.

5
00:00:15,710 --> 00:00:16,780
I'm going to run a command.

6
00:00:18,200 --> 00:00:22,550
arp -a, to list all the entries in the ARP table.

7
00:00:22,960 --> 00:00:25,220
So each computer has an ARP table.

8
00:00:26,340 --> 00:00:33,990
And that table associates IP addresses with MAC addresses, so we can see the IP address of the router,

9
00:00:33,990 --> 00:00:43,340
which is 10.20.14.1, is associated with the MAC address, 52 54, and it ends in 35

10
00:00:43,390 --> 00:00:44,030
00.

11
00:00:44,370 --> 00:00:47,520
So this is the MAC address for the IP, for the router.

12
00:00:48,330 --> 00:00:53,910
So the way that the ARP poisoning works, like we discussed before, is it works because

13
00:00:54,270 --> 00:01:00,570
each request is trusted and clients accept responses even if they didn't send the request.

14
00:01:01,170 --> 00:01:07,290
So what the hacker does is he sends a response to the client telling them that they are the router.

15
00:01:07,570 --> 00:01:12,060
So the client will accept that, it's trusted, and is going to accept the response, even though it didn't

16
00:01:12,060 --> 00:01:12,840
send the request.

17
00:01:13,560 --> 00:01:17,520
Then we'll send another response to the router telling them that we are the client.

18
00:01:18,630 --> 00:01:20,130
So what is this going to do?

19
00:01:20,150 --> 00:01:23,160
It's going to modify the entries in the ARP tables on both.

20
00:01:23,200 --> 00:01:29,070
On the router and on the client. And for the client, it's going to contain the hacker's MAC address

21
00:01:29,250 --> 00:01:32,460
and it's going to associate that with the router's IP address.

22
00:01:33,210 --> 00:01:39,030
So what's basically going to happen is it's going to modify the MAC address here and it's going to change

23
00:01:39,030 --> 00:01:44,070
that to the attacker's MAC address instead of the router's real MAC address.

24
00:01:44,640 --> 00:01:50,790
So once that happened, then the hacker will be in the middle of the connection and they'll be able

25
00:01:50,790 --> 00:01:56,010
to read, analyze and modify the packets because they're going to be flowing through the hacker device.

26
00:01:57,490 --> 00:02:02,040
So let's run the ARP poisoning, a normal ARP poisoning attack like we always do.

27
00:02:04,620 --> 00:02:07,490
And when I go back here, I'm going to execute the same command.

28
00:02:07,560 --> 00:02:12,930
I'm going to do an arp -a again, and note how the MAC address is going to be different.

29
00:02:13,170 --> 00:02:16,470
So the MAC address for the router used to be this one.

30
00:02:17,310 --> 00:02:21,510
And when we ran the command, then the MAC address changed to this one.

31
00:02:22,410 --> 00:02:28,260
And this MAC address right here is the MAC address of the network card that the attacker used.

32
00:02:28,920 --> 00:02:31,560
So if I come here and just do an ifconfig.

33
00:02:33,570 --> 00:02:40,200
You'll see that this is the MAC address, the same MAC address that is displayed in here.

34
00:02:41,440 --> 00:02:46,140
So this is the easiest and the simplest way to discover ARP poisoning attacks.

35
00:02:46,780 --> 00:02:51,880
It's not the handiest way, though, because you're going to have to keep doing this command and keep

36
00:02:51,880 --> 00:02:53,080
comparing the entries.

37
00:02:53,320 --> 00:02:56,100
If you really wanted to check if you're being ARP poisoned.

38
00:02:56,740 --> 00:03:01,960
So there is a tool called XArp, and it does that automatically for you.

39
00:03:02,200 --> 00:03:04,180
And it's available for Linux and Windows.

40
00:03:05,050 --> 00:03:08,590
So I already downloaded it; you can just Google XArp and you can download it.

41
00:03:08,620 --> 00:03:10,900
Very easy to download and install.

42
00:03:11,200 --> 00:03:12,130
And I'm just going to run it.

43
00:03:13,240 --> 00:03:15,040
I'm actually going to stop the attack first.

44
00:03:16,100 --> 00:03:17,270
And then I'm going to run it.

45
00:03:18,380 --> 00:03:23,720
Now, notice, when you stop the attack, the IP address is going to go back to what it was.

46
00:03:24,760 --> 00:03:30,850
So you can see that the MAC address of the router is back to its default, the right value of the router,

47
00:03:31,960 --> 00:03:33,490
so I'm just going to run XArp now.

48
00:03:35,150 --> 00:03:36,660
And you can see that everything is good.

49
00:03:37,970 --> 00:03:41,870
And you can see that the entries are very similar to what we did when we did an arp -a.

50
00:03:41,930 --> 00:03:47,840
So we have the IP addresses and the MAC addresses associated with them. What the tool basically does,

51
00:03:47,860 --> 00:03:49,900
It's just going to automatically monitor this.

52
00:03:50,240 --> 00:03:55,040
And whenever something changes, it's going to know that something wrong is happening, because each

53
00:03:55,040 --> 00:03:57,920
IP address should have a unique MAC address.

54
00:03:58,130 --> 00:04:00,080
There should be no duplicates in the network.

55
00:04:00,950 --> 00:04:05,900
So I'm gonna do another ARP poisoning attack exactly like we did before.

56
00:04:07,470 --> 00:04:14,190
And when we come here, you'll see that XArp is giving us a notification and telling us that something's

57
00:04:14,190 --> 00:04:14,580
happening.

58
00:04:15,360 --> 00:04:21,900
It's telling us that the MAC address for the router, which is the 10.20.14.1 IP, has changed from

59
00:04:21,900 --> 00:04:23,340
this to that.

60
00:04:25,370 --> 00:04:31,190
And if we look here, I'm going to click OK, and if we look here, we can see that the affected machines

61
00:04:31,190 --> 00:04:34,970
are the router, my own machine right now.

62
00:04:35,270 --> 00:04:36,170
And the attacker.

63
00:04:36,980 --> 00:04:38,300
Sorry, that's that's me.

64
00:04:38,600 --> 00:04:39,620
And that's the attacker.

65
00:04:40,160 --> 00:04:47,420
So basically, we know that the machine at 10.20.14.203 is trying to do an ARP poisoning attack

66
00:04:47,750 --> 00:04:52,360
because it's the one that the router's MAC address has changed to.

67
00:04:52,850 --> 00:04:55,400
Therefore, we know this is the attacker machine.

68
00:04:56,090 --> 00:04:59,990
So this tool is really handy because it does the monitoring automatically for us.

69
00:05:00,260 --> 00:05:04,190
And it'll tell us whenever someone is trying to ARP poison the network.
