Hello and welcome back. My name is Tyler McMahon with Aruba, a Hewlett Packard Enterprise company, and this is the Network Security Basics course, Part One, video five. In this video we're going to look at ARP attacks, and specifically ARP poisoning used to implement a man in the middle. We'll start with a quick review of what we covered last time, then cover spoofing addresses and phishing, my favorite kind of attack, social engineering, attacks against passwords, and what makes a good password. So without further ado, let's jump on in.

In the last video we ended on Address Resolution Protocol and how Alice sends a broadcast to discover the MAC address of a desired target and waits for the ARP response: for example, the response from Bob giving us his MAC address, which updates Alice's ARP table, or the response from the gateway giving us its MAC address. Now Alice has the gateway's MAC address and can send traffic to both Bob and the gateway. The vulnerability, of course, is that ARP uses no authentication at all, and that exposes the attack called ARP poisoning. This is an attack someone malicious like Mallory can use to trick a target device like Alice into thinking she's talking to Bob when in fact she's talking to Mallory.

The way this works: first, Alice sends her normal broadcast ARP request. She wants to know Bob's MAC address at 10.1.1.11, so she floods it out, and the switch, as it should, floods that request to every port in Alice's subnet. Bob responds to the request saying, yes, my MAC address ends in BB, or whatever it is. Mallory also responds. In fact, she responds repeatedly: where Bob responds once, Mallory responds and responds and responds, making sure that Alice's ARP table ends up holding Mallory's MAC address against Bob's IP address. So think about that.
When Alice wants to send a file to Bob, she addresses it to 10.1.1.11 and tells the switch to forward the frame to MAC address CC, so the switch delivers it to Mallory instead of Bob. So what's happened? Alice's ARP table has effectively been poisoned. It's no longer a reliable ARP table, but she doesn't know that, and there's really nothing Alice can do to authenticate whether the reply came from Bob or not; adding that check would break the mechanism as it's designed.

In fact, it can be even worse than this. Mallory can send what we call a gratuitous ARP. This is an ARP that Alice never asked for: Alice is just sitting there minding her own business, and every few minutes Mallory sends a gratuitous ARP reminding everybody, hey, if you want to talk to Bob, come to me. At the end of the day you have an ARP response that Mallory forged, or spoofed, to poison Alice's ARP table so that traffic for Bob is forwarded to Mallory instead. And Mallory can use the same gratuitous ARP to poison Bob's ARP table, so Bob thinks he's sending traffic to Alice at 10.1.1.10 when in fact it ends up in Mallory's hands as well. The result is what you see on the slide: Alice talking to Bob sends it to Mallory, and Bob talking to Alice sends it to Mallory. So what does Mallory do with it? She forwards it along, because she already has what she wanted: she has injected herself as a man in the middle and can copy the traffic as it passes.

ARP poisoning only works against devices in the same subnet, because ARP never leaves the broadcast domain. You can still use it to implement a much more widespread man in the middle attack, and you'll see that here: if Mallory poisons Alice's ARP entry for the default gateway, so Alice thinks the rest of the world has to go through Mallory, then Mallory is capturing far more than the occasional file traded between co-workers.
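The pattern described above (Bob answers once, Mallory answers repeatedly for the same IP, then sends gratuitous ARPs nobody asked for) is exactly what a passive ARP monitor looks for. The following is an added example written for this page, not code from the course or from Aruba. It parses raw Ethernet/ARP frames with the standard library, keeps a first-seen IP-to-MAC binding table, and raises an alert when a reply arrives that nobody requested or when a second MAC claims an IP already bound to another. The frames, hosts and addresses are constructed sample traffic that mirrors the Alice/Bob/Mallory scenario; a real deployment would read frames from a raw socket or a pcap, and a switch feature such as dynamic ARP inspection does the same check against a trusted DHCP snooping table rather than a first-seen one.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, eth_dst=BROADCAST):
    """Build an Ethernet II frame carrying an IPv4 ARP packet. Used here only
    to construct sample traffic; a real monitor reads frames off the wire."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sha), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None otherwise."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_src": mac_str(src), "op": op, "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """Passive detector: first-seen bindings plus 'was this answer asked for?'."""

    def __init__(self):
        self.bindings = {}        # ip -> MAC first seen claiming that ip
        self.outstanding = set()  # ips somebody broadcast a request for
        self.alerts = []          # (kind, ip, ...) tuples

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None or p["op"] not in (ARP_REQUEST, ARP_REPLY):
            return
        ip, mac = p["spa"], p["sha"]
        gratuitous = ip == p["tpa"]   # "I am <ip>" announcement nobody asked for
        if p["op"] == ARP_REQUEST and not gratuitous:
            self.outstanding.add(p["tpa"])
            solicited = True          # a requester naming itself is normal
        else:
            solicited = ip in self.outstanding
            self.outstanding.discard(ip)  # only the first answer was asked for
        if ip == "0.0.0.0":           # address probes carry no binding claim
            return
        if mac != p["eth_src"]:
            self.alerts.append(("mac_mismatch", ip, mac, p["eth_src"]))
        if not solicited:
            self.alerts.append(("unsolicited_claim", ip, mac))
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            self.alerts.append(("binding_conflict", ip, known, mac))


# Constructed hosts for the scenario in the text (not captured traffic).
ALICE_IP, ALICE_MAC = "10.1.1.10", "aa:aa:aa:aa:aa:aa"
BOB_IP, BOB_MAC = "10.1.1.11", "bb:bb:bb:bb:bb:bb"
MALLORY_MAC = "cc:cc:cc:cc:cc:cc"


def sample_frames():
    return [
        # Alice broadcasts: who has 10.1.1.11?
        build_arp(ARP_REQUEST, ALICE_MAC, ALICE_IP, ZERO_MAC, BOB_IP),
        # Bob answers once, unicast back to Alice.
        build_arp(ARP_REPLY, BOB_MAC, BOB_IP, ALICE_MAC, ALICE_IP, eth_dst=ALICE_MAC),
        # Mallory answers again and again for Bob's IP with her own MAC.
        build_arp(ARP_REPLY, MALLORY_MAC, BOB_IP, ALICE_MAC, ALICE_IP, eth_dst=ALICE_MAC),
        build_arp(ARP_REPLY, MALLORY_MAC, BOB_IP, ALICE_MAC, ALICE_IP, eth_dst=ALICE_MAC),
        # Later, a gratuitous ARP claiming Alice's IP, to poison Bob's table too.
        build_arp(ARP_REQUEST, MALLORY_MAC, ALICE_IP, ZERO_MAC, ALICE_IP),
    ]


def run_demo():
    mon = ArpMonitor()
    for frame in sample_frames():
        mon.observe(frame)
    return mon


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print(alert)
```

Two of the three checks fire on every one of Mallory's frames: the reply was not solicited by any outstanding request, and the MAC conflicts with the one already bound to that IP. The monitor deliberately does not try to decide who is telling the truth; that is what a trusted binding source (DHCP snooping, a static inventory) is for.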
You can use this on the wired side, as we've been demonstrating, or on the wireless side as well. Don't worry, I'm going to show you how to fix all of this; there are mechanisms you can enable on Aruba switches and Aruba wireless devices to defend against these attacks.

Next, MAC and IP spoofing. MAC spoofing is where Mallory changes her MAC address to look like a device she doesn't actually own. A would-be malicious user can use this simply to hide the source of an attack or to gain unauthorized access, as I've been describing. But you can also use MAC and IP spoofing to carry out ARP poisoning man in the middle attacks, or just a simple denial of service.

Then email spoofing and phishing, and we're going to see an example of this in just a minute. Phishing is where an attacker tries to steal information through false emails; Mallory's goal here is to steal user information. Spear phishing is where you target a specific individual, knowing something about them, in an attempt to trick them into clicking on something they shouldn't. And that has a strong element of social engineering.

What I find fascinating about social engineering is that it's not really a technical fault. With social engineering you're not hacking software or hardware; you're hacking individuals, using human behavior to get around existing security measures. You lock your door; I walk up with an armful of books and see if you'll hold it open for me. Posing as an IT staff member and asking an employee for their password is another example of social engineering, and phishing is really an example of social engineering too. You're pulling at the heartstrings of somebody sympathetic, either through flattery or, more often than not, by posing as someone in a position of authority to get people to do what you want.
So, additional attacks against passwords: there are dictionary attacks and brute force attacks. A dictionary attack is where the attacker tries to log in, or guess the password of a device, by trying every word in a dictionary. If you save a dictionary file it may only be 10, 20, 30 megs. It's not very big, and a computer can run through it in a matter of seconds. A brute force attack is where they try every possible combination of whatever characters you use in your passwords. If you only use lowercase letters, that's 26 different characters per position for them to try. Add uppercase and you go from 26 to 52; add digits and special characters and you're up to the 95 printable ASCII characters (256 if you count every possible byte value). That makes passwords with mixed character types much, much harder to brute force than simple lowercase ones.

Online dictionary attacks are going to be less effective than offline ones. Online, Mallory has to send login attempts to a website, and after a few failed attempts the account is locked out. Brute forcing something like that is next to impossible. With some social engineering she might be able to get around the lockout, but it's fairly unlikely. Offline attacks, however, are much more effective, whether the attacker runs a dictionary attack, a brute force attack, or uses precomputed hashes in what's called a rainbow table. They can run through a rainbow table in a matter of minutes, whereas brute forcing on the fly might take months and months. Either way, Mallory takes a captured password hash, takes it offline, and runs it against these precomputed tables, or just performs a raw brute force or dictionary attack, trying millions of candidates in a short amount of time. And if a hacker has information from another data breach, then even online attacks become viable. For example, if you used the password on a website that's been hacked,
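To make the offline attack concrete, here is an added example (written for this page, not code from the course) that plays both sides. It hashes a small constructed wordlist into a lookup table and cracks a constructed dump of unsalted hashes with no further hashing at all, which is the reuse-across-everyone property a rainbow table exploits. It then shows what a per-user random salt does to the same attack: the table is useless and the wordlist has to be re-hashed for every single user. SHA-256 is used only so the example needs no third-party library; a real password store would use a deliberately slow function such as scrypt or Argon2.

```python
import hashlib
import os

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "summer2019", "correcthorse"]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> word once. Against unsalted hashes this one table
    serves every user of every site that used the same hash function; a
    rainbow table is the same idea with a time/memory trade-off on top."""
    return {sha256_hex(w.encode()): w for w in words}


def crack_unsalted(dump, table):
    """dump: {user: hex_hash}. One dictionary lookup per user, no hashing."""
    return {user: table[h] for user, h in dump.items() if h in table}


def store_salted(password, salt=None):
    """Server-side salting: a random per-user value is hashed together with
    the password and stored beside the digest. (Slow hash omitted for brevity.)"""
    salt = salt if salt is not None else os.urandom(16)
    return salt.hex() + "$" + sha256_hex(salt + password.encode())


def crack_salted(dump, words):
    """No precomputed table can help: the wordlist must be hashed again with
    each user's own salt. Returns (cracked, number_of_hashes_computed)."""
    cracked, work = {}, 0
    for user, stored in dump.items():
        salt_hex, digest = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        for w in words:
            work += 1
            if sha256_hex(salt + w.encode()) == digest:
                cracked[user] = w
                break
    return cracked, work


def demo():
    # Constructed breach: three users, two of whom reused the same weak password.
    creds = {"alice": "hunter2", "bob": "correcthorse", "carol": "hunter2"}
    unsalted = {u: sha256_hex(p.encode()) for u, p in creds.items()}
    salted = {u: store_salted(p) for u, p in creds.items()}
    table = build_lookup_table(WORDLIST)
    from_table = crack_unsalted(unsalted, table)
    from_salted, work = crack_salted(salted, WORDLIST)
    return {
        # Without a salt, reuse is visible before any cracking: same hash.
        "unsalted_reuse_visible": unsalted["alice"] == unsalted["carol"],
        "salted_reuse_visible": salted["alice"] == salted["carol"],
        "cracked_unsalted": from_table,
        "cracked_salted": from_salted,
        "salted_hashes_computed": work,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both dumps fall to this tiny wordlist, which is the point about weak and reused passwords, but the cost structure is different: the unsalted dump costs one table build shared across every user and every site, while the salted one costs a full wordlist pass per user (14 hashes here, and millions of times that with a real dictionary and a slow hash). Salting also hides the fact that alice and carol chose the same password.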
they know what your password is, and if you use the same password on site after site after site, you're exposed everywhere. This happened to me. I had, like, just a generic password. Who cares? And suddenly it was being used on all these websites. One site got hacked, and often they'll sell those passwords to other hackers, who then try that password on other websites. So if you lose your Netflix password, it's the same password they'll try on your Gmail, on your Facebook, on your bank.

So what makes a good password? One, never reuse a password, and no simple variations either. Eight or more characters is the minimum the NIST standard recommends, but preferably much longer. Random characters are preferred; if that's not feasible, try four random words strung together. Mixing different character types is a little less important than length. (You'll sometimes hear mixing character types loosely called "salting" your password, but properly speaking salting is something the server does: it adds a random value to each password before hashing it, so that two users with the same password don't end up with the same stored hash.) Another option, and this is what I definitely use, is a password management solution, which lets you randomly generate passwords. All browsers carry their own kind of password manager built in, and there are paid solutions you might want to look at as well; there are a ton of them out there. The advantages are no repeated passwords, stronger passwords, and it's very easy to use. The disadvantage is that you now need to trust that company. Something we're going to get into in later sections is certificates.

All right, I think that's a good place to stop for today. When we come back, we're going to look at some example phishing emails and decide: is this a phishing attempt or not? Is this a legitimate email or not? We'll do that in the next video. In this video we covered quite a bit. We looked at ARP poisoning and how it is used in a man in the middle attack. We looked at MAC and IP spoofing, email spoofing and phishing, and we're going to come back to phishing in the next video.
And we finished off with social engineering and passwords, including some good practices for protecting your passwords. So, my name is Tyler with Aruba. I want to thank you for your time, and I will see you in the next video, where we try to decide whether a set of emails is legitimate or a phishing attempt. I'll see you in the next one.