Hello and welcome. My name is Tyler McMinn with Aruba, a Hewlett Packard Enterprise company, and this is the Network Security Basics course, our fourth video in the series. In the last video we went through a number of different types of viruses and different types of attacks that threaten your network, leading up to the last one on Distributed Denial of Service. In this video, we're going to be covering in more detail some of the networking attacks that might threaten your network and what form those take. So sit back and let's jump on in.

All right, so taking a look at Eavesdropping. With a malicious user in our network, we've got a legitimate user who's trying to send traffic on a wireless network, for example. Eve the eavesdropper may be simply listening to these wireless frames as they go across, just sniffing the traffic as she walks through the halls of your business or walks past the front of your house, or maybe it's your neighbor. Neighbors can be snoopy. If Eve, your snoopy neighbor, wants to listen to frames that don't belong to her, she only needs to have a network interface card or a radio, or it could be a port, that is able to enter what we call promiscuous mode. Normally, your machine only accepts frames on the wire or wireless that match its MAC address, the burned-in address at layer two of your laptop, or your phone, or your radio. But in promiscuous mode, this particular type of card can accept anybody's frames. On the wired side, what Eve would do is install what we call a tap or a redirect on the wire. This could be a simple three-port bridge. The big difference here that's worth pointing out is that on the wireless side we know that these radio waves are going everywhere. So what do we do? We often encrypt from the wireless station to the wireless access point or mobility controller, if that's where we're going with our traffic.
With the wireless being exposed at layer one, the physical layer, Eve can definitely capture our frames, but we have confidence in our confidentiality that Eve is not going to be able to do anything with them because she's not going to be able to break the encryption. Here, we have this sense of security that no one can tap the wire, even though it's relatively easy to do. And so there's often no encryption being sent between your clients unless you do so in the application. What we can do, though, is set up authentication, and that can be cryptographically strong.

Network Reconnaissance: this is our malicious user. They will attempt to connect to the network and just gather information. Find out what network they're connected to. What's the address scheme? What are the protocols that are running on that network? What devices are on that network as well? And they do this in order to know what type of operating system is running, so they can discover potential vulnerabilities. And then there's the next step that Mallory will take once she's discovered a particularly juicy target where she wants to intercept traffic, maybe between these two users, Bob and Alice. Or maybe Alice is trying to go to an internal financial server or something like that, and Mallory wants to capture that traffic. What Mallory would need to do is keep the traffic from just going directly between Alice and Bob, and instead try to steer the traffic so it goes to Mallory first, and then it goes to Bob. And vice versa, when Bob goes to send the traffic back, it goes to Mallory and then it goes back to Alice. This type of attack that Mallory's attempting here is known as a Man-in-the-Middle, or MITM I guess; man-in-the-middle rolls off the tongue a bit better. If Mallory is successful during this, Alice will think that she is actually communicating with Bob, and Bob will think that he is communicating back with Alice, when in reality they're both talking to Mallory.
It's a bit like passing notes in class, where the person in the middle is reading everything and possibly making changes. The victim here is Bob at a coffee shop, and Bob wants to connect to the Web. Mallory wants to capture Bob's traffic to get his banking information or capture email or whatever else. What Mallory could do is pose as the coffee shop's access point. If the coffee shop has a broadcast SSID, or the name of their wireless network is CoffeeShop XYZ, then Mallory could install what we would call a Soft AP. She could use her laptop or her device as an access point and just pretend to be CoffeeShop XYZ. If Bob joins her CoffeeShop XYZ SSID, Bob is actually connected to Mallory. It would be the same as if I walked up to you in the airport, plugged a cable in between my laptop and yours, and just said, hey, pay no attention to me, I'm the airport. So a soft AP is software that provides this access point function, and a honeypot or an evil twin is where Mallory has set up a malicious AP that simply imitates a valid SSID, which is essentially what she's doing here with the soft AP as well.

To look at the attacks that govern address resolution, we do need a bit of a review of what address resolution is. If we have Alice and Bob, and maybe they've got a gateway to get out to the Internet going on here, Alice wants to be able to send traffic over to Bob. So, how does this work? Well, for Alice to be able to send a frame to Bob's known IP address, Alice still needs to know Bob's MAC address, which is not known. What Alice will do is look it up in her ARP table. And if her ARP table doesn't have an entry for Bob's .11 IP address with Bob's MAC address, then there's a mechanism for Alice to learn Bob's MAC address, and that's known as Address Resolution Protocol. First step, Alice will request who has the address 10.1.1.11, and that's sent out as a broadcast that floods the network. Bob and everyone else hears it.
But only Bob responds, because Bob has the desired IP address. So Bob replies back directly to Alice with his MAC address. And at the same time Bob learns Alice's MAC address, just in case they're going to send some traffic back and forth, which is probably a good bet. When Alice receives Bob's ARP response, she can update her ARP table and cache that response for a few minutes to a few hours, depending on what type of device Alice is running on. If Alice wanted to get out to the World Wide Web, she knows what her default gateway is because she either typed it in or she pulled it through a DHCP request, just pulling IP addresses as you normally would on the network here. We don't have to get too deep into it, but we'll talk about DHCP in more detail later. Anyway, Alice has her IP address, she has her subnet, and she often gets the IP address for a default gateway. What she does not get is the MAC address of her default gateway, just like knowing Bob's IP address and not his MAC address. She knows her gateway address but not the MAC address of the gateway; it has MAC addresses too. So she might send an ARP request for her gateway and get an ARP response letting her know what that MAC address is. And all the while, she's caching this information in her ARP table so that when she goes to send her Facebook request or her Google lookups or whatever, all that traffic can be framed up with the entire layer three IP address and the accompanying layer two framing information. A complete packet is ready to go.

So then, what are the vulnerabilities that occur here? Well, the request that Alice sends out, if you noticed, is a broadcast; those are flooded out to everybody, which means Mallory the malicious will be able to intercept or capture those and be able to respond. And there is no authentication for the responses. Bob does not prove that Bob is Bob when he sends his reply.
The gateway does not prove that the gateway is the gateway when the gateway replies. What we're going to look at in the next video, then, is how a malicious user like Mallory could poison Alice's ARP table, could poison Bob's ARP table, in order to instantiate this man-in-the-middle. But let's stop here. We covered quite a bit, and we'll save that for the next video, where we'll dive in a bit deeper.

So, in this video we did cover quite a bit. We introduced a new character called Eve the eavesdropper, and promiscuous mode on network interface cards, as well as tapping into a wired network. We looked at the first step of any good hacker, which is to do proper network reconnaissance. And then we looked at the man-in-the-middle attack and talked about how launching the man-in-the-middle attack can be done using a software-based AP or a honeypot. In the world of wireless or wired, we have ARP as a mechanism that is commonly used and has been used for decades. Because ARP has these vulnerabilities of being a broadcast and lacking authentication, it is susceptible to ARP poisoning attacks, which we are going to cover in the next video. So again, my name is Tyler McMinn with Aruba. I will see you guys in the next one.
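As an added example that is not part of the course, here is a small Python model of the ARP exchange just described, written from the defender's side: it keeps Alice's ARP table and flags the two things the video points out ARP itself cannot check, a reply nobody asked for and a second reply that changes an IP-to-MAC binding. All addresses and frames are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ArpFrame:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str  # all zeros in a request: the MAC being asked for

@dataclass
class ArpMonitor:
    cache: dict = field(default_factory=dict)   # ip -> mac, like Alice's ARP table
    pending: set = field(default_factory=set)   # ips this host has asked about

    def observe(self, frame: ArpFrame, my_ip: str) -> Optional[str]:
        """Feed one frame seen on the wire; returns an alert string or None."""
        if frame.op == "request":
            if frame.sender_ip == my_ip:        # our own broadcast "who has ...?"
                self.pending.add(frame.target_ip)
            return None
        if frame.op != "reply" or frame.target_ip != my_ip:
            return None                          # reply addressed to someone else
        known = self.cache.get(frame.sender_ip)
        if frame.sender_ip not in self.pending:  # nobody asked; ARP can't reject it
            return f"unsolicited ARP reply for {frame.sender_ip} from {frame.sender_mac}"
        if known is not None and known != frame.sender_mac:  # conflicting answer
            return f"binding change for {frame.sender_ip}: {known} -> {frame.sender_mac}"
        self.cache[frame.sender_ip] = frame.sender_mac   # looks legitimate: cache it
        self.pending.discard(frame.sender_ip)
        return None

ZERO = "00:00:00:00:00:00"
ALICE_IP, ALICE_MAC = "10.1.1.10", "aa:aa:aa:aa:aa:10"   # constructed addresses
BOB_IP, BOB_MAC = "10.1.1.11", "bb:bb:bb:bb:bb:11"
OTHER_MAC = "cc:cc:cc:cc:cc:99"

def run_demo() -> list:
    """Alice resolves Bob as in the video, then sees a reply she never asked for."""
    mon = ArpMonitor()
    frames = [
        ArpFrame("request", ALICE_IP, ALICE_MAC, BOB_IP, ZERO),     # broadcast
        ArpFrame("reply", BOB_IP, BOB_MAC, ALICE_IP, ALICE_MAC),    # Bob answers
        ArpFrame("reply", BOB_IP, OTHER_MAC, ALICE_IP, ALICE_MAC),  # unsolicited
    ]
    alerts = [mon.observe(f, ALICE_IP) for f in frames]
    return [a for a in alerts if a]
```

A suspicious reply is reported and never written into the cache, which is the same idea tools such as arpwatch and switch-side dynamic ARP inspection apply on real networks.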