I have an omnidirectional mic. If you don't know if your questions have been heard, then that means you didn't watch any of the recordings. All right. You had to review, you had a midterm, right? All right. So we're going to play an answer-questions, get-candy type of lecture. So that should be super fun. I'll just stop asking questions. That's the key. Cool.

All right. So what we're talking about now is network security, and we've been talking about the networking stack, specifically around TCP and IP. We talked about the physical layer, which we're going to ignore a little bit because we don't really care. I'm not an electrical engineer, so I don't really care how my data gets from one point to the other; I just care that it gets there, or that the link layer can handle that. So the link layer has our actual physical hardware interface, so this is dealing with MAC addresses. Your hardware interface will have a MAC address, which is something that we're hopefully familiar with. Above that we have the internet layer, so we have the IP protocol (I guess that's technically redundant, but we have the IP layer). Above that we'll have either TCP or UDP, and finally above that we'll have our application. Cool.

So then what's the purpose of ARP? That's where we stopped last week. Why? Because that's what it was designed to do. Oh my gosh. This is the problem. And apparently six Sour Patch Kids aren't enough of a heft to really throw. All right, so let's look at ARP. So we looked at where we were. There we go. So what we looked at is, if two hosts are on the same physical network... How would two hosts know if they're on the same physical network? The network ID. How would it use that? So your host A has a certain IP address and you want to talk to host B. How do you know if host B is on your local network right now?
Yes, use anything. How do you check the network ID? How do you know what part is the network ID? By the subnet. Yes, boom. There we go. It's a lot easier if you're closer. By the subnetwork, right? So either the subnet mask or the CIDR routing that we looked at will tell you how much of the three things that we need to use in order to tell if we're on the same network or not.

So here we have 111.10.21.21 that wants to talk to 111.10.20.14. And the key problem here is that as a user (well, we haven't talked about DNS yet, but as a user, essentially) we know we want to talk to that other IP address. We know also that it's on our local network, but we don't know the physical MAC address, so how do we actually send a packet to that machine? Because it's on our local network, it should get it. So that is where ARP translation, where ARP, comes in, because this packet from 121 to 114 has to be encapsulated in a link layer packet. Essentially what ARP does is allow this translation to happen, translating IP addresses to MAC addresses. Cool.

And we saw this example where we actually looked at some traffic and we could see the ARP request and the ARP reply. So this is actually done at the link layer; that's why in that other diagram we just looked at, the link layer has ARP in it. Although, like I mentioned (what's the date of Tuesday? So it's on Thursday), it kind of blurs the layers, right? Because it's technically at the link layer, but it's translating between the IP layer and the link layer. Cool.

So, if you've looked at this from a technical perspective, one of the things you want to think about is to look at things adversarially. That's kind of something I want you to be thinking about in this class. So think about what host A knows. Let's think about it from host A's perspective. Host A wants to talk to 192.168.1.10, right? That's a given. Host A knows that.
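The subnet mask / CIDR check described above, as an added Python example that is not part of the lecture: it masks the two addresses from the slide (111.10.21.21 and 111.10.20.14; the prefix lengths and the gateway address 111.10.21.1 are assumptions, since the slide does not give a mask) and decides whether a host ARPs for the destination directly or for its gateway. The hand-rolled mask is cross-checked against Python's `ipaddress` module.

```python
import ipaddress


def mask_from_prefix(prefix_len: int) -> int:
    """Build the 32-bit subnet mask for a CIDR prefix length, e.g. /24 -> 0xFFFFFF00."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def mask_str(prefix_len: int) -> str:
    """Dotted-quad form of the mask, the way older configs write it (255.255.255.0)."""
    return str(ipaddress.IPv4Address(mask_from_prefix(prefix_len)))


def network_id(ip: str, prefix_len: int) -> str:
    """The network ID is the address with the host bits masked off."""
    masked = int(ipaddress.IPv4Address(ip)) & mask_from_prefix(prefix_len)
    return str(ipaddress.IPv4Address(masked))


def same_local_network(src: str, dst: str, prefix_len: int) -> bool:
    """Two hosts are on the same link (and can ARP for each other) iff their network IDs match."""
    return network_id(src, prefix_len) == network_id(dst, prefix_len)


def arp_target(src: str, dst: str, prefix_len: int, gateway: str) -> str:
    """Which IP does the sender have to resolve via ARP?

    If dst is local, the sender ARPs for dst itself; otherwise the frame goes to the
    default gateway, so the sender ARPs for the gateway's MAC instead.
    """
    return dst if same_local_network(src, dst, prefix_len) else gateway


def stdlib_network_id(ip: str, prefix_len: int) -> str:
    """Cross-check: let the standard library compute the same network ID."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return str(net.network_address)


if __name__ == "__main__":
    # Addresses from the slide; the prefix lengths below are assumptions for illustration.
    src, dst, gw = "111.10.21.21", "111.10.20.14", "111.10.21.1"
    for plen in (16, 23, 24):
        print(f"/{plen} ({mask_str(plen)}): {src} -> {dst} local={same_local_network(src, dst, plen)}"
              f", ARP for {arp_target(src, dst, plen, gw)}")
```

With a /24 the two addresses sit in different networks (111.10.21.0 vs 111.10.20.0), so the sender would ARP for the gateway; with a /23 or shorter prefix the third octet's low bit is masked away and they share a link.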
So host A does what, in order to do the ARP translation? Yeah. Yeah, "everyone, who is 192.168.1.10?" Yes. By sending out an ARP request, right? So host A sends out an ARP request to every single host in the network. How do we know that this packet goes to every single host in the local network? Because the destination MAC address is all ones. Oops, sorry. Right?

So now host A gets a reply back. What does host A know for certain at this point? Something replied. So it knows that it got a reply to its initial request, right? But does it actually know that this packet was sent from host B? Why not? (Student: I could say it actually is it, but they're doing actual ID.) Right, so when we looked at the types of Ethernet frames (I guess I didn't make a diagram), the destination can be controlled by the attacker, the source can be controlled by the attacker, the type, basically the data, everything in here can be controlled by an attacker. There's no authentication. There's no guarantee that this is actually coming from that MAC address. Here, you want to start, right? I'm going to try to freeze B to toss it. Sorry for heads. There you go. That almost worked.

So when we get this reply back, host A actually doesn't know anything for certain, right? All it knows is it got a packet that claims to be from this MAC address, to its own MAC address. So it probably doesn't make sense to spoof the "to" MAC address, because otherwise host A is just going to discard it; it's not for it. It has to be addressed to the right person. And it's saying, "hey, 192.168.1.10 is at 0131D98B8." And the other thing to keep in mind is this is baked into the core of these protocols: there is no authentication, no authenticity about this packet. And so as adversaries now we can use this to our advantage. So what type of things could we possibly do? It's going faster than I thought. You already answered. Yeah. He's not your friend; he just stole your question. No, sorry. Go ahead. Right.
So you could forge your own ARP reply to tell the host, "hey, host B is actually me," not actually host B. So let's see if we can do this over it. I'll write in between you two. That's perfect. Should have fought over it. So we can impersonate a host on the network; we can pretend to be something else. What types of things would we want to be as an adversary? What goals would we have when we're on a local network? So let's take a step back a little bit. Chocolate at this time.

What are the threats? What scenarios would you worry about in a local area network attack? What does the adversary actually have to do? Right. So they need to, possibly, physically plug into the network, or what else? Yeah. So they need to be physically connected to your network, or logged into the same wireless network, or what else could they do? So there we go. Getting better at this. Those are the only ways that somebody could get onto your network. So let's say you glue every Ethernet cable into one computer and into the other computer, and you're using titanium or, if you want to go crazy, fake adamantium cabling so that nobody can actually cut that connection, and all of the Ethernet ports are actually filled in except for the ones that are connected. Are you safe? Do you not have to worry about a local area network attack? Yeah, that's one. USB; there's some way to get in through the USB, but they need to interfere with the actual transmissions in some way. It's completely shielded; it's 100% shielded cable. Yes, it's super awesome cable. Yeah. You can't cut the cable. You can't cut into the cable. It's impossible to open this cable. You can break the router. The router's behind armed guards. Yeah. Why not? What would that mean? So how would you do that? Or just trick them into downloading: "this is the corporate earnings report, execute this file," and somebody in the network will download it and execute it on their machine, right?
We can do this. Oh, that was wrong. I can make it play back there. Right? So that's the key problem here: when we think about hosts on the network, or local area attacks, we typically always think about being physically close, but actually all you need is control over any node on the network, and that can be either by injecting yourself as a new node on the network or by compromising and taking over an existing node on the network. So this is one of the key issues here.

So what else might we want to do if we were an attacker on the local network? We might want to monitor all the traffic, right? We might want to have better reflexes. Yeah, we might want to monitor all the traffic on the network, right? To see what's happening. Yeah. So we may want to open up different holes on the network. We may want to add persistence to our network. So what are some of the other... So we talked about basically, we can kind of think of it as: we can take over the integrity of the system by impersonating a node. We can compromise confidentiality by sniffing and snooping on traffic. What else can we do? Yeah, we could attack something else. What else can we do? Well, yeah. Yeah, we can perform a denial of service attack in the network, and maybe we can take down... so this would be, we're maybe robbing a bank. We could take down their security systems, or their alarm system. I'm sure their alarm system probably uses the internet, because it's bad for some system that they probably do. So again, taking hosts down is actually really important, or can be really important. All these types of things.

So we kind of think of it in terms of sniffing and spoofing as some main goals that we want to accomplish. We want to be able to sniff, which means read the traffic that's happening on the network.
We want to be able to spoof packets and pretend to be, impersonate, nodes on the network, and we may want to even hijack connections between two computers and inject data into them.

What's the difference between a hub and a switch? No, you already answered. Anything? (Student: So the first thing, they're both networking devices. They're both used to route traffic, usually at the Ethernet level. Switches take input and then split it out, while a hub takes multiple inputs in in some way.) Very close, very close. I'll allow it. Do you want to refine it in the back? Yes, so hubs are incredibly dumb. Whenever a packet comes into a hub on one of its ports, it retransmits that packet on every single port. Think about a physical one; you guys have seen big switches with just a bunch of Ethernet ports on them. So for a hub, any packet that comes in, that same packet goes out on every single port. Whereas a switch is slightly smarter, because a switch keeps track, for every physical port, of what ARP replies have come back from that port, then it maps MAC addresses to ports, and that way if a packet comes in destined for a certain MAC address it only sends it out on the ports where it's seen that MAC address. Does that make sense? And if it hasn't seen it, it will just broadcast that to everyone, I believe. So basically the early networking switches are simple hubs, and you gotta think, well, this is a lot easier and cheaper to build, so I'm sure you can get these pretty cheap. So basically all broadcast traffic, all packets that are sent to the destination of all ones, is sent to every connected host; otherwise it keeps track in its routing tables of which MAC addresses are associated with which port. Why is this important to us? Is this just a random technical detail that I'm throwing in? Yeah. Yeah, not even personally, you just sniff, right?
You don't even have to do anything; you're just plugged into the network, and by virtue of that you're getting every packet that's being sent on that network, right? Whereas if it's a switch you would not have that by default. So many, and this is important, yeah. I think mainly because it's cheaper: if you buy a four-port switch it's usually 10 bucks cheaper, I think, to get a hub or something, so oftentimes you just choose a hub. So for a 24- or 48-port one, what's the main technical problem of one packet comes in and you repeat it on all the other ports? Use this information and you may actually saturate the bandwidth, right? The larger and larger the switch becomes, you have 24 or 48 ports, right? The entire network is limited to how fast you can broadcast on all of those ports, whereas with a switch it can be much more efficient, right? It's only using those ports, but it adds more processing capability; it has to actually keep track of these things. (Student question about downloads.) Yes it would, but, I mean, assuming you're downloading it from a remote source, your upload link is not going to be enough to saturate your local area network. But when you start, say you have these four computers and you're trying to transfer a 40 gig file from A to B and then a different file from B to C and then another file from C to D, that's going to completely degrade the quality of your network. So I would worry more about the inter-network speed rather than an external transfer.
No, we'll get into that; there's actually a mechanism built in to prevent infinite packet transmissions. Although, can you... no, anyway. Okay, yeah, we'll see a slight instance of this, because the idea is this: the technical implementations of these networking devices that establish a local area network impact how we can perform sniffing, right, which is what we talked about. And really, as we'll see, sniffing and being able to observe network traffic is key to many, many network attacks, and it's disgustingly easy. So if you've never done this before, this is part of why you're taking this course: so you can learn how easy it is to do these kinds of things, so you can think about being more safe on the internet.

So all you have to do is set your network... By default your network interface card will only send you packets that are destined for your MAC address, because it's filtering: it knows its MAC address, it sees packets come in, and if it's on a hub it'll just ignore everything else. But of course it's got a mode that you can set easily, called promiscuous mode, that will return every packet that happens there. And if we're on a hub, this is it, we're done: we've changed our networking mode to promiscuous and now we're literally getting all of the network traffic that's being sent across the network, right? So our sniffing job is done. But if we're on a switched network, what do we have to do?

So let's think about it in terms of pretty pictures that I'm going to finger-draw because I didn't get the thing. All right. Possibly, maybe not, it kind of depends. So let's do a super... so this is going to be a four-port switch and they're all connected to something (real switches don't look like this). All right, cool. So we're here, we're the attacker, and we have computer B and computer C here, and computer B has a MAC address of... somebody give me a two-digit hexadecimal. You're too slow. I'm going to do 12, and I'm going to do 23, because I think this is going to be
easier to draw. Cool. So B and C want to talk to each other; they've never talked to each other before. So host B maybe pings host C, right? What's the first thing that happens from host B's perspective? ARP request. So host B sends out an ARP request. That request gets to the switch; where does it go? Everywhere, because it's a broadcast, so it gets sent out on every single connected port. Host C sees that request and does what? Says, "hey, that's my MAC address," and then does what? Replies and says, "hey 12, host C is 23," right? And it will send that out. So what actually happens at the switch then, what happens to that packet? It goes into the table. So inside the router it's going to keep a table that says, "hey, I've seen MAC address 23 on this port." And we didn't talk about it, because I forgot, but host B, when it sends the request, is saying what MAC address it is, so it will usually, I think, keep track of that then, or later; it doesn't really matter. So that way when host C does its ARP reply, it replies to what MAC address? 12. So then where does the switch send that out? Yeah, only to the port where 12 is. Sorry, are you guys getting hungry? You already have one. All right, somebody else answer so I can get rid of this, otherwise I'm just... yeah. Right, so it only sends this packet out to host B, and now host B and host C are going to communicate over IP. All that IP traffic is encapsulated in a link layer frame with the destination of 23 if it's going from B to C, or the destination of 12 if it's going from C to B, and therefore the switch, because of these mappings in here, will only send those packets out on those ports. So if we are the attacker and we connect and we just put our switch into promiscuous mode, what types of packets will we get?
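The hub-versus-switch behaviour walked through above (flood on broadcast or unknown destination, otherwise forward only to the port where the MAC was last seen), as an added Python simulation that is not part of the lecture. The port numbers, the MAC addresses ending in 12, 23 and 34, and the `table_capacity` knob are constructed for the example; the capacity models the fail-open design the lecturer describes, where a switch whose MAC table is full stops learning and floods like a hub. The model has no entry aging, which real switches do have.

```python
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub repeats every frame on every port except the one it arrived on."""

    def __init__(self, num_ports: int):
        self.num_ports = num_ports

    def forward(self, in_port: int, src_mac: str, dst_mac: str) -> Set[int]:
        return {p for p in range(self.num_ports) if p != in_port}


class LearningSwitch:
    """Toy learning switch: a MAC table filled purely from observed source addresses.

    There is no authentication of the source MAC, so whoever last sent a frame
    with a given source owns that table entry; and once the table is full (when a
    capacity is set) nothing new is learned and unknown destinations are flooded.
    """

    def __init__(self, num_ports: int, table_capacity: Optional[int] = None):
        self.num_ports = num_ports
        self.capacity = table_capacity          # None = unbounded (ideal switch)
        self.mac_table: Dict[str, int] = {}     # MAC -> port it was last seen on
        self.log: List[str] = []

    def _learn(self, src_mac: str, in_port: int) -> None:
        if src_mac == BROADCAST:
            return  # a broadcast source is nonsense; never learn it
        already_known = src_mac in self.mac_table
        if already_known or self.capacity is None or len(self.mac_table) < self.capacity:
            if already_known and self.mac_table[src_mac] != in_port:
                self.log.append(f"{src_mac} moved from port {self.mac_table[src_mac]} to {in_port}")
            self.mac_table[src_mac] = in_port   # last-seen port wins, no questions asked
        else:
            self.log.append(f"table full: could not learn {src_mac} on port {in_port}")

    def forward(self, in_port: int, src_mac: str, dst_mac: str) -> Set[int]:
        """Learn the source, then return the set of egress ports for this frame."""
        self._learn(src_mac, in_port)
        out_port = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            # Broadcast, or a destination never seen: flood (hub behaviour).
            return {p for p in range(self.num_ports) if p != in_port}
        if out_port == in_port:
            return set()  # destination hangs off the same port; nothing to forward
        return {out_port}


# Constructed topology from the whiteboard: attacker A on port 0, B on port 1, C on port 2.
A_MAC, B_MAC, C_MAC = "02:00:00:00:00:34", "02:00:00:00:00:12", "02:00:00:00:00:23"


def b_talks_to_c(sw: LearningSwitch) -> List[Set[int]]:
    """Replay the ARP request / reply / data exchange and record where each frame went."""
    return [
        sw.forward(1, B_MAC, BROADCAST),  # B's ARP request: flooded to every other port
        sw.forward(2, C_MAC, B_MAC),      # C's ARP reply: only to B's port once learned
        sw.forward(1, B_MAC, C_MAC),      # B -> C data
        sw.forward(2, C_MAC, B_MAC),      # C -> B data
    ]


if __name__ == "__main__":
    ideal = LearningSwitch(4)
    print("ideal switch:", b_talks_to_c(ideal), ideal.mac_table)
    tiny = LearningSwitch(4, table_capacity=2)
    for i in range(2):  # two unrelated sources fill the tiny table before B and C talk
        tiny.forward(0, f"02:ff:ff:ff:ff:{i:02x}", BROADCAST)
    print("full table:", b_talks_to_c(tiny), tiny.log)
    print("hub:", Hub(4).forward(1, B_MAC, C_MAC))
```

On the ideal switch only the initial ARP request reaches port 0; once the table is full, every B/C data frame is flooded to port 0 as well, which is exactly what an interface in promiscuous mode on that port would then see.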
ARP requests, or any other MAC broadcast requests, right, because they get broadcast to every single port. And if there are any that are destined for us, whatever our MAC address is, then we'll get that. But we're not actually in this network, so we should not be getting any traffic, right? So we do not like this situation; we want to get their packets. How do we do that as the attacker? Yeah, so I'm going to say that our MAC address is 34. So there's a couple of ways we can go about this. One way would be, if we wanted to snoop on this traffic, B is going to send out an ARP request: "hey, I want to talk to host C." We get that, and we reply with what? What? "I'm host C at 34," and then this switch will do this, we'll add 34 to its... sorry, okay, there's two different ways we can do this actually. Sorry, let's step back.

So there's already a communication between B and C. What we can actually do most times, with most switches, is just make a fake ARP reply to nobody that says "hey, I'm 23," and nobody else will listen to that, maybe, or get that, but the switch thinks that the MAC address is on that port, and so it will send the traffic to 23 to both ports. Another thing that we can do is we can get at the switch: switches fundamentally have a limited capacity. Think about it, it's a limited physical piece of hardware; there's a limited amount of memory to do each of these mappings. So we just send a bunch of ARP requests or ARP replies with different MAC addresses, 22, 23, blah blah blah, until we fill up this table, and then the router goes into an "oh crap" mode, there are too many MAC addresses to keep track of, so it just sends every packet everywhere. It basically defaults into a hub, which makes sense if you're designing a switch, because you want to design it in such a way that it will fail open and everything will still work even if you plug in... because one thing to remember is this could be a host or it could be another switch, and that other switch could have 40 or 80 or 200 hosts on
it, and so that port is not a one-to-one mapping between MAC address and port; it could be multiple MAC addresses here. Cool. So I don't know, I'd have to do a little bit more research on that. I don't know the current state of router security. I would imagine that nowadays memory is pretty cheap, so it would be more difficult to do this, but I'm sure it's not impossible.

So there's some other tricks that we can do which are super cool. There we go with the eraser. So one thing we can do is, there's a tool called arping which will try to do a ping; basically we can try to figure out who's on our network by sending an ARP ping to all of the machines and see if they respond to us. So this way we can see that, hey, there's host B which has MAC address 12 and host C which has MAC address 23. Then what we can do... So when we think back to the link layer, were there any guarantees about delivery, or that things would get there, or that messages wouldn't be transmitted multiple times? No, there are absolutely no guarantees there, right? Packets can get lost; if the switch gets overrun you have absolutely no guarantees. So because of that, oftentimes what we can do is we can actually just spoof a... all right, so this is the ARP table of B. Oftentimes we can actually just spoof an ARP reply as if we were C, to change the MAC address to 34, and it will just update its table even though it never actually made an ARP reply, rather than actually keeping track that it made these replies and it's getting responses. So as A we can send a packet that says "hey, I'm C and I'm at 34," and we can direct that to B, and then B will get that and (oh, that's not the color; one is a lot harder) it will update its ARP table, so that now when B wants to talk to C it will actually send all the packets to MAC address 34, which go where, according to the switch? Yeah, it goes to the port
that A is connected to, right? So we're getting all the traffic; everything from B to C is going to us. So this actually allows us to completely impersonate C: we can reply with whatever we want, and B will think that we're actually using that IP address and will have no idea. So this is how we can impersonate another host on the network. We can actually go even further, because now, right, we're not actually eavesdropping on the communication between B and C, because we're literally taking over host C. So if we wanted to instead just listen to the traffic between B and C, what would we do? How can we do that? (Student: yeah, you say that you're C, but then when you get input, or you get something that was meant for C, you then forward it to C after receiving it.) Yeah. So because we know the real C, we know the real MAC address of C, we can actually take that packet that we get from B, right, take that data packet and send it to C (we'll obviously record it, or whatever, store it), but we can take that and send it to C because we know that C is at MAC address 23. So we just change the frame and it goes out; when it comes into the switch it only goes out on the port that C is attached to. And then now, what happens when C responds?
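Two points made above are that nothing in an ARP reply is authenticated, and that a host will update its ARP table from a reply it never asked for. A defender can still notice both symptoms on the wire. The following Python is an added example, not code from the lecture: it parses raw Ethernet+ARP frames (the frame layout is the standard one: 14-byte Ethernet header, then the 28-byte ARP body) and raises an alert when a reply arrives with no matching outstanding request, when an IP address changes the MAC it claims, or when the Ethernet source differs from the ARP sender field. The frames, MAC addresses (ending 12, 23, 34 as on the whiteboard) and IP addresses are constructed test data.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str,
              dst_mac: Optional[str] = None) -> bytes:
    """Construct an Ethernet+ARP frame (test data for this example only)."""
    eth = _mac_bytes(dst_mac or tha) + _mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the operation
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac_bytes(sha) + _ip_bytes(spa) + _mac_bytes(tha) + _ip_bytes(tpa)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]), "op": op,
        "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42]),
    }


class ArpMonitor:
    """Passive ARP consistency checker fed one frame at a time (e.g. from a capture)."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}                  # IP -> first MAC seen claiming it
        self.pending: Set[Tuple[str, str]] = set()       # (requester IP, target IP) awaiting reply

    def observe(self, frame: bytes) -> List[str]:
        p = parse_arp(frame)
        if p is None:
            return []
        alerts: List[str] = []
        if p["eth_src"] != p["sha"]:
            alerts.append(f"frame source {p['eth_src']} differs from ARP sender {p['sha']}")
        if p["op"] == ARP_REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["op"] == ARP_REPLY:
            key = (p["tpa"], p["spa"])   # the request this reply should answer
            if key in self.pending:
                self.pending.discard(key)
            else:
                alerts.append(f"unsolicited reply: {p['spa']} is-at {p['sha']} (sent to {p['tha']})")
            known = self.table.get(p["spa"])
            if known is None:
                self.table[p["spa"]] = p["sha"]
            elif known != p["sha"]:
                alerts.append(f"conflict: {p['spa']} was {known}, now claimed by {p['sha']}")
        return alerts


# Constructed sample exchange: B asks for C, C answers, then a third host claims C's IP.
A_MAC, B_MAC, C_MAC = "02:00:00:00:00:34", "02:00:00:00:00:12", "02:00:00:00:00:23"
B_IP, C_IP = "192.168.1.20", "192.168.1.10"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, B_MAC, B_IP, "00:00:00:00:00:00", C_IP, dst_mac=BROADCAST),
    build_arp(ARP_REPLY, C_MAC, C_IP, B_MAC, B_IP),
    build_arp(ARP_REPLY, A_MAC, C_IP, B_MAC, B_IP),   # the unsolicited, conflicting claim
]


def run_sample() -> List[List[str]]:
    """Alerts produced for each sample frame, in order."""
    mon = ArpMonitor()
    return [mon.observe(f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for i, alerts in enumerate(run_sample()):
        print(f"frame {i}: {alerts or 'ok'}")
```

The first two frames are a normal request/reply pair and produce nothing; the third produces two alerts, one because no request for that IP is outstanding and one because the IP has changed the MAC it claims. The same two-MACs-for-one-IP signal is what the DHCP address-reuse story later in the lecture shows up as, so the check is also useful for plain network debugging, not only for spotting poisoning.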
It's going to respond to... well, think about the packet. We've got to remember, because there are layers, right? So in our outermost link layer we have: the source is 12 and the destination is 34, right, because we've tricked B into thinking that 34 is IP address C. But now inside the IP layer, what's the source IP address? B's IP address. And the destination IP address? C, because this is the packet from B to C, with then some other layer of some kind of data that we don't care about, right? So this is the packet we get from B, because we've intercepted this, right? So what could we do? Well, we can take off the outer layer (this is surprisingly good; I got too full of myself, okay). From 34, from us, to 23 is going to be the new layer. But what are we actually going to put as the packet here? Do we change the source IP from B to A? What would that mean if we did that? We'd be changing the IP layer, so from C's perspective, when it gets this packet, it thinks that the adversary is trying to talk to it, not host B, right? So there may be an IP trust relationship here: if somebody logs in from IP address B, then don't ask for a password, right? It may respond differently. And we're trying to transparently man-in-the-middle this conversation and sniff all the traffic of this conversation, so if we change the IP packet we're going to completely change the semantics of this conversation. So we want to actually keep this entire packet exactly the same. So let's see if I can visually represent this until it makes sense. So this is exactly the same packet as we have here, right? So then when C gets this, what is it going to respond to? So, yeah, I guess the answer is "it depends," but it usually doesn't look at the MAC address, because you don't really care at a higher level what physical host you're talking to; what you care about is what IP address this packet came from, so that you can reply back to that IP address. So using
that logic, then who's it going to try to respond to? IP address B, exactly. And how does it know what MAC address to use to talk to host B? Say again? So usually, well, okay, it may do that, but it usually doesn't; it all depends, because it always goes back to the ARP table, right? So C will have its ARP table. So the question is, it wants to send a packet to B; what is the ARP table entry for B, right? So it may do an ARP request and say, "hey, who has IP address B?" Now, as the attacker, what do we want to do? Spoof it, and reply and say we're B, right, so that in its ARP table hardware address 34 is mapped to B. So now whenever these two machines actually want to talk to each other, the packets will be routed through host A, or the adversary, right? So whenever C wants to send a packet to B, it will actually send it to physical address 34, which will only go out on this port, and then we take that, do the same translation we did, send that back to host B, and then the response comes back to us and we can do this again.

Has anybody ever administered a network where you have too many devices, like you have a subnet that's only 128 and you have more than that many machines? DHCP runs out of addresses and it starts reusing addresses. Now, it's super annoying, because this happened in our lab, and I would SSH to machines and sometimes it would work and sometimes I'd get "the server key doesn't match, you're not allowed to log in," and it was super confusing until you would trace the network, do a bunch of ARP pings to see who everybody was, and you'd see that for that IP address you get two different ARP replies. By default your computer does nothing about that: it doesn't give you a warning, it doesn't warn you that the network is weird, things just barely work. So as an attacker you can use this to your advantage to man-in-the-middle traffic, to snoop on traffic, even in a switched network. So this was all about this third bullet: if switched Ethernet is used, then we need to try to convince
the switch that a copy of the... So we can convince it by just pretending that we are the MAC addresses we're interested in, so we get their traffic. But if we want to actively man-in-the-middle them, we can do that by poisoning; we'll see, it's called ARP table poisoning. So we basically poison the ARP tables of the two hosts to have them direct traffic to our physical address. Okay.

So sniffing is actually incredibly effective. I should probably do this at some point; oh, that would be a good exercise: I'll just put up a Wi-Fi network and sniff all the traffic that you guys who connect to it send. So this was very true at the dawn of the internet, and it's still true nowadays, that a lot of the higher-level protocols, FTP, POP, HTTP, IMAP, all actually transmit information in the clear, including your authentication information like your username and password. So this is why, if you are logging into a website and the login form is HTTP and not HTTPS, literally anybody in your local area network could get that information and that password. And so you can do this, and this actually happens a lot. So when I was doing a pen test of this processing company, we had just a tap of all the traffic coming out of that network, and we went into it for half a day and then ran a program on it to detect any of this authentication information, and of course there was some. I think it was a marketing person who'd set up a marketing website and was using FTP to connect and upload files, and so we were able to get that username and password login and upload our own malicious software to their domain, so it gave us a foothold into the network, all because this is transmitted in the clear and sniffing is incredibly easy.

So there are lots of tools that you can use to collect, analyze and even replay traffic back. They're actually incredibly handy to use even in a non-security context, so if you ever do any network administration, being able to use things like tcpdump and Wireshark
will get you out of a lot of jams and will make you look like a rockstar if other people don't know how to do that. I had an issue, not this time, it must have been a couple of years ago, with a 545 class where I had a web hacking assignment and I was trying to break through the levels, and I'd send a request and it would just hang. Because I was running this in our lab I didn't know where the problem was, so I had tcpdump on the actual machine: no request there. And I had tcpdump on our network gateway and I didn't see the request. And I had tcpdump on my computer to see, yes, the request was getting sent. So I was able to deduce that it was a stupid network firewall that ASU had used, and so I just put it behind HTTPS, which encrypted everything, and now the request went fine. So only by using these tools can you debug that.

So tcpdump is a super handy tool to collect traffic; you can write it out to a file, it can show you the summaries. tcpflow is a nice one that, as we'll see when we talk about TCP, reassembles flows. You can replay things. Graphical tools: Wireshark is actually really handy for digging into network traffic. So usually my flow for this is, I'll use tcpdump to actually capture the traffic to a file and then I'll copy that file to my local machine to use Wireshark to analyze it, because Wireshark has a nice graphical interface and it parses the raw packets. So you'll see TCP packet, TCP packet, TCP packet on port 80, and then you'll see that it actually identified it as an HTTP request, and so it gives you the whole high-level protocol for a lot of different protocols. Cool. So I recommend you play with these.

So ARP spoofing, as we actually just saw; we can go through this very quickly. This is what we just derived as a group: this is how we can sniff all traffic between two hosts in a switched environment. Oh, sorry, just a second. I want to talk about why sniffing... So this is actually one of
the core reasons why using a public unsecured Wi-Fi network is so bad. Have you heard that advice? The reason is because anybody on that unsecured Wi-Fi, so if you're at a coffee shop and you connect to an unsecured Wi-Fi, anyone on that network can have a Wi-Fi card that's in promiscuous mode sniffing your traffic and seeing all the packets that you send. This is not possible in an encrypted or password-protected Wi-Fi network, so you're secure there. I mean, see, Jamie Winterton, the strategic director of the Global Security Initiative, had a really good analogy where she said that using an unsecured Wi-Fi network is like going to a public restroom without any shoes on. It's really, really gross, but we don't actually feel or think of it that way because it's digital, but that's what you should be feeling and thinking, and you should be much more aware whenever you have to do that.

And there was... so Facebook used to be HTTP for most pages, but HTTPS for login, but when we get to the web we'll see that web requests have a cookie that gets sent, different cookies that actually link all of your requests together, and this cookie was sent over HTTP. So I think it was called Firesheep, the name of this tool: a graphical tool that would sniff all the traffic on your network, look for any HTTP connections to Facebook, steal all those cookies, and then with a one-button click it could log you in as that user on Facebook and you could start browsing as them. And Facebook switched over to HTTPS everywhere very quickly after that. (Student: so there's a plugin called HTTPS Anywhere?) Is that actually... I think it's HTTPS Everywhere. The idea is, I believe it always tries HTTPS first, but it still has to have the other end support it; if the other end doesn't support it then there's nothing they can do. Yeah, so I was going to figure that the website itself, maybe you send them a perfect message. Yeah, exactly. Even... and yeah, I mean you can get into weird things like
technically you could, if another host was impersonating them, you could tunnel the traffic, but you get an alert. A lot of problems there. So our... yeah, please? You said Facebook kind of made that change, but you still hear about people's Facebook accounts being breached? So there's a couple of ways that people can compromise your Facebook account. So it's all about credentials, right? We talked about authentication. All they need to log into Facebook is either your username and password, or maybe this cookie. They've increased the security, essentially, of what you can think of as the cookie, so it's much harder to get. But there are a lot of ways. So there actually were scams, there were copy-paste scams: if you copy a snippet of JavaScript and execute it in your URL bar, that JavaScript will execute on the page, and I think for a while Facebook had it so that JavaScript could access the cookies. So somebody would be like, oh, check out this crazy new Easter egg in Facebook, copy this blob with a lot of percentages, paste it into your URL bar and see what happens. And people would do that, and it would be JavaScript that was malicious.

So the other thing to do is, I would create a domain like Facebok or FlateBook or something and send you links to it, and when you get to it you see the Facebook login page just like you always see, and you would just type in your username and password. And when you click submit, instead of going to Facebook it's going to my servers, and then I redirect you back to Facebook. So now you're on Facebook's actual site, so you think maybe the login didn't work, so you'd log in, get in, and it'd be fine. But as an attacker, now I have that password. So that's a phishing attack, is that type of attack?
The other one would be... to be honest, I'm not sure how valuable a Facebook account is, like how many dollars it sells for on the black market. But the other way would be, like we talked about, a compromised local machine. If I trick you into executing code of my choosing, I can have that code watch your internet traffic, watch you log in to Facebook, see exactly what you type in, take all that and then send it to me, so I can steal your Facebook account. And there, on the computer, I can steal the password for any website that you visit. So that would be kind of the third way.

Now, when you change your password, does the cookie get invalidated? It depends on Facebook's policy. Usually, yes, I would say. I believe they should expire your cookie at that point, but you have to think... So yes, the answer is yes, they should. I don't know whether they do. The lifetime of cookies is an interesting problem.

Would there be a lot of systems on websites that do login, would there be a lot of sites that use OAuth login, and just spray with the OAuth token and not put it in the packet? Yes, but I believe Facebook can check, because Facebook, the way OAuth works, one of the ways is Facebook has the endpoint where it sends your token to, and so they can ensure that it's an HTTPS endpoint. So I think OAuth should be okay there. What I'd be much more worried about is a phishing page on OAuth. So actually, as we'll see, as we just talked about, well, as we'll get to with ARP spoofing and these kinds of attacks, you can actually inject replies into the connection. So if you go to google.com and it's not encrypted, I can actually reply back faster on your local network with, yes, I'm google.com, here's the web page, but it's actually a login form to my page. And it literally looks like it came from google.com; the URL bar... it's not me spoofing the domain. So all kinds of bad stuff.

So ARP spoofing. So we have our host A, host B, and we are
host C that we want to sniff. So we have the ARP tables here of each of the hosts. So we actually have host A and host B know about each other and have their ARP tables all complete. Host C also knows, from observing traffic, what the actual ARP tables are. And so we actually spoof replies to both host A and host B that say, hey, actually .10 is now at this MAC address, and host A goes, cool, updates its ARP table. We send a similar packet to host B but with .100, which is host A's IP address, and it says, cool, updates its ARP table. And now whenever host A wants to send a packet to host B, it actually sends it to host C. Host C will take that packet, send it off to host B, and we've effectively made ourselves the man in the middle, and we're intercepting and sniffing out all of the communication between A and B.

And to actually do this effectively, the tools will just continually spam the network with ARP replies for the hosts that they want to impersonate, because usually ARP cache entries are pretty short-lived, because you don't want this cache to become stale relative to what's actually happening in the network. So by continually sending these out, you ensure that those machines never actually talk to each other. Questions on this?

So it really goes back to thinking what types of things can an adversary play with, right? An adversary can play with the source and destination MAC addresses of the Ethernet link layer. Yeah, absolutely. Yes, yes, so you can definitely... on a busy, large network, though, I think it would be more difficult. And intrusion detection systems are always a cat-and-mouse game, because the way we always think about security is in terms of robustness: if I know exactly how your security system works, like your detection system, can I still accomplish my goals? The answer is usually always yes, right? So if I know you look for ARP replies in a certain... if I know you only look for replies that don't answer a request, then maybe I'll always send the
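The poisoning just described, as an added example that is not part of the lecture: it builds the two forged ARP replies on the wire (Ethernet II plus a 28-byte ARP body, opcode 2) that C sends to A and to B, models ARP caches that accept any reply for a known IP the way the lecture says most hosts do, and runs the simple "did this IP's MAC change?" detector that came up in the questions. The addresses are constructed for a lab /24 (the lecture's slides only give .100 and .10 for A and B; the MACs and C's address are assumptions); nothing is transmitted.

```python
import struct

# Constructed lab addresses (assumption: the lecture only names .100 and .10).
A_IP, A_MAC = "192.168.1.100", "aa:aa:aa:aa:aa:aa"
B_IP, B_MAC = "192.168.1.10",  "bb:bb:bb:bb:bb:bb"
C_IP, C_MAC = "192.168.1.66",  "cc:cc:cc:cc:cc:cc"   # the attacker, host C

ETH_P_ARP = 0x0806

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def arp_reply_frame(sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet II frame carrying an ARP reply (opcode 2): 'sender_ip is at sender_mac'.
    Nothing in ARP authenticates the sender, so any host can emit this for any IP."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # htype=Ethernet, ptype=IPv4, hlen, plen, op=reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame as a dict (offsets per RFC 826)."""
    assert struct.unpack("!H", frame[12:14])[0] == ETH_P_ARP
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": frame[22:28].hex(":"),
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
        "target_mac": frame[32:38].hex(":"),
        "target_ip": ".".join(str(b) for b in frame[38:42]),
    }

class Host:
    """A host whose ARP cache, like most stacks, trusts any reply it sees for a known IP."""
    def __init__(self, ip, mac):
        self.ip, self.mac, self.arp_table = ip, mac, {}

    def on_arp(self, frame):
        p = parse_arp(frame)
        if p["op"] == 2:
            self.arp_table[p["sender_ip"]] = p["sender_mac"]   # unsolicited reply accepted

    def next_hop_mac(self, dst_ip):
        return self.arp_table[dst_ip]

class ArpWatch:
    """Minimal detector: flag an IP whose MAC binding changes. As the lecture notes,
    a changed binding is suspicious but not proof (DHCP address reuse, a new NIC)."""
    def __init__(self):
        self.seen, self.alerts = {}, []

    def observe(self, frame):
        p = parse_arp(frame)
        old = self.seen.get(p["sender_ip"])
        if old is not None and old != p["sender_mac"]:
            self.alerts.append((p["sender_ip"], old, p["sender_mac"]))
        self.seen[p["sender_ip"]] = p["sender_mac"]

def run_attack():
    a, b = Host(A_IP, A_MAC), Host(B_IP, B_MAC)
    ids = ArpWatch()
    # Legitimate state: A and B learned each other's MAC earlier.
    legit = [arp_reply_frame(B_IP, B_MAC, A_IP, A_MAC), arp_reply_frame(A_IP, A_MAC, B_IP, B_MAC)]
    # Poison: tell A that B's IP is at C's MAC, and tell B that A's IP is at C's MAC.
    poison = [arp_reply_frame(B_IP, C_MAC, A_IP, A_MAC), arp_reply_frame(A_IP, C_MAC, B_IP, B_MAC)]
    for f in legit + poison:
        ids.observe(f)
    a.on_arp(legit[0]); a.on_arp(poison[0])
    b.on_arp(legit[1]); b.on_arp(poison[1])
    # Both hosts now hand frames meant for each other to C, which can read and forward them.
    return {"a_sends_to": a.next_hop_mac(B_IP), "b_sends_to": b.next_hop_mac(A_IP), "alerts": ids.alerts}

if __name__ == "__main__":
    print(run_attack())
```

A real tool resends the poison frames every few seconds, for exactly the cache-timeout reason the lecture gives; the detector above would see each resend as a no-op once the bad binding is "known", which is why watchers of this kind usually compare against a baseline rather than the last frame seen.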
first reply, right? So then there's only one reply back, because that request got blocked or dropped. There's always kind of interesting ways around things. And you've got to think about, an IDS, if it's going to alert a lot on a lot of stuff, you'll just disable it. So I can also do a boy-who-cried-wolf attack, right? Just make it pop up a lot of alarms that are nothing, and then you'll disable it eventually, and then I'll do what I want to do.

Yeah, not necessarily. I mean, it could, but that is not always an indication of maliciousness, because you could want to keep your IP address and get a different network interface card. This does happen a decent-ish amount, I mean, not a ton, but it does. Or, I guess a good example now would be a cloud environment, right? We have new systems spinning up that get assigned the same IP address with a different MAC address. Or the other good example is when connecting to a new network: oftentimes you don't know what your IP address is, right? So when you connect to a Wi-Fi network, you get automatically assigned an IP address by that network, and that IP address could have just been used by somebody else. So you need a way for there to be this updating mechanism. But if you think about it, if I'm an organization and I know 100% everything that's in my network, you could statically put each of the ARP tables in every single machine, which could possibly work, but you may have some annoyed users when things don't work right. Cool.

So moving up one layer, we can actually, in a local network, spoof IP packets. So we can pretend to send IP packets from one person to the other, which is actually just a simple extension of this ARP spoofing that we're doing, because really, when we're forwarding this packet from A to B as C, we're actually spoofing and creating a new packet to make it seem like it came from A, but really it came from
us. So we can use this very easily on a local network to spoof packets. So what we can do is, if we are one to one and we want to make a packet from this mobile phone to this computer, so from .76 to .14, we can easily create that packet, and we actually don't even need to spoof the MAC address of that machine necessarily, because many times, at higher levels, it doesn't really care about the MAC address, it only cares about the IP address. So from this machine, from .14's perspective, it looks like this is a packet that just came from this phone, right? So here we can spoof, impersonate machines on the network and send whatever requests we want.

What about the reply? It would go back to .76. So it all then depends on what this host thinks the MAC address of .76 is. So if it thinks that it's ours, then it actually comes right back to us. So we can just ARP poison that machine and then we can talk to it, and host .76 actually has no idea this is going on, because they never get any packet. Cool.

All right, moving on up. So moving up to the UDP layer, sorry, to the transport layer. There we go. UDP is the first protocol we're going to look at. So UDP relies on IP to provide a connectionless, unreliable, best-effort datagram delivery service, where nothing is guaranteed: not delivery, integrity, non-duplication, ordering or bandwidth. Nothing is guaranteed here. It's just a best effort to send this piece of data to another host on the internet. Great. But it adds... which actually seems a little superfluous, right? Because is UDP adding anything on top of IP so far? Is IP a best-effort, connectionless, unreliable delivery service? Yeah, IP doesn't guarantee delivery, integrity, non-duplication, ordering or bandwidth, right? But what UDP, and what both of the transport-level protocols, actually provide is a nice abstraction called the port abstraction. So the idea is, I think it's useful to think of the computer as an apartment
complex, right? So the address would define what apartment complex you're talking about, right? But in an apartment complex there's many apartments. So what do you need to distinguish where a letter goes to? Back to the address: every apartment is going to have the same address, right? But how do you distinguish when you're writing a letter to an apartment? Yeah, apartment number, right? So just give... oh sorry, that got caught by the wind, I don't think that was my fault. Yeah, that was good. Watch out, he may have tampered with that. So yeah, we need ways to talk to different residents in the same apartment complex. Similarly, we have different applications running on our systems, and we need a way to talk to each of them. So this is why the upper levels introduce this port abstraction, which is the idea that you can address different message destinations at the same IP address. So you can have multiple different applications or network services running on a single IP address, and this port allows you to differentiate between them. So this is why you can run an HTTP server, a DNS server, a mail server all on one IP address, one node, because they occupy different ports, so each of those applications knows how to talk to each other.

So UDP, as we briefly mentioned, doesn't provide anything you would like in a connection service, so it's mostly used in multimedia, because sometimes, like we said, if you're on a phone call and one packet is dropped, you don't care, but if you had to wait for all packets to be delivered to send more, that would add latency and lag. And there are some really important... so actually the most important protocol that relies on UDP is DNS. So DNS is the mapping of a domain name to an IP address, and that all relies on UDP.

So going back to refresh: now we are at the transport layer, so now we're at UDP, and we can see that to do this, we have 16 bits for a source port and 16 bits for a destination port, a message length, a checksum, and then the data. So this actually is
a very minimal header and additional information on top of the IP layer. So how many ports can we have here? Yeah, which is 2 to the 16, right? So 65,000 whatever, 65,535 or something. And when we look at this adversarially, the source port and the destination port can all be spoofed and controlled by any attacker, right? There's, again, no authentication, there's no repudiation. It's just, you get a packet and these are the values in the UDP header. And so, building up on our encapsulation, we have the Ethernet layer, the IP layer, and then the UDP in that IP data, where finally we have our actual application-level data here in the UDP data.

So does the UDP layer add any additional authentication or verification steps on top of IP? What was that? It has a checksum. So does IP, though. Yeah, maybe more handy... because I'm going to start raining. So does it add anything? Is it more secure? Who said that? The spinning is not really helpful, right? So just like the IP source and destination can be spoofed, the source and destination port here can be spoofed in some way or other. It's from the other... so we can go as fast... Yes, okay. So what does this mean about all the attacks that we just saw at the IP layer? Yeah, it should happen here too, right? We should be able to achieve all the same attacks that we achieved at the IP layer on the UDP layer, because it does not add any other security mechanisms. So we can do UDP spoofing, that's basically exactly the same as IP spoofing: we can send a UDP request to any machine and we can spoof the to IP address, the from IP address, the to port and the from port. So as an attacker, if we wanted to spoof a UDP request from this trusted client to the server, we could send this request, and we can put the IP address as the trusted client, and we could put the destination port of whatever the server expects. But what's going to happen to this reply? Maybe there's not... so maybe we just deleted their whole database. Yes, save that for a little bit, we've got to do more steps
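The spoofed request just described, as an added example that is not from the lecture: it builds the IPv4 and UDP headers byte for byte (the Ethernet header from the encapsulation diagram would simply be prepended), fills in the trusted client's address as the source, and computes both checksums correctly. The point the checksum question raises is visible in the parser: a spoofed datagram verifies perfectly, because the checksum only catches corruption in transit, while a single flipped payload byte fails it. The addresses and payload are constructed for the example.

```python
import struct

# Constructed addresses for the "trusted client -> server" scenario (assumption).
TRUSTED_CLIENT, SERVER, ATTACKER = "10.0.0.5", "10.0.0.53", "10.0.0.99"
IPPROTO_UDP = 17

def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; odd lengths are zero-padded.
    Verifying is the same call over header plus checksum field: a valid result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload, ttl=64):
    """IPv4 header + UDP header + payload. Every field, including src_ip and sport,
    is chosen by whoever builds the packet; nothing here binds it to a real sender."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    # UDP checksum covers a pseudo-header (src, dst, zero, proto, length) plus the datagram.
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    ucs = inet_checksum(pseudo + udp) or 0xFFFF       # RFC 768: 0 means "no checksum"
    udp = udp[:6] + struct.pack("!H", ucs) + udp[8:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0,
                         ttl, IPPROTO_UDP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp

def parse_ipv4_udp(pkt):
    """Decode IPv4+UDP and verify both checksums. A valid checksum says only that the
    bytes were not corrupted in transit; it says nothing about who sent them."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr, udp = pkt[:ihl], pkt[ihl:]
    sport, dport, ulen, ucs = struct.unpack("!HHHH", udp[:8])
    pseudo = hdr[12:20] + struct.pack("!BBH", 0, hdr[9], ulen)
    return {
        "src_ip": ".".join(str(b) for b in hdr[12:16]),
        "dst_ip": ".".join(str(b) for b in hdr[16:20]),
        "sport": sport, "dport": dport,
        "payload": bytes(udp[8:ulen]),
        "ip_csum_ok": inet_checksum(hdr) == 0,
        "udp_csum_ok": ucs == 0 or inet_checksum(pseudo + udp[:ulen]) == 0,
    }

def spoofed_request(payload=b"\x12\x34query"):
    """Built on the attacker's machine but carrying the trusted client's source address
    and the server's expected port; the server has no way to tell the difference."""
    return build_ipv4_udp(TRUSTED_CLIENT, SERVER, 40000, 53, payload)

if __name__ == "__main__":
    print(parse_ipv4_udp(spoofed_request()))
```

Putting these bytes on the wire takes a raw socket (root, or CAP_NET_RAW on Linux) and, as the lecture goes on to explain, the server's reply still goes to the address in the forged source field, not to the attacker.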
though. So let's say there is a reply from the server. What happens? Where does it go? Go to the trusted client. It'll go to the trusted client. So from the server's perspective, it does not know that this is a spoofed packet. All it knows is the IP address source in that packet and the UDP source... that packet, that one was my fault... and the UDP source port. And so it can make a reply, and it will send the UDP reply back to the source IP, which will go back to the client. So as the attacker, do we necessarily see this? Not necessarily, exactly. I think I may have cut too much, it's all right. So if we're on the same local network, as we saw, we can see this reply if we're using ARP poisoning. Well, I won't tell you about that; we'll look maybe on Thursday at how this would work in other hops.

But just like with IP spoofing, we can actually do UDP hijacking. So if we know of a UDP request that is sent from the client to the server and we want to spoof... what here? So let's say it's a DNS request: somebody's asking, hey, what's the IP address of google.com? Spoof the server. We spoof the server. Yes, and we have to do that how? How do we convince the client that we did that? Yes, so we need to reply, right? We need to reply back to the client as if we were the server. We can, because we can specify whatever we want for source IP and destination IP, so we can say this is a packet from the server to the client that's a DNS reply, right? But one thing we definitely do have to do is... the client, so let's say the client makes five or six UDP requests to various servers, and remember this is a connectionless protocol, there's no notion of we have a connection established. It gets back four packets. How does it know which replies are to which requests? Maybe, maybe not server, it could be. So the destination... let's put it a different way. So let's say we make five requests to a UDP service running on this server, and we get back four replies. How do we know, how do we match up those
replies to the requests? So it's going to be the same in all those packets: source and destination IPs will be the same. The source port will probably be the same, because it will be the port that we talked to, right? So what will be different? The message may be different, but that's more application-specific. We can actually tell without... at the UDP layer, we don't want to make the upper layer figure things out. The destination port. So what we do is the client chooses unique random ports for each UDP request that it sends, and that way the server replies back with a destination port of that same port number, so that way the client can know that this is a response to that request. In this case, if we want to hijack it effectively, we either have to... well, if we want to brute force it, how many packets will we have to send? We have to send 65,000 packets. So we can actually spoof 65,000 packets from the server to the client, trying every single destination port, and we can cut that down by doing it smart and analyzing servers. Or we can somehow get a copy of this UDP request: if we're on a local network and we can do ARP poisoning, or we can see the traffic here, we can see that request and spoof a UDP reply. So this is the key reason, when you're on a local network and... the server will reply at some point. So if you're on a local network and you're doing a DNS query for google.com, if I'm an attacker on your network, I can respond with my IP address, and this is kind of fundamentally a problem of UDP and IP stacks. So all right, there we are.
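The reply-matching rule and the two hijack positions just described, as an added example that is not from the lecture: a client that tracks outstanding UDP requests by (server IP, server port, its own random source port) and drops any reply that does not match, an off-path attacker that has to spoof a reply for every possible destination port until one lands, and an on-path attacker (the ARP-poisoning position from earlier) that saw the query and needs exactly one forged packet, which then causes the real server's later reply to be discarded. The client address, resolver address and attacker answer are constructed; the "DNS" messages are plain dicts rather than real DNS wire format.

```python
import random

DNS_PORT = 53

class UdpClient:
    """Matches replies to outstanding requests the way the lecture describes:
    by (server ip, server port, local port) and nothing else."""
    def __init__(self, ip, rng=None):
        self.ip = ip
        self.rng = rng or random.Random()
        self.pending = {}     # (server_ip, server_port, local_port) -> queried name
        self.answers = {}     # name -> accepted answer

    def send_query(self, server_ip, name):
        # A fresh random source port per request (assumption: any port above 1023;
        # real stacks usually draw from a narrower ephemeral range, which helps the attacker).
        local_port = self.rng.randrange(1024, 65536)
        self.pending[(server_ip, DNS_PORT, local_port)] = name
        return {"src_ip": self.ip, "src_port": local_port,
                "dst_ip": server_ip, "dst_port": DNS_PORT, "name": name}

    def receive(self, pkt):
        """True if the reply matched an outstanding request and was accepted, else dropped."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_port"])
        if pkt["dst_ip"] != self.ip or key not in self.pending:
            return False
        self.answers[self.pending.pop(key)] = pkt["answer"]
        return True

def forge_reply(server_ip, client_ip, client_port, name, answer):
    """A reply claiming to come from the server. Every field is attacker-chosen."""
    return {"src_ip": server_ip, "src_port": DNS_PORT, "dst_ip": client_ip,
            "dst_port": client_port, "name": name, "answer": answer}

def blind_hijack(client, server_ip, name, answer):
    """Off-path: the attacker never saw the query, so it sprays one forged reply per
    possible destination port. Returns how many packets it took, or None."""
    for port in range(65536):
        if client.receive(forge_reply(server_ip, client.ip, port, name, answer)):
            return port + 1
    return None

def on_path_hijack(client, observed_query, answer):
    """On the same LAN (e.g. after ARP poisoning) the query was visible, so the
    forged reply carries the right port and a single packet beats the real server."""
    q = observed_query
    return client.receive(forge_reply(q["dst_ip"], q["src_ip"], q["src_port"], q["name"], answer))

def demo(seed=7):
    # Constructed: client on the lecture's /24, local resolver at .1, attacker answers with .66.
    client = UdpClient("192.168.1.50", random.Random(seed))
    query = client.send_query("192.168.1.1", "google.com")
    hijacked = on_path_hijack(client, query, "192.168.1.66")
    late_real_reply = client.receive(
        forge_reply("192.168.1.1", client.ip, query["src_port"], "google.com", "142.250.1.1"))
    blind = UdpClient("192.168.1.50", random.Random(seed))
    blind.send_query("192.168.1.1", "google.com")
    attempts = blind_hijack(blind, "192.168.1.1", "google.com", "192.168.1.66")
    return {"on_path_ok": hijacked, "real_reply_dropped": not late_real_reply,
            "answer": client.answers["google.com"], "blind_packets": attempts}

if __name__ == "__main__":
    print(demo())
```

One caveat worth adding for real DNS: a resolver also checks the 16-bit transaction ID in the reply, so the off-path attacker is guessing port and ID together, while the on-path attacker who saw the query has both. The ephemeral port is the only thing in UDP itself that makes blind spoofing cost anything.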