 Okay, folks, we want to see the results of 4-4. Okay, so y'all should be glad you're here. I was pretty impressed in many ways. Do you want to see the numbers of people that got scammed first? Yeah. So it was not as so. 49 of you signed an adversary's key, which was not bad. And then we looked at it. So it has a pretty long tail distribution. So one person signed four adversarial keys, the three people signed 30, and these amount to the rest of one. So, you know, you should get yourselves a round of applause for whatever you did. Okay, now we're about on scammers. So now you have to stand. Any bets? 100. All right, so there was only 13 scammers in the class. Oh, I didn't make it bigger, sorry. So the most successful scammers, you have 38 people. 4-4, 3-3, 2-2, and a handful of ones. So I think it's actually pretty promising in this deck, please. I think 38 is the most. You don't know what the other numbers are. That's like an insane amount. I talked to that person over email. It was all the stuff that we talked about in class on Tuesday, basically. They were just very persistent about trying to scam people. There was also, did I talk about the disinformation campaign that people tried to do? Because I think maybe that was the one technique we didn't talk about in class for the person. I think it was this person who made it from the other ones. They deliberately were ending and messing with other people's posts. So those people who waited until the end to do the assignment would be in such a panic that they would sign anything. Also, I think the other tactic was telling people that they would sign both of their keys so that they would sign their adversarial and their public key if they signed their key. But they used a fake, essentially an adversarial key where they changed the user ID to their name. And so when they signed, the adversarial keys were 0 points because it wasn't a real key. 
So, yeah, kind of using this incentive of, like, positively trying to get a few new points if I really need a signature on my key, but I'm trying to get people to sign. That's dedication. The techniques. There's a way around that. Yeah, any other questions? Yeah. When did you send the email? Last Tuesday night. Do you have any way to know if there were more scamming being done at the end of the assignment versus the earlier on? Probably, but I haven't been able to successfully run those numbers because I'm also trying to create a... Yeah, I still want that. I'm trying to create a diagram of all your key signing. And I have all the signs so I can do, like, an over-time thing, but that's all I want to work with. How many of those panzers were settled? Or were all the panzers pretty safe? Is an interesting question. I don't know. I don't want to pull up data by accidentally revealing something about that. So, yeah, I just want to keep the aggregates here. That's an interesting point. Was there a common safety mechanism? Like, could we have to spend saying what kind of... Was there a common manual with people with these hits hands? Like, was there one that was like, this was the most accessible? I read through a lot of briefings. I didn't correlate it between how much they got scammed or didn't get scammed. I'd say the best they could do was starting early. You know, like, when people didn't really... Like, the adversaries didn't have time to come up with all their methods of how to actually affect and scam people. So, but... Signing keys in an early part was, you know, very safe. And then, as long as you did it within the R4 by beta, you were pretty good. And then some people then turned their attention to how to scam people after that. Some people deliberately waited to prey on people at the end because they knew they'd be desperate for signatures. Any other questions? Alright, I'll do ten minutes of midterm questions and then we'll talk about it. 
No midterm questions? Alright, we'll go on. Would you have a test of true-false? No. Next question. Can you have a test of all true-false? No. Next question. Do you want it? No. What's the structural recount center? So, is it like ten questions or a total of twice a garden? And, like, three responses or...? Could be anything. I don't know. Is that going to help you study for it? If I say it's two questions or a hundred questions, does that help and change your study? No. No. Okay. Who you're targeting with right now? One of the major topics. Everything we covered up until now. Until after this last test. There was a question on the midterm review about, like, the approach you would take if there's two different groups and they're complicated and don't want to get it to be shared in between. And it seems like a lot of the different access controls doesn't really work in that case. Or do you just, like, justify... Like, to me, it seems like actually you basically work well and you just have an attribute of what the person is in and then disallow it with your right across the attributes. Yeah, but would you say disallowed with your right across the attributes? I mean, as long as you're clear that the people can't change their own permissions, right? So the idea there is that you put discretionary access control because everyone in the groups can be trusted to set the access control directly. That doesn't really make sense. Like, the point is you want to block that, like, communication between two groups which means you need something that the system is enforcing that where mandatory access control could enforce that, right? You could also... As long as you're justifying your response and it makes sense then that would be okay. But if you're bending over backwards and, you know, you're fundamentally misrepresenting and misunderstanding how something works then that's not going to do well. Okay. 
And I mean, like, mandatory discretionary access control exists with actually based access control, right? Sure. Definitely. Yeah. One of the questions you put security is the most important component in an organization? Is that true? I don't think that's true. But, um... What do we talk about in class? What do you think? The most important part? No. Yes? Security is the most important part of the most important part of an organization? Yes? No? And so the organization, the context... So is that a statement that's universally true? The statement says security is the most important part of an organization. So we're saying context matters and no set. We're going to fall apart. Okay. Yeah. So to me that is like a very questionable question. Is it? What about like security? There's other things besides security, right? Security is the most important thing you would have a system that nobody could use. So you need to balance the security of the organization with the other aspects and goals of the organization. It's an LIC. What's a what? LIC for like access control. I can't find that in this... Context. Uh, like there's MACDAC in the city like for access control something. I just don't want the LIC I can't find it. I think it's probably a techno. Yeah, that's weird. Yeah. There's a true or false that coming along to the one that said a good security system would capture all of the possible attacks. I think that's false. A security policy encounters all possible threats. So I think that's false. You think? Why? Because it depends. Sins go waste of effort. You go for it every time. And you fundamentally can't, right? So that's why we talked about you need to analyze the risks that are going to be a threat. And so your policy counters the ones that are most risky, like opposed to the most risky organization and are more likely to happen in some sense. 
Like, sure it's possible for aliens to come down and abduct your data, but, you know, you can't be a greater policy that defends against that possible miniscule threat. Who can't? So we may need this security policy in purpose because we don't know threats that are as high as possible. Louder. I think that was correct. Sure. So we may need this security policy in purpose because we know no threats that can actually affect security. I don't know how to answer that question. Let's see. I mean, in some sense, yes, there's fundamentally there's an infinite number of threats to a system, right? The policy can't address, there will always be some threat that comes with the policy doesn't address, right? So the point is, do you have this elaborate whatever system, but the front door isn't locked? That's like a common threat of somebody just opening a door and walking in, right? So if your policy doesn't handle that common threat, it's not a good policy, even though it's handling associated things that may or may not happen. The test we're going to be doing, like, by hand decoding versus another side question. Maybe. Maybe not. By hand, if I go to the front or not on the test, yeah? We have the whole class period of work on the test. Yes, you'll have the whole class period of work on the test, absolutely. 115 minutes just for you. Anything else? All right. One once. Stalling for them? I think the LAC type was lattice-based access control. What was that? L, B, A, C, lattice-based field. I think it's straight up a take-off. Or maybe I just add some acronyms on there to see if you put that as something. That would be a silly thing. You're just making up for the test. That's possible. It's more like the type of thing, so I don't know. It's not an hour or 15, right? It's going to be 10, 7, 5 minutes. Was it what? No. No cheat on the test? That's no. Cheat. Cheat. Nothing. No, no, it's nothing smarter than pencil. 
So Apple Watches, no cell phones, no anything out, just you writing a pencil, that. No. Was there any recommended ways to study? I mean, I don't understand this year that we've covered in class. I don't know what it's about. I don't know what you call Thursday morning or Tuesday morning. No, definitely not Thursday morning. I don't know until Tuesday morning when I remind myself what's on the test. Go through the practice midterm and talk about it. I hope that all the students make sure you're able to reason about what the things are we're talking about there. Yeah, I'm going to answer that. Yeah. Can you say that all the content that is on the test is included somewhere in the lecture slides or is there some stuff that is the only verbally said? I don't know. That's a tough question. Stuff we've covered in class. So anything we've talked about in class, anything. I'm fairly certain everything that we've talked about in class has been something that's been on a slide. So that would make sense. Yeah, everything that we've talked about up until the end of today. All right. Three more minutes. Yes, at the end of the lecture today. I don't have a set at any time. We're going to be tested on something we don't cover in class. I'm going to say good-bye. No, cheat sheet. Because I thought I heard you say there was a cheat sheet. No. Okay. So this says no cheat sheet. That's such a tough question. 16. I don't know what that was. Probably. I don't know what the average is more in the past, so I can't answer that either. It depends on you how difficult it is, right? But test is a fixed quantity in some sense. So if you all do really, I mean, it's possible for everyone to ace the test. That's definitely feasible, right? But if you don't understand any material we've covered and you don't do well on the test, then you're not going to do well on the test. So, yeah, I don't know how to answer that. I'm just going to ask other students who take their lives, not me. Yeah. 
Is it going to curve, Dan? Uh, the test? Yeah. No. No. It's, well, just like the overall force. So we'll only curve the overall force that we need to, but normally I've never, and that's only curving the grades down, right? So, I'm never going to curve them up. Yeah. Um, so, I mean, you've got so many people that get scams. A lot of people have scams. Yeah. Where they show, like that, in their grade, like when they got a handbag. Yeah. In the email, it says exactly how many times you were scammed. Oh. Yeah. Um, just, just, can you go say the final grade or something? How can I compute your final grade if we haven't had all the assignments yet? Well, that means I come to that point. Okay. You don't like that? No. You can do it. You know that. You know, it's three, we have four assignments. Add them together, divide by four hundred, that's your curriculum. So, you can say more? Yeah, but it doesn't make sense because it's not your final grade because you don't have a grade yet until we're done with everything. We still have the midterm, all the percentages from the syllabus, so you can also calculate this. I have faith in your abilities. All right. List two last ones. Yeah? How long does it take to grade the test? I don't know. It should be, like, an average four weeks. A day. I don't know. Did that matter? No. Is it going to change how you approach the class? No, it is. I know you wanted to do that. Yeah, it was 194 of you, so, you know, it takes some time. As soon as we have grades, you will have them back. I think so. We're shooting for, we're probably on target right now for six, maybe one? I don't know. You'll have any homework starting on Tuesday as well after the exam? I've been holding it off, so you can start starting this on the exam and have that on the class. Alright, we are on art. So, what is in the context of every game that we've been talking about, what is the point of the address or resolution for an art? 
It's essentially to send out a request; you're like, I'm looking for this IP, who has this IP, and it basically matches MAC addresses with IP addresses? Yes, but flip it around. You're asking about the IP address and then everyone's like, I don't have this, and this person's like, I have it, here's my MAC address. Yes, I think the key thing, just to be crystal clear, maybe when you said something about the IP address: you have the IP address, you're asking the question, who with this IP address has which MAC address? Right, because you want to be able to send the packets to that IP address; they're on the local network, you need to know who you're supposed to send it to on the local network, and so you need to be able to encapsulate that IP packet in an Ethernet frame. Yeah. Just to make sure, when you send out an ARP request, you do not have that person's MAC address. Correct, if you had their MAC address, you would not need to send an ARP request, you would just send them the packet directly. Right, and so what Ethernet address is used for an ARP request? So you know your source, right, I know my MAC source address. Where do I send it to if I don't know that MAC address? The broadcast address. There? The broadcast address. Yeah, which is a what? Yes, all ones, so it's 48 bits of ones, all F's. Right, so here in this example we have our two machines; first host A sends out an ARP request to the entire local network. We'll see in a second how that actually goes to all the hosts, but it goes out to all ones, so every single Ethernet address that's on this network; that's what happens even when you're connected to a wireless network. 
If you need to talk to a system, you broadcast: you say, hey, who has this IP address? Then every single other device on that network gets that request, and only the device that has that IP address responds and says, hey, I'm that IP address and by the way I have this MAC address. So the hardware reply is: 192.168.1.10 is at that specific MAC address. Then once host A gets that, finally it can reply and actually send the real message that it wanted to send. It's this little bootstrap mechanism in order to map IP addresses to MAC addresses. How does host A know that host B is in its local network? Is that it? Yeah, so that's the netmask, the number of bits in the network ID. In this example we actually don't have that information, so we can't even say that that isn't the case, right? The mask can be all the way to, I think, slash 31, so it can be a tiny network with two hosts on it, or three hosts, or anything, and so we need more information to know. But if we say that they are in the local network, then this process is what has to happen. Okay. Yeah, so, okay, the question is, does host B have to respond to host A? Host A wants to send the packet to host B; what if it doesn't reply? Yeah, then host A can't send any packets to host B. For all of its purposes, host A will think that host B is down. So the technical answer is no, host B doesn't have to respond, but it may not necessarily know who host A is, right? So in that sense it can decide whether to drop or block the traffic once it knows the IP address; maybe that's more information to know exactly who it is. Yeah. What if host B responds back with false information, so host B sends back a specifically spoofed MAC address that does exist in the network but is not host B? Sure, so then, okay, we gotta cover one thing and then talk about that, so let's do that. In that context, what's the difference between a hub and a switch? What are these devices used for? 
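The request/reply exchange just described, as an added example that is not part of the lecture: it builds the raw Ethernet+ARP frames both sides send, shows that the request goes to the all-ones broadcast address and is delivered to every NIC on the segment, and that only the host owning the asked-for IP answers (unicast, back to the requester), which is how A's ARP cache gets its 192.168.1.10-to-MAC entry. Host names, MAC addresses and the second IP are constructed for the simulation.

```python
import struct

ETH_TYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"   # 48 bits of ones: every NIC on the segment accepts it
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """14-byte Ethernet header followed by the 28-byte IPv4-over-Ethernet ARP body."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def arp_request(sender_mac, sender_ip, target_ip) -> bytes:
    # The requester does not know the target's MAC yet, so the frame is broadcast
    # and the ARP target-hardware field is left zero.
    return build_arp_frame(ARP_REQUEST, BROADCAST_MAC, sender_mac, sender_ip, ZERO_MAC, target_ip)


def parse_arp_frame(frame: bytes) -> dict:
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "eth_dst": mac_str(frame[0:6]),
        "eth_src": mac_str(frame[6:12]),
        "op": "request" if op == ARP_REQUEST else "reply",
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def nic_accepts(frame: bytes, my_mac: str) -> bool:
    """Default (non-promiscuous) NIC filter: keep frames addressed to me or to broadcast."""
    dst = mac_str(frame[0:6])
    return dst == my_mac or dst == BROADCAST_MAC


def answer_arp(frame: bytes, my_mac: str, my_ip: str):
    """Host-side handling: reply, unicast back to the requester, only if the request asks for my IP."""
    pkt = parse_arp_frame(frame)
    if pkt["op"] != "request" or pkt["target_ip"] != my_ip:
        return None
    return build_arp_frame(ARP_REPLY, pkt["sender_mac"], my_mac, my_ip, pkt["sender_mac"], pkt["sender_ip"])


def arp_exchange(a_mac, a_ip, target_ip, hosts):
    """Simulate A looking up target_ip on a segment shared with hosts (a list of (mac, ip)).
    Returns the MACs that received the request, the reply frames, and A's resulting ARP cache."""
    request = arp_request(a_mac, a_ip, target_ip)
    saw_request = [mac for mac, _ in hosts if nic_accepts(request, mac)]
    replies = [r for r in (answer_arp(request, mac, ip) for mac, ip in hosts) if r is not None]
    cache = {}
    for reply in replies:
        if nic_accepts(reply, a_mac):          # the reply is addressed to A alone
            pkt = parse_arp_frame(reply)
            cache[pkt["sender_ip"]] = pkt["sender_mac"]
    return saw_request, replies, cache


if __name__ == "__main__":
    # Constructed segment: host A asks for 192.168.1.10 (host B); host C is also listening.
    hosts = [("00:11:22:33:44:bb", "192.168.1.10"), ("00:11:22:33:44:cc", "192.168.1.20")]
    saw, replies, cache = arp_exchange("00:11:22:33:44:aa", "192.168.1.5", "192.168.1.10", hosts)
    print("request delivered to:", saw)
    print("replies:", [parse_arp_frame(r) for r in replies])
    print("A's ARP cache:", cache)
```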
A switch you can send connections to and they're going to be able to route, or not route, but forward based on the MAC address, and then hubs basically take in data and just flood it to the entire connection space. Yeah. Sometimes, I can't show my people pictures, but we had an example; we'll use host A and host B right now, so this is the specific thing we're talking about here, the switch, right. So in this diagram we have two hosts, A and B, that are connected on a local network through a switch or some device. That'd be weird, but we're going to put a switch on here; you have a Nintendo Switch if you're studying, your computer, a networking switch, there you go, so all kinds of networking switches. This is a 52-port switch, so you connect a bunch of machines here and it will route that, right. So old-school switches; you're going to think Wi-Fi networks are essentially the same. The exact communication medium is not over an Ethernet cord or whatever, but the basic ideas are the same. So okay, we have these devices, so we have host A and B, and now we have host C that we're also going to connect to this switch. So a packet comes in from host A; how does this switch know where to send it? There are 52 ports on that switch; how does it know where that packet goes out? So the cheapest and easiest way to do it is to say, who cares, right, I don't care where this goes, I'm just going to send it to everyone. So whenever one packet comes in on that port it goes out to all the other ports, to everyone else, right. So this is the hub model: a packet comes in and then it gets sprayed to every single host that's connected here. So here we have our 52 hosts; a packet comes in on A, one of these ports, and it gets sent to every single other port. What is a problem there, or what's potentially a problem with that? Yeah, no privacy. What's that? Yeah, so A and C are communicating, right; every packet that gets sent will also be sent to host B. By default their network card will 
drop the packet, but you can set your network card to be in what they call promiscuous mode, which listens to everything, and you can see all of that. What else? Yeah, potential for collisions. Potential for collisions in what sense? If you have multiple, or just a lot of data going over the network at once, and you're getting a constant flood of input data, it could collide and then drop packets and then you've lost data. How do you say that? Yeah, so think about it. Let's make it easy in some sense and say the cable to each of these has one gigabit per second, because they're forever one gigabit per second in bandwidth on each of these links, right. Now I'm going to have another host here, we'll call it D, just to keep with this thing. So A and B are transferring 100 gigabytes of a movie file or whatever, and B and C are also sharing 100 gigabytes of a movie file. What's the throughput going to be for those? Let's go with D and C. A and B are sharing, so A is able to send one gigabit per second; that gets sent out on every other one of these links, right, so every link is using one gigabit per second, transferring it at one gigabit per second. Now if D and C start sharing a movie, can they use one gigabit per second? No. Why not? There's already one gigabit per second being used on this link to broadcast A's packets. So, I don't know, it would definitely decrease; I don't know the exact amount, it's not really important, we'll call it .5. The speed's going to be reduced because each of them has to share the total of all of these links. Does that make sense? So you have a clear performance problem here. So what's the problem of sending A's traffic to C to both D and B? Yeah, we're wasting bandwidth, right. It seems crazy: not only is it bad from a security perspective, but these things were developed back when we just wanted to get the network to work; we didn't care about security. I 
think, well, let's check real quick, we are on Amazon; some of the cheap ones will do this. Some of the cheap ones will be, yeah, that makes sense. I think the answer is yes, you can find some devices that are still like this. So what does the switch need to do? So how can the switch know that A is sending traffic and it should only send it on the port that D is connected to, and not to C or B? Appended to what? IP address? Okay, so what do you mean appended to the IP address, or appended to what? To the IP address, right, okay. And a confusing thing is what we're talking about here: we're going to talk about a port in another context later on, but here we're talking about physical ports on the Ethernet switch; it needs to know exactly how many ports it has. Okay, so one way would be to use the IP address, so maybe look at the traffic and figure out what IP address goes where. The sender has to specify the port? The sender has to specify the port, and then I have to change the whole IP/TCP networking stack in order to, because how does A know what port it's connected to, right? So then it would have to have some way to ask the switch what port am I connected to and send that information out. Yeah, maybe like all the devices, in order to connect to the port, have to tell it, hey, when I connected, this is my IP address and this is my MAC address, so now if you ever receive something for that, send it to me. Okay, cool. Why does A need to tell the switch? There's no packets about the source; the destination IP is attached to them. Yeah, so two things. A, I don't have a good answer for why; I think there probably is one, I just don't have it right off the top of my head, but the switch is going to essentially work only at the Ethernet layer, and I think actually probably the argument would be for speed, so it doesn't have to parse the Ethernet header and then parse the IP header to figure out where the packet goes and then 
send it; so it's just basing it off of the Ethernet information of where the packet goes. The other nice thing is then your switch doesn't care if it's IPv4, IPv6, whatever; you can connect it, and as long as it's talking Ethernet over the local network, it can figure out what's going on. So the super interesting thing is that your router can, or your, sorry, I gotta be careful, the switch can actually spy on the ARP requests and the ARP replies; it can look at all of the packets that are coming out on every port on the switch, and so here you can say, oh, host A sent an ARP reply, so the switch can know that host A, let's call it port 1, host A is on port 1, so port 1 has that MAC address, and now when somebody else sends a packet to that MAC address, I know that that MAC address is on port 1. What about this address? What does it do for this address? It's a broadcast; it deliberately needs to go to everyone. So this ARP request, fundamentally we don't know who we're talking to yet, so we need this to go everywhere. If the switch doesn't need you to tell it what your MAC address is, why can't I just ask the switch, hey, you tell me where this person is at? One reason would be that the networking protocol doesn't assume any specific networking device, so the protocol doesn't care if you have a hub or switch or anything, and the switch, you can think of, actually technically acts... anyways, it's kind of a crazy thing, but they used to, I don't know if it's actually over Ethernet, but before there were switches, you could actually have a ring, they call it a ring of local networks. So you would get a packet; if it was for you, great; if not, it goes to the next person on the ring. And so you actually don't have a physical device like a switch, but you could broadcast everything here because it will eventually get to everyone; you can send a message to somebody and it makes a few physical hops to get there, but there's no dedicated networking switch 
in this model. So you can think of different ways to do a local network that don't involve exactly this. So this is the fundamental difference between a switch and a hub, and why this is important: somebody asked a question that brought us here that I don't remember... it was asking about the reply sending back a fraudulent MAC address. Yes, okay, good, good, good. Okay, yes, let's keep that in mind as we go forward. So now that we know what is actually going on, this is a good example of how knowing how networking equipment actually works impacts the security of the system, and this is something that you all even pointed out; maybe it's because we're in the context of a security class, when you look at this hub the first thing somebody said was privacy or security, right. The problem is traffic from A to C is being transmitted to everyone else on the network, which is clearly bad. So as we focus our attention from learning how local networks work to now trying to attack them, imagine we are a malicious person on this network: what do we want to do, what are our goals as an attacker? Just the fact that it's forwarded to us? Yes, so eavesdrop or sniff on traffic that was not intended for us, to be able to read other people's communication. Disrupt traffic. Disrupt traffic, so we may want to, like, think about when we're breaking into a house and there's an alarm system that's connected to the internet; if we're able to disrupt those packets it's never able to say that there's been a break-in or something. Send packets to machines on the network that we shouldn't be able to send packets to, yeah, or maybe another way to think about that would be impersonate another machine on the network, right. If there's a trust relationship, maybe you have a server at home that trusts your laptop so you can log in to your server without a password; now if somebody else, if I'm on the network, if I can impersonate you and log in as if I was that IP address to that system, yeah. Yeah, so we 
may be able to, maybe even more insidious is, rather than getting access to their system, if we're able to intercept, and be like, to talk about it in crypto terms, a man in the middle of the file-share traffic, we can insert our own malicious content into that communication. Anything else? So how did you come up with these attacks? Imagination, yes. Yeah, and all of these goals, right, follow the three fundamental aspects of security, right: confidentiality, integrity, and availability. Every single attack that you just mentioned follows from those three concepts. So if you think about, okay, how do I violate confidentiality: traffic that two machines are exchanging that I shouldn't be able to read. If you want to violate integrity, you want to inject traffic that was never meant to be sent, and availability is still there. So they went through all of those, right, I think that's, yeah, okay cool. So we're going to think about, in the network context, these have kind of slightly different names, although they mean the same thing. We want to sniff traffic, so we want to eavesdrop on traffic that we're not supposed to see; we want to spoof traffic, make it appear as if it's coming from another machine; and we want to hijack communications by being able to manipulate or add our own information to communications. So now that we have an idea of how this works, how do we perform sniffing if we're in a hub environment? Just plug in. Just exist, right. Think about how bad security was if that's all it took, right. So really all you need to do this is something, I believe, I mean you have to have sudo on your computer, but you can easily do this; this is usually a command, the tools will do it for you, but promiscuous mode: it tells your network interface, usually your network card will drop all packets that are not meant for your MAC address or not broadcast; if you turn this on, your operating system gets all the packets, so this allows you to inspect every 
packet that's being sent. Now we have this problem: okay, but if we're using switched Ethernet we're not going to get the traffic from A to C, right? We just had in our example A and C here, right; on a switched network, the communication between A and C, right, once the switch knows the mapping of ports to MAC addresses, it's going to send that packet from A just to C on that port, and the response back from C to A back on that port. So as an attacker we won't be able to see that. But as we talked about, what actually prevents us from pretending to be C, or, to think about it a different way, how does the switch know that C is on port 4 and not on port 2? Yeah, not just the machine but the port, right. Fundamentally the switch has no idea who's on what port. All it knows is, I've seen, it usually only listens to ARP messages, so I've seen an ARP reply that says that this machine, this MAC address, is on this physical port. That's all it does. And the thing to think about is switches are very fast; some of them are like 10 gigabit per second, 100 gigabit per second, really fast switches, so it needs to make a decision very quickly on where does this packet go, and so they're not smart devices really; they're very intelligent, but they need to be very fast. We'll get to exactly how we can do this in a second, but first, why do we even want to sniff? So why do we want to eavesdrop on communications? Maybe gather information, maybe gather the login information. Yeah, so maybe gather the login information. So are authentication credentials useful? Yes, yes, we're talking about authentication, very useful. A lot of protocols that are much more common than you'd think actually still transmit login information in the clear, meaning not encrypted. So FTP, POP for accessing email, IMAP, another way to access email, HTTP: all of these things by default will transmit the credentials in the clear. There exist, I believe, secure versions of all of these where it will do TLS or make some kind of encrypted 
connection to the other side, in which case sniffing doesn't help you steal the password, but this is a very good way to collect usernames and passwords. If it's email, now not only do you have usernames and passwords, but all the emails are being transmitted in the clear; you can read all the emails, files that are downloaded. If you're trying to break into a network, would the websites that somebody is browsing be useful? Why? Yeah, so maybe that's where you can use the password. What else? I was thinking you could set up like a fake login page for the most commonly used websites. Yeah, so you could make fake pages and phishing pages deliberately targeting that person based on what pages they're more likely to visit. Yeah, blackmail, if it's a site they shouldn't be seeing or shouldn't be looking at during work hours. Yeah, all good things, and usually, wow, anyways. The main way to do this is to dump the traffic to a file to analyze it later. Lucky for you, if you want to do this on your own, there are a lot of tools that help you collect, analyze and even replay traffic against a different machine; these are incredibly useful tools for your future career if you're debugging anything network related. Yeah, does HTTPS... so HTTPS, assuming it's set up correctly, so they're protected at least from eavesdropping, the answer is yes. So if the website is using HTTPS, they can't see; they can know what website you're talking to at the high level, the domain name; they won't be able to know the exact path that you're visiting, and they also won't be able to know the content of anything you're sending or receiving. You know the size of the data, right, the amount of data you're sending, right? So it doesn't, like, TLS doesn't change the size of the data, does it? Also technically it doesn't change the size of the data, so people have done studies that look at inferring what pages on a website you're visiting based on the size of the encrypted communication; that's definitely possible. This was a couple years ago; I 
was setting up a homework assignment, it was like a web hacking assignment, and it turned out that I couldn't connect to the system, so I couldn't figure out exactly what was going on. So I was running these commands to look at the traffic that my machine was sending, that the other machine was getting, that our router in the middle was getting, and so I was able to determine that the ASU firewall was blocking my connection and that's why it was happening. There's great command line tools; I highly recommend, if you're interested in security, if you're familiar with this, these are good tools to know about, like "oh, I don't understand why this is happening or what's going on." tcpdump is your friend. It collects all the traffic, so I use this all the time to analyze why I can't connect to the internet or why something is wrong. tcpflow collects more than tcpdump (the "tcp" is a misnomer), and there are other tools to break them up. I will say one of the other most useful tools is Wireshark. So Wireshark is an awesome tool, it is an open source tool, that will either read the output of tcpdump from a file and show you visually all the packets that are being sent on there; it will also parse the packet and show you all the different layers, from the Ethernet to the IP to TCP to the HTTP or whatever protocol it is, and it has a ton of different parsers for a lot of different options.

Just because I'm feeling dangerous, let's see what happens. So here I'm testing, I can't remember what I was doing, but something I was trying to talk about before. tcpdump, look at this, there's a bunch of different options that take a long time to figure out what they all are. So here's a bunch of traffic that's happening: TCP packets, UDP packets, let's see, is there any Ethernet, ICMP pings, and you can do different kinds of filters on the end. So here it's just saying just show me all the ARP packets, so you can see ARP replies, 10.64.1, is that my address? So this got sent out. Is this scanning on the classroom's
network? This isn't the wifi yet; so this is looking at what specifically my machine gets on the wifi. I don't know if I'm on my, maybe on eduroam, so maybe different. I'm on eduroam, I guess. It doesn't really depend on what you're trying to do, but I just, how does this depend on us, I guess, what do we get? Yeah, so let's say I was going to do a pen test of this network, right? The first thing I would do is just connect, run a tcpdump on this, to see what other hosts do I see on this network, and that gives me, we'll talk about other ways to do reconnaissance on a network, so to actively scan for hosts on a network, but here I'm just passively listening. It's very difficult to tell if anybody is passively listening on your network. So here I'm just listening and I'm going to get a list of targets that I should go after. So here I'm ready to go: 10.1.3.64.1 is an IP address and I know its MAC address, I can see what is that device, is it a router, is it a switch, how do I talk to that; we'll talk about that in a second. It's also useful even on your own machine to see what are my programs doing, like probably a lot of that traffic was, I'd say the majority is like Dropbox, like connecting to Dropbox, and there's other stuff that happens if somebody just joined. Basically, yes, right.

Why do we get the permission to see all the other hosts? Yeah, so the short answer is it depends. Like, see here on this network I'm only getting ARP replies from the router, the wifi switch. So it depends on specifically how the technology works, so like an encrypted wifi network, like a password wifi network, you won't see anybody else's traffic except for your own or something that anyone else sends to you. I can do a broadcast, I mean depending on how the system works, I can try to ping all the machines in the network and if they exist they'll talk back to me; the router could prevent that though. If it were the wifi router, if you're on an open wifi, you could literally just turn your wireless router or your wireless card
to sniff everybody's packets. So unencrypted wifi is crazy bad because literally anyone, it's like being on a hub, anyone in physical range can read what packets you're trying to send. I'm not a lawyer, so I don't know that I feel comfortable saying what is legal or illegal; I'd say ethically doing this on your own network is fine. I mean, like, this is 100% passive, right? This is literally all the packets that are coming to my machine, so I'm not actively doing anything on the network. If I was deliberately doing this out of a Starbucks to sniff as many passwords as I could, to me that would be unethical. That would be something you can do at home to test that it works: get a cheap router, have no security on it, connect to your laptop with another device and try to sniff your own password. It's a situation you can easily recreate at home; there's no reason to sniff other people's stuff besides trying to show off how cool you are, but I think it's definitely a lot of bad ways. So if you're interested in your particular scan and then look at the packet that would scan through your machine, or if you're just asking a lot of questions so that we won't cover materials, I hope you haven't been turned on.

Okay, so here I'm just listening on the wifi and now I'm telling it with -w that it needs to write out to this file. So I don't know how long this is going to take; in the meantime I'll open up Wireshark. I'll kill this, so I got 855 packets. These are going to be all my machine's, so hopefully there's nothing crazy on them. Here, actually a funny story is, so see, you can set Wireshark to listen on one of these devices and then it will auto-update as all the packets come in. I would much rather use tcpdump to listen to stuff and then write out to a file. Very funny is that during the DEF CON capture the flag, what people would do is they would find like zero-day vulnerabilities in Wireshark where it would crash on receiving certain packets and they would just flood
the network with those packets so that if you were trying to sniff for a flag or exploit or something your system would crash. Cool.

So now that I've got this, now basically I can see all of the DNS queries, which, as we mentioned, map domain names that we see like google.com to IP addresses. We can see exactly what query it made, we could see, yeah, so it's asking for this WP query, I don't really understand why, I mean I haven't looked at all this stuff. This is TLS traffic, ping, so somebody telling me that 8.8.8.8 is unreachable. Let's see where, oh yeah, 443, so 443 is HTTPS. Other things I can do is I can say follow this TCP stream, so this is showing me all the back and forth. I said there's a Dropbox client connecting to see if there's any update and it's all a TLS connection, so it's all encrypted, and I can see basically the back and forth: the red are the packets that I sent and the blue is the packets that the server sends. Yeah, I can dive into essentially any one of these packets. I can see what is the Ethernet frame; just as we saw, it has a source and a destination. Interesting thing to note is, usually, I think it's the first couple octets of the MAC address uniquely identify the manufacturer, so that's why it's able to say this is Apple; so Apple has its own thing that it uses for MAC addresses, whereas what we're talking to is Cisco, that's probably, must be a Cisco wifi router that we're using. And then I look at the IP protocol, and again you'll notice, if you look at the diagram, these are exactly the same fields that we talked about in that header, so I'm not lying: source IP, destination IP, all this stuff; you can go through everything and see everything.

Okay, but then how do we actually, so we saw we can just connect and listen and hope that something gets sent, but how do we actually try to trick the system in order to eavesdrop on a communication? You were saying earlier that TCP was a misnomer, what did you mean?
I meant that in these tools, the "tcp" in tcpdump, tcpflow, they capture everything, TCP, UDP, they'll send whatever you want. So yeah, I only noticed that now.

Okay, we're going to do a network; let's simplify this network, we like simple. A and C want to communicate; we want to intercept that communication. Now nobody knows anybody's MAC address. A wants to talk to C, what does it do? It's going to put out an ARP request to everyone: hey, what's the MAC associated with this IP? Yeah, so it's going to blast the whole network with an ARP request. It's going to say, who has, what's the MAC address of IP address C? When the switch gets that, it's going to update internally: A is at 1, so it has something that says A is at port 1 in my switch, because it saw a packet that had that source; it uses the ARP request to figure that out. That goes to everyone. Yeah? Sorry if you said this already, do ARP requests happen at a regular interval? Because I saw on your, your local cache times out; that's a fixed value that your operating system sets, so yes, you'll, I don't know what the exact number is, and I don't know if you can change it. Yeah, let's hold that until later, but yes. There's another thing: we could get rid of ARP entirely, we talked about that a little bit, we just hard code A to say that C's IP address is at C's MAC address; the problem is updating it as machines come and go, and it gets insane.

Okay, so let's go through the normal case. A sends an ARP request that says hey, who has IP address C? Then what does C do? So first, where does that request go? So the request goes into port A; where does it go after that? To everyone, both 2 and 3, out on those ports. B doesn't respond. What does C respond with? An ARP reply that says hey, I'm C and I have MAC address C, so I'm going to send it to the MAC address of A. So the switch also then at that point is going to say okay, the MAC address of C is at port 3, and then the switch gets that reply packet; where does it send it? In port 1, because it has, the destination of that ARP reply is the MAC address of A; it
uses this MAC table that says oh, the MAC address of A is at port 1, then it's going to go here. Awesome. And then they start talking to each other and port 2 is never involved, because the switch has this MAC table. A sends a reply, now sorry, A sends an ARP request: hey, who has the MAC address of C? And the switch updates: okay great, the MAC address of A is at port 1. Awesome. This request goes everywhere.

What if we wanted to pretend to be C? We should say it's us; we should send an ARP reply. Yeah, what? So as B we send an ARP reply, and what does that ARP reply say? What do I say? C is at the MAC address of what? Like B, right, the MAC address of host B. So if we reply, what will the switch do when it sees this packet? MAC address of C is at 2? No. Send it to B and C, I hope. B and C then will both reply, so B would have to get there faster than C. Yes, but let's ignore that. So let's do it for one scenario: let's get rid of C. So C is offline, actually, but A is still trying to talk to it; it doesn't know that it's offline. So A sends a request, says hey, who has C? We reply: hey, C is at the MAC address of B. Do we know the MAC address of C? No, no, we don't care, C is garbage, C is just some IP address. So we say hey, and we send this, so the DEST is the MAC address of A, we're trying to reply to A. What's the source of this message? The MAC address of B. So we send this to the switch, but what does the switch do with this? The table says MAC address of B goes to port 2. And now A wants to send an IP packet to C, right? So then A creates an IP packet; at the IP level, source is A, destination is C. It encapsulates that in an Ethernet header; what's the source of that Ethernet header? MAC address of A, and the destination, MAC address of B, because we've tricked A into thinking that C is at our MAC address. And when that packet comes into the switch, where does it go?
2, 2, because it looks up the destination, MAC address of B, goes out port 2. We get it. But B doesn't come from the IP address that you have? But what does the switch know about that? What does it care? It's only looking at Ethernet frames; it only needs to figure out how do I get this Ethernet frame from this source to this destination, right? And A only knew that it wanted to talk to C, C's IP address. It doesn't know what C's MAC address is, because it could have changed. How does A know C's offline? C doesn't exist, MAC address C; when it gets this ARP reply back, all it knows is that it got an ARP reply that says C is at the MAC address of B; it'll start talking to that as if B was C. Exactly, they don't know the MAC address that's supposed to be associated with that IP address. No, it's actually, in this case the switch isn't really doing anything, so the switch is just deciding where things go. Here we're impersonating a host that doesn't exist; there's no trust in the switch, we don't care about the switch at all. The key problem here is how do you map an IP address to a MAC address? You ask everyone, and the problem is the protocol trusts that the response you get is correct. That's the key problem.

I'm assuming that modern security measures aren't this simplistic, where it's like oh, the MAC address changed, or I guess the better way of asking is, if the ARP request has always had this specific MAC address and suddenly it gets a different one, wouldn't that flag the system? It would say like hey, that's odd, so for the past 10 years it's been this address and suddenly... You would think, but of course you can do that, so a company could do that, or we'll talk about more in defense, but there's ways to authenticate ports. So if any of you has ever worked in an organization where physical Ethernet ports, you have to authenticate to even use it and talk to it, that's so that they know, so that there's trust in who's connecting to the network. Yeah, so interesting.

So then let's go through a different scenario, let's go to
the scenario where C is online. So the same thing happens: A sends an ARP request to the entire network, it goes to both B and C, and then what happens? They both reply. What do those replies look like? What does C's reply look like? These both get sent out here, so A gets, so let's forget for a moment this issue of timing, let's say it gets both of them. How does it know which one is correct? It doesn't. Fundamentally it doesn't; there's no information that it has to be able to differentiate which is which; there's absolutely no way it can tell which is which. Yeah, and that's assuming the switch is a layer 2 device, because it doesn't come back to us? Yes, I don't mean thinking about it in terms of layers like that, but yes, this switch is only acting on the Ethernet frame, and even beyond that it really doesn't; you get to know VLANs and all that stuff, but it fundamentally doesn't change what's happening here. When A decides to go the first time it's going to talk to C, if it doesn't know what C is, how does it know that it wants to talk to C? What does it know about C? I don't know, that's what I'm saying. So to talk to any machine on the network, what do you need? An IP address, exactly. So when we say C we mean C's IP address, so this is 192, what does it say, 0.10. I know I want to talk to that machine, but how do we know we want to talk to that specific machine? Let's say we want to talk to that machine, and in here, once you have that IP address you have no way, so there's absolutely no way for A to know is this reply correct or is this reply correct. And maybe it's a misconfiguration; it doesn't necessarily have to be an attack, right? It could be a misconfiguration here or something, or maybe you have two hosts who legitimately think they have the right IP address. Actually this is one of the most insane problems you can ever have; this has happened: if you ever run a network and you run out of DHCP IP addresses and it starts reusing ones, you go to SSH to a machine and half the time it works,
half the time it doesn't. It's like the most bizarre error you can have; it's happened to me a few times.

So what does A do? So A has to have some way of knowing which one. It's a little bit of a coin flip, but the fact of the matter is these are not going to come in simultaneously, right? There has to be some ordering, right? Yeah, just take the latest one. Yeah, you can just take the latest one and update your cache, right? If you look at the ARP cache, arp -a, you can look at all your ARP entries; we can just say we'll take the latest one that comes in. So let's go through both these scenarios. So let's say it takes the first one that comes in and locks that in for 30 seconds or whatever; then what does the attacker need to do in order to trick A to talk to it? B has to be the fastest one; it has to beat C and be the very first one, right? How can it do that? One way would be maybe make C slower, like DoS C with a bunch of traffic, send it a bunch of traffic so you can be faster. What else? Constantly send the reply. Constantly send the reply and just hope that in that next 30 second window you'll be the first one. What if A takes the last one? What does it do? Wait a while to reply. It could wait a while to reply, or it could just use the same technique of continually sending. So if you want to impersonate another host on the network, all you need to do is continually send ARP replies back to that host and it will just continue updating its cache with your MAC address. Would you really need to do it continuously? If you're on the same network, wouldn't you just wait for the reply and then send after? So yes, but you don't know; so you get the ARP request but you don't get C's reply, because its destination is the MAC address of A, so the switch never sends it to you, so you don't know exactly when it's going to reply. So if you just wanted it easy... it doesn't send it to you? I thought that there's a switch, but okay. So it says the MAC address of A is on 2, it does, the MAC address of C
is on 3. So in the case of the reply, this reply, the ARP reply, the switch sees it, the MAC address of C; the destination is the MAC address of A, which means it only goes out on port 1. So the only reason that B got it was because of the request, because, it doesn't know, the request goes to broadcast, goes to everyone. Not every single time, but yes, it has to know the, so it caches it for roughly 30 seconds, but yeah, after 30 seconds it will do another ARP request.

Now, so this allows us to impersonate C, but what if we want to actually man-in-the-middle their connections and have all of their communication go through us? So in this scenario we can convince A that we're C. Yeah, exactly, we can do it with the exact same logic, convincing C that we're A, and now if we're able to trick each of them so that their ARP cache says C is at the MAC address of C, and here we can convince C that A is at the MAC address of C, sorry, I forgot who was who, now whenever they try to talk to each other all of their traffic will flow through us, so we can sniff it, we can spoof it, we can change things; we really own all of their communication. So this is, we'll just briefly walk through this, and this is, yeah, anyways, I'll let you go through this, could we just go through this anyways. There, as we talked about, most tools will, if we're repeatedly sending ARP replies, they want to do this, and there's tools you can use; Ettercap is actually a tool to do this, so on your local network choose two hosts and you can force all of their communication to go through you, then you use tcpdump and now you can see all that traffic that's being sent through you. So this is how on a local area network you're able to trick all of the traffic to come through you. I have a warning though: if you want to play with this at home, don't use a wireless network, because of the way the wireless switch works it's very difficult to impersonate other people and convince the wireless network that you are them. It depends, I think you can do it in some wireless
networks but not in others, because fundamentally the switch knows who your MAC address should be, because it started an encrypted session. But if you have a physical switch to play with, it's very fun: set up two machines, set up a third machine to intercept all the traffic between them, and you'll see that you can access the internet from one machine.
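Added example (editor's code, not part of the lecture or any tool it names): the ambiguity the lecture describes, that a host receiving two ARP replies has no way to tell which one is genuine, is exactly what a passive monitor on the segment can use defensively. arpwatch-style tools keep a baseline of IP-to-MAC bindings and alert when a binding changes, when replies arrive that nobody recently asked for, or when one IP is claimed over and over inside a cache lifetime. The Python below implements that monitor and replays it over a constructed trace of the "C is online" scenario; the host names, addresses, and the 2 s solicit window and 30 s flood window are assumptions, not values from the lecture.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpPacket:
    """One ARP message as a monitor would see it (constructed, not captured)."""
    ts: float          # seconds since start of the trace
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str    # BROADCAST for a request, the asker's MAC for a reply


class ArpMonitor:
    """Passive ARP watcher: learns IP->MAC bindings and flags suspicious replies."""

    def __init__(self, solicit_window=2.0, flood_window=30.0, flood_threshold=5):
        self.solicit_window = solicit_window    # how recent a request must be for a reply to count as solicited
        self.flood_window = flood_window        # assumed ~30 s cache lifetime, as discussed in the lecture
        self.flood_threshold = flood_threshold
        self.baseline = {}                      # ip -> first MAC seen claiming that ip
        self.last_request = {}                  # ip -> timestamp of the latest request for that ip
        self.reply_times = defaultdict(deque)   # ip -> timestamps of replies claiming that ip

    def observe(self, pkt):
        """Feed one packet; return the list of (kind, ip, detail) alerts it raised."""
        alerts = []
        if pkt.op == "request":
            self.last_request[pkt.target_ip] = pkt.ts
            return alerts
        if pkt.op != "reply":
            raise ValueError(f"unknown ARP op {pkt.op!r}")

        ip, mac = pkt.sender_ip, pkt.sender_mac

        # A reply nobody asked for is the signature of the "keep sending replies" behaviour.
        asked = self.last_request.get(ip)
        if asked is None or pkt.ts - asked > self.solicit_window:
            alerts.append(("unsolicited_reply", ip, mac))

        # Two different MACs claiming one IP: the host cannot tell which is real, the monitor can at least say so.
        known = self.baseline.setdefault(ip, mac)
        if known != mac:
            alerts.append(("ip_mac_conflict", ip, f"baseline {known}, now {mac}"))

        # Many replies for one IP inside one cache lifetime: racing the legitimate host.
        times = self.reply_times[ip]
        times.append(pkt.ts)
        while times and pkt.ts - times[0] > self.flood_window:
            times.popleft()
        if len(times) >= self.flood_threshold:
            alerts.append(("reply_flood", ip, f"{len(times)} replies in {self.flood_window:g}s"))
        return alerts


def run_monitor(packets, **kwargs):
    """Replay a trace in timestamp order; return (monitor, all alerts)."""
    mon = ArpMonitor(**kwargs)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        alerts.extend(mon.observe(pkt))
    return mon, alerts


def summarize(alerts):
    """Count alerts by kind."""
    counts = defaultdict(int)
    for kind, _ip, _detail in alerts:
        counts[kind] += 1
    return dict(counts)


# Constructed trace of the lecture's "C is online" scenario (all addresses are made up).
A_IP, A_MAC = "10.0.0.1", "aa:aa:aa:00:00:01"
B_IP, B_MAC = "10.0.0.2", "bb:bb:bb:00:00:02"   # B is the host answering for C's IP
C_IP, C_MAC = "10.0.0.3", "cc:cc:cc:00:00:03"

SAMPLE_TRACE = [
    ArpPacket(0.00, "request", A_IP, A_MAC, C_IP, BROADCAST),   # A: who has C?
    ArpPacket(0.01, "reply", C_IP, C_MAC, A_IP, A_MAC),         # C answers first (the genuine binding)
    ArpPacket(0.02, "reply", C_IP, B_MAC, A_IP, A_MAC),         # B answers for C's IP with its own MAC
] + [
    ArpPacket(float(t), "reply", C_IP, B_MAC, A_IP, A_MAC)      # B keeps repeating the reply every second
    for t in range(5, 10)
]

if __name__ == "__main__":
    monitor, found = run_monitor(SAMPLE_TRACE)
    for kind, ip, detail in found:
        print(f"{kind:18} {ip:10} {detail}")
    print(summarize(found))
    print("baseline binding for C:", monitor.baseline[C_IP])
```

Running the trace, the genuine reply from C produces no alert, the first reply from B is caught only as a conflict with the learned baseline (it arrived right after a real request, so it looks solicited), and the repeated replies are caught three ways: unsolicited, conflicting, and, once five have landed inside the window, as a flood. The monitor deliberately keeps the first binding it saw rather than the latest, the opposite of what the lecture says a host's cache does, because a monitor's job is to notice the change, not to follow it; in practice you would seed the baseline from a known-good inventory so that whoever answers first on a cold start cannot become the baseline.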