Long time, a whole week. So, quick run-through of this website: create an account, apply... oh, that's not a real one, so that's good. Give your ASU ID. If you somehow just enrolled in this course and it doesn't work, email the admin mailing list. "Your hacker name is": so come up with a cool hacker name, or, you know, whatever. There will be, for some assignments, a more or less public scoreboard, so if you would like your name, your hacker alias, to be obfuscated on that scoreboard, click this button. That way it'll be some random value that only you know, so this way it's going to hide you, because it's fun to have a competitive scoreboard; we're all competing against each other, and it's nice to be able to say, like, oh, it's not like they're beating me, or whatever. But if you don't want people to know, maybe you have your name or whatever, just do that.

Please remember your password. I, like, wrote all this and I haven't implemented a "forgot my password" functionality, so you'll have to email us and then we'll give you a very terrible password that's all about how sorry you are for forgetting your password, and that will be your password forever.

All right, once you've created an account, log in. You won't see these grading options because you're not an admin, at least I hope not. You'll be able to submit assignment one, so the [unclear] challenge: put in your username, attach a README and you're good to go, then click submit. That will just submit; we will probably get a hundred percent automated grading on this very soon, so just kind of chill for a little bit.

The C backdoor web server, so they should be going. So you attach your README, you attach your Makefile, you attach the source files here. You may see... so the idea of this is, so the two-phase process, right? So, anyone know what a smoke test is? What is it? Basic, yeah. So when you're developing, maybe you've made, like, a point zero zero one version increment, changed one line in the program; rather than going through your huge test fleet, you just launch the application to see if it launches, right? So that's the idea of the smoke test. The smoke test, again, like a hundred of them is, I don't know, pretty much unlimited. The idea is it runs it and it compiles it and makes sure that your Makefile outputs an executable, because if you can't pass that test you can't pass any of the other tests.

So we click smoke test; it's going to say "successful submission for homework one part two smoke test," so you have 96 out of 100 remaining. Then we can go over to the status to see our part three smoke test. So this is the latest submission I just made; it's waiting. It'll give you, as you can tell from when I did this, when I had problems, it'll give you output on if it failed. It does exactly what it said on the homework description: it's going to copy all your files to a single directory, it's going to call make, and then it's going to test: is that file executable? Did it create a file called "web server", and is that file executable? That's all it does, and you will need to just refresh until this is done. When you do get it, you will get this thing where it says "hey, passed test, compiled the project," and then this is where you can decide if you want to submit this for actual grading, for all of the grading. When you do that, we can do this; it's the exact same thing, it will do all this, and then it will say... so there's two separate things here: these are your smoke tests, and if you go down in part three, back to our web server, you'll see your submission grade, so you actually get your raw score, if it was late at all, and some of the output of your program. So some test cases are secret, so you will not know what they are. There's a problem in your code; there's not a problem in our code. So this happens a lot.

Questions? Yes? You talked about those valid HTTP commands; what about invalid or malformed commands? You should handle it. You should not crash; you should keep being able to process HTTP requests. Okay, thank you. To that request you should just return whatever conforms with the specs; you can return a 404 or whatever, but yeah, it can't crash your server, right? Any other questions? Does that mean that we can do it 20 times? Yes, you can now submit part three 20 times. I feel like it's a lot, but give yourself some breathing room: make test cases locally, test it locally, right? Okay, cool. All right, that's awesome.

Other bit of housekeeping news before we go to content. So we are going to have... I want to do something new that I haven't done before, and it's part of the reason why I'm trying to move to this material so quickly, because one of the best ways you can learn about all this network security stuff is to actually do real-life challenges. So we're going to have an in-class CTF, capture the flag security competition, next Wednesday, a week from now. So we will not be in this room, because I do not like this room for this kind of activity; probably pretty bad, but maybe we can spread out. We have 100 people, 175-person room. Anyways, I'm trying to find a better room for us, so be on the lookout. So bring computing devices; if you are not able to get one, talk to us and we'll figure something out. So this is just a heads up. This will happen; it's going to be super awesome. And we will be having... so the first one will be individuals, so you're working on your own, and then the next ones you'll get into your project groups, and your project group will be your CTF group, and you'll compete. Occasionally, depending on how much material we've done, we'll do CTFs, and then we will also have a final CTF at the end of the semester, which would be awesome. Cool. Questions on that? Yes? Are we forming the groups, or in the class? That would be... I want to do this CTF first, because you guys are all, like... people will drop out, so doing groups now is not a good idea, I think. So I want to do this first CTF and then after a few weeks we'll do the other one, and we'll let you know with enough time in advance so you can all form groups. But yeah,
start meeting and talking to people so you can get a group. Yeah? Some people can get by with, like... could you get by? Yeah, it'd be rough. I've seen some people use like a Surface, like a Surface Book. I would say an iPad is probably not good enough, or like an Apple Watch would probably not be good enough, so yeah, I would say a laptop would be good. Great.

All right, let's get back to... we were talking about ARP requests. So what's the purpose of ARP in terms of the network? Was that finding the neighbors? What? IP address to MAC address, yeah. So that mapping, right, because we know who we want to talk to in terms of an IP address; what we need in order to be able to send even a packet is what's their MAC address, right? So we saw that ARP is basically a way to make a request, and when we make an ARP request it goes out to every single node on our local area network and we'll get a reply back from that person that says "hey, I'm this IP address, I'm at this location," and then from then on we can actually communicate with them.

So even with this little bit, you know, we haven't studied everything yet, we really focus just on the local network, but even here we can actually have security problems. So what we want to do, so imagine this: you're on some local area network, you're an attacker. What do you want to do? What are your goals? Pretend to be an IP address? What was that? Pretend to be an IP address, yeah, maybe pretend to be an IP address. Why would you want to do that, though? Just for fun? To get that packet? I mean, get that, yeah, so to get... maybe try to get packets that are destined for that IP address; we may want to try to pretend to be that IP address. What else? Just generally get data from other machines? Yeah, we may not even want to impersonate them, but if we can steal all the data that's directed towards them, that may be good. What else? Yeah? For any other service, if you want to adjust the IP address? Yeah, for any other service, maybe you want to... maybe we want to take out the computer on the network, right?

So it goes back to the CIA triad, right? On it is, generally, we may be able to steal data, that allows us to steal... integrity, we may be able to impersonate a machine on the network, which... let's say there's a trust relationship, let's say there's some rule that says the database can only be accessed by the web server, right, that IP address, and uses IP address for that. Well, if we can pretend to be that web server's IP address when we're talking to the database, now we get full access, which we shouldn't have. Or availability: we can try to kill or knock off any of these computers on the network. So these are really going to be our attacks: we want to try to impersonate a host, denial of service, access information. Another thing related to integrity is tampering: maybe we don't want to steal all the information, maybe we want the web server and the database to talk to each other, but maybe we just want to change something that's stored in that database, where maybe somebody transfers, like, a million dollars between their accounts and I change the destination account to be my account, right? So the database stores that transaction and now we've got a million dollars in our bank account.

And it really boils down to kind of some key terms I'll talk about: sniffing, where we're trying to, like, listen for information; spoofing, where we want to pretend to be somebody else, we want to try to send packets on the network as if we were other people; and hijacking, where we're trying to intercept and maybe modify the communication between two nodes on the network.

Before we get into this, so how do we know where... so how do you actually know we're on a local area network here, the subnet, and what's actually the physical piece of equipment that manages the subnet? A switch? Or what else? A router? Gateway? One of the... the difference between all those terms. What else, anybody? A hub? A hub, yeah. So we actually... and this is one of the things, again, it's one of the things I love about security, is that you have a conceptual model of, I guess, you have something that's routing traffic on our local area network, but when you drill down to the details, what is actually running there has interesting security implications and changes your attack.

So what is the main difference between a switch and a hub? So what do you think about it, right? So you're thinking about a networking device; it has different physical ports. So a hub, let's say, so let's say A, B, C and D are the ports. When it gets a packet on port A, it replicates that packet back out to ports B, C and D, and that's for any single packet: any packet that comes in on any port, it gets replicated to every other port. A switch is smarter. A switch knows... is every single computer connected to all of these ports? No. How can a switch, based on the network traffic, how can a switch know what computers are on what ports? What was that? What's the MAC table? Also, initially, when a switch sends out a broadcast and somebody answers, it keeps track of that MAC. Yes, so what a switch does is it listens to those ARP replies that we saw, and when it sees an ARP reply, let's say on port D, that says "ah, I'm MAC address foo," on port D, it knows if anybody else sends a packet with a destination MAC address of foo, it only sends that out on port D. So it does this with caching: it keeps tracking, looks at the traffic and sees all the ARP replies. So early switches, I mean early, you know, because it's not really good to call them switches since we have this distinction, but in the beginning they were all hubs; there was no difference here. But modern devices actually keep track of which interface, which hardware interface, which MAC addresses are connected to which port. So broadcast traffic, so an ARP request, which is broadcast on the network, gets sent out on every single port.

So why is this important? So let's say you want to sniff traffic and we're on a switch. How do we do it today? Yeah? We want to sniff using Wireshark? What... I mean, what is that actually doing? Analyzes everything coming through that... we just want to listen. So remember we have a physical Ethernet cable, right? We're connected to a hub. If we just listen to every single packet that comes into that port, we will get all the traffic on the entire network, because it's a hub, because every single packet that's sent on one port will be replicated to all the ports. We can actually see all the communication in this network just from listening to one port, and we can use a tool like Wireshark or tcpdump, like we'll see, which actually can do that. But fundamentally the concept is very simple: you just listen to every single packet that comes in on that port.

If you're on a switch, can you do this? So let's think about this. Can you just listen to all the packets coming in on that port, on your interface? "I think some switches have a command line, right, but you can install..." So I have to close that off, but so you're only worried about this: assume that you can't touch the switch, right? So all you can touch is... you have a cable, I mean even a physical cable coming into your computer. Just like before, all you have to do is listen on all the packets that are coming on that cable. So if you do that in the switch's case... "Well, like, hey, if you do that, you should, I mean you should just... I mean if the switch likes any new connection set up, you can just do it." Yeah, I mean, whatever packets the switch is going to send you, you can listen to those packets, but what packets are you going to get? Are you going to get every single packet that is ever sent in this network? "Oh, wow." Yes, you'll only get the packets on that port, which means you'll only get broadcast packets, or packets where the switch thinks that MAC address is on that port, right? So you see there's actually an interesting technical distinction based on a super low-level hardware thing.

So some of the ways you can get around this: so switches are, I would say, really simple devices. They keep track, you know, of who's on what port. Do they have infinite memory? No, it physically can't, right? That thing has a good memory; 120 gigs of memory seems like a lot, but it's still not infinite. So what you can actually do a lot of times is you can cause the switch to fail over into hub mode. You can essentially make it think that a certain port, the port you're on, has, no, 65,000 MAC addresses, at which point it goes "oh man, I can't do this, I'll just send all packets to all ports," and so you've essentially caused the switch to act like a hub. Yeah, okay, there's little details here: by default your kernel won't give you any packets that aren't destined for its MAC address, so when you use a tool like Wireshark, tcpdump, usually... this is why you need to run these tools as root, so that you can tell the network interface and the kernel, "hey, send me every single packet you receive here." Okay.

We talked about why do we want to sniff, right? We want to sniff because, well, we want to get data, right? And a lot of protocols, and it may surprise you, some of them on here: FTP, file transfer protocol, these transfer files; one of those is... someone wants SMTP... by default POP, oh no, not SMTP, but POP, HTTP, IMAP, these all transfer credentials in plain text. And actually there's... so if you sniff the traffic you can get usernames, passwords, which is... is that helpful to an attacker? Yes, 100%, yes. And so it's actually super interesting, and this is also true in Wi-Fi networks, right, because when you're sending on an unencrypted Wi-Fi, your packets are essentially broadcast in the clear and anybody can read those packets. So at the DEF CON security conference in Vegas during the summer, they usually have this booth called the Wall of Sheep. What they do, DEF CON usually has an open Wi-Fi, so they run a tool that's looking for usernames, passwords on the Wi-Fi, and they will post them to the Wall of Sheep. So you want to be very careful to not be on
that list, right?

So some of the tools we talked about, so this is kind of just an overview of some tools; I'll let you kind of review this on your own time. So tcpdump is kind of the main tool to collect traffic; it's pretty robust. tcpflow will look at a network trace and break it up into the different flows. tcpreplay is pretty cool because it can resend traffic, by maybe replacing... so you can maybe listen to traffic in one way and then replay it to get another host. Wireshark is a graphical tool that's free and open source, so I highly recommend it, although the interesting thing is, a lot of, like, at CTF competitions, what they'll do is they'll find some zero-day vulnerability in a tool like Wireshark, and then when they send their attacks out they include that, so that way if you're trying to look at those packets because you're trying to analyze what's going on, it'll crash, or worse, to your machine. So, and this is something they deliberately do, like, before the competition, and part of this is because Wireshark is great because it provides parsing for a lot of protocols. So it should be fun; it definitely is fun.

So tcpdump, super awesome. Like I said, requires root privileges, I believe. It has an insane number of options. As I will try to harp again and again: read the man page. If you're ever stuck and don't know how to do something, do "man tcpdump", which is for the manual; it will show you the entire manual, which probably has the question that you're looking for in there. And I know it's shocking to believe, but it is actually faster than googling, because that manual is local and you can bring it up, you can search, you don't have to go to the internet. It's amazing; you don't have to leave your terminal. It's awesome.

You may not want to... you may not want, when you're running tcpdump, to listen to everything, because there's a whole lot of junk, so it provides options to filter. So you can filter based on a host, so you can do host by name, host by IP address, subnet, any kind of stuff. So I'm just trying to give you an idea of kind of the functionality here. Again, I don't know if I've said it yet, but this class is mainly... so rather than teach you how to use these tools, I mean, we can sit down, I could go through all these things, I'm trying to teach you the principles behind them and how to build these tools, so you can understand how to do these kinds of tools. Yeah, lots of stuff, I mean Ethernet, IP packets, ARP packets; you can just look at all the ARP packets, and this is, you know, something that's actually really fun and interesting to look at sometimes. I mean, you would be surprised by the, you know, packets that even your machine is sending, like, why is it sending this UDP packet on this weird port? Like, oh, that's Dropbox trying to look for other Dropbox clients to do LAN syncing, like crazy.

It's also... so tcpdump is insanely useful for debugging any network-related issues, so if you're ever going to do something to touch a network, I highly recommend you know how to use this, so you can drop down. So let's see, what was it, a couple years ago when I wanted a web security challenge I was running inside our lab's network at ASU, and so I could see them, like, okay, yes, I'm getting the website, and I ran my cross-site scripting payload and then it just hung, and I'm like, I don't know what's happening. Is my server messed up? Is it our lab? Because I have my server inside our lab network, which is inside the ASU network, so where is it actually breaking up? So I, like, put tcpdumps on all the machines that I controlled in between, so that I could see: okay, when I make a request it does come in through here; when I send my cross-site scripting payload it never even makes it to our lab network, which is when I realized, aha, ASU must have a terrible web application firewall that's detecting this and stopping my traffic from coming through. So I put it on HTTPS so they couldn't view my traffic, and everything was fine. So yeah, we also, we've had weird, weird networking issues, so yes, super awesome.

Oh, and you can do arbitrary... I think the other interesting thing: you can look for arbitrary bytes in the packet, so you can say, like, byte number five, or zero, of the IP packet is one, and you can look for flags that way. Store data to a file: so normally what I do when I'm working on a remote server is, because the tcpdump output is not really very user-friendly, I'll use that -w option to write out the packets to a file, do what I want to do, and then copy that file to my local machine, where I can open it up in Wireshark and actually look at it. "So actually take a dump from here and actually analyze it in Wireshark?" Yes, yes. So if you use this -w option on tcpdump it will output it, and Wireshark can read in that file format. So this is really handy, because Wireshark is a graphical tool; you want the nice GUI on your local machine, but the traffic you want to capture is usually on a remote server. "And it has a dump extension?" No, so basically in Unix land file extensions don't matter at all, so you can name it whatever you want and Wireshark will still be able... I usually name it .pcap, is usually what I do, but yeah, I could do anything.

So, but you want to write your own sniffer, right? You don't necessarily want to use Wireshark; you want to write your own sniffer to do all kinds of weird, crazy network stuff. libpcap is a library that you can write in C that is one of the most painful libraries I've ever had to deal with, ever, and this includes using things like OpenSSL and some other libraries I've used. Yeah, I think those are the two worst offenders I've ever had to deal with. But libpcap allows you to basically write your own Wireshark, and so, as you'll see in probably one of your later homework assignments, there are other, better interfaces on top of this, depending on different languages, that give you this functionality. But this is how you can... you can write all kinds of intrusion detection systems that are inspecting packets; you can do all kinds of cool, crazy network sniffing stuff.

Okay, the problem is, so now we can do this thing and we can use those tools we just talked about in a hub to sniff everything. You can run these tools right now here and you can listen to all the traffic; that is, if you're on, like, the ASU encrypted, you'll get basically only the stuff that's directed to you. So you will get packets that are for you and any broadcast packets, which is actually still pretty interesting, because you can get a lot, you know, from those ARP requests, because you can know who's trying to talk to who and the different IP addresses. So we can't directly sniff. So one of the things we said is, well, we can flood, so we can flood our switch, but how do we trick the switch into thinking that a MAC address lives on this port that we're on? Yeah, we can just send an ARP reply, right? Because a switch is fundamentally a simple networking device that moves packets around, right? So when it adds an entry to its table for a specific port that says this MAC address is on this port, all it does is look for an ARP reply on that port. Most of the time it is not looking: was there a request on that port, and then is this an ARP reply to that request? So we just... we have 36 bits we can play with for a MAC address, right? We can just make, you know, hundreds of thousands of ARP replies to make the switch think that we have 10,000 Ethernet MAC addresses on that port, and in some cases, rather than just failing, the switch will say, oh no, everything's failed. So this is actually a security principle that will come up again. I mean, in this case, what's the secure thing to do when the switch detects this? Yeah, block that port? Or stop, like, stop working? Purge your cache? Maybe just... yeah, like reboot yourself, essentially clear all your caches so you know nothing. Yeah, yeah, we're talking about the switch. The switch can, of course; the hosts can decide how they want to do it, but the switch has to support this, because you don't know what the switch is going to deploy, right? So they could do this, but would you buy a switch that, when it detects a problem, stops working? Have you ever messed with a switch that's not working? Like, one of the most frustrating things you could ever deal with, because, like, the network isn't working. So, you know, from a business point of view, when you're looking at risk, and from... if you're selling people a switch, the selling point is not "hey, if this detects a problem it completely shuts down and then a human has to figure it out," right? You want to buy a switch that's going to work no matter what happens, right? And so that's... but we can use that as attackers, in order to force a piece of software or a piece of hardware, in this case, to do what we want it to do. So we can force it to turn into a hub, then we just listen to all the traffic and we get everything.

So one thing we can do that's pretty interesting is we can just literally change our MAC address. Has anyone changed their MAC address before? Now, why would you do it, if you can admit to doing something? Definitely, yeah. What was that? "I changed my MAC to my..." So captive portal is actually a great one. So an open Wi-Fi that requires you to register or something, or a hotel Wi-Fi that requires you to put in your room number, so usually what these do is they then map your MAC address and say yes, this MAC address can access the network. So if you do that on your laptop and you want to connect a device to this network that doesn't have an interface to log in from, like an Xbox, then you can connect your laptop... well, you can do it two ways: you need to change your laptop's MAC address to your Xbox's MAC address, then log in, and then turn off your Wi-Fi, and then now the Xbox can connect. I've done this before when being in, I think it's like international airports, when I didn't want to use my mobile traffic but they had this weird thing where you can only
connect one device to the network and you had to get like a code like a code to connect your device to the network so I just changed my computer's MAC address to be my phone and turned my wi-fi off and then you're just connected to the network so this is actually a key thing to remember about security is a MAC address can be 100% change in spoof right so if we want to pretend to be a system we can just change our system's MAC address to be their MAC address and then now we'll get traffic sent to that machine because somebody will say hey who has this IP address and we can even change our computer to be that IP address and we'll say yes I have this this IP address and if we're going on a network that ran out of IP addresses like the DHCP we only had like a slash 24 but we had 300 yeah yeah so in our company we had a lot of mobile devices in the middle so it was they were more than good to be like so after the after someone started to try to connect they weren't able to do it yeah for the worst part was I had we had this happening in our lab where we had more machines and so I would try to ssh to my server which is on the local network and it would work about 50% of the time it was being really slow and sometimes it would say uh I don't know key host error or something and sometimes it wouldn't and tracking down that was a huge pain of realizing there are two machines with the same IP address on the network you can induce that scenario as an attacker right you just change your IP address to somebody else change your MAC address and then you'll probably get their traffic but what are the problems with these two what are what are some of the downsides of these approaches open one of the downsides of match line as a tackle yeah the downsides of an attacker so what why might you not use it so you're attacking what was that don't know you're attacking don't know yeah why would they know from what might they have been flooded with a bunch of packets and he's throwing a 
hundred thousand packets enough to overflow some buffer on a switch right so it's not very stealthy right you're not limiting your footprint you're basically just yelling really loud until they like give up and just give you whatever you want right and it might not work the switch might be very sophisticated might be you know they have really fancy expensive switches nowadays it may actually just not work right and so you may have spent all this kind of effort to create this environment where you don't actually know beforehand it's going to work enough so what about the MAC duplication and cloning basically you can not do spoofing very easily but I know that there is a functionality of R which is called R-precious or something like that which can be used to detect the duplication of the network automatically and so most of the systems we don't know are supported right now yeah that's on whom we're impersonating right but essentially if we duplicate it we've more or less taken them off the network right so depending on what that machine is somebody would probably notice if it's something important that it's no longer responding correctly or maybe they have some detecting capabilities in the network so we can actually do even better we can use ARP spoofing in order to essentially manage so to do two things a we can use this to sniff traffic between hosts and then once the traffic is routed between us we can then modify that traffic so okay let me go back to my either we're talking about either ARP spoofing or ARP poisoning where we're essentially poisoning the ARP tables of the two hosts of the network yeah it's gonna be a race yeah chaos will ensue so in a normal network machines don't do that right so that means you're up against somebody else who's doing that there's somebody else playing ARP games so yeah you're not gonna have another good time neither of you will it's like a mutually assured destruction thing right once one of you stops then the other one 
actually gets there can accomplish their nefarious goals you don't need a request to send back a reply correct so it's a stateless protocol yes absolutely but this the core problem is this is inherent in the protocol of ARP itself there is no way to link these two things together and so you have to change ARP but ARP is such a fundamental part of the infrastructure and it's not even clear how you do this because the machines don't even know you know you don't know who this machine is all you know is the IP address so it's what do you have to guarantee authenticity so yeah it's it's a super interesting problem you have to completely you know one way to do it is static ARP tables so every post has a static ARP table that never changes of all the local hosts on the network but that's a lot of overhead because if you have you know three thousand you know network not every post needs to know about every other host if they don't talk to each other all the time so yeah it's just it's an interesting trade off but yeah this is this one of these things you know these protocols were created in like this you know 70s and 80s right so before like you have to think they were trying to get things working rather than securing things and they worked so well that now everything uses it and we can't just like we can't have like a flag day like they had in the internet where they moved from the mcp to tcp and they just said okay on this day we'll shut off the internet and we'll all update our systems and we'll turn it back you can't have that nowadays so that's very pretty great cool all right so we went over this example we basically made our own example so this is good so there are tools that do this so dsniff is a collection of tools that will can't do interesting things so this is actually how so dsniff is how we talked about that the wall and sheet listens for these things so these tools will look at network traces network traffic and extract username passwords from there that 
you can use there's arcs spoof tools arc spoof is one tool specifically to do arc spoofing types of attacks there's ssa's man in the middle web man in the middle so once you have the track work in between you could maybe if it's a regular hdb connection you can change and modify any of the content between each other so you have super fun games to play enter cap is a tool that actually is very nice that you can just run to set up this to do this arc spoofing between the two posts so you basically put in what i have the addresses you want to do and you hit go and the tool does this for you so it's yeah it's very easy to do this so something to fence is so we talked about you can have static arc entries right so say but now you have you really kind of and this really doesn't work too well especially when you think of now where we have a lot of cloud instances where you have one you can you can kind of spin up servers at any time so you know if you want to have static arc tables if you're going to add a machine to the network you would have to add its mark entry to every single other machine in your network which could be costly you can you know ignore arc replies so you can if you get an unsolicited reply just drop it and don't listen to it right but we still have this problem of when you send a request and you get back to replies how do you know who's the truthful one right it's a difficult problem so there are tools like art watch that can monitor the network for changes and keep track of ethernet IP address pairs because they should be relatively constant right so we're seeing you know suspicious activities so here's an interesting technical problem how do we detect sniffers in our network so now we'll flip our hats and we'll go from the white uh from the black hat attacker side to the white hat defender side even though they're all white hats we're learning offense for defensive purposes but so a do we want to detect sniffers on our network right we wanted to 
Normally, by default, a person running a machine on our network should not be seeing all the traffic on the network, right? Even if we're in a hub environment, they technically can; you would not necessarily want them to be able to. So we agree that we should; how can we actually do that? What makes this hard? This doesn't sound like an easy problem; it's hard. I mean, it's hard because we're blind inside of our machine, like we don't get to see who else is looking. Yeah, depending on our network environment, right? Like, think about ASU: you bring your phones and you connect to the ASU network, right? ASU doesn't force you to install software that can detect if sniffers are running on your phone. Could we, I mean, I guess could you, if you had a known network and you had known traffic routes, I mean, could you somehow analyze the time to live on packets, and then would that let you know? Or is that decremented if a sniffer grabs it off already? No. All right, so that would work, correct, right? So it's difficult, for one reason, because we have no visibility into the end hosts on our network, or if there's, soon, we don't, we can't really. Wait, what about, why, more reasons about why? Where are we detecting it from, the host, I mean the terminal, or the switch? Uh, let's say we're the network admin, so we could run something on the switch, we could run as another host to try to check for sniffers on other hosts, we could get maybe a tap of network traffic to see, I don't know, try to connect something that way. What's another reason why it's hard? So we don't have visibility. What is the sniffer, like a hub, what is the sniffer doing? Passive, completely 100% passive; it's actually not sending out any traffic, or maybe all it sends is ARP replies and then now it's just sniffing traffic, right? You know, so one, so if we have visibility we could look and see is the interface in promiscuous mode, so that could give us some insights. You can actually see this if you run ifconfig on an Ethernet port; you see this promiscuous flag. But we can hide this by running in the kernel, and we could, you know, I don't know, it's kind of crazy. We can look for ARP, we talked about this, we can look for weird ARP activities, which things are doing relatively constant over time. We can look for suspicious DNS lookups, so this is actually one of the interesting things. So when you first run, on a wired, wired network, well I noticed it more with tcpdump, you'll notice that it's slow when you first run it, and the reason why is every IP address it sees, it tries to do a reverse DNS lookup of that IP address by default. So that's why I always run tcpdump -n to not do that, lowercase n, and that's like literally, it's like burned in, I don't even think about tcpdump -n. But because of this you can actually trick the attacker into making DNS requests, and so you could detect a sniffer that way: you could maybe try pinging all the hosts on your network from a certain IP address and then seeing who makes a DNS lookup for that IP address, because normally it doesn't do that.

So the other super interesting thing is you can look for latency. So if you think about it, your systems, so if you think about the network interface, right, so the network card is running some firmware that's connected to your Ethernet port, right? By default, if it ever sees a packet that's not destined for that MAC address it just drops it; it doesn't do anything, which is super fast, right, because that's literally the network card right there, it doesn't even have to talk to your CPU about it, right? But when you turn it in promiscuous mode then it sends the packet to the kernel, and the kernel has to handle this. So you can actually detect this by using timing and seeing how long it takes. So you could basically, from like your host, ping a host and see what the response time is, and how that changes when you send traffic that's not destined to that host. So basically you can
see whether host A is analyzing traffic, because it shouldn't affect, like, traffic to other hosts should not affect their processing and ping time. So it's kind of an interesting side channel you can use here to detect sniffers. Um, yeah, you can do interesting things, so you can try to take advantage of weird stuff in the kernel. So if the behavior, so the important thing to figure out is the TCP/IP behavior, right; all of this, ARP, IP, TCP, as we'll see, this all lives in the kernel, right? So if the kernel does something different depending on if you're in promiscuous mode or not, you can actually use that as a signal to see if they're, uh, to see if they're in promiscuous mode. Uh, there's, yeah, all kinds of interesting, interesting stuff here.

Another way is just to say, hey, let's lock down our network, right, and just say let's not have anyone else that we don't know connect to our network. So all of these sniffing, hijacking attacks usually require physical access, so coming in and plugging in. Uh, so there's actually, it's very cool, there's a protocol; it's one of these interesting problems of, like, well, how do you authenticate a machine that just gets plugged in, right? So essentially you have to install certificates in every single machine in your enterprise, and that way when they plug in they use this protocol in order to actually authenticate to the switch, so the switch can give them an IP address and know that they're actually a valid person. Uh, so this is something that's, that's, uh, really, really interesting, cool, and it's super important for actually running a real-world, you know, you want to think about your system alone. What was that? Isn't this how public, um, access, some systems work? Like, why? Because you still sign up, right? If you're going into Starbucks you still sign up for something, and then you, I think, because I think, I think I did it, and so I, I believe, I'm not, I'm so sorry, but I believe, like, the ASU Wi-Fi, where you have to log in with your ASU username and password, that probably uses this. Other
things like Starbucks, they use different kinds of things, like they, uh, because you don't really have to sign up. It's, they want to see if they know your, your MAC address, because it's the only thing they know, and they say if they don't, then redirect your web request to this login page, and then once you've logged in and, and accepted their terms of service, then, because I think you get, you get the certificate on the atp, and then they probably allocate, and I, you know, which, I, I don't know the details about how 802.1X, or 802.11x, yeah, was that, yeah, so I, I don't know, but I bet if you read the spec it would tell you everything you want to know. With the RSC, initially it was going to implement on the standard? Correct, yes, but there definitely are, I'm fairly certain there are, um, yeah, because otherwise there's another way of doing it wirelessly at home, right, you just have your password, so you give somebody the password and then you give it to somebody and then you give it to somebody, right? But here you want each device to be authenticated, right? Cool.

Okay, other games we can play: so always send an IP address pretending to be somebody else. So this is actually a super important thing that really undermines all of their security: when a host gets a packet at the IP level it has no idea that this packet came from that IP address. Yeah? Send another packet in response to the packet that we received and then check that, you know, maybe there is a record that records the IP address that is part of the network, and if somebody is moving that. So no, fundamentally, clean, the question is, when you get a packet, can you tell who this came from? Okay, no, no, no. You don't say that; when you get a packet can you tell who it came from? No. This is the exact scenario we came from. So why do you want to do this, so why, why, why would we want to spoof IP addresses? So actually that's a good, that's a good point, so let's go, but that may not even be necessary, so depending on what the thing is. So, um, as
we'll see, certain types of protocols like DNS you can actually spoof this way. Okay, so, so the way to do this is you need to be able to, as we said, because your machine by default is not going to create a packet from another MAC address with another person's IP address, so you need essentially raw access to a socket, and to get that you want nice things on top of it. And, uh, libnet also sucks, I would say. Scapy, as hopefully you'll find, is one of the best written, well, one of the best libraries for doing this kind of network defense and writing these network tools. I've actually gone back and forth about, do I want to force you guys to use libnet and libpcap, because it's a huge pain, so that way when you see Scapy you can see it, because otherwise you're just spoiled; you just look at Scapy and you're like, oh yeah, it doesn't do everything I want. It's much better than the previous. Okay, so when we get there we'll get back to hijacking and how to inject packets.
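The two defenses the lecture sketches, ignoring unsolicited ARP replies and tracking Ethernet/IP pairs over time the way arpwatch does, are small enough to show in code. The following is an added example written for these notes; it is not from the lecture, from arpwatch or from dsniff. It parses raw Ethernet/ARP frames with the standard library alone (the lecture recommends Scapy, but this runs offline without it), learns the IP-to-MAC pairs each frame advertises, and raises an alert when a reply arrives that nobody asked for, when one request draws two different answers (the case the lecture says a host cannot resolve on its own), or when a known pair changes. All MAC addresses, the 192.0.2.0/24 addresses and the frames in `demo()` are constructed sample data, and the alert wording is only loosely modelled on arpwatch's messages.

```python
"""Passive ARP monitor in the spirit of arpwatch (added example, not from the lecture)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806           # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str      # Ethernet source address from the frame header
    opcode: int
    sender_mac: str   # ARP sender hardware address (the pair being advertised)
    sender_ip: str
    target_ip: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; return None for anything else."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(_mac(src), op, _mac(sha), _ip(spa), _ip(tpa))


def build_arp(eth_src: str, op: int, sha: str, spa: str, tha: str, tpa: str,
              eth_dst: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Serialise a raw ARP frame; used here only to construct the sample traffic below."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))

    def ip(s: str) -> bytes:
        return bytes(int(o) for o in s.split("."))

    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


class ArpMonitor:
    """Learns IP -> MAC pairs from observed ARP traffic and reports anomalies."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}    # ip -> mac learned from sender fields
        self.pending: Dict[str, int] = {}  # ip asked for in a request -> replies seen
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> List[str]:
        arp = parse_arp(frame)
        if arp is None:
            return []
        new: List[str] = []
        # A sender hardware address that disagrees with the Ethernet header is a red flag.
        if arp.sender_mac != arp.eth_src:
            new.append(f"header mismatch: eth src {arp.eth_src} != arp sender {arp.sender_mac}")
        if arp.opcode == ARP_REQUEST:
            self.pending.setdefault(arp.target_ip, 0)
        elif arp.opcode == ARP_REPLY:
            if arp.sender_ip not in self.pending:
                # "Ignore unsolicited replies": nobody asked, so do not trust it.
                new.append(f"unsolicited reply: {arp.sender_ip} is-at {arp.sender_mac}")
            else:
                self.pending[arp.sender_ip] += 1
                if self.pending[arp.sender_ip] > 1:
                    # Two answers to one question: the requester cannot tell which is truthful.
                    new.append(f"conflicting replies for {arp.sender_ip}: now {arp.sender_mac}")
        # Track the advertised pair; it should stay constant, so a change is worth an alert.
        known = self.table.get(arp.sender_ip)
        if known is None:
            self.table[arp.sender_ip] = arp.sender_mac
        elif known != arp.sender_mac:
            new.append(f"changed ethernet address: {arp.sender_ip} {known} -> {arp.sender_mac}")
            self.table[arp.sender_ip] = arp.sender_mac
        self.alerts.extend(new)
        return new


def demo() -> ArpMonitor:
    """Constructed scenario (documentation addresses): a normal exchange, then a poisoner."""
    gw_mac, gw_ip = "00:11:22:33:44:01", "192.0.2.1"
    host_mac, host_ip = "00:11:22:33:44:02", "192.0.2.20"
    evil_mac = "00:11:22:33:44:99"
    zero = "00:00:00:00:00:00"
    mon = ArpMonitor()
    mon.observe(build_arp(host_mac, ARP_REQUEST, host_mac, host_ip, zero, gw_ip))   # who-has gateway?
    mon.observe(build_arp(gw_mac, ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip, eth_dst=host_mac))
    mon.observe(build_arp(evil_mac, ARP_REPLY, evil_mac, gw_ip, host_mac, host_ip, eth_dst=host_mac))
    mon.observe(build_arp(evil_mac, ARP_REPLY, evil_mac, host_ip, gw_mac, gw_ip, eth_dst=gw_mac))
    return mon
```

Feeding `demo()`'s four frames through the monitor yields no alerts for the honest request and reply, two alerts for the third frame (a second, conflicting answer for the gateway's IP, and the gateway's pair changing), and two for the fourth (an unsolicited reply for the host's IP, and that pair changing as well). On a real network you would hand `observe()` the frames from a capture tap rather than constructed ones; the monitor stays entirely passive, which is the point: it watches for the pattern the lecture describes instead of trying to decide which reply to believe.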