1
00:00:00,690 --> 00:00:02,100
Welcome back.

2
00:00:02,100 --> 00:00:04,860
Let's see how ARP spoofing really works.

3
00:00:04,860 --> 00:00:05,340
All right.

4
00:00:05,520 --> 00:00:08,820
So now let's import our library.

5
00:00:08,820 --> 00:00:14,490
The first thing and the first step in order to actually perform the ARP spoofing is to create the malicious

6
00:00:14,490 --> 00:00:16,410
packet.

7
00:00:16,480 --> 00:00:17,500
So how can we do that?

8
00:00:18,310 --> 00:00:24,370
Well first of all we need to figure out which machine we are trying to attack in this case.

9
00:00:24,370 --> 00:00:30,360
I will try to attack my Windows 10 machine, so this environment right here.

10
00:00:30,370 --> 00:00:36,520
Now you can also try to attack a Windows machine, but it can also be a Linux machine if you'd like.

11
00:00:36,520 --> 00:00:37,050
All right.

12
00:00:37,090 --> 00:00:43,180
So the first thing that we need to do is to pretend that we do not know how to communicate with our

13
00:00:43,180 --> 00:00:44,560
target machine.

14
00:00:44,560 --> 00:00:48,170
Therefore we need to find out its MAC address first.

15
00:00:48,190 --> 00:00:49,470
How can we do that?

16
00:00:49,480 --> 00:00:55,510
Well we can simply just send an ARP request through the broadcast MAC address, which means that every

17
00:00:55,510 --> 00:01:00,880
machine on this local area network will receive the request and possibly send the reply.

18
00:01:00,910 --> 00:01:02,290
So how can we do that?

19
00:01:02,290 --> 00:01:10,000
Well first of all we need to create a packet which is going to carry the broadcast MAC address.

20
00:01:10,000 --> 00:01:14,380
We can set the broadcast MAC address inside of the outer layer of the packet.

21
00:01:14,770 --> 00:01:22,510
So it will simply just create the Ether packet with the destination of the broadcast MAC address, which

22
00:01:22,510 --> 00:01:26,560
we all know to be ff:ff:ff:ff:ff:ff, that is,

23
00:01:26,560 --> 00:01:28,520
ff specified six times.

24
00:01:28,550 --> 00:01:29,620
All right.

25
00:01:29,650 --> 00:01:36,700
Now if we go to Scapy right here from our terminal and we type ls on the Ether packet, we can see

26
00:01:36,700 --> 00:01:43,870
it has three fields, which are the type, the source and the destination. If I create the packet,

27
00:01:44,020 --> 00:01:49,780
which is going to be equal to Ether with the destination specified as the broadcast MAC

28
00:01:49,780 --> 00:01:59,380
address, and call packet.show(), you will see that the source will automatically be set to the MAC address

29
00:01:59,620 --> 00:02:05,250
of my Kali Linux machine and the type will be set as well, as we can see right here.

30
00:02:05,320 --> 00:02:08,960
The destination is set to the broadcast MAC address.

31
00:02:09,370 --> 00:02:15,670
But if we want to we can actually add the ARP layer to this Ether layer in order to create a full packet.

32
00:02:15,700 --> 00:02:18,360
And that is what we are going to do.

33
00:02:18,550 --> 00:02:24,880
So what I'm going to do is, before even coding it in PyCharm, I'm going to restart Scapy right here

34
00:02:25,540 --> 00:02:30,030
and demonstrate the creation of the packet first because we have visuals right here.

35
00:02:30,100 --> 00:02:32,380
Therefore we can understand it a whole lot better.

36
00:02:32,800 --> 00:02:40,460
Let's create the broadcast packet that we already typed in PyCharm that will have the Ether layer.

37
00:02:40,480 --> 00:02:47,410
We set dst to be equal to the broadcast since we are sending out our request to everyone and

38
00:02:47,530 --> 00:02:52,860
hopefully getting a reply from someone who knows where our Windows 10 machine is located.

39
00:02:53,110 --> 00:03:00,970
All right, now after we do that we need to also add the ARP layer, so let's create arp_layer right here

40
00:03:02,170 --> 00:03:04,140
to be equal to ARP().

41
00:03:04,810 --> 00:03:09,640
And here all we need to do is specify the IP address of our target machine.

42
00:03:09,640 --> 00:03:15,850
So I'm going to check the IP address of my Windows 10 machine right here by opening up the command prompt

43
00:03:15,940 --> 00:03:18,750
and typing ipconfig.

44
00:03:18,820 --> 00:03:25,030
Press enter and we can see that the IP address of my Windows 10 machine is

45
00:03:25,030 --> 00:03:26,440
192.168.1.2.

46
00:03:26,560 --> 00:03:30,280
So that is what we need to specify inside of our ARP layer.

47
00:03:30,280 --> 00:03:32,260
We are interested in the destination.

48
00:03:32,260 --> 00:03:39,870
So we will specify pdst to be equal to the IP address of the Windows 10 machine.

49
00:03:39,880 --> 00:03:40,430
All right.

50
00:03:40,480 --> 00:03:42,970
So we got that ready.

51
00:03:42,970 --> 00:03:46,360
Let me enlarge this a little bit more.

52
00:03:46,510 --> 00:03:55,180
And now if I simply just type arp_layer.show(), it will have all of the fields filled automatically

53
00:03:55,180 --> 00:04:00,670
by default: our IP address is there and our MAC address is there as well.

54
00:04:00,670 --> 00:04:03,570
The op is also set to be an ARP request.

55
00:04:03,670 --> 00:04:09,130
Now in order to actually combine these two packets all we need to do is create another variable which

56
00:04:09,130 --> 00:04:11,230
will be called entire_packet

57
00:04:14,480 --> 00:04:24,110
and this entire_packet will be equal to broadcast slash arp_layer, and that is how we can combine these

58
00:04:24,110 --> 00:04:25,480
two packets.

59
00:04:25,490 --> 00:04:30,840
Let me just show you right here so you can understand it better. If I type entire_packet.show()

60
00:04:32,090 --> 00:04:32,840
you will see.

61
00:04:32,870 --> 00:04:40,130
Right now we have two layers to our entire packet: the Ethernet layer, which we set the destination to

62
00:04:40,130 --> 00:04:47,000
be the broadcast MAC address, and the ARP layer, which we set the IP destination to be the IP address

63
00:04:47,000 --> 00:04:49,950
of our Windows 10 machine.

64
00:04:49,970 --> 00:04:52,240
Now we can send out this packet.

65
00:04:52,280 --> 00:04:53,120
All right.

66
00:04:53,180 --> 00:05:02,080
So how can we do that? Well we can use a function which is called srp, and this function allows us

67
00:05:02,080 --> 00:05:04,060
to send the entire packet.

68
00:05:04,150 --> 00:05:10,150
We can also specify the timeout to be equal to two seconds and we want to set verbose to be equal

69
00:05:10,150 --> 00:05:12,430
to true.

70
00:05:12,430 --> 00:05:21,220
Now this actual function will return two lists: the first list will be the answered responses and the

71
00:05:21,220 --> 00:05:25,120
second list will be the unanswered machines.

72
00:05:25,110 --> 00:05:25,570
All right.

73
00:05:25,600 --> 00:05:31,270
So in order to actually print that list afterwards we first of all need to store it, and let's call the

74
00:05:31,270 --> 00:05:32,890
variable answer.

75
00:05:32,890 --> 00:05:38,800
And since I just mentioned that it returns two lists, we want to pick the first list by specifying

76
00:05:39,280 --> 00:05:45,350
zero inside of square brackets, since the first list is our answered responses.

77
00:05:45,580 --> 00:05:50,660
If I press enter it will tell us that it received 1 packets,

78
00:05:50,680 --> 00:05:53,280
got 1 answers and remaining 0 packets.

79
00:05:53,280 --> 00:05:55,340
So everything worked properly.

80
00:05:55,360 --> 00:05:57,370
If I type here print(answer)

81
00:06:00,550 --> 00:06:01,800
it will tell you the results.

82
00:06:01,810 --> 00:06:03,970
Which means that we got an Other response.

83
00:06:03,970 --> 00:06:06,940
It was not a TCP answer or UDP or ICMP.

84
00:06:06,940 --> 00:06:12,290
It was under Other, and by Other it means we got the ARP response, which is good.

85
00:06:12,320 --> 00:06:15,070
Now in order to print this response we can simply just type

86
00:06:15,070 --> 00:06:24,310
print(answer) and select the first element, and you will see our packet right here.

87
00:06:24,340 --> 00:06:29,970
Now if we take a look at this packet we will see that this is our own packet.

88
00:06:30,220 --> 00:06:36,100
Since we have the Ethernet destination set to the broadcast and the ARP layer is set to have

89
00:06:36,100 --> 00:06:39,590
the IP destination to the Windows machine.

90
00:06:39,970 --> 00:06:44,980
And this right here would be the response that we got.

91
00:06:44,980 --> 00:06:51,550
As we can see the destination MAC address is the MAC address of our own Kali Linux machine.

92
00:06:51,550 --> 00:06:55,900
The source is the MAC address from our Windows 10 machine.

93
00:06:55,900 --> 00:07:02,740
Since our Windows 10 machine sent this back to us telling us that this is its own MAC address,

94
00:07:03,670 --> 00:07:10,480
we can also see it right here where the hwsrc is the MAC address of the Windows 10 machine, psrc

95
00:07:10,570 --> 00:07:16,920
is the source IP address of the Windows 10 machine, and this is where the Windows 10 machine sent the packet

96
00:07:16,940 --> 00:07:19,390
to, which is our Kali Linux machine.

97
00:07:19,390 --> 00:07:21,420
Therefore we received it.

98
00:07:21,550 --> 00:07:27,890
Now what we want to get out of this entire packet is this MAC address right here.

99
00:07:28,070 --> 00:07:29,500
So how can we do that?

100
00:07:29,630 --> 00:07:32,070
Well we can simply just print.

101
00:07:32,100 --> 00:07:37,730
Well let's print something like this: answer, and since this has a bunch of elements we will select the

102
00:07:37,730 --> 00:07:52,150
first one, which is this, and then we can select the second element under the number one, if we print it.

103
00:07:52,300 --> 00:07:55,000
Python 3 makes no sense.

104
00:07:55,040 --> 00:07:55,980
Wait.

105
00:07:56,030 --> 00:08:02,920
If we just type print and then .show here, it is a bound method.

106
00:08:02,930 --> 00:08:06,400
We only get the response now, as we can see right here.

107
00:08:06,490 --> 00:08:14,170
We no longer get this part, and all we want to select from this response is the hwsrc, which is this

108
00:08:14,170 --> 00:08:14,800
right here.

109
00:08:14,800 --> 00:08:17,860
Since this is the MAC address of the Windows 10 machine.

110
00:08:18,280 --> 00:08:30,300
So let's select it. If we type here target_mac, we can set it to be equal to answer's first element,

111
00:08:30,540 --> 00:08:37,290
which is the packet that we sent and the packet we received, but since we only want the packet we received

112
00:08:37,290 --> 00:08:41,260
we select the second element, and that is this part right here.

113
00:08:41,490 --> 00:08:49,190
And from the second element we want to get the hwsrc, which is the MAC address of the Windows 10

114
00:08:49,200 --> 00:08:49,730
machine.

115
00:08:50,550 --> 00:08:54,540
If I press enter and we print target_mac,

116
00:08:59,070 --> 00:09:02,040
we get just the MAC address of the Windows 10 machine.

117
00:09:02,060 --> 00:09:02,450
All right.

118
00:09:02,460 --> 00:09:03,140
Great.

119
00:09:03,240 --> 00:09:04,120
How cool is that.

120
00:09:04,140 --> 00:09:09,810
We successfully retrieved the MAC address of the Windows 10 machine by sending the ARP packet and getting

121
00:09:09,810 --> 00:09:16,250
the ARP response back to us. Now it is time to get to the hacking stuff.

122
00:09:16,260 --> 00:09:18,390
This was all just simple networking.

123
00:09:18,390 --> 00:09:24,960
Right now we want to create a malformed or malicious ARP packet and send it once again.

124
00:09:24,960 --> 00:09:26,700
How can we do that?

125
00:09:26,700 --> 00:09:29,120
Well first we need to craft the packet.

126
00:09:29,160 --> 00:09:29,890
All right.

127
00:09:30,090 --> 00:09:31,830
So we already know how to do that.

128
00:09:31,920 --> 00:09:34,700
Let's create a variable called packet.

129
00:09:35,070 --> 00:09:39,410
And this packet variable will be equal to the ARP packet.

130
00:09:40,440 --> 00:09:42,080
First, since this is a malicious packet,

131
00:09:42,090 --> 00:09:43,170
let's see what we want

132
00:09:43,170 --> 00:09:49,110
this packet to do. Well we want this packet to tell the Windows 10 machine that our Kali Linux machine

133
00:09:49,170 --> 00:09:56,610
is a router so it sends all of its packets to us. First of all we need to set the op value to be equal

134
00:09:56,610 --> 00:10:01,100
to 2 since we want our ARP packet to be the ARP response.

135
00:10:01,340 --> 00:10:04,190
We are telling the Windows 10 machine that we are the router.

136
00:10:04,200 --> 00:10:05,700
We are not requesting anything.

137
00:10:05,700 --> 00:10:12,600
Therefore we will set the op to be equal to 2. The next thing we want to set is the hwdst, the hardware destination

138
00:10:12,690 --> 00:10:15,290
or the MAC address of our Windows 10 machine.

139
00:10:15,420 --> 00:10:19,760
And this is why we needed the MAC address that we received from this packet.

140
00:10:19,770 --> 00:10:21,970
Right here we got it in the

141
00:10:21,970 --> 00:10:29,760
target_mac variable, so you can either specify the MAC address itself or you can specify target_mac.

142
00:10:29,760 --> 00:10:31,200
All right.

143
00:10:31,200 --> 00:10:37,620
The next thing that we need to specify is the pdst, which is the IP address of our target machine.

144
00:10:37,620 --> 00:10:45,570
In my case that is 192.168.1.2, and the last thing that we need to specify is

145
00:10:45,560 --> 00:10:53,760
the psrc. If I specify psrc equals, here we specify the machine that we want to impersonate,

146
00:10:54,210 --> 00:10:56,150
in our case we want to be the router.

147
00:10:56,160 --> 00:11:02,160
Therefore I will specify my router's IP address, which is 192.168.1.1. In case

148
00:11:02,160 --> 00:11:04,520
you don't know what your router's IP address is,

149
00:11:04,620 --> 00:11:11,970
you could simply just open up your terminal and type in netstat -nr, and under Gateway you

150
00:11:11,970 --> 00:11:15,160
will see your router's IP address.

151
00:11:15,180 --> 00:11:20,790
All right, so let's close this now that we have everything ready.

152
00:11:20,790 --> 00:11:25,830
Once again we are setting the op equal to 2 because we are saying that we are the gateway.

153
00:11:25,950 --> 00:11:27,550
So this is a response.

154
00:11:27,760 --> 00:11:29,370
Let's press enter.

155
00:11:29,490 --> 00:11:33,240
If I just type packet.show(),

156
00:11:33,240 --> 00:11:36,700
here are the contents of our packet.

157
00:11:36,780 --> 00:11:39,390
We got everything ready to go.

158
00:11:39,630 --> 00:11:45,420
But before we actually send out this packet let's see what the ARP table on our Windows 10 machine looks like.

159
00:11:45,450 --> 00:11:46,810
So how can we do that?

160
00:11:46,890 --> 00:11:48,480
Well open up your command prompt.

161
00:11:48,480 --> 00:11:57,270
Once again I will clear the screen, and if we type arp -a you will see the ARP table on our Windows

162
00:11:57,270 --> 00:11:58,380
10 machine.

163
00:11:58,380 --> 00:12:02,900
We can see that the router's IP address is at this MAC address right here.

164
00:12:03,060 --> 00:12:08,170
The Kali Linux IP address is at this MAC address right here.

165
00:12:08,430 --> 00:12:14,580
You will notice once we send the malicious packet that these two IP addresses, which are the router's IP

166
00:12:14,580 --> 00:12:19,980
address and the Kali Linux IP address, will have the same MAC address.

167
00:12:20,010 --> 00:12:26,820
That means that we successfully spoofed the Windows 10 machine into thinking that we are the router,

168
00:12:27,440 --> 00:12:33,330
and then it will send all of its packets to our MAC address instead of the router's MAC address.

169
00:12:33,380 --> 00:12:36,800
So let's see if this works. In order to send this packet,

170
00:12:36,790 --> 00:12:39,270
we will simply just use the send function.

171
00:12:39,290 --> 00:12:46,600
We will specify packet and then verbose equals false, since we don't need to see anything.

172
00:12:46,760 --> 00:12:51,400
We send the packet and let's go to our command prompt and run the same command once again.

173
00:12:53,520 --> 00:12:58,530
And here it is we successfully spoofed the Windows 10 machine.

174
00:12:58,530 --> 00:13:04,910
Now we got 192.168.1.1, which is our router, and 192.168.1.4,

175
00:13:04,910 --> 00:13:11,660
which is our Kali Linux machine, to have the same MAC address.

176
00:13:11,710 --> 00:13:12,880
How cool is that.

177
00:13:12,880 --> 00:13:15,370
We successfully spoofed the Windows 10 machine.

178
00:13:15,760 --> 00:13:18,940
And this is what's called ARP spoofing.

179
00:13:19,000 --> 00:13:25,300
Now if you don't run this packet in a while loop this will most likely get reset after a few seconds

180
00:13:25,300 --> 00:13:25,750
or minutes.

181
00:13:25,750 --> 00:13:27,990
So let's see if we still have it.

182
00:13:28,000 --> 00:13:34,410
Yeah it already got reset back. As you can see the router is already set back to its own real MAC address,

183
00:13:34,780 --> 00:13:43,230
but if we send this once again and type arp -a once again, we have spoofed the router one more time.

184
00:13:44,050 --> 00:13:44,410
OK.

185
00:13:44,530 --> 00:13:50,680
So we're going to see in the next video how we can do this in a while loop and how we can create the

186
00:13:50,680 --> 00:13:53,800
program that will automate this entire process.

187
00:13:53,800 --> 00:13:57,580
So thank you for watching and I will see you in the next tutorial. Bye.
