1
00:00:00,600 --> 00:00:02,150
In the last lesson, we talked about

2
00:00:02,150 --> 00:00:04,140
the concept of DNS poisoning.

3
00:00:04,140 --> 00:00:06,170
In this lesson, I want to cover the concept

4
00:00:06,170 --> 00:00:08,780
of ARP poisoning with you fairly quickly.

5
00:00:08,780 --> 00:00:11,510
Now, ARP stands for the address resolution protocol,

6
00:00:11,510 --> 00:00:13,210
like you learned back in Network+,

7
00:00:13,210 --> 00:00:16,450
and it's used to convert an IP address into a MAC address.

8
00:00:16,450 --> 00:00:17,890
If you remember back from Network+

9
00:00:17,890 --> 00:00:20,440
and our OSI model lesson, as data moves down

10
00:00:20,440 --> 00:00:23,970
the OSI stack, it uses IP addresses to transmit packets

11
00:00:23,970 --> 00:00:26,180
all over the world from router to router.

12
00:00:26,180 --> 00:00:27,930
But once it finds the right router,

13
00:00:27,930 --> 00:00:29,770
that router converts that IP address

14
00:00:29,770 --> 00:00:32,660
into a MAC address and passes it on to the switches

15
00:00:32,660 --> 00:00:35,080
inside of its own network, and that is going to help it

16
00:00:35,080 --> 00:00:37,290
to deliver the information using frames

17
00:00:37,290 --> 00:00:39,270
inside the data link layer.

18
00:00:39,270 --> 00:00:41,320
Now, ARP poisoning is going to exploit the way

19
00:00:41,320 --> 00:00:43,340
that an ethernet network works.

20
00:00:43,340 --> 00:00:45,230
It's going to enable an attacker to steal,

21
00:00:45,230 --> 00:00:48,820
modify, or redirect frames of information on the network.

22
00:00:48,820 --> 00:00:51,170
The concept here is that the attacker is going to associate

23
00:00:51,170 --> 00:00:53,410
their MAC address with the IP address

24
00:00:53,410 --> 00:00:55,240
of another device within the network.

25
00:00:55,240 --> 00:00:57,710
This way, whenever the router asks for the MAC address

26
00:00:57,710 --> 00:00:59,250
that's associated with that IP,

27
00:00:59,250 --> 00:01:00,890
they get the attacker's MAC address

28
00:01:00,890 --> 00:01:02,960
instead of the legitimate user's.

29
00:01:02,960 --> 00:01:04,950
This allows the attacker to essentially take over

30
00:01:04,950 --> 00:01:07,410
any session that would involve MAC addresses

31
00:01:07,410 --> 00:01:09,920
at the layer two of the OSI model.

32
00:01:09,920 --> 00:01:12,690
Also, if the attacker wanted to get really creative here,

33
00:01:12,690 --> 00:01:14,010
they could set up a man in the middle

34
00:01:14,010 --> 00:01:16,980
using this technique by taking over the MAC address first,

35
00:01:16,980 --> 00:01:18,660
then passing the data back and forth

36
00:01:18,660 --> 00:01:20,720
between the victim and the rest of the network.

37
00:01:20,720 --> 00:01:22,890
To prevent ARP poisoning, you should set up

38
00:01:22,890 --> 00:01:25,170
good VLAN segmentation within your network,

39
00:01:25,170 --> 00:01:27,490
and also set up DHCP snooping to ensure

40
00:01:27,490 --> 00:01:29,190
that IP addresses aren't being stolen

41
00:01:29,190 --> 00:01:31,690
and taken over by an attacker.