All ECCouncil CEH certification exam dumps, study guide, training courses are prepared by industry experts. ECCouncil CEH certification practice test questions and answers, exam dumps, study guide and training courses help candidates to study and pass hassle-free!

Network Hacking - Post-Connection Attacks - MITM Attacks

16. Creating a Fake Access Point (Honeypot) – Theory

Now, from the previous lectures, we know that once we connect to a network, it's game over, because once connected, we can run an ARP spoofing attack to redirect the flow of packets so that they go through our computer. This allows us to become the man in the middle. And once we're the man in the middle, we can run so many dangerous and effective attacks that we can spy on all the users, steal their passwords, and redirect them to different websites.

And this is all just a small taste of what you can do. You'll actually see us build on this in the client-side attacks section, where we're going to completely hack into computers connected to the same network as us. And if you go and do my advanced network hacking course, then you'll see more advanced attacks that will allow us to do so much cool stuff on the network. Again, all of this is possible because, once we connect, we can run ARP spoofing and become the man in the middle. Now, in this section, I actually want to show you another method that will allow us to become the man in the middle.

And once we're the man in the middle, we'll be able to run all of the attacks that you've seen so far and all of the other man-in-the-middle attacks that you'll learn in the future. So let's go back to the first diagram that we learned in this course, when we were talking about how networks work in general. We said the only device that has access to the Internet is the access point. And whenever a client wants to access something, they send a request to the access point. The access point goes to the Internet, gets the response, and sends it back to the client.

Now, what if we replace this access point with our hacker computer? So what if we can use our machine to create a WiFi network that actually has Internet access, so people will actually try to come in and connect to our network to access the Internet? And then when they connect to our network, we will be the man in the middle because we are the router, so we won't really need to exploit anything. We are automatically the man in the middle, and the clients will automatically send us any requests because they want to access the Internet. And we will see these requests obviously go to the Internet, get them what they want, and give it back to them.

This way, we'll be able to launch all of the attacks that I showed you previously without the need to exploit the ARP protocol. So, instead of running ARP spoofing, all we'll have to do once our network is up and running and clients are connected is start sniffing with Wireshark or BetterCap. So for this to work, you need a computer. And we already have our hacker computer running Kali Linux. You also need Internet access. And you need a wireless device that's going to broadcast the WiFi signal and tell all the neighbouring devices that I am a network, so you can come in and connect to me. So, first and foremost, you will require an interface with an internet connection. This interface can be a WiFi interface connected to the internet.

It could be an Ethernet interface connected to an Ethernet network. It could be a dongle, or it could even be a virtual interface. And this is what I'm actually going to do. It's going to be my ETH Zero, the virtual interface that is connected to my Nat network. So this can be any network device as long as it has internet access. The next interface that you will need, like I said, is going to have to be a WiFi interface because it needs to be able to broadcast the signal for the network. And you can't use any WiFi interface. This interface needs to be able to act as an access point. So it needs to be capable of acting like a proper access point, like a raptor.

Now all of the WiFi adapters that I recommend support this mode, and I've already included a video in the sources when I first spoke about wireless adapters. But I'm also going to include this video in the resources for this lecture. So, if you're going to buy one or are unsure how to choose the right one, watch this video. It should be helpful for you. So once we have this set up properly, we can use our computer to start an access point, and it's going to act exactly like a router. So people will be able to see the network when they look for WiFi networks.

They'll be able to connect to it and get an internet connection. But when they connect, they will have to send us all of their requests because we are the router and the access point. So by default, we will be the man in the middle. Therefore, you'll be able to execute all man in the middle attacks that you have learned so far and any other man in the middle attacks that you will learn in the future. So basically, ARP spoofing is one method of becoming the man in the middle.

And what I'm going to show you right now is another method of creating demand in the middle. Now you can see that in order to use our computer as an access point, we need a number of components to be configured properly. So first of all, we need our wireless interface to broadcast the signal as if it were a real network. This will allow other clients to connect to it. But that's not the end of the road. The wireless interface needs to know when these clients are requesting websites.

It needs to be able to forward these requests to the other interface that is connected to the Internet. Then again, it will need to be able to know when the responses come back and forward all of this to the right client. Now, you can configure all of these things manually, and I actually cover this in my advanced network hacking course. And I cover a lot of advanced things that you can do with the fake access point, like launching an evil twin attack, hacking into WPA Two Enterprise, and so on.

But this would take at least 30 lectures. And this is not a network hacking course. This is a general ethical hacking course. Therefore, that would be out of the scope of this lecture. If you're interested in learning how to do this manually and how to run advanced attacks using the fake access point, then check out my advanced network hacking course in the bonus lecture. For the time being, the final lecture of this course is that for this course, I'm going to show you a great way of quickly creating a fake access point that will allow us to become the man in the middle, similar to.

17. Creating a Fake Access Point (Honeypot) – Practical

Now, before I do anything else, I want to show you the network settings of my Kali machine. So I'm going to select it here. I'm going to go to Settings Network, and as you can see, it's set to use an AT network. So now if I go to my Kali machine and run doif config, I will see we have an interface called Ethical. This interface is a virtual interface created by VirtualBox because we set this machine to use an app network. You can also see that this interface has an IP address, which means that it is properly connected to this Nat network and will provide the Kali machine with Internet access as long as my host machine right here has internet access.

So now on my computer, if I go and let's say I just go to Bing.com on my browser, you'll see that I can successfully go to the website because Kali is connected to the Internet through this virtual interface that is called ETH Zero. Now if we go back to our diagram that shows what we need to create an access point, you can see that we need an interface that is connected to the Internet. We don't care what type of interface this is as long as it has Internet access. So in our example, we're going to be using ETHZero to provide our fake access point with Internet access. The other interface that we need is a wireless adapter that can act as an access point. Again, if I go back to the result of my if configuration, you can see I already have a wireless adapter connected to this computer. It's called Land Zero.

Keep in mind that this is in managed mode; it's not in monitor mode, and it is not connected to anything. So you can see that it does not have an IP address. This is very, very important. It needs to be, first of all, in managed mode and, second, not connected to any network. So even if we go to the network manager in here, you can see we have wired connections. This is my ETH zero, and WiFi is not connected. Once we have everything configured properly, we can go ahead and start the fake access point. The programme we'll use is called WiFi Hotspot. It's preinstalled in the custom Caddy Linux that we made for this course.

So all you have to do is simply click on "Show Applications in Here" and type "WiFi," and you'll have the application in here. Now, if you're using the original Kali, I'm going to include a link in the resources that you can use to download and install this tool. But right now, we can simply click on it right here to start it. And as you can see, it has a really nice graphical user interface that is self-explanatory. But I'm just going to walk you through it real quick. You can see, first of all, that it's asking us for the SSID. This is the name of the network that the clients will see when they look for WiFi networks around them. So I'm going to keep this on the Internet. Next, it is asking us if we want to have a password on this network.

So I checked the "open" box, which basically means this will be an open network with no password because it makes more sense in our scenario so that we can attract more people and spy on their traffic. If, in your scenario, it makes more sense to have a password on the network, then you can uncheck this box and put the password in here. So I'm going to check it back in because I want it to be open. And next, it's asking us for the WiFi interface.

This is the interface that will be broadcasting the signal. So this is going to be the interface. And in our case, this is my wireless adapter, and it's called Land Zero, as we saw earlier. And next, it's asking us for the Internet interface. This is the interface that will provide the fake access point with Internet access. Again, going back to the diagram, this will be the interface in here, and we said it doesn't matter what type of interface it is; it could be a wireless card or a wired one; it doesn't really matter. In my case, I'm actually getting my Internet access from ethical, so it's already selected correctly, and that is my virtual interface that is connected to my virtual Nat network.

Now, before starting the access point, let's click on "advanced" just to have a look at the other options that we can set. So you can see, you can select the frequency band, you can set it to auto, or you can set this network to be hidden. You can use a pre-shared key. You could set the Mac address of the network. You could configure it to not use any virtual interfaces. This might be useful to try if it's failing to start, but we're going to keep it the way it is. You can specify the channel that you want the network to broadcast on. You can check this box to use Mac filtering and then specify the Mac addresses that you want to allow to connect to this network in this box, so that only the specified Mac addresses in here are allowed to connect to this network.

Again, we don't want to do this in here, and you can also select the standard in here for the end and the AC. We're just going to keep everything on the default settings in here. We really don't need to change anything in our specific scenario, but I just wanted to go through it real quick just so you have an idea in case any of these options make sense in a future scenario that you'll find yourself in in the future. So the main things that you'll really need to set when you're starting a fake access point are the name, the WiFi interface, and the Internet interface.

And once you're ready, click on Create Hotspot and perfect it. Now it's running, as you can see, and it's given us the process ID that it's running through just in case it freezes and you need to kill it through the terminal. But now we have a fake access point that looks like a real WiFi network with Internet access and is broadcasting within our range. And the name of this wireless access point is the Internet. So let's go to the Windows machine and see if this access point is working as expected. So right here, I have a Windows machine. It's another virtual machine, but I have another wireless adapter connected to this machine.

Do not test this from your host machine because the fake access point is getting its Internet access from the host machine through the NAT network. So if you test this network from the host machine, the network will not work. So either test it from another virtual machine with another wireless adapter, or if you don't have another wireless adapter, then you can test it from your phone, another laptop, or any other computer within range. But do not ever test it on the host machine.

So right here, I'm going to search for networks to connect to. And as you can see, I have a network called the Internet. It does not use a password, so I'm just going to connect to it. As you can see, I'm connected now, and I'm going to open Firefox just to check if I have an Internet connection. So I'm going to go to Bing.com, and as you can see, Bing.com is loading. So now I actually have Internet access. So now anything I do on this computer will have to be sent to the access point if I want to access any websites; if I enter any passwords or usernames, everything is going to go to the access point. And the access point is the hacker's machine.

So the hacker machine is already the man in the middle. So now you're in the same position that you would be after running an ARP spoofing attack. So you can go ahead and use Wireshark to sniff packets and analyse them, or you can go and use BetterCall exactly as I showed you before. The only thing that you need to keep in mind when using Wireshark or any other tool is that you need to set the interface to the interface that is broadcasting the signal. So this is the interface that you set in the phy option, not in the upstream. So in my case right now, this would be line zero. Not ethical. Once you're done and you want to stop this access point from running, don't click on the X. Make sure you click on Stop first to stop it properly, and then you can exit the programme and continue whatever you want to do.

Network Hacking - Detection & Security

1. Detecting ARP Poisoning Attacks

Right, so let's talk about how we can detect ARP poisoning attacks. First of all, let me show you the ARP table. So, in our Windows device, which is always under attack, I'll run a command called ARPA to list all the entries in the ARP table. So each computer has an ARP table, and that table associates IP addresses with Mac addresses. So we can see the IP address of the router, which is 1020-14. One is associated with the Mac address 5254, and it ends up in 350 zero.

So this is the Mac address for the IP for the router. So the way that ARP poisoning works, as we discussed before, is that each request is trusted, and clients accept responses even if they didn't send a request. So what the hacker does is send a response to the client telling them that they are the router, so the client will accept that it was trusted and that it's going to accept a response even though it didn't send a request. Then we'll send another response to the router, telling them that we are the client.

So, this will change the entries in the ARP tables in both the router and the client. And for the client, it's going to contain the hacker's Mac address and associate that with the router's IP address. So what's basically going to happen is that it's going to modify the Mac address here and change that to the attacker's Mac address instead of the router's real Mac address. So when that happens, the hacker will be in the middle of the connection, and they'll be able to read, analyze, and modify the packets because they're going to be flowing through the hacker device. So, let's run the ARP poisoning, the standard ARP poisoning attack. And when I go back here, I'm going to execute the same command.

So I'm going to do an ARPA again and note how the Mac address is going to be different. So the Mac address for the router used to be this one. And when we run the command, that Mac address changes to this one. And this Mac address right here is the Mac address of the network ad that the attacker is using.

So if I come here and just do an ifconfig, you'll see that this is the Mac address, the same one that's displayed here. As a result, this is the most straightforward method for detecting ARP poisoning attacks. It's not the easiest way, though, because you're going to have to keep doing this command and keep comparing the entries if you really want to check if you're being ARP poisoned. So there's a tool called Xarp that does that automatically for you, and it's available for Linux and Windows.

So I already downloaded it; you can just Google XRP, and you can download and install it very easily. and I'm just going to run it. I'm actually going to stop the attack first, and then I'm going to run the tool. Now, notice that when you stop the attack, the IP address is going to go back to what it was. As you can see, the router's Mac address has been reset to its default value. So I'm just going to run XRP now, and you can see that everything is good.

And you can see that the entries are very similar to what we did when we did an ARPA. So we have the IP addresses and the Mac addresses associated with it. What the tool basically does is it's just going to automatically monitor this. And whenever something changes, something wrong is happening. because each IP address should have a unique Mac address. There should be no duplication in the network.

So I'm going to do another ARP poisoning attack exactly like we did it before. And when we come here, you'll see that XRP is giving us a notification and telling us that something's happening. It's telling us that the Mac address for the router, which is 1020-14-oneIP, has changed from this to that. And if we look here, I'm going to click, OK? And if we look here, we can see that the affected machines are the router, which is my own machine right now, and the attacker. Sorry, that's me. and that's the attacker. So basically, we know that the machine at 1020-14-203 is trying to do an IRP poisoning attack because that's the one that the router's Mac address has changed to. Therefore, we know this is the attacker's machine. So this tool is really handy because it does the monitoring automatically for us and will tell us whenever someone is trying to ARP poison the network.

2. Detecting suspicious Activities In The Network

Okay, so now let's see how we can use Wireshark to discover suspicious activities in our network. And before I do anything, I'm going to go to the preferences, and I'm going to go to Protocols ARP, and I'm going to enable the option to detect ARP request terms.

What this will do is actually discover if anybody is trying to discover all the devices on the network, and it's going to give me a notification. So I'm going to click on OK, and I'm going to start my capture. And now I'm going to my California machine and running Net Discover. So I'm not going to do IRP poisoning; I'm only going to try to discover all the connected devices to my network. So we're using the same command that we used before the Net Discover interface and the range and hitting Enter, and we can see that NetDiscover completed and discovered all of our devices.

So if we come here even before we look at the output of the notifications, let's just look at the packets that have been generated. You can see that there's a device here; this source is broadcasting. So basically, it doesn't have a destination. It's asking about all the other devices in the network and inquiring about each possible IP. So it's basically asking who has this IP and telling the 67 IP, and then it's asking who has the 241 IP until the 67, who has the 251, and telling the 67. And it's doing this for every possible IP.

So it's basically checking if any possible IP in the range exists, and it's asking to return the response to the IP at 1020-1467. So from this, we can deduce that someone is trying to discover all the connected devices, and that someone is at 1020-1467. Now, if you go on the analyse and export information page, you'll see that we detected an ARP packet store. So basically, it means that there was a single device sending a very large number of ARP packets. So they're probably trying to discover connected devices or connected ports. So it's telling us that this person is trying to do something suspicious. Now let's go, and I'm going to do an ARP poisoning attack, and we'll see if we can get any notifications or warnings in wireshark.

Now I'm going to go to analyse and export information again, and if we look, we'll see we have a warning here, and the warning is telling us that there is a duplicate IP address configured. So again, this is telling us that the IP address of the router had two different Mac addresses. What this means is that, basically, someone was tampering with this and tampering with our ARP table, trying to place themselves in the middle using an ARP poisoning attack. Now, we've seen a number of methods to detect ARP poisoning. Let's discuss how we can prevent it or protect ourselves from it.

Now, I'm just going to run an ARPA, and we're going to look at our table. There are switches that will monitor this for you as well, and they'll notify you or even prevent ARP poisoning attacks. Another method is to look here, at your router, and notice that this entry in the table is dynamic. So the type of this entry is "dynamic." That basically means that this could change. The system allows this value to be changed. You can see right here that you have static values, which basically means the system will never allow these values to change. So you can use static ARP tables, which basically means that you'll have to configure each IP address. So you must actually configure your ARP table and map each IP address to the relevant Mac address.

But once you do that, even if someone tries to send a response to your computer trying to change it, the system will refuse to change anything because you configured your ARP table to be static. The only problem with that is that every time you connect to a network, and every time a new device connects to your network, you'll have to manually configure that device to work with your network.

So it's not a very useful solution. If you're in a big company or a big firm, but maybe in a small house or a small company, then this would be a really good solution to prevent ARP poisoning attacks because everything is going to be static. You're going to have to set it up manually. But when someone tries to do an ARP poisoning attack, even if they're successful and they use the best tools they can, your table is set up in such a way that it's fixed and can't be changed. So the system will always refuse to change the values of the Mac addresses, which basically means ARP poisoning attacks will never work against you.

CEH certification practice test questions and answers, training course, study guide are uploaded in ETE files format by real users. Study and pass ECCouncil CEH certification exam dumps & practice test questions and answers are the best available resource to help students pass at the first attempt.