WEBVTT

00:01.440 --> 00:02.440
The previous lecture.

00:02.440 --> 00:08.600
We get these responses from doing the ARP attack, okay.

00:08.640 --> 00:09.840
ARP spoofing attack.

00:10.560 --> 00:15.240
And here we see that we are receiving these ARP packets, okay.

00:15.280 --> 00:16.840
Or ARP layers.

00:16.840 --> 00:22.200
Here we have the op, that you see that it is an is-at type.

00:22.240 --> 00:26.720
And also you see the source, uh, hwsrc.

00:26.880 --> 00:29.560
And you see the IP you see the destination.

00:30.680 --> 00:31.040
Okay.

00:31.520 --> 00:40.440
So uh, the how can we create a program to detect this okay.

00:40.480 --> 00:41.280
We need to create.

00:41.320 --> 00:49.360
A program that checks if this, um, IP address, if this MAC address belongs to.

00:49.400 --> 00:53.200
This one, to this IP, which is psrc.

00:53.240 --> 00:53.640
Okay.

00:54.400 --> 01:00.720
Actually we need to get the real MAC address of the computer and also the response MAC address.

01:00.760 --> 01:02.400
So this is the response MAC address.

01:02.400 --> 01:07.400
And also we need to get the real MAC address.

01:07.800 --> 01:11.320
You know we had a function here called get_mac.

01:11.560 --> 01:12.800
By using its IP.

01:12.840 --> 01:14.400
We get its MAC address.

01:15.040 --> 01:20.640
So we will be using this get_mac to get the real MAC address of a computer.

01:20.640 --> 01:25.560
And also we will be able to get the response MAC address from here.

01:25.600 --> 01:26.040
Okay.

01:26.080 --> 01:26.840
Very easy.

01:27.320 --> 01:33.280
Now let me copy this function from this program that is the ARP spoof program.

01:33.280 --> 01:35.640
And I will be able to use it right here.

01:35.680 --> 01:36.080
Okay.

01:37.360 --> 01:41.080
Uh, let me put it up here.

01:41.320 --> 01:41.760
Okay.

01:42.680 --> 01:47.800
And this is one of the goodness of writing all your code in functions.

01:47.880 --> 01:54.080
Now, I don't care if it is good or not, if how it is working.

01:54.120 --> 01:55.240
Okay.

01:55.280 --> 01:59.440
And I will just use it, and I will collapse this.

01:59.440 --> 02:00.360
Space now?

02:00.920 --> 02:01.800
Right in here.

02:03.560 --> 02:09.440
Before, we were just showing the details inside this packet that we are.

02:09.480 --> 02:10.840
We were receiving.

02:11.840 --> 02:14.760
Now, I will get two things here.

02:14.800 --> 02:15.000
Okay.

02:15.040 --> 02:24.280
One of them is the real MAC address, which is equal to get_mac, get underscore mac, which is a function.

02:24.280 --> 02:25.360
You know that okay.

02:25.400 --> 02:33.520
That we have it here by using its IP, it will give me the MAC address, okay.

02:33.560 --> 02:34.720
The real MAC address.

02:34.920 --> 02:38.960
So how can we get the IP for this one.

02:39.120 --> 02:41.120
So we need to use packet.

02:41.160 --> 02:41.600
Okay.

02:44.080 --> 02:51.640
Here we need to use scapy.ARP because the response is an ARP response, okay.

02:52.160 --> 02:59.750
And also the source, which is psrc.

03:00.270 --> 03:00.630
src.

03:00.670 --> 03:01.030
Okay.

03:02.350 --> 03:03.910
And let me show you that.

03:03.950 --> 03:07.310
Here we have psrc.

03:07.350 --> 03:08.150
This is the IP.

03:08.190 --> 03:12.030
We will be giving this IP, which is the Kali Linux IP address.

03:12.030 --> 03:17.790
And it will give me this MAC address, which is the real MAC address for this machine.

03:17.830 --> 03:18.710
Okay.

03:18.750 --> 03:21.590
Let me show you that if I use ifconfig.

03:21.750 --> 03:26.630
Now you see that this is the real MAC address for this one.

03:26.750 --> 03:29.230
And also this is the real IP address.

03:29.430 --> 03:32.950
See that is here.

03:33.270 --> 03:36.510
Now by giving this IP address it will give me the MAC address.

03:36.590 --> 03:42.030
And that is called real MAC address here that I store it there.

03:42.470 --> 03:45.190
And also we need to get the response MAC address.

03:45.190 --> 03:49.150
So let's use response_mac.

03:49.150 --> 03:51.030
It is equal to.

03:51.030 --> 03:54.630
Again we need to have packet okay.

03:55.470 --> 04:01.030
And also scapy.ARP because it is an ARP response.

04:01.510 --> 04:06.550
And here we need to use hwsrc.

04:06.590 --> 04:15.470
hwsrc, because that is here, hwsrc, right now.

04:15.590 --> 04:18.630
This will give me the response MAC address.

04:18.630 --> 04:24.510
Now we will be checking if this, uh, hwsrc, which is the response MAC address, okay.

04:24.550 --> 04:28.790
If this is equal to real MAC address, that is again this one, okay.

04:28.830 --> 04:31.150
If that is this both are equal.

04:31.150 --> 04:32.710
So we are not under attack.

04:32.750 --> 04:35.030
If this both is not equal.

04:35.030 --> 04:37.430
So we were we are under attack okay.

04:38.710 --> 04:43.470
So uh here I need to check that.

04:44.190 --> 04:45.550
So how can I check that.

04:45.630 --> 04:46.910
I can check that like this.

04:46.910 --> 04:58.070
If this real MAC address is equal to response MAC address, we will be doing something here like.

05:04.470 --> 05:06.950
We will print a text here.

05:12.070 --> 05:13.510
Like you're not under attack.

05:13.510 --> 05:16.470
But let's check the opposite of this one.

05:16.470 --> 05:21.830
If real MAC address is not equal to response, okay, that is better.

05:23.070 --> 05:27.150
If these both are not equal, then we are under attack.

05:27.150 --> 05:32.390
So I will say that you are under attack.

05:33.670 --> 05:34.030
Okay.

05:34.350 --> 05:38.030
So right now it will be working perfect.

05:38.230 --> 05:46.550
But sometimes this get_mac will not be able to get the MAC address for a computer, okay.

05:46.630 --> 05:48.070
For this machine.

05:48.070 --> 05:50.590
So for that it will give me an error.

05:50.590 --> 05:54.790
And here we need to use a try and exception, okay.

05:55.390 --> 05:57.790
It will say that IndexError.

05:57.830 --> 05:57.990
Okay.

05:57.990 --> 05:59.070
Index out of range.

05:59.070 --> 06:00.030
Something like that.

06:00.030 --> 06:02.630
So we can handle that very easily.

06:02.630 --> 06:07.510
We use try here and in one tab.

06:09.630 --> 06:11.830
And here use except.

06:14.110 --> 06:20.150
Add the name of the error, which is IndexError.

06:22.230 --> 06:24.430
And here let's use pass keyword.

06:24.430 --> 06:26.070
So it will be just passed.

06:26.670 --> 06:30.910
And you see we use sniff function here.

06:31.190 --> 06:33.630
Now let me save this okay.

06:33.670 --> 06:35.790
And come back right here.

06:38.910 --> 06:40.110
Let me clear this.

06:43.670 --> 06:44.230
Okay.

06:45.630 --> 06:47.350
Now if I execute this.

06:50.750 --> 06:54.990
Because we are not under attack, it will do nothing okay at all.

06:55.550 --> 06:58.180
Now let me come back to the Windows machine.

06:58.380 --> 07:01.260
Try to again execute this one.

07:01.380 --> 07:01.740
Okay.

07:05.420 --> 07:08.900
And you see that it is telling me that you are under attack.

07:09.220 --> 07:09.620
Okay.

07:10.260 --> 07:10.940
Perfect.

07:11.500 --> 07:13.940
Each packet that this is receiving.

07:14.180 --> 07:14.860
Okay.

07:14.900 --> 07:17.580
It will print me that you are under attack.

07:19.220 --> 07:19.580
See?

07:22.020 --> 07:23.300
Isn't that cool?

07:24.820 --> 07:26.260
It is very beautiful.

07:26.300 --> 07:27.420
Very cool.

07:27.820 --> 07:28.180
Okay.

07:28.820 --> 07:29.140
So.

07:31.100 --> 07:34.740
And you see that we are having some kind of mistake here.

07:34.740 --> 07:37.940
We don't need to put this inside this.

07:37.980 --> 07:40.460
We need to put them outside of.

07:42.580 --> 07:49.980
That curly brackets that will make it look more beautiful.

07:50.020 --> 07:51.260
Something like this.

07:51.300 --> 07:51.740
Okay.

07:53.260 --> 07:55.940
Now, if I use Ctrl C again.

07:55.940 --> 07:58.100
If I use like this.

07:58.180 --> 08:04.900
If still we are under attack, so we will be receiving; if we are not under attack, if the attack is finished.

08:04.900 --> 08:07.100
So we don't have anything at all.

08:07.380 --> 08:09.180
Okay, let's see here.

08:09.380 --> 08:10.700
We are not under attack.

08:10.740 --> 08:11.180
Okay.

08:11.660 --> 08:15.060
You see, attack is 24 packets sent.

08:15.060 --> 08:19.580
And here you see that we receive a get_mac, uh, error.

08:20.100 --> 08:23.820
That means it could not get the MAC address for Kali Linux.

08:23.820 --> 08:26.460
So it gives me something like that.

08:26.500 --> 08:30.020
Again, if I execute that, once again, we see that attack.

08:30.020 --> 08:31.900
Right now, you see you're under attack.

08:31.940 --> 08:33.180
We are receiving that.

08:33.700 --> 08:38.940
And you see that it is doing the attack on the machine.

08:38.980 --> 08:39.780
Okay.

08:39.820 --> 08:48.900
So here you learn how to create an ARP spoof detector program that is working perfect.

08:48.940 --> 08:55.780
Okay, so thanks for watching and I will see you in the next lecture, which is very, very cool.
