No SPAN Port? No Tap? No Problem!

This webcast was originally published on July 14, 2021.

In this video, John Strand discusses the innovative techniques for home network defense by leveraging ARP cache poisoning and various security tools. He explains how ARP cache poisoning works and how it can be used to route all traffic through a single device for monitoring and analysis. The video also covers the setup and integration of tools like RITA and Security Onion to analyze and defend home networks effectively.

  • The webinar focuses on enhancing home network defense through ethical hacking techniques.
  • It highlights the use of open source tools like RITA and Security Onion for network monitoring and threat detection.
  • The presentation demonstrates practical applications of ARP cache poisoning for network traffic analysis.

Transcript

Jason Blanchard

All right, everybody, welcome to this Black Hills Information Security webcast. It is Thursday afternoon, but that doesn’t matter. You’re probably watching the recording or you just show. And it’s great to have you. Thank you so much for being here. If you’ve never been a part of a Black Hills Information Security webcast before, well, you are now.

So John’s going to teach. We’re going to answer Q and A. We recommend that you join the Discord channel because there’s over a thousand of you right now, and we don’t scale very well.

So if you ask questions inside gotowebinar, we’re like, we’ll get to it the best we can. But if you ask the questions inside discord, then the whole community can respond to your question and help you there.

So if it’s hard for you to look at discord and watch and all the other things, then you do what’s best for you. All right, John, if anyone ever needs a pen test, where to find us.

John, it’s all yours.

John Strand

Yeah, we do. Oh yeah, marketing. Yeah, we do pen testing, network threat hunting, SOC services, and sometimes hugs, I guess. Whatever. All right, so let’s get on with it.

So everyone, this is a presentation I’ve been working on for quite a while. And it’s funny that Bo is on here because Bo is really the person that got me hooked into how to do this.

And we’ll talk about some products and things like that. And basically we’re doing better home network defense through hacking. And yes, I used Leet speak on hacking because we’re afraid that Google is using like OCR and anything to do with hacking or penetration testing.

They’re going to flag it and be like, well, that’s dangerous. And someone might learn something in the webcast about defending their network. So we got to shut those videos down. So that’s my attempt to fool the artificial intelligence algorithm for Google.

And I know it’s an absolutely weak attempt to do so. So what are we covering? The thing I want to get at is building a home network sucks. Like trying to actually implement home network defense at like an open source enterprise grade level is an absolute nightmare.

Doctor parasite. A custom hug from me just means come to one of our conferences and come up and say, I need a hug. That’s all I need. I’m not afraid of physical contact with random strangers.

Probably a story that we’re not going to get into. But when you’re trying to lock down that home network, you have a lot of tools that require a span or a tap or a mirrored port to be able to track that.

In fact, we’ve actually done webcasts where we’ve talked about MikroTik routers and how some of the MikroTik routers that are out there have the ability of actually spanning that traffic over.

And that’s great. But people are freaked out by MikroTik from Eastern Europe. And then there’s other devices that you can get and you can buy them, and then you can also do things like pfSense.

pfSense is awesome. I think Ralph runs pfSense at home. It’s an awesome product to get set up, doesn’t cost anything, has amazing functionality. But there’s a lot of people that look at pfSense and they’re just like, no, no, it’s a little bit more than they actually want to jump into.

Right? And Droghi brought up a good point. Setting up VLANs and mirrored SPAN ports at home is a lot of fun, and you learn a lot. But once again, there’s a lot of people that have a lot of episodes of Schitt’s Creek or maybe Game of Thrones, which you shouldn’t be watching because it ends horribly, that they want to watch.

So they want to get that enterprise grade level network threat detection, but they don’t necessarily want to put the time into it. And I can totally relate with that. So what do we do?

So what we tend to do in this industry and outside of this industry is we get complete garbage like Disney Circle, right? We’re gonna put in home network monitoring, and we’re gonna do it through the Disney Circle app, which is horrible, right?

You can say, okay, I wanna block porn, I wanna block video games. I wanna do these things, block videos, okay. But for a number of us are like, well, I wanna look at all the DNS requests that came through my network yesterday.

I want to be able to look at network bandwidth usage. Ubiquiti for the fail. Thank you. I want to look at the types of analytics. Maybe I want to do beaconing, maybe I want to run Suricata at home and actually do intrusion detection.

And none of these products give you that capability to get down to the level where you can get analysis at network traffic like you would at work.

Right? Because all I ever really want is I want to run Zeek, Security Onion and RITA at home, and I want to do it quickly and easily without buying a bunch of additional hardware, trying to set up my own wireless network and all these different things.

And, yeah, people are throwing up all kinds of different products, right? And we got EdgeRouter X, solid product from Ubiquiti, which of course they were compromised. We don’t know the extent of how bad it was, but bad seems to be the order of the day.

We got MikroTik TaZmen Sniffer Protocol. There’s all kinds of different things. Graylog, right? Maybe you want to use Graylog and you want to be able to dump your network traffic into that. So there’s a whole bunch of options that you can do, but holy crap, unless it’s what you’re doing, it’s not something that’s just going to set up in like 10-15 minutes at home.

So the 10-15 minute solutions, like Disney Circle, which is total trash, by the way. It’s garbage. So what many of us do is we just roll with whatever the default crap that we get from our firewall vendor and hope that it’s okay.

Everybody wants to do better in this industry. There’s tons of us that want to get involved and they want to start learning these things. And many times we can’t learn how to do and play around with these technologies because we can’t do it at work.

So how are we going to fight that? So here’s my problem. Just these damn mental blocks we were talking about at the beginning of the show. Penetration testing for me means something very specific.

If we talk about promiscuous and non-promiscuous backdoors, that means something very specific to me because I’m old in this industry. Whereas other people would hear me say that and be like, that just sounds dirty.

It gets into this weird block. The other thing that happens in this industry all the time, constantly, is this huge separation between defense and offense.

Like, we have people in the community that are very offensive in nature and they pretty much keep to themselves. And then we have people that are very much in defense side and they pretty much keep to themselves.

And for whatever reason, these two groups don’t mesh nearly as well as they should. Right? They just shouldn’t. I’ll give you an example.

We spend a lot of time these days looking at SIEMs and looking at alerts from our customers doing purple teams. And there’s a ton of techniques that we do at Black Hills Information Security in our pen tests, and the customers are like, why doesn’t our product detect that?

Now I can rip on the vendor. That’s absolutely something that we can do. We can have that conversation. But the reality is many of the defenders live and work in a room and many of the attackers live and work in a room, and they don’t communicate very well.

You got things like JPCERT, which does a really good job of breaking down attacks, which event alerts are generated from those. But we don’t see that percolate down to the products as fast as we would like to.

In fact, there’s techniques in this industry that we’ve used for years, and there are no detects for them. So, once again, you have this separation between the two groups.

But the separation between these two groups isn’t just something that exists between the two groups. It also bifurcates us as individuals.

So, like, for me personally, for years, I would teach offensive techniques, right? I’d be teaching how to break into networks. I was breaking into networks up until the point I became upper management.

I just do PowerPoint presentations, and every once in a while, they let me out of an office so I can do something technical and fun. Please send help. But I did offensive stuff, and then we started working on defensive stuff, specifically things like RITA, Real Intelligence Threat Analytics.

And really, I’ve noticed whenever I think about these two issues, I very much separate the way I look at these two issues. Like, I’ll be talking just about offensive when I’m talking about offensive things on the BHIS side.

And then when I switch over to the defense, I talk defense. Now, there’s some stuff that bleeds, right? Like, I’ll say, hey, here’s the top ten things that we need to be able to detect in our SOC, our security operations center.

And that’s based on what we’re seeing again and again and again in our penetration test. There is some bleed over between those two things, but there’s very little in the way of actually going through infusing the defense and the offense together.

The closest I’ve got is cyber deception, where we use offensive tactics to trick the attackers to download and run malware, in the form of documents and spreadsheets, which we teach in our cyber deception class.

That’s one of the Pay What You Can classes, by the way. If you’re looking for a Pay What You Can class, next week I’m starting Pay What You Can SOC Core Skills, and then it’ll go Intro to Security and then Cyber Deception.

It’s on a three month rotation, so that’s coming up. So check that out, and somebody will, hopefully, somebody hopefully will post a link on it here in just a little bit. We’ve had problems with RITA.

There’s lots of people that are like, I’d love to play with RITA, but I don’t have time at work, and I can’t set it up at home. So how do I get RITA to work in a small network without a tap or having to buy additional equipment?

Or they say my wireless network is just complete garbage. It’s like the cheapest Netgear I can find. I’m never going to be able to do anything with RITA on that. For years, I’m just like, yeah, that sucks.

But hopefully you can find some equipment, and then you can start doing this. Also, we’re trying to get more people to use it at home. We have a couple of people that have reached out to us, and they say, hey, they detected an attack, and they were able to see the attack through RITA, and they talked about setting it up at home, but their setups are usually fairly big, complicated setups that they have as well.

And it’s weird, because Chris Brenton and I like the whole gist of this entire presentation. Whenever I found out about it through Bo, actually, and I was talking about it with Chris and Bill Stearns, it was like, well, that’s stupid.

The solution is actually really stupid. Simple. If you just spend 30 seconds thinking about it, it just clicks, right? And honestly, you’re most likely going to feel dumb, too.

Like, I felt incredibly stupid whenever I actually figured this out. And I was like, oh, crap. So people don’t need to have a really expensive tap or a SPAN port, or go buy completely different equipment, or set up an entire pfSense infrastructure to be able to pull the packets down and actually make it work.

So, yeah, it turns out Chris and I and Bill Stearns have been teaching for years how you can actually route all traffic on a network through one device without needing a tap or a mirror to do it at all.

Like, literally, we would teach this once, maybe twice a month, and we never clicked these things together. And we feel stupid for not figuring it out, like, for RITA and Active Countermeasures.

We’ve been teaching the damn stuff for, like, five years now, and we never, ever, like, put the two together. Some of you see it now. I’m actually seeing it pop up on discord, and people are like, oh, my, yes, we can actually do that.

But me, through sheer brilliance, stole the complete idea from these guys, Firewalla. So I was talking with Bo, and I was complaining about just how unbelievably crappy all of the different home solutions are.

Because I have teenagers, I would like to have greater control over how I can actually protect the network without having to put up a SPAN or a tap.

Now, some of you be like, well, just go buy this stuff. You do this for a living. True, but I’ve got a lot of crap I’ve got to do. Now, when he was explaining Firewalla to me, I was kind of pooh-poohing it.

He’s like, dude, this thing works. It sets up, it routes all the traffic through. You have full ability to actually monitor. Let me actually bring up my Firewalla app that I have here.

So what do I have? Full access on my networks. So if I look at some of the things that Firewalla can do, I can shut the entire Internet down remotely. I can shut down gaming, I can shut down social media, I can shut down videos.

I can look at the data usage for each of the individual users on my network. I can block ads, I can open up ports. I can actually monitor the overall network and see what all people are using my network.

I can set up DNS or disable/block DNS over HTTPS. Is it a hub? No, it’s not. It’s not a hub at all. And I can literally look at what web pages people are going to, how much traffic they’re actually using.

And here’s the kicker, you just plug the damn thing into an Ethernet port and it works. Now, what exactly is Firewalla doing under the hood?

Firewalla is doing ARP cache poisoning. Like, seriously, you plug it into the network, it ARP cache poisons the network, reroutes all the traffic through it, forwards it out to a gateway, and then you have full network monitoring.

Now, some of the devices that they have, actually, all their devices, some devices you plug into will actually lock down ARP cache poisoning.

Then you can disable DHCP, and I’ll talk more about that here in a second. Then the Firewalla device will become the DHCP server, will become the gateway, and then hand out DHCP IP address leases.

So that’s. Did we crash their website, by the way? I’m not getting. Somebody can go on Twitter and tell them we said sorry, but we’re doing a webcast that has, let’s see, 1362 people on it, and we just basically hugged their website and brought it down.

So seriously, you plug it in, and in five minutes I have the level of control that I want, but I don’t have network visibility. I can’t do beaconing analysis.

I can’t set up Security Onion, I can’t set up RITA, but I totally can use the exact same techniques that Firewalla does to basically route the traffic to have me do these things as well.

So Firewalla hasn’t paid me. I’m not getting any commissions on this. Although just to be completely honest, I’m not averse to that. If they wanted to say thank you in some way, I would appreciate that.

But their devices are stupid cheap. Like, I got the Firewalla dark blue, I got two of them. And that’s really, really, really just super simple. I just know that Firewalla is freaking out right now.

But, hopefully they’re okay with it. And they’re like, wow, we’re sending lots of people. So anyone monitor this monitor makes sure it’s not doing shady shit. Paco, it is literally doing shady things.

I mean, not in a bad way, but it’s using ARP cache poisoning to reroute the traffic through it. And for years, ARP cache poisoning is what we taught at every single class that I taught for a decade and a half in this industry.

It’s very, very, very, just super cool what they do. And once I found out what they were doing, I’m like, I can totally do this, and I can put whatever the hell I want.

I can put in Security Onion, I can put in RITA. And that’s what I’m going to talk about now. Let’s go through, and let’s talk about ARP cache poisoning and cover what this is doing and why it works.

Okay, so ARP cache poisoning sounds bad. And I liked how somebody said we should probably rename it to ARP cache grooming or ARP cache reconfiguration as well.

It’s cool. And Bo just basically said you can install it yourself. They have a GitHub repository as well. I personally like it better than pfSense. I think pfSense is more powerful, but just getting it up and running and locking things down, it works really, really, really well.

Let’s jump in and let’s talk about what it’s actually doing. And then I’m going to walk through the steps that I went through in about 10-15 minutes to get a full configuration set up and ready to go.

All right, so let’s talk about address resolution protocol. Whenever you’re looking at networking, a lot of times you’ll hear about the OSI model. Please do not throw stale pizza away.

Everyone has to learn it. No one really knows what the actual layers do because it’s complete garbage. The OSI model is crap. I’m sorry if you’ve gotten that in job interview or it’s on a test.

It’s just crap. The reason why is basically the better model is the Stevens four layer model. The Stevens four layer model more tightly aligns to what you’re seeing whenever something actually routes on the network.

OSI is garbage. Stop asking people about it in interviews. If anybody asks you about it in an interview, go research the history of it. There was a company in Germany, they got into a huge argument about the application layer and they called it the presentation layer and they didn’t want to call it the application layer, so they just said screw it, we’re just going to add another layer and call it the presentation layer.

That’s not how standards should be written, but that’s just my rant. So predominantly when you’re looking at how computer systems actually connect out to the Internet, there’s a couple of key protocols that we’re actually going to be using.

Whenever your system first plugs in, it’s going to send out a DHCP request, Dynamic Host Configuration Protocol request. The way Firewalla works and the way that you can set it up is you can disable the DHCP server on your home router and just stand up your own and then have the gateway be your RITA, Security Onion.

Maybe you’re going to download the GitHub repository for Firewalla and set it up. You can set all of that up and reroute it. That’s the more difficult way to do it. The way that it works on most devices is just by plugging it in and then it does ARP cache poisoning.

Now, what the hell does ARP do? So whenever you’re looking at layer two, whenever your computer system tries to connect out to the Internet, it has to learn where the gateway is.

Now it can get that through DHCP and it can also ARP out a request where it basically broadcasts to every single IP address on the subnet.

And most subnets are /24 subnets. I’ve seen some devices that do like /16s, but it’ll hit out to 256 different IP addresses.

I want the MAC address for 10.0.0.2. I basically stole these graphics directly from Wikipedia because I’m now lazy and I can do that.

This ARP request will be broadcast out to every single IP address on the network.

Now according to the RFCs, whenever the real system that’s at 10.0.0.2 sees that ARP request, it’s supposed to return back its MAC address or its media access control address.

Now a media access control address is a unique identifier for every single Ethernet adapter on the planet. I should have put that in the air quotes.

It’s air quote unique because we can actually change our MAC address. But by and large, most of the time, like actual hardware devices will have unique MAC addresses identified by the vendor.

A lot of times the first three bytes are the OUI, the organizationally unique identifier for that device. So like if I buy a System76, it has an Intel card, the first three bytes actually identify it as.

I did think that too. I think there might be too many digits in that picture. But hey, it’s the Wikipedia, but there’s going to be a unique MAC address for this system, and then I will have another unique MAC address on this phone.

The reason why we do this is we need to make sure that we’re not going to run into any collisions. At layer two, when traffic is being sent from one host going out to the Internet, you’re going to have a situation where we can uniquely identify the gateway, we can uniquely identify the other hosts that are on that switch.

So that system, host A, will store the MAC address IP address combination for the system on the right, host B. It’ll store that combination in its ARP table.

The switch will also store in the CAM table, the content addressable memory table on the switch, which ports, IP addresses, and MAC addresses are being utilized.

This is how your little network that you have at home gives you the ability to actually remember where the gateway is, remember where the individual hosts are, and it allows your system to route the traffic out to the Internet by using this layer two.

Now what’s interesting is at layer two, whenever you connect to the Internet, let’s say I want to go to Google, 8.8.8.8.

I can look at my network traffic and I can see the IP address for the destination will be Google’s IP address, but the destination MAC address will be the MAC address of the gateway.

So if my system is trying to connect out to the Internet, if it’s trying to go to [email protected] or firewallet, uh.com or whatever those things are, that packet that is sent from your system is going to have the IP address of the system it’s trying to connect to, but the MAC address will be the gateway.

Now that gateway is set up, it has something that in Linux systems is ip_forward. So when it receives that packet and it looks at the MAC address, it’ll basically discard that MAC address and then it will route that packet out to its default gateway and send it out to the Internet and then it’ll basically go on in layer three on its way.

If you’re on a network, what you want to do is you want to become the gateway on the network. So all of the systems will send all of their traffic through your computer system so that you can see everything.

And that’s what Firewalla does. Firewalla, it goes to every system on the network and says, hey yo, I’m the gateway. Send all of your traffic to me. And then they do send all of their traffic through you and then out to the Internet.

Now, as an attacker or a tester, we would do that so we could sniff things like user ids and passwords. Sounds like running a production grade managed instance of responder.

Responder is very different if you’re looking at what Responder is doing. Responder is responding to Link-Local Multicast Name Resolution, which is sent out broadcast, mDNS, which is sent out broadcast, and then NetBIOS Name Service, which is sent out broadcast.

It’s similar, but it’s not actually address resolution protocol. So it’s a little bit different. And then actually doing that as well.

That’s how this works. We’re going to basically identify ARP. If we’re looking at how ARP cache poisoning works, one of the things that we want to do, and I love JD 50 saying this takes me back.

It absolutely does. If you’re running something like arpspoof and you’re watching what arpspoof is doing, arpspoof basically sends out to the broadcast address and sends ARP replies to every system on that network.

Absolutely every system on that network. So you can see that broadcast address is ff:ff:ff:ff:ff:ff. That’s 48 bits for that MAC address.

That ff:ff:ff:ff:ff:ff is the broadcast address on that network. Every single system, when you first plug it into a network, sends out DHCP requests to get their gateway routing information, IP address information, and they will send out broadcast packets via DHCP to get that DHCP server to respond.

So having packets go to a broadcast address isn’t abnormal. It actually happens all the time and it’s a very regular occurrence on networks.

So I’ve had some people say, well, we’re just going to block broadcast packets. That would be bad. Ray, don’t do that. That’s like crossing the streams. You’re going to shut down DHCP.

Now some smart enterprise devices will learn what port on the switch is the DHCP server and they will only allow that system to respond. But we’re not talking enterprise right now.

We’re talking home, talking about very, very basic things that we can actually pull. So we send out that broadcast address or send out that broadcast packet, then we send out an ARP reply.

Now what’s weird is there was no ARP request. None. So because we’re sending out an ARP reply, it’s called a gratuitous ARP.

We’re just sending out these ARP packets saying, hey, this particular IP address, this is my gateway on my wireless network, on my phone. 192.168.164.229 is now at this MAC address.

So, like, before I set this up, this is literally how I set it up. I set a wireless hotspot. I joined my phone to the wireless hotspot, and then I immediately started ARP cache poisoning my wireless hotspot.

So what I’m basically telling any other device in this room that’s on my wireless hotspot is no longer get to the Internet through this thing, come through this thing instead.

Then all of that traffic comes through this computer, and then it forwards that traffic on to the real wireless hotspot, and then it allows it to go out to the Internet.

This effectively puts my attack computer in the middle of that stream. So I can see everything that is being sent out to the Internet.

Once again, Yersinia, from the nineties, Yersinia does something different. Yersinia actually attacks routing protocols, spanning tree protocols, VRP protocols. Still a layer two tool, but it takes advantage of other routing and switching mesh protocols, not necessarily Address Resolution Protocol out there as well.

So you can see that this system is effectively becoming a new gateway for all of the systems on the network. Once again, that’s what Firewalla does.

So the impact on this, if you do this correctly, is you have your LAN user on a hub or a switch or a wireless network connecting out to a LAN gateway and going to the Internet.

When we do ARP cache poisoning, we’re basically running all of this traffic through this malicious user. So now the user can sniff absolutely everything.

Now, what’s interesting about this is, by and large, ARP cache poisoning attacks started falling out of favor in the industry. The reason why was really twofold.

One, if you run this on a production server network, yeah, you kind of run the risk of actually crashing something legitimate, especially if you don’t enable IP forwarding, where you echo into proc net ip_forward, you set it to one instead of zero.

Then you’re just a dead end because you want your system to actually route that traffic through as well. Other than the coolness factor, what does ARP spoofing get you that you could not get just from changing the default route on the DHCP server?

Yampi has a good point. Number one, a whole crap ton of people will have no idea how to do that thing. Number two, I don’t have to make any configuration changes on the DHCP server with this.

You literally just plug it in, run a tool, and it’s working, so it’s easier. Yampa. So that would be an example of how that would actually set up as well. So this would be possible with Pi-hole?

Yes, absolutely. You can do this with a Raspberry Pi. In fact, you can set up full RITA, full Zeek on a Raspberry Pi on a home network, and you won’t overtax it at all, like one of the newer ones that’s 64 bit, give it some good memory.

It’s going to work great for these things as well. The question was, but if I am the gateway and I’m getting all the traffic, how do I forward that to the actual real gateway? Well, your system that’s doing the ARP cache poisoning right here, it knows where the gateway is.

It knows where the gateway is. So it’s not ARP cache poisoning itself. It knows where that gateway is when it receives that packet that’s coming in and going to the Internet.

It’s coming into it and going into the Internet. It has forwarding and you have effectively turned your Linux system into a router, and it’ll automatically route it to the Mac address of the real gateway.

And the gateway will handle it, will handle it really, really, really easily, out there as well. So that’s how this works, right? So we set up a LAN user, we can redirect all the traffic and we could send it out to the LAN gateway.

Well, what if instead of using like a Firewalla or something like that, what if we set up Security Onion? Because you can totally set up ARP cache poisoning on Security Onion, and Smithereen’s got it.

You don’t have to use Firewalla. I’m just basically saying we’re going to use the idea of what Firewalla does as well. Use what? For Raspberry Pi?

Yeah, you can use Zeek and RITA, you can install it on a Raspberry Pi 64-bit. You have to do 64-bit so it’ll install Mongo properly. But yep, you can totally set up RITA on a Raspberry Pi.

I’ll give you the instructions. Same instructions. Here are the same instructions that you would set up there as well. So instead of sending that traffic through the gateway or being a malicious attacker that’s trying to route the traffic out to the Internet, let’s send it through Security Onion.

Or what we could do is we could send it through RITA, Real Intelligence Threat Analytics. So we can do beaconing, blacklist detection or deny list detection. We can do long connection detection. We can do all these awesome things with free and open source tools that by and large you couldn’t actually do before.

So Goofy Admin said all the traffic to and from the LAN gateway is only to and from the attacker. That is correct. But there’s also some issues with it as well. Would traffic bog down a standard network card?

No, because most, like home networks, are barely a gig. There just aren’t. And your adapter is a gigabit. So if you’re running a situation where you’re running more than a gig of not just your capacity on your bandwidth, but you’re actually sending sustained gig, yeah, you might overwhelm it.

You might want to make sure that you get a little bit better network card and kind of set it up that way. But yeah, this will work. Absolutely. It’ll actually set it up proxy ARP with service chaining to install a module.

Absolutely. Now, the other question was with craft dinner said, so you can only see the traffic going out. What about host to host communication within the network? We’re going to get to that here in just a couple of seconds.

I’m actually going to talk about that as well. So we’ll get there. All right. So now you can do both. Right. You can run RITA on a Security Onion box and you can set up ARP cache poisoning and then get full Security Onion.

And what’s cool is Security Onion has things for like Sysmon, it has Suricata. It’s like a full network threat analytics dashboard. You sprinkle RITA on top of that and oh my gosh, you’ve got something really, really super powerful that you can actually work with.

So what I want to do is go through the steps that I did the other day. I set up a VM on this system and I was able to have Rita up and running, ARP cache poisoning and Ubuntu, and it took me 10 to 15 minutes to get it set up.

And I think that that really kind of speaks to why this is something really cool that we can do. So you can have like full network monitoring, full stack network monitoring at home on really crappy hardware devices as well, which is really really really cool that you can actually deal with as well.

All right, so first thing you need is Ubuntu 18.04. Now I used Ubuntu 18.04 because we have coming out in the next couple of weeks a version of Rita that works in Ubuntu 20.

But right now we support like Ubuntu and CentOS and Security Onion and a couple of other things. So I installed Ubuntu just because it’s long term support.

We don’t quite have the install script to the point where it completely supports 20. But it’s coming. But yeah, you just download it and you set it up as well.

So here we go. What do we have? You missed the anti, oh, okay, here we go. So, installing Rita. So this script that you can download from the Rita website, one of the things that we really tried to get away from with Rita was trying to make Rita a lot easier to actually use with Rita.

You can go through the install instructions. One of the first editions of Rita that came out, you had to install and configure your Golang environment, and you had to do all these different things. And it really made me mad.

So instead what we have is if you’re running on Ubuntu 18.04, Ubuntu 16.04, Security Onion, CentOS, you just basically download and run this install script.

That’s it. It’s just real, real super easy to use. You have to chmod it to add executable. So you’re just doing chmod +x on the install script and then you run it. When you run it, it basically fires and it does everything for you.

Oops, that’s not cool. Here we go. Yeah, don’t do this on Windows subsystem for Linux, please. Networking on Windows subsystem for Linux is a hot mess.

And the reason why it’s a hot mess. Did you guys know that if you’re on Windows subsystem for Linux and you’re on the host of the Windows subsystem for Linux, localhost will be the local host and the Windows subsystem for Linux system.

It’s so dirty. It’s so wrong. Yeah, it’s weird as that as well. So to run it, all you need to do is just become root. And then I do install and it automatically installs Zeek, it automatically installs Mongo, it automatically sets up Rita, configures the entire thing for you and it’s done.

And this literally takes maybe, maybe five minutes to take your Ubuntu system and have it set up to the point where now you can do full Zeek packet analysis and do that stream analysis and connection analysis, DNS analysis, X.509 certificate analysis.

It’s all set up and it all works right out of the gate for you. Now, next, one thing that you’ve got to do is you have to install Bettercap. Now if you follow the instructions at the Bettercap website, they’re hideous.

They’re like, well, yeah, you might have to do this thing with libso, libpcap and whatever. They don’t tell you that you actually have to create a soft link to basically link it from one part of the directory structure to another directory structure. The actual website is Linux Hint.

And it’s in the notes below. And I’m going to throw the notes in the Discord channel so you guys can see this.

Really probably the best instructions I found for getting Bettercap up and running very quickly. There’s just a handful of things that you have to do to get it up and running, but really you download the precompiled binaries for Bettercap and then once you have those set up, you install the proper packages, do the soft links, the symbolic links, to basically make it so it finds the right libraries and it works.

So literally five, six minutes to actually get this set up as well. Installing Zeek and Rita, super easy. Setting up Bettercap, super easy. Following the instructions, just really, just not hard.

Now you have pretty much all the ingredients that you need to have to get it set up properly and get it working. Then you just start Bettercap. Now Bettercap used to have a full command line interface, and you still have the command line interface present there.

Now they’ve moved everything in Bettercap into a web UI, which actually is kind of nice if you’re looking for ease of use and trying to set all of this stuff up. Super easy to do to get it up.

And actually, with the web interface, I actually like Bettercap better than the Pineapple. Please don’t freak out and start throwing things at me. It just, just, I like it better than the Pineapple.

I think the Pineapple is awesome from a hardware perspective. It’s really, really cool, but a whole bunch of stuff in the juice bar just doesn’t work as well as it should. And honestly, I’d like to get underneath the hood a lot.

And I don’t know, the Pineapple is neat, but honestly, if I’m actually doing something, I would rather use Bettercap and set it up that way as well. So just my opinion, I know, nothing against the people at Hak5, it’s just, I prefer this.

So when Bettercap starts, you can have it fire up and it’ll automatically try to identify systems that it sees. And then you can run a tool that’ll automatically discover all of the systems on that network segment.

So it’s pretty easy to do as well. Bettercap? Division by Zero asked. You would install Bettercap on the exact same system that you have Rita and Zeek and everything installed.

Literally, if you’re doing this, it’s all on one computer system, and it’s going to route all the traffic through this particular computer system. So no, you’re not going to set it up on multiple computers. You’re going to have one computer, you’re going to run the install script for Rita, you’re going to install Bettercap.

That’s it. Once you get those two things installed, there’s nothing else installed on it as well. So next, what you do, if you look in Bettercap’s user interface in the top bar, you can see there’s advanced, and advanced gives all of the different things that Bettercap can do.

You can do DNS spoofing, you can run caplets, you can run C2, you can do ARP spoofing. And I’m going to run through here with the ARP spoofing. Now, there’s a lot of evil stuff that you can do with Bettercap.

If you’re doing this on a home network, it’s your call. I mean, it’s your home network, but family members might get a little bit frustrated if you run some of the other modules that are running there.

So one of the things with Bettercap is you choose advanced, you select ARP spoof, and then you can select ARP spoof on, and it turns on ARP spoofing. Now, whenever you turn on ARP spoofing and you get it running, there are some weird things that you may not know about ARP cache poisoning.

If you go back to my arpspoof example, there’s a number of you that very astutely noticed that in that arpspoof example, I didn’t specify -t or -r, which means I didn’t specify targets, and I didn’t do double ARP cache poisoning.

We’re doing full duplex ARP cache poisoning. So let me show you what that actually looks like. So if you don’t do full duplex ARP cache poisoning, you’re ARP cache poisoning the hosts on the network, but you’re not ARP cache poisoning the gateway, which means you’re going to see all the traffic that’s going out to the Internet, but you’re not going to see the response, because the gateway knows the MAC addresses of the hosts on that network.

It will send the responses directly to them. It’ll send the responses directly to them, bypassing you.

And that may be valuable. Right. You’re going to see DNS requests, you’re going to see URLs, you’re going to see a lot of stuff, but you’re not going to see the responses. So you can see in this example, you can see that 192.168.1.2 is pinging 8.8.8.8 again and again and again and again.

And you’re noticing that 8.8.8.8 never responds, at least as far as the Ubuntu system that I have set up is concerned. It doesn’t see the responses.

So the traffic’s getting there, but when it’s coming back, it’s coming back directly to the host and bypassing your sniffing system. All right, so what you’re going to do with this is you’re going to change things up a little bit.

So if you’re looking at how this works, whenever you’re not doing full duplex ARP cache poisoning, the LAN traffic from the user will go to the malicious user, and the responses will come back to the LAN user directly.

The responses will come directly. You won’t see the LAN responding back to the malicious user, going back to the standard user as well. Question was, how about putting everything in a Docker image and using the interface?

You totally can. If you want to put it on a Docker image, go for it. That’s awesome. Go for it. To fix that, Bettercap has the ability to enable full duplex ARP cache poisoning.

What this is doing is it’s ARP cache poisoning all of the systems on the network. It’s also, as it’s identifying these systems, ARP cache poisoning the gateway.

It’s telling the gateway you’re the host, and it’s telling the hosts you’re the gateway. So you’ve become all things to this conversation. So now you’re seeing the traffic that’s going out to the Internet, and you’re seeing the traffic that’s coming back from the Internet coming back in as well.

So now you have everything. So now you can see 192.168.1.2 is pinging 8.8.8.8. And then we can see the responses from 8.8.8.8 coming back in.

So how do you even do half duplex? It’s actually a setting inside of Bettercap. You can see down here at the bottom it says arp.spoof.fullduplex. By default,

it’s set to false. You have to go into that configuration setting in the ARP spoof and then you can basically set that to true and then it’ll do full duplex ARP cache poisoning.

Does that answer your question? Yeah. And Smithereen said if you’ve got time to set it up in a Docker image, that makes people’s lives easier going forward. And that’s true, but that’s up to you. I know I’m explaining this stuff and I’m probably making it sound more complicated than it actually is.

It’s really easy. You just run the install script, you install Bettercap, and then you turn on ARP spoofing with the full duplex. It’s literally like three steps to get it up and running.

So super, super easy as well. Why not set up Rita server as a gateway? You can do that if you want to configure and mess around with, with actually setting up DHCP.

This is much easier than doing that. This is literally just plugging in a Raspberry Pi, plugging in a junky computer, setting up a VM on your network that’s doing this, and then routing all the traffic back through as well.

Super easy. Now, Pangolin said, what if you stop poisoning? Will it go back to normal again? It does, but how it does that is interesting.

It re-ARP cache poisons the network with the right answers. So it’s telling everybody on the gateway, on the gateway, I’m the gateway, I’m the gateway, I’m the gateway. When you shut it down, it goes to all those systems and says the gateway is over here.

So it basically fixes the ARP cache poison, or ARP tables, on the guests and on the gateway to set them back up so they can run as well. So super easy. If the Rita box needs to be down for maintenance, does it stop the traffic?

No, everything. After a few seconds, we’ll just go back to the way it was. It’s very low impact on the network as a whole. Just very, very, super cool.

Once you have this set up, all of a sudden you have just some awesome things. Just in a matter of ten minutes, I went through three steps. Install Rita.

Install Bettercap. Start Bettercap. Now I can go into my /opt/zeek/logs directory. I can see that Zeek is actually generating conn logs now.

I’m actually seeing the connections that are being made, and Zeek is logging it now. I’ve got full Zeek at home in under ten minutes on a really crappy wireless router with no span port, with no setting up pfsense, without doing any of those things.

It’s just easy. Easy like Sunday morning. What if the Rita box crashes? Insect asks. Great question. Everything goes back to the way it was in about 10 seconds, because when the systems can’t find where they’re going, they’ll send out ARP requests, and then the systems will re-ARP, reset the network, and everything will go back to the way it was in about ten to 15 seconds.

So, yeah, there’s very low risk for this that you have out there, so just very, very cool when you’re looking at it as well. Let’s see. So would you use this on a small pro engagement in a small office, small flat office?

It would work just fine. It would work just fine. You would be able to set it up very easily. But now I’ve got bro set up. Now with bro running, I can run Rita.

If I want to set up Rita to do analysis and see what’s going on with the traffic, I simply run rita import /opt/zeek/logs, the date that I want to look at, and then I load it into a database.

arprita is my example. It loads all of the Zeek logs, then it actually analyzes the Zeek logs. So it does host analysis, connection analysis, exploded DNS analysis, hostname analysis, beaconing analysis.

It does deny list analysis, all of it. For me to run this on Rita, with Rita being multi threaded in Go, it took maybe 15 seconds to process an entire day’s worth of traffic on my home network, and then I had all the analysis ready to go.

Very, very easy. Does it work on Wi-Fi, or does it need to be hardwired? You can do it either way. What I recommend is actually setting up hardwired, though. You’re going to have better stability if you set it up hardwired than you would on the wireless network, but you can do it on the hardwired network as well.

What makes the host answer from arpspoof rather than the answer from the actual host with the real MAC? The reason why it works is you’re actually sending out, once per second, those gratuitous ARPs, so it’s refreshing those ARP cache tables immediately, so the systems never send out an ARP request because they’re getting the answer back immediately that you’re giving them as well.

What are the chances real ARP responses make it through? Very low, and even with that, it’ll be overwritten relatively quickly. I didn’t run into any of those problems on my network as well.

Traffic is doubled for every poison target on the network. No, it doesn’t. It’s not going to be doubled in that situation. It’s still going to be sending it through.

Your smartphone is required to use Firewalla? I think so. They might have a web interface. I just used a smartphone on it as well. But once again, I want to make it clear, you don’t need Firewalla for this. I’m just using Firewalla as an example of how Bo showed me this cool product and literally opened up and, wait.

We can use the same technique to get Security Onion and Rita, and a whole bunch of other network security monitoring devices in there as well. Won’t ARP spoofing make the network slow down?

No, it won’t. I haven’t seen any network slowdowns at all. My kids play video games while we’re streaming movies. We don’t see any network slowdowns from that anyway.

Just impact it as well. What should I make for dinner? Spaghetti with meatballs. All right. Beacons. Now that I have Rita, I can see what systems on my network and what things are actually beaconing.

I can show the databases and then I can show beacons and I can get beacon data. I can have it dump it in human readable format so it’s a little bit easier to read. I can also generate an HTML report and I can see a full report of my network traffic at home.

This is awesome. It’ll even sort it by day. And this is all free. You can see that I have a perfect beacon score going out to this destination, this 208.67, that’s OpenDNS.

You can see that my system is connecting out to OpenDNS constantly. You can see my DNS backdoor that I set up bouncing through Google’s DNS server.

You can see these beacons on my network. I now have that visibility. I can also now see, I don’t know if you all have seen this, but Rita added in the capability of not just doing beaconing analysis for IP addresses, but it also does beaconing analysis for fully qualified domain names.

So I can see what are the different connections. And what are the beacons that are going out of my environment by domain names as well? So I can get an idea of what’s running on this.

One of the things that kind of freaked me out is this api.ring. I was like, I don’t have any Ring devices in my house. Which kind of made me nervous, because, I mean, Ring is like a camera, and I’m just like, what the hell?

Why do I have this api.ring.com making 759 connections for? Like, what is that? And what I found out is I actually had some Rings that I had set up or I had bought, and they were just sitting around in my house because I play with that stuff.

And one of my kids decided to play around with the Ring camera and the little doorbell thing. It was, like, kind of playing with it. So I found that, and I’m like, get that evil out of my house, son.

We don’t allow that here. So, yeah, that was something like, literally running this. I’m like, what the hell is Ring doing on my network? This is my Pop!_OS, of course, is my.

That’s this system, System76 running Pop!_OS as well. So very, very, very cool. Aren’t most BHIS webcasts an ad for Rita? Pretty much.

But it’s free, right? Yeah. So it’s free. Yeah, pretty much, yeah. So, all right, Rita, you can set it up so it rolls.

So instead of you having to do it manually to do analysis, you can set it up. So Rita actually goes through and just rolls every hour on the hour, and then you can get, like, a full data set in a 24 hours period for Rita as well.

So very, very simple to actually get this ready to go. All right, so does this have Security Onion installed? No, because I barely got it with six minutes left in the webcast.

But Security Onion is actually really, really super easy to actually set it up as well. So. So why do you use. I didn’t use Firewalla in the solution.

I didn’t use Firewalla at all. Once again, I just used Firewalla as an example of how you can do this. So Firewalla is using ARP cache poisoning. I’m like, I can use that for Rita and Security Onion and all these other tools like Zeek.

So, no, Firewalla is not required for this. It’s just Firewalla is how Bo showed me how this could be done. And then I realized we could do it for these other things as well.

All right, so what now? Almost any open source network tool is in play. Another really cool open source tool that you can run on the exact same system would be like ntop.

Since we’re throwing shade at things, I guess ntop is a great tool that does all kinds of different packet traffic recording, network probe traffic analysis.

You can see the protocols. They actually have free versions of ntop that you can run. They actually have a commercial one as well. It’s like ExtraHop, but not like expensive.

It’s been around a lot longer too. So you can run ntop on the network, you can run Security Onion, you could run Passer on the network as well. So just really, really super cool.

And John Bailey. Yep, it’s just Ubuntu, Rita, and Bettercap. And then you can do it, or you can get the Security Onion ISO, spool it up and then just run Bettercap on that.

So Security Onion has a lot of these things set up as well. So as I mentioned, you’ve got open source network tools, a whole bunch of awesome tools. They’re in play now.

They’re absolutely in play. Quick note on ARP versus DHCP. If your device has ARP cache poisoning protection built into it, you can also do the same trick by setting up your own DHCP server.

And then basically you’re making your system the gateway. That’s a little bit more difficult, but it still makes it possible to do it as well. Once again, there’s no reason not to have enterprise open source detection at home now.

Like, and I talked to so many people, like I’d like to work with security onion, but I don’t have the setup at home now you do. I’d like to play with Rita, but I don’t have a span or tap.

Don’t need it now. You can run it at home. Super easy to do as well. So sometimes the best place to learn is at home, right? You’re at work, you’re spending all this time on audit and compliance paperwork, and you’re talking about how you’re going to spend a lot of time on implementation of data loss protection.

And instead of wasting your time on those things, you could do this stuff at work. But you have a job to do. You have things that you have to get done at work. Now when you’re at home, it’s super simple to set these things up.

And really you have no excuse not to. Like, I’m not kidding. It took me ten minutes to get this set up from the beginning all the way to the end as well.

Sometimes home is literally the only place to learn. For many of the security professionals that I work with today, their day job is working with enterprise stuff.

Like they’re working with Cisco, they’re running with all of these different products, and they’re really expensive, and there’s really not a lot of ways that they can learn on their own.

And I also think that for many of these products, like Security Onion, because we can’t run them at home, it slows down the adoption in the enterprise, because if the only place you can play with it is work, and work is just using enterprise grade things, you never get a chance to play with Security Onion or Rita.

You’re never going to use those things. But now if you can implement them at home to learn about your home network, you can learn how to use them. And now you can start basically feeling more confident in introducing those in your work network as well.

So just super cool stuff to do with. So like I said, it’s stupid. I apologize to all of you that it took me a decade to put these two things together. You can thank Bo for that.

And so big thanks to Daft Hack, because I would have never figured this crap out if it wasn’t for him showing me a really cool device called the Firewalla that does this cool thing that all of a sudden cracks the stuff wide open as well.

I feel like I like the pfSense solution better. Sure, that’s fine. I’m not playing the game. What’s better? That’s a dumb game. We aren’t going to play that. But this is an option.

This is something that you can set up at home in 10 to 15 minutes. pfSense is far more powerful, has far more options that you can actually set up with. But ten minutes, I mean, on any network that you have, I mean, come on, that has its own pluses as well.

So let’s not play the game of what’s better, let’s play the game of what are the options that are available to get people into it as well. So there you go. So just tons of cool stuff.

I want to say, thank you so much for coming and hanging out. I was really excited about this. Just super excited. Somebody said if you figured out how to get around Firewalla, hard code your ARP cache tables and Firewalla is not going to pick it up.

You can do that with netsh and you can do it with arpennae on the command line to bypass it as well. So there you go. That’s how you get around. But thanks for hanging out. My name is John Strand. If this is the first webcast you’ve ever attended, this guy is not me, don’t look at him and be like, that’s John without a beard and in great shape.

No, that’s a completely different individual. All, right. And also I want to open it up for questions. So anybody have any questions? We hit right at the top of the hour.

Just got enough time into it as well. So I really, really just appreciate you coming and hanging out. Am I on the keto diet now? No. No, I’m not.

Jason Blanchard

John, we got a question from Goodwebinar. They say, can you put together a how-to guide, like a lab on this for the home?

John Strand

Shoot me an email, I’ll write a blog on it. I guess it’ll be one of those that I don’t do for like six months. But let’s shoot me an email, let’s get it set up as a blog.

Jason Blanchard

We need two network adapters.

John Strand

No, you can do this all in one network adapter. One network adapter is all you need and it works just fine. So, good question.

Jason Blanchard

I would say this is the top of the hour. What we’re going to do is go into a little bit of post show banter. If you can’t stay with us any longer, feel free to drop off, but this is the end of the actual webcast or.

So we’ll stick around for a few more questions. And then, John, if you don’t mind, going to do like a five to ten minute like crash course on how to do a really cool job hunting thing.

John Strand

Oh, that’d be awesome for anyone who.

Jason Blanchard

Wants to stick around. So we’ll answer a couple more questions and I’m going to do a quick demo tutorial on how to beef up your resume if you’re job hunting, especially for information security professionals, because I’ve been doing it for like the last year now on Twitch and it’s been working out.

John Strand

And I have some recommendations too, because I literally just hired five pen testers and four SOC analysts, and I can talk about some of the things that I’m seeing as well.

Jason Blanchard

So another question was, isn’t this the equivalent to NetFlow? I’m trying to correlate it with Rita.

John Strand

NetFlow is a different protocol. So if you’re looking at NetFlow, NetFlow is a Cisco protocol and they’re on NetFlow version nine. So it’s similar to Zeek, but not nearly as much fidelity.

You’re not going to get DNS information, you’re not going to get the HTTP URL information, you’re not going to get the full data size or the end time, depending on the implementation and what device you’re running NetFlow on.

So this is similar. If you’re trying to grok this, think of Zeek data with Rita as NetFlow, but way better, and then you’ll have the right mindset for it.

Jason Blanchard

Next question is, Security Onion has Bro preinstalled? Does running the Rita installation script affect the preinstalled Bro?

John Strand

No, it does not. It’ll basically identify that it’s already installed, and it’ll just basically, you just got to put it in the directory. Rita will accept the TSV log format for a lot of Bro installations, and now it accepts the JSON format that is used in Security Onion.

It’ll accept both of those.

Jason Blanchard

This question happened a few times. What’s a good minimum hardware platform suggestion?

John Strand

We actually had a blog post on setting up Rita on a Raspberry Pi, and I’m just running it on a, I think it’s a quad core Raspberry Pi, 64 bit, and I think it has like eight gigs of memory and it does just fine.

It depends on the size of the network. But most home networks, if you give your device or your system eight gigs and quad core, and you give it a little bit of no hard drive space to work with, you’re going to be able to handle it, no problem at all.

And the reason why is Rita is smart enough. When you’re running Rita with Zeek, Rita won’t smash Zeek. While Zeek’s running, Rita does its processing only whenever there’s enough headroom in the CPU utilization to allow it.

So if the Zeek system is running at 100% CPU utilization, Rita takes a break. And then when Zeek starts dropping down to like 30, 40%, then Rita takes up the extra CPU usage there.

So Rita plays really well on devices with Zeek. They just basically kind of dance around each other.

Jason Blanchard

Do the Firewalla devices allow root level access?

John Strand

I haven’t played around with it. I don’t know if Bo is still on, but I don’t think they do. Maybe they do. Hell, I don’t know. I haven’t played around with it at that level.

But as Bo mentioned, they actually have a GitHub repository where you can install Firewalla on your own device. Then you would have root level access at that point.

Jason Blanchard

How do you see host to host traffic?

John Strand

Host traffic? Whenever you’re doing ARP cache poisoning, if hosts start communicating to each other, it will go through the system that’s doing the ARP cache poisoning. As soon as that system tries to communicate with another system on the network,

the ARP cache poisoning and Bettercap will capture that, and then traffic will be routed through as well. It’ll see all the traffic going to the Internet, and it’ll also see the layer two, host to host communication.

Because honestly, if you think about it, the connection to the gateway out is really host to host communication. It’s just host to host communication with a specific gateway device.

By doing that ARP cache poisoning, you’re becoming all things to all systems on that network.

Jason Blanchard

Does Rita work well with JSON?

John Strand

Yes, it does. Rita does actually support JSON file formats as well, which is the default for Security Onion.

Jason Blanchard

See, I mean, there’s like a, in an incident handling scenario, can I use a similar setup?

John Strand

You totally can, and that should be something that we should talk about later. But, yeah, you can literally set up, like this box that I have, this VM. If I’m working in an IR engagement on a small network, I can plug it into the network, start ARP cache poisoning, routing all the traffic through this system, and then I’ll be able to start intercepting the command and control traffic of the compromised computer system.

So you can use this as like a triage network security monitoring solution on a very tactical level, on the network where a system’s compromised, I think there is.

Jason Blanchard

I’m going to combine two questions. What about how much storage is needed to operate the setup? And then what happens to the logs? Are they overwritten or are they stored?

John Strand

So you can configure all of that. Right, so you can actually set it up so your logs will only be stored for 48 hours, and it’ll basically wipe away the logs that are older than that. When you’re talking about storage, you’re not doing full packet capture.

You’re actually, with the Zeek logs, worst case scenario, something like 12% of the total data amount that’s being transferred through for the actual logs that are being captured. So it’s really not that much traffic, because you’re actually storing metadata about the network traffic more than you are storing the entire full packet capture of that data going through.

Jason Blanchard

Can one device support two separate broadcast domains?

John Strand

You would have to do VLANing, and you would have to have the network adapters on two separate VLANs for that to work.

Jason Blanchard

If anyone ever wanted to know what it’s like to take John’s SOC or intro to security course or active defense course, it’s like this. It’s just this back and forth with you, even though you’re like, I’m not there in the classroom.

It’s just this kind of back and forth. Let’s see. So what’s installed on John’s VM again?

John Strand

So what’s installed on the VM is it’s Ubuntu 18, Rita and Bettercap. That’s it. So Ubuntu, Rita and Bettercap.

And that’s it. So just, I could type that in. Ubuntu, Rita, Bettercap.

There you go. So I did, if you’re wondering, like, why did I, why did I go through all the detail that I went through? I don’t like just saying, here’s what you can do. I like people to understand what ARP cache poisoning is.

I want them to understand what an ARP request is. So I kind of went into the details of how this actually works, and as Jason said, this is very similar to the way we run our training classes as well.

Jason Blanchard

The last question I think we’ll do, and then we’ll go into what you discovered while hiring nine people recently. Can you whitelist devices not to be poisoned? I think this is the person, like, did I just not put my auto.

John Strand

You can, and that’s actually a configuration setting where you can say, do not ARP cache poison these systems. You can actually exclude those systems, and that’s in that configuration on that Bettercap screen.