This series has been massively helpful. I know you are crazy busy running a community and a business, but I would really love to see this series completed
@@mrnmrk6191 are you in the network berg chat often talking about MTKs? If so we have talked. I concur that Mikrotiks rock and def easy to learn, but the certs are harder to get and require a lot more. The CCNA is more widely accepted and currently respected, so while MTKs rule and I love them and use them myself on a few networks, I would not say the CCNA cert is something one should give up, some of the tik language, and most of other routers, are based on cisco so all around a good cert, it is better than a network + for sure. Once Mikrotik makes their certs affordable and not a required class to get it, then will jump on that cert wagon lol
Has this series finished ? It has been 4 months since the last video 😔😢 Seriously .. you're the best instructor I've ever seen 🌹👍 Hope you complete the series very soon 😊
Chuck, A couple quick questions about the Shark Jack, 1. Where dies it get its power? Is it PoE or does it have a battery? 2. Could you have it grab MAC addresses connected? Like use a coupler, grab the mac(s) of a device/cable you are unplugging, then spoof that MAC via a script config? BTW: I love your videos, i have been digesting your whole channel and your way of teaching is similar to my own. It is obvious that you love and live what you do. Keep it up.
here's how I protect my network ports: my switch is in a rack that is physically locked. you would need a key to the rack to even plug that in. the only cables running to outside the server will only issue an IP address to the device with the mac address corresponding to the device that should be plugged into it. honestly, to me, that is secure enough to prevent most attacks. sure you could find the computer's mac address and spoof it then disconnect the computer and attach the sharkjack to the cable with a little adapter, but that is honestly more trouble than its worth and requires prolonged uninterrupted access to my PC
Chuck, I don't know how you do it but I've been going to school for IT for about 2 years now and every time i start a new class you cover something about that subject. Thanks for your guidance you make some of the subjects easier to understand!
With the situation you mentioned having someone unplug your existing device and plug in theirs is defeated just by them plugging the device into theirs, harvesting the other mac address & then modifying theirs to match it before connecting to the switch.
This solution would work for small network. In my company there is more than 100 switch so i cant enter a mac address for every port in every switch. Basicily we did 802.1x. Its more efficient.
I personally didn't learn anything new, but this was a good episode. I've never heard blackhole VLAN, everyone I've met in the industry for me personally has called it a quarantine VLAN. Port security is very important, thank you for sharing with everyone!
13:40 just don't put a label on the wire that shows the Mac-Adress - otherwise the attacker could just change the attacking-device's Mac-Adress to that one...
Thank you man this is good content .. im following network engineering and cyber security degree ..these videos good for studies and for additional knowledge ..keep up the good stuff
I guess you are a nightmare to other hackers And ironically you r successful youtuber because of those hackers 🎉 Im a great fan of your videos & thanks 4 dose videos
I have a question and I hope you can answer, so even though you have turned off all the unused switches, and as your example when someone just switches out a pot and plugs in their own device, what is stoping, just for example, me from mimic the computer that was connected to that port and act as the admin? If I can make my own device act like the same device that is connected, that would give me access to that port because I am "on the list" of devices that have access. Getting mac addresses and or ip addresses (some sort of identity) is not that hard if you know what you are doing. so I guess my question is, what would be the work around in stoping someone who knows how to work around? I know that may seem broad but Its a legit question.
0:20 Port-hole [*port*al]. You're welcome.😁 #ITjoke 6:50 Checking out those Harry Potter name themed devices.😏🪄 7:36 It's possible the RUclips algorithms sent me here because I just finished watching a #blackhole🌠⚫ video. 16:36-16:38 "And _>pop
What if you have a bad MAC address device plugged into a secure port & it’s err-disabled & you don’t know its still connected into the system & you shut them no shut the port will it auto go back into err-disable due to the MAC address still not being allowed?
How is the feature on Unifi „similar“? UniFi has a MAC-Filter like any other home use WiFi-Router. Am I missing something or does UniFi just not have the actual security feature to disable/react to violations?
You just configure your network devices in that IP range instead. Networks can mostly use whatever they want as long as it does not conflict with anything else in the same routing domain/context/network/vrf, the public internet reserved IPs if connected, or overlap other reserved IP address ranges defined in the IP engineering standards. 10.0.0.0/8 (10.0.0.0-10.255.255.255), 172.16.0.0/12 (172.16.0.0-172.31.255.255), and 192.168.0.0/16 (192.168.0.0-192.168.255.255) are ranges of IPs reserved specifically for private network use and cannot be routed/used by the public internet per the RFC1918 standards allowing users to do with them anything they need. I work for a telco. Every private network we build for customers uses the same RFC 1918 address spaces in varying patterns per the customers design needs. Most customers like to use 10.x.x.x because its huge and can be divided into thousands of smaller containers numbered in a logical fashion to their needs. ie. 10.1.x.x/16 is region 1, 10.2.x.x/16 is region 2 etc...
I've never seen this done so not sure if it can be done easily. Maybe someone else with more experience knows. I've see 802.1X done on ports that will be used with end clients for port security along with 802.1x on APs to secure wireless clients but haven't been at a buisness that secured between the switch and the AP with any port security. Considering the APs are often connected to our trunk ports for use with multiple SSIDs, if it's possible to port secure them to make sure only the specific access points can be connected would add security.
Hello everyone. Using packet tracer and switches 2960-24TTs. After making ports sticky and changing devices on a particular port, port was err-disabled. So went to configure (conf t) then told to 'shut' and then 'no shut'. Switch will go up and then immediately go back down due to err-disabled. What command am I missing to turn off err-disabled on these switches?
can you share your script you are using on the hak5 usb device? so i have an example how to send a slack message without (you dont know if it has) internet... otherwise I am still currious ;)
I have a question, sorry if it’s stupid, In reference to 13:00, couldn’t the attacker just plug your Pi into a laptop, read it’s MAC address, and then spoof it?
You can spoof Mac addresses. So if you unplug a Pi from the switch, you might just take the Mac of that Pi and the mac filter is irrelevant. This is an inconvenience for the attacker, but be careful not to overstate the gained security there. Mac addresses are often just written on devices, otherwise just plug it into your own switch and read the mac from there. Furthermore, in a real life scenario, you run in a huge problem if an attacker gains direct physical access to the switch, but I guess everyone is already aware of that ;) Overall nice content, thanks!
Security is all about layers. Usually when a device is hard linked to a port it provides a certain service. Sure you can spoof the mac address, but for a network printer I can disable most networking. I only have to open certain ports and when you spoof the MAC address, you can only do things that the device could, but nothing more. I'm an old-school administrator. By default I block/deny everything and than I open up the things I need. It is not user friendly and when something needs to be connected, I takes some time (sometimes several hours) to setup everything. This concept is working for me for over 25 years going back to my Netware days. Given enough time, opportunity and resources everything can be hacked. If someone is specifically targeting you, there is usually very little you can do about that. But by securing your switch in a proper way, you can guard against 99% of the attacks out there...
The most common approach is: a lock on the doors and security personnel The next step is authentication of each deive on the port 802.1X. The next step is IPSec.
@@AngryMarkFPV I definitely see it not being ideal but I believe even the DoD doesn’t label IP addresses as anything other than unclassified unless combined with subnet mask and maybe even something else.
@@AngryMarkFPV Not really. It's a private IP address and without knowing the inside global address there's not much you can do with it. Even then there would have to be some NAT/PAT for that address as well. Which raises the question why he even blurred it to begin with.
@@jolss0 its a best practice. @AngryMarkFPV said it the best, any insight to his network could be dangerous. We also don't know how often his network comes under attack, how much info somebody has collected etc.. Just better to blur it out.
VIRTUALIZE your debit cards and protect your financial identity with Privacy: ntck.co/privacy Watch the whole course: bit.ly/nc-ccna Go deeper: ntck.co/ncccna 🔥🔥Join the NetworkChuck Academy!: ntck.co/NCAcademy 🔎🔎Can you complete the lab???: ntck.co/ncccna This is CCNA Episode 14. Port security is a VITAL thing we must learn when becoming network engineers, especially when you have hackers running around using things like the Shark Jack from HAK5. In this video, I’ll show you the best practices for securing your switch ports on Cisco Switches and Unifi (Ubiquiti) switches. 🔥🔥Join the NetworkChuck membership: ntck.co/Premium **Sponsored by Boson Softwareruclips.net/user/sgaming/emoji/7ff574f2/emoji_u1f525.png
What if the attacker determines the MAC-Address from the allowed device, and sets the MAC-Adress to it's hacking device? MAC-Address can be changed I think. Is there any way to handle this?
This series has been massively helpful. I know you are crazy busy running a community and a business, but I would really love to see this series completed
Hey Chuck, First.... I love your channel and your teaching style is superb! Second, When do you think EP 15 might be coming? I'm hungry for more !
You're *REALLY* better than education channels. Thanks for information maan
1000%
Hey Chuck please complete this CCNA series...
I have started to see all your CCNA video.. it's fun to learn.
give up with CCNA and get to learn Mikrotik Router OS, 1000 times better and easier
@@mrnmrk6191 can you talk a bit about why it is better? just curious
@@mrnmrk6191 are you in the network berg chat often talking about MTKs? If so we have talked. I concur that Mikrotiks rock and def easy to learn, but the certs are harder to get and require a lot more. The CCNA is more widely accepted and currently respected, so while MTKs rule and I love them and use them myself on a few networks, I would not say the CCNA cert is something one should give up, some of the tik language, and most of other routers, are based on cisco so all around a good cert, it is better than a network + for sure. Once Mikrotik makes their certs affordable and not a required class to get it, then will jump on that cert wagon lol
Would love to see more of this series. I have found it really interesting and really enjoy the way you present the information.
Has this series finished ? It has been 4 months since the last video 😔😢
Seriously .. you're the best instructor I've ever seen 🌹👍
Hope you complete the series very soon 😊
Chuck, A couple quick questions about the Shark Jack,
1. Where dies it get its power? Is it PoE or does it have a battery?
2. Could you have it grab MAC addresses connected? Like use a coupler, grab the mac(s) of a device/cable you are unplugging, then spoof that MAC via a script config?
BTW: I love your videos, i have been digesting your whole channel and your way of teaching is similar to my own. It is obvious that you love and live what you do. Keep it up.
Thanks man, Cisco auto learning makes it soooo complicated to digest while your course is easy to follow and understand!
here's how I protect my network ports: my switch is in a rack that is physically locked. you would need a key to the rack to even plug that in. the only cables running to outside the server will only issue an IP address to the device with the mac address corresponding to the device that should be plugged into it. honestly, to me, that is secure enough to prevent most attacks. sure you could find the computer's mac address and spoof it then disconnect the computer and attach the sharkjack to the cable with a little adapter, but that is honestly more trouble than its worth and requires prolonged uninterrupted access to my PC
You are such an underratedly effective teacher of this stuff
Shark jack is pretty cool, can't wait for the rubber ducky vid tho 😁👍
Chuck, I don't know how you do it but I've been going to school for IT for about 2 years now and every time i start a new class you cover something about that subject. Thanks for your guidance you make some of the subjects easier to understand!
Thank you for the course! Will you proceed with it ? Will we get new EPs ?
I know like nothing talked about in any of your videos but I have amazing interest in cyber security and everything you talk about
Contact our support team on Instagram @Networkchucksupport to join our tutorial classes
With the situation you mentioned having someone unplug your existing device and plug in theirs is defeated just by them plugging the device into theirs, harvesting the other mac address & then modifying theirs to match it before connecting to the switch.
Hypothetically then you need the device password that you plugged into.
@@j.kaimori3848 not to do a basic arp request
This just makes me curious about other cool tech we can put on our key rings that are useful for IT guys, even for those who do this stuff as a hobby
Makes me want a good switch for my home network.
I bought a C3750 for cheap on EBay, amazing switch, would recommend.
@@ethanedwards8296 That's a lot more then I need but it makes me smile just looking at it. Thanks for the recommendation I may just buy one.
@@jmr haha :)
This solution would work for small network. In my company there is more than 100 switch so i cant enter a mac address for every port in every switch. Basicily we did 802.1x. Its more efficient.
You should have a list with all your CCNA videos.
Ah yes the good old shark jack. Slip one into your neighbors Modem while you’re at dinner at their house. You all know the rest.
I personally didn't learn anything new, but this was a good episode. I've never heard blackhole VLAN, everyone I've met in the industry for me personally has called it a quarantine VLAN. Port security is very important, thank you for sharing with everyone!
Your videos make my day
please continue CCNA series
I think that Shark Jack with a LAN port can spoof the MAC and bypass port security.
21:54 missed opportunity for "jumped the shark jack"
Thanks for the amazing content brother. Any chance you're able to tell us when this course might end and in how many episodes?
I ordered a Shark Jack recently and I'm super stoked to test it out on some ethical plugs, look pretty awesome.
thanks for all information, it is very useful ✌
13:40 just don't put a label on the wire that shows the Mac-Adress - otherwise the attacker could just change the attacking-device's Mac-Adress to that one...
Use something like clearpass.
Heyyy chuck, you leaving us hanging man. where can we find the rest of the course.
Can you do a series on pentesting
I really appreciate it bcoz reading the title I need that topic cool
If going for CCNA which would be better Boson or IT Pro TV?
that summer 21 discount code saved me $70 on the ccna netsim and exsim. nice.
Are there ways to get the mac address of a device which is already plugged into the switch so you can mimic it's mac and subvert mac security?
port security*
Thank you man this is good content .. im following network engineering and cyber security degree ..these videos good for studies and for additional knowledge ..keep up the good stuff
Well done, however one can still spoof an existing / allowed mac address :')
Maybe cover 802.1x?
I believe he briefly talke about that near the end.
Good content for the newbies...
VVIOLATION MODE PROTECT THIS MAN AT ALL COST!!!!
You did a greak work providing us a lot of hacking knowledge but so many adds in middle of time limit creates a virtual brainwash in mind..lol😁
I guess you are a nightmare to other hackers
And ironically you r successful youtuber because of those hackers 🎉
Im a great fan of your videos & thanks 4 dose videos
I love chucks videos every one is a learning curve great content chuck
Are you going to continue with this course?
whats the difference between disable and blachole vlan? both you cant use devices on that port, both you need configuration if you want to use it
your videos are amazing
Great t-shirt! Great video!
Network "You need to learn X Now!!" Chuck
He needs to learn "Man-buns are not cool, and never were" Right Now!
I have a question and I hope you can answer, so even though you have turned off all the unused switches, and as your example when someone just switches out a pot and plugs in their own device, what is stoping, just for example, me from mimic the computer that was connected to that port and act as the admin? If I can make my own device act like the same device that is connected, that would give me access to that port because I am "on the list" of devices that have access. Getting mac addresses and or ip addresses (some sort of identity) is not that hard if you know what you are doing. so I guess my question is, what would be the work around in stoping someone who knows how to work around? I know that may seem broad but Its a legit question.
You like a "Blender Guru" and I really love this!
ruclips.net/video/QZ7FRQ8HyE4/видео.html
what about scanning Raspberry mac-addr first? Then reassign short-jack mac-addr and Theeeeen using short-jack =)
great video sir
0:20
Port-hole [*port*al]. You're welcome.😁 #ITjoke
6:50
Checking out those Harry Potter name themed devices.😏🪄
7:36
It's possible the RUclips algorithms sent me here because I just finished watching a #blackhole🌠⚫ video.
16:36-16:38
"And _>pop
Thanks for the great video. Keep up the good work!!
Can you make a vid on how to get WiFi on kali vb
Loved it! Excited for more videos😁
Hey Chuck, great work buddy. Please tell which software do you use for writing on your pen tablet.
Thank u man, Could u send one of these Shark Jack to me 🙂
So it says that the course will be continued but then it goes into subnetting. Did you finish this?
What’s your thoughts on using AR to identify all your physical port locations? Gimmick or practical?
Awesome video!
short command for daily use: sh int | i down
Is there a current available Boson discount code for course purchasing?
kali linux... raspberry pi.... mac changer??? would that get around it
#
What if you have a bad MAC address device plugged into a secure port & it’s err-disabled & you don’t know its still connected into the system & you shut them no shut the port will it auto go back into err-disable due to the MAC address still not being allowed?
that was pretty easy, didnt even have to take a sip of coffee
How is the feature on Unifi „similar“? UniFi has a MAC-Filter like any other home use WiFi-Router.
Am I missing something or does UniFi just not have the actual security feature to disable/react to violations?
thx chuck
How do you get your home network to have 10.0.0.0 IP range like I've noticed in your other videos. Great channel btw, learning tons!
You just configure your network devices in that IP range instead. Networks can mostly use whatever they want as long as it does not conflict with anything else in the same routing domain/context/network/vrf, the public internet reserved IPs if connected, or overlap other reserved IP address ranges defined in the IP engineering standards. 10.0.0.0/8 (10.0.0.0-10.255.255.255), 172.16.0.0/12 (172.16.0.0-172.31.255.255), and 192.168.0.0/16 (192.168.0.0-192.168.255.255) are ranges of IPs reserved specifically for private network use and cannot be routed/used by the public internet per the RFC1918 standards allowing users to do with them anything they need.
I work for a telco. Every private network we build for customers uses the same RFC 1918 address spaces in varying patterns per the customers design needs. Most customers like to use 10.x.x.x because its huge and can be divided into thousands of smaller containers numbered in a logical fashion to their needs. ie. 10.1.x.x/16 is region 1, 10.2.x.x/16 is region 2 etc...
@@eltreum1 thank you so much.
Wow!! I never knew that thanks man
Thank you, you have benefited a lot
securing ports on the switch. to lock the switch ports if they aren't in use😏
How does shark jack gets power if switch is not PoE switch?
Can you use port security on ports that have your AP?
I've never seen this done so not sure if it can be done easily. Maybe someone else with more experience knows. I've see 802.1X done on ports that will be used with end clients for port security along with 802.1x on APs to secure wireless clients but haven't been at a buisness that secured between the switch and the AP with any port security. Considering the APs are often connected to our trunk ports for use with multiple SSIDs, if it's possible to port secure them to make sure only the specific access points can be connected would add security.
Goodness gracious!!🔥👌
Great video ... but what about those pants though?
Only i do not see ep 15?(
Hello everyone. Using packet tracer and switches 2960-24TTs. After making ports sticky and changing devices on a particular port, port was err-disabled. So went to configure (conf t) then told to 'shut' and then 'no shut'. Switch will go up and then immediately go back down due to err-disabled. What command am I missing to turn off err-disabled on these switches?
Bam... :) love it
can you share your script you are using on the hak5 usb device? so i have an example how to send a slack message without (you dont know if it has) internet... otherwise I am still currious ;)
I love how excited you get, “BLACKHOLE!”
Subbed. 🦄
Really hate the 666 winks & giggles at evil
when is the next video?
Sir how to find a lost mobile using a IMEI number
Ur awesome. Lots of love 💗😍 from india
Great video😅
Wait. This isn't Tuesday Newsday.
So, technically… if there was a USB version of this Shark 🦈 Jack…. Couldn’t this be ran on a PC or VM with trusted access to the port?
AWESOMEEEEEEEEEEEEEEEEEEEEEEEEEEE :)
This is so cool!
Taking advantage of holes, are ya? 😏
I think you leaked your SSH IP address in the MAC address security part of the video? the blur didnt last long enough 14:02
yeah, but it's only a local ip, there was no real need to even blur it, unless you're on his local network that IP is useless
@@ItsDrike yea, the fact it was blurred in the first place made me think he'd wanna know
this is internal network ip :)
🤦♂️🤦♂️🤦♂️🤦♂️
"Hacking (ETHICALLY WITH CHUCKS PERMISSION) the RUclips Algorithm."
I have a question, sorry if it’s stupid,
In reference to 13:00, couldn’t the attacker just plug your Pi into a laptop, read it’s MAC address, and then spoof it?
MAC's are easily cloned. Which is why you need to pair up port security with 802.1x machine certificates
He mentions that at 21:19
Have you watched the whole video? He mentioned this...
You can spoof Mac addresses. So if you unplug a Pi from the switch, you might just take the Mac of that Pi and the mac filter is irrelevant. This is an inconvenience for the attacker, but be careful not to overstate the gained security there. Mac addresses are often just written on devices, otherwise just plug it into your own switch and read the mac from there. Furthermore, in a real life scenario, you run in a huge problem if an attacker gains direct physical access to the switch, but I guess everyone is already aware of that ;)
Overall nice content, thanks!
sticky ports my friend
@@rob7328 802.1x*
Security is all about layers. Usually when a device is hard linked to a port it provides a certain service. Sure you can spoof the mac address, but for a network printer I can disable most networking. I only have to open certain ports and when you spoof the MAC address, you can only do things that the device could, but nothing more.
I'm an old-school administrator. By default I block/deny everything and than I open up the things I need. It is not user friendly and when something needs to be connected, I takes some time (sometimes several hours) to setup everything. This concept is working for me for over 25 years going back to my Netware days.
Given enough time, opportunity and resources everything can be hacked. If someone is specifically targeting you, there is usually very little you can do about that. But by securing your switch in a proper way, you can guard against 99% of the attacks out there...
not to mention that in his example, the sharkjack has already cloned the MAC of the existing raspberry Pi. which makes his example terrible.
@@mathbee It's not cloned. The last two digits of the MAC were indeed different. The Pi was d9, the sharkjack was a9.
The most common approach is: a lock on the doors and security personnel
The next step is authentication of each deive on the port 802.1X.
The next step is IPSec.
@14:03 If you’re gonna blur out your switch’s IP address, you should probably blur it out completely… ;)
Wouldn’t you have to be connected locally to do anything with that IP?
@@tnasty15 any insight into the internals of another network can be of use. especially being his core switch.
@@AngryMarkFPV I definitely see it not being ideal but I believe even the DoD doesn’t label IP addresses as anything other than unclassified unless combined with subnet mask and maybe even something else.
@@AngryMarkFPV Not really. It's a private IP address and without knowing the inside global address there's not much you can do with it. Even then there would have to be some NAT/PAT for that address as well. Which raises the question why he even blurred it to begin with.
@@jolss0 its a best practice. @AngryMarkFPV said it the best, any insight to his network could be dangerous. We also don't know how often his network comes under attack, how much info somebody has collected etc.. Just better to blur it out.
VIRTUALIZE your debit cards and protect your financial identity with Privacy: ntck.co/privacy
Watch the whole course: bit.ly/nc-ccna
Go deeper: ntck.co/ncccna
🔥🔥Join the NetworkChuck Academy!: ntck.co/NCAcademy
🔎🔎Can you complete the lab???: ntck.co/ncccna
This is CCNA Episode 14. Port security is a VITAL thing we must learn when becoming network engineers, especially when you have hackers running around using things like the Shark Jack from HAK5. In this video, I’ll show you the best practices for securing your switch ports on Cisco Switches and Unifi (Ubiquiti) switches.
🔥🔥Join the NetworkChuck membership: ntck.co/Premium
**Sponsored by Boson Softwareruclips.net/user/sgaming/emoji/7ff574f2/emoji_u1f525.png
Yessss!!
Thank you for posting!!!
Goveaway
Cool thank you and thanks for the educational videos!
What if the attacker determines the MAC-Address from the allowed device, and sets the MAC-Adress to it's hacking device? MAC-Address can be changed I think. Is there any way to handle this?
favorite dialog of chuck : Let,s hack youtube today ethically ,off course🔥🔥🔥🔥😂😂