
let's hack your home network // FREE CCNA // EP 9

Jun 10, 2021
Scroll down to security, click on firewall and I'll make sure this sucker is on and it is, but that's not the only problem you may have that it doesn't close all the ports. You can still allow ports through even with your firewall turned on. There's a little thing called port forwarding and let's make sure nothing gets through our firewall. So for that I'm going to scroll up a little bit to NAT forwarding, that's what you might see on your router. I'll click on that forwarding and then port forwarding. Every entry you see here is a hole in your network.
Port 1080, port 80, ports 21 to 45. These are allowed. You may have made them yourself to try to get something working, like maybe you have a Plex server. do it with the command nmap dash lowercase s capital t and then dash p for port and put the port you want three two four hundred for plex and then your public IP address will tell you if it is open or not so the best practice is to close all your ports stinkers, don't let anything finish from the outside, you might be thinking, chuck, but I want to access my stuff from the outside I want to do that, no, I'll show you a better way, but don't do it this way, please, and that was number two, by the way, so number one, turn on your firewall, number two, turn off port forwarding, don't forward things on your network. Three, and one of the largest, oh my God, don't do this, please: go to the system and go to administration.

I'm going to scroll down here to try to find the settings. Let me scroll here. Where is? Where is? Oh sure. Here remote management turns that shit off right now. This right now allows someone from the outside. A nefarious hacker with a beard. A guy who really doesn't do any good. He will be allowed to access your public IP address, whatever it is on port 443. He will arrive at this portal and you have the ability to try to log in now for sure you will need a username and password and if you change that it might be well you changed your username and password on your router because if you didn't it has defaults you might be admin admin, it could be the admin password, it could be something else, but those things can be found easily, oh my gosh, stop, don't do it, log into your router, change your default username and password right now, that was number four, so number three was disable remote management, you don't need people to manage your router from the outside, you don't need that and change your username and password right now, you might be wondering, well, what? why do they have remote administration on the router if it is dangerous?
At best the router is secure and you can access it remotely and it is https secure. The thing is, many routers have firmware and software that is currently vulnerable, meaning hackers could find this, access this page, and exploit it to get into your network. So, why take the risk? Just disable that feature, it's not that important to have it talking about updating the firmware, updating your damn firmware, updating the software on your router. I'm going to go right here to update the firmware and I'm going to update to whatever. update i found done now i won't be so fast this is an emulation here but literally before this video i updated my firmware on my network my unifi hardware why do you think they have updates? why do you think they have one available for you?
Either they're doing one of two things, they have a new feature or they found a vulnerability in your hardware and software and they're patching it, they're fixing it, so if you have hardware on your network right now that hasn't been updated, chances are that has a vulnerability that hackers can exploit, man, you might already be hacked right now, oh that's scary, and number six, this comes down to wireless. I'm going to go wireless right now. Wireless setup just two, just two very quick things. actually three security, make sure you always use wpa2 and wpa3 when you come out, always use the most secure standard out there.
Two men, don't use a password like this please, and don't use an ssid like this when you go to connect to your wi-fi, this is the name of your wireless network if your network is called tp-link or something default that tell the hacker while driving, what they do is called war driving, they will drive around neighborhoods and try to find wireless networks that they have like this crazy powerful Wi-Fi detector, they will try to find wireless networks so they can hack them and if They see the one that says tp-link, they just found out what type of router you have and They will start looking for vulnerabilities in tp-link and that's it, you're ready, so name your ssid something else, something random, coffee, harry potter, whatever i do, harry potter themed on my network and then create a strong password, make it crazy.
I make randomly generated strings that are like 20 characters long, it sucks that those fools trust me and you might be thinking, well how do I give that password to my guest? That would be a pain, don't give that password to your guest it doesn't allow guests onto your main network, don't do that, give them their own network that doesn't touch your stuff, that's one thing I would do, so this device wireless in particular, this router has a guest networking feature if it has one. check if it does and enable it if it doesn't you might want to get a new router we'll cover that here in a bit I'll give you my recommendations oh and a bonus I forgot so I said six here's the number seven seven. good luck anyway go back to uh let's look at security and firewall here respond to lan and wan pings what this means is if you send a ping to your network device which means just a simple hey he will respond saying yes.
I'm here, it's a common thing on the net that we do all the time just to see if things are working for security. You don't want that, you want everything off, especially your wan, so turn it off, why? Well, because like a hacker he's trying. to scan network ranges to see if there is a network device available that you can hack if you scan your public IP address you don't want your router to respond you don't want that to happen you want your router to work no, no, no one here just passes by, that's it what you want to happen, you want to go unnoticed, stay safe anyway, so adjust your router, in fact, don't just use your router, go to your family's house, go to your friends' houses and make sure that your routers are secure, they harden your router, they protect your routers and that's really for your benefit because when you go to your family and friends' houses, they probably use their wi-fi networks, do you want to connect to an insecure network, man, so sure, sure, too sure? coffee, so we just covered number one and number three people coming into your network from the outside and also securing and strengthening your wi-fi, make sure you have a good password and stuff, but now I think the most dangerous thing that there is don't expect it to be hard to find and realize it's the things on your network number two that are really scary because they're the devices that you don't expect to be bad alexa um light bulbs your smart light bulbs that have a wi-fi connection all those iot devices, that's risky, man why let me show you real quick.
You may have done a great job of not allowing anything from the outside into your network. Great, great, but everything on your internal network you like to use your phone, your computer, everything on your internal network. they are allowed to access pretty much anything they want on the internet so they can log in or out and then any server that they communicate with, let's say you go to facebook or youtube, like now you're watching youtube, well then youtube has permission to send you stuff back, this is how it works if I go to youtube and say, hey youtube, talk to me, send me some videos, it will send you videos back and that's allowed through the firewall, that communication is allowed, so if it's allowed for you, your computer, your phones, it's also allowed for your smart light bulb here and your smart TV, all of those devices are communicating to the Internet, they are right now, just like you, the problem is we don't know who they are. contacting it again could be a legitimate service they need, like your bulb could be communicating with its manufacturer's server and getting a firmware update.
Okay, that's a good thing or this light bulb could be communicating with a foreign website, maybe a Chinese website. maybe a hacker was able to find a vulnerability with that particular light bulb and through that communication was able to hack your light bulb and suddenly that hacker is on your network, it could be your light bulb, it could be your TV, your smart toilet, whatever. want. because almost everything in our house is smart now, at least in mine, all of that would be considered legitimate communication on your firewall, a basic firewall, I'll explain what I mean by that here in a moment and it would be allowed and right now your network could be compromised and you wouldn't even know it.
That's terrifying. So what are your options right now? Let me show you what I do with my network. Here is my design. Current network. Chuck's network. This is how I handle my dangerous IoT devices. now like all of you i have a wireless network that i access and use i call it portkey anyone know where it's from let me know below this is my main wireless network where all my phones tablets laptops anything whatever people use, we get it. basically devices that I rely on quite a bit for my iot devices. I tell you that I don't trust you at all, so I'm going to put you on your own network separate from my things that I trust so that you can't affect me. either way because just like on my personal network, I have things that are important, like my network attached storage, my nas, my file systems, and all the videos I make and save.
I don't want hackers to have access to any of that. I don't want my IoT devices to have access to any of that, so I put them on their own network and this wireless network that I actually call truth finder, someone knows where it's from. This network is separate because it is on its own VLAN or virtual LAN. The virtual network is on VLAN 6. This one is actually also on VLAN 7. And on this one I have devices that I don't trust, like Alexa and Philips, color my smart light bulbs. Now what makes this network special is that again. can't access my other network, my firewall prevents it from also going a step further by doing what's called client isolation or device isolation, which means Alexa can't talk to anyone else on that network.
Philips hue, those bulbs can't talk with anyone else on that network you could normally talk to philips hue philips you could talk to her that's how a network works, it connects devices so they can talk, but with client isolation it prevents those devices from talking to any other devices on the network do you want that for your iot devices golden now i go a step further i'm a little paranoid i have another network i created another isolation section i call this network horcruxes because you don't want to touch any of these devices this is where i put my iot devices on which I don't really trust, like the cheap bulbs I buy on Amazon because I don't want to pay full price for a Philips Hue bulb, so yeah, just cheap iot. off-brand devices that probably don't get firmware updates that talk to servers I don't really know and of course they'll be on their own VLAN because it's a separate VLAN, let's just say eight.
Now I can do this because I have networking hardware that allows it. I'll get into what I have in a moment, but here are your options if you want to do something like this now that I was showing you the tp-link router. and other routers like that can't do this, so if you want this kind of client isolation for iot devices and other things, maybe even for your guest, you should get something else, the good news is that it's not too expensive to get features . so here are my three recommendations, there is a software called dd-wrt, you can take your standard router that you have now, be it linksys, asus netgear, if the model is supported, you can load this custom firmware on your router, now I am going to do a video covering which models are supported and how to go through that process to set up a network.
It will be super fun, but for now just know that it is an option and with that custom firmware you can do those fun and cool things now if you are studying for your ccna, if you're a cisco nerd (i hope you are), getting cisco gear is totally an option. Go to eBay, find some cheap routers, switches and create your own custom network. Cisco can definitely do everything we talked about in this video and that's what I have on my network right now, I actually have two separate networks, two separate physical manufacturers on my network, one of them being Cisco and the other being Cisco, which is what what do I use for my core network and that's Ubiquiti or you'll see it called UniFi, this is kind of a prosumer option because it feels like you're using enterprise equipment, but it's not expensive like you might find in an enterprise, so let me show you what what I'm using and what I have now. go to my portal now im a big fan of unifi this is how they work they are controller based so basically you have a controller this could be your own device your own server which will then control your network devices it is You may have a router change access points usually on a unifi network you will have separate devices like you might find on enterprise network that's why I call it prosumer it feels more enterprise because you get more features that's what happens when Invest in a network like this, now what?
They did it recently and I made a video about it and I love it. I love it so much that they created a product called a dream machine. You can learn more about that at a link here. I checked everything basically, it's a device that has a built-in controller, a wireless access point, a switch, a firewall, everything, all of that is amazing, you should get one that costs about 300 dollars, the same price as what you could get for a normal router, but it is infinitely better now for me, I have the dream. machine pro or udm pro the main difference here is that it is a little faster and this is what I have my network I have the dream machine pro which is my firewall my router and it also does what is called ids and ips this is very important If you have iot on your network, something most of us have.
I'll show you why here in a Right now, also on my network I have two switches and three access points, one is obviously down right now and even though it's technically a home network, it's more like a business network, here's how It could feel like a typical business network, so if you want to put a business network in your home and have that look, go with this, I love it now. I want to show you one thing real quick because it came up today and it's under threat management. My IDS and IPS. I'm going to go to threat management right now. my IDS and IPS, my intrusion detection system, and my intrusion protection system found three threats on my network.
Now these were threats that came from the outside and they were threats that came from the inside. Accessing something external. Let me show you. I'll go to my traffic log. here it tells me that a network trojan has been detected, it shows me what devices we are trying to reach and where it was going with the IDS, it will just tell you what is happening and tell you, hey, fix it with the IPS, it will actually do something about it it will detect it and protect it it will block it this is what you want on your home network what you want is that separating your iot devices into a separate network is the first best step you should take but then have a active monitoring system. where you constantly download the latest vulnerabilities and threats and check your network to see if that's what you want.
This is becoming a UniFi commercial. Sorry, but what we did before when scanning networks with nmap, this actually does all the time. It's called endpoint scans and it's scanning my network identifying my devices tell me what kind of operating system they have and let me know what open ports they have and look at all this stuff it's crazy and they will also test and see if there are any vulnerabilities so that's how it is How could I see those two devices. By the way, we are having a problem. If you want to do something like this on your network, you can run nmap inside your network.
Obviously you'll need Linux, but just run the command, say nmap dash s. lowercase uppercase t and then your subnet, you might have 192.168.1.0 and then slash 24. that will cover it, just you know, make sure you put in the correct subnet mask that will tell you what ports you have. add a capital dash o or and that will tell you what operating systems all the devices on your network are running, that's great and now lastly I wanted to cover the connection between you and your business, you're probably working from home right now and this connection here It is vital because you are accessing your company files.
You are possibly exposing your company to viruses and malware largely on your home network, like a kind of wild west for your company. You are your company's biggest weakness. You know that? So what do we do about it? In most cases, we don't have to do anything. The company takes care of this now. The reason I say this is because you may find yourself in a situation where you might be an Engineer or studying to get your certification to make these types of communications secure, so what do we do? I mean, we have to make sure that this connection here over the Internet is secure.
Well, VPN, VPN is how we do it. Two options for companies. what we see now one way is with vpn remote access you're probably using this right now if you're working from home your laptop whatever software you have on your computer maybe it's openvpn maybe it's cisco anyconnect actually let me know below What Are you curious about how many different ones are being used in nature right now. You will use the software similar to any other VPN like CyberGhost or VPN or Private Internet Access. You will click on it to activate it and suddenly you will have got the secure tunnel for your company that protects you from hackers who see that traffic and also protects your company.
Alternatively, instead of running software on your computer to connect you to VPN companies, you could actually provide it with a firewall and device. In fact, my mom just made this. I just started working at a financial company and they actually gave you a firewall to put inside your network, so it looks like they gave you a small firewall. I think it was a Sophos firewall, but from Cisco's perspective it could be a Cisco Asa. 5506 I love them and the Cisco Asa would actually just connect to your home router just like that and then to your work computer instead of connecting directly to your home router like it normally would.
You would connect to the Cisco Asa, your VPN device. Now the Asa is one thing to maintain a secure connection between your corporate office and your company at all times. Companies do this because they have tighter control over the security of their network. They don't have to worry about their home network and everything that happens. there they put a device on their network and ultimately they can control what goes into their network, whereas the one who has software on their computer that's called remote access, this is called site-to-site. Now, one last thing we covered a lot of security. this video and if your network is not secure then you have your work cut out for you, but I promised to touch on this so I'm going to do it right now.
I'm telling you to turn off your network, don't let anything in, nothing at all. but there may be things on your network that you want to access when you're away. I completely understand that your file servers maybe you have a complex server that you want to watch movies on and things like that, so how do you do that when you're here? With your beard and your phone, how do you get into your network if you're blocking all outside connections? VPN VPN so you can have your own VPN on your own home network. The good news and as we saw with that tp-link router, your home router.
You may already have a VPN service or a server, you just need to enable it properly, so go in there, enable your VPN server, check your router documentation and then your phone can connect to that server and that essentially allows you to connect. securely to your home and suddenly it's like your phone is on your home network, you can access everything as you normally would which is great now, if your home router doesn't currently support it then we'll see the point above, you may need a The new custom router firmware will definitely do it for you ddwrt, there is a tomato sense that I will cover later in another video and of course unifi will do it.
This is what I use to access my home network remotely. I use UniFi. Secure your network. Sure, maybe you haven't been attacked yet. It could happen today. It could happen tomorrow. It could have already happened and you don't know it. Again, the bottom line is to harden and secure your router. Your friends' routers. Your family's routers. And if you feel they are not safe. just get a new one, it's a good investment and if you're studying for a cisco certification, if you're trying to get your ccna, ccnp, it's worth the investment to buy some cisco equipment on ebay and make your home network as fun. experience you should definitely try it guys that's all I have let me know what you think of the video in the comments below and if you liked the video hit the like button if you want to subscribe please subscribe and hit the notification bell so you can be notified when I post videos and again, a big thank you to our sponsor Boson Software again. The best ccna laboratory. It is teaching material, practice exams. Everything is the best. It's what I'm currently using to study for my ccnp encore. Actually, I'm doing some studying, right? Now I'm on Twitch every morning and live streaming my study process, so if you want to watch that's not very entertaining, but if you want to get up early and be study buddies, let's do it, so follow me on Twitch below. Yes, yes, that's all I have. I'll see you next time.
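
Added example, not part of the video: one way to turn the internal scan described in the transcript (`nmap -sT` against your own subnet) into a repeatable check, by parsing nmap's grepable output (`-oG -`) and comparing each device's open TCP ports with a baseline of what you expect it to expose. The addresses, the sample scan text and the `EXPECTED` baseline are constructed for illustration.

```python
# Audit an nmap grepable scan of your own LAN against an expected baseline.
# Input is the text produced by e.g.:  nmap -sT 192.168.1.0/24 -oG -

# Constructed sample output (tabs separate the fields, as nmap writes them).
SAMPLE_SCAN = """\
# constructed sample of: nmap -sT 192.168.1.0/24 -oG -
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.20 (nas)\tStatus: Up
Host: 192.168.1.20 (nas)\tPorts: 445/open/tcp//microsoft-ds///, 32400/open/tcp//plex///\tIgnored State: closed (998)
Host: 192.168.1.57 ()\tStatus: Up
Host: 192.168.1.57 ()\tPorts: 23/open/tcp//telnet///, 80/filtered/tcp//http///\tIgnored State: closed (998)
# Nmap done
"""

# Hypothetical baseline: the ports each known device is supposed to expose.
EXPECTED = {
    "192.168.1.1": {53, 80, 443},   # router: DNS and admin UI, LAN side only
    "192.168.1.20": {445},          # NAS: file sharing only
}


def parse_grepable(text):
    """Return {host_ip: set of open TCP ports} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment lines
        fields = line.split("\t")
        addr = fields[0].split()[1]
        ports = hosts.setdefault(addr, set())  # host is up even with no ports
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            # Each entry: port/state/protocol/owner/service/rpc/version/
            # (assumes no -sV, whose version strings may contain commas)
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if (len(parts) >= 3 and parts[0].isdigit()
                        and parts[1] == "open" and parts[2] == "tcp"):
                    ports.add(int(parts[0]))
    return hosts


def audit(open_ports, expected):
    """List (host, port, reason) for devices or ports not in the baseline."""
    findings = []
    for host in sorted(open_ports):
        if host not in expected:
            findings.append((host, None, "unknown device"))
        for port in sorted(open_ports[host] - expected.get(host, set())):
            findings.append((host, port, "unexpected open port"))
    return findings


if __name__ == "__main__":
    for host, port, reason in audit(parse_grepable(SAMPLE_SCAN), EXPECTED):
        print(f"{host:15} {port if port is not None else '-':>6}  {reason}")
```

Run it after each scan and review every finding: a new host is a device that joined the network since the baseline was written, and a new port is a service that was switched on or a forwarding target that was forgotten.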
