Sniffing Basics


What is Sniffing?

  • Sniffing is the process of monitoring and capturing the data packets passing through a computer network using a packet sniffer.
  • Packet sniffers are used by network administrators to keep track of the traffic passing through their networks.
    • In that role they are called network protocol analyzers.
  • In the same way, attackers use packet sniffing tools to capture data packets on a network.
  • The captured packets are then used to extract sensitive information such as usernames, passwords, session cookies and credit card numbers, provided the protocol carried them in cleartext.
  • Attackers deploy sniffers either as software on a compromised or attacker-controlled host, or as a hardware tap or device plugged into the network.
  • Commonly used sniffing tools include
    • Wireshark, Ettercap, BetterCAP, Tcpdump, WinDump, etc.

Difference Between Sniffing and Spoofing

In sniffing, the attacker listens to a network's data traffic and captures data packets using a packet sniffer. In its passive form nothing is sent on the wire, which makes it hard to detect.

In spoofing, the attacker forges an identity, for example a source MAC or IP address, an ARP or DNS reply, or an e-mail sender, so that other hosts accept the attacker's traffic as if it came from a legitimate party. On a switched network, spoofing is usually the step that redirects traffic to the attacker so that it can be sniffed.



Types of Sniffing


There are two types of sniffing attacks, active sniffing and passive sniffing.


Active Sniffing

  • This is sniffing conducted on a switched network.
  • A switch connects several network devices and keeps a table (the CAM table) of which MAC address was last seen on which port.
  • Switches use the destination MAC address to forward each frame only to the port of the intended recipient, so an attacker on another port does not see it.
  • Attackers get around this by injecting traffic into the LAN (forged ARP replies, frames with bogus source MACs, etc.) to make the switch or the hosts send the traffic to them.

The active sniffing techniques include:

  • MAC Flooding
  • DHCP Attacks
  • DNS Poisoning
  • Spoofing Attacks
  • ARP Poisoning

Passive Sniffing

  • Passive sniffing works on networks built with hubs instead of switches.
  • A hub does not look at MAC addresses at all; it simply repeats every frame it receives out of every other port, so every host on the hub sees all of the traffic.
  • All an attacker needs to do is connect to the LAN and put a network interface into promiscuous mode, and they can sniff all traffic on that segment without sending a single frame.

Sniffing is detrimental to users and to the network because an attacker can capture, among other things:

email traffic, FTP passwords, web traffic, telnet passwords, router configuration, chat sessions, DNS traffic, etc.



How to Prevent Sniffing Attacks

  • Users should avoid connecting to unsecured networks, which includes free public Wi-Fi.
    • These networks are dangerous because anyone on them can run a packet sniffer against the whole segment.
    • An attacker can also set up their own fake free public Wi-Fi and sniff everything the victims send through it.
  • Use Encryption
    • Encryption converts plaintext into ciphertext that an attacker who captures it cannot read without the key.
    • Data should be encrypted before it leaves the host, so that whatever is sniffed on the network is useless to the attacker.
    • In practice this means using encrypted protocols (HTTPS instead of HTTP, SSH instead of telnet, SFTP or FTPS instead of FTP, SNMPv3 instead of v1/v2c) or, on an untrusted network, a virtual private network (VPN) that encrypts all traffic to a trusted endpoint.
  • Network scanning and monitoring
    • Network administrators should scan and monitor their networks to detect suspicious traffic.
    • This can be achieved by bandwidth monitoring and device auditing, and by watching for the side effects of active sniffing: ARP replies that change a host's IP-to-MAC binding, one MAC address claiming several IPs, a sudden burst of frames from thousands of new source MACs, or interfaces in promiscuous mode.
  • On managed switches, enable port security (a limit on the MACs learned per port), dynamic ARP inspection and DHCP snooping, which stop MAC flooding, ARP poisoning and rogue DHCP servers at the switch.
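One concrete way to monitor for the active sniffing techniques listed above (ARP poisoning in particular) is to watch ARP traffic for bindings that change. The following is an added example written for this page, not a tool from the original text: a minimal parser for raw Ethernet/ARP frames and a monitor that records the IP-to-MAC binding it last saw for each address and alerts when a binding changes or when one MAC claims several IPs, which is the pattern a gateway-impersonation attack produces. The MAC and IP addresses and the frames fed to it are constructed sample data; in production the authoritative bindings would come from a static list or the switch's DHCP snooping table rather than from the first frame seen.

```python
"""ARP poisoning monitor over raw Ethernet/ARP frames (added example, not from the page)."""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)
def _mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def _ip_bytes(s): return bytes(int(o) for o in s.split("."))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct a raw Ethernet+ARP frame (used only to make sample traffic)."""
    smac, tmac = _mac_bytes(sender_mac), _mac_bytes(target_mac)
    return ETH_HDR.pack(tmac, smac, ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, op, smac, _ip_bytes(sender_ip), tmac, _ip_bytes(target_ip))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if the frame is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    if ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return op, _mac(sha), _ip(spa), _ip(tpa)

class ArpMonitor:
    """Tracks sender bindings from every ARP request/reply and flags suspicious changes."""
    def __init__(self):
        self.bindings = {}               # ip -> mac most recently claimed for it
        self.claims = defaultdict(set)   # mac -> set of ips it has claimed
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; returns the list of alerts it raised (possibly empty)."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        _op, sha, spa, _tpa = parsed
        new = []
        known = self.bindings.get(spa)
        if known is not None and known != sha:
            new.append(f"{spa} changed from {known} to {sha}")
        self.bindings[spa] = sha          # keep the latest binding, so a flip back alerts too
        self.claims[sha].add(spa)
        if len(self.claims[sha]) > 1:     # one NIC answering for several IPs: classic MITM sign
            new.append(f"{sha} claims {sorted(self.claims[sha])}")
        self.alerts.extend(new)
        return new

# Constructed sample hosts: a gateway, a victim and an attacker on 192.168.1.0/24.
GW_MAC, VICTIM_MAC, ATTACKER_MAC = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
GW_IP, VICTIM_IP = "192.168.1.1", "192.168.1.10"

def run_demo():
    """Replay a constructed ARP poisoning sequence; returns all alerts raised."""
    mon = ArpMonitor()
    frames = [
        build_arp(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),          # genuine gateway reply
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GW_IP),  # victim asks
        build_arp(ARP_REPLY, ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),    # "I am the gateway"
        build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GW_MAC, GW_IP),        # "I am the victim"
        build_arp(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),          # real gateway again
    ]
    for f in frames:
        mon.observe(f)
    return mon.alerts

if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```

The monitor deliberately updates the binding after an alert rather than pinning the first one, so a poisoned entry flipping back to the real host (the last frame in the demo) also produces an alert; that "flip-flop" pattern is exactly what arpwatch-style tools report, and it is the signal to look for when an attacker and the genuine host are both answering for the same IP.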

How is packet sniffing used for attacking?

  • Packet sniffing captures network traffic at the Ethernet frame level, usually by putting a network interface into promiscuous mode so that it accepts frames not addressed to it.
  • The captured frames are then decoded layer by layer (Ethernet, IP, TCP/UDP, application protocol) and any sensitive information carried in cleartext can be retrieved.
  • Such an attack starts with a capture tool such as Wireshark or tcpdump.


Some of the attack techniques used on a network are the following:


MAC flooding:

Flooding the switch with frames carrying bogus source MAC addresses so that its CAM table overflows. Once the table is full the switch can no longer learn where the real hosts are, and it forwards frames for unknown destinations out of every port, like a hub, so the attacker's port receives traffic it would otherwise never see.


DNS Cache Poisoning:

Inserting forged records into a resolver's DNS cache so that requests for a legitimate name are redirected to a malicious server where the attacker can capture the traffic. The malicious site may be a genuine-looking copy of the real one, set up by the attacker so that victims trust it; when a user enters login details they are captured right away.
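A forged record only gets into the cache if the resolver accepts the forged reply, so the attack is a race: the attacker has to deliver a reply that matches the outstanding query (transaction ID, destination port and question) before the genuine answer arrives. The following added example, written for this page rather than taken from it, builds real DNS wire-format messages and simulates that race twice: against a resolver that uses sequential transaction IDs and a fixed source port of 53 (the attacker guesses the ID and wins), and against one that randomises both (the guesses miss and the genuine answer is cached). The domain name, the addresses and the 256-guess flood are constructed sample values, and the resolver is a deliberately minimal model of the real check.

```python
"""DNS cache poisoning race, simulated on real wire-format messages (added example)."""
import random
import struct

DNS_HDR = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
RR_FIXED = struct.Struct("!HHHIH")   # compressed name pointer, type, class, ttl, rdlength

def encode_name(name):
    """'bank.example' -> b'\\x04bank\\x07example\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(txid, name):
    return DNS_HDR.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, addr):
    """A response with one A record; 0xC00C points back at the question name."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = RR_FIXED.pack(0xC00C, 1, 1, 300, 4) + bytes(int(o) for o in addr.split("."))
    return DNS_HDR.pack(txid, 0x8180, 1, 1, 0, 0) + question + answer

def parse_response(msg):
    """Return (txid, question name, first A record address) from a response."""
    txid = DNS_HDR.unpack_from(msg)[0]
    off, labels = DNS_HDR.size, []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1: off + 1 + n].decode())
        off += 1 + n
    off += 1 + 4                                   # root label, qtype, qclass
    rdlen = RR_FIXED.unpack_from(msg, off)[4]
    off += RR_FIXED.size
    return txid, ".".join(labels), ".".join(str(b) for b in msg[off: off + rdlen])

class StubResolver:
    """Caches the first reply whose (txid, destination port, name) match the pending query."""
    def __init__(self, randomize, rng):
        self.randomize, self.rng = randomize, rng
        self.next_txid, self.pending, self.cache = 0x1000, None, {}

    def send_query(self, name):
        if self.randomize:
            txid, port = self.rng.randrange(1 << 16), self.rng.randrange(1024, 1 << 16)
        else:                                      # predictable: sequential id, fixed port 53
            txid, port = self.next_txid, 53
            self.next_txid = (self.next_txid + 1) & 0xFFFF
        self.pending = (txid, port, name)
        return build_query(txid, name), port

    def receive(self, msg, dst_port):
        """Accept a reply only if it matches the outstanding query; True if it was cached."""
        if self.pending is None:
            return False
        txid, name, addr = parse_response(msg)
        if (txid, dst_port, name) != self.pending:
            return False
        self.cache[name] = addr
        self.pending = None
        return True

def poisoning_attempt(randomize, seed=7, guesses=256):
    """Attacker floods forged replies (id guessed from the known counter, port assumed 53)
    before the genuine reply arrives; returns what ends up in the cache."""
    resolver = StubResolver(randomize, random.Random(seed))
    name, legit, evil = "bank.example", "203.0.113.10", "198.51.100.66"
    query, port = resolver.send_query(name)
    for txid in range(0x1000, 0x1000 + guesses):  # attacker learned the counter earlier
        resolver.receive(build_response(txid, name, evil), 53)
    real_txid = DNS_HDR.unpack_from(query)[0]      # the real server echoes the query's id
    resolver.receive(build_response(real_txid, name, legit), port)
    return resolver.cache[name]

if __name__ == "__main__":
    print("predictable resolver caches:", poisoning_attempt(randomize=False))
    print("randomised resolver caches: ", poisoning_attempt(randomize=True))
```

With the predictable resolver the very first forged reply is accepted and the genuine one, arriving later, is discarded because nothing is pending any more. With random IDs and ports the attacker would need to guess roughly 2^32 combinations inside the reply window; that, plus checking that the answer section actually belongs to the question asked, is the defence modern resolvers rely on.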



Evil Twin Attack:

The attacker sets up a rogue wireless access point that advertises the same network name (SSID) as a legitimate one, often with a stronger signal, so that victims' devices join it instead of the real network. Because the attacker now controls the victims' gateway, every unencrypted packet they send can be sniffed, and the attacker can answer their DNS queries with forged records to reroute them to websites of the attacker's choosing.



MAC Spoofing:

The attacker learns the MAC address of a victim connected to the switch and configures the sniffing machine's interface with that same address. As soon as the attacker sends a frame, the switch updates its CAM table to associate the victim's MAC with the attacker's port, so frames intended for the victim are delivered to the sniffer. The victim's own frames keep flipping the entry back, so the attacker usually has to keep transmitting, which makes the technique noisy.
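The hub-versus-switch distinction from the Types of Sniffing section, the CAM-table overflow described under MAC flooding, and the table rewrite described under MAC spoofing all come down to one data structure: the switch's MAC-to-port table. The following simulation is an added example written for this page, not code from the original text. The port names, MAC addresses and table size are made up, and the model omits aging: on a real switch the attacker keeps flooding so that any victim entry that ages out is immediately replaced by a bogus one, which the simulation represents by having the flood run before the victims talk.

```python
"""Hub vs switch forwarding, MAC flooding and MAC spoofing on a toy CAM table (added example)."""

def frame(src, dst):
    return {"src": src, "dst": dst}

class Hub:
    """A hub is a repeater: every frame goes out of every port except the one it arrived on."""
    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, f, in_port):
        return [p for p in self.ports if p != in_port]

class Switch:
    """A learning switch with a bounded CAM table (MAC -> port)."""
    def __init__(self, ports, cam_size=256):
        self.ports, self.cam_size = list(ports), cam_size
        self.cam = {}

    def forward(self, f, in_port):
        src, dst = f["src"], f["dst"]
        # learn or refresh the source MAC on the ingress port; a full table means no learning
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = in_port
        if dst in self.cam:
            return [self.cam[dst]]                          # known destination: unicast
        return [p for p in self.ports if p != in_port]     # unknown destination: flood

# Constructed topology: hosts A and B plus the sniffer on a third port.
PORTS = ("A", "B", "ATTACKER")
MAC_A, MAC_B = "00:11:22:33:44:0a", "00:11:22:33:44:0b"

def demo_hub():
    """Passive sniffing: on a hub the attacker's port receives A->B without doing anything."""
    return Hub(PORTS).forward(frame(MAC_A, MAC_B), "A")

def demo_switch():
    """On a switch, once B has been learned, A->B is unicast and the attacker sees nothing."""
    sw = Switch(PORTS)
    sw.forward(frame(MAC_B, MAC_A), "B")        # B talks first, so the switch learns B on port B
    return sw.forward(frame(MAC_A, MAC_B), "A")

def demo_mac_flood(n_bogus=1000):
    """MAC flooding: bogus source MACs fill the table, so A and B can never be learned and
    their traffic is flooded to every port. Returns (ports A->B went to, table size, A learned?)."""
    sw = Switch(PORTS)
    for i in range(n_bogus):
        bogus = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        sw.forward(frame(bogus, "ff:ff:ff:ff:ff:ff"), "ATTACKER")
    sw.forward(frame(MAC_B, MAC_A), "B")        # B's entry no longer fits
    out = sw.forward(frame(MAC_A, MAC_B), "A")
    return out, len(sw.cam), MAC_A in sw.cam

def demo_mac_spoof():
    """MAC spoofing: one frame with B's MAC as source moves B's CAM entry to the attacker's
    port, so the next A->B frame is delivered to the sniffer instead of to B."""
    sw = Switch(PORTS)
    sw.forward(frame(MAC_B, MAC_A), "B")
    sw.forward(frame(MAC_A, MAC_B), "A")
    sw.forward(frame(MAC_B, MAC_A), "ATTACKER")  # spoofed source MAC
    return sw.forward(frame(MAC_A, MAC_B), "A")

if __name__ == "__main__":
    print("hub, A->B delivered to:", demo_hub())
    print("switch, A->B delivered to:", demo_switch())
    print("after MAC flood, A->B delivered to:", demo_mac_flood())
    print("after MAC spoof, A->B delivered to:", demo_mac_spoof())
```

Two things worth noticing in the output: the switch floods the very first frame to an unknown destination even without any attack (so a sniffer always sees a little unicast traffic at start-up), and after the flood the table holds exactly the configured number of entries, every one of them bogus. Port security on a managed switch defeats the flood by capping the number of MACs a port may learn, and it defeats the spoof by refusing to move a MAC that is already bound to another port.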


How to Identify a Sniffer?

  • How hard a sniffer is to identify depends on how sophisticated the attack is.
  • A purely passive sniffer sends nothing, so it can remain undetected on the network for a long time.
  • Anti-sniffer tools exist that try to detect hosts in promiscuous mode (for example by sending ARP requests to a MAC address nobody owns and seeing which host still answers), but a careful attacker can evade them, which creates a false sense of security.
  • A sniffer can be software installed on a host, a hardware tap or device plugged into the network, or a compromised network node such as a router, switch or DNS server.
  • Real networks are complex, which makes it difficult to identify sniffers; it is usually easier to detect the active techniques (ARP poisoning, MAC flooding) than the sniffer itself.

Protocols vulnerable to sniffing attacks

These protocols send credentials and data in cleartext, so anything captured can be read directly:

  • HTTP (including Basic authentication headers and form logins)
  • TELNET
  • FTP
  • POP3 (likewise IMAP and SMTP when used without TLS)
  • SNMP v1 and v2c (the community string is the password)
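The list above, and the earlier list of things a sniffer can capture (FTP and telnet passwords, web traffic, router configuration), becomes concrete once you decode captured packets layer by layer and look at what the application protocol carries. The following is an added example written for this page, not a tool from the original text: a minimal Ethernet/IPv4/TCP/UDP decoder and a credential extractor for FTP and POP3 (USER then PASS across two segments), HTTP Basic authentication and SNMP v1/v2c community strings. The packets it is fed are constructed samples built by the block itself, with zeroed checksums; telnet is omitted because it sends one keystroke per segment and needs TCP stream reassembly, and the SNMP decoder handles only short-form BER lengths, which is enough for a normal GetRequest.

```python
"""Credential extraction from cleartext protocols in captured packets (added example)."""
import base64
import re
import struct

ETH = struct.Struct("!6s6sH")           # dst, src, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")   # ver/ihl, tos, len, id, flags, ttl, proto, csum, src, dst
TCP = struct.Struct("!HHIIBBHHH")       # sport, dport, seq, ack, offset, flags, win, csum, urg
UDP = struct.Struct("!HHHH")            # sport, dport, len, csum

def _ip_bytes(a): return bytes(int(o) for o in a.split("."))

def build_packet(src, dst, sport, dport, payload, udp=False):
    """Construct an Ethernet/IPv4/TCP-or-UDP packet; checksums are zero (sample traffic only)."""
    if udp:
        l4 = UDP.pack(sport, dport, UDP.size + len(payload), 0)
    else:
        l4 = TCP.pack(sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)   # PSH|ACK, 20-byte header
    total = IPV4.size + len(l4) + len(payload)
    ip = IPV4.pack(0x45, 0, total, 1, 0, 64, 17 if udp else 6, 0, _ip_bytes(src), _ip_bytes(dst))
    return ETH.pack(b"\x00" * 6, b"\x00" * 6, 0x0800) + ip + l4 + payload

def parse_packet(pkt):
    """Return (proto, src, dst, sport, dport, payload) for IPv4 TCP/UDP, else None."""
    if ETH.unpack_from(pkt)[2] != 0x0800:
        return None
    off = ETH.size
    vihl, _, _, _, _, _, proto, _, src, dst = IPV4.unpack_from(pkt, off)
    off += (vihl & 0x0F) * 4                     # IHL is in 32-bit words
    if proto == 6:
        sport, dport, _, _, doff, *_ = TCP.unpack_from(pkt, off)
        off += (doff >> 4) * 4                   # data offset is in 32-bit words
    elif proto == 17:
        sport, dport, _, _ = UDP.unpack_from(pkt, off)
        off += UDP.size
    else:
        return None
    return proto, ".".join(map(str, src)), ".".join(map(str, dst)), sport, dport, pkt[off:]

def snmp_community(payload):
    """Walk SEQUENCE { INTEGER version, OCTET STRING community, ... } (short-form lengths only)."""
    if len(payload) < 7 or payload[0] != 0x30 or payload[2] != 0x02:
        return None
    off = 4 + payload[3]                         # skip SEQUENCE tag/len and the INTEGER version
    if payload[off] != 0x04:
        return None
    n = payload[off + 1]
    return payload[off + 2: off + 2 + n].decode("latin-1")

class CredentialSniffer:
    """Feed packets one at a time; returns a credential record whenever one completes."""
    def __init__(self):
        self.pending_users = {}                  # (src, sport, dst, dport) -> USER seen so far

    def feed(self, pkt):
        parsed = parse_packet(pkt)
        if parsed is None:
            return None
        proto, src, dst, sport, dport, payload = parsed
        text = payload.decode("latin-1")
        if proto == 17 and dport == 161:
            community = snmp_community(payload)
            return {"proto": "snmp", "host": dst, "community": community} if community else None
        if dport in (21, 110):                   # FTP / POP3: USER and PASS arrive separately
            m = re.match(r"(USER|PASS) (\S+)", text)
            if not m:
                return None
            key = (src, sport, dst, dport)
            if m.group(1) == "USER":
                self.pending_users[key] = m.group(2)
                return None
            return {"proto": "ftp" if dport == 21 else "pop3", "host": dst,
                    "user": self.pending_users.pop(key, None), "password": m.group(2)}
        if dport == 80:
            m = re.search(r"Authorization: Basic ([A-Za-z0-9+/=]+)", text)
            if not m:
                return None
            user, _, password = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
            return {"proto": "http", "host": dst, "user": user, "password": password}
        return None

def run_demo():
    """Run constructed sample packets through the sniffer; returns the credentials recovered."""
    snmp_body = b"\x02\x01\x00" + b"\x04\x06public" + b"\xa0\x00"   # v1, 'public', empty PDU
    pkts = [
        build_packet("10.0.0.5", "10.0.0.9", 40001, 21, b"USER alice\r\n"),
        build_packet("10.0.0.5", "10.0.0.9", 40001, 21, b"PASS hunter2\r\n"),
        build_packet("10.0.0.5", "10.0.0.8", 40002, 80, b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
                     b"Authorization: Basic " + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
        build_packet("10.0.0.5", "10.0.0.7", 40003, 161, b"\x30" + bytes([len(snmp_body)]) + snmp_body, udp=True),
    ]
    sniffer, found = CredentialSniffer(), []
    for p in pkts:
        rec = sniffer.feed(p)
        if rec is not None:
            found.append(rec)
    return found

if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```

The same three extractors run unchanged over a real capture (for example frames read from a pcap file) because the decoder only assumes Ethernet II framing and IPv4; the point of the demo is that none of these protocols does anything to hide the secret, so once the attacker has the frames the "cracking" step is a regular expression.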

Top Sniffing Tools

  • Wireshark
  • dSniff
  • Debookee
  • BetterCAP
  • EtterCAP
  • TCPdump
  • Omnipeek
  • EtherAPE
  • MSN Sniffer
  • WinDUMP
  • NetWitness NextGen
