CEH 8-Sniffing
What is Sniffing?
- Sniffing is the process of monitoring and capturing all data packets passing through a given network.
- Sniffing is a form of wiretap applied to computer networks.
- We can sniff data packets using tools like Wireshark.
- We can sniff data from wired networks or wireless networks.
- Any protocol that do not encrypt data are vulnerable to sniffing attacks.
- Attackers use sniffers to capture data packets containing sensitive information such as passwords, account information, etc.
- Sniffers works in the Datalink Layer.
Disclaimer: The
articles provided on HackWithV is purely for informational and
educational purpose only, and for those who are willing and curious to
know & learn about Ethical Hacking, Security and Penetration
Testing. Anytime the word "Hacking" that is used on this site shall be
regarded as Ethical Hacking.
Types of sniffing:
- Sniffing is classified into two types based on the way they interact with the data packet to capture and provide the user, ability to alter the packet.
- Active sniffing
- Passive sniffing
1. Active Sniffing:
- Active Sniffing involves injecting address resolution (ARP) packets into the network to modify Content Addressable Memory (CAM) Table which resides in the switch.
- CAM keeps track of which host is connected to which port on the switched network.
2. Passive sniffing:
- Passive sniffing involves listening and capturing traffic, in a network connected by hubs.
Protocols Vulnerable to Sniffing:
- FTP - 20/21
- SSH - 22
- Telnet - 23
- SMTP - 25
- HTTP - 80
- POP3 - 110
- NTP - 123
- IMAP - 123
- RDP - 3389
- SNMP - 25
What is Sniffer?
- A sniffer is a software tool that monitors the data flowing through computer network links in real time.
- It can be a self-contained software program or a hardware device with the appropriate software or firmware to perform sniffing.
- Sniffers can capture copies of data packets without redirecting or altering it.
- Some sniffers work only with TCP/IP packets, but the more sophisticated tools can work with many other network protocols and at lower levels, including ethernet frames.
List of Sniffing Tools:
- Bettercap − Bettercap is a powerful, flexible and portable tool created to perform various types of MITM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in real-time, sniff for credentials, and much more.
- Ettercap − Ettercap is a comprehensive suite for man-in-the-middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
- Wireshark − It is one of the most widely known and used packet sniffers. It offers a tremendous number of features designed to assist in the dissection and analysis of traffic.
- Tcpdump − It is a well-known command-line packet analyzer. It provides the ability to intercept and observe TCP/IP and other packets during transmission over the network. Available at www.tcpdump.org.
- WinDump − A Windows port of the popular Linux packet sniffer tcpdump, which is a command-line tool that is perfect for displaying header information.
1. Port Mirroring (SPAN Port):
- Port mirroring is used by the network switch to send a copy of all network traffic to SPAN port on the switch.
- This is commonly used for monitoring network traffic by system administrators to detect suspicious activities in the network.
2. ARP Spoofing:
Address Resolution Protocol:
- Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given network layer address.
- This mapping is a critical function in the Internet Protocol suite.
- It is communicated within the boundaries of a single network never routed across internetworking nodes.
- ARP uses a simple message format containing one address resolution request or response.
- The size of the ARP message depends on the link layer and network layer address sizes.
ARP Spoofing:
- In computer networking, ARP spoofing is a technique by which an attacker sends spoofed ARP messages onto a local area network.
- Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway.
- This results any traffic meant for that IP address to be sent to the attacker instead of gateway.
- ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.
- Often this attack leads to other attacks, such as Denial of service (DoS), Man in the middle (MITM), or Session hijacking attacks.
3. DNS Spoofing:
- DNS spoofing is a technique of introducing corrupt Domain Name System
details into the DNS resolver cache causing the name server to return an incorrect result record. - This results in traffic being diverted to the attacker's computer.
- A Domain Name System translates human-readable domain name into a numerical IP address.
- This IP address is used to route communications between nodes.
- If a DNS server is poisoned, it returns an incorrect IP address that diverts the traffic to another computer.
4. Man in the Middle attack:
- Man in the Middle attack is where an attacker positions himself in a conversation between a user and an application.
- This results either to eavesdrop or to impersonate regular conversations.
- The attacker tries to steal personal information, such as login credentials, account details, and credit card numbers.
- Information obtained during attacks can be used to perform identity theft, unapproved fund transfers or an illicit password change.
Methods to Detect Sniffing:
- Observing Network Traffic.
- Observing ARP Table to Detect ARP Poisoning.
- Use XARP Advanced ARP Poisoning Detection Tool.
Mitigations:
- Use HTTPS instead of HTTP to protect usernames and passwords.
- Use switch instead of the hub, as switch delivers data only to the intended recipient.
- Use SFTP, instead of FTP for secure transfer of files.
- Use PGP and S/MIME, VPN, IPSec, SSL/TLS, SSH and One-time passwords.
- Always encrypt the wireless traffic with a strong encryption protocol such as WPA and WPA2.
- Retrieve MAC directly from NIC instead of OS, this prevents MAC address spoofing.
- Use tools to determine if any NIC’s are running in the promiscuous mode.
Comments
Post a Comment