Masters of Computer Science Cyber Security

What is Sniffing?

Network Sniffing

  • Sniffing is the process of monitoring and capturing all data packets passing through a given network using sniffing tools.
  • It is a form of wiretap applied to computer networks.
  • Many enterprises' switch ports are open.
  • Anyone in the same physical location can plug into the network using an Ethernet cable.

Protocols Vulnerable to Sniffing

  • HTTP: Data sent in clear text
  • Telnet and Rlogin: Keystrokes, including user names and passwords
  • POP: Passwords and data sent in clear text
  • IMAP: Passwords and data sent in clear text
  • SMTP: Passwords and data sent in clear text
  • FTP: Passwords and data sent in clear text

Types of Sniffing

# Passive Sniffing

  • Passive sniffing means sniffing through a hub; on a hub, the traffic is sent to all ports.
  • It involves only monitoring the packets sent by others, without injecting any additional packets into the network traffic.

# Active Sniffing

  • Active sniffing is used to sniff a switch-based network.
  • Active sniffing involves injecting Address Resolution Protocol (ARP) packets into the network to flood the switch's Content Addressable Memory (CAM) table.

Active Sniffing Techniques

MAC Flooding

  • The idea behind a MAC flooding attack is to send a huge number of ARP replies to a switch, thereby overloading the switch's CAM table.
    • This fills the switch's CAM table, so new MAC addresses can no longer be saved and the switch starts to send all packets out of all ports; it then behaves like a hub, and all traffic passing through it can be monitored.
    • macof (part of the dsniff suite) is a tool used to flood a switch on a local network with MAC addresses.

```shell
# Run as root. -i selects the interface, -n the number of frames to send,
# -d the destination IP address to put in the generated frames.
macof -i eth0 -n 15
macof -i eth0 -d 192.168.1.1 -n 25
```

  • How to defend against a MAC flooding attack: deploy port security. Port security restricts the inbound traffic on a port to a selected set of MAC addresses and so limits MAC flooding attacks.
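As an added example (not code from the original notes), the following Python simulation replays a constructed stream of (ingress port, source MAC) frames through a port-security table with a per-port limit on learned addresses. It shows why the defense above works: a macof-style burst of new source MACs trips the limit on its own port and the port is shut down, so the addresses never reach the CAM table. Port names and addresses are made up.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """State of one switch port under port security: it learns at most
    max_macs source addresses; any further new address is a violation
    that err-disables the port (the "shutdown" violation mode)."""
    name: str
    max_macs: int = 2
    learned: set = field(default_factory=set)
    violations: int = 0
    enabled: bool = True

def port_security(frames, max_macs: int = 2) -> dict:
    """Replay (ingress_port, source_mac) frames through a port-security table
    and return {port_name: SecurePort} describing the resulting state."""
    ports: dict = {}
    for port_name, src_mac in frames:
        port = ports.setdefault(port_name, SecurePort(port_name, max_macs))
        if not port.enabled:
            port.violations += 1            # port is shut down: frame dropped
        elif src_mac in port.learned or len(port.learned) < port.max_macs:
            port.learned.add(src_mac)       # known address, or still under the limit
        else:
            port.violations += 1
            port.enabled = False            # new address over the limit: shut the port
    return ports

# Constructed traffic (not a real capture): two hosts on Gi0/1, one host on
# Gi0/2, then a macof-style burst of 500 distinct source MACs on Gi0/3.
FRAMES = [("Gi0/1", "aa:bb:cc:00:00:10"), ("Gi0/2", "aa:bb:cc:00:00:20"),
          ("Gi0/1", "aa:bb:cc:00:00:11"), ("Gi0/1", "aa:bb:cc:00:00:10")]
FRAMES += [("Gi0/3", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(500)]

if __name__ == "__main__":
    for p in port_security(FRAMES).values():
        print(f"{p.name}: learned={len(p.learned)} violations={p.violations} enabled={p.enabled}")
```

Gi0/3 learns its first two addresses, is shut down on the third, and drops the remaining 497 frames; the legitimate ports stay up with no violations.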

DNS Poisoning

DNS poisoning results in the substitution of a false IP address at the DNS level, where web addresses are converted into numeric IP addresses. It allows an attacker to replace the IP address entries for a target site on a given DNS server with the IP address of a server he or she controls. The attacker can then create fake DNS entries for that server (hosting malicious content) with the same names as the target server.

ARP Poisoning

  • Address Resolution Protocol (ARP) is a stateless protocol used for resolving IP addresses to machine (MAC) addresses.
    • All network devices that need to communicate on the network broadcast ARP queries to find out other machines' MAC addresses.
    • When one machine needs to communicate with another, it looks up its ARP table. If the MAC address is not found in the table, an ARP_REQUEST is broadcast over the network.
    • All machines on the network compare the requested IP address with their own.
    • If one of the machines on the network identifies with this address, it responds to the ARP_REQUEST with its IP and MAC address. The requesting machine stores the address pair in its ARP table and communication takes place.
    • The ARP poisoning attack consists of poisoning the ARP table of a victim, making it believe that the attacker is the router, so that the victim forwards all its traffic to the attacker, who can then sniff each and every connection the victim makes.
    • In this way, a victim device could unknowingly send all its network traffic to the attacker, who can carry out two different types of attack: denial of service (DoS) and man-in-the-middle (MITM).
    • Threats of ARP poisoning:
      • Packet Sniffing
      • Session Hijacking
      • VoIP Call Tapping
      • Man-in-the-Middle Attack
      • Data Interception
      • Connection Hijacking
      • Stealing Passwords
      • Denial-of-Service (DoS) Attack
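The following Python example is added here and is not part of the original notes. It decodes raw ARP packets (the RFC 826 layout) and applies the Dynamic ARP Inspection check listed under the defenses: every ARP packet's sender IP/MAC pair is compared against a trusted binding table, and a reply in which another MAC claims the gateway's IP is flagged. The binding table and the three packets are constructed sample data, not real addresses.

```python
import struct

# ARP packet for Ethernet/IPv4 (RFC 826): hw type(2) proto type(2) hw len(1)
# proto len(1) opcode(2) sender MAC(6) sender IP(4) target MAC(6) target IP(4)
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp(payload: bytes) -> dict:
    """Decode a raw ARP packet (Ethernet payload, 14-byte frame header stripped)."""
    hw, proto, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, payload[:28])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}

def build_arp(op: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Encode a raw ARP packet; used here only to construct the sample traffic."""
    smac_b, tmac_b = (bytes.fromhex(m.replace(":", "")) for m in (smac, tmac))
    sip_b, tip_b = (bytes(int(o) for o in a.split(".")) for a in (sip, tip))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, smac_b, sip_b, tmac_b, tip_b)

def inspect_arp(packets, bindings: dict) -> list:
    """DAI-style check: the sender IP/MAC pair in every ARP packet must match the
    trusted binding table (on a switch, DHCP snooping builds it). Returns alerts."""
    alerts = []
    for raw in packets:
        arp = parse_arp(raw)
        expected = bindings.get(arp["sender_ip"])
        if expected is None:
            alerts.append(f"unbound sender {arp['sender_ip']} ({arp['sender_mac']})")
        elif expected != arp["sender_mac"]:
            alerts.append(f"spoofed binding: {arp['sender_ip']} is {expected}, "
                          f"claimed by {arp['sender_mac']}")
    return alerts

# Constructed sample (not real addresses): trusted bindings for a gateway and one host.
BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01", "192.168.1.10": "aa:bb:cc:00:00:10"}
SAMPLE = [
    build_arp(ARP_REQUEST, "aa:bb:cc:00:00:10", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(ARP_REPLY, "aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
    # a rogue host at de:ad:be:ef:00:01 tells the host that it is the gateway
    build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
]
```

Calling inspect_arp(SAMPLE, BINDINGS) passes the legitimate request and reply and returns a single alert for the third packet.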

DHCP Attacks

  • DHCP starvation is a denial-of-service (DoS) attack on DHCP servers in which the attacker broadcasts forged DHCP requests and tries to lease all of the addresses available in the DHCP scope.
    • As a result, legitimate users are unable to obtain or renew an IP address via DHCP and so fail to gain network access.
    • How to conduct a DHCP starvation attack in Kali: https://edulabs.netlify.app/dhcp-starvation/

Switch Port Stealing

Spoofing Attack

Network Sniffing Tools: List

  • Auvik
  • SolarWinds Network Packet Sniffer
  • Wireshark
  • Paessler PRTG
  • ManageEngine NetFlow Analyzer
  • TCPdump
  • WinDump
  • NetworkMiner

How to Defend Against Sniffing?

  • Use Dynamic ARP Inspection.
  • Use DHCP snooping.
  • Use IPv6 instead of the IPv4 protocol.
  • Use encrypted sessions such as SSH instead of Telnet, Secure Copy (SCP) instead of FTP, SSL for email connections, etc., to protect wireless network users against sniffing attacks.
  • Use HTTPS instead of HTTP to protect user names and passwords.
  • Use a switch instead of a hub, as a switch delivers data only to the intended recipient.

About Author

ICT Byte