08 - Sniffing

Sniffing is performed to collect basic information from the target and its network. It helps to find vulnerabilities and select exploits for the attack. It determines network information, system information, and organizational information.

Module Objective

The objective of this lab is to familiarize students with how to sniff a network and analyze packets for any attacks on the network. The primary objectives of this lab are to:

  • Sniff the network
  • Analyze incoming and outgoing packets
  • Troubleshoot the network for performance
  • Secure the network from attacks

Scenario

Sniffing is a technique used in information security to intercept data; many of the tools used to secure a network can also be used by attackers to exploit and compromise that same network. The core objective of sniffing is to steal data, such as sensitive information, email text, etc.

Network sniffing involves intercepting the network traffic between two target nodes and capturing the packets exchanged between them. A packet sniffer is also referred to as a network monitor; a network administrator uses it legitimately to monitor the network for vulnerabilities by capturing the traffic and, should there be any issues, to troubleshoot them.

Similarly, attackers can use sniffing tools in promiscuous mode to capture and analyze all the network traffic. Once attackers have captured the traffic, they can analyze the packets and view the username and password information on that network, as many protocols transmit this information in clear text. An attacker can easily intrude into the network using this login information and compromise other systems on it.

Hence, it is crucial for a network administrator to be familiar with network traffic analyzers. He or she should be able to maintain and monitor a network to detect rogue packet sniffers, MAC attacks, DHCP attacks, ARP poisoning, spoofing, and DNS poisoning, know what kinds of information can be recovered from captured data, and use that information to keep the network running smoothly.

I. Sniffing the Network Using the OmniPeek Network Analyzer

From the previous scenario, now you are aware of the importance of network sniffing. As an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

II. Spoofing MAC Address Using SMAC

In the previous lab, you learned how to use OmniPeek Network Analyzer to capture network packets and analyze the packets to determine if any vulnerability is present in the network. If an attacker is able to capture the network packets using such tools, he or she can gain information such as packet source and destination, total packets sent and received, errors, etc., which will allow the attacker to analyze the captured packets and exploit all the computers in a network.

In the previous lab, you learnt how to reinforce concepts of network security policy, policy enforcement, and policy audits. In this lab, you will learn how to spoof a MAC address.

Lab Analysis

Analyze and document the results related to the lab exercise.

III. Sniffing a Network Using the WinArpAttacker Tool

You have already learned in the previous lab that you can conceal your identity by spoofing the MAC address. An attacker, too, can alter his or her MAC address to evade network intrusion detection systems, bypass access control lists, and impersonate an authenticated user, continuing to communicate within the network after that user goes offline. Attackers can also use MAC flooding to compromise the security of network switches.

As an administrator, it is very important for you to detect odd MAC addresses on the network; you must have sound knowledge of footprinting, network protocols and their topology, TCP and UDP services, routing tables, remote access (SSH or VPN), and authentication mechanisms. You can enable port security on the switch to specify one or more permitted MAC addresses for each port. Another way to prevent an attacker from sniffing your network is to use static ARP entries. In this lab, you will learn to run the tool WinArpAttacker to sniff a network and protect it from attacks.

Lab Objectives

The objectives of this lab are to:

  • Scan, Detect, Protect, and Attack computers on local area networks (LANs):
    • Scan and show the active hosts on the LAN within a very short time period of 2-3 seconds
    • Save and load computer list files, and scan the LAN regularly for a new computer list
    • Update the computer list in passive mode using sniffing technology
  • Freely provide information regarding the type of operating systems they employ
  • Discover the kind of firewall, wireless access point and remote access
  • Discover any published information on the topology of the network
  • Discover if the site is seeking help for IT positions that could give information regarding the network services provided by the organization
  • Identify actual users and discover if they give out too much personal information, which could be used for social engineering purposes

In this lab you have learnt how to perform each of the tasks listed under Lab Objectives above.

Lab Analysis

Analyze and document the scanned, attacked IP addresses discovered in the lab.

IV. Sniffing Passwords Using Wireshark

As in the previous lab, you are able to capture TCP and UDP conversations; an attacker, too, can collect this information and use it to attack a network. Attackers listen to the conversation between two hosts and issue packets using the same source IP address. They first learn the IP address and the correct sequence number by monitoring the traffic. Once the attacker has control over the connection, he or she sends counterfeit packets. These attacks can cause various types of damage, including injecting data into an existing TCP connection and prematurely closing an existing TCP connection by injecting counterfeit packets with the FIN bit set.

As an administrator, you can configure a firewall or router to prevent the damage caused by such attacks. To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. Another use of a packet analyzer is to sniff passwords, which you will learn about in this lab using the Wireshark packet analyzer.

Lab Objectives

The objective of this lab is to demonstrate the sniffing technique for capturing traffic from multiple interfaces and collecting data from any network topology.

Lab Analysis

In this lab, you have learnt how to sniff traffic captured from multiple interfaces and collect data from any network topology. Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and “exposure” through public and free information.

V. Performing Man-in-the-Middle Attack Using Cain & Abel

You learned in the previous lab how to obtain username and password information using Wireshark. By merely capturing enough packets, attackers can extract the username and password if the victim authenticates on a public network, especially to a website without an HTTPS connection. Once the password is hacked, an attacker can simply log into the victim’s email account, or use that password to log in to their PayPal account and drain their bank account. They can even change the password for the email account. Attackers can use Wireshark to decrypt frames with the victim’s password they already have.

Lab Analysis

In this lab you have learnt how to sniff network traffic, perform ARP poisoning, launch a man-in-the-middle attack, and sniff the network for passwords. Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and “exposure” through public and free information.

VI. Detecting ARP Attacks with the XArp Tool

You have already learned in the previous lab how to capture username and password information using Cain & Abel. Similarly, attackers, too, can sniff a user’s username and password. Once attackers have a username and password, they can simply gain access to a network’s database and perform illegitimate activities. If that account has administrator permissions, attackers can disable firewalls, load destructive viruses and worms on the computer, and spread them across the network. They can also perform other types of attacks such as denial-of-service attacks, spoofing, buffer overflows, heap overflows, etc.

Lab Analysis

In this lab, you have learnt how to detect ARP attacks. Analyze and document the results related to the lab exercise.

VII. Detecting Systems Running in Promiscuous Mode in a Network Using PromqryUI

In an ARP storm attack, an attacker collects the IP and MAC addresses of the machines on a network for future attacks. An attacker can also send ARP packets to attack the network: if an ARP packet with a forged gateway MAC address is pushed onto the LAN, all communication within the LAN may fail. This attack consumes the resources of both victim and non-victim computers.

As a network administrator, you must regularly diagnose network traffic with a network analyzer and configure routers to prevent ARP flooding. Using a protocol analyzer, you should be able to identify the cause of a broadcast storm and a method to resolve it. Identify susceptible points on the network and protect them before attackers discover and exploit the vulnerabilities, especially on ARP-enabled LAN segments, since ARP is a protocol with known security loopholes that allow attackers to conduct various ARP attacks.
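As an added example of the kind of check a protocol analyzer or an ARP-watching tool performs (illustrative code written for this page, not part of the lab or of XArp, PromqryUI or any other tool it names), the Python below parses raw Ethernet/ARP frames from a constructed sample capture and flags an IP whose sender MAC changes, which is exactly what a forged-gateway reply looks like on the wire; the static_table argument pins known bindings the way the static ARP entries recommended earlier do. The MAC and IP addresses in the sample are made up.

```python
import struct

def _mac(s): return bytes.fromhex(s.replace(":", ""))     # "aa:bb:cc:dd:ee:ff" -> 6 bytes
def _ip(s): return bytes(int(x) for x in s.split("."))    # "10.0.0.1" -> 4 bytes

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame; used here only to construct the sample capture."""
    dst = "ff:ff:ff:ff:ff:ff" if op == 1 else tha          # requests are broadcast
    eth = _mac(dst) + _mac(sha) + b"\x08\x06"               # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)        # Ethernet/IPv4, hlen 6, plen 4
    return eth + arp + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return op, sha, spa

def detect_arp_poisoning(frames, static_table=None):
    """Flag ARP frames whose sender IP is already bound to a different MAC.
    static_table pins known IP->MAC pairs up front (the lab's static ARP entries).
    Returns [(frame_index, ip, expected_mac, claimed_mac), ...]."""
    seen = dict(static_table or {})
    alerts = []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue                  # not ARP, or malformed: nothing to learn
        _op, sha, spa = parsed
        if spa == "0.0.0.0":
            continue                  # ARP probe (RFC 5227) claims no binding
        if spa in seen and seen[spa] != sha:
            alerts.append((n, spa, seen[spa], sha))
        else:
            seen.setdefault(spa, sha)
    return alerts

# Constructed sample capture: 10.0.0.1 is the gateway; the last frame forges a reply rebinding it to the attacker's MAC.
GATEWAY, HOST, ATTACKER = "00:11:22:33:44:01", "00:11:22:33:44:10", "de:ad:be:ef:00:ee"
SAMPLE_CAPTURE = [
    build_arp(1, HOST, "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),  # who has 10.0.0.1?
    build_arp(2, GATEWAY, "10.0.0.1", HOST, "10.0.0.10"),              # genuine reply
    build_arp(1, HOST, "0.0.0.0", "00:00:00:00:00:00", "10.0.0.10"),   # probe, ignored
    build_arp(2, ATTACKER, "10.0.0.1", HOST, "10.0.0.10"),             # forged gateway reply
]
```

Running detect_arp_poisoning(SAMPLE_CAPTURE) yields a single alert for frame 3, where 10.0.0.1 is claimed by the attacker's MAC; on a live system the same logic would be fed frames from a promiscuous capture.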

Attackers may also install network interfaces to run in promiscuous mode to capture all the packets that pass over a network. As an expert ethical hacker and penetration tester, you must be aware of the tools to detect network interfaces running in promiscuous mode as it might be a network sniffer. In this lab, you will learn to use the tool PromqryUI to detect such network interfaces running in promiscuous mode.

Lab Objectives

The objective of this lab is to:

  • Detect promiscuous systems in a network

Lab Analysis

In this lab, you have learnt how to detect promiscuous systems in a network. Analyze and document the results related to the lab exercise.

VIII. Sniffing Passwords from Captured Packets Using Sniff-O-Matic

Attackers may install a sniffer on a trusted network to capture packets, and will be able to view every single packet crossing the network if the network uses a hub or a router for data transmission. With the captured packets, attackers can learn about vulnerabilities, sniff the username and password, and log in to the network as an authenticated user. Once logged in successfully, the hacker can easily install viruses and Trojans to steal data and sensitive information, and cause serious damage to that network.

As an expert ethical hacker and penetration tester, you should have sound knowledge of sniffing, network protocols, authentication mechanisms, and encryption techniques. You should also regularly check your network and close any unnecessary open ports. Always ensure that whenever sensitive data must be sent over the network, you use an encrypted protocol to minimize data leakage.

Lab Objectives

The objective of this lab is to sniff passwords from captured packets using the tool Sniff-O-Matic.

Lab Analysis

In this lab you have learnt how to sniff passwords from captured packets using the tool Sniff-O-Matic. Analyze and document the results related to the lab exercise.

Module Syllabus

  • Lawful Intercept
    • Benefits of Lawful Intercept
    • Network Components Used for Lawful Intercept
  • Wiretapping
  • Sniffing Threats
  • How a Sniffer Works?
  • Hacker Attacking a Switch
  • Types of Sniffing: Passive Sniffing
  • Types of Sniffing: Active Sniffing
  • Protocols Vulnerable to Sniffing
  • Tie to Data Link Layer in OSI Model
  • Hardware Protocol Analyzers
  • SPAN Port
  • MAC Flooding
    • MAC Address/CAM Table
    • How CAM Works?
    • What Happens When CAM Table is Full?
    • MAC Flooding Switches with macof
    • MAC Flooding Tool: Yersinia
    • How to Defend against MAC Attacks?
  • How DHCP Works?
    • DHCP Request/Reply Messages
    • IPv4 DHCP Packet Format
    • DHCP Starvation Attack
    • Rogue DHCP Server Attack
    • DHCP Starvation Attack Tool: Gobbler
    • How to Defend Against DHCP Starvation and Rogue Server Attack?
  • What is Address Resolution Protocol (ARP)?
    • ARP Spoofing Attack
    • How Does ARP Spoofing Work?
    • Threats of ARP Poisoning
    • ARP Poisoning Tool: Cain and Abel
    • ARP Poisoning Tool: WinArpAttacker
    • ARP Poisoning Tool: Ufasoft Snif
    • How to Defend Against ARP Poisoning? Use DHCP Snooping Binding Table and Dynamic ARP Inspection
  • Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches
  • MAC Spoofing/Duplicating
    • Spoofing Attack Threats
    • MAC Spoofing Tool: SMAC
    • How to Defend Against MAC Spoofing? Use DHCP Snooping Binding Table, Dynamic ARP Inspection and IP Source Guard
  • DNS Poisoning Techniques
    • Intranet DNS Spoofing
    • Internet DNS Spoofing
    • Proxy Server DNS Poisoning
    • DNS Cache Poisoning
    • How to Defend Against DNS Spoofing?
  • Sniffing Tool: Wireshark
    • Follow TCP Stream in Wireshark
    • Display Filters in Wireshark
    • Additional Wireshark Filters
  • Sniffing Tool: CACE Pilot
  • Sniffing Tool: Tcpdump/Windump
  • Discovery Tool: NetworkView
  • Discovery Tool: The Dude Sniffer
  • Password Sniffing Tool: Ace
  • Packet Sniffing Tool: Capsa Network Analyzer
  • OmniPeek Network Analyzer
  • Network Packet Analyzer: Observer
  • Session Capture Sniffer: NetWitness
  • Email Message Sniffer: Big-Mother
  • TCP/IP Packet Crafter: Packet Builder
  • Additional Sniffing Tools
  • How an Attacker Hacks the Network Using Sniffers?
  • How to Defend Against Sniffing?
  • Sniffing Prevention Techniques
  • How to Detect Sniffing?
  • Promiscuous Detection Tool: PromqryUI
  • Promiscuous Detection Tool: PromiScan