Version: Next

Sniffing overview

Networking concepts

Can enable Wi-Fi (wireless, WLAN) and Ethernet (wired, LAN) connection.
Can be a NIC (Network interface card)
- Physical card that connects to an expansion slot in a computer
Modern systems has usually an integrated network adapter (e.g. on motherboard).
As default it discards messages that's not destined to it
- See promiscuous mode for the opposite behavior.

Allows sniffing the packets after connecting to an access point
📝 Network interface controller pass all traffic it receives, rather than only destined ones.
Works on both wired and wireless connections
See also • libpcap | Sniffing tools • Turning on promiscuous mode | Wireshark

Allows sniffing the packets in the air without connecting (associating) with any access point.
❗ Wireless connection only

Does not require any packets to be sent
Monitors and captures incoming packets
Used in networks which use hubs i.e. shared ethernets
- A hub forwards every frame to all ports but the sources filters

Require a packet to have a source and destination addresses in order to be sent to its destination
Used in networks which use switches i.e. switched ethernets
- A switch maps MAC addresses into ports, based on source addresses
- A switch operates at data link layer (2) to forward data to MAC addresses
  - Some switches can run on network layer (3) with additional routing functionality.
    - Also known as layer-3 switches, or multilayer switches.
E.g.
- Port mirroring where each packet is also sent to a port that attacker listens to
- Lawful interception where electronic surveillance on a target is authorized by a judicial or administrative order.

Used on a network switch
Sends copy of network packets seen on one switch port (or an entire VLAN) to another port
Often used in Intrusion Detection Systems.
Also known as span port
- In Cisco system, it's commonly referred as Switched Port Analyzer (SPAN)
See also STP attack for an exploitation

Packet sniffing programs
Designed to capture packets that contain information such as passwords, router configuration, traffic.
📝 Works at data link layer (2) of the OSI model where MAC addresses work
- It may then translate frames to higher level packets.
Allows attackers to access the network traffic from a single point.
Turns the network adapter into promiscuous mode or monitor mode

Also known as telephone tapping or wire tapping
Monitoring of telephone and Internet-based conversations by a third party.
Legal wiretapping by a government agency is also called lawful interception (LI)
Active wiretapping: Alters communication by e.g. interjecting something.
Passive wiretapping: Only monitors or records the traffic.
🤗 NSA wiretaps Internet going through using out-of-band signaling with their tool called PRISM
Out-of-band vs In-band signaling
- In-Band signaling: Method where signalling is sent over the voice/data circuit.
- Out-of-band signaling: Data transmission through different channels (or frequencies) than normal ones.

Restrict the physical access to the network media
📝 Encryption is, by far, the best option.
- E.g. • SSH instead of Telnet • Secure Copy (SCP) instead of FTP • SSL for email connection • HTTPS instead of HTTP • SFTP instead of FTP • WPA2 or WPA3 for wireless traffic
- See also encrypting communication
📝 Use Access Control Lists (ACLs) on router/firewall to only allow authorized devices/IP ranges.
Permanently add the MAC address of the gateway to the ARP cache.
Use static IP addresses and static ARP tables
Use switch instead of hub as switch delivers data only to the intended recipient.
Use • PGP and S/MIPE • VPN • IPSec • SSL/TLS • Secure Shell (SSH) • One-time passwords (OTP).
Retrieve MAC directly from NIC instead of OS to prevent MAC address spoofing.
Use tools to determine if any NICs are running in the promiscuous mode.