# Sniffing overview

Version: 1.0.2
Capturing data packets on a network using a program or a device.

## Networking concepts

### Network adapter

- Provides Wi-Fi (wireless, WLAN) and Ethernet (wired, LAN) connectivity.
- Can be a NIC (Network Interface Card): a physical card that connects to an expansion slot in a computer.
  - Modern systems usually have an integrated network adapter (e.g. on the motherboard).
- By default it discards frames that are not destined to it (its own MAC address, the broadcast address, or a multicast group it has joined).

#### Promiscuous mode

- Makes the adapter pass every frame it receives up to the operating system, whether or not the frame is addressed to it.
- Still requires the adapter to be connected to the network (on Wi-Fi, associated with an access point).

#### Monitor mode

- Allows sniffing the packets in the air without connecting (associating) with any access point.
- Wireless connections only.

## Sniffing types

### Passive sniffing

- Does not require any packets to be sent.
- Monitors and captures incoming packets.
- Used in networks that use hubs, i.e. shared Ethernet.
  - A hub forwards every frame to all ports; it is each receiving NIC that filters out frames not addressed to it, so a NIC in promiscuous mode on any port sees all the traffic.

### Active sniffing

- Requires traffic to be injected into the network: a switch uses the source and destination addresses of each frame to deliver it only to the destination's port, so a passive listener on another port does not see it.
- Used in networks that use switches, i.e. switched Ethernet.
  - A switch maps MAC addresses to ports, learning the mapping from the source address of each frame.
  - A switch operates at the data link layer (2) to forward frames to MAC addresses.
    - Some switches can also operate at the network layer (3) with additional routing functionality; these are known as layer-3 switches or multilayer switches.
- Examples:
  - Port mirroring, where each packet is also sent to a port the attacker listens on.
  - Lawful interception, where electronic surveillance of a target is authorized by a judicial or administrative order.

### Port mirroring

- Used on a network switch.
- Sends a copy of the network packets seen on one switch port (or an entire VLAN) to another port.
- Often used to feed Intrusion Detection Systems (IDS).
- Also known as a SPAN port; on Cisco systems it is commonly referred to as Switched Port Analyzer (SPAN).
- See also STP attack for an exploitation.

## Sniffer

- Packet sniffing programs.
- Designed to capture packets that contain information such as passwords, router configuration and traffic.
- Works at the data link layer (2) of the OSI model, where MAC addresses live; it may then decode the captured frames into higher-layer packets.
- Allows attackers to access the network traffic from a single point.
- Puts the network adapter into promiscuous mode or monitor mode.

## Wiretapping

- Also known as telephone tapping or wire tapping.
- Monitoring of telephone and Internet-based conversations by a third party.
- Legal wiretapping by a government agency is also called lawful interception (LI).
- Active wiretapping: alters the communication, e.g. by injecting something into it.
- Passive wiretapping: only monitors or records the traffic.
- The NSA wiretaps Internet traffic using out-of-band signaling with its tool called PRISM.
- Out-of-band vs in-band signaling:
  - In-band signaling: the signalling is sent over the same voice/data circuit as the traffic itself.
  - Out-of-band signaling: the signalling is transmitted over different channels (or frequencies) than the normal ones.

## Sniffing countermeasures

- Restrict physical access to the network media.
- Encryption is, by far, the best option: a sniffer still captures the traffic but cannot read it.
- Use Access Control Lists (ACLs) on routers/firewalls to allow only authorized devices/IP ranges.
- Permanently (statically) add the MAC address of the gateway to the ARP cache, so that a spoofed ARP reply cannot overwrite it.
- Use static IP addresses and static ARP tables.
- Use a switch instead of a hub, as a switch delivers frames only to the intended recipient (active sniffing techniques still work against switches, so this is not sufficient on its own).
- Use PGP and S/MIME, VPN, IPsec, SSL/TLS, Secure Shell (SSH) and one-time passwords (OTP).
- Retrieve the MAC address directly from the NIC instead of the OS to prevent MAC address spoofing.
- Use tools to determine if any NICs are running in promiscuous mode.
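The following is an added example (not part of the original notes) that models the hub, the learning switch and the SPAN port described under "Sniffing types" and "Port mirroring" above. The `Hub`, `Switch` and `Frame` classes, the port numbers and the MAC addresses are all invented for illustration; nothing is sent on a real network. It shows why passive sniffing works on shared Ethernet, why it stops working once a switch has learned the destination, and how a mirror port brings the traffic back.

```python
"""Toy model of frame delivery on a hub versus a learning (layer-2) switch,
with an optional SPAN (mirror) port.

Added example, not from the original notes: the classes, port numbers and MAC
addresses below are invented for illustration and nothing is sent on a real
network.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address
    payload: str


class Hub:
    """Shared Ethernet: every frame is repeated out of every other port.

    Each receiving NIC then drops frames not addressed to it, so a NIC in
    promiscuous mode on any port sees all traffic (passive sniffing)."""

    def __init__(self, ports: int) -> None:
        self.ports = ports

    def forward(self, ingress: int, frame: Frame) -> Set[int]:
        return {p for p in range(self.ports) if p != ingress}


class Switch:
    """Switched Ethernet: a MAC-to-port (CAM) table learned from source addresses."""

    def __init__(self, ports: int, span_port: Optional[int] = None) -> None:
        self.ports = ports
        self.span_port = span_port          # port that receives a copy of everything
        self.cam: Dict[str, int] = {}       # MAC address -> port it was last seen on

    def forward(self, ingress: int, frame: Frame) -> Set[int]:
        self.cam[frame.src] = ingress       # learn from the source address
        if frame.dst == BROADCAST or frame.dst not in self.cam:
            # broadcast or unknown unicast: flood to every other port
            egress = {p for p in range(self.ports) if p != ingress}
        else:
            # known unicast: only the destination's port sees the frame
            egress = {self.cam[frame.dst]} - {ingress}
        if self.span_port is not None and self.span_port != ingress:
            egress.add(self.span_port)      # port mirroring (SPAN)
        return egress


def sniffer_sees(device, ingress: int, frame: Frame, sniffer_port: int) -> bool:
    """Does a promiscuous NIC on sniffer_port receive this frame?"""
    return sniffer_port in device.forward(ingress, frame)


def demo() -> Dict[str, bool]:
    """Alice (port 0) talks to Bob (port 1); the sniffer sits on port 3."""
    alice, bob, sniffer = "02:00:00:00:00:0a", "02:00:00:00:00:0b", 3
    hello = Frame(alice, bob, "hello bob")
    reply = Frame(bob, alice, "hello alice")

    hub, switch, mirrored = Hub(4), Switch(4), Switch(4, span_port=sniffer)
    mirrored.forward(0, hello)  # let the mirrored switch learn Alice's port too
    return {
        # hub: every frame reaches every port
        "hub": sniffer_sees(hub, 0, hello, sniffer),
        # switch, first frame: Bob is unknown, so it is flooded and leaks to the sniffer
        "switch_unknown_dst": sniffer_sees(switch, 0, hello, sniffer),
        # switch, once Alice is learned: Bob's reply goes to port 0 only
        "switch_learned": sniffer_sees(switch, 1, reply, sniffer),
        # same situation with a SPAN port: the sniffer gets a copy anyway
        "switch_span": sniffer_sees(mirrored, 1, reply, sniffer),
    }


if __name__ == "__main__":
    for case, seen in demo().items():
        print(f"{case:20s} sniffer sees frame: {seen}")
```

Note the `switch_unknown_dst` case: even a switch floods frames whose destination it has not learned yet, which is the behaviour that MAC-flooding style active sniffing exploits by filling the CAM table.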
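To make the "Sniffer" section concrete, here is an added example (not code from the original notes) of the layer-2-to-layer-4 decoding a sniffer does: it takes a raw Ethernet frame, walks the IPv4 and TCP/UDP headers and pulls out the payload, then flags a cleartext `USER`/`PASS` line of the kind an attacker is looking for. `SAMPLE_FRAME`, its addresses and the FTP password in it are constructed here; `capture_live()` is the only part that touches a real network and assumes Linux, root privileges and a real interface name.

```python
"""Minimal sniffer: decode raw Ethernet frames into IPv4/TCP/UDP packets and
pick out cleartext credentials.

Added example, not from the original notes. SAMPLE_FRAME and the FTP password
in it are constructed here for offline use (checksums are left at zero).
capture_live() is the only part that touches a real network: it assumes Linux,
root privileges and an interface name, and is never called by the decoder.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, Optional

ETH_P_ALL = 0x0003      # receive every protocol on the raw socket
ETH_P_IP = 0x0800       # EtherType for IPv4
# Linux constants for switching an interface to promiscuous mode; the socket
# module only exposes them on some builds, so the raw kernel values are a fallback.
SOL_PACKET = getattr(socket, "SOL_PACKET", 263)
PACKET_ADD_MEMBERSHIP = getattr(socket, "PACKET_ADD_MEMBERSHIP", 1)
PACKET_MR_PROMISC = getattr(socket, "PACKET_MR_PROMISC", 1)


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def dissect(frame: bytes) -> Packet:
    """Layer 2 -> 3 -> 4: the 'translate frames to higher-level packets' step."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = Packet(src_mac=_mac(src), dst_mac=_mac(dst), payload=frame[14:])
    if ethertype != ETH_P_IP:
        return pkt                                   # ARP, IPv6, ...: left undecoded
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, _, proto, _, s_ip, d_ip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    pkt.src_ip, pkt.dst_ip, pkt.proto = socket.inet_ntoa(s_ip), socket.inet_ntoa(d_ip), proto
    l4 = ip[ihl:total_len]
    pkt.payload = l4
    if proto == socket.IPPROTO_TCP:
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", l4[:14])
        pkt.src_port, pkt.dst_port = sport, dport
        pkt.payload = l4[(off_flags >> 12) * 4:]     # skip header incl. TCP options
    elif proto == socket.IPPROTO_UDP:
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        pkt.src_port, pkt.dst_port, pkt.payload = sport, dport, l4[8:ulen]
    return pkt


def cleartext_credential(frame: bytes) -> Optional[str]:
    """Return a USER/PASS line sent to a cleartext service (FTP, Telnet, POP3, IMAP)."""
    pkt = dissect(frame)
    if pkt.dst_port in (21, 23, 110, 143):
        line = pkt.payload.decode("ascii", "replace").strip()
        if line.upper().startswith(("USER ", "PASS ")):
            return line
    return None


def build_tcp_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                    sport: int, dport: int, payload: bytes) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame for testing (checksums zero, not for the wire)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), ETH_P_IP)
    return eth + ip + tcp


# Constructed sample: a client logging in to an FTP server with a cleartext password.
SAMPLE_FRAME = build_tcp_frame("02:00:00:00:00:0a", "02:00:00:00:00:0b",
                               "192.0.2.10", "192.0.2.20", 51234, 21, b"PASS hunter2\r\n")


def capture_live(iface: str, count: int = 10) -> Iterator[Packet]:
    """Linux/root only: bind a raw socket to iface, enable promiscuous mode, yield packets."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((iface, 0))
    # struct packet_mreq { int mr_ifindex; u16 mr_type; u16 mr_alen; u8 mr_address[8]; }
    mreq = struct.pack("IHH8s", socket.if_nametoindex(iface), PACKET_MR_PROMISC, 0, b"\x00" * 8)
    sock.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    for _ in range(count):
        yield dissect(sock.recv(65535))


if __name__ == "__main__":
    print(dissect(SAMPLE_FRAME))
    print("credential:", cleartext_credential(SAMPLE_FRAME))
```

The same frame carrying an SSH or TLS session would decode to the same addresses and ports but an opaque payload, which is the whole point of the "encryption is the best option" countermeasure: the sniffer still gets the packets, just nothing usable from them.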
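The last countermeasure above, detecting NICs in promiscuous mode, is usually done with a crafted ARP request, the technique used by tools such as nmap's `sniffer-detect` script. The request asks for the target's IP address but is sent to an Ethernet destination no normal NIC accepts (for example `ff:ff:ff:ff:ff:fe`): a NIC in normal mode drops it in hardware, while a NIC in promiscuous mode passes it to the kernel, whose ARP code checks only the target IP and answers. The following added example (not code from the original notes) builds the probe, recognises the tell-tale reply, and, in `probe_host()`, sends it on a live interface; `build_arp_frame`, `build_probe` and `is_promisc_reply` run offline, `SAMPLE_REPLY` is constructed here, and `probe_host()` assumes Linux, root and a real interface name.

```python
"""Detect a NIC in promiscuous mode with a crafted ARP request.

Added example, not from the original notes. build_arp_frame/build_probe/
is_promisc_reply are pure and run offline; SAMPLE_REPLY is constructed here.
probe_host() assumes Linux, root and a real interface, and is never called by
the pure functions.
"""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# Bogus L2 destinations: dropped by a NIC's hardware address filter in normal
# mode, accepted in promiscuous mode. Not every OS answers all of them.
PROBE_DSTS = ("ff:ff:ff:ff:ff:fe", "01:00:00:00:00:00", "01:00:5e:00:00:00")


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_frame(dst_mac: str, src_mac: str, opcode: int, sender_mac: str,
                    sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + 28-byte ARP body (hardware type 1, protocol type IPv4)."""
    eth = struct.pack("!6s6sH", _mac(dst_mac), _mac(src_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      _mac(sender_mac), socket.inet_aton(sender_ip),
                      _mac(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def build_probe(src_mac: str, src_ip: str, target_ip: str,
                dst_mac: str = PROBE_DSTS[0]) -> bytes:
    """ARP who-has target_ip, addressed to a MAC the target's NIC should ignore."""
    return build_arp_frame(dst_mac, src_mac, ARP_REQUEST, src_mac, src_ip,
                           "00:00:00:00:00:00", target_ip)


def is_promisc_reply(frame: bytes, target_ip: str) -> bool:
    """True if frame is an ARP reply from target_ip: it answered a frame its NIC
    should have dropped, so the adapter is in promiscuous mode."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return False
    _, _, _, _, opcode, _, spa, _, _ = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return opcode == ARP_REPLY and socket.inet_ntoa(spa) == target_ip


# Constructed sample of what a promiscuous 192.0.2.50 would send back to our probe.
SAMPLE_REPLY = build_arp_frame("02:00:00:00:00:01", "02:00:00:00:00:32", ARP_REPLY,
                               "02:00:00:00:00:32", "192.0.2.50",
                               "02:00:00:00:00:01", "192.0.2.1")


def probe_host(iface: str, src_mac: str, src_ip: str, target_ip: str,
               timeout: float = 1.0) -> bool:
    """Linux/root only: send each probe and report whether target_ip replied to any."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    sock.settimeout(timeout)
    for dst in PROBE_DSTS:
        sock.send(build_probe(src_mac, src_ip, target_ip, dst))
        try:
            while True:
                if is_promisc_reply(sock.recv(65535), target_ip):
                    return True
        except socket.timeout:
            continue    # no answer to this probe; try the next destination
    return False


if __name__ == "__main__":
    print(build_probe("02:00:00:00:00:01", "192.0.2.1", "192.0.2.50").hex())
    print("sample reply flags promiscuous host:", is_promisc_reply(SAMPLE_REPLY, "192.0.2.50"))
```

Read the result with care: a reply is strong evidence of promiscuous mode only on stacks whose ARP handling ignores the Ethernet destination (Linux behaves this way; other operating systems apply their own software filters, which is why several probe addresses are tried), and the absence of a reply proves nothing, since the host may simply not respond to that particular probe.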