In this article you will learn about network sniffing, passive sniffing, active sniffing and the different types of sniffing techniques. We will also walk through a scenario showing how an attacker hacks a network using sniffers.
What is a sniffer in hacking?
This section describes network sniffing and its threats, how a sniffer works, active and passive sniffing, how an attacker hacks a network using sniffers, protocols susceptible to sniffing, sniffing within the data link layer of the OSI model, hardware protocol analyzers, SPAN ports, wiretapping, and lawful interception.
Packet sniffing is the process of monitoring and capturing all data packets passing through a given network by using a software application or a hardware device. Sniffing is simple in hub-based networks, because the traffic on a segment passes through all the hosts connected to that segment. However, most networks today run on switches. A switch is a more sophisticated networking device: the main difference between a hub and a switch is that a hub transmits line data to every port on the device and keeps no line mapping, whereas a switch looks at the Media Access Control (MAC) address attached to each frame passing through it and sends the data only to the port that address belongs to. A MAC address is a hardware address that uniquely identifies each node of a network.
An attacker must manipulate the functionality of the switch in order to see all the traffic passing through it. A packet sniffing program (also known as an IP sniffer) can capture data packets only from within a given subnet, which means it cannot sniff packets from another network. Often, any laptop can plug into a network and gain access to it, because many enterprises' switch ports are left open. A packet sniffer placed on a network in promiscuous mode can capture and analyze all of the network traffic. Sniffing programs turn off the filter employed by Ethernet network interface cards (NICs) to stop the host machine from seeing other stations' traffic; thus, sniffing programs can see everyone's traffic.
Though most networks today employ switch technology, packet sniffing remains useful, because installing remote sniffing programs on network components with heavy traffic flows, such as servers and routers, is comparatively easy. It allows an attacker to watch and access the whole network's traffic from one point. Packet sniffers can capture data packets containing sensitive information such as passwords, account information, syslog traffic, router configuration, DNS traffic, email traffic, web traffic, chat sessions, FTP passwords, etc. It allows an attacker to read passwords in clear text, the actual emails, credit card numbers, financial transactions, etc. It also allows an attacker to sniff SMTP, POP, IMAP, HTTP Basic, Telnet authentication, SQL database, SMB, NFS, and FTP traffic. An attacker can gain a lot of data by reading captured packets and then use that information to break into the network. An attacker carries out more effective attacks by combining these techniques with active transmission. You can learn more about network sniffing in practice by becoming an EC-Council Certified Ethical Hacker with Infosavvy, Mumbai.
“The science of today is the Technology of Tomorrow”
The following diagram depicts an attacker sniffing the data packets exchanged between two legitimate network users:
How do WIFI sniffers work?
The most common way of networking computers is through Ethernet. A computer connected to a local area network (LAN) has two addresses: a MAC address and an Internet Protocol (IP) address. A MAC address uniquely identifies each node in a network and is stored on the NIC itself. The Ethernet protocol uses the MAC address to transfer data to and from a system while building data frames. The Data Link Layer of the OSI model uses an Ethernet header with the MAC address of the destination machine rather than its IP address. The Network Layer is responsible for mapping IP network addresses to MAC addresses as required by the Data Link protocol. It first looks for the MAC address of the destination machine in a table, usually called the ARP cache. If there is no entry for the IP address, an ARP request packet is broadcast to all machines on the local sub-network. The machine with that particular IP address responds to the source machine with its MAC address, and the source machine's ARP cache adds this MAC address to its table. In all its further communications with the destination machine, the source machine then uses this MAC address.
There are two basic types of Ethernet environments, and sniffers work differently in each. The two types of Ethernet environments are shared Ethernet and switched Ethernet.
In a shared Ethernet environment, one bus connects all the hosts, which compete for bandwidth. In this environment, all the other machines receive the packets meant for one machine. Thus, when machine 1 wants to talk to machine 2, it sends a packet out on the network with the destination MAC address of machine 2, together with its own source MAC address. The other machines on the shared Ethernet (machine 3 and machine 4) compare the frame's destination MAC address with their own and discard the non-matching frame. However, a machine running a sniffer ignores this rule and accepts all the frames. Sniffing in a shared Ethernet environment is passive and hence difficult to detect.
In a switched Ethernet environment, the hosts connect to a switch rather than a hub. The switch maintains a table that tracks each computer's MAC address and the physical port on which that MAC address is connected, and delivers packets destined for a specific machine to that port only. The switch is a device that sends packets to the destined computer only and does not broadcast them to all the computers on the network. This leads to far better utilization of the available bandwidth and improved security. Hence, the method of putting a machine's NIC into promiscuous mode to collect packets does not work. As a result, many people think that switched networks are totally secure and immune to sniffing. However, this is not true.
Though a switch is safer than a hub, sniffing the network is still feasible using the following methods:
ARP spoofing: ARP is stateless. A machine can send an ARP reply even without being asked for it, and the recipient accepts such a reply. When a machine wants to sniff the traffic originating from another system, it can ARP spoof the gateway of the network, so that the ARP cache of the target machine holds a wrong entry for the gateway. In this way, all the traffic destined to go through the gateway will now pass through the machine that spoofed the gateway's MAC address.
MAC flooding: Switches keep a translation table that maps MAC addresses to the physical ports on the switch. As a result, they can intelligently forward packets from one host to another. However, switches have limited memory. MAC flooding makes use of this limitation to bombard a switch with fake MAC addresses until it cannot keep up. Once this happens, the switch enters fail-open mode, in which it starts acting as a hub by broadcasting packets to all the ports on the switch. Once that happens, it becomes easy to perform sniffing. macof is a utility that comes with the dsniff suite and helps the attacker perform MAC flooding.
Once a switch turns into a hub, it starts broadcasting all packets it receives to all the computers on the network. By default, promiscuous mode is turned off on network machines, so the NIC accepts only those packets that are addressed to the user's machine and discards the packets sent to other machines. A sniffer switches the NIC of a system into promiscuous mode so that it listens to all the data transmitted on its segment. A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in the data packets. Attackers configure the NIC on their machines to run in promiscuous mode so that the card starts accepting all packets. In this way, the attacker can view all the packets being transmitted on the network.
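To make the hub, switch and promiscuous-NIC behaviour described above concrete, here is a small Python model. It is an added example, not code from the original article: a hub that repeats every frame, a learning switch with a bounded CAM table that evicts its oldest entry when full (the fail-open behaviour MAC flooding relies on), and a NIC whose hardware filter can be turned off. It also adds a per-port MAC limit, the port-security control that stops the table exhaustion, which the article itself does not cover. All MAC addresses and the table sizes are constructed values.

```python
"""Model of frame delivery on a hub, on a learning switch, and on a switch
whose CAM table has been exhausted, with a per-port MAC limit (port
security) as the mitigation. Added example, not code from the original
article; every MAC address and table size here is a constructed value."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str


@dataclass
class Nic:
    """End station. In promiscuous mode the hardware filter is off and every
    frame that reaches the wire is kept; otherwise only frames for this MAC
    or the broadcast address are kept."""
    mac: str
    promiscuous: bool = False
    seen: list = field(default_factory=list)

    def receive(self, frame: Frame) -> None:
        if self.promiscuous or frame.dst in (self.mac, BROADCAST):
            self.seen.append(frame)


class Hub:
    """Shared Ethernet: every frame is repeated to every other port."""

    def __init__(self) -> None:
        self.ports: dict[int, Nic] = {}

    def connect(self, port: int, nic: Nic) -> None:
        self.ports[port] = nic

    def forward(self, in_port: int, frame: Frame) -> None:
        for port, nic in self.ports.items():
            if port != in_port:
                nic.receive(frame)


class Switch(Hub):
    """Learning switch with a bounded CAM (MAC -> port) table.

    cam_size: entries the table holds; when full, the oldest entry is evicted,
        which is what lets a flood of bogus source MACs push legitimate hosts
        out (the fail-open behaviour described in the article).
    max_macs_per_port: port-security limit, 0 = off. A port that sources more
        MACs than allowed is err-disabled and its frames are dropped.
    """

    def __init__(self, cam_size: int, max_macs_per_port: int = 0) -> None:
        super().__init__()
        self.cam: dict[str, int] = {}
        self.cam_size = cam_size
        self.max_macs_per_port = max_macs_per_port
        self.disabled_ports: set[int] = set()

    def _learn(self, in_port: int, src: str) -> bool:
        """Record src on in_port; return False if the frame must be dropped."""
        if in_port in self.disabled_ports:
            return False
        if src in self.cam:
            self.cam[src] = in_port
            return True
        if self.max_macs_per_port:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if on_port >= self.max_macs_per_port:
                self.disabled_ports.add(in_port)   # port security trips
                return False
        if len(self.cam) >= self.cam_size:
            del self.cam[next(iter(self.cam))]     # FIFO stand-in for aging
        self.cam[src] = in_port
        return True

    def forward(self, in_port: int, frame: Frame) -> None:
        if not self._learn(in_port, frame.src):
            return
        out_port = self.cam.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            # unknown destination: flood to every live port, like a hub
            for port, nic in self.ports.items():
                if port != in_port and port not in self.disabled_ports:
                    nic.receive(frame)
        else:
            self.ports[out_port].receive(frame)


# constructed addresses from the IANA documentation MAC range
M1, M2, M3, SNIFFER = ("00:00:5e:00:53:01", "00:00:5e:00:53:02",
                       "00:00:5e:00:53:03", "00:00:5e:00:53:04")


def hub_demo() -> dict[str, int]:
    """Shared Ethernet: the promiscuous station sees m1 -> m2 although m3,
    a normal station on the same hub, discards it."""
    hub = Hub()
    m2, m3, sniffer = Nic(M2), Nic(M3), Nic(SNIFFER, promiscuous=True)
    for port, nic in [(1, Nic(M1)), (2, m2), (3, m3), (4, sniffer)]:
        hub.connect(port, nic)
    hub.forward(1, Frame(M1, M2, "hello"))
    return {"m2": len(m2.seen), "m3": len(m3.seen), "sniffer": len(sniffer.seen)}


def switch_demo(cam_size: int, bogus_macs: int,
                max_macs_per_port: int = 0) -> dict[str, object]:
    """Switched Ethernet. After m1 and m2 are learned, port 4 sources
    `bogus_macs` distinct MACs (the MAC-flooding pattern). Without port
    security the legitimate entries are evicted and the later m1 -> m2 frame
    is flooded to the promiscuous station; with it, port 4 is shut down."""
    sw = Switch(cam_size, max_macs_per_port)
    m2, sniffer = Nic(M2), Nic(SNIFFER, promiscuous=True)
    for port, nic in [(1, Nic(M1)), (2, m2), (4, sniffer)]:
        sw.connect(port, nic)
    sw.forward(1, Frame(M1, M2, "hello"))   # m2 not yet learned: flooded
    sw.forward(2, Frame(M2, M1, "hi"))      # m1 known: unicast only
    for i in range(bogus_macs):
        bogus = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"   # constructed
        sw.forward(4, Frame(bogus, "02:00:00:ff:ff:ff", "noise"))
    sw.forward(1, Frame(M1, M2, "secret"))
    return {
        "secret_leaked": any(f.payload == "secret" for f in sniffer.seen),
        "m2_got_secret": any(f.payload == "secret" for f in m2.seen),
        "cam_entries": len(sw.cam),
        "port4_disabled": 4 in sw.disabled_ports,
    }
```

Running `switch_demo(8, 0)` shows the isolation a switch gives: the "secret" frame reaches only m2. `switch_demo(8, 20)` shows the fail-open case, where twenty bogus source MACs push m1 and m2 out of an eight-entry table and the same frame is flooded to the promiscuous station. `switch_demo(8, 20, max_macs_per_port=2)` shows the mitigation: port 4 is err-disabled after its third source MAC and the CAM table is never exhausted.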
Types of Sniffing
Attackers run sniffers to switch the host system's NIC to promiscuous mode. As discussed earlier, a NIC in promiscuous mode can then capture all the packets on that network.
There are two types of sniffing, each used for a different kind of network. The two types are:
- Passive sniffing
- Active sniffing
Passive sniffing involves sending no packets; it just captures and monitors the packets flowing in the network. A packet sniffer alone is not preferred for an attack because it works only in a common collision domain. A common collision domain is the part of the network that is not switched or bridged (i.e., connected through a hub), so common collision domains are present in hub environments. A network that uses hubs to connect systems is attacked with passive sniffing. In such networks, all hosts can see all the traffic; hence it is easy to capture traffic passing through the hub by passive sniffing.
Attackers use the following passive sniffing methods to gain control over the target network:
- Compromising the physical security: An attacker who succeeds in compromising the physical security of the target organization can walk into the organization with a laptop, try to plug into the network, and capture sensitive information about the organization.
- Using a Trojan horse: Most Trojans have built-in sniffing capability. An attacker can install Trojans with built-in sniffing capabilities on a victim's machine to compromise it. After compromising the victim's machine, the attacker can install a packet sniffer and perform sniffing.
Most modern networks use switches rather than hubs. A switch eliminates the risk of passive sniffing. However, a switch is still susceptible to active sniffing.
Note: Passive sniffing provides significant stealth advantages over active sniffing.
Active sniffing searches for traffic on a switched LAN by actively injecting traffic into the LAN. Active sniffing also refers to sniffing through a switch. In a switched Ethernet, the switch does not transmit information to all the systems connected to the LAN as a hub-based network does, so a passive sniffer is unable to sniff data on a switched network. Active sniffer programs are easy to detect, and this kind of sniffing is far harder to perform.
Switches examine data packets for source and destination addresses, and then transmit them to the appropriate destination. Therefore, it is cumbersome to sniff on switches. However, attackers can actively inject ARP traffic into a LAN to sniff around a switched network and capture the traffic. Switches maintain their own ARP cache in a Content Addressable Memory (CAM) table. CAM is a special type of memory that keeps a record of which host is connected to which port. A sniffer takes all the information visible on the network and records it for future review; an attacker can see all the information in the packet, including data that ought to remain hidden.
To summarize the types of sniffing: passive sniffing does not send any packets; it only monitors the packets sent by others. Active sniffing involves sending out multiple network probes to identify access points.
What are the types of sniffing techniques?
The following is the list of the various active sniffing techniques:
- MAC flooding
- DNS poisoning
- ARP poisoning
- DHCP attacks
- Switch port stealing
- Spoofing attack
Learn more about sniffing techniques in CEH from Infosavvy, Mumbai.
“In the very near future, cyber security exercises are going to be absolutely expected of all companies by regulators.”
– Michael Vatis
How Does an Attacker Hack the Network Using Sniffers?
Attackers use sniffing tools to sniff packets and monitor network traffic on the target network. The steps an attacker follows to make use of sniffers to hack a network are illustrated below.
Step 1: An attacker who decides to hack a network first discovers the appropriate switch to access the network and connects a system to one of the ports on the switch.
Step 2: An attacker who succeeds in connecting to the network tries to determine network information, such as the topology of the network, by using network discovery tools.
Step 3: By analyzing the topology, the attacker identifies the victim's machine to target in the attack.
Step 4: An attacker who has identified a target machine uses ARP spoofing techniques to send fake (spoofed) Address Resolution Protocol (ARP) messages.
Step 5: The previous step helps the attacker divert all the traffic from the victim's computer to the attacker's computer. This is a typical man-in-the-middle (MITM) type of attack.
Step 6: Now the attacker can see all the data packets sent and received by the victim, and can extract sensitive information from them, such as passwords, usernames, card details, PINs, etc.
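Steps 4 and 5 are the ARP spoofing that redirects the victim's traffic, and it is also the point where a defender can catch the attack. The following Python monitor is an added example, not code from the original article, of the check a network monitor on a SPAN or mirror port performs (the approach tools such as arpwatch take): it decodes Ethernet/ARP frames, tracks which MAC each IP address is claimed by, and raises an alert when a reply arrives that nobody asked for and, more reliably, when an IP-to-MAC binding changes, rating a change for the gateway address highest. The frame encoder exists only to build the constructed sample capture; all addresses come from documentation ranges and are assumptions, not values from the article.

```python
"""ARP monitor: parses Ethernet/ARP frames and flags the IP-to-MAC binding
changes and unsolicited replies that ARP spoofing of a gateway produces.
Added example, not from the original article; every address is constructed
(RFC 5737 IPv4 and IANA documentation MAC ranges)."""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Decode an Ethernet II frame; None unless it is IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack_from("!6s4s6s4s", frame, 22)
    return ArpFrame(op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def make_arp(op: int, sender_mac: str, sender_ip: str,
             target_mac: str, target_ip: str) -> bytes:
    """Encoder used only to build the constructed sample capture below."""
    mac_b = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip_b = lambda s: bytes(int(x) for x in s.split("."))
    eth_dst = mac_b(target_mac) if op == ARP_REPLY else b"\xff" * 6
    return (eth_dst + mac_b(sender_mac) + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_b(sender_mac) + ip_b(sender_ip)
            + mac_b(target_mac) + ip_b(target_ip))


class ArpMonitor:
    """Passive observer of ARP on a segment (fed from a SPAN/mirror port)."""

    def __init__(self, gateway_ip: str) -> None:
        self.gateway_ip = gateway_ip
        self.bindings: dict[str, str] = {}   # ip -> mac last seen claiming it
        self.pending: set[str] = set()        # ips with an outstanding request
        self.alerts: list[str] = []

    def observe(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        if arp is None:
            return
        if arp.op == ARP_REQUEST:
            self.pending.add(arp.target_ip)
            self._check_binding(arp.sender_ip, arp.sender_mac)
        elif arp.op == ARP_REPLY:
            if arp.sender_ip in self.pending:
                self.pending.discard(arp.sender_ip)
            else:
                # Gratuitous ARP is legitimate, so this alone is low confidence;
                # the binding change below is the strong signal.
                self.alerts.append(
                    f"unsolicited reply: {arp.sender_ip} is-at {arp.sender_mac}")
            self._check_binding(arp.sender_ip, arp.sender_mac)

    def _check_binding(self, ip: str, mac: str) -> None:
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            sev = "HIGH" if ip == self.gateway_ip else "MEDIUM"
            self.alerts.append(f"[{sev}] {ip} changed from {old} to {mac}")
        self.bindings[ip] = mac


# constructed addresses (assumptions, not from the article)
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:00:5e:00:53:01"
VICTIM_IP, VICTIM_MAC = "192.0.2.10", "00:00:5e:00:53:0a"
ROGUE_MAC = "00:00:5e:00:53:ff"

SAMPLE_CAPTURE = [
    # legitimate resolution: victim asks for the gateway, gateway answers
    make_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    make_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # a third station answers for the gateway without being asked (Step 4)
    make_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # and claims the victim's address towards the gateway (the other MITM half)
    make_arp(ARP_REPLY, ROGUE_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
]


def run_sample() -> list[str]:
    """Feed the constructed capture to the monitor and return its alerts."""
    mon = ArpMonitor(GATEWAY_IP)
    for frame in SAMPLE_CAPTURE:
        mon.observe(frame)
    return mon.alerts
```

On the sample capture the monitor stays quiet for the legitimate request/reply pair and produces four alerts for the two spoofed replies: an unsolicited-reply notice and a HIGH binding change for the gateway, then the same pair at MEDIUM for the victim's address. In a deployment the bindings table would be seeded from DHCP leases or a known-good inventory so the very first claim for the gateway is also checked, and a switch feature such as Dynamic ARP Inspection can drop the spoofed replies rather than just report them.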
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com