In this post, I will talk about various techniques used to sniff traffic across a network. In order to fully understand this chapter, I would recommend that you spend some time reading about how TCP/IP works. Most of the techniques we will discuss work only on the local area network and not across the Internet, so the target needs to be on the same local area network for our attacks to work. These attacks are really helpful when you are performing internal penetration tests. The only way to make them work remotely is by compromising a host remotely and then using that compromised host to sniff traffic on its local network.
Sniffing can be performed on both wired and wireless networks. Wired networks are what we will discuss in this chapter.
The main goal of this post is to familiarize the reader with the following topics:
1. Hubs and switches and how they distribute traffic
2. ARP protocol flaws
3. Different types of man-in-the-middle (MITM) attacks
4. Different tools that can be used to sniff traffic
5. DNS spoofing by using an MITM attack
INTRODUCTION
Network sniffing, aka eavesdropping, is a type of attack where an attacker captures the packets across a wire or over the air (wireless connection). The main goal is to capture unencrypted credentials across the network. The common target protocols include FTP, HTTP, and SMTP.
The best way to protect against sniffing attacks is to use protocols that support encrypted communication. Therefore, even if an attacker is able to capture the traffic, he will not be able to use it as it would be encrypted. However, with extra effort, we can also sniff traffic from protocols that use encrypted communications.
TYPES OF SNIFFING
Sniffing can be primarily divided into two main categories:
1. Active sniffing
2. Passive sniffing
ACTIVE SNIFFING
Active sniffing is where we directly interact with our target machine by sending packets and requests. ARP spoofing and MAC flooding are common examples. Active sniffing is what we will focus on most.
PASSIVE SNIFFING
In passive sniffing, the attacker does not interact with the target. They just sit on the network and capture the packets sent and received on it. This happens in the case of hub-based networks or wireless networks, which we will discuss below.
HUBS VERSUS SWITCHES
In order to fully understand how sniffing works, you need to understand the difference between hub-based and switch-based networks. Hubs operate on the physical layer (Layer 1) of the OSI model, whereas switches operate on Layer 2, and almost all modern networks are switch-based.

Let’s assume that this topology runs on a hub-based network and that “Host A” would like to communicate with “Host B.” It will forward the traffic to the hub. A hub is designed in such a way that it broadcasts all the traffic, meaning that it will forward the traffic to all the hosts on the network. Since the IP header contains the destination address of “Host B,” any other device receiving the frames will drop them. The technical flaw in this design is that a lot of bandwidth is wasted and broadcast storms are created. The security flaw in the design is that an attacker could run a sniffer to capture all the traffic that arrives at his computer, since the traffic is broadcast on a hub-based network.
To mitigate this issue, the switch was introduced. A switch is a smarter device because, unlike a hub, it does not broadcast the traffic to every host on the network; it will forward the frames only to the host the traffic is destined for. The switch uses the ARP protocol to perform this job. We will talk about ARP and its security flaws in the following sections.
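To make the hub-versus-switch difference concrete, here is a small simulation I added for this post (it is not code from the original post or from any tool it mentions). Hosts, MAC addresses and port numbers are constructed. The hub repeats every frame out of every other port; the switch is modelled with a forwarding table keyed by MAC address that it learns from the source address of each frame, so a passive listener on a third port sees everything on the hub but only the initial flooded frame on the switch.

```python
"""Toy model of frame delivery on a hub versus a learning switch.

Added example, not from the original post. Hosts, MAC addresses and port
numbers below are constructed for illustration.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address
    payload: str


class Hub:
    """Layer-1 repeater: every frame goes out every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return [p for p in self.ports if p != in_port]


class Switch:
    """Layer-2 learning switch: remembers which port each source MAC was seen on
    and delivers unicast frames only to that port. Unknown destinations and
    broadcasts are flooded, which is exactly what a hub does for every frame."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # MAC address -> port

    def forward(self, in_port, frame):
        self.table[frame.src] = in_port                        # learn where the sender lives
        if frame.dst == BROADCAST or frame.dst not in self.table:
            return [p for p in self.ports if p != in_port]     # flood
        out = self.table[frame.dst]
        return [] if out == in_port else [out]


def ports_seen_by(device, exchange):
    """Run a list of (in_port, frame) through a device and return, per port,
    the payloads delivered there. Used to compare what a passive listener sees."""
    seen = {p: [] for p in device.ports}
    for in_port, frame in exchange:
        for p in device.forward(in_port, frame):
            seen[p].append(frame.payload)
    return seen


# Constructed topology: Host A on port 1, Host B on port 2, passive listener on port 3.
MAC_A, MAC_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
EXCHANGE = [
    (1, Frame(MAC_A, MAC_B, "A->B hello")),   # B's port unknown yet: switch floods
    (2, Frame(MAC_B, MAC_A, "B->A reply")),   # A already learned: switch unicasts to port 1
    (1, Frame(MAC_A, MAC_B, "A->B secret")),  # both learned: the listener sees nothing
]


def listener_view(device_cls):
    """Payloads that reach the listener on port 3 for the given device type."""
    return ports_seen_by(device_cls([1, 2, 3]), EXCHANGE)[3]


if __name__ == "__main__":
    print("hub, port 3 sees:   ", listener_view(Hub))
    print("switch, port 3 sees:", listener_view(Switch))
```

The one frame the listener still sees on the switch is the unknown-unicast flood before the table has an entry for Host B; once both hosts have been learned, nothing addressed between them is delivered to port 3, which is why passive sniffing alone does not work on a switched network.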
PROMISCUOUS VERSUS NONPROMISCUOUS MODE
Before we try to sniff traffic on a network, we need to understand the difference between promiscuous mode and nonpromiscuous mode, which are modes of our network card. By default, our network card is in nonpromiscuous mode, in which we will be able to capture only the traffic that is destined for our computer. However, we can switch our network card to promiscuous mode, which will allow us to capture traffic that is not destined for our computer. So rule number 1 for sniffing is that all the network cards should be in promiscuous mode.
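Because a card in promiscuous mode is also the first thing a defender looks for when hunting for a sniffer, here is an added check (my code, not from the original post) for Linux hosts. It reads the kernel's interface flags from sysfs, where IFF_PROMISC is the 0x100 bit defined in linux/if.h, and can also parse the flag list printed by `ip link show`. The sample flag values and `ip link` lines are constructed.

```python
"""Check whether a Linux network interface is in promiscuous mode.

Added example, not from the original post. IFF_PROMISC = 0x100 comes from
<linux/if.h>; /sys/class/net/<if>/flags exposes the interface flags as hex.
Sample values and `ip link` lines below are constructed.
"""
import re
from pathlib import Path

IFF_PROMISC = 0x100  # linux/if.h


def promisc_from_flags(flags_hex: str) -> bool:
    """flags_hex is the text of /sys/class/net/<if>/flags, e.g. '0x1103'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def promisc_from_ip_link(line: str) -> bool:
    """Parse one `ip link show` header line and test for the PROMISC flag."""
    m = re.search(r"<([A-Z_,-]*)>", line)
    if not m:
        raise ValueError("no flag list found in: %r" % line)
    return "PROMISC" in m.group(1).split(",")


def check_interface(ifname: str, sysfs_root: str = "/sys/class/net") -> bool:
    """Live check on this host; raises FileNotFoundError if the interface is absent."""
    return promisc_from_flags(Path(sysfs_root, ifname, "flags").read_text())


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net"):
    """Names of every interface on this host currently in promiscuous mode."""
    found = []
    for entry in sorted(Path(sysfs_root).iterdir()):
        flags = entry / "flags"
        if flags.exists() and promisc_from_flags(flags.read_text()):
            found.append(entry.name)
    return found


# Constructed samples in the format `ip link show` prints.
SAMPLE_IP_LINK = [
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP",
    "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP",
]

if __name__ == "__main__":
    for line in SAMPLE_IP_LINK:
        name = line.split(":")[1].strip()
        print(name, "PROMISC" if promisc_from_ip_link(line) else "normal")
    print("promiscuous interfaces on this host:", promiscuous_interfaces())
```

Run it periodically or from a host-monitoring agent; a second, independent signal on Linux is the kernel log line "device eth0 entered promiscuous mode", which appears whenever a capture tool switches a card into this mode.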
MITM ATTACKS

The idea behind a MITM attack is that the attacker places himself in the middle of the communication between a client and a server. Therefore, any communication that is being performed between a client and a server will be captured by the attacker.
Once an attacker successfully becomes the man in the middle, he can perform many attacks on the target network, such as capturing all the traffic, denial of service attacks, DNS spoofing, and session hijacking, to name a few.
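On a switched LAN the attacker usually takes this position with the ARP spoofing mentioned earlier, and the footprint it leaves is visible in every host's ARP cache. The following added example (my code, not from the original post or any of the tools it lists) reads two snapshots of `ip neigh show` output and flags the two classic symptoms: one MAC address answering for several IPs, and the MAC of a watched address such as the default gateway changing between snapshots. The addresses and snapshots are constructed.

```python
"""Spot signs of an ARP-based man in the middle from `ip neigh` snapshots.

Added example, not from the original post. Two heuristics:
  1. the same MAC claims more than one IP in a single snapshot, which is what
     happens when one host answers for both the gateway and a victim;
  2. the MAC recorded for a known address changes between snapshots.
All addresses below are constructed.
"""
import re
from collections import defaultdict

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})\s+(?P<state>\S+)"
)


def parse_neigh(text):
    """Parse `ip neigh show` output into {ip: mac}; entries without an lladdr
    (FAILED / INCOMPLETE) carry no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def shared_macs(table):
    """MAC addresses that appear under more than one IP in one snapshot."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_macs(before, after):
    """IPs whose MAC differs between two snapshots: {ip: (old, new)}."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}


def alerts(before, after, watch=()):
    """Human-readable findings. `watch` lists addresses (e.g. the default
    gateway) whose MAC should never change in normal operation."""
    out = []
    for mac, ips in shared_macs(after).items():
        out.append(f"{mac} answers for several IPs: {', '.join(ips)}")
    for ip, (old, new) in changed_macs(before, after).items():
        tag = "WATCHED " if ip in watch else ""
        out.append(f"{tag}{ip} moved from {old} to {new}")
    return out


# Constructed snapshots: the gateway 192.168.1.1 legitimately sits at ...:01.
BEFORE = """\
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr 02:00:00:00:00:20 STALE
192.168.1.30 dev eth0 lladdr 02:00:00:00:00:30 STALE
"""
AFTER = """\
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:30 REACHABLE
192.168.1.20 dev eth0 lladdr 02:00:00:00:00:20 STALE
192.168.1.30 dev eth0 lladdr 02:00:00:00:00:30 REACHABLE
192.168.1.40 dev eth0  FAILED
"""

if __name__ == "__main__":
    for finding in alerts(parse_neigh(BEFORE), parse_neigh(AFTER), watch={"192.168.1.1"}):
        print("ALERT:", finding)
```

A MAC change by itself can be benign (a replaced router, DHCP handing an address to a new device), so the shared-MAC check is the stronger of the two signals; static ARP entries for the gateway and dynamic ARP inspection on the switch remove the condition rather than merely detecting it.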