Sniffing is the process of monitoring and capturing all data packets passing through a given network. It is a form of wiretapping applied to computer networks. Data packets can be sniffed with tools like Wireshark. Any protocol that does not encrypt its data is vulnerable to sniffing attacks. Attackers use sniffers to capture data packets containing sensitive information such as passwords and account details.
Sniffers work at the data link layer of the OSI model. If this lower layer is compromised, the layers above it are compromised as well.
A sniffer is a software tool that monitors the data flowing through computer network links in real time. It can be a self-contained software program or a hardware device with the appropriate software or firmware to perform sniffing.
Sniffers can capture copies of data packets without redirecting or altering them. Some sniffers work only with TCP/IP packets, but more sophisticated tools can handle many other network protocols and lower layers, including Ethernet frames.
Sniffing is classified into two types based on how the sniffer interacts with the data packets it captures and whether it gives the user the ability to alter them.
Active sniffing involves injecting Address Resolution Protocol (ARP) packets into the network to modify the Content Addressable Memory (CAM) table that resides in the switch; the CAM table keeps track of which host is connected to which port on the switched network.
Passive sniffing involves simply listening to and capturing traffic in a network connected by hubs.
Protocol and default port reference:
Protocol – Port | Protocol – Port |
HTTP – 80 | FTP – 20/21 |
POP3 – 110 | SMTP – 25 |
RDP – 3389 | SSH – 22 |
NTP – 123 | Telnet – 23 |
IMAP – 123 | SNMP – 25 |
Port mirroring is used by the network switch to send a copy of all network traffic to the SPAN port on the switch. This is commonly used for monitoring network traffic by system administrators to detect suspicious activities in the network.
Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given network layer address. This mapping is a critical function in the Internet Protocol suite. ARP is communicated within the boundaries of a single network and is never routed across internetworking nodes. It uses a simple message format containing one address resolution request or response. The size of the ARP message depends on the link layer and network layer address sizes.
In computer networking, ARP spoofing is a technique by which an attacker sends spoofed ARP messages onto a local area network. Generally, the aim is to associate the attacker’s MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.
ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often this attack leads to other attacks, such as Denial of service (DoS), Man in the middle (MITM), or Session hijacking attacks.
DNS spoofing is a technique of introducing corrupt Domain Name System details into the DNS resolver cache, causing the name server to return an incorrect result record. This results in traffic being diverted to the attacker's computer.
The Domain Name System translates human-readable domain names into numerical IP addresses that are used to route communications between nodes. If a DNS server is poisoned, it returns an incorrect IP address that diverts the traffic to another computer.
A Man in the Middle attack is one where an attacker positions themselves in a conversation between a user and an application, either to eavesdrop or to impersonate one of the parties so that the conversation appears normal. The attacker tries to steal personal information such as login credentials, account details, and credit card numbers. Information obtained during such attacks can be used to perform identity theft, unapproved fund transfers, or an illicit password change.
Countermeasure: use tools to determine whether any NICs are running in promiscuous mode.
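As an added defender-side example (not part of these notes), the following arpwatch-style monitor walks a constructed tcpdump-style ARP capture and flags the IP-to-MAC rebinding that the ARP spoofing described above produces, plus a single MAC claiming several IPs; the capture format and the gateway address are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample capture in a tcpdump-like text format (assumed format,
# not output from the original notes). The last two replies are the kind of
# rebinding an ARP spoofing attempt on the gateway and a host would produce.
SAMPLE_CAPTURE = """\
12:00:01 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:02 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
12:00:05 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:09 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:10 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
"""

REPLY_RE = re.compile(
    r"(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line in the capture."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_spoofing(text, gateway_ip=None):
    """Return alerts for IP->MAC changes and for one MAC claiming many IPs.

    The first MAC seen for an IP is kept as the baseline (like arpwatch), so
    every later reply that disagrees with it is reported, not just the first.
    """
    ip_to_mac = {}                 # learned baseline: ip -> first MAC seen
    mac_to_ips = defaultdict(set)  # which IPs each MAC has claimed
    alerts = []
    for ts, ip, mac in parse_replies(text):
        mac_to_ips[mac].add(ip)
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            scope = "gateway" if ip == gateway_ip else "host"
            alerts.append((ts, f"{scope} {ip} changed {known} -> {mac}"))
        if len(mac_to_ips[mac]) > 1:
            claimed = sorted(mac_to_ips[mac])
            alerts.append((ts, f"{mac} claims multiple IPs: {claimed}"))
    return alerts
```

On a live network the same logic can be fed from a periodic dump of the local ARP cache instead of a capture file.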