Sniffing
What is sniffing?
Sniffing is simply the art of capturing packets as they pass on a wire to review for interesting information
A sniffer is the tool used to accomplish this and it needs your NIC to run in promiscuous mode
Tools
Wireshark
Ettercap
EtherPeek
Snort
Important items regarding the process of sniffing
State of the NIC
Medium you are connected to
Tool you are running
What is a MAC (Media Access Control) address?
A unique identifier assigned to a NIC for communications at the Data Link Layer of a network segment
It is 48 bits long
Broadcast and multicast messages inside a network have their own MAC addresses
What are collision domains?
Collision domains are composed of all the machines sharing any given transport medium
Hubs share the same collision domain
Switches split collision domains so each system connected to the switch is in its own little collision domain
What is ARP?
Address Resolution Protocol resolves IP addresses to MAC addresses
Gratuitous ARP
is a special packet that updates the ARP cache of other systems before they even ask for it.
It can be used for identity theft: send one with a spoofed MAC address and you receive packets meant for someone else.
What are the differences between active and passive sniffing?
Active sniffing
involves injecting something into the communication
requires either packet injection or manipulation
SPAN port (port mirroring) - required in a switch configuration to send a copy of all frames from one port or a group of ports to another
Passive sniffing
only monitors and records the data
only works if your NIC is part of the same collision domain as the target
PRISM (Planning Tool for Resource Integration, Synchronization, and Management) is the data tool used to collect foreign intelligence passing through government resources
Sniffing Tools and Techniques
- What is MAC flooding?
MAC flooding
confuses the switch so badly that it simply goes bonkers and sends all messages to all ports
it is achieved by sending so many MAC addresses that the CAM table can't keep up, effectively turning the switch into a hub.
Switches store MAC addresses in the Content Addressable Memory (CAM) table; if it is empty or full, everything is sent to all ports
Sometimes called switch port stealing:
flood the CAM with unsolicited ARPs
instead of filling the table you only want to update the information about a specific port, causing a "race condition" where the switch keeps flipping back and forth between the bad MAC and the real one.
- What is ARP poisoning?
The process of maliciously changing an ARP cache on a machine to inject faulty entries.
ARP considerations
ARP is a broadcast protocol
ARP entries need updating frequently to maintain your control; you will need to have your fake entry updated before any real update comes past
ARP poisoning can trigger alerts quickly
Speed always wins
ARP Poisoning Tools
Cain and Abel
WinArpAttacker
Ufasoft
dsniff
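The cache changes described above (a gratuitous ARP rebinding an IP, one MAC claiming several IPs, the poisoner and the real owner racing to update the entry) are exactly what a defender can watch for on the segment. As an added example that is not part of these notes, this Python monitor replays a constructed list of ARP replies and flags those symptoms the way an arpwatch-style tool would; the record format and all addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a passive monitor on the segment would see them:
# (timestamp, sender IP, sender MAC, target IP). A gratuitous ARP is one whose
# target IP equals its sender IP, i.e. it was not answering anyone's request.
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1",  "aa:bb:cc:00:00:01", "192.168.1.50"),  # gateway answers a request
    (2, "192.168.1.50", "aa:bb:cc:00:00:50", "192.168.1.1"),   # host answers the gateway
    (3, "192.168.1.1",  "de:ad:be:ef:00:99", "192.168.1.1"),   # gratuitous: gateway IP claimed by another MAC
    (4, "192.168.1.50", "de:ad:be:ef:00:99", "192.168.1.50"),  # same MAC also claims the host's IP
    (5, "192.168.1.1",  "aa:bb:cc:00:00:01", "192.168.1.1"),   # real gateway re-asserts itself: the "race"
]


def analyze_arp(replies):
    """Replay ARP replies in order and return a list of alert dicts.

    Three symptoms are flagged:
      ip-mac-change : an IP that was bound to one MAC is now claimed by another
      mac-multi-ip  : one MAC claims more than one IP (typical of a man-in-the-middle)
      ip-flapping   : an IP's MAC has changed at least twice (poisoner and real
                      owner fighting over the same cache entry)
    """
    ip_to_mac = {}                  # current binding as the segment would cache it
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed so far
    changes = defaultdict(int)      # how often each IP's MAC has flipped
    alerts = []
    for ts, sender_ip, sender_mac, target_ip in replies:
        gratuitous = sender_ip == target_ip
        previous = ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            changes[sender_ip] += 1
            alerts.append({"kind": "ip-mac-change", "ts": ts, "ip": sender_ip,
                           "old": previous, "new": sender_mac, "gratuitous": gratuitous})
            if changes[sender_ip] >= 2:
                alerts.append({"kind": "ip-flapping", "ts": ts, "ip": sender_ip,
                               "changes": changes[sender_ip]})
        ip_to_mac[sender_ip] = sender_mac
        known_ips = mac_to_ips[sender_mac]
        # Alert each time this MAC adds a further IP to the set it already claims.
        if known_ips and sender_ip not in known_ips:
            alerts.append({"kind": "mac-multi-ip", "ts": ts, "mac": sender_mac,
                           "ips": sorted(known_ips | {sender_ip})})
        known_ips.add(sender_ip)
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp(SAMPLE_ARP_REPLIES):
        print(alert)
```

On the constructed sample the monitor reports five alerts: the gateway rebinding at ts 3, the host rebinding plus the multi-IP claim at ts 4, and the rebinding plus flapping at ts 5.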
- How does DHCP Starvation work?
Attacker sends unending, forged DHCP requests to the server on the subnet
The server tries to fill all requests and quickly runs out of available IP address pools
Legitimate systems trying to access the subnet will not be able to pull a new IP or renew their current lease
DHCP Starvation Tools
Yersinia
DHCPstarv
DHCP Snooping mitigates this attack.
- What is spoofing?
Spoofing is simply pretending to be an address you are not
MAC spoofing - simple process of figuring out the MAC address of the system you are trying to sniff traffic from and changing your MAC to match it.
SMAC is a tool for achieving this
Port Security is a security feature on switches that allows an administrator to manually assign MAC addresses to a specific port
IRDP spoofing - hacker sends spoofed ICMP Router Discovery Protocol messages through the network, advertising whatever gateway he wants all the systems to start routing messages to
Other Spoofing Tools
Wireshark
tcpdump
tcptrace
Related Notes
IPv6 Fundamentals
DHCP