7.1 Sniffing Concepts
Network Sniffing and Threats
- Sniffing is a process of monitoring and capturing all data packets passing through a given network using sniffing tools.
- It is a form of wiretap applied to computer networks.
- Many enterprises' switch ports are open.
- Anyone in the same physical location can plug into the network using an Ethernet cable.
How a Sniffer Works (Important)
- Promiscuous Mode: Sniffer turns the NIC of a system to the promiscuous mode so that it listens to all the data transmitted on its segment.
- Decode Information: A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in the data packet.
Types of Sniffing: Passive Sniffing
- Passive sniffing means sniffing through a hub; on a hub, the traffic is sent to all ports.
- It involves only monitoring of the packets sent by others without sending any additional data packets in the network traffic.
- In a network that uses hubs to connect systems, all hosts on the network can see all traffic, so an attacker can easily capture traffic going through the hub.
- Hub usage is outdated today. Most modern networks use switches.
Types of Sniffing: Active Sniffing
- Active sniffing is used to sniff a switch-based network.
- Active sniffing involves injecting Address Resolution Protocol (ARP) packets into the network to flood the switch's Content Addressable Memory (CAM) table; the CAM table keeps track of which host is connected to which port.
- Active Sniffing Techniques:
  - MAC Flooding
  - DNS Poisoning
  - ARP Poisoning
  - DHCP Attacks
  - Switch Port Stealing
  - Spoofing Attack
How an Attacker Hacks the Network Using Sniffers
- An attacker connects his laptop to a switch port.
- He runs discovery tools to learn about network topology.
- He identifies the victim's machine to target his attacks.
- He poisons the victim machine by using ARP spoofing techniques.
- The traffic destined for the victim machine is redirected to the attacker.
- The hacker extracts passwords and sensitive data from the redirected traffic.
Protocols Vulnerable to Sniffing
- HTTP: Data sent in clear text
- Telnet and Rlogin: Keystrokes including user names and passwords
- POP: Passwords and data sent in clear text
- IMAP: Passwords and data sent in clear text
- SMTP and NNTP: Passwords and data sent in clear text
- FTP: Passwords and data sent in clear text
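To make concrete what "decoding the information encapsulated in the data packet" means and why the protocols above are exposed, here is an added example (not part of the original notes) of the decode stage a sniffer applies to each captured frame, followed by a check that flags traffic to the cleartext protocols listed. The frames are constructed inline with standard port numbers, so it runs without a NIC in promiscuous mode.

```python
# Added example (not from the original notes): minimal Ethernet II -> IPv4 -> TCP
# decoder, plus a check that flags traffic to cleartext protocols by destination
# port. Sample frames are constructed below; no live capture is needed.
import struct

# Standard destination ports of the protocols whose credentials travel in clear text.
CLEARTEXT_PORTS = {80: "HTTP", 23: "Telnet", 513: "Rlogin", 110: "POP3",
                   143: "IMAP", 25: "SMTP", 119: "NNTP", 21: "FTP"}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def decode_frame(frame):
    """Decode Ethernet II + IPv4 + TCP headers; return a dict, or None if not IPv4/TCP."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:          # only IPv4 is handled here
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4         # IPv4 header length in bytes
    if ip[9] != 6:                   # protocol field: 6 = TCP
        return None
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    sport, dport, _seq, _ack, off = struct.unpack("!HHIIB", tcp[:13])
    data_off = (off >> 4) * 4        # TCP header length in bytes
    return {"src_mac": mac_str(src), "dst_mac": mac_str(dst),
            "src_ip": src_ip, "dst_ip": dst_ip,
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}

def cleartext_protocol(pkt):
    """Name of the cleartext protocol the packet is addressed to, or None."""
    return CLEARTEXT_PORTS.get(pkt["dport"])

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed test frame (checksums left at zero; decoding does not verify them)."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 1024, 0, 0)
    return eth + ip + tcp + payload

# Constructed sample: an FTP login command, readable by anyone on the segment.
SAMPLE = build_frame("10.0.0.5", "10.0.0.9", 40000, 21, b"USER alice\r\n")
```

Running `decode_frame(SAMPLE)` yields the FTP command in the payload, which is exactly what a passive sniffer on a hub or a mirrored port would see; the same frame on port 443 is flagged as nothing, because its payload would be TLS-encrypted.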
Sniffing in the Data Link Layer of the OSI Model (Important)
- Sniffers operate at the Data Link layer of the OSI model.
- Networking layers in the OSI model are designed to work independently of each other; if a sniffer sniffs data in the Data Link layer, the upper OSI layers will not be aware of the sniffing.
Hardware Protocol Analyzer
- A hardware protocol analyzer is a piece of equipment that captures signals without altering the traffic in a cable segment.
- It can be used to monitor network usage and identify malicious network traffic generated by hacking software installed in the network.
- It captures a data packet, decodes it, and analyzes its content according to certain predetermined rules.
- It allows an attacker to see the individual data bytes of each packet passing through the cable.
SPAN Port (Port Mirror)
- A SPAN port is a switch port configured to receive a copy of every packet that passes through the switch.
- Wiretapping is the process of monitoring telephone and Internet conversations by a third party.
- Attackers connect a listening device (hardware, software, or a combination of both) to the circuit carrying information between two phones or hosts on the Internet.
- It allows an attacker to monitor, intercept, access, and record information contained in a data flow in a communication system.
- Types of Wiretapping:
  - Active Wiretapping: It monitors, records, alters and also injects something into the communication or traffic.
  - Passive Wiretapping: It only monitors and records the traffic and gains knowledge of the data it contains.
- Lawful interception refers to legally intercepting data communication between two end points for surveillance on the traditional telecommunications, VoIP, data, and multiservice networks.
Wiretapping Case Study: PRISM
- PRISM stands for "Planning Tool for Resource Integration, Synchronization, and Management," and is a "data tool" designed to collect and process "foreign intelligence" that passes through American servers.
- The NSA wiretaps a huge amount of foreign internet traffic that is routed through or saved on U.S. servers.