SNIFFING
Sniffing allows you to see all sorts of traffic, both protected and unprotected. In the right conditions and with the right protocols in place, an attacking party may be able to gather information that can be used for further attacks or to cause other issues for the network or system owner.
So what can be sniffed?
- Email traffic
- FTP passwords
- Web traffic
- Telnet passwords
- Router configuration
- Chat sessions
- DNS traffic
PROMISCUOUS MODE
Promiscuous mode is a mode of Ethernet hardware, specifically the Network Interface Card (NIC), in which the NIC receives all the traffic on the network, even traffic that is not addressed to the NIC of the sniffing device.
By default, a NIC ignores all traffic that is not addressed to it. It does this by comparing the destination address of the Ethernet packet with the hardware (MAC) address of the device.
HOW IT WORKS?
A sniffer normally switches the NIC of the system to promiscuous mode so that it listens to all the data transmitted on its segment.
A sniffer can continuously monitor all the traffic to a computer through the NIC by decoding the information encapsulated in the data packets.
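Because a sniffer normally puts the NIC into promiscuous mode, that flag is something to check for on hosts you manage. The following is an added example, not part of the original page: it assumes a Linux host, where the kernel exposes each interface's flags under /sys/class/net, and the function names are illustrative.

```python
"""Added example: list Linux interfaces whose IFF_PROMISC flag is set."""
from pathlib import Path

IFF_UP = 0x1         # interface is administratively up (linux/if.h)
IFF_PROMISC = 0x100  # NIC accepts frames for any destination MAC (linux/if.h)


def parse_flags(text):
    """Parse the hex string the kernel writes to <iface>/flags, e.g. '0x1103'."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    """True when the promiscuous bit is set in an interface flags word."""
    return bool(flags & IFF_PROMISC)


def scan(sysfs_root="/sys/class/net"):
    """Return {iface: {'up': bool, 'promisc': bool}} for every interface found."""
    report = {}
    root = Path(sysfs_root)
    if not root.is_dir():
        return report  # not Linux, or sysfs is not mounted
    for iface in sorted(root.iterdir()):
        try:
            flags = parse_flags((iface / "flags").read_text())
        except (OSError, ValueError):
            continue  # entry is not an interface (e.g. bonding_masters) or is unreadable
        report[iface.name] = {"up": bool(flags & IFF_UP),
                              "promisc": is_promiscuous(flags)}
    return report


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Names of the interfaces that currently accept all traffic."""
    return [name for name, state in scan(sysfs_root).items() if state["promisc"]]


if __name__ == "__main__":
    hits = promiscuous_interfaces()
    for name in hits:
        print(f"{name}: promiscuous mode enabled")
    if not hits:
        print("no interface is in promiscuous mode")
```

This only inspects the host it runs on; an interface that is expected to capture traffic, such as one used by a monitoring tool, will legitimately appear in the output.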
TYPES OF SNIFFING
Active Sniffing - the traffic is not only captured and monitored, but it may also be altered in some way as determined by the attack. Active sniffing is used to sniff a switch-based network. It involves injecting Address Resolution Protocol (ARP) packets into a target network to flood the switch's content addressable memory (CAM) table. The CAM table keeps track of which host is connected to which port.
Active sniffing techniques include:
- MAC Flooding
- DHCP Attacks
- DNS Poisoning
- Spoofing Attacks
- ARP Poisoning
Passive Sniffing - the traffic is captured but it is not altered in any way. Passive sniffing allows listening only. It works with hub devices. On a hub, the traffic is sent to all the ports, so in a network that uses hubs to connect systems, all hosts on the network can see the traffic. Therefore, an attacker can easily capture the traffic going through.
The good news is that hubs are almost obsolete nowadays. Most modern networks use switches. Hence, passive sniffing is no longer effective.
PROTOCOLS WHICH CAN BE
Protocols such as the tried and true TCP/IP were never designed with security in mind and therefore do not offer much resistance to potential intruders. Several protocols lend themselves to easy sniffing −
HTTP − It sends information in clear text without any encryption, which makes it a real target.
SMTP (Simple Mail Transfer Protocol) − SMTP is basically utilized in the transfer of emails. This protocol is efficient, but it does not include any protection against sniffing.
NNTP (Network News Transfer Protocol) − It is used for all types of communications, but its main drawback is that data and even passwords are sent over the network as clear text.
POP (Post Office Protocol) − POP is strictly used to receive emails from the servers. This protocol does not include protection against sniffing, so its traffic can be captured.
Telnet − Telnet sends everything (usernames, passwords, keystrokes) over the network as clear text and hence, it can be easily sniffed.
FTP (File Transfer Protocol) − FTP is used to send and receive files, but it does not offer any security features. All the data is sent as clear text that can be easily sniffed.
IMAP (Internet Message Access Protocol) − IMAP is the same as SMTP in its functions, but it is highly vulnerable to sniffing.
Sniffers are not dumb utilities that only let you view live traffic. If you really want to analyze each packet, save the capture and review it whenever time allows.