• Articles
  • Tutorials
  • Interview Questions

Sniffing Attack - Types, Examples, and Prevention

What is Sniffing Attacks?

Sniffing attacks refer to data thefts caused by capturing network traffic through packet sniffers that can unlawfully access and read the data which is not encrypted. The data packets are captured when they flow through a computer network. The packet sniffers are the devices or media used to do this sniffing attack and capture the network data packets. They are called network protocol analyzers. Unless the packets are encrypted with strong network security, hackers will be able to steal and access the data. There are different packet sniffers such as Wireshark, Dsniff, Etherpeek, etc.

Examples of Sniffing Attacks

Some of the examples of Sniffing attacks are:

Get 100% Hike!

Master Most in Demand Skills Now!

Types of Sniffing Attacks

Broadly, sniffing attacks are classified into 2 categories:

Active Sniffing attacks 

Active sniffing attacks majorly refer to attacks triggered by injecting Address Resolution Protocols (ARPs) into a network to flood the Switch Content address memory (CAM) table. The redirected legitimate traffic finally allows the attacker to perform the sniffing of the traffic from the switch.

Passive Sniffing attacks

This kind of sniffing usually occurs at the hub. Contrary to active sniffing, here the hub can be directly injected with a sniffing device to easily extract the data packets. However, hubs hardly are used these days and hence passive sniffing attacks are barely reported.

There are various types of sniffing attacks such as

  • LAN Sniff – The sniffer attacks the internal LAN and scans the entire IP gaining access to live hosts, open ports, server inventory, etc. A port-specific vulnerability attack happens in LAN sniffing.
  • Protocol Sniff – The sniffer attacks occur based on the network protocol used. Different protocols such as ICMP, UDP, Telnet, PPP, DNS, etc., or other protocols might be used.
  • ARP Sniff – ARP Poisoning attacks or packet spoofing attacks occur based on the data captured to create a map of IP addresses and associated MAC addresses.
  • TCP Session stealing – TCP session stealing is used to monitor and acquire traffic details between the source & destination IP address. All details such as port number, service type, TCP sequence numbers, data are stolen by the hackers.
  • Application-level sniffing – Applications running on the server are attacked to plan an application-specific attack.
  • Web password sniffing – HTTP sessions created by users are stolen by sniffers to get the user ID, password, and other sensitive information.

Tools used for Packet Sniffing

Various sniffing tools used currently and widely in the industry –

Wireshark

These are open-sourced and widely used packet analyzers that are utilized for network troubleshooting, analysis, software, and communications protocol development. Wireshark is cross-platform and is extensively used to monitor network and packet flows in the network.

Tcpdump

Usually running under a command user interface, Tcpdump allows users to display TCP/IP and other packets being transmitted or being received over an attacked computer network. It has lesser security risk and requires few resources only. In Windows, it runs as WinDump.

Dsniff

Dsniff was developed to parse different protocols and extract relevant information. It is a set of password sniffing and network traffic analysis tools, used to sniff different protocols in UNIX and Linux systems only.

sniffing attract tools

NetworkMiner

It is an open-source NFAT for Windows. NetworkMiner is one of the most commonly used tools that make network analysis simple, to detect host and open ports through packet sniffing. It can operate offline too.

Kismet

Specifically used to sniff in wireless networks, even from hidden networks and SSIDs. In simpler terms, Kismet is a network detector, packet sniffer, and intrusion detection system. KisMac is used for MAC and OSX environments and works with any wireless card which supports raw monitoring mode.

There are various other packet sniffing tools such as EtherApe, Fiddler, OmniPeek, PRTG Network monitor, and so on.

Hardware Protocol Analyzer:

A protocol analyzer usually captures, analyzes the signal and data traffic in a network channel. These devices can attach themselves at the hardware level and are used to monitor traffic. It is used to capture data packet, decodes and analyzes the data. It is a hardware device that enables the hacker to see individual data bytes in the network.

MAC attacks & Flooding Switches

MAC attacks are also known as CAM table overflow attacks, here the attacker does not attack the host machine directly, but he attacks the network switches. A network switch is used to connect the devices together in the same computer network. MAC flooding compromises the security of the network switches by flooding the switches with fake address/port mapping. The switch cannot save a lot of MAC addresses; hence it enters into a fail-open mode and so it starts broadcasting all the incoming data to the ports. So the attacker gains access to the victim’s data packets.
To prevent a MAC flooding attack, we need to use Port Security (Cisco Switches), Authentication with AAA servers, Security measures to prevent ARP or IP spoofing, and Implementing IEEE 802.1X suites.

Sniffing Detection

Detecting sniffers can be quite tedious since they are mostly passive (collect data only) especially in a shared Ethernet. When the user is functioning on a switched Ethernet network segment, it is easier to detect the sniffing using the following techniques:–

Ping Method

Sending a ping request of the IP address of the affected machine, the sniffer machine might respond to the ping if the suspect machine is still running. It is not a strongly reliable method.

ARP method

Machines always capture and cache ARP. Upon sending a non-broadcast ARP, the sniffer/promiscuous machine will cache the ARP and it will respond to our broadcast ping

On Local Host

Logs can be used to find if the machine is running on a sniffer attack or not.

Latency method

Ping time is used to detect the sniffing, the time is generally short. If the load is heavy by the sniffer, it takes a long time to reply to pings.

ARP Watch

Used to trigger alarms when it sees a duplicate cache of the ARP.

Using IDS

Intrusion detection systems monitor for ARP spoofing in the network. It records packets on networks with spoofed ARP addresses.

The better way to prevent sniffing is the usage of encryption tools, adding MAC address of gateway permanently to ARP cache, switching to SSH, HTTPS instead of HTTP, and so on.

Precautionary Measures on Sniffing Attacks

Some of the sniffing prevention techniques can be:

Anti-virus tools

Installing an updated anti-virus program may prove to be beneficial in tackling sniffing.

Data Encryption

Encrypting your data with a VPN is considered one of the most feasible options in securing data from sniffing.

Unencrypted websites

Website URLs with HTTPS are secure while the ones with just HTTP don’t guarantee that nobody will be watching your activities and the data. Visiting unsecured websites should be prevented to avoid exposure to sniffing attacks.

Unencrypted messaging apps

Usage of such messaging apps should also be prevented in order to reduce the risk of sniffing attacks.

Internet Security Suite

Adopting a full-fledged internet security suite for your organizations or personal systems is one of the most trusted solutions to prevent cyber attacks.

Training

It is advisable to train the staff of the organization to thoroughly check the links and e-mail addresses before clicking on them and mails. Keeping the employees informed about cybersecurity threats, modes and precautions by conducting training sessions has become crucial nowadays.

Endpoint Protection

There are networks that are remotely bridged to devices. Laptops, computers, and mobile devices are connected to corporate networks paving the way for security threats. Such paths need endpoint protection software.

Firewall

Installing a firewall has been proven to have defied major cyberattacks. Firewalls tend to block any brute force attacks meant for the computer system before they could damage the network or files.

Course Schedule

Name Date Details
Cyber Security Course 14 Dec 2024(Sat-Sun) Weekend Batch View Details
21 Dec 2024(Sat-Sun) Weekend Batch
28 Dec 2024(Sat-Sun) Weekend Batch

About the Author

Lead Penetration Tester

Shivanshu is a distinguished cybersecurity expert and Penetration tester. He specialises in identifying vulnerabilities and securing critical systems against cyber threats. Shivanshu has a deep knowledge of tools like Metasploit, Burp Suite, and Wireshark.