What is Sniffing Attacks?
Sniffing attacks refer to data thefts caused by capturing network traffic through packet sniffers that can unlawfully access and read the data which is not encrypted. The data packets are captured when they flow through a computer network. The packet sniffers are the devices or media used to do this sniffing attack and capture the network data packets. They are called network protocol analyzers. Unless the packets are encrypted with strong network security, hackers will be able to steal and access the data. There are different packet sniffers such as Wireshark, Dsniff, Etherpeek, etc.
Examples of Sniffing Attacks
Some of the examples of Sniffing attacks are:
- Spoofing attacks
- DHCP attacks
- DNS poisoning
Types of Sniffing Attacks
Broadly, sniffing attacks are classified into 2 categories:
Active Sniffing attacks
Active sniffing attacks majorly refer to attacks triggered by injecting Address Resolution Protocols (ARPs) into a network to flood the Switch Content address memory (CAM) table. The redirected legitimate traffic finally allows the attacker to perform the sniffing of the traffic from the switch.
Passive Sniffing attacks
This kind of sniffing usually occurs at the hub. Contrary to active sniffing, here the hub can be directly injected with a sniffing device to easily extract the data packets. However, hubs hardly are used these days and hence passive sniffing attacks are barely reported.
There are various types of sniffing attacks such as
- LAN Sniff – The sniffer attacks the internal LAN and scans the entire IP gaining access to live hosts, open ports, server inventory, etc. A port-specific vulnerability attack happens in LAN sniffing.
- Protocol Sniff – The sniffer attacks occur based on the network protocol used. Different protocols such as ICMP, UDP, Telnet, PPP, DNS, etc., or other protocols might be used.
- ARP Sniff – ARP Poisoning attacks or packet spoofing attacks occur based on the data captured to create a map of IP addresses and associated MAC addresses.
- TCP Session stealing – TCP session stealing is used to monitor and acquire traffic details between the source & destination IP address. All details such as port number, service type, TCP sequence numbers, data are stolen by the hackers.
- Application-level sniffing – Applications running on the server are attacked to plan an application-specific attack.
- Web password sniffing – HTTP sessions created by users are stolen by sniffers to get the user ID, password, and other sensitive information.
Join our CEH certification course online and become a professional certified Ethical Hacker!
Tools used for Packet Sniffing
Various sniffing tools used currently and widely in the industry –
These are open-sourced and widely used packet analyzers that are utilized for network troubleshooting, analysis, software, and communications protocol development. Wireshark is cross-platform and is extensively used to monitor network and packet flows in the network.
Usually running under a command user interface, Tcpdump allows users to display TCP/IP and other packets being transmitted or being received over an attacked computer network. It has lesser security risk and requires few resources only. In Windows, it runs as WinDump.
Dsniff was developed to parse different protocols and extract relevant information. It is a set of password sniffing and network traffic analysis tools, used to sniff different protocols in UNIX and Linux systems only.
It is an open-source NFAT for Windows. NetworkMiner is one of the most commonly used tools that make network analysis simple, to detect host and open ports through packet sniffing. It can operate offline too.
Specifically used to sniff in wireless networks, even from hidden networks and SSIDs. In simpler terms, Kismet is a network detector, packet sniffer, and intrusion detection system. KisMac is used for MAC and OSX environments and works with any wireless card which supports raw monitoring mode.
There are various other packet sniffing tools such as EtherApe, Fiddler, OmniPeek, PRTG Network monitor, and so on.
Hardware Protocol Analyzer:
A protocol analyzer usually captures, analyzes the signal and data traffic in a network channel. These devices can attach themselves at the hardware level and are used to monitor traffic. It is used to capture data packet, decodes and analyzes the data. It is a hardware device that enables the hacker to see individual data bytes in the network.
Learn about various Cyber Security types and threats from our resourceful blog on Types of Cyber Security!
MAC attacks & Flooding Switches
MAC attacks are also known as CAM table overflow attacks, here the attacker does not attack the host machine directly, but he attacks the network switches. A network switch is used to connect the devices together in the same computer network. MAC flooding compromises the security of the network switches by flooding the switches with fake address/port mapping. The switch cannot save a lot of MAC addresses; hence it enters into a fail-open mode and so it starts broadcasting all the incoming data to the ports. So the attacker gains access to the victim’s data packets.
To prevent a MAC flooding attack, we need to use Port Security (Cisco Switches), Authentication with AAA servers, Security measures to prevent ARP or IP spoofing, and Implementing IEEE 802.1X suites.
Detecting sniffers can be quite tedious since they are mostly passive (collect data only) especially in a shared Ethernet. When the user is functioning on a switched Ethernet network segment, it is easier to detect the sniffing using the following techniques:–
Sending a ping request of the IP address of the affected machine, the sniffer machine might respond to the ping if the suspect machine is still running. It is not a strongly reliable method.
Machines always capture and cache ARP. Upon sending a non-broadcast ARP, the sniffer/promiscuous machine will cache the ARP and it will respond to our broadcast ping
Get a deep understanding of information system Security through this blog!
On Local Host
Logs can be used to find if the machine is running on a sniffer attack or not.
Ping time is used to detect the sniffing, the time is generally short. If the load is heavy by the sniffer, it takes a long time to reply to pings.
Used to trigger alarms when it sees a duplicate cache of the ARP.
Intrusion detection systems monitor for ARP spoofing in the network. It records packets on networks with spoofed ARP addresses.
The better way to prevent sniffing is the usage of encryption tools, adding MAC address of gateway permanently to ARP cache, switching to SSH, HTTPS instead of HTTP, and so on.
Precautionary Measures on Sniffing Attacks
Some of the sniffing prevention techniques can be:
Installing an updated anti-virus program may prove to be beneficial in tackling sniffing.
Encrypting your data with a VPN is considered one of the most feasible options in securing data from sniffing.
Website URLs with HTTPS are secure while the ones with just HTTP don’t guarantee that nobody will be watching your activities and the data. Visiting unsecured websites should be prevented to avoid exposure to sniffing attacks.
Unencrypted messaging apps
Usage of such messaging apps should also be prevented in order to reduce the risk of sniffing attacks.
Internet Security Suite
Adopting a full-fledged internet security suite for your organizations or personal systems is one of the most trusted solutions to prevent cyber attacks.
It is advisable to train the staff of the organization to thoroughly check the links and e-mail addresses before clicking on them and mails. Keeping the employees informed about cybersecurity threats, modes and precautions by conducting training sessions has become crucial nowadays.
There are networks that are remotely bridged to devices. Laptops, computers, and mobile devices are connected to corporate networks paving the way for security threats. Such paths need endpoint protection software.
Installing a firewall has been proven to have defied major cyberattacks. Firewalls tend to block any brute force attacks meant for the computer system before they could damage the network or files.
How sniffing is different from spoofing? Have a look at our blog on Sniffing and Spoofing to learn more.