Sniffing attack means capturing the data packets when it flows through a computer network. Packet sniffer is the device or medium used to do this sniffing attack. They are called network protocol analyzer. Unless the packets are encrypted with strong network security, any hacker might steal the data and analyze it. There are different packet sniffers such as wireshark, Dsniff, Etherpeek etc..
Cyber security & Ethical hacking Tutorial Video:
Types of Sniffing Attacks:
There are various types of sniffing attack such as –
- LAN Sniff – The sniffer attacks the internal LAN and scans the entire IP gaining access to live hosts, open ports, server inventory etc.. A port specific vulnerability attacks happens in LAN sniffing.
- Protocol Sniff – Based on the network protocol used, the sniffer attacks occurs. The different protocol such as ICMP, UDP, Telnet, PPP, DNS etc. or other protocols might be used.
- ARP Sniff – ARP Poisoning attacks or packet spoofing attacks occur based on the data captured to create a map of IP address and associated MAC addresses.
- TCP Session stealing – TCP session stealing is used to monitor and acquire traffic details between the source & destination IP address. All details such as port number, service type, TCP sequence numbers, data are stolen by the hackers.
- Application level sniffing – Applications running on the server are attacked to plan an application specific attack.
- Web password sniffing – HTTP session created by users are stolen by sniffers to get the user ID, password and other sensitive information.
Tools used for Packet Sniffing:
Lets see various sniffing tools used currently and widely in the industry –
- Wireshark – Widely used network protocol analyzer to monitor network and packet flows in the network. It is free and works in multi platforms.
- Tcpdump – It has less security risk, requires few resource only. In windows it runs as WinDump.
- Dsniff – Used to sniff different protocols in UNIX and Linux systems only, to sniff and reveal passwords.
- NetworkMiner – Makes network analysis simple, to detect host and open ports through packet sniffing. It can operate offline.
- Kismet – Specifically used to sniff in wireless networks, even from hidden networks and SSIDs. KisMac is used for MAC and OSX environment.
There are various other packet sniffing tools such as EtherApe, Fiddler, OmniPeek, PRTG Network monitor and so on.
Hardware Protocol Analyzer:
A protocol analyzer usually captures, analyzes the signal and data traffic in a network channel. These devices can attach themselves at the hardware level and used to monitor traffic. It is used to capture data packet, decodes and analyzes the data. It is a hardware device which enables the hacker to see individual data bytes in the network.
MAC attacks & Flooding Switches:
MAC attacks are also known as CAM table overflow attack, here the attacker does not attack the host machine directly, but he attacks the network switches. A network switch is a used to connect the devices together in the same computer network. MAC flooding compromises the security of the network switches by flooding the switches with fake address/port mapping. The switch cannot save a lot of MAC address; hence it enters into a fail-open mode and so it starts broadcasting all the incoming data to the ports. So the attacker gains access to the victim’s data packets.
To prevent a MAC flooding attack, we need to use Port security (Cisco Switches), Authentication with AAA servers, Security measures to prevent ARP or IP spoofing and Implementing IEEE 802.1X suites.
Sniffing Detection and Prevention techniques:
Detecting sniffers can be difficult since they are mostly passive (collects data only) especially in a shared Ethernet. When he is functioning on a switched ethernet network segment it is easier to detect the sniffing using the following techniques, they are –
- Ping method – Sending ping request of the IP address of the affected machine, the sniffer machine might respond to the ping if the suspect machine is still running. It is a not strongly reliable method.
- ARP method – Machines always capture and caches ARP. Upon sending a non-broadcast ARP, the sniffer/promiscuous machine will cache the ARP and it will respond to our broadcast ping
- On Local Host – Logs can be used to find if the machine is running on a sniffer attack or not.
- Latency method – Ping time is used to detect the sniffing, the time is generally short. If the load is heavy by sniffer, it takes long time to reply for pings.
- ARP Watch – Used to trigger alarms when it sees a duplicate cache of the ARP.
- Using IDS – Intrusion detection systems monitors for ARP spoofing in the network. It records packets on network with spoofed ARP addresses.
The better way to prevent sniffing is usage of encryption tools, adding MAC address of gateway permanently to ARP cache, switching to SSH, https instead of http and so on.