Sniffing - Monitor the network


Sniffing is capturing data as it travels across a network; in other words, it is the process of monitoring network traffic. From the captured traffic we can recognize hosts, services, device types, protocols, subnets, IP addresses, etc. on the network.

With a good sniffer we can capture any protocol, even one the sniffer does not recognize (the raw frames are still recorded). For example, Wireshark supports thousands of protocols.

You may be surprised that even encrypted data can be sniffed, but you cannot read it. To read that data you either need the secret keys or have to decrypt it manually using the relevant algorithm.

How does sniffing work?

A sniffing app puts the device's network interface into promiscuous mode. The app then starts capturing all traffic that reaches the interface, regardless of who it is destined for.

You can stop the capture at any time and:

- Filter the results based on protocol, port, IP address, or payload keyword
- Perform some analysis on the traffic
- Recreate entire TCP conversations
- Recreate certain file types
- Save the captured traffic in a pcap file for later analysis
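As an added example (not code from the original post), here is a minimal writer and reader for the classic pcap file format mentioned above, plus a filter on the Ethernet EtherType so you can pull out, say, only ARP frames. The two frames are constructed sample data, not a real capture.

```python
import struct

# Constructed sample frames (not captured from a real network): one ARP frame
# (EtherType 0x0806) and one IPv4 frame (EtherType 0x0800), each with a timestamp.
SAMPLE_FRAMES = [
    (1_700_000_000, 0,   bytes.fromhex("ffffffffffff" "0a0000000001" "0806") + b"\x00" * 28),
    (1_700_000_000, 500, bytes.fromhex("0a0000000002" "0a0000000001" "0800") + b"\x45" + b"\x00" * 19),
]

def build_pcap(frames, linktype=1):
    """Serialise (ts_sec, ts_usec, frame_bytes) records into a classic little-endian pcap image."""
    # Global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, link type (1 = Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, frame in frames:
        # Record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Parse a pcap image (either byte order) into (linktype, [(ts_sec, ts_usec, frame), ...])."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"            # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"            # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    _magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack(end + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated record")   # a cut-off capture file
        records.append((ts_sec, ts_usec, data[off:off + incl]))
        off += incl
    return linktype, records

def filter_by_ethertype(records, ethertype):
    """Keep only Ethernet frames whose EtherType matches (e.g. 0x0806 for ARP, 0x0800 for IPv4)."""
    return [r for r in records
            if len(r[2]) >= 14 and struct.unpack("!H", r[2][12:14])[0] == ethertype]
```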

Active and Passive Sniffing:

Passive sniffing involves collecting packets as they pass by your network interface. You don't transmit anything. You just promiscuously receive.

Active sniffing involves sending out multiple network probes to achieve an objective.

Examples:
- MAC flooding
- DNS poisoning & ARP poisoning
- DHCP attacks
- Switch port stealing
- Spoofing attacks

With these techniques, attackers can eavesdrop on your phone calls.

Additional sniffing methods:

■ Port spanning
- Switch configuration that makes the switch send a copy of all frames from other ports to a specific port
- AKA SPAN port or port mirroring
- Not all switches have the ability to do this.
- Modern switches sometimes don't allow SPAN ports to send data; you can only listen.

■ Network tap
- Purpose-built hardware device that sits in a network segment between two appliances (router, switch or firewall).
- Allows you to capture all traffic passing through it.


Lawful Interception

- Legal interception of data communication between end-points.
- Some jurisdictions require a court order.
- For surveillance on traditional phone, VoIP, data, multi-service networks.
- PRISM - System used by NSA to collect internet communications from various U.S. internet companies.

Eavesdropping

- Secretly listening to private conversations or communications.
- Capture speech or telephone conversations.
- Plant a sniffer on a network.
- Secretly place a camera or microphone in a room.
- Capture VoIP packets off the network and replay them.
- Use a phone to record someone entering a password or PIN from across a room.
- Use a Wi-Fi Pineapple or other man-in-the-middle device to capture wireless traffic.

TCP/IP core protocols are vulnerable to sniffing:

The protocols are:
- ARP
- IGMP
- ICMP
- TCP shows sequence numbers (usable in session hijacking)
- TCP and UDP show open ports
- IP (both versions) shows source and destination addresses

Vulnerable Layer 7 protocols are given below (TCP and UDP):

img: Vulnerable Layer 7 protocols (TCP)
img: Vulnerable Layer 7 protocols (UDP)

Tools for sniffing:
What is a sniffer?

A sniffer is:
- AKA protocol analyzer or packet analyzer
- Records all network traffic that reaches its interface
- Can be software- or hardware-based
- Depending on the product, can capture different Layer 2 protocols on various media types
- Typically requires a driver to place the interface in promiscuous mode
- Allows the sniffer to take in frames even if they are not destined for the sniffing machine

Tools:
1. Wireshark
2. tcpdump
3. WinDump
4. EtherPeek
5. tcptrace
6. PRTG Network Monitor
7. NetworkMiner

Sniffing tools for Android:
- Wi.cap Network Sniffer Pro
- FaceNiff
- Sniffer
- zAnti
- cSploit
- Packet Capture
- Debug Proxy
- WiFinspect
- tPacketCapture
- Android tcpdump

Look at the image: Wireshark is capturing all the browsing history.


MAC Flooding:

- This is a common attack on a network switch
- The goal is to force a switch to behave like a hub
  > Forward all frames out all ports
  > The attacker can sniff any traffic
- Intentionally overwhelming a switch with phony MAC addresses
  > Specially crafted Ethernet frames are rapidly sent into a switch port
  > Typically the frames have random spoofed source MAC addresses
- The switch will enter the spoofed MAC addresses into its MAC table
- The MAC table fills and cannot take in any new MAC addresses
- Vulnerable switches will then change into hub mode
  > They repeat any incoming frame out all ports
- This allows the attacker to sniff traffic from all nodes on the switch
- Most modern switches are not vulnerable

Most modern switches are not vulnerable, but older ones are.

ARP (Address Resolution Protocol):

- A core TCP/IP protocol
- Maps IP addresses to MAC addresses
  > In Ethernet and Wi-Fi, you cannot transmit a packet until the Layer 2 header contains the source and destination MAC addresses

ARP process:
- Sender transmits an ARP request
  > Layer 2 broadcast (FF:FF:FF:FF:FF:FF)
  > Asks which MAC "owns" the specified IP address
- All nodes on the same segment receive and process the request
- The "owner" sends an ARP reply
  > Layer 2 unicast
  > Affirms it owns the IP address
- The sender updates its ARP cache, mapping MAC to IP
  > Mappings must be refreshed periodically

ARP Spoofing

- Used for sniffing someone else's traffic.
- Transmit spoofed ARP frames into the switch.
  > Pretend to have the same MAC as the node(s) you want to eavesdrop on.
  > The IP address is irrelevant, because the switch only deals in MAC addresses.
- The switch will add the spoofed MAC to its table, associating it with your port.
  > The switch will actually have the same MAC associated with two switchports.
- Any traffic destined for the other node will also be forwarded out your port.

ARP Poisoning

- The deliberate effort to corrupt another device's ARP cache.
- Send fake ARP replies that associate the attacker's MAC with the target's IP.
- Used for man-in-the-middle attacks.
  > Corrupt both sides of a conversation (client-server / sender-gateway).
  > Each node thinks the other has your MAC address.
  > The two sides will unknowingly relay their conversation through you.
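Added example (not code from the original post) showing how a defender can spot the two techniques from the MAC Flooding and ARP Poisoning sections in captured frames: an abnormal number of distinct source MACs in a short window, and an IP whose ARP reply MAC changes or disagrees with the frame's own source MAC. The frames are constructed sample data; the function names and the threshold of 50 MACs per second are my assumptions.

```python
import struct
from collections import defaultdict

def parse_ethernet(frame):
    """Split an Ethernet II frame into (dst_mac, src_mac, ethertype, payload)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return dst.hex(":"), src.hex(":"), etype, frame[14:]

def parse_arp(payload):
    """Decode IPv4-over-Ethernet ARP into (opcode, sender_mac, sender_ip, target_ip), else None."""
    hw, proto, hlen, plen, op, smac, sip, _tmac, tip = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, smac.hex(":"), ".".join(map(str, sip)), ".".join(map(str, tip))

def build_arp(src_mac, sender_mac, sender_ip, target_ip, op=2):
    """Constructed sample ARP frame (test data, not real traffic); op 2 = reply, broadcast dst."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac(sender_mac), ip(sender_ip), bytes(6), ip(target_ip))
    return struct.pack("!6s6sH", mac("ff:ff:ff:ff:ff:ff"), mac(src_mac), 0x0806) + arp

def detect_arp_poisoning(frames):
    """Alert when an IP's ARP-reply MAC changes, or the ARP sender MAC != Ethernet source MAC."""
    alerts, table = [], {}          # table: sender_ip -> last sender_mac seen in a reply
    for frame in frames:
        _dst, src, etype, payload = parse_ethernet(frame)
        arp = parse_arp(payload) if etype == 0x0806 and len(payload) >= 28 else None
        if arp is None or arp[0] != 2:     # only replies bind IP -> MAC in a victim's cache
            continue
        _op, smac, sip, _tip = arp
        if smac != src:
            alerts.append(f"{sip}: ARP sender {smac} != frame source {src}")
        if sip in table and table[sip] != smac:
            alerts.append(f"{sip}: was {table[sip]}, now {smac}")
        table[sip] = smac
    return alerts

def detect_mac_flood(timed_frames, window_s=1.0, threshold=50):
    """Distinct source MACs per window; far more than the hosts on a segment suggests flooding."""
    seen = defaultdict(set)
    for ts, frame in timed_frames:
        seen[int(ts // window_s)].add(parse_ethernet(frame)[1])
    return {w: len(macs) for w, macs in seen.items() if len(macs) > threshold}
```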

For sniffing and spoofing you can use Ettercap, which comes preinstalled in Kali Linux. It can also be used for MITM (man-in-the-middle) attacks.

I am not writing this article on hacking, so I have skipped some topics, such as Raspberry Pi in MITM, name resolution attacks, etc. If you want, you can study them. But don't do any kind of unethical act. If you do so and face any kind of problem... I will not be responsible for that.
