Jump to content

Venom Academy/Ethical Hacking/Sniffing

From Wikibooks, open books for an open world


Now in this chapter we will look into sniffing. Sniffing can be defined as a method of harvesting data by capturing packets across a network either wired or wireless. The main goal in sniffing is to capture unencrypted communication. Lets look into it a bit more in detail

Types of sniffing

[edit | edit source]

Sniffing is basically divided into two categories, they will be explained below:

  • Active Sniffing
  • Passive Sniffing

Active Sniffing

[edit | edit source]

Active sniffing happens when the attacker directly interacts with the victim machine by sending packet requests and listening for responses. Some examples may include ARP spoofing and Man in the middle attacks.

Passive sniffing

[edit | edit source]

Passive sniffing happens when the attack does not directly interact with the target machine, This only happens when the attacker sniffs for packets only without performing an attacks.

Promiscuous and nonpromiscuous mode

[edit | edit source]

Before any sniffing can be done on a network, you first need to understand the differences between promiscuous and nonpromiscuous mode in this case they are associated with network cards. By default your network card is set to nonpromiscuous mode, which means that the machine will only receive packets that are only mentioned for you. In promiscuous mode, the network card will forcefully allow us to capture all the traffic that is not intended for our computer.

Man in the Middle attack(MITM)

[edit | edit source]

The main goal of a MITM attack is that the attacker can place himself in the middle of a communication between two machines. For example someone logging into Facebook, if we are using MITM attacker will place ourself between the victim and the Facebook server. Therefore all communications can be captured by the attacker.

ARP Poisoning

[edit | edit source]

ARP Poisoning is the most popular attack used to intercept a communication between two machines. This is achieved by sending fake ARP replies to both the possible target and server. The way it works is that the attacker would send a fake ARP reply to any computer on the network to make the computer believe that the IP of the attacker is associated with a certain address. Therefore the computer becomes confused and might send the packets to the attacker thinking that it is the legitimate server.

Lab exercise

[edit | edit source]

Before we get to perform a MITM attack, we first need to enable IP forwardings that the traffic can be forwarded to its intended destination. To do this use the following command:

root@venom [$]~ echo 1 > proc ipfoward

Now that we have enabled IP forwarding, we need to gather information to perform a MITM attack the required information are:

  1. The attackers IP address
  2. The Victims IP address
  3. The default gateway values

To find your IP you can use the ifconfig command. Then to find the victim's IP we can use the following command:

netdiscover

Netdiscover will list all the machines in the Network, all you need to do is copy the IP address of the victim. The default gateway will also be shown on netdiscover. Now to perform a MITM attack we first need to perform a ARP Poisoning attack using arpspoof the command syntax is shown below:

arpspoof -i <the interface you are using> -t <target host> <gateway  address>

Here we will show you an example and its output.

root@venom [$]~ arpspoof -i eth0 -t 192.168.75.142 192.168.75.2
0a:12:18:1a:2b:16:32:8c 0806 ARP reply 192.168.75.2 is-at 0a:12:18:1a:2b:16:32:8c

As we can see above our ARP spoof attack is working brilliantly. Now we need to send all the traffic that we are receiving to a tool called dSniff. Now execute the command below

dsniff

Here in our example, dsniff returned with the output shown below:

root@venom [$]~ dsniff
dsniff: listening on eth0 
---------------------------------------
07/23/13/ 07:14:20 tcp 192.168.75.142 -> venom.machines.com 21 (ftp)
USER anonymous
PASS IFuser

As shown in our example, dsniff managed to return back with passwords that were harvested during the MITM attack

Please know that there are many tools to use for sniffing, at around with them, we can't mention them all here.

Promiscuous and nonpromiscuous