Practice flashcards covering sniffing concepts, types of attacks (MAC, DHCP, ARP, DNS), tools, and detection techniques based on ethical hacking lecture notes.
Sniffing
The process of monitoring and capturing all data packets passing through a given network using sniffing tools, acting as a form of wiretap applied to computer networks.
Promiscuous Mode
A state in which the Network Interface Card (NIC) passes every frame on its segment up to the host instead of only frames addressed to its own MAC, broadcast, or a subscribed multicast group; sniffers put the NIC into this mode.
Passive Sniffing
Sniffing on a hub-based (shared) network, where every frame is repeated to all ports, so the attacker only listens and sends no additional packets.
Active Sniffing
A technique used to sniff switch-based networks by injecting traffic into the segment, for example flooding the switch's Content Addressable Memory (CAM) table with frames bearing forged source MACs or poisoning ARP caches, so that frames meant for the target reach the attacker's port.
Hardware Protocol Analyzer
A piece of equipment, such as the Agilent Advisor J2300E, that captures signals without altering the traffic in a cable segment to monitor network usage.
MAC Address
A unique hardware identifier for a network interface consisting of 48 bits (6 bytes), usually written as six colon-separated hexadecimal octets.
CAM Table
A fixed-size table in a switch that maps learned MAC addresses to physical ports together with the associated VLAN; entries are learned dynamically from the source address of incoming frames and age out when idle.
MAC Flooding
The act of flooding a switch with frames carrying fake source MAC addresses until its CAM table is full; the switch can then no longer learn new addresses and floods frames for unknown destinations out of every port, behaving like a hub.
Switch Port Stealing
A sniffing technique in which the attacker floods the switch with forged frames (typically gratuitous ARP) whose source MAC is the target's and whose destination is the attacker's own MAC, so the switch re-learns the target's MAC on the attacker's port; this creates a race condition with the real host, and the attacker keeps winning it long enough to receive packets intended for the target and forward them on.
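Added example, not code from the lecture notes: a toy switch model in Python that shows the two CAM table behaviours the MAC Flooding and Switch Port Stealing cards rely on, flooding of unknown destinations once the table is full, and moving a MAC to whichever port last sent it. The port numbers, table size and MAC addresses (RFC 7042 documentation values) are made up for the demo.

```python
"""Toy switch with a fixed-size CAM table, used to show why MAC flooding
makes a switch behave like a hub and how port stealing works.  This is an
added example, not code from the lecture notes; ports, table size and the
RFC 7042 documentation MAC addresses are made up for the demo."""
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"
VICTIM_MAC, GATEWAY_MAC, ATTACKER_MAC = ("00:00:5e:00:53:01",
                                         "00:00:5e:00:53:02",
                                         "00:00:5e:00:53:03")
VICTIM_PORT, GATEWAY_PORT, ATTACKER_PORT = 1, 2, 3


class Switch:
    """Learns source MACs per ingress port, forwards on destination MAC."""

    def __init__(self, ports, cam_size, max_age):
        self.ports = list(ports)
        self.cam_size = cam_size      # fixed number of CAM entries
        self.max_age = max_age        # idle ticks before an entry ages out
        self.cam = {}                 # mac -> (port, last_seen_tick)
        self.clock = 0                # one tick per frame, stands in for time

    def _age_out(self):
        stale = [m for m, (_, seen) in self.cam.items()
                 if self.clock - seen > self.max_age]
        for m in stale:
            del self.cam[m]

    def _learn(self, src_mac, port):
        # A known MAC is simply moved/refreshed (port stealing relies on this);
        # an unknown MAC is only learned while there is a free entry.
        if src_mac in self.cam or len(self.cam) < self.cam_size:
            self.cam[src_mac] = (port, self.clock)

    def forward(self, src_mac, dst_mac, in_port):
        """Returns the list of egress ports the frame is delivered to."""
        self.clock += 1
        self._age_out()
        self._learn(src_mac, in_port)
        hit = self.cam.get(dst_mac)
        if dst_mac == BROADCAST or hit is None:
            # Unknown unicast is flooded out of every other port: the
            # "acts like a hub" condition that MAC flooding aims for.
            return [p for p in self.ports if p != in_port]
        if hit[0] == in_port:
            return []                 # destination is on the ingress port: filtered
        return [hit[0]]


def random_mac():
    return ":".join("%02x" % random.randrange(256) for _ in range(6))


def mac_flood(switch, attacker_port, frames):
    """Attacker blasts frames with random source MACs from one port."""
    for _ in range(frames):
        switch.forward(random_mac(), BROADCAST, attacker_port)


def mac_flooding_scenario(cam_size=512):
    """Returns (egress before the flood, egress after) for victim -> gateway."""
    sw = Switch(ports=[1, 2, 3], cam_size=cam_size, max_age=cam_size)
    sw.forward(VICTIM_MAC, GATEWAY_MAC, VICTIM_PORT)   # gateway unknown: flooded
    sw.forward(GATEWAY_MAC, VICTIM_MAC, GATEWAY_PORT)  # switch learns the gateway
    before = sw.forward(VICTIM_MAC, GATEWAY_MAC, VICTIM_PORT)
    # Flood long enough for the legitimate entries to age out while the table
    # stays full of junk, so the gateway's MAC cannot be re-learned.
    mac_flood(sw, ATTACKER_PORT, 2 * cam_size)
    after = sw.forward(VICTIM_MAC, GATEWAY_MAC, VICTIM_PORT)
    return before, after


def port_stealing_scenario():
    """Egress for victim -> gateway: normal, after the steal, and after the
    real gateway transmits again (the race the attacker must keep winning)."""
    sw = Switch(ports=[1, 2, 3], cam_size=512, max_age=512)
    sw.forward(ATTACKER_MAC, BROADCAST, ATTACKER_PORT)   # attacker's MAC is known
    sw.forward(VICTIM_MAC, GATEWAY_MAC, VICTIM_PORT)
    sw.forward(GATEWAY_MAC, VICTIM_MAC, GATEWAY_PORT)
    normal = sw.forward(VICTIM_MAC, GATEWAY_MAC, VICTIM_PORT)
    # Forged frame: gateway's MAC as source, attacker's own MAC as destination,
    # so the switch moves the gateway entry and delivers the frame to nobody else.
    sw.forward(GATEWAY_MAC, ATTACKER_MAC, ATTACKER_PORT)
    stolen = sw.forward(VICTIM_MAC, GATEWAY_MAC, VICTIM_PORT)
    sw.forward(GATEWAY_MAC, VICTIM_MAC, GATEWAY_PORT)    # gateway speaks, entry flips back
    restored = sw.forward(VICTIM_MAC, GATEWAY_MAC, VICTIM_PORT)
    return normal, stolen, restored


if __name__ == "__main__":
    print("MAC flooding, victim->gateway before/after:", mac_flooding_scenario())
    print("Port stealing, normal/stolen/restored:", port_stealing_scenario())
```

The model shows why the attacker must keep flooding in both attacks: entries age out and are re-learned from the real host, so the effect lasts only as long as the attacker's frames keep arriving, which is also what makes the sudden burst of new MACs per port easy to spot (and what port security limits stop).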
DHCP Starvation Attack
A denial-of-service (DoS) attack where an attacker broadcasts forged DHCP DISCOVER requests from spoofed client MAC addresses to lease every available IP address in a scope, so legitimate clients cannot obtain one; tools include Dhcpstarv and Yersinia.
Rogue DHCP Server Attack
An attack where a rogue server answers DHCP requests with attacker-chosen configuration (IP address, default gateway, DNS server) so that clients route traffic through the attacker; often used in conjunction with a DHCP Starvation attack that has exhausted the legitimate server's pool.
DHCP Snooping
A security feature that allows a switch to accept DHCP server messages (OFFER, ACK) only on ports marked as trusted, dropping them on access ports, to defend against rogue servers.
Address Resolution Protocol (ARP)
A protocol used for resolving IP addresses to machine (MAC) addresses.
ARP Poisoning
Also known as ARP spoofing, this involves sending forged ARP replies (and requests) so that victims cache an attacker-chosen MAC address for another host's IP, typically the default gateway; traffic for that host is then delivered to the attacker, who can sniff or modify it before forwarding it on.
XArp
An ARP spoofing detection tool used to defend against ARP poisoning; it watches ARP traffic and alerts on inconsistent IP-to-MAC mappings.
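Added example, not code from the lecture notes or from XArp: the ARP Poisoning and XArp cards in working Python. It builds a forged ARP reply byte by byte (RFC 826 over Ethernet II), parses it back, and runs an XArp-style passive check that trusts the first MAC seen for an IP and alerts when a later packet claims a different one. The hosts and addresses are constructed from the RFC 5737 and RFC 7042 documentation ranges.

```python
"""Forged ARP reply built byte by byte (RFC 826 over Ethernet II), a parser
for it, and an XArp-style watcher that flags IP-to-MAC changes.  Added
example, not code from the lecture notes or from XArp; the addresses come
from the RFC 5737 / RFC 7042 documentation ranges."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet header (14 bytes) + ARP packet (28 bytes) = 42-byte frame.
    A request is broadcast; a reply is unicast to the target by default."""
    if dst_mac is None:
        dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet, IPv4, 6, 4, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)    # sender hardware/protocol addr
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)    # target hardware/protocol addr
    return eth + arp


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP-over-Ethernet frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpWatch:
    """Passive detector in the spirit of XArp/arpwatch: the first MAC seen for
    an IP (or a configured static entry) is trusted, and any later ARP packet
    that claims a different MAC for that IP raises an alert."""

    def __init__(self, static=None):
        self.table = dict(static or {})   # ip -> mac

    def inspect(self, frame):
        p = parse_arp(frame)
        alerts = []
        if p["sender_mac"] != p["eth_src"]:
            alerts.append("frame from %s carries ARP sender MAC %s"
                          % (p["eth_src"], p["sender_mac"]))
        known = self.table.get(p["sender_ip"])
        if known is None:
            self.table[p["sender_ip"]] = p["sender_mac"]
        elif known != p["sender_mac"]:
            alerts.append("%s changed from %s to %s: possible ARP poisoning"
                          % (p["sender_ip"], known, p["sender_mac"]))
        return alerts


GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:00:5e:00:53:01"
VICTIM_IP, VICTIM_MAC = "192.0.2.10", "00:00:5e:00:53:0a"
ATTACKER_MAC = "00:00:5e:00:53:66"

# Constructed traffic: one genuine reply from the gateway, then the attacker's
# forged reply telling the victim that the gateway's IP lives at the attacker's MAC.
GENUINE_REPLY = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
FORGED_REPLY = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)


def run_demo():
    """Alerts for the genuine reply, then for the forged one."""
    watch = ArpWatch()
    return watch.inspect(GENUINE_REPLY), watch.inspect(FORGED_REPLY)


if __name__ == "__main__":
    print(FORGED_REPLY.hex())
    print(parse_arp(FORGED_REPLY))
    print(run_demo())
```

Two points the code makes visible: the forged reply is a perfectly well-formed packet, so nothing in the frame itself is "wrong" and detection has to rely on history or a trusted mapping (the static table seeded into ArpWatch is the programmatic form of a static ARP entry); and trusting the first mapping seen means a detector started after the attack began learns the attacker's MAC as genuine, so static entries for the gateway matter.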
SMAC
A specialized tool used for MAC Spoofing/Duplicating attacks.
DNS Poisoning
A technique that tricks a DNS server into believing it has received authentic information, resulting in the substitution of false IP addresses at the DNS level.
DNS Cache Poisoning
The act of altering or adding forged DNS records into the DNS resolver cache so that queries are redirected to a malicious site.
Wireshark
A tool that captures live network traffic from various sources like Ethernet, Bluetooth, and USB, allowing users to interactively browse the traffic.
Ping Method
A sniffing detection technique that sends an ICMP echo request to the suspect's IP address inside a frame addressed to a wrong destination MAC; a NIC in normal mode discards the frame, while a NIC in promiscuous mode passes it up the stack and the host may reply.
ARP Method
A detection technique that sends a non-broadcast ARP request, which only a machine in promiscuous mode will see and cache, followed by a ping; the promiscuous machine answers the ping directly from its cache, while the other hosts must first send an ARP probe to resolve the sender.
DNS Method
A detection technique based on the fact that many sniffers perform reverse DNS lookups to label the IP addresses they capture; traffic to an unused IP address is generated and the network is watched for PTR queries about that address.
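Added example, not code from the lecture notes: the Ping Method card in working Python. It builds the probe frame, an ICMP echo request for the suspect's IP with correct IPv4 and ICMP checksums but a destination MAC that belongs to nobody on the segment, and models the receive-side decision that makes only a promiscuous host answer. The bogus MAC, the detector and suspect addresses, and the NIC filter model are assumptions for the demo.

```python
"""The ping method for spotting a promiscuous NIC: an ICMP echo request for
the suspect's IP is wrapped in a frame whose destination MAC is wrong.  This
added example (not from the lecture notes) builds that frame with real IPv4
and ICMP checksums and models the receive-side decision that makes a
promiscuous host answer.  The addresses are documentation values."""
import struct


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ping_probe(src_mac, src_ip, target_ip, bogus_dst_mac, ident=0x4242, seq=1):
    """Ethernet II + IPv4 + ICMP echo request, addressed at layer 3 to the
    suspect but at layer 2 to a MAC that nobody on the segment owns."""
    eth = mac_bytes(bogus_dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ip_bytes(src_ip), ip_bytes(target_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + icmp


def nic_accepts(frame, nic_mac, promiscuous):
    """Hardware filter: a normal NIC only passes frames for its own unicast
    MAC, broadcast, or a multicast group; a promiscuous NIC passes everything."""
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == mac_bytes(nic_mac) or dst == b"\xff" * 6 or bool(dst[0] & 1)


def host_would_reply(frame, host_mac, host_ip, promiscuous):
    """Whether the echo request reaches the host's ICMP code and is for it."""
    if not nic_accepts(frame, host_mac, promiscuous):
        return False                      # dropped by the NIC, stack never sees it
    if frame[12:14] != b"\x08\x00":
        return False
    ip_hdr = frame[14:34]
    if inet_checksum(ip_hdr) != 0:        # a valid header re-sums to zero
        return False
    proto, dst_ip = ip_hdr[9], ip_str(ip_hdr[16:20])
    return proto == 1 and dst_ip == host_ip and frame[34] == 8


DETECTOR_MAC, DETECTOR_IP = "00:00:5e:00:53:aa", "192.0.2.50"
SUSPECT_MAC, SUSPECT_IP = "00:00:5e:00:53:0a", "192.0.2.10"
# Constructed probe: layer 3 says "suspect", layer 2 says a MAC nobody owns.
PROBE = build_ping_probe(DETECTOR_MAC, DETECTOR_IP, SUSPECT_IP,
                         bogus_dst_mac="00:00:5e:00:53:ff")


def run_demo():
    """(reply from a normal NIC, reply from a promiscuous NIC) for the suspect."""
    return (host_would_reply(PROBE, SUSPECT_MAC, SUSPECT_IP, promiscuous=False),
            host_would_reply(PROBE, SUSPECT_MAC, SUSPECT_IP, promiscuous=True))


if __name__ == "__main__":
    print(PROBE.hex())
    print("reply from normal NIC / promiscuous NIC:", run_demo())
```

The caveat a practitioner wants: the method only works where the operating system answers packets its NIC was not addressed to. Linux, for one, discards IP packets that arrived in frames not addressed to the host (marked PACKET_OTHERHOST) before ICMP ever sees them, so a promiscuous Linux sniffer gives a false negative here; that is why the ARP and DNS methods and NSE's sniffer-detect exist alongside it.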
PromqryUI
A security tool from Microsoft used to detect network interfaces that are running in promiscuous mode.
nmap --script=sniffer-detect
The Nmap Scripting Engine (NSE) script that checks whether a target on the local Ethernet segment has its network card in promiscuous mode; run as nmap --script sniffer-detect <target>.
What is the primary function of sniffing in network security?
To monitor and capture data packets traversing a network to analyze traffic patterns and identify potential threats.
In what scenarios is hardware protocol analysis preferred over software-based tools?
In environments requiring high accuracy and low latency for monitoring signals without altering the transmission of data.
Explain the significance of a MAC address in network communications.
It serves as a unique identifier for network interfaces, allowing devices to be distinguishable within a network segment.
Discuss the implications of MAC flooding on a switch's performance and security.
It fills the CAM table so the switch can no longer learn addresses and floods unicast frames out of every port (fail-open), which degrades performance and lets an attacker on any port capture traffic that should have stayed between two hosts.
Describe the DHCP Starvation Attack process in detail.
An attacker floods a DHCP server with requests using spoofed MAC addresses to exhaust the available IP addresses, preventing legitimate access.
What measures can be implemented to mitigate the risks of ARP poisoning?
Deployment of ARP monitoring tools such as XArp, static ARP entries for critical hosts such as the default gateway, and Dynamic ARP Inspection on switches, which validates ARP packets against the DHCP snooping binding table and drops those that do not match.
How does DNS cache poisoning exploit vulnerabilities in a DNS system?
By inserting false DNS records into the cache, redirecting legitimate queries to malicious IP addresses, thus compromising user security.
Why is passive sniffing generally less intrusive than active sniffing?
Because it relies on unmodified traffic flow, without the introduction of extraneous packets that can alert network defenses.
Analyze the differences between DNS Poisoning and DNS Cache Poisoning.
DNS Poisoning involves tricking a DNS server into accepting false information, while DNS Cache Poisoning is specifically about altering stored DNS responses in the resolver's cache.
What ethical considerations must be taken into account when conducting network sniffing?
Maintaining user privacy, legal compliance, and ensuring that such activities are conducted with explicit permission from the network owner.