Ch-4 (1)

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker: Sniffing Module

Outline of Sniffing Module Flow

• 1. Sniffing Concepts

• 2. Sniffing Tools

• 3. Sniffing Techniques

• 4. Countermeasures

• 5. Sniffing Detection Techniques

Sniffing Concepts

• Definition of Network Sniffing: Network sniffing refers to the monitoring and capturing of data packets traversing through a network.

• How a Sniffer Works: Sniffers can be hardware or software tools that allow intercepting data traffic on a network.

• Active Sniffing vs. Passive Sniffing:

  • Active Sniffing: Involves injecting packets into the network for the purpose of interception.

  • Passive Sniffing: Monitors packets without injecting any additional traffic, often capturing data as it flows.

• Protocols Vulnerable to Sniffing:

  • Common Protocols: Telnet, Rlogin, SMTP, HTTP, IMAP, POP, FTP. These transmit data in cleartext, making them vulnerable to sniffing.

• Layer of OSI Model: Sniffers typically operate at the Data Link Layer of the OSI model, allowing them to capture Ethernet frames and other protocols.

Sniffing Tools

• Wireshark:

  • A network protocol analyzer that captures and interactively analyzes network traffic.

• SteelCentral:

  • Provides graphical analysis for high-speed packet monitoring.

• OmniPeek:

  • Offers real-time traffic monitoring and analysis across network segments.

• Packet Capture Apps:

  • Tools like FaceNiff and Packet Capture that run on mobile devices for sniffing network traffic.

Sniffing Techniques

• Packet Sniffing:

  • Monitors and captures all data packets passing through a network segment, exploited by attackers to gather sensitive information.

• ARP Spoofing:

  • An attacker sends forged ARP messages, connecting an attacker's MAC address to the IP address of a target, redirecting traffic.

• MAC Flooding:

  • Overflows the switch's MAC table with bogus entries, forcing the switch to broadcast traffic, making it possible to sniff data.

• DNS Poisoning:

  • The attacker manipulates DNS entries so that users are redirected to malicious sites instead of legitimate ones.

Countermeasures

• Encryption:

  • Use protocols like HTTPS, SSH, and SSL/TLS to secure data transmitted over the network.

• Network Segmentation:

  • Dividing a network into segments can limit the exposure of sensitive data to sniffing.

• Using Switches:

  • Switching technology helps in reducing the risk of packet sniffing by ensuring that data cannot be seen by all network devices.

• Monitoring and Logging:

  • Implementing robust monitoring and logging systems can help identify unauthorized sniffing attempts.

Sniffing Detection Techniques

• Check NICs for Promiscuous Mode:

  • Monitor network interface card (NIC) settings to ensure devices are not set to promiscuous mode unless specifically required.

• Intrusion Detection Systems (IDS):

  • Utilize systems that can detect unusual activity patterns associated with sniffing tools.

• Reverse DNS Lookups:

  • Can reveal if non-standalone devices are responding unusually, potentially indicating a sniffer.

• Traffic Analysis:

  • Observing network traffic anomalies that deviates from normal patterns can indicate the presence of sniffing activities.

Conclusion

Understanding sniffing techniques, tools, and countermeasures is crucial for maintaining network security. Continuous monitoring and proactive strategies can significantly mitigate the risks associated with sniffing attacks.