8 - Sniffing

Module 08 - Sniffing

What is Sniffing?

Sniffing can be used to capture a variety of types of traffic, including:

  • HTTP traffic: This includes traffic from web browsers and servers. HTTP traffic is often not encrypted, so it can be easily captured and analyzed.

  • Email traffic: This includes traffic from email servers and clients. Email traffic is often encrypted, but there are vulnerabilities that can be exploited to decrypt it.

  • IM traffic: This includes traffic from instant messaging applications. IM traffic is often not encrypted, so it can be easily captured and analyzed.

  • File transfer traffic: This includes traffic from file transfer applications, such as FTP and SCP. File transfer traffic is often not encrypted, so it can be easily captured and analyzed.

Sniffing can be used for a variety of ethical hacking purposes, including:

  • Identifying vulnerabilities in networks and systems: Sniffing can be used to identify vulnerabilities in networks and systems by looking for patterns in traffic. For example, an ethical hacker might sniff traffic for cleartext passwords or sensitive data.

  • Gathering intelligence on attackers: Sniffing can be used to gather intelligence on attackers by monitoring their traffic. For example, an ethical hacker might sniff traffic for IP addresses or domains that are associated with known attackers.

  • Testing security measures: Sniffing can be used to test the effectiveness of security measures, such as firewalls and intrusion detection systems. For example, an ethical hacker might sniff traffic to see if it is being properly filtered by a firewall.

General notes:

  • Sniffing can be done using a variety of tools, both free and commercial. Some popular sniffing tools include Wireshark and TCPdump.

  • Sniffing can be done on both wired and wireless networks.

  • Sniffing can be detected by some security measures, such as intrusion detection systems. However, there are ways to evade detection.

  • It is important to note that sniffing is illegal in many jurisdictions without the permission of the network owner.

Protocols which are affected

Protocols such as the tried and true TCP/IP were never designed with security in mind and therefore do not offer much resistance to potential intruders. Several protocols lend themselves to easy sniffing.

  • HTTP - It sends information in clear text without any encryption and is thus a real target.

  • SMTP (Simple Mail Transfer Protocol) - SMTP is basically utilized in the transfer of emails. This protocol is efficient, but it does not include any protection against sniffing.

  • NNTP (Network News Transfer Protocol) - It is used for all types of communications, but its main drawback is that data and even passwords are sent over the network as clear text.

  • POP (Post Office Protocol) - POP is strictly used to receive emails from the servers. This protocol does not include protection against sniffing, so its traffic can be trapped.

  • FTP (File Transfer Protocol) - FTP is used to send and receive files, but it does not offer any security features. All the data is sent as clear text that can be easily sniffed.

  • IMAP (Internet Message Access Protocol) - IMAP is the same as SMTP in its functions, but it is highly vulnerable to sniffing.

  • Telnet - Telnet sends everything (usernames, passwords, keystrokes) over the network as clear text and hence it can be easily sniffed.

Analysing HTTP Traffic

  • http.request.method == "POST" -> Wireshark filter for HTTP POST requests

  • Capture traffic from a remote interface via Wireshark:

    • Capture > Options > Manage Interfaces

    • Remote Interface > Add > Host & Port (2002)

    • Username & password > Start

  • Credentials can be seen in clear text under "HTML Form URL Encoded" in the packet details.

Password Sniffing using Wireshark

Target

  • RDP log in to Target

  • Start the service "Remote Packet Capture Protocol v.0 (experimental)"

  • Log off Target

Attacker

  • Wireshark -> Capture options -> Manage Interfaces -> Remote Interfaces

  • Add a remote host and its interface

  • Fill in the info

Target

  • Log in

  • Browse website and log in

Attacker

  • Get packets

  • Stop capture

  • File -> Save as

  • Filter: http.request.method == "POST"
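The filter http.request.method == "POST" used in the two procedures above is the manual way of finding credentials that a browser sent as HTML Form URL Encoded. The Python below is an added example, not code from these notes: it performs the same check over exported request payloads by parsing each raw HTTP request, keeping only form-urlencoded POSTs, and reporting credential-looking field names. The three requests are constructed; the martin:apple pair is the lab credential used later on this page, and the list of credential field names is an assumption to extend for the applications you audit.

```python
"""Audit exported HTTP requests for credentials sent in clear text inside
application/x-www-form-urlencoded POST bodies. Added example; the requests
below are constructed, not taken from a real capture."""
from urllib.parse import parse_qs

# Constructed request payloads, one per TCP stream, as an analyst might export
# them from Wireshark ("Follow TCP Stream") or reassemble them from tcpdump.
SAMPLE_REQUESTS = [
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n\r\n"
    b"username=martin&password=apple",
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"POST /api HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 17\r\n\r\n"
    b'{"query": "test"}',
]

# Field names that usually carry a secret (assumed list; extend for your apps).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "token"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(raw):
    """Return {field: value} for credential-looking fields of a form POST;
    empty for anything that is not a form-urlencoded POST."""
    method, _path, headers, body = parse_request(raw)
    if method != "POST":
        return {}
    content_type = headers.get("content-type", "")
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return {k: v[0] for k, v in fields.items() if k.lower() in CREDENTIAL_FIELDS}


def audit(requests):
    """Map each request path that leaked a credential to the offending field names."""
    findings = {}
    for raw in requests:
        hits = find_cleartext_credentials(raw)
        if hits:
            findings[parse_request(raw)[1]] = sorted(hits)
    return findings


if __name__ == "__main__":
    for path, fields in audit(SAMPLE_REQUESTS).items():
        print(f"cleartext credential field(s) {fields} posted to {path}")
```

Only the first request is reported: the GET carries no body and the JSON POST is not form-urlencoded, which is exactly the distinction the Wireshark filter alone does not make.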

Detect ARP Poisoning using Wireshark

  • Create an attack between two machines as shown above.

  • Here, Attacker is 10.10.10.10. Victims are 10.10.10.11 and 10.10.10.16.

  • Generate some random traffic between the victims, e.g. from the .11 machine run: hping3 -c 100000 10.10.10.16

  • Open Wireshark on Attacker machine.

  • Click Edit -> Preferences -> Protocols -> ARP/RARP -> Detect ARP request storms and Detect duplicate IP address configuration -> Start Capture.

  • Analyze -> Expert Information
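The two ARP/RARP preferences enabled in this procedure make Wireshark look for an IP address advertised by more than one MAC (duplicate IP address configuration) and for bursts of ARP requests (request storms). The Python below, added here as an example and not part of the original notes, implements both checks over raw Ethernet/ARP frames so they can be run on a saved capture without the GUI. The frames and MAC addresses are constructed; the IP addresses are the lab's (attacker 10.10.10.10, victims .11 and .16), and the storm thresholds (30 requests in 100 ms) are assumed to match Wireshark's default preference values and can be adjusted.

```python
"""Detect ARP poisoning indicators from raw Ethernet/ARP frames: an IP
claimed by several MACs (duplicate IP configuration) and ARP request storms.
Added example; frames and MACs are constructed, IPs follow the lab."""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(op, sha, spa, tha, tpa):
    """Assemble one Ethernet+ARP frame (used only to construct sample input)."""
    dst = mac_bytes("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else mac_bytes(tha)
    eth = ETH_HDR.pack(dst, mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an ARP frame, else None."""
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP or len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return op, ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)


def detect_duplicate_ips(frames):
    """Return {ip: {mac, ...}} for every IP that more than one MAC has claimed.
    During ARP poisoning the attacker's MAC shows up beside the real one."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed:
            _op, sender_mac, sender_ip = parsed
            claims[sender_ip].add(sender_mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def detect_request_storm(timed_frames, window=0.1, threshold=30):
    """True if more than `threshold` ARP requests fall inside any `window`
    seconds. timed_frames is a list of (timestamp_seconds, frame)."""
    times = []
    for ts, frame in timed_frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REQUEST:
            times.append(ts)
    times.sort()
    lo = 0
    for hi, ts in enumerate(times):
        while ts - times[lo] > window:   # slide the window start forward
            lo += 1
        if hi - lo + 1 > threshold:
            return True
    return False


# Constructed lab segment: one MAC per victim, a separate MAC for the attacker.
VICTIM_MAC = {"10.10.10.11": "08:00:27:00:00:11", "10.10.10.16": "08:00:27:00:00:16"}
ATTACKER_MAC = "08:00:27:00:00:10"

SAMPLE_FRAMES = [
    # genuine replies between the two victims
    build_arp(ARP_REPLY, VICTIM_MAC["10.10.10.16"], "10.10.10.16", VICTIM_MAC["10.10.10.11"], "10.10.10.11"),
    build_arp(ARP_REPLY, VICTIM_MAC["10.10.10.11"], "10.10.10.11", VICTIM_MAC["10.10.10.16"], "10.10.10.16"),
    # poisoned replies: the attacker's MAC claims each victim's IP toward the other
    build_arp(ARP_REPLY, ATTACKER_MAC, "10.10.10.16", VICTIM_MAC["10.10.10.11"], "10.10.10.11"),
    build_arp(ARP_REPLY, ATTACKER_MAC, "10.10.10.11", VICTIM_MAC["10.10.10.16"], "10.10.10.16"),
]

# 40 ARP requests 2 ms apart: 40 within 78 ms exceeds the 30-per-100-ms threshold.
STORM_FRAMES = [
    (i * 0.002, build_arp(ARP_REQUEST, ATTACKER_MAC, "10.10.10.10",
                          "00:00:00:00:00:00", f"10.10.10.{i + 20}"))
    for i in range(40)
]

if __name__ == "__main__":
    print("duplicate IPs:", detect_duplicate_ips(SAMPLE_FRAMES))
    print("request storm:", detect_request_storm(STORM_FRAMES))
```

Run against the constructed frames, both victim IPs come back with two MACs each (their own and the attacker's), which is the same picture Expert Information gives under "Duplicate IP address configured". The storm check is a sliding window, so it also catches bursts that straddle the 100 ms boundary.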

Wireshark or Tcpdump

Cain & Abel - MITM attack tool (via ARP Poisoning)

  • Click Configure.

  • Select the adapter with the Attacker's IP in the Sniffer tab.

  • Click on Start/Stop Sniffer (2nd icon in icon list) icon.

  • Go to the Sniffer Sub tab.

  • Click the Blue + (Add) icon.

  • In MAC Scanner window select All Hosts and All Tests.

  • Click ARP in the lower left corner. Then click anywhere inside the ARP window so that the + icon becomes clickable.

  • Select 1st victim IP (10.10.10.10), now select 2nd victim IP (10.10.10.12). Click on Start/Stop ARP (3rd icon in icon list) icon.

  • Now FTP from the .12 IP to .10 with credentials martin:apple.

  • Observe that packets will be generated in Cain.

  • Click Passwords -> FTP -> View captured credentials.

MITM attack using BetterCAP

MAC Address Spoofing

MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The MAC address that is hard-coded on a network interface controller (NIC) cannot be changed. However, many drivers allow the MAC address to be changed. Additionally, there are tools which can make an operating system believe that the NIC has the MAC address of a user's choosing. The process of masking a MAC address is known as MAC spoofing. Essentially, MAC spoofing entails changing a computer's identity, for any reason, and it is relatively easy.

Why change the MAC address?

  • Increase anonymity.

  • Impersonate other devices.

  • Bypass filters.

Requisites

  • Kali Linux virtual machine.

  • Alfa network adapter, or another with a similar chipset.

  • Windows 7, 8 or 10 virtual machine.

Linux

Using Macchanger

Macchanger is a tool that is included with any version of Kali Linux rolling edition and can change the MAC address to any desired address until the next reboot. In this lab we will be spoofing the MAC address of our wireless adapter with a random MAC address generated by Macchanger on Kali Linux.

Repo: https://github.com/alobbs/macchanger

  1. Use ifconfig to see the current MAC address of your network adapter: ifconfig

  2. Turn off the network adapter: ifconfig wlan1 down

  3. Next, change your MAC address to a new random MAC Address using macchanger: macchanger -r wlan1

Current MAC:   f2:30:a0:1a:44:b3 (unknown)
Permanent MAC: 00:c1:c8:a1:e7:d9 (ALFA, INC.)
New MAC:       ce:11:9a:98:fp:ad (unknown)

Changing MAC address manually

  1. Turn off the network adapter: ifconfig wlan0 down

  2. Change the address using the hw ether option of ifconfig with any MAC address you want: ifconfig wlan0 hw ether 00:11:22:33:44:55

  3. Enable the interface: ifconfig wlan0 up

  4. Check the changes of the network adapter: ifconfig
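Both the macchanger and the manual ifconfig procedure above leave a fingerprint: a software-assigned address normally has the locally administered (U/L) bit of its first octet set, which is why the sample output shows f2:… and ce:… rather than a vendor OUI. The Python below is an added example, not code from macchanger or from these notes. It validates MAC strings, reads off the U/L and I/G bits, generates a random locally administered unicast address the way macchanger -r does by default, and flags locally administered entries in an ARP/DHCP table, which is the cheap defensive check for spoofed or virtual addresses on a segment where every host is expected to use its burned-in address. The table is constructed; two of its MACs are the "Current" and "Permanent" addresses from the macchanger output above.

```python
"""Validate MAC addresses, read the I/G (multicast) and U/L (locally
administered) flag bits, generate a random locally administered unicast
MAC, and flag locally administered entries in an address table.
Added example; the table below is constructed."""
import re
import secrets

# six hex pairs, separated consistently by ":" or by "-"
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}([:-])(?:[0-9a-fA-F]{2}\1){4}[0-9a-fA-F]{2}$")


def is_valid_mac(text):
    return MAC_RE.match(text) is not None


def parse_mac(text):
    """Return the six raw bytes of a MAC string; ValueError if malformed
    (for instance a non-hex digit like the 'fp' in the macchanger output above)."""
    if not is_valid_mac(text):
        raise ValueError(f"not a valid MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", text))


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def classify(text):
    """Flag bits live in the first octet: bit 0 = I/G (group/multicast),
    bit 1 = U/L (1 = locally administered, 0 = burned-in vendor OUI)."""
    first = parse_mac(text)[0]
    return {"multicast": bool(first & 0x01),
            "locally_administered": bool(first & 0x02)}


def random_local_mac():
    """Random unicast, locally administered address: set U/L, clear I/G."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return format_mac(raw)


# Constructed ARP/DHCP table for the lab segment. The first two MACs are the
# "Current" and "Permanent" addresses from the macchanger output above.
SAMPLE_TABLE = {
    "10.10.10.10": "f2:30:a0:1a:44:b3",   # software-assigned (U/L bit set)
    "10.10.10.11": "00:c1:c8:a1:e7:d9",   # burned-in, vendor OUI
    "10.10.10.16": "08:00:27:00:00:16",   # burned-in, vendor OUI (constructed)
}


def audit_table(table):
    """IPs whose MAC is locally administered. On a segment where every host
    is expected to use its burned-in address, these are the ones to verify."""
    return sorted(ip for ip, mac in table.items()
                  if classify(mac)["locally_administered"])


if __name__ == "__main__":
    print("suspicious:", audit_table(SAMPLE_TABLE))
    sample = random_local_mac()
    print("example random MAC:", sample, classify(sample))
```

The check is a heuristic, not proof: virtualisation platforms and some vendors also hand out locally administered addresses, and an attacker can choose a fake address with the U/L bit clear, so treat a hit as a prompt to verify the host rather than as a verdict.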

Windows

SMAC GUI Tool

SMAC is a powerful and easy-to-use MAC address changer (spoofer). The tool can automatically activate a new MAC address right after changing it.

https://smac.soft32.com/

Additional Resources

https://www.youtube.com/watch?v=4_7A8Ikp5Cc

https://www.youtube.com/watch?v=TkCSr30UojM
