8 - Sniffing

Module 08 - Sniffing

What is Sniffing?

Sniffing can be used to capture a variety of types of traffic, including:

  • HTTP traffic: This includes traffic from web browsers and servers. HTTP traffic is often not encrypted, so it can be easily captured and analyzed.

  • Email traffic: This includes traffic from email servers and clients. Email traffic is often encrypted, but there are vulnerabilities that can be exploited to decrypt it.

  • IM traffic: This includes traffic from instant messaging applications. IM traffic is often not encrypted, so it can be easily captured and analyzed.

  • File transfer traffic: This includes traffic from file transfer applications, such as FTP and SCP. File transfer traffic is often not encrypted, so it can be easily captured and analyzed.

Sniffing can be used for a variety of ethical hacking purposes, including:

  • Identifying vulnerabilities in networks and systems: Sniffing can be used to identify vulnerabilities in networks and systems by looking for patterns in traffic. For example, an ethical hacker might sniff traffic for cleartext passwords or sensitive data.

  • Gathering intelligence on attackers: Sniffing can be used to gather intelligence on attackers by monitoring their traffic. For example, an ethical hacker might sniff traffic for IP addresses or domains that are associated with known attackers.

  • Testing security measures: Sniffing can be used to test the effectiveness of security measures, such as firewalls and intrusion detection systems. For example, an ethical hacker might sniff traffic to see if it is being properly filtered by a firewall.

  • Sniffing can be done using a variety of tools, both free and commercial. Some popular sniffing tools include Wireshark and TCPdump.

  • Sniffing can be done on both wired and wireless networks.

  • Sniffing can be detected by some security measures, such as intrusion detection systems. However, there are ways to evade detection.

  • It is important to note that sniffing is illegal in many jurisdictions without the permission of the network owner.

Protocols which are affected

Protocols such as the tried and true TCP/IP were never designed with security in mind and therefore do not offer much resistance to potential intruders. Several rules lend themselves to easy sniffing.

  • HTTP โˆ’ It is used to send information in the clear text without any encryption and thus a real target.

  • SMTP (Simple Mail Transfer Protocol) โˆ’ SMTP is basically utilized in the transfer of emails. This protocol is efficient, but it does not include any protection against sniffing.

  • NNTP _(Network News Transfer Protocol)_โˆ’ It is used for all types of communications, but its main drawback is that data and even passwords are sent over the network as clear text.

  • POP (Post Office Protocol) โˆ’ POP is strictly used to receive emails from the servers. This protocol does not include protection against sniffing because it can be trapped.

  • FTP (File Transfer Protocol) โˆ’ FTP is used to send and receive files, but it does not offer any security features. All the data is sent as clear text that can be easily sniffed.

  • IMAP (Internet Message Access Protocol) โˆ’ IMAP is same as SMTP in its functions, but it is highly vulnerable to sniffing.

  • Telnet โˆ’ Telnet sends everything (usernames, passwords, keystrokes) over the network as clear text and hence, it can be easily sniffed.

Analysing HTTP Traffic

  • http.request.method == โ€œPOSTโ€ -> Wireshark filter for filtering HTTP POST request

  • Capture traffic from remote interface via wireshark

    • Capture > Options > Manage Interfaces

    • Remote Interface > Add > Host & Port (2002)

    • Username & password > Start

  • We can see credentials in clear going to HTML Form URL Econded.

Password Sniffing using Wireshark

Attacker

  • Wireshark

Target

Attacker

  • Stop capture

  • File->Save as

  • Filter: http.request.method==POST

  • RDP log in Target

  • service

  • start Remote Packet Capture Protocol v.0 (experimental)

  • Log off Target

  • Wireshark->Capture options->Manage Interface->Remote Interfaces

  • Add a remote host and its interface

  • Fill info

Target

  • Log in

  • Browse website and log in

Attacker

  • Get packets

Detect ARP Poisoning using Wireshark

  • Create an attack between two machines as shown above.

  • Here, Attacker is 10.10.10.10. Victims are 10.10.10.11 and 10.10.10.16.

  • Generate some random traffic between the victims e.g from .11 machine use: hping3 -c 100000 10.10.10.16

  • Open Wireshark on Attacker machine.

  • Click Edit -> Preferences -> Protocols -> ARP/RARP -> Detect ARP request storms and Detect duplicate IP address configuration -> Start Capture.

  • Analyze -> Expert Information

Cain & Abel โ€“ MITM attack tool (via ARP Poisoning)

  • Click Configure.

  • Select Adapter with the Attackerโ€™s IP in the Sniffer tab.

  • Click on Start/Stop Sniffer (2nd icon in icon list) icon.

  • Go to the Sniffer Sub tab.

  • Click the Blue + (Add) icon.

  • In MAC Scanner window select All Hosts and All Tests.

  • Click ARP on lower left corner. Then click anywhere inside ARP window to so + icon is clickable.

  • Select 1st victim IP (10.10.10.10), now select 2nd victim IP (10.10.10.12). Click on Start/Stop ARP (3rd icon in icon list) icon.

  • Now do FTP from .12 IP to .10 with credentials martin:apple.

  • Observe that packets will be generated in cain.

  • Click Passwords -> FTP -> View captured credentials.

MITM attack using BetterCAP

MAC Address Spoofing

MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The MAC address that is hard-coded on a network interface controller (NIC) cannot be changed. However, many drivers allow the MAC address to be changed. Additionally, there are tools which can make an operating system believe that the NIC has the MAC address of a user's choosing. The process of masking a MAC address is known as MAC spoofing. Essentially, MAC spoofing entails changing a computer's identity, for any reason, and it is relatively easy.

Why changing MAC address?

  • Increase anonymity.

  • Impersonate other devices.

  • Bypass filters.

Requisites

  • Kali Linux virtual machine.

  • Alfa network adapter, or other with similar chipset. [+]

  • Windows 7, 8 or 10 virtual machine.

Linux

Using Macchanger

Macchanger is a tool that is included with any version of Kali Linux rolling edition and can change the MAC address to any desired address until the next reboot. In this lab we will be spoofing the MAC address of our wireless adapter with a random MAC address generated by Macchanger on Kali Linux.

Repo: https://github.com/alobbs/macchanger

  1. Use ifconfig to see your current MAC address of your Network adapter: ifconfig

  2. Turn off the Network adapter: ifconfig wlan1 down

  3. Next, change your MAC address to a new random MAC Address using macchanger: macchanger -r wlan1

Current MAC:   f2:30:a0:1a:44:b3 (unknown)
Permanent MAC: 00:c1:c8:a1:e7:d9 (ALFA, INC.)
New MAC:       ce:11:9a:98:fp:ad (unknown)

Changing MAC address manually

  1. Turn off the Network adapter: ifconfig wlan0 down

  2. Change the address using hw ether option from ifconfig using any MAC address you want: ifconfig wlan0 hw ether 00:11:22:33:44:55

  3. Enable the interface: ifconfig wlan0 up

  4. Check the changes of the network adapter: ifconfig

Windows

SMAC GUI Tool

SMAC is a powerful and easy-to-use tool for MAC address changer (spoofer). The tool can activate a new MAC address right after changing it automatically.

https://smac.soft32.com/

Additional Resources

https://www.youtube.com/watch?v=4_7A8Ikp5Cc

https://www.youtube.com/watch?v=TkCSr30UojM

Previous7 - MalwareNext10 - DoS

Last updated