Ethical Hacking – Sniffing


Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools. It is a form of “tapping phone wires” to listen in on the conversation, and is also called wiretapping applied to computer networks.

It is quite possible that, if a set of enterprise switch ports is left open, one of the employees can sniff the whole traffic of the network. Anyone in the same physical location can plug into the network using an Ethernet cable, or connect wirelessly to that network, and sniff the total traffic.

In other words, sniffing allows us to see all sorts of traffic, both protected and unprotected. In the right conditions and with the right protocols in place, an attacking party may be able to gather information that can be used for further attacks or to cause other issues for the network or system owner.

What can be sniffed?

One can sniff the following sensitive information from a network –

  • Email traffic

  • FTP passwords

  • Web attacks

  • Telnet passwords

  • Router configuration

  • Chat sessions

  • DNS traffic

How does it work?

A sniffer normally turns the NIC of the system to the promiscuous mode so that it listens to all the data transmitted on its segment.

Promiscuous mode refers to a feature of Ethernet hardware, in particular network interface cards (NICs), that allows a NIC to receive all traffic on the network, even if it is not addressed to this NIC. By default, a NIC ignores all traffic that is not addressed to it, which is done by comparing the destination address of the Ethernet packet with the hardware address (a.k.a. MAC) of the device. While this makes perfect sense for networking, non-promiscuous mode makes it difficult to use network monitoring and analysis software for diagnosing connectivity issues or traffic accounting. A sniffer can continuously monitor all the traffic to a computer through the NIC by decoding the information encapsulated in the data packets.
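A host-side check for the promiscuous mode described above, as an added example that is not part of the original article: on Linux the kernel exposes each interface's flags in /sys/class/net/<iface>/flags, and the IFF_PROMISC bit (0x100) marks promiscuous mode. The function names and the sysfs_root parameter are assumptions made here so the check can also be run against a constructed directory.

```python
import os

# Flag bits as defined in the Linux header <linux/if.h>
IFF_UP = 0x1
IFF_PROMISC = 0x100


def read_flags(iface, sysfs_root="/sys/class/net"):
    """Return the integer interface flags the kernel exposes in sysfs."""
    with open(os.path.join(sysfs_root, iface, "flags")) as fh:
        # The file holds a hex string such as "0x1103"
        return int(fh.read().strip(), 16)


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """List (interface, is_up) pairs for interfaces with IFF_PROMISC set."""
    findings = []
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            flags = read_flags(iface, sysfs_root)
        except (OSError, ValueError):
            # Entry is not an interface directory or cannot be read
            continue
        if flags & IFF_PROMISC:
            findings.append((iface, bool(flags & IFF_UP)))
    return findings


if __name__ == "__main__":
    if not os.path.isdir("/sys/class/net"):
        raise SystemExit("no /sys/class/net: this check is Linux-only")
    hits = promiscuous_interfaces()
    for iface, up in hits:
        state = "up" if up else "down"
        print(f"{iface}: promiscuous mode enabled (link {state})")
    if not hits:
        print("no interface is in promiscuous mode")
```

Bridge members and virtualization hosts are legitimately promiscuous, so a hit is a prompt to identify which process or configuration enabled it, not proof of a sniffer.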

Protocols which are affected

Protocols such as the tried and true TCP/IP were never designed with security in mind and therefore do not offer much resistance to potential intruders. Several protocols that lend themselves to easy sniffing are given below:

  1. HTTP – It sends information in clear text without any encryption, which makes it a real target.

  2. SMTP – It is basically used for the transfer of emails. This protocol is efficient, but it does not include any protection against sniffing.

  3. NNTP – It is used for all types of communications, but its main drawback is that data and even passwords are sent over the network as clear text.

  4. POP – It is strictly used to receive emails from the servers. This protocol does not include protection against sniffing, so its traffic can be captured.

  5. FTP – It is used to send and receive files, but it does not offer any security features. All the data is sent as clear text that can be easily sniffed.

  6. IMAP – IMAP is the same as SMTP in its functions, but it is highly vulnerable to sniffing.

  7. Telnet – It sends everything (usernames, passwords, keystrokes) over the network as clear text and hence, it can be easily sniffed.

Some of the sniffing tools are given below:

  • BetterCAP

  • Ettercap

  • Wireshark

  • Tcpdump

  • WinDump

  • OmniPeek

  • Dsniff

  • EtherApe

  • MSN Sniffer

  • NetWitness NextGen
