Dr. Ashok Kumar Nanda
Associate Professor, CSE Department
B V Raju Institute of Technology, Vishnupur, Narsapur, Medak (Dist.), Telangana State – 502313
B. Tech. (CSE) Syllabus III – B. Tech. – II Sem. (R – 22)
• Unit-IV: Malware Threats & Sniffing
  – Malware Concepts, APT Concepts, Trojan Concepts, Virus and Worm Concepts, Fileless Malware Concepts, Malware Analysis, Countermeasures, Anti-Malware Software
  – Sniffing Concepts, Sniffing Techniques: MAC Attacks, DHCP Attacks, ARP Poisoning, Spoofing Attacks, and DNS Poisoning, Sniffing Tools, Countermeasures, Types of Sniffing Detection Techniques

UNIT – IV – Malware Threats & Sniffing

Malware Concepts
• Malware (short for malicious software) refers to any software that is intentionally designed to cause damage to a computer, server, client, or computer network.
• Attackers use malware to steal, encrypt, or delete sensitive data, hijack core functions, spy on computer activities, or gain unauthorized access to systems.
• Malware Propagation Techniques: Malware spreads from one system to another using various propagation techniques. Here are some key techniques:
  1. Email Attachments: Malware can be embedded in email attachments and spread when users download or open the attachment.
     – Example: An email attachment containing a Word document with a malicious macro.
  2. Drive-by Downloads: Malware gets automatically downloaded to the victim's machine when visiting a compromised or malicious website.
     – Example: A compromised website that silently downloads malware when the victim visits the page.
  3. Removable Media: Malware spreads via USB drives or other removable media devices. Once inserted, the malware can automatically execute.
     – Example: Autorun malware that executes when a USB drive is plugged into a system.
  4. Exploiting Software Vulnerabilities: Attackers exploit vulnerabilities in software or systems to install malware without user interaction.
     – Example: WannaCry ransomware exploited a vulnerability in the Windows SMB protocol to spread rapidly.
  5. Network Propagation: Some malware spreads through a network using network shares or other protocols.
     – Example: The Conficker worm exploited weak passwords to spread over network shares.
  6. Social Engineering: Attackers deceive users into executing malware by making it look legitimate.
     – Example: A fake software update that actually installs malware.

APT Concepts
• An Advanced Persistent Threat (APT) is a targeted cyber attack where an unauthorized person gains access to a network and remains undetected for an extended period.
• APTs are often used for state-sponsored espionage or to steal data from high-profile targets like corporations or governments.
• Characteristics of APT:
  – Advanced: The attackers use sophisticated techniques to exploit vulnerabilities.
  – Persistent: The attack maintains long-term access to the target system.
  – Threat: The attacker has specific goals like data theft or espionage.
• APT Attack Phases:
  – Reconnaissance: Gathering information about the target.
  – Initial Compromise: Exploiting vulnerabilities to gain initial access.
  – Establish Foothold: Installing backdoors and malware to maintain access.
  – Escalate Privileges: Gaining higher-level privileges in the system.
  – Internal Reconnaissance: Mapping the internal network to identify valuable data.
  – Exfiltration: Stealing and transferring sensitive data.
  – Maintaining Presence: Using additional tools to maintain access.
• Example: The Stuxnet worm was an APT that targeted Iran's nuclear centrifuges using advanced techniques.

Trojan Concepts
• Trojans: Trojans, or Trojan horses, are types of malware disguised as legitimate software. Unlike viruses and worms, Trojans do not self-replicate but require user interaction to execute.
• Types of Trojans:
  1. Backdoor Trojans: Allow remote control of the infected machine.
     – Example: DarkComet – a RAT (Remote Access Trojan) used to control compromised systems.
  2. Banking Trojans: Target online banking information to steal financial data.
     – Example: Zeus – a Trojan that intercepts banking credentials.
  3. Remote Access Trojans (RATs): Provide remote control of the victim's computer, allowing attackers to perform any operation.
     – Example: njRAT – a popular RAT used by attackers to spy on victims.
  4. Infostealers: Collect sensitive information like passwords, screenshots, or keystrokes.
     – Example: Emotet – initially an infostealer that later evolved into a botnet.
• How Trojans Infect Systems:
  – Social Engineering: Trick users into downloading fake software or clicking on malicious links.
  – Malicious Attachments: Spread via email attachments or instant messaging.
  – Fake Software: Trojan embedded in pirated or fake software downloads.
  – Drive-by Downloads: Hidden within compromised websites.

Virus and Worm Concepts
• Viruses and worms are types of malware that replicate to spread. While viruses need a host file to spread, worms are self-replicating and do not need a host.
• Viruses:
  – Attach themselves to legitimate files or programs.
  – Activate when the infected file or program is executed.
• Types:
  1. File Infector Virus: Attaches to executable files (e.g., .exe).
     – Example: CIH Virus – a destructive file infector virus.
  2. Macro Virus: Infects documents containing macros (e.g., Word, Excel).
     – Example: Melissa Virus – a macro virus that spread via email.
  3. Boot Sector Virus: Infects the master boot record (MBR) of a hard drive.
     – Example: Michelangelo Virus – activated on a specific date.
• Worms:
  – Self-replicating malware that spreads across networks.
  – Often cause network congestion and system slowdowns.
• Types:
  1. Internet Worm: Spreads through network vulnerabilities.
     – Example: Morris Worm – the first Internet worm.
  2. Email Worm: Spreads through email attachments.
     – Example: ILOVEYOU – an email worm that spread rapidly through email.
  3. File-sharing Worm: Spreads through peer-to-peer (P2P) networks.
     – Example: Sasser Worm – exploited a Windows vulnerability.
• How They Infect Files:
  – File Infector Viruses: Modify executable files by injecting malicious code.
  – Worms: Use vulnerabilities or weak passwords to spread automatically across networks.

Fileless Malware Concepts
• Fileless malware does not use files or the filesystem for its malicious activities. Instead, it operates directly from memory, making it difficult to detect with traditional antivirus solutions.
• Characteristics of Fileless Malware:
  – Leaves minimal traces on the filesystem.
  – Executes directly from memory using tools like PowerShell.
  – Relies on legitimate system processes (e.g., powershell.exe).
• Example: A PowerShell script that downloads malicious payloads directly into memory and executes them.

Malware Analysis
• Malware analysis is the process of studying malware to understand its functionality, behavior, and impact. It helps in identifying indicators of compromise (IOCs) and developing countermeasures.
• Types of Malware Analysis:
  – Static Analysis: Analyzing malware without executing it.
    o Techniques: Checking file signatures, decompiling code, and extracting strings.
    o Tools: IDA Pro, Ghidra, PE Explorer.
  – Dynamic Analysis: Executing the malware in a controlled environment to observe its behavior.
    o Techniques: Using a sandbox, analyzing network traffic, observing file modifications.
    o Tools: Cuckoo Sandbox, REMnux, Wireshark.
  – Behavioral Analysis: Monitoring the malware's behavior to identify patterns and triggers.
    o Tools: Process Monitor, RegShot, Autoruns.
• Malware Analysis Steps:
  1. Collection: Obtain the malware sample from infected systems or threat feeds.
  2. Environment Setup: Create an isolated lab environment (e.g., VM, sandbox).
  3. Static Analysis: Perform a preliminary examination without executing the malware.
  4. Dynamic Analysis: Execute the malware to observe its behavior.
  5. Documentation: Record findings, indicators of compromise (IOCs), and generate a report.
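The static-analysis techniques listed above (checking the file signature, extracting strings, pulling out IOCs for the report) as a small triage script. This is an added example, not code from the slides; the SAMPLE bytes are a constructed MZ/PE-shaped blob with a few embedded strings, not a real executable, and the URL and IP in it are made up.

```python
import hashlib
import re
import struct

# Constructed sample: an MZ header whose e_lfanew field (offset 0x3C) points at a
# "PE\0\0" signature at 0x80, followed by a few strings a triage analyst would care
# about. It is NOT a real executable and runs nothing; it only exercises the parser.
SAMPLE = bytearray(b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80))
SAMPLE += b"\x00" * (0x80 - len(SAMPLE))
SAMPLE += b"PE\x00\x00" + b"\x00" * 20
SAMPLE += b"kernel32.dll\x00CreateRemoteThread\x00"
SAMPLE += b"http://c2.example.invalid/stage2.bin\x00"   # constructed, not a real host
SAMPLE += b"10.0.0.5\x00"
SAMPLE += b"ab\x00"  # too short to count as a string
SAMPLE = bytes(SAMPLE)

URL_RE = re.compile(r"https?://[^\s\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Win32 APIs whose presence in a strings listing usually warrants a closer look.
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAllocEx",
                   "WriteProcessMemory", "URLDownloadToFileA"}


def file_hash(data: bytes) -> str:
    """SHA-256 of the sample, used as its identifier in the report and IOC list."""
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """File-signature check: DOS 'MZ' magic plus 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(data: bytes) -> dict:
    """Collect the static indicators the documentation step records."""
    strings = extract_strings(data)
    return {
        "sha256": file_hash(data),
        "is_pe": is_pe(data),
        "urls": [u for s in strings for u in URL_RE.findall(s)],
        "ips": [ip for s in strings for ip in IPV4_RE.findall(s)],
        "apis": sorted(s for s in strings if s in SUSPICIOUS_APIS),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:>7}: {value}")
```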

Countermeasures
• Countermeasures against malware threats involve strategies, practices, and tools to prevent, detect, and respond to malicious software. A multi-layered security approach is essential to reduce the risk of infection and minimize the impact of any malware attack.
• Here are key countermeasures for protecting against malware:
  1. Anti-Malware Software: Anti-malware software (or antivirus) is a primary defense against malware. It detects, blocks, and removes malicious software using signatures, heuristics, and behavior analysis.
     • Examples:
       – Bitdefender: Offers real-time protection, scans for malicious behavior, and uses machine learning to detect threats.
       – Malwarebytes: Specializes in detecting and removing advanced threats, including fileless malware.
       – Kaspersky Antivirus: Provides comprehensive protection, network monitoring, and anti-ransomware tools.
     • Case Study: WannaCry Ransomware Incident: Organizations that had up-to-date anti-malware software like Symantec Endpoint Protection were able to detect and block the WannaCry ransomware attack using signature-based and heuristic detection.
  2. Network Segmentation: Segmenting a network divides it into different parts with specific security controls, limiting the movement of malware within the network.
     • Example: A company creates separate networks for critical servers and user workstations, ensuring that a malware infection on a workstation cannot easily reach sensitive data on the server.
  3. Regular Software Updates and Patch Management: Malware often exploits vulnerabilities in outdated software. Keeping operating systems, applications, and firmware updated helps close potential entry points for malware.
     • Example: Organizations that applied the patch for the EternalBlue vulnerability in Windows (MS17-010) before the WannaCry outbreak were immune to the attack.
  4. Email Filtering and Web Filtering: Many malware infections start with phishing emails or malicious websites. Email filtering can block emails with suspicious attachments or links, while web filtering prevents users from accessing known malicious sites.
     • Example: Google implemented aggressive email filtering with machine learning, which resulted in a significant reduction in phishing emails reaching users' inboxes.
  5. User Awareness and Training: Educating users about common malware tactics like phishing, social engineering, and fake software downloads is critical. Training helps them identify potential threats and take preventive actions.
     • Example: Regular cybersecurity training programs helped reduce the number of phishing-related incidents in organizations by 30%.
  6. Implementing Least Privilege: The principle of least privilege ensures that users have the minimum level of access necessary to perform their duties, reducing the potential damage from malware attacks.
     • Example: A company configures administrative accounts with elevated privileges, while regular users have standard access, minimizing the risk of privilege escalation.
  7. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): IDS and IPS monitor network traffic for signs of malware infections. An IDS detects suspicious behavior, while an IPS blocks it.
     • Example: Snort (an open-source IDS/IPS) can detect and block known exploits by monitoring network traffic patterns.
  8. Firewalls and Network Security Controls: Firewalls can be configured to block malicious traffic and unauthorized connections, while network access control (NAC) ensures only trusted devices can connect to the network.
     • Example: Cisco ASA Firewall provides deep packet inspection, detects suspicious traffic, and blocks malicious IP addresses.
  9. Application Whitelisting: Application whitelisting allows only approved applications to run, blocking all unauthorized software and reducing the chance of malware execution.
     • Example: Using tools like Microsoft AppLocker to define and enforce application whitelists on Windows systems, preventing unauthorized programs from running.
  10. Sandboxing and Behavior Analysis: Sandboxing involves executing suspicious files in a controlled environment to analyze their behavior. It helps detect malware that might be obfuscated or using advanced evasion techniques.
     • Example: Cuckoo Sandbox is an open-source sandboxing solution that detects malicious behaviors without risking the production environment.
  11. Endpoint Detection and Response (EDR): EDR solutions provide continuous monitoring, detection, and response capabilities for endpoint devices. They identify malicious behavior in real time and respond quickly to threats.
     • Example: CrowdStrike Falcon uses EDR to detect anomalies and investigate incidents, providing detailed insights into malware behavior.
  12. Data Backup and Disaster Recovery: Regular data backups ensure that critical data can be restored in case of a ransomware attack or data corruption. Offline backups are crucial to avoid being affected by network-based ransomware.
     • Example: Organizations that had regular backups during the NotPetya ransomware attack were able to restore their data without paying the ransom.

Anti-Malware Software
• Anti-malware software is specialized in detecting, blocking, and removing malware from devices and networks. The effectiveness of anti-malware software depends on its ability to detect new and emerging threats, using various technologies like machine learning, cloud-based analysis, and signature updates.
• Popular Anti-Malware Tools:
  1. Bitdefender Total Security: Real-time threat detection, anti-phishing, anti-ransomware, multi-layer protection.
     • Example: Prevented millions of attacks by leveraging its Global Protective Network (cloud intelligence) to detect malware in real time.
  2. Norton 360: Advanced virus protection, secure VPN, password manager, dark web monitoring.
     • Example: Norton 360's SONAR technology provides real-time threat detection using behavior-based analysis, stopping threats before they can cause damage.
  3. Malwarebytes Anti-Malware: Behavior-based threat detection, rootkit scanning, ransomware protection.
     • Example: Malwarebytes' behavior-based detection stopped zero-day threats and blocked sophisticated malware like fileless attacks.
  4. Kaspersky Internet Security: Web protection, email filtering, anti-phishing, cloud-based detection.
     • Example: Kaspersky's machine learning algorithms blocked thousands of new malware samples within hours of discovery.
  5. ESET NOD32 Antivirus: Multi-layered security, ransomware shield, exploit blocker.
     • Example: Detected and prevented advanced malware targeting industrial control systems (ICS) by using machine learning and heuristic analysis.
• Case Study: Target Data Breach (2013)
  • Incident: Target, a major US retailer, suffered a data breach where attackers stole payment card information of over 40 million customers.
  • Attack Method: The attackers used credential-stealing malware to infiltrate the network through a third-party HVAC vendor.
  • Countermeasures That Would Have Helped:
    o Network Segmentation: If network segmentation had been in place, the attackers wouldn't have been able to move laterally to point-of-sale (POS) systems.
    o Intrusion Detection System (IDS): Proper monitoring of the network could have identified the suspicious activity earlier.
    o Endpoint Security: Advanced endpoint security solutions could have detected the credential-stealing malware.

Sniffing Concepts
• Sniffing is the process of capturing, intercepting, and logging traffic that passes through a network.
• This is often used by attackers to capture sensitive information, such as usernames, passwords, and other private data, which is sent across a network.
• In ethical hacking, sniffing can be used to analyze network traffic for troubleshooting and ensuring secure network configurations.

Sniffing Techniques
  1. MAC Flooding: MAC flooding is a technique attackers use to overload the MAC address table of a network switch.
     • By sending a large volume of MAC addresses to the switch, attackers can cause it to switch to "fail-open" mode, behaving like a hub.
     • This makes it easier to capture traffic intended for other hosts on the network.
     • Example: An attacker uses a tool like macof to send fake MAC addresses to the switch, causing it to flood and operate like a hub. This allows the attacker to sniff all traffic on the network segment.
     • Case Study: A corporate network was underperforming due to a MAC flooding attack where the attacker flooded the network switch, capturing sensitive data such as login credentials.
     • Outcome: The company implemented MAC filtering and VLAN segmentation to isolate network traffic and limit the spread of such attacks.
  2. DHCP Starvation and Rogue DHCP Attack: DHCP attacks include DHCP starvation and rogue DHCP attacks.
     • In DHCP starvation, an attacker sends numerous DHCP requests to exhaust the DHCP server's IP address pool, preventing legitimate users from obtaining IP addresses.
     • A rogue DHCP server attack involves an attacker setting up a fake DHCP server to assign IP addresses and redirect traffic.
     • Example: An attacker uses yersinia to send a flood of DHCP requests, exhausting the IP address pool. Then, the attacker sets up a rogue DHCP server to control network configurations and monitor traffic.
     • Case Study: An attacker in a university network launched a DHCP starvation attack, followed by deploying a rogue DHCP server. They were able to reroute student traffic to malicious sites.
     • Outcome: The IT team implemented DHCP snooping on network switches to prevent unauthorized DHCP responses and protect against rogue DHCP servers.
  3. ARP Poisoning (ARP Spoofing): Address Resolution Protocol (ARP) poisoning is a technique in which the attacker sends fake ARP responses on a network, associating their MAC address with the IP address of a legitimate device.
     • This enables them to intercept or modify the traffic intended for the target.
     • Example: An attacker uses arpspoof to associate their MAC address with the gateway's IP, allowing them to intercept data sent by other devices to the gateway.
     • Case Study: In an organization, attackers conducted an ARP poisoning attack, redirecting all traffic through their device. They collected sensitive data, such as login credentials and financial information.
     • Outcome: The company implemented network segmentation and instructed employees to use HTTPS to ensure encrypted communication, reducing the risks associated with ARP poisoning.
  4. DNS Poisoning (DNS Spoofing): DNS poisoning involves altering DNS records to redirect users to malicious websites.
     • Attackers can either modify the DNS cache on a DNS server or poison the local DNS cache on a victim's machine.
     • Example: An attacker alters DNS cache entries so that requests to bank.com are redirected to a phishing site that resembles the legitimate site.
     • Case Study: An attacker launched a DNS poisoning attack on a financial institution's network, redirecting employees to a fake login page to capture credentials.
     • Outcome: The financial institution used DNSSEC to ensure that DNS responses were verified, protecting against DNS poisoning attacks.
  5. ICMP Redirect Attack: In an ICMP redirect attack, attackers send ICMP redirect messages to modify the routing table on a target host.
     • This allows the attacker to reroute network traffic through their device, enabling them to sniff and monitor the redirected traffic.
     • Example: By sending fake ICMP redirect messages, an attacker can convince the target to send traffic through the attacker's device rather than the intended router.
     • Case Study: In a corporate network, an attacker used ICMP redirects to reroute traffic from key workstations through their device, allowing them to capture sensitive information.
     • Outcome: The IT team disabled ICMP redirect messages in their network configuration to mitigate this attack.
  6. FTP Sniffing: FTP traffic is often unencrypted, allowing attackers to capture sensitive information transmitted over the FTP protocol, including usernames, passwords, and file contents.
     • Example: An attacker uses Wireshark to monitor FTP traffic and captures login credentials as they are transmitted in plaintext.
     • Case Study: An e-commerce company was using FTP to transfer order data. Attackers intercepted the FTP traffic and gained access to sensitive customer information.
     • Outcome: The company transitioned to SFTP (Secure FTP) for encrypted data transfer, eliminating plaintext vulnerabilities.
  7. Telnet Sniffing: Telnet is an insecure protocol that transmits data, including credentials, in plaintext.
     • Attackers can capture Telnet packets and extract sensitive information like usernames and passwords.
     • Example: An attacker captures Telnet traffic using tcpdump or Wireshark to obtain login credentials from a target.
     • Case Study: An organization was using Telnet for remote server management. Attackers intercepted Telnet sessions, obtaining credentials that allowed them unauthorized access to internal servers.
     • Outcome: The organization switched to SSH, which uses encryption to secure remote access.
  8. Email Sniffing: Email protocols like SMTP, POP3, and IMAP often transmit credentials and content in plaintext.
     • Attackers can capture this information if these protocols are not secured with TLS or SSL.
     • Example: An attacker uses Wireshark to capture POP3 email traffic and retrieves the credentials sent from a user to the mail server.
     • Case Study: An attacker on a coffee shop's public Wi-Fi captured email credentials from customers using insecure email protocols.
     • Outcome: The coffee shop encouraged users to enable SSL/TLS for email access and to avoid accessing sensitive information over public networks.
  9. HTTPS Sniffing (SSL Stripping): SSL stripping downgrades HTTPS traffic to HTTP, allowing an attacker to capture information that would otherwise be encrypted.
     • Attackers intercept the HTTPS request and modify it, making the communication insecure.
     • Example: Using a tool like sslstrip, an attacker downgrades HTTPS traffic to HTTP and captures sensitive information such as login credentials.
     • Case Study: An attacker on a public Wi-Fi network performed an SSL stripping attack to capture users' login credentials for various online services.
     • Outcome: The affected websites enforced HSTS (HTTP Strict Transport Security) to prevent such attacks by forcing browsers to connect only over HTTPS.
  10. SNMP Sniffing: Simple Network Management Protocol (SNMP) is used for managing devices on IP networks but often lacks encryption.
     • Attackers can capture SNMP traffic to gather information about network devices and configurations.
     • Example: By sniffing SNMP traffic, an attacker gains access to details about network configurations, enabling them to plan further attacks.
     • Case Study: An attacker sniffed SNMP traffic within an organization and gathered details about network devices, including IP addresses and system names.
     • Outcome: The organization upgraded to SNMPv3, which includes encryption and authentication to protect against sniffing attacks.
  11. SMB Relay Attack: SMB relay attacks target the Server Message Block (SMB) protocol, commonly used for network file sharing.
     • Attackers intercept legitimate SMB traffic and relay it to authenticate themselves with the victim's credentials.
     • Example: An attacker uses responder to capture SMB traffic and gain access to shared network resources.
     • Case Study: During a penetration test, an SMB relay attack was demonstrated in a healthcare network, where patient data could have been accessed. This test revealed the need for SMB signing and encryption in the organization's policy to prevent unauthorized access.

Sniffing Tools
  1. Wireshark: A popular network protocol analyzer used for capturing and inspecting network traffic.
     • Example Command: wireshark (GUI-based tool, no command required)
  2. Tcpdump: A command-line packet analyzer for capturing and inspecting TCP/IP packets.
     • Example Command: tcpdump -i eth0 (to capture packets on the eth0 interface)
  3. Ettercap: A network security tool that supports both active and passive dissection of network packets, especially for MITM attacks.
     • Example Command: ettercap -T -M arp /victim IP// /gateway IP// (ARP poisoning between victim and gateway)
  4. dsniff: A suite of tools for network auditing and penetration testing, specifically designed for sniffing.
     • Example Command: dsniff -i eth0 (to capture data on the eth0 interface)
  5. Cain & Abel: A Windows-based tool used for password recovery, which also includes ARP poisoning capabilities.
     • Example: Cain & Abel's GUI interface can be used to perform ARP spoofing attacks.
  6. Nmap: Primarily a network discovery and vulnerability scanning tool, but also has some basic sniffing capabilities.
     • Example Command: nmap -sP [network address] (to perform a network sweep to find active devices)

Sniffing Countermeasures
• Use Encrypted Protocols: Use encrypted protocols like HTTPS, SSH, and TLS, as they secure communication channels and make intercepted data unreadable.
  – Example: Ensuring web traffic is encrypted with HTTPS mitigates the risk of sensitive information being exposed during transmission.
• Implement VLAN Segmentation: Virtual LANs (VLANs) isolate network segments, limiting sniffing attacks to individual segments.
  – Example: A company segments its user and server networks, preventing sniffers from accessing critical data.
• Enable Port Security on Switches: Port security limits the number of MAC addresses allowed on a port, blocking attempts to flood the network.
  – Example: Configuring switch ports to only allow pre-approved MAC addresses can stop MAC flooding attacks.
• Use DHCP Snooping: DHCP snooping validates DHCP messages to ensure they originate from trusted sources, preventing rogue DHCP servers.
  – Example: An administrator enables DHCP snooping on switches to avoid unauthorized IP assignments by a rogue DHCP server.
• Monitor ARP Tables Regularly: Checking ARP tables periodically can detect ARP poisoning by verifying whether IP-MAC mappings are correct.
  – Example: Using arp -a in Windows or Linux to display the current ARP table and identify any anomalies.
• Employ Intrusion Detection Systems (IDS): IDS like Snort or Suricata can detect and alert on suspicious activity related to sniffing attacks.
  – Example: Snort can be configured to detect ARP spoofing, sending an alert when suspicious ARP replies are detected.

Types of Sniffing Detection Techniques
• Promiscuous Mode Detection: Devices in promiscuous mode can intercept traffic not intended for them. Detecting this mode can indicate unauthorized sniffing.
  – Example: Network administrators use tools like nmap -sP with the --script=sniffer-detect option to identify devices in promiscuous mode.
• ARP Detection: Monitoring ARP tables for unusual or frequent changes helps identify potential ARP poisoning attacks.
  – Example: Using ARP detection tools like XArp to monitor changes in IP-MAC mappings, alerting administrators to possible ARP spoofing attempts.
• DNS Detection: Monitoring DNS responses and validating DNS entries can identify DNS poisoning or spoofing attempts.
  – Example: DNS monitoring tools like dnstop track changes in DNS queries, alerting administrators when unexpected DNS responses appear.
• MAC Address Flood Detection: Monitoring the number of MAC addresses on a port helps detect MAC flooding attacks.
  – Example: Switches can be configured to send alerts or shut down a port if too many MAC addresses are detected in a short period.
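The "Monitor ARP Tables Regularly" countermeasure and the "ARP Detection" technique above, worked through as a script that parses arp -a output (both the Linux and the Windows layout) and compares a later snapshot against a baseline. This is an added example, not from the slides or any tool named in them; the two snapshots are constructed, and in the second one the gateway's IP has been taken over by the MAC of host 192.168.1.77, the pattern an arpspoof-style attack leaves behind.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output (not captured from a real host). The baseline is in
# the Linux layout, the later snapshot in the Windows layout, to show both parsers.
BASELINE = """\
_gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
fileserver (192.168.1.20) at 00:11:22:33:44:66 [ether] on eth0
? (192.168.1.77) at de:ad:be:ef:00:01 [ether] on eth0
"""

LATER = """\
Interface: 192.168.1.50 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           de-ad-be-ef-00-01     dynamic
  192.168.1.20          00-11-22-33-44-66     dynamic
  192.168.1.77          de-ad-be-ef-00-01     dynamic
"""

LINUX_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)
WINDOWS_RE = re.compile(
    r"^\s*(?P<ip>[\d.]+)\s+(?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+", re.I)


def parse_arp_table(text: str) -> dict[str, str]:
    """Map IP -> MAC (normalised to lower-case, colon-separated) from arp -a output."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        m = LINUX_RE.search(line) or WINDOWS_RE.match(line)
        if m:
            table[m["ip"]] = m["mac"].lower().replace("-", ":")
    return table


def find_anomalies(baseline: dict[str, str], current: dict[str, str]) -> list[str]:
    """Two checks that catch most ARP poisoning from table snapshots alone."""
    alerts: list[str] = []
    # 1. A known IP now resolves to a different MAC than the baseline recorded.
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old and old != mac:
            alerts.append(f"MAC changed for {ip}: {old} -> {mac}")
    # 2. One MAC answers for several IPs: the attacker's own host plus the IP it
    #    is impersonating (typically the gateway).
    by_mac: dict[str, list[str]] = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} is mapped to multiple IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_arp_table(BASELINE), parse_arp_table(LATER)):
        print("ALERT:", alert)
```

In practice the baseline would be saved when the network is known-good and the comparison run on a schedule; a change for the gateway IP is the entry to act on first.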