Sniffers

Syllabus

Sniffers : Protocols Susceptible to Sniffing, Active ahd Passive Sniffing, ARP Poisoning, MAC Flooding, DNS
Spoofing Techniques, S~iffing Countermeasures

6.1 Protocols Susceptible to Sniffing

Network sniffing, also known as packet sniffing or protocol analysis, is the practice of intercepting and examining
the data flowing over a computer netwo.rk. While network sniffing itself is a legitimate and valuable tool for network
troubleshooting and analysis, it can become a security concern when employed by malicious actors for unauthorized
(

interception of sensitive information. Some protocols are more susceptible to sniffin~ than others due to the lack of
encryption or weak security measures. Here are a few _examples :
i) H'ITP (Hypertext Transfer Protocol) : Traditional HTTP 'traffic is transmitted in plaintext, making it
susceptible to sniffing. Anyone intercepting the network traffic can easily read the content of HTIP requests and
responses. To address this vulnerability, websites are increasingly adopting HTIPS (HTIP Secure), which
encrypts the communication between the client and server.
ii) FTP (File Transfer Protocol) : FfP is another protocol that typically transmits data in plaintext, including
usernames and passwords. FfP does have a secure counterpart called Ff PS (FfP Secure) or can be replaced with
more secure file transfer protocols like SFTP (SSH File Transfer Protocol) or SCP (Secure Copy Protocol).
iii) Telnet: Telnet is aprotocol used for remote command-line access to a system. Like FI'P, Telnet transmits data,
including login credentials, in plaintext Secure alternatives such as SSH (Secure Shell) are recommended for
remote access due to their.encryption capabilities.
. .
iv) SNMP (Simple Network Management: Protocol) : SNMP is used for network management and monitoring.
SNMPv1 and SNMPv2 transmit data in plaintext, which can be intercepted. SNMPv3 addresses this vulnerability
by incorporating encryption and authentication features.
v) SMTP (Simple Mail Transfer Protocol) : SMTP is commonly us·ed for email transmission. Without encryption,
the content of emails, jncludi.i:ig login credentials, can be intercepted. Secure alternatives like SMTP over TLS/SSL
(SMTPS) or encrypted email protocols like I~APS and POP3S are recommended.
vi) POP3 (Post Office Protocol 3) : POP3 is an email retrieval protocol. Like SMTP, it can transmit data, including
login credentials, in plaintext. Encrypted alternatives like POP3S (POP3 Secure) or IMAPS (Internet Message
Access Protocol Secure) provide a more secure opt_ion.
vii) IMAP (Internet Message Access Protocol) : IMAP is another email protocol for accessing and managing email
messages on a mail server. Without encryption, the contents of emails and login credentials can be exposeci.
IMAPS is the secure version of IMAP. •

►
 r

~
p~~::~~~~;~;;;!;;;;;~;~~~;;:::::::::6:-2:::::::::::::::::::::::::::::~~S~nl ~ f~.
!thlcal Hacking 1
""

-;----____
6.2 ~dive and Passive Sniffing
hs an lndlvld
to network packet capturing, whete
Active and passive sniffing refer to two different approac ek. Whtie network sniffing can be used for Jegiti Ual
tra 'tted over a networ • ll'late
intercepts and analyzes data packets nsmi be exploited for malicious activities Here'
ortng, it can a1so. • s an
purposes such as network troubleshooting an d mon lt .
ovetview of active and passive sniffing :

L Active Sniffing : . _ , •. . . . .
• • • . • ·-. ; . • •• • ; • _.1.1:,:nnal•• •·keis into.-the ~twork to manipulate or interact
pac.
IS Definition : Active sniffing uivolves uvecting oau...v . . . . .: • •• . , . •_ _. .
wit.h tM msting traffic.. '· a:, •• ' .... :_··. • • • ••• I.-. ' ' ' ,, ':.._. i ;

Oiaracteristics :

• May generate additional network traffic.

• Can be more detectable by intrusion detection system·s.
• Can be used to perform more targeted attacks, such as AR~ (Address Res~~ution Pr~tocol) spoofing or DNS
. .-,
. ,•
(Domain Name System) poisoning. ' '

Use cases: • I

• Man-in-the-middle attacks : An attacker positions th~mseives betw~en communication endpoints to intercept

and manipulate data. • • . _· · ) •• .• • • • •• .
. • : . .• I . .

• ARP spoofing : The attacker sends fake ARP messages to associate their· MAC address with the IP address of
another host. redirecting traffic through their system. •- : ·, • •' • • •• •• ,
• DNS poisoning: The attacker alters DNS responses to redirect users • I • •
to malicious websites.•.' .
• \ • ,.,
. . ... . . .' ..
2. Passive Sniffing : • .. •
.. •. 1;.
::, • j,'
•

.
•

• •
,

•
I)

'
•
~
<
'
•• ••

. .
'
.
.• •
.
'••· -,-- _• • _,-~, '·t • • ~ •••~t• ,,.1:•• '~•,•·, ,,-.~,,-, 1-~~<f'.'\.-.'..-~•,-..,!",, ..•,•,-_:,•::\•'\,-,•-'• _,_·•1£,;"'••1,1'•_.,,t7,~ J•,':.•,:••'f_,,•· ,"{··/J. • ~•J • .•_ 1 ~

~ Definition : Ptissive sniffing involves "'f'~~ng ~~rk}iuflic'fuuiJ;ui ·actiJ~i/ i';{j~cti_ng. dt; additional
paclu!ts into the network. • ~ .-_>·._··.:·> ;~>/ ·;:.:/:/'.·,~/~:;_i~•:'~,:~;_·;-~:--r: tL:'.<~>:\~:· ../.\ .
•I • •• •.••: - .: ••• ·_ • < ' " . .• I • .

Characteristics : . .- •, . ,
► • ,,. •. ' ", • •• I. '

• Observes and analyzes existing network traffic. ': . ... I,

•• Does not generate additional traffic on the network. . • • ••

• Less likely to be detected by lntrusfon detection systems. · ·'
, .

• Typically relies on promiscuous mode, where _the network interface card (NIC) ca tures all ackets on the
network. not just those addressed to the host , . • p p
Use.Cases:
(

• Network monitoring for perl'ormance analysis.

• Troubleshooting network issues,
• Detecting unauthorized activities.

6.2.1 Detection and Prevention

Detecting and preventing network sniffing, wheth .

security. Here are some strategies : er passive or active. Is essential for maintaining network
l) Encryption : Encrypt sensitive data using
intercepted even if sniffed. secure protocols (e.g., HTTPS, SSH) to prptect it from being
 Ethical Hacking 6-3 Sniffers

ii) lntruSlon Detection and Prevention Systems {IDPS) : Implement JDPS to detect unusua1 or malicious network
activity, including sniffing attempts.
Iii) Network Segmentation : Segment the network to Hmit the scope of potential sniffing attacks. This makes it
more challenging for an attacker to access sensitive segments.
Iv) Promiscuous Mode_ Monitoring : Regularly monf tor network interfaces for promiscuous mode and detect
unauthorized sniffing activities. •
•
v) Security Polides : Enforce strict security po)icfes to control access to sensitive areas of the network and
monitor for policy violations.
vi) Secure Protocols : Prefer the use of secure and encrypted protoco]s to protect data in transit
vii) Regular Auditing : Conduct regular security audits and network assessm~nts to identify and address
wlnerabilities.
By implementing these measures, organizations can significantly reduce the risk of unauthorized network
sniffing and protect sensitive data from interception and manipulation. ,

6.3 ARP Poisoning

ARP (Address Resolution Protocol) poisoning. also known as ARP spoofing, is a technique used by mali~ous
actors to manipulate the mapping between IP addresses and MAC ~ddresses on a local area network (LAN). The goal
of ARP poisoning is typically to interc~pt or manipulate network traffic, allowing_· an attacker to perform various
malicious activities. Here's an overview of how ARP po~soningw~rks andrsonie potential countermeasur~s:.

How ARP Poisoning Works?

ARP Protocol Basics :
• ARP is used to map an IP address to a corresponding MAC address wit~in a local _network. When a device wants
to communicate with another device on the same network, it uses-ARP to discover the· MAC address associated
with the target's IP address.
ARP Poisoning Process :
; ,,

• An attacker sends malicious ARP messages to the network, prov~ding incorrect MAC addr~ss mappings.

• The attacker can :

• Associate their MAC address with the IP add~ess of the default gateway, redirecting all traffic through their
. system (Mari-in-the-Midd]e attack).

• Associate their MAC address with the' IP address o~ another legitimate .d~vice, int~rcepting communicatio~
between that device and the network. , J

Effects of ARP Poisoning:

The attacker can intercept, mo~ify, or drop network traffic, leading t~ various. malicious activities.- such
. ' .
as
eavesdropping, session liijacldng, or injecting malicious content i~to the communication.

6.3.1 Countermeasures-against ARP ~olsonlng

I) Static ARP Entries : Manually configure static ARP entries on critical devices to specify the correct IP-to-MAC
address mappings.' This prevents ARP poisoning attacks fro~ alt~ring these mappings. • '

' ,..............
. Publlcatlons

, I
 6•4 Sniffe
~
rs
Ethical Hacking •
can detect
Ii) ARP Spoofing Detection Tools t Use network
monf tort ng tools or fntrusf on detection systems that
MAC address mappings•.
-anomalies in ARP traffic, such as unexpected changes In
network switches support ARP Inspection, a security
iii) ARP Inspection (Dynamic ARP Inspection) : Many
MAC address ma_pplngs are legitimate. Suspicious ARp
feature that validates ARP packets to ensure that the IP-to-
.
packets are dropped. ed on a
Iv) Port Security: Configure port security on netw
ork switches to limft the _number of MAC ~ddres~es a1Jow
thorized devices to ~~ network.
port. This can help prevent attackers from connecting unau
attacker
v) Network Se~e ntat ion : Segment the netw
ork ·to reduce the impact of ARP poisoning. lf an
k fs limited.
successfully poisons one segment,.the scope of the attac if an
S, SSL/TLS) to protect s.en itive data in transit· Even
5
vi) E~cr yption : Use encry pted protocols (e.g., HTTP
helps_ maf ntain confidentiality.
attacker intercepts the traffic, encrypt~d communication
or
,· especially when acce,sing networks. over untrusted
v:ii) VPN (Virtual Private Network) : im.plement VPNs
b~tween the client and serv_er. . •
public networks. VPNs encrypt th~ entire communication
e of
of connecting to un~ sted networks and the importanc
v:iii) Security Awareness: Educate users.about the risks •
•' ., . . .
verifying the security of Wi-Fi networks.
izations should _employ a combination of technical
ARP poisoning is a serious security, concern, and organ ar
mitigate the risks· associatid with ~is type of attack. Regul
measures, security best practices, and user ed~cation to
nd to ARP poisoning attempts promptly~
secu~ty audits and monitoring can help detect ~nd r~spo • • ,
''
C • '

1· '

6.4· MAC Flooding

MAC address tabl~ o~erflow attack, is a type of netwo
rk
MAC flooding, also ~ow n as MAC flooding attack·~r h's MAC
of a MAC flooding attack is to ov~~ helm the switc
security attack that targets the network switches. The goal on the
~e~aves· ~~ke a hub, forwarding traffic to all .devices
address table~ causing.it to enter into a state w~ere. it_ er to
MAC addresse~. This_ can' potentialJy -enable an attack
network, rather than selectively fo~~ ding it b3:.s.ed ~n. ' -· • • •
••' • •
capture, ~odify, or eavesdrop on network traffic. .
countermeas~~s : ;.-: ': ·: •·... . •:; ••••
Here's an ovelView of how MAC flooding works and some
• . . .
, ..
How MAC Flooding Works 7 . . '. .
•l

MAC Address Tables: •• I ,

• •
I

betw • AC ad.dresses and• the - ·

Switches use MAC addre·ss tables to keep track of th~ association
. . ~en
M,
corresponding
· h · Th' • ·. • • . •
SWJtc ports. 1s mformation fs used. to effici ently foiward frames only .t 0 th
, e 1ntended recipient.
. .
• •'
Normal Switc h Operation :
1

a~dr •• • .• .
In a well-functioning network, the switch updates Its MAC tahle dynam~cally ~s d~vices commu_mcate.
addre ess
When a frame arrives, the switch learn~ the source MAC 55 an~ associates it with the port through which the
· · _
frame arrived.

MAC Flooding Attack: .

. '
h with a large numb ~r of fake • , •
. An ~ttacker flood s the switc
•
• (spoofed) MAC addresses, overwhelming the switch s
capacity to store them fn its MAC address table,
i ,
• Once the t.able is full, the switch enters a state known as "i fl ,, • •fie
. h d a ·open or "fall-close d.'' dependjng on the spec1 i
switc :1110 el. In either case, the SMtch starts behavfn s on
the network, regardless of the Intended recipient g like a h~b, forwarding incoming frames to all device
== == =T ~
--: --- --: ./: --- '-- -~ ::: ..: ::: ::~ ~~ ~- --~ --= == publlC atlO
 .

-
.

Ethical Hacking
6-5 Sniffers
EffedS of MAC Fl~ding:
By causing the switch to act like a hub tta k '
.. . . , an a c er can capture network traffic that was meant for other devices,
facibtattng eavesd~ppmg or po~ential interception of sensitive information.

6.4.1 Counterm~sures against MAC Flooding

i) Port Security : Enab~e port security on network switches to Jimit the number of MAC addresses a11owed on a
specific port. This helps prevent a~ attacker from flooding the switch with numerous fake MAC addresses.
ii) Dynamic ARP Inspection (DAI) . DAI • & ' •
• is a ,eature that validates ARP (Address Reso]ution Protoco1) packets
preventing ARP spoofing attacks h' h · • ,
, w 1c are often used m conJunction with MAC flooding.
iii) Static MAC Address Entries : Manually configure static MAC address· entries on critica] devices to en~ure that
the switch always associates the
correct MAC a ddresses with
. the· correspondmg
. ports.•
iv) Rate Limiting : Implement rate limiting on switch ports to restrict the number of MAC address changes within a
certain timeframe. This can help mitigate the impact of MAC flooding.
v) ln~sion Detection Systems (IDS) / Intrusion Prevention Systems (JPS) : Emp1oy IDS/JPS so]utions that can
• d~tect abnormal patterns of network traffic indicative of MAC flooding atta~ks. • • "
VI1 Network_ Segmentation : Segment the network to limit the scope of a potential MAC flooding attack. If an
attacker succeeds in flooding one segment, it wo~'t affect the entire network. .
vhl Switch Firmware Updates : Regularly update switch firmware to patch vulnerabi1ities and ensure that the •
switch has the latest security features.
I

By implementing these countermeasures, network administrat<_>rs can reduce the risk of MAC flooding attacks
and help maintain the security and integrity of their network infrastructure.

6.5 DNS Spoofing Techniques

I
'
DNS (Domain Name System) spoofing, also known as DNS cache poisoning or DNS spoof attack, is a technique
used by attackers to manipulate the DNS resolution process. The goal is to provide false DNS information to redirect
users to malicious websites or intercept their network traffic. Here are some common DNS spoofing techniques·:
i) Cache Poisoning: In DNS cache poisonfng, an attacker injects false DNS ~ecords into the each~ _of a DNS resolver.
The objective is to overwrite legitimate records with ma1ici~us ones, causing subsequent DNS queries· for a
particular domain to be redirected to a i:na1icious IP address. • •
-
; . .
U) Man-in-the-Middle (MltM) Attacks : _In a Man-in-the-Middle attack, an attacker intercepts and alters
communication between two parties. For DNS spoofing, the attacker positions themselves between the victim
and the DNS seiver, allowing them to modify DNS re~ponses before th~y reach the victim, ,
Iii) DNS Packet Sniffing and Injection : An attacker may use packet sniffing tools to intercept DNS traffic. By
capturing DNS query packets, the attacker ca·n inject forged DNS responses, providing false information to the
target device. -
Iv) • DNS Server Compromise : If an attacker gain~ unauthorized access to a DNS server, they can modify DNS
•records directl;. This could \involve changing the IP address associated with a domain or introducing new,
• malicious DNS entries. . .
• •

a
' 4 • •

v) . Rogue DNS server : An attacker can set up rogue DNS server on the network. When unsuspectl~g devices use
·- this malicious DNS seiver for reso]ution, the attacke~ can control the DNS responses and redirect users to
malicious websites.

- -.
,............
Publltatlons

,
)
,.
 Ethical Hacking
6-6 Sniffers
vi) DNS Spoofing through Malldous Software : Malicious software, such as malware or a Trojan horse, may alter
the DNS configuration on an infected device. This can lead to DNS requests being resolved through malicious 1
servers controlled by the attacker.
vii) DNS Tunne~lng: DNS tunneling involves encoding data in DNS queries or responses to bypass security controls.
While not typical DNS spoofing. it is a method to exfiltrate data or control compromised systems covertly.

6.5.1 Counte"':'easures against DNS Spo~flng

I) DNSSEC (DNS Security Extensions) : DNSSEC is a suite of extensions to DNS that adds an additional layer of
security by digitally signing DNS data. It helps ensure the integrity and authenticity of DNS responses.
U) Use of DNS Filtering : Implement DNS filtering services or solutions that can detect and block known malicious
domains. This helps prevent devices from resolving malicious JP addresses.
Ill) Network Segm~ntation : Segmenting the network can limit the impact of DNS spoofing attacks. Compromising
one segment may not necessarily affect other parts of the network.
Iv) Regular DNS Cache Clearing : Regularly clear the DNS cache to remove _any potentially poisoned entries. This is
especially important for DNS resolvers and servers.
v) Intrusion -Detection and Prevention Systems (IDPS) : Deplo·y JDPS so.lutions that can detect abnormal
patterns of DNS traffic indicative of spoofing attacks. •
vi) Firewall Rules : Configure firewall rules to restrict DNS traffic to trusted DNS servers and prevent unauthorized
DNS traffic. • '
vii) Secure Conftguratlon of DNS Servers : Ensure that DNS servers are securely configured, with strong
authentication mechanisms and regular security updates.
vlU) Endpoint Security: Maintain strong endpoint security by using updated antivirus and anti-malware solutions to
detect and
. remove malicious software that.may alter DNS configurations.
By i~plementing these countermeasures~ organizations can reduce. the ~sk of falling victim to DNS spoofing
attacks and enhance the overall security of their network infrastructure.

6.6 Sniffing Countermeasures

Network sniffing poses a significant security threat, as it allows attackers to intercept an~ analyze data packets
flowing over a network. Implementing effective countermeasur~s is crucial to protect agai~st unauthonzecl packet
sniffing. Here are some·countermeasures to mitigate the risks associated with sniffing; "
J) Encryption ; Use encryption for sensitive data in transit Protocols like HTfPS (for web ~ ~ (lw
secure communications), and VPNs '(Virt4al Private Networks) help e~crypt data. maktna lt fflQfl . . . . . . . . . .
attackers to decipher.
ll) Switched Networks : Use switches Instead of hubs. Unlike hubs, switches only send di'- W . , ~ (fllc.'I
for. which it is Intended, reducing the likelihood of packet sniffing. Switched networq. ~vkl....... atfOI
over traffic compared to shared media networks.
- Iii) Port Security : lm~lement port security on network switches to restrict die nu1111aff QIMAC ld4.-..• allowed
on a specific port. This helps prevent attackers from connecting rogue devlc:n wClio ~ '- •
• Iv) Network Segmentation : Segment the network Into logical or physlc:al 1op1111W.,J'A aua..- pins access to
one segment. it limits their ability to sniff traffic on other segments.

..... ,
Tldlll11■l1 ..1
...... ,

• I
 '
Ethical Hacking • 6-1 Sniffers
-
v) lntntslon Detection Systems (IDS) : Deploy IDS solutions to detect abnormal network behavior indicative of
sniffing activities. IDS can alert administrators to potential security Incidents In real-time.
vi) Use of Virtual LANs (VLA.Ns) : VLANs can be used to logically segregate network traffic, creating Isolated
broadcast d~mains. This helps tn containing the scope of packet sniffing within specific VLANs.
vii) Network Monitoring : Regularly monitor network traffic for anomalies. Analyzing •traffic patterns and
identifyi~ unexpected behavior ~an help detect packet sniffing activities. .

vlll)ARP Spoofing Detection : Employ tools or mechanisms to detect ARP spoofing, which is often used in
conjunction with pa~ket sniffing attac~: Tools like ARPwatch can help monitor and alert on changes in ARP
m~ppings.

Ix) Static ARP Entries : Configure static ARJ> entries on critical devices to ensure that the MAC-to-IP mappings are ,,
not manipulated by attackers.
x) Use of Encrypted Protocols : Favor the use of encrypted protocols for sensitive applications. For example, use
SS~ instead ofTelne~ for secure remote access.
. .
xi) . Regularly Clear DNS Cache : Regulariy clear the DNS cache on DNS servers to eliminate potentially poisoned
entries introduced by attackers.
~ . . ' ..
xii) Implement Network Forensics : Establish network forensic cap~bilities to investigate and trace_ unauthorized
activities. This involves logging network activities for later analysis."
Dll) ~ Configuration of Network _Devices : Ensure th~t- routers, switches, and other network de~ces are
•
configured securely. Regularly update firmware and ap~ly security best practices to minimize vulnerabilities.
'" xiv) Security Awareness Training: Educa'te users an~ network administrators about the risks of packets~iffing and
the importance of security measures. Encourage the reporting of suspicious activities. • •
' .
·By combining these coun~ermeasures, organizations can significantly reduce the risk of unauthorized packet _
sniffing and enhance the overall security of their ne~orks: A holistic and multi-layered approach is essential to
address the v~ous aspects of network security effectively. - • •

5 Review' Quesilonsf}

Q. 1 What are ONS SJ)OOfing techniques?

Q. 2 Explain protocols susceptibl~ to s~iffing.

Q. 3 • What is ARP spoofing? Explain in detail. r

I
Q.4 Write short note on MAC flooding.
□Cl□
I ,

'
\

.. I
.I ., .'

,. ,.• • r '

t •.
• '
I,

. ' ,.
/ • '