unit3

The document discusses network sniffing, a method used by attackers to capture unencrypted data packets across networks, highlighting active and passive sniffing techniques. It also covers vulnerability assessment tools like Nessus and Nmap, detailing their functionalities and installation processes, as well as the differences between hubs and switches in network traffic management. Additionally, it explains various ARP attacks, including MAC flooding and ARP poisoning, and introduces tools such as Dsniff, Drifnet, and Wireshark for monitoring network traffic.

Uploaded by barneyisalive

NETWORK SNIFFING

UNIT 3
Network sniffing
• Network sniffing is a type of attack where an attacker
captures the packets across a wire or across air
(wireless connection).
• The main goal is to capture unencrypted credentials
across the network.
• The common target protocols include FTP, HTTP,
and SMTP.
Types of Sniffing
• Sniffing can be primarily divided into two main categories:
• 1. Active sniffing
• 2. Passive sniffing

• Active Sniffing: Active sniffing is where we directly interact
with our target machine, by sending packets and requests.
• ARP spoofing and MAC flooding are common examples.

• Passive Sniffing: In passive sniffing, the attacker does not
interact with the target. They just sit on the network and
capture the packets sent and received by the network.
Vulnerability Assessment
• Vulnerability scanners scan computers, networks, or
applications looking for potential weaknesses that could
be used by attackers to compromise the target.
• It can determine many things, such as the following:
Open ports
Services
Operating system
Vulnerabilities
Pros and Cons of a Vulnerability
Scanner
• The main advantage of any vulnerability scanner is
task automation.
• It can automate many tasks such as reconnaissance,
port scanning, service, and version detection.
• This can make your work faster and more effective
than doing everything manually.
• One of the main disadvantages is that the
vulnerability scanners are very loud by nature and can
be easily detected since we are sending lots of traffic
over the network.
Promiscuous versus
Nonpromiscuous Mode
• Promiscuous and nonpromiscuous are the two modes
associated with our network cards. By default, our
network card is in nonpromiscuous mode, in which we
will be able to capture only the traffic that is destined for our
computer.
• However, we can change our network card to promiscuous
mode, which will allow us to capture the traffic that
is not destined for our computer as well.
Testing SCADA Environments with
Nmap
• SCADA (Supervisory Control and Data Acquisition) is a
special device used for monitoring industrial systems.
• Therefore, using automated scanners such as
Nessus, OpenVAS, or Nexpose could be very dangerous
and can cause such systems to crash.
• Luckily, we have a great alternative with nmap’s new script
called vulscan.nse.
• The script requires two arguments to run:
• the first argument is “-sV”, which is commonly used to
perform service detection with nmap;
• the second argument is “--script=vulscan.nse”, which is the
default syntax for using an nmap script.
• Installation
• The vulscan.nse script is not installed with nmap, so we
need to download the script and extract its contents to
the /usr/local/share/nmap/scripts directory.
• Here is how we can do it:

• root@root:~# cd /usr/local/share/nmap/scripts
• root@root:/usr/local/share/nmap/scripts# wget
• Usage: Now that we have installed the vulscan.nse script,
we will use the following command to run it:

• nmap -sV --script=vulscan.nse <target IP>


Nessus Vulnerability Scanner
• The Nessus vulnerability scanner is often called the Swiss
army knife of vulnerability scanners. The Nmap
scripting engine has a limited number of scripts and is
only capable of detecting a few vulnerabilities, which is the
reason you cannot completely rely on nmap for
vulnerability assessment.
• The most common approach used by Nessus is to
look at the banners/version headers, which most of
the time reveal interesting information about the
target such as the version of the service that is
running.
As you can see here, I have connected to a website’s FTP server on
port 21. From the banner, we can see that it is running Pure-FTPd.
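As an added illustration of this banner-based approach (example code written for these notes, not code from the slides or from Nessus), the following Python parses a few constructed service banners, extracts the product and version where the banner carries one, and compares the version against a hypothetical minimum-version policy. The sample banners, the `MIN_VERSION` table and the regular expressions are all assumptions made for the example. It also shows the caveat a practitioner needs: a banner with no version string (the Pure-FTPd banner here) gives the scanner nothing to compare, and distributions that backport fixes keep the old version string, so a banner-only "outdated" result must be confirmed before it is reported.

```python
"""Banner/version-header assessment in the style the slides describe for Nessus.
Added example: not Nessus code and not code from the slides. The banners are
constructed samples and MIN_VERSION is a hypothetical local policy."""
import re

# Constructed sample banners, as read from the first line a service sends
# (FTP, SSH) or from an HTTP response header.
SAMPLE_BANNERS = {
    "ftp/21": "220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------",
    "ssh/22": "SSH-2.0-OpenSSH_7.4",
    "http/80": "Server: Apache/2.4.41 (Ubuntu)",
}

# Hypothetical policy: the lowest version this organisation accepts per product.
MIN_VERSION = {"OpenSSH": (8, 0), "Apache": (2, 4, 50)}

BANNER_PATTERNS = [
    re.compile(r"^SSH-\d\.\d-(?P<product>[A-Za-z]+)_(?P<version>\d+(?:\.\d+)*)"),
    re.compile(r"^Server:\s*(?P<product>[A-Za-z-]+)/(?P<version>\d+(?:\.\d+)*)"),
    # Pure-FTPd's default banner names the product but carries no version.
    re.compile(r"Welcome to (?P<product>Pure-FTPd)"),
]


def parse_version(text):
    """'2.4.41' -> (2, 4, 41), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner):
    """Return (product, version tuple or None); (None, None) if not recognised."""
    for pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            version = m.groupdict().get("version")
            return m.group("product"), (parse_version(version) if version else None)
    return None, None


def assess(banner):
    """Classify one banner against MIN_VERSION.
    Caveat: a backported fix keeps the old version string, so 'outdated' from a
    banner alone is a lead to confirm, not a confirmed vulnerability."""
    product, version = parse_banner(banner)
    if product is None:
        return {"product": None, "status": "unrecognised"}
    if version is None:
        # No version in the banner: the scanner can only record the product.
        return {"product": product, "status": "version-unknown"}
    minimum = MIN_VERSION.get(product)
    if minimum is None:
        status = "no-policy"
    elif version < minimum:
        status = "outdated"
    else:
        status = "ok"
    return {"product": product, "version": version, "status": status}


def assess_all(banners=SAMPLE_BANNERS):
    return {service: assess(banner) for service, banner in banners.items()}


if __name__ == "__main__":
    for service, result in assess_all().items():
        print(service, result)
</test>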
• Nessus comes in two flavors:
• 1. Home feed
• 2. Professional feed
• Home Feed :
• Home feed is for personal use, and it contains
information about everything from a vulnerability
scanning perspective.
• Professional Feed:
• Professional feed is for commercial usage, mostly
related to compliance checks and auditing purposes.
This scanner is not available for free.
Installing Nessus on BackTrack
• Nessus comes preloaded in BackTrack. However, in
order for Nessus to work, we need the activation code,
which can be obtained by signing up on the Nessus
website; this will let us fetch the latest plug-ins
from the Nessus website.
• http://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code
• Next, you will have an option to choose “work feed”
or “home feed.”
• Choose home feed and provide the e-mail address to
which you want the activation code to be delivered.
• Once you receive the code, you can issue the
following command from your BackTrack console to
register it: /opt/nessus/bin/nessus-fetch --register
• Adding a User: After we have successfully updated
the plug-ins, we need to register a user with Nessus.
• The command for that would be as follows:
/opt/nessus/sbin/nessus-adduser
• Nessus Control Panel
• The Nessus control panel is divided into the following six
main components:
• Reports: These are our actual findings compiled in the
form of a report.
• Mobile: This is a new feature added to the latest version of
Nessus for scanning mobile devices located on a
network.
• Scan: This tab is where we would spend most of our time after the
policies tab. It enables us to scan the targets for
vulnerabilities.
• Policies: Policies are a core component of Nessus. In policies,
we define what type of scan we want to perform on the target,
which plug-ins to use, what targets should be excluded, what
types of scans should be excluded, and so on.
• Users: This is where we can add and delete users that can
access Nessus.
• Configuration: Configuration allows us to use a proxy and a
bunch of other options for scanning.
• Creating a New Policy
• We will now create a new custom policy for scanning
a Windows machine on my local area network. To
create a policy, click on “Policies” at the top and then
the “+add” button.
• You will see a screen similar to the one shown here:
Enter the name of the policy. In my case, I entered “WindowsBox” since
I am scanning a Windows machine on my network. The visibility is set
to private, which means that the policy will not be shared with other
users.
Hubs versus Switches
• In order to fully understand how sniffing works, you
need to understand the difference between hub-based
and switch-based networks.
• Unlike hubs, which operate on the physical layer
(Layer 1) of the OSI model, switches operate on layer
2 of the OSI model on which almost all modern
networks are based.
Hub and switch
• A hub is designed in such a way that it broadcasts all the traffic, meaning
that it will forward the traffic to all the hosts on a network.
• The technical flaw in this design is that lots of bandwidth is utilized and
broadcast storms are created.
• The security flaw in the design is that an attacker could run a sniffer to
capture all the traffic that is received on his computer as the traffic is
broadcasted on a hub based network.
• A switch is a smarter device because, unlike hubs, it does not broadcast the
traffic to every host on the network; it will forward the frames only to the
host the traffic is destined for. The switch uses the ARP protocol to perform
this job.
MITM Attacks
• The idea behind a MITM attack is that the attacker
places himself in the middle of the communication
between a client and a server.
• Therefore, any communication that is being
performed between a client and a server will be
captured by the attacker.
Address Resolution Protocol
• ARP stands for address resolution protocol.
• Its purpose is to resolve an IP address to a MAC
address.
• Any piece of hardware that connects to the Internet
has a unique MAC address associated with it.
How ARP Works
• So let’s imagine the scenario shown in the image, where on a
switch-based network, “Host A” with an IP 192.168.1.2 would like
to communicate with “Host B” with an IP 192.168.1.3.
• In order to communicate on a local area network, Host A would need to have
the MAC address of Host B. Host A will look inside its ARP cache
and see if the entry for Host B’s IP address is present inside the ARP
table. If it’s not present, Host A will send an ARP broadcast packet
to every device on the network asking “Who has Host B’s IP
address?” Once Host B receives the ARP request, it will send an
ARP reply telling Host A “I am Host B and here is my MAC
address.”
• The MAC address would then be saved inside the ARP table. An
ARP cache contains a list of the IP and MAC addresses of every
host we have communicated with.
ARP Attacks
• There are two types of attack vectors that
could be utilized with ARP:
• 1. MAC flooding
• 2. ARP poisoning or ARP spoofing
MAC Flooding
• A MAC flooding attack sends a huge number of
ARP replies to a switch, thereby overloading the CAM table
of the switch. Once the switch overloads, it goes into hub
mode, meaning that it will forward the traffic to every single
computer on the network.
• All the attacker needs to do now is run a sniffer to
capture all the traffic.
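To make the hub-versus-switch difference and the CAM-table overload concrete, here is an added Python model (written for these notes, not code from the slides). A switch fills its CAM table from the source MAC address of every frame it receives and forwards a frame only to the port it has learned for the destination; a destination it has no entry for is flooded to every other port, which is the hub-like behaviour the flood of bogus replies forces. The model also shows the standard mitigation on managed switches, a per-port limit on learned MAC addresses (port security): with the limit in place the attacker's port is cut off after a few addresses and the real entries survive. The three-port switch, the MAC addresses, the table size and the frame sequence are all constructed for the example.

```python
"""Model of a switch's MAC address (CAM) table: why flooding it with bogus
source addresses degrades the switch to hub-like flooding, and how a per-port
MAC limit ("port security") contains it. Added example, not code from the
slides; ports, addresses and the frame sequence are constructed."""
from collections import OrderedDict

PORTS = ("p1", "p2", "p3")               # constructed three-port switch
VICTIM_A = ("aa:aa:aa:aa:aa:01", "p1")   # (MAC, port) of host A
VICTIM_B = ("aa:aa:aa:aa:aa:02", "p2")   # (MAC, port) of host B
ATTACKER_PORT = "p3"


class Switch:
    def __init__(self, cam_capacity, per_port_limit=None):
        self.cam_capacity = cam_capacity       # entries the table can hold
        self.per_port_limit = per_port_limit   # None = no port security
        self.cam = OrderedDict()               # src MAC -> port, oldest entry first
        self.violations = []                   # (port, MAC) dropped by port security

    def _macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def _learn(self, src_mac, port):
        """Learn the frame's source MAC; return False if port security drops the frame."""
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)      # refresh: recently seen entries survive longest
            return True
        if self.per_port_limit is not None and self._macs_on_port(port) >= self.per_port_limit:
            self.violations.append((port, src_mac))
            return False
        if len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)       # table full: evict the oldest entry
        self.cam[src_mac] = port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of ports the frame is sent out of."""
        if not self._learn(src_mac, in_port):
            return set()
        out_port = self.cam.get(dst_mac)
        if out_port is None:
            # Unknown destination: flood to every port except the ingress port.
            # A full table makes every real destination "unknown", hence hub mode.
            return {p for p in PORTS if p != in_port}
        return {out_port} if out_port != in_port else set()


def simulate(per_port_limit, cam_capacity=100, attack_frames=1000):
    """Return (ports receiving A's frame to B after the flood, number of dropped frames)."""
    sw = Switch(cam_capacity, per_port_limit)
    a_mac, a_port = VICTIM_A
    b_mac, b_port = VICTIM_B
    # Normal traffic first, so the switch learns where A and B are.
    sw.forward(a_mac, b_mac, a_port)
    sw.forward(b_mac, a_mac, b_port)
    # The flood: many frames from one port, each with a fresh source MAC.
    for i in range(attack_frames):
        bogus = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        sw.forward(bogus, "ff:ff:ff:ff:ff:ff", ATTACKER_PORT)
    # A now talks to B: if A and B were evicted, the frame also reaches p3.
    return sw.forward(a_mac, b_mac, a_port), len(sw.violations)


if __name__ == "__main__":
    print("no port security:  ", simulate(None))   # ({'p2', 'p3'}, 0)
    print("limit 2 MACs/port: ", simulate(2))      # ({'p2'}, 998)
```

Without a limit the 1000 bogus entries push A and B out of the 100-entry table, so A's next frame to B is flooded and reaches the attacker's port; with a two-address limit on each port the switch drops the flood after the first two bogus addresses and keeps forwarding A's traffic only to p2. Monitoring the violation counter is how this attack shows up on a real switch.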
ARP Poisoning
• ARP poisoning is a very popular attack and can be
used to get in the middle of a communication.
• The way it works is that the attacker would send a
spoofed ARP reply to any computer on a network to
make it believe that a certain IP is associated with a
certain MAC address, thereby poisoning its ARP
cache that keeps track of IP to MAC addresses.
Denial of Service Attacks

• Another attack that is possible with ARP
spoofing is a denial-of-service attack.
• The attack works by associating the victim
router’s IP to an IP that does not exist, thereby
denying the victim access to the Internet: when
the victim tries to connect to the Internet, he
will reach a nonexisting place.
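The following added Python example (written for these notes, not code from the slides) ties the three preceding sections together: it models the ARP request/reply exchange and ARP cache from "How ARP Works", shows that a host accepts a reply it never asked for, and runs a passive monitor in the spirit of arpwatch that raises the two alerts a defender watches for: a reply with no matching request, and a change in the MAC recorded for an IP. Both the poisoning case and the denial-of-service case (a gateway IP pointed at an address that belongs to nobody) produce the second alert. The hosts, addresses and packet sequence are constructed; in a real network replies are unicast, so the monitor needs a mirror/SPAN port or an agent on each host to see them.

```python
"""ARP resolution between hosts on one segment plus an arpwatch-style monitor
that flags unsolicited replies and changed IP-to-MAC bindings. Added example,
not code from the slides; hosts, addresses and packets are constructed."""
from collections import namedtuple

ArpPacket = namedtuple("ArpPacket", "op sender_ip sender_mac target_ip")


class ArpMonitor:
    """Passive observer of every ARP packet on the segment."""

    def __init__(self):
        self.bindings = {}    # ip -> MAC first seen for that ip
        self.pending = set()  # (requester_ip, target_ip) waiting for a reply
        self.alerts = []      # (kind, ip, old_mac, new_mac)

    def observe(self, pkt):
        if pkt.op == "request":
            self.pending.add((pkt.sender_ip, pkt.target_ip))
            return
        key = (pkt.target_ip, pkt.sender_ip)
        if key in self.pending:
            self.pending.discard(key)
        else:
            # Nobody asked "who has sender_ip?": a gratuitous or spoofed reply.
            self.alerts.append(("unsolicited-reply", pkt.sender_ip, None, pkt.sender_mac))
        known = self.bindings.setdefault(pkt.sender_ip, pkt.sender_mac)
        if known != pkt.sender_mac:
            # The same IP now claims a different MAC: poisoning, DoS, or a real change.
            self.alerts.append(("binding-changed", pkt.sender_ip, known, pkt.sender_mac))


class Segment:
    def __init__(self, monitor):
        self.hosts = []
        self.monitor = monitor

    def send(self, pkt):
        self.monitor.observe(pkt)
        for host in list(self.hosts):   # every host sees the packet; each decides what to do
            host.receive(pkt)


class Host:
    def __init__(self, ip, mac, segment):
        self.ip, self.mac, self.segment = ip, mac, segment
        self.arp_cache = {}
        segment.hosts.append(self)

    def resolve(self, ip):
        """Cache hit costs no traffic; otherwise broadcast 'who has ip?' and use the reply."""
        if ip not in self.arp_cache:
            self.segment.send(ArpPacket("request", self.ip, self.mac, ip))
        return self.arp_cache.get(ip)

    def receive(self, pkt):
        if pkt.op == "request" and pkt.target_ip == self.ip:
            self.segment.send(ArpPacket("reply", self.ip, self.mac, pkt.sender_ip))
        elif pkt.op == "reply" and pkt.target_ip == self.ip:
            # Like most stacks, accept the reply without checking that we asked:
            # this is the weakness a spoofed reply relies on.
            self.arp_cache[pkt.sender_ip] = pkt.sender_mac


def run_scenario():
    """Return (MAC resolved for the gateway, MAC cached after the spoofed reply, alert kinds)."""
    monitor = ArpMonitor()
    seg = Segment(monitor)
    gateway = Host("192.168.1.1", "00:00:5e:00:01:01", seg)
    victim = Host("192.168.1.2", "52:54:00:aa:bb:02", seg)
    first = victim.resolve(gateway.ip)             # normal resolution: no alert
    # A reply claiming the gateway's IP for a different MAC, sent to the victim.
    seg.send(ArpPacket("reply", gateway.ip, "52:54:00:de:ad:03", victim.ip))
    after = victim.arp_cache[gateway.ip]
    return first, after, [kind for kind, *_ in monitor.alerts]


if __name__ == "__main__":
    print(run_scenario())
```

The victim's cache silently switches from the gateway's real MAC to the claimed one, while the monitor records both an unsolicited reply and a changed binding for 192.168.1.1. Static ARP entries for the gateway on critical hosts, or Dynamic ARP Inspection on the switch, are the controls that stop the cache update itself.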
Sniffing the Traffic with Dsniff
• Dsniff is a Swiss army knife of command line sniffing tools.
• To run dsniff, we will execute “dsniff” command inside our
terminal. What this would do is capture any clear text
password going across the network.
• So while running dsniff, I logged in to an ftp account, and
since ftp is a plain text protocol, dsniff managed to capture it.
Sniffing Pictures with Driftnet
• If we want to see what the victim is viewing in his
browser, we have a great tool called “driftnet,” which
comes preinstalled with BackTrack.
• We can use it to capture all the images that the victim is
browsing through. We can do it by executing the
following command:

• root@bt:~# driftnet -v
ARP Poisoning with Ettercap
Ettercap
• Ettercap is said to be the Swiss army knife of
network-based attacks. With ettercap, you can
perform different types of ARP spoofing attacks.
• In addition, it has lots of interesting plug-ins you can
use.
• It is recommended to use ettercap over arpspoof and
other tools in the dsniff toolset because it has more
features; you can do pretty much any task with
ettercap for which you would need multiple
tools in dsniff.
• ARP Poisoning with Ettercap: Let’s start by
performing an ARP poisoning attack with Ettercap.
Just follow these steps:
• Step 1—Launch ettercap by executing the following
command:
• root@bt:~# ettercap -G
• Step 2—Next, click on the “Sniff” button at the top
and then “Unsniffed bridging” and finally select your
appropriate interface
• Step 3—Next, click on “Host List” at the top and
click on “Scan for hosts.” It will scan the whole
network for all live hosts.
• Step 4—Once the scan is complete, from the
hosts menu, click on “Hosts List.” It will
display all the hosts that it has found within
your network.
• Step 5—Next, we need to choose our targets. In this
case, I would like to perform sniffing between my
victim host running Windows XP machine on
192.168.75.142 and our default gateway
192.168.75.2.
• We will add 192.168.75.142 to target 1 and add
192.168.75.2 to target 2.
• Step 6—Next, click on the “MITM” tab at the top and
click on “ARP Poisoning” and then click “Ok” to
launch the attack.
• Step 7—Now, we are capturing all the traffic going to
and from the default gateway and the victim.
• Step 8—Finally, click on “Start sniffing,” and it will
start sniffing the traffic.
• We can check if the ARP cache has been successfully
poisoned by using the “chk_poison” plug-in from
Ettercap.
ARP Poisoning with Cain and Abel
• The entire process of ARP poisoning a network with Cain
and Abel can be divided into five steps:
• Step 1—Download “Cain and Abel” from the
following link, install it, and launch it.
http://oxid.it/cain.html
• Step 2—Turn on the sniffer by clicking on the green
button at the top just above the decoder tab.
• Next, scan for the MAC addresses by clicking on the
plus sign (+) at the top.
• This will bring us all the hosts inside our subnet.
Alternatively, you can also define your own range and set your targets
• Step 3—Once you have scanned all the MAC
addresses and IP addresses, it’s time to perform an
ARP spoofing attack.
• To do that, click on the “APR” tab at the bottom and
then click on the white area in the top frame.
This will turn the “+” sign blue.
• Step 4—Next click on the “+” sign; lists of hosts will
appear. Select the hosts that you want to intercept the
traffic between.
• In my case, at the left side would be my default
gateway and on the right would be my victim hosts.
• Step 5—Click “Ok” and then finally click on the
yellow button just under the file menu.
• And it will begin poisoning the routes in a short span
of time and you will start to see traffic being captured
by Cain and Abel.
Sniffing with Wireshark
• Wireshark is an extensive tool. We will use
Wireshark to capture plain text passwords sent
across the wire:
• Step 1—Launch Wireshark by executing the
“wireshark” command from the terminal. Once
launched, click on the “Capture” button at the top
and click on the “Analyze” button.
• Step 2—Next, select the interface you would like
to sniff on and click “Start”; in my case, it is eth0
Step 3—Wireshark will start capturing all the packets going across the
network. On the victim’s machine, I then log in to a website that supports
HTTP authentication and stop the capture on my attacker machine once I
have logged in.
Step 4—Since we have so many packets, we need to ask Wireshark to
filter out only HTTP POST requests. So, inside of the filter tab, we will
type “http.request.method==POST.”
The first request you see is a “POST” request performed to the
destination 75.98.17.25 from our victim, which has a source IP
192.168.75.142

Step 5—Next, we will right-click on the packet and click on “Follow tcp
stream,” which will show us the original post request generated from the
victim’s browser. The output would look something like the following
As you can see, the POST request contains the username “admin” and the
password “pass.” There are many different types of filters in Wireshark used
to filter out different types of traffic.
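What the Wireshark walkthrough shows by hand, a monitoring sensor can do continuously. The added Python below (written for these notes, not code from the slides or from Wireshark) parses a few constructed captured HTTP requests, keeps only POST requests, which is what the display filter `http.request.method==POST` does, and then flags form fields with password-like names and `Authorization: Basic` headers, since both carry credentials in the clear over plain HTTP. It reports field names and the Basic-auth user name but deliberately never the secret values, which is how a defensive detector should behave. The sample requests, the `SECRET_FIELDS` list and the addresses are all constructed for the example; the only fix for the finding itself is moving the login to HTTPS.

```python
"""Detection of credentials submitted over plain HTTP, the condition the
Wireshark walkthrough exposes. Added example, not code from the slides;
the captured requests are constructed samples."""
import base64
from urllib.parse import parse_qs

# Constructed capture: (source IP, destination IP, raw request bytes), no TLS.
SAMPLE_REQUESTS = [
    ("192.168.75.142", "75.98.17.25",
     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("192.168.75.142", "75.98.17.25",
     b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 28\r\n\r\n"
     b"username=admin&password=pass"),
    ("192.168.75.142", "75.98.17.25",
     b"POST /api/items HTTP/1.1\r\nHost: example.test\r\n"
     b"Authorization: Basic YWRtaW46cGFzcw==\r\nContent-Type: application/json\r\n"
     b"Content-Length: 12\r\n\r\n{\"item\": 42}"),
]

# Hypothetical list of form field names that carry secrets.
SECRET_FIELDS = ("password", "passwd", "pass", "pwd", "token", "secret")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(requests=SAMPLE_REQUESTS):
    """Return one finding per POST request that carries credentials in the clear."""
    findings = []
    for src, dst, raw in requests:
        method, path, headers, body = parse_request(raw)
        if method != "POST":            # same cut as http.request.method==POST
            continue
        secret_fields = []
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body.decode("latin-1"))
            secret_fields = [name for name in form if name.lower() in SECRET_FIELDS]
        basic_user = None
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            # Basic auth is base64, not encryption: user:password is readable on the wire.
            try:
                decoded = base64.b64decode(auth[6:], validate=True).decode("latin-1")
                basic_user = decoded.split(":", 1)[0]
            except ValueError:
                basic_user = "<undecodable>"
        if secret_fields or basic_user is not None:
            findings.append({"src": src, "dst": dst, "path": path,
                             "fields": secret_fields,      # names only, never values
                             "basic_auth_user": basic_user})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials():
        print(finding)
```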
Urlsnarf and Webspy
• Urlsnarf and webspy is part of the dsniff toolset;
urlsnarf tells us about the URL that the victim has
visited, whereas the webspy tool will open up all the
web pages that the victim has visited in our browser
• An example of attacker running urlsnarf to sniff the
URLs that victim has visited.
• The webspy tool works the same way; however, we need
to specify additional arguments.
• Here is how the command would look:
root@bt:~# webspy -i eth0 192.168.75.142
• where eth0 is the interface and 192.168.75.142 is the
IP address of the victim.
• As urlsnarf keeps track of the URLs visited by
the victim, as soon as the victim connects to a
new URL using his browser, our browser would
automatically connect to it too, so we would
know what pages the victim is currently on.
Using ARP Spoof to Perform MITM
Attack
• Before we perform a man in the middle attack, we
need to enable IP forwarding so that the traffic
could be forwarded to the destination.
• In order to enable it, we will use the following
command: echo 1 > /proc/sys/net/ipv4/ip_forward
• We can confirm that IP forwarding is enabled
by using the cat command to display the contents
of the ip_forward file. “1” means that IP
forwarding is enabled; “0” means it’s disabled.
Now that we have enabled IP forwarding, we need to gather the following
information to perform a man in the middle attack:
1. Attacker’s IP
2. Victim’s IP
3. Default gateway

• Attacker’s IP—This will be the IP address of my BackTrack machine,
which is 192.168.75.138.
• Default gateway—The default gateway is the
IP address of my router, which is
192.168.75.142. Next, we would take note of
the MAC addresses associated with
each of them. We can view the MAC addresses
in the ARP cache.
• Usage
• The basic syntax for arpspoof is as follows:
• arpspoof -i [Interface] -t [Target Host]
• In this case, our interface is “eth0,” and our
targets are 192.168.75.2 (gateway) and
192.168.75.142 (victim).
• So our command would be as follows:
• arpspoof -i eth0 -t 192.168.75.142 192.168.75.2
Sniffing Session Cookies with
Wireshark
• We can capture the session cookies of the victim so we
can hijack his/her session.
• Every site has its own session cookie that it uses to
authenticate a user.
• For demonstration purposes, I will capture the session
cookies of Facebook, which are c_user and xs.
• In Wireshark, we apply a filter to show only the
HTTP cookies containing the word “c_user” or “xs”,
since they are the session cookies.
• If you can’t find them, I would suggest that you use
http.cookie and then manually check for the cookies.
Hijacking the Session

• Now that we have the authentication cookies of the
victim, we would need to inject these cookies in our
browser to hijack the session.
• Personally, I prefer the “Cookie Manager” plug-in
inside of Firefox. It’s very simple to use.
• Step 1—To inject our cookies, we will browse
facebook.com, and from our tools menu, will select the
“Cookie manager” plug-in.
• Step 2—Once the plug-in is launched, we would need
to inject our cookies. We will click on the “Add” button
at the bottom and will add both of our cookies. Here is
an example
Step 3—Once both of our cookies are injected, we will just refresh the page,
and we will be logged in to our victim’s account.
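The hijack just described works because the session cookie travelled over plain HTTP and was accepted by the server from any browser that presents it. The added Python below (written for these notes, not code from the slides) is the check an application owner runs on their own responses: it parses `Set-Cookie` headers with the standard library and reports, for cookies that look like session cookies, which protections are missing: `Secure` (the browser never sends the cookie over plain HTTP, so a sniffer on the path does not see it), `HttpOnly`, `SameSite`, and a bounded lifetime. The response headers and the `SESSION_COOKIE_HINTS` list are constructed for the example; the names c_user and xs appear only because the slides mention them.

```python
"""Audit of Set-Cookie headers for the attributes that blunt session-cookie
sniffing and replay. Added example, not code from the slides; the responses
and the session-cookie name hints are constructed."""
from http.cookies import SimpleCookie

# Constructed responses: URL -> list of Set-Cookie header values.
SAMPLE_RESPONSES = {
    "https://example.test/login": [
        "c_user=100012345; Path=/; Domain=.example.test",
        "xs=abc123; Path=/; Domain=.example.test; HttpOnly",
        "theme=dark; Path=/; Max-Age=31536000",
    ],
    "https://example.test/hardened": [
        "sid=def456; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
    ],
}

# Hypothetical name fragments that mark a cookie as session/authentication state.
SESSION_COOKIE_HINTS = ("c_user", "xs", "sid", "session", "sess", "auth", "token")


def is_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_set_cookie(header_value):
    """Return (cookie name, missing protection) pairs for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header_value)
    problems = []
    for name, morsel in jar.items():
        if not is_session_cookie(name):
            continue   # preference cookies such as a UI theme need no hardening
        if not morsel["secure"]:
            problems.append((name, "missing Secure"))     # sent over plain HTTP: sniffable
        if not morsel["httponly"]:
            problems.append((name, "missing HttpOnly"))   # readable by injected script
        if not morsel["samesite"]:
            problems.append((name, "missing SameSite"))
        if not morsel["max-age"] and not morsel["expires"]:
            problems.append((name, "no bounded lifetime"))
    return problems


def audit_responses(responses=SAMPLE_RESPONSES):
    """Audit every Set-Cookie header of every response; URL -> list of problems."""
    return {url: [p for header in headers for p in audit_set_cookie(header)]
            for url, headers in responses.items()}


if __name__ == "__main__":
    for url, problems in audit_responses().items():
        print(url, problems or "ok")
```

On the constructed login response both session cookies lack `Secure`, so they would be exposed exactly as in the capture above; the hardened response passes cleanly. Binding the session to more than the cookie (re-authentication for sensitive actions, short lifetimes, invalidation on logout) is what limits the damage when a cookie does leak.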
