Questions about this topic? Sign up to ask in the talk tab.

Sniffing

From NetSec
Revision as of 10:21, 20 October 2012 by LashawnSeccombe (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Sniffing is the process of electronic eavesdropping at the network layer.


There are two very commonly used network devices. One of these devices is a switch, the other is a hub. A hub repeats traffic from its uplink port down all child lines, while a switch translates traffic and sends it across the specific wire and interface associated with the traffic’s destination. On a hub based network, sniffing is easy – one can simply look at all the traffic coming over the wire with a common tool like “Cain and Abel” after only turning the sniffer on.

Common sniffers are in programs like

  • Net Tools
  • WireShark
  • IP Tools
  • IPTraf
  • NetMon
  • ettercap
  • ethereal

All encryption protocols including GPG/PGP, DES, 3DES, DSA, DSA, SSL, and TLS rely on something called key exchange. If the attacker is able to monitor the connection at the beginning during the key exchange, all the data is compromised, including HTTPS, SSH, SFTP, TLS connections, etc.

Once a host has become the victim of a man in the middle, there are multiple exploitable vulnerabilities based on posing as the router. Several vulnerabilities affect DNS (Dynamic Name Service).

The two most prominent vulnerabilities involving DNS and man in the middle exploitation are DNS cache poisoning and DNS request hijacking. Both vulnerabilities have the same affect, merely on different scopes.



When a victim of a DNS man in the middle attempts to connect to one server by its DNS name, a false IP address is returned instead of the server’s actual IP address. An attacker could use this vulnerability in order to harvest data and authentication credentials more easily, or use this to deploy an exploit or even combine it with a Social Engineering attack in order to trick an administrator into disclosing credentials or activating another process that would aid the attacker’s timing during a second-order-injection attack. All in all, dynamic ARP caches are considered a “critical” vulnerability because of the amount of information which can be gleaned from an MITM attack.


MITM affects every TCP/IP protocol and as mentioned previously, can be used for connection hijacking and spoofing. Not only can packets be spoofed and forged TO the victim machine, however, they can also be spoofed and forged FROM the victim machine. While this can be used for attacking, there are also several other exploitations that performing an MITM will allow an attacker to do.

VoIP or SIP hijacking refers to exploiting Voice over IP using a vulnerability in the SIP during an MITM attack. This will allow an attacker to intercept VoIP phone calls made to or from a victim VoIP phone.

Another main feature of Cain is its authentication engine. On windows-based networks, Cain is capable of spoofing challenge reset requests, and spoofing checksum packets during a network authentication (connections for file or printer sharing) that tell the client machine that the server does not support NTLM Version 2. Spoofing challenge resets forces the client machine to release multiple challenges, which gives the cracker and cryptanalysis engine (also built into Cain) better ability to decrypt the hashes – reducing the time taken to crack them. Spoofed checksums force a downgrade of the network NTLM authentication, tricking the client computer into using NTLM Version 1, a much weaker and more easily cracked encryption algorithm than NTLM Version 2. This allows an attacker to crack password hashes faster and therefore gain access more quickly.

There are other ways to hijack connections, however most of them have been antiquated due to upgrades in the TCP/IP protocol. Years ago, attackers would hijack connections with what is called TCP Sequence hijacking, or ISN Hijacking.