Sniffing is the act of monitoring and capturing network traffic. An attacker sniffs network traffic by inserting software or hardware into the network path between the sender and the receiver. Sniffing is also referred to as network sniffing and is a form of eavesdropping.
Types of Sniffing
Passive Sniffing is where the attacker passively listens to the network traffic by inserting a packet capture system running in promiscuous mode. In this mode, the system listens to and captures all traffic arriving on the port to which the monitoring system is connected. In a hub, a frame sent from a sender to a receiver is repeated on all ports, so the nodes on the other ports receive the frame but drop it because the destination MAC address in the frame doesn't match their NIC's MAC address. An attacker connects a rogue system whose NIC is in promiscuous mode, so it keeps every frame sent on the hub instead of dropping the ones not addressed to it.
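On hosts you administer, promiscuous mode is visible from the operating system, so a defender can inventory it. The following added example (not code from the original page) checks two Linux sources: the PROMISC flag printed by `ip -o link show`, and the IFF_PROMISC bit (0x100) of the flags word in /sys/class/net/<iface>/flags. The `ip` output is a constructed sample embedded in the code; the interface names and MAC addresses in it are made up.

```python
import os
import re

# IFF_PROMISC bit of the interface flags word that the Linux kernel exposes in
# /sys/class/net/<iface>/flags (value from <linux/if.h>).
IFF_PROMISC = 0x100

# Constructed sample of `ip -o link show` output; sample data for this example,
# not captured from a real host. `ip -o` prints one interface per line and
# joins the continuation with a backslash.
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN "
    "mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP "
    "mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff\n"
    "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP "
    "mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff\n"
)

# "2: eth0: <FLAGS> ..." or "5: veth0@if6: <FLAGS> ..." (veth/VLAN names carry @parent)
_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")


def parse_ip_link(text):
    """Map interface name -> set of flag names from `ip -o link show` output."""
    result = {}
    for line in text.splitlines():
        m = _LINK_RE.match(line)
        if m:
            name, flags = m.group(1), m.group(2)
            result[name] = {f for f in flags.split(",") if f}
    return result


def promiscuous_interfaces(text):
    """Names of interfaces whose flag list includes PROMISC, in output order."""
    return [name for name, flags in parse_ip_link(text).items() if "PROMISC" in flags]


def is_promisc_flags(hex_flags):
    """True if a /sys/class/net/<iface>/flags value such as "0x1103" has IFF_PROMISC set."""
    return bool(int(hex_flags.strip(), 16) & IFF_PROMISC)


def sysfs_promiscuous_interfaces(flags_by_iface):
    """Same check over an {iface: flags_hex_string} mapping read from sysfs."""
    return sorted(name for name, value in flags_by_iface.items() if is_promisc_flags(value))


def read_sysfs_flags(root="/sys/class/net"):
    """Collect {iface: flags} from a live Linux host; empty dict if sysfs is unavailable."""
    flags = {}
    try:
        for name in os.listdir(root):
            with open(os.path.join(root, name, "flags")) as fh:
                flags[name] = fh.read()
    except OSError:
        pass
    return flags


if __name__ == "__main__":
    print("sample PROMISC interfaces:", promiscuous_interfaces(SAMPLE_IP_LINK))
    live = read_sysfs_flags()
    if live:
        print("this host PROMISC interfaces:", sysfs_promiscuous_interfaces(live))
```

A PROMISC flag is an indicator to review rather than proof of sniffing: bridge member ports and a legitimately running capture tool set it too, so the useful control is to baseline which hosts are expected to have it and alert on new ones.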
Active Sniffing is where the attacker actively connects to the target system and injects packets into the existing network connection between systems. Active sniffing is prevalent in switched networks because passive sniffing can be done only on hub-based networks: a switch doesn't send traffic exchanged between two systems out of all its ports, so passive sniffing can't be done in a switched network. To overcome this, attackers use active sniffing in switched networks. The following techniques are used for active sniffing:
MAC Flooding is a technique in which the attacker floods the switch with fake source MAC addresses and fills its CAM table. Once the CAM table is full, the switch can't learn MAC addresses anymore and starts flooding frames out of all ports; this process is known as Broadcast Mode. The attacker already has a system in promiscuous mode connected to the switch and therefore starts receiving all the data.
DNS poisoning is a technique where the attacker poisons DNS records and redirects clients to malicious websites, from which user data is collected.
ARP poisoning is a technique where the attacker listens for ARP requests on the LAN and sends a forged ARP reply claiming that the attacker's machine holds the IP address the client is seeking. The client then starts sending data to the attacker instead of the actual destination system, which allows the attacker to read the client's data.
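The forged reply described above leaves traces that an arpwatch-style monitor can pick up: a reply nobody asked for, an IP address whose MAC binding suddenly changes, and one MAC answering for several IP addresses. The following added example (not code from the original page) runs those three checks over a constructed ARP capture; the IP and MAC addresses, the 2-second request window and the alert names are assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ts: float         # capture time in seconds
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


# How long (seconds) after a request a reply still counts as solicited (assumed value).
REQUEST_WINDOW = 2.0

# Constructed sample capture: a normal request/reply for the gateway 10.0.0.1,
# followed by replies that rewrite both ends of the 10.0.0.10 <-> 10.0.0.1
# mapping to a third MAC. All addresses are made up for this example.
GW_MAC, HOST_MAC, ODD_MAC = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:10", "cc:cc:cc:cc:cc:99"
SAMPLE_ARP = [
    ArpPacket(0.00, "request", "10.0.0.10", HOST_MAC, "10.0.0.1", "00:00:00:00:00:00"),
    ArpPacket(0.01, "reply", "10.0.0.1", GW_MAC, "10.0.0.10", HOST_MAC),
    ArpPacket(5.00, "reply", "10.0.0.1", ODD_MAC, "10.0.0.10", HOST_MAC),
    ArpPacket(6.00, "reply", "10.0.0.10", ODD_MAC, "10.0.0.1", GW_MAC),
]


def detect_arp_poisoning(packets, trusted=None):
    """Return (ts, kind, detail) alerts.

    kinds:
      unsolicited     reply with no matching request inside REQUEST_WINDOW
      binding-change  an IP that was bound to MAC A is now announced with MAC B
      multi-ip-mac    one MAC is now the answer for more than one IP
    `trusted` is an optional {ip: mac} table of known-good bindings (for
    example the gateway); other bindings are learned from the traffic itself.
    """
    bindings = dict(trusted or {})
    ips_per_mac = defaultdict(set)
    for ip, mac in bindings.items():
        ips_per_mac[mac].add(ip)
    pending = {}  # (requester_ip, asked_ip) -> timestamp of the request
    alerts = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.op == "request":
            pending[(p.sender_ip, p.target_ip)] = p.ts
        elif p.op == "reply":
            asked = pending.pop((p.target_ip, p.sender_ip), None)
            if asked is None or p.ts - asked > REQUEST_WINDOW:
                alerts.append((p.ts, "unsolicited",
                               f"{p.sender_ip} is-at {p.sender_mac} sent to {p.target_ip} with no request"))
        else:
            continue
        # Both opcodes carry the sender's own IP/MAC pair, so learn from both.
        known = bindings.get(p.sender_ip)
        if known is not None and known != p.sender_mac:
            alerts.append((p.ts, "binding-change",
                           f"{p.sender_ip} moved from {known} to {p.sender_mac}"))
            ips_per_mac[known].discard(p.sender_ip)
        bindings[p.sender_ip] = p.sender_mac
        ips_per_mac[p.sender_mac].add(p.sender_ip)
        if len(ips_per_mac[p.sender_mac]) > 1:
            alerts.append((p.ts, "multi-ip-mac",
                           f"{p.sender_mac} answers for {sorted(ips_per_mac[p.sender_mac])}"))
    return alerts


def summarize(alerts):
    """Count alerts by kind."""
    return dict(Counter(kind for _, kind, _ in alerts))


if __name__ == "__main__":
    for ts, kind, detail in detect_arp_poisoning(SAMPLE_ARP):
        print(f"t={ts:6.2f} {kind:15} {detail}")
```

Two caveats when running this on real traffic: gratuitous ARP at boot or on a failover is an unsolicited reply by design, and a router doing proxy ARP legitimately answers for many addresses, so both need an allowlist. Seeding `trusted` with the gateway's real MAC turns the binding-change check into the one that matters most, since the gateway is the usual target of the forged reply.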
A DHCP attack is done in two phases. In the first phase, the attacker performs a DHCP starvation attack, sending multiple fake DHCP requests and exhausting the IP addresses on the DHCP server. This is a DoS attack that leaves the DHCP server unable to give IP addresses to requesting clients. In the second phase, the attacker introduces a rogue DHCP server into the network, which hands out IP addresses and network configuration whose default gateway is controlled by the attacker. All traffic then starts going through this rogue gateway and the attacker can sniff it.
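Both phases described above have a simple signature from the defender's side: phase one is an abnormal number of distinct client MACs sending DISCOVER in a short window, and phase two is an OFFER or ACK whose server identifier (option 54) is not an authorized server or whose router option (option 3) is not the real gateway. The following added example (not code from the original page) implements both checks over a constructed message log; the authorized server 10.0.0.2, gateway 10.0.0.1, the 20-client/10-second threshold and all addresses are assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpMessage:
    ts: float
    msg_type: str        # DISCOVER, OFFER, REQUEST or ACK (option 53)
    client_mac: str      # chaddr
    server_id: str = ""  # option 54, present on OFFER/ACK
    yiaddr: str = ""     # address being offered or acknowledged
    router: str = ""     # option 3
    dns: str = ""        # option 6


# Inventory the detector trusts; constructed values for this example.
AUTHORIZED_SERVERS = {"10.0.0.2"}
EXPECTED_ROUTER = "10.0.0.1"


def _sample_messages():
    msgs = [
        # A normal lease from the real server.
        DhcpMessage(0.0, "DISCOVER", "aa:aa:aa:aa:aa:10"),
        DhcpMessage(0.1, "OFFER", "aa:aa:aa:aa:aa:10", "10.0.0.2", "10.0.0.50", "10.0.0.1", "10.0.0.2"),
        DhcpMessage(0.2, "REQUEST", "aa:aa:aa:aa:aa:10", "10.0.0.2", "10.0.0.50"),
        DhcpMessage(0.3, "ACK", "aa:aa:aa:aa:aa:10", "10.0.0.2", "10.0.0.50", "10.0.0.1", "10.0.0.2"),
    ]
    # Phase one as the text describes it: a burst of DISCOVERs from 25 different client MACs.
    msgs += [DhcpMessage(100.0 + i * 0.1, "DISCOVER", f"02:00:00:00:00:{i:02x}") for i in range(25)]
    # Phase two: an OFFER from an unlisted server whose router option points at itself.
    msgs.append(DhcpMessage(103.0, "OFFER", "aa:aa:aa:aa:aa:11", "10.0.0.77", "10.0.0.60", "10.0.0.77", "10.0.0.77"))
    return msgs


SAMPLE_DHCP = _sample_messages()


def detect_rogue_servers(messages, authorized=AUTHORIZED_SERVERS, expected_router=EXPECTED_ROUTER):
    """Alert on server-side messages from unknown servers or with an unexpected gateway."""
    alerts = []
    for m in messages:
        if m.msg_type not in ("OFFER", "ACK"):
            continue
        if m.server_id not in authorized:
            alerts.append((m.ts, "unauthorized-server",
                           f"{m.msg_type} from {m.server_id} offered {m.yiaddr} to {m.client_mac}"))
        if m.router and m.router != expected_router:
            alerts.append((m.ts, "unexpected-gateway",
                           f"{m.msg_type} from {m.server_id} sets router {m.router}"))
    return alerts


def detect_starvation(messages, window=10.0, threshold=20):
    """Alert once per burst when >= threshold distinct client MACs send DISCOVER within `window` seconds."""
    discovers = sorted((m.ts, m.client_mac) for m in messages if m.msg_type == "DISCOVER")
    alerts, start, live, in_burst = [], 0, Counter(), False
    for ts, mac in discovers:
        live[mac] += 1
        while ts - discovers[start][0] > window:  # slide the window forward
            old = discovers[start][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            start += 1
        if len(live) >= threshold and not in_burst:
            alerts.append((ts, "dhcp-starvation",
                           f"{len(live)} distinct client MACs sent DISCOVER within {window}s"))
            in_burst = True
        elif len(live) < threshold:
            in_burst = False
    return alerts


if __name__ == "__main__":
    for alert in detect_starvation(SAMPLE_DHCP) + detect_rogue_servers(SAMPLE_DHCP):
        print(alert)
```

Seeing OFFER and ACK messages requires a vantage point on the server side, such as a SPAN port or the switch's DHCP snooping logs. DHCP snooping with the real server on a trusted port, plus port security limiting the MAC addresses per access port, is the corresponding mitigation for both phases.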
MAC Spoofing is a technique where the attacker listens on the network and picks up a legitimate system's MAC address. This MAC address is assigned to the attacker's machine, and the attacker then receives all traffic destined for the spoofed MAC address.
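The MAC flooding technique above and the MAC spoofing technique just described are both visible in the same switch telemetry, the (port, source MAC) pairs the switch learns into its CAM table: flooding shows up as one port presenting far more source MACs than any access port should, and spoofing shows up as a single MAC appearing behind more than one port. The following added example (not code from the original page) runs both checks over a constructed record set in 5-second windows; the port names, the 50-MAC flood threshold and the MAC addresses are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FrameSeen:
    ts: float      # seconds
    port: str      # switch port the frame arrived on
    src_mac: str   # source MAC the switch would learn into its CAM table


def _sample_records():
    recs = []
    # Ordinary activity: two hosts on Gi1/0/1, one host on Gi1/0/2.
    for t in range(5):
        recs.append(FrameSeen(t + 0.0, "Gi1/0/1", "aa:aa:aa:aa:aa:01"))
        recs.append(FrameSeen(t + 0.3, "Gi1/0/1", "aa:aa:aa:aa:aa:02"))
        recs.append(FrameSeen(t + 0.6, "Gi1/0/2", "aa:aa:aa:aa:aa:03"))
    # Flooding pattern from the text: one port presenting 60 source MACs in under a second.
    recs += [FrameSeen(10.0 + i * 0.01, "Gi1/0/7", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
             for i in range(60)]
    # Spoofing pattern from the text: the MAC that lives on Gi1/0/1 also appears on Gi1/0/9.
    recs.append(FrameSeen(20.1, "Gi1/0/1", "aa:aa:aa:aa:aa:01"))
    recs.append(FrameSeen(20.5, "Gi1/0/9", "aa:aa:aa:aa:aa:01"))
    return recs


SAMPLE_FRAMES = _sample_records()


def analyze_mac_activity(records, window=5.0, flood_threshold=50):
    """Tumbling-window analysis of (port, source MAC) sightings.

    Returns (window_start, kind, subject, detail) alerts:
      mac-flood              a port presented >= flood_threshold distinct MACs in one window
      mac-on-multiple-ports  one MAC was seen behind more than one port in one window
    """
    by_window = defaultdict(list)
    for r in records:
        by_window[int(r.ts // window)].append(r)
    alerts = []
    for w in sorted(by_window):
        macs_per_port = defaultdict(set)
        ports_per_mac = defaultdict(set)
        for r in by_window[w]:
            macs_per_port[r.port].add(r.src_mac)
            ports_per_mac[r.src_mac].add(r.port)
        for port, macs in sorted(macs_per_port.items()):
            if len(macs) >= flood_threshold:
                alerts.append((w * window, "mac-flood", port, len(macs)))
        for mac, ports in sorted(ports_per_mac.items()):
            if len(ports) > 1:
                alerts.append((w * window, "mac-on-multiple-ports", mac, sorted(ports)))
    return alerts


if __name__ == "__main__":
    for alert in analyze_mac_activity(SAMPLE_FRAMES):
        print(alert)
```

Uplinks and trunk ports legitimately carry many MACs, and a wireless client roaming between access points will legitimately show up behind two ports in turn, so in practice the checks are applied to access ports only and the thresholds are tuned per port role. Port security, which caps the number of MAC addresses a port may learn and can shut the port when the cap is exceeded, is the switch-side control that prevents the CAM table from filling in the first place.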
Reference
MITRE – Network Sniffing, Technique T1040 – Enterprise | MITRE ATT&CK®