- Capturing data packets on a network using a program or a device.
- Can enable Wi-Fi (wireless, WLAN) and Ethernet (wired, LAN) connection.
- Can be a NIC (Network interface card)
- Physical card that connects to an expansion slot in a computer
- Modern systems has usually an integrated network adapter (e.g. on motherboard).
- As default it discards messages that's not destined to it
- See promiscuous mode for the opposite behavior.
- Allows sniffing the packets after connecting to an access point
- 📝 Network interface controller pass all traffic it receives, rather than only destined ones.
- Works on both wired and wireless connections
- See also • libpcap | Sniffing tools • Turning on promiscuous mode | Wireshark
- Allows sniffing the packets in the air without connecting (associating) with any access point.
- ❗ Wireless connection only
- Does not require any packets to be sent
- Monitors and captures incoming packets
- Used in networks which use hubs i.e. shared ethernets
- A hub forwards every frame to all ports but the sources filters
- Require a packet to have a source and destination addresses in order to be sent to its destination
- Used in networks which use switches i.e. switched ethernets
- A switch maps MAC addresses into ports, based on source addresses
- A switch operates at data link layer (2) to forward data to MAC addresses
- Some switches can run on network layer (3) with additional routing functionality.
- Also known as layer-3 switches, or multilayer switches.
- Some switches can run on network layer (3) with additional routing functionality.
- E.g.
- Port mirroring where each packet is also sent to a port that attacker listens to
- Lawful interception where electronic surveillance on a target is authorized by a judicial or administrative order.
- Used on a network switch
- Sends copy of network packets seen on one switch port (or an entire VLAN) to another port
- Often used in Intrusion Detection Systems.
- Also known as span port
- In Cisco system, it's commonly referred as Switched Port Analyzer (SPAN)
- See also STP attack for an exploitation
- Packet sniffing programs
- Designed to capture packets that contain information such as passwords, router configuration, traffic.
- 📝 Works at data link layer (2) of the OSI model where MAC addresses work
- It may then translate frames to higher level packets.
- Allows attackers to access the network traffic from a single point.
- Turns the network adapter into promiscuous mode or monitor mode
- Also known as telephone tapping or wire tapping
- Monitoring of telephone and Internet-based conversations by a third party.
- Legal wiretapping by a government agency is also called lawful interception (LI)
- Active wiretapping: Alters communication by e.g. interjecting something.
- Passive wiretapping: Only monitors or records the traffic.
- 🤗 NSA wiretaps Internet going through using out-of-band signaling with their tool called PRISM
- Out-of-band vs In-band signaling
- In-Band signaling: Method where signalling is sent over the voice/data circuit.
- Out-of-band signaling: Data transmission through different channels (or frequencies) than normal ones.
- Restrict the physical access to the network media
- 📝 Encryption is, by far, the best option.
- E.g. • SSH instead of Telnet • Secure Copy (SCP) instead of FTP • SSL for email connection • HTTPS instead of HTTP • SFTP instead of FTP • WPA2 or WPA3 for wireless traffic
- See also encrypting communication
- 📝 Use Access Control Lists (ACLs) on router/firewall to only allow authorized devices/IP ranges.
- Permanently add the MAC address of the gateway to the ARP cache.
- Use static IP addresses and static ARP tables
- Use switch instead of hub as switch delivers data only to the intended recipient.
- Use • PGP and S/MIPE • VPN • IPSec • SSL/TLS • Secure Shell (SSH) • One-time passwords (OTP).
- Retrieve MAC directly from NIC instead of OS to prevent MAC address spoofing.
- Use tools to determine if any NICs are running in the promiscuous mode.