Unveiling the Secrets of Sniffing Attacks: Techniques, Detection, and Defense
Unveiling the Threat: Sniffing Attacks and ARP Poisoning
Sniffing attack
Sniffing is the process of capturing and monitoring the data packets passing through a network using a network sniffer. By sniffing a network, an attacker can observe all kinds of traffic, protected or unprotected, and use what is collected for further attacks such as session hijacking, DoS attacks, and man-in-the-middle (MITM) attacks. Note that sniffers are not hacking tools in themselves; they are diagnostic tools normally used for observing a network and troubleshooting issues.
How does an attacker perform this attack? They enable promiscuous mode on the connected network interface, which makes it capture all traffic on the segment, even traffic that is not addressed to that interface. An attacker can capture packets such as syslog traffic, DNS traffic, web traffic, email, and other kinds of data flowing across the network. From these packets, the attacker can recover information such as data, usernames, and passwords from protocols that carry them in the clear, such as HTTP, POP, IMAP, SMTP, NNTP, FTP, Telnet, and rlogin.
There are two types of sniffing:
- Passive sniffing
- Active sniffing
Passive sniffing: the type of sniffing in which the attacker does not need to send any additional packets or interfere with the network device. On a hub, for example, every frame is repeated to every port, so a listening interface already receives all the traffic.
Active sniffing: the type of sniffing in which the attacker has to send additional packets to the connected device, such as a switch, before it starts receiving the traffic. A switch only forwards a frame to the port that owns its destination MAC address, so the attacker uses techniques such as MAC flooding, DHCP attacks, DNS poisoning, switch port stealing, ARP poisoning, and spoofing to get the traffic passing through the switch sent to their own port.
In my next post, I will be talking about these techniques. Stay connected.
ARP POISONING
ARP stands for Address Resolution Protocol. It is a stateless protocol used within a broadcast domain to make communication possible by resolving an IP address to its MAC address, that is, by discovering the link-layer address that belongs to a network-layer address.
How does ARP send a request?
ARP broadcasts a request packet to all machines on the LAN, asking which of them is using a particular IP address. When a machine recognizes the IP address as its own, it sends a reply, so the requester can update its ARP cache for future reference and proceed with the communication.
ARP spoofing attack.
In ARP spoofing, the attacker sends forged ARP packets over the Local Area Network (LAN). In this case, the switch will associate the attacker's MAC address with the IP address of a legitimate user or server. Once the attacker's MAC address has been learned against the IP address of a legitimate user, the switch starts forwarding packets to the attacker, treating it as the MAC address of the user.
Using an ARP spoofing attack, an attacker can steal information by extracting it from packets received over the LAN that were intended for another user. It can also be used for session hijacking, DoS attacks, man-in-the-middle attacks, packet sniffing, and data interception.
To carry out this attack, the attacker first configures their Kali machine to forward IP packets with the command echo 1 > /proc/sys/net/ipv4/ip_forward. This is done so that the captured packets are forwarded on to their correct destination; otherwise the communication between the victim hosts would break, and the attack would no longer go undetected on the network.
After this configuration, the attacker starts the attack with the syntax arpspoof -i eth0 -t 192.168.43.124 -r 192.168.43.123
Once the command above is running, the attacker can start Wireshark to capture all the packets intended for the IP addresses chosen for ARP poisoning.
Sniffing Detection Techniques.
There are three approaches one can adopt to detect sniffing attacks. They are:
- Ping method
The ping technique is used to detect sniffers. A ping request is sent to the suspected IP address in a frame with a spoofed (non-matching) MAC address. If the NIC is not running in promiscuous mode, it discards the frame and the host does not respond; if the host is running a sniffer with the NIC in promiscuous mode, the frame is passed up the stack and the host responds. This method is not reliable, although some organizations still use it.
- ARP method
ARP can be used to detect sniffers with the help of the ARP cache. A non-broadcast ARP packet is sent to the suspect; if its NIC is running in promiscuous mode, the sender's MAC address is cached. The next step is to send a broadcast ping with a spoofed MAC address. A machine running in promiscuous mode will reply to it, because it has already learned the actual MAC address from the sniffed non-broadcast ARP packet.
- Using the Promiscuous detection tool
Promiscuous detection tools such as PromqryUI or Nmap can be used to detect a Network Interface Card (NIC) running in promiscuous mode. These tools are GUI-based applications.
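A host-based complement to the remote probes above, added here as an example and not part of the original post: on Linux, the kernel exposes each interface's flags word under /sys/class/net, and bit 0x100 (IFF_PROMISC) is set while any program holds the interface in promiscuous mode. The same state shows up as PROMISC in the output of ip link show. The script below checks both sources. The ip link text it parses is a constructed sample, and the sysfs path and flag value are assumptions about a Linux host; on any other system the sysfs check simply returns an empty list.

```python
# Added example: detect local interfaces in promiscuous mode (not code from the post).
# Assumes the Linux sysfs layout and the IFF_PROMISC bit value from linux/if.h.
import glob
import os
import re
from typing import List

IFF_PROMISC = 0x100  # bit 8 of the interface flags word (linux/if.h)

# Constructed sample of `ip link show` output: eth0 is in promiscuous mode, the others are not.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
"""

# Matches the header line of each interface: "2: eth0: <BROADCAST,...>" (also "eth0@if5: <...>").
IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)[^<]*<(?P<flags>[^>]*)>", re.M)


def promisc_from_flags(flags: int) -> bool:
    """True if the IFF_PROMISC bit is set in an interface flags value."""
    return bool(flags & IFF_PROMISC)


def promiscuous_interfaces_sysfs(root: str = "/sys/class/net") -> List[str]:
    """Interfaces whose <root>/<iface>/flags has IFF_PROMISC set; [] where sysfs is absent."""
    found = []
    for path in glob.glob(os.path.join(root, "*", "flags")):
        try:
            with open(path) as fh:
                flags = int(fh.read().strip(), 16)  # sysfs prints the flags in hex, e.g. 0x1103
        except (OSError, ValueError):
            continue
        if promisc_from_flags(flags):
            found.append(os.path.basename(os.path.dirname(path)))
    return sorted(found)


def promiscuous_interfaces_from_ip_link(output: str) -> List[str]:
    """Parse `ip link show` text and return the interfaces carrying the PROMISC flag."""
    return [m.group("name") for m in IP_LINK_RE.finditer(output)
            if "PROMISC" in m.group("flags").split(",")]


if __name__ == "__main__":
    # On a Linux host the first list reflects the live interfaces; the second parses the sample.
    print("sysfs:", promiscuous_interfaces_sysfs())
    print("ip link sample:", promiscuous_interfaces_from_ip_link(SAMPLE_IP_LINK))
```

Run this periodically from a monitoring agent and alert when the list is non-empty on a host that has no legitimate reason (such as a packet-capture appliance or a virtual switch uplink) to have an interface in promiscuous mode. Unlike the ping and ARP probes, it needs no spoofed traffic and gives a definite answer, but only for the host it runs on.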
Defending against sniffing.
Best practice against sniffing includes applying the following measures to protect network traffic.
- Use HTTPS instead of HTTP
- Use SFTP instead of FTP
- Use a switch instead of a hub
- Configure port security
- Configure DHCP snooping
- Configure dynamic ARP inspection
- Use a sniffing detection tool to detect a NIC functioning in promiscuous mode
- Use strong encryption protocols
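The forged-reply scenario from the ARP spoofing section and the dynamic ARP inspection control listed above can be shown together. The Python below is an added example, not code from the post: it parses raw Ethernet/ARP frames and models what dynamic ARP inspection does on a switch, forwarding an ARP packet from an untrusted port only when its sender IP/MAC pair matches a trusted binding table (on a real switch, built by DHCP snooping) and its ARP sender MAC matches the Ethernet source MAC. The frames, MAC addresses and bindings are constructed sample data; the two IP addresses are the ones used in the arpspoof example earlier on the page.

```python
# Added example: parse Ethernet/ARP frames and model dynamic ARP inspection (DAI).
# Not code from the post; all frames, MACs and bindings below are constructed sample data.
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpPacket:
    eth_src: str      # source MAC from the Ethernet header
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # ARP sender hardware address (what receivers would cache)
    sender_ip: str    # ARP sender protocol address
    target_mac: str
    target_ip: str


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(opcode: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Build a 42-byte Ethernet II frame carrying an Ethernet/IPv4 ARP packet (sample data)."""
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    ethernet = _mac_bytes(eth_dst) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, opcode
           + _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
           + _mac_bytes(target_mac) + _ip_bytes(target_ip))
    return ethernet + arp


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Decode an ARP frame; return None for anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(_mac_str(frame[6:12]), opcode,
                     _mac_str(frame[22:28]), _ip_str(frame[28:32]),
                     _mac_str(frame[32:38]), _ip_str(frame[38:42]))


class ArpInspector:
    """Model of dynamic ARP inspection. ARP arriving on an untrusted port is forwarded
    only if the ARP sender MAC equals the Ethernet source MAC and the sender IP/MAC pair
    matches the trusted binding table (on a switch, the DHCP snooping database)."""

    def __init__(self, bindings: Dict[str, str]):
        self.bindings = bindings        # ip -> mac
        self.alerts: List[str] = []

    def inspect(self, frame: bytes, port_trusted: bool = False) -> bool:
        """Return True if the frame may be forwarded, False if it must be dropped."""
        pkt = parse_arp_frame(frame)
        if pkt is None or port_trusted:
            return True                 # non-ARP traffic and trusted uplinks are not inspected
        if pkt.eth_src != pkt.sender_mac:
            self.alerts.append(f"drop: Ethernet src {pkt.eth_src} != ARP sender {pkt.sender_mac}")
            return False
        expected = self.bindings.get(pkt.sender_ip)
        if expected != pkt.sender_mac:
            self.alerts.append(f"drop: {pkt.sender_ip} is bound to {expected}, frame claims {pkt.sender_mac}")
            return False
        return True


def demo() -> Tuple[List[bool], List[str]]:
    """Run a legitimate reply and a forged one through the inspector; return verdicts and alerts."""
    victim, server, attacker = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "de:ad:be:ef:00:99"
    bindings = {"192.168.43.124": victim, "192.168.43.123": server}   # assumed DHCP snooping bindings
    dai = ArpInspector(bindings)
    legit = build_arp_frame(ARP_REPLY, server, "192.168.43.123", victim, "192.168.43.124")
    forged = build_arp_frame(ARP_REPLY, attacker, "192.168.43.123", victim, "192.168.43.124")
    verdicts = [dai.inspect(legit), dai.inspect(forged)]
    return verdicts, dai.alerts


if __name__ == "__main__":
    print(demo())
```

The same validator can be fed frames from a capture on a monitoring port to audit ARP traffic on a segment where the switch does not support DAI. The binding table is the whole point of the control: without a trusted source of IP-to-MAC pairs (DHCP snooping, or static entries for hosts with fixed addresses), there is nothing to compare the ARP reply against, which is why the two defenses appear together in the list above.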
By Nwarienne, Cybersecurity Expert and Data Protection Advocate