Chapter 9: Sniffers Flashcards Preview


Flashcards in Chapter 9: Sniffers Deck (34):

Sniffers (not a hacking tool)

used to capture & scan traffic moving across a NW (captures packets)


For effective Sniffing, switch interface to: Promiscuous mode

doesn't discriminate between traffic, captures ALL traffic


Active vs Passive Sniffing

ACTIVE - traffic is monitored & possibly altered

PASSIVE - traffic is only monitored


HW protocol Analyzers

Besides sniffers, there are HW protocol analyzers which plug directly into the NW at the HW level & can monitor traffic w/ out manipulating traffic

Not easily accessible by ethical hackers & are extremely pricey


Lawful Interception (LI)

aka Wiretapping; legally sanctioned access to communications NW data such as telephone calls or e-mail msgs


How successful sniffing is depends on

the inherent insecurity of certain NW protocols;

TCP/IP, Telnet/rlogin keystrokes, HTTP, SMTP (transfer of email), NNTP (Network News Transfer Protocol - all communication, including PWs & data, sent in the clear), POP (Post Office Protocol; retrieving mail from a server), FTP, IMAP (Internet Message Access Protocol - like SMTP)


In terms of LI, sniffing process is looked at as having 3 components

1) IAP (Intercept Access Point) - where info is gathered for the LI

2) Mediation device supplied by a 3rd party that handles information processing

3) Collection function that stores & processes info intercepted by the 3rd party


Wireshark filter breakdown

Example ip.addr ==

First is the protocol, next is the field, then operator, then the value

ne means NOT EQUAL

eq means EQUAL


Wireshark CLI (command-line interface) tools (don't need to memorize)

1) tshark //cmd line version of Wireshark (like TCPdump)

2) dumpcap //capture traffic

3) capinfos //reads capture & returns stats

4) editcap //edits or translates the format of captured files

5) mergecap //combines multiple capture files into one

6) text2pcap //creates a capture file from an ASCII hexdump of packets


tcpdump

//cmd based sniffer; native to Linux, but its equivalent for Windows is WinDump

tcpdump //allows you to start capturing packets from lowest NIC

tcpdump -w tel_capture.log //saves the capture into tel_capture.log


Switched Network Sniffing

A wired switch doesn't allow you to sniff the whole NW; each switchport is a collision domain, so traffic within the switch doesn't travel between ports (traffic is separate on each switchport)


MAC Flooding

Most common method for enabling sniffing on a switch is to turn it into a device that no longer switches traffic per port. We want to convert it to a hub-like environment

A switch keeps track of MAC addresses received by writing them to a content addressable memory (CAM) table;

If a switch is flooded with MAC addresses, it may overwhelm the switch's ability to write its own CAM table; in turn this makes the switch fall back to behaving like a giant hub

Tool: Macof


CAM table

Content Addressable Memory table with a fixed size that stores information such as the MAC address of each client, the port they are attached to, & any VLAN info;

A CAM table is used by the switch to get traffic to its destination; on older switches, flooding it would cause the switch to fail "open" & act as a hub, and the flood would spill over, affecting adjacent switches

Must maintain the flood to keep the switch acting as a hub; if flooding stops, the timeouts set on the switch will start clearing out the CAM table entries, allowing the switch to return to normal operation

(in newer switches, the success rate of mac flooding is much lower)


Overflowing a CAM table using Ubuntu

Standard repositories store the tools needed for a successful attack; obtained with aptitude

1) su to root
2) aptitude install dsniff //install DSNIFF (include Macof)
3) enter cmd: macof //will start flooding CAM table
4) Ctrl +Z to stop


ARP Poisoning

Address Resolution Protocol poisoning //attempts to contaminate the NW w/ improper gateway mappings

What ARP does is map IP addresses to specific MAC addresses, thereby allowing switches to know the most efficient path for data being sent

CON: ARP has no prerequisites for its sending or receiving process; ARP broadcasts are free to roam the NW at will;

PRO: Attacker takes advantage of this open traffic concept by feeding incorrect ARP mappings to the gateway itself or to the hosts on the NW

Tools: Ettercap, Cain & Abel, Arpspoof


IP DHCP snooping feature

Some switches have IP DHCP Snooping feature that verifies MAC-to-IP mappings & stores valid mappings in a DB


Sniff a public NW

so much ARP traffic will appear that you will see new machines hopping on and off


MAC spoofing

when an attacker changes their MAC address to the MAC address of an existing authenticated machine already on the NW

Not a technique used for NW-side sniffing, but gives unauthorized access onto NW w/ out much effort


Port security

low-level security that allows a specific # of MAC addresses to attach to a switchport; if this is enabled, it makes MAC spoofing easier


Port Mirror or SPAN port

This technique is through physical means; here you need physical access to the switch & use port mirroring or Switched Port Analyzer (SPAN)

This technique sends a copy of every NW packet encountered on one switchport or a whole VLAN to another port where it may be monitored

Used to monitor traffic for diagnostic purposes or implementing devices such as NIDS (NW intrusion detection systems)


5 Defenses against attacks for Switches & WAP

1) Use a hardware-switched NW for the most sensitive portions of your NW in an effort to isolate traffic to a single segment or collision domain

2) Implement IP DHCP Snooping on switches to prevent ARP-poisoning & spoofing attacks

3) Implement policies preventing promiscuous mode on NW adapters

4) Be careful when deploying wireless access points, knowing that all traffic on the wireless NW is subject to sniffing

5) Encrypt your sensitive traffic using an encrypting protocol such as SSH or IPSec


6 ways to harden your NW against sniffing

1) Static ARP entries (preconfiguring a device w/ the MAC address)

2) Port Security - used by switches that have the ability to be programmed to allow only specific MAC addresses to send & receive data from each port; can specify max # of MAC addresses switchport can learn

3) IPv6 instead of IPv4 (IPv6 has more security options)

4) Replacing protocols such as FTP & Telnet w/ SSH (or if SSH is not avail, use IPsec)

5) VPNs can provide an effective defense against sniffing due to their encryption

6) SSL with IPsec


What is SSH?

Secure Shell; used to tunnel data (encrypt) & securely get access to a remote computer; widely used by NW admins to control servers and web servers remotely


What is SSL?

Secure Sockets Layer that encrypts data to keep prying eyes from altering traffic or seeing it


Each switchport represents a

collision domain, therefore limiting sniffing to only the clients residing on that port


Wireless access points function as a

HUB in which they do not segregate traffic as a traditional wired switch does


MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?

A reverse ARP request maps to two hosts


What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts

ARP poisoning; the attacker maps all traffic to the attacker's interface before traveling to proper destination


Cain and Abel is known for

ARP poisoning, password cracking, and sniffing


Which cmd launches a CLI (command line interface) version of Wireshark?

tshark

Using TCPdump, what is the command used to save the capture for later review & what is the command to read the capture

tcpdump -w capture.log //save
tcpdump -r capture.log //read


What is the generic syntax of a Wireshark filter?

protocol.field operator value, e.g. (TCP.PORT == 23)


Tiffany is analyzing a capture from a client's NW; she is interested in NetBIOS traffic. What port does Tiffany filter for?

(TCP.PORT eq 139)

Port 139


What device will limit the traffic to one port and what device will not?

A switch will; a hub will not