
[Part 1] - Networking Sniffing and How to Defend Against It


By: Antr4ck

April 7, 2016

One of the first dangers on a network is that people can read content that is not intended for them. On a network operating in broadcast mode (WiFi, or Ethernet through a hub), anyone can read everyone's packets. On Ethernet, a network card in promiscuous mode stops filtering out frames whose destination MAC address does not match its own, so the host receives all of them.

The Risks

Here is a very short list of information that circulates on the network:
  • SMTP, POP, IMAP email content
  • POP, IMAP, HTTP Basic, Telnet passwords
  • HTTP: content of access-restricted pages
  • SMB, NFS, FTP: File Contents
  • SQL: table contents
All of this can be read off the wire without ever breaking into a system. We must not forget that many people use the same password everywhere.

How a Sniffer Works

On a hub or on WiFi there is nothing special to do. One can also sniff on a router or gateway.

In the case of a switch it is a little different. You should know that switches send frames whose destination MAC address is not listed in their address table out to every port, as if they were broadcast (this is often configurable). One can impersonate another machine while the switch updates its MAC address table and act as a bridge (so as not to cut the original machine off the network). An easier technique is to overwhelm the switch by flooding it with frames, since the switch's table has a limited size; once it is full, the switch ends up behaving like a hub. This technique creates a sharp rise in traffic load. One can also forge an ARP request that redefines the default gateway for the machines on the switch (see dsniff, http://naughty.monkey.org/~dugsong//dsniff/). Finally, there are other basic techniques if one has physical access to the switch (port monitoring).

As you know, sniffing can also be used to detect suspicious network traffic.

How to Detect Sniffing

Since this technique is passive, it is quite difficult to detect. You can tell whether a network card is in promiscuous mode, because such cards accept frames sent to MAC addresses that do not exist on the network. Forge an ARP request whose Ethernet destination is a fake, non-broadcast MAC address: a card in promiscuous mode will not filter the frame, and the kernel will answer the ARP request anyway. This technique does not work if the machine in promiscuous mode has no IP address or if it is not reachable with ARP requests.

In the case of ARP spoofing, a tool like arpwatch will log and show all suspicious ARP requests immediately.

The best solution is still to encrypt your communications (HTTPS, SSH, VPN...). Thanks, and I hope this will be helpful to you.
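The promiscuous-mode probe described under How to Detect Sniffing, as an added example that is not part of the original article: it builds an ARP request whose Ethernet destination is a bogus unicast MAC and checks whether the probed host answers. The interface name, MAC and IP addresses are placeholders, and the optional send loop assumes Linux raw sockets.

```python
# Added example (not from the original article). Builds the ARP probe the text
# describes: an ARP request for a host's IP whose *Ethernet* destination is a
# bogus unicast MAC instead of ff:ff:ff:ff:ff:ff. A card in normal mode drops the
# frame in hardware; a card in promiscuous mode passes it up and the kernel
# answers the ARP request anyway, which gives the sniffing host away.
import socket
import struct

BOGUS_DST_MAC = "ff:ff:ff:ff:ff:fe"  # not broadcast and not any real card


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_probe(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Ethernet II frame + ARP request (opcode 1), addressed to BOGUS_DST_MAC."""
    eth = mac_bytes(BOGUS_DST_MAC) + mac_bytes(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # htype, ptype, hlen, plen, op
    arp += mac_bytes(src_mac) + socket.inet_aton(src_ip)  # sender MAC / IP
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)  # target MAC unknown / IP
    return eth + arp


def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) if frame is an ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!H", frame[20:22])[0] != 2:  # opcode 2 = reply
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return mac, socket.inet_ntoa(frame[28:32])


def answered_probe(frame: bytes, target_ip: str) -> bool:
    """True when target_ip replied to a probe a non-promiscuous card never sees."""
    parsed = parse_arp_reply(frame)
    return parsed is not None and parsed[1] == target_ip


if __name__ == "__main__":
    # Linux only, needs CAP_NET_RAW; "eth0" and the addresses are placeholders.
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0806))
    s.bind(("eth0", 0))
    s.settimeout(2)
    s.send(build_probe("00:11:22:33:44:55", "192.0.2.10", "192.0.2.20"))
    try:
        while not answered_probe(s.recv(2048), "192.0.2.20"):
            pass
        print("192.0.2.20 answered the bogus-MAC probe: suspect promiscuous mode")
    except socket.timeout:
        print("no answer from 192.0.2.20")
```

As the article notes, a host with no IP address or one that does not answer ARP at all will not be caught this way.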