In this post, we are going to see a simple and easy way to detect a network sniffer, or Man In The Middle, who is intercepting our network and can sniff our password over the network. This is a basic and simple way to do a basic check for any interception inside your network. It should be noted that this is not enough to check these types of network attacks, but this can come in handy when you are dealing with some script kiddie who is just using some script and doesn't know anything about what he is doing.
What You Need To Know
You need to know about the basics of networking. And apart from this, I will tell you every step and will give you info about the command we are going to use.
Steps For Detecting an MITM Attack
Before checking for the network interception, I am going to capture a plaintext password to show you that we are intercepting the network, so that we can see if this method actually works or not.
1. So first, I will start intercepting my network as shown below.
2. Now, I will capture a plaintext password. This will tell us that our network is being watched.
As we can see above, we got the plaintext password of our victim. Now, suppose you are a victim and don't know if someone is inside your network and capturing your credentials. You want to make sure your network is secure, so we will do a quick check to detect the sniffer.
Detecting the Sniffer
1. I will use a simple technique to detect the sniffer. To do this, open your terminal and type nmap -sn --script=sniffer-detect 192.168.0.102
Command We Used Above
"sn" This command is for "ping" scan, but it will not necessarily do a ICMP request.
"--script" This will tell nmap to run a script. In this case, it was "sniffer-detect."
"sniffer-detect" This was the script name that we used for detecting the sniffer.
"192.168.0.108" This is the target network which may be compromised. In this case, this may not always work, so you can also scan the whole network by adding /24 after the gateway address. For example, in this case, it would be 192.168.0.1/24.
2. Now, nmap will do the scan and will report to you if your network is in in promiscuous mode. As we can see below, nmap has found the sniffer inside our network.
As I said above, this is not enough to check these types of network attacks but, this can come handy when you are dealing with some script kiddie who is just using some script and doesn't know anything about what he is doing. So in our upcoming post, I will cover some other ways to detect network sniffers.