Hi. Welcome back to the course. In the last module we finished up our discussion on malware, so we talked about things like viruses, worms and Trojans.
In Module six we're going to talk about sniffing.
So sniffing is essentially scanning a network and capturing traffic from that network. We're capturing packets so we can see what's inside those packets.
There are two forms of sniffing. We've got passive, where we're just listening to the traffic, and then we've got active, where we're monitoring and listening but we might also alter the information.
So several different protocols are pretty easy to sniff. Telnet keystrokes can be easily sniffed, so you could gather things like usernames and passwords. HTTP is actually designed to send in clear text, so we can read what's in it. SMTP, or Simple Mail Transfer Protocol, has no protection against sniffing built into it,
and NNTP, or Network News Transfer Protocol, sends in clear text.
The same with POP, Post Office Protocol: you can harvest passwords and usernames. FTP, or File Transfer Protocol, sends in clear text as well, and then IMAP, Internet Message Access Protocol, is similar to SMTP. So basically there's no protection against sniffing in any of these.
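To make the clear-text point concrete, here is an added example that is not part of the course or its labs: it parses Ethernet/IPv4/TCP frames the way a sniffer would and pulls usernames and passwords out of FTP, POP3, HTTP Basic, SMTP AUTH PLAIN, IMAP and Telnet payloads. The frames, addresses and credentials are constructed inline so it runs offline; the port-to-protocol mapping is the standard one, and the function names are mine.

```python
import base64
import re
import socket
import struct

ETH_IPV4 = 0x0800
PROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame (no checksums, but enough to parse)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return src/dst/ports/payload for a TCP-over-IPv4 frame, else None."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[data_offset:]}


def extract_credentials(dport, payload):
    """Return (field, value) pairs found in a clear-text application payload."""
    text = payload.decode("latin-1")
    found = []
    if dport in (21, 110):  # FTP and POP3 both use USER / PASS commands
        for m in re.finditer(r"^(USER|PASS) (\S+)\r?$", text, re.M | re.I):
            found.append((m.group(1).upper(), m.group(2)))
    elif dport == 80:  # HTTP Basic auth is base64: encoding, not encryption
        m = re.search(r"^Authorization: Basic (\S+)", text, re.M)
        if m:
            user, _, password = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
            found += [("USER", user), ("PASS", password)]
    elif dport == 25:  # SMTP AUTH PLAIN carries base64("\0user\0password")
        m = re.search(r"^AUTH PLAIN (\S+)", text, re.M)
        if m:
            _, user, password = base64.b64decode(m.group(1)).decode("latin-1").split("\0")
            found += [("USER", user), ("PASS", password)]
    elif dport == 143:  # IMAP: "<tag> LOGIN user password"
        m = re.search(r"^\S+ LOGIN (\S+) (\S+)", text, re.M)
        if m:
            found += [("USER", m.group(1)), ("PASS", m.group(2))]
    elif dport == 23:  # Telnet: every keystroke travels as a readable byte
        found.append(("KEYSTROKES", text))
    return found


def harvest(frames):
    """Sniff a list of frames and return (dport, src_ip, field, value) tuples."""
    results = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        for field, value in extract_credentials(pkt["dport"], pkt["payload"]):
            results.append((pkt["dport"], pkt["src"], field, value))
    return results


# Constructed sample traffic (not a real capture); the last frame is TLS for contrast.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"USER alice\r\nPASS s3cret\r\n"),
    build_frame("10.0.0.5", "10.0.0.21", 40002, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    build_frame("10.0.0.6", "10.0.0.25", 40003, 25,
                b"AUTH PLAIN " + base64.b64encode(b"\0carol\0mailpw") + b"\r\n"),
    build_frame("10.0.0.7", "10.0.0.30", 40004, 143, b"a001 LOGIN dave imappw\r\n"),
    build_frame("10.0.0.9", "10.0.0.40", 40006, 23, b"root\r\n"),
    build_frame("10.0.0.8", "10.0.0.31", 40005, 443, bytes.fromhex("160301")),  # TLS: opaque
]

if __name__ == "__main__":
    for hit in harvest(SAMPLE_FRAMES):
        print(hit)
```

The TLS frame on port 443 produces nothing, which is the whole argument for the encryption defense later in the module: the same parser sees the bytes but there is nothing readable to harvest.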
So there are several different sniffing tools. Wireshark is probably the most popular one on the market now, but there are some other ones you can use as well.
This is a quick screen capture of Wireshark. We will be using it in the actual lab for this module, but I just want to show you what it looks like.
So we have different display filters for Wireshark, and you'll just want to memorize this stuff for your exam. The equals operator (== or eq) is pretty straightforward. The not-equals operator (!= or ne) you might have to memorize; the first form is easy, but the lowercase ne you may forget what it means.
And then there's also the operator contains, which matches when the field contains a specified value.
You'll also want to know the command-line interface tools for the Certified Ethical Hacker exam. So again, a little more memorization of what types of command-line tools there are.
tcpdump is another tool; this is just a screenshot of it. It actually works similar to Wireshark, it just doesn't have a GUI.
WinDump is another one.
And then also NetWitness NextGen, and this one's popular with a lot of federal law enforcement.
So SecTools.org is actually a good website. It's not specifically for sniffing; it talks about some sniffing tools, but a lot of security tools in general. So if you're newer to the industry, this is a good website to go to, to get some information on the different tools that are out there, which ones are the more popular, a little bit about where you can get them from, and
information about how they function.
So again, that's sectools.org, quote unquote "security tools".
It's just a listing they come out with every so often of the top tools that are in use in the industry.
So MAC flooding. Newer switches are pretty much immune to this in most capacities, but the goal here is to get the switch to act like a hub. Essentially we want it to fail open, so it allows us to do whatever we want.
What the attack does is flood the switch with MAC addresses, so the switch is then unable to write to its own CAM table, or content addressable memory table. If you're not familiar with that, the CAM table is where the switch normally writes each MAC address it sees and says, OK, this MAC address lives on this port. Once the table is full, the switch can't learn any more addresses, so frames for addresses it doesn't know get flooded out every port, which is what a hub does.
So again, as I mentioned, this is not seen a whole lot with newer switches. It's mostly older switches that you see it with, simply because of the security features newer ones have in place.
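Here is an added example, a toy model rather than course material, of why a full CAM table makes a switch behave like a hub, and of the port-security feature that newer switches use to stop it. The switch class, port numbers, table capacity and the port-security limit are assumptions made for the simulation; a real CAM table binds MAC addresses to ports and ages entries out, which is why a flooding tool has to keep sending.

```python
import random


class ToySwitch:
    """Learning switch with a bounded CAM table (MAC address -> port).

    When the table is full the switch cannot learn new source MACs, so frames
    to any address it has not learned are flooded out every port, exactly the
    hub behaviour a MAC-flooding attacker wants. Sizes here are assumptions.
    """

    def __init__(self, ports, cam_capacity, port_security_max=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}                                  # mac -> port
        self.port_security_max = port_security_max     # None disables port security
        self.macs_per_port = {p: set() for p in self.ports}
        self.err_disabled = set()

    def forward(self, in_port, src_mac, dst_mac):
        """Process one frame and return the set of egress ports."""
        if in_port in self.err_disabled:
            return set()
        # Port security: more distinct source MACs than allowed -> err-disable the port.
        if self.port_security_max is not None:
            self.macs_per_port[in_port].add(src_mac)
            if len(self.macs_per_port[in_port]) > self.port_security_max:
                self.err_disabled.add(in_port)
                return set()
        # Learn the source MAC only while the CAM table has room.
        if src_mac not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port
        # Known destination -> single port; unknown -> flood (fail open).
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        return {p for p in self.ports if p != in_port and p not in self.err_disabled}


def random_mac(rng):
    """Locally administered random MAC, like a flooding tool would generate."""
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def run_flood(port_security_max=None, frames=200, seed=1):
    """Attacker on port 3 floods bogus MACs before hosts A (port 1) and B (port 2)
    talk; real tools keep flooding so aged-out entries never get re-learned."""
    rng = random.Random(seed)
    sw = ToySwitch(ports=[1, 2, 3], cam_capacity=100, port_security_max=port_security_max)
    host_a, host_b = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    for _ in range(frames):
        sw.forward(3, random_mac(rng), random_mac(rng))
    sw.forward(1, host_a, host_b)   # A tries to get learned
    sw.forward(2, host_b, host_a)   # B tries to get learned
    return {
        "cam_full": len(sw.cam) >= sw.cam_capacity,
        "attacker_port_disabled": 3 in sw.err_disabled,
        "b_to_a_egress": sw.forward(2, host_b, host_a),
    }


if __name__ == "__main__":
    print("no defence:    ", run_flood())
    print("port security: ", run_flood(port_security_max=1))
```

Without port security the B-to-A frame leaves on ports 1 and 3, so the attacker on port 3 sees a conversation it should never see; with a limit of one MAC per port the attacker's port is err-disabled after its second bogus source address and the frame goes only to port 1.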
ARP poisoning, or Address Resolution Protocol poisoning. Basically we're trying to contaminate the network with improper gateway mappings. ARP maps IP addresses to the actual MAC addresses, and we're trying to poison that with falsified replies. So I want to say that this MAC address is actually with this IP address, just so we can confuse it.
So again, the attacker feeds the other hosts, and even the gateway, these incorrect mappings to try to take control. We can use different tools for that, like Ettercap, Cain & Abel and arpspoof.
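The following is an added example, not from the course or from any of the tools named above. It builds ARP replies the way a poisoning tool does, then checks each reply against a trusted IP-to-MAC binding table, which is the idea behind Dynamic ARP Inspection (DAI) with a DHCP snooping database, and also flags mappings that change, the way arpwatch does. The MAC addresses (IANA documentation range), IPs and binding table are constructed for the example.

```python
import struct

ETH_ARP = 0x0806


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP reply (opcode 2). A poisoner puts the
    gateway's IP in sender_ip and its own MAC in sender_mac."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not ARP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}


class ArpInspector:
    """Checks ARP replies against a trusted IP->MAC table (what DHCP snooping
    would have built) and flags mappings that change (arpwatch style)."""

    def __init__(self, trusted_bindings):
        self.bindings = dict(trusted_bindings)
        self.seen = {}

    def inspect(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != 2:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        expected = self.bindings.get(ip)
        if expected is not None and expected != mac:
            return ("DROP", f"{ip} claimed by {mac}, trusted binding is {expected}")
        previous = self.seen.setdefault(ip, mac)
        if previous != mac:
            return ("ALERT", f"{ip} moved from {previous} to {mac}")
        return ("OK", f"{ip} is-at {mac}")


# Constructed lab: gateway, victim, attacker and a printer that is not in the binding table.
GATEWAY_MAC, GATEWAY_IP = "00:00:5e:00:53:01", "10.0.0.1"
VICTIM_MAC, VICTIM_IP = "00:00:5e:00:53:10", "10.0.0.10"
ATTACKER_MAC = "00:00:5e:00:53:66"
PRINTER_MAC, PRINTER_IP = "00:00:5e:00:53:20", "10.0.0.50"


def run_inspection():
    inspector = ArpInspector({GATEWAY_IP: GATEWAY_MAC, VICTIM_IP: VICTIM_MAC})
    frames = [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # legitimate
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # poisoning attempt
        build_arp_reply(PRINTER_MAC, PRINTER_IP, VICTIM_MAC, VICTIM_IP),   # unknown host, first sight
        build_arp_reply(ATTACKER_MAC, PRINTER_IP, VICTIM_MAC, VICTIM_IP),  # attacker takes the printer's IP
    ]
    return [inspector.inspect(f) for f in frames]


if __name__ == "__main__":
    for verdict, detail in run_inspection():
        print(verdict, detail)
```

The binding-table check is the strong defense: the spoofed gateway reply is dropped outright. The change detector only catches the second takeover after the fact, which is why a host that has already cached the poisoned entry is still the attacker's to redirect until it expires.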
So Switched Port Analyzer, a SPAN port. You'll probably be tested on this on the exam. Generally this is going to require some kind of physical access to the switch; however, with some switches it can be done remotely.
Basically what it does is copy every network packet from one switch port and put it onto another port for monitoring. If you look at our example here, we've got the ingress traffic coming in to our source SPAN port, and what that does is drop a copy out to a destination SPAN port to our sniffer.
The same traffic is also going out as egress traffic as well.
So we're able to get a copy of the traffic, sniff it and analyze it, and the traffic is still flowing normally from ingress to egress.
So some sniffing defenses, what can we do? We can obviously encrypt sensitive data, which helps prevent the attacker from actually being able to harvest things like usernames and passwords. We could also use a switched network for the most sensitive parts of our network. Again, there's going to be a cost related to that, but what it allows us to do is isolate
the traffic to a single segment.
We could implement IP DHCP snooping on Cisco switches, together with Dynamic ARP Inspection, which checks ARP replies against the snooping binding table, to prevent ARP poisoning. We could also implement policies that prevent promiscuous mode on network adapters.
So just one quick post-assessment question: what's the goal of MAC flooding?
All right. So again, we want to overflow the switch's CAM table so it fails open and acts like a hub,
and then basically do what we want with the traffic.
All right, so in this video we wrapped up Module six on sniffing. We're going to have a couple of labs coming up, and then in Module seven we're going to jump into social engineering, and in that module we're going to get to do a lab with social engineering reconnaissance.