Network Sniffing Techniques Quiz

Questions and Answers

Sniffing is a technique that enables monitoring and capturing data packets traversing a network through tools designed for such purposes.

True (A)

Passive sniffing refers to injecting data packets into the network to monitor network traffic.

False (B)

In active sniffing, an attacker can flood the switch's CAM table with address resolution packets.

True (A)

Most modern networks utilize hubs for connecting systems due to their efficiency in data traffic management.

False (B)

An attacker can connect their laptop to an open switch port to begin monitoring network traffic.

True (A)

The technique of ARP poisoning is not an effective method for active sniffing.

False (B)

Sensitive information such as FTP passwords can be captured through network sniffing.

True (A)

Active sniffing involves only monitoring the packets sent by others in a network environment.

False (B)

Protocols such as HTTP and Telnet are secure from sniffing attacks.

False (B)

A hacker can extract passwords from redirected traffic during a sniffing attack.

True (A)

Sniffers operate only at the Application layer of the OSI model.

False (B)

A hardware protocol analyzer can capture signals without altering the traffic.

True (A)

Data sent over protocols like POP and IMAP is inherently secure from sniffing.

False (B)

The upper layers of the OSI model can detect if a sniffer is active in the Data Link layer.

False (B)

Sensitive data, such as usernames, can be compromised if transmitted over unsecured protocols.

True (A)

All network traffic can be captured indiscriminately by sniffers at the Physical layer.

False (B)

Wiretapping is a method used to monitor and intercept data conversations without the need for legal consent.

False (B)

Active wiretapping involves monitoring, recording, altering, and injecting data into communications.

True (A)

Passive wiretapping can modify the data being transmitted.

False (B)

Lawful interception requires a court order to intercept data communications legally.

True (A)

PRISM is a data tool used by the NSA to monitor domestic internet traffic exclusively.

False (B)

Hardware protocol analyzers can decrypt data packets for analysis.

True (A)

The FLUKE Networks OneTouch™ AT Network Assistant is an example of a hardware protocol analyzer.

True (A)

Interception of communication can occur without the involvement of a service provider.

False (B)

An attacker can gain access to a network through MAC duplicating by re-using an address of an active client.

True (A)

Wireshark can capture packets on any networking protocol without limitations.

False (B)

DNS poisoning allows an attacker to create false IP address entries for a website on a DNS server.

True (A)

Packet sniffing is an attack method that can only capture data from VoIP calls.

False (B)

ARP poisoning can redirect communications between two machines through injected fake ARP messages.

True (A)

Active sniffing refers to the practice of simply observing the network without altering traffic.

False (B)

A denial-of-service (DoS) attack is a potential outcome of ARP poisoning.

True (A)

Captured files through Wireshark cannot be edited programmatically via the command line.

False (B)

MAC flooding can make a switch behave like a hub by broadcasting packets to all devices on the network.

True (A)

Configuring port security on a Cisco switch allows multiple MAC addresses to be used on a single switch port without restrictions.

False (B)

ARP is a protocol that resolves machine names to IP addresses.

False (B)

In an ARP spoofing attack, forged ARP packets are used to overload a network switch.

True (A)

One defense against MAC flooding attacks is limiting the number of MAC addresses allowed on switch ports.

True (A)

ARP requests are sent only to specific devices on the network and not broadcasted to all.

False (B)

The SNMP server can be configured to send traps for port security violations at a rate of 5.

True (A)

Port security settings on a Cisco switch can be adjusted for aging time and inactivity type.

True (A)

Flashcards

Sniffing

Monitoring and capturing data packets on a network.

Passive Sniffing

Monitoring network traffic without sending data packets.

Active Sniffing

Monitoring network traffic by sending data packets to disrupt or obtain information.

Promiscuous Mode

A network interface card (NIC) setting that listens to all network traffic.

Hub

A network device that broadcasts all data to all connected devices.

MAC Flooding

Overloading a switch's CAM table to gain access to all network traffic.

ARP Poisoning

A network attack where the attacker manipulates ARP tables to redirect data.

Switch

A network device that directs data packets only to the intended recipient.

Vulnerable Protocols (Sniffing)

Protocols that send data in plain text, making them susceptible to interception.

Data Link Layer

Layer of the OSI model where sniffing often occurs due to its direct access to data packets.

Hardware Protocol Analyzer

A device that captures network traffic without affecting it.

Network Sniffer

Software or hardware used to intercept network data without changing the communication.

Compromised Data Layer

Data link layer is the initial point of entry for a sniffer in the OSI model.

Clear Text Protocols

Protocols that send data without encryption.

Wiretapping

Monitoring communication by a third party, often intercepting and recording data.

Active Wiretapping

Wiretapping that not only monitors but also modifies or inserts data into the communication.

Passive Wiretapping

Wiretapping that only monitors and records communication without altering it.

Lawful Interception

Legally accessing and monitoring data communications by authorities.

PRISM

A data collection and processing tool, used for collecting foreign intelligence data on U.S. servers.

Protocol Analyzer

A device used to capture and examine the data being passed between computers.

Wiretapping Legal Offense

It is a criminal offense to perform wiretapping without permission or warrant.

CAM Table

A table in a network switch that maps MAC addresses to switch ports.

ARP Spoofing

An attack that manipulates ARP (Address Resolution Protocol) messages to redirect traffic to an attacker's machine.

Address Resolution Protocol (ARP)

A network protocol that maps IP addresses to MAC addresses.

Port Security (Cisco)

A Cisco switch feature that controls allowed MAC addresses on a port to prevent MAC flooding attacks.

ARP Table

A table on a device that stores IP-to-MAC address mappings, for faster communication.

ARP Request

A request sent by a device to discover the MAC address corresponding to a known IP address.

MAC Address

A unique hardware address for networking devices, like a device's ID.

ARP Table Flooding

An attacker floods the ARP table with spoofed entries, allowing them to intercept network traffic.

Packet Sniffing

Capturing and inspecting network traffic.

Session Hijacking

Taking over an active network session.

Wireshark

A network protocol analyzer to capture and analyze network traffic.

MAC Duplicating Attack

An attack where an attacker copies a valid MAC address and uses it to intercept traffic.

Study Notes

Sniffing Overview

• Sniffing is monitoring and capturing data packets on a network.
• It's a form of wiretapping.
• Tools used are called sniffing tools.
• Sensitive information can be obtained through sniffing, such as passwords and configuration details from logs, telnet, etc.

Network Sniffing Threats

• Many network switch ports are open.
• Anyone in the same physical area can plug into the network using Ethernet.
• Sensitive data can be obtained through sniffing via network traffic (syslog traffic, Telnet passwords, router configurations, FTP passwords, DNS traffic, email traffic, web traffic, chat sessions).

Sniffer Functionality

• A sniffer turns the network interface card (NIC) to promiscuous mode.
• This enables it to listen to all data transmitted on the network segment.
• Attackers use sniffers through the network interface card (NIC) to decode information encapsulated in data packets and constantly monitor network traffic.

Passive Sniffing

• Passive sniffing only monitors packets sent by other hosts.
• No additional data packets are sent in the network traffic.
• It's done via a hub, with all traffic sent to all ports.
• This is less stealthy compared to active sniffing due to the presence of a hub.
• Hub use is outdated and mostly replaced by switches in modern networks.

Active Sniffing

• This involves injecting address resolution protocol (ARP) packets to flood a switch's content addressable memory (CAM) table.
• This is to discover which host is connected to a specific port on the switch, then sniff all related traffic.
• Techniques for active sniffing include MAC flooding, DNS poisoning, ARP poisoning, DHCP attacks, switch port stealing, and spoofing attacks.

Attacker Network Hacking Actions

• Attackers connect their laptop to the network switch port.
• They will use discovery tools to identify the network topology.
• Identify the victim machine
• Poison the victim machine through ARP spoofing.
• Redirect traffic intended for the victim machine towards the attacker.
• Extract sensitive data and passwords from the redirected traffic.

Protocols Vulnerable to Sniffing

• Protocols that send data in clear text are vulnerable.
• Examples include HTTP, Telnet, Rlogin, POP, IMAP, SMTP, NNTP, and FTP.

Sniffing in OSI Model

• Sniffers function at the Data Link layer of the OSI model.
• They operate independently of upper layers, so upper layers are unaware of sniffing activity.

Hardware Protocol Analyzers

• Hardware devices used to capture network traffic without altering the flow of traffic in a cable segment.
• Identifies malicious network traffic generated by hacking software.
• Decodes and analyzes packet content based on predetermined rules.
• Allows the observation of individual data bytes in captured packets.
• Examples of hardware protocol analyzers include Keysight N2X N5540A, Keysight E2960B, RADCOM PrismLite, RADCOM Prism UltraLite, FLUKE Networks OptiView XG, FLUKE Networks OneTouch.

Wiretapping

• Wiretapping is monitoring telephone and internet conversations by unauthorized parties.
• It uses hardware, software, or a combination to intercept communications between devices.
• Allows attackers to monitor, intercept, access, and record information.

Lawful Interception

• Legally intercepting communications for surveillance.
• Court order is required for lawful interception.
• Systems are used for real-time reconstruction of data.
• Law enforcement agencies have access.

Wiretapping Case Study: PRISM

• PRISM is data collection tool for resource integration.
• NSA uses it to collect foreign intelligence via American servers
• Huge amounts of foreign internet traffic pass through American servers.

MAC Flooding

• Attack that floods the CAM table of a network switch with fake MAC addresses.
• Switch acts as a hub, then allowing attackers to sniff traffic.

Defending Against MAC Attacks

• Configure port security on a Cisco switch.
• Restrict inbound traffic, only allowing predefined MAC addresses.

Address Resolution Protocol (ARP)

• ARP is used to resolve IP addresses to machine MAC addresses.
• Network devices broadcast ARP queries.
• ARP table is used for storing resolved IP-MAC address pairs.

ARP Spoofing Attacks

• Forging ARP requests to send data to an attacker's machine.
• Flooding a switch with spoofed ARP replies to gain control of network traffic.
• Also known as ARP cache poisoning.

ARP Poisoning Threats

• Packet sniffing.
• Session hijacking.
• VoIP call tapping.
• Data manipulation.
• Man-in-the-middle attack.
• Connection resetting.
• Password stealing.
• Denial-of-service (DoS) attacks

MAC Spoofing/Duplicating

• Sniffing a network for MAC addresses and using legitimate addresses to gain access.
• Gaining access to the network and taking over someone's identity.

DNS Poisoning

• Tricking DNS server to accept incorrect DNS information
• Replace entries for target site with malicious entries.
• DNS server issues incorrect IP addresses.

Sniffing Tool: Wireshark

• Captures network traffic from various technologies (ethernet, wifi, etc.).
• Uses Winpcap libraries.
• Data can be programmatically edited via command line.
• Can filter to refine display.

Defending Against Sniffing

• Using HTTPS instead of HTTP for secure communication.
• Secure File Transfer Protocol (SFTP) instead of FTP.
• Secure encrypted protocols like PGP, VPN, IPSec, SSL/TLS, SSH, or One-time passwords (OTP).
• Retrieving MAC addresses directly from NIC and avoiding OS MAC addresses.
• Using tools to identify if NICs are operating in promiscuous mode.

Detecting Sniffing

• Check for machines running in promiscuous mode.
• Use Intrusion Detection Systems (IDS) to identify if MAC addresses have changed.
• Employ network tools to monitor and analyze traffic.

Description

Test your knowledge on network sniffing techniques including passive and active sniffing, their implications, and related security protocols. This quiz explores the details of packet monitoring, ARP poisoning, and traffic management in modern networks.