Network Sniffing Techniques Quiz

Questions and Answers

Sniffing is a technique that enables monitoring and capturing data packets traversing a network through tools designed for such purposes.

True

Passive sniffing refers to injecting data packets into the network to monitor network traffic.

False

In active sniffing, an attacker can flood the switch's CAM table with address resolution packets.

True

Most modern networks utilize hubs for connecting systems due to their efficiency in data traffic management.

False

An attacker can connect their laptop to an open switch port to begin monitoring network traffic.

True

The technique of ARP poisoning is not an effective method for active sniffing.

False

Sensitive information such as FTP passwords can be captured through network sniffing.

True

Active sniffing involves only monitoring the packets sent by others in a network environment.

False

Protocols such as HTTP and Telnet are secure from sniffing attacks.

False

A hacker can extract passwords from redirected traffic during a sniffing attack.

True

Sniffers operate only at the Application layer of the OSI model.

False

A hardware protocol analyzer can capture signals without altering the traffic.

True

Data sent over protocols like POP and IMAP is inherently secure from sniffing.

False

The upper layers of the OSI model can detect if a sniffer is active in the Data Link layer.

False

Sensitive data, such as usernames, can be compromised if transmitted over unsecured protocols.

True

All network traffic can be captured indiscriminately by sniffers at the Physical layer.

False

Wiretapping is a method used to monitor and intercept data conversations without the need for legal consent.

False

Active wiretapping involves monitoring, recording, altering, and injecting data into communications.

True

Passive wiretapping can modify the data being transmitted.

False

Lawful interception requires a court order to intercept data communications legally.

True

PRISM is a data tool used by the NSA to monitor domestic internet traffic exclusively.

False

Hardware protocol analyzers can decrypt data packets for analysis.

True

The FLUKE Networks OneTouch™ AT Network Assistant is an example of a hardware protocol analyzer.

True

Interception of communication can occur without the involvement of a service provider.

False

An attacker can gain access to a network through MAC duplicating by re-using an address of an active client.

True

Wireshark can capture packets on any networking protocol without limitations.

False

DNS poisoning allows an attacker to create false IP address entries for a website on a DNS server.

True

Packet sniffing is an attack method that can only capture data from VoIP calls.

False

ARP poisoning can redirect communications between two machines through injected fake ARP messages.

True

Active sniffing refers to the practice of simply observing the network without altering traffic.

False

A denial-of-service (DoS) attack is a potential outcome of ARP poisoning.

True

Captured files through Wireshark cannot be edited programmatically via the command line.

False

MAC flooding can make a switch behave like a hub by broadcasting packets to all devices on the network.

True

Configuring port security on a Cisco switch allows multiple MAC addresses to be used on a single switch port without restrictions.

False

ARP is a protocol that resolves machine names to IP addresses.

False

In an ARP spoofing attack, forged ARP packets are used to overload a network switch.

True

One defense against MAC flooding attacks is limiting the number of MAC addresses allowed on switch ports.

True

ARP requests are sent only to specific devices on the network and not broadcasted to all.

False

The SNMP server can be configured to send traps for port security violations at a rate of 5.

True

Port security settings on a Cisco switch can be adjusted for aging time and inactivity type.

True

Study Notes

Sniffing Overview

• Sniffing is monitoring and capturing data packets on a network.
• It's a form of wiretapping.
• Tools used are called sniffing tools.
• Sensitive information can be obtained through sniffing, such as passwords and configuration details from logs, telnet, etc.

Network Sniffing Threats

• Many network switch ports are open.
• Anyone in the same physical area can plug into the network using Ethernet.
• Sensitive data can be obtained through sniffing via network traffic (syslog traffic, Telnet passwords, router configurations, FTP passwords, DNS traffic, email traffic, web traffic, chat sessions).

Sniffer Functionality

• A sniffer turns the network interface card (NIC) to promiscuous mode.
• This enables it to listen to all data transmitted on the network segment.
• Attackers use sniffers through the network interface card (NIC) to decode information encapsulated in data packets and constantly monitor network traffic.

Passive Sniffing

• Passive sniffing only monitors packets sent by other hosts.
• No additional data packets are sent in the network traffic.
• It's done via a hub, with all traffic sent to all ports.
• This is less stealthy compared to active sniffing due to the presence of a hub.
• Hub use is outdated and mostly replaced by switches in modern networks.

Active Sniffing

• This involves injecting address resolution protocol (ARP) packets to flood a switch's content addressable memory (CAM) table.
• This is to discover which host is connected to a specific port on the switch, then sniff all related traffic.
• Techniques for active sniffing include MAC flooding, DNS poisoning, ARP poisoning, DHCP attacks, switch port stealing, and spoofing attacks.

Attacker Network Hacking Actions

• Attackers connect their laptop to the network switch port.
• They will use discovery tools to identify the network topology.
• Identify the victim machine
• Poison the victim machine through ARP spoofing.
• Redirect traffic intended for the victim machine towards the attacker.
• Extract sensitive data and passwords from the redirected traffic.

Protocols Vulnerable to Sniffing

• Protocols that send data in clear text are vulnerable.
• Examples include HTTP, Telnet, Rlogin, POP, IMAP, SMTP, NNTP, and FTP.

Sniffing in OSI Model

• Sniffers function at the Data Link layer of the OSI model.
• They operate independently of upper layers, so upper layers are unaware of sniffing activity.

Hardware Protocol Analyzers

• Hardware devices used to capture network traffic without altering the flow of traffic in a cable segment.
• Identifies malicious network traffic generated by hacking software.
• Decodes and analyzes packet content based on predetermined rules.
• Allows the observation of individual data bytes in captured packets.
• Examples of hardware protocol analyzers include Keysight N2X N5540A, Keysight E2960B, RADCOM PrismLite, RADCOM Prism UltraLite, FLUKE Networks OptiView XG, FLUKE Networks OneTouch.

Wiretapping

• Wiretapping is monitoring telephone and internet conversations by unauthorized parties.
• It uses hardware, software, or a combination to intercept communications between devices.
• Allows attackers to monitor, intercept, access, and record information.

Lawful Interception

• Legally intercepting communications for surveillance.
• Court order is required for lawful interception.
• Systems are used for real-time reconstruction of data.
• Law enforcement agencies have access.

Wiretapping Case Study: PRISM

• PRISM is data collection tool for resource integration.
• NSA uses it to collect foreign intelligence via American servers
• Huge amounts of foreign internet traffic pass through American servers.

MAC Flooding

• Attack that floods the CAM table of a network switch with fake MAC addresses.
• Switch acts as a hub, then allowing attackers to sniff traffic.

Defending Against MAC Attacks

• Configure port security on a Cisco switch.
• Restrict inbound traffic, only allowing predefined MAC addresses.

Address Resolution Protocol (ARP)

• ARP is used to resolve IP addresses to machine MAC addresses.
• Network devices broadcast ARP queries.
• ARP table is used for storing resolved IP-MAC address pairs.

ARP Spoofing Attacks

• Forging ARP requests to send data to an attacker's machine.
• Flooding a switch with spoofed ARP replies to gain control of network traffic.
• Also known as ARP cache poisoning.

ARP Poisoning Threats

• Packet sniffing.
• Session hijacking.
• VoIP call tapping.
• Data manipulation.
• Man-in-the-middle attack.
• Connection resetting.
• Password stealing.
• Denial-of-service (DoS) attacks

MAC Spoofing/Duplicating

• Sniffing a network for MAC addresses and using legitimate addresses to gain access.
• Gaining access to the network and taking over someone's identity.

DNS Poisoning

• Tricking DNS server to accept incorrect DNS information
• Replace entries for target site with malicious entries.
• DNS server issues incorrect IP addresses.

Sniffing Tool: Wireshark

• Captures network traffic from various technologies (ethernet, wifi, etc.).
• Uses Winpcap libraries.
• Data can be programmatically edited via command line.
• Can filter to refine display.

Defending Against Sniffing

• Using HTTPS instead of HTTP for secure communication.
• Secure File Transfer Protocol (SFTP) instead of FTP.
• Secure encrypted protocols like PGP, VPN, IPSec, SSL/TLS, SSH, or One-time passwords (OTP).
• Retrieving MAC addresses directly from NIC and avoiding OS MAC addresses.
• Using tools to identify if NICs are operating in promiscuous mode.

Detecting Sniffing

• Check for machines running in promiscuous mode.
• Use Intrusion Detection Systems (IDS) to identify if MAC addresses have changed.
• Employ network tools to monitor and analyze traffic.

Description

Test your knowledge on network sniffing techniques including passive and active sniffing, their implications, and related security protocols. This quiz explores the details of packet monitoring, ARP poisoning, and traffic management in modern networks.