Networking Security: Sniffing Techniques
40 Questions

Questions and Answers

Which of the following describes passive sniffing?

  • Primarily uses tools to inject malicious packets into a network.
  • Is only effective in switch-based networks.
  • Involves sending additional data packets to monitor traffic.
  • Occurs on a hub where everyone can see all traffic. (correct)

What is the primary function of a sniffer in promiscuous mode?

  • To restrict the data traffic being monitored.
  • To ignore specific data packets.
  • To encrypt the data being transmitted.
  • To capture all data packets on its segment. (correct)

Which of the following is NOT a technique associated with active sniffing?

  • ARP Poisoning
  • MAC Flooding
  • DNS Poisoning
  • Packet Sniffing (correct)

What vulnerability arises from open switch ports in enterprises?

Answer: Physical access to the network by unauthorized users.

What is the main function of a protocol analyzer?

Answer: To capture, decode, and analyze data packets.

What is the role of the Content Addressable Memory (CAM) table in a switch?

Answer: To maintain a record of MAC addresses associated with switch ports.

Which type of traffic is least likely to be sensitive information obtained through sniffing?

Answer: Hardware specifications.

Which type of wiretapping involves altering or injecting data into the communication?

Answer: Active wiretapping.

Which of the following protocols is NOT vulnerable to sniffing?

Answer: SSH.

How does ARP poisoning contribute to network attacks?

Answer: It maps attackers' MAC addresses to legitimate IP addresses.

How do sniffers interact with the OSI model layers?

Answer: They function at the Data Link layer without impacting upper layers.

Which hardware protocol analyzer is NOT explicitly listed?

Answer: Cisco Packet Analyzer.

What is the primary function of a hardware protocol analyzer?

Answer: To capture and monitor network signals without altering traffic.

What significant limitation does the use of hubs present in network sniffing?

Answer: Hubs broadcast all traffic to all ports, exposing it to all nodes.

What legal requirement is necessary for lawful interception of data communication?

Answer: Obtaining a court order or request for wiretap.

What type of data is most vulnerable to interception by sniffers?

Answer: Passwords transmitted in clear text.

What does PRISM primarily aim to collect?

Answer: Foreign intelligence that passes through American servers.

Which of the following characteristics best describes the Data Link layer in relation to sniffing?

Answer: It is unaware if sniffing is occurring at this layer.

What characterizes passive wiretapping?

Answer: It only monitors and records the traffic.

Which of the following statements is true regarding wiretapping?

Answer: It is only permissible with a valid warrant in most countries.

Which of the following is a consequence of data being sent in clear text?

Answer: Easy interception by unauthorized parties.

Identify the type of data most commonly targeted by attackers in sniffing attacks.

Answer: Usernames and passwords.

What does the term 'central management server (CMS)' refer to in lawful interception?

Answer: The system coordinating data requests from law enforcement agencies.

What potential risk is associated with protocols like POP and IMAP in the context of network security?

Answer: They can expose sensitive data when used without encryption.

What is the primary consequence of ARP poisoning on a network?

Answer: It can divert communications between devices through the attacker's PC.

Which of the following best describes MAC duplicating?

Answer: Reusing a legitimate user's MAC address to capture their traffic.

What does DNS poisoning fundamentally alter?

Answer: The true IP addresses associated with domain names.

Which of the following is NOT a possible outcome from packet sniffing?

Answer: Changing the routing path of network traffic.

What feature of Wireshark enhances its functionality for network analysis?

Answer: Use of Winpcap to capture packets only from supported networks.

What is the primary purpose of using forged ARP replies in a network attack?

Answer: To enable an attacker to intercept and redirect traffic.

What technology does Wireshark utilize to enhance its packet capturing capability?

Answer: Command-line interface for editing captures.

Which attack typically involves creating fake DNS entries that resemble legitimate sites?

Answer: DNS poisoning.

What is the primary consequence of MAC flooding on a network?

Answer: The switch behaves like a hub and broadcasts to all devices.

Which command is NOT part of configuring port security on a Cisco switch?

Answer: switchport port-security aging time 0

What is Address Resolution Protocol (ARP) primarily used for?

Answer: To resolve IP addresses to MAC addresses.

Which of the following best describes ARP spoofing?

Answer: Forging ARP requests and replies to redirect traffic.

What happens if a MAC address is not found in an ARP table?

Answer: An ARP request is broadcast across the network.

What is one of the primary goals of implementing port security on a switch?

Answer: To restrict inbound traffic from selected MAC addresses.

Which statement about the ARP protocol is accurate?

Answer: ARP queries are broadcast to find MAC addresses on a local network.

When configuring port security, what does the command 'snmp-server enable traps port-security trap-rate 5' achieve?

Answer: It sets the rate of port-security SNMP traps to 5 per minute.

Study Notes

Sniffing Overview

• Sniffing is the process of monitoring and capturing all data packets passing through a network
• It is a form of wiretapping applied to computer networks
• Many enterprise switch ports are left open, allowing anyone in the same physical location to plug into the network with an Ethernet cable
• Sensitive information obtained through sniffing includes syslog traffic, Telnet passwords, router configuration, and FTP passwords
• Captured data also includes email traffic, web traffic, and chat sessions
• Sniffing can be passive or active: passive sniffing monitors traffic without sending additional data packets, whereas active sniffing injects requests into the network

How a Sniffer Works

• A sniffer switches the network interface card (NIC) of a system into promiscuous mode, allowing it to listen to all data transmitted on its segment
• Attackers use the NIC to monitor all network traffic reaching the device
• Attackers decode the information encapsulated in the captured data packets

Passive Sniffing

• Passive sniffing involves monitoring packets sent by others without sending additional data packets
• It is performed through a hub, where all traffic is sent to all ports
• Attackers can easily capture any traffic going through the hub in a network that employs hubs
• Hub usage is outdated, as modern networks use switches
Active Sniffing

• Active sniffing is used on switch-based networks
• It involves injecting Address Resolution Protocol (ARP) packets into the network to flood the switch's Content Addressable Memory (CAM) table
• The CAM table tracks which host is connected to which port
• Active sniffing techniques include MAC flooding, DNS poisoning, ARP poisoning, DHCP attacks, switch port stealing, and spoofing attacks

Attacker Hacks the Network Using Sniffers

• Attacker connects a laptop to a network switch port
• Uses discovery tools to learn the network topology
• Identifies the victim's machine to target attacks
• Poisons the victim using ARP spoofing techniques
• Redirects the victim's traffic to the attacker
• Extracts passwords and sensitive data from the redirected traffic

Protocols Vulnerable to Sniffing

• Protocols that send data in clear text are vulnerable
• This includes protocols such as HTTP, Telnet, Rlogin, POP, IMAP, SMTP, NNTP, and FTP
• Sniffers operate at the Data Link layer of the OSI model
• Layers in the OSI model work independently of one another
• Because the layers function independently, the upper layers are not aware of sniffing taking place at the lower layer
Hardware Protocol Analyzer

• Specialized hardware equipment for capturing network traffic signals without altering the traffic or the cable segment
• Used to monitor network usage and identify malicious network traffic
• Decodes data packets and analyzes their content based on certain rules
• Gives the operator visibility into the individual data bytes of each passing packet

Hardware Protocol Analyzers (Examples)

• Keysight N2X N5540A
• Keysight E2960B
• RADCOM PrismLite Protocol Analyzer
• RADCOM Prism UltraLite Protocol Analyzer
• FLUKE Networks OptiView® XG Network Analyzer
• FLUKE Networks OneTouch™ AT Network Assistant

Wiretapping

• Monitoring of telephone and internet conversations by a third party
• Attackers connect listening devices to the circuits carrying the information
• Allows attackers to monitor, intercept, access, and record data in a communication system
• Active and passive techniques exist: passive wiretapping only monitors, while active wiretapping monitors, records, alters, or injects traffic within the system

Lawful Interception

• Legally intercepting data communication to conduct surveillance on communications, VoIP, data, and multiservice networks
• Requires a court order or request for wiretap
• A system reconstructs the intercepted data in real time
• Law enforcement can access the intercepted data whenever required

Wiretapping Case Study - PRISM

• PRISM is a planning tool for resource integration, synchronization, and management designed to collect and process foreign intelligence that passes through American servers
• The NSA wiretaps a huge amount of foreign internet traffic routed through or saved on U.S. servers
MAC Flooding

• Flooding the CAM table of a switch with fake MAC address and IP pairs until the table is full
• The switch then behaves as a hub, broadcasting packets to all machines
• Attackers can then sniff the traffic easily

How to Defend Against MAC Attacks

• Use port security on Cisco switches to restrict inbound traffic
• Limit the number of allowed MAC addresses per switch port

Address Resolution Protocol (ARP)

• Stateless protocol for resolving IP addresses to machine (MAC) addresses
• Network devices broadcast ARP queries to discover other machines' MAC addresses

ARP Spoofing Attack

• Forged ARP packets cause data to be sent to the attacker's machine
• ARP spoofing involves creating numerous forged ARP request and reply packets
• This overloads the switch, enabling sniffers to access all network traffic
• Spoofing involves flooding the target computers' ARP cache with forged entries

ARP Poisoning Threats

• Packet sniffing
• Session hijacking
• VoIP call tapping
• Data manipulation
• Man-in-the-middle attack
• Denial-of-service (DoS) attack

MAC Spoofing/Duplicating

• Launching a MAC attack by sniffing a network for the MAC addresses of active clients
• Re-using a legitimate user's MAC address to intercept traffic intended for that user

DNS Poisoning Techniques

• Tricks a DNS server into accepting false IP addresses for a specified domain
• Attacker inserts malicious code into the DNS server
• Victims get redirected to malicious websites (DNS cache poisoning)

Sniffing Tool: Wireshark

• A network protocol analyzer for capturing and interactively browsing network traffic (Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks)
• Usable on computer networks
• Captures live traffic; capture files can be edited from the command line using filters

How to Defend Against Sniffing

• Use HTTPS to secure user credentials
• Employ switches instead of hubs so that traffic is delivered only to the intended port
• Use Secure File Transfer Protocol (SFTP)
• Enable strong encryption protocols (WPA2) on wireless networks
• Retrieve MAC addresses directly from the network interface card (NIC)
• Use tools that determine whether network interface cards (NICs) are running in promiscuous mode

How to Detect Sniffing

• Identify machines running in promiscuous mode
• Monitor the IDS for MAC address changes (e.g., the router's MAC address changing)
• Use network tools such as Capsa Network Analyzer to detect unusual packets

Related Documents

Sniffing - Module 07 PDF

Description

Test your knowledge of networking security concepts related to sniffing techniques. This quiz covers passive and active sniffing, highlighting the differences and functionalities of sniffers in various modes. Perfect for students studying cybersecurity or network security.
