THE ART OF ACTIVE SNIFFING

Sagar
4 min read, Jun 2, 2021

In the world of networking, sniffing is the process of monitoring and capturing the packets flowing through a network.

Sniffing is one of the most common attacks in networking. Broadly, it is classified into two categories:

PASSIVE SNIFFING

Passive sniffing works on networks built around hubs rather than switches. Hubs and switches both carry Ethernet frames addressed by MAC (Media Access Control) address, but a hub is not smart enough to work out which port a frame’s exact destination sits behind, so it repeats every frame to every connected device. That is what makes a hub-based network easy to monitor: a device listening in promiscuous mode sees all of the traffic.

ACTIVE SNIFFING

Active sniffing is done in a switched network, which is smarter than a hub because each frame is sent only to the port of its destination, selected by MAC address.

The advantage of a switched environment is that devices only receive the packets meant for them, so a device in promiscuous mode cannot sniff anyone else’s traffic. But this environment is not as strong as it looks. There are clever ways to sniff the packets of other devices, although the method is considerably more complex than in the previous case. To understand attacks like these, the underlying protocol must be examined carefully, and that is what we do next.

The source address is an important aspect of network communication; if manipulated carefully it can have interesting effects. The reason is that there is no provision to check the integrity of the originating address: nobody can ensure that the source address in a packet is really the address of the machine that sent it. Forging the source address is known as “spoofing”. Adding spoofing to your arsenal of techniques increases the chances of success, because most systems expect this address to be valid.

Switched network

Spoofing is only the first, basic step in sniffing packets on a switched network. The other interesting details are found in ARP.

When an ARP (Address Resolution Protocol) reply arrives for an IP address that already exists in the ARP cache (a small table mapping IP addresses to MAC addresses), the receiving system overwrites the stored MAC address with the one found in the reply (unless the cache entry is explicitly marked as permanent).

The other detail of ARP to focus on is that it keeps no state about the traffic. No record of outstanding requests is stored, because that would require additional memory and complicate an otherwise simple protocol; as a result, a system accepts an ARP reply even if it never sent the corresponding ARP request.

When these three properties (spoofable source addresses, cache overwriting and statelessness) are exploited together, they allow an attacker to sniff traffic on a switched network using a technique called ARP redirection. The attacker sends spoofed ARP replies to a device; these poison the device’s ARP cache by overwriting its entries with the attacker’s data. This is popularly called ARP poisoning.

Let’s understand this with an example. If an attacker wants to sniff the traffic between two hosts A and B, the attacker first poisons A’s ARP cache so that A believes B’s IP address is at the attacker’s MAC address, and poisons B’s ARP cache so that B believes A’s IP address is also at the attacker’s MAC address. The attacker then simply forwards each packet to its real destination, and the traffic flows through the attacker’s machine.

Since hosts on a switched network build their Ethernet headers from the values in their ARP cache, A’s IP traffic meant for B is now actually sent to the attacker’s machine, and the same happens to B’s traffic. The switch only filters on MAC addresses, so its operation is unaffected; it is the victim machines that are tricked into sending their traffic through the attacker.

Alongside this, ARP cache entries carry a timeout value used to refresh them, which is a threat to the attack: when an entry expires, the victim sends a real ARP request and receives a real ARP reply. To prevent this, the attacker must keep the victims’ ARP tables poisoned; a simple way to accomplish this is to send the spoofed ARP replies to both A and B at a constant interval (for example, every 10 seconds).
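The three ARP behaviours the article relies on (a reply overwrites an existing cache entry, a reply is accepted without a matching request, and the poisoning is repeated on a short interval) are also exactly what a defender can watch for. The following is an added example, not code from the original post or from Erickson’s book: a small stateful ARP monitor in Python that parses raw ARP bodies and raises an alert for an unsolicited reply, for a change in an IP-to-MAC binding, and for the same reply repeated too often within a window. The hosts A (10.0.0.2), B (10.0.0.3) and a third MAC claiming B’s address are constructed sample values, and the “capture” is built in memory rather than read from a network interface.

```python
"""Added example: a stateful ARP monitor that keeps the state the protocol
itself does not, so poisoning attempts show up as alerts. Sample packets
are constructed in memory; nothing is sent on the wire."""
import struct
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(oper, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP body (used only for the sample capture)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(body):
    """Decode an ARP body into a dict; rejects anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"oper": oper, "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


class ArpMonitor:
    """Tracks outstanding requests, first-seen IP->MAC bindings and reply rate."""

    def __init__(self, window=30.0, repeat_threshold=3):
        self.bindings = {}                     # ip -> first MAC seen claiming it
        self.pending = set()                   # (requester_ip, asked_ip) still unanswered
        self.reply_times = defaultdict(list)   # (claimed_ip, claimant_mac, target_ip) -> timestamps
        self.window = window
        self.repeat_threshold = repeat_threshold

    def observe(self, body, ts):
        """Feed one ARP body with its capture time; return a list of alert strings."""
        p = parse_arp(body)
        alerts = []
        if p["oper"] == ARP_REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["oper"] == ARP_REPLY:
            asked = (p["tpa"], p["spa"])       # this reply answers "tpa asked about spa"
            if asked in self.pending:
                self.pending.discard(asked)
            else:                              # the stateless cache would accept this anyway
                alerts.append(f"unsolicited reply: {p['spa']} is-at {p['sha']} -> {p['tpa']}")
            key = (p["spa"], p["sha"], p["tpa"])
            recent = [t for t in self.reply_times[key] if ts - t <= self.window] + [ts]
            self.reply_times[key] = recent
            if len(recent) >= self.repeat_threshold:
                alerts.append(f"repeated reply: {p['spa']} is-at {p['sha']} -> {p['tpa']} "
                              f"{len(recent)} times in {self.window:.0f}s")
        # Every ARP packet announces its sender's binding. Unlike a host's cache,
        # keep the first one seen and report later disagreement instead of overwriting.
        known = self.bindings.setdefault(p["spa"], p["sha"])
        if known != p["sha"]:
            alerts.append(f"binding change: {p['spa']} was {known}, now claimed by {p['sha']}")
        return alerts


# Constructed sample hosts: A asks for B, B answers, then a third MAC keeps
# re-announcing B's address to A every 10 seconds, as in the article.
A_IP, A_MAC = "10.0.0.2", "aa:aa:aa:aa:aa:02"
B_IP, B_MAC = "10.0.0.3", "bb:bb:bb:bb:bb:03"
X_MAC = "cc:cc:cc:cc:cc:99"

SAMPLE_CAPTURE = [   # (timestamp, arp body); constructed, not a real trace
    (0.00, build_arp(ARP_REQUEST, A_MAC, A_IP, "00:00:00:00:00:00", B_IP)),
    (0.01, build_arp(ARP_REPLY, B_MAC, B_IP, A_MAC, A_IP)),
    (5.00, build_arp(ARP_REPLY, X_MAC, B_IP, A_MAC, A_IP)),
    (15.00, build_arp(ARP_REPLY, X_MAC, B_IP, A_MAC, A_IP)),
    (25.00, build_arp(ARP_REPLY, X_MAC, B_IP, A_MAC, A_IP)),
]


def run_capture(capture=SAMPLE_CAPTURE):
    """Run the monitor over a capture; returns one alert list per packet."""
    mon = ArpMonitor()
    return [mon.observe(body, ts) for ts, body in capture]


if __name__ == "__main__":
    for (ts, _), alerts in zip(SAMPLE_CAPTURE, run_capture()):
        for alert in alerts:
            print(f"t={ts:6.2f}  {alert}")
```

On the sample capture the genuine exchange produces no alerts, the first forged reply at t=5 is flagged as both unsolicited and a binding change, and by the third forged reply the repeat-rate alert fires as well. In a real deployment the ARP bodies would come from a raw socket or a pcap file, and the learned bindings would be seeded from a known-good inventory rather than from first sighting; keeping the first-seen binding is what lets a tool like this keep reporting each re-poisoning attempt instead of following the attacker’s overwrite the way a host’s cache does.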

This is how active sniffing works. There are more scenarios in this attack, for example when the victim machine is the gateway the methodology changes a bit; that will be covered in the next part of this article.

REFERENCES

The Art of Exploitation, by Jon Erickson
