4.2. Sniffing in Action

Types of Sniffing:

  1. Passive Sniffing

  2. Active Sniffing

     • MAC Flooding

     • ARP Poisoning

4.2.1. Passive Sniffing

Passive sniffing attacks are performed by just watching packets on a network in order to gather sensitive information such as user IDs and passwords.

They are difficult to detect due to their "hands off" approach to gathering information: the attacker only listens and transmits nothing on the network.

The only tool you need is a sniffer, such as Wireshark.

4.2.2. Active Sniffing

Active sniffing is performed by actively carrying out malicious operations (MAC flooding or ARP poisoning) on the network. This means that we inject packets into the network in order to redirect the traffic.

Types of Active Sniffing:

  1. MAC Flooding

MAC flooding is meant to stress the switch and fill its CAM table. A CAM table keeps all the info required to forward frames to the correct port: <MAC address, port number, TTL>.

When the CAM table is filled with fake MAC addresses, the switch cannot learn new MAC addresses. The only way to keep the network alive is to forward frames destined for an unknown MAC address out of all the ports of the switch, thus making it fail open and act like a hub.

  2. ARP Poisoning

ARP poisoning (a.k.a. ARP spoofing) is probably the most stealthy among the active sniffing techniques. It does not need to bring down switch functionality; instead it exploits the concept of traffic redirection. This is one of the most used attacks to perform Man-in-the-Middle attacks.

By poisoning the ARP caches of the selected victims, the attacker is able to redirect their traffic to a specific machine (usually the attacker's machine). Doing this enables the attacker not only to monitor, but also to modify the traffic.

Note that although ARP poisoning is mainly used to mount a MitM attack, it can also be used to DoS the network.
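As an added example (not part of the original notes), the following detector shows what the ARP-cache manipulation described above looks like from the defender's side. It keeps an IP-to-MAC binding table in the style of an arpwatch-like monitor and raises alerts when a binding flips or when one MAC answers for several IPs; the ARP replies and addresses are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """Minimal view of one ARP reply: time seen, sender IP and sender MAC."""
    ts: float
    sender_ip: str
    sender_mac: str


# Constructed sample traffic (not a real capture). The gateway 10.0.0.1 is
# normally 00:11:22:33:44:01. From t=100 a host with MAC aa:bb:cc:dd:ee:ff
# starts answering for both the gateway and the client 10.0.0.7, which is the
# binding pattern a poisoning host leaves; at t=101 the real gateway answers
# again, producing the flip-flop that monitors typically flag.
SAMPLE_REPLIES = [
    ArpReply(10.0, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(11.0, "10.0.0.7", "00:11:22:33:44:07"),
    ArpReply(100.0, "10.0.0.1", "aa:bb:cc:dd:ee:ff"),
    ArpReply(100.5, "10.0.0.7", "aa:bb:cc:dd:ee:ff"),
    ArpReply(101.0, "10.0.0.1", "00:11:22:33:44:01"),
]


def detect_arp_anomalies(replies, max_ips_per_mac=1):
    """Return a list of alert tuples.

    'binding_change': an IP's MAC differs from the one previously learned
    (legitimate causes exist too: DHCP reassignment, NIC replacement, VRRP).
    'mac_claims_multiple_ips': one MAC answers for more than max_ips_per_mac
    addresses, the signature of a host impersonating gateway and victim.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in replies:
        old = ip_to_mac.get(r.sender_ip)
        if old is not None and old != r.sender_mac:
            alerts.append(("binding_change", r.ts, r.sender_ip, old, r.sender_mac))
        ip_to_mac[r.sender_ip] = r.sender_mac
        mac_to_ips[r.sender_mac].add(r.sender_ip)
        if len(mac_to_ips[r.sender_mac]) > max_ips_per_mac:
            claimed = tuple(sorted(mac_to_ips[r.sender_mac]))
            alerts.append(("mac_claims_multiple_ips", r.ts, r.sender_mac, claimed))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES):
        print(alert)
```

On a real network the replies would come from a capture on the segment being watched, and the binding_change alerts need a whitelist for known failover or DHCP behaviour to keep the noise down.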
