eCPPTv2 Notes

4.1. What is Sniffing

Network eavesdropping, or network sniffing, is a network-layer attack that consists of capturing packets transmitted by other computers.

Having these packets not only allows us to read the data, but also to search it for sensitive information such as passwords, session tokens, or other kinds of confidential information.

To sniff traffic, we sometimes have to mount Man-in-the-Middle (MitM) attacks to achieve our goals.

4.1.1. MitM, Hubs, and Switches

A MitM attack is one in which the malicious user is able to intercept the communication between two systems. For example, in an HTTP transaction the target is the TCP connection between client and server.

In a MitM attack scenario, the attacker can split the original TCP connection into two new connections: one between the victim and the attacker, and the other between the attacker and the destination.

Once the TCP connection is intercepted, the attacker acts as a proxy and is able to read, insert, and modify the data in the intercepted connection.

4.1.2. Hubs and Switches

Until the early 90s, all Ethernet networks used hubs to build a meshed network topology. Hubs are layer 1 devices that do not deal with packets, only with bits. Hubs are repeaters: they receive an electrical signal on one port and repeat the same signal on all other ports.

In such environments, a packet meant for one machine is received by all the other machines. Whenever a packet arriving at a NIC does not carry that NIC's MAC address in the destination field of the layer 2 frame, the NIC drops it.

NIC drivers were developed that let NICs accept and handle those packets anyway. This NIC behavior is called promiscuous mode, and it is still available today on most NICs on the market.

When switches were introduced, they gradually replaced hubs. Switches are layer 2 devices (more sophisticated ones also include layer 3 functionality) capable of dealing with frames rather than just electrical signals. They contain enough logic to handle addresses and forwarding rules.

To make things clearer, the main difference between hubs and switches is the forwarding mechanism: a switch forwards a frame only to its real destination, or at least only on the port on which the destination address is registered.

A hub instead just propagates the electrical signal received on one port to all the others; it is a physical layer device.

With the introduction of switches, sniffing became more difficult: in a normal, unstressed switched network, sniffing other hosts' data is impossible. Efficient attack techniques have therefore been introduced to force a switch to behave like a hub and forward frames on all of its ports.
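As an added example (not part of the original notes), the following Python model puts the two points above side by side: the NIC's destination-MAC filter with and without promiscuous mode, and a hub's repeat-everything behaviour versus a switch's learned forwarding table. The topology, MAC addresses and frames are constructed for illustration.

```python
# Added example, not from the original notes: which NICs can observe a frame
# on a hub versus a learning switch. Topology, MACs and traffic are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"

class Nic:
    def __init__(self, mac: str, promiscuous: bool = False):
        self.mac, self.promiscuous = mac, promiscuous  # mode is set by the driver

    def accepts(self, dst: str) -> bool:
        # Normal L2 filter: only our own MAC or broadcast; promiscuous keeps all.
        return self.promiscuous or dst in (self.mac, BROADCAST)

class Hub:
    """Layer 1 repeater: a signal entering one port is repeated on all others."""
    def __init__(self, ports: dict):
        self.ports = ports  # port number -> attached NIC

    def forward(self, in_port: int, src: str, dst: str) -> list:
        return sorted(p for p in self.ports if p != in_port)

class Switch(Hub):
    """Layer 2 device: learns the source MAC behind each port and forwards only
    to the port where the destination is registered; an unknown or broadcast
    destination is flooded to all other ports, exactly like a hub."""
    def __init__(self, ports: dict):
        super().__init__(ports)
        self.cam = {}  # MAC address -> port (the switch's forwarding table)

    def forward(self, in_port: int, src: str, dst: str) -> list:
        self.cam[src] = in_port  # learn which port the sender is attached to
        if dst in self.cam and dst != BROADCAST:
            return [self.cam[dst]]
        return super().forward(in_port, src, dst)

def observers(device: Hub, in_port: int, src: str, dst: str) -> list:
    """MACs of the hosts whose NIC both receives and accepts the frame."""
    out = device.forward(in_port, src, dst)
    return sorted(device.ports[p].mac for p in out if device.ports[p].accepts(dst))

def topology(device_cls):
    # Port 3 hosts a capture station whose NIC is in promiscuous mode.
    return device_cls({1: Nic(A), 2: Nic(B), 3: Nic(C, promiscuous=True)})

if __name__ == "__main__":
    hub, sw = topology(Hub), topology(Switch)
    print("hub    A->B:", observers(hub, 1, A, B))  # B plus the sniffer on C
    print("switch A->B:", observers(sw, 1, A, B))   # flooded: B not learned yet
    print("switch B->A:", observers(sw, 2, B, A))   # A was learned from frame 1
    print("switch A->B:", observers(sw, 1, A, B))   # only B: C sees nothing
```

Once the switch has learned both hosts, the promiscuous station on port 3 no longer receives their unicast frames at all, which is exactly why the attack techniques mentioned above aim to push the switch back into hub-like flooding.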

Last updated 4 years ago