Sniffers - SCF Faculty Site Homepage

8.1 Sniffers, identify types of sniffing, and understand active and passive sniffing
Exam Focus: Sniffers, identify types of sniffing, and understand active and passive sniffing.
Objective includes:
- Understand lawful intercept and wiretapping.
- Understand sniffing and protocols vulnerable to it.
- Identify types of sniffing.
- Understand active and passive sniffing.
Lawful intercept
As authorized by judicial or administrative order, lawful intercept allows a Law Enforcement
Agency (LEA) to perform electronic surveillance on a target. Wiretaps on the traditional
telecommunications and Internet services in voice, data, and multiservice networks are used to
perform the surveillance. The LEA provides a request for a wiretap to the target's service
provider. The target's service provider intercepts data communication to and from the individual.
The service provider determines the edge router that handles the target's traffic by using the
target's IP address or session. The service provider then intercepts the target's traffic as it passes
via the router and forwards a copy of the intercepted traffic to the LEA without the target's
knowledge.
Benefits of lawful intercept
The following are the benefits of lawful intercept:
- It permits multiple LEAs to run a lawful intercept on the same target without each other's knowledge.
- It hides information regarding lawful intercepts from all but the most privileged users.
- It supports wiretaps in both the input and output direction.
- It does not affect the subscriber's services on the router.
- It supports wiretaps of individual subscribers who share a single physical interface.
- It provides two secure interfaces: one for setting up the wiretap and the other for sending the intercepted traffic to the LEA.
Network components used for lawful intercept
The following are network components used for lawful intercept:
- Intercept Access Point (IAP): the device (typically the edge router) that sees the target's traffic and provides the intercepted content for the lawful intercept.
- Mediation device: manages most of the processing for the lawful intercept, including provisioning the IAP and formatting the intercepted data for the LEA.
- Collection function: stores and processes the traffic that is intercepted by the service provider.
Wiretapping
Wiretapping is the process of monitoring telephone and Internet conversations by a third party. The attacker connects a listening device to the circuit that carries information between two phones or two hosts. The listening device may be hardware, software, or a combination of both. The following are the types of wiretapping:
- Passive wiretapping: monitors and records the traffic.
- Active wiretapping: monitors, records, and alters the traffic.
Sniffers
A sniffer is a software tool used to capture network traffic. It puts the NIC into promiscuous mode, so that the card passes up every frame it sees on the segment rather than only the frames addressed to it. Sniffing is a passive attack: the attacker never has to connect to the target host, which also makes it hard to detect. Most of the time it is used to grab logins and passwords from protocols that send them in cleartext. Ethereal, Snort, Windump, EtherPeek, and Dsniff are examples of sniffers; they offer facilities such as a graphical user interface, traffic statistics graphs, and tracking of multiple sessions. Sniffers work at the Data Link layer of the OSI model, so they are not bound by the rules of the applications and services further up the stack: if one layer is compromised, communications are exposed without the other layers being aware of the problem.
Examples of sniffers
The following are examples of sniffers:
- Dsniff: a collection of tools for sniffing passwords, e-mail, and HTTP traffic. It includes dsniff, arpredirect (renamed arpspoof in later releases), macof, tcpkill, tcpnice, filesnarf, and mailsnarf. Dsniff is effective on both shared and switched networks: arpredirect/arpspoof and macof are the tools that make sniffing on a switched network possible. It captures authentication information for FTP, Telnet, SMTP, HTTP, POP, NNTP, IMAP, and other protocols.
- Ethereal: a network protocol analyzer (since renamed Wireshark) that runs on UNIX and Windows operating systems. It can read and analyze data from various network sources such as Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces. It has many features, such as a display-filter language and the ability to view the reconstructed stream of a TCP session.
- EtherPeek: an Ethernet network traffic and protocol analyzer used to capture and analyze network data traffic. It has the following features:
o It has Internet attack plug-ins that are used to test for various attacks such as Land, Rip Trace, Tear Drop, Jolt, Pimp, Oversize IP, and WinNuke attacks.
o It has a Napster plug-in that pinpoints Napster traffic on the network.
o It has sound notification, which allows a user to assign sounds to important network events.
Wireless sniffers
The following are some wireless sniffers:
- Kismet: a Linux-based 802.11 wireless network sniffer and intrusion detection system. It works with any wireless card that supports raw monitoring (rfmon) mode and can sniff 802.11b, 802.11a, and 802.11g traffic. Kismet can be used for the following tasks:
o To identify networks by passively collecting packets
o To detect standard named networks
o To detect masked (hidden-SSID) networks
o To detect the presence of non-beaconing networks via data traffic
- AiroPeek: a Windows-based commercial wireless LAN analyzer for IEEE 802.11b. It supports all higher-level protocols, such as TCP/IP, NetBEUI, and IPX. It can be used to perform the following tasks:
o Site surveys
o Security assessments
o Channel scanning
o Real-time and post-capture WEP decryption
o Client troubleshooting
o WLAN monitoring
o Remote WLAN analysis
o Application layer protocol analysis
- AirSnort: a Linux-based WLAN WEP key recovery tool. It operates by passively monitoring transmissions and exploits the weak initialization vectors in WEP's use of RC4 (the Fluhrer, Mantin and Shamir attack) rather than brute force. Once it has collected enough packets, roughly 5 to 10 million, it recovers the key in under a second.
Types of sniffing
The following are the types of sniffing:
- Passive sniffing: sniffing on a hub, that is, on a shared medium. A hub repeats every frame out every port, so the sniffer sees all traffic without sending anything; only the packets sent by others are monitored.
- Active sniffing: sniffing on a switched network. A switch delivers a frame only to the port that owns the destination MAC address, so the attacker has to inject packets (typically ARP) into the network to redirect traffic or to break the switch's forwarding table; this creates traffic. MAC flooding, MAC duplicating, DHCP starvation, and ARP spoofing are active sniffing techniques. Because active sniffing generates traffic, it can be detected; MAC duplication in particular is easy to spot, since the switch sees the same MAC address on two ports.
Working of a sniffer
A sniffer turns the NIC of a system to the promiscuous mode to listen to all data transmitted on
its segments. The sniffer decodes the information encapsulated in the data packet to constantly
read all information entering the computer via the NIC.
Sniffing threats
An attacker sniffs the network to steal the following sensitive information:
- Email traffic
- Web traffic
- Chat sessions
- FTP passwords
- Router configuration
- DNS traffic
- Syslog traffic
- Telnet passwords
A packet sniffer can only capture traffic on the segment (subnet) it is attached to. Getting onto a segment is often easy: in many enterprises switch ports are left open, so a laptop can simply be plugged into the network. Once attached, an attacker running a packet sniffer in promiscuous mode can capture and analyze all the traffic that reaches that port.
Protocols vulnerable to sniffing
The following protocols are vulnerable to sniffing because they carry credentials and data in cleartext:
- Telnet and Rlogin
- HTTP
- SMTP
- NNTP
- POP
- FTP
- IMAP
Hacking the network using sniffers
The following steps are taken by an attacker for hacking the network using sniffers:
1. Connect the laptop to a switch port.
2. Run discovery tools in order to learn about the network topology.
3. Identify the victim's machine in order to target the attack.
4. Use ARP spoofing techniques to poison the victim machine. The traffic destined for the
victim's machine is redirected to the attacker.
5. Extract passwords and sensitive data from the redirected traffic.
Hardware protocol analyzer
A hardware protocol analyzer is a piece of equipment that captures signals without changing the traffic on a cable segment. It can be used for monitoring network usage and for identifying malicious network traffic generated by hacking software installed on the network. It captures each data packet, decodes it, and analyzes its content against specific predetermined rules.
SPAN port
A SPAN (Switched Port Analyzer) port is a switch port configured to receive a copy of the traffic from one or more other ports or VLANs, so that an analyzer attached to it can see traffic that the switch would otherwise never deliver to that port.
8.2 Understand Address Resolution Protocol (ARP), and the process of ARP spoofing
Exam Focus: Understand Address Resolution Protocol (ARP), and the process of ARP spoofing.
Objective includes:
- Understand Address Resolution Protocol (ARP).
- Understand the process of ARP spoofing.
- Understand ARP poisoning.
Address Resolution Protocol (ARP)
Address Resolution Protocol (ARP) is a network maintenance protocol of the TCP/IP protocol suite. It resolves IP addresses to the media access control (MAC) addresses of network interface cards (NICs). Each host keeps an ARP cache of the IP-to-MAC mappings it has learned. ARP provides the protocol rules for building that mapping (the reverse direction, MAC to IP, is handled by a separate protocol, RARP). ARP is limited to physical networks that support broadcast, because a request is broadcast to every host on the segment.
The Address Resolution Protocol uses a simple message format that contains one address resolution request or response. The size of the ARP message depends on the upper-layer and lower-layer address sizes, which are given by the type of networking protocol (usually IPv4) in use and the type of hardware or virtual link layer that the upper-layer protocol is running on. The message header specifies these types as well as the size of each kind of address, and is completed with the operation code: request (1) or reply (2). The payload of the packet consists of four addresses: the hardware and protocol addresses of the sender and of the target. For IPv4 over Ethernet (6-byte hardware addresses, 4-byte protocol addresses) the message is 28 bytes.
Address Resolution Protocol (ARP) spoofing
Address Resolution Protocol (ARP) spoofing is also known as ARP poisoning or ARP Poison
Routing (APR). It is a technique used to attack an Ethernet wired or wireless network. ARP
spoofing may permit an attacker to perform the following actions:
- Sniff data frames on a local area network (LAN).
- Modify the traffic.
- Stop the traffic altogether.
The attack can only be used on networks that actually use ARP and do not use another method of
address resolution. Sending fake ARP messages to an Ethernet LAN is the principle of ARP
spoofing. Generally, the motive is to link the attacker's MAC address with the IP address of
another node (such as the default gateway). Any traffic that is meant for that IP address will be
mistakenly sent to the attacker instead. The attacker can forward the traffic to the actual default
gateway (passive sniffing) or modify the data before forwarding it. ARP spoofing attacks can be
run from a compromised host or from an attacker's machine that is connected directly to the
target Ethernet segment. Arpspoof (part of the DSniff suite of tools), Cain and Abel, and Ettercap
are the tools that can be used to carry out ARP poisoning attacks. DHCP Snooping Binding table
and Dynamic ARP Inspection should be used to defend against ARP poisoning.
WinArpAttacker and Ufasoft Snif are also ARP poisoning tools. Ufasoft Snif is an automated ARP poisoning tool that sniffs passwords and email messages on the network; it also works on Wi-Fi networks.
ARP spoofing attack
ARP packets can be forged so that traffic is delivered to the attacker's machine. The attacker sends a stream of forged ARP replies (and, with some tools, requests) so that the target's ARP cache fills with false IP-to-MAC mappings; this is what is meant by poisoning. Note the difference from MAC flooding (section 8.5): poisoning targets the ARP caches of hosts, whereas flooding targets the switch's own address table. Once the victim's cache maps the gateway's IP address to the attacker's MAC address, the attacker receives, and can sniff, all the traffic the victim sends toward the gateway.
The underlying exchange is simple. When user A starts a session with user B in the same Layer 2 broadcast domain, A broadcasts an ARP request for B's IP address and waits for B to respond with its MAC address. A malicious user on that unprotected broadcast domain sees the request and can answer it first, or simply keep sending unsolicited replies, claiming B's IP address with the attacker's own MAC address. A has no way to authenticate the reply and accepts it.
Threats of ARP poisoning
An attacker can divert all communications between two machines by using fake ARP messages
to exchange traffic through his/her computer. The following are threats of ARP poisoning:
- Denial of Service (DoS) attack
- Data interception
- VoIP call tapping
- Stealing passwords
- Manipulating data
ARP Watch
Arpwatch listens to ARP traffic on a segment and keeps a database of the IP-to-MAC pairings it has seen. It reports a new station the first time an address pair appears, and raises an alarm when an IP address it already knows shows up with a different MAC address (reported as a changed Ethernet address, or as a "flip flop" when the pairing keeps alternating). A legitimate host rarely changes its MAC address, so such a change on a gateway or server address is a strong indicator that someone is poisoning ARP caches.
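The following added example (not part of the original study guide) puts the two pieces just described into Python: it builds and parses IPv4-over-Ethernet ARP messages using the field layout from 8.2 (hardware type, protocol type, address lengths, opcode 1 or 2, then the four addresses), and it runs an arpwatch-style monitor over a short sequence of frames. The legitimate request/reply, the attacker's forged reply, and all MAC and IP addresses are constructed lab values, not captured data; the forged reply is the kind of packet arpspoof sends. The monitor is fed frames directly instead of reading an interface so that the example runs offline.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sha, spa, tha, tpa):
    """Ethernet frame carrying an IPv4-over-Ethernet ARP message (28-byte payload).

    Requests go to the broadcast MAC; replies are unicast to the target MAC.
    """
    dst = BROADCAST if op == ARP_REQUEST else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "op": op,
        "sha": mac_str(body[0:6]), "spa": ip_str(body[6:10]),
        "tha": mac_str(body[10:16]), "tpa": ip_str(body[16:20]),
    }


class ArpWatch:
    """arpwatch-style monitor: remember the MAC last seen for each sender IP, report changes."""

    def __init__(self):
        self.table = {}   # ip -> mac
        self.alerts = []

    def feed(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["spa"] == "0.0.0.0":   # not ARP, or an ARP probe with no binding
            return pkt
        ip, mac = pkt["spa"], pkt["sha"]
        old = self.table.get(ip)
        if old is None:
            self.alerts.append(f"new station {ip} {mac}")
        elif old != mac:
            # the same IP now claims a different MAC: exactly what ARP poisoning looks like
            self.alerts.append(f"changed ethernet address {ip} {old} -> {mac}")
        self.table[ip] = mac
        return pkt


# Constructed lab values (assumptions, not captured data).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "00:11:22:33:44:14"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def demo():
    """Legitimate request/reply, then a forged reply of the kind arpspoof sends."""
    watch = ArpWatch()
    watch.feed(build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP))
    watch.feed(build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    # attacker tells the victim that the gateway's IP lives at the attacker's MAC
    watch.feed(build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    return watch


if __name__ == "__main__":
    for line in demo().alerts:
        print(line)
```

The third frame is accepted by the victim's cache for the reason given above (nothing in ARP authenticates the sender), but it is also exactly what the monitor keys on: a known IP address re-appearing with a new MAC address. On a real segment the monitor would read frames from a raw socket or a pcap file instead of demo().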
8.3 Understand MAC duplicating
Exam Focus: Understand MAC duplicating. Objective includes:
- MAC duplicating attack
- VLAN hopping attack
MAC duplicating attack
In a MAC duplicating (MAC spoofing) attack, the attacker changes the MAC address of the sniffing host to that of another system on the local subnet. The switch then sees the same MAC address on two ports and its address table flips between them, so frames for the legitimate host are delivered to the attacker's port at least part of the time. This differs from ARP spoofing: ARP spoofing confuses hosts by poisoning their ARP caches, whereas MAC duplicating confuses the switch. SMAC is a MAC spoofing tool. The DHCP snooping binding table, Dynamic ARP Inspection, and IP Source Guard are used to defend against MAC spoofing.
Suppose, for example, a legitimate user has the MAC address AA:BB:CC:DD:EE:FF and the switch permits network access only to that MAC address. The attacker sniffs the network for the MAC addresses of currently associated users, then uses that MAC address to attack other users associated with the same switch port.
Spoofing attack threats
The following are MAC spoofing threats:
- The network can be accessed by an attacker if MAC addresses are used for network access control.
- An attacker can take over the identity of someone already on the network.
The following are IP spoofing threats:
- Ping of death
- ICMP unreachable
- SYN flood
- Trusted IP addresses can be spoofed
DHCP servers
DHCP servers maintain TCP/IP configuration information in a database, including valid TCP/IP configuration parameters, the pool of valid IP addresses, and the duration of the leases the server hands out. A server delivers address configuration to DHCP-enabled clients in the form of a lease offer. DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK, DHCPDECLINE, DHCPRELEASE, and DHCPINFORM are the DHCP request/reply messages.
In a DHCP starvation attack, an attacker broadcasts a large number of DHCPDISCOVER requests, each with a different spoofed client MAC address, and attempts to lease every address in the DHCP scope so that legitimate clients can no longer obtain one.
Attackers can then set up a rogue DHCP server on the network, which answers the clients the real server can no longer serve. By running a rogue DHCP server, an attacker can hand out incorrect TCP/IP settings. The following are the potential problems with incorrect information:
- Wrong default gateway: the attacker becomes the gateway and can sniff or alter the traffic.
- Wrong DNS server: the attacker becomes the DNS server and can redirect names.
- Wrong IP address: denial of service through an incorrect or conflicting IP address.
Gobbler
Gobbler is a DHCP starvation attack tool. Port security should be enabled to defend against
DHCP starvation attack. DHCP snooping should be enabled to defend against DHCP rogue
server attack.
VLAN hopping attack
VLAN hopping (Virtual LAN hopping) is a computer security exploit: a method of attacking a network by getting traffic onto a VLAN, and to ports, that the attacker's own port should not be able to reach. VLAN hopping attacks generally abuse the Dynamic Trunking Protocol (DTP) and the trunk encapsulation protocol (802.1Q or ISL). There are two primary methods of VLAN hopping:
1. Switch spoofing: the attacker's host imitates a switch by speaking DTP (together with ISL or 802.1Q) toward a port left in auto-trunking mode, persuading the switch to turn the link into a trunk. If this succeeds, the attacker's port carries the traffic for all VLANs allowed on the trunk.
2. Double tagging: the attacker sends frames carrying two 802.1Q tags. The outer tag is the native VLAN of the trunk between two switches, which must also be the VLAN of the attacker's access port; the inner tag is the target VLAN. The first switch strips the outer tag, because native-VLAN traffic is sent untagged across the trunk, leaving a frame that carries only the inner tag. The second switch reads that remaining tag and forwards the frame into the target VLAN. The attack is one-way (the victim's replies do not come back to the attacker) and is defeated by giving trunks a dedicated, unused native VLAN or by tagging native-VLAN traffic on the trunk.
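An added Python example (not from the original guide) that makes the double-tagging mechanics concrete: it builds an Ethernet frame carrying two stacked 802.1Q tags, simulates the first switch forwarding it out a trunk (the native VLAN leaves the trunk untagged, so that tag is stripped), and reports which VLAN the second switch assigns from the tag that remains. The MAC addresses and VLAN numbers are assumed values, and the simulation assumes the attacker's access port accepts a frame tagged with its own VLAN, which is the behaviour the attack relies on. The same functions show the mitigation described above: when the trunk's native VLAN differs from the attacker's access VLAN, the outer tag is not stripped and the frame stays in the attacker's VLAN.

```python
import struct

TPID_8021Q = 0x8100
ETH_P_IP = 0x0800

# Assumed lab MAC addresses.
ATTACKER = bytes.fromhex("deadbeef0001")
VICTIM = bytes.fromhex("001122334455")


def vlan_tag(vid, pcp=0):
    """One 802.1Q tag: TPID 0x8100 followed by the TCI (3-bit PCP, DEI, 12-bit VID)."""
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst, src, vids, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags followed by an IPv4 EtherType."""
    tags = b"".join(vlan_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ETH_P_IP) + payload


def vlan_tags(frame):
    """Return the stacked VIDs in wire order plus the offset of the EtherType after them."""
    off, vids = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, off


def trunk_egress(frame, native_vlan):
    """A switch sending a frame out an 802.1Q trunk.

    Frames in the trunk's native VLAN go out untagged, so their (outer) tag is removed;
    frames in any other VLAN keep their tag.
    """
    vids, _ = vlan_tags(frame)
    if vids and vids[0] == native_vlan:
        return frame[:12] + frame[16:]   # drop the first 4-byte tag
    return frame


def trunk_ingress_vlan(frame, native_vlan):
    """The VLAN the receiving switch assigns to a frame arriving on the trunk."""
    vids, _ = vlan_tags(frame)
    return vids[0] if vids else native_vlan


def double_tag_attack(attacker_vlan, trunk_native_vlan, target_vlan):
    """Attacker on an access port in attacker_vlan sends tags [attacker_vlan, target_vlan].

    Returns the VLAN the frame ends up in after crossing one trunk.
    """
    frame = build_frame(VICTIM, ATTACKER, [attacker_vlan, target_vlan], b"hello victim")
    on_trunk = trunk_egress(frame, trunk_native_vlan)          # first switch
    return trunk_ingress_vlan(on_trunk, trunk_native_vlan)      # second switch


if __name__ == "__main__":
    print("native VLAN = attacker's VLAN:", double_tag_attack(1, 1, 20))     # 20
    print("dedicated native VLAN 999:   ", double_tag_attack(1, 999, 20))   # 1
```

With the default configuration (access VLAN 1, native VLAN 1) the frame lands in VLAN 20; with an unused native VLAN the first switch leaves both tags in place and the second switch files the frame under the attacker's own VLAN 1.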
Protection from MAC duplication and VLAN hopping
There are various methods to protect against these attacks. Some of these methods apply to both non-switched and switched environments.
- IP filtering: by enabling IP filtering on the switch, a network administrator directly specifies which traffic is allowed to flow to and from each port.
- Port security: by enabling port security, a network administrator can prevent MAC flooding and MAC spoofing attacks.
- Routing security: routing should only be performed by the designated routers.
Role of port security in MAC attacks
Port security is required to limit MAC flooding. It locks down ports and sends an SNMP trap. It
restricts the MAC addresses that can connect through a particular port of the switch. This feature
permits a specific MAC address or a range of MAC addresses to be specified for a particular
port.
8.4 Learn ethereal capture and display filters
Exam Focus: Learn ethereal capture and display filters. Objective includes:
- Ethereal
- Wireshark
- Wireshark filters
Ethereal
Ethereal is the earlier name of the network protocol analyzer now distributed as Wireshark; it runs on UNIX and Windows operating systems. It can read and analyze data from various network sources such as Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces. It has many features, such as a display-filter language and the ability to view the reconstructed stream of a TCP session.
Wireshark
Wireshark is a free packet sniffer (network protocol analyzer). It is used for the following purposes:
- Network troubleshooting
- Network analysis
- Software and communications protocol development
- Education
Wireshark is functionally similar to tcpdump, but it has a graphical front-end and many more sorting and filtering options. By putting the network interface into promiscuous mode, it lets a user view all traffic passing over the segment. Wireshark captures packets through the pcap library, so it can capture only on the network types that pcap supports. It has the following features:
- Capturing data "from the wire" from a live network connection, or reading from a file of already-captured packets
- Reading live data from a number of network types, including Ethernet, IEEE 802.11, PPP, and loopback
- Browsing captured network data through a GUI, or through the terminal (command-line) version of the utility, tshark
- Editing or converting capture files programmatically through command-line switches to the "editcap" program
- Refining the data shown using a display filter
- Creating plugins for dissecting new protocols
Wireshark filters
The following are Wireshark display filters:
- tcp.flags.reset == 1: displays all TCP resets.
- http.request: displays all HTTP requests (GET, POST, and so on); to restrict the view to GETs, use http.request.method == "GET".
- tcp contains traffic: displays all packets whose TCP segment includes the string 'traffic'.
- udp contains 33:27:58: displays packets whose UDP datagram contains the bytes 0x33 0x27 0x58 at any offset.
- tcp.analysis.retransmission: displays all retransmissions in the trace.
Few important filters of ethereal
Ethereal/Wireshark uses two different filter languages, and it matters which one is being typed. Display filters (the first three below) use protocol field names and operators such as == or eq, and are applied to packets that have already been captured. Capture filters (the remaining four) use the tcpdump/BPF syntax, are handed to pcap before capture starts, and decide which packets are recorded at all.
- ip.dst eq www.eccouncil.org: display only packets destined for the web server http://www.eccouncil.org/ (the name is resolved when the filter is applied).
- ip.src == 192.168.1.1: display only packets coming from the host 192.168.1.1.
- eth.dst eq ff:ff:ff:ff:ff:ff: display only Layer 2 broadcast frames.
- host 172.18.5.4: capture only traffic to or from IP address 172.18.5.4.
- net 192.168.0.0/24: capture traffic to or from the range of IP addresses 192.168.0.0 to 192.168.0.255.
- port 80: capture traffic with source or destination port 80 (HTTP); use dst port 80 to match only traffic toward the server.
- port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420: capture HTTP GET requests. The filter looks for the bytes "G", "E", "T", and " " (hex values 47, 45, 54, and 20) immediately after the TCP header. The expression (tcp[12:1] & 0xf0) >> 2 works out the TCP header length in bytes: the high nibble of byte 12 is the data offset in 32-bit words, and shifting the masked byte right by 2 multiplies that count by 4, so the filter still matches when TCP options make the header longer than 20 bytes.
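To see why the GET filter above computes the TCP header length instead of assuming 20 bytes, here is an added Python equivalent (not part of the original page) applied to constructed Ethernet/IPv4/TCP frames. It reads the IPv4 header length, checks that the protocol is TCP, reads the data offset from byte 12 of the TCP header exactly as (tcp[12:1] & 0xf0) >> 2 does, and compares the first four payload bytes with "GET ". The frames, ports and addresses are constructed for the example; checksums are left at zero because a capture filter never inspects them.

```python
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def tcp_offsets(frame):
    """For an Ethernet/IPv4/TCP frame return (tcp_header_start, tcp_payload_start), else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[14 + 9] != IPPROTO_TCP:      # IPv4 protocol field
        return None
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    # The data offset is the high nibble of TCP byte 12, counted in 32-bit words.
    # (byte & 0xF0) >> 2 is the same arithmetic as the BPF expression in the filter.
    data_off = (frame[tcp + 12] & 0xF0) >> 2
    return tcp, tcp + data_off


def matches_http_get(frame):
    """Python equivalent of: port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420"""
    offs = tcp_offsets(frame)
    if offs is None:
        return False
    tcp, payload = offs
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    if 80 not in (sport, dport):          # 'port 80' matches either direction
        return False
    return frame[payload:payload + 4] == b"GET "   # 0x47 0x45 0x54 0x20


def build_frame(sport, dport, payload, tcp_options=b""):
    """Constructed Ethernet/IPv4/TCP frame. Checksums are zero: a capture filter never checks them."""
    assert len(tcp_options) % 4 == 0
    data_off_words = 5 + len(tcp_options) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                          data_off_words << 4, 0x18, 65535, 0, 0) + tcp_options
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                         IPPROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 80]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth + ip_hdr + tcp_hdr + payload


def demo():
    """Four constructed frames: plain GET, GET behind 12 bytes of TCP options, POST, GET on port 8080."""
    frames = [
        build_frame(40000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        build_frame(40001, 80, b"GET /login HTTP/1.1\r\n\r\n", tcp_options=b"\x01" * 12),
        build_frame(40002, 80, b"POST /login HTTP/1.1\r\n\r\n"),
        build_frame(40003, 8080, b"GET / HTTP/1.1\r\n\r\n"),
    ]
    return [matches_http_get(f) for f in frames]


if __name__ == "__main__":
    print(demo())   # [True, True, False, False]
```

The second frame is the instructive one: its TCP header is 32 bytes, so a filter that hard-coded offset 54 (14 + 20 + 20) would be looking at the option bytes and miss the request, while the data-offset arithmetic finds "GET " where it actually starts.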
8.5 Understand MAC flooding, understand DNS spoofing techniques, and DNS spoofing
countermeasures
Exam Focus: Understand MAC flooding, understand DNS spoofing techniques, DNS spoofing countermeasures. Objective includes:
- Understand MAC flooding.
- Understand DNS spoofing techniques.
- Identify sniffing countermeasures.
MAC flooding
MAC flooding is a technique employed to compromise the security of network switches. In a
typical MAC flooding attack, a switch is flooded with packets, each containing different source
MAC addresses. The intention is to consume the limited memory set aside in the switch to store
the MAC address-to-physical port translation table. The result of this attack causes the switch to
enter a state called failopen mode, in which all incoming packets are broadcast out on all ports
(as with a hub), instead of just down the correct port as per normal operation. A malicious user
could then use a packet sniffer (such as Wireshark) running in promiscuous mode to capture
sensitive data from other computers (such as unencrypted passwords, e-mail and instant
messaging conversations), which would not be accessible were the switch operating normally.
Yersinia is a MAC flooding tool.
MAC address/ CAM table
Every Content Addressable Memory (CAM) table has a fixed size. It holds the MAC addresses seen on each physical port together with their associated VLAN parameters.
Working of CAM:
A switch learns the source MAC address of each frame it receives and records which port the frame came from. Once the CAM table is full, no new addresses can be learned, so any frame to an address that is not in the table (including legitimate hosts whose entries have aged out and cannot be re-learned) is flooded out every port. This basically turns the switch into a hub. Because the flooded frames also cross trunks, the CAM tables of adjacent switches are filled by the same attack.
Macof
Macof is a tool of the dsniff tool set, and it is used to flood the local network with random MAC
addresses. It causes some switches to fail open in repeating mode, and facilitates sniffing. It
generates random MAC addresses exhausting the switch's memory and is capable of generating
155,000 MAC entries on a switch per minute. Due to this effect, most of the switches revert to
act like a hub.
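An added Python example (not from the original guide and not dsniff code) that simulates what macof does to a switch and what port security (section 8.3) changes. A toy learning switch keeps a fixed-size CAM table; a flood of random source MACs from the attacker's port fills it, after which the switch can no longer learn the legitimate hosts and floods their frames out every port, including the attacker's. With a per-port limit of one MAC address, the second unknown address on the attacker's port trips a violation, the port is error-disabled, and the victim's traffic stays unicast. All MAC addresses, port numbers and the table size are assumed values; the CAM size is small compared to a real switch only so that the flood stays short.

```python
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy learning switch with a fixed-size CAM table and optional port security.

    cam maps source MAC -> ingress port. Frames to an unknown (or broadcast) destination
    are flooded out every other port, which is the behaviour a sniffer exploits.
    """

    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam_size = cam_size
        self.max_macs = max_macs_per_port
        self.cam = {}
        self.err_disabled = set()
        self.flooded = 0            # number of frames sent hub-style

    def _learn(self, src, port):
        if src in self.cam:
            self.cam[src] = port
            return
        if self.max_macs is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs:
                # port-security violation: shut the port (a real switch also logs / sends an SNMP trap)
                self.err_disabled.add(port)
                return
        if len(self.cam) >= self.cam_size:
            return                  # CAM full: the address simply cannot be learned
        self.cam[src] = port

    def forward(self, src, dst, in_port):
        """Return the set of ports the frame is sent out of."""
        if in_port in self.err_disabled:
            return set()
        self._learn(src, in_port)
        if in_port in self.err_disabled:   # this very frame caused the violation
            return set()
        out = self.cam.get(dst)
        if dst == BROADCAST or out is None:
            self.flooded += 1
            return self.ports - {in_port} - self.err_disabled
        return {out} - {in_port}


def rand_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def run_scenario(max_macs_per_port=None, flood_frames=1500, seed=1):
    """macof-style flood from port 3, then a conversation between ports 1 and 2.

    Returns (switch, ports the server's reply was sent to). Assumed values throughout.
    """
    sw = Switch(ports=[1, 2, 3], cam_size=1024, max_macs_per_port=max_macs_per_port)
    victim, server, attacker_port = "00:aa:00:00:00:01", "00:aa:00:00:00:02", 3
    rng = random.Random(seed)
    for _ in range(flood_frames):                      # random src and dst, like macof
        sw.forward(rand_mac(rng), rand_mac(rng), attacker_port)
    sw.forward(victim, server, 1)                      # server unknown yet: flooded either way
    reply_ports = sw.forward(server, victim, 2)        # should reach port 1 only
    return sw, reply_ports


if __name__ == "__main__":
    sw, ports = run_scenario()
    print("no port security: CAM entries", len(sw.cam), "reply sent to ports", sorted(ports))
    sw, ports = run_scenario(max_macs_per_port=1)
    print("port security:    CAM entries", len(sw.cam), "reply sent to ports", sorted(ports),
          "err-disabled", sorted(sw.err_disabled))
```

Without port security the table ends up full of the attacker's random addresses and the server's reply to the victim is flooded to ports 1 and 3, so the sniffer on port 3 sees it. With a one-address limit only the first flood frame is learned, port 3 is error-disabled on the second, and the reply goes to port 1 alone.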
Cache poisoning
Cache poisoning is also known as DNS cache poisoning. When a DNS server cannot answer the
query within its cache, the DNS server forwards the query to another DNS server on behalf of
the client. If the query passed to the other DNS server holds incorrect information, then cache
poisoning can occur. Malicious cache poisoning is also known as DNS spoofing.
DNS spoofing
DNS spoofing is a MITM attack that is used to supply false DNS information to the users when
they attempt to browse. For example, if there is a website www.bankofamerica.com residing at
the IP address XXX.XX.XX.XX, the users of the website can be sent to a fake
www.bankofamerica.com residing at IP address YYY.YY.YY.YY, which an attacker has created
in order to steal online banking credentials.
DNS poisoning
DNS poisoning tricks a DNS server into believing that it has received authentic information when in reality it has not. It results in a false IP address being substituted at the domain name service level, where host names are converted into numeric IP addresses. The following are DNS poisoning techniques:
- Intranet DNS spoofing: the attacker must be connected to the local area network (LAN) and be able to sniff packets. It works well on switched networks in combination with ARP poisoning, which lets the attacker see the victim's DNS queries and answer them first.
- Internet DNS poisoning: the attacker infects a user's machine with a Trojan and changes the user's configured DNS server address to one controlled by the attacker.
- DNS cache poisoning: records are changed or added in a DNS server's resolver cache so that a query for a domain returns the IP address of a fake website set up by the attacker. If the server cannot validate that a response came from an authoritative source, it caches the incorrect entries locally and serves them to every user making the same request until they expire.
- Proxy server DNS poisoning: attackers send a Trojan to a user's machine that changes the user's proxy server settings in Internet Explorer to point at the attacker's proxy.
Defend against DNS poisoning
The following actions are taken to defend against DNS poisoning:
- All DNS queries should be resolved through a local DNS server.
- DNS requests from internal hosts should be blocked from going directly to external servers.
- DNSSEC should be implemented.
- A DNS resolver should be configured to use a new random source port from its available range for each outgoing query, so that an attacker has to guess the port as well as the 16-bit transaction ID.
- The firewall should be configured to restrict external DNS lookups.
- Recursive DNS service, either full or partial, should be restricted to authorized users.
- DNS Non-Existent Domain (NXDOMAIN) rate limiting should be used.
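An added Python example (not from the original guide) showing why the source-port item above matters. A toy resolver encodes and parses DNS messages (without name compression, since it only ever reads messages it built itself), tracks each outstanding query by the UDP port it was sent from and its transaction ID, and accepts an answer only if the response arrives at that port, from the server that was queried, with the same transaction ID and question, and with answer names that stay within the question (a simplified bailiwick check). An attacker who has triggered the lookup for www.example.com. spoofs the upstream server's address and sends all 65536 possible transaction IDs toward port 53: with a fixed source port of 53 one guess is guaranteed to land; with a random port none does. The IP addresses are RFC 5737 documentation addresses and the upstream server is an assumed value.

```python
import random
import struct


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(data, off):
    """Read an uncompressed name; returns (name, offset after it)."""
    labels = []
    while True:
        ln = data[off]
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", off


def build_query(txid, qname):
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)       # RD set, one question
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1)    # type A, class IN


def build_response(txid, qname, ipv4):
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)       # QR+RD+RA, one answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return hdr + question + answer


def parse_response(pkt):
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4                                    # skip qtype/qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "qname": qname, "answers": answers}


class Resolver:
    """Toy recursive resolver. Outstanding queries are keyed by (source port, txid)."""

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.pending = {}
        self.cache = {}

    def send_query(self, qname, upstream):
        txid = self.rng.randrange(65536)
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53   # weak: fixed 53
        self.pending[(port, txid)] = (qname, upstream)
        return port, build_query(txid, qname)

    def receive(self, dst_port, src_ip, pkt):
        """Accept a response only if it matches an outstanding query on every checkable field."""
        key = (dst_port, struct.unpack("!H", pkt[:2])[0])
        if key not in self.pending:
            return False
        qname, upstream = self.pending[key]
        resp = parse_response(pkt)
        if src_ip != upstream or resp["qname"] != qname:
            return False
        if any(name != qname for name, _, _ in resp["answers"]):   # simplified bailiwick check
            return False
        del self.pending[key]
        self.cache[qname] = [rdata for _, _, rdata in resp["answers"]]
        return True


def poisoning_attempt(randomize_port, seed=7):
    """Attacker spoofs the upstream and tries every txid toward port 53; returns the cached address."""
    upstream, qname = "192.0.2.53", "www.example.com."    # assumed upstream, example domain
    res = Resolver(randomize_port, random.Random(seed))
    port, query = res.send_query(qname, upstream)
    for guess in range(65536):
        if res.receive(53, upstream, build_response(guess, qname, "203.0.113.66")):
            break                                         # forged answer accepted
    real_txid = struct.unpack("!H", query[:2])[0]
    res.receive(port, upstream, build_response(real_txid, qname, "198.51.100.10"))  # real answer, late
    return res.cache[qname][0]


if __name__ == "__main__":
    print("fixed source port 53:", poisoning_attempt(randomize_port=False))   # 203.0.113.66
    print("random source port:  ", poisoning_attempt(randomize_port=True))    # 198.51.100.10
```

The legitimate answer arrives after the attacker's burst in both runs; with the fixed port it is discarded because the forged answer already closed the pending query, which is exactly how a poisoned entry ends up being served to every later client until its TTL expires.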
Sniffing prevention techniques
The following are sniffing prevention techniques:
- Using PGP and S/MIME
- Using Virtual Private Networks (VPNs)
- Using Secure Shell (SSH)
- Using IP Security (IPsec)
- Using one-time passwords (OTP)
- Using the SSL/TLS protocol
Defend against sniffing
The following actions are taken to defend against sniffing:
- Physical access to the network media should be restricted, so that a packet sniffer cannot be attached.
- Encryption should be used to protect confidential information.
- The MAC address of the gateway should be permanently (statically) added to the ARP cache.
- Static IP addresses and static ARP tables should be used so that attackers cannot add spoofed ARP entries for machines in the network.
- Network identification broadcasts should be turned off and, where the network can be restricted to authorized users, it should be protected from being discovered with sniffing tools.
- IPv6 should be used instead of IPv4.
- Encrypted sessions (SSH instead of Telnet, Secure Copy (SCP) instead of FTP, and SSL/TLS for email connections) should be used to protect wireless network users against sniffing attacks.
Countermeasures against DNS spoofing
DNS spoofing is difficult to defend against, because from the victim's point of view a forged answer looks like any other. However, the following steps can be taken as countermeasures against DNS spoofing attacks:
- Secure internal machines: since DNS spoofing is performed via the network, if the internal network devices are secure, there is little chance of internal servers being compromised.
- Don't rely on DNS for secure systems.
- Use an IDS: a network administrator should install an intrusion detection system to raise alarms on ARP cache poisoning and DNS spoofing.
- Use DNSSEC to secure DNS records.
8.6 Know various sniffing tools, identify sniffing detection and defensive techniques
Exam Focus: Know various sniffing tools, and identify sniffing detection and defensive
techniques. Objective includes:
- Know various sniffing tools.
- Identify sniffing detection and defensive techniques.
Sniffing tools
The following are sniffing tools:
- EtherDetect Packet Sniffer
- Ettercap
- dsniff
- Windump
- CACE Pilot
- EffeTech HTTP Sniffer
- SmartSniff
- Ntop
- EtherApe
- Network Probe
- Maa Tec Network Monitor
- Snort
- Alchemy Network Monitor
- Colasoft MSN Monitor
- CommView
- Sniff'em
- NetResident
- Kismet
- IE HTTP Analyzer
- AIM Sniffer
- MiniStumbler
- Netstumbler
- PacketMon
- Packet Sniffer
- EtherScan Analyzer
- NaDetector
- PRTG Network Monitor
- Microsoft Network Monitor
- Sniff-O-Matic
- NetworkMiner
- Network Security Toolkit
- Jitbit Network Sniffer
- Atelier Web Ports Traffic Analyzer (AWPTA)
The following are some important sniffing tools:
- Tcpdump: a powerful command-line packet sniffer for Unix-like systems (Linux, the BSDs, macOS); WinDump is its Windows port.
- Ace: a password sniffing tool. Ace Password Sniffer monitors and captures passwords carried by FTP, POP3, HTTP, SMTP, Telnet, and webmail.
- Capsa Network Analyzer: a packet sniffing tool that captures all data transmitted over the network and presents a wide range of analysis statistics in an intuitive, graphical manner.
- OmniPeek sniffer: displays a Google Map in the OmniPeek capture window showing the location of all the public IP addresses seen in captured packets. It is a convenient way to monitor the network in real time and to see where in the world traffic is coming from.
- Observer: delivers a comprehensive drill-down into network traffic, with back-in-time analysis, reporting, trending, alarms, application tools, and route monitoring capabilities.
- Big-Mother: an eavesdropping program that captures and analyzes communication traffic on a home network by sniffing at the switch. It has the following features:
o It logs URL visits, email, chats, games, FTP, and data flows in real time.
o It takes webpage snapshots, duplicates email and FTP copies, records MSN Messenger content, and produces statistical reports.
EtherApe
EtherApe is a packet sniffer/network traffic monitoring tool, developed for Unix. Network traffic
is displayed using a graphical interface. Each node represents a specific host. Links represent
connections to hosts. Nodes and links are color coded to represent different protocols forming
the various types of traffic on the network. Individual nodes and their connecting links grow and
shrink in size with increase and decrease in network traffic. EtherApe supports Ethernet, FDDI,
Token Ring, ISDN, PPP and SLIP devices.
Dsniff
Dsniff is a set of tools used for sniffing passwords, e-mail, and HTTP traffic. Dsniff tools include the following:
- dsniff
- arpredirect (renamed arpspoof in later releases)
- macof
- tcpkill
- tcpnice
- filesnarf
- mailsnarf
Dsniff is highly effective for sniffing both switched and shared networks; arpredirect/arpspoof and macof are what make sniffing on a switched network possible. It can also be used to capture authentication information for the following:
- FTP
- Telnet
- SMTP
- HTTP
- POP
- NNTP
- IMAP
EtherPeek
EtherPeek is an Ethernet network traffic and protocol analyzer that is used to capture and analyze
network data traffic. It has the following features:
- It has Internet attack plug-ins that are used to test for various attacks such as Land, Rip Trace, Tear Drop, Jolt, Pimp, Oversize IP, and WinNuke attacks.
- It has a Napster plug-in that pinpoints Napster traffic on the network.
- It includes a sound notification, which allows a user to assign sounds to important network events.
Mailsnarf
Mailsnarf is a tool that captures and outputs SMTP mail traffic sniffed on the network. Once the
attacker gets access to the target subnet, he can use mailsnarf to capture mail traffic that passes
through the network subnet or Ethernet switch. Mailsnarf reassembles and displays e-mail traffic
in a proper format; hence, the attacker can easily read other users' e-mail.
Webspy
Webspy is a tool that allows the network administrator to see all the Web pages visited by an
attacker. For example, if the IP address of the attacker is 222.222.222.222, running the command
webspy 222.222.222.222 intercepts all HTTP traffic to and from 222.222.222.222 and passes it
to a local browser. However, Webspy does not follow targets over SSL connections, and it does
not reveal information entered into form fields (such as passwords).
Form Scalpel
Form Scalpel is a hacking tool that is used to assess the resilience of Web sites to various forms
of attacks. It supports HTTP/HTTPS, Proxy servers, Cookies, Java/javascript/vbscript/XML
pages and forms. It also provides detailed analysis of certificates as well as real-time
manipulation of HTML data.
Hping
Hping is a free packet generator and analyzer for the TCP/IP protocol suite. Hping is one of the de
facto tools for security auditing and testing of firewalls and networks. The new version of hping,
hping3, is scriptable using the Tcl language and implements an engine for string-based, human-
readable description of TCP/IP packets, so that the programmer can write scripts for low-level
TCP/IP packet manipulation and analysis in a very short time. Like most tools used in computer
security, hping is useful to both system administrators and crackers (or script kiddies).
Discovery tools
The following are discovery tools:
NetworkView: It is a network discovery and management tool for Windows. It uses
DNS, SNMP, ports, NetBIOS, and WMI to discover TCP/IP nodes and routes.
Dude sniffer: It scans all devices within the specified subnets and draws a detailed layout
map.
Sniffers detection techniques
The following are sniffer detection techniques:
Ping method: In this method, a ping request is sent to the IP address of the suspect
machine but with a destination MAC address that is not the machine's own. Normally this
packet is dropped, because an Ethernet adapter rejects frames whose destination MAC
address does not match its own. However, if the system is in promiscuous mode, it does not
reject frames with a different destination MAC address, so the packet reaches the IP stack
and the system responds.
ARP method: This method is based on the concept that a system in promiscuous mode sees
ARP frames that are not addressed to it and caches the addresses they carry. An ARP frame
carrying our IP and MAC address is first sent so that only a sniffing system caches it; in the
next step, we send a broadcast ping packet with our IP but a different MAC address. Only a
system in promiscuous mode will have the correct MAC address from the sniffed ARP frame,
so only the system in promiscuous mode will be able to respond to the broadcast ping
request.
Latency method: This method is based on the assumption that most sniffers do some
parsing. If the system is in promiscuous mode, it will parse the data. This increases the load
on it, so it takes extra time to respond to the ping packet.
ARP Watch: It can be used to monitor the ARP cache of a machine to see if there is
duplication for a system. If there is duplication or the system is in promiscuous mode,
arpwatch can trigger alarms and lead to detection of sniffers.
Promiscuous mode: Promiscuous mode permits a network device to intercept and read every
packet that arrives, in its entirety. Machines that are running in promiscuous mode are
checked for. PromqryUI, a security tool from Microsoft, and PromiScan are promiscuous-mode
detection tools; they detect network interfaces running in promiscuous mode.
IDS: An IDS can be used to alert administrators regarding suspicious activities. It is run and
checked to see whether the MAC address of specific machines has changed.
Network tools: Network tools such as HP Performance Insight can be run in order to
monitor the network for strange packets. Network tools are useful to collect, consolidate,
centralize, and analyze traffic data across different network resources and technologies.
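The ARP Watch and IDS techniques above both come down to the same check: keep a table of which MAC address has answered for which IP, and alarm when a binding changes or one MAC starts answering for several IPs. The following is an added example that is not code from the original page or from the arpwatch project; it runs that check over constructed tcpdump-style ARP reply lines (not a real capture), so it works offline.

```python
"""Toy arpwatch: flag IP-to-MAC changes and MAC duplication in observed ARP replies.

Added example, not code from the original page or from the arpwatch project.
The input lines are constructed here in tcpdump-style ARP reply format.
"""
import re
from collections import defaultdict

# Constructed sample, not a real capture: what a sniffer/arpwatch on the segment
# would see. At 12:00:05 the gateway IP suddenly claims the MAC of host .7, and
# at 12:00:06 a third IP claims that same MAC.
SAMPLE_ARP_LOG = """\
12:00:01.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000000 ARP, Reply 10.0.0.5 is-at 00:11:22:33:44:05, length 28
12:00:03.000000 ARP, Reply 10.0.0.7 is-at 00:11:22:33:44:07, length 28
12:00:04.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:05.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:07, length 28
12:00:06.000000 ARP, Reply 10.0.0.9 is-at 00:11:22:33:44:07, length 28
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are ignored."""
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def watch_arp(replies):
    """Return alerts in the order they fire.

    'changed'   : an IP that was bound to one MAC is now claimed by another MAC
                  (the flip-flop that arpwatch reports; typical of ARP spoofing).
    'duplicate' : one MAC is now answering for more than one IP address.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append({"type": "changed", "ts": ts, "ip": ip,
                           "old_mac": old, "new_mac": mac})
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append({"type": "duplicate", "ts": ts, "mac": mac,
                               "ips": sorted(mac_to_ips[mac])})
    return alerts


def analyze_arp_log(text=SAMPLE_ARP_LOG):
    """Parse a tcpdump-style ARP log and return the alerts it raises."""
    return watch_arp(parse_arp_replies(text))


if __name__ == "__main__":
    for alert in analyze_arp_log():
        print(alert)
```

On the constructed sample this raises three alerts: a "changed" alert when 10.0.0.1 moves from 00:11:22:33:44:01 to 00:11:22:33:44:07, a "duplicate" alert at the same moment because that MAC now answers for two IPs, and a second "duplicate" alert when 10.0.0.9 joins. A change alone is not proof of an attack (DHCP reassignments and NIC replacements also produce one), which is why arpwatch reports the old and new MAC and lets an administrator decide.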
Countermeasures against sniffer attacks
It is quite difficult to overcome sniffer attacks. However, the following steps can be taken as
countermeasures against such attacks:
Use encrypted protocols for all communication.
Segment the network to limit the spread of information.
Use switches instead of hubs, since a switch forwards each frame only to the port of the
intended host rather than to every port.
Use a sniffer detector that checks whether a NIC is in promiscuous mode or not.
For wireless networks, reduce the range of the network so that it covers only the
necessary area.
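The "sniffer detector" countermeasure can be done locally on a Linux host without any special tool, because the kernel exposes each interface's flag word in sysfs. The following is an added example, not code from the original page or from PromqryUI or PromiScan; it assumes a Linux host with /sys/class/net mounted and tests the IFF_PROMISC bit (0x100, as defined in <linux/if.h>). The sample flag values in the block are constructed, not read from a real machine.

```python
"""Check Linux network interfaces for promiscuous mode via sysfs.

Added example, not code from the original page or from any named detection tool.
It reads /sys/class/net/<iface>/flags (a hex bitmask written by the kernel)
and tests the IFF_PROMISC bit.
"""
import os

IFF_UP = 0x1          # interface is administratively up
IFF_PROMISC = 0x100   # interface receives all frames, not only its own


def parse_flags(text):
    """Parse the sysfs 'flags' file content, e.g. '0x1103\\n', into an int."""
    return int(text.strip(), 16)


def is_promisc(flags):
    return bool(flags & IFF_PROMISC)


def classify_flags(flags_by_iface):
    """Map {iface: flags text} to {iface: {'up': bool, 'promisc': bool}}."""
    result = {}
    for iface, text in flags_by_iface.items():
        flags = parse_flags(text)
        result[iface] = {"up": bool(flags & IFF_UP), "promisc": is_promisc(flags)}
    return result


def read_sysfs_flags(sys_root="/sys/class/net"):
    """Collect the flags file of every interface under sys_root (Linux only)."""
    found = {}
    if not os.path.isdir(sys_root):
        return found
    for iface in sorted(os.listdir(sys_root)):
        path = os.path.join(sys_root, iface, "flags")
        try:
            with open(path) as fh:
                found[iface] = fh.read()
        except OSError:
            continue  # virtual entries without a flags file, or no permission
    return found


def promiscuous_interfaces(sys_root="/sys/class/net"):
    """Names of interfaces currently in promiscuous mode on this host."""
    state = classify_flags(read_sysfs_flags(sys_root))
    return [name for name, s in state.items() if s["promisc"]]


if __name__ == "__main__":
    # Constructed sample, not read from a live system: 'eth0' shows the usual
    # 0x1003 (UP|BROADCAST|MULTICAST) with the 0x100 PROMISC bit added.
    sample = {"lo": "0x9\n", "eth0": "0x1103\n", "eth1": "0x1003\n"}
    for name, s in classify_flags(sample).items():
        print(f"{name}: up={s['up']} promisc={s['promisc']}")
    live = promiscuous_interfaces()
    print("promiscuous on this host:", live or "none")
```

The same bit is what `ip link show` prints as PROMISC, and the kernel also logs "device <iface> entered promiscuous mode" when it is set, which is a useful line to forward to a log collector. Treat a hit as a lead rather than proof: bridge member ports and some monitoring agents legitimately run promiscuous, so the finding has to be matched against what the host is supposed to be doing.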
MAC flooding
MAC flooding is a technique employed to compromise the security of network switches.
Chapter Summary
In this chapter, we learned about sniffers, types of sniffers, ARP spoofing, MAC duplicating, and
Ethereal capture and display filters. We also discussed MAC flooding, DNS spoofing
techniques, and DNS spoofing countermeasures. This chapter focused on various sniffing tools
and sniffing detection and defensive techniques.
Glossary
ARP watch
ARP watch can be used to monitor the ARP cache of a machine to see if there is duplication for a
system.
DNS poisoning
DNS poisoning tricks a DNS server into believing that it has received authentic information, but
in reality it has not.
DNS spoofing
DNS spoofing is a MITM attack that is used to supply false DNS information to the users when
they attempt to browse.
Dsniff
Dsniff is a set of tools that are used for sniffing passwords, e-mail, and HTTP traffic.
Ethereal
Ethereal is a network protocol analyzer that is used in the UNIX and Windows operating
systems.
Macof
Macof is a tool of the dsniff tool set and it is used to flood the local network with random MAC
addresses.
Sniffer
A sniffer is a software tool that is used to capture any network traffic. The sniffer puts the NIC
of the LAN card into promiscuous mode, after which the NIC records the incoming and outgoing
data traffic on the network.
VLAN hopping
VLAN hopping (Virtual LAN Hopping) is a computer security exploit, which is a method of
attacking a network by passing traffic to a port that is generally not accessible.
Wireshark
Wireshark is a free packet sniffer computer application. It is used for network troubleshooting,
analysis, software and communications protocol development, and education.