Sniffing Attacks – Packet Capture Techniques Used by Attackers
September 5, 2022
Sniffing attacks are data thefts caused by capturing network traffic with packet sniffers, which can illegally access and read unencrypted data. Unencrypted email messages, login credentials, and financial information are common targets for these attacks. Sniffing attack tools and packet sniffers are used by attackers to inject malicious code into otherwise innocuous data packets in order to hijack a target’s computer or other devices.
An attacker can capture packets passing through a network in a variety of ways. Setting up a packet sniffer on a computer connected to the network in question is a popular method. This computer acts as a proxy between the targeted devices and the rest of the world, allowing the attacker to intercept all traffic.
Types of Sniffing Attacks
There are two primary sniffing attack types: passive and active. Passive Sniffing: In a passive sniffing attack, the hacker observes network traffic without interfering in any way. This type of attack can be helpful for gathering information about network targets and the types of data (e.g., login credentials, email messages) they send. It is also less likely to raise suspicion than other attacks because it does not involve any interference with the target systems. Active Sniffing: Active sniffing is a type of attack in which crafted packets are sent to one or more targets on a network in order to extract sensitive data. Attackers can frequently circumvent security measures that would otherwise prevent data from being intercepted by using specially crafted packets. Active sniffing may also entail injecting malicious code into target systems, allowing attackers to take control of them or steal sensitive data.Packet Capturing Tools & Techniques
Tshark: Tshark is a command-line packet capture tool or program available on both Windows and Linux. Tshark has the capability to capture bytes over a computer network and display the capture on-screen or save it in a file. By default, Tshark is available on Linux operating systems only. On Windows, During the installation of Wireshark, this tool is also installed. Following is the command to capture traffic from a specific interface, sudo tshark -i wlan0 Tcpdump: Tcpdump is a most powerful and widely used command-line packets sniffer or package analyzer tool which is used to capture or filter TCP/IP packets that are received or transferred over a network on a specific interface. when the tcpdump command is executed it will capture from all the interfaces, however with -i switch only capture from the desired interface. tcpdump -i wlan0 Sniffpass: SniffPass is small password monitoring software that listens to your network, captures the passwords that pass through your network adapter, and displays them on the screen instantly. SniffPass can capture the passwords of the following Protocols: POP3, IMAP4, SMTP, FTP, and HTTP (basic authentication passwords). In the past, APT33 has used SniffPass to collect credentials by sniffing network traffic. Impacket: Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Impacket can be used to sniff network traffic via an interface or raw socket. NBTScan: NBTscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human-readable form. For each responded host it lists the IP address, NetBIOS computer name, logged-in user name, and MAC address (such as Ethernet). It has been used by state groups to conduct internal reconnaissance within a compromised network. Also, it has the capability to dump and print whole packet content. In the past, many groups like Mustang Panda, Turla, APT39 have used this tool for attacks. Intercepter-ng: Intercepter-ng is a next-generation sniffer including a lot of features: capturing passwords/hashes, sniffing chat messages, performing man-in-the-middle attacks, etc. Intercepter-ng got a new console version that has the capability to intercept and analyze unencrypted communications over WiFi networks. In the past, Sandworm Team has used intercepter-NG to sniff passwords in network traffic. Python Scapy: Scapy is a Python program that enables the user to send, sniff and dissect and forge network packets. This capability allows construction of tools that can probe, scan or attack networks.In other words, Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. Scapy can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discoveryConsequences of a Sniffing Attack
A successful sniffing attack can have several severe consequences for the targets. These can include:- Loss of sensitive data, such as login credentials, financial information, and email messages Injection of malicious code into target systems, allowing attackers to control devices or access sensitive information
- Interruption of network traffic, can cause communication problems and slow down network performance
- Exposure of confidential information, such as trade secrets and proprietary data
- Damage to the reputation of the organization whose network has been compromised
Prevention
There are many ways to protect your network against sniffing attacks. Some key measures include:- Using packet encryption to protect sensitive data from being intercepted
- Never send sensitive information over an unencrypted connection
- Ensuring that all computers on a network are adequately protected with antivirus and firewall software
- Make sure the wireless network is secured using WPA or WEP encryption
- Regularly updating all software and devices with the latest security patches
- Staying aware of what type of traffic passes through the network and taking steps to protect sensitive information
- Using a VPN when connecting to public Wi-Fi networks
- Continuously monitoring the network for unusual activity
Detection
- Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network
- Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network