Wireshark Tutorial: Network & Passwords Sniffer

Computers communicate using networks. These networks could be a local area network (LAN) or exposed to the internet. Network sniffers are programs that capture low-level packet data transmitted over a network. An attacker can analyze this data to discover valuable information such as user IDs and passwords.

In this article, we will introduce you to common network sniffing techniques and the tools used to sniff networks. We will also look at countermeasures that you can put in place to protect sensitive information being transmitted over a network.

What is network sniffing?

On a local network, a computer that needs to reach another host broadcasts a message carrying that host's IP address. The computer with the matching IP address responds with its MAC address.

Network sniffing is the process of intercepting data packets sent over a network. This can be done with a specialized software program or with hardware equipment. Sniffing can be used to:

  • Capture sensitive data such as login credentials
  • Eavesdrop on chat messages
  • Capture files being transmitted over a network

The following protocols are vulnerable to sniffing:

  • Telnet
  • Rlogin
  • HTTP
  • SMTP
  • NNTP
  • POP
  • FTP
  • IMAP

The above protocols are vulnerable if login details are sent in plain text.

Passive and Active Sniffing

Before we look at passive and active sniffing, let's look at the two major devices used to network computers: hubs and switches.

A hub works by sending broadcast messages to all output ports on it except the one that has sent the broadcast. The recipient computer responds to the broadcast message if the IP address matches. This means when using a hub, all the computers on a network can see the broadcast message. It operates at the physical layer (layer 1) of the OSI Model.

The diagram below illustrates how the hub works.


A switch works differently: it maps IP/MAC addresses to its physical ports. A message is sent only to the physical port that matches the IP/MAC address of the recipient computer, so it is seen only by the recipient computer. Switches operate at the data link layer (layer 2) and network layer (layer 3).

The diagram below illustrates how the switch works.


Passive sniffing is intercepting packets transmitted over a network that uses a hub. It is called passive sniffing because the sniffer only listens and injects no traffic of its own, which makes it difficult to detect. It is also easy to perform, as the hub repeats every message to all the computers on the network.

Active sniffing is intercepting packets transmitted over a network that uses a switch. There are two main methods used to sniff switched networks: ARP poisoning and MAC flooding.

Hacking Activity: Sniff network traffic

In this practical scenario, we are going to use Wireshark to sniff data packets as they are transmitted over the HTTP protocol. We will start a capture in Wireshark, then log in to a web application that does not use secure communication. We will log in to the web application at http://www.techpanda.org/

The login email is admin@google.com, and the password is Password2010.

Note: we will log in to the web app for demonstration purposes only. The technique can also sniff data packets from other computers that are on the same network as the one you are sniffing from. The capture is not limited to techpanda.org; it includes the data packets of all HTTP and other protocols.

Sniffing the network using Wireshark

The illustration below shows the steps you will carry out to complete this exercise without confusion.


Download Wireshark from this link http://www.wireshark.org/download.html

  • Open Wireshark
  • You will get the following screen
  • Select the network interface you want to sniff. Note: for this demonstration, we are using a wireless network connection. If you are on a local area network, then you should select the local area network interface.
  • Click on the start button as shown above
  • The login email is admin@google.com and the password is Password2010
  • Click on the submit button
  • A successful logon should give you the following dashboard
  • Go back to Wireshark and stop the live capture
  • Filter for HTTP protocol results only using the filter textbox
  • Locate the Info column, look for entries with the HTTP verb POST, and click on one
  • Just below the log entries, there is a panel with a summary of the captured data. Look for the summary that says Line-based text data: application/x-www-form-urlencoded
  • You should be able to view the plaintext values of all the POST variables submitted to the server via the HTTP protocol.
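The plaintext form fields that Wireshark shows in the last step can also be checked programmatically, which is useful when auditing your own network for applications that still submit logins over plain HTTP. The following is an added example and not code from the original tutorial: it parses a constructed HTTP POST request (imitating the demo login above, not a real capture) and reports credential-like form fields that travel in cleartext. The field-name list, the sample request and the function names are assumptions. In Wireshark itself the equivalent display filter is http.request.method == "POST".

```python
"""Audit helper: find credential fields submitted in cleartext over HTTP.

Added example, not part of the original tutorial. It reads one raw HTTP
request as captured from a TCP stream and reports the urlencoded form
fields that look like credentials, i.e. what Wireshark displays under
"Line-based text data: application/x-www-form-urlencoded".
"""
from urllib.parse import parse_qsl

# Field names that commonly carry credentials (assumed list for this demo).
CREDENTIAL_FIELDS = {"email", "username", "user", "login", "password", "passwd", "pass"}

# Constructed sample request, not a real capture. The trailing bytes imitate a
# second pipelined request on the same connection; Content-Length keeps them
# out of the form body.
SAMPLE_REQUEST = (
    b"POST /index.php HTTP/1.1\r\n"
    b"Host: www.techpanda.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 60\r\n"
    b"\r\n"
    b"email=admin%40google.com&password=Password2010&submit=Submit"
    b"GET /dashboard HTTP/1.1\r\n"
)


def parse_http_request(raw: bytes):
    """Split a raw request into (method, path, headers, body)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so that bytes of a following request are not read as body.
    length = int(headers.get("content-length", len(rest)))
    return method, path, headers, rest[:length]


def find_cleartext_credentials(raw: bytes) -> dict:
    """Return {field: value} for credential-like fields in a urlencoded form POST.

    Returns an empty dict for non-POST requests and for bodies that are not
    application/x-www-form-urlencoded (over HTTPS a sniffer would only see
    ciphertext, so there is nothing to parse in the first place).
    """
    method, _path, headers, body = parse_http_request(raw)
    if method != "POST":
        return {}
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
    return {name: value for name, value in fields if name.lower() in CREDENTIAL_FIELDS}


if __name__ == "__main__":
    for name, value in find_cleartext_credentials(SAMPLE_REQUEST).items():
        print(f"cleartext credential field: {name} = {value}")
```

Running the script on the constructed request reports the email and password fields but not the submit button, and the same parser returns nothing for a plain GET, so it can be run over every request reassembled from a capture to list the applications that need to move to HTTPS.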

What is a MAC Flooding?

MAC flooding is a network sniffing technique that floods the switch's MAC table with fake MAC addresses. This overloads the switch's memory and makes it act as a hub. Once the switch has been compromised, it sends messages to all computers on the network, which makes it possible to sniff data packets as they are sent over the network.

Counter Measures against MAC flooding

  • Some switches have the port security feature. This feature can be used to limit the number of MAC addresses on the ports. It can also be used to maintain a secure MAC address table in addition to the one provided by the switch.
  • Authentication, Authorization and Accounting servers can be used to filter discovered MAC addresses.
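To make the switch behaviour described above concrete (learning MAC-to-port mappings, flooding unknown destinations, falling back to hub-like flooding once the table is full, and the port-security limit that stops it), here is an added simulation that is not code from the original article. The switch model, its table capacity of 8 entries, the oldest-first eviction and the shutdown-on-violation policy are assumptions chosen for illustration; real switches differ by vendor in table size and in the violation actions they offer.

```python
"""Simulation of a learning switch, MAC flooding and the port-security counter-measure.

Added example, not from the original article. The model is deliberately
small: cam_capacity entries, oldest entry evicted when full, and port
security (when enabled) applied with the same MAC limit on every port.
"""
from collections import OrderedDict


class Switch:
    def __init__(self, ports, cam_capacity=8, port_security_max=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity            # entries the MAC table can hold (assumed)
        self.cam = OrderedDict()                    # mac -> port; insertion order doubles as age
        self.port_security_max = port_security_max  # max MACs learned per port, None = disabled
        self.secured_macs = {p: set() for p in self.ports}
        self.shutdown = set()                       # ports disabled after a violation
        self.flooded = 0                            # frames sent out all ports (hub-like)

    def _learn(self, src_mac, in_port):
        """Record src_mac on in_port; return False if port security rejects the frame."""
        if self.port_security_max is not None:
            seen = self.secured_macs[in_port]
            if src_mac not in seen and len(seen) >= self.port_security_max:
                self.shutdown.add(in_port)          # violation: shut the port, learn nothing
                return False
            seen.add(src_mac)
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)           # refresh an existing entry
        elif len(self.cam) >= self.cam_capacity:
            # Table full: every new fake address evicts an older, legitimate entry.
            self.cam.popitem(last=False)
        self.cam[src_mac] = in_port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of ports the frame is sent out of."""
        if in_port in self.shutdown or not self._learn(src_mac, in_port):
            return set()
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}              # known destination: one port only
        # Unknown destination: send to every port except the ingress one. This is
        # normal for a switch, but once the table has been flooded it happens for
        # legitimate traffic too, which is what lets an attacker's port see it.
        self.flooded += 1
        return set(self.ports) - {in_port}


def run_scenario(port_security_max=None):
    """Victims A (port 1) and B (port 2) talk; an attacker on port 3 floods fake MACs.

    Returns (frames from A to B that reached the attacker's port, attacker port shut down).
    """
    sw = Switch(ports=[1, 2, 3], cam_capacity=8, port_security_max=port_security_max)
    victim_a, victim_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"   # constructed addresses
    sw.forward(victim_a, victim_b, 1)   # the switch learns A on port 1 ...
    sw.forward(victim_b, victim_a, 2)   # ... and B on port 2
    leaked = 0
    for i in range(50):
        fake = "de:ad:be:ef:00:%02x" % i                 # a new forged source MAC each time
        sw.forward(fake, "ff:ff:ff:ff:ff:ff", 3)
        if 3 in sw.forward(victim_a, victim_b, 1):       # did A's traffic to B reach port 3?
            leaked += 1
    return leaked, 3 in sw.shutdown


if __name__ == "__main__":
    print("no port security:", run_scenario())
    print("port security, max 1 MAC per port:", run_scenario(port_security_max=1))
```

Without port security, B's entry is evicted after a handful of forged addresses and from then on every frame from A to B is flooded to the attacker's port as well; with a one-MAC-per-port limit the second forged address disables the attacker's port and nothing leaks.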

Sniffing Counter Measures

  • Restricting access to the network's physical media greatly reduces the chance of a network sniffer being installed
  • Encrypting messages as they are transmitted over the network greatly reduces their value to a sniffer, as the captured data is difficult to decrypt.
  • Changing the network to a Secure Shell (SSH) network also reduces the chance of the network being sniffed.

Summary

  • Network sniffing is intercepting packets as they are transmitted over the network
  • Passive sniffing is done on a network that uses a hub. It is difficult to detect.
  • Active sniffing is done on a network that uses a switch. It is easy to detect.
  • MAC flooding works by flooding the MAC address table with fake MAC addresses. This makes the switch operate like a hub
  • Security measures as outlined above can help protect the network against sniffing.

11 Best Wireshark Alternatives in 2020

Wireshark is a widely used network monitoring and WiFi troubleshooting tool. However, a limitation of Wireshark is that it can only gather information from the network; it cannot send that information.

Here is a curated list of the top 11 tools that are capable of replacing Wireshark. The list includes commercial as well as open-source tools, with their popular features and latest download links.

1) Cloud Shark

A web-based platform which allows you to view, analyze, and share packet capture files in a browser. It helps you to solve network problems faster with packet captures.

Features:

  • Drag and drop capture right into your browser, or upload using your API key
  • Cloud Shark can act like a drop-box for the files you generate
  • Allows readers to access advanced analysis from any device without any special software
  • You can instantly link your work to share with co-workers or customers

Download link: https://cloudshark.io/

2) Sysdig

Sysdig is an open source tool to monitor and secure containers, for both Windows and Mac. It comes with a command line interface which allows the user to track system activity in real time.

Features:

  • The tool supports application tracking
  • Helps you to enhance software reliability and bring an ideal resolution
  • Accelerate your transition to containers
  • Allows you to protect and assure your critical applications

Download link: https://sysdig.com/pricing/

3) Mojo Packets

Mojo Packets is yet another Wireshark alternative. It is an ideal tool for cloud-based WiFi analysis and troubleshooting.

Features:

  • Helps you to store and organize your traces in Packets for quick access
  • Allows you to capture packet traces at any remote site
  • Visualization of WiFi connections and visual coding
  • Tag particular parts of a trace with notes and share them for collaborative troubleshooting

Download Link: https://mojopackets.com/

4) Colasoft

Colasoft nChronos is a Network Performance Analysis Solution. It allows IT professionals to collect and save large amounts of packet-level network data. This data allows the user to navigate to specific time periods of the data.

Features:

  • Allows you to monitor your network and application performance in real-time
  • Analyze and troubleshoot all types of abnormalities in your system
  • Save IT cost and enhance the customer experience

Download link: https://www.colasoft.com/download/index.php

5) Debookee

Debookee is a network monitoring tool which allows you to intercept and monitor the traffic of any device in the same subnet. You can capture data from a mobile device, printer, or TV on your Mac, without the need for any proxy.

Features:

  • Allows users to see what is happening on their network
  • Helps you to find out who is using your WIFI bandwidth
  • Scan your LAN or any IP range and helps you to find all the connected devices
  • Displays all Wi-Fi clients within radio range and which AP they are associated with

Download link: https://debookee.com/

6) Omnipeek

Omnipeek is the best tool for network analytics and performance diagnostics. It offers advanced capabilities for security investigations. The tool helps to compare, discover, and reduce your mean time to resolution (MTTR).

Features:

  • You can scan packets for signs of trouble or detect changes in transfer speeds
  • The traffic analyzing feature can report on end-to-end performance for connections
  • Added support for 3rd party authentication

Download link: https://www.savvius.com/product/omnipeek/

7) Ettercap

Ettercap is a comprehensive network monitor tool. It also supports both active and passive dissection of different protocols. It also includes features for network and host analysis.

Features:

  • SSH3 and SSL support
  • Packet filtering/dropping
  • Remote traffic sniffing with the help of tunnels and route mangling
  • Passive OS fingerprinting
  • Allows you to kill the connection

Download link: http://www.ettercap-project.org/downloads.html

8) SmartSniff

SmartSniff is a network monitoring alternative to Wireshark. It allows you to capture data in a conversation-like sequence between servers and clients.

Features:

  • Helps you to capture TCP/IP packets on the network without installing a capture driver
  • Can use the capture driver of Microsoft Network Monitor
  • Smartsniff helps you to capture data from other unsecured wireless networks

Download link: http://www.nirsoft.net/utils/smsniff.html

9) EtherApe

EtherApe is a graphical network monitoring solution. It supports Ethernet, FDDI, ISDN, SLIP, PPP, and WLAN devices. EtherApe allows you to select the level of the protocol stack to concentrate on.

Features:

  • You can refine the captured traffic with a network filter written in pcap syntax
  • Display averaging and node persistence times are fully configurable
  • A protocol summary dialog shows global traffic statistics by protocol

Download link: https://etherape.sourceforge.io/

10) SolarWinds

SolarWinds offers advanced network monitoring for on-premises, hybrid, and cloud services. The tool helps you to reduce network outages and improve the performance of your network.

Features:

  • Multi-vendor network monitoring
  • Network Insights for deeper visibility
  • NetPath and PerfStack for easy troubleshooting
  • Smarter scalability for large environments

Download link: https://www.solarwinds.com/network-management-software

11) PRTG monitor

PRTG monitors all systems, devices, traffic, and applications of your IT infrastructure. The tool can also monitor several networks from various locations.

Features:

  • Full featured web interface which is based on AJAX with high-security standards
  • SSL-secured local and remote access which can be used simultaneously
  • Visualize your network with the help of real time maps with real time status information
  • Allows you to monitor several networks in different locations
  • Helps you to run reports on demand or schedule regular reports

Download link: https://www.paessler.com/

What is a DDoS (denial of service) attack?

In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.

A DoS or DDoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, thus disrupting trade.

Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways. Motives such as revenge and blackmail can drive these attacks.

Attack techniques

Attack tools

In cases such as MyDoom and Slowloris the tools are embedded in malware and launch their attacks without the knowledge of the system owner. Stacheldraht is a classic example of a DDoS tool. It uses a layered structure where the attacker uses a client program to connect to handlers which are compromised systems that issue commands to the zombie agents which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents.

Application-layer attacks

Application-layer attacks employ DoS-causing exploits and can cause server-running software to fill the disk space or consume all available memory or CPU time. Attacks may use specific packet types or connection requests to saturate finite resources by, for example, occupying the maximum number of open connections or filling the victim’s disk space with logs. An attacker with shell-level access to a victim’s computer may slow it until it is unusable or crash it by using a fork bomb. Another kind of application-level DoS attack is XDoS (or XML DoS) which can be controlled by modern web application firewalls (WAFs).

Degradation-of-service attacks

Pulsing zombies are compromised computers that are directed to launch intermittent and short-lived floods against victim websites with the intent of merely slowing them rather than crashing them. This type of attack, referred to as degradation-of-service, can be more difficult to detect and can disrupt and hamper connections to websites for prolonged periods of time, potentially causing more overall disruption than a denial-of-service attack. Exposure of degradation-of-service attacks is complicated further by the difficulty of discerning whether the server is really being attacked or is experiencing higher than normal legitimate traffic loads.

Denial-of-service Level II

The goal of a DoS L2 (possibly DDoS) attack is to trigger a defense mechanism that blocks the network segment from which the attack originated. In the case of a distributed attack or IP header modification (depending on the kind of security behavior), this fully blocks the attacked network from the Internet, but without a system crash.

Distributed DoS attack

A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic. A botnet is a network of zombie computers programmed to receive commands without the owners’ knowledge. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This, after all, will end up completely crashing a website for periods of time.

DDoS extortion

In 2015, DDoS botnets such as DD4BC grew in prominence, taking aim at financial institutions. Cyber-extortionists typically begin with a low-level attack and a warning that a larger attack will be carried out if a ransom is not paid in Bitcoin. Security experts recommend that targeted websites not pay the ransom. The attackers tend to move to an extended extortion scheme once they recognize that the target is ready to pay.

HTTP slow POST DoS attack

First discovered in 2009, the HTTP slow POST attack sends a complete, legitimate HTTP POST header, which includes a 'Content-Length' field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate. Because the header is correct and complete, the target server will attempt to obey the 'Content-Length' field and wait for the entire body of the message to be transmitted, which can take a very long time. The attacker establishes hundreds or even thousands of such connections until all resources for incoming connections on the server (the victim) are used up, making any further (including legitimate) connections impossible until all data has been sent. Notably, unlike many other (D)DoS attacks, which try to subdue the server by overloading its network or CPU, an HTTP slow POST attack targets the logical resources of the victim, which means the victim still has enough network bandwidth and processing power to operate. Combined with the fact that some web servers will, by default, accept requests up to 2GB in size, this attack can be particularly powerful. HTTP slow POST attacks are difficult to differentiate from legitimate connections and are therefore able to bypass some protection systems. OWASP, an open source web application security project, released a tool to test the security of servers against this type of attack.

Challenge Collapsar (CC) attack

A Challenge Collapsar (CC) attack is an attack in which standard HTTP requests are sent frequently to a targeted web server, where the requested Uniform Resource Identifiers (URIs) require complicated, time-consuming algorithms or database operations, in order to exhaust the resources of the targeted web server.

In 2004, a Chinese hacker nicknamed KiKi invented a hacking tool to send these kinds of requests to attack a NSFOCUS firewall named “Collapsar”, and thus the hacking tool was known as “Challenge Collapsar”, or CC for short. Consequently, this type of attack got the name “CC attack”.

Internet Control Message Protocol (ICMP) flood

A smurf attack relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine. The attacker sends large numbers of IP packets with the source address faked to appear to be the address of the victim. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This overloads the victim computer and can even make it unusable during such an attack.

Ping flood is based on sending the victim an overwhelming number of ping packets, usually using the “ping” command from Unix-like hosts (the -t flag on Windows systems is much less capable of overwhelming a target, also the -l (size) flag does not allow sent packet size greater than 65500 in Windows). It is very simple to launch, the primary requirement being access to greater bandwidth than the victim.

Ping of death is based on sending the victim a malformed ping packet, which will lead to a system crash on a vulnerable system.

The BlackNurse attack is an example of an attack taking advantage of the required Destination Port Unreachable ICMP packets.

Nuke

A Nuke is an old denial-of-service attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop.[52]

A specific example of a nuke attack that gained some prominence is the WinNuke, which exploited the vulnerability in the NetBIOS handler in Windows 95. A string of out-of-band data was sent to TCP port 139 of the victim’s machine, causing it to lock up and display a Blue Screen of Death (BSOD).

Peer-to-peer attacks

Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-to-peer-DDoS attacks exploits DC++. With peer-to-peer there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a “puppet master,” instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim’s website instead.

Permanent denial-of-service attacks

Permanent denial-of-service (PDoS), also known loosely as phlashing, is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. Unlike the distributed denial-of-service attack, a PDoS attack exploits security flaws which allow remote administration on the management interfaces of the victim’s hardware, such as routers, printers, or other networking hardware. The attacker uses these vulnerabilities to replace a device’s firmware with a modified, corrupt, or defective firmware image—a process which when done legitimately is known as flashing. This therefore “bricks” the device, rendering it unusable for its original purpose until it can be repaired or replaced.

The PDoS is a pure hardware targeted attack which can be much faster and requires fewer resources than using a botnet or a root/vserver in a DDoS attack. Because of these features, and the potential and high probability of security exploits on Network Enabled Embedded Devices (NEEDs), this technique has come to the attention of numerous hacking communities. BrickerBot, a piece of malware that targeted IoT devices, used PDoS attacks to disable its targets.

PhlashDance is a tool created by Rich Smith (an employee of Hewlett-Packard’s Systems Security Lab) used to detect and demonstrate PDoS vulnerabilities at the 2008 EUSecWest Applied Security Conference in London.

Reflected / spoofed attack

A distributed denial-of-service attack may involve sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target. (This reflected attack form is sometimes called a “DRDOS”.)

ICMP Echo Request attacks (Smurf attack) can be considered one form of reflected attack, as the flooding host(s) send Echo Requests to the broadcast addresses of mis-configured networks, thereby enticing hosts to send Echo Reply packets to the victim. Some early DDoS programs implemented a distributed form of this attack.

Mirai botnet

This attack works by using a worm to infect hundreds of thousands of IoT devices across the internet. The worm propagates through networks and systems, taking control of poorly protected IoT devices such as thermostats, Wi-Fi enabled clocks and washing machines. When a device becomes enslaved, the owner or user usually has no immediate indication. The IoT device itself is not the direct target of the attack; it is used as part of a larger attack. These newly enslaved devices are called slaves or bots. Once the hacker has acquired the desired number of bots, they instruct the bots to try to contact an ISP. In October 2016, a Mirai botnet attacked Dyn, which is the ISP for sites such as Twitter, Netflix, etc. As soon as this occurred, these websites were all unreachable for several hours. This type of attack is not physically damaging, but it will certainly be costly for any large internet company that gets attacked.

R-U-Dead-Yet? (RUDY)

RUDY attack targets web applications by starvation of available sessions on the web server. Much like Slowloris, RUDY keeps sessions at halt using never-ending POST transmissions and sending an arbitrarily large content-length header value.
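Both the HTTP slow POST attack described earlier and RUDY rely on the server waiting indefinitely for a body that the Content-Length header promised. The defence is to stop trusting Content-Length as a reason to wait and instead require the body to keep arriving. The following is an added example, not code from the original article or from any web server: it models a request reader that gives the client a short initial window and then extends the deadline only in proportion to the bytes actually received, the same idea behind Apache's mod_reqtimeout MinRate option. The 10-second window, the 500 bytes-per-second rate, the simulated clock and the constructed requests are all assumptions.

```python
"""Body-delivery deadline enforcement against HTTP slow POST / RUDY.

Added example, not part of the original article. Time is simulated: each
body chunk is (seconds since the header was fully received, bytes in chunk),
so the policy can be exercised without opening sockets.
"""


def parse_content_length(header_bytes: bytes) -> int:
    """Return the declared Content-Length from a raw header block, 0 if absent."""
    for line in header_bytes.split(b"\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


def check_body_delivery(content_length, chunks, initial_timeout=10.0, min_rate=500.0):
    """Decide whether a request body was delivered acceptably.

    Policy (assumed, mod_reqtimeout-style): the client starts with
    initial_timeout seconds of credit, and every byte received extends the
    deadline by 1/min_rate seconds. A chunk arriving after the deadline, or a
    connection that closes early, means the request is dropped.
    Returns (accepted, reason).
    """
    deadline = initial_timeout
    received = 0
    for t, n in chunks:
        if t > deadline:
            return False, (f"dropped at t={t}s: deadline {deadline:.3f}s passed "
                           f"with {received}/{content_length} bytes received")
        received += n
        if received >= content_length:
            return True, f"complete at t={t}s"
        deadline += n / min_rate           # slow senders earn almost no extra time
    return False, f"connection closed with {received}/{content_length} bytes"


def handle_request(header_bytes: bytes, chunks):
    """Combine header parsing and the delivery policy for one request."""
    return check_body_delivery(parse_content_length(header_bytes), chunks)


# Constructed samples (not captured traffic).
LOGIN_HEADER = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 60\r\n\r\n")
LOGIN_CHUNKS = [(0.2, 60)]                       # a normal browser: body follows at once

UPLOAD_HEADER = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 100000\r\n\r\n")
UPLOAD_CHUNKS = [(1.0, 50000), (2.0, 50000)]     # a large but healthy upload

SLOW_POST_HEADER = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                    b"Content-Length: 1000000\r\n\r\n")
SLOW_POST_CHUNKS = [(9.0, 1), (18.0, 1), (27.0, 1)]   # RUDY-style: one byte every few seconds


if __name__ == "__main__":
    for label, header, chunks in [("login", LOGIN_HEADER, LOGIN_CHUNKS),
                                  ("upload", UPLOAD_HEADER, UPLOAD_CHUNKS),
                                  ("slow POST", SLOW_POST_HEADER, SLOW_POST_CHUNKS)]:
        accepted, reason = handle_request(header, chunks)
        print(f"{label:10s} accepted={accepted} ({reason})")
```

The slow sender's first byte squeaks in under the initial window, but it buys only two milliseconds of extra credit, so the second byte at 18 seconds is already past the deadline and the connection is released for legitimate clients; the normal login and the large upload both complete well within their deadlines.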

SACK Panic

Manipulating the maximum segment size and selective acknowledgement (SACK) may be used by a remote peer to cause a denial of service through an integer overflow in the Linux kernel, even causing a kernel panic. Jonathan Looney discovered CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479 on June 17, 2019.

Shrew attack

The shrew attack is a denial-of-service attack on the Transmission Control Protocol where the attacker employs man-in-the-middle techniques. It uses short synchronized bursts of traffic to disrupt TCP connections on the same link, by exploiting a weakness in TCP’s re-transmission timeout mechanism.[73]

Slow Read attack

A slow read attack sends legitimate application layer requests, but reads responses very slowly, thus trying to exhaust the server’s connection pool. It is achieved by advertising a very small number for the TCP Receive Window size, and at the same time emptying clients’ TCP receive buffer slowly, which causes a very low data flow rate.

Sophisticated low-bandwidth Distributed Denial-of-Service Attack

A sophisticated low-bandwidth DDoS attack is a form of DoS that uses less traffic and increases its effectiveness by aiming at a weak point in the victim's system design, i.e., the attacker sends traffic consisting of complicated requests to the system. Essentially, a sophisticated DDoS attack is lower in cost due to its use of less traffic, is smaller in size making it more difficult to identify, and has the ability to hurt systems which are protected by flow control mechanisms.

(S)SYN flood

A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to create a half-open connection by sending back a TCP/SYN-ACK packet (acknowledgement) and waiting for a packet in response from the sender address (the final ACK of the handshake). However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server can make, keeping it from responding to legitimate requests until after the attack ends.
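The half-open state described above is what a server-side sensor should count. The following is an added example, not code from the original article: it replays a constructed list of handshake events (SYN from the client, SYN-ACK from the server, final ACK from the client) and reports how many handshakes are stuck after the SYN-ACK, how many completed, and which sources are responsible. The event format, the sample addresses and the alarm threshold of 50 are assumptions.

```python
"""Half-open connection tracking to spot a SYN flood.

Added example, not part of the original article. Events are
(client_ip, client_port, flags) as seen by a sensor in front of the server,
with flags "S" (client SYN), "SA" (server SYN-ACK) or "A" (client ACK).
"""
from collections import Counter


def track_half_open(events):
    """Return (half_open_count, completed_count, Counter of sources with stalled handshakes)."""
    pending = {}            # (ip, port) -> "syn_received" | "synack_sent"
    completed = 0
    for src_ip, src_port, flags in events:
        key = (src_ip, src_port)
        if flags == "S":
            pending[key] = "syn_received"
        elif flags == "SA":
            if key in pending:
                pending[key] = "synack_sent"     # server now waits for the final ACK
        elif flags == "A":
            if pending.pop(key, None) == "synack_sent":
                completed += 1                  # handshake finished: no longer half-open
    stalled = Counter(ip for (ip, _port), state in pending.items() if state == "synack_sent")
    return sum(stalled.values()), completed, stalled


def syn_flood_suspected(events, max_half_open=50):
    """Alarm on the total number of stalled handshakes rather than on any one source.

    With forged sender addresses every half-open connection comes from a
    different source, so per-source thresholds never fire; the aggregate does.
    """
    half_open, _completed, _sources = track_half_open(events)
    return half_open > max_half_open


def build_sample_events():
    """Constructed sample: three real clients, then 200 SYNs with forged sources."""
    events = []
    for port in (40001, 40002, 40003):
        events += [("192.0.2.10", port, "S"), ("192.0.2.10", port, "SA"), ("192.0.2.10", port, "A")]
    for i in range(200):
        src = f"203.0.113.{i}"                 # forged sources: the ACK never arrives
        events += [(src, 1024 + i, "S"), (src, 1024 + i, "SA")]
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    half_open, completed, sources = track_half_open(sample)
    print(f"half-open: {half_open}, completed: {completed}, distinct stalled sources: {len(sources)}")
    print("SYN flood suspected:", syn_flood_suspected(sample))
```

On the constructed sample the tracker reports 200 half-open connections spread over 200 distinct sources against only 3 completed handshakes, which is the signature to alert on; the first nine events alone (the legitimate clients) leave nothing half-open and raise no alarm.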

Teardrop attacks

A teardrop attack involves sending mangled IP fragments with overlapping, oversized payloads to the target machine. This can crash various operating systems because of a bug in their TCP/IP fragmentation re-assembly code. Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63 are vulnerable to this attack.

(Although in September 2009, a vulnerability in Windows Vista was referred to as a “teardrop attack”, this targeted SMB2 which is a higher layer than the TCP packets that teardrop used).

One of the fields in an IP header is the "fragment offset" field, indicating the starting position, or offset, of the data contained in a fragmented packet relative to the data in the original packet. If the offset plus the size of one fragmented packet extends past the offset of the next fragmented packet, the packets overlap. When this happens, a server vulnerable to teardrop attacks is unable to reassemble the packets correctly, resulting in a denial-of-service condition.
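The overlap condition in the paragraph above can be checked before any fragment data is copied, which is how a hardened reassembler avoids the teardrop failure. The following is an added example, not code from the original article or from any operating system: a trusting reassembler that writes each payload at its claimed offset, beside a checked version that refuses overlaps, gaps and oversized datagrams. Fragments are modelled as (offset in 8-byte units, payload, more-fragments flag) as in an IPv4 header; the sample fragments are constructed.

```python
"""Fragment reassembly that rejects overlapping fragments (teardrop defence).

Added example, not from the original article. naive_reassemble shows the
trusting behaviour; reassemble refuses any fragment set whose offsets do not
line up exactly.
"""
MAX_DATAGRAM = 65535          # largest IPv4 datagram


class FragmentError(ValueError):
    """Raised when a fragment set cannot be reassembled safely."""


def naive_reassemble(fragments):
    """Trusting reassembly for contrast: write each payload at its claimed offset.

    Overlapping fragments silently overwrite earlier data here; the historic
    teardrop bug went further and miscomputed the size of the overlapping
    region, which is what crashed vulnerable systems.
    """
    buf = bytearray()
    for offset_units, payload, _more in fragments:
        start = offset_units * 8
        end = start + len(payload)
        if len(buf) < end:
            buf.extend(b"\x00" * (end - len(buf)))
        buf[start:end] = payload
    return bytes(buf)


def reassemble(fragments):
    """Return the reassembled payload or raise FragmentError on overlap, gap or oversize."""
    ordered = sorted(fragments, key=lambda f: f[0])
    buf = bytearray()
    expected = 0                                  # byte offset the next fragment must start at
    for index, (offset_units, payload, more_fragments) in enumerate(ordered):
        start = offset_units * 8
        end = start + len(payload)
        if end > MAX_DATAGRAM:
            raise FragmentError(f"fragment ends at byte {end}, beyond {MAX_DATAGRAM}")
        if start < expected:                      # the teardrop condition
            raise FragmentError(f"fragment at byte {start} overlaps data ending at {expected}")
        if start > expected:
            raise FragmentError(f"gap between bytes {expected} and {start}")
        if more_fragments and len(payload) % 8:
            raise FragmentError("non-final fragment length must be a multiple of 8")
        last = index == len(ordered) - 1
        if more_fragments and last:
            raise FragmentError("final fragment missing")
        if not more_fragments and not last:
            raise FragmentError("data follows the final fragment")
        buf += payload
        expected = end
    return bytes(buf)


def is_safe(fragments) -> bool:
    """True if the checked reassembler accepts the fragment set."""
    try:
        reassemble(fragments)
        return True
    except FragmentError:
        return False


# Constructed samples. LEGIT arrives out of order but lines up exactly;
# TEARDROP's second fragment claims to start inside the first one.
LEGIT_FRAGMENTS = [(2, b"B" * 16, True), (0, b"A" * 16, True), (4, b"C" * 5, False)]
TEARDROP_FRAGMENTS = [(0, b"A" * 16, True), (1, b"B" * 24, False)]


if __name__ == "__main__":
    print("legit:", reassemble(LEGIT_FRAGMENTS))
    print("naive on teardrop:", naive_reassemble(TEARDROP_FRAGMENTS))
    try:
        reassemble(TEARDROP_FRAGMENTS)
    except FragmentError as err:
        print("checked on teardrop: rejected,", err)
```

The trusting version quietly returns a 32-byte datagram in which the second fragment has overwritten half of the first; the checked version rejects the set at the overlap test, before touching any buffer, and still accepts the out-of-order but consistent legitimate set.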

Telephony denial-of-service (TDoS)

Voice over IP has made abusive origination of large numbers of telephone voice calls inexpensive and readily automated while permitting call origins to be misrepresented through caller ID spoofing.

TTL expiry attack

It takes more router resources to drop a packet with a TTL value of 1 or less than it does to forward a packet with higher TTL value. When a packet is dropped due to TTL expiry, the router CPU must generate and send an ICMP time exceeded response. Generating many of these responses can overload the router’s CPU.

UPnP attack

This attack uses an existing vulnerability in Universal Plug and Play (UPnP) protocol to get around a considerable amount of the present defense methods and flood a target’s network and servers. The attack is based on a DNS amplification technique, but the attack mechanism is a UPnP router which forwards requests from one outer source to another disregarding UPnP behavior rules. Using the UPnP router returns the data on an unexpected UDP port from a bogus IP address, making it harder to take simple action to shut down the traffic flood. According to the Imperva researchers, the most effective way to stop this attack is for companies to lock down UPnP routers.