Sniffing is the process of capturing traffic as it crosses the network. It is comparable to eavesdropping or wiretapping and can be active or passive. It allows the PenTester to examine network traffic to better understand the characteristics and structure of the traffic flow. Sniffing traffic will passively identify network information such as the following:

  • Hosts

  • Services

  • Protocols

  • Subnets

  • IP addresses

  • MAC addresses

If traffic is flowing across the network in cleartext, sensitive data such as credentials, files, images, messages, and data meant for other users and machines can be captured as well.

To effectively sniff a network, the PenTester must select an appropriate location from which to intercept the traffic. A network sniffer can only capture packets on the network segment it is attached to, not on remote networks, unless that traffic is deliberately copied to the sniffer's port (for example with a switch mirror/SPAN port or a network TAP). Typically, the PenTester will connect their laptop to an unused network port and then use a packet sniffing program like Wireshark to begin capturing packets.

To capture packets that are not addressed to the sniffing host, the network adapter must be in promiscuous mode. Normally, an interface only accepts frames directed to its own MAC address, plus broadcast frames and the multicast groups it has joined; everything else is discarded by the NIC. Turning on promiscuous mode disables that filter so the interface passes every frame it receives up to the capture program, even if it is addressed to someone else. Note that promiscuous mode only affects frames that actually reach the interface: it does not make a switch forward other ports' unicast traffic to the sniffer.
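The following is an added example, not code from the original text. It builds a small constructed "capture" of Ethernet/IPv4 frames and then parses it the way a sniffer would, pulling out the items listed above (MAC addresses, IP addresses, subnets, protocols, services) and harvesting cleartext FTP credentials from the payloads. It also models the NIC's normal receive filter versus promiscuous mode: with the filter on, only frames to the sniffer's own MAC (`OUR_MAC`, an assumed value) or to broadcast/multicast are inspected. The sample frames, the MAC/IP values, the `/24` subnet assumption and the tiny port-to-service table are all assumptions made for the example.

```python
import struct

# Assumption for the example: the MAC address of our own capture interface.
OUR_MAC = "00:11:22:33:44:55"
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Assumption: services are labelled purely by well-known port number.
SERVICE_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 53: "dns", 80: "http", 443: "https"}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Construct an Ethernet + IPv4 + (TCP or UDP) frame for the sample capture (checksums left zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    if proto == 6:   # 20-byte TCP header: ports, seq, ack, data offset 5, flags PSH|ACK, window
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:            # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + l4


def parse_frame(frame):
    """Decode Ethernet, IPv4 and TCP/UDP headers into a dict; non-IPv4 frames yield MACs only."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    rec = {"dst_mac": mac_str(dst), "src_mac": mac_str(src)}
    if ethertype != ETHERTYPE_IPV4:
        return rec
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    proto = frame[23]
    rec["src_ip"], rec["dst_ip"] = ip_str(frame[26:30]), ip_str(frame[30:34])
    rec["proto"] = PROTO_NAMES.get(proto, str(proto))
    l4 = frame[14 + ihl:]
    if proto in (6, 17):
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        hdr_len = (l4[12] >> 4) * 4 if proto == 6 else 8
        rec["payload"] = l4[hdr_len:]
    return rec


def nic_accepts(frame, promiscuous):
    """Model the NIC receive filter: normally only our unicast MAC, broadcast, or group (multicast) addresses."""
    if promiscuous:
        return True
    dst = mac_str(frame[:6])
    return dst == OUR_MAC or dst == BROADCAST or (frame[0] & 1) == 1


def summarize(frames, promiscuous):
    """Return (inventory of hosts/protocols/services/subnets, list of cleartext FTP credential lines)."""
    seen = {"macs": set(), "ips": set(), "protocols": set(), "services": set(), "subnets": set()}
    creds = []
    for f in frames:
        if not nic_accepts(f, promiscuous):
            continue
        r = parse_frame(f)
        seen["macs"].update([r["src_mac"], r["dst_mac"]])
        if "src_ip" not in r:
            continue
        seen["ips"].update([r["src_ip"], r["dst_ip"]])
        seen["protocols"].add(r["proto"])
        for ip in (r["src_ip"], r["dst_ip"]):
            seen["subnets"].add(".".join(ip.split(".")[:3]) + ".0/24")   # assumption: /24 networks
        for port in (r.get("sport"), r.get("dport")):
            if port in SERVICE_PORTS:
                seen["services"].add(SERVICE_PORTS[port])
        # Cleartext protocols leak credentials: FTP sends USER/PASS lines unencrypted.
        for line in r.get("payload", b"").decode("ascii", "replace").splitlines():
            if line.startswith(("USER ", "PASS ")):
                creds.append((r["src_ip"], r["dst_ip"], line.strip()))
    return seen, creds


# Constructed sample capture (all addresses are made up for the example).
ARP_BROADCAST = (bytes.fromhex("ffffffffffff") + bytes.fromhex("aabbcc000001")
                 + struct.pack("!H", 0x0806) + bytes(28))
SAMPLE_CAPTURE = [
    build_frame("aa:bb:cc:00:00:01", OUR_MAC, "10.0.1.10", "10.0.1.20", 6, 51000, 22),   # SSH to us
    ARP_BROADCAST,                                                                     # broadcast
    build_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03", "10.0.2.5", "10.0.1.50", 6, 40000, 21, b"USER alice\r\n"),
    build_frame("aa:bb:cc:00:00:03", "aa:bb:cc:00:00:02", "10.0.1.50", "10.0.2.5", 6, 21, 40000, b"331 Password required\r\n"),
    build_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03", "10.0.2.5", "10.0.1.50", 6, 40000, 21, b"PASS hunter2\r\n"),
    build_frame("aa:bb:cc:00:00:04", "aa:bb:cc:00:00:05", "10.0.3.7", "10.0.1.53", 17, 33333, 53),
]

if __name__ == "__main__":
    for mode in (False, True):
        inventory, credentials = summarize(SAMPLE_CAPTURE, promiscuous=mode)
        print("promiscuous" if mode else "normal filter", inventory, credentials)
```

With the normal filter only the SSH frame and the broadcast are inspected, so the inventory shows one subnet and no credentials; in promiscuous mode the same capture yields three subnets, three services and the FTP login of `alice`. On a real switched network the second result still depends on those other hosts' frames reaching the sniffer's port at all, which is the subject of the next paragraphs.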

Network sniffing can be either passive or active. Passive sniffing occurs without sending any packets into the network; the sniffer only listens. Active sniffing requires packets to be injected into the network to make traffic reach the sniffer that otherwise would not, and it is therefore detectable. Techniques such as MAC flooding, which overwhelms a switch's address table so that it floods frames to every port, are examples of active sniffing.

Since most networks today rely on switches, passive sniffing of other hosts' traffic is largely ineffective: a switch forwards a unicast frame only to the port where it learned the destination MAC address, so a passive sniffer sees little more than its own traffic plus broadcast and multicast frames unless a mirror port or TAP is available. Many of the security features built in to today's switches will prevent active sniffing as well. For example, if port security is enabled with sticky MAC addresses, which means that the port is locked to the MAC address(es) it learned, a MAC flooding attack will not work: the bogus source addresses are treated as a violation and the port is typically shut down rather than learned.
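The following is an added example, not code from the original text: a toy learning switch that shows why MAC flooding turns a switch into a hub and why a port locked to a single MAC address defeats it. The CAM table is a bounded dictionary with oldest-entry eviction (an assumption; real switches age entries and reject new learns in various ways), and the port-security model (one allowed MAC on the attacker's port, violation shuts the port) approximates sticky port behaviour. Port numbers, MAC addresses and table capacity are made-up values for the example.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy learning switch with a bounded CAM table (mac -> port).

    port_security maps a port number to the maximum number of MAC addresses it may learn;
    exceeding it is a violation that err-disables the port (assumption modelled on sticky ports).
    """

    def __init__(self, ports, cam_capacity, port_security=None):
        self.ports = set(ports)
        self.cam = OrderedDict()
        self.cam_capacity = cam_capacity
        self.port_security = port_security or {}
        self.allowed_on = {p: set() for p in ports}   # sticky addresses per secured port
        self.err_disabled = set()

    def _learn(self, port, mac):
        limit = self.port_security.get(port)
        if limit is not None:
            if mac not in self.allowed_on[port] and len(self.allowed_on[port]) >= limit:
                self.err_disabled.add(port)             # violation: port is shut down
                return False
            self.allowed_on[port].add(mac)
        if mac not in self.cam and len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)                # table full: oldest entry is pushed out
        self.cam[mac] = port
        self.cam.move_to_end(mac)
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Deliver one frame; return the set of egress ports it is sent to."""
        if in_port in self.err_disabled or not self._learn(in_port, src_mac):
            return set()
        out = self.cam.get(dst_mac)
        if out is None:                                 # unknown unicast or broadcast: flood
            return self.ports - {in_port}
        return set() if out == in_port else {out}


def mac_flood(switch, attacker_port, count):
    """Active sniffing step: inject frames with bogus source MACs to fill the CAM table."""
    for i in range(count):
        fake = f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        switch.forward(attacker_port, fake, BROADCAST)


def demo(with_port_security):
    """Alice (port 1) talks to Bob (port 2); the attacker sniffs on port 3.

    Returns (egress ports before the flood, egress ports after the flood, attacker port disabled?).
    """
    alice, bob = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"
    security = {3: 1} if with_port_security else None
    sw = Switch(ports=[1, 2, 3], cam_capacity=1000, port_security=security)
    sw.forward(1, alice, bob)            # Bob not yet learned: this first frame floods
    sw.forward(2, bob, alice)            # now both addresses are in the CAM table
    before = sw.forward(1, alice, bob)   # delivered only to port 2
    mac_flood(sw, attacker_port=3, count=5000)
    after = sw.forward(1, alice, bob)
    return before, after, 3 in sw.err_disabled


if __name__ == "__main__":
    print("plain switch     :", demo(with_port_security=False))
    print("sticky port on 3 :", demo(with_port_security=True))
```

On the plain switch, Bob's entry is evicted by the flood, so Alice's next frame is flooded to ports 2 and 3 and the attacker sees it. With the sticky port, the second bogus address already violates the one-MAC limit, port 3 is disabled, the CAM table stays intact and Alice's frame still goes only to port 2.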
