Topic 4 - Packet Sniffing - Updated

The document discusses packet sniffing and how packet sniffers work by capturing network packets in promiscuous mode. It describes common sniffing tools like Wireshark and how to use them to analyze network traffic and discover credentials. The best defenses against sniffing are encryption of network traffic and use of switched networks.


PACKET SNIFFING

By
Paul Mutinda

Packet Sniffing - Cyber Roam Africa Technologies LTD


Packet Sniffing (Eavesdropping)

• A packet sniffer is a packet-capturing or frame-capturing tool.
• In sniffing, the data is intercepted and read as it passes. A passive sniffer only copies the traffic, so the original packet still reaches its intended recipient; an attacker who has placed himself in the path (for example after ARP spoofing) can additionally forward, alter, or discard it.
• It captures and displays the data as it is being transmitted from host to host on the network.
• Sniffers are used to discover usernames, passwords, and other confidential information transmitted on the network.

Packet Sniffing (Eavesdropping)
• Typically eavesdropping is used for:
a) Information gathering – Network intruders can identify
usernames, passwords, or information carried in the packet such as
credit card numbers or sensitive personal information.
b) Information theft – Network eavesdropping can lead to
information theft.
• The theft can occur as data is transmitted over the internal or
external network.
• The network intruder can also steal data from networked
computers by gaining unauthorized access.
How a Sniffer Works
• Sniffer software works by having the network interface pass up every frame it receives, not only the frames addressed to the sniffer system's own MAC address. The NIC setting that does this is called promiscuous mode.
• Normally, a NIC accepts only frames sent to its own MAC address (plus broadcast and subscribed multicast frames) and silently drops the rest, so a system on the network reads and responds only to traffic sent directly to it.
• Sniffing tools therefore switch the system's NIC into promiscuous mode.
• In promiscuous mode, the NIC reads all traffic on the segment and hands it to the sniffer for processing.
• On Linux, promiscuous mode is a standard interface flag rather than a separate driver: it can be set by hand (ip link set dev eth0 promisc on) and libpcap sets it automatically when tcpdump or Wireshark starts a capture. On Windows, the Npcap capture driver (formerly WinPcap) installed alongside Wireshark provides the same function. Either way, root or administrator privilege is required.
• Promiscuous mode only exposes frames that physically reach the NIC. On a switched network that means the host's own traffic plus broadcasts and flooded frames, which is why active sniffing (below) exists. On Wi-Fi, the equivalent is monitor mode, which captures every frame on the channel rather than only those of the network the adapter has joined.

How a Sniffer Works
• Any protocol that does not encrypt its data is susceptible to sniffing.
• Protocols such as HTTP, Telnet, POP3, Simple Network Management Protocol (SNMP) versions 1 and 2c (whose community strings act as passwords and travel in the clear), and FTP are most commonly captured with a sniffer and examined by a hacker to gather valuable information such as usernames and passwords.
• Their encrypted replacements (HTTPS, SSH instead of Telnet, POP3S or IMAPS, SNMPv3, SFTP or FTPS) carry the same data, but the sniffer sees only ciphertext.
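The two ideas on this slide, the NIC's hardware filter that promiscuous mode switches off and the decoding of a captured frame into the Source/Destination/Protocol/Length/Info view, are easier to see in code. The block below is an added example written for these notes; it is not code from the slides, from Wireshark, or from any sniffing tool. It builds one Ethernet/IPv4/TCP frame by hand (the MAC and IP addresses are made up), decodes it the way a sniffer would, and applies the acceptance rule a NIC uses in normal versus promiscuous mode.

```python
"""Decode a raw Ethernet frame the way a sniffer does, and show which frames a NIC
in normal versus promiscuous mode would pass up to the host.

Added example for these notes, not code from the slides or from Wireshark. The sample
frame below is constructed by hand; the MAC and IP addresses in it are made up.
"""
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def nic_accepts(frame: bytes, own_mac: str, promiscuous: bool) -> bool:
    """Hardware filtering rule: a NIC hands a frame to the host only if it is addressed to
    the NIC's own MAC, to broadcast, or to a multicast group (low bit of the first octet).
    In promiscuous mode the filter is disabled and every frame is passed up."""
    if promiscuous:
        return True
    dst = mac_str(frame[0:6])
    if dst == own_mac.lower() or dst == BROADCAST_MAC:
        return True
    return bool(frame[0] & 0x01)  # multicast; assume the host has subscribed


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet II -> IPv4 -> TCP headers and return the fields a sniffer displays."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    info.update(src_ip=".".join(map(str, ip[12:16])),
                dst_ip=".".join(map(str, ip[16:20])),
                protocol=proto)
    if proto != PROTO_TCP:
        return info
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4                # TCP header length in bytes
    info.update(src_port=sport, dst_port=dport, seq=seq, ack=ack,
                flags=off_flags & 0x1FF, payload=tcp[data_off:])
    return info


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes, seq: int = 1) -> bytes:
    """Build an Ethernet/IPv4/TCP frame for the sample (checksums left zero; a sniffer does not need them)."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    def ipb(s): return bytes(int(o) for o in s.split("."))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0)  # PSH|ACK
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, PROTO_TCP, 0,
                         ipb(src_ip), ipb(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr + payload


# Constructed sample: a plaintext HTTP request from a victim to a web server, observed by a
# third host on the same segment whose NIC is SNIFFER_MAC. All addresses are made up.
VICTIM_MAC, SERVER_MAC, SNIFFER_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"
SAMPLE_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: altoromutual.com\r\n\r\n"
SAMPLE_FRAME = build_tcp_frame(VICTIM_MAC, SERVER_MAC, "192.168.0.10", "65.61.137.117",
                               51234, 80, SAMPLE_PAYLOAD)


def summarize(frame: bytes) -> str:
    """One line in the style of Wireshark's packet list for a TCP frame: source, destination, ports, length, info."""
    f = decode_frame(frame)
    first_line = f["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace")
    return f'{f["src_ip"]} -> {f["dst_ip"]}  TCP {f["src_port"]}->{f["dst_port"]}  len={len(frame)}  {first_line}'


if __name__ == "__main__":
    for promisc in (False, True):
        print(f"promiscuous={promisc}: NIC {SNIFFER_MAC} passes the frame to the host? "
              f"{nic_accepts(SAMPLE_FRAME, SNIFFER_MAC, promisc)}")
    print(summarize(SAMPLE_FRAME))
```

With promiscuous mode off, the third host's NIC drops the frame because its destination MAC is the server's, which is exactly the case the sniffer needs to see; with it on, the same frame is decoded down to the HTTP request line. A real sniffer gets the frame bytes from a raw socket (AF_PACKET on Linux) or libpcap instead of build_tcp_frame, but the decoding is the same.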

Types of sniffing

• Passive sniffing involves only listening and capturing traffic. It works on a network connected by hubs (or any shared medium, including open Wi-Fi), because every frame is repeated to every port.
• Active sniffing involves injecting traffic, typically an Address Resolution Protocol (ARP) spoofing attack or a MAC-flooding attack against a switch, so that traffic the switch would otherwise deliver only to its real destination port is also sent to the attacker.
• As the names indicate, active sniffing is detectable from the network, because the attacker must transmit (spoofed ARP replies, or floods of frames with bogus source MACs). Passive sniffing generates no traffic of its own and so is very hard to detect from the network, although the promiscuous flag can still be seen on the sniffing host itself.
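The detectability claim above suggests two checks a defender can actually run: watch ARP replies for an IP address that changes MAC (the signature of active sniffing) and look at each interface's flags on the host for the promiscuous bit (the local trace of passive sniffing). The block below is an added example written for these notes, not code from the slides or any product. The ARP replies and the interface flag values it checks are constructed; the addresses are made up. The sysfs path and IFF_PROMISC value are those of Linux.

```python
"""Two detection checks for the sniffing types above: active sniffing (ARP spoofing) seen
from the network, and passive sniffing seen on the host through the interface's
promiscuous flag.

Added example for these notes, not code from the slides. The ARP replies and sysfs flag
values below are constructed; the addresses are made up.
"""
import os
from collections import defaultdict

# Linux net_device flag bit reported in /sys/class/net/<iface>/flags (IFF_PROMISC).
IFF_PROMISC = 0x100


def arp_spoof_alerts(arp_replies):
    """Walk ARP replies in capture order and report when a known IP claims a new MAC.
    Each reply is (sender_ip, sender_mac). A legitimate host rarely changes its MAC,
    whereas an ARP spoofer must keep announcing its own MAC for the gateway's IP."""
    seen = {}
    alerts = []
    for ip, mac in arp_replies:
        mac = mac.lower()
        if ip in seen and seen[ip] != mac:
            alerts.append(f"ARP conflict: {ip} was {seen[ip]}, now claimed by {mac}")
        seen.setdefault(ip, mac)  # the first mapping observed is the baseline
    return alerts


def macs_claiming_many_ips(arp_replies, threshold=2):
    """Second signal: one MAC answering for several IP addresses (a spoofer impersonating
    both the gateway and a victim). Returns {mac: [ips]} for MACs at or above threshold."""
    by_mac = defaultdict(set)
    for ip, mac in arp_replies:
        by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= threshold}


def promiscuous_interfaces(flags_by_iface):
    """Given {iface: flags}, where flags is the hex string read from
    /sys/class/net/<iface>/flags, return the interfaces with IFF_PROMISC set."""
    return sorted(name for name, hexflags in flags_by_iface.items()
                  if int(hexflags, 16) & IFF_PROMISC)


def read_sysfs_flags(sysfs_root="/sys/class/net"):
    """Read the real interface flags on a Linux host (returns {} elsewhere)."""
    result = {}
    if not os.path.isdir(sysfs_root):
        return result
    for name in os.listdir(sysfs_root):
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                result[name] = fh.read().strip()
        except OSError:
            continue
    return result


# Constructed ARP replies: 192.168.0.1 is the gateway; 00:11:22:33:44:aa is an attacker
# that starts answering for the gateway and also claims a victim's address.
SAMPLE_ARP_REPLIES = [
    ("192.168.0.1", "00:11:22:33:44:01"),
    ("192.168.0.10", "00:11:22:33:44:10"),
    ("192.168.0.1", "00:11:22:33:44:aa"),
    ("192.168.0.10", "00:11:22:33:44:aa"),
    ("192.168.0.1", "00:11:22:33:44:aa"),
]
# Constructed sysfs values: 0x1003 = UP|BROADCAST|MULTICAST, 0x1103 adds IFF_PROMISC.
SAMPLE_FLAGS = {"lo": "0x9", "eth0": "0x1103", "wlan0": "0x1003"}


if __name__ == "__main__":
    for alert in arp_spoof_alerts(SAMPLE_ARP_REPLIES):
        print(alert)
    print("MACs claiming several IPs:", macs_claiming_many_ips(SAMPLE_ARP_REPLIES))
    print("promiscuous interfaces (sample):", promiscuous_interfaces(SAMPLE_FLAGS))
    print("promiscuous interfaces (this host):", promiscuous_interfaces(read_sysfs_flags()))
```

The ARP checks are the logic behind tools such as arpwatch and the switch feature Dynamic ARP Inspection; a baseline that is itself taken while an attack is in progress will be wrong, so seed it from DHCP leases or a known inventory where possible. The flags check only catches sniffers on hosts you can inspect, which is why the slides call passive sniffing undetectable from the network.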

Packet sniffing -Hacking Tools
• Wireshark - free, open-source sniffer and protocol analyzer that can capture packets from a wired or wireless LAN connection.
• EtherFlood - floods an Ethernet switch with frames carrying random source MAC addresses until its MAC address table overflows, after which the switch floods unknown unicast traffic out of every port like a hub.
• Dsniff - a suite of tools designed for network auditing as well as network penetration; its sniffer component parses many plaintext protocols (FTP, Telnet, HTTP, POP, SNMP and others) and prints the credentials it finds.
• sshmitm and webmitm (from the Dsniff suite) - implement active man-in-the-middle attacks against Secure Shell (SSH, protocol version 1 only) and HTTPS sessions that have first been redirected to the attacker, e.g. by DNS spoofing.
• IP Restrictions Scanner (IRS) - used to find the IP restrictions that have been set for a particular service on a host. IRS can find servers and network devices such as routers and switches and identify access control features like access control lists (ACLs), IP filters, and firewall rules.
Using Wireshark

• Wireshark is the most popular and widely used network protocol analyzer across commercial, governmental, non-profit and educational organizations.
• It is a free, open source tool available natively for Windows, Linux, macOS, BSD, Solaris and other platforms.
• First download and install Wireshark for Windows (the installer also installs the Npcap capture driver), or on Kali Linux use the pre-installed Wireshark found under the Sniffing & Spoofing category.

• Select the interface to capture on (for example eth0, or the wireless adapter), click Start, then monitor the network traffic. Capturing requires root or administrator privilege (on Debian-based systems such as Kali, membership of the wireshark group is enough).



Monitoring Network traffic

• For the traffic captured by Wireshark, note the following columns in the packet list:
• Source – address of the host the traffic originates from (an IP address, or a MAC address for frames with no IP layer such as ARP)
• Destination – address of the host the traffic is sent to
• Protocol – the highest-layer protocol Wireshark could dissect in the packet (e.g. TCP, HTTP, DNS)
• Length – size of the frame in bytes
• Info – a protocol-specific summary of the packet (for an HTTP packet the request line or status, for a bare TCP segment the ports, flags and sequence numbers); the fully decoded packet and its raw bytes are shown in the panes below the list

Analyzing TCP based protocols

• Working with TCP-based protocols is much easier with the Follow TCP Stream feature (right-click a packet and choose Follow > TCP Stream).
• It reassembles all the segments of one connection in sequence order and shows the data from both directions as the application layer sees it, with the client and server sides in different colours.
• This is where you would look for passwords in a Telnet stream, for instance: Telnet sends each keystroke in its own segment, so the password is only readable once the stream is reassembled.

Analyzing TCP based protocols : Example

Follow the stream and discover the username and password values in the reassembled data.


Using Wireshark Filters
• Wireshark display filters narrow the packet list to a specific kind of traffic. They are typed into the filter bar above the packet list (not to be confused with capture filters, which use BPF syntax and decide what is recorded in the first place). E.g.
• ip.src == 172.21.254.206 (packets sent by this host)
• ip.dst == 10.43.54.65 (packets sent to this host)
• ip.addr == 192.168.0.1 (packets to or from this host)
• http.request.method == "POST"
• http.request.method == "GET"
• ip.src == 192.168.0.0/16 and ip.dst == 192.168.0.0/16 (traffic that stays inside the 192.168.0.0/16 range)
• tcp.port == 80 (port 80 as either source or destination)
• tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
• etc.

Using Wireshark Filters : Example
• Identify the URL you want to watch, then use the ping command to resolve it to an IP address, e.g.
  ping altoromutual.com
• Type ip.dst == 65.61.137.117 (the address the name resolved to when these slides were written; resolve it again yourself, as it may have changed) in the filter bar, then press Enter or click Apply.
• ip.dst shows only the packets going to the server; use ip.addr == 65.61.137.117 to see the server's responses as well.

Using Wireshark to Discover
User Credentials
• One popular use of packet sniffers by malicious hackers is to steal usernames and passwords on an unsecured network, i.e. one where the login form is submitted over plain HTTP.
• In Wireshark this is done with the display filter http.request.method == "POST" (or http.request.method == "GET" for forms that put their fields in the URL query string).
• These filters show only HTTP requests of that method, which is where data submitted through forms is carried: in the request body for POST, in the URL for GET.
Type http.request.method == "POST" in the Wireshark filter field, then apply the filter.

Log in to http://altoromutual.com/login.jsp. Note that this domain is deliberately vulnerable to sniffing: the login page is served over plain HTTP, with no SSL/TLS certificate.
- Type the username and password, then log in.
- Go to Wireshark and check the results.

Note the POST packet in the packet list, then double-click it (or right-click it and choose Follow > TCP Stream).

Note the username and password discovered in the URL-encoded form body of the request.
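The two Wireshark steps used above, Follow TCP Stream and the http.request.method == "POST" filter, amount to reassembling one side of a connection and then parsing the form body out of the HTTP request. The block below is an added example written for these notes, not code from the slides or from Wireshark. It reassembles a login request from TCP segments that were captured out of order (with one retransmission), then extracts the form fields that look like credentials, for POST bodies and for GET query strings alike. The segments, the hostname and path, and the credentials in them are constructed for the example; the credential field names it looks for are a general heuristic, not a statement about any particular site.

```python
"""Reconstruct what Wireshark's Follow TCP Stream shows from individual TCP segments, then
pull login form fields out of a plaintext HTTP request, the way an attacker does with the
http.request.method == "POST" filter.

Added example for these notes, not code from the slides or Wireshark. The segments below
are constructed: the request mirrors the kind of login shown in the slides, with made-up
credentials. CREDENTIAL_FIELDS is a heuristic list of common form field names.
"""
from urllib.parse import parse_qs

CREDENTIAL_FIELDS = ("uid", "user", "username", "login", "email",
                     "pass", "passw", "password", "pwd")


def follow_tcp_stream(segments):
    """Reassemble one direction of a TCP stream from (seq, payload) pairs.
    Segments may arrive out of order or duplicated (retransmissions); we order them by
    sequence number and drop bytes already seen, as Follow TCP Stream does."""
    out = bytearray()
    next_seq = None
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if next_seq is None:
            next_seq = seq
        if seq + len(data) <= next_seq:
            continue                          # fully retransmitted data, already have it
        if seq < next_seq:
            data = data[next_seq - seq:]      # partial overlap: keep only the new tail
            seq = next_seq
        if seq > next_seq:
            raise ValueError(f"gap in stream: missing bytes {next_seq}-{seq - 1}")
        out += data
        next_seq = seq + len(data)
    return bytes(out)


def http_requests(stream: bytes):
    """Split a client-to-server stream into (method, target, headers, body) tuples."""
    reqs = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]
        reqs.append((method, target, headers, body))
        pos = end + 4 + length
    return reqs


def credentials_from_stream(stream: bytes):
    """The slides' filter in code: keep POST requests with a form body (and GETs with a query
    string), decode the URL-encoded form, and return any field whose name looks like a
    username or password. Returns a list of (method, host, target, {field: value})."""
    found = []
    for method, target, headers, body in http_requests(stream):
        if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
            form = parse_qs(body.decode("iso-8859-1"))
        elif method == "GET" and "?" in target:
            form = parse_qs(target.split("?", 1)[1])
        else:
            continue
        hit = {k: v[0] for k, v in form.items() if k.lower() in CREDENTIAL_FIELDS}
        if hit:
            found.append((method, headers.get("host", ""), target, hit))
    return found


# Constructed login request (the credentials are made up; %21 decodes to "!").
POST_BYTES = (b"POST /login.jsp HTTP/1.1\r\n"
              b"Host: altoromutual.com\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 33\r\n\r\n"
              b"username=alice&password=S3cret%21")
# The same request as the wire carried it: three segments captured out of order plus a retransmit.
SAMPLE_SEGMENTS = [
    (1001 + 60, POST_BYTES[60:]),
    (1001, POST_BYTES[:40]),
    (1001 + 40, POST_BYTES[40:60]),
    (1001, POST_BYTES[:40]),     # retransmission of the first segment
]


if __name__ == "__main__":
    stream = follow_tcp_stream(SAMPLE_SEGMENTS)
    print(stream.decode("iso-8859-1"))
    for method, host, target, fields in credentials_from_stream(stream):
        print(f"{method} http://{host}{target}: {fields}")
```

Looking at only the packet that carried the form body would have missed a login whose body straddled two segments, which is why the slides go through Follow TCP Stream rather than reading individual packets. The same code run against an HTTPS capture yields nothing, because after the TLS handshake the stream contains only ciphertext.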
Sniffing Countermeasures
1. Encryption
• The best security defense against a sniffer on the network is encryption.
• Encryption does not prevent sniffing, but it renders any data captured during the attack useless, because the hacker sees only ciphertext and cannot interpret it.
• In practice this means replacing each plaintext protocol with its encrypted counterpart: HTTPS instead of HTTP (the login sniffed above would have been unreadable over HTTPS), SSH instead of Telnet, SFTP or FTPS instead of FTP, POP3S/IMAPS instead of POP3/IMAP, SNMPv3 instead of SNMPv1/v2c, and a VPN such as IPsec for traffic that must cross an untrusted segment. These protocols use strong ciphers such as AES internally; RC4 is cryptographically broken and has been prohibited in TLS (RFC 7465) and dropped from modern SSH implementations, and RC5 is not used by any of them, so the choice to make is of protocol, not of cipher.
2. Enforcing a policy
• Implement and enforce a policy directive that forbids the use of protocols with known susceptibility to eavesdropping (Telnet, FTP, plain HTTP for logins, SNMPv1/v2c), and verify compliance with the same sniffer an attacker would use.
3. Using switched networks
• A switch delivers unicast frames only to the port where the destination MAC address was learned, so a passive sniffer on another port no longer sees them. This stops passive sniffing but not active sniffing: ARP spoofing and MAC flooding (described above) defeat it. Pair switches with port security (a limit on MAC addresses per port, which blunts MAC flooding) and with DHCP snooping plus Dynamic ARP Inspection (which drop spoofed ARP replies), and treat encryption as the primary defense.
