In the realm of cyber-security, it’s sometimes the case that what works as a defense or deterrent in preserving the integrity of computer networks may also be turned against them as a weapon. This is certainly true of sniffing.
What is Sniffing?
Sniffing (or packet sniffing) is the process of capturing packets of data as they flow across a computer network. The process involves capturing, inspecting, decoding, and interpreting the information inside a packet on a TCP/IP (Transmission Control Protocol/Internet Protocol) network. It’s analogous to wire tapping on a telephone circuit or network.
Packet sniffing may be accomplished through dedicated hardware, but is more commonly achieved using a software tool or application known as a sniffer. Sniffer software can read, monitor, and capture exchanges of data on a network, and read network data packets. If these packets are unencrypted, a sniffer may provide a full view of the information inside them.
Even tunneled or encapsulated data packets (such as those passing through a protected data stream) may be broken open and read – unless they’re encrypted, and the person using the sniffer doesn’t have an encryption key. Packet sniffing software runs by default in “promiscuous mode” – a setting on which it’s capable of intercepting and capturing all packets on a network.
There’s anecdotal evidence that the generic terms “sniffer” and “sniffing” may have derived from Sniffer (a trademark owned by NetScout), which has been acknowledged as the first packet capturing and decoding software that was marketed for the purpose of network troubleshooting and analysis. And it’s this association that’s the first side of the double-edged sword which sniffing represents.
Sniffing for Legitimate Purposes
As information is transmitted on a computer network, a network router reads every packet of data which passes to it, to establish whether that data is intended for a destination within the router’s own network, or needs to be passed on to a wider or external network such as the internet. A router working with a sniffer may be able to read the data within each packet, as well as their source and destination addresses.
Packet sniffers intercept and log any network traffic that they can “see” – depending on the segment or channel of a wired or wireless network to which the sniffer software has access. Raw data from the packets is analyzed and presented in a form that’s readable by the human operator of the software – who can then see details of the interchanges going on between the various nodes of a network.
For administrators, this level of knowledge can be extremely useful in detecting and preventing traffic bottlenecks, and troubleshooting potential problems. So sniffing has an important place in the legitimate monitoring and analysis of computing networks.
Sniffing for Profit or Malice
On the darker side of things, hackers and cyber-criminals with access to sniffing software may eavesdrop on any unencrypted data in the packets traveling across a network, to find out what information is being exchanged between parties communicating on it. If information such as user credentials, passwords, or authentication tokens are being transmitted in an unencrypted form, they may readily gain access to these.
Packets may also be captured to be played back later in staging various forms of attacks to which networks may be vulnerable.
Types of Sniffing Attacks
Sniffing software typically includes network drivers and a memory buffer, so that it’s capable of capturing large numbers of data packets. These may be exploited against a targeted network in a number of ways.
Application-level sniffing may yield opportunities for hackers ranging from a listing of potentially vulnerable applications being run on a network to individual capture files which may be used to perform database SQL query analysis, operating system fingerprinting, or to identify port and application-specific data and lines of attack.
ARP sniffing allows hackers to draw up a map of IP addresses and their corresponding MAC addresses, as a possible prelude to packet spoofing, ARP poisoning, or the exploitation of vulnerabilities in network routers.
LAN sniffing deploys sniffer software on an internal LAN to scan its entire range of IP addresses promiscuously. Information such as server inventories, or lists of live hosts and open ports may be gleaned, to assist in staging attacks on specifically vulnerable ports.
TCP session stealing occurs when a network interface operating in promiscuous mode intercepts and captures data traffic between two IP addresses. Service types, port numbers, TCP sequence numbers, and high-value data are the principal targets here. Once enough packets have been captured, an attacker can create spoofed TCP sessions, and stage a “man-in-the-middle” assault on the source or destination IP addresses.
Web password sniffing occurs when HTTP sessions are hijacked and captured data is scoured for user credentials and passwords. This typically targets unsecured communications, but weak levels of encryption may also prove vulnerable to deciphering tools.
Guarding Against Sniffing
Sniffing is a passive activity, with packet sniffers sitting silently on a network observing and analyzing without giving out obvious clues to their presence. So guarding against malicious sniffing requires specialized forms of detection.
Host-based detection methods use lightweight utilities to establish whether the NIC (network interface controller) is running in promiscuous mode on any host on a network. Manually disabling this mode on the network interface provides an additional layer of security against rogue sniffers.
Specialist anti-sniffer software may be deployed to detect the presence of data packets with specific signatures, in network-based detection. Scripts may also be compiled and run on each network host to look for known processes or sniffers.
Configuring a network to rely on switches rather than a central hub reduces the possibility of sniffing, as data packets are delivered to their destination without making them visible to all network nodes.
Intrusion detection systems (IDS) have anti-sniffing protocols written into them as an integrated feature, used to verify the mode of the network interface, and the state of various applications and processes on network hosts and servers.
SSL and TLS encryption may be used to protect data traffic at the session layer. For the token-based protection of packets in the network infrastructure, IPSec encryption (deployed on firewalls, routers, and other network elements) may be called upon to guard against sniffing.
Share this Post