With the evolution of technology, network activities have increased excessively. Many day-to-day tasks are intertwined with the internet to function. On one level of the infamous OSI model, the data exchanged between devices is broken down into smaller units and transmitted in the network in the form of packets. These packets contain information that is useful for investigators and network administrators for analysis and troubleshooting purposes. Unfortunately, the bits they contain are equally revealing for threat actors to use for nefarious purposes.
Packet sniffing is the technique of capturing and monitoring data packets that traverse the network. This can be done through a software application or a device. A software packet sniffer is an installed application that collects all the network traffic that passes through the physical network interface. It does so by changing the configuration into a promiscuous listening mode to receive all the traffic of the network. A hardware packet sniffer is a physical device that is plugged into a network that reads all the data packets.
Legal uses and benefits of packet sniffing
Sniffing one’s own network is perfectly legal for an administrator or security analyst. The following uses are in instances where the owner or the administrator of the network is aware of the packet sniffing operation without any malicious intent involved.
- To troubleshoot network-related issues – Packet sniffers aid in detecting deep-rooted network issues and pinpointing and identifying the error. It helps the network administrators to clearly understand what the problem is and to implement solutions for it.
- To monitor network bandwidth and traffic – The bandwidth and the amount of traffic that passes through the network are used to analyze to examine applications or services which use high amounts of bandwidth and to optimize the performance of the network.
- For security analysis – To detect and analyze security threats and identify security configuration vulnerabilities of the network.
Illegal uses and risks of packet sniffing
If a packet is not encrypted, threat actors can examine its contents, and it is a very viable method for them to obtain sensitive information such as usernames and passwords. Threat actors use packet sniffing techniques to conduct various packet sniffing attacks.
There are two types of packet sniffing attack methods –
- Active sniffing - Active sniffing attacks use switches in a network. Since switches send packets according to specified Media Access Control (MAC) addresses, in active sniffing attacks Address Resolution Protocols (ARPs) requests are injected into a network to overflow the switch Content Address Memory (CAM) table. This causes the CAM table to overflow and legitimate traffic is redirected to other ports, which allows the threat actor to sniff packets from the switch. Most modern manufacturers have remediated this vulnerability, but some switches are still at risk from this exploit.
- Passive sniffing - Passive sniffing attacks use network hubs, or a device known as a vampire tap to sniff packets. A packet sniffer will be directly connected to read packets since the hub doesn`t possess any packet addressing functions. This type is very difficult to detect but less of a threat since hubs are rarely used in networks nowadays. A vampire tap needs to be installed in a main entry point to a server or a switch, which would signal an insider threat.
A packet sniffing attack is known as the unlawful capture of network traffic to access unencrypted packet data. A threat actor is also capable of using sniffing tools to inject malicious code into the packet, which will be executed when it reaches the target device.
There are several packet sniffing attack methods –
- Password sniffing – This method is a man-in-the-middle (MITM) cyberattack common in public Wi-Fi networks. The purpose is to obtain the victim`s password by breaching the connection.
- Transmission Control Protocol (TCP) session hijacking – The threat actor collects the session ID to masquerade as the authorized user in a web user session, which allows all the privileges of that user in the network.
- Domain Name Server (DNS) poisoning – The act of redirecting traffic to phishing websites.
- JavaScript sniffing attack – Inserts malicious code onto a website that harvests personal information such as online forms that collects names, addresses, and passwords.
- Dynamic Host Configuration Protocol (DHCP) attack – A DHCP server dynamically assigns IP addresses, default gateway, and subnet mask to client devices. The DHCP client device sends broadcast traffic during startup, which may be intercepted and manipulated.
Defending against malicious packet sniffers
- Avoid using open public Wi-Fi networks.
- Use a trusted Virtual Private Network (VPN) connection to encrypt network communications.
- When browsing, look for Hypertext Transfer Protocol Secure (HTTPS) protocols, which ensure that the data is encrypted before it is sent to a server.
- Use anti-malware software to detect any software sniffers on endpoint devices.
- Implement an Intrusion Detection System (IDS) that analyzes network traffic for suspicious behavior.
Conclusion
Packet sniffing is both a very beneficial and, sadly, a malicious technique used to capture and analyze data packets. It serves as a useful tool for network administrators to identify network issues and fix them. Meanwhile, threat actors use it for malicious purposes such as data theft and to distribute malware. Organizations need to be aware of the benefits and uses of packet sniffing while also implementing security controls to prevent malicious sniffing activity.
About the Author:
Dilki Rathnayake is a Cybersecurity student studying for her BSc (Hons) in Cybersecurity and Digital Forensics at Kingston University. She is also skilled in Computer Network Security and Linux System Administration. She has conducted awareness programs and volunteered for communities that advocate best practices for online safety. In the meantime, she enjoys writing blog articles for Bora and exploring more about IT Security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
5 Things Your FIM Solution Should Be Doing for You
Discover the pivotal role of File Integrity Monitoring in maintaining system security and compliance with major standards. Tripwire Enterprise stands out as an advanced solution, offering real-time detection and detailed context for system changes, making it a superior choice for robust cybersecurity.