Module 08: Sniffing

Lab 1: Perform Active Sniffing

Active sniffing involves sending out multiple network probes to identify access points. The following is a list of the main active sniffing techniques:

  • MAC Flooding: Involves flooding the CAM table with fake MAC address and IP pairs until it is full

  • DNS Poisoning: Involves tricking a DNS server into believing that it has received authentic information when, in reality, it has not

  • ARP Poisoning: Involves constructing a large number of forged ARP request and reply packets to overload a switch

  • DHCP Attacks: Involves performing a DHCP starvation attack and a rogue DHCP server attack

  • Switch port stealing: Involves flooding the switch with forged gratuitous ARP packets with the target MAC address as the source

  • Spoofing Attack: Involves performing MAC spoofing, VLAN hopping, and STP attacks to steal sensitive information

Task 1: Perform MAC Flooding using macof

macof -i eth0 -n 10 

-i specifies the interface; -n specifies the number of packets to send (here, 10).

You can also target a single system with the command macof -i eth0 -d [Target IP Address] (-d specifies the destination IP address).

Task 2: Perform a DHCP Starvation Attack using Yersinia

 ## To open yersinia in interactive mode
 yersinia -I

Lab 2: Perform Network Sniffing using Various Sniffing Tools

Task 1: Perform Password Sniffing using Wireshark

HTTP username and password harvesting using Wireshark: apply the following display filter to show only form submissions

http.request.method == POST

The Remote Packet Capture Protocol v.0 (experimental) service can be used to add a remote capture interface in Wireshark by supplying the remote machine's IP address and access credentials.

Lab 3: Detect Network Sniffing

Network sniffing involves using sniffer tools that enable the real-time monitoring and analysis of data packets flowing over computer networks. These network sniffers can be detected by using various techniques such as:

  • Ping Method: Identifies if a system on the network is running in promiscuous mode

  • DNS Method: Identifies sniffers in the network by analyzing the increase in network traffic

  • ARP Method: Sends a non-broadcast ARP to all nodes in the network; a node on the network running in promiscuous mode will cache the local ARP address

Task 1: Detect ARP Poisoning and Promiscuous Mode in a Switch-Based Network

Tools used in this section:

Cain & Abel

Sniffer detection script in nmap (sniffer-detect NSE script)

nmap --script=sniffer-detect [Target IP Address/ IP Address Range] 
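The ARP method listed above is the technique the nmap sniffer-detect script relies on: a NIC in normal mode silently drops frames whose destination MAC is not its own address, the broadcast address or a joined multicast group, while a host in promiscuous mode passes every frame to the OS, whose ARP stack then answers because it only checks the target IP. The model below is an added, idealized simulation (not code from the lab or from nmap) of that decision logic; the MAC/IP values are constructed, and real operating systems differ in how strictly they filter (some compare only a prefix of the destination MAC), which is why detectors send several probes rather than one.

```python
"""Simulation of the ARP-based promiscuous-mode test used by sniffer detectors."""

BROADCAST = "ff:ff:ff:ff:ff:ff"
ALL_HOSTS_MCAST = "01:00:5e:00:00:01"  # 224.0.0.1, joined by every IPv4 host

# Probe destination MACs (label, dst_mac). A correctly filtering NIC accepts
# only the first two; a reply to any of the others indicates promiscuous mode.
PROBES = [
    ("broadcast", BROADCAST),
    ("all-hosts multicast", ALL_HOSTS_MCAST),
    ("fake broadcast ff:ff:ff:ff:ff:fe", "ff:ff:ff:ff:ff:fe"),
    ("fake broadcast ff:ff:00:00:00:00", "ff:ff:00:00:00:00"),
    ("group bit only 01:00:00:00:00:00", "01:00:00:00:00:00"),
    ("unjoined multicast 01:00:5e:00:00:00", "01:00:5e:00:00:00"),
]


def nic_accepts(dst_mac, own_mac, promiscuous):
    """True if the NIC passes a frame with this destination MAC up to the OS."""
    if promiscuous:
        return True  # hardware filter disabled: every frame is delivered
    return dst_mac.lower() in {own_mac.lower(), BROADCAST, ALL_HOSTS_MCAST}


def host_replies(dst_mac, own_mac, own_ip, target_ip, promiscuous):
    """The ARP stack answers only if the frame arrived AND the target IP is ours."""
    return nic_accepts(dst_mac, own_mac, promiscuous) and target_ip == own_ip


def run_probes(own_mac, own_ip, promiscuous):
    """Send every probe to own_ip (simulated); return {label: replied}."""
    return {label: host_replies(dst, own_mac, own_ip, own_ip, promiscuous)
            for label, dst in PROBES}


def classify(results):
    """'promiscuous' if any probe a filtering NIC should drop was answered."""
    suspicious = [label for label, dst in PROBES
                  if dst not in (BROADCAST, ALL_HOSTS_MCAST) and results[label]]
    return ("promiscuous" if suspicious else "normal"), suspicious


if __name__ == "__main__":
    # Constructed host: compare a normal NIC with the same host in promiscuous mode.
    for mode in (False, True):
        verdict, hits = classify(run_probes("00:11:22:33:44:55", "10.0.0.5", mode))
        print(f"promiscuous={mode}: verdict={verdict}, answered={hits}")
```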
