CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [54]
Any protocols that don't encrypt data are susceptible to sniffing. Protocols such as HTTP, POP3, Simple Network Management Protocol (SNMP), and FTP are most commonly captured using a sniffer and viewed by a hacker to gather valuable information such as usernames and passwords.
The term packet refers to the data at layer 3 or the network layer of the OSI model whereas frame refers to data at layer 2 or the data link layer. Frames contain MAC addresses, and packets contain IP addresses.
Hacking Tools
Ethereal is a freeware sniffer that can capture packets from a wired or wireless LAN connection. The latest version has been renamed Wireshark. Ethereal is a common and popular program because it is free, but it has some drawbacks. An untrained user may find it difficult to write filters in Ethereal to capture only certain types of traffic.
Snort is an intrusion detection system (IDS) that also has sniffer capabilities. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, Server Message Block (SMB) probes, and OS fingerprinting attempts.
WinDump is the Windows version of tcpdump, the command-line network analyzer for Unix. WinDump is fully compatible with tcpdump and can be used to watch, diagnose, and save to disk network traffic according to various rules.
EtherPeek is a great sniffer for wired networks with extensive filtering and TCP/IP conversation tracking capabilities. The latest version of EtherPeek has been renamed OmniPeek.
WinSniffer is an efficient password sniffer. It monitors incoming and outgoing network traffic and decodes FTP, POP3, HTTP, ICQ, Simple Mail Transfer Protocol (SMTP), Telnet, Internet Message Access Protocol (IMAP), and Network News Transfer Protocol (NNTP) usernames and passwords.
Iris is an advanced data- and network-traffic analyzer that collects, stores, organizes, and reports all data traffic on a network. Unlike other network sniffers, Iris is able to reconstruct network traffic, such as graphics, documents, and e-mails including attachments.
Understand Active and Passive Sniffing
There are two different types of sniffing: passive and active. Passive sniffing involves listening and capturing traffic, and is useful in a network connected by hubs; active sniffing involves launching an Address Resolution Protocol (ARP) spoofing or traffic-flooding attack against a switch in order to capture traffic. As the names indicate, active sniffing is detectable but passive sniffing isn't.
In networks that use hubs or wireless media to connect systems, all hosts on the network can see all traffic; therefore a passive packet sniffer can capture traffic going to and from all hosts connected via the hub. A switched network operates differently. The switch looks at the data sent to it and tries to forward frames to their intended recipients based on MAC address. The switch maintains a MAC table of all the systems and the port numbers to which they're connected. This enables the switch to segment the network traffic and send traffic only to the correct destination MAC addresses. A switched network has greatly improved throughput and is more secure than a shared network connected via hubs.
Understand ARP Poisoning
ARP allows the network to translate IP addresses into MAC addresses. When one host using TCP/IP on a LAN tries to contact another, it needs the MAC address or hardware address of the host it's trying to reach. It first looks in its ARP cache to see if it already has the MAC address; if it doesn't, it broadcasts an ARP request asking, "Who has the IP address I'm looking for?" If the host that has that IP address hears the ARP query, it responds with its own MAC address, and a conversation can begin using TCP/IP.
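The request/reply exchange described above, as an added example that is not from the book: it builds and parses Ethernet frames (layer 2, MAC addresses) carrying ARP packets (IP addresses) on constructed sample traffic with hypothetical addresses, and keeps a passive ARP cache that raises an alert when a later reply claims an already-learned IP from a different MAC, the kind of mapping change a defender watches for because active sniffing is detectable.

```python
import struct

ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)
def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)
def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=b"\xff" * 6):
    """Ethernet II frame (layer 2: MAC addresses) carrying an Ethernet/IPv4 ARP packet."""
    ether = dst_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    return ether + arp_hdr + sender_mac + sender_ip + target_mac + target_ip
def parse_arp_frame(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"frame_src": mac_str(frame[6:12]), "op": op,
            "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
            "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20])}

class ArpMonitor:
    """Passive watcher: learns IP->MAC from ARP replies and flags a changed mapping."""
    def __init__(self):
        self.cache, self.alerts = {}, []
    def observe(self, frame: bytes):
        arp = parse_arp_frame(frame)
        if arp is not None and arp["op"] == ARP_REPLY:
            ip, mac = arp["sender_ip"], arp["sender_mac"]
            if ip in self.cache and self.cache[ip] != mac:
                self.alerts.append(f"{ip}: MAC changed from {self.cache[ip]} to {mac}")
            self.cache.setdefault(ip, mac)  # first-seen mapping is kept as the baseline
        return arp

# Constructed sample traffic (not a real capture): a host asks for the gateway, the real
# gateway answers, then a second reply claims the gateway IP from a different MAC.
HOST_MAC, GW_MAC, OTHER_MAC = (bytes.fromhex(h) for h in ("020000000010", "020000000001", "0200000000ee"))
HOST_IP, GW_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])
SAMPLE_FRAMES = [build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, b"\x00" * 6, GW_IP),
                 build_arp(ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP, dst_mac=HOST_MAC),
                 build_arp(ARP_REPLY, OTHER_MAC, GW_IP, HOST_MAC, HOST_IP, dst_mac=HOST_MAC)]
def run_monitor(frames=SAMPLE_FRAMES) -> ArpMonitor:
    mon = ArpMonitor()
    for f in frames:
        mon.observe(f)
    return mon
```

Running `run_monitor()` on the sample frames leaves the first-learned gateway MAC in the cache and produces one alert for the conflicting reply.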
ARP poisoning is a technique that's used