---
title: Sniffing network traffic
course: intro_pentest
section: Exploitation
layout: lesson
---

Another popular technique that can be used to gain access to systems is network sniffing. Sniffing is the process of capturing and viewing traffic as it passes along the network. Several popular protocols in use today still send sensitive and important information over the network without encryption. Network traffic sent without encryption is often referred to as clear text because it is human-readable and requires no deciphering. Sniffing clear-text network traffic is a trivial yet effective means of gaining access to systems.

Before we begin sniffing traffic, it’s important that you understand some basic network concepts. The difference between promiscuous mode and non-promiscuous mode will be discussed first.

By default, most network cards operate in non-promiscuous mode. In non-promiscuous mode, the network interface card (NIC) passes on only the traffic that is addressed to it. If the NIC receives traffic that matches its address, the NIC passes the traffic on to the CPU for processing.

If the NIC receives traffic that doesn’t match its address, the NIC simply discards the packets. In many ways, a NIC in non-promiscuous mode acts like a ticket taker at a movie theater. The ticket taker stops people from entering the theater unless they have a ticket for the specific show.

Promiscuous mode, on the other hand, forces the NIC to accept all packets that arrive. In promiscuous mode, all network traffic is passed on to the CPU for processing, regardless of whether it was destined for the system or not.

To successfully sniff network traffic that isn’t normally destined for your PC, you must make sure your network card is in promiscuous mode.

You may be wondering how it is possible for network traffic to arrive at a computer or device when the traffic was not addressed to that device. There are several scenarios in which this situation may arise. First, any traffic that is broadcast on the network is sent to all connected devices. Another example is networks that use hubs rather than switches to forward traffic.

A hub works by simply repeating all the traffic it receives to every device connected to its physical ports. In networks that use a hub, your NIC is constantly disregarding packets that don’t belong to it. For example, assume we have a small 8-port hub with 8 computers plugged into it. In this environment, when the PC plugged into port number 1 wants to send a message to the PC plugged into port number 7, the message (network traffic) is actually delivered to all the computers plugged into the hub. However, assuming all the computers are in non-promiscuous mode, machines 2-6 simply disregard the traffic.

Many people believe that you can fix this situation by simply swapping your hubs for switches. This is because, unlike hubs, which repeat all traffic to all ports, switches are more selective. When you first plug a computer into a switch, the MAC address of the computer’s NIC is registered with the switch. This information (the computer’s MAC address and the switch port number) is then used by the switch to forward traffic for a specific machine to that specific port only. Going back to our previous example, if a switch is being used and PC 1 sends a message to PC 7, the switch processes the network traffic and consults the table containing MAC addresses and port numbers. It then sends the message only to the computer connected to port number 7. Devices 2-6 and 8 never receive the traffic.
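The following Python model puts the two ideas above together: it simulates the 8-port hub and the switch from the example, with each PC's NIC acting as the "ticket taker" that either drops or admits frames depending on promiscuous mode, so you can see exactly which CPUs end up with a clear-text frame. This is an added example written for this lesson, not part of the original course material; the MAC addresses and the `USER alice` payload are constructed sample values.

```python
"""Model of the lesson's 8-port hub vs. switch example, and of what a NIC in
promiscuous or non-promiscuous mode hands up to the CPU. Added example for
this lesson, not original course material; MAC addresses are constructed."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Host:
    name: str
    mac: str
    promiscuous: bool = False
    seen: list = field(default_factory=list)  # frames handed to the CPU

    def receive(self, frame):
        # Non-promiscuous NIC is the "ticket taker": only frames addressed to this
        # MAC (or to broadcast) get through. Promiscuous mode admits every frame.
        if self.promiscuous or frame["dst"] in (self.mac, BROADCAST):
            self.seen.append(frame)


class Hub:
    """Repeats every frame out of every port except the one it arrived on."""
    def __init__(self, hosts):
        self.ports = list(hosts)

    def forward(self, frame):
        for h in self.ports:
            if h.mac != frame["src"]:
                h.receive(frame)


class Switch(Hub):
    """Keeps a MAC-to-port table and delivers unicast frames to one port only."""
    def __init__(self, hosts):
        super().__init__(hosts)
        self.mac_table = {h.mac: h for h in hosts}  # learned as PCs are plugged in

    def forward(self, frame):
        target = self.mac_table.get(frame["dst"])
        if target is None:  # broadcast or unknown MAC: flood like a hub
            super().forward(frame)
        else:
            target.receive(frame)


def who_sees(device_cls, dst="PC7", promiscuous=()):
    """Names of hosts whose CPU received a clear-text frame sent by PC1 to dst."""
    hosts = [Host(f"PC{i}", f"02:00:00:00:00:{i:02x}", f"PC{i}" in promiscuous)
             for i in range(1, 9)]
    dst_mac = BROADCAST if dst == "broadcast" else next(h.mac for h in hosts if h.name == dst)
    device_cls(hosts).forward({"src": hosts[0].mac, "dst": dst_mac, "payload": "USER alice"})
    return [h.name for h in hosts if h.seen]
```

Running `who_sees(Hub, promiscuous=("PC3",))` shows PC3 receiving the PC1-to-PC7 frame, while `who_sees(Switch, promiscuous=("PC3",))` shows that promiscuous mode alone gains nothing on a switched segment; only the broadcast case reaches every port on both devices.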