№5 Ethical Hacking Labs. Sniffing

13 April 2023 6 minutes

Detecting Malware Threats: Protecting Your Computer System

Sniffing is the interception and inspection of network traffic to capture data as it moves through a computer network. This is done using software tools called packet analyzers or network analyzers that are designed to capture and analyze network traffic in real time. Sniffing can be used for both legitimate purposes, such as network troubleshooting, and malicious purposes, such as stealing sensitive information such as passwords, credit card numbers, or other sensitive data. It is important to have adequate network security measures in place to prevent unauthorized interception and protect against potential data breaches. In computer networks, sniffing is a technique used to monitor and capture network traffic. This involves intercepting and analyzing network packets being transmitted between different devices on the network, often without the knowledge or consent of the users.

Sniffing can be used for a variety of purposes, including network troubleshooting, performance analysis, security testing, and malicious attacks. Analysis tools or software can be used to capture network packets and analyze the data they contain. Sniffing can reveal sensitive information, including passwords, usernames, and other sensitive data, which poses a security threat. Therefore, it is important for organizations to take steps to protect their networks from unauthorized interception, such as encrypting sensitive data, using secure protocols, and monitoring network traffic for signs of suspicious activity. With passive sniffing, movement is blocked, but it is not changed in any way. Passive sniffing allows you to listen only. It works with Hub devices. On the hub device, traffic is sent to all ports. With active sniffing, traffic is not only intercepted and monitored, but it can also be modified in some way as determined by the attack. Active analysis is used to analyze a switch-based network.

MITM attack using BetterCAP

BetterCAP — is a powerful, easily extensible, and portable framework written in Go that aims to offer security researchers, teams of specialists, and reverse engineers an easy-to-use, end-to-end solution with all the features they might need for reconnaissance and attack. WiFi networks, Bluetooth Low Energy devices, HID wireless devices and Ethernet networks.

MITM — is a form of active eavesdropping in which an attacker establishes independent connections with victims and passes messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is being monitored by the attacker.


Inspect network traffic and perform ARP poisoning. Launch a Man in the Middle attack. Scan network traffic for passwords.


Kali Linux virtual machine. Any Windows virtual machine (7, 8, 10 or Server).

Install BetterCAP

Start Kali Linux, open a new terminal window and enter the following commands:

BetterCAP modules

To run the program, type bettercap and specify the current network interface:

The events.stream module works by default, this module is enabled by default and is responsible for reporting events generated by other modules during an interactive session. Additionally, it can be used to programmatically execute commands when certain events occur.

Configuring modules for ARP spoofing

Run the prober module to send different types of probe packets to each IP address on the current subnet for the net.recon module to detect.

Start searching for network hosts:

Set the arp.spoof module parameter fullduplex to true. If you set it to true, both the target and the gateway will be attacked, otherwise only the target (if the router has ARP spoofing enabled, this will cause the attack to fail).

Specify a target for forgery. (A comma-separated list of MAC addresses, IP addresses, IP ranges, or aliases for spoofing).

Run the ARP spoofer:

Run the packet analyzer:

Type help to get a list of running modules:

ARP spoofing

Bettercap fools the router and the target machine (Windows) by placing the attacking machine (Kali) in the middle of the connection.

On my Windows machine, I use the arp table command to see what’s going on:

As you can see, the Windows machine “thinks” the router’s MAC address is the same as Kali’s because the ARP table is spoofed.

Generate general traffic on the target machine.

Log in to your Windows virtual machine. Start your browser and enter the URL: (http://testhtml5.vulnweb.com). Log in to this website for vulnerability testing with sample credentials: user: admin | password: password.

Collection and analysis of each request

As you can see, we have captured the credentials sent to the website. Everything sent and received by the target machine will be captured by the Kali Linux machine.

Automate BetterCAP with Caplets

To increase efficiency, you can automate some of the module configuration by creating a simple Caplet file and adding commands on each line.

MAC address spoofing

MAC address spoofing is a technique used to change the Media Access Control (MAC) address of a network interface, which can be used to bypass network filters or impersonate other devices on the network. This involves changing the device’s hardware address to make it look like another device on the network. This can be useful for both legitimate purposes (such as testing network security) and malicious activities (such as evading MAC-based access control or launching man-in-the-middle attacks). However, MAC address spoofing is also a form of cybercrime and can lead to serious legal consequences.

Why change the MAC address?

Increasing anonymity. Impersonate other devices. Bypass filters.


Change the MAC address on Kali Linux. Change the MAC address in Windows.


Kali Linux virtual machine. An Alfa network adapter or another with a similar chipset. A Windows 7, 8, or 10 virtual machine.

Using macchanger(Kali)

Macchanger — this is a tool that comes with any Kali Linux rolling edition and can change the MAC address to any desired address before the next reboot. In this lab, we will spoof the MAC address of our wireless adapter using a random MAC address generated by Macchanger on Kali Linux.

Change the MAC address manually (Kali)

Turn off the network adapter:

Change the address using the hw ether option of ifconfig using any MAC address:

Enable the interface:

Check the network adapter changes:

SMAC GUI Tool (Windows)

SMAC (Spoof MAC Address) — is a Windows utility used to change the MAC address of a network adapter. It allows users to change the MAC address of their network adapters to bypass filters or disguise their identity on the network. SMAC can be used for both legitimate and malicious purposes, so it is important to use it responsibly and within legal and ethical guidelines.


Found an error?
If you find an error, take a screenshot and send it to the bot.