This chapter describes network sniffing and the threats it poses: how a sniffer works, active and passive sniffing, how an attacker uses sniffers to compromise a network, protocols vulnerable to interception, interception at the Open Systems Interconnection (OSI) data link layer, Switched Port Analyzer (SPAN) ports, and eavesdropping and lawful interception. It discusses programs that can be used to study packets on the network, explains the principle of operation of a sniffer and how exactly traffic can be intercepted, and covers the following tools: Wireshark, which captures and interactively displays traffic on a computer network; SteelCentral Packet Analyzer, which provides a graphical console for high-speed packet analysis; Capsa Network Analyzer and OmniPeek; and the mobile sniffers FaceNiff and Sniffer Wicap. It also describes the attacks that can be carried out with intercepted traffic, such as Man-in-the-Middle (MITM) attacks and password cracking attacks, and possible ways to protect against them.
It also considers the possible consequences for users and companies of a successful network compromise, as well as methods for detecting and eliminating problems related to the interception of network traffic. A sniffer is not always harmful: this type of software is routinely used by administrators to analyze network traffic, detect and eliminate anomalies, and keep the network running smoothly. It can, however, be used with malicious intent. A sniffer analyzes everything that passes through it, including unencrypted passwords and credentials, so an attacker who controls a sniffer can obtain users' personal information. Moreover, a sniffer does not have to be installed on the victim's device: it can run on any computer attached to the same local network segment, and because passive sniffing only receives frames and transmits nothing, the victim gets no direct indication that it is being listened to for the entire time it is connected.
Traffic can be intercepted in the following ways:
By simply listening on the network interface in promiscuous mode. This is effective only in a segment built on hubs (repeaters), which forward every frame to every port; on a switched segment the sniffer sees only the frames that reach its own port (broadcasts, multicasts and its own unicast traffic), so the method is largely ineffective there.
By inserting the sniffer in-line into the link (a network tap placed in a break in the cable).
By branching the traffic in software or hardware and sending a copy to the sniffer, for example with a SPAN (port mirroring) session on a switch or a passive tap.
By analyzing compromising electromagnetic emanations (TEMPEST-style side channels) and reconstructing the eavesdropped traffic from them.
Through an attack at the data link (layer 2) or network (layer 3) level, such as ARP/MAC spoofing or IP spoofing, that redirects the victim's traffic, or the traffic of the entire segment, to the sniffer, which then forwards it on to the proper destination so that the connection keeps working and the interception goes unnoticed.
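The two points above that matter most in practice are the layer-2 redirection and what a sniffer can pull out of cleartext traffic once it sits in the path. The following added example (not code from the original chapter or from any tool it names) shows both with nothing but the Python standard library: it decodes raw Ethernet/ARP/IPv4/TCP frames, raises an alert when the same IP address is announced by two different MAC addresses in ARP replies (the signature of the ARP/MAC spoofing described in the last item), and harvests USER/PASS from a cleartext FTP control connection. The frames, MAC addresses and documentation-range IP addresses are constructed for the example, not a real capture.

```python
"""Passive sniffer logic over constructed Ethernet frames (standard library only)."""
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def parse_ethernet(frame: bytes):
    """Split an Ethernet II frame into (dst_mac, src_mac, ethertype, payload)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


def parse_arp(payload: bytes):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip) of an IPv4 ARP packet."""
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    return op, sha, spa, tha, tpa


def parse_ipv4_tcp(payload: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, tcp_data), or None if not TCP."""
    if payload[9] != 6:                      # IPv4 protocol field: 6 = TCP
        return None
    ihl = (payload[0] & 0x0F) * 4            # IPv4 header length in bytes
    tcp = payload[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4            # TCP header length in bytes
    return payload[12:16], payload[16:20], sport, dport, tcp[data_off:]


def detect_arp_spoof(frames):
    """Layer-2 redirection indicator: one IP announced by more than one MAC in ARP replies."""
    claims = defaultdict(set)
    alerts = []
    for frame in frames:
        _, _, ethertype, payload = parse_ethernet(frame)
        if ethertype != ETH_P_ARP:
            continue
        op, sha, spa, _, _ = parse_arp(payload)
        if op != 2:                          # only "is-at" replies bind an IP to a MAC
            continue
        claims[spa].add(sha)
        if len(claims[spa]) > 1:
            alerts.append((inet_ntoa(spa), sorted(mac_str(m) for m in claims[spa])))
    return alerts


def extract_ftp_credentials(frames):
    """Harvest USER/PASS from cleartext FTP control connections (TCP port 21)."""
    creds = {}
    for frame in frames:
        _, _, ethertype, payload = parse_ethernet(frame)
        if ethertype != ETH_P_IP:
            continue
        parsed = parse_ipv4_tcp(payload)
        if parsed is None or parsed[3] != 21:
            continue
        src_ip, dst_ip, _, _, data = parsed
        for line in data.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() in ("USER", "PASS"):
                creds.setdefault((inet_ntoa(src_ip), inet_ntoa(dst_ip)), {})[cmd.upper()] = arg
    return creds


# --- constructed sample traffic (documentation addresses, not a real capture) ---
def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, 2, sender_mac, sender_ip, target_mac, target_ip)
    return struct.pack("!6s6sH", target_mac, sender_mac, ETH_P_ARP) + arp


def build_tcp_segment(src_mac, dst_mac, src_ip, dst_ip, sport, dport, data):
    # Minimal IPv4 + TCP headers; checksums are left zero because the parser above ignores them.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0, src_ip, dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return struct.pack("!6s6sH", dst_mac, src_mac, ETH_P_IP) + ip + tcp + data


GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = (bytes.fromhex(h) for h in ("001122334455", "66778899aabb", "deadbeef0001"))
GATEWAY_IP, VICTIM_IP, SERVER_IP = (inet_aton(a) for a in ("192.0.2.1", "192.0.2.10", "198.51.100.5"))

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # genuine gateway reply
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # attacker claims the gateway IP
    build_tcp_segment(VICTIM_MAC, GATEWAY_MAC, VICTIM_IP, SERVER_IP, 40000, 21, b"USER alice\r\n"),
    build_tcp_segment(VICTIM_MAC, GATEWAY_MAC, VICTIM_IP, SERVER_IP, 40000, 21, b"PASS hunter2\r\n"),
]

if __name__ == "__main__":
    print("ARP spoofing alerts:", detect_arp_spoof(SAMPLE_FRAMES))
    print("Cleartext FTP credentials:", extract_ftp_credentials(SAMPLE_FRAMES))
```

On a real host the same two functions would be fed frames from a promiscuous-mode raw socket or from a capture file; the detection rule is deliberately simple (a per-IP set of claiming MACs) and will also fire on legitimate NIC replacements or failover, so in production it is paired with a known-good ARP table or with Dynamic ARP Inspection on the switch.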
Wireshark allows you to capture and interactively browse traffic on a computer network. It relies on libpcap (Npcap, formerly WinPcap, on Windows) to capture packets from supported interfaces, and can capture live traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay and FDDI networks. Capture files can be processed from the command line with the companion tools shipped with Wireshark (tshark for command-line capture and analysis, editcap for editing and splitting capture files, mergecap for merging them). Two kinds of filters are involved: a capture filter, in BPF syntax, decides which packets are recorded at all, while a display filter, in Wireshark's own field-based syntax, refines which of the captured packets are shown.
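Everything Wireshark, tshark and editcap operate on is a capture file, and the classic libpcap format is simple enough to produce and parse by hand. The following added example (written for this chapter, not Wireshark's or libpcap's own code) writes and reads back a microsecond-resolution pcap file containing one constructed ARP request frame, so that a practitioner can open the result in Wireshark and try capture and display filters against a known input. The frame, addresses and timestamp are constructed for the example.

```python
"""Write and read a libpcap (.pcap) capture file with only the standard library."""
import struct
from pathlib import Path

PCAP_MAGIC = 0xA1B2C3D4                  # microsecond-resolution pcap
LINKTYPE_ETHERNET = 1                    # DLT_EN10MB
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(records, snaplen=65535) -> bytes:
    """records: iterable of (ts_sec, ts_usec, frame_bytes). Returns the file content."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        captured = frame[:snaplen]                       # snaplen truncates what is stored
        out.append(RECORD_HDR.pack(ts_sec, ts_usec, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def read_pcap(data: bytes):
    """Parse a little-endian pcap file back into [(ts_sec, ts_usec, frame_bytes), ...]."""
    magic, _major, _minor, _, _, _, _linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    records, offset = [], GLOBAL_HDR.size
    while offset < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(data, offset)
        offset += RECORD_HDR.size
        records.append((ts_sec, ts_usec, data[offset:offset + incl_len]))
        offset += incl_len
    return records


# Constructed frame: an ARP "who-has 192.0.2.10 tell 192.0.2.1" broadcast (42 bytes).
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"        # Ethernet: dst broadcast, src MAC, ethertype ARP
    "0001" "0800" "06" "04" "0001"              # ARP: Ethernet/IPv4, address lengths, opcode 1 (request)
    "001122334455" "c0000201"                   # sender MAC / sender IP (192.0.2.1)
    "000000000000" "c000020a"                   # target MAC (unknown) / target IP (192.0.2.10)
)


def build_sample_capture() -> bytes:
    return write_pcap([(1_700_000_000, 0, ARP_REQUEST)])


if __name__ == "__main__":
    Path("sample.pcap").write_bytes(build_sample_capture())
    print("wrote sample.pcap with", len(read_pcap(build_sample_capture())), "record(s)")
```

After running it, `tshark -r sample.pcap -Y "arp.opcode == 1"` applies a display filter to the file and lists the request, while a capture filter such as `tshark -i eth0 -f "port 21"` (BPF syntax, applied before anything is written) would record only FTP control traffic from a live interface. Note that the snaplen is honoured on write: a frame longer than the snaplen is stored truncated, with the original length preserved in the record header, which is exactly the situation Wireshark flags as a packet "cut short in the middle of a frame".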
SteelCentral Packet Analyzer provides a graphical console for high-speed packet analysis. It integrates with Riverbed AirPcap adapters to analyze and troubleshoot 802.11 wireless networks. It can ingest terabytes of packet data traversing the network and present that traffic in a graphical user interface (GUI), and it can analyze multi-gigabyte recordings from locally opened trace files or from remote SteelCentral NetShark probes (physical, virtual or embedded in SteelHeads) without transferring the large files, in order to detect network anomalies or diagnose and troubleshoot complex network and application performance issues down to the bit level.
Capsa Network Analyzer is a network monitoring tool that collects all data transmitted over the network and presents a wide range of analytical statistics in an intuitive graphical form. It helps to analyze and fix problems that arise in the network, and can also perform network forensics, advanced protocol analysis, in-depth packet decoding and automated expert diagnostics.
OmniPeek Network Analyzer provides real-time visibility into, and expert analysis of, every part of the target network. It analyzes, drills down into and helps eliminate performance bottlenecks across multiple network segments. Analytics modules add targeted visualization and search capabilities, and a Google Maps plug-in extends OmniPeek's analysis by displaying, in the capture window, a map with the locations of all public IP addresses seen in the captured packets. An attacker can use OmniPeek to monitor and analyze a target network's traffic in real time, geolocate the sources of that traffic, attempt to obtain sensitive information and look for weaknesses in the network.
FaceNiff is an Android app that can eavesdrop on and hijack web session profiles over the Wi-Fi connection of a mobile phone. It requires a rooted Android device, and it can listen to sessions when the Wi-Fi network is open or secured with WEP, WPA-PSK or WPA2-PSK.
Sniffer Wicap is a mobile network packet analyzer for rooted ARM-based Android devices. Attackers can use it to capture packets from different types of connections, such as Wi-Fi, 3G and LTE.