A packet sniffing attack (or simply a sniffing attack) is a network-created threat. A malicious entity captures network packets intending to intercept or steal data traffic that may have been left unencrypted. This article explains how packet sniffing works, its types, typical examples, and the best practices to address this.
Table of Contents
- What Is a Packet Sniffing Attack?
- Methods Used for Packet Sniffing Attacks
- Packet Sniffing Attack Examples
- Packet Sniffing Attack Prevention Best Practices for 2022
What Is a Packet Sniffing Attack?
A packet sniffing attack (or simply a sniffing attack) is a network-created threat where a malicious entity captures network packets intending to intercept or steal data traffic that may have been left unencrypted.
Sniffing attacks are data thefts perpetrated by capturing network traffic with packet sniffers, which can illegally access and read unencrypted data. The data packets are collected when they pass through a computer network. The sniffing devices or media used to perform this sniffing attack and collect network data packets are known as packet sniffers.
Generally speaking, a packet sniffer refers to hardware or software that keeps track of network traffic by capturing packets. It is also known as a packet analyzer, protocol analyzer, or network analyzer. Sniffers analyse data packet streams that pass between computers on a network as well as between networked systems and the Internet. These packets are designed for specific machines, but utilizing a packet sniffer in “promiscuous mode,” IT professionals, end-users, or malevolent intruders can inspect any packet, regardless of destination.
Sniffers can be configured in two ways. The first is “unfiltered,” which will capture all possible packets and save them to a local hard drive for subsequent inspection. The next option is “filtered,” which means that analyzers will only collect packets containing particular data components. System administrators frequently use sniffing to troubleshoot or investigate the network. However, hackers may take advantage of this technology to break into a network, which leads to a packet sniffing attack.
How does packet sniffing work?
A network interface card (NIC) is a hardware component that contains a circuit board in every computer network. By default, NICs ignore non-addressed traffic. Sniffing attacks require the NICs to be set to promiscuous mode, which allows the NICs to receive all network traffic. Sniffers can listen in on all traffic passing through the NICs by decoding the encoded information in the data packets. Sniffing attacks are made more accessible by weakly encrypted data packets.
The act of sniffing can be classified into two types: active and passive.
- Active sniffing: It is the technique of inserting address resolution protocols (ARPs) into a network to overload the switch content address memory (CAM) table. As a result, legitimate traffic is redirected to other ports, allowing the attacker to sniff traffic from the switch. Active sniffing methodologies are used for spoofing attacks, dynamic host configuration protocol (DHCP) attacks, and domain name system (DNS) poisonings.
- Passive sniffing: It consists solely of listening and is typically used in networks connected by hubs. The traffic is visible to all hosts in this form of network. To discreetly monitor a company’s network, hackers will often employ one of two approaches to passive sniffing.
- In the case of organisations that use hubs to connect several devices on a single network, hackers can use a sniffer to passively “spy” on all the traffic flowing through the system. This sort of passive sniffing is incredibly difficult to detect.
- Passive monitoring, however, does not provide access to all network traffic when a more extensive network is involved, leveraging several connected computers and network switches to direct traffic exclusively to specified devices. Whether for lawful or illegitimate objectives, sniffing would be useless in this instance – thus, compelling hackers to work around the limits imposed by network switches, which necessitates active sniffing.
See More: Top 10 Best Practices for Network Monitoring in 2022
Methods Used for Packet Sniffing Attacks
When carrying out a passive sniffing attack, threat actors may employ various methods:
1. Password sniffing
Password sniffing is a type of cyber-attack that includes monitoring a victim’s connection to a remote database that they are attempting to access. This is common on public Wi-Fi networks, where it is relatively easy to snoop on unencrypted or weak communications. As the name implies, its purpose is to obtain the victim’s password. Password sniffing is a man-in-the-middle (MITM) cyberattack in which a hacker breaches the connection and then steals the user’s password.
2. TCP session hijacking
Session hijacking, also known as Transmission Control Protocol (TCP) session hijacking, takes over a web user session by secretly collecting the session ID and masquerading as the authorized user. Once the attacker has gained the user’s session ID, he or she can masquerade as that user and do anything the user is allowed to do on the network.
Session sniffing is one of the most fundamental techniques used in application-layer session hijacking. The attacker captures network information containing the session ID between a website and a client using a sniffer, such as Wireshark, or a proxy like OWASP Zed. Once the attacker has this value, they can exploit it to obtain illegal access.
3. DNS poisoning
DNS poisoning, sometimes referred to as DNS cache poisoning or DNS spoofing, is a deceptive cyberattack in which hackers redirect internet traffic to phishing websites or phony web servers. DNS poisoning is a threat to both individuals and corporations. One of the most significant problems of DNS poisoning (more specifically, DNS cache poisoning) is that once a device has been affected, addressing the issue might be difficult since the device would default to the illegitimate site.
Additionally, DNS poisoning may be difficult for consumers to detect, particularly when hackers establish a phony website that seems to be authentic. Hence, in many circ*mstances, visitors are unlikely to realise the website is a hoax and proceed to enter sensitive information, unaware that they are putting themselves and/or their companies at risk.
4. JavaScript card sniffing attacks
In a JavaScript sniffing attack, the attacker injects lines of code (i.e., a script) onto a website, which subsequently harvests personal information entered by users into online forms: generally, online store payment forms. Credit card numbers, names, addresses, passwords, and phone numbers are the most commonly targeted user data.
Foam Jacking is a sort of attack that is similar to JavaScript sniffing because it too relies on malicious JavaScript – however, it is less focused. Foam Jacking attacks target any type of information in any online form, whereas JavaScript sniffing attacks are designed specifically for online payment systems.
5. Address resolution protocol (ARP) Sniffing
ARP is a stateless protocol that converts IP addresses to machine media access control (MAC) addresses. It is used to convert addresses between different networks. To discover the MAC addresses of other computers on the network, any networked devices that need communication will broadcast ARP queries.
Poisoning of ARP (also known as “ARP spoofing,” “ARP poison routing,” and “ARP cache poisoning”) refers to the technique of delivering false ARP messages across a local area network (LAN). These attacks are designed to reroute traffic away from their intended destination and towards an attacker. The attacker’s MAC address is linked to the target’s IP address, which only works against networks that are ARP-enabled.
6. DHCP Attack
An active sniffing technique attackers use to acquire and manipulate sensitive data is called a DHCP attack. DHCP is a client/server protocol that allocates an IP address to a machine. The DHCP server provides configuration data like the default gateway and subnet mask along with the IP address. When a DHCP client device starts, it initiates broadcasting traffic, which may be intercepted and manipulated using a packet sniffing attack.
See More: Top 10 Cybersecurity Companies in 2022
Packet Sniffing Attack Examples
Let us look at five examples of how hackers can carry out a packet sniffing attack:
1. BIOPASS RAT and Cobalt Strike
In 2021, cybersecurity researchers detected a destructive operation that targeted online gambling organizations in China using a watering hole attack. It could deploy either Cobalt Strike beacons or a Python-based backdoor known as BIOPASS RAT, which had previously gone undetected. This made use of the live-streaming feature provided by Open Broadcaster Software (OBS) Studio to grab its victims’ display feeds.
The BIOPASS and Cobalt Strike attack began with a social engineering technique aimed to deceive website users into installing a loader for obsolete software. While the installer downloads the actual application, it also creates scheduled tasks in order to infect the machine with BIOPASS RAT malware.
2. Packet-sniffing as a technique for hacking Wi-Fi networks
Compromising WPA/WPA2 encryption protocols was time-consuming. It involved waiting for a legitimate user to log into the secure network and physically positioning oneself to use an over-the-air tool to intercept the information sent between the client-server and Wi-Fi router during the four-way handshake process used for authorization. When a user connects to an access point using a WPA/WPA2-secured router, this handshake confirms the pairwise master key identifier (PMKID).
A novel packet sniffing approach, on the other hand, enables an attacker to retrieve the PMKID from the router instantaneously. This occurs without the need to wait for a user to log in or for the user to gain visibility into the four-way handshake to complete. This new cracking technique only works on WPA and WPA2-secured routers that use 802.11i/p/q/r protocols and have roaming features based on PMKID. Kismet and CommView are examples of packet sniffers that threat actors may use for such attacks.
3. The history-sniffing attack
In a 2018 paper titled “Browser history re:visited,” researchers demonstrated two unpatched flaws that website owners can use to track millions of visitors. The vulnerabilities allow websites to construct a list of previously visited domains even after users have cleared their browsing history and tag visitors with a tracking cookie that will survive even after users have deleted all standard cookies. Ironically, the tactics exploited the recently implemented security functions in Google Chrome and Mozilla Firefox. While these attacks were limited to these two browsers, they may eventually make their way into other mainstream browsers.
4. Password sniffing cyberattack
In 2017, FireEye, a security consulting firm, discovered a phishing-based cyber campaign by Russian-based APT28 hackers targeting hotel guests in Europe and the Middle East. The attack involves using an infected document, Wi-Fi sniffing, and the EternalBlue exploit – a computer vulnerability developed by the United States National Security Agency that refers to a variety of Microsoft Software vulnerabilities.
This exploit was also utilised in the WannaCry ransomware attack in the same year. When a user opens the infected document, a macro is launched, releasing code that infiltrates the hotel’s network. It then uses EternalBlue to traverse networks, impersonating sites visited by the victim to capture usernames and passwords.
5. Heartland Payment Systems security breach
Another notable sniffing attack occurred in 2009, when Heartland Payment Systems experienced a security breach, allowing sniffers access to credit cardholder data. The online payment processing corporation was fined $12.6 million for failing to protect customers from the sniffing attack adequately.
See More: What Is a Man-in-the-Middle Attack? Definition, Detection, and Prevention Best Practices for 2022
Packet Sniffing Attack Prevention Best Practices for 2022
Unfortunately, packet sniffing attacks are relatively common since hackers may use widely available network packet analyzers to engineer these attacks. However, there are some precautions you may take in 2022 to guard against this sort of threat:
1. Avoid using unsecured networks
Since an unsecured network lacks firewall protection and anti-virus software, the information carried across the network is unencrypted and easy to access. Sniffing attacks can be launched when users expose their devices to unsecured Wi-Fi networks. Attackers utilize such insecure networks to install packet sniffers, which intercept and read any data transferred across that network. In addition, an attacker can monitor network traffic by building a fake “free” public Wi-Fi network.
2. Leverage a VPN to encrypt your communication
Encryption improves security by making it more difficult for hackers to decrypt packet data. Encrypting all incoming and outgoing communication before sharing it via a virtual private network (VP is an efficient approach to prevent sniffer attempts. A VPN is a type of tech that encrypts all network traffic. Anyone spying on or sniffing on individuals would be unable to see the websites visited or the information they transmit and receive.
3. Regularly monitor and scan enterprise networks
Network administrators should secure their networks by scanning and monitoring them using bandwidth monitoring or device auditing to optimize the network environment and detect sniffing attacks. They can leverage network mapping tools, network behavior anomaly detection tools, traffic analysis tools, and other aids.
Alongside network monitoring, one should also use a powerful firewall. To optimize device and network security, it’s best to have a firewall running at all times. Installing a firewall has been shown to prevent big cyberattacks as they typically prevent sniffing attempts aimed at the computer system from accessing the network or files.
4. Adopt a sniffer detection application
A sniffer detection application is purpose-built to detect and preempt a sniffing attack before it can cause any damage. Some of the popular apps one can explore include:
- Anti-Sniff: Anti Sniff is a program by L0pht Heavy Industries. It can monitor a network and detect whether or not a PC is in promiscuous mode.
- Neped: It discovers promiscuous network cards on the network by exploiting a weakness in the ARP protocol as implemented on Linux PCs.
- ARP Watch: ARPWatch monitors Ethernet/IP address pairings. This is important if users suspect they are getting ARP-spoofed.
- Snort: Snort is a fantastic Intrusion Detection System, and one may use its ARP-spoof version to detect occurrences of ARP spoofing.
See More: What Is Zero Trust Security? Definition, Model, Framework and Vendors
5. Before browsing online, look for secure HTTPS protocols
Encrypted websites begin with “HTTPS” (which stands for hypertext transfer protocol secure), indicating that user activity on those websites is safe. Websites that start with “HTTP”,can’t offer the same level of protection. The “s” in “HTTPS” stands for secure and indicates that it’s utilising a secure sockets layer (SSL) connection. This ensures that the data is encrypted before being sent to a server. Thus, it is best to browse websites that begin with “HTTPS” to avoid packet sniffing.
6. Strengthen your defenses at the endpoint level
Laptops, PCs, and mobile devices are linked to corporate networks, and these endpoints could allow security threats like packet sniffers to penetrate. Such approaches necessitate the use of endpoint security software. Also, a strong antivirus program can keep malware from infiltrating a machine by detecting anything that shouldn’t be on one’s computer, such as a sniffer. Apart from that, it can also assist the user in removing it.
Internet security suites are another solution that provides core antivirus protection to your devices. Furthermore, the best suites include extra tools and features that are not available in essential tools, such as an integrated VPN, password manager, rescue disks, secure file vaults for your critical data, and a secure browser for online banking and shopping.
7. Implement an intrusion detection system
An intrusion detection system (IDS) is software that evaluates network traffic for all unexpected activities, with an alerting mechanism for potential intruders. It is a software program that analyses a network or system for malicious activities or policy violations. Any potentially harmful activity or breach usually is reported to an administrator or centralized via a security information and event management (SIEM) system. IDS scans the network for ARP spoofing and captures packets on networks that use faked ARP addresses.
See More: What Is Intrusion Detection and Prevention System? Definition, Examples, Techniques, and Best Practices
Takeaways
In a world where we are becoming more reliant on networked technology to perform personal and professional activities, sniffing represents a grave danger. It allows hackers to gain access to data traffic passing through a network – and with so much confidential information shared over the internet, it is vital to protect against packet sniffing attacks. Sophisticated sniffers may even break into Internet of Things (IoT) devices, which can compromise large and connected enterprises.
The best defense against packet sniffing is regularly monitoring of the network landscape, keeping an eye out for unusual behavior or anomalies. Advanced artificial intelligence can detect even the slightest change in network behavior, which IT administrators can immediately address.
Did this article help you understand how packet sniffing works? Tell us on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We’d love to hear from you!
MORE ON SECURITY
- 10 Best Data Loss Prevention (DLP) Tools for 2021
- Top 10 Open Source Cybersecurity Tools for Businesses in 2022
- Top 11 Malware Scanners and Removers in 2021
- Top 10 Endpoint Detection and Response Tools in 2022
- 10 Best Password Managers for 2021
