Eavesdropping: A General Walkthrough

Sniffing or Eavesdropping pertains to the act of acquiring or intercepting data by capturing the communication flow within a network using a packet sniffer tool. This technique involves monitoring the packets of information passing through the network, allowing unauthorized access to sensitive data, akin to theft or unauthorized interception of information.

During the transmission of data across networks, if the data packets lack encryption, they become vulnerable to interception, enabling unauthorized parties to read the contents of these network packets with the use of a sniffer. In essence, the absence of encryption exposes the data, making it susceptible to eavesdropping, where the network traffic can be captured and analyzed, potentially leading to a compromise of sensitive information.

In the context of a sniffing or eavesdropping attack, cybercriminals have the capability to illicitly acquire any information that victims transmit across the network, granted that the data is not encrypted. The range of information at risk encompasses critical elements such as passwords, usernames, financial details, and various credentials. By exploiting the lack of encryption, attackers can intercept and analyze the unsecured network traffic, thus gaining unauthorized access to sensitive personal and financial data, potentially leading to severe consequences for the affected individuals.

Let’s delve into the two major categories of Sniffing/Eavesdropping attacks.

Active and Passive Sniffing attacks are two distinct categories of network sniffing techniques used by attackers to intercept and analyze data traffic.

1. PASSIVE SNIFFING

• Passive Sniffing is performed through a Hub which is difficult to detect.
• It involves silently capturing and monitoring network traffic without altering or modifying the data being transmitted.
• The attacker’s presence is relatively discreet, as they do not actively participate in the communication process. They just observe the data that flows through the network, looking for sensitive/crucial information that is not encrypted.
• The attacker can thus capture the sensitive data such as usernames, passwords, emails and other sensitive information.
• An essential point to consider is that passive sniffing operates discreetly without interrupting the normal data flow, making detection challenging and facilitating the attacker’s covert acquisition of information.

2. ACTIVE SNIFFING

• Active Sniffing is performed through a Switch and it is easy to detect.
• It involves more direct interaction with the network traffic. Instead of just observing and capturing data, the attacker actively injects or modifies packets within the communication flow. This type of sniffing attack is more intrusive and can be more damaging to the network and its users.
• Active sniffing attacks can lead to more severe security breaches and disruptions. Attackers can redirect users to malicious websites, steal sensitive information, alter communication contents, and even perform session hijacking to gain unauthorized access to user accounts.

TOOLS USED FOR SNIFFING

• Wireshark

Wireshark is one of the most popular and widely used packet sniffing and network analysis tools. It is an open-source software (previously known as Ethereal) that allows users to capture and inspect network packets in real-time. Wireshark supports various platforms, including Windows, macOS, and Linux, making it accessible to a broad user base.

• Snort

Snort is a powerful and widely used open-source intrusion detection and prevention system (IDS/IPS) that is renowned for its effectiveness in network security. Snort has become a popular choice for detecting and mitigating various types of network-based threats. It is well-regarded for its flexibility, extensibility, and community-driven development.

• WinDump

Windump, also known as “WinDump,” is a packet sniffing and network analysis tool for Windows operating systems. It is the Windows port of the popular Unix-based packet capture tool “tcpdump.” Like tcpdump, Windump allows users to capture and analyze network packets in real-time, providing valuable insights into network traffic.

• Bettercap

Bettercap is a powerful, modern, and extensible network attack and monitoring framework primarily designed for network penetration testing and security assessments. It is a successor to the popular Ettercap project, offering an improved set of features and capabilities. Bettercap is open-source and supports multiple platforms, including Linux, macOS, and Windows.

• Mitmproxy

Mitmproxy (short for Man-in-the-Middle proxy) is an open-source interactive HTTPS proxy used for intercepting, inspecting, modifying, and replaying web traffic. It is primarily designed for security testing, debugging, and analyzing HTTP(S) traffic. Mitmproxy is available for multiple platforms, including Linux, macOS, and Windows.

• netsniff-ng

netsniff-ng (short for “network sniffer next generation”) is a high-performance, Linux-based packet sniffing and analysis tool designed for capturing and processing network traffic. It is an evolution of the original “netsniff” tool, featuring improved capabilities, performance, and support for modern networking technologies. netsniff-ng is open-source and supports various Linux platforms.

Let’s explore further and attempt to capture login credentials through an Eavesdropping attack using Wireshark.

Launch the Wireshark software on your computer and choose the ‘eth0’ option

After selecting ‘eth0’, the packets captured by this interface will appear on the screen.

Now, within your web browser, we will input the URL we want to capture login credentials from. The URL we’ll be using for this demonstration is http://testphp.vulnweb.com/login.php. Please note that this is a PHP application deliberately designed to be vulnerable to web attacks, making it suitable for testing various tools and honing manual hacking skills.

Next, input the login credentials, which are ‘test’, and then click on the login button.

Proceed to Wireshark and click on the stop button. This action will halt Wireshark from capturing any further network packets.

As HTTP is utilized by http://testphp.vulnweb.com/login.php, we will apply a filter.

After entering ‘http’ in the filter section, the captured packets using the HTTP protocol will be shown.

At this point, perform a right-click and choose ‘Follow’ to access additional options, then select ‘http stream’ from the available choices.

Explore the provided information, and you will uncover the login credentials.

Preventing sniffing attacks involves implementing various security measures to protect sensitive information from being captured and analyzed by unauthorized individuals. Here are some key steps to help prevent sniffing attacks:

1. Encryption: Implement strong encryption protocols such as SSL/TLS to protect data while it travels over the network. This makes it difficult for attackers to interpret the intercepted data even if they manage to capture it.
2. Virtual Private Network (VPN): Use VPNs to create secure and encrypted tunnels for data transmission, making it difficult for attackers to sniff the data flowing through the network.
3. Network Segmentation: Segment your network into separate subnets or VLANs to restrict access to sensitive information. This helps contain the impact of any potential sniffing attempts.
4. Use WPA2/WPA3 for Wi-Fi: Secure your wireless networks using the latest WPA2 (Wi-Fi Protected Access 2) or WPA3 protocols, as they provide better security against sniffing attacks compared to older protocols like WEP (Wired Equivalent Privacy).
5. Network Monitoring and Intrusion Detection: Employ network monitoring tools and intrusion detection systems to detect and alert you of any suspicious activities, including sniffing attempts.
6. MAC Address Filtering: Use MAC address filtering to allow only authorized devices to connect to your network. However, keep in mind that MAC addresses can be spoofed, so this should not be relied upon as the sole security measure.
7. Disable Unnecessary Services: Disable unused network services and ports to reduce the potential attack surface and limit the opportunities for sniffing.

In conclusion, eavesdropping attacks pose a significant threat to the security and privacy of sensitive information transmitted over networks. These attacks involve malicious actors intercepting and analyzing data packets, potentially leading to the exposure of confidential data, login credentials, or other sensitive information. To safeguard against eavesdropping, implementing robust encryption protocols, such as SSL/TLS, using secure VPNs, and employing network segmentation, are crucial steps. Regular monitoring and intrusion detection can help in detecting and mitigating eavesdropping attempts.