Hey Hackers!!
Today we will be discussing Network Sniffing, aka eavesdropping: a type of attack in which the attacker captures packets crossing a wired or wireless network. The intention is to capture unencrypted traffic, such as FTP, SMTP and HTTP.
Types of Sniffing
Sniffing can primarily be divided into two main categories.
- Active Sniffing.
- Passive Sniffing.
Active Sniffing
It is a type of attack in which we directly interact with the target by sending packets and requests. ARP poisoning and MAC flooding are the two main attacks performed.
Passive Sniffing
It is a type of attack in which we don't interact with the target; we stay in the middle, monitor the traffic, capture it and analyze the flow instead of altering the packets in the communication.
Understanding ARP
ARP (Address Resolution Protocol) is the protocol responsible for resolving an IP address to a MAC address. Any piece of hardware that connects to the Internet has a unique MAC address associated with it.
WORKING
As you can see in the picture above, "Host A" has an IP of 192.168.1.2 and "Host B" has an IP of 192.168.1.3. Both machines are part of a switch-based network, so in order to communicate on the local segment Host A needs the MAC address of Host B.
Host A will look inside its ARP cache to see if an entry for Host B's IP address is present in the ARP table. If it is not present, Host A will send an ARP broadcast packet to every device on the network asking "Who has Host B's IP address?"
Once Host B receives the ARP request, it will send an ARP reply telling Host A "I am Host B and here is my MAC address." The MAC address is then saved in the ARP table. An ARP cache contains a list of the IP and MAC addresses of every host we have communicated with.
Now that we know how ARP works, let's perform an ARP poisoning attack.
The ARP Poisoning Attack
For the attack, I have a Linux machine with an IP of 192.168.2.207, a victim running Windows 10 with an IP of 192.168.2.24, and my router acting as the gateway at 192.168.2.1.
Before we perform a man-in-the-middle attack, we need to enable IP forwarding so that the intercepted traffic is forwarded on to its destination. To enable it, we use the following command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Now that we have enabled IP forwarding, we need to note the following information to start the attack: the victim's IP, the default gateway and the attacker's IP.
We also record the MAC addresses of the victim and the router before poisoning, so we can compare them afterwards.
Let's invoke arpspoof and start poisoning.
The basic syntax for arpspoof is as follows:
arpspoof -i [Interface] -t [Target Host] [Host]
In this case, our interface is "eth0", and our targets are 192.168.2.1 (gateway) and 192.168.2.24 (victim). So our command would be as follows:
arpspoof -i eth0 -t 192.168.2.24 192.168.2.1
We also need to issue the same command in the reverse direction, because once we are in the middle we need to send ARP replies both ways.
arpspoof -i eth0 -t 192.168.2.1 192.168.2.24
It should look like the image below.
Take some time to review your output and try to comprehend what is happening. Now let's check the MAC addresses after poisoning.
To confirm success I used Wireshark to check what is crawling through the network, and I can see my spoofing went well, as my MAC address is now associated with both the router's and the victim's IP.
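The same symptom that confirms the attack in Wireshark (one MAC answering for both the gateway and the victim, and the gateway's MAC changing) is exactly what a defender can alert on. The script below is an added example, not part of the original post: it parses ARP replies in the style of `tcpdump -n arp` output and replays them against a shadow ARP cache; the capture lines and MAC addresses are constructed, the IPs are the ones used above.

```python
"""ARP poisoning detector: replay ARP replies against a shadow ARP cache.

Added example, not part of the original post. The capture lines and MAC
addresses are constructed; the IPs are the ones the post uses.
"""
import re
from collections import defaultdict

# Constructed lines in the style of `tcpdump -n arp` output.
SAMPLE_CAPTURE = """\
10:00:01.000001 ARP, Request who-has 192.168.2.1 tell 192.168.2.24, length 28
10:00:01.000200 ARP, Reply 192.168.2.1 is-at aa:aa:aa:aa:aa:01, length 28
10:00:01.000300 ARP, Reply 192.168.2.24 is-at bb:bb:bb:bb:bb:24, length 28
10:00:02.000000 ARP, Reply 192.168.2.207 is-at cc:cc:cc:cc:cc:07, length 28
10:00:05.000000 ARP, Reply 192.168.2.1 is-at cc:cc:cc:cc:cc:07, length 28
10:00:05.000100 ARP, Reply 192.168.2.24 is-at cc:cc:cc:cc:cc:07, length 28
"""

REPLY_RE = re.compile(r"Reply (\S+) is-at ([0-9a-fA-F:]{17})")


def parse_arp_replies(text):
    """Extract (ip, mac) pairs from ARP reply lines; requests are ignored."""
    return [(m.group(1), m.group(2).lower()) for m in REPLY_RE.finditer(text)]


def detect_arp_spoof(replies):
    """Replay replies against a shadow ARP cache and return a list of alerts.

    Two symptoms of the attack in the post are flagged:
      MAC_CHANGED - an IP now resolves to a different MAC than first learned
      MULTI_IP    - one MAC answers for several IPs (posing as both ends)
    """
    cache = {}                  # ip -> mac first learned (the shadow ARP table)
    claimed = defaultdict(set)  # mac -> set of ips it has answered for
    alerts = []
    for ip, mac in replies:
        first = cache.setdefault(ip, mac)
        if first != mac:
            alerts.append(("MAC_CHANGED", ip, first, mac))
        if ip not in claimed[mac]:
            claimed[mac].add(ip)
            if len(claimed[mac]) > 1:
                alerts.append(("MULTI_IP", mac, tuple(sorted(claimed[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(parse_arp_replies(SAMPLE_CAPTURE)):
        print(*alert)
```

On a real network, feed it the output of `tcpdump -n -l arp` on a monitoring port; static ARP entries for the gateway and Dynamic ARP Inspection on the switch are the usual mitigations.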
MITM attacks can cause a lot of damage when it comes to credential harvesting, stealing session cookies, DNS spoofing and many more, though encrypted traffic is safe as the attacker cannot read the packets. However, with extra effort, we can also sniff traffic from protocols that use encrypted communications.
Happy Hacking!!!