Secure Digital Life #35
Recorded October 3, 2017 at G-Unit Studios in Rhode Island!
I love the smell of TCP in the morning...
- What is Packet Sniffing? -- Basically, it means capturing the packets going by on the wire so you can read or analyze them
- What about Snorting/Snarfing -- Same idea, but from WIFI, which is a lot easier because every station in range hears every frame on the shared medium
- Why? -- Well, packets contain both headers and data payloads, and both carry a LOT of information: who is talking to whom, on which ports, and what they are saying
- In the Clear (ASCII) -- means the header or data is unencrypted and readable as-is, so from a capture you could literally reconstruct usernames and passwords
- Well, you need a NIC that can enter promiscuous mode (that means it hands up every frame it sees, not just the ones addressed to its own MAC). Most any wired NIC will do; on WIFI the equivalent is monitor mode, which fewer adapters support
- On WIFI, this is particularly easy since everyone is just broadcasting everything over the air. Caveat: on an open network it is all readable as captured; on a WPA2 network you also need the pre-shared key and the client's 4-way handshake before the capture decrypts
- On a switched network, the switch only forwards a frame to the port that owns its destination MAC, so you would need to either mirror traffic (a SPAN/mirror port) to a port you control or have access to a device that is seeing all the traffic (a hub, or the router/firewall itself). (Describe the hub insert tactic)
In the old days, you had to roll your own analysis script that looked for certain things:
- DEST PORT 23 == Telnet, carries the username and password, all sent in the clear, one keystroke at a time
- DEST PORT 25 == SMTP, often carries a username and password (AUTH LOGIN / AUTH PLAIN); they are base64-encoded, which is encoding, not encryption, so they are effectively in the clear
- DEST PORT 80 == HTTP, may contain unencrypted data: Basic-auth headers, login forms, session cookies
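To show what such a roll-your-own script looks like, here is an added example (it is not from the episode and not dsniff or any other tool's code): a pure-Python parser for raw Ethernet/IPv4/TCP frames plus a classifier for the three ports listed above. It goes slightly beyond the list by actually decoding the base64 in SMTP AUTH and HTTP Basic headers, to make the "encoding is not encryption" point concrete. The frames it runs over are constructed inside the script, not captured traffic; the IP addresses, hostnames and credentials are made up.

```python
# Added example: a roll-your-own sniffer-analysis script. Frames, addresses
# and credentials below are constructed for offline testing, not captured traffic.
import base64, binascii, ipaddress, re, struct
from typing import Iterable, List, NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame; checksums stay 0 since nothing here verifies them."""
    eth = bytes(12) + b"\x08\x00"  # zero dst/src MACs, EtherType 0x0800 (IPv4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK
    return eth + ip + tcp + payload

def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet -> IPv4 -> TCP; anything else (ARP, IPv6, UDP, truncated) yields None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < total_len or total_len < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return Packet(str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20])),
                  sport, dport, tcp[(tcp[12] >> 4) * 4:])

B64_LINE = re.compile(rb"^[A-Za-z0-9+/]{4,}={0,2}$")
HTTP_BASIC = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
FORM_FIELD = re.compile(rb"(?:^|&)(user(?:name)?|login|pass(?:word|wd)?)=([^&\r\n]*)", re.I)

def _b64(token: bytes) -> Optional[bytes]:
    """base64 is encoding, not encryption: decode it if well-formed, else None."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None

def inspect_packet(pkt: Packet) -> List[str]:
    """Findings for one client->server segment on a cleartext port (23, 25, 80)."""
    where = f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
    found: List[str] = []
    if pkt.dport == 23:
        # Telnet: whatever the client types (login, then password) crosses the wire as-is.
        typed = bytes(b for b in pkt.payload if 32 <= b < 127 or b in b"\r\n")
        if typed.strip():
            found.append(f"telnet {where}: client typed {typed.decode()!r}")
    elif pkt.dport == 25:
        for line in pkt.payload.splitlines():
            if line.upper().startswith(b"AUTH PLAIN "):
                creds = _b64(line[11:])
                if creds and creds.count(b"\0") >= 2:  # authzid \0 authcid \0 password
                    _, user, password = creds.split(b"\0", 2)
                    found.append(f"smtp {where}: AUTH PLAIN user={user.decode()!r} "
                                 f"password={password.decode()!r}")
            elif B64_LINE.match(line):
                # A bare base64 line is the client's reply to an AUTH LOGIN "334" challenge;
                # the printable check drops 4-letter verbs (QUIT, RSET) that decode to junk.
                decoded = _b64(line)
                if decoded and decoded.isascii() and decoded.decode().isprintable():
                    found.append(f"smtp {where}: AUTH LOGIN response {decoded.decode()!r}")
    elif pkt.dport == 80:
        head, _, body = pkt.payload.partition(b"\r\n\r\n")
        m = HTTP_BASIC.search(head)
        if m and (creds := _b64(m.group(1))):
            found.append(f"http {where}: Basic auth {creds.decode(errors='replace')!r}")
        fields = {k.decode().lower(): v.decode(errors="replace") for k, v in FORM_FIELD.findall(body)}
        if fields:
            found.append(f"http {where}: form fields {fields}")
    return found

def analyze(frames: Iterable[bytes]) -> List[str]:
    """Run the classifier over raw frames, skipping anything that is not IPv4/TCP."""
    findings: List[str] = []
    for pkt in map(parse_frame, frames):
        if pkt is not None:
            findings.extend(inspect_packet(pkt))
    return findings

# Constructed sample capture: Telnet login, SMTP AUTH PLAIN and AUTH LOGIN, an HTTP form
# login with a Basic header, and one TLS record on 443 that stays opaque to the sniffer.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 40001, 23, b"admin\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40001, 23, b"hunter2\r\n"),
    build_frame("10.0.0.5", "10.0.0.25", 40002, 25,
                b"AUTH PLAIN " + base64.b64encode(b"\0alice\0hunter2") + b"\r\n"),
    build_frame("10.0.0.5", "10.0.0.25", 40003, 25, base64.b64encode(b"bob") + b"\r\n"),
    build_frame("10.0.0.5", "10.0.0.80", 40004, 80,
                b"POST /login HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
                + base64.b64encode(b"carol:s3cret") + b"\r\n\r\nuser=carol&pass=s3cret"),
    build_frame("10.0.0.5", "10.0.1.1", 40005, 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FRAMES):
        print(finding)
```

Run it with python3 and it prints six findings for the five cleartext segments and nothing for the TLS one, which is the whole argument for encryption in one screen. To point it at real traffic, feed analyze() frames read from a pcap file or from an AF_PACKET raw socket on a NIC in promiscuous mode; the parser deliberately ignores checksums and anything that is not IPv4/TCP, so it is a teaching tool, not a replacement for Wireshark's dissectors.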
Later programs like DSNIFF (monkey.org) started automating this process for script kiddies. Today, Wireshark and commercial products are widely available to grab traffic and analyze it. Packet sniffing is the basis for IDS, IPS, and pretty much all types of protocol analysis in a network.
- Critical point: If you sniff from your own machine on a switched network, you will only see your own traffic plus broadcasts; to see other hosts you need the mirror port or the hub described above.
- A "free wifi" access point is put up in a hotel room. Every guest who joins it routes through the attacker's box, so all traffic through that node can be sniffed easily.
- A hub is placed inline in front of a switch in a hotel, with a laptop plugged into a spare hub port over a cable run through the ceiling; the hub repeats every frame to every port, so the laptop sees it all.
So, isn't this illegal?
- Yes, capturing other people's traffic without authorization is. But you can sniff your own network to see what is going on in it.
- That raises the question of where to sniff. The best spot is just inside the border, on the firewall's inside interface or a mirror of it, where everything entering and leaving passes by. It smells like cinnamon.
Next Week, Wireshark Demo 1