SDL Episode35

From Security Weekly Wiki
Jump to navigationJump to search

Secure Digital Life #35

Recorded October 3, 2017 at G-Unit Studios in Rhode Island!

Episode Audio

Coming Soon!


  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
  • Russell Beauchemin
    Cybersecurity & Network Security Program Advisor and Director of Instructional Support & Learning Innovation at Roger Williams University.
  • Packet Sniffing

    I love the smell of TCP in the morning...

    1. What is Packet Sniffing? -- Basically, it means to capture packets off of the wire
    2. What about Snorting/Snarfing -- Same thing but from WIFI which is a lot easier
    3. Why? -- Well, packets contain both header and data payloads all of which contain a LOT of information

    In the Clear (ASCII) -- means the data or header is visible to the naked eye so you could literally reconstruct usernames and passwords

    So, how?

    • Well, you need a NIC that can enter promiscuous mode (that means it listens). Most any will do
    • On WIFI, this is particularly easy since everyone is just broadcasting everything
    • On a switched network, you would need to either mirror traffic to a port you control or have access to a device that is seeing all the traffic (hub). (Describe the hub insert tactic)

    In the old days, you had to roll your own analysis script which looks for certain things:

    • DEST PORT 23 == Telnet, has a username and password, all sent in the clear
    • DEST PORT 25 == SMTP, often has a username and password, all sent in the clear
    • http PORT 80 == may contain unencrypted data

    Later programs like DSNIFF ( started automating this process for script kiddies. Today, Wireshark and commercial products are widely available to grab traffic and analyze it. Packet sniffing is the basis for IDS, IPS, and pretty much all types of protocol analysis in a network.

    • Critical point: If you are sniffing locally, you will only see your traffic on a switched network.


      1. A "free wifi" node is put up in a hotel room. All traffic through that node can be sniffed easily.
      2. A hub is placed in front of a switch in a hotel which is connected to a laptop over the ceiling

    So, isn't this illegal?

    • Yes. But you can sniff yourself to see what is going on in your network.

    Sensor placement:

    • This means where do you sniff? Best spot is just inside the border, it smells like cinnamon.

    Next Week, Wireshark Demo 1