Chapter 9
Sniffers

CEH EXAM OBJECTIVES COVERED IN THIS CHAPTER:

1. II. Analysis/Assessment
   • A. Data analysis
2. IV. Tools/Systems/Programs
   • B. Network/wireless sniffers (e.g., Wireshark, Airsnort)

Sniffing allows you to see all sorts of traffic, both protected and unprotected. In the right conditions and with the right protocols in place, an attacking party may be able to gather information that can be used for further attacks or to cause other issues for the network or system owner.

Once you have gotten to the point of sniffing, it is possible to move on to other types of attacks, including session hijacking, man-in-the-middle, and denial-of-service attacks. Taking over authenticated sessions, manipulating data, and executing commands are within the realm of possibility once sniffing can be performed. Of course before we get to these attacks, you must learn about sniffing and how sniffers work.

---

In this chapter we spend a lot of time working with network sniffers. Sniffers are not a hacking tool; they are a completely valid and extremely useful tool for diagnosing a network’s functioning at a very low level. Over the years sniffers have proven their worth time and time again to network administrators who need to solve problems that cannot be viewed or analyzed easily or at all using other tools.

---

Understanding Sniffers

Sniffers are utilities that you, as an ethical hacker, can use to capture and scan traffic moving across a network. Sniffers are a broad category that encompasses any utility that has the ability to perform a packet-capturing function. Regardless of the build, sniffers perform their traffic-capturing function by enabling promiscuous mode on the connected network interface, thereby allowing the capture of all traffic, whether or not that traffic is intended for them. Once an interface enters promiscuous mode, it doesn’t discriminate between traffic that is destined for its address; it picks up all traffic on the wire, thereby allowing you to capture and investigate every packet.

Sniffing can be active or passive in nature. Typically, passive sniffing is considered to be any type of sniffing where traffic is looked at but not altered in any way. In active sniffing, not only is traffic monitored, but it may also be altered in some way as determined by the attacking party. Know the difference for your exam.

---

When on a switched network, your traffic capture is limited to the segment you are connected to regardless of the mode of your interface card. We’ll discuss this in more detail later. For now, just remember that for your sniffer to be effective your interface card must be in promiscuous mode.

---

Most sniffer utilities have basic options that are fairly consistent across the gamut of versions. This consistency holds true regardless of whether it’s a Linux-based utility or a Windows version. We’ll dig more into types and specifics later, but first let’s look at the commonalities. On most sniffers a main pane displays the incoming packets and highlights or lists them accordingly. It is usually linear in its listing unless you specify otherwise via filters or other options. Additionally, there is commonly a subpanel that allows an in-depth view of the packet selected. It’s important to be familiar with your sniffer of choice as it will save you a lot of time and frustration in the long run. Also, having a good grasp of a sniffer’s basic functions will allow you to use many different sniffers without too many problems. So, from here, a sniffer usually has an interface selection or activation option that begins the capture phase.

---

Pop quiz: What happens when the capture button is activated? You got it! The NIC switches to promiscuous mode!

---

Once you choose the capture button, you should see packets populating your capture pane; if not, check your network interface selection. All sniffers give you the ability to select from all available interfaces on your computer. You can easily choose a disconnected interface and sit there irritated because your sniffer isn’t working. Just double-check and you’ll be happily rewarded with real-time traffic!

---

Use that save capture function! Real-time capture and analysis is impressive and flashy, but it’s also an immense pain in the butt! Also keep in mind that the exam offers you four hours to mull over those 150 questions, and there are no live streaming feeds to anxiously digest. Take one packet at a time and make sure you understand all its pieces and parts.

---

Remember that a sniffer is not just a dumb utility that allows you to view only streaming traffic. A sniffer is a robust set of tools that can give you an extremely in depth and granular view of what your (or their) network is doing from the inside out. That being said, if you really want to extrapolate all the juicy tidbits and clues of each packet, save the capture and review it when time allows. I prefer to review my 20,000 packets of captured data at my local coffee shop with a hot vanilla latte and a blueberry scone. Make it easy on yourself; your target is not going anywhere soon.

Also, before we go too much into sniffers, it is important to mention that there are also things called hardware protocol analyzers. These devices plug into the network at the hardware level and can monitor traffic without manipulating traffic. Typically these hardware devices are not easily accessible to most ethical hackers due to their enormous cost in many cases (some devices have price tags in the six-figure range).

---

Law Enforcement Agencies and Sniffing

Lawful interception (LI) is defined as legally sanctioned access to communications network data such as telephone calls or e-mail messages. LI must always be in pursuance to a lawful authority for the purpose of analysis or evidence. Therefore, LI is a security process in which a network operator or service provider gives law enforcement officials permission to access private communications of individuals or organizations. Almost all countries have drafted and enacted laws to regulate lawful interception procedures; standardization groups are creating LI technology specifications. Usually, LI activities are taken for the purpose of infrastructure protection and cyber security. However, operators of private network infrastructures can maintain LI capabilities within their own networks as an inherent right, unless otherwise prohibited. LI was formerly known as wiretapping and has existed since the inception of electronic communications.

---

How successful sniffers are depends on the relative and inherent insecurity of certain network protocols. Protocols such as the tried and true TCP/IP were never designed with security in mind and therefore do not offer much in this area. Several protocols lend themselves to easy sniffing:

Telnet/rlogin Keystrokes, such as those including usernames and passwords, that can be easily sniffed.

HTTP Designed to send information in the clear without any protection and thus a good target for sniffing.

Simple Mail Transfer Protocol (SMTP) Commonly used in the transfer of e-mail, this protocol is efficient, but it does not include any protection against sniffing.

Network News Transfer Protocol (NNTP) All communication, including passwords and data, is sent in the clear.

Post Office Protocol (POP) Designed to retrieve e-mail from servers, this protocol does not include protection against sniffing because passwords and usernames can be intercepted.

File Transfer Protocol (FTP) A protocol designed to send and receive files; all transmissions are sent in the clear.

Internet Message Access Protocol (IMAP) Similar to SMTP in function and lack of protection.

Using a Sniffer

We touched on some of the basics of using a sniffer in the previous section, but now let’s get down and dirty. Quite a few sniffer builds are available that perform nearly identical functions. The real advantage of one over the other is the robustness of functionality in how the sniffer displays that data and what options are available to help you digest and dissect it.

---

In terms of LI, typically the sniffing process is looked at as having three components. The first component is an intercept access point (IAP) that gathers the information for the LI. The second component is a mediation device supplied by a third party that handles the bulk of the information processing. The third component is a collection function that stores and processes information intercepted by the third party.

---

Sniffing Tools

Sniffing tools are extremely common applications. A few interesting ones are:

Wireshark One of the most widely known and used packet sniffers. Offers a tremendous number of features designed to assist in the dissection and analysis of traffic.

TCPdump A well-known command-line packet analyzer. Provides the ability to intercept and observe TCP/IP and other packets during transmission over the network. Available at www.tcpdump.org.

Windump A port of the popular Linux packet sniffer TCPdump, which is a command-line tool that is great for displaying header information.

Omnipeek Manufactured by WildPackets, OmniPeek is a commercial product that is the evolution of the product EtherPeek.

Dsniff A suite of tools designed to perform sniffing with different protocols with the intent of intercepting and revealing passwords. Dsniff is designed for Unix and Linux platforms and does not have a complete equivalent on the Windows platform.

EtherApe A Linux/Unix tool designed to graphically display a system’s incoming and outgoing connections.

MSN Sniffer A sniffing utility specifically designed for sniffing traffic generated by the MSN messenger application.

NetWitness NextGen Includes a hardware-based sniffer, along with other features, designed to monitor and analyze all traffic on a network; a popular tool in use by the FBI and other law enforcement agencies.

---

The sniffing tools listed here are only a small portion of the ones available. It is worth your time to investigate some of these, or all if you have the time, to improve your skills. We will cover only Wireshark in this book because it is the recognized leader. Anything you learn with this sniffer will work with the others—it’s just a matter of learning a new interface.

---

Wireshark

As of this writing, Wireshark reigns supreme as perhaps the best sniffer on the market. Wireshark has been around for quite some time, and it has proven its worth time and time again. Wireshark is natively available on both Windows and Linux.

Sniffer builds include TCPdump, Kismet, and Ettercap, among others. A great resource for sniffers and many other security tools is www.sectools.org. All sniffers have their place in the sniffing universe, but for our purposes we will be focusing on Wireshark. Wireshark is natively available on Linux as well as Windows. First, let’s do a quick run through on Wireshark basics in Exercise 9.1.

---

You do not necessarily need to know how to run Wireshark, but you will be expected to be able to understand how a sniffer works and be able to dissect and understand captured packets. Wireshark is a de facto industry standard, so being comfortable with it will aid you in the exam and the real world.

---

---

EXERCISE 9.1: Sniffing with Wireshark

1. Make sure Wireshark is running on your BackTrack r3 client, as shown here.

   

2. Choose Capture Interfaces to open the window shown here. This step is identical on Linux and Windows versions.

   

3. Once you’ve successfully begun the capture, you’re all set to start sending your test packets across the wire. For this exercise use Telnet to send TCP traffic from a Windows 7 client to a Windows XP client.

   

   1. You have several options for generating traffic. Remember that a wireless connection (802.11) works as a hub-like environment, meaning you can capture all traffic floating in the network. Connecting to your home wireless and selecting the appropriate NIC in your sniffer will pull ample traffic for this exercise.
4. Once you have a good number of packets captured (or those specific packets you are looking for), you can stop the capture and save it for later review. Saving a capture for later investigation is a good habit to get into. It’s the same as saving any other file: Choose File Save As, and then name the file and save it to the appropriate location.
5. Next, open your saved capture and use search strings and filtering to find what you want. Opening a saved capture is just like opening any document: Choose File Open and then select the file.

---

---

In Exercise 9.1, you used Telnet but the exam will focus on your understanding of traffic flow and packet dissection. I chose client OSs at random for this exercise. Specific operating system vulnerabilities and unique identifying actions are covered in Chapter 6, “Enumeration of Services.”

---

---

Search strings in Wireshark are testable items—you will definitely see questions regarding their syntax and use. For a good resource, check out www.wireshark.org/docs.

---

As you can see from the live capture and saved capture, there’s a lot going on! One powerful feature of Wireshark is its search string and filtering capabilities. In a real-world capture, it is likely to be sniffing a connection that has a large number of attached clients. This is when search strings and filtering become a pen tester’s best friend. Table 9.1 shows common search string options for Wireshark. The CEH exam tests whether you can apply your understanding of this tool and its options.

TABLE 9.1 Wireshark filters

Operator	Function	Example
==	Equal	ip.addr == 192.168.1.2
eq	Equal	tcp.port eq 161
!=	Not equal	ip.addr != 192.168.1.2
ne	Not equal	ip.src ne 192.168.1.2
contains	Contains specified value	http contains "http://www.site.com"

Table 9.1 lists the basic filters that you will most likely use (and may see on the exam). As you review the examples used in the table, notice the structure or syntax of each statement and how it relates to what the filter is doing. To see how each of these examples maps to the syntax, refer to Table 9.2.

TABLE 9.2 Wireshark filter breakdown

Protocol	Field	Operator	Value
ip	Addr	==	192.168.1.2
tcp	port	eq	161
ip	addr	!=	192.168.1.2
ip	src	ne	192.168.1.2
http	*	contains	http://www.site.com

---

Wireshark filters can look like literal strings of code, but keep the syntax in mind and stick with what makes sense.

---

Table 9.3 covers Wireshark’s command-line interface (CLI) tools.

TABLE 9.3 Wireshark CLI tools

Command	Function
tshark	A command-line version of Wireshark (similar to TCPdump)
dumpcap	Small program with the sole intent of capturing traffic
capinfos	Reads a capture and returns statistics on that file
editcap	Edits or translates the format of capture files
mergecap	Combines multiple capture files into one
text2cap	Creates a capture file from an ASCII hexdump of packets

---

Wireshark command-line tools are important, but for the exam focus on learning the interface; memorizing the list of CLI commands is sufficient.

---

TCPdump

Now that you’ve seen the basics of how to use Wireshark, let’s move directly to getting our hands dirty with TCPdump. This utility is a command line–based sniffer that is quite robust in comparison to its GUI counterparts. TCPdump has been around for quite some time, and it was the tool of choice well before Wireshark came on the scene. TCPdump is native to Linux; the equivalent Windows tool is called Windump. In Exercise 9.2, you will use TCPdump to capture packets.

---

The following exercise is best completed using a virtual lab setup that has at least two computers linked to the same network. The operating system you use is your choice. In my lab I use a mix of Linux and Windows clients.

---

---

EXERCISE 9.2: Sniffing with TCPdump

1. First get your sniffing client ready by launching TCPdump on your BackTrack installation. If you run TCPdump without any switches or options, you can use the first or lowest numbered NIC and begin to catch traffic from that interface. This exercise works fine with the defaults. The following image shows the application up and running.

   

2. Next you need to create some traffic. There are a few ways you can do this. In this exercise you will use your Telnet client and make a connection between two Windows clients.
   1. Once the Telnet clients are talking and traffic is flowing, you can see what’s coming across the wire.

   

3. The TCPdump output in the terminal window view is fairly clear, but it’s still a little clunky to work with. Go ahead and perform the same sniffing session again, but this time save the output to a file for future reference. Note the command syntax in the following graphic; this command takes the traffic captured by TCPdump and writes it to a file named tel_capture.log.

   

4. There are a couple of ways to read the captured log file. One is with TCPdump, but let’s do it the fancy way and use Wireshark to open the capture.

   

---

---

TCPdump has a substantial number of switches and options. Just pull up the main page and you can see for yourself. For the CEH exam, focus on the common usable options, which we cover shortly.

---

---

As of this writing, the CEH exam does not have any hands-on simulations, so don’t freak out if you’re not a TCPdump or Wireshark master just yet (however, you should still practice these skills for the real world). Knowing how they work and how to read the output are the important parts. Take the time to play around with both utilities and learn all their little nuances.

---

Sniffing a network in a quiet and effective manner is an integral skill in an ethical hacker’s toolkit. Setting up the connection properly and capturing traffic successfully is extremely important, but as a hacker you must also possess the ability to dig into the packets you’ve captured. In the next section you’ll learn how to do that. The ability to read output from a sniffer is not just a CEH exam skill. It truly is one of those integral skills that every hacker must have.

Reading Sniffer Output

Remember the original Jaws movie? Remember when Hooper and Brody cut the shark open in the middle of the movie and Hooper started pulling stuff out of the stomach...yuck! So how does this relate to sniffer output? Well, the concept is very similar. When packets are captured, each one has a slew of innards that you can dissect one piece at a time. Just as Hooper digs into the open-bellied shark, you too dig through the packet innards to find those specific morsels that will tell you what you need to know. The point here isn’t movie trivia (although I love killer shark flicks); the point you should take away from this is that each packet captured really does have an immense amount of data that you can use for reconnaissance or setting up future attacks. It’s even extremely useful as a legitimate troubleshooting tool. Figure 9.1 shows a captured packet of a basic TCP handshake. Can you find the basic three-way handshake steps?

FIGURE 9.1 TCP three-way handshake packet

Lines 2, 3, and 4 in Figure 9.1 are the SYN, SYN-ACK, and ACK that we discussed in Chapter 2, “System Fundamentals.”

---

Pay close attention to the pieces of a captured packet, and ensure that you can convert hex and apply that conversion to the binary scale for octet recognition. This skill is critical for eliminating at least two of the possible answers to a question.

---

Packet sniffing and its interpretation can be likened to an art. There are some people who can think like a computer, take one glance at a packet, and tell you everything you ever wanted to know about where it’s going and what’s it doing. This is not your goal, nor are you expected to be able to do this for the CEH exam. As ethical hackers, we are methodical, deliberate, patient, and persistent. This applies to reading packet captures as well. In Exercise 9.3 you will step through a captured packet bit by bit. This skill will prove invaluable not just for the exam, but also for protecting your own network through traffic analysis.

---

In Exercise 9.3 you will use Wireshark because it lets you read dissected packets easily. On the CEH exam and in the real world, the output style may be slightly different, but the pieces are essentially the same.

---

---

EXERCISE 9.3: Understanding Packet Analysis

1. From your Wireshark installation on BackTrack, you’re going to pull up the saved capture from Exercise 9.1. Open the file using the Wireshark File menu and select tel_capture.log. The log should look familiar.

   

2. Check the two bottom panes of the Wireshark display, where all the packet details are available for review. Notice the highlighted portion in the bottom pane when you select an item from the middle pane.

   

3. Select the TCP portion of the packet in the middle pane.

   

4. Now take this one step further and apply your knowledge of hexadecimal while taking advantage of Wireshark’s packet breakdown display. In the following graphic, I have expanded the IP portion of the packet. Looking at the bottom pane of the Wireshark display, notice that the hex number highlighted (c0 a8 01 02) is the same as the decimal highlighted source IP (192.168.1.2) in the middle pane. Pretty cool, huh? So what you’ve accomplished here is to relate something fairly clear cut—a source IP address—to something not so clear—the hex guts of a packet.

   

---

---

The CEH exam will expect you to know how to identify packet details such as hexadecimal IP addresses, at least on paper. Remember, in a test environment if you can determine the first octet and eliminate one or more of the possible answers, do it! If you are rusty on breaking down IP addresses into hex, refer to Chapter 2 and practice until you feel comfortable with the process.

---

Switched Network Sniffing

Switched networks present an inherent initial challenge to sniffing a network in its entirety. A wired switch doesn’t allow you to sniff the whole network. As you saw in Chapter 2, each switchport is a collision domain, so traffic within the switch doesn’t travel between ports.

Okay, enough switch talk. Your goal is to be able to sniff the network portions you want to at will. To achieve this you can use the various techniques that we’ll explore in this section.

MAC Flooding

One of the most common methods for enabling sniffing on a switch is to turn it into a device that does allow sniffing. Because a switch keeps traffic separate to each switchport (collision domain), you want to convert it into a hub-like environment. A switch keeps track of MAC addresses received by writing them to a content addressable memory (CAM) table. If a switch is flooded with MAC addresses, it may easily overwhelm the switch’s ability to write to its own CAM table. This in turn makes the switch fall into a giant hub. There are a few utilities available to accomplish this technique. One common Linux utility is Macof. Check out Figure 9.2 to see Macof in action.

FIGURE 9.2 Macof MAC flood

---

What is a CAM Table

All CAM tables have a fixed size in which to store information. A CAM table will store information such as the MAC address of each client, the port they are attached to, and any virtual local area network (VLAN) information required. In normal operation, a CAM table will be used by the switch to help get traffic to its destination, but when it is full something else can happen.

In older switches, the flooding of a switch would cause the switch to fail “open” and start to act like a hub. Once one switch was flooded and acting like a hub, the flood would spill over and affect adjacent switches.

In order for the switch to continue acting like a hub, the intruder needs to maintain the flood of MAC addresses. If the flooding stops, the time outs that are set on the switch will eventually start clearing out the CAM table entries, thus enabling the switch to return to normal operation.

It is worth noting that in newer switches this has a decreased chance of being successful.

---

Overflowing a CAM table using Ubuntu is a simple matter. The standard repositories store the tools needed for a successful attack and can be easily obtained with aptitude. To use aptitude to obtain the required tools, su to root (or sudo) and type the following to install the dsniff suite (which includes Macof):

aptitude install dsniff

Once installation is complete, at the command prompt enter the following:

macof

At this point the utility will start flooding the CAM table with invalid MAC addresses. To stop the attack, press Ctrl+Z.

ARP Poisoning

Address Resolution Protocol (ARP) poisoning attempts to contaminate a network with improper gateway mappings. As explained in Chapter 2, ARP essentially maps IP addresses to specific MAC addresses, thereby allowing switches to know the most efficient path for the data being sent. Interestingly enough, ARP traffic doesn’t have any prerequisites for its sending or receiving process; ARP broadcasts are free to roam the network at will. The attacker takes advantage of this open traffic concept by feeding these incorrect ARP mappings to the gateway itself or to the hosts of the network. Either way, the attacker is attempting to become the hub of all network traffic. Some tools you can use to ARP-poison a host are Ettercap, Cain and Abel (see Figure 9.3), and Arpspoof.

FIGURE 9.3 Cain and Abel

---

Enabling the IP DHCP Snooping feature on Cisco switches prevents ARP poisoning. Questions regarding ARP-poisoning should make you think IP DHCP Snooping. IP DHCP Snooping verifies MAC-to-IP mappings and stores valid mappings in a database. For the CEH exam, focus on what the command is and what it prevents.

---

---

Take your newly honed sniffing skills and run a sniffer on a public Wi-Fi network just for fun. Take a few minutes to watch how much ARP traffic is captured. On a public network with new machines hopping on and off, there’s usually a ton of traffic.

---

MAC Spoofing

MAC spoofing is a simple concept in which an attacker (or pen tester) changes their MAC address to the MAC address of an existing authenticated machine already on the network. The simplest example of when this strategy is employed is when a network administrator has applied port security to the switches on their network. Port security is a low-level security methodology that allows only a specific number of MAC addresses to attach to each switchport (usually one or two). If this number is exceeded (for example, if you take off the original machine and attach one or two unrecognized units), the port will usually shut down depending on the configuration applied. MAC spoofing isn’t necessarily a technique used to allow network-wide sniffing, but it does work to allow an unauthorized client onto the network without too much administrative hacking effort.

Port Mirror or SPAN Port

Another way to circumvent switches is through the use of physical means—getting physical access to the switch and using port mirroring or a Switched Port Analyzer (SPAN) port. This technique is used to send a copy of every network packet encountered on one switchport or a whole VLAN to another port where it may be monitored. This functionality is used to monitor network traffic either for diagnostic purposes or for the purpose of implementing devices such as network intrusion detection systems (NIDSs).

On the Defensive

As an ethical hacker, your work could very likely put you in a position of prevention rather than pen testing. Based on what we’ve covered so far in this chapter, what you know as an attacker can help you prevent the very techniques you employ from the outside in. Here are defenses against the attacks we just covered from a pen tester’s perspective:

• Use a hardware-switched network for the most sensitive portions of your network in an effort to isolate traffic to a single segment or collision domain.
• Implement IP DHCP Snooping on switches to prevent ARP-poisoning and spoofing attacks.
• Implement policies preventing promiscuous mode on network adapters.
• Be careful when deploying wireless access points, knowing that all traffic on the wireless network is subject to sniffing.
• Encrypt your sensitive traffic using an encrypting protocol such as SSH or IPSec.

---

Technologies such as SSL and IPSec are designed not only to keep traffic from being altered, but also to prevent prying eyes from seeing traffic they shouldn’t.

---

Here are other methods of hardening a network against sniffing:

• Static ARP entries, which consist of preconfiguring a device with the MAC addresses of devices that it will be working with ahead of time. However, this strategy does not scale well.
• Port security is used by switches that have the ability to be programmed to allow only specific MAC addresses to send and receive data on each port.
• IPv6 has security benefits and options that IPv4 does not have.
• Replacing protocols such as FTP and Telnet with SSH is an effective defense against sniffing. If SSH is not a viable solution, consider protecting older legacy protocols with IPSec.
• Virtual private networks (VPNs) can provide an effective defense against sniffing due to their encryption aspect.
• SSL is a great defense along with IPSec.

Mitigating MAC Flooding

You can mitigate the CAM table-overflow attack by configuring port security on the switch. This will allow MAC addresses to be specified on a particular switchport, or you can specify the maximum number of MAC addresses that the switchport can learn.

Cisco IOS Mitigation

Listing 9.1 shows a sample of configuration options on the Cisco IOS.

---

Listing 9.1: Configruation of a Cisco device

switch(config-if)# switchport mode access

!Set the interface mode as access!
switch(config-if)# switchport port-security

!Enable port-security on the interface!
switch(config-if)# switchport port-security mac-address { <mac_addr> | sticky }

!Enable port security on the MAC address as H.H.H or record the first MAC address connected to the interface!

switch(config-if)# switchport port-security maximum <max_addresses>

!Set maximum number of MAC addresses on the port!
switch(config-if)# switchport port-security violation { protect | restrict | shutdown }

!Protect, Restrict, or Shutdown the port.

---

Cisco recommends the shutdown option.

Juniper Mitigation

Listing 9.2 shows configuration options for Juniper.

---

Listing 9.2: Configuration Options for Juniper

root@switch# set interface { <interface> | all } mac-limit <limit> action { none | drop | log | shutdown }

# Set the maximum number of MAC addresses allowed to connect to the interface

root@switch# set interface { <interface> | all } allowed-mac <mac_address>

# Set the allowed MAC address(es) allowed to connect to the interface

---

Netgear Mitigation

Listing 9.3 shows configuration of a Netgear device.

---

Listing 9.3: Netgear options

(Config)# interface <interface>

!Enter the interface configuration mode for <interface>!
(Interface <interface>)# port-security

!Enables port-security on the interface!
(Interface <interface>)# port-security max-dynamic <maxvalue>

!Sets the maximum of dynamically locked MAC addresses allowed on a specific port!
(Interface <interface>)# port-security max-static <maxvalue>

!Sets the maximum number of statically locked MAC addresses allowed on a specific port!
(Interface <interface>)# port-security mac-address <vid> <mac-address>

!Adds a MAC address to the list of statically locked MAC addresses. <vid> = VLAN ID!
(Interface <interface>)# port-security mac-address move

!Converts dynamically locked MAC addresses to statically locked addresses!
(Interface <interface>)# snmp-server enable traps violation

!Enables the sending of new violation traps designating when a packet with a disallowed MAC address is received on a locked port!

---

---

The examples here come from official documentation from each of the vendors mentioned. Since each vendor has multiple models, the actual code will change on a model-by-model basis. Before using these exact steps, check your documentation.

---

Detecting Sniffing Attacks

Aside from pure defensive tactics, it is possible to be proactive and use detection techniques designed to locate any attempts to sniff and shut them down. These methods include:

• Look for systems running network cards in promiscuous mode. Under normal circumstances there is little reason for a network card to be in promiscuous mode and as such all cards running in this mode should be investigated.
• Run an NIDS to detect telltale signs of sniffing and track it down.
• Tools such as HP’s Performance Insight can provide a way to view the network and identify strange traffic.

Exam Essentials

Know the purpose of sniffing. Sniffing is a technique used to gather information as it flows across the network. Sniffing can be performed using software-based systems or through the use of hardware devices known as protocol analyzers.

Understand your targets. For each target, know what type of information you are looking for—passwords, data, or something else.

Know what makes sniffing possible. Sniffing is possible due to traffic being sent in the clear as well as access to the network. Also, having the ability to switch a network card into promiscuous mode allows you to view all traffic on the network as it flows by.

Know your defenses. Know that techniques such as encryption, IPSec, SSL, SSH, and VPNs can provide effective countermeasures against sniffing.

Summary

This chapter covered what a sniffer is and how it works. You learned about two common sniffing utilities, Wireshark and TCPdump. You saw the importance of Wireshark search strings for real-world filtering and exam preparation. This chapter briefly touched on CLI commands for Wireshark that allow similar functionality to that of the GUI version. You also captured some packets with both Wireshark and TCPdump, and learned how to dissect and analyze those packets by taking advantage of Wireshark’s robust detailed interface. You explored some basic techniques to overcome a switched network’s inherent sniffing limitations, and reviewed defensive actions that you can take to protect your networks from sniffing and subsequent attacks.

Review Questions

1. On a switch, each switchport represents a ____________.

   1. VLAN
   2. Broadcast domain
   3. Host
   4. Collision domain

2. Wireless access points function as a ____________.

   1. Hub
   2. Bridge
   3. Router
   4. Repeater

3. What mode must be configured to allow an NIC to capture all traffic on the wire?

   1. Extended mode
   2. 10/100
   3. Monitor mode
   4. Promiscuous mode

4. Which of the following prevents ARP poisoning?

   1. ARP Ghost
   2. IP DHCP Snooping
   3. IP Snoop
   4. DNSverf

5. Jason is a system administrator who is researching a technology that will secure network traffic from potential sniffing by unauthorized machines. Jason is not concerned with the future impact on legitimate troubleshooting. What technology can Jason implement?

   1. SNMP
   2. LDAP
   3. SSH
   4. FTP

6. MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?

   1. The MAC address doesn’t map to a manufacturer.
   2. The MAC address is two digits too long.
   3. A reverse ARP request maps to two hosts.
   4. The host is receiving its own traffic.

7. Bob is attempting to sniff a wired network in his first pen test contract. He sees only traffic from the segment he is connected to. What can Bob do to gather all switch traffic?

   1. MAC flooding
   2. MAC spoofing
   3. IP spoofing
   4. DOS attack

8. What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts?

   1. ARP redirection
   2. ARP poisoning
   3. ARP flooding
   4. ARP partitioning

9. Which Wireshark filter displays only traffic from 192.168.1.1?

   1. ip.addr =! 192.168.1.1
   2. ip.addr ne 192.168.1.1
   3. ip.addr == 192.168.1.1
   4. ip.addr − 192.168.1.1

10. What common tool can be used for launching an ARP-poisoning attack?

    1. Cain and Abel
    2. Nmap
    3. Scooter
    4. TCPdump

11. Which command launches a CLI version of Wireshark?

    1. Wireshk
    2. dumpcap
    3. tshark
    4. editcap

12. Jason is using TCPdump to capture traffic on his network. He would like to save the capture for later review. What command can Jason use?

    1. tcpdump −r capture.log
    2. tcpdump −l capture.log
    3. tcpdump −t capture.log
    4. tcpdump −w capture.log

13. What is the generic syntax of a Wireshark filter?

    1. protocol.field operator value
    2. field.protocol operator value
    3. operator.protocol value field
    4. protocol.operator value field

14. Tiffany is analyzing a capture from a client’s network. She is particularly interested in NetBIOS traffic. What port does Tiffany filter for?

    1. 123
    2. 139
    3. 161
    4. 110

15. Based on the packet capture shown in the graphic, what is contained in the highlighted section of the packet?

    

    1. The frame value of the packet
    2. The MAC address of the sending host
    3. Source and destination IP addresses
    4. The routed protocol value

16. Jason is using TCPdump to capture traffic on his network. He would like to review a capture log gathered previously. What command can Jason use?

    1. tcpdump −r capture.log
    2. tcpdump −l capture.log
    3. tcpdump −t capture.log
    4. tcpdump −w capture.log

17. Wireshark requires a network card to be able to enter which mode to sniff all network traffic?

    1. Capture mode
    2. Promiscuous mode
    3. pcap mode
    4. Gather mode

18. Which network device can block sniffing to a single network collision domain?

    1. Hub
    2. Switch
    3. Router
    4. Bridge

19. What device will not limit the abilities of a sniffer?

    1. Hub
    2. Router
    3. Switch
    4. Gateway

20. The command-line equivalent of Windump is known as?

    1. Wireshark
    2. TCPdump
    3. Windump
    4. Netstat