Chapter 5. Sniffing and Spoofing

Network sniffing helps you understand which users are using services you can exploit, and IP spoofing can be used to poison a system's DNS cache so that all of that system's traffic is sent to a man in the middle (your designated host, for instance); spoofing is also an integral part of most e-mail phishing schemes. Sniffing and spoofing are often used against the Windows endpoints in the network, and you need to understand the techniques that the bad guys are going to be using.

You have most likely noticed the motto of Kali Linux: "The quieter you are, the more you are able to hear." This is the heart of sniffing network traffic. You quietly listen to the network traffic, copying every packet on the wire. Every packet is important, or it wouldn't be there. Think about that for a moment with your security hat on. Do you understand why sending passwords in clear text is so bad? Protocols like Telnet, FTP, and HTTP send the passwords in clear text rather than in a hashed or encrypted form. Any packet sniffer will catch these passwords, and it doesn't take a genius to search the packet capture for terms like "password". There is no hash to crack; the password is just there. You can impress a manager or a client by pulling their clear-text password out of thin air. The bad guys use the same technique to break into networks and steal money and secrets.

More than just passwords can be found within your copied packets, and packet sniffers are not useful only for password hunting. They can be useful when looking for an attacker on the network: you can't hide from a packet sniffer. Packet sniffers are also great for network diagnostics. For instance, a sluggish network could be caused by a server with a dying NIC that is chattering away to no one, or by a runaway process tying up many other hosts with its responses.

If sniffing is listening to the network, then spoofing is lying to the network. What you are doing is having the attacking machine lie to the network and pretend to be someone else. With some of the tools below, and with two network cards on the attacking machine, you can even pass the traffic on to the real host and capture all traffic to and from both machines. This is a man-in-the-middle (MitM) attack. In most cases of pen testing you are really only after the password hashes, which can be obtained without a full MitM attack. Just spoofing without passing the traffic on will reveal password hashes in the ARP broadcasts from NetBIOS.
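As an added, defender-side example that is not from the book and not one of the tools mentioned here, this small Python watcher detects the "lying to the network" just described: it parses the sender fields of ARP frames and alerts when an IP address that was bound to one MAC is suddenly claimed by another, the way arpwatch does. The frames, MAC addresses and IP addresses are constructed samples, not captured traffic.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Constructed Ethernet II + ARP frame used as sample traffic (not a capture)."""
    dst = mac_bytes(tha) if op == ARP_REPLY else b"\xff" * 6   # requests are broadcast
    return (ETH_HDR.pack(dst, mac_bytes(sha), ETHERTYPE_ARP) +
            ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                         mac_bytes(tha), ip_bytes(tpa)))

def parse_arp(frame):
    """Return (op, sender MAC, sender IP) for an IPv4/Ethernet ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size or ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa)

class ArpWatch:
    """Learn IP->MAC bindings from ARP sender fields; alert when a binding changes."""
    def __init__(self):
        self.table = {}

    def observe(self, frame):
        if (parsed := parse_arp(frame)) is None:
            return None
        op, mac, ip = parsed
        if ip == "0.0.0.0" or op not in (ARP_REQUEST, ARP_REPLY):
            return None                      # ARP probes carry no usable binding
        known = self.table.setdefault(ip, mac)   # first sighting wins
        if known != mac:
            return f"ALERT: {ip} was {known}, now claimed by {mac}"

def run_demo():
    # Constructed sequence: gateway request, host reply, then a spoofed reply for the gateway IP.
    w = ArpWatch()
    frames = [
        build_arp(ARP_REQUEST, "aa:aa:aa:aa:aa:01", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.5"),
        build_arp(ARP_REPLY, "bb:bb:bb:bb:bb:05", "10.0.0.5", "aa:aa:aa:aa:aa:01", "10.0.0.1"),
        build_arp(ARP_REPLY, "cc:cc:cc:cc:cc:99", "10.0.0.1", "bb:bb:bb:bb:bb:05", "10.0.0.5"),
    ]
    return [alert for alert in map(w.observe, frames) if alert]
```

On a live network the same `observe` call would be fed raw frames from a promiscuous-mode socket; a legitimate NIC replacement also trips the alert, so treat a hit as something to verify rather than proof of an attack.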