Certified Ethical Hacker - Part 7-1 Sniffing

by Riazul H. Rozen
Dec. 15, 2017


Sniffing is a reconnaissance method used by attackers to extract sensitive information from victim machines. It occurs when packets travelling from a source to a destination are intercepted and monitored along the way.

Sniffing is carried out by switching the NIC of the target system into promiscuous mode, which allows for decrypting and extracting information from the packets being transmitted. Sniffing works best against protocols that do not encrypt their traffic before transmission, such as HTTP, IMAP, SMTP, NNTP, FTP, POP, Telnet and Rlogin.

Some of the sniffing tools used are:

  • Wireshark
  • Cain and Abel
  • Tcpdump
  • Kismet
  • Ettercap
  • Netstumbler
  • dsniff
  • Ntop
  • ngrep
  • EtherApe
  • NetworkMiner
  • P0f
  • inSSIDer
  • KisMAC

Sniffing is usually done at the data link layer of the OSI model. This is beneficial to the attacker because the upper layers are unable to detect sniffing taking place on a lower layer. Sniffing can also be carried out with a hardware protocol analyser, which monitors and captures signals on the wire without altering the transmitted traffic. The same kind of analyser is used by defenders to detect malicious sniffing techniques: it captures packet data, examines its properties, and applies a set of rules to filter malicious packets out of the traffic.

Sniffing methods

Sniffing can be done in two ways -

The passive method

Network systems used to be connected through a hub, but this arrangement is outdated. Sniffing on a hub is easy and needs no additional equipment from the attacker, because every host connected to the hub receives all traffic passing through it and is therefore privy to information being transmitted from one host to another.

(Figure: passive sniffing method)

The active method

This method is a lot trickier to pull off than its passive counterpart, because it is done on a switched network. A switch keeps a Content Addressable Memory (CAM) table that takes note of all the hosts connected to it and forwards each frame only to the port of its destination. This makes it necessary for attackers to inject Address Resolution Protocol (ARP) packets towards the victim machine.

The CAM table houses the MAC addresses seen on every port of the switch. Once the table is full, attackers can inject ARP packets that push the switch back into its learning mode, in which frames are flooded out of every port, making it possible for malicious users to connect and intercept packets.

Interception and flooding can be prevented through port security, by limiting the incoming traffic on a port to certain MAC addresses.
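The CAM table behaviour described above, and what port security changes about it, as an added example (written for this page; it is not code from the original article or from any switch vendor). The model is a toy: it learns source MACs per port, ages idle entries out, floods unknown-unicast frames when it cannot learn a destination, and optionally enforces a per-port MAC limit. All host and attacker MAC addresses, port numbers and timings are constructed sample values.

```python
"""Toy model of a switch CAM table, with and without port security.

Added example for this article (not from the original post or any vendor):
it simulates a switch that learns source MACs per port, ages entries out,
and floods unknown-unicast frames when it cannot learn. The host and
attacker MAC addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BCAST = "ff:ff:ff:ff:ff:ff"
HOST_A = "00:00:00:00:00:0a"   # legitimate host on port 1 (constructed)
HOST_B = "00:00:00:00:00:0b"   # legitimate host on port 2 (constructed)
ATTACKER_PORT = 3


@dataclass
class Switch:
    cam_capacity: int                      # entries the CAM can hold
    aging_time: int = 300                  # seconds before an idle entry is removed
    port_mac_limit: Optional[int] = None   # port-security limit per port; None = off
    cam: Dict[str, Tuple[int, int]] = field(default_factory=dict)   # mac -> (port, last_seen)
    violations: Dict[int, int] = field(default_factory=dict)        # port -> dropped frames

    def _age_out(self, now: int) -> None:
        stale = [m for m, (_, seen) in self.cam.items() if now - seen > self.aging_time]
        for m in stale:
            del self.cam[m]

    def _macs_on_port(self, port: int) -> int:
        return sum(1 for p, _ in self.cam.values() if p == port)

    def receive(self, now: int, ingress: int, src: str, dst: str) -> str:
        """Process one frame and report what the switch did with it."""
        self._age_out(now)
        if src in self.cam:
            self.cam[src] = (ingress, now)            # refresh (or MAC move)
        else:
            # Port security: a port may only introduce port_mac_limit new MACs.
            if self.port_mac_limit is not None and self._macs_on_port(ingress) >= self.port_mac_limit:
                self.violations[ingress] = self.violations.get(ingress, 0) + 1
                return "dropped:port-security"
            # Without port security the entry is learned only while there is room;
            # a full table silently stops learning, which is what flooding exploits.
            if len(self.cam) < self.cam_capacity:
                self.cam[src] = (ingress, now)
        if dst in self.cam:
            return f"forward:port{self.cam[dst][0]}"
        return "flood"    # unknown destination: copied to every port, attacker's included


def bogus_mac(i: int) -> str:
    return f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}"


def simulate(port_mac_limit: Optional[int]) -> Tuple[str, int, int]:
    """Flood the CAM from port 3, then see where A's unicast to B ends up.

    Returns (verdict for the A->B frame, port-security drops on port 3, CAM size).
    """
    sw = Switch(cam_capacity=256, aging_time=300, port_mac_limit=port_mac_limit)
    sw.receive(0, 1, HOST_A, BCAST)        # t=0: switch learns A on port 1 ...
    sw.receive(0, 2, HOST_B, HOST_A)       # ... and B on port 2
    for t in (1, 400):                     # two bursts of 500 forged source MACs
        for i in range(500):
            sw.receive(t, ATTACKER_PORT, bogus_mac(i), BCAST)
    # By t=400 the idle entries for A and B have aged out and the second burst
    # has refilled the table. B speaks again, then A sends B a unicast frame.
    sw.receive(401, 2, HOST_B, HOST_A)
    verdict = sw.receive(402, 1, HOST_A, HOST_B)
    return verdict, sw.violations.get(ATTACKER_PORT, 0), len(sw.cam)


if __name__ == "__main__":
    print("no port security:", simulate(None))   # ('flood', 0, 256)
    print("port security  :", simulate(1))       # ('forward:port2', 998, 3)
```

Without port security the refilled table cannot relearn B, so A's unicast to B is flooded to every port, which is exactly what the attacker on port 3 is waiting for. With a limit of one MAC per port the forged addresses are dropped and counted as violations, the table stays small, and the A-to-B frame is forwarded only to port 2.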

Attackers usually take a set of pertinent steps to ensure that the target system is hacked successfully. These steps are:

  • Connect the sniffing machine to the switch type system
  • Explore and discover the network topology of the victim machine
  • Locate the target system
  • Use the address resolution packet to speed up the sniffing process
  • Intercept the traffic and redirect it to the attacker's system
  • Extract sensitive information


Wiretapping

Wiretapping is the process by which attackers listen in on phone or internet conversations. Attackers connect to the circuit between the two endpoints with hardware, software or both. Gathering information without altering the data being sent is known as passive wiretapping. Active wiretapping allows the attacker to observe, record and change the data, and to inject foreign content, for the purpose of malicious information gathering.

When communication points are tapped and information is gathered without legal authorisation, wiretapping becomes a crime. There are also lawful interception measures, carried out for surveillance between two points; for instance, over conventional methods, multiservice networks and VoIP. These legal procedures have to be ordered by a court and are only carried out when individuals or corporations are under investigation for criminal activities.


DHCP attacks

A DHCP server houses the TCP/IP configuration handed out to clients: valid IP addresses, TCP/IP configuration parameters, address configurations and the duration of the lease as set by the server. DHCP can be targeted by attackers using DoS attacks: a denial-of-service attack ensures that all the addresses in the DHCP pool are leased out, preventing legitimate clients from obtaining or renewing an IP address once their lease has expired. DHCP attacks can be carried out with these tools:


Dhcpstarv

This tool requests leases within a specified scope, holds on to them, and renews them as soon as they expire. This keeps the DHCP pool in constant starvation and out of the reach of legitimate clients.

(Figure: Dhcpstarv mechanism)


This attack tool presents itself as a framework for investigating and testing deployed networks, but it is really a device for finding weaknesses in a system.


DHCP rogue server attack

The starvation attack ensures that users cannot obtain leases from the legitimate DHCP server, but this is just a preparatory step for the DHCP rogue server attack. Once a rogue server is placed in the network, it hands out false IP addresses to clients. This in turn compromises the target system, making it vulnerable to subsequent attacks from malicious individuals.

Security measures against DHCP starvation attacks and rogue server attacks

Activating port security is one way to prevent these attacks. A limit is placed on the MAC addresses, and hence the packets, allowed through each switch port; once the limit is reached, further packets are dropped.

DHCP snooping is also a means of protecting DHCP from interception. It works by setting predetermined rules that allow server-side DHCP messages only from trusted ports.
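The two defences just described, port-level limits against starvation and DHCP snooping against rogue servers, as one added example (written for this page; it is not code from the original article or from any switch vendor). The model applies three rules to a stream of decoded DHCP messages: server messages (OFFER, ACK, NAK) are accepted only from trusted ports, a client's hardware address must match the frame source, and a port that sends too many DISCOVERs in one second is shut down. Every address, port number, timestamp and limit below is a constructed sample value, and the message dicts stand in for real decoded packets.

```python
"""DHCP snooping model: rogue-server filtering, MAC verification and
DISCOVER rate limiting against starvation.

Added example for this article (not from the original post or any switch
vendor). Messages are plain dicts standing in for decoded DHCP packets, and
every address, port number and limit below is a constructed sample value.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

TRUSTED_PORTS = {24}              # uplink towards the legitimate DHCP server
DISCOVER_RATE_LIMIT = 10          # DISCOVERs per port per second before err-disable
SERVER_OPS = {"OFFER", "ACK", "NAK"}


class DhcpSnooper:
    def __init__(self) -> None:
        self.bindings: Dict[str, Tuple[str, int]] = {}   # client mac -> (ip, port)
        self.drops: Dict[str, int] = defaultdict(int)    # reason -> count
        self.err_disabled: set = set()
        self._client_port: Dict[str, int] = {}           # chaddr -> access port
        self._discovers: Dict[Tuple[int, int], int] = defaultdict(int)  # (port, sec) -> count

    def process(self, msg: dict) -> str:
        port, op = msg["port"], msg["op"]
        if port in self.err_disabled:
            self.drops["err-disabled"] += 1
            return "drop:err-disabled"
        # Rule 1: server-side messages are only accepted from trusted ports.
        if op in SERVER_OPS and port not in TRUSTED_PORTS:
            self.drops["rogue-server"] += 1
            return "drop:rogue-server"
        if op not in SERVER_OPS:
            # Rule 2: the DHCP client hardware address must match the frame source.
            if msg["src_mac"] != msg["chaddr"]:
                self.drops["mac-mismatch"] += 1
                return "drop:mac-mismatch"
            self._client_port[msg["chaddr"]] = port
            # Rule 3: too many DISCOVERs per second on one port looks like
            # starvation, so the port is shut (err-disabled).
            if op == "DISCOVER":
                key = (port, int(msg["t"]))
                self._discovers[key] += 1
                if self._discovers[key] > DISCOVER_RATE_LIMIT:
                    self.err_disabled.add(port)
                    self.drops["rate-limit"] += 1
                    return "drop:rate-limit"
        # A trusted ACK completes a lease; record the binding for later checks.
        if op == "ACK":
            self.bindings[msg["chaddr"]] = (msg["yiaddr"], self._client_port.get(msg["chaddr"], -1))
        return "forward"


def sample_traffic() -> List[dict]:
    """Constructed message stream: one clean lease, a rogue OFFER, two starvation attempts."""
    c, srv = "00:11:22:33:44:55", "00:aa:aa:aa:aa:01"
    msgs = [
        dict(t=0, port=2, op="DISCOVER", src_mac=c, chaddr=c),
        dict(t=0, port=24, op="OFFER", src_mac=srv, chaddr=c, yiaddr="10.0.0.20"),
        dict(t=0, port=2, op="REQUEST", src_mac=c, chaddr=c),
        dict(t=1, port=24, op="ACK", src_mac=srv, chaddr=c, yiaddr="10.0.0.20"),
        # A rogue server on an access port tries to hand out its own address.
        dict(t=2, port=5, op="OFFER", src_mac="00:bb:bb:bb:bb:01", chaddr=c, yiaddr="192.168.66.1"),
    ]
    # Starvation attempt 1: one NIC forging many client hardware addresses.
    msgs += [dict(t=3, port=7, op="DISCOVER", src_mac="00:cc:cc:cc:cc:01",
                  chaddr=f"02:00:00:00:00:{i:02x}") for i in range(20)]
    # Starvation attempt 2: frame source forged as well, so only the rate limit catches it.
    msgs += [dict(t=4, port=8, op="DISCOVER", src_mac=f"02:00:00:00:01:{i:02x}",
                  chaddr=f"02:00:00:00:01:{i:02x}") for i in range(20)]
    return msgs


def run(msgs: List[dict]) -> Tuple[DhcpSnooper, List[str]]:
    snooper = DhcpSnooper()
    return snooper, [snooper.process(m) for m in msgs]


if __name__ == "__main__":
    s, verdicts = run(sample_traffic())
    print(s.bindings, dict(s.drops), sorted(s.err_disabled))
```

The binding table the snooper builds from trusted ACKs (client MAC, leased IP and access port) is the same table that IP Source Guard and Dynamic ARP Inspection consult later on, which is why the rogue OFFER never gets the chance to create a bogus entry.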

ARP spoofing

This occurs when the ARP cache is poisoned. A legitimate user requests the MAC address of another user; the attacker intercepts this request and responds with a false MAC address.

(Figure: ARP spoofing)
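What a poisoned cache looks like from the wire, as an added detection example (written for this page; it is not code from the original article, nor from arpwatch or Wireshark). The detector replays ARP lines and raises three kinds of alert: a reply that no one requested, an IP whose announced MAC changes, and a single MAC that has claimed more than one IP. The SAMPLE lines are constructed in a tcpdump-like layout chosen for this example; the two regular expressions would need adjusting for real capture output.

```python
"""Detecting ARP cache poisoning from a capture: unsolicited replies,
IP-to-MAC changes and one MAC claiming several IPs.

Added example for this article (not from the original post or from
arpwatch/Wireshark). The SAMPLE lines are constructed, in a tcpdump-like
layout chosen for this example; adjust the regexes for real capture output.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

REQ = re.compile(r"^(\S+) ARP, Request who-has (\S+) tell (\S+)$")
REP = re.compile(r"^(\S+) ARP, Reply (\S+) is-at (\S+)$")

SAMPLE = [
    "12:00:01 ARP, Request who-has 10.0.0.1 tell 10.0.0.5",
    "12:00:01 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01",   # gateway answers
    "12:00:02 ARP, Request who-has 10.0.0.5 tell 10.0.0.1",
    "12:00:02 ARP, Reply 10.0.0.5 is-at 00:11:22:33:44:05",   # victim answers
    "12:00:09 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01",   # nobody asked: a third MAC claims the gateway
    "12:00:09 ARP, Reply 10.0.0.5 is-at de:ad:be:ef:00:01",   # ... and the victim, too
    "12:00:15 ARP, Request who-has 10.0.0.1 tell 10.0.0.5",
    "12:00:15 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01",   # real gateway: mapping flips back
]


class ArpWatch:
    def __init__(self) -> None:
        self.table: Dict[str, str] = {}                       # ip -> mac most recently announced
        self.claims: Dict[str, Set[str]] = defaultdict(set)   # mac -> every ip it has claimed
        self.pending: Set[str] = set()                        # ips with an outstanding request
        self.alerts: List[Tuple[str, str, str, str]] = []

    def feed(self, line: str) -> None:
        m = REQ.match(line)
        if m:
            self.pending.add(m.group(2))
            return
        m = REP.match(line)
        if not m:
            return                                            # not an ARP line we parse
        ts, ip, mac = m.groups()
        mac = mac.lower()
        # A reply nobody requested is the classic poisoning pattern.
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            self.alerts.append((ts, "unsolicited-reply", ip, mac))
        # A changed mapping means any cache that trusted it now points elsewhere.
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append((ts, "mac-changed", ip, f"{old}->{mac}"))
        self.table[ip] = mac
        self.claims[mac].add(ip)

    def duplicate_claims(self) -> Dict[str, Set[str]]:
        """MACs that have claimed more than one IP (e.g. gateway and victim)."""
        return {mac: ips for mac, ips in self.claims.items() if len(ips) > 1}


def analyse(lines: List[str]) -> ArpWatch:
    w = ArpWatch()
    for line in lines:
        w.feed(line)
    return w


if __name__ == "__main__":
    w = analyse(SAMPLE)
    for alert in w.alerts:
        print(*alert)
    print(w.duplicate_claims())
```

Against the sample, the two replies at 12:00:09 trigger both an unsolicited-reply and a mac-changed alert each, the genuine reply at 12:00:15 shows up as a further change (the "flip-flop" that arpwatch reports), and duplicate_claims() identifies the one MAC that has claimed both the gateway and the victim, which is the signature of a host placing itself in the middle.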

MAC spoofing

This is used to take on the identity of a legitimate user connected to a switch port. The attacker listens in on the transmission from source to destination, picks up the MAC address, and has the traffic in transit delivered to the attacker's machine. This is done by sniffing out the MAC addresses of users on a particular port and taking over one of those addresses.

Preventing attackers from successfully carrying out a MAC spoofing technique

  • It can be prevented using the DHCP snooping binding table, IP Source Guard and Dynamic ARP Inspection.
  • These tools compare the MAC and IP addresses of traffic in transit with the binding table. If the addresses are not in the binding table, the packet should be discarded.
  • It is also important to ensure that the MAC and IP addresses are present in the binding table; if they are not, the traffic should be blocked.
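The binding-table checks listed above, applied both to the ARP spoofing case from the previous section and to MAC spoofing, as one added example (written for this page; it is not code from the original article, and "Dynamic ARP Inspection" and "IP Source Guard" are vendor feature names whose real implementations differ from this model). BINDINGS is a constructed DHCP snooping binding table of (MAC, IP) pairs per access port; frames are plain dicts carrying only the fields the checks need, and all ports, MACs and IPs are sample values. The last sample frame shows the caveat a practitioner hits in practice: a host with a static address never obtains a lease, so it needs a static binding or its traffic is dropped.

```python
"""Dynamic ARP Inspection and IP Source Guard checks against a DHCP snooping
binding table.

Added example for this article (not from the original post or any switch
vendor). BINDINGS is a constructed snooping binding table; frames are plain
dicts with the fields the checks need. Ports, MACs and IPs are sample values.
"""
from typing import Dict, List, Set, Tuple

TRUSTED_PORTS: Set[int] = {24}        # uplink: the checks are not applied there
# Snooping binding table (constructed): (mac, ip) pairs learned per access port.
BINDINGS: Dict[int, Set[Tuple[str, str]]] = {
    2: {("00:11:22:33:44:20", "10.0.0.20")},
    7: {("00:11:22:33:44:70", "10.0.0.70")},
}


def inspect(frame: dict) -> Tuple[str, str]:
    """Return ("forward"|"drop", reason) for one frame arriving on a switch port."""
    port, src_mac = frame["port"], frame["src_mac"]
    if port in TRUSTED_PORTS:
        return "forward", "trusted-port"
    allowed = BINDINGS.get(port, set())
    if frame["proto"] == "arp":
        # DAI check 1: the ARP body must agree with the Ethernet header ...
        if frame["sender_mac"] != src_mac:
            return "drop", "dai-sender-mac-mismatch"
        # DAI check 2: ... and the sender (mac, ip) must be a binding on this port.
        if (frame["sender_mac"], frame["sender_ip"]) not in allowed:
            return "drop", "dai-no-binding"
        return "forward", "dai-ok"
    # IP Source Guard: source MAC and source IP must match a binding on this port.
    if (src_mac, frame["src_ip"]) not in allowed:
        return "drop", "ipsg-no-binding"
    return "forward", "ipsg-ok"


A, X, SRV = "00:11:22:33:44:20", "00:11:22:33:44:70", "00:aa:aa:aa:aa:01"

SAMPLE_FRAMES: List[dict] = [
    # legitimate host on port 2
    dict(port=2, proto="arp", src_mac=A, sender_mac=A, sender_ip="10.0.0.20"),
    dict(port=2, proto="ip", src_mac=A, src_ip="10.0.0.20"),
    # host on port 7 answering ARP for the gateway address (ARP spoofing)
    dict(port=7, proto="arp", src_mac=X, sender_mac=X, sender_ip="10.0.0.1"),
    # host on port 7 putting the port-2 host's MAC in the ARP body only
    dict(port=7, proto="arp", src_mac=X, sender_mac=A, sender_ip="10.0.0.20"),
    # host on port 7 cloning the port-2 host's MAC and IP (MAC spoofing)
    dict(port=7, proto="ip", src_mac=A, src_ip="10.0.0.20"),
    # host on port 7 using its own binding
    dict(port=7, proto="ip", src_mac=X, src_ip="10.0.0.70"),
    # the real gateway on the trusted uplink
    dict(port=24, proto="arp", src_mac=SRV, sender_mac=SRV, sender_ip="10.0.0.1"),
    # a port with no lease at all (static address, never went through DHCP)
    dict(port=9, proto="ip", src_mac="00:11:22:33:44:90", src_ip="10.0.0.90"),
]


def run_sample() -> List[Tuple[str, str]]:
    return [inspect(f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, run_sample()):
        print(frame["port"], frame["proto"], *verdict)
```

Because the binding is keyed by port as well as by address pair, cloning another host's MAC and IP from a different port fails the lookup even though the pair itself is valid somewhere on the switch; that is what makes the snooping table a stronger control than a plain MAC filter.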

Published with the express permission of the author.