Certified Ethical Hacker - Part 7-2 Sniffing

by Riazul H. Rozen
Dec. 17, 2017

How to discover Sniffing in systems

  • Setting a NIC to promiscuous mode lets it capture every frame that reaches it, not only the frames addressed to its own MAC address. Sniffers depend on this setting, so it is necessary to determine which machines have it enabled.
[Figure: Setting the NIC in promiscuous mode]
  • An IDS detects suspicious activity and alerts the administrators. To discover sniffing, the IDS must continuously check the systems on the network to find out whether the MAC address associated with an IP address has changed.
[Figure: Mechanism of a generic IDS to detect sniffing]
  • The Capsa network analyser can be used to check the network for ongoing suspicious activity. It lets administrators capture and analyse traffic across different network media.
[Figure: Capsa network analyser]
  • The ping method can be used to determine whether a suspect machine is running a sniffer. The tester sends a ping request to the suspect's IP address but with an incorrect destination MAC address. A machine in promiscuous mode does not reject the frame, because it has been set to accept all MAC addresses, and so it answers the ping; on a machine that is not sniffing, the frame is discarded at the Ethernet layer because the MAC address does not match.
  • The ARP method works on the same principle and only identifies systems set to promiscuous mode. When the probe is sent, a reply from the suspect machine means it processed a frame that was not addressed to it, so it is sniffing. A machine that is not sniffing does not answer; if it needs to reach the sender, it first issues its own ARP request to learn the source's address.
  • The DNS method watches for reverse DNS lookups. Many sniffers resolve the IP addresses they capture into host names, so a suspect machine that generates reverse DNS lookup traffic is likely carrying out sniffing.
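The DNS method above is easiest to apply from the resolver's query log rather than from the suspect host. The following Python detector is an added example (not from the original article): it scans query-log lines and flags any client that issues PTR lookups for many distinct addresses inside a short window, the pattern a sniffer produces while naming the hosts it captured. The log lines are constructed in a simplified BIND-style format, and the window and threshold values are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed query-log lines in a simplified BIND-style format (not from a real server).
# Client 10.0.0.5 resolves eight different addresses in reverse within a few seconds;
# 10.0.0.7 issues ordinary forward queries and a single PTR lookup.
SAMPLE_LOG = """\
17-Dec-2017 10:00:01.000 client 10.0.0.5#53211: query: 1.0.0.10.in-addr.arpa IN PTR
17-Dec-2017 10:00:01.200 client 10.0.0.5#53212: query: 2.0.0.10.in-addr.arpa IN PTR
17-Dec-2017 10:00:01.400 client 10.0.0.7#40001: query: www.example.com IN A
17-Dec-2017 10:00:02.000 client 10.0.0.5#53213: query: 3.0.0.10.in-addr.arpa IN PTR
17-Dec-2017 10:00:02.500 client 10.0.0.5#53214: query: 4.0.0.10.in-addr.arpa IN PTR
17-Dec-2017 10:00:03.000 client 10.0.0.5#53215: query: 5.0.0.10.in-addr.arpa IN PTR
17-Dec-2017 10:00:03.100 client 10.0.0.7#40002: query: 1.0.0.10.in-addr.arpa IN PTR
17-Dec-2017 10:00:04.000 client 10.0.0.5#53216: query: 6.0.0.10.in-addr.arpa IN PTR
17-Dec-2017 10:00:05.000 client 10.0.0.5#53217: query: 7.0.0.10.in-addr.arpa IN PTR
17-Dec-2017 10:00:06.000 client 10.0.0.5#53218: query: 8.0.0.10.in-addr.arpa IN PTR
17-Dec-2017 10:00:07.000 client 10.0.0.7#40003: query: mail.example.com IN A
"""

LOG_RE = re.compile(
    r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (\d+\.\d+\.\d+\.\d+)#\d+: "
    r"query: (\S+) IN (\S+)"
)


def parse_query_log(lines):
    """Yield (timestamp, client_ip, qname, qtype) for every line that matches LOG_RE."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3), m.group(4)


def reverse_lookup_bursts(lines, window_seconds=60, threshold=5):
    """Return {client_ip: peak} for clients that issued PTR queries for at least
    `threshold` distinct addresses inside any `window_seconds` window."""
    per_client = defaultdict(list)
    for ts, client, qname, qtype in parse_query_log(lines):
        if qtype == "PTR" and qname.endswith(".in-addr.arpa"):
            per_client[client].append((ts, qname))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({name for _, name in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    print(reverse_lookup_bursts(SAMPLE_LOG.splitlines()))  # {'10.0.0.5': 8}
```

Counting distinct reverse names rather than raw query volume keeps a host that repeatedly resolves one address (a monitoring probe, for example) below the threshold; tune the window and threshold to the normal PTR rate of your own resolver before alerting on it.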

How to determine which machines are in promiscuous mode

It is important to determine whether machines are running in promiscuous mode. This can be done with a detection tool; one such tool is PromqryUI.

Nmap can also be used to determine whether a machine is in promiscuous mode: it sends crafted requests at the Ethernet layer that only a network card set to promiscuous mode will answer.
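Nmap's remote check is the `sniffer-detect` NSE script (`nmap --script sniffer-detect <host>`, run from the same Ethernet segment). For the local side of the same audit, here is an added Python example (not part of the original article or of PromqryUI/Nmap) that lists promiscuous interfaces on a Linux host in two ways: by parsing `ip -o link show` output and by reading the IFF_PROMISC bit from each interface's sysfs `flags` file. The `ip` output embedded below is constructed.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100  # bit set in /sys/class/net/<iface>/flags while the interface is promiscuous

# Constructed sample of `ip -o link show` output (not captured from a real host).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
4: veth1a2b@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
"""

# "<index>: <name>[@peer]: <FLAG,FLAG,...>" at the start of every interface line
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")


def promisc_from_ip_link(text):
    """Return the interface names whose `ip link` flag list contains PROMISC."""
    found = []
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def promisc_from_flags(flags_by_iface):
    """Return the interface names whose sysfs flags value has the IFF_PROMISC bit set.

    `flags_by_iface` maps an interface name to the hex string read from
    /sys/class/net/<name>/flags, e.g. {"eth0": "0x1103"}.
    """
    return [name for name, value in flags_by_iface.items()
            if int(value, 16) & IFF_PROMISC]


def read_sysfs_flags(root="/sys/class/net"):
    """Read the flags file of every interface under `root` (Linux only; empty elsewhere)."""
    result = {}
    for iface in Path(root).glob("*"):
        flags = iface / "flags"
        if flags.is_file():
            result[iface.name] = flags.read_text().strip()
    return result


if __name__ == "__main__":
    print("sample ip link:", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("this host:", promisc_from_flags(read_sysfs_flags()))
```

Run it periodically from configuration management or an endpoint agent and alert on any interface that appears in the list without a documented reason (a packet broker or IDS sensor is expected to be promiscuous; a workstation is not).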

Sniffing pen testing

Sniffing penetration testing determines how well an organization's data transmissions are protected against sniffing and interception attacks. In addition, the sniffing penetration technique is used to:

  • Check the network for malicious content.
  • Ensure the network is secure by implementing SSL and VPN measures.
  • Identify sniffing applications present in the network.
  • Identify unauthorized networks in the system.

How to run a sniffing pen test

  • Implement a MAC flooding attack with tools like Macof.
  • Carry out DHCP attacks with tools such as Yersinia and dhcpstarv.
  • Implement rogue server attacks by placing a rogue DHCP server in the network that answers clients with false IP addresses.
  • Implement ARP poisoning using tools such as WinArpAttacker.
  • Implement MAC spoofing with tools such as SMAC.
  • Send fake router advertisement messages in order to implement IRDP spoofing.
  • Implement DNS spoofing with tools like arpspoof and dnsspoof.
  • Implement cache poisoning with a Trojan that changes the proxy server settings and redirects the user to a fake website.
  • Implement a rogue DNS server to carry out proxy server DNS poisoning.
  • When this is completed, document all findings for future reference.
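The ARP poisoning and MAC spoofing steps above leave a trace that the detection methods in the first section look for: the MAC address bound to an IP address suddenly changes, and one MAC starts answering for several IPs. The following Python detector is an added example (not from the original article or any of the tools it names). It reads tcpdump-style ARP lines, keeps the first IP-to-MAC binding it sees, and raises an alert when that binding changes; the capture lines are constructed.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP lines (not a real capture). The gateway 10.0.0.1 and
# host 10.0.0.20 are first announced by their own cards; later a third card claims both,
# which is what a man-in-the-middle sitting between the two looks like on the wire.
SAMPLE_ARP = """\
10:00:01.000000 ARP, Reply 10.0.0.1 is-at 02:00:00:00:00:01, length 28
10:00:01.500000 ARP, Reply 10.0.0.20 is-at 02:00:00:00:00:20, length 28
10:00:02.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28
10:00:02.100000 ARP, Reply 10.0.0.1 is-at 02:00:00:00:00:01, length 28
10:00:09.000000 ARP, Reply 10.0.0.1 is-at 02:00:00:00:00:99, length 28
10:00:09.100000 ARP, Reply 10.0.0.20 is-at 02:00:00:00:00:99, length 28
"""

ARP_REPLY_RE = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


class ArpWatch:
    """Tracks the IP-to-MAC binding seen in ARP replies and raises an alert
    whenever an IP address is claimed by a different MAC address than before."""

    def __init__(self):
        self.bindings = {}                   # ip -> mac currently believed
        self.ips_by_mac = defaultdict(set)   # mac -> every ip it has claimed
        self.alerts = []                     # (ip, old_mac, new_mac)

    def observe(self, ip, mac):
        mac = mac.lower()
        self.ips_by_mac[mac].add(ip)
        previous = self.bindings.get(ip)
        if previous is None:
            self.bindings[ip] = mac
            return None
        if previous != mac:
            alert = (ip, previous, mac)
            self.alerts.append(alert)
            self.bindings[ip] = mac          # follow the new claim so a flip back alerts too
            return alert
        return None

    def feed(self, lines):
        """Parse ARP replies out of tcpdump-style lines; return the alerts raised."""
        raised = []
        for line in lines:
            m = ARP_REPLY_RE.search(line)
            if m:
                alert = self.observe(m.group(1), m.group(2))
                if alert:
                    raised.append(alert)
        return raised

    def macs_claiming_multiple_ips(self):
        """MACs that answered for more than one IP, a second indicator of a man-in-the-middle."""
        return {mac: sorted(ips) for mac, ips in self.ips_by_mac.items() if len(ips) > 1}


def analyse(lines):
    """Run the watcher over a set of lines; returns (alerts, multi-IP MACs)."""
    watch = ArpWatch()
    alerts = watch.feed(lines)
    return alerts, watch.macs_claiming_multiple_ips()


if __name__ == "__main__":
    alerts, multi = analyse(SAMPLE_ARP.splitlines())
    for ip, old, new in alerts:
        print("ALERT: %s moved from %s to %s" % (ip, old, new))
    print("MACs answering for several IPs:", multi)
```

A legitimate NIC replacement or a failover pair also changes a binding, so in production seed `bindings` from an inventory of known addresses and treat the multi-IP indicator as the stronger of the two signals.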

How to prevent Sniffing

  • Ensure that usernames and passwords are protected by using HTTPS instead of HTTP.
  • Use a switch rather than a hub, as a switch forwards traffic only to the port of the intended recipient.
  • Secure file transfers by using SFTP instead of FTP.
  • WPA and WPA2 are strong encryption protocols and should be used to encrypt wireless traffic.
  • Prevent MAC spoofing by retrieving the MAC address directly from the NIC rather than from the OS.
  • Scan NICs regularly to determine which machines have been set to promiscuous mode.

DNS poisoning

DNS servers are hubs that collect and distribute name information, which makes them a target for attackers. DNS poisoning happens when the attacker makes a DNS server believe it is receiving legitimate information: the attacker creates fake DNS entries for the server and substitutes them for the genuine entries of the same names on the target system.

Through DNS poisoning the attacker is able to reach the target system by intercepting and swapping IP addresses. This happens at the DNS level on the server, at the point where host names are being translated into numeric IP addresses.

DNS poisoning techniques

  • There are several DNS spoofing techniques. Intranet DNS spoofing is carried out on the local area network of the target system and works best on a switched network.

  • The Internet DNS spoofing technique is used over wide area networks. Attackers infect the target system with Trojans (which get onto the system when employees download files from or visit untrusted sites). The Trojans are programmed to alter the target system's DNS server address, replacing it with the attacker's DNS address.

  • Proxy server DNS poisoning also works through a Trojan. Here, the Trojan alters the proxy server settings in the browser (Internet Explorer), changing the target system's normal browsing route by redirecting it to a fake website.

DNS cache poisoning

DNS cache poisoning redirects the DNS queries of legitimate users to a malicious site. It is done by adding false or altered DNS records to the DNS resolver cache. The resolver cache is supposed to validate DNS responses and serve them to the users who requested them; once poisoned, the resolver cannot tell whether the incoming entries are authentic, yet it still stores them and serves them to users later. You will find a tutorial on DNS cache poisoning here.

Defensive measures for DNS cache poisoning

Setting up preventive measures against cache poisoning is necessary, as it keeps the victim machine protected from attackers with malicious intentions.

  • Direct all DNS queries to the local DNS server.
  • Configure the DNS resolver to use a different source port for each query.
  • Limit the DNS recursion service to authenticated users.
  • Deploy an IDS.
  • Configure the firewall.
  • Limit DNS lookups to internal machines.
  • Prevent DNS requests from being sent to external servers.
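The "different source port for each query" measure, and the resolver's inability to tell a forged answer from a real one, both come down to what a resolver checks before it caches a reply. The following toy resolver is an added example (not from the original article and not the code of any real DNS server): a reply is accepted only if its transaction ID and destination port match an outstanding query and its question section matches, and even then only records inside the zone that was asked (in bailiwick) are cached. The `fixed_port` option reproduces the weak setting; `guess_space_bits` shows how many bits an off-path forger has to guess in each configuration. All names and addresses in `demo()` are constructed.

```python
import math
import secrets
from collections import namedtuple

Record = namedtuple("Record", "name rtype data")


def in_bailiwick(name, zone):
    """True when `name` lies inside `zone` (absolute, dot-terminated names; case-insensitive)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


class Resolver:
    """Toy caching resolver showing the checks a real one applies before caching a reply."""

    EPHEMERAL = range(1024, 65536)

    def __init__(self, fixed_port=None):
        self.fixed_port = fixed_port   # weak setting: the same source port for every query
        self.pending = {}              # (txid, port) -> (qname, qtype, zone asked)
        self.cache = {}                # (name, rtype) -> data

    def send_query(self, qname, qtype, zone):
        """Pick a random 16-bit transaction ID and, unless fixed, a random source port."""
        txid = secrets.randbelow(1 << 16)
        port = self.fixed_port or secrets.choice(self.EPHEMERAL)
        self.pending[(txid, port)] = (qname, qtype, zone)
        return txid, port

    def guess_space_bits(self):
        """Bits an off-path forger must guess for a reply to be accepted."""
        return 16 if self.fixed_port else 16 + math.log2(len(self.EPHEMERAL))

    def accept_response(self, txid, port, qname, qtype, records):
        """Validate a reply against the outstanding query; cache only in-bailiwick records."""
        key = (txid, port)
        if key not in self.pending:
            return "rejected: txid/port match no outstanding query"
        pqname, pqtype, zone = self.pending[key]
        if (pqname.lower(), pqtype) != (qname.lower(), qtype):
            return "rejected: question section differs from the query"
        del self.pending[key]          # first matching reply wins; later copies are ignored
        cached = 0
        for rec in records:
            if in_bailiwick(rec.name, zone):
                self.cache[(rec.name.lower(), rec.rtype)] = rec.data
                cached += 1
        return "accepted: cached %d of %d records" % (cached, len(records))


def demo():
    """Constructed exchange: a forged reply with the wrong txid, then the genuine reply
    carrying an unrelated out-of-bailiwick record that must not be cached."""
    r = Resolver()
    txid, port = r.send_query("www.example.com.", "A", "example.com.")
    forged = r.accept_response((txid + 1) % 65536, port, "www.example.com.", "A",
                               [Record("www.example.com.", "A", "203.0.113.66")])
    genuine = r.accept_response(txid, port, "www.example.com.", "A",
                                [Record("www.example.com.", "A", "192.0.2.10"),
                                 Record("www.bank.example.", "A", "203.0.113.66")])
    return forged, genuine, dict(r.cache)


if __name__ == "__main__":
    forged, genuine, cache = demo()
    print(forged)
    print(genuine)
    print("cache:", cache)
    print("fixed port: %d bits, random port: %.1f bits" %
          (Resolver(fixed_port=53).guess_space_bits(), Resolver().guess_space_bits()))
```

With a fixed source port the forger only has to match the 16-bit transaction ID; randomizing the port roughly doubles the number of bits to guess, which is why the port-per-query measure matters. The bailiwick rule is what stops a reply for one name from planting records for an unrelated domain in the cache.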

Published with the express permission of the author.