Unit No. 3 Part 1 Packet Sniffers

The document outlines the phases of ethical hacking, including footprinting, scanning, enumeration, and system hacking, along with techniques like sniffing and wiretapping. It details methods of packet sniffing, types of sniffing (passive and active), and MAC attacks, including MAC flooding and switch port stealing. Additionally, it discusses lawful interception and tools like PRISM used for monitoring communications.

Phases of Ethical Hacking
 Footprinting & Reconnaissance
 Scanning
 Enumeration
 System Hacking
 Escalation of Privileges
 Covering Tracks
Sniffing

 Monitoring all sorts of traffic, protected or unprotected
 Media Access Control (MAC) Attacks
 Dynamic Host Configuration Protocol (DHCP) Attacks
 Address Resolution Protocol (ARP) Poisoning
 MAC Spoofing Attack
 DNS Poisoning
 Diagnostic tools
Sniffing
 Sniffing is the process of capturing, inspecting and
monitoring the data packets passing through a network
using a tool called a sniffer.
 Sniffing relies on promiscuous mode on the attacker's
network interface (or on a switch port configured to
mirror traffic to it).
 Enabling promiscuous mode on the connected network
interface makes it hand every frame it sees to the
sniffer, including frames that are not addressed to
that host.
 Once a packet is captured, its contents can be
inspected at leisure.
Sniffing
 Using sniffing, an attacker can capture Syslog traffic,
DNS traffic, web traffic, email and any other type of
data traffic flowing across the network.
 By capturing these packets, an attacker can read data,
usernames and passwords carried by cleartext protocols
such as HTTP, POP, IMAP, SMTP, NNTP, FTP, Telnet and
Rlogin, along with other information.
 Anyone on the same LAN, or otherwise connected to the
target network segment, can sniff the packets.
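The slide lists the cleartext protocols a sniffer harvests credentials from. The following is an added example, not code from the original slides: it decodes captured Ethernet/IPv4/TCP frames and pulls usernames and passwords out of FTP, POP3, IMAP and HTTP Basic authentication. The frames, MAC and IP addresses, ports and credentials are all constructed inside the file (no live capture), and the TLS frame on port 443 is included to show that encrypted traffic yields nothing to the same decoder.

```python
"""Added example: decode Ethernet/IPv4/TCP frames and extract credentials
from cleartext protocols (FTP, POP3, IMAP, HTTP Basic). All frames below are
constructed test data; nothing is captured from a real interface."""
import base64
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def parse_frame(frame: bytes) -> dict:
    """Return addressing fields and the TCP payload of an IPv4/TCP frame,
    or {} for anything else (ARP, IPv6, UDP are out of scope here)."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return {}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ip[9] != PROTO_TCP:
        return {}
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4       # TCP header length in bytes
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "src_port": src_port, "dst_port": dst_port,
        "payload": tcp[data_off:],
    }


def extract_credentials(pkt: dict) -> list:
    """Credentials visible in a cleartext payload, as (protocol, field, value)."""
    found = []
    if not pkt:
        return found
    lines = pkt["payload"].decode("ascii", errors="replace").splitlines()
    port = pkt["dst_port"]
    if port in (21, 110):                       # FTP / POP3: "USER x" then "PASS y"
        proto = "FTP" if port == 21 else "POP3"
        for line in lines:
            cmd, _, arg = line.partition(" ")
            if cmd.upper() in ("USER", "PASS"):
                found.append((proto, cmd.upper(), arg))
    elif port == 143:                           # IMAP: "<tag> LOGIN user pass"
        for line in lines:
            tok = line.split()
            if len(tok) == 4 and tok[1].upper() == "LOGIN":
                found += [("IMAP", "USER", tok[2]), ("IMAP", "PASS", tok[3])]
    elif port == 80:                            # HTTP: base64 "user:pass" header
        for line in lines:
            if line.lower().startswith("authorization: basic "):
                creds = base64.b64decode(line.split(" ", 2)[2]).decode()
                user, _, password = creds.partition(":")
                found += [("HTTP", "USER", user), ("HTTP", "PASS", password)]
    return found


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed test data: minimal Ethernet/IPv4/TCP frame, checksums zeroed."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64,
                     PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


VICTIM, GATEWAY = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
SAMPLE_FRAMES = [
    build_frame(VICTIM, GATEWAY, "10.0.0.5", "10.0.0.20", 51000, 21,
                b"USER alice\r\nPASS s3cret\r\n"),
    build_frame(VICTIM, GATEWAY, "10.0.0.5", "10.0.0.30", 51001, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"bob:letmein") + b"\r\n\r\n"),
    build_frame(VICTIM, GATEWAY, "10.0.0.5", "10.0.0.40", 51002, 143,
                b"a001 LOGIN carol qwerty\r\n"),
    build_frame(VICTIM, GATEWAY, "10.0.0.5", "10.0.0.50", 51003, 443,
                bytes.fromhex("160303002a0100002603035c8a")),  # TLS: opaque to the sniffer
]


def sniff_credentials(frames) -> list:
    """Run every frame through the decoder and collect what a sniffer would see."""
    creds = []
    for frame in frames:
        creds.extend(extract_credentials(parse_frame(frame)))
    return creds


if __name__ == "__main__":
    for proto, field, value in sniff_credentials(SAMPLE_FRAMES):
        print(f"{proto:5} {field}={value}")
```

The decoder deliberately keys on the destination port, as simple sniffers do; a real tool such as dsniff also matches on payload patterns so that services on non-standard ports are not missed. The TLS frame produces no output because the credentials are inside the encrypted record: capture alone gives the attacker nothing there, which is the point of replacing FTP, POP3, IMAP and plain HTTP with their TLS-protected variants.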
Packet Sniffing
 Once the attacker has captured the packets, they can decode them to extract
the information carried in cleartext. Traffic protected by encryption (for
example TLS or SSH) is not readable this way; capture alone does not decrypt it.
 If you are connected to the target network through a switch, broadcast and
multicast traffic is transmitted to all ports.
 A switch forwards a unicast packet only to the specific port to which the
destination host is connected.
 The switch maintains a MAC address table to record which host is connected to
which port.
 An attacker with administrative access to the switch can alter its
configuration using port mirroring, called Switched Port Analyzer (SPAN) on
Cisco switches.
 All packets passing through the mirrored port are then copied onto the
destination port (the port on which the attacker is connected in promiscuous
mode).
 If you are connected to a hub, it transmits every packet to all ports.
Sniffers
 In the process of sniffing, an attacker gets connected
to the target network in order to sniff the packets.
 Using a sniffer, which switches the Network Interface
Card (NIC) of the attacker's system into promiscuous
mode, the attacker captures the packets.
 Promiscuous mode is an interface mode in which the NIC
accepts every frame it receives, instead of only frames
addressed to its own MAC address, to broadcast, or to a
multicast group it has joined.
 In the accompanying figure (not reproduced here), the
attacker's interface is in promiscuous mode, accepting
each packet, including packets that are not intended
for it.
Types of Sniffing

 Passive Sniffing
 Active Sniffing
Passive Sniffing

 Passive sniffing is the type in which there is
no need to send additional packets or to
interfere with the device, such as a hub, in
order to receive packets.
 A hub repeats every packet to all of its
ports, which lets the attacker monitor all
traffic passing through the hub without any
effort.
Active Sniffing
 Active sniffing is the type in which the attacker has
to send additional packets to the connected device,
such as a switch, in order to start receiving traffic.
 A unicast packet from the switch is transmitted to a
specific port only.
 The attacker uses techniques such as MAC Flooding,
DHCP Attacks, DNS Poisoning, Switch Port Stealing, ARP
Poisoning and Spoofing to monitor traffic passing
through the switch.
Hardware Protocol Analyzer
 Hardware protocol analyzers are physical
devices used to capture traffic without
interfering with the network.
 The major advantages offered by hardware
protocol analyzers are mobility, flexibility
and throughput.
Hardware Protocol Analyzer
Using these hardware analyzers, an
attacker can:
 Monitor network usage
 Identify traffic from hacking software
 Decode the packets
 Extract the information
 Measure packet sizes

 Examples: Keysight, RADCOM and Fluke.
Local SPAN Configuration

 Switched Port Analyzer (SPAN)
 Demo
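The demo slide carries no configuration, so here is an added example (not from the original slides) of the local SPAN session the slide refers to, on a Cisco Catalyst switch running IOS. The interface numbers are assumptions: the session copies everything received and transmitted on GigabitEthernet0/1 to GigabitEthernet0/24, where the sniffer's NIC sits in promiscuous mode.

```cisco
! Added example: mirror all traffic seen on Gi0/1 to an analyser on Gi0/24.
! Interface names are assumptions. Requires privileged EXEC on the switch.
configure terminal
 monitor session 1 source interface GigabitEthernet0/1 both
 monitor session 1 destination interface GigabitEthernet0/24
end
! Verify the session while capturing, then remove it afterwards:
show monitor session 1
configure terminal
 no monitor session 1
end
```

Two practical points follow from this. First, SPAN needs administrative access to the switch, which is why the slides treat it as something an attacker configures after compromising the device rather than a technique available to any LAN host. Second, a SPAN destination port stops forwarding normal traffic, and the session is visible in `show monitor` and in the running configuration, so an unexplained monitor session is a worthwhile thing for a defender to look for.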
Wiretapping

 Wiretapping is the process of gaining
information by tapping the signal carried
on a wire, such as a telephone line or an
Internet link.
 Classically, a wiretap is an electrical tap
on a telephone line.
 Legal wiretapping is called lawful
interception and is mostly performed by
government or security agencies.
Types of Wiretapping

Active Wiretapping
 Monitoring and recording of information by wiretapping;
in addition, active wiretapping includes alteration of
the communication.
Passive Wiretapping
 Monitoring and Recording the information by
wiretapping without any alteration in
communication.
Lawful Interception

 Lawful Interception (LI) is the process of
wiretapping with legal authorization, which
allows law enforcement agencies to wiretap
the communications of individual users
selectively.
 Telecommunication standardization
organizations (for example ETSI) have
standardized lawful interception gateways
for the interception of communications by
agencies.
Planning Tool for Resource Integration (PRISM)
 PRISM stands for Planning Tool for Resource Integration,
Synchronization and Management. PRISM is a program
designed to collect and process information passing
through American servers.
 The PRISM program is run by the Special Source
Operations (SSO) division of the National Security
Agency (NSA).
 PRISM is intended for the identification and
monitoring of suspicious communications of targets.
Internet traffic routed through the US, or data stored
on US servers, can be intercepted by the NSA under the
program.
MAC Attacks / MAC Address Table / CAM Table
CAM
 The MAC address table, or Content-Addressable Memory
(CAM) table, is used in Ethernet switches to record MAC
addresses and their associated information, which the
switch uses to forward frames.
 For each MAC address the CAM table records information
such as the associated VLAN, the learning type (dynamic
or static) and the associated port.
 These parameters let the switch forward frames at the
data-link layer.
CAM
 Learning the MAC addresses of attached devices is a fundamental
responsibility of a switch.
 The switch transparently observes incoming frames.
 It records the source MAC address of these frames in its MAC
address table.
 It also records the specific port for the source MAC address.
 Based on this information, it can make intelligent frame
forwarding (switching) decisions.
 Notice that a network machine could be turned off or moved at
any point.
 As a result, the switch must also age MAC addresses and
remove them from the table after they have not been seen for
some duration.
Switch
 A switch supports multiple MAC addresses on every port, so
a port can connect a single workstation as well as many
devices behind another switch or a router.
 Through dynamic address learning, the switch records the
source MAC address of each incoming frame and binds it to
the interface on which the frame was received.
 As devices are added or removed, the table is updated
dynamically.
 By default, the aging time of a dynamically learned MAC
address is 300 seconds.
 The switch learns MAC addresses dynamically by default.
MAC Table from Switch
MAC flooding
 MAC flooding is a technique in which the attacker sends
frames with random source MAC addresses (usually paired
with random IP addresses) to overflow the storage capacity
of the CAM table.
 Because the CAM table has a fixed size, once it is full
the switch can no longer learn new stations and behaves
like a hub for traffic addressed to them.
 It then floods such frames out of all ports, which lets
the attacker sniff them with ease.
 The Unix/Linux utility "macof" (part of the dsniff suite)
performs MAC flooding.
 Using macof, frames with random source MAC and IP
addresses can be sent out of an interface.
Switch port stealing
 Switch port stealing is a packet sniffing technique that floods the
switch with forged frames in order to take over the target's entry in
the CAM table.
 The attacker sends bogus ARP packets whose source MAC address is the
target's (say Host A) and whose destination address is the attacker's
own, so that the attacker is impersonating Host A.
 When these frames reach the switch, it updates its CAM table and binds
Host A's MAC address to the attacker's port.
 When Host A itself sends a frame, the switch has to update the entry
again, pointing it back to Host A's real port.
 This creates a race condition: whenever the attacker's forged frame
carrying Host A's MAC address is the most recent one the switch has
seen, the switch delivers frames destined for Host A to the attacker,
believing Host A is connected to that port.
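The CAM table, MAC flooding and switch port stealing slides above all describe the same mechanism from different angles: a bounded table of MAC-to-port bindings that is learned from source addresses, aged out after 300 seconds, and consulted for every unicast forwarding decision. The following is an added example, not code from the original slides: a toy switch model that reproduces each behaviour so the forwarding consequences can be checked. Port names, MAC addresses and the table size are made-up values, and the attacker's forged frames are modelled as plain frames with Host A's source MAC (in the real attack they are ARP packets; the switch only looks at the Ethernet source address).

```python
"""Added example (not from the original slides): a toy Ethernet switch with a
bounded, ageing CAM table, showing dynamic learning, 300-second ageing,
hub-like flooding once the table is full (MAC flooding) and the CAM entry
flip that switch port stealing races on. All names and addresses are made up."""

AGEING_SECONDS = 300            # Cisco IOS default aging time for dynamic entries
BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A = "00:11:22:aa:aa:aa"    # constructed addresses
HOST_B = "00:11:22:bb:bb:bb"
ATTACKER = "00:11:22:ee:ee:ee"


class Switch:
    def __init__(self, ports, cam_size, ageing=AGEING_SECONDS):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.ageing = ageing
        self.cam = {}               # mac -> (port, last_seen)

    def age_out(self, now):
        """Remove entries not refreshed within the ageing interval."""
        for mac, (_, seen) in list(self.cam.items()):
            if now - seen >= self.ageing:
                del self.cam[mac]

    def learn(self, src_mac, in_port, now):
        """Bind src_mac to in_port (a frame from another port moves the entry).
        A never-seen MAC is silently not learned once the table is full."""
        if src_mac in self.cam or len(self.cam) < self.cam_size:
            self.cam[src_mac] = (in_port, now)
            return True
        return False

    def forward(self, src, dst, in_port, now):
        """Egress ports for a frame: one port for a known unicast destination,
        every other port (hub behaviour) for broadcast or unknown destinations."""
        self.age_out(now)
        self.learn(src, in_port, now)
        if dst != BROADCAST and dst in self.cam:
            return [self.cam[dst][0]]
        return [p for p in self.ports if p != in_port]


def new_switch(cam_size=8):
    return Switch(["Gi0/1", "Gi0/2", "Gi0/3"], cam_size)


def normal_operation():
    """After A and B have each sent once, A -> B reaches B's port only."""
    sw = new_switch()
    sw.forward(HOST_A, HOST_B, "Gi0/1", now=0)     # B unknown: flooded, A learned
    sw.forward(HOST_B, HOST_A, "Gi0/2", now=1)     # B learned
    return sw.forward(HOST_A, HOST_B, "Gi0/1", now=2)


def ageing_demo():
    """Once B's entry is 300 s old, A -> B has to be flooded again."""
    sw = new_switch()
    sw.forward(HOST_A, HOST_B, "Gi0/1", now=0)
    sw.forward(HOST_B, HOST_A, "Gi0/2", now=1)
    return sw.forward(HOST_A, HOST_B, "Gi0/1", now=1 + AGEING_SECONDS)


def mac_flooding_demo(cam_size=64):
    """Attacker on Gi0/3 fills the CAM table with random source MACs (what macof
    does). B, speaking afterwards, cannot be learned, so A's reply to B is
    flooded out of every port, the attacker's included."""
    sw = new_switch(cam_size)
    sw.forward(HOST_A, BROADCAST, "Gi0/1", now=0)
    for i in range(cam_size * 2):
        fake = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        sw.forward(fake, BROADCAST, "Gi0/3", now=1)
    to_a = sw.forward(HOST_B, HOST_A, "Gi0/2", now=2)    # still unicast to A
    reply = sw.forward(HOST_A, HOST_B, "Gi0/1", now=3)   # flooded: B not in CAM
    return to_a, reply


def port_stealing_demo():
    """Attacker on Gi0/3 sends a frame whose *source* MAC is Host A's, moving
    A's entry to Gi0/3; B -> A lands on the attacker until A transmits again
    and wins the entry back (the race the slides describe)."""
    sw = new_switch()
    sw.forward(HOST_A, BROADCAST, "Gi0/1", now=0)
    sw.forward(HOST_B, BROADCAST, "Gi0/2", now=0)
    sw.forward(HOST_A, ATTACKER, "Gi0/3", now=1)         # forged frame from attacker
    stolen = sw.forward(HOST_B, HOST_A, "Gi0/2", now=2)
    sw.forward(HOST_A, HOST_B, "Gi0/1", now=3)           # real A speaks: entry flips back
    restored = sw.forward(HOST_B, HOST_A, "Gi0/2", now=4)
    return stolen, restored


if __name__ == "__main__":
    print("normal   ", normal_operation())
    print("aged out ", ageing_demo())
    print("flooding ", mac_flooding_demo())
    print("stealing ", port_stealing_demo())
```

Two details of the model matter for the attacks. In `mac_flooding_demo` the victim's own entry survives because it was learned before the flood; a real attacker keeps flooding so that every legitimate entry eventually ages out and all traffic is treated as unknown unicast. In `port_stealing_demo` the stolen state lasts only until Host A transmits, which is why tools that implement port stealing resend the forged frames continuously rather than once.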
 Defend against MAC Attacks
 Port security binds the MAC addresses of known devices to
physical ports, and a violation action is defined for any
other MAC address that appears on the port.
 Configuring Port Security
 Cisco switches offer port security to prevent MAC
attacks.
 You can configure the switch to accept statically defined
MAC addresses only, to learn MAC addresses dynamically up to
a specified maximum, or to combine the two on the same port.
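The slide describes the three port-security modes but shows no configuration, so here is an added example (not from the original slides) for a Cisco IOS access port. The interface and the MAC address are assumptions. With `maximum 2` and one static address, the port accepts that device plus one more address learned dynamically, which is the combined mode the slide mentions; `sticky` makes the learned address persist in the running configuration instead of ageing out.

```cisco
! Added example: port security on an access port. Interface and MAC address
! are assumptions. One static entry plus "maximum 2" leaves room for a single
! dynamically (sticky) learned address: the combined mode from the slide.
configure terminal
 interface GigabitEthernet0/1
  switchport mode access
  switchport port-security
  switchport port-security maximum 2
  switchport port-security mac-address 0011.2233.4455
  switchport port-security mac-address sticky
  switchport port-security violation restrict
  switchport port-security aging time 5
 end
show port-security interface GigabitEthernet0/1
show port-security address
```

The violation action decides what happens when a third source MAC shows up, which is exactly what macof or a port-stealing tool produces within its first few frames: `protect` drops the offending frames silently, `restrict` drops them and raises a log message and SNMP trap with a violation counter, and `shutdown` (the default) puts the port into err-disabled state until an administrator clears it. Port security has to be configured on an access port, not a dynamic trunking port, and it addresses only the MAC-layer attacks in this unit; ARP poisoning from the same outline needs Dynamic ARP Inspection on top of it.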
How Content Addressable Memory Works
