Join Lisa Bock for an in-depth discussion in this video, Exploring network sniffing, part of IT Security Foundations: Network Security.
- "Network Sniffing" uses a packet sniffer, network monitor, or analyzer. This sniffer captures the packets and deciphers the bits. It then displays the field values in the packet. This can help the network administrator with troubleshooting network issues. However, this can be done for malicious reasons. Sniffing can also be used as a reconnaissance technique. Many times, packets are in plain text and not encrypted while they are in transit, so the contents can be read.
When doing packet sniffing, it's easier to sniff wireless networks than wired ones, because traffic off of a switch comes through the switch, through the port, and then to your device. You do not see any other traffic. However, a wireless access point acts more like a hub, and you could potentially see all the traffic. So, in order to reduce the threat of a sniffing attack, encrypt data transmitted over the network and physically secure your devices. I'm going to show you three examples of packet sniffing and how we can see data that is not encrypted.
I'm going to this website which is a sample captures website from wireshark.org. If you'd like to follow along, you can. I'm not going to show you how to use Wireshark. If you're interested, you can see my course, "Troubleshoot Your Network with Wireshark." Let's just take a look. I'm at this packet capture "sample captures," and I'm going to select "mysql_complete.pcap". Your screen might look a little different, because I've increased the font, so we can see this.
Now, this is the entire packet capture, and I'm just going to show you that here, "Stream index: 0," this is one single packet capture of a "mysql" transaction. Now, this is not encrypted, so I'm going to right-click, and I'm going to say, "Follow the TCP Stream." Any of those packets we can do that, and we can simply right-click and see the contents of this data transaction. Here we can see "SELECT DATABASE" and "show the tables."
Now, we can see the names of the tables. Now, this is something we wouldn't want anyone to see, the innards of your database, including table names. This packet capture shows what happens when we can see data that's not encrypted. This next one is Telnet. I'm at this website, again at "Sample Captures", and I'm going to select "telnet-cooked.pcap". Telnet is a protocol that used to be used for terminal emulation. It is deprecated in Windows operating systems, meaning it is off by default.
One of the things is, Telnet can still be used, but you should encrypt it using PuTTY, or a secure shell. In this Telnet transaction, again, it is not encrypted, I'm just simply going to right-click, and "Follow the TCP Stream." Here we can see the user name and password. Of course, this is simply a test, and as you can see, "login: fake, password: user." But the data is not encrypted. My third example is if I go to this website, and again, "Sample Captures", "Network_join_Nokia_Mobile.pcap".
In this case, we can see that it is broadcasting the SSID. Now, I am going to pull over these column values here, because I want you to see that the SSID is broadcast, and this is something you would probably not want to do. Broadcasting makes it one step closer for a hacker to get access to your network. So, a lot of times they encourage you to disable SSID broadcasting. So, as you can see, network sniffing can be used for reconnaissance techniques, and if the data is not encrypted, I can see it in plain text which can make things very vulnerable, and risk a lot of data leakage.
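As an added example that is not part of the video, here is a small Python audit that applies the same idea from the defender's side: it walks a classic pcap file (the format of the Wireshark sample captures), picks out TCP flows on the cleartext ports used by the MySQL and Telnet examples above, and counts Telnet-style login and password prompts so that cleartext credential exposure can be spotted without opening every stream by hand. The port list, the addresses, and the embedded sample capture are constructed for this example.

```python
import struct

CLEARTEXT_PORTS = {23: "telnet", 3306: "mysql"}  # the two cleartext protocols shown above

def parse_pcap(data):
    """Yield (src, sport, dst, dport, payload) for each Ethernet/IPv4/TCP frame in a classic pcap."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic decides record byte order
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        ip, tcp = frame[14:14 + total], frame[14 + ihl:14 + total]  # drops Ethernet padding
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]  # data offset is the high nibble of byte 12
        yield ".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport, payload

def find_cleartext(data):
    """Group cleartext flows by (protocol, server); count Telnet-style credential prompts."""
    findings = {}
    for src, sport, dst, dport, payload in parse_pcap(data):
        proto = CLEARTEXT_PORTS.get(dport) or CLEARTEXT_PORTS.get(sport)
        if proto is None or not payload:
            continue
        server = dst if dport in CLEARTEXT_PORTS else src
        f = findings.setdefault((proto, server), {"bytes": 0, "credential_prompts": 0})
        f["bytes"] += len(payload)
        if b"login:" in payload.lower() or b"password:" in payload.lower():
            f["credential_prompts"] += 1
    return findings

# Constructed test data below: a minimal pcap standing in for the Wireshark sample captures.
def build_frame(src, sport, dst, dport, payload):  # Ethernet/IPv4/TCP, checksums left zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):  # classic little-endian pcap, LINKTYPE_ETHERNET = 1
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", 40000, "10.0.0.9", 3306, b"SELECT DATABASE();"),
    build_frame("10.0.0.9", 23, "10.0.0.7", 50000, b"login: "),
    build_frame("10.0.0.9", 23, "10.0.0.7", 50000, b"Password: "),
    build_frame("10.0.0.5", 40001, "10.0.0.9", 443, b"\x16\x03\x01"),  # TLS: not flagged
])
```

Calling `find_cleartext(open("capture.pcap", "rb").read())` on a real capture returns a dictionary keyed by protocol and server address; any entry with a non-zero prompt count is a host still accepting credentials over an unencrypted channel and a candidate for replacement with SSH or TLS.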
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.
- Implementing secure content management (SCM)
- Implementing unified threat management (UTM)
- Introducing VLANs
- NAT addressing
- Network sniffing
- Understanding common attack methods, such as password attacks
- Protecting clients with antivirus software
- Implementing physical security