Packet sniffing in LAN

Packet Sniffing in LAN Arpit Suthar Software Consultant Knoldus Software


Page 1: Packet sniffing in LAN

Packet Sniffing in LAN

Arpit Suthar, Software Consultant

Knoldus Software

Page 2: Packet sniffing in LAN

• Packet sniffing is a technique of monitoring every packet that crosses the network.

[Diagram: Packet Sniffing in LAN, showing Host A and Host B connected through a router]

Page 3: Packet sniffing in LAN

Uses of Packet Sniffers

• Capturing clear-text usernames and passwords

• Capturing and replaying Voice over IP telephone conversations

• Mapping a network

• Breaking into a target computer and installing remotely controlled sniffing software.

• Redirecting communications to take a path that includes the intruder’s computer.

• Conversion of network traffic into human-readable form.

• Network analysis to find the bottlenecks.

• Network intrusion detection to monitor for attackers.

Page 4: Packet sniffing in LAN

Sniffing Methods-

• IP-based sniffing: This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter.

• MAC-based sniffing: This method works by putting the network card into promiscuous mode and sniffing all packets matching the MAC address filter.

• ARP-based sniffing: We will take this in detail.

Page 5: Packet sniffing in LAN

What is ARP

➢ ARP (Address Resolution Protocol) converts an IP address to its corresponding physical network address (MAC), operating at Layer 2 of the OSI model.

➢ ARP works on Ethernet networks as follows. Ethernet network adapters are produced with a physical address embedded in the hardware called the Media Access Control (MAC) address. Manufacturers take care to ensure these 6-byte (48-bit) addresses are unique, and Ethernet relies on these unique identifiers for message delivery. When any device wishes to send data to another target device over Ethernet, it must first determine the MAC address of that target given its IP address. These IP-to-MAC address mappings are derived from an ARP cache maintained on each device. If the given IP address does not appear in a device's cache, that device cannot direct messages to that target until it obtains a new mapping. To do this, the initiating device first sends an ARP request broadcast message on the local subnet. The host with the given IP address sends an ARP reply in response to the broadcast, allowing the initiating device to update its cache and proceed to deliver messages directly to the target.

Page 6: Packet sniffing in LAN

ARP Cache Table :-

Page 7: Packet sniffing in LAN

ARP Poisoning :-

➢ ARP Spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network. Once the attacker’s MAC address is connected to an authentic IP address the attacker will begin receiving any data that is intended for that IP address. ARP spoofing can enable malicious parties to intercept, modify, or even stop data in-transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol.

Page 8: Packet sniffing in LAN

ARP Spoofing Attacks:-

➢ The effects of ARP spoofing attacks can have serious implications for enterprises. In their most basic application ARP spoofing attacks are used to steal sensitive information. Beyond this, ARP spoofing attacks are often used to facilitate other attacks such as:

▪ Denial-of-service attack: DoS attacks often leverage ARP spoofing to link multiple IP addresses with a single target’s MAC address. As a result, traffic that is intended for many different IP addresses will be redirected to the target’s MAC address, overloading the target with traffic.

▪ Session hijacking: Session hijacking attacks can use ARP spoofing to steal session IDs, granting attackers access to private systems and data.

▪ Man-in-the-middle attack: MitM attacks can rely on ARP spoofing to intercept and modify traffic between victims.
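The ARP cache behaviour and the poisoning effect described in the slides above can be watched for on the defender's side. The following is an added example, not part of the original slides: it parses Ethernet/IPv4 ARP payloads, keeps a first-seen IP-to-MAC baseline (much like an ARP cache), and flags an IP whose MAC changes or a MAC that claims several IPs. The sample payloads and MAC addresses are constructed; the IP addresses follow the scenario used later in the deck.

```python
import struct

# Constructed sample ARP payloads (28 bytes each, hex). MACs are made up;
# IPs follow the slide scenario (gateway 192.168.0.1, hosts .101 and .107).
SAMPLE = [
    "0001080006040002" "020000000001" "c0a80001" "020000000065" "c0a80065",
    "0001080006040001" "02000000006b" "c0a8006b" "000000000000" "c0a80001",
    "0001080006040002" "02000000006b" "c0a80001" "020000000065" "c0a80065",
]

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip) for Ethernet/IPv4 ARP, else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = payload[8:14].hex(":")
    sender_ip = ".".join(str(b) for b in payload[14:18])
    return op, sender_mac, sender_ip

class ArpMonitor:
    def __init__(self):
        self.baseline = {}     # ip -> first MAC seen for that IP
        self.ips_by_mac = {}   # mac -> set of IPs that MAC has claimed

    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return []
        _, mac, ip = parsed
        alerts = []
        # A changed binding can also be benign (new NIC, DHCP reassignment).
        known = self.baseline.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"{ip} changed from {known} to {mac}")
        claimed = self.ips_by_mac.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1:
            alerts.append(f"{mac} claims {sorted(claimed)}")
        return alerts

def run_sample():
    monitor = ArpMonitor()
    return [a for h in SAMPLE for a in monitor.observe(bytes.fromhex(h))]

if __name__ == "__main__":
    print("\n".join(run_sample()))
```

Only the third payload raises alerts, because it rebinds the gateway's IP to a MAC that already answered for 192.168.0.107.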

Page 9: Packet sniffing in LAN

Man-in-the-middle Attack :-

Page 10: Packet sniffing in LAN

Packet Sniffing tools:-

➢ Wireshark

➢ Cain and Abel

➢ Kismet

➢ Tcpdump

➢ Ettercap

➢ NetStumbler

➢ Dsniff

➢ Ntop

➢ Ngrep

➢ And many more…

Page 11: Packet sniffing in LAN

Practical of Packet Sniffing and ARP poisoning:-

➢ We will use the tool “Cain and Abel” for this.

➢ It's a very easy and handy tool for beginners.

➢ Scenario: A LAN with 5 PCs (192.168.0.101, 192.168.0.102, 192.168.0.103, 192.168.0.105, 192.168.0.107 (hacker)) and a default gateway (192.168.0.1)

➢ So here are screenshots for this.

Page 12: Packet sniffing in LAN

Step 1:- Main window of Cain and Abel

Page 13: Packet sniffing in LAN

Step 2:- Click on Sniffer tab

Page 14: Packet sniffing in LAN

Step 3 :- Turn on the Sniffer

Page 15: Packet sniffing in LAN

Step 4:- Click on +; a “MAC Add scanner” window will appear. Click on OK.

Page 16: Packet sniffing in LAN

Step 5:- Now all the connected hosts will appear.

Page 17: Packet sniffing in LAN

Step 6:- Now click on the “APR” tab at the bottom

Page 18: Packet sniffing in LAN

Step 7:- Now click on the + button

Page 19: Packet sniffing in LAN

Step 8:- Now a “New ARP Poison Routing” window will appear, showing all the hosts and the default gateway

Page 20: Packet sniffing in LAN

Step 9:- Click on your default gateway, and all the hosts will appear.

Page 21: Packet sniffing in LAN

Step 10 :- Select all of them and click OK

Page 22: Packet sniffing in LAN

Step 11 :- Now click on Start APR logo.

Page 23: Packet sniffing in LAN

Step 12:- Poisoning starts!!!

Page 24: Packet sniffing in LAN

Step 13 :- Now when a host opens any website that contains a form and types his/her info, it will be sniffed…!!!

Page 25: Packet sniffing in LAN

Step 14 :- GOT…!!! ☺

Page 26: Packet sniffing in LAN