Editing Sniffing & Spoofing

== Sniffing & Spoofing ==

Sniffing inspects network traffic in real-time, extracting headers, payloads, and session metadata. It uncovers credentials, tokens, and protocol weaknesses, and establishes situational awareness before or during exploitation.

=== Common Techniques ===

Capturing raw packets with promiscuous or monitor mode interfaces
Filtering traffic by IP, port, or protocol to isolate valuable data
Reassembling TCP streams to read clear-text credentials
Following unencrypted protocols (HTTP, Telnet, SMTP, FTP) for rapid intel
Leveraging port mirroring, SPAN, or hub-based topologies for full-duplex capture
Decrypting TLS when private keys or session secrets are available
Extracting files, images, and VoIP calls directly from packet flows
=== Tools ===

[[Wireshark]] (GUI packet analyzer with deep protocol dissection)
[[tcpdump]] (lightweight CLI sniffer for scripted captures)
[[tshark]] (Wireshark’s CLI engine for remote or headless use)
[[Bettercap]] (modular MITM framework with live packet capture)
[[Zeek]] (formerly Bro; network security monitor that logs and scripts traffic events)
[[Scapy]] (Python library for custom packet crafting and sniffing)
[[pcapplus]]-based scripts (custom automation around libpcap)
== Spoofing ==

Spoofing forges network identity to redirect traffic, hijack sessions, or bypass access controls. By masquerading as trusted hosts or infrastructure, an operator gains man-in-the-middle positions, network access, and lateral movement capability.

=== Common Techniques ===

MAC spoofing to bypass wireless MAC filtering or port-based NAC
ARP cache poisoning to position a MITM node inside switched LANs
DNS spoofing to deliver malicious IPs for trusted domains
IP spoofing in stateless protocols (e.g., UDP) to mask source or trigger reflection
DHCP spoofing for rogue gateway injection and traffic capture
Email header spoofing to improve phishing credibility
LLDP/CDP spoofing to influence network device topology views
=== Tools ===

[[arpspoof]] (classic ARP poisoning utility in dsniff suite)
[[Bettercap]] (real-time ARP, DNS, and DHCP spoofing with interactive console)
[[Ettercap]] (MITM framework supporting ARP, DNS, and SSL stripping)
[[macchanger]] (quick MAC address changer for Linux)
[[Responder]] (rogue SMB/HTTP/MDNS/NBT-NS responder that coerces credential hand-offs)
[[Scapy]] (crafts arbitrary Ethernet/IP packets for advanced spoofing scenarios)
[[hping3]] (raw-packet generator for IP-level spoofing, testing, and DoS research)