Editing
Sniffing & Spoofing
Jump to navigation
Jump to search
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Sniffing == Sniffing inspects network traffic in real-time, extracting headers, payloads, and session metadata. It uncovers credentials, tokens, and protocol weaknesses, and establishes situational awareness before or during exploitation. === Common Techniques === Capturing raw packets with promiscuous or monitor mode interfaces Filtering traffic by IP, port, or protocol to isolate valuable data Reassembling TCP streams to read clear-text credentials Following unencrypted protocols (HTTP, Telnet, SMTP, FTP) for rapid intel Leveraging port mirroring, SPAN, or hub-based topologies for full-duplex capture Decrypting TLS when private keys or session secrets are available Extracting files, images, and VoIP calls directly from packet flows === Tools === * [[Wireshark]] (GUI packet analyzer with deep protocol dissection) * [[tcpdump]] (lightweight CLI sniffer for scripted captures) * [[tshark]] (Wireshark’s CLI engine for remote or headless use) * [[Bettercap]] (modular MITM framework with live packet capture) * [[Zeek]] (formerly Bro; network security monitor that logs and scripts traffic events) * [[Scapy]] (Python library for custom packet crafting and sniffing) * [[pcapplus]]-based scripts (custom automation around libpcap) == Spoofing == Spoofing forges network identity to redirect traffic, hijack sessions, or bypass access controls. By masquerading as trusted hosts or infrastructure, an operator gains man-in-the-middle positions, network access, and lateral movement capability. === Common Techniques === * MAC spoofing to bypass wireless MAC filtering or port-based NAC * ARP cache poisoning to position a MITM node inside switched LANs * DNS spoofing to deliver malicious IPs for trusted domains * IP spoofing in stateless protocols (e.g., UDP) to mask source or trigger reflection * DHCP spoofing for rogue gateway injection and traffic capture * Email header spoofing to improve phishing credibility * LLDP/CDP spoofing to influence network device topology views === Tools === * [[arpspoof]] (classic ARP poisoning utility in dsniff suite) * [[Bettercap]] (real-time ARP, DNS, and DHCP spoofing with interactive console) * [[Ettercap]] (MITM framework supporting ARP, DNS, and SSL stripping) * [[macchanger]] (quick MAC address changer for Linux) * [[Responder]] (rogue SMB/HTTP/MDNS/NBT-NS responder that coerces credential hand-offs) * [[Scapy]] (crafts arbitrary Ethernet/IP packets for advanced spoofing scenarios) * [[hping3]] (raw-packet generator for IP-level spoofing, testing, and DoS research) * [[ip link set / `ifconfig]] (manual MAC spoofing by taking interface down, changing MAC, and bringing it up)
Summary:
Please note that all contributions to HackOps may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
HackOps:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Navigation menu
Personal tools
Not logged in
Talk
Contributions
Create account
Log in
Namespaces
Page
Discussion
English
Views
Read
Edit
Edit source
View history
More
Search
Navigation
Tools
What links here
Related changes
Special pages
Page information