Sniffing & Spoofing
Latest revision as of 17:50, 17 May 2025
== Sniffing ==
Sniffing inspects network traffic in real-time, extracting headers, payloads, and session metadata. It uncovers credentials, tokens, and protocol weaknesses, and establishes situational awareness before or during exploitation.
=== Common Techniques ===
- Capturing raw packets on an interface in promiscuous mode (wired) or monitor mode (802.11)
- Filtering traffic by IP, port, or protocol (BPF capture filters or post-hoc display filters) to isolate valuable data
- Reassembling TCP streams so clear-text credentials that span segment boundaries or arrive out of order can be read
- Following unencrypted protocols (HTTP, Telnet, SMTP, FTP) for rapid intel
- Leveraging port mirroring, SPAN, or hub-based topologies for full-duplex capture
- Decrypting TLS when session secrets are available: a client-side SSLKEYLOGFILE works for any cipher suite, whereas the server's private key alone only recovers sessions that used RSA key exchange, not forward-secret (ECDHE) sessions
- Extracting files, images, and VoIP calls directly from packet flows
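The filter, reassemble and read-credentials steps above, as an added example that is not part of the original page: a standard-library-only pcap reader that keeps only traffic to TCP port 80, reorders segments by sequence number (dropping a retransmission), and decodes the HTTP Basic credential from the reassembled stream. The capture is constructed inside demo() (addresses, the request and the split point are made up), so it runs offline; the function and constant names are this example's own, not a tool's API.

```python
"""Added example (not from the page): a stdlib-only pcap reader that applies a
port filter, reorders and de-duplicates TCP segments by sequence number, and
pulls clear-text HTTP Basic credentials out of the reassembled stream.
The capture is constructed in demo(); nothing here touches a live interface."""
import base64
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap format, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_HDR = bytes.fromhex("0011223344550066778899aa") + b"\x08\x00"   # dst, src, type=IPv4


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(map(int, addr.split(".")))


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame (PSH+ACK) carrying payload, with valid checksums."""
    src, dst = _ip(src_ip), _ip(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ETH_HDR + ip + tcp


def write_pcap(frames, ts0=1_700_000_000) -> bytes:
    """Serialise frames into an in-memory pcap file (what tcpdump -w would produce)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts0 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(blob: bytes):
    """Yield raw frames from a pcap blob written in the same byte order."""
    magic, = struct.unpack("<I", blob[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24
    while off + 16 <= len(blob):
        _, _, incl_len, _ = struct.unpack("<IIII", blob[off:off + 16])
        off += 16
        yield blob[off:off + incl_len]
        off += incl_len


def parse_frame(frame: bytes):
    """Decode Ethernet -> IPv4 -> TCP; return None for anything else."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                   # protocol 6 = TCP
        return None
    tcp = ip[ihl:total_len]                          # also trims any Ethernet padding
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "payload": tcp[data_off:]}


def reassemble(packets, dport=80):
    """Keep flows towards dport, order each flow's segments by seq, drop retransmits."""
    flows = {}
    for p in packets:
        if p["dport"] != dport:                      # the 'tcp dst port 80' filter step
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        flows.setdefault(key, {})[p["seq"]] = p["payload"]   # same seq twice = retransmission
    return {k: b"".join(segs[s] for s in sorted(segs)) for k, segs in flows.items()}


def extract_basic_auth(stream: bytes):
    """Return decoded user:password pairs from HTTP Basic Authorization headers."""
    return [base64.b64decode(m.group(1)).decode("utf-8", "replace")
            for m in re.finditer(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", stream)]


def demo():
    """Constructed capture: the request is split mid-header, delivered out of
    order, retransmitted once, and mixed with a TLS flow that the filter drops."""
    req = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
           b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n")
    first, second = req[:60], req[60:]               # cut inside 'Authorization:'
    frames = [
        build_tcp_frame("10.0.0.5", "10.0.0.10", 51000, 80, 1000 + len(first), second),
        build_tcp_frame("10.0.0.5", "10.0.0.10", 51000, 80, 1000, first),
        build_tcp_frame("10.0.0.5", "10.0.0.10", 51000, 80, 1000, first),          # retransmit
        build_tcp_frame("10.0.0.5", "10.0.0.10", 51001, 443, 1, b"\x16\x03\x01"),  # TLS, filtered out
    ]
    packets = [p for p in map(parse_frame, read_pcap(write_pcap(frames))) if p]
    return {flow: extract_basic_auth(data) for flow, data in reassemble(packets).items()}


if __name__ == "__main__":
    for flow, creds in demo().items():
        print(flow, creds)
```

Keying segments by sequence number is what makes the credential readable here: a naive per-packet grep would miss the header because it starts in one segment and ends in another, and would see the retransmitted segment twice. Wireshark's "Follow TCP Stream" and tshark's reassembly do the same job, with proper handling of overlaps and the reverse direction, which this sketch omits.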
=== Tools ===
- Wireshark (GUI packet analyzer with deep protocol dissection)
- tcpdump (lightweight CLI sniffer for scripted captures)
- tshark (Wireshark’s CLI engine for remote or headless use)
- Bettercap (modular MITM framework with live packet capture)
- Zeek (formerly Bro; network security monitor that logs and scripts traffic events)
- Scapy (Python library for custom packet crafting and sniffing)
- PcapPlusPlus-based scripts (custom C++ automation around libpcap)
== Spoofing ==
Spoofing forges network identity to redirect traffic, hijack sessions, or bypass access controls. By masquerading as trusted hosts or infrastructure, an operator gains man-in-the-middle positions, network access, and lateral movement capability.
=== Common Techniques ===
- MAC spoofing to bypass wireless MAC filtering or port-based NAC
- ARP cache poisoning to position a MITM node inside switched LANs
- DNS spoofing to deliver malicious IPs for trusted domains
- IP spoofing in stateless protocols (e.g., UDP) to mask the true source or to bounce amplified replies off reflectors onto the spoofed address; blind spoofing of TCP is far harder because the three-way handshake never completes for the forger
- DHCP spoofing for rogue gateway injection and traffic capture
- Email header spoofing to improve phishing credibility
- LLDP/CDP spoofing to influence network device topology views
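ARP cache poisoning from the list above, worked through as an added example that is not part of the original page: build_arp() produces the unsolicited reply a poisoner sends (the gateway's IP in the sender fields beside the attacker's MAC), parse_arp() decodes ARP off the wire, and ArpWatch is the passive check a defender runs against it, flagging replies nobody asked for and IP-to-MAC bindings that flip. All addresses are made up and the frames are constructed in demo(); the class and function names are this example's own, modelled on arpwatch rather than taken from any tool.

```python
"""Added example (not from the page): build the ARP frames a cache-poisoning
tool emits, parse ARP off the wire, and run the passive detection a defender
uses against it. Addresses are made up; frames are constructed in demo()."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(map(int, ip.split(".")))


def ip_str(raw: bytes) -> str:
    return ".".join(map(str, raw))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None) -> bytes:
    """Ethernet frame carrying an Ethernet/IPv4 ARP packet (RFC 826 layout).
    A poisoner sends op=REPLY frames nobody asked for, putting the gateway's IP
    in the sender fields next to its own MAC, so the victim's cache is overwritten."""
    eth = mac_bytes(eth_dst or target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Decode an ARP frame into a dict, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(frame[6:12]),
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class ArpWatch:
    """arpwatch-style passive detector. Three signals, each worth an alert:
    the Ethernet source MAC disagrees with the ARP sender MAC; a reply arrives
    for an IP nobody requested (gratuitous ARP is sometimes legitimate, e.g.
    failover, so treat this as the weaker signal); an IP's MAC binding flips."""

    def __init__(self, known=None):
        self.table = dict(known or {})      # ip -> mac, may be seeded from a known-good list
        self.pending = set()                # IPs requested but not yet answered
        self.alerts = []

    def observe(self, frame: bytes):
        a = parse_arp(frame)
        if a is None or a["sender_ip"] == "0.0.0.0":   # ignore non-ARP and ARP probes
            return
        if a["sender_mac"] != a["eth_src"]:
            self.alerts.append(("src-mismatch", a["sender_ip"], a["eth_src"], a["sender_mac"]))
        if a["op"] == ARP_REQUEST:
            self.pending.add(a["target_ip"])
        elif a["op"] == ARP_REPLY:
            if a["sender_ip"] in self.pending:
                self.pending.discard(a["sender_ip"])
            else:
                self.alerts.append(("unsolicited-reply", a["sender_ip"], a["sender_mac"]))
        prev = self.table.get(a["sender_ip"])
        if prev is not None and prev != a["sender_mac"]:
            self.alerts.append(("flip", a["sender_ip"], prev, a["sender_mac"]))
        self.table[a["sender_ip"]] = a["sender_mac"]   # track the latest claimant either way


def demo():
    """Constructed LAN: the victim resolves the gateway, gets the real answer,
    then the attacker injects an unsolicited reply claiming the gateway's IP."""
    gw_mac, gw_ip = "00:11:22:33:44:01", "192.168.1.1"
    victim_mac, victim_ip = "00:11:22:33:44:02", "192.168.1.20"
    attacker_mac = "de:ad:be:ef:00:01"
    frames = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip, eth_dst=BROADCAST),
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),   # the poison frame
    ]
    watch = ArpWatch()
    for f in frames:
        watch.observe(f)
    return watch.alerts, watch.table


if __name__ == "__main__":
    alerts, table = demo()
    for alert in alerts:
        print(*alert)
```

The same frame that arpspoof or Bettercap would put on the wire is what trips both the "unsolicited-reply" and the "flip" alert here; a real poisoner re-sends it every second or so to beat the gateway's own replies, which makes the flip signal noisy and repeated rather than a single event. Seeding ArpWatch.table from a known-good inventory, or enabling Dynamic ARP Inspection on the switch, turns the detection into prevention.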
=== Tools ===
- arpspoof (classic ARP poisoning utility in dsniff suite)
- Bettercap (real-time ARP, DNS, and DHCP spoofing with interactive console)
- Ettercap (MITM framework supporting ARP, DNS, and SSL stripping)
- macchanger (quick MAC address changer for Linux)
- Responder (answers LLMNR, NBT-NS and mDNS name queries with the attacker's address and serves rogue SMB/HTTP/other listeners that coerce NetNTLM credential hand-offs)
- Scapy (crafts arbitrary Ethernet/IP packets for advanced spoofing scenarios)
- hping3 (raw-packet generator for IP-level spoofing, testing, and DoS research)
- ip link set / ifconfig (manual MAC spoofing: take the interface down, set the new address, bring it back up)