Sniffing & Spoofing: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
== Sniffing | == Sniffing == | ||
Sniffing inspects network traffic in real-time, extracting headers, payloads, and session metadata. It uncovers credentials, tokens, and protocol weaknesses, and establishes situational awareness before or during exploitation. | Sniffing inspects network traffic in real-time, extracting headers, payloads, and session metadata. It uncovers credentials, tokens, and protocol weaknesses, and establishes situational awareness before or during exploitation. | ||
| Line 14: | Line 14: | ||
=== Tools === | === Tools === | ||
[[Wireshark]] (GUI packet analyzer with deep protocol dissection) | * [[Wireshark]] (GUI packet analyzer with deep protocol dissection) | ||
[[tcpdump]] (lightweight CLI sniffer for scripted captures) | * [[tcpdump]] (lightweight CLI sniffer for scripted captures) | ||
[[tshark]] (Wireshark’s CLI engine for remote or headless use) | * [[tshark]] (Wireshark’s CLI engine for remote or headless use) | ||
[[Bettercap]] (modular MITM framework with live packet capture) | * [[Bettercap]] (modular MITM framework with live packet capture) | ||
[[Zeek]] (formerly Bro; network security monitor that logs and scripts traffic events) | * [[Zeek]] (formerly Bro; network security monitor that logs and scripts traffic events) | ||
[[Scapy]] (Python library for custom packet crafting and sniffing) | * [[Scapy]] (Python library for custom packet crafting and sniffing) | ||
[[pcapplus]]-based scripts (custom automation around libpcap) | * [[pcapplus]]-based scripts (custom automation around libpcap) | ||
== Spoofing == | == Spoofing == | ||
| Line 27: | Line 28: | ||
=== Common Techniques === | === Common Techniques === | ||
MAC spoofing to bypass wireless MAC filtering or port-based NAC | * MAC spoofing to bypass wireless MAC filtering or port-based NAC | ||
ARP cache poisoning to position a MITM node inside switched LANs | * ARP cache poisoning to position a MITM node inside switched LANs | ||
DNS spoofing to deliver malicious IPs for trusted domains | * DNS spoofing to deliver malicious IPs for trusted domains | ||
IP spoofing in stateless protocols (e.g., UDP) to mask source or trigger reflection | * IP spoofing in stateless protocols (e.g., UDP) to mask source or trigger reflection | ||
DHCP spoofing for rogue gateway injection and traffic capture | * DHCP spoofing for rogue gateway injection and traffic capture | ||
Email header spoofing to improve phishing credibility | * Email header spoofing to improve phishing credibility | ||
LLDP/CDP spoofing to influence network device topology views | * LLDP/CDP spoofing to influence network device topology views | ||
=== Tools === | === Tools === | ||
[[arpspoof]] (classic ARP poisoning utility in dsniff suite) | * [[arpspoof]] (classic ARP poisoning utility in dsniff suite) | ||
[[Bettercap]] (real-time ARP, DNS, and DHCP spoofing with interactive console) | * [[Bettercap]] (real-time ARP, DNS, and DHCP spoofing with interactive console) | ||
[[Ettercap]] (MITM framework supporting ARP, DNS, and SSL stripping) | * [[Ettercap]] (MITM framework supporting ARP, DNS, and SSL stripping) | ||
[[macchanger]] (quick MAC address changer for Linux) | * [[macchanger]] (quick MAC address changer for Linux) | ||
[[Responder]] (rogue SMB/HTTP/MDNS/NBT-NS responder that coerces credential hand-offs) | * [[Responder]] (rogue SMB/HTTP/MDNS/NBT-NS responder that coerces credential hand-offs) | ||
[[Scapy]] (crafts arbitrary Ethernet/IP packets for advanced spoofing scenarios) | * [[Scapy]] (crafts arbitrary Ethernet/IP packets for advanced spoofing scenarios) | ||
[[hping3]] (raw-packet generator for IP-level spoofing, testing, and DoS research) | * [[hping3]] (raw-packet generator for IP-level spoofing, testing, and DoS research) | ||
* | * [[ip link set / `ifconfig]] (manual MAC spoofing by taking interface down, changing MAC, and bringing it up) | ||
Latest revision as of 17:50, 17 May 2025
Sniffing
Sniffing inspects network traffic in real-time, extracting headers, payloads, and session metadata. It uncovers credentials, tokens, and protocol weaknesses, and establishes situational awareness before or during exploitation.
Common Techniques
Capturing raw packets with promiscuous or monitor mode interfaces Filtering traffic by IP, port, or protocol to isolate valuable data Reassembling TCP streams to read clear-text credentials Following unencrypted protocols (HTTP, Telnet, SMTP, FTP) for rapid intel Leveraging port mirroring, SPAN, or hub-based topologies for full-duplex capture Decrypting TLS when private keys or session secrets are available Extracting files, images, and VoIP calls directly from packet flows
Tools
- Wireshark (GUI packet analyzer with deep protocol dissection)
- tcpdump (lightweight CLI sniffer for scripted captures)
- tshark (Wireshark’s CLI engine for remote or headless use)
- Bettercap (modular MITM framework with live packet capture)
- Zeek (formerly Bro; network security monitor that logs and scripts traffic events)
- Scapy (Python library for custom packet crafting and sniffing)
- pcapplus-based scripts (custom automation around libpcap)
Spoofing
Spoofing forges network identity to redirect traffic, hijack sessions, or bypass access controls. By masquerading as trusted hosts or infrastructure, an operator gains man-in-the-middle positions, network access, and lateral movement capability.
Common Techniques
- MAC spoofing to bypass wireless MAC filtering or port-based NAC
- ARP cache poisoning to position a MITM node inside switched LANs
- DNS spoofing to deliver malicious IPs for trusted domains
- IP spoofing in stateless protocols (e.g., UDP) to mask source or trigger reflection
- DHCP spoofing for rogue gateway injection and traffic capture
- Email header spoofing to improve phishing credibility
- LLDP/CDP spoofing to influence network device topology views
Tools
- arpspoof (classic ARP poisoning utility in dsniff suite)
- Bettercap (real-time ARP, DNS, and DHCP spoofing with interactive console)
- Ettercap (MITM framework supporting ARP, DNS, and SSL stripping)
- macchanger (quick MAC address changer for Linux)
- Responder (rogue SMB/HTTP/MDNS/NBT-NS responder that coerces credential hand-offs)
- Scapy (crafts arbitrary Ethernet/IP packets for advanced spoofing scenarios)
- hping3 (raw-packet generator for IP-level spoofing, testing, and DoS research)
- ip link set / `ifconfig (manual MAC spoofing by taking interface down, changing MAC, and bringing it up)