Sniffing & Spoofing

From HackOps
Revision as of 17:45, 17 May 2025 by Vegard (talk | contribs) (Created page with "== Sniffing & Spoofing == Sniffing inspects network traffic in real-time, extracting headers, payloads, and session metadata. It uncovers credentials, tokens, and protocol weaknesses, and establishes situational awareness before or during exploitation. === Common Techniques === Capturing raw packets with promiscuous or monitor mode interfaces Filtering traffic by IP, port, or protocol to isolate valuable data Reassembling TCP streams to read clear-text credentials Fol...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Sniffing & Spoofing

Sniffing inspects network traffic in real-time, extracting headers, payloads, and session metadata. It uncovers credentials, tokens, and protocol weaknesses, and establishes situational awareness before or during exploitation.

Common Techniques

Capturing raw packets with promiscuous or monitor mode interfaces Filtering traffic by IP, port, or protocol to isolate valuable data Reassembling TCP streams to read clear-text credentials Following unencrypted protocols (HTTP, Telnet, SMTP, FTP) for rapid intel Leveraging port mirroring, SPAN, or hub-based topologies for full-duplex capture Decrypting TLS when private keys or session secrets are available Extracting files, images, and VoIP calls directly from packet flows

Tools

Wireshark (GUI packet analyzer with deep protocol dissection) tcpdump (lightweight CLI sniffer for scripted captures) tshark (Wireshark’s CLI engine for remote or headless use) Bettercap (modular MITM framework with live packet capture) Zeek (formerly Bro; network security monitor that logs and scripts traffic events) Scapy (Python library for custom packet crafting and sniffing) pcapplus-based scripts (custom automation around libpcap)

Spoofing

Spoofing forges network identity to redirect traffic, hijack sessions, or bypass access controls. By masquerading as trusted hosts or infrastructure, an operator gains man-in-the-middle positions, network access, and lateral movement capability.

Common Techniques

MAC spoofing to bypass wireless MAC filtering or port-based NAC ARP cache poisoning to position a MITM node inside switched LANs DNS spoofing to deliver malicious IPs for trusted domains IP spoofing in stateless protocols (e.g., UDP) to mask source or trigger reflection DHCP spoofing for rogue gateway injection and traffic capture Email header spoofing to improve phishing credibility LLDP/CDP spoofing to influence network device topology views

Tools

arpspoof (classic ARP poisoning utility in dsniff suite) Bettercap (real-time ARP, DNS, and DHCP spoofing with interactive console) Ettercap (MITM framework supporting ARP, DNS, and SSL stripping) macchanger (quick MAC address changer for Linux) Responder (rogue SMB/HTTP/MDNS/NBT-NS responder that coerces credential hand-offs) Scapy (crafts arbitrary Ethernet/IP packets for advanced spoofing scenarios) hping3 (raw-packet generator for IP-level spoofing, testing, and DoS research)

Retrieved from "https://hackops.wiki/index.php?title=Sniffing_%26_Spoofing&oldid=78"