In this practical activity, you will use various tools to perform sniffing attacks.
Prerequisite Knowledge: Basic networking knowledge; Kali Linux
Requirements: Kali + Windows Target (Lab Environment Setup)
Duration: 60+ min
Files: None
Related Videos:
Network Sniffing: Network, or packet, sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device. Packet sniffing allows a person to observe and access the entire network’s traffic from a given point. Sniffing is considered an attack and is performed either via physical access (i.e., to a network port) or through malware.
MAC Flooding: An active sniffing attack that involves flooding the CAM table with fake MAC address and IP pairs until it is full. The switch then acts as a hub, broadcasting packets to all machines on the network, so attackers can sniff the traffic easily.
MACOF: macof sends packets with random MAC and IP addresses to all active machines in the local network. If you are using multiple targets, you will observe the same packets on all target machines.
DSNIFF
If macof is not installed, you will be prompted to install the dsniff suite, which includes macof and other tools. Go through the quick installation process and then run the command above.
Expert Mode
Run Wireshark on both Kali and the Windows 10 target
Use the macof tool to send random IP and MAC addresses to all devices on the network
Compare the Wireshark traffic on both Kali and Windows 10
ARP Spoofing: A technique that falsely associates an attacker's MAC address with the IP address of a legitimate host on the network.
The attacker overloads the switch with a large number of forged ARP responses
The attacker tricks both the switch and host, poisoning their ARP cache
ARP: Address Resolution Protocol (ARP) is a stateless protocol used for resolving IP addresses to machine MAC addresses. The ARP table is used to maintain a correlation between each MAC address and its corresponding IP address.
Expert Mode
In Windows 10, display the ARP table, and note down the MAC address of the router or gateway
Get and note down the MAC address of Kali
Perform ARP Spoofing using arpspoof. Basically, tell the gateway that the client IP address has Kali's MAC address
Note down the MAC address of the gateway during the attack
Stop the attack and note down the MAC address after
In Windows 10, display the ARP table using this command: arp -a
Note down the MAC address of the router or gateway (the IPv4 address would end in .1 or .2)
Get Kali's MAC address using: ip a
Get the IP address of the target machine: nmap -sn 192.168.135.0/24
Perform ARP Spoofing using: sudo arpspoof -t 192.168.135.150 192.168.135.2
Back in Windows 10, display the ARP table during the attack: arp -a
In Kali, stop the attack (Ctrl+C)
Back in Windows 10, display the ARP table after you stopped the attack: arp -a
During the attack, the gateway's MAC changed and became equal to Kali's MAC address. After the attack, it reverts.
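The before/during comparison in the steps above can be automated for detection. The following is an added example, not part of the original lab: it parses two saved arp -a outputs from the Windows machine and flags changed IP-to-MAC bindings and MACs that answer for several IPs. The MAC addresses and Kali's address 192.168.135.128 are constructed sample values.

```python
import re
from collections import defaultdict

# One entry row of Windows `arp -a` output: IPv4 address, MAC, entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)",
    re.I | re.M,
)

def parse_arp(text):
    """Return {ip: mac} for dynamic entries; static broadcast/multicast rows are skipped."""
    return {ip: mac.lower() for ip, mac, kind in ENTRY.findall(text)
            if kind.lower() == "dynamic"}

def changed_bindings(before, after):
    """IPs present in both snapshots whose MAC differs: {ip: (old_mac, new_mac)}."""
    return {ip: (before[ip], after[ip])
            for ip in before.keys() & after.keys() if before[ip] != after[ip]}

def shared_macs(table):
    """MACs answering for more than one IP. Only fires when the spoofing host's
    own IP is also cached; proxy ARP or multi-homed routers can trigger it too."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

# Constructed sample snapshots (MACs and the .128 Kali address are made up).
BEFORE = """
Interface: 192.168.135.150 --- 0x5
  Internet Address      Physical Address      Type
  192.168.135.2         00-50-56-e4-12-34     dynamic
  192.168.135.128       00-0c-29-aa-bb-cc     dynamic
  192.168.135.255       ff-ff-ff-ff-ff-ff     static
"""
DURING = BEFORE.replace("00-50-56-e4-12-34", "00-0c-29-aa-bb-cc")

if __name__ == "__main__":
    before, during = parse_arp(BEFORE), parse_arp(DURING)
    for ip, (old, new) in changed_bindings(before, during).items():
        print(f"ALERT {ip}: MAC changed {old} -> {new}")
    for mac, ips in shared_macs(during).items():
        print(f"ALERT {mac} claimed by {', '.join(ips)}")
```

A changed binding for the gateway address is the stronger signal of the two, since it does not depend on the spoofing host's own entry being in the cache.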