Samer Aoudi
Sniffing Attacks

In this practical activity, you will use various tools to perform sniffing attacks.

Prerequisite Knowledge: Basic networking knowledge; Kali Linux
Requirements: Kali + Windows Target (Lab Environment Setup)
Duration: 60+min
Files: None
Related Videos:

Network Sniffing
Network, or packet, sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device. Packet sniffing allows a person to observe and access the entire network's traffic from a given point. Sniffing is considered an attack and is performed either via physical access (i.e., to a network port) or through malware.
MAC Flooding: An active sniffing attack that involves flooding the switch's CAM table with fake MAC address and IP address pairs until it is full. The switch then acts as a hub by broadcasting packets to all machines on the network, and therefore the attacker can sniff the traffic easily.
MACOF: Macof sends packets with random MAC and IP addresses to all active machines in the local network. If you are using multiple targets, you will observe the same packets on all target machines.
DSNIFF: If macof is not installed, you will be prompted to install the dsniff suite, which includes macof and other tools. Go through the quick installation process and then run the macof command from the task below.
Expert Mode
  1. Run Wireshark on both Kali and the Windows 10 target
  2. Use the macof tool to send random IP and MAC addresses to all devices on the network
  3. Compare the Wireshark traffic on both Kali and Windows 10
Regular Mode
Task in details »
  1. Start Kali and the Windows 10 target
  2. Launch Wireshark on Kali and start capturing packets on the eth0 interface
  3. Launch Wireshark on Windows 10 and start capturing packets on the Ethernet0 interface
  4. Run the following command: sudo macof -i eth0 -n 10
  5. Stop Wireshark capture on both Kali and Windows, and compare the IPv4 traffic
    Wireshark Traffic
    The IPv4 packets on both VMs are exactly the same, since all active machines on the network receive the packets.
ARP Spoofing: A technique in which the attacker associates their own MAC address with the IP address of a legitimate host on the network.
  1. The attacker overloads the switch with a large number of forged ARP responses
  2. The attacker tricks both the switch and the host, poisoning their ARP caches
ARP: Address Resolution Protocol (ARP) is a stateless protocol used for resolving an IP address to a machine's MAC address. The ARP table is used to maintain a correlation between each MAC address and its corresponding IP address.
Expert Mode
  1. In Windows 10, display the ARP table, and note down the MAC address of the router or gateway
  2. Get and note down the MAC address of Kali
  3. Perform ARP Spoofing using arpspoof. Basically, tell the gateway that the client IP address has Kali's MAC address
  4. Note down the MAC address of the gateway during the attack
  5. Stop the attack and note down the MAC address after
  6. What are your observations?
Regular Mode
Task in details »
  1. Start Kali and Windows 10 if not already running
  2. In Windows 10, display the ARP table using this command: arp -a
  3. Note down the MAC address of the router or gateway (the IPv4 address would end in .1 or .2)
  4. Get Kali's MAC address using: ip a
  5. Get the IP address of the target machine: nmap -sn 192.168.135.0/24
  6. Perform ARP Spoofing using: sudo arpspoof -t 192.168.135.150 192.168.135.2
  7. Back in Windows 10, display the ARP table during the attack: arp -a
  8. In Kali, stop the attack (Ctrl+C)
  9. Back in Windows 10, display the ARP table after you stopped the attack: arp -a
    During the attack, the gateway's MAC changed and became equal to Kali's MAC address. After the attack, it reverts back.
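As an added example (not part of this lab page), a small Python detector that checks, over constructed packet records standing in for fields read from a capture, for the two symptoms the tasks above observe: the gateway IP rebinding to another MAC during ARP spoofing, and the burst of distinct source MACs produced by macof. The record format, the MAC addresses and the flood threshold are assumptions made for this example.

```python
# Constructed sample records standing in for fields read from a capture;
# the MAC addresses are made-up placeholders, not values from this lab.
GATEWAY_IP = "192.168.135.2"
GATEWAY_MAC = "00:50:56:00:00:02"
KALI_MAC = "08:00:27:00:00:aa"

SAMPLE = (
    # normal ARP reply: the gateway announces its own MAC
    [{"proto": "arp", "op": "reply", "sender_ip": GATEWAY_IP, "sender_mac": GATEWAY_MAC}]
    # arpspoof-style reply: the gateway IP is now claimed to be at Kali's MAC
    + [{"proto": "arp", "op": "reply", "sender_ip": GATEWAY_IP, "sender_mac": KALI_MAC}]
    # attack stopped: the real gateway reasserts itself and the table reverts
    + [{"proto": "arp", "op": "reply", "sender_ip": GATEWAY_IP, "sender_mac": GATEWAY_MAC}]
    # macof-style burst: IPv4 frames, each from a different random-looking MAC
    + [{"proto": "ip", "src_mac": f"02:00:00:00:{i:02x}:{i:02x}"} for i in range(40)]
)


def arp_binding_changes(records):
    """Return (ip, old_mac, new_mac) each time an ARP reply rebinds an IP.
    The gateway IP flipping to another MAC is what `arp -a` shows during the
    lab's attack; the revert afterwards is reported as well."""
    table, changes = {}, []
    for r in records:
        if r["proto"] != "arp" or r["op"] != "reply":
            continue
        ip, mac = r["sender_ip"], r["sender_mac"].lower()
        if ip in table and table[ip] != mac:
            changes.append((ip, table[ip], mac))
        table[ip] = mac
    return changes


def mac_flood_suspects(records, max_sources=32):
    """Return (distinct source MAC count, flooding?) over IPv4 frames.
    A burst of never-before-seen source MACs is the macof symptom; the
    threshold is an assumption for this sample, not a measured baseline."""
    seen = {r["src_mac"].lower() for r in records if r["proto"] == "ip"}
    return len(seen), len(seen) > max_sources


if __name__ == "__main__":
    for ip, old, new in arp_binding_changes(SAMPLE):
        print(f"ARP rebinding: {ip} {old} -> {new}")
    count, flooding = mac_flood_suspects(SAMPLE)
    print(f"{count} distinct source MACs, flooding={flooding}")
```

In a real deployment the same two checks would be fed from a capture on the segment (or from switch port-security and dynamic ARP inspection logs) rather than from the constructed list.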
Coming soon.
© Samer Aoudi 2005-2024