Sniffing and Evasion Flashcards
From a legal standpoint, sniffing is equivalent to:
Wiretapping
MAC address
Physical (burned-in) address of a network interface: 48 bits long, written as 12 hex characters, usually in six two-character groups separated by colons.
MAC address format
The first 3 bytes are the organizationally unique identifier (OUI), the NIC manufacturer code; the last 3 bytes are unique within that manufacturer code.
NIC must run in this mode to sniff all frames
Promiscuous mode. A packet-capture driver is required: WinPcap (now superseded by Npcap) on Windows, libpcap on Linux.
Collision Domain
All the devices sharing any given transport medium.
Why switches can restrict sniffing
Switches restrict visibility of network conversations by putting each port in its own collision domain, so a NIC in promiscuous mode only sees frames addressed to, or flooded onto, its own port.
Hardware Protocol Analyzers
Fluke, RADCOM, Keysight
Which protocol passes everything in clear text?
TFTP, SNMP prior to v3, NTP, IMAP, POP3 and HTTP all pass credentials and data in clear text.
Address Resolution Protocol (ARP)
Maps IP addresses to MAC addresses. A host broadcasts an ARP_REQUEST for an IP address; the system holding that IP answers with an ARP_REPLY carrying its MAC address.
Display current ARP cache
arp -a
Delete entries from the ARP cache
arp -d * or netsh interface ip delete arpcache (both on Windows)
Technique of spoofing a MAC address
Sending gratuitous ARP replies that announce the attacker's MAC for a target IP, so other hosts update their ARP caches with the forged binding.
Unicast
A packet addressed to a single device
Multicast
A packet addressed to a group of devices
Anycast
A packet addressed to a group of devices, but delivered only to the nearest member in terms of routing distance.
IPv6 link-local address
fe80::/10; equivalent to IPv4 APIPA (169.254.0.0/16)
IPv6 unique local address
fc00::/7; equivalent to private (RFC 1918) IPv4 addresses
IPv6 global addresses
Equivalent to public IPv4 addresses
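The MAC format and IPv6 link-local cards above fit together in practice: a host derives its fe80::/10 address from its MAC by the modified EUI-64 rule (flip the U/L bit of the first byte, insert ff:fe between the OUI and the NIC half). The following is an added example, not part of the original flashcards; the sample MAC and IPv6 addresses in it are constructed for illustration, and the 00:1b:21 prefix is used only as a plausible-looking OUI, not as a claim about any vendor.

```python
import ipaddress
import re


def parse_mac(text):
    """Return the six bytes of a MAC written as 12 hex chars in colon- or hyphen-separated pairs."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def describe_mac(text):
    """Split a MAC into its OUI and NIC halves and decode the two flag bits of the first byte."""
    b = parse_mac(text)
    return {
        "oui": ":".join(f"{x:02x}" for x in b[:3]),     # first 3 bytes: manufacturer code
        "nic": ":".join(f"{x:02x}" for x in b[3:]),     # last 3 bytes: unique within that OUI
        "multicast": bool(b[0] & 0x01),                 # I/G bit set: group address
        "locally_administered": bool(b[0] & 0x02),      # U/L bit set: not a burned-in vendor address
    }


def eui64_link_local(text):
    """Derive the fe80::/10 address a host forms from its MAC (modified EUI-64, RFC 4291)."""
    b = bytearray(parse_mac(text))
    b[0] ^= 0x02                                    # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])  # 64-bit interface identifier
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def classify_ipv6(text):
    """Name the IPv6 scope using the prefixes from the cards: fe80::/10, fc00::/7, else global."""
    addr = ipaddress.IPv6Address(text)
    if addr in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if addr in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    if addr.is_multicast:
        return "multicast"
    if addr.is_global:
        return "global"
    return "other"


if __name__ == "__main__":
    sample = "00:1b:21:aa:bb:cc"   # constructed sample MAC
    print(describe_mac(sample))
    ll = eui64_link_local(sample)
    print(ll, classify_ipv6(str(ll)))
    for a in ("fd12:3456:789a::1", "ff02::1", "2606:4700:4700::1111"):
        print(a, classify_ipv6(a))
```

Note that the U/L flip makes the first group of the derived address read 21b rather than 1b: seeing a `fe80::...ff:fe...` address on the wire therefore reveals the interface's MAC and, through the OUI, usually its vendor, which is why many hosts now use randomized interface identifiers instead.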
Lawful Interception
Process of legally intercepting communications between two or more users for surveillance of telecommunications, VoIP and multiservice networks.
Planning Tool for Resource Integration, Synchronization, and Management (PRISM)
US (NSA) data-collection program for gathering foreign intelligence
Passive sniffing
Plugging in a sniffer and capturing whatever it sees, limited to the sniffer's own collision domain.
Active sniffing
Packet injection, or port spanning (port mirroring) to copy traffic from other collision domains to the sniffer's port. Some switches only allow a mirrored port to receive the copied frames, not to transmit.
MAC flooding
Force a switch's content addressable memory (CAM) table to fill up; once it is full the switch can no longer learn new source addresses and floods frames for unknown destinations out every port, behaving like a hub. A related attack is switch port stealing, where the attacker sends forged frames with the victim's source MAC so the switch rebinds that MAC to the attacker's port.
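The mechanism behind the MAC flooding card is easiest to see with a toy learning switch: a bounded CAM table, normal unicast forwarding while entries are known, and flooding once the table is full. The following simulation is an added example written for this page, not code from the original flashcards; the port numbers, capacity and MAC addresses are constructed, and aging is modelled as a single explicit expiry of every entry rather than a per-entry timer.

```python
class Switch:
    """Toy learning switch with a bounded CAM table (source MAC -> port).

    Frames to a destination MAC that is in the table go out exactly one port; frames
    to an unknown destination (or broadcast) are flooded out every other port. When
    the table is full the switch cannot learn new sources, so hosts whose entries are
    missing are served like they would be by a hub.
    """

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}

    def forward(self, src_mac, dst_mac, in_port):
        """Return the list of egress ports for one frame."""
        if src_mac not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port                      # learn the source if a slot is free
        if dst_mac != self.BROADCAST and dst_mac in self.cam:
            return [self.cam[dst_mac]]                       # known unicast destination
        return [p for p in self.ports if p != in_port]       # unknown or broadcast: flood

    def age_out(self):
        """Simulate the CAM aging timer expiring for every entry (constructed simplification)."""
        self.cam.clear()


def mac_flood(switch, attacker_port, count):
    """Send `count` frames, each from a different bogus (locally administered) source MAC."""
    for i in range(count):
        fake = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        switch.forward(fake, Switch.BROADCAST, attacker_port)


def run_demo():
    """Victim on port 1, server on port 2, attacker on port 3 (all constructed sample values)."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=8)
    victim, server = "00:1b:21:aa:bb:cc", "00:1b:21:dd:ee:ff"

    sw.forward(server, victim, 2)                 # switch learns the server on port 2
    normal = sw.forward(victim, server, 1)        # delivered to port 2 only: attacker sees nothing

    sw.age_out()                                  # entries expire ...
    mac_flood(sw, attacker_port=3, count=1000)    # ... and the attacker refills every slot first
    attacked = sw.forward(victim, server, 1)      # server cannot be relearned: frame is flooded

    return {
        "normal_egress": normal,                  # [2]
        "attacked_egress": attacked,              # [2, 3]: the attacker's port now receives a copy
        "table_full": len(sw.cam) == sw.cam_capacity,
        "victim_learned": victim in sw.cam,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The defensive counterpart is port security (limiting learned MACs per port) or a fixed static CAM entry for critical hosts, both of which remove the attacker's ability to exhaust or race the table.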
ARP poisoning
Also known as ARP spoofing; carried out with gratuitous ARP. The process of maliciously changing the ARP cache on a machine by injecting false IP-to-MAC entries.
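The ARP cards (request/reply, gratuitous ARP, ARP poisoning) describe a 28-byte message and a cache that trusts whatever it hears. The example below, added for this page and not part of the original flashcards, serializes and parses RFC 826 Ethernet/IPv4 ARP bodies, then runs the check a plain ARP cache does not perform: alert when an IP's MAC binding changes. The capture it processes is constructed inline (a legitimate gateway exchange followed by a gratuitous reply from an attacker); all addresses are invented sample values.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    return bytes(int(p, 16) for p in text.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(text):
    return bytes(int(p) for p in text.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialize the 28-byte ARP body for Ethernet/IPv4 (RFC 826), without the Ethernet header."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, oper
    return (header + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


def parse_arp(body):
    """Decode an ARP body (in a captured frame it starts at offset 14, after the Ethernet header)."""
    if len(body) < 28:
        raise ValueError("ARP body too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sender_ip, target_ip = ip_str(body[14:18]), ip_str(body[24:28])
    return {
        "op": op,
        "sender_mac": mac_str(body[8:14]), "sender_ip": sender_ip,
        "target_mac": mac_str(body[18:24]), "target_ip": target_ip,
        # Gratuitous ARP announces the sender's own IP: nobody asked, sender IP == target IP.
        "gratuitous": op == ARP_REPLY and sender_ip == target_ip,
    }


class ArpMonitor:
    """Track IP -> MAC bindings seen in ARP traffic and alert when a binding changes.

    A host's ARP cache simply overwrites the entry with the newest reply, which is
    exactly what ARP poisoning relies on; this monitor keeps the history instead.
    """

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, pkt):
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        prev = self.bindings.get(ip)
        if prev is not None and prev != mac:
            if pkt["gratuitous"]:
                kind = "gratuitous reply"
            elif pkt["op"] == ARP_REPLY:
                kind = "reply"
            else:
                kind = "request"
            self.alerts.append(f"{ip} changed from {prev} to {mac} via {kind}")
        self.bindings[ip] = mac


def sample_capture():
    """Constructed ARP bodies, not real traffic: host asks for the gateway, gateway answers,
    then an attacker sends a gratuitous reply claiming the gateway's IP with its own MAC."""
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:55"
    host_ip, host_mac = "192.168.1.10", "00:11:22:66:77:88"
    attacker_mac = "02:aa:bb:cc:dd:ee"
    return [
        build_arp(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gateway_ip),
        build_arp(ARP_REPLY, gateway_mac, gateway_ip, host_mac, host_ip),
        build_arp(ARP_REPLY, attacker_mac, gateway_ip, BROADCAST_MAC, gateway_ip),
    ]


def run_monitor(bodies=None):
    """Feed a list of ARP bodies through the monitor and return it for inspection."""
    mon = ArpMonitor()
    for body in bodies or sample_capture():
        mon.observe(parse_arp(body))
    return mon


if __name__ == "__main__":
    mon = run_monitor()
    print("bindings:", mon.bindings)
    print("alerts:", mon.alerts)
```

On a real capture the same logic runs over the ARP payload of each frame with EtherType 0x0806; the two indicators worth alerting on are a binding that flips between MACs and one MAC answering for many IPs, both of which tools such as arpwatch report in the same way.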