Unit 4 - Notes

INT244

Unit 4: Sniffers, Social Engineering, Denial of Service

Part 1: Sniffing Attacks and Network Analysis

1. Understanding Sniffers

Network Sniffing involves using software or hardware tools to capture and monitor data flowing over a network. Sniffers allow an individual to view the contents of data packets, including protocols, ports, IP addresses, and potentially sensitive payloads (passwords, messages) if the data is unencrypted.

  • Promiscuous Mode: For a sniffer to operate effectively, the Network Interface Card (NIC) must be set to "Promiscuous Mode." This forces the NIC to pass all traffic it receives to the CPU, not just frames addressed to its specific MAC address.
  • Passive Sniffing: Occurs on hubs. The attacker silently captures data without altering network traffic. It is extremely difficult to detect.
  • Active Sniffing: Occurs on switches. The attacker must inject traffic into the network (e.g., ARP spoofing) to redirect packets to their machine.

2. Using a Sniffer

Sniffing involves three main steps:

  1. Collection: Switching the network interface to promiscuous mode and capturing binary data from the wire.
  2. Conversion: Translating the binary data into readable formats.
  3. Analysis: Filtering and dissecting the protocol headers and payloads to extract meaningful information.

Common Tools:

  • Wireshark: The industry-standard graphical network protocol analyzer. It can decode hundreds of protocols.
  • Tcpdump: A powerful command-line packet analyzer common in Linux/Unix environments.

3. Switched Network Sniffing

Legacy networks used Hubs, which repeated all data to all ports, making sniffing easy. Modern networks use Switches, which operate at Layer 2 (Data Link) and build a CAM (Content Addressable Memory) Table.

  • How Switches Work: The switch maps MAC addresses to physical ports. When a frame arrives, the switch looks up the destination MAC and forwards the frame only to that specific port (Unicast); a destination MAC it has not yet learned is flooded to all ports.
  • The Challenge: A sniffer plugged into Port A cannot see traffic between Port B and Port C.
  • The Solution for Attackers: To sniff a switched network, attackers must force the switch to behave like a hub or redirect traffic through their machine (Man-in-the-Middle).

4. MAC Flooding

MAC Flooding is a brute-force technique used to compromise the security of network switches.

  • Mechanism: The attacker sends a massive volume of fake Ethernet frames with different source MAC addresses to the switch.
  • Goal: To fill up the switch's CAM table storage capacity.
  • Result (Fail-Open): When the CAM table is full, the switch cannot learn new MAC addresses, so it no longer knows which port many destinations sit on. To keep traffic flowing, most switches "fail open" and flood those frames to all ports (acting like a Hub), so the attacker's port now receives other hosts' traffic.
  • Tool: macof (part of the Dsniff suite) is commonly used to generate thousands of random MAC entries per second.
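The fail-open behaviour and its standard countermeasure (port security, a per-port limit on learned MACs) can be seen in a small switch model. This is an added example written for these notes, not course material or vendor code; the switch, its tiny 64-entry table, the port numbers and the MAC addresses are all constructed. Port 1 replays a burst of frames with random source MACs, then two legitimate hosts appear on ports 2 and 3, and the model reports where their unicast frame actually went.

```python
"""Toy Layer-2 switch: why a full CAM table fails open, and how a per-port
MAC limit (port security) bounds the damage.

Added example for these notes, not code from the course or any vendor.
The switch model, table size, port numbers and MAC addresses are constructed.
"""
import random


class Switch:
    """Learns source MACs per ingress port and forwards by destination MAC."""

    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity            # constructed: real tables hold thousands
        self.max_macs_per_port = max_macs_per_port  # port-security limit; None = off
        self.cam = {}                               # mac -> port
        self.disabled_ports = set()                 # ports shut by a port-security violation

    def _macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def receive(self, in_port, src_mac, dst_mac):
        """Handle one frame and return the set of ports it is sent out of."""
        if in_port in self.disabled_ports:
            return set()                            # err-disabled: everything dropped
        if src_mac not in self.cam:
            if (self.max_macs_per_port is not None
                    and self._macs_on_port(in_port) >= self.max_macs_per_port):
                self.disabled_ports.add(in_port)    # violation: shut the port
                return set()
            if len(self.cam) < self.cam_capacity:
                self.cam[src_mac] = in_port
            # else: table full, the new MAC is simply not learned
        out = self.cam.get(dst_mac)
        if out is None:
            # Unknown destination: flood out every other enabled port (hub behaviour).
            return {p for p in self.ports if p != in_port and p not in self.disabled_ports}
        if out == in_port:
            return set()                            # same segment, nothing to forward
        return {out}


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def simulate(burst, max_macs_per_port=None, seed=1):
    """Port 1 emits `burst` frames with random source MACs; then host A (port 2)
    announces itself and host B (port 3) sends A a unicast frame. Returns the
    table size, whether port 1 was shut, and where B's frame was delivered."""
    rng = random.Random(seed)
    sw = Switch(ports=[1, 2, 3], cam_capacity=64, max_macs_per_port=max_macs_per_port)
    host_a, host_b = "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"   # constructed hosts
    for _ in range(burst):
        sw.receive(1, random_mac(rng), random_mac(rng))
    sw.receive(2, host_a, "ff:ff:ff:ff:ff:ff")      # A announces itself (broadcast)
    egress = sw.receive(3, host_b, host_a)          # B -> A should be unicast to port 2
    return {
        "cam_entries": len(sw.cam),
        "port1_disabled": 1 in sw.disabled_ports,
        "b_to_a_egress": sorted(egress),
    }


if __name__ == "__main__":
    print("no port security  :", simulate(5000))
    print("limit 3 MACs/port :", simulate(5000, max_macs_per_port=3))
```

Without a limit, the 64 slots are taken by the burst, A is never learned, and B's frame is flooded to ports 1 and 2, so the sniffer on port 1 sees it. With a limit of three MACs per port, port 1 is disabled after its fourth source address, the table stays small, and B's frame reaches port 2 only.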

5. ARP Poisoning (ARP Spoofing)

Address Resolution Protocol (ARP) resolves IP addresses (Layer 3) to MAC addresses (Layer 2). ARP is stateless and lacks authentication.

  • The Attack: An attacker sends falsified "Gratuitous ARP" messages to the LAN.
  • The Mapping:
    • The attacker tells the Victim: "The Router's IP belongs to My MAC address."
    • The attacker tells the Router: "The Victim's IP belongs to My MAC address."
  • Result: All traffic between the victim and the router flows through the attacker’s machine. This enables Man-in-the-Middle (MitM) attacks, allowing the attacker to read, modify, or drop packets.

6. MAC Spoofing

Every NIC has a unique, hard-coded Media Access Control (MAC) address assigned by the manufacturer.

  • Definition: Changing the MAC address the operating system or driver presents on the wire in order to masquerade as a different device.
  • Purposes:
    1. Bypassing Access Control Lists (ACLs): If a WiFi network only allows specific MAC addresses (whitelisting), an attacker can spoof a valid MAC to gain access.
    2. Anonymity: Making it difficult to trace malicious activity back to the physical hardware.

7. Port Mirroring and SPAN Port

These are legitimate switch features used for network management and intrusion detection, but can be exploited.

  • SPAN (Switched Port Analyzer): A configuration on a switch that copies traffic from one or more ports (or VLANs) and sends it to a designated destination port.
  • Usage: Network administrators connect an IDS (Intrusion Detection System) or a sniffer (like Wireshark) to the SPAN port to troubleshoot or monitor traffic without disrupting the network flow.
  • Security Risk: If an attacker gains physical access to the SPAN port or administrative access to configure it, they can capture all network traffic seamlessly.

8. Detecting Sniffing Attacks

Passive sniffing is nearly undetectable locally. Active sniffing leaves footprints.

  • Ping Method: Send a ping request with the correct IP address but a fake MAC address. If the machine is in promiscuous mode, the OS might still process the packet and reply, whereas a normal machine would drop it at the NIC level.
  • ARP Monitoring: Tools like ARPwatch or XArp monitor the network for duplicate MAC addresses or sudden changes in IP-to-MAC mappings, indicating ARP poisoning.
  • DNS Reverse Lookup: Many sniffers perform reverse DNS lookups to resolve IP addresses to hostnames. A sudden surge in reverse DNS traffic from a single node can indicate a sniffer.
  • Time Domain Reflectometry (TDR): Hardware-based detection of physical taps on the wire (rarely used in standard IT).
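The ARP monitoring described above, and the two-sided mapping from the ARP poisoning section (one attacker MAC answering for both the router's IP and the victim's IP), can be checked with a small watcher over ARP replies. This is an added example written for these notes, not ARPwatch or XArp code; the log lines are constructed in a tcpdump-like style purely to drive the parser, and the regular expression assumes that style.

```python
"""ARP-cache watcher: flags IP-to-MAC changes and one MAC claiming several IPs.

Added example for these notes; not ARPwatch or XArp code. The log lines
are constructed in a tcpdump-like style only to drive the parser.
"""
import re

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+(?:\.\d+){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

SAMPLE_LOG = [  # constructed lines, not a real capture
    "10:00:01 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28",
    "10:00:01 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28",    # gateway
    "10:00:02 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28",   # workstation
    "10:00:03 ARP, Reply 192.168.1.30 is-at 00:11:22:33:44:30, length 28",
    "10:05:10 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",    # gateway IP moves
    "10:05:10 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28",   # same MAC, 2nd IP
    "10:05:11 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28",    # real gateway again
]


class ArpWatcher:
    def __init__(self):
        self.ip_to_mac = {}       # last MAC seen answering for each IP
        self.mac_to_ips = {}      # the set of IPs each MAC currently claims
        self.alerts = []          # (timestamp, kind, detail)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            # The mapping for a known IP changed: poisoning, or a flap back to the
            # real owner while the poisoner keeps re-asserting its claim.
            self.alerts.append((ts, "mapping-change", f"{ip}: {old} -> {mac}"))
            self.mac_to_ips[old].discard(ip)
        self.ip_to_mac[ip] = mac
        claimed = self.mac_to_ips.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1:
            # The MitM signature: one station answering for several hosts,
            # typically the gateway and a victim at the same time.
            self.alerts.append((ts, "multi-ip", f"{mac} claims {sorted(claimed)}"))
        return self.alerts

    def feed(self, lines):
        for line in lines:
            m = ARP_REPLY.match(line)
            if m:                 # requests and unrelated lines are ignored
                self.observe(m["ts"], m["ip"], m["mac"])
        return self.alerts


if __name__ == "__main__":
    for ts, kind, detail in ArpWatcher().feed(SAMPLE_LOG):
        print(ts, kind, detail)
```

On the constructed log the watcher raises two mapping-change alerts when the unknown MAC takes over the gateway and workstation addresses, a multi-ip alert the moment it holds both, and a further mapping-change when the real gateway answers again; that flapping pattern is what distinguishes poisoning from a single legitimate NIC replacement.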

Part 2: Social Engineering

1. What is Social Engineering?

Social Engineering is the art of manipulating people so they give up confidential information. It targets the "Human Firewall," often considered the weakest link in security. It relies on cognitive biases and psychological triggers rather than technical exploits.

Psychological Triggers:

  • Authority: "I am the CEO, do this now."
  • Urgency: "Your account will be locked in 5 minutes."
  • Trust/Likability: Building rapport before asking for data.
  • Fear: Threatening legal action or job loss.

2. Social Engineering Phases

  1. Research (Reconnaissance): Gathering information about the target (Dumpster diving, LinkedIn, company website). Identifying employees and organizational structure.
  2. Hook: Initiating the interaction. Creating a backstory (pretext) to engage the target.
  3. Play: Executing the attack. Manipulating the target to perform the desired action (clicking a link, revealing a password).
  4. Exit: Ending the interaction without raising suspicion and covering tracks.

3. Commonly Employed Threats

  • Phishing: Sending fraudulent emails appearing to be from reputable sources to induce individuals to reveal personal information.
  • Spear Phishing: Highly targeted phishing aimed at a specific individual or organization.
  • Whaling: Phishing attacks targeting high-profile executives (C-suite).
  • Vishing (Voice Phishing): Using the telephone to scam the user into surrendering private information.
  • Smishing (SMS Phishing): Phishing via text message.
  • Dumpster Diving: Searching through trash to find discarded documents (bills, notes, manuals) containing sensitive info.
  • Shoulder Surfing: Looking over someone's shoulder to see their password or screen content.
  • Tailgating/Piggybacking: Following an authorized person into a secure area without their knowledge or consent.
  • Pretexting: Creating an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information.

4. Identity Theft

A crime where an imposter obtains key pieces of PII (Personally Identifiable Information), such as Social Security or driver's license numbers, to impersonate someone else.

  • Financial Identity Theft: Using the identity to obtain credit, goods, or services.
  • Criminal Identity Theft: Posing as another person when apprehended for a crime.
  • Medical Identity Theft: Using another’s identity to obtain medical care or drugs.
  • Synthetic Identity Theft: Combining real (e.g., SSN) and fake information to create a new identity.

Part 3: Denial of Service (DoS)

1. Understanding DoS

A Denial of Service (DoS) attack aims to make a machine or network resource unavailable to its intended users. It does not usually involve theft of data, but rather the disruption of service.

  • Logic: Typically involves one attacker targeting one victim.
  • Crash Attacks: Sending malformed packets to exploit a bug in the target OS, causing it to crash or freeze (e.g., Ping of Death).
  • Flooding Attacks: Saturating the target's bandwidth or resources (CPU/RAM) so it cannot respond to legitimate requests (e.g., SYN Flood).

2. Understanding DDoS

Distributed Denial of Service (DDoS) occurs when multiple compromised systems (forming a Botnet) are used to target a single system.

  • Architecture:
    1. Attacker: The mastermind.
    2. Handler/C&C Server: Command and Control server that issues instructions.
    3. Zombies/Bots: Compromised computers (often IoT devices) infected with malware.
    4. Victim: The target.
  • Amplification Attacks: The attacker sends a small request to a third-party server (like NTP or DNS) with a spoofed source IP (the victim's IP). The server sends a much larger response to the victim, magnifying the bandwidth impact.
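Because the reflector's reply is addressed to a host that never sent a request, amplification traffic has a simple flow-level signature: UDP replies from well-known reflector ports with no matching outbound request in the recent past. The following detector is an added example written for these notes, not code from any IDS product; the flow records (timestamp, source, destination, byte count) and the byte threshold are constructed, and the reflector port list is an assumption chosen to cover the services the notes mention.

```python
"""Flow-level detector for reflected amplification traffic.

Added example for these notes (not from any IDS product). Each record is a
constructed UDP flow summary; the detector keeps a short-lived table of
outbound requests and sums the bytes of inbound replies from reflector
service ports that no local host asked for.
"""
from collections import defaultdict
import ipaddress

# Assumed list of services commonly abused as reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}

# Constructed flow summaries: (ts, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (0, "10.0.0.7", 51000, "198.51.100.53", 53, 60),       # legitimate DNS query
    (1, "198.51.100.53", 53, "10.0.0.7", 51000, 300),      # its 5x larger answer
    (2, "203.0.113.10", 123, "10.0.0.5", 80, 40000),       # NTP replies nobody asked for
    (2, "203.0.113.11", 123, "10.0.0.5", 80, 40000),
    (2, "203.0.113.12", 123, "10.0.0.5", 80, 40000),       # threshold crossed here
    (3, "203.0.113.13", 123, "10.0.0.5", 80, 40000),
]


class AmplificationDetector:
    def __init__(self, local_net, request_ttl=30, alert_bytes=100_000):
        self.local = ipaddress.ip_network(local_net)
        self.request_ttl = request_ttl           # seconds a request keeps its reply "expected"
        self.alert_bytes = alert_bytes           # unsolicited bytes per victim before alerting
        self.pending = {}                        # (local_ip, local_port, remote_ip, remote_port) -> (ts, bytes)
        self.unsolicited = defaultdict(int)      # victim ip -> bytes received without a request
        self.matched = []                        # (local host, service, amplification ratio)
        self.alerted = set()                     # victims already reported

    def _is_local(self, ip):
        return ipaddress.ip_address(ip) in self.local

    def observe(self, ts, src_ip, src_port, dst_ip, dst_port, nbytes):
        # Outbound request to a reflector-capable service: remember it.
        if self._is_local(src_ip) and dst_port in REFLECTOR_PORTS:
            self.pending[(src_ip, src_port, dst_ip, dst_port)] = (ts, nbytes)
            return None
        # Inbound reply from such a service: was it asked for?
        if self._is_local(dst_ip) and src_port in REFLECTOR_PORTS:
            req = self.pending.pop((dst_ip, dst_port, src_ip, src_port), None)
            if req is not None and ts - req[0] <= self.request_ttl:
                self.matched.append((dst_ip, REFLECTOR_PORTS[src_port], nbytes / req[1]))
                return None
            self.unsolicited[dst_ip] += nbytes
            if self.unsolicited[dst_ip] >= self.alert_bytes and dst_ip not in self.alerted:
                self.alerted.add(dst_ip)
                return (dst_ip, REFLECTOR_PORTS[src_port], self.unsolicited[dst_ip])
        return None

    def feed(self, records):
        """Run every record through observe(); return the alerts raised."""
        alerts = []
        for rec in records:
            alert = self.observe(*rec)
            if alert is not None:
                alerts.append(alert)
        return alerts


if __name__ == "__main__":
    det = AmplificationDetector("10.0.0.0/24")
    print("alerts :", det.feed(SAMPLE_FLOWS))
    print("matched:", det.matched)
```

The legitimate query/answer pair is matched and its amplification ratio recorded, while the NTP replies arriving at 10.0.0.5 have no pending request and trip the byte threshold on the third flow. The same request-tracking is what a stateful firewall does to drop unsolicited UDP replies at the edge.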

3. DoS Tools

Tools used to generate high-volume traffic or malformed packets for stress testing or attacking.

  • Hping3: A command-line packet assembler/analyzer. It can send custom TCP/IP packets and is often used for SYN flooding.
  • Nemesis: A command-line packet injection suite.
  • Slowloris: Opens many connections to the target web server and keeps them open as long as possible (sending partial HTTP requests), exhausting the server's concurrent connection pool.
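The server-side answer to Slowloris is a deadline on the whole request head, not just on each read: a connection that has not delivered a complete header block within a few seconds is dropped, so a trickling client cannot hold a worker indefinitely. The reader below is an added example written for these notes, not code from the Slowloris tool or from any web server; it runs a constructed slow client over a local socket pair, and the timeout values are chosen small so the example finishes quickly.

```python
"""Per-connection header deadline: the server-side countermeasure to Slowloris.

Added example for these notes (not code from the Slowloris tool or any web
server). read_request_head() reads an HTTP request head but gives up when the
whole head has not arrived within `head_timeout` seconds or grows past
`max_head` bytes; the client below is constructed to stall mid-header.
"""
import socket
import threading
import time


def read_request_head(conn, head_timeout=5.0, max_head=8192):
    """Return the raw request head (bytes before the blank line), or None if the
    client did not deliver a complete head within the deadline or size cap."""
    deadline = time.monotonic() + head_timeout
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None                     # stalled client: drop the connection
        conn.settimeout(remaining)          # a single read may never outlive the deadline
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return None
        if not chunk:
            return None                     # peer closed before finishing
        buf += chunk
        if len(buf) > max_head:
            return None                     # oversized head is another way to tie up memory
    return buf.split(b"\r\n\r\n", 1)[0]


def start_client(conn, pieces, delay):
    """Constructed client: sends each piece, pausing `delay` seconds between them,
    and then simply keeps the connection open."""
    def _send():
        try:
            for piece in pieces:
                conn.sendall(piece)
                time.sleep(delay)
        except OSError:
            pass                            # server already closed its end
    t = threading.Thread(target=_send, daemon=True)
    t.start()
    return t


def serve_once(pieces, delay, head_timeout):
    """Pair a server socket with the constructed client; return what the server read."""
    server_side, client_side = socket.socketpair()
    try:
        start_client(client_side, pieces, delay)
        return read_request_head(server_side, head_timeout=head_timeout)
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    normal = [b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"]
    trickle = [b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n", b"X-a: b\r\n", b"X-c: d\r\n"]
    print("well-behaved:", serve_once(normal, 0, 1.0))
    print("slowloris   :", serve_once(trickle, 0.3, 0.5))
```

A well-behaved client gets its head parsed immediately; the trickling client, which sends one header line every 0.3 s and never the terminating blank line, is cut off at the 0.5 s deadline. Production servers expose the same control as a configuration knob (for example a header read timeout) alongside a cap on concurrent connections per source address.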

4. DDoS Tools

  • LOIC (Low Orbit Ion Cannon): An open-source network stress testing application. It relies on voluntary participation (each user must download and run it) and is mostly associated with script kiddies.
  • HOIC (High Orbit Ion Cannon): An upgrade to LOIC, capable of using "booster" scripts to randomize traffic and evade detection.
  • Botnets (e.g., Mirai): Malware that scans the internet for IoT devices with default passwords, infects them, and recruits them into a botnet to launch massive volumetric attacks.

5. DoS Pen-Testing Considerations

Testing a system's resilience against DoS requires strict adherence to ethics and safety.

  1. Legal Authorization: Explicit, written permission is mandatory. DoS attacks are illegal in most jurisdictions without consent.
  2. Scope and Timing: Tests should be performed during off-peak hours to minimize impact on real users.
  3. Coordination with ISPs/Cloud Providers: You must inform the hosting provider (e.g., AWS, Azure) and the ISP. If you don't, they will flag the traffic as malicious and block your testing IP.
  4. Controlled Environment: Preferably test in a staging environment (sandbox) rather than production.
  5. Threshold Testing: The goal is often not to crash the system, but to identify the "breaking point" or verify that auto-scaling and mitigation protections (like Cloudflare or AWS Shield) activate correctly.