Sniffing is a straightforward way to passively obtain a lot of information about the network. You can use it to identify hosts, services, device types, protocols, subnets, IP addresses, and much more. Sniffing particularly takes advantage of cleartext protocols such as TCP, UDP, IP, ARP, ICMP, IGMP, LDAP, SNMP, SMB, FTP, DNS, DHCP, SMTP/POP3/IMAP, telnet, HTTP, TFTP, unsecured versions of SIP, unencrypted routing protocols, and many others. If the traffic is in cleartext, you can extract credentials, capture files and images, read messages, and obtain data meant for other users and machines.
Sniffers such as Wireshark have the ability to re-create entire TCP sessions and capture whole documents and images from the network. Even if the traffic payload is encrypted, you can still extrapolate source and destination addresses and ports, WLAN SSIDs and initialization vectors (encryption key data), and accompanying cleartext messages. If the traffic is encapsulated inside a VPN, you can still see VPN handshakes and outside wrapper IP addresses. Some packets, such as ARP messages, are distinct in structure and easily recognized, even when encrypted. They can still be captured and replayed in chosen ciphertext attacks such as WEP cracking.
Successful sniffing requires two conditions to be true:
- The sniffer's interface must be in promiscuous mode. This means it will pick up all traffic, no matter what the destination MAC is. Otherwise, it would ignore traffic not specifically addressed to it.
- The traffic you want to sniff must directly pass by the sniffer's interface. In other words, the sniffer must be on the same shared network segment as the traffic it is sniffing. This means you cannot sniff remotely!
- If the devices are plugged into a hub, it will be no problem, as a hub will repeat all frames out all ports.
- If the devices are plugged into a switch, you must poison the MAC table of the switch so it will repeat desired traffic out the port the sniffer is connected to.
- If the devices are on a different subnet or VLAN, you must plant a sniffer on that segment and poison the switch's MAC table to repeat the frames to the proper port.
- If the segment is wireless, the sniffer must be within radio range.
- If all of the desired traffic passes through a router, you can compromise the router to forward copies of that traffic to the attacker. Using a simple Generic Routing Encapsulation (GRE) tunnel will allow routers with access to the Internet to forward traffic anywhere in the world.
Eavesdropping
In general usage, eavesdropping is defined as the act of secretly listening to someone else's private conversation. You can be within hearing range of the speaker, though perhaps in a place where they cannot see you, such as behind a door or partition, around the corner, or listening to another telephone extension on the same line. You could also plant a bug somewhere in the room that will transmit what it hears to a receiver some distance away.
In the world of penetration testing, although eavesdropping could include listening in on someone's speech or a telephone conversation, it can also refer to other types of surveillance, including:
- Planting a sniffer on a network.
- Secretly placing a camera or microphone in the room.
- Capturing VoIP packets off the network and replaying them.
- Using your phone to record someone entering a password or PIN across the room.
- Using a WiFi Pineapple or other man-in-the-middle device to capture wireless traffic.
- Using an IMSI-catcher man-in-the-middle device to intercept cell phone calls.