Common Network Attack Strategies: Packet Sniffing
Packet sniffing, a network attack strategy, captures network traffic at the Ethernet frame level. After capture, this data can be analyzed and sensitive information can be retrieved. Such a network attack starts with a tool such as Wireshark. Wireshark allows you to capture and examine data that is flowing across your network. Any data that is not encrypted is readable, and unfortunately, many types of traffic on your network are passed as unencrypted data — even passwords and other sensitive data.
Obviously, this situation represents a danger to your corporate data. Many applications that house corporate data (even those with slick Windows-based GUIs) still use Telnet as the data transfer mechanism. Telnet is a clear text, unencrypted data transfer mechanism. A person with a packet sniffer can view this data as it crosses your network.
The FTP logon data captured behind the FTP window is shown, revealing the user’s password. Knowing your FTP password gives the attacker your level of access to your FTP site and to any secret data that may be there. On top of that, many users use the same password for all systems on the network, so the attacker may now have access to several of your corporate systems.
In addition to capturing cleartext sessions, such as login traffic, an attacker can have an application that captures only specific data from a network, such as network authentication packets, which she then reviews to crack network passwords.
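The same visibility can be turned around to find systems that still send logins in cleartext. The following is an added example, not part of the original article: a Python audit that parses Ethernet/IPv4/TCP frames and reports the FTP and Telnet exposure described above without recording the password itself. The function names, addresses and sample frames are constructed for illustration.

```python
import struct

CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet"}  # the cleartext protocols named above

def parse_frame(frame):
    """Return (src_ip, dst_ip, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # too short, or not IPv4 in Ethernet II
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]  # IP total length drops padding
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(tcp) < 20:
        return None  # not TCP, or truncated
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    return src, dst, dst_port, tcp[(tcp[12] >> 4) * 4:]

def audit(frames):
    """List hosts exposing cleartext logins; the secret is never kept."""
    findings = []
    for src, dst, port, payload in filter(None, map(parse_frame, frames)):
        if port == 21 and payload[:5].upper() == b"PASS ":
            note = "password sent in cleartext"
        elif port == 23 and payload:
            note = "unencrypted session data"
        else:
            continue
        finding = (src, dst, CLEARTEXT_PORTS[port], note)
        if finding not in findings:  # one finding per client/server pair
            findings.append(finding)
    return findings

def build_frame(src, dst, dport, payload):
    """Build a constructed sample frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp + payload

# Constructed sample traffic: an FTP login, a Telnet keystroke, and a TLS hello.
SAMPLE = [build_frame("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\n"),
          build_frame("10.0.0.5", "10.0.0.20", 21, b"PASS example-only\r\n"),
          build_frame("10.0.0.7", "10.0.0.30", 23, b"ls\r\n"),
          build_frame("10.0.0.9", "10.0.0.40", 443, b"\x16\x03\x01")]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Each reported host pair is a candidate for migration to an encrypted equivalent such as SSH or SFTP.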
If you are using a switch-based network, you make packet sniffing a little tougher. On a switch-based network, the sniffer will see only data going to and from the sniffer’s own network device or broadcast traffic, unless the attacker uses a monitoring port on a switch. If you have not secured your switches and your switch configuration documentation with a strong password, you are leaving yourself open to a packet-sniffing attack.
A packet-sniffing attack on a switch-based network happens like this: The attacker connects to a switch and uses information from that switch to locate his own MAC address. The attacker locates his MAC address via show address-database, which lets him know what port the address is seen on.
The attacker can follow the path until he finds the switch to which he is connected. From there, the attacker can enable a monitor port as the port to which he connected. Now he can see all the traffic on that switch and can start a packet capture of data.
Switch security is your network's first line of defense against internal hacking. Switches are the path attackers must go through to get to the rest of your network. If you can keep attackers from connecting or restrict their ability to gain sensitive information, you beat them.