Ruslan Rakhmetov, Security Vision
IT and cybersecurity professionals often hear about sniffers (from the English "to sniff"), but the name itself, the principle of operation and the capabilities of these tools are not entirely clear to many. The confusion is compounded by the fact that attackers use sniffers for their own purposes (carrying out so-called Sniffing and Wiretapping attacks), and that there is also a class of malware called a sniffer (JavaScript Sniffer). In this article we look at what sniffers are and how they are used for both defence and attack.
So, a sniffer, or more precisely a network traffic (network packet) analyser, is a program or device for listening to (capturing), storing and analysing data transmitted over a network. In the simplest case the sniffer software is installed on a host and displays, and writes to a file, the data that host sends and receives over wired and wireless networks. A traffic analyser can also be a complex hardware and software appliance that gains access to the data passing over the network either inline, by being inserted into the link itself (a TAP, Test Access Point), or by receiving a copy of the traffic from a network device (connection to SPAN / RSPAN / ERSPAN ports, also called port mirroring). Such appliances are built to tap wired media (e.g. fibre-optic lines, twisted pair, coaxial cable) and wireless networks (e.g. Wi-Fi, Bluetooth, GSM/LTE/5G), and then either store a full copy of the captured traffic on fast, high-capacity built-in storage for later analysis with built-in tools, or forward it to security tools (e.g. NTA solutions). Most often, however, infosec specialists deal with simpler software traffic analysers, the most popular of which is Wireshark.
Wireshark is a free, cross-platform tool (released under the GPL) that runs on Windows, macOS, Linux and FreeBSD and can also be built from source. It supports protocols used on the Internet, in local networks, in wireless communication (Wi-Fi, Bluetooth, IrDA) and in telephony (VoIP, SS7, PSTN, etc.), can capture data transmitted over Ethernet, WLAN, USB and other interfaces, contains decoders (called "protocol dissectors" by the authors) for more than 3000 protocols at different layers, and can be extended with Lua scripts.
The first version, called Ethereal, was released in 1998; in 2006 the project received its current name Wireshark, and in 2008 the first stable release, Wireshark 1.0, was published and the annual SharkFest conference for developers and users of the product was launched. At the time of writing, the current version of Wireshark is 4.4.0, and the authors are constantly adding new protocol dissectors and improving the functionality and performance of the tool.
The main users of Wireshark are network engineers (finding and fixing problems in data networks), software developers (checking that network protocols are implemented correctly in their software), testers (testing network applications), cybersecurity specialists (detecting network security problems), and anyone who wants to understand how networks work. Before installing and working with Wireshark, first make sure that the applicable legal and corporate regulations allow you to listen to (capture) and record network traffic.

To capture traffic with Wireshark on Windows you need the Npcap library and drivers, which are installed together with Wireshark; the installation requires administrator rights, and without them Wireshark is limited to opening previously saved traffic dumps. Optionally, the Npcap installer can be told to restrict traffic capture to administrators only. On Linux, capturing requires root by default, although the usual practice is to grant the CAP_NET_RAW and CAP_NET_ADMIN capabilities to the dumpcap helper (e.g. via the wireshark group on Debian-based distributions) so that Wireshark itself runs as an unprivileged user.

On a wired network attached through a hub, the network adapter can be switched to promiscuous mode so that frames not addressed to this adapter are not discarded (which widens the traffic available for analysis). In modern switched networks a host sees only its own traffic plus broadcast and multicast, so promiscuous mode on an ordinary access port yields little unless the switch is also subjected to a MAC flooding attack; it is still required, however, when capturing from a SPAN (mirror) port or a TAP, where none of the frames are addressed to the capturing adapter. On a wireless network, if the task is to study or modify traffic circulating in all nearby wireless networks, a wireless adapter supporting monitor mode and packet injection is required.
Another common task is inspecting encrypted web traffic. For Wireshark to see the contents of HTTPS traffic sent from and to the device, follow the vendor's recommendations: set the SSLKEYLOGFILE environment variable in the OS to the path of a log file the browser can create and write, and point Wireshark at the same file (Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename). Browsers that honour the variable (Firefox, Chrome, Edge) write the per-session TLS secrets to it only if the variable was already set when they started, so the browser must be restarted after the variable is created; Wireshark then decrypts the captured sessions, including those protected by TLS 1.3. Only the sessions listed in the file can be decrypted, and only traffic of applications that write to it (other programs have to implement the same mechanism themselves). The log file is exactly the material an intruder needs to decrypt the same HTTPS traffic, so restrict read access to it while working and delete both the environment variable and the file when the analysis is finished.
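To show what actually ends up in the key log (and why handshake-only entries do not let Wireshark decrypt application data), here is an added example that is not part of the original article: a small parser for the NSS key log format that SSLKEYLOGFILE produces. The sample log, the hex values and the 10-line layout are constructed; the label names are the ones the format defines.

```python
"""Inspect an NSS-format TLS key log (the file SSLKEYLOGFILE points at) to see which sessions it exposes.
Added example, not from the original article; the sample log below is constructed."""
import re

# <LABEL> <client_random: 32 bytes hex> <secret: hex>
LINE_RE = re.compile(r"^(?P<label>[A-Z0-9_]+) (?P<client_random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$")
TLS12_LABELS = {"CLIENT_RANDOM"}                                   # master secret: decrypts the whole session
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS13_LABELS = TLS13_APP_LABELS | {"CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                                   "SERVER_HANDSHAKE_TRAFFIC_SECRET", "EXPORTER_SECRET"}


def parse_keylog(text):
    """Group lines by client_random (one TLS session each); return (sessions, malformed line numbers)."""
    sessions, malformed = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            malformed.append(lineno)
            continue
        sessions.setdefault(m["client_random"].lower(), set()).add(m["label"])
    return sessions, malformed


def summarize(sessions):
    """Per session: protocol generation and whether application data (not just the handshake) is decryptable."""
    summary = {}
    for client_random, labels in sessions.items():
        if labels & TLS13_LABELS:
            version = "TLS 1.3"
        elif labels & TLS12_LABELS:
            version = "TLS 1.2 or earlier"
        else:
            version = "unknown"
        # TLS 1.3 needs both application traffic secrets; handshake secrets alone only expose the handshake
        decryptable = bool(labels & TLS12_LABELS) or TLS13_APP_LABELS <= labels
        summary[client_random] = {"version": version, "app_data_decryptable": decryptable,
                                  "labels": sorted(labels)}
    return summary


# Constructed sample: a TLS 1.2 session, a complete TLS 1.3 session, a TLS 1.3 session that only got as far
# as the handshake secrets, and one malformed line (line 10).
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file (constructed sample)",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
    "EXPORTER_SECRET " + "22" * 32 + " " + "ff" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "12" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "34" * 32,
    "CLIENT_RANDOM notahexvalue deadbeef",
])


def demo():
    sessions, malformed = parse_keylog(SAMPLE_KEYLOG)
    return summarize(sessions), malformed


if __name__ == "__main__":
    for cr, info in demo()[0].items():
        print(cr[:16], info["version"], "app data decryptable:", info["app_data_decryptable"])
```

Each line is a secret for one session only; the file never contains the server's private key, which is why deleting it after the analysis closes the exposure for future sessions but not for captures taken while it existed.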
If Wireshark is configured correctly, you will see the detailed network activity of your device, and the extensive functionality of capture and display filters, search, stream following (Follow TCP/UDP/TLS Stream) and object export will help you understand the nuances of how various network protocols, applications, operating systems and network devices operate and how secure they are. Readers can try their hand at analysing samples of real traffic published as pcap / pcapng files that open in Wireshark:
Common Traffic Samples:
https://wiki.wireshark.org/SampleCaptures
https://www.netresec.com/?page=PcapFiles
https://weberblog.net/the-ultimate-pcap/
Traffic samples with network attack artefacts and malware:
https://github.com/chrissanders/packets
https://github.com/sbousseaden/PCAP-ATT
https://github.com/markofu/pcaps/
https://github.com/elcabezzonn/Pcaps
https://www.malware-traffic-analysis.net/index.html
Traffic samples collected in ICS, SCADA and OT infrastructure segments:
https://github.com/ITI/ICS-Security-Tools/tree/master/pcaps
https://github.com/automayt/ICS-pcap/
https://github.com/EmreEkin/ICS-Pcaps/
Of course, besides Wireshark there are other useful free tools for working with network traffic, for example:
- tcpdump - a command-line utility available in most Linux distributions (as well as BSD and macOS) that captures, filters and saves network traffic in pcap files readable by Wireshark;
- pktmon (Packet Monitor) - a utility built into modern Microsoft Windows versions for diagnosing network connections; it captures traffic into an ETL trace that the pktmon etl2pcap command converts into a pcapng file readable by Wireshark;
- Telerik Fiddler Classic - a tool for debugging and detecting security problems in web applications, with support for decrypting HTTPS traffic through the implementation of MitM inspection using a root certificate installed in the OS;
- HTTP Toolkit - a tool for capturing, analysing, editing HTTP/HTTPS traffic.
Methods of capturing, intercepting, redirecting, analysing and decrypting network traffic are also actively used by attackers, often with the same tools as IT and infosec specialists. Attacks built on intercepting and spoofing network traffic are referred to as Sniffing and Wiretapping attacks. Let's look at several examples:
1. ARP spoofing (or ARP cache poisoning) - an attack that overwrites entries in the ARP table (which maps IP addresses to MAC addresses of devices on the local network) by sending unsolicited ARP replies that bind the attacked IP address (e.g. the IP address of the default gateway) to the MAC address of the attacker's NIC. As a result, hosts on the segment start sending frames destined for the gateway to the attacker's host, who can analyse the segment's traffic and launch further MitM attacks. The simplest defence is static ARP entries on hosts (e.g. hard-coding the mapping of the gateway's IP address to its MAC address); on managed switches, Dynamic ARP Inspection (usually built on DHCP Snooping bindings) drops ARP packets whose IP/MAC binding does not match what the switch has learned.
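The pcap files listed above and the ARP spoofing just described can be tied together in a few dozen lines. The following is an added example, not code from the original article or from the Wireshark project: it writes a classic libpcap capture in memory (the same format tcpdump and Wireshark read), parses it back, and flags ARP replies that re-map a trusted IP address or change the MAC previously seen for any other address. All MAC and IP addresses are constructed; the trusted gateway mapping stands in for what an administrator would pin statically.

```python
"""Parse a classic (libpcap) capture and flag ARP replies that re-map a known IP address.
Added example, not from the original article: the capture is constructed in memory."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REPLY = 2
PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (exactly what an ARP spoofer sends to its victim)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # htype Ethernet, ptype IPv4, hlen 6, plen 4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def build_pcap(frames, first_ts=1_700_000_000):
    """Serialise frames as a little-endian pcap v2.4 file: global header + (record header, frame) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame))  # ts_sec, ts_usec, incl_len, orig_len
        out += frame
    return out


def iter_pcap(data):
    """Yield (timestamp, frame bytes) from a classic pcap buffer, honouring the magic number's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is supported")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/ARP-over-IPv4 frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": oper, "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


def detect_arp_spoofing(pcap_bytes, trusted):
    """trusted: {ip: mac} pinned by the administrator. Flags replies contradicting it, and IP->MAC changes."""
    seen, alerts = defaultdict(set), []
    for ts, frame in iter_pcap(pcap_bytes):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        ip, mac = arp["spa"], arp["sha"]
        if ip in trusted and trusted[ip] != mac:
            alerts.append(f"{ts}: trusted host {ip} claimed by {mac}, expected {trusted[ip]}")
        elif ip not in trusted and seen[ip] and mac not in seen[ip]:
            # a MAC change can also be a legitimate DHCP re-assignment; treat as a lead, not proof
            alerts.append(f"{ts}: {ip} changed from {sorted(seen[ip])} to {mac}")
        seen[ip].add(mac)
    return alerts


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"        # constructed trusted mapping
VICTIM_MAC, ATTACKER_MAC = "aa:bb:cc:00:00:20", "66:66:66:66:66:66"


def demo_alerts():
    frames = [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.20"),          # legitimate gateway reply
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.20"),         # poisoned: gateway -> attacker
        build_arp_reply("aa:bb:cc:00:00:30", "192.168.1.30", GATEWAY_MAC, GATEWAY_IP),  # host .30 answers gateway
        build_arp_reply(ATTACKER_MAC, "192.168.1.30", GATEWAY_MAC, GATEWAY_IP),        # .30 re-mapped to attacker
    ]
    return detect_arp_spoofing(build_pcap(frames), {GATEWAY_IP: GATEWAY_MAC})


if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

The same logic runs unchanged on a real file: replace the constructed buffer with the bytes of a capture taken on the segment (Wireshark's own "arp.duplicate-address-detected" expert info performs a similar check).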
2. MAC flooding - an attack that overflows the switch's MAC address table (CAM table), after which the switch may fall back to forwarding frames with unknown destinations out of all ports (effectively the fail-open behaviour of a hub). Protection is the Port Security mechanism (limiting the number of MAC addresses learned per port) and/or link-layer device authentication with IEEE 802.1X.
3. DHCP Spoofing / DHCP Starvation - attacks on the DHCP protocol in which an attacker first exhausts the address pool of the legitimate DHCP server by requesting leases for a large number of spoofed client MAC addresses (DHCP Starvation, literally "starving" the server), then introduces a rogue DHCP server into the corporate network and, on behalf of this "new" server, supplies clients with false parameters (a fake DNS server IP address, a fake default gateway IP address) to mount further MitM attacks. The defence is DHCP Snooping, which accepts DHCP server messages (DHCPOFFER and DHCPACK) only on switch ports explicitly marked as trusted and can rate-limit DHCP requests on the remaining ports.
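Both halves of this attack leave a signature in a capture: OFFER/ACK messages whose Server Identifier option is not one of the known servers, and a burst of DISCOVERs from many client MACs that never existed before. The following is an added example, not from the original article: it builds raw DHCP messages (the BOOTP header plus options, as carried in UDP 67/68), parses them, and audits them against an allow-list. Addresses, the trusted server and the starvation threshold of 50 distinct clients are constructed values that a real deployment would tune.

```python
"""Audit DHCP traffic for a rogue server and for address-pool starvation.
Added example, not from the original article: all messages are constructed in memory."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255


def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_dhcp(msg_type, xid, client_mac, yiaddr="0.0.0.0", server_id=None, router=None, dns=None):
    """BOOTP fixed header (236 bytes) + magic cookie + options."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2          # BOOTREQUEST / BOOTREPLY
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)    # op, htype=Ethernet, hlen=6, hops, xid, secs, flags
    hdr += ip_bytes("0.0.0.0") + ip_bytes(yiaddr) + ip_bytes("0.0.0.0") + ip_bytes("0.0.0.0")  # ciaddr yiaddr siaddr giaddr
    hdr += chaddr + bytes(64) + bytes(128)                    # chaddr(16), sname(64), file(128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in ((OPT_SERVER_ID, server_id), (OPT_ROUTER, router), (OPT_DNS, dns)):
        if value:
            opts += bytes([code, 4]) + ip_bytes(value)
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


def parse_dhcp(payload):
    """Return header fields and a {code: raw value} option map, or None if this is not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg = {"op": op, "xid": xid, "yiaddr": ip_str(payload[16:20]),
           "chaddr": ":".join(f"{x:02x}" for x in payload[28:28 + hlen]), "options": {}}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def audit_dhcp(messages, trusted_servers, expected_router, starvation_threshold=50):
    """messages: iterable of (timestamp, raw DHCP payload). Returns human-readable alerts."""
    alerts, discover_clients = [], set()
    for ts, payload in messages:
        m = parse_dhcp(payload)
        if m is None:
            continue
        mtype = m["options"].get(OPT_MSG_TYPE, b"\x00")[0]
        if mtype == DISCOVER:
            discover_clients.add(m["chaddr"])                  # starvation tools cycle through fake MACs
        elif mtype in (OFFER, ACK):
            server = ip_str(m["options"].get(OPT_SERVER_ID, b"\x00" * 4))
            router = ip_str(m["options"].get(OPT_ROUTER, b"\x00" * 4))
            dns = ip_str(m["options"].get(OPT_DNS, b"\x00" * 4))
            if server not in trusted_servers:
                alerts.append(f"{ts}: rogue DHCP server {server} offered {m['yiaddr']} to {m['chaddr']} "
                              f"(router {router}, DNS {dns})")
            elif router != expected_router:
                alerts.append(f"{ts}: trusted server {server} handed out unexpected router {router}")
    if len(discover_clients) > starvation_threshold:
        alerts.append(f"possible DHCP starvation: {len(discover_clients)} distinct client MACs sent DISCOVER")
    return alerts


def demo_alerts():
    ts = 1_700_000_000
    msgs = [
        (ts, build_dhcp(DISCOVER, 0x1001, "aa:bb:cc:00:00:20")),
        (ts + 1, build_dhcp(OFFER, 0x1001, "aa:bb:cc:00:00:20", yiaddr="192.168.1.20",        # legitimate
                            server_id="192.168.1.1", router="192.168.1.1", dns="192.168.1.1")),
        (ts + 1, build_dhcp(OFFER, 0x1001, "aa:bb:cc:00:00:20", yiaddr="192.168.1.200",       # rogue: MitM gateway/DNS
                            server_id="192.168.1.66", router="192.168.1.66", dns="192.168.1.66")),
    ]
    # starvation: a burst of DISCOVERs from fabricated client MACs
    msgs += [(ts + 2, build_dhcp(DISCOVER, 0x2000 + i, f"de:ad:be:ef:{i >> 8:02x}:{i & 0xFF:02x}"))
             for i in range(60)]
    return audit_dhcp(msgs, trusted_servers={"192.168.1.1"}, expected_router="192.168.1.1")


if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

Correlating each OFFER's xid with the DISCOVER it answers (both are 0x1001 above) tells you which client was targeted; a rogue OFFER that races the legitimate one is the usual sign that DHCP Snooping is not enabled on the access ports.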
4. VLAN Hopping / VLAN double tagging / VLAN double encapsulation - attacks on VLAN (virtual local area network) technology that let an attacker bypass the restriction on access to the traffic of other VLANs, for example by negotiating a trunk with the switch or by sending frames with two 802.1Q tags, the outer of which matches the native VLAN of a trunk. Protection is a matter of switch configuration: disable dynamic trunk negotiation (DTP / auto trunking) on access ports, do not use the default VLAN 1 for user traffic, and move the native VLAN of trunks to an otherwise unused VLAN ID (e.g. 999).
5. DNS spoofing (or DNS cache poisoning) - an attack that exploits the absence of authentication in classic DNS and its use of UDP: a resolver accepts a response if its 16-bit transaction ID, ports and question section match an outstanding query. An attacker who can guess or observe these values feeds a caching (local, recursive) DNS server a forged mapping of the requested site's name to the IP address of a server under the attacker's control, where a MitM attack is carried out (malicious scripts are injected, credentials are stolen, false information is displayed). Recursive resolvers defend themselves with source-port randomisation and strict matching of responses to queries; DNSSEC adds cryptographic authentication of the records themselves, while DNSCrypt, DNS-over-TLS and DNS-over-HTTPS protect the path between the client and its resolver from eavesdropping and tampering. In addition, website owners can protect their visitors with HSTS (HTTP Strict Transport Security), which forces browsers to use HTTPS, and Certificate Transparency, which makes publicly trusted certificates auditable and has replaced the HTTP Public Key Pinning (HPKP) approach in browsers, so a spoofed DNS answer alone does not let an attacker impersonate a site without also obtaining a valid certificate. As is often the case, technologies aimed at protecting user privacy complicate traffic analysis for cybersecurity purposes: authorised TLS inspection by network security tools relies on a corporate CA installed on endpoints (browsers exempt certificates chaining to such locally trusted roots from Certificate Transparency enforcement, but applications with hard-coded certificate pinning still break), DNS-over-TLS and DNS-over-HTTPS hide DNS queries from network IDS/IPS, and attackers hide malicious payloads, malware control commands and stolen data inside encrypted DNS traffic.
6. Malicious content injection - attacks that let attackers exploit browser vulnerabilities, deliver malware, "spoof" website traffic, and steal account and bank card data. Content can be injected into web traffic in transit if the attacker eavesdrops on the network and is able to insert data, for example after a successful ARP spoofing or DNS spoofing attack, while the user visits plain HTTP resources or the site is poorly configured: HTTPS is not enforced, HSTS is missing, the site does not make proper use of browser protections such as the Same Origin Policy (SOP), CORS (Cross-Origin Resource Sharing) and CSP (Content Security Policy), or it loads third-party elements (scripts, images, web forms) over insecure HTTP (mixed content).
Malicious content injection is also carried out by attackers who have compromised a website and obtained the rights to modify its code. In that case they inject into the site's pages malicious content that tries to "break into" visitors' browsers (i.e. exploit one or more browser vulnerabilities using an exploit kit), "spoof" traffic or visitor counts on third-party sites, trick the user into downloading and running malware (e.g. by displaying a fake message about an outdated browser version and offering to download and run a malicious file), or steal data from web forms where users enter their credentials (logins, passwords, one-time codes) or bank card details. Malware of this last type is called a JavaScript Sniffer (also known as a web skimmer, as in the Magecart campaigns): it embeds itself in compromised sites and sends the information users enter in web forms to the attackers, which is especially dangerous for the websites of banks, payment systems and payment gateways, marketplaces, travel agencies, transport and insurance companies, which process huge volumes of personal data and payment information.
7. Attacks on wireless networks are a whole class of attacks carried out by attackers within radio range of the wireless networks of companies, hotels, cafes and individuals, including:
7.1. Evil twin - the attacker sets up a fake copy of an access point (or Wi-Fi router); devices running some OS versions will connect to the fake wireless network as long as only the network name (SSID) matches the real access point, even though the MAC address (BSSID) of the fake access point differs from that of the real one. All network traffic of a user connected to the fake AP is available to the attackers for viewing and analysis, and they will try to launch further MitM attacks to steal user credentials (logins/passwords) and inject malicious scripts into the pages shown to the user, especially if the websites visited do not use HSTS, SOP, CORS, CSP and Certificate Transparency and the user ignores browser warnings about certificate problems and/or the insecurity of the visited page. In addition, under the pretext of registering the user on the Wi-Fi network (ostensibly to meet the requirements for providing communication services and identifying Wi-Fi users in public places imposed by Russian Government Resolutions No. 2606 and 2607), attackers can set up a Captive portal that, on first connection, asks for the user's phone number, passport details, social-network login/password, or an SMS code from the Gosuslugi (State Services) portal, ostensibly to "identify the user"; all of this data ends up in the attackers' hands. Attackers can also trick users of Apple devices into installing fake configuration profiles or MDM enrollment profiles for iOS, ostensibly so that the gadget works correctly on the public Wi-Fi network; such a profile can install the attackers' root certificate, proxy and VPN settings, and an MDM enrollment lets them manage the device remotely.
7.2 Exploiting weaknesses in Wi-Fi security technologies - attackers break into wireless networks protected by WEP (the network key is recovered trivially because of the weak cryptographic scheme) or by WPA/WPA2 with a pre-shared key (the PMKID attack captures key material from the first handshake message for offline password cracking, while the KRACK key-reinstallation attack lets an attacker replay and, in some cases, decrypt frames without knowing the password).
7.3 War driving - driving (or walking) around with a Wi-Fi adapter to discover and map wireless networks, identifying weakly protected ones for later unauthorised connection.
7.4. War shipping - sending an attack device (e.g. a Raspberry Pi or Flipper Zero) to the office of the targeted company by post or courier; such devices can also be covertly planted in meeting rooms or areas open to visitors (reception, lobby, hall).
7.5. Bluetooth attacks: BlueSnarfing (unauthorised access to device data via early versions of the Bluetooth protocol), BlueJacking (sending unwanted or abusive messages via Bluetooth), BlueSmack (a Bluetooth DoS attack), BlueBorne (exploiting a set of vulnerabilities to execute code remotely and leak information via Bluetooth on Android, iOS, Linux and Windows), BlueDucky (injecting keystrokes as an emulated Bluetooth keyboard without the user's knowledge), BLUFFS (breaking the Bluetooth session encryption key to inject malicious traffic and decrypt intercepted messages between devices), and several others.
To protect Wi-Fi networks, use equipment that supports the current WPA3 security standard, authenticate devices with certificates via IEEE 802.1X/EAP (EAP-TLS, i.e. WPA2/WPA3-Enterprise) when they join the wireless network, enable client (AP) isolation so that wireless clients cannot communicate with each other directly, and, as a basic hygiene measure only, filter the MAC addresses of connecting devices, bearing in mind that MAC addresses are trivially spoofed and filtering does not stop a determined attacker.