Sniffing


Sniffing.  Sniffing is the act of monitoring traffic that passes through a network or device.  Sniffing can make use of software and/or hardware.  Some consider it to be a more passive attack, but it really requires at least some active penetration of a system.  The results of sniffing are almost always intended to pave the way for more elaborate and invasive attacks.

A sniffer is a hardware and/or software technology that allows a device to monitor all of the packets that pass by/through the device.  This includes both wired and wireless traffic.  When a device is listening to all the traffic that passes by/through it, the device is said to be in promiscuous mode.

Since it was first created, TCP/IP has made quite a few assumptions about the people using it to communicate in networks.  Some call these friendly assumptions, in that they assume users will abide by certain standards.  The validity of these assumptions was probably at least somewhat naive even in the environment in which they were first developed, academics interacting with US military establishments.  But they have persisted through IPv4.  They are being replaced with more secure standard operations in IPv6.  But IPv6 is still not very widespread.

Normally a network device that is connected to a network is configured to ignore all of the traffic/packets that are not intended to be observed by the user of the device.  It is not that difficult to reconfigure many network interfaces to get them to monitor more or all of the traffic moving by the device.
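An added example (not part of the original notes): a small Linux check an administrator can run to find which local interfaces are currently in promiscuous mode. It parses the output of `ip -o -d link show` (assumed available, from iproute2); it looks at both the PROMISC flag, which only appears when promiscuity was set administratively, and the `promiscuity` counter, which also counts sniffers that requested promiscuous mode through a packet socket.

```python
import re
import subprocess

# One record per line, as printed by `ip -o -d link show` on Linux.
RECORD_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)[^:]*:\s+<(?P<flags>[^>]*)>")
PROMISCUITY_RE = re.compile(r"\bpromiscuity\s+(\d+)")

def promiscuous_interfaces(ip_link_output):
    """Return the names of interfaces that are listening promiscuously.

    An interface counts if its flag list contains PROMISC (set administratively,
    e.g. `ip link set eth0 promisc on`) OR its promiscuity counter is non-zero
    (incremented when a sniffer such as tcpdump opens a packet socket in
    promiscuous mode; that case does not raise the PROMISC flag).
    """
    found = []
    for line in ip_link_output.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        flags = m.group("flags").split(",")
        counter = PROMISCUITY_RE.search(line)
        count = int(counter.group(1)) if counter else 0
        if "PROMISC" in flags or count > 0:
            found.append(m.group("name"))
    return found

def scan_local_host():
    """Run the check against this host (assumes Linux with iproute2 installed)."""
    out = subprocess.run(["ip", "-o", "-d", "link", "show"],
                         capture_output=True, text=True, check=True).stdout
    return promiscuous_interfaces(out)

# Constructed sample output (not captured from a real host), one record per line.
SAMPLE = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT "
    "group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT "
    "group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 1\n"
    "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT "
    "group default qlen 1000\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 1\n"
    "4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT "
    "group default qlen 1000\\    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff promiscuity 0\n"
)

if __name__ == "__main__":
    print("sample:", promiscuous_interfaces(SAMPLE))   # ['eth0', 'eth1']
```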

Ironically, the ability to monitor all traffic to at least some extent is important to network administrators.  Administrators typically need to monitor traffic levels in order to improve designs and monitor for breakdowns.  Though, privacy about actual content and connections is much more likely to be treated with respect by administrators than by attackers.

One of the most blatant attempts I have seen at sniffing was when a small box was found underneath the desk of one of the School of Business secretaries at Quinnipiac University.  The Cat 5 cabling from the back of the desktop computer ran into this device and then another segment of cabling ran out of the sniffer to the network port.  Whoever was making use of this device was able to see all kinds of things like emails and passwords being used by anyone who used this computer.

Some of the most common sniffers are

  • tcpdump - for UNIX and Linux
  • snoop - for Solaris machines
  • Wireshark - comes in many varieties - www.wireshark.org

Both tcpdump and snoop are command line based and cause all of the packets to be dumped in a readable format.  Wireshark has a GUI and is actually able to reassemble TCP streams and sessions.

Keyloggers.  Keylogging refers to a particular type of sniffing that keeps track of all the keys typed by a user.  This means passwords, account names and usernames are just some of the things that can be picked up by keyloggers.  Some keyloggers even take screenshots regularly.

Typically, keyloggers are programs that have somehow been installed on a particular computer.  They run hidden from the operating system.  There must also be ways for the information to get back to the attacker(s) that make use of the software.

Protection.  One of the best ways to protect against sniffing is to make sure you are using high quality encryption in all your packet transmissions and receptions.  It is also very important to make sure that all users have up to date anti-virus and anti-spyware programs.

More will be added.