NETWORK SNIFFING AND SPOOFING


What is network sniffing?

Network sniffing monitors the flow of data over different computer lines using a software tool referred to as a network sniffer. The sniffer can be a closed software package or a hardware device governed by the appropriate software. As data flows past the sniffer, the tool takes a picture of the data but does not alter or redirect it. It is also a tool used by hackers to gain vital information: a network sniffer can capture passwords as they flow by.

Sniffing is the process in which all the data packets passing through the network are monitored. Sniffers are usually used by network administrators to monitor and troubleshoot network traffic, whereas attackers use them to monitor and capture data packets in order to steal sensitive information such as passwords and user accounts. Sniffers can be hardware or software installed on a system.

What is network spoofing?

The boiled-down definition of network spoofing is getting access to computer data that you have not been authorized to access. To perform network spoofing, the hacker or unauthorized user needs to assume the identity of another computer or computer program. There are different types of spoofing, including e-mail spoofing, network spoofing, and IP spoofing. A hacker who wishes to use the spoofing method must find the identity of a trusted computer or program, assume that identity, and gain access to private information. Since the spoofed ID is trusted, the hacker usually has no trouble entering restricted areas.

Spoofing is the process in which an intruder introduces fake traffic and pretends to be someone else (a legal source or legitimate entity). Spoofing is done by sending packets with an incorrect source address over the network. The best way to tackle spoofing is to use a digital signature.

Though Kali Linux comes packed with many tools for sniffing and spoofing, the ones listed below are the most used by attackers these days.

Top three network sniffing and spoofing tools

To get the best sniffing and spoofing tools, you have to consider the type of operating system you use. Some are designed specifically for Windows, others for Linux, and so on.

1. Wireshark

- This is a sniffing tool that is compatible with Windows, Linux, and other operating systems. Its specialty is going deep to monitor the lower levels of your computer. You can use it for live capture and offline analysis; the captured data can be viewed in the GUI and on other devices. It also has very powerful display filters and supports a variety of protocols, including WPA and WPA2.

2. Smartsniff

- This is a free sniffing tool that captures TCP/IP data flowing over your computer and lets you see it as simulated conversations. This sniffer is compatible with Windows 2000/XP or higher. The only exception is its WinPcap capture driver, which can be used with all Windows operating systems. One strong feature of this sniffing tool is that it allows you to view the captured data in ASCII mode. An alternative viewing mode is the hex dump function.


3. Mailinator

- This is a spoofing tool that is special in various ways. It allows you to be anonymous while using it. In addition, you can create a new e-mail account using its domain. On top of it all, it gives you access to email accounts that already exist. You just have to type in the e-mail address and this tool grants you access. You can use this link to access their website and get all the information you need.

Network sniffing with Wireshark

In this section, we are going to learn how to sniff a network using Wireshark. This tool comes with a graphical user interface, which makes it easy to use.

Step-1: Open Wireshark by going to the applications menu and, under "Sniffing and Spoofing," clicking on Wireshark.


There are two filters on the home screen of Wireshark. The first is the display filter and the second is the capture filter. If we run Wireshark with its defaults, it captures a lot of packets, which can make things confusing, so we use filters to limit our results. A display filter is applied after all the traffic has been captured, whereas a capture filter makes Wireshark capture only the traffic matching the filter we specify. Under the capture filter, we have options to capture traffic by network interface. If we do not use any filter, Wireshark captures all traffic by default. Let's capture wlan0 packets without specifying any filter.

Step-2: To run Wireshark, just click on the interface you want to capture packets from. I'm using wlan0 because I'm connected using a wireless adapter. We can see that every packet has its time, source IP, destination IP, protocol, length, and info. If we scroll down, we can see that it captured more than 1000 packets in a few minutes.

Step-3: Let us use a display filter to limit our results. Before applying the filter, we have to stop Wireshark from capturing packets. There is a red square above the display filter; click on it to stop Wireshark. Now, let's narrow our results by applying a display filter. As we can see, I applied a TCP display filter and now I can see only TCP packets.

Wireshark Top Filters

1. Protocol Filter

We can use a display filter or a capture filter to capture packets from a specific protocol. Just type the name of the protocol whose packets you want (for example http) in the filter. After applying it, we can see only HTTP packets.

2. Port Filter

We can use a port filter to filter packets from specific port numbers. First specify a protocol, then port, to tell Wireshark that you want to filter packets from a specific port number, and then == (port number), e.g. tcp.port == 80.

3. IP Address Filter

We can use the IP address filter to filter packets from a specific IP address. This can be very helpful if we have a target and we want to monitor its traffic. Just type ip.addr == (ip address) to see packets associated with that IP address. After applying it, we can see only packets from the specified IP address.

4. Source and Destination Filter

We can also filter packets from a certain source IP and destination IP address. Use ip.src == (ip address) to filter packets from a source IP, and ip.dst == (ip address) to filter packets to a destination IP address.

5. Multiple Protocol Display Filter

If we want to filter packets from multiple protocols, we can use the or syntax. Type (first protocol) or (second protocol) to filter traffic from multiple protocols. After applying it, we can see packets from only two protocols, TCP and HTTP.

6. Removing Unwanted Packets

When we work with Wireshark for a long time, it captures a lot of packets, so to make things simpler we first have to remove the unwanted packets from the data. We can use !(first protocol or second protocol or third protocol) to remove unwanted packets.

7. TCP, HTTP stream

We can use a TCP stream filter to follow a single TCP connection. Select the packet whose TCP stream you want to see, right-click on it and, under Follow, click on TCP Stream. It will open the content inside that stream, and if we close the popup, we can see the packets from that TCP stream.

8. Contains filter

If we are looking for usernames and passwords, we can use a contains filter. With this, we can filter packets that contain the words we specify. First, we have to specify the protocol, then contains, and then the word by which you want to filter the result. As we can see, there are only three packets which Wireshark filtered, and each contains the named keyword.
Wireshark has a lot of filters. Take time to explore them.
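As an added example (not code from the original article and not Wireshark's own filter engine), the Python below models the display filter syntax used in this section, including protocol names, == on ip.addr, ip.src, ip.dst and tcp.port, or, !( ) and contains, and runs it over constructed packet summaries. The field names follow Wireshark's; the packets, addresses and payloads are constructed, and contains is approximated as a search of the payload text.

```python
import re

# Constructed packet summaries, not real captures: the protocols Wireshark
# would dissect plus the fields the filters in this section refer to.
PACKETS = [
    {"protos": {"ip", "tcp", "http"}, "ip.src": "192.168.1.10", "ip.dst": "93.184.216.34",
     "tcp.srcport": 51234, "tcp.dstport": 80, "payload": "POST /login username=alice"},
    {"protos": {"ip", "tcp"}, "ip.src": "93.184.216.34", "ip.dst": "192.168.1.10",
     "tcp.srcport": 80, "tcp.dstport": 51234, "payload": ""},
    {"protos": {"ip", "udp", "dns"}, "ip.src": "192.168.1.10", "ip.dst": "192.168.1.1",
     "udp.srcport": 40000, "udp.dstport": 53, "payload": "example.com"},
]
# As in Wireshark, ip.addr and tcp.port match either direction of a packet.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}
TOKEN = re.compile(r'\(|\)|!|==|"[^"]*"|[^\s()!=]+')

def compile_filter(text):
    """Parse a subset of the display filter syntax into a predicate on a packet.
    expr := term ('or' term)*   term := '!' term | '(' expr ')' | NAME [('==' | 'contains') VALUE]"""
    toks = TOKEN.findall(text)

    def expr():
        left = term()
        while toks and toks[0] in ("or", "||"):
            toks.pop(0)
            left = (lambda l, r: lambda p: l(p) or r(p))(left, term())
        return left

    def term():
        tok = toks.pop(0)
        if tok in ("!", "not"):
            inner = term()
            return lambda p: not inner(p)
        if tok == "(":
            inner = expr()
            assert toks.pop(0) == ")", "missing )"
            return inner
        if not toks or toks[0] not in ("==", "contains"):
            return lambda p: tok in p["protos"]  # bare protocol name, e.g. "http"
        op, value = toks.pop(0), toks.pop(0).strip('"')
        if op == "==":
            keys = ALIASES.get(tok, (tok,))
            return lambda p: value in [str(p[k]) for k in keys if k in p]
        # Wireshark's "contains" searches the layer's bytes; here, the payload text.
        return lambda p: tok in p["protos"] and value in p.get("payload", "")

    return expr()

def count(text, packets=PACKETS):
    pred = compile_filter(text)
    return sum(1 for p in packets if pred(p))
```

Note that tcp.port == 80 keeps both directions of the web conversation, while ip.src and ip.dst each keep only one; this is the difference the page's source and destination filters rely on.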
In the next section, we are going to learn how to perform a man-in-the-middle attack using a tool called Bettercap.

ARP Spoofing Using Bettercap


In this section, we are going to perform ARP poisoning, also known as a man-in-the-middle attack, using Bettercap. Bettercap is an ARP poisoning tool used for network security and to perform man-in-the-middle attacks.

Follow the given steps below to perform the attack.
  • ARP is short for Address Resolution Protocol, and ARP spoofing is where a hacker or any other unauthorized person sends false ARP messages to your computer or network.
  • There is usually a link between the hacker's MAC address and a legitimate IP address.
  • Once this connection is made, the hacker receives any information sent to the legitimate IP address.
  • The good news is that this type of spoofing can only occur on local networks that use ARP. A hacker's reasons for using this spoofing method vary and may include stopping data, altering it, or intercepting key messages.
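As an added, defender-side example (not from the original article and not part of Bettercap), the Python below checks a constructed list of ARP sender bindings for the symptom the bullets describe: a legitimate IP suddenly answered for by a second MAC, and one MAC answering for several IPs. The observations, IP addresses and MAC addresses are all constructed for illustration.

```python
from collections import defaultdict

# Constructed ARP observations, not a real capture: (seq, sender_ip, sender_mac)
# taken from the sender fields of ARP packets seen on the local segment.
# Entries 4, 6 and 7 model a poisoner claiming the gateway's and a host's IP.
OBSERVED = [
    (1, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway
    (2, "192.168.1.20", "aa:bb:cc:00:00:20"),  # workstation
    (3, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (4, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP, unknown MAC
    (5, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (6, "192.168.1.1", "de:ad:be:ef:00:99"),
    (7, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC now claims the host too
]


def detect_mac_changes(observations, trusted=None):
    """arpwatch-style check: alert whenever an IP is claimed by a MAC other than
    the one first seen (or pinned via `trusted`, e.g. the gateway's real MAC).
    A genuine NIC replacement also trips this, so alerts need a human look."""
    table = dict(trusted or {})
    alerts = []
    for seq, ip, mac in observations:
        known = table.setdefault(ip, mac)  # first sighting becomes the baseline
        if known != mac:
            alerts.append({"seq": seq, "ip": ip, "expected": known, "seen": mac})
    return alerts


def macs_claiming_multiple_ips(observations):
    """A MAC answering for several IPs is the classic sign of a man-in-the-middle
    poisoning both ends of a conversation (gateway and victim)."""
    ips = defaultdict(set)
    for _, ip, mac in observations:
        ips[mac].add(ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) > 1}
```

Pinning the gateway's real MAC in `trusted` (or as a static ARP entry on hosts) is the usual mitigation; the same check then flags the poisoner from its first packet instead of trusting whichever binding arrived first.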
