Sniffers are utilities that you, as an ethical hacker, can use to capture and scan traffic moving across a network. Sniffers are a broad category that encompasses any utility that has the ability to perform a packet-capturing function.
Regardless of the build, sniffers perform their traffic-capturing function by enabling promiscuous mode on the connected network interface, thereby allowing the capture of all traffic, whether or not that traffic is intended for them.
Once an interface enters promiscuous mode, it no longer discriminates between traffic destined for its own address and traffic destined elsewhere; it picks up everything on the wire, thereby allowing you to capture and investigate every packet.
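The defender's counterpart to this behavior, as an added example that is not part of the original text: on Linux the kernel exposes each interface's flag word in /sys/class/net/<iface>/flags, and bit 0x100 (IFF_PROMISC) is set for as long as a sniffer holds the interface in promiscuous mode. The script below decodes that word and lists interfaces currently in promiscuous mode; the sysfs path and flag constants are taken from the kernel's uapi headers, and the sample flag values used for checking are constructed.

```python
from pathlib import Path

# Linux net_device flag bits, from include/uapi/linux/if.h
IFF_UP = 0x1
IFF_PROMISC = 0x100


def decode_flags(hex_flags: str) -> dict:
    """Decode the hex flag word found in /sys/class/net/<iface>/flags."""
    value = int(hex_flags.strip(), 16)
    return {
        "up": bool(value & IFF_UP),
        "promiscuous": bool(value & IFF_PROMISC),
    }


def promiscuous_from_flags(flag_map: dict[str, str]) -> list[str]:
    """Given {iface_name: hex_flags}, return the interfaces in promiscuous mode.

    Kept separate from the sysfs read so it can be checked against
    constructed values without touching the running system.
    """
    return sorted(name for name, flags in flag_map.items()
                  if decode_flags(flags)["promiscuous"])


def read_sysfs_flags(root: str = "/sys/class/net") -> dict[str, str]:
    """Collect the raw flag word for every interface exposed in sysfs."""
    result = {}
    root_path = Path(root)
    if not root_path.is_dir():
        return result  # not Linux, or sysfs not mounted
    for iface in root_path.iterdir():
        try:
            result[iface.name] = (iface / "flags").read_text()
        except OSError:
            continue  # interface vanished or is unreadable; skip it
    return result


if __name__ == "__main__":
    sniffing = promiscuous_from_flags(read_sysfs_flags())
    if sniffing:
        print("interfaces in promiscuous mode:", ", ".join(sniffing))
    else:
        print("no interface is in promiscuous mode")
```

The same bit shows up as PROMISC in the output of `ip link show`, so a periodic run of this check (or an equivalent audit rule) is a cheap way to notice a sniffer that has been started on a host.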
Sniffing can be active or passive in nature. Typically, passive sniffing is considered to be any type of sniffing where traffic is looked at but not altered in any way. Essentially, passive sniffing means listening only. In active sniffing, not only is traffic monitored, but it may also be altered in some way as determined by the attacking party.
Remember that a sniffer is not just a dumb utility that allows you to view only streaming traffic. A sniffer is a robust set of tools that can give you an extremely in-depth and granular view of what your (or their) network is doing from the inside out. That being said, if you really want to extract all the juicy tidbits and clues from each packet, save the capture and review it when time allows. I prefer to review my 20,000 packets of captured data at my local coffee shop with a hot vanilla latte and a blueberry scone. Make it easy on yourself; your target is not going anywhere soon.
Before we go too much into sniffers, it is important to mention that there are also hardware protocol analyzers. These devices plug into the network at the hardware level and can monitor traffic without manipulating it. Typically these hardware devices are not easily accessible to most ethical hackers due to their enormous cost in many cases (some devices have price tags in the six-figure range).
How successful you are at the sniffing process depends on the relative and inherent insecurity of certain network protocols. Protocols such as the tried and true TCP/IP were never designed with security in mind and therefore do not offer much in this area. Several protocols lend themselves to easy sniffing:
- Telnet/rlogin: Keystrokes, including those that make up usernames and passwords, can be easily sniffed.
- HTTP: Designed to send information in the clear without any protection, and thus a good target for sniffing.
- Simple Mail Transfer Protocol (SMTP): Commonly used in the transfer of email, this protocol is efficient, but it does not include any protection against sniffing.
- Network News Transfer Protocol (NNTP): All communication, including passwords and data, is sent in the clear.
- Post Office Protocol (POP): Designed to retrieve email from servers, this protocol includes no protection against sniffing, so usernames and passwords can be intercepted.
- File Transfer Protocol (FTP): A protocol designed to send and receive files; all transmissions are sent in the clear.
- Internet Message Access Protocol (IMAP): Similar to SMTP in function and in its lack of protection.