Difference between revisions of "Network Eavesdropping"

From OWASP
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
  
{{Template:Stub}}
 
  
 
==Description==
 
==Description==
  
This article should cover attacks based on sniffing the network.
+
The Network Eavesdropping or network sniffing is a network layer attack consisting in capturing packets from the network transmitted by others computers and reading the data content in search of sensitive information like passwords, session token or yet any kind of confidential information.
  
 +
The attack could be done using tools called network sniffers, these tools act collecting packets on the network and, depending on the quality of the tool, this could offer facilities to analyze the collected data like protocol decoders or stream reassembling.
 +
 +
Depending on the network context, to be the sniffing effective, some condition must be attended:
 +
 +
'''• Lan environment with HUBs'''
 +
 +
This is the ideal case because the hub is a network repeater that duplicates every network frame received to all ports. So the attack is very simples to be implemented because no other condition must be attended.
 +
 +
'''• Lan environment with switches'''
 +
 +
To be effective the eavesdropping a preliminary condition must be attended. Because a switch by default only transmit a frame to the port is necessary a mechanism that will duplicate or will redirect the network packets to evil system. For example to duplicate traffic to one port to another port is necessary to implement a special configuration on the switch.
 +
To redirect the traffic from one port to another it’s necessary a preliminary exploitation like the arp spoof attack. In this attack the evil system act like a router between the victim’s communication making, in this way, possible to sniff the exchanged packets.
 +
 +
'''• Wan environment'''
 +
 +
In this case to make a network sniff is necessary that the evil system became a router between the client server communications. One way to implement this exploit is done by a dns spoof attack to thr client system.
 +
 +
 +
Network Eavesdropping is a passive attack very difficult to be discovered, it could be identified by the effect of the preliminary condition or, in some cases, by inducing the evil system to respond a fake request directed to the evil system IP but with the MAC address of a different system.
 +
 +
== Severity ==
 +
 +
High
 +
 +
== Likelihood of exploitation ==
 +
 +
Medium
 +
 
==Examples ==
 
==Examples ==
 +
 +
When a network device called HUB is used on the Local Area Network topology, the Network Eavesdropping become easier, it´s because the device repeat all traffic received on one port to all other ports. Using a protocol analyzer, the attacker can capture all traffic on the LAN discovering sensitive information.
 +
 +
<center>
 +
 +
https://www.owasp.org/images/4/48/Eavesdropping.jpg
 +
 +
Figure 1. Local Eavesdropping attack.
 +
 +
</center>
 +
 +
== External References==
 +
 +
*http://www.ethereal.com/
  
 
==Related Threats==
 
==Related Threats==
 +
 +
[[:Category:Logical Attacks]]
  
 
==Related Attacks==
 
==Related Attacks==
 +
 +
*[[Man-in-the-middle attack]]
  
 
==Related Vulnerabilities==
 
==Related Vulnerabilities==
 +
 +
* [[Data Leaking Between Users]]
  
 
==Related Countermeasures==
 
==Related Countermeasures==
 +
 +
[[:Category:Encryption]]
 +
 +
 +
[[Category:Sniffing Attacks]]
 +
  
 
[[Category:Attack]]
 
[[Category:Attack]]
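
Review bot: In the added "Lan environment with switches" paragraph, the sentence "a switch by default only transmit a frame to the port" stops before saying which port, so the reason a switch blocks sniffing is never actually stated; finish the clause (the port the destination is attached to). In the "Wan environment" paragraph, "thr client system" is a typo. The new Examples text repeats the hub case already given under Description without adding a second scenario, and the closing Description paragraph mentions detection "by the effect of the preliminary condition" without naming any such effect, so a reader cannot act on it; a short concrete sign for the ARP spoof case would help. External References points only to http://www.ethereal.com/ and Related Countermeasures only to [[:Category:Encryption]], so the detection claim has no supporting reference.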

Revision as of 07:36, 6 November 2007

This is an Attack. To view all attacks, please see the Attack Category page.



Description

Network eavesdropping, or network sniffing, is a network-layer attack that consists of capturing packets transmitted over the network by other computers and reading their contents in search of sensitive information such as passwords, session tokens, or any other kind of confidential information.

The attack can be carried out with tools called network sniffers. These tools collect packets on the network and, depending on the quality of the tool, may offer facilities for analyzing the collected data, such as protocol decoders or stream reassembly.

Depending on the network context, certain conditions must be met for sniffing to be effective:

• LAN environment with hubs

This is the ideal case, because a hub is a network repeater that duplicates every network frame it receives to all ports. The attack is therefore very simple to implement, because no other condition has to be met.

• LAN environment with switches

For eavesdropping to be effective, a preliminary condition must be met. Because a switch by default only transmits a frame to the port of its destination, a mechanism is needed that duplicates or redirects the network packets to the evil system. For example, duplicating traffic from one port to another requires a special configuration on the switch. Redirecting traffic from one port to another requires a preliminary exploitation such as the ARP spoofing attack. In that attack the evil system acts as a router within the victim's communication, which makes it possible to sniff the exchanged packets.

• WAN environment

In this case, network sniffing requires the evil system to become a router between the client and the server. One way to implement this exploit is a DNS spoofing attack against the client system.


Network eavesdropping is a passive attack that is very difficult to discover. It can be identified by the effects of the preliminary condition or, in some cases, by inducing the evil system to respond to a fake request directed to the evil system's IP address but with the MAC address of a different system.
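
One way to look for "the effect of the preliminary condition" in the switched-LAN case, as an added example that is not part of the original OWASP page: it parses captured ARP frames and reports an IP address that moves to a different MAC, or an Ethernet source address that disagrees with the ARP sender field. The frames, addresses and function names are constructed for illustration.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac(frame[6:12]), mac(frame[22:28]), ".".join(map(str, frame[28:32]))

def find_arp_anomalies(frames):
    """Report side effects of ARP spoofing: rebinding and header/payload mismatch."""
    first_seen, alerts = {}, []          # first_seen: IP -> MAC baseline
    for n, frame in enumerate(frames):
        rec = parse_arp(frame)
        if rec is None:
            continue                     # not ARP, or not Ethernet/IPv4 ARP
        eth_src, sha, spa = rec
        if eth_src != sha:               # Ethernet source disagrees with ARP sender
            alerts.append((n, "src-mismatch", spa, sha))
        if spa == "0.0.0.0":
            continue                     # ARP probe carries no binding
        if first_seen.setdefault(spa, sha) != sha:
            alerts.append((n, "ip-moved", spa, sha))
    return alerts

def sample_frame(eth_src, sha, spa, ethertype=0x0806):
    """Build a constructed 42-byte test frame in memory (nothing is sent)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = bytes(map(int, spa.split(".")))
    return (b"\xff" * 6 + raw(eth_src) + struct.pack("!H", ethertype)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + raw(sha) + ip
            + b"\x00" * 6 + ip)

GW, HOST, ODD = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"
SAMPLE = [                               # constructed capture, documentation addresses
    sample_frame(GW, GW, "192.0.2.1"),
    sample_frame(HOST, HOST, "192.0.2.10"),
    sample_frame(ODD, ODD, "192.0.2.1"),             # gateway IP now at a new MAC
    sample_frame(HOST, HOST, "192.0.2.10", 0x0800),  # not ARP: ignored
    sample_frame(ODD, HOST, "192.0.2.10"),           # header and payload disagree
]

if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE):
        print(alert)
```

The baseline here is simply the first binding seen for each IP; a legitimate address change (DHCP reassignment, failover) raises the same "ip-moved" alert and has to be ruled out by the operator.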

Severity

High

Likelihood of exploitation

Medium

Examples

When a network device called a hub is used in the Local Area Network topology, network eavesdropping becomes easier, because the device repeats all traffic received on one port to all other ports. Using a protocol analyzer, the attacker can capture all traffic on the LAN and discover sensitive information.

Eavesdropping.jpg

Figure 1. Local Eavesdropping attack.

External References

Related Threats

Category:Logical Attacks

Related Attacks

Related Vulnerabilities

Related Countermeasures

Category:Encryption