Promiscuous versus Nonpromiscuous Mode
Before we try to sniff traffic on a network, we need to understand the difference between
promiscuous mode and nonpromiscuous mode, the two modes a network card can operate in.
By default, our network card is in nonpromiscuous mode, in which we can capture
only the traffic that is destined for our computer. However, we can switch our network card to
promiscuous mode, which allows us to capture traffic that is not destined
for our computer. So rule number 1 for sniffing is that all the network cards should be in
promiscuous mode.
MITM Attacks
[Figure: Victim, Webserver and Attacker, showing the original connection and the MITM connection.]
The idea behind a MITM attack is that the attacker places himself in the middle of the
communication between a client and a server. Therefore, any communication that is being performed
between a client and a server will be captured by the attacker.
Ethical Hacking and Penetration Testing Guide
Once an attacker successfully becomes the man in the middle, he can perform many attacks
on the target network, such as capturing all the traffic, denial-of-service attacks, DNS spoofing, and
session hijacking, to name a few.
ARP Protocol Basics
ARP stands for Address Resolution Protocol. It runs at the link layer (Layer 2) of the OSI model.
Its purpose is to resolve an IP address to a MAC address. Any piece of hardware that connects to the
Internet has a unique MAC address associated with it.
How ARP Works
[Figure: Host A (192.168.1.2), Host B (192.168.1.3) and a printer.]
So let’s imagine the scenario shown in the image, where on a switch-based network, “Host A” with
the IP 192.168.1.2 would like to communicate with “Host B” with the IP 192.168.1.3. In order to
communicate on a local area network, Host A needs to have the MAC address of Host B.
Host A will look inside its ARP cache and see if an entry for Host B’s IP address is present
inside the ARP table. If it’s not present, Host A will send an ARP broadcast packet to every device
on the network asking “Who has Host B’s IP address?”
Once Host B receives the ARP request, it will send an ARP reply telling Host A “I am
Host B and here is my MAC address.” The MAC address is then saved inside the ARP
table. An ARP cache contains a list of the IP and MAC addresses of every host we have
communicated with.
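The exchange described above, as an added example that is not part of the original book: a small Python simulation that builds and parses real 28-byte ARP payloads (RFC 826 layout for Ethernet/IPv4) and walks through cache lookup, broadcast request, reply and cache update. The `Host` class, the MAC addresses and the printer's IP address are assumptions made for illustration.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 payload for Ethernet/IPv4 (28 bytes)
REQUEST, REPLY = 1, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))

def parse_arp(payload):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": sha.hex(":"), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": tha.hex(":"), "target_ip": socket.inet_ntoa(tpa)}

class Host:  # hypothetical model of one machine on the segment
    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.arp_cache = {}          # IP address -> MAC address
        self.requests_sent = 0

    def handle(self, payload):
        pkt = parse_arp(payload)
        if pkt["target_ip"] != self.ip:
            return None              # not asking about us: ignore the broadcast
        if pkt["op"] == REQUEST:     # "Who has my IP?" -> answer with our MAC
            return build_arp(REPLY, self.mac, self.ip, pkt["sender_mac"], pkt["sender_ip"])
        if pkt["op"] == REPLY:       # save the answer in the ARP table
            self.arp_cache[pkt["sender_ip"]] = pkt["sender_mac"]
        return None

    def resolve(self, ip, segment):
        if ip not in self.arp_cache:  # cache miss: broadcast a request
            self.requests_sent += 1
            request = build_arp(REQUEST, self.mac, self.ip, "00:00:00:00:00:00", ip)
            for host in segment:
                reply = host.handle(request) if host is not self else None
                if reply:
                    self.handle(reply)
        return self.arp_cache.get(ip)

# Constructed sample segment; the MAC addresses and printer IP are made up.
host_a = Host("192.168.1.2", "02:00:00:00:00:0a")
host_b = Host("192.168.1.3", "02:00:00:00:00:0b")
printer = Host("192.168.1.4", "02:00:00:00:00:0c")
SEGMENT = [host_a, host_b, printer]
```

Calling `host_a.resolve("192.168.1.3", SEGMENT)` twice sends only one request, because the second lookup is answered from Host A's ARP cache.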
Network Sniffing