Sniffing allows you to see all sorts of traffic, both protected
and unprotected. In the right conditions and with the right
protocols in place, an attacking party may be able to gather
information that can be used for further attacks or to cause other issues for the network or
system owner.
Once you have gotten to the point of sniffing, it is possible to move on to other types of
attacks, including session hijacking, man-in-the-middle, and denial-of-service attacks.
Taking over authenticated sessions, manipulating data, and executing commands are
within the realm of possibility once sniffing can be performed. Of course, before we get to
these attacks, you must learn about sniffing and how sniffers work.
In this chapter we spend a lot of time working with network sniffers. Sniffers are not a
hacking tool; they are a completely valid and extremely useful tool for diagnosing a
network’s functioning at a very low level. Over the years sniffers have proven their worth
time and time again to network administrators who need to solve problems that cannot be
viewed or analyzed easily, or at all, using other tools.
Understanding Sniffers
Sniffers are utilities that you, as an ethical hacker, can use to capture and scan traffic moving
across a network. Sniffers are a broad category that encompasses any utility that has the
ability to perform a packet-capturing function. Regardless of the build, sniffers perform
their traffic-capturing function by enabling promiscuous mode on the connected network
interface, thereby allowing the capture of all traffic, whether or not that traffic is intended
for them. Once an interface enters promiscuous mode, it no longer discriminates between
traffic destined for its own address and traffic destined elsewhere; it picks up all traffic on
the wire, thereby allowing you to capture and investigate every packet.
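To make the promiscuous-mode behaviour concrete, the following added example (not code from the book) models the interface's destination filter in Python and decodes a few constructed Ethernet/IPv4 frames. The MAC and IP addresses, the `IFACE_MAC` constant, and the `nic_accepts`, `parse_frame` and `sniff` helpers are all assumptions made for this illustration; no live capture is performed, so it runs without raw-socket privileges. In normal mode only frames addressed to our MAC (or broadcast) reach the sniffer; with promiscuous mode on, the frame exchanged between two other hosts is delivered and decoded too.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = b"\xff" * 6

# Hypothetical MAC of the interface we are "sniffing" on (constructed for this example).
IFACE_MAC = bytes.fromhex("020000000001")


def mac_str(mac: bytes) -> str:
    """Render six raw bytes as the usual colon-separated MAC notation."""
    return ":".join(f"{b:02x}" for b in mac)


def build_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str, proto: int) -> bytes:
    """Construct an Ethernet II frame carrying a bare 20-byte IPv4 header (sample data, no payload)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # version 4 / IHL 5, TOS 0, total length 20, id 0, flags+fragment 0, TTL 64,
    # protocol, header checksum left as 0 (not computed for this sample)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, src, dst)
    return eth + ip


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for IPv4, the addresses and protocol number."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac), "ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        # Fixed IPv4 header offsets relative to the start of the frame (14-byte Ethernet header).
        info["proto"] = frame[23]
        info["src_ip"] = ".".join(str(b) for b in frame[26:30])
        info["dst_ip"] = ".".join(str(b) for b in frame[30:34])
    return info


def nic_accepts(frame: bytes, iface_mac: bytes, promiscuous: bool) -> bool:
    """Model the interface's destination filter.

    Promiscuous mode switches the filter off, so every frame on the wire is passed up to the
    sniffer. Otherwise only unicast frames for our own MAC and broadcast frames are kept
    (multicast group filtering is omitted from this simplified model).
    """
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == iface_mac or dst == BROADCAST_MAC


def sniff(frames, iface_mac=IFACE_MAC, promiscuous=False):
    """Passive capture: read and decode what the interface delivers; frames are never altered or resent."""
    return [parse_frame(f) for f in frames if nic_accepts(f, iface_mac, promiscuous)]


# Constructed traffic on a shared segment: one frame to us, one broadcast, one between two other hosts.
SAMPLE_FRAMES = [
    build_frame(IFACE_MAC, bytes.fromhex("020000000002"), "10.0.0.2", "10.0.0.1", 6),
    build_frame(BROADCAST_MAC, bytes.fromhex("020000000003"), "10.0.0.3", "10.0.0.255", 17),
    build_frame(bytes.fromhex("020000000004"), bytes.fromhex("020000000005"), "10.0.0.5", "10.0.0.4", 6),
]

if __name__ == "__main__":
    for mode in (False, True):
        seen = sniff(SAMPLE_FRAMES, promiscuous=mode)
        print(f"promiscuous={mode}: {len(seen)} frame(s) delivered to the sniffer")
        for pkt in seen:
            print(f"  {pkt['src_ip']} -> {pkt['dst_ip']} proto={pkt['proto']} (dst MAC {pkt['dst_mac']})")
```

Running the script shows two frames in normal mode and all three in promiscuous mode; the third, between 10.0.0.5 and 10.0.0.4, is the one a sniffer could only ever see with promiscuous mode enabled. Because `sniff` only reads and decodes the frames it is handed, it also illustrates the passive form of sniffing discussed next.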
Sniffing can be active or passive in nature. Typically, passive sniffing is considered to be
any type of sniffing where traffic is looked at but not altered in any way. In active sniffing,
not only is traffic monitored, but it may also be altered in some way as determined by the
attacking party. Know the difference for your exam.