Active Sniffing Techniques

  1. MAC Flooding 
    One of the most common methods for enabling sniffing on a switch is to turn it into a device that does allow sniffing. Because a switch keeps traffic separate to each switchport (collision domain), you want to convert it into a hub-like environment. A switch keeps track of the MAC addresses it receives by writing them to a content-addressable memory (CAM) table. If a switch is flooded with MAC addresses, the flood may easily overwhelm the switch’s ability to write to its own CAM table. This in turn makes the switch fail into a giant hub. There are a few utilities available to accomplish this technique.
    A. Macof
    Macof is one of the powerful tools used for MAC flooding. It comes pre-installed with Kali Linux. It simply floods the local network with random MAC addresses, causing the switch to fail open into repeating mode, which makes sniffing easy.
  2. ARP Spoofing
    ARP is the Address Resolution Protocol, which is used to convert an IP address into a MAC address. ARP packets are intercepted so that data is sent to the attacker's machine. The working of ARP is discussed in the previous chapter. An attacker can exploit ARP poisoning to intercept traffic or perform a sniffing attack on a network. When the switch is flooded using MAC flooding, ARP tables can be spoofed; because of the flooding, the switch is in forward mode, so sniffing can be performed easily.
  3. ARP Poisoning

    Address Resolution Protocol (ARP) poisoning attempts to contaminate a network with improper gateway mappings. As explained in Chapter 2, ARP essentially maps IP addresses to specific MAC addresses, thereby allowing switches to know the most efficient path for the data being sent. Interestingly enough, ARP traffic doesn’t have any prerequisites for its sending or receiving process; ARP broadcasts are free to roam the network at will. The attacker takes advantage of this open traffic concept by feeding these incorrect ARP mappings to the gateway itself or to the hosts of the network. Either way, the attacker is attempting to become the hub of all network traffic. Some tools you can use to ARP-poison a host are Ettercap, Cain & Abel, and arpspoof.
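
Because ARP accepts mappings without any prerequisite, a monitor can catch the improper gateway mappings described above by watching for an IP address whose MAC binding changes. The following is an added example, not part of the original text: it parses raw Ethernet/ARP frames and reports changed or inconsistent bindings. The function names, alert labels and all addresses in the sample traffic are constructed for illustration.

```python
import struct

ETH_ARP = 0x0806  # EtherType for ARP

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (eth_src, opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != ETH_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_ip = ".".join(str(x) for x in frame[28:32])
    return mac(frame[6:12]), op, mac(frame[22:28]), sender_ip

def detect(frames, known=None):
    """Track IP->MAC bindings; return alerts for changed or inconsistent mappings."""
    bindings = dict(known or {})  # optional trusted bindings, e.g. the gateway
    alerts = []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, _op, smac, sip = parsed
        if eth_src != smac:  # Ethernet source disagrees with ARP sender field
            alerts.append((n, "sender-mismatch", sip, smac))
        old = bindings.get(sip)
        if old is not None and old != smac:  # IP now claimed by a different MAC
            alerts.append((n, "binding-changed", sip, smac))
        bindings[sip] = smac
    return alerts

def sample_frame(op, eth_src, smac, sip, tmac, tip):
    """Build one constructed ARP frame as bytes (sample input only, never sent)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    a = lambda i: bytes(int(x) for x in i.split("."))
    return (h(tmac) + h(eth_src) + struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, op)
            + h(smac) + a(sip) + h(tmac) + a(tip))

GW, HOST, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:20", "02:00:00:00:00:66"
SAMPLE = [  # constructed traffic: addresses are made up
    sample_frame(2, GW, GW, "192.168.1.1", HOST, "192.168.1.20"),
    sample_frame(1, HOST, HOST, "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),
    sample_frame(2, OTHER, OTHER, "192.168.1.1", HOST, "192.168.1.20"),
    sample_frame(2, OTHER, GW, "192.168.1.20", GW, "192.168.1.1"),
]
```

Calling `detect(SAMPLE)` returns one alert for the gateway IP moving to a different MAC and two for the last frame, whose Ethernet source does not match its ARP sender field. Passing a trusted gateway binding as `known` makes the first poisoned reply alert even if the monitor never saw the legitimate one.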


