Sniffing recon

Performing reconnaissance by sniffing packets requires access to the network data stream. In most cases, that implies some form of attacker presence already inside the network perimeter. Given that it is possible to sniff packets, a variety of interesting analysis techniques become possible.

  • Passive target location – packet analysis tools easily collect IP addresses and MAC addresses from systems that have packet traffic in the stream being analyzed. For the most part, packet sniffing is difficult to detect and so this form of recon is essentially passive and quite stealthy.
  • OS fingerprinting – by slowly collecting and analyzing a large number of packets from a source, it becomes possible to fingerprint and identify the operating system and the services that are running.
  • Grabbing credentials – it may be possible to grab login information, password hashes and other credentials from the packet stream. Telnet and older versions of SNMP pass credentials in plain text and are easily compromised with sniffing. More current versions of protocols are usually not so easy to penetrate.
  • Traffic analysis – it may be possible to determine which servers act as central hubs and are therefore of more interest to an attacker.
  • Wireless – passive sniffing recon is a standard part of wireless penetration and since the packets are easily available as a radio signal, it is difficult to prevent them from being intercepted.
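A defender's check that follows from the list above, as an added example that is not code from the original post: it walks raw IPv4 packets from a capture and reports which hosts still speak the cleartext-credential protocols named here (Telnet, and SNMP v1/v2c), so they can be migrated before a sniffer inside the perimeter sees them. The sample packets, addresses and the `classify`/`audit` helper names are constructed assumptions, not anything from the page.

```python
import struct
from collections import Counter

TELNET_PORT, SNMP_PORT = 23, 161  # cleartext-credential protocols named in the text

def snmp_version(payload):
    """SNMP is BER: SEQUENCE { INTEGER version, OCTET STRING community, ... }. Returns 0 (v1), 1 (v2c), 3 (v3) or None."""
    if len(payload) < 5 or payload[0] != 0x30:
        return None
    i = 2 if payload[1] < 0x80 else 2 + (payload[1] & 0x7F)  # skip the outer length field
    if len(payload) < i + 3 or payload[i] != 0x02 or payload[i + 1] != 1:
        return None
    return payload[i + 2]

def classify(pkt):
    """Label one raw IPv4 packet (no link-layer header) if a sniffer would see credentials in it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(map(str, pkt[12:16]))  # the same source-address harvesting a passive sniffer does
    l4 = pkt[ihl:]
    if pkt[9] == 6 and len(l4) >= 20 and struct.unpack("!H", l4[2:4])[0] == TELNET_PORT:
        return (src, "telnet: login and password in cleartext")
    if pkt[9] == 17 and len(l4) >= 8 and struct.unpack("!H", l4[2:4])[0] == SNMP_PORT:
        v = snmp_version(l4[8:])
        if v in (0, 1):
            return (src, "snmp v%s: community string in cleartext" % ("1" if v == 0 else "2c"))
    return None  # SNMPv3 and everything else are not flagged

def audit(packets):
    """Count flagged (source host, reason) pairs over a whole capture."""
    return Counter(r for r in map(classify, packets) if r)

# --- constructed sample packets (not a real capture); hand-built IPv4/TCP/UDP headers, checksums left zero ---
def ipv4(proto, src, dst, l4):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + l4

def tcp(sport, dport, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + data

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLE = [
    ipv4(6, "10.0.0.5", "10.0.0.1", tcp(40000, 23)),                                              # Telnet login
    ipv4(17, "10.0.0.7", "10.0.0.1", udp(50000, 161, b"\x30\x0d\x02\x01\x01\x04\x06public\xa0\x00")),  # SNMPv2c
    ipv4(17, "10.0.0.9", "10.0.0.1", udp(50001, 161, b"\x30\x05\x02\x01\x03\x30\x00")),          # SNMPv3, not flagged
    ipv4(6, "10.0.0.5", "10.0.0.1", tcp(40001, 22)),                                              # SSH, not flagged
]

if __name__ == "__main__":
    for (host, why), n in audit(SAMPLE).items():
        print(f"{host}: {why} ({n} packet(s))")
```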
