Tweet
Switched networks present an inherent initial challenge to sniffing. A wired switch doesn't allow you to sniff the whole network. Each switch port has its own collision domain, so traffic within the switch doesn't travel between ports. Only broadcast traffic has this capability.
WiFi works in a completely different way in that it works more like in a network connected using a HUB.
Some techniques exists to enable a penetration tester to overcome this limitation and sniff a switched network.
MAC flooding
One of the more common methods for enabling sniffing on a switched network is to turn the switch into a hub. A switch keeps traffic to each switchport isolated, so you want to force the switch into a hub-like state. A switch keeps track og MAC addresses and to which port they belong by storing them in a Content Addressable Memory (CAM) table. If a switch is being flooded with MAC addresses, the amount of MAC addresses the switch is capable of storing might be exceeded and the switch might put all ports into one collision domain and let traffic to one particular port flow out through every port in the switch.
CAM tables have a fixed size in which to store information and hold information such as the MAC address, the port they belong to, and Virtual Local Area Network (VLAN) information.
In older switches, the flooding of a switch would cause the switch to fail "open" and start to act like a HUB. This turns the switch into learning mode, where traffic goes everywhere. Once the switch fails, the flood might spill over and start affecting adjacent switches.
The flooding must be sustained during the attack because when the flooding stops and the CAM entries time out, the switch will return to normal operation.
ARP Poisoning
Address Resolution Protocol (ARP) poisoning attempts to contaminate hosts with incorrect IP address to MAC address mappings. These mappings are used by hosts and switches to know the path data should take to reach the target. The attacker takes advantage of this concept by feeding these incorrect ARP mappings to the gateway itself or to the hosts of the network. In this way the attacker attempt to redirect traffic to control where it goes and in that way become the target of selected traffic.
MAC Spoofing
MAC spoofing is a simple concept in which an attacker changes their MAC address of the local host to the MAC address of an existing authenticated machine already on the network.
When this technique is employed and a network administrator has applied port security to the connected switch, the host with the spoofed MAC address will have gained the ability to access the switch port.
MAC flooding is not necessarily a technique used to allow network-wide sniffing, but it does work to allow an unauthorized client onto the network without much hacking effort.
Port Mirror or SPAN Port
One way to circumvent switches is through the use of physical access to the switch and using port mirroring or a Switched Port ANalyzer (SPAN) port. This technique is used to send a copy of every network packet encountered on one switch port or a complete VLAN to another port or another switch where it can be monitored. This functionality is used to monitor network traffic either for diagnostic purposes or tor the purpose of implementing devices such as a Network Intrusion Detection System (NIDS). If an attacker is able to gain control of a network switch, the attacker has complete control of the traffic flow and can enable him to sniff any traffic needed. Output from a SPAN can be directed to any destination needed.
WiFi works in a completely different way in that it works more like in a network connected using a HUB.
Some techniques exists to enable a penetration tester to overcome this limitation and sniff a switched network.
MAC flooding
One of the more common methods for enabling sniffing on a switched network is to turn the switch into a hub. A switch keeps traffic to each switchport isolated, so you want to force the switch into a hub-like state. A switch keeps track og MAC addresses and to which port they belong by storing them in a Content Addressable Memory (CAM) table. If a switch is being flooded with MAC addresses, the amount of MAC addresses the switch is capable of storing might be exceeded and the switch might put all ports into one collision domain and let traffic to one particular port flow out through every port in the switch.
CAM tables have a fixed size in which to store information and hold information such as the MAC address, the port they belong to, and Virtual Local Area Network (VLAN) information.
In older switches, the flooding of a switch would cause the switch to fail "open" and start to act like a HUB. This turns the switch into learning mode, where traffic goes everywhere. Once the switch fails, the flood might spill over and start affecting adjacent switches.
The flooding must be sustained during the attack because when the flooding stops and the CAM entries time out, the switch will return to normal operation.
ARP Poisoning
Address Resolution Protocol (ARP) poisoning attempts to contaminate hosts with incorrect IP address to MAC address mappings. These mappings are used by hosts and switches to know the path data should take to reach the target. The attacker takes advantage of this concept by feeding these incorrect ARP mappings to the gateway itself or to the hosts of the network. In this way the attacker attempt to redirect traffic to control where it goes and in that way become the target of selected traffic.
MAC Spoofing
MAC spoofing is a simple concept in which an attacker changes their MAC address of the local host to the MAC address of an existing authenticated machine already on the network.
When this technique is employed and a network administrator has applied port security to the connected switch, the host with the spoofed MAC address will have gained the ability to access the switch port.
MAC flooding is not necessarily a technique used to allow network-wide sniffing, but it does work to allow an unauthorized client onto the network without much hacking effort.
Port Mirror or SPAN Port
One way to circumvent switches is through the use of physical access to the switch and using port mirroring or a Switched Port ANalyzer (SPAN) port. This technique is used to send a copy of every network packet encountered on one switch port or a complete VLAN to another port or another switch where it can be monitored. This functionality is used to monitor network traffic either for diagnostic purposes or tor the purpose of implementing devices such as a Network Intrusion Detection System (NIDS). If an attacker is able to gain control of a network switch, the attacker has complete control of the traffic flow and can enable him to sniff any traffic needed. Output from a SPAN can be directed to any destination needed.