© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2021
A. Sheikh, Certified Ethical Hacker (CEH) Preparation Guide, https://doi.org/10.1007/978-1-4842-7258-9_6

6. Sniffers and Social Engineering

Ahmed Sheikh1  
Miami, FL, USA

In this chapter, you will learn about sniffing and how this technique is used. You will gain an understanding of protocols that may be vulnerable to sniffing and how to detect types of sniffing attacks. In this chapter, you will also be introduced to countermeasures for sniffing. You will also learn about different types of social engineering plus countermeasures to protect individuals from attack.

By the end of this chapter, you will be able to
  1. Identify types of sniffing and the protocols vulnerable to sniffing.

  2. Recognize types of sniffing attacks.

  3. Identify methods for detecting sniffing.

  4. Identify countermeasures for sniffing.

  5. Identify different types of social engineering and social engineering countermeasures.



Sniffers are programs that capture and inspect data passing over a network. Used legitimately, a sniffer feeds monitoring tools that produce metrics for analysis; it only observes traffic and does not intercept or alter it. Used maliciously, the same capability steals passwords, emails, and files crossing the network.

In this chapter, you will learn about the fundamental concepts of sniffing and how sniffers are used in hacking. It is important for an administrator to know about sniffers and be aware of various tools and techniques to secure a network.

Switched Ethernet

On an Ethernet network, you can have two types of environments. In the first, all hosts share the same bus (a hub) and compete for bandwidth, so every host sees every frame. In the second, hosts are connected to a switch. A switch is more secure because it forwards a frame only to the port on which the destination MAC address was learned, so a host normally sees only its own unicast traffic (plus broadcasts and any frames the switch floods because it has not yet learned the destination). Switched networks are much more common. See Figure 6-1.
Figure 6-1

Switched network

Types of Sniffing

The majority of sniffer tools work well in a hub-based environment. An attacker can get a sniffer onto a network by compromising the organization's physical security or by using a Trojan horse to install a packet sniffer on an internal host. Sniffing can be categorized as passive or active.
  • Passive sniffing: The sniffer only listens and injects no traffic of its own. Passive sniffing is effective on hub-based networks, where the data from all machines reaches every port. Using a switch is a countermeasure: on a switched network a passive sniffer sees only the traffic to and from the machine on which it is installed, plus broadcast traffic.

  • Active sniffing: A switch learns which MAC address is on each port and forwards unicast frames only to that port. Active sniffing injects traffic into the LAN to defeat that learning so that other hosts' traffic is delivered to the attacker. Active sniffing techniques can be classified as address resolution protocol (ARP) spoofing, MAC flooding, and MAC duplicating.
    • ARP spoofing: The attacker sends forged ARP replies so the target machine stores the wrong (attacker's) MAC address for the gateway. All traffic the target sends toward the gateway now passes through the attacker's system, which forwards it on so the victim notices nothing.

    • MAC flooding: If a switch's MAC address table is flooded with bogus source addresses until it cannot keep up, the switch enters a "fail-open" mode and starts flooding unicast frames out every port, behaving like a hub. Not every switch fails open: many switches support port security, which limits the number of MAC addresses learned on a port and shuts the port down instead.

    • MAC duplicating: The attacker sniffs the network for the MAC addresses of clients associated with a switch port and reuses (clones) one of those addresses, so the switch delivers that client's frames to the attacker as well.

Protocols Vulnerable to Sniffing

Protocols that send passwords and data in clear text across the network are vulnerable to sniffing. Do not let the requirement of a username and password lull you into a false sense of security.

Protocols that are vulnerable to sniffing include
  • Telnet

  • Simple Network Management Protocol (SNMP) versions 1 and 2c, whose community strings travel in clear text

  • Network News Transfer Protocol (NNTP)

  • Post Office Protocol (POP)

  • Hypertext Transfer Protocol (HTTP)

  • File Transfer Protocol (FTP)

  • Internet Message Access Protocol (IMAP)

Each of these has an encrypted counterpart (SSH instead of Telnet, SNMPv3 with authentication and privacy, HTTPS, FTPS or SFTP, POP3S and IMAPS, or STARTTLS on the mail protocols). The right countermeasure is to retire the clear-text version, not only to protect the password.
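To make concrete what a sniffer sees on these protocols, here is an added example (not from the book) in Python: a small credential extractor run over constructed client-to-server payloads for FTP, POP3, IMAP, HTTP Basic authentication, and an SNMPv1 GetRequest. The payloads, user names and passwords are made up for the demonstration; a real deployment would feed it reassembled TCP streams and UDP datagrams from a capture. The SNMP part is a minimal BER walk of the fixed message prefix and deliberately returns nothing for SNMPv3, which carries no community string.

```python
import base64
import re

# Constructed sample client-to-server payloads, one per protocol. These are
# made-up examples for this demonstration, not captured traffic.
SAMPLE_STREAMS = {
    "ftp": b"USER alice\r\nPASS s3cret\r\nLIST\r\n",
    "pop3": b"USER bob@example.test\r\nPASS hunter2\r\nSTAT\r\n",
    "imap": b'a001 LOGIN dave "P@ss w0rd"\r\na002 SELECT INBOX\r\n',
    "http": (b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n"
             b"Authorization: Basic " + base64.b64encode(b"carol:password123")
             + b"\r\n\r\n"),
    # SNMPv1 GetRequest with community "public", hand-encoded BER:
    # SEQUENCE { INTEGER version, OCTET STRING community, GetRequest-PDU }
    "snmp": bytes.fromhex(
        "3018"                      # SEQUENCE, 24 bytes follow
        + "020100"                  # INTEGER version = 0 (SNMPv1)
        + "0406" + b"public".hex()  # OCTET STRING community "public"
        + "a00b020101020100020100"  # GetRequest PDU: request-id 1, error-status 0, error-index 0
        + "3000"                    # empty varbind list
    ),
}

USER_PASS_PROTOCOLS = {"ftp", "pop3"}   # both use USER <name> / PASS <secret> lines


def parse_snmp_community(msg: bytes):
    """Return (version, community) from an SNMPv1/v2c message, or None.

    Minimal BER walk over the fixed message prefix; long-form lengths
    (>127 bytes) are not handled. SNMPv3 (version 3) has no community string.
    """
    if len(msg) < 7 or msg[0] != 0x30 or msg[1] >= 0x80:
        return None
    if msg[2:4] != b"\x02\x01":            # INTEGER version, one byte long
        return None
    version = msg[4]
    if version not in (0, 1):              # 0 = v1, 1 = v2c
        return None
    if msg[5] != 0x04 or msg[6] >= 0x80:   # OCTET STRING community
        return None
    clen = msg[6]
    community = msg[7:7 + clen]
    if len(community) != clen:
        return None
    return version, community.decode("latin-1")


def extract_credentials(proto: str, payload: bytes):
    """Return [(identity, secret), ...] visible in one client-to-server payload."""
    found = []
    if proto == "snmp":
        parsed = parse_snmp_community(payload)
        if parsed:
            found.append(("snmpv1-community" if parsed[0] == 0 else "snmpv2c-community", parsed[1]))
        return found
    text = payload.decode("latin-1")
    if proto in USER_PASS_PROTOCOLS:
        user = None
        for line in text.splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                user = arg.strip()
            elif cmd.upper() == "PASS" and user is not None:
                found.append((user, arg.strip()))
                user = None
    elif proto == "imap":
        # "<tag> LOGIN <user> <password>"; the password may be a quoted string
        for m in re.finditer(r'^\S+\s+LOGIN\s+(\S+)\s+("[^"]*"|\S+)\s*$', text, re.M | re.I):
            found.append((m.group(1), m.group(2).strip('"')))
    elif proto == "http":
        # Basic auth is only base64, not encryption: anyone on the wire can decode it
        for m in re.finditer(r"^Authorization:\s*Basic\s+(\S+)", text, re.M | re.I):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            user, _, pw = decoded.partition(":")
            found.append((user, pw))
    return found


def audit_streams(streams):
    """Run the extractor over every stream; return {proto: credentials} for streams with hits."""
    return {p: creds for p, payload in streams.items() if (creds := extract_credentials(p, payload))}


if __name__ == "__main__":
    for proto, creds in audit_streams(SAMPLE_STREAMS).items():
        for ident, secret in creds:
            print(f"{proto:5} {ident!r} -> {secret!r}")
```

Telnet is omitted on purpose: it sends each keystroke as its own segment, so the same extraction needs the TCP stream reassembled first, which is exactly what Wireshark's "Follow TCP Stream" does. The same logic, pointed at your own traffic, doubles as an audit of which clear-text protocols are still in use.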

Electronic Surveillance

Sniffing also has a legal application. Electronic surveillance, when authorized by a judicial or administrative order (lawful intercept), uses a wiretap to gather data, for example at the target's service provider. Mediation devices handle the collection and processing, and analysts examine the captured traffic with tools such as Wireshark and Tcpdump.

How to Detect Sniffing

A purely passive sniffer is hard to spot because it transmits nothing. The machine doing the sniffing is usually in promiscuous mode, in which the network interface accepts every frame it sees rather than only frames addressed to its own MAC address; that behavior, and the side effects of active sniffing, are what detection relies on. You can run arpwatch to see whether any IP-to-MAC mappings have changed, and run network tools to monitor the network for strange packets. See Figure 6-2.
Figure 6-2

Process for detecting sniffing

There are several methods that can be used to detect sniffing. Review each method for details.
  • Ping method: The investigator sends an ICMP echo request to the suspect's IP address but addresses the Ethernet frame to a MAC that does not belong to the suspect (for example, by editing the suspect's entry in the local ARP cache before pinging). A normal network card discards a frame not addressed to it; a card in promiscuous mode passes it up the stack, and the suspect system answers the ping.

  • ARP method: The investigator sends an ARP request to a unicast (non-broadcast) MAC address rather than to the broadcast address. Only a host whose interface is in promiscuous mode sees the request, so a system that answers is suspected of running a sniffer.

  • Source-route method: A loose-source route lists IP addresses that a packet must travel through to reach the destination machine. If a machine on that route is down, the packet should never reach the destination. If the investigator disables one of the computers within the path and the destination still sees the packet (for example, it replies), it must have captured the packet directly off the wire, so it is likely running a sniffer.

  • Decoy method: The decoy method uses a decoy server with dummy user accounts and a client with a script that logs in to the server over a clear-text protocol. Those credentials exist only on the wire, so when an intrusion detection system (IDS) later sees someone try to log in with them, the investigator knows they were sniffed.

  • Reverse DNS method: Some sniffers perform reverse DNS lookups to map captured IP addresses to host names. The investigator sends traffic to an IP address that is not in use and watches for a DNS PTR query on that address; the computer carrying out the reverse lookup saw traffic that was not addressed to it, which identifies it as running a sniffer.

  • Latency method: The investigator measures the suspect's ping response times, floods the network with traffic, and measures again. A computer running a sniffer processes every frame on the wire rather than only its own, so its response time rises much more under the extra load.
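The arpwatch-style check mentioned earlier and the MAC-flooding behaviour described under active sniffing can both be caught by a small monitor. The following is an added example in Python, not code from the book or from arpwatch, run over constructed frame records: it flags IP-to-MAC changes and a single MAC answering for several IP addresses (the signature of gateway impersonation), and it flags any switch port that sources an implausible number of distinct MAC addresses within a sliding window. The addresses, ports, timings and thresholds are assumptions for the demonstration; on a live network the records would come from a SPAN-port capture (tcpdump, Wireshark or scapy) and the threshold would be tuned per port type.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One observation of a frame on the monitored segment (constructed, not captured)."""
    t: float          # seconds since capture start
    port: int         # switch port (or capture interface) the frame arrived on
    src_mac: str
    arp_ip: str = ""  # sender IP if this frame is an ARP reply/announcement, else ""


# Assumed addresses for the demonstration.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.5", "00:11:22:33:44:05"
ATTACKER_IP, ATTACKER_MAC = "10.0.0.9", "00:0c:29:ab:cd:ef"

# Constructed timeline: normal ARP traffic, then the host on port 3 claims the
# gateway's IP so the victim's gateway-bound traffic is delivered to it instead.
SAMPLE_ARP = [
    Frame(0.0, 1, GATEWAY_MAC, GATEWAY_IP),
    Frame(1.0, 2, VICTIM_MAC, VICTIM_IP),
    Frame(2.0, 3, ATTACKER_MAC, ATTACKER_IP),
    Frame(60.0, 3, ATTACKER_MAC, GATEWAY_IP),   # forged reply: "10.0.0.1 is-at attacker"
    Frame(62.0, 3, ATTACKER_MAC, GATEWAY_IP),   # repeated to keep the victim's cache poisoned
]

# Constructed frames: port 1 carries three legitimate MACs; port 7 sources 200 distinct
# MACs in half a second, which is what a tool filling the switch's MAC table looks like.
SAMPLE_FRAMES = [Frame(i * 0.01, 1, f"00:11:22:33:44:{i % 3:02x}") for i in range(100)]
SAMPLE_FRAMES += [Frame(10.0 + i * 0.0025, 7, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
                  for i in range(200)]


def detect_arp_spoofing(frames):
    """arpwatch-style check: flag IP-to-MAC changes and one MAC answering for several IPs.

    Returns (table, alerts): table is the final IP -> MAC view; alerts holds
    ("changed", ip, old_mac, new_mac) and ("multi_ip", mac, [ips]) tuples.
    """
    table, alerts = {}, []
    for f in sorted((f for f in frames if f.arp_ip), key=lambda f: f.t):
        prev = table.get(f.arp_ip)
        if prev is not None and prev != f.src_mac:
            alerts.append(("changed", f.arp_ip, prev, f.src_mac))
        table[f.arp_ip] = f.src_mac
    ips_by_mac = defaultdict(set)
    for ip, mac in table.items():
        ips_by_mac[mac].add(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:   # a gateway impersonator ends up owning its own IP plus the gateway's
            alerts.append(("multi_ip", mac, sorted(ips)))
    return table, alerts


def detect_mac_flooding(frames, window=1.0, threshold=64):
    """Flag any port that sources more than `threshold` distinct MACs within `window` seconds.

    Sliding window per port; returns [(port, t_of_first_alert, distinct_macs)], one per port.
    An access port rarely carries more than a handful of MACs; a trunk needs a higher threshold.
    """
    recent = defaultdict(deque)     # port -> (t, mac) observations inside the window
    live = defaultdict(Counter)     # port -> mac -> count inside the window
    alerts, flagged = [], set()
    for f in sorted(frames, key=lambda f: f.t):
        q, c = recent[f.port], live[f.port]
        q.append((f.t, f.src_mac))
        c[f.src_mac] += 1
        while q and f.t - q[0][0] > window:   # expire observations older than the window
            _, old_mac = q.popleft()
            c[old_mac] -= 1
            if c[old_mac] == 0:
                del c[old_mac]
        if len(c) > threshold and f.port not in flagged:
            flagged.add(f.port)
            alerts.append((f.port, f.t, len(c)))
    return alerts


if __name__ == "__main__":
    _, arp_alerts = detect_arp_spoofing(SAMPLE_ARP)
    for alert in arp_alerts:
        print("ARP:", alert)
    for port, t, n in detect_mac_flooding(SAMPLE_FRAMES):
        print(f"MAC flood: port {port} sourced {n} distinct MACs within 1 s at t={t:.2f}")
```

A real arpwatch also reports "flip-flops" (an IP bouncing between two MACs), which is what you see when the legitimate gateway keeps re-announcing itself while the attacker keeps re-poisoning; the `changed` alert above fires on each such swing.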


An attacker will often copy a website the victim uses and serve the copy later in a spear phishing attack. A person who visits the same site every day is less likely to examine the URL carefully. Wget is one tool that can be used to copy a website (Figure 6-3).
Figure 6-3

Copying a website with Wget

Spearfish Attack

The copied website now lives on the attacker's machine. The attacker uses spear phishing to get an internal user to visit that copy and enter their credentials.

In this exercise, you will attempt a spear phishing attack and convince the victim to log on to the copied website on the attacker's box instead of the user's real internal website. You will also exploit the victim's browser when it connects to your attacker machine. See Figure 6-4.
Figure 6-4

Spear phishing attack

Viewing Credentials

You now have the victim's username and password. Note what the victim saw: when the credentials were submitted to the copied site on the attacker machine, the result was a "page cannot be displayed" error rather than a successful login. Knowing exactly what the victim experienced matters, because it shapes any further communication with the victim during subsequent spear phishing attempts. See Figures 6-5 and 6-6.
Figure 6-5

Web page login

Figure 6-6

Captured user name and password

Social Engineering

Social engineering is the use of persuasion (one's "gift of gab") to get another individual to let their guard down so that they divulge information they would not normally divulge or take an action they would not normally take.

Social engineering plays on the desire of most people to be helpful in the workplace; think of how many organizations emphasize customer service. Information gained this way can sometimes be used directly in an attack, but more often it is used indirectly as one piece of a more elaborate scheme.

Social engineering can fall into two categories: human-based and computer-based. Six human tendencies (Robert Cialdini's principles of influence) make people respond positively to a social engineer:
  1. Reciprocation: Feeling compelled to give something back after receiving something, such as buying a product after accepting a free sample.

  2. Consistency: Acting in line with what one has already said or done; once someone has started answering questions, they tend to keep answering. A social engineer exploits this by asking a question and simply waiting while the target fills the pause.

  3. Social validation: Doing what everyone else is doing. If you look up on a crowded street, others will look up as well.

  4. Liking: Tending to say yes to those we like or find attractive, which is why advertisements use models to generate interest.

  5. Authority: Heeding the advice of those in a position of authority, as in advertisements that claim "4 out of 5 doctors agree."

  6. Scarcity: The less of something there is, the more appealing it becomes, like the popular toy that sells out at Christmas.


Social Engineering Cycle

There are four distinct phases that make up the social engineering cycle : information gathering, development of relationship, exploitation of relationship, and execution to achieve objective. See Figure 6-7.
Figure 6-7

Social engineering cycle


Human-based social engineering involves direct human interaction and includes impersonation, eavesdropping, shoulder surfing, dumpster diving, third-party authorization, and piggybacking (Figure 6-8). For example, an attacker may impersonate an employee using a false identity, or go one step further and assume the identity of an important employee, such as a director or a member of upper management. An attacker may also pose as a technical support person.

Closely related to impersonating an employee is third-party authorization: attackers present themselves as agents authorized by an authority figure to obtain information on that person's behalf.
Figure 6-8

Human-based social engineering techniques

Computer-Based Social Engineering

Computer-based social engineering relies on software to carry out the targeted action. For example, a Trojan horse is malware that appears to be a normal, usable program but carries a hidden malicious payload. A backdoor can be used to bypass the usual authentication methods on a system.

Several other techniques, listed below, can be used to launch computer-based social engineering attacks. It takes only one disgruntled employee to take revenge on an organization by compromising a computer system.
  • Pop-up windows

  • Mail attachments

  • Web sites

  • Instant messenger

  • Phishing

  • Insider attack


A malicious Shark remote administration tool (RAT) payload is built with the IP address and listening port of the attacking machine. The attacker used stolen credentials to map the victim's IPC$ (interprocess communication) share and then used psexec to execute the malicious payload on the remote system. Because this is done with another user's credentials, the activity may draw attention to that individual if network traffic or logs are examined. Review Figure 6-9.
Figure 6-9

Remote shark connection

Prevention Recommendations

An organization can take several steps to reduce the insider threat. Dividing responsibilities among several employees so that no single employee has total control is called separation of duties. Job rotation, moving a single duty among different employees at different times, is similar in concept.

Access control policies must also be implemented throughout the organization to restrict unauthorized access. Logging and auditing of access are detective controls that deter misuse and support investigation, and instituting legal policies (such as signed acceptable-use agreements) and archiving critical data will also help an organization.

General Defense Measures

An effective defense requires planning on the part of management.
  1. Management should develop a set of security goals and assign staff members to those goals.

  2. The company should perform risk management assessments.

  3. Implementing defenses within the company's security policy is essential. Employees need to be made aware of how to handle social engineering threats through policies and security awareness.



The specific countermeasures an organization can implement include training, password policies, operational guidelines, physical security policies, classification of information, access privileges, background checks, an incident response system, and policies and procedures. It all comes down to adequately training employees about these countermeasures, though: users must be able to recognize what kind of information a social engineer can use.


You explored sniffers and social engineering in this chapter. You understand how attackers use sniffing to steal passwords, emails, and files from organizations and individuals. You can also describe the two types of social engineering and the countermeasures to protect organizations and individuals from attack.
