Chapter 5. Sniffing and Spoofing

Network sniffing helps you understand which users are using services you can exploit, and IP spoofing can be used to poison a system's DNS cache so that all of its traffic is sent to a man in the middle (your designated host, for instance); spoofing is also an integral part of most e-mail phishing schemes. Sniffing and spoofing are often used against the Windows endpoints in the network, and you need to understand the techniques that the bad guys are going to be using:

  • Sniffing Network Traffic: There are many tools to sniff network traffic but they all work on the same principle. All TCP/IP packets are readable by your Network Interface Card (NIC). There are hundreds of protocols and thousands of TCP/IP ports. It is safe to say that you will not have to learn about all of them, but you will probably learn about a dozen.
  • Spoofing Network Traffic: TCP/IP is a trusting system. The general assumption underlying the way networks work is that every participant is trustworthy. What happens when a malefactor decides to play tricks with the way network packets are put together? This is spoofing. For example, when an ICMP packet is broadcast to a large number of hosts but its source IP address has been forged to be that of a specific target host, every host that received the broadcast sends an unexpected reply to the victim. This is a Smurf Attack, and it ties up the victim machine. The Smurf Attack is one of many denial of service (DoS) attacks.

Sniffing and spoofing network traffic

You have most likely noticed the motto of Kali Linux: "The quieter you are, the more you are able to hear." This is the heart of sniffing network traffic. You quietly listen to the network, copying every packet on the wire. Every packet is important, or it wouldn't be there. Think about that for a moment with your security hat on. Do you understand why sending passwords in clear text is so bad? Protocols like Telnet, FTP, and HTTP send passwords in clear text instead of an encrypted hash. Any packet sniffer will catch these passwords, and it doesn't take a genius to search the packet capture for terms like "Password". There is no hash to crack; it's just there. You can impress a manager or a client by pulling their clear-text password out of thin air. The bad guys use the same technique to break into networks and steal money and secrets.
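The search described above, turned into a small audit that flags clear-text credentials in captured TCP payloads (FTP USER/PASS and HTTP Basic). This is an added example, not code from the book; the packet records, addresses and credentials below are constructed, and a real run would feed it payloads read from a pcap instead. The password itself is never stored or printed, only its length, so the report can be handed to whoever owns the account.

```python
"""Audit captured TCP payloads for clear-text credentials (added example)."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Finding:
    proto: str
    src: str
    dst: str
    user: str        # reported so the account owner can be told to stop using clear text
    secret_len: int  # the secret itself is deliberately not retained


# HTTP Basic carries base64(user:password): encoding, not encryption.
_BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# FTP sends USER and PASS as separate plain-text commands on port 21.
_FTP_USER_RE = re.compile(rb"^USER\s+(\S+)", re.IGNORECASE | re.MULTILINE)
_FTP_PASS_RE = re.compile(rb"^PASS\s+(\S*)", re.IGNORECASE | re.MULTILINE)


def audit_packets(packets):
    """packets: iterable of (src, dst, dport, payload bytes). Returns a list of Finding."""
    findings = []
    ftp_user = {}  # (src, dst) -> last USER seen, so the following PASS can be paired with it
    for src, dst, dport, payload in packets:
        if dport == 80:
            for m in _BASIC_RE.finditer(payload):
                try:
                    decoded = base64.b64decode(m.group(1), validate=True)
                except ValueError:
                    continue  # malformed header, not a credential
                user, sep, secret = decoded.partition(b":")
                if sep:
                    findings.append(Finding("http-basic", src, dst,
                                            user.decode(errors="replace"), len(secret)))
        elif dport == 21:
            u = _FTP_USER_RE.search(payload)
            if u:
                ftp_user[(src, dst)] = u.group(1).decode(errors="replace")
            p = _FTP_PASS_RE.search(payload)
            if p:
                findings.append(Finding("ftp", src, dst, ftp_user.get((src, dst), "?"),
                                        len(p.group(1))))
    return findings


# Constructed sample records standing in for a capture (not real hosts or accounts).
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\n"),
    ("10.0.0.5", "10.0.0.20", 21, b"PASS hunter2\r\n"),
    ("10.0.0.7", "10.0.0.30", 80, b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
                                  b"Authorization: Basic Ym9iOnMzY3JldA==\r\n\r\n"),
    ("10.0.0.9", "10.0.0.30", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

if __name__ == "__main__":
    for f in audit_packets(SAMPLE_PACKETS):
        print(f"{f.proto}: {f.src} -> {f.dst} user={f.user!r} secret_len={f.secret_len}")
```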

More than just passwords can be found within your copied packets, and packet sniffers are useful for more than harvesting them. They can be useful when looking for an attacker on the network: you can't hide from a packet sniffer. Packet sniffers are also great for network diagnostics. For instance, a sluggish network could be caused by a server with a dying NIC that is chattering away to no one, or by a runaway process tying up many others with its responses.

If sniffing is listening to the network, then spoofing is lying to the network. What you are doing is having the attacking machine lie to the network and pretend to be someone else. With some of the tools below, and with two network cards on the attacking machine, you can even pass the traffic on to the real host and capture all traffic to and from both machines. This is a man-in-the-middle (MitM) attack. In most cases of pen testing you are really only after the password hashes, which can be obtained without a full MitM attack. Just spoofing without passing the traffic on will reveal password hashes in the ARP broadcasts from NetBIOS.

Hacker Tip

Advanced Hacking Lab – If you are planning to run full MitM attacks on your network, you will need a host with at least two NICs in addition to your laptop with Kali Linux installed. Your MitM host can be a virtual or physical server.
