TheKingUnderTheHill Posted November 20, 2012
I'm currently studying a computer security course at university. We basically have to write a report on a subject we choose, and I've chosen packet sniffing. The issue is that we get to use the Admin Computer Lab for about an hour a week, nowhere near enough time to get anything productive done. So I tried gathering some information using Wireshark and I only seem to get my own traffic, which isn't very useful. I've tried other tools and they all have the same problem. Does anyone have a fix? Cheers.
digininja Posted November 20, 2012
Do some reading up on switched networks; that will explain why you only see your own and broadcast traffic. You need to either use a hub or get in the middle of the traffic somehow. The easiest way to learn is to put a few VMs on a machine, then you see all the traffic, so you can have a sniffing machine to play with and a couple of victims.
TheKingUnderTheHill (Author) Posted November 20, 2012
Ah, I get it now, I was just wondering how they had it set up (was hardly going to go ask). I'll set up a little VM lab to test it all on. Although, from a theoretical point of view (e.g. pentesting a corporate network set up the same way), how would an attacker go about intercepting the traffic?
digininja Posted November 20, 2012
The usual way is to use ARP cache poisoning between the devices you want to listen in on. Basically you tell each of them that you are the other, so they send you their traffic and you sniff it and pass it on. Or you get access to a switch and change your port to a SPAN port, then listen to everything.
parity Posted December 30, 2012
> The usual way is to use arp cache poisoning between the devices you want to listen in on. Basically you tell each of them that you are the other so they send you their traffic and you sniff it and pass it on. Or you get access to a switch and change your port to a span port then listen to everything.
Could you please tell me how this is done? Or is this only possible on professional-grade Cisco switches, and can't be used if connected to the hub part of a wifi router?
telot Posted December 30, 2012
Parity: I recently learned about this by way of Security Onion. I needed a way to sniff all my traffic in order to run snort and snorby and all these awesome intrusion detection tools (which work best by sniffing the entire network's traffic). For the most part, yes, you'll find these "span" ports on commercial, industry-grade switches (mega $$$), but there is a cheap alternative. The company is kind of no-name (Mikrotik), but the product is totally sound. I've been using it for months and it works as advertised without fail. http://www.roc-noc.c...rd/rb250gs.html
TheKingUnderTheHill: Another option is to sneak a passive LAN tap in there. You can buy one of the two available on the hakshop, or you can build your own quite easily with some spare cat5 cable and some female ends, which you can pick up at home depot...hehe pick up some females at home depot...
telot
Edited December 30, 2012 by telot
Pwnd2Pwnr Posted December 31, 2012
Wow, Telot. That is the cheapest hub switch I have ever seen. Good find.
digininja Posted December 31, 2012
You could buy a tap from the Hak Shop and drop that in place on the network so it intercepts traffic which you can then sniff.
Infiltrator Posted January 5, 2013
> Could you please tell how this is done? Or is this only possible on professional grade Cisco switches, and can't be used if connected to the hub part of a wifi router?
Using a network hub, or the man in the middle suite, will get what you want. As Digininja stated earlier, ARP poisoning will usually overcome the hurdles that a switch puts in place. So I'd suggest you look into either Cain and Abel or Ettercap.