Sniffer Problem


TheKingUnderTheHill

I'm currently studying a computer security course at university. We basically have to write a report on a subject we choose, and I've chosen packet sniffing. The issue is that we get to use the Admin Computer Lab for about an hour a week, nowhere near enough time to get anything productive done.

So I tried gathering some information using Wireshark and I only seem to get my own traffic, which isn't very useful. I've tried other tools and they all have the same problem. Does anyone have a fix? Cheers.


Do some reading up on switched networks; that will explain why you only see your own and broadcast traffic. You need to either use a hub or get in the middle of the traffic somehow. The easiest way to learn is to put a few VMs on a machine; then you see all the traffic, so you can have a sniffing machine to play with and a couple of victims.


The usual way is to use ARP cache poisoning between the devices you want to listen in on. Basically you tell each of them that you are the other, so they send you their traffic and you sniff it and pass it on. Or you get access to a switch and change your port to a SPAN port, then listen to everything.


  • 1 month later...

The usual way is to use ARP cache poisoning between the devices you want to listen in on. Basically you tell each of them that you are the other, so they send you their traffic and you sniff it and pass it on. Or you get access to a switch and change your port to a SPAN port, then listen to everything.

Could you please tell me how this is done? Or is this only possible on professional-grade Cisco switches, and can't be used if connected to the hub part of a Wi-Fi router?


Parity: I recently learned about this by way of Security Onion. I needed a way to sniff all my traffic in order to run Snort and Snorby and all these awesome intrusion detection tools (which work best by sniffing the entire network's traffic). For the most part, yes, you'll find these "SPAN" ports on commercial, industry-grade switches (mega $$$), but there is a cheap alternative. The company is kind of no-name (MikroTik), but the product is totally sound. I've been using it for months and it works as advertised without fail.

http://www.roc-noc.c...rd/rb250gs.html

TheKingUnderTheHill: Another option is to sneak a passive LAN tap in there. You can buy one of the two available on the HakShop, or you can build your own quite easily with some spare Cat5 cable and some female ends, which you can pick up at Home Depot...hehe pick up some females at Home Depot...

telot


Could you please tell me how this is done? Or is this only possible on professional-grade Cisco switches, and can't be used if connected to the hub part of a Wi-Fi router?

Using a network hub, or the man in the middle suite will get what you want.

As Digininja stated earlier, ARP poisoning will usually overcome the hurdles that a switch puts in place.

So I'd suggest you look into either Cain and Abel or Ettercap.
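
Added example, not part of any post in this thread: the ARP cache poisoning described above leaves a recognisable trace, because one MAC address starts answering for IP addresses that previously belonged to other MACs. The sketch below flags that pattern in a list of observed ARP replies; the log format, the addresses and the trust-on-first-use baseline are assumptions made for the example.

```python
"""Flag ARP cache poisoning in a list of observed ARP replies."""
from collections import defaultdict

# Constructed sample, one ARP reply per line: "<seconds> <sender IP> <sender MAC>".
# All addresses are made up (192.0.2.0/24 is a documentation range).
SAMPLE = """\
0.0 192.0.2.1 aa:aa:aa:00:00:01
0.4 192.0.2.10 aa:aa:aa:00:00:10
1.1 192.0.2.20 aa:aa:aa:00:00:20
30.2 192.0.2.1 aa:aa:aa:00:00:20
30.3 192.0.2.10 aa:aa:aa:00:00:20
31.0 192.0.2.1 AA-AA-AA-00-00-20
60.5 192.0.2.30 aa:aa:aa:00:00:30
"""

def parse(text):
    """Yield (timestamp, ip, mac) with the MAC normalised to aa:bb:cc form."""
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        yield float(parts[0]), parts[1], parts[2].lower().replace("-", ":")

def detect(text):
    """Return (alerts, suspects) for the replies in `text`.

    alerts   - one (ts, ip, baseline_mac, new_mac) per new conflicting claim
    suspects - MACs that took over two or more IPs, i.e. a host that tells
               each side of a conversation that it is the other
    """
    baseline = {}               # ip -> first MAC seen (assumed legitimate)
    claims = defaultdict(set)   # mac -> IPs it claimed that belong to another MAC
    alerts = []
    for ts, ip, mac in parse(text):
        owner = baseline.setdefault(ip, mac)
        if owner != mac and ip not in claims[mac]:
            claims[mac].add(ip)
            alerts.append((ts, ip, owner, mac))
    # A single rebind can be benign (replaced NIC, DHCP reuse); two or more
    # taken-over IPs behind one MAC is the man-in-the-middle signature.
    suspects = {m: sorted(ips) for m, ips in claims.items() if len(ips) >= 2}
    return alerts, suspects

if __name__ == "__main__":
    found, hosts = detect(SAMPLE)
    for ts, ip, old, new in found:
        print(f"{ts:6.1f}s {ip} moved from {old} to {new}")
    print("suspect MACs:", hosts)
```

In practice the baseline would come from a known-good inventory or DHCP lease data rather than from whichever reply happened to arrive first.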
