top of page

Network Forensics: Footprinting and Network Sniffing

Hello World! As cyber threats keep evolving, staying ahead is not an option but a necessity. Care to join me as I embark on demystifying the first line of defense and unravelling the basic knowledge and complexities required for protecting your data?

Network Forensics

With the purpose of outsmarting the blackhat peeps, we shall first enlighten ourselves as to what goes on behind the scenes when a hacker tries to break the initial defense, and then under taking it in a realistic but harmless environment.

Footprinting, otherwise known as reconnaissance, is also recognized as the first phase of any cyber-attack in which the threat posers try to gather as much information as possible about the users, systems and network. This gives the attacker the information about vulnerabilities/weaknesses that he can target in his attack to follow. By looking for patterns in the behaviour of people and systems, he could find and exploit a loophole.

There are two types of reconnaissance: Passive reconnaissance and active reconnaissance

In passive reconnaissance, an attacker will not gather information about the victim’s network devices, but rather collect his personal data which is out there in the public records such as organization’s address, phone numbers, news articles, background of that particular organization and so on.

In active reconnaissance, the attacker will gather information about the protected digital or electronic material in which he is required to go around the routers and fire walls. The collected information here includes domain names, system architecture, ports and services, etc.

Sniffing or Network Sniffing is an example of an active recon technique by which an eavesdropper can grab information travelling over a network. The network traffic can be captured and viewed by this process. Mostly, broadcast technology is used in networks, wherein the messages for one computer can be read by other computers as well. In practice, every computer will ignore the message except for which that message has been sent. However, system scan be made to accept any piece of information even if they are not for them.

Network Sniffing

Network Interface Cards (NICs) operate in non-promiscuous mode by default. This means that the NIC will only pass on the traffic which has been addressed to it. If it is not the case then the packets will be discarded. Switching the NIC to the promiscuous mode results in capturing of every packet that may arrive, which means that all the network traffic is passed into the machine regardless of whether it was meant for some other computer or not.

Any system connected to the Local Area Network (LAN) has two addresses. One is the MAC (Media Access Control) address that uniquely identifies each computer (node) in a network and is stored on the network card itself. The second one is the Internet Protocol (IP) address, which is used by applications. The Network Layer manages the mapping of IP network addresses to the MAC. It first looks up the MAC address of the destination system in a table, known as the ARP (Address Resolution Protocol) cache. If no entry is found for the IP address, an ARP request is sent to all machines on the network. The machine having that IP address replies to the source machine with its MAC address. This MAC address is then inserted into the source machine’s ARP cache. The source machine then uses this MAC address to communicate.

There are two major types of Ethernet environments where sniffers work differently:

Shared Ethernet: In this environment, all nodes are connected to a hub and they share bandwidth. All the computers compare the network packet’s destination MAC address with their own and if it doesn’t match then the frame is discarded. A machine running a sniffer has its NIC put into promiscuous mode and can effectively listen to all the network traffic.

Switched Ethernet: In this environment, all nodes are connected to a switch. A switch is an intelligent device, unlike a hub, which sends packets to the destined system only and does not broadcast messages. Hence, putting a computer into promiscuous mode does not work in this case. So, to successfully sniff, here, advanced methods have to be used:

ARP Spoofing: ARP is used to gather MAC addresses of the destination computer that the source machine wishes to communicate. The ARP is stateless, which means it will accept a reply even if it was not requested on the first hand. Ideally for sniffing the traffic originating from a machine, its ARP is spoofed for the gateway of the network. The ARP cache of the target will now have an incorrect entry for the gateway and is said to be poisoned. This way all the traffic destined for the gateway will pass through the machine having the same MAC addresses by which the ARP cache has been poisoned.

MAC Flooding: Switches keeps a translation table which maps various MAC addresses to the physical ports of the switch. This table has a limited memory and hence is vulnerable to overflow of data. MAC flooding takes advantage of this limitation to bombard the switch with fake MAC addresses till it enters into what is known as a “fail-open mode” wherein it starts acting as a hub by broadcasting packets to all the machine s on the network. After this happens, sniffing becomes fairly easy.

Packet sniffers

A tool whose main functionality is to capture (“sniff”) packets being sent/received from/by a computer thereby observing network packet exchanges in a computer. It usually stores and displays the contents of the various protocols and header fields in the captured packets. It is important to note that a packet sniffer itself doesn’t send any packets.

There can be both hardware and software packet sniffers, depending upon the scenario and desired outcome. They can be used to capture login credentials, to eavesdrop on a communication or even capture file transmissions over the network. Hackers do love sniffing in general because it can be done for a long period of time without getting caught.

Out of the variety of tools out there, Wireshark is by far the most prominent network packet analyzer used to examine the network traffic. Not only is it an open-source software but available for all Unix-based and Windows-based OS platforms, both as GUI-based and command-line (T-Shark) utilities.

Getting to know Wireshark is super straightforward and not all difficult to understand. Start experimenting by installing it on a VM and then listen in on a spoofed IP address!

Network Forensics

As you can see, I have applied an icmp filter to acquire ping packets only. The details panel will reflect the information contained in a selected packet, for example, source/destination IP address, size of the packet, protocol and its header data, etc.

Wireshark captures network packets in real-time and displays them in human-readable format. Amongst its many advanced features like - offline analysis, three-pane packet browser, packet details panel, packet display filter, my favourite is the coloring-rules feature.

Network Forensics

It has a predefined set of protocols and rules with specific colour codes which can be even customized by user preference. This helps in analyzing the type of traffic at a glance.

If you are a coder and prefer to write your own programs then perhaps you can start by scripting in python. Scapy is a python module designed for packet sniffing and spoofing. It also uses Berkeley Packet Filter (BPF) syntax to filter packets.

Stay connected with us to explore the diversions of Network Forensics.

Network Forensics

Aditya Arora

Digital Forensic Analyst,

Cyint Technologies


bottom of page