We can then sniff the data and write it to a PCAP file for analysis. The majority of networks we test, there tends to be little or no ARP poisoning defenses in place, and a one-line command, using something like the tool ettercap soon allows you to redirect traffic on the local network via your host to capture all the traffic traversing the network. What an attacker would do would involves creating a man-in-the-middle attack using ARP poisoning techniques.
You could set up a SPAN or mirrored port on your switch, or set up a TAP, but that's assuming you manage your network. You'll see traffic, but mostly only broadcast traffic. Now, on a switched network you can't just fire up your sniffer, and expect to capture all the traffic. This being the case, it is also one of the easiest attack vectors an attacker or disgruntled employee can use on your internal network to extract data, and not get noticed. This is probably one of the cheapest security tools you can use on the network, as it's free, and can find a multitude of potential issues.
Putting a sniffer on the network can not only help you investigate network issues, but also give you a great insight into the "unseeable" security vulnerabilities that are occurring on a daily basis. One of the most important skills in anyone's armory responsible for looking after the security of a corporation's networks should be how to analyze network capture files (PCAP files) obtained from sniffers.
0 kommentar(er)
