- Home
- Techniques
- Enterprise
- Network Sniffing
Network Sniffing
Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
Procedure Examples
Name | Description |
---|---|
APT28 |
APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.[1][2] APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.[3] |
APT33 |
APT33 has used SniffPass to collect credentials by sniffing network traffic.[4] |
DarkVishnya |
DarkVishnya used network sniffing to obtain login data. [5] |
Emotet |
Emotet has been observed to hook network APIs to monitor network traffic. [6] |
Empire |
Empire can be used to conduct packet captures on target hosts.[7] |
Impacket |
Impacket can be used to sniff network traffic via an interface or raw socket.[8] |
MESSAGETAP |
MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. [9] |
PoshC2 |
PoshC2 contains a module for taking packet captures on compromised hosts.[10] |
Regin |
Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB.[11] |
Responder |
Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.[12] |
Sandworm Team |
Sandworm Team has used intercepter-NG to sniff passwords in network traffic.[13] |
Stolen Pencil |
Stolen Pencil has a tool to sniff the network for passwords. [14] |
Mitigations
Mitigation | Description |
---|---|
Encrypt Sensitive Information |
Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. |
Multi-factor Authentication |
Use multi-factor authentication wherever possible. |
Detection
Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a man-in-the-middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.
References
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
- Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
- Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
- Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
- Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- SecureAuth. (n.d.). Retrieved January 15, 2019.
- Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
- Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
- Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
- Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.
- Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
- ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.