Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.User credentials may be sent over an insecure, unencrypted protocol that can be captured and obtained through network packet analysis. An adversary may place a network interface into promiscuous mode, using a utility to capture traffic in transit over the network or use span ports to capture a larger amount of data. In addition, techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning, can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Detection: Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a man-in-the-middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.
Platforms: Linux, macOS, Windows
Data Sources: Network device logs, Host network interface, Netflow/Enclave netflow
Permissions Required: Administrator, SYSTEM
System Requirements: Network interface access and packet capture driver
Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| interface | Specify interface to perform PCAP on. | String | ens33 |
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
Perform a PCAP on MacOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
Supported Platforms: macOS
| Name | Description | Type | Default Value |
|---|---|---|---|
| interface | Specify interface to perform PCAP on. | String | en0A |
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark installed, along with WinPCAP. Windump will require the windump executable.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| interface | Specify interface to perform PCAP on. | String | Ethernet0 |
c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5
c:\windump.exe
Perform a packet capture using PowerShell with windump or tshark. This will require a host that has Wireshark/Tshark installed, along with WinPCAP. Windump will require the windump executable.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| interface | Specify interface to perform PCAP on. | String | Ethernet0 |
c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5
c:\windump.exe