Network Sniffing & Spoofing Lab

Master the Dark Arts of Network Traffic Interception and Manipulation


Introduction to Network Sniffing

Network sniffing is the process of capturing and analyzing network traffic to intercept data packets. This technique is fundamental to network security testing, troubleshooting, and unfortunately, malicious espionage.

Sniffing Fundamentals

  • Captures packets in real-time
  • Requires promiscuous mode (a network interface mode that captures all packets, not just those addressed to it)
  • Works on wired and wireless networks
  • Can decode various protocols

Common Tools

  • Wireshark (GUI-based)
  • tcpdump (command-line)
  • Mobile apps (WiFinspect, zANTI)
  • Hardware TAPs

Infrastructure Requirements

  • SPAN ports / Port mirroring
  • Network TAPs (Test Access Points)
  • Inline monitoring devices
  • Proper network positioning

Sniffing Types

Passive Sniffing

Passive sniffing involves listening to network traffic without injecting any additional packets. This method is stealthy and difficult to detect.

Characteristics

  • No additional traffic generated
  • Works on hubs and wireless networks
  • Difficult to detect
  • Limited by network topology

Best Environments

  • Hub-based networks
  • Wireless networks
  • Networks with port mirroring
  • Physical TAP deployments

Active Sniffing

Active sniffing requires injecting packets or manipulating network devices to redirect traffic. This approach is more detectable but works in switched environments.

Techniques

  • MAC flooding
  • ARP spoofing/poisoning
  • DHCP attacks
  • DNS spoofing

Attack Vectors

  • Switch exploitation
  • Host compromise
  • Malware injection
  • Man-in-the-Middle (MitM)

Hubs vs Switches

Understanding the difference between hubs and switches is critical for effective sniffing attacks.

Feature               Hub                       Switch
OSI Layer             Layer 1 (Physical)        Layer 2 (Data Link)
Traffic Forwarding    Broadcasts to all ports   Forwards to specific port
Collision Domain      Single collision domain   Separate collision domains
Sniffing Difficulty   Easy (passive sniffing)   Difficult (requires active attacks)
MAC Address Learning  None                      Uses CAM table
Performance           Low (shared bandwidth)    High (dedicated bandwidth)

CAM Table Flooding Attack

The Content Addressable Memory (CAM) table stores MAC-address-to-port mappings. Flooding it with frames carrying bogus source MAC addresses fills every entry, so the switch can no longer learn legitimate addresses and floods frames for unknown destinations out of all ports, behaving like a hub (fail-open).

CAM Table Structure

Each entry contains: VLAN ID, MAC Address, Port ID, and Learning Status

Normal Operation

VLAN ID  MAC Address        Port ID  Learning Mode
1        00:1A:2B:3C:4D:5E  Fa0/1    Dynamic
1        00:1A:2B:3C:4D:5F  Fa0/2    Dynamic
1        00:1A:2B:3C:4D:60  Fa0/3    Dynamic

# Using macof to flood the CAM table
$ macof -i eth0 -n 1000
# This sends 1000 frames, each with a random source MAC address
# Once the table is full the switch can no longer learn new addresses and floods unknown-destination frames to all ports
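The fail-open behaviour described above, as an added example that is not part of the lab's material: a Python model of a switch whose CAM table has a fixed number of entries. It shows unicast staying private while the table has room, the flood filling it, and the same unicast being flooded to every port once the legitimate entries have aged out. The port names, the table size (64 entries, far smaller than a real switch) and the MAC addresses are constructed for the demonstration.

```python
# Added example (not the lab's own code): a model of a switch CAM table with a fixed
# number of entries, used to show why flooding it makes the switch fail open, and the
# per-port measurement a defender watches for it. The port names, the table size and
# the MAC addresses are constructed; real tables hold thousands of entries.
import random
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """CAM table maps (vlan, mac) -> port and holds at most `capacity` entries.
    Like a real switch, the model stops learning when full instead of evicting."""

    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity
        self.cam = {}                 # (vlan, mac) -> port
        self.learn_failures = 0       # learn attempts rejected because the table was full
        self.flooded = 0              # frames sent out every port (unknown unicast or broadcast)

    def learn(self, vlan, src_mac, in_port):
        key = (vlan, src_mac)
        if key in self.cam:
            self.cam[key] = in_port   # refresh, or move if the host changed port
        elif len(self.cam) < self.capacity:
            self.cam[key] = in_port
        else:
            self.learn_failures += 1  # table full: the source stays unknown

    def forward(self, vlan, src_mac, dst_mac, in_port):
        """Return the egress ports for one frame after learning its source."""
        self.learn(vlan, src_mac, in_port)
        out = self.cam.get((vlan, dst_mac))
        if dst_mac != BROADCAST and out is not None:
            return [out]              # known unicast: only the owner's port sees it
        self.flooded += 1
        return [p for p in self.ports if p != in_port]


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def flood_demo(capacity=64, attack_frames=1000, seed=1):
    """Constructed scenario: hosts A and B on Fa0/1 and Fa0/2, a flooding station on Fa0/3."""
    rng = random.Random(seed)
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], capacity)
    host_a, host_b = "00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"

    # Before the flood: A and B exchange frames, both are learned, unicast stays private.
    sw.forward(1, host_a, BROADCAST, "Fa0/1")
    sw.forward(1, host_b, host_a, "Fa0/2")
    before = sw.forward(1, host_a, host_b, "Fa0/1")

    # The flood: frames with random source MACs arrive on Fa0/3 until the table is full.
    src_macs_per_port = defaultdict(set)
    for _ in range(attack_frames):
        mac = random_mac(rng)
        src_macs_per_port["Fa0/3"].add(mac)
        sw.forward(1, mac, random_mac(rng), "Fa0/3")

    # Real switches age out idle dynamic entries (commonly after 300 s); the model removes
    # A's and B's entries explicitly to stand in for that, while the flood keeps running
    # and immediately takes the freed slots.
    sw.cam.pop((1, host_a), None)
    sw.cam.pop((1, host_b), None)
    for _ in range(10):
        sw.forward(1, random_mac(rng), random_mac(rng), "Fa0/3")

    # B speaks again but cannot be re-learned, so A's unicast to B is flooded and reaches Fa0/3.
    sw.forward(1, host_b, host_a, "Fa0/2")
    after = sw.forward(1, host_a, host_b, "Fa0/1")

    return {
        "before": before,
        "after": after,
        "learn_failures": sw.learn_failures,
        # The number a port-security limit or a monitoring rule keys on: one port, many source MACs.
        "distinct_src_macs_on_Fa0/3": len(src_macs_per_port["Fa0/3"]),
    }


if __name__ == "__main__":
    print(flood_demo())
```

Running it prints `before` as ["Fa0/2"] and `after` as ["Fa0/2", "Fa0/3"]: the same frame from A to B that only B's port carried before the flood now also leaves the flooding station's port. The last value in the result is the tell-tale a switch's port-security counter or a NetFlow/SNMP monitor sees: roughly a thousand distinct source MACs on one access port against one on each of the others.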

Network Topology & Attack Flow (interactive diagram, not reproduced in this text)

MAC Spoofing & Switch Port Stealing

MAC spoofing allows an attacker to impersonate another device on the network, enabling switch port stealing and traffic interception.

Attack Process

  1. Identify target MAC address
  2. Change attacker's MAC to match
  3. Flood switch with frames
  4. Poison ARP caches
  5. Intercept traffic

Common Tools

  • macchanger (Linux)
  • Technitium MAC Address Changer
  • Windows Registry editing
  • SMAC (Spoof MAC Address)

Defense Mechanisms

  • Port security (limit MAC addresses)
  • Static CAM entries
  • 802.1X authentication
  • MAC address monitoring

# Linux MAC spoofing with macchanger
$ ifconfig eth0 down
$ macchanger -m 00:11:22:33:44:55 eth0
$ ifconfig eth0 up

# Windows Registry method
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001
NetworkAddress = "001122334455"

VLAN Hopping Attacks

VLAN hopping allows attackers to bypass network segmentation by jumping between VLANs.

Switch Spoofing

The attacker negotiates a trunk link with the switch using Dynamic Trunking Protocol (DTP), gaining access to all VLANs.

Attack Steps

  • Send DTP negotiation frames
  • Force switch port into trunk mode
  • Receive traffic from all VLANs
  • Send traffic to any VLAN

# Using Yersinia for DTP attack
$ yersinia -G # GUI mode
# Select DTP protocol
# Enable trunk on interface

Double Tagging

The attacker sends frames carrying two 802.1Q tags. The first switch strips the outer tag (which matches the trunk's native VLAN) and forwards the frame over the trunk; the second switch reads the remaining inner tag and delivers the frame into the target VLAN.

Ethernet Frame with Double 802.1Q Tags

Destination MAC          FF:FF:FF:FF:FF:FF
Source MAC               00:11:22:33:44:55
Outer 802.1Q (VLAN 1)    TPID 0x8100, TCI 0x0001
Inner 802.1Q (VLAN 20)   TPID 0x8100, TCI 0x0014
EtherType                0x0800 (IPv4)
Payload                  Data...

In each tag the 16-bit TCI carries the priority and DEI bits in its top four bits and the 12-bit VLAN ID in the rest: 0x0001 is VLAN 1 and 0x0014 is VLAN 20.

Requirements & Limitations

  • Attacker's access port must be in the trunk's native VLAN (usually VLAN 1), and the native VLAN must be carried untagged
  • One-way attack (can send, not receive)
  • First switch strips outer tag
  • Second switch routes based on inner tag
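Parsing the frame shown above, as an added example that is not part of the lab's material: a Python Ethernet parser that walks any number of stacked 802.1Q tags and a defender-side classifier that flags a tagged or double-tagged frame arriving on an access port, where frames should carry no tag at all. The sample frame bytes are constructed to match the diagram (outer VLAN 1, inner VLAN 20, IPv4 payload); the helper that builds them is part of the example, not a real tool.

```python
# Added example (not part of the lab): an Ethernet parser that walks stacked 802.1Q
# tags, so a capture tool can recognise the double-tagged frame drawn above and flag
# it when it arrives on an access port. The sample frame bytes are constructed to
# match the diagram: outer VLAN 1, inner VLAN 20, IPv4 payload.
import struct

VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}        # 802.1Q, 802.1ad (QinQ), legacy QinQ
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Return dst, src, the list of VLAN tags (outermost first), the final EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType field")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in VLAN_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4                                # each tag is TPID (2 bytes) + TCI (2 bytes)
    return {"dst": dst, "src": src, "tags": tags, "ethertype": ethertype,
            "ethertype_name": ETHERTYPE_NAMES.get(ethertype, f"0x{ethertype:04x}"),
            "payload": frame[offset + 2:]}


def build_frame(dst, src, vids, ethertype, payload):
    """Construct a frame with one 802.1Q tag per VLAN ID (PCP 0, DEI 0); test helper only."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        header += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def classify_on_access_port(frame):
    """Defender-side rule: frames entering an access port should carry no tag at all.
    One tag is unexpected; two or more is the double-tagging signature."""
    tags = parse_frame(frame)["tags"]
    if len(tags) >= 2:
        return "double-tagged"
    return "tagged" if tags else "untagged"


# Constructed sample frames: the diagram's double-tagged frame and a plain ARP frame.
DOUBLE_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 20], 0x0800, b"Data...")
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [], 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    for name, frame in (("double-tagged", DOUBLE_TAGGED), ("untagged", UNTAGGED)):
        parsed = parse_frame(frame)
        print(name, [t["vid"] for t in parsed["tags"]], parsed["ethertype_name"], classify_on_access_port(frame))
```

The parser loops rather than reading a fixed single tag because that is exactly the property the attack relies on: a switch that pops one tag and forwards the rest. Feeding it the first frame gives VLAN IDs [1, 20] and EtherType IPv4; truncated input raises instead of reading past the buffer.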

Advanced Switched Network Attacks

STP Attack

  • Spanning Tree Protocol manipulation
  • Become Root Bridge
  • Intercept all inter-switch traffic
  • Send BPDU frames advertising a lower bridge priority value (the lowest bridge ID wins the root election)

# Using Yersinia for STP attack
$ yersinia -G
# Claim Root Role

DHCP Starvation

  • Exhaust DHCP IP pool
  • Send DHCP requests with spoofed MACs
  • Prevent legitimate clients from getting IPs
  • Enable rogue DHCP server attack

# Using DHCPig for starvation
$ pig.py eth0 --exhaust

Rogue DHCP Server

  • Deploy after DHCP starvation
  • Provide malicious DNS server
  • Set attacker as default gateway
  • Complete MitM position

# Setup rogue DHCP with dnsmasq
$ dnsmasq --dhcp-range=192.168.1.100,192.168.1.200

Wireshark Filter Builder

Build custom Wireshark display filters to analyze specific network traffic.

Select Filter Criteria

Criterion               Filter
IP Address              ip.addr == 192.168.1.1
TCP Port                tcp.port == 80
HTTP Traffic            http
ARP Packets             arp
ICMP (Ping)             icmp
DNS Queries             dns
MAC Address             eth.addr == ...
SYN Packets             tcp.flags.syn == 1
Exclude ARP/ICMP/DNS    !(arp or icmp or dns)


Common Filter Examples

Capture Credentials

http.request.method == "POST"

Detect ARP Spoofing

arp.duplicate-address-detected

Find Large Packets

frame.len > 1000

Track Conversations

ip.addr == 192.168.1.1 and tcp.port == 443

Defense Mechanisms

Implement these security controls to protect against sniffing and spoofing attacks.

Port Security

  • Limit MAC addresses per port
  • Static MAC address binding
  • Violation actions (shutdown, restrict)
  • Sticky MAC learning

# Cisco port security config (applied under the access interface; the port must be in access mode)
interface Fa0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
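What those commands make the switch do, as an added example that is neither the lab's nor Cisco's code: a Python model of port security with a per-port limit on source MACs, the three violation modes (shutdown, restrict, protect) and sticky versus dynamic learning, exercised with two legitimate hosts followed by a third source MAC on the same port. Port names and MAC addresses are constructed.

```python
# Added example (not the lab's or Cisco's code): a model of the port-security behaviour the
# switchport port-security commands configure: a per-port limit on source MACs, the three
# violation modes, and sticky versus dynamic learning. Port names and MACs are constructed.
class PortSecurity:
    def __init__(self, maximum=2, violation="shutdown", sticky=False):
        assert violation in ("shutdown", "restrict", "protect")
        self.maximum, self.violation, self.sticky = maximum, violation, sticky
        self.secure = {}        # port -> {mac: "static" | "dynamic" | "sticky"}
        self.err_disabled = set()
        self.violations = {}    # port -> count (what 'restrict' reports via syslog/SNMP)

    def add_static(self, port, mac):
        """switchport port-security mac-address <mac>: a fixed entry that counts against the maximum."""
        self.secure.setdefault(port, {})[mac] = "static"

    def ingress(self, port, src_mac):
        """Decide what happens to a frame with source src_mac arriving on port."""
        if port in self.err_disabled:
            return "dropped: port err-disabled"
        table = self.secure.setdefault(port, {})
        if src_mac in table:
            return "forwarded"
        if len(table) < self.maximum:
            table[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forwarded (learned)"
        self.violations[port] = self.violations.get(port, 0) + 1
        if self.violation == "shutdown":
            self.err_disabled.add(port)          # the whole port goes err-disabled until recovery
            return "dropped: violation, port shut down"
        if self.violation == "restrict":
            return "dropped: violation, counter incremented and logged"
        return "dropped: violation (protect mode, silent)"

    def reload(self):
        """Switch reload with the config saved: dynamic entries are lost, sticky entries were
        written to the running config and survive, and err-disabled ports come back up."""
        for table in self.secure.values():
            for mac in [m for m, kind in table.items() if kind == "dynamic"]:
                del table[mac]
        self.err_disabled.clear()


def demo(violation="shutdown", sticky=False):
    """Two legitimate hosts on Fa0/1, then a third source MAC (a flood, or a new device) appears."""
    ps = PortSecurity(maximum=2, violation=violation, sticky=sticky)
    a, b, c = "00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f", "de:ad:be:ef:00:01"
    results = [ps.ingress("Fa0/1", a), ps.ingress("Fa0/1", b), ps.ingress("Fa0/1", c),
               ps.ingress("Fa0/1", a)]            # does host A still get through after the violation?
    ps.reload()
    results.append(ps.ingress("Fa0/1", c))        # after a reload, is the third MAC accepted?
    return results, ps.violations.get("Fa0/1", 0)


if __name__ == "__main__":
    for args in ({}, {"violation": "restrict"}, {"sticky": True}):
        print(args, demo(**args))
```

The three runs show the trade-off the violation modes make: shutdown takes host A offline along with the offender, restrict keeps A working and counts the violation, and protect drops silently with nothing for an operator to see. The sticky run shows why the bullet above matters: without sticky, a reload empties the table and the third MAC is simply learned; with it, the saved addresses are still there and the violation fires again.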

DHCP Snooping

  • Validate DHCP messages
  • Build trusted binding database
  • Rate-limit DHCP traffic
  • Block rogue DHCP servers

# Enable DHCP snooping
ip dhcp snooping
ip dhcp snooping vlan 1
interface Gi0/1
 ip dhcp snooping trust

Dynamic ARP Inspection (DAI)

  • Validate ARP packets
  • Uses DHCP snooping database
  • Drop invalid ARP responses
  • Prevent ARP poisoning

# Enable DAI
ip arp inspection vlan 1
interface Gi0/1
 ip arp inspection trust
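How DHCP snooping and DAI work together, as an added example that is neither the lab's nor any vendor's code: a Python model in which the snooping filter drops server messages on untrusted ports, rate-limits client messages, and records the leases it sees into a binding table, and the ARP inspector then checks every ARP packet from an untrusted port against that table. It also serves the "Detect ARP Spoofing" filter in the Wireshark section above, since the same IP-to-MAC mismatch is what that filter flags in a capture. The port names, MAC addresses, IP addresses and messages are constructed: one legitimate lease, a rogue OFFER from an access port, a starvation burst, and two spoofed ARP replies.

```python
# Added example (not the lab's or any vendor's code): a software model of DHCP snooping
# feeding a binding table to Dynamic ARP Inspection, exercised with constructed DHCP and
# ARP messages, including a rogue OFFER, a starvation burst and a spoofed gateway reply.
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE"}


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    trusted_ports: set                             # uplinks toward the real DHCP server
    rate_limit: int = 10                           # client DHCP messages allowed per untrusted port
    bindings: dict = field(default_factory=dict)   # mac -> Binding
    pending: dict = field(default_factory=dict)    # mac -> (port, vlan) of the REQUEST in flight
    counts: dict = field(default_factory=dict)     # port -> client DHCP messages seen
    log: list = field(default_factory=list)

    def dhcp(self, msg):
        """DHCP snooping filter for one message; returns 'forward' or 'drop'."""
        port, kind = msg["port"], msg["type"]
        trusted = port in self.trusted_ports
        if kind in SERVER_MSGS and not trusted:
            self.log.append(f"{port}: dropped {kind}, server messages not allowed on untrusted port")
            return "drop"
        if kind in CLIENT_MSGS and not trusted:
            self.counts[port] = self.counts.get(port, 0) + 1
            if self.counts[port] > self.rate_limit:
                self.log.append(f"{port}: dropped {kind}, rate limit exceeded")
                return "drop"
            if msg["chaddr"] != msg["eth_src"]:    # MAC-address verification
                self.log.append(f"{port}: dropped {kind}, chaddr does not match source MAC")
                return "drop"
            if kind == "REQUEST":
                self.pending[msg["chaddr"]] = (port, msg["vlan"])
            if kind == "RELEASE":
                self.bindings.pop(msg["chaddr"], None)
        if kind == "ACK" and msg["chaddr"] in self.pending:
            client_port, vlan = self.pending.pop(msg["chaddr"])
            self.bindings[msg["chaddr"]] = Binding(msg["chaddr"], msg["yiaddr"], vlan, client_port)
        return "forward"

    def arp(self, pkt):
        """Dynamic ARP Inspection: on untrusted ports the sender MAC/IP must match a binding
        learned by snooping; this model also requires the ingress port and VLAN to match."""
        port = pkt["port"]
        if port in self.trusted_ports:
            return "forward"
        b = self.bindings.get(pkt["sender_mac"])
        if b is None or (b.ip, b.vlan, b.port) != (pkt["sender_ip"], pkt["vlan"], port):
            self.log.append(f"{port}: dropped ARP, {pkt['sender_mac']} claims {pkt['sender_ip']}")
            return "drop"
        return "forward"


def demo():
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"}, rate_limit=5)
    host = "00:1a:2b:3c:4d:5e"
    attacker = "de:ad:be:ef:00:01"
    # Normal lease: host on Fa0/2, the real server behind the trusted uplink Gi0/1.
    sw.dhcp({"port": "Fa0/2", "type": "DISCOVER", "chaddr": host, "eth_src": host, "vlan": 1})
    sw.dhcp({"port": "Fa0/2", "type": "REQUEST", "chaddr": host, "eth_src": host, "vlan": 1})
    sw.dhcp({"port": "Gi0/1", "type": "ACK", "chaddr": host, "yiaddr": "192.168.1.100", "vlan": 1})
    r = {"binding": sw.bindings[host]}
    # A rogue DHCP server answering from an access port.
    r["rogue_offer"] = sw.dhcp({"port": "Fa0/3", "type": "OFFER", "chaddr": host,
                                "yiaddr": "192.168.1.150", "vlan": 1})
    # Starvation burst: DISCOVERs with a different spoofed MAC each, all from Fa0/3.
    burst = [sw.dhcp({"port": "Fa0/3", "type": "DISCOVER", "chaddr": f"{attacker[:-2]}{i:02x}",
                      "eth_src": f"{attacker[:-2]}{i:02x}", "vlan": 1}) for i in range(8)]
    r["starvation_dropped"] = burst.count("drop")
    # ARP: the host's own reply, a reply claiming the gateway's IP, and one reusing the host's lease.
    r["arp_host"] = sw.arp({"port": "Fa0/2", "sender_mac": host, "sender_ip": "192.168.1.100", "vlan": 1})
    r["arp_gateway_spoof"] = sw.arp({"port": "Fa0/3", "sender_mac": attacker, "sender_ip": "192.168.1.1", "vlan": 1})
    r["arp_host_spoof"] = sw.arp({"port": "Fa0/3", "sender_mac": host, "sender_ip": "192.168.1.100", "vlan": 1})
    r["log"] = sw.log
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things the run makes visible that the config lines alone do not: the binding table is built from the REQUEST/ACK pair, so a host that configures a static IP never gets an entry and its ARP traffic is dropped unless it is added as a static binding (or sits on a trusted port); and DAI only protects the ports you leave untrusted, so marking an access port trusted to silence the drops removes the protection for that port.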

Private VLANs

  • Isolate hosts within same VLAN
  • Promiscuous, isolated, community
  • Prevent lateral movement
  • Enhanced network segmentation

Disable DTP

  • Prevent trunk negotiation
  • Manually configure trunk ports
  • Mitigate VLAN hopping
  • Explicit port configuration

# Disable DTP
switchport mode access
switchport nonegotiate

Encryption

  • Use HTTPS, SSH, TLS
  • Encrypt sensitive data
  • VPN for remote access
  • WPA3 for wireless

Knowledge Assessment Quiz

Test your understanding of network sniffing and spoofing concepts. Complete all 12 questions to earn your XP reward.