Security question-- Remote packet capture

Vask3n Member Posts: 517
While studying for Security+, I frequently came across the topic of hackers remotely capturing packets on a network, as in seeing what other people on other computers are doing on the network from the comfort of the hacker's own computer. How exactly is this possible? Even putting your NIC in promiscuous mode surely wouldn't capture every single packet on the network that is not destined for your computer. Can someone clear this topic up for me?

Thank you.
Working on MS-ISA at Western Governor's University

Comments

  • BubbaJ Member Posts: 323
    Vask3n wrote:
    Even putting your NIC in promiscuous mode surely wouldn't capture every single packet on the network that is not destined for your computer.

    That's exactly what happens - the NIC will grab every frame that it sees, but, in most cases, the higher layers drop the packets and segments. Sniffer-type software will give them a place to go so they won't be dropped. It is not merely putting a NIC into promiscuous mode, but doing it in conjunction with the proper software. Just putting your NIC into promiscuous mode will only result in dragging down your PC.
  • sprkymrk Member Posts: 4,884
    You are on the right track. Books talk about "hackers" capturing packets like it's as easy as starting a game of freecell. However, there are many ways to capture packets and the technique will vary based on circumstances. For instance, as you stated, putting your NIC in promiscuous mode (usually by starting a packet capturing program like TCPDump, WinDump, Ethereal, etc) will allow you to see all broadcast packets on your local subnet (or more correctly "broadcast domain"). You will also see packets destined for other computers if hubs, rather than switches, are in use. If switches are in use, you need to either use port mirroring (by modifying the switch config or finding a port already set that way and using it) or by hosing the switch mac tables with a program like ettercap.

    If you are on a different subnet (say a router in between) you have to get more creative. Spoofing may work, but it's an old trick that is defended against with proper ACLs in place. Setting up a sniffer in-line with your target or target network will see everything that crosses the device, but again this can be hard to do. Physical access to a router closet will do the trick. Or you can use a trojan horse program, convince some unsuspecting fool to install it, and have it sniff traffic and mail or ftp you the data.

    How's that for starters? :)
    All things are possible, only believe.
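Added example (not from the thread): a small Python simulation of the cases sprkymrk describes, a hub, a learning switch, a mirror port and a promiscuous or non-promiscuous NIC, showing which frames a sniffer's stack actually receives. The Hub, LearningSwitch and frames_seen names and the sample MAC addresses are constructed for this example.

```python
import struct

BROADCAST = b"\xff" * 6

def parse_frame(frame):
    """Split an Ethernet II header into (dst MAC, src MAC, EtherType)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    return struct.unpack("!6s6sH", frame[:14])

def is_group(mac):
    """Broadcast/multicast: the low bit of the first octet is set."""
    return bool(mac[0] & 1)

def nic_accepts(frame, own_mac, promiscuous=False):
    """Destination filter a station applies to frames on its wire."""
    dst, _, _ = parse_frame(frame)
    return promiscuous or dst == own_mac or is_group(dst)

class Hub:
    """Repeats every frame out of every port except the one it came in on."""
    def __init__(self, ports):
        self.ports = ports
    def forward(self, in_port, frame):
        return [p for p in self.ports if p != in_port]

class LearningSwitch:
    """Learns source MAC per port; floods only unknown or group destinations."""
    def __init__(self, ports, mirror=None):
        self.ports, self.mirror, self.table = ports, mirror, {}
    def forward(self, in_port, frame):
        dst, src, _ = parse_frame(frame)
        self.table[src] = in_port
        if is_group(dst) or dst not in self.table:
            out = [p for p in self.ports if p != in_port]
        else:
            out = [self.table[dst]] if self.table[dst] != in_port else []
        if self.mirror is not None and self.mirror not in out:
            out.append(self.mirror)  # SPAN/mirror port gets a copy of everything
        return out

def frames_seen(device, traffic, sniff_port, sniff_mac, promiscuous):
    """Frames that reach a sniffer's stack, given the device and the traffic."""
    return [f for port, f in traffic
            if sniff_port in device.forward(port, f) and nic_accepts(f, sniff_mac, promiscuous)]

# Constructed sample traffic: A on port 1, B on port 2, the sniffer S on port 3.
A, B, S = (bytes.fromhex("02000000000" + d) for d in "123")
def eth(dst, src, etype=0x0800):
    return dst + src + struct.pack("!H", etype) + b"payload"
TRAFFIC = [(1, eth(B, A)), (2, eth(A, B)), (1, eth(BROADCAST, A, 0x0806))]
```

On a fresh switch the first A-to-B frame is flooded because B is not yet in the table, so the sniffer catches it; once both stations are learned only broadcasts reach port 3 unless it is the mirror port, and the table-hosing sprkymrk mentions works by keeping the switch in that unlearned state, which is why port security capping learned MACs per port is the usual defence.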