Module 5

Network Attacks: Packet Sniffing, ARP spoofing, port scanning, IP spoofing

1) Packet Sniffing : Packet sniffing, also known as packet analysis or packet capturing, is a
technique used to intercept and inspect data packets flowing across a computer network.
Here's how it works:

a. Capture Packets:

Packet sniffing software, often called a packet sniffer or network analyzer, is installed on a
computer connected to the network.
The packet sniffer captures copies of data packets as they traverse the network, without
modifying or disrupting the flow of traffic.

b. Analyze Packets:

Once captured, the packet sniffer analyzes the contents of each packet, including its
headers and payload.
It can extract various information from the packets, such as source and destination IP
addresses, port numbers, protocol types, packet size, and actual data being transmitted.

c. Inspect Traffic:

The packet sniffer allows network administrators, security analysts, or other users to
inspect network traffic in real-time or to store captured packets for later analysis.
Users can examine the packets to identify patterns, troubleshoot network issues, monitor
network performance, or investigate security incidents.

d. Purpose:

Packet sniffing serves various purposes, including network troubleshooting, performance

monitoring, network security analysis, intrusion detection, and forensic investigation.
It can help identify network problems, such as misconfigurations, bottlenecks, or
unauthorized activities, by providing insights into the actual data flowing through the
network.

e. Privacy and Security Concerns:

While packet sniffing is a valuable tool for network analysis, it also raises privacy and
security concerns.
If used maliciously or without proper authorization, packet sniffing can intercept sensitive
information, such as usernames, passwords, or confidential data, transmitted over the
network.

To mitigate these risks, organizations implement encryption protocols (e.g., SSL/TLS) to

protect sensitive data from interception and use intrusion detection/prevention systems to
detect and block unauthorized packet sniffing activities.
 Overall, packet sniffing is a powerful network analysis technique that provides insights
into network traffic, but it should be used responsibly and within legal and ethical
boundaries to ensure the privacy and security of network communications.

2) ARP Spoofing :

ARP spoofing, also known as ARP poisoning or ARP cache poisoning, is a technique used to
intercept and manipulate network traffic between two communicating devices on a local area
network (LAN). Here's an easy explanation of how it works:

Imagine you're sending a message to your friend in a crowded room. To ensure your message
reaches your friend, you ask everyone in the room for your friend's current location. However, a
sneaky person overhears your request and tells you to deliver the message to them instead,
pretending to be your friend. This is similar to how ARP spoofing works:

1. **Address Resolution Protocol (ARP):**

- In a LAN, devices use ARP to map IP addresses to MAC addresses. When one device wants to
communicate with another, it sends out an ARP request asking for the MAC address associated
with a specific IP address.

2. **Spoofing Attack:**
- An attacker on the same LAN sends out fake ARP replies, pretending to be another device
(often the router or another victim device).
- These fake ARP replies tell other devices on the network that the attacker's MAC address
corresponds to the IP address of the legitimate device, effectively redirecting traffic intended for
that device to the attacker's machine.

3. **Interception and Manipulation:**

- With ARP spoofing in place, the attacker can intercept and manipulate the traffic passing
between the legitimate communicating devices.
- The attacker can eavesdrop on the communication, modify the data being transmitted, or even
inject malicious payloads into the traffic stream.

4. **Consequences:**
- ARP spoofing can be used for various malicious purposes, including man-in-the-middle
attacks, session hijacking, packet sniffing, or network reconnaissance.
- It can lead to data theft, unauthorized access to sensitive information, or the disruption of
network services.

5. **Prevention:** - To mitigate ARP spoofing attacks, network administrators can implement

techniques such as ARP cache validation, static ARP entries, or ARP spoofing detection tools.
- Additionally, using encryption protocols like SSL/TLS can protect sensitive data from being
intercepted and manipulated.

In summary, ARP spoofing is a sneaky tactic used by attackers to intercept and manipulate
network traffic, similar to someone redirecting your message to them instead of your intended
recipient in a crowded room. It's important to be aware of ARP spoofing and take steps to protect
against it to ensure the security of your network communications.

3) Port Scanning :

Port scanning is like checking doors and windows to see if they're open or closed in a house. In
computer networks, it's a technique used to find out which network ports on a target system are
open, closed, or filtered. Here's a simple explanation of how it works:

1. **Ports:**
- In computer networking, ports are like doors or entry points on a system. Each port is
assigned a number and is used for specific types of network communication.

2. **Port Scanner:**
- A port scanner is a tool used by network administrators or hackers to scan a target system's
ports and determine their status (open, closed, or filtered).

3. **Scanning Techniques:**
- Port scanners use different techniques to scan for open ports. The most common technique is
TCP connect scanning, where the scanner tries to establish a full TCP connection with each port
to check if it's open.
- Another technique is SYN scanning (also known as stealth scanning), where the scanner
sends SYN packets to the target ports and analyzes the responses to determine if the ports are
open or closed.

4. **Results:**
- After scanning, the port scanner provides a report showing which ports are open and
accessible, which ports are closed and inaccessible, and which ports are filtered (meaning they
didn't respond to the scan).

5. **Uses:**
- Network administrators use port scanning to identify potential security vulnerabilities in their
systems and to ensure that only necessary ports are open.
- Hackers may use port scanning as a reconnaissance technique to find vulnerable services or
potential entry points into a network for unauthorized access.

6. **Legality:**
- While port scanning itself is not illegal, using it to gain unauthorized access to systems or
networks without permission is considered illegal and unethical.

In essence, port scanning is like checking the doors and windows of a house to see which ones
are open and which ones are closed, but in the context of computer networks, it's used to identify
potential security weaknesses or entry points.

4) IP Spoofing

IP spoofing is a technique used to disguise the source IP address of network packets to hide the
identity of the sender or to impersonate another entity. Here's an easy explanation of how it
works:
Imagine you're sending a letter to your friend, but instead of using your real return address, you
put someone else's address on the envelope. This is similar to how IP spoofing works:

1. **IP Address:**
- In computer networking, devices communicate with each other using IP addresses, which are
like unique identifiers for each device on the internet.

2. **Spoofing Attack:**
- An attacker modifies the source IP address field in the header of network packets to make it
appear as if the packets are coming from a different IP address than the actual sender's.

3. **Disguise or Impersonation:**
- By spoofing the source IP address, the attacker can disguise their identity, making it difficult to
trace the origin of the malicious activity.
- The attacker may also impersonate a trusted entity or server by spoofing its IP address,
leading to potential security breaches or unauthorized access.

4. **Consequences:**
- IP spoofing can be used for various malicious purposes, including distributed denial-of-service
(DDoS) attacks, session hijacking, network reconnaissance, or bypassing access controls.
- It can lead to network disruption, data theft, unauthorized access to systems, or the
compromise of sensitive information.

5. **Prevention:**
- To mitigate IP spoofing attacks, network administrators can implement techniques such as
packet filtering, ingress filtering, egress filtering, or cryptographic authentication protocols like
IPsec.
- Additionally, network monitoring and intrusion detection systems can help detect and prevent
unauthorized traffic originating from spoofed IP addresses.

In summary, IP spoofing is like putting someone else's return address on a letter you're sending,
making it appear as if it came from a different sender. It's important to be aware of IP spoofing and
take steps to prevent and mitigate its potential impact on network security and integrity.