Network Sniffing

ID: T1040
Tactic: Credential Access
Platform: Linux, macOS, Windows
System Requirements: Network interface access and packet capture driver
Permissions Required: Administrator, SYSTEM
Data Sources: Network device logs, Host network interface, Netflow/Enclave netflow

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.

User credentials may be sent over an insecure, unencrypted protocol, where they can be captured and recovered through network packet analysis. An adversary may place a network interface into promiscuous mode and use a utility to capture traffic in transit over the network, or use span ports to capture a larger amount of data. In addition, techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning, can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.


  • APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials. [1]
  • Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB. [2]
  • Responder captures hashes and credentials that are sent to the system after the name services have been poisoned. [3]


Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration.

Identify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting [4] tools, like AppLocker, [5][6] or Software Restriction Policies [7] where appropriate. [8]


Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a man-in-the-middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.
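
The ARP monitoring described above can be sketched as follows. This is an added example, not part of the original page: it parses raw Ethernet frames, flags gratuitous ARP announcements, and flags an IP address that moves to a different MAC than the one first seen. The function names, the addresses, and the sample frames are all constructed for illustration.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Parse an Ethernet frame; return ARP fields or None if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": _mac(frame[22:28]), "spa": _ip(frame[28:32]),
            "tpa": _ip(frame[38:42])}

def find_arp_anomalies(frames):
    """Return (frame_index, reason, ip, mac) tuples for suspicious ARP traffic."""
    bindings, alerts = {}, []
    for i, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is None or arp["spa"] == "0.0.0.0":   # skip non-ARP and ARP probes
            continue
        ip, mac = arp["spa"], arp["sha"]
        if ip == arp["tpa"]:                          # sender announces its own IP
            alerts.append((i, "gratuitous", ip, mac))
        if ip in bindings and bindings[ip] != mac:    # IP moved to a different MAC
            alerts.append((i, "binding-change", ip, mac))
        bindings.setdefault(ip, mac)                  # first-seen binding is the baseline
    return alerts

def make_arp(op, sha, spa, tha, tpa):
    """Build a constructed broadcast ARP frame for the sample data below."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return (b"\xff" * 6 + mac(sha) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

# Constructed sample capture: a normal request/reply pair, then an unsolicited
# announcement that rebinds the gateway IP to a different MAC.
SAMPLE_FRAMES = [
    make_arp(1, "02:00:00:00:00:05", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
    make_arp(2, "02:00:00:00:00:01", "10.0.0.1", "02:00:00:00:00:05", "10.0.0.5"),
    make_arp(2, "02:00:00:00:00:99", "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.1"),
    b"\x00" * 60,  # non-ARP frame, ignored
]

if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE_FRAMES):
        print(alert)
```

Gratuitous ARP also occurs legitimately (failover, address changes), so the "gratuitous" flag alone is a lead to triage; the binding change for a gateway or server address is the stronger signal.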