Slide 11 of 16
- One of the most common network-based attacks left behind after a host compromise is a network “sniffer”. Placing a sniffer requires superuser privileges on the host, so it is usually installed after the host has already been compromised.
- As mentioned earlier, the goal is either to gain access to further accounts as a base for other attacks, or to collect information to be used against the organization (espionage, blackmail, etc.).
- Sniffers can take the form of trojan programs that record the first few keystrokes of a session (a trojaned ‘telnet’ or ‘ftp’ executable), or of programs that sit in the background, listening to traffic on an Ethernet port and recording information sent to ‘interesting’ services running on the LAN.
- In a shared-media network environment, a sniffer running with the interface in promiscuous mode can see traffic from other machines on the same segment.
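The promiscuous-mode detail above gives defenders a host-side check: on Linux the interface flags word (readable from `/sys/class/net/<iface>/flags`, or shown as the PROMISC token by `ip link`) carries the IFF_PROMISC bit. The following is an added example, not part of the original slides; the `ip link` sample text is constructed, and the sysfs path and the 0x100 flag value are Linux conventions assumed here.

```python
import os
import re

IFF_PROMISC = 0x100  # Linux IFF_PROMISC bit in the interface flags word (assumed value)


def promisc_from_flags(flags_hex: str) -> bool:
    """Parse the hex flags word found in /sys/class/net/<iface>/flags."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def promisc_interfaces_from_ip_link(output: str) -> list[str]:
    """Return interface names whose `ip link show` line carries the PROMISC flag."""
    found = []
    for line in output.splitlines():
        # Header lines look like "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu ..."
        m = re.match(r"^\d+:\s+([^:@]+)[^<]*<([^>]*)>", line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


# Constructed sample `ip link show` output (not captured from a real host).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""


def live_check(sysfs_root: str = "/sys/class/net") -> list[str]:
    """Walk sysfs on a live Linux host and return names of promiscuous interfaces."""
    hits = []
    if not os.path.isdir(sysfs_root):
        return hits  # not Linux, or sysfs unavailable
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as f:
                if promisc_from_flags(f.read()):
                    hits.append(iface)
        except OSError:
            continue
    return hits


if __name__ == "__main__":
    print("sample:", promisc_interfaces_from_ip_link(SAMPLE_IP_LINK))
    print("live:", live_check())
```

Because the sniffer's operator already holds superuser privileges on the host, this local check can be subverted; it is a first-pass indicator to pair with off-host monitoring, not proof of a clean machine.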