Goal is generally to obtain information
Account usernames, passwords
Source code, business critical information
Usually a program placing an Ethernet adapter into promiscuous mode and saving information for retrieval later
Hosts running the sniffer program are compromised using host attack methods
- One of the most common network-based attacks to be left behind after a host compromise is a network “sniffer”. This attack requires the person placing the sniffer to have superuser privileges, and is usually placed after a host compromise.
- As mentioned earlier, the goal is to either gain more access into other accounts for other attacking, or to collect information to be used against the organization (espionage, blackmail, etc.)
- Sniffers can be in the form of trojan programs which record the first few keystrokes of a session (a hacked ‘telnet’ or ‘ftp’ executable), or programs which sit in the background, listening to traffic on an Ethernet port, and recording information to ‘interesting’ services running on the LAN.
- In a shared media network environment, a promiscuous mode sniffer can see traffic from other machines on the same segment.