Wireshark for Ethical Hackers - 5

Networking of Sniffing Crash Theory Practice - Part 1

OSI Model

Secure vs. Insecure protocols

Insecure protocols: HTTP, FTP, Telnet, SNMP v1/2 etc.

Secure protocols: HTTPS (HTTP + SSL/TLS), SFTP, SSH, SNMP v3, IPSEC

Hubs, Switches, Routers

Hub	Switch	Router
L1 device	L2 device	L3 device
Central connection for your network equipment	Forwards packets from one network to another
Just a multiport repeater	Uses the mac-address table	Uses the routing table
Shares its bandwidth with each port	Hosts always have access to the maximum amount of bandwidth

Collision & Broadcast domains

Collision domain

• The Collision domain is a set of LAN devices whose frames can collide with one another
• The Collision occurs if more than one device tries to send anything within a "Shared media" simultaneously
• Collision domains are separated by switches
• Every interface on a switch creates a separate collision domain
• Everything can be sniffed in the Collision domain (if your network card can operate in the promiscuous mode)

Broadcast domain

• The Broadcast domain consists of all devices that will receive a Layer 2 broadcast
• Broadcast domains are separated by routers

VLANs

• Used to separate Broadcast domains
• 802.1Q tags help to tell one VLAN from another
• untagged VLAN on a trunk port = "native VLAN"

Important

• Everything can be sniffed within a Collision domain by an attacker if its network card can operate in the promiscuous mode
• The traffic from some hosts within a Broadcast domain can be sniffed by an attacker if he performs different types of MITM-attacks within its Broadcast domain, but the attacker cannot sniff at the Broadcast domains which he does not have a direct access to.
• Switches (and Routers) separate Collision domains
• VLANs and Routers separate Broadcast domains