Sandworm Team has used intercepter-NG to sniff passwords in network traffic. Responder captures hashes and credentials that are sent to the system after the name services have been poisoned. Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB. PoshC2 contains a module for taking packet captures on compromised hosts. Penquin can sniff network traffic to look for packets matching specific conditions. NBTscan can dump and print whole packet content. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols. Impacket can be used to sniff network traffic via an interface or raw socket. įoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor. Įmpire can be used to conduct packet captures on target hosts. Įmotet has been observed to hook network APIs to monitor network traffic. ĭarkVishnya used network sniffing to obtain login data. ĪPT33 has used SniffPass to collect credentials by sniffing network traffic. APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials. ĪPT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials. ĭuring the 2015 Ukraine Electric Power Attack, Sandworm Team used BlackEnergy’s network sniffer module to discover user credentials being sent over the network between the local LAN and the power grid’s industrial control systems. On network devices, adversaries may perform network captures using Network Device CLI commands such as monitor capture. The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic. Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to. In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. ![]() An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.ĭata captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |