How are Intruders Using Sniffers?

Posted by Sharan R On 1:54 AM

               When used by malicious individuals, sniffers can represent a significant threat to the security of your network. Network intruders often use network sniffing to capture valuable, confidential information. The terms sniffing and eavesdropping have often been associated with this practice. However, sniffing is now becoming a non-negative term and most people use the terms sniffing and network analysis interchangeably.
          Using a sniffer in an illegitimate way is considered a passive attack. It does not directly interface or connect to any other systems on the network. However, the computer that the sniffer is installed on could have been compromised using an active attack. The passive nature of sniffers is what makes detecting them so difficult. 

We will discuss the methods used to detect sniffers later in this chapter.
The following list describes a few reasons why intruders are using sniffers on the network:
  • Capturing clear-text usernames and passwords
  • Compromising proprietary information
  • Capturing and replaying Voice over IP telephone conversations
  • Mapping a network
  • Passive OS fingerprinting
Obviously, these are illegal uses of a sniffer, unless you are a penetration tester whose job it is to find these types of weaknesses and report them to an organization.

For sniffing to occur, an intruder must first gain access to the communication cable of the systems that are of interest. This means being on the same shared network segment, or tapping into the cable somewhere between the path of communications. If the intruder is not physically present at the target system or communications access point, there are still ways to sniff network traffic. These include:
  • Breaking into a target computer and installing remotely controlled sniffing software.
  • Breaking into a communications access point, such as an Internet Service Provider (ISP) and installing sniffing software.
  • Locating/finding a system at the ISP that already has sniffing software installed.
  • Using social engineering to gain physical access at an ISP to install a packet sniffer.
  • Having an insider accomplice at the target computer organization or the ISP install the sniffer.
  • Redirecting communications to take a path that includes the intruder’s computer.
Sniffing programs are included with most rootkits that are typically installed on compromised systems. Rootkits are used to cover the tracks of the intruder by replacing commands and utilities and clearing log entries. They also install other programs such as sniffers, key loggers, and backdoor access software. Windows sniffing can be accomplished as part of some RAT (Remote Admin Trojan) such as SubSeven or Back Orifice. Often intruders will use sniffing programs that are configured to detect specific things, such as passwords, and then electronically send them to the intruder (or store them for later retrieval by the intruder). Vulnerable protocols for this type of activity include telnet, FTP, POP3, IMAP, SMTP, HTTP, rlogin, and SNMP.
One example of a rootkit is T0rnKit, which works on Solaris and Linux. The sniffer that is included with this rootkit is called t0rns and is installed in the hidden directory /usr/srec/.puta. Another example of a rootkit is Lrk5 (Linux Rootkit 5), which installs with the linsniff sniffer.
Intruders commonly use sniffer programs to control back doors. One method is to install a sniffer on a target system that listens for specific information. Then, backdoor control information can be sent to a neighboring system. The sniffer picks this up, and acts appropriately on the target computer. This type of backdoor control is often hard for investigators to detect, since it looks like the innocent neighbor system is the compromised target. cd00r is an example of a backdoor sniffer that operates in non-promiscuous mode, making it even harder to detect. Using a product like Nmap to send a series of Transmission Control Protocol (TCP) SYN packets to several predefined ports will trigger the backdoor to open up on a pre-configured port. More information about Cdoor can be found at

A rootkit is a collection of trojan programs that are used to replace the real programs on a compromised system in order to avoid detection. Some common commands that get replaced are ps, ifconfig, and ls. Rootkits also install additional software such as sniffers.

Nmap is a network scanning tool used for network discovery and auditing. It can send raw IP packets to destination ports on target systems.


  1. Blogger Said,

    There is shocking news in the sports betting world.

    It's been said that any bettor needs to see this,

    Watch this or quit placing bets on sports...

    Sports Cash System - Robotic Sports Betting Software.

    Posted on July 18, 2017 at 1:58 PM

  2. Stacey Jones Said,

    If you need to hire a real hacker to help spy on your partner's cell phone remotely, change your grades or boost your credit score. Contact this helpline 347.857.7580 or the email address

    Posted on August 15, 2017 at 4:09 PM