How to Detect Someone Sniffing Your Network in a Simple Way


Type : Tutorial

Level : Easy

Last week I posted an article about How to Hack Windows via a vulnerability in Wireshark, and someone left a comment asking how to detect whether someone is using Wireshark on his network.

Actually, there is only a little you can do when someone is using Wireshark on a network, because Wireshark only collects packet data passively; that is, it just captures the data that comes across the network.

Wireshark works perfectly on networks that use Wi-Fi or a hub, because the packets that are sent and received are also delivered to the other computers inside the network. If you still can't see what I mean, see the two cases below.

Hub :

When you're using a hub, the data sent inside and outside the network passes through the hub. The main problem is that the hub forwards every packet to the whole network, and each computer checks whether the packet is addressed to it. The computer that owns the packet will ACCEPT it, and the others will DROP it.

With this method, every computer in your network receives the packet, but they drop it because it was not addressed to them. On this kind of network, Wireshark acts as a data collector and grabs all the data, even data that was not addressed to the machine it runs on.

Wireless (Wi-Fi) :

The same thing happens in Wi-Fi networks. Wi-Fi behaves like a hub, because when you send a packet inside a wireless network, the access point broadcasts your packet to the whole network, even to your own PC.

This doesn't mean that every Wi-Fi network can be sniffed easily, because it also depends on how the administrator set up and configured the network.

In this type of network, Wireshark also acts as a data collector across the network (especially on networks that don't use data encryption).

The Little Way :

When most systems attempt to sniff the network, their network cards run in promiscuous mode. What does promiscuous mode mean? According to Wikipedia :

"Promiscuous mode is a configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just packets addressed to it — a feature normally used for packet sniffing."

So if we know that promiscuous mode is used for sniffing, and you're trying to control your local network, you'll want to know which systems are sniffing on it, so let's find out who's running in promiscuous mode. There are a ton of tools out there that detect promiscuous mode, but here we will use Nmap.

nmap --script=sniffer-detect 192.168.8.0/24

We can see that a system has been detected running in promiscuous mode, and the result is "11111111". Different operating systems report different combinations of 1's: Linux reports "11111111", while Windows 2k, XP, Vista, and Windows 7 report "111___1_". By default, the script only reports NICs that are likely in promiscuous mode, so if you don't get any results, that's because the scan returned false.
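
As an added example (not part of the original tutorial and not Nmap's own code), the script below parses saved Nmap output and lists the hosts that sniffer-detect flagged, with the OS hint taken from the test patterns quoted above. The sample output, its addresses and the flagged_hosts helper are constructed for illustration.

```python
import re

# Constructed sample of `nmap --script=sniffer-detect` normal output (not a real scan).
SAMPLE = """\
Nmap scan report for 192.168.8.1
Host is up (0.0010s latency).
MAC Address: 02:00:00:00:00:01 (Unknown)

Nmap scan report for 192.168.8.23
Host is up (0.0007s latency).
MAC Address: 02:00:00:00:00:23 (Unknown)

Host script results:
|_sniffer-detect: Likely in promiscuous mode (tests: "11111111")

Nmap scan report for 192.168.8.40
Host is up (0.0012s latency).
MAC Address: 02:00:00:00:00:40 (Unknown)

Host script results:
|_sniffer-detect: Likely in promiscuous mode (tests: "111___1_")
"""

# Test patterns and OS hints exactly as given in the article above.
OS_HINT = {"11111111": "Linux", "111___1_": "Windows 2k/XP/Vista/7"}

HOST = re.compile(r"^Nmap scan report for (?:\S+ \()?([\d.]+)\)?$")
MAC = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")
HIT = re.compile(r'sniffer-detect:\s*(.+?) \(tests: "([1_]{8})"\)')

def flagged_hosts(nmap_output):
    """Return one dict per host for which sniffer-detect printed a result."""
    results, ip, mac = [], None, None
    for line in nmap_output.splitlines():
        if m := HOST.match(line):
            ip, mac = m.group(1), None       # a new host block starts here
        elif m := MAC.match(line):
            mac = m.group(1)
        elif (m := HIT.search(line)) and ip:
            verdict, tests = m.groups()
            results.append({"ip": ip, "mac": mac, "verdict": verdict, "tests": tests,
                            "os_hint": OS_HINT.get(tests, "unknown")})
    return results

if __name__ == "__main__":
    for h in flagged_hosts(SAMPLE):
        print(f'{h["ip"]:15} {h["mac"]}  {h["tests"]}  {h["os_hint"]}  ({h["verdict"]})')
```

To use it on a real scan, save the output with Nmap's -oN option and pass the file's contents to flagged_hosts(). Hosts that are up but return no script result, like 192.168.8.1 in the sample, are simply absent from the list.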

Countermeasure :

I think detecting a sniffer is not a good way to control your network: you only catch the suspect devices after they have been sniffing your network, a.k.a. it is too late.

It may be better to take preventive action for your network. Below are the ways to prevent sniffing that I can think of (you can suggest others for me to add to this article) :

1. Host-to-host encryption (IPSEC)

2. Use encrypted protocols (SSL, FTPS, SSH)

3. Use a switch for your network

Hope it's useful 🙂


Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com


  • Wow, finally… I never knew that nmap can do something like this. Very powerful tool.
    Hmm… Can this technique bypass a firewall?

  • Richie

    Hey there,
    Great article, but should everyone use 192.168.8.0/24? What is that?

    Thank you a lot

    • v4L

      #Richie
      It’s a network address. The value depends on your IP address.
      If your IP was 192.168.1.1 (and using class C), then you can use 192.168.1.0/24

  • ImpactResistantCranium

    Hi,
    I have Cisco Switches on my network, will these prevent packet sniffers by default?

    Or, do I have to configure them specifically to do so?

    Thanks

  • Kalai

    Awesome man

  • humardosni

    Now the question is how to hide this detection. By changing our MAC address can we hide from someone who can detect it?

    • v4L

      #humardosni
      Yes, you can change your MAC address, but remember that it is only hardening yourself against being detected; it doesn’t mean truly invisible.

  • phanTrung

    Which tool did you use to sniff that nmap can detect??? Please tell me as soon as possible. I need it to make my project. Thanks a lot

    • phanTrung

      I use ettercap to sniff but nmap can't detect promiscuous mode…

    • v4L

      It’s for detecting sniffing, where the sniffer will usually use promiscuous mode, and not a man-in-the-middle attack, because the ettercap tool you use is for man-in-the-middle attacks.

  • Jacques Tranchet

    Hello,
    I have found a computer in my private network that doesn’t belong to me.
    How can I forbid the computer from accessing my network?
    Thanks