Type : Tutorial
Level : Easy
Last week I'm posting an article about How to Hack Windows via vulnerability in Wireshark, and someone drop a comment and asking about how to detect if someone using wireshark in his network?.
Actually there's a little way you can do when someone using Wireshark in a network, because wireshark only collecting packet data in a passive mode or let's say it's just collecting and grabbing the data that came across the network.
This Wireshark will works perfectly on network that using WI-FI and HUB because the packet that sent and received also sent to another computer inside the network. If you still can't get what I mean, please see the illustrations below.
When you're using HUB, the data that sent inside and outside the network will came through HUB, but the main problem is HUB will forward all packet into whole network and check is someone own the packet or not. If there's a computer own the packet, then it will ACCEPT it and the other will DROP the packet.
By using this method, all computer in your network absolutely will receive the packet but they drop it because the packet was not addressed to them. In this network Wireshark will act as data collector and grab all the data even the data was not addressed to them.
This also happen the same in Wi-Fi networks. Wi-fi have the same behavior with HUB, because when you send a packet inside a wireless network, the access point will broadcast your packet to whole network even to your own PC.
But with this kind of network doesn't mean that all wi-fi network can sniff easily, because it was also depend on how the administrator set up and configuring their network.
In this type of network, Wireshark will also act as data collector across the network(esp. on network that didn't have data encryption).
When most system attempt to sniff the network their network cards run in promiscious mode. What does promiscious mode mean? according to Wikipedia :
"Promiscuous mode is a configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just packets addressed to it — a feature normally used for packet sniffing."
So if know that promiscuous mode is used for sniffing and if you're attempting to control your local network, you're going to want to know which systems are sniffing on the network so lets find out who's running in promiscuous mode. There are a ton of tools out there to just detect promiscuous mode but now we will use Nmap.
nmap --script=sniffer-detect 192.168.8.0/24
We can see that the system has been detected to be running in promiscuous mode and the result is "11111111." Different operating systems report different combinations of 1's. Linux reports "11111111", Windows 2k, XP, Vista, and Windows 7 reports "111___1_". By default, the script will only report NICs Likely in promiscuous mode so if you don't see get any results, that's because the scan returned false.
I think detecting a sniffer was not a good way to control your network, you only caught the suspecting devices after they doing sniffing your network a.k.a it was too late.
And maybe it was better if you do preventive action for your network. Below was the way to prevent as I think(you can add other suggestion for me to put in this article) :
1. Host to host encryption (IPSEC)
2. Use encrypted protocols (SSL,FTPS,SSH)
3. Use switch for your network
Hope it's useful