Explain packet sniffing and packet spoofing. Explain the session hijacking attack.
1 Answer
  • Packet sniffing is the act of capturing packets of data flowing across a computer network. Packet sniffing is widely used by hackers and crackers to gather information illegally about networks they intend to break into.
  • The software or device used to do this is called a packet sniffer. A packet sniffer is a utility that sniffs without modifying the network's packets in any way.
  • Packet sniffing is difficult to detect, but it can be done. But the difficulty of the solution means that in practice, it is rarely done.

Packet Sniffing Attack:

Figure 4

  • Packet sniffers (figure 4) intercept network traffic that they can see via the wired or wireless network interface that the packet sniffing software has access to on its host computer.
  • On a wired network, a packet sniffer can see the traffic of an entire network or only a certain segment of it, depending on how the network switches are configured. On wireless networks, packet sniffers can usually only capture one channel at a time unless the host computer has multiple wireless interfaces that allow for multichannel capture.
  • Once the raw packet data is captured, the packet sniffing software must analyze it and present it in human-readable form so that the person using the packet sniffing software can make sense of it.
  • The attacker analyzing the data can view details of the conversation happening between two or more nodes on the network.

  • Hackers can use sniffers to eavesdrop on unencrypted data in the packets to see what information is being exchanged between two parties. They can also capture information such as passwords and authentication tokens.

Packet Spoofing:

  • Packet spoofing or IP spoofing is the creation of Internet Protocol (IP) packets having a source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system.

  • A spoofing attack is when a malicious party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware, or bypass access controls.
  • The attacker creates an IP packet and sends it to the server; this is known as a SYN request. The difference between this IP packet and a normal packet is that the attacker sets the source address in the newly created IP packet to another computer's IP address. The server responds with a SYN ACK response, which travels to the forged IP address. The attacker somehow gets this SYN ACK response sent by the server and acknowledges it so as to complete a connection with the server.
  • Once this is done, the attacker can try various commands on the server computer.
  • The most common methods include IP address spoofing attacks, ARP spoofing attacks, and DNS server spoofing attacks.

Session Hijacking Attack:

  • Session hijacking, also known as TCP session hijacking, is a method of taking over a secure/unsecure web user session by secretly obtaining the session ID and masquerading as an authorized user.
  • Once the user’s session ID has been accessed (figure 5(a)), the attacker can masquerade as that user and do anything the user is authorized to do on the network (figure 5(b)).

Figure 5

  • The session ID is stored within a cookie or URL. HTTP cookies are used for authenticating, session tracking, state maintenance and maintaining user information. Session hijacking takes advantage of this practice by intruding in real time during a session.
  • The intrusion may or may not be detectable. If a website does not respond in a normal way to user input or stops responding then session hijacking may be the reason.
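
The answer notes that a hijacked session may or may not be detectable. As an added example (not part of the original answer), the sketch below shows one server-side check: flag any session ID that is presented by a second client. The log format, field order and sample records are constructed for illustration, and identifying a client by IP address plus User-Agent is an assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed sample web-access records (not from a real system):
# timestamp, client IP, session ID taken from the cookie, User-Agent.
SAMPLE_LOG = """\
2024-05-01T10:00:00,192.0.2.10,sess-a1,Firefox/125
2024-05-01T10:00:05,192.0.2.10,sess-a1,Firefox/125
2024-05-01T10:00:07,198.51.100.7,sess-b2,Chrome/124
2024-05-01T10:01:30,203.0.113.99,sess-a1,curl/8.5
2024-05-01T10:01:45,192.0.2.10,sess-a1,Firefox/125
2024-05-01T10:02:00,198.51.100.7,sess-b2,Chrome/124
"""


def find_shared_sessions(log_text):
    """Return alerts for session IDs presented by more than one client.

    A client is identified by (IP, User-Agent). The first client seen with a
    session ID is treated as its owner; a later request carrying the same ID
    from a different client is reported once per new client.
    """
    owner = {}                    # session ID -> (ip, user_agent) first seen
    reported = defaultdict(set)   # session ID -> other clients already flagged
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:         # skip blank or malformed lines
            continue
        ts, ip, sid, agent = row
        client = (ip, agent)
        if sid not in owner:
            owner[sid] = client
        elif client != owner[sid] and client not in reported[sid]:
            reported[sid].add(client)
            alerts.append({"session": sid, "time": ts,
                           "owner": owner[sid], "other": client})
    return alerts


if __name__ == "__main__":
    for a in find_shared_sessions(SAMPLE_LOG):
        print(f"{a['time']} session {a['session']} owned by {a['owner']} "
              f"also used by {a['other']}")
```

A user whose IP address changes mid-session (for example on a mobile network) triggers the same alert, so a hit is a reason to re-authenticate the session rather than proof of hijacking.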