What is a Wireless Sniffer?
A wireless sniffer is a type of packet analyzer. A packet analyzer (also known as a packet sniffer) is a piece of software or hardware designed to intercept data as it is transmitted over a network and decode the data into a format that is readable for humans. Wireless sniffers are packet analyzers specifically created for capturing data on wireless networks. Wireless sniffers are also commonly referred to as wireless packet sniffers or wireless network sniffers.
Wireless sniffer tools have many uses in commercial IT environments. Their ability to monitor, intercept, and decode data as it is in transit makes them useful for:
- Diagnosing and investigating network problems
- Monitoring network usage, activity, and security
- Discovering network misuse, vulnerabilities, malware, and attack attempts
- Filtering network traffic
- Identifying configuration issues and network bottlenecks
Wireless Packet Sniffer Attacks
While wireless packet sniffers are valuable tools for maintaining wireless networks, their capabilities make them popular tools for malicious actors as well. Hackers can use wireless sniffer software to steal data, spy on network activity, and gather information to use in attacking the network. Logins (usernames and passwords) are very common targets for attackers using wireless sniffer tools. Wireless network sniffing attacks usually target unsecured networks, such as free WiFi in public places (coffee shops, hotels, airports, etc.).
Wireless sniffer tools are also commonly used in “spoofing” attacks. Spoofing is a type of attack where a malicious party uses information obtained by a wireless sniffer to impersonate another machine on the network. Spoofing attacks often target business networks and can be used to steal sensitive information or run man-in-the-middle attacks against network hosts.
There are two modes of wireless sniffing: monitor mode and promiscuous mode. In monitor mode, a wireless sniffer is able to collect and read incoming data without sending any data of its own. A wireless sniffing attack in monitor mode can be very difficult to detect because of this. In promiscuous mode, a sniffer is able to read all data flowing into and out of a wireless access point. Since a wireless sniffer in promiscuous mode also sniffs outgoing data, the sniffer itself actually transmits data across the network. This makes wireless sniffing attacks in promiscuous mode easier to detect. It is more common for attackers to use promiscuous mode in sniffing attacks because promiscuous mode allows attackers to intercept the full range of data flowing through an access point.
Preventing Wireless Sniffer Attacks
There are several measures that organizations should take to mitigate wireless packet sniffer attacks. First off, organizations (and individual users) should refrain from using insecure protocols. Commonly used insecure protocols include basic HTTP authentication, File Transfer Protocol (FTP), and Telnet. Secure protocols such as HTTPS, Secure File Transfer Protocol (SFTP), and Secure Shell (SSH) should be used in place of their insecure alternatives when possible. Secure protocols ensure that any information transmitted will automatically be encrypted. If an insecure protocol must be used, organizations themselves need to encrypt any data that will be sent using that protocol. Virtual Private Networks (VPNs) can be used to encrypt internet traffic and are a popular tool for organizations today.
In addition to encrypting information and using secure protocols, companies can prevent attacks by using wireless sniffer software to sniff their own networks. This allows security teams to view their networks from an attacker’s perspective and discover sniffing vulnerabilities and attacks in progress. While this method will not be effective in discovering wireless network sniffers in monitor mode, it is possible to detect sniffers in promiscuous mode (the preferred mode for attackers) by sniffing your own network.
Tools for Detecting Packet Sniffers
Wireless sniffer software programs frequently include features such as intrusion and hidden network detection to help organizations discover malicious sniffers on their networks. In addition to using features that are built into wireless sniffer tools, there are many aftermarket tools available that are designed specifically for detecting sniffing attacks. These tools typically perform functions such as monitoring network traffic or scanning network cards in promiscuous mode to detect wireless network sniffers. There are dozens of options (both paid and open source) for sniffer detection tools, so organizational security teams will need to do some research before selecting the right tool for their needs.
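As an added illustration of the "scanning network cards in promiscuous mode" check described above (example code written for this page, not taken from any particular detection tool), the following script audits the interfaces of a Linux host that the security team manages. It assumes the standard Linux sysfs layout under /sys/class/net, and it goes one step beyond the text by also flagging interfaces whose link type indicates 802.11 monitor mode; the function names and the sample interface tree are constructed for the example.

```python
import os
import tempfile

IFF_PROMISC = 0x100              # promiscuous flag bit (linux/if.h)
MONITOR_TYPES = {801, 802, 803}  # ARPHRD_IEEE80211, _PRISM, _RADIOTAP (linux/if_arp.h)


def _read(path):
    """Return the stripped contents of a sysfs attribute, or None if unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def audit_interfaces(sysfs_net="/sys/class/net"):
    """Return {interface: [findings]} for interfaces set up to capture traffic."""
    findings = {}
    for iface in sorted(os.listdir(sysfs_net)):
        base = os.path.join(sysfs_net, iface)
        flags = _read(os.path.join(base, "flags"))   # hex string, e.g. "0x1103"
        if_type = _read(os.path.join(base, "type"))  # decimal ARPHRD_* value
        hits = []
        if flags is not None and int(flags, 16) & IFF_PROMISC:
            hits.append("promiscuous")
        if if_type is not None and int(if_type) in MONITOR_TYPES:
            hits.append("monitor")
        if hits:
            findings[iface] = hits
    return findings


def build_sample_tree():
    """Create a constructed sysfs-like tree (sample data, not from a real host)."""
    root = tempfile.mkdtemp(prefix="sysfs_net_")
    sample = {"eth0": ("0x1003", "1"),       # normal wired interface
              "eth1": ("0x1103", "1"),       # IFF_PROMISC bit set
              "wlan0mon": ("0x1003", "803")} # radiotap link type: monitor mode
    for name, (flags, if_type) in sample.items():
        os.makedirs(os.path.join(root, name))
        for attr, value in (("flags", flags), ("type", if_type)):
            with open(os.path.join(root, name, attr), "w") as fh:
                fh.write(value + "\n")
    return root


if __name__ == "__main__":
    # On a Linux host, audit the real interfaces; otherwise use the sample tree.
    root = "/sys/class/net" if os.path.isdir("/sys/class/net") else build_sample_tree()
    for iface, hits in audit_interfaces(root).items():
        print(f"{iface}: {', '.join(hits)}")
```

A finding is not proof of an attack: bridges, virtual machine hosts, and authorized capture sessions also put interfaces into promiscuous mode, so results should be compared against the host's expected role.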
Written by: Neil DuPaul