Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Network Sniffing

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. Adversaries may likely also utilize network sniffing during Adversary-in-the-Middle (AiTM) to passively gain additional knowledge about the environment. In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) On network devices, adversaries may perform network captures using Network Device CLI commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)

ID: T1040
Tactic(s): Credential Access, Discovery
Platforms: IaaS, Linux, macOS, Network, Windows
Data Sources: Command: Command Execution, Process: Process Creation
Version: 1.6
Created: 31 May 2017
Last Modified: 15 Oct 2024

Procedure Examples

Name Description
Sandworm Team

Sandworm Team has used intercepter-NG to sniff passwords in network traffic.(Citation: ESET Telebots Dec 2016)

Kimsuky

Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)

Impacket

Impacket can be used to sniff network traffic via an interface or raw socket.(Citation: Impacket Tools)

NBTscan

NBTscan can dump and print whole packet content.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)

MESSAGETAP

MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. (Citation: FireEye MESSAGETAP October 2019)

Stolen Pencil

Stolen Pencil has a tool to sniff the network for passwords. (Citation: Netscout Stolen Pencil Dec 2018)

During the 2015 Ukraine Electric Power Attack, Sandworm Team used BlackEnergy’s network sniffer module to discover user credentials being sent over the network between the local LAN and the power grid’s industrial control systems. (Citation: Charles McLellan March 2016)

Penquin

Penquin can sniff network traffic to look for packets matching specific conditions.(Citation: Leonardo Turla Penquin May 2020)(Citation: Kaspersky Turla Penquin December 2014)

FoggyWeb

FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.(Citation: MSTIC FoggyWeb September 2021)

Empire

Empire can be used to conduct packet captures on target hosts.(Citation: Github PowerShell Empire)

Responder

Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.(Citation: GitHub Responder)

Emotet

Emotet has been observed to hook network APIs to monitor network traffic. (Citation: Trend Micro Banking Malware Jan 2019)

APT33

APT33 has used SniffPass to collect credentials by sniffing network traffic.(Citation: Symantec Elfin Mar 2019)

DarkVishnya

DarkVishnya used network sniffing to obtain login data. (Citation: Securelist DarkVishnya Dec 2018)

APT28

APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.(Citation: FireEye APT28)(Citation: FireEye APT28 Hospitality Aug 2017) APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.(Citation: US District Court Indictment GRU Oct 2018)

PoshC2

PoshC2 contains a module for taking packet captures on compromised hosts.(Citation: GitHub PoshC2)

VersaMem

VersaMem hooked the Catalina application filter chain `doFilter` on compromised systems to monitor all inbound requests to the local Tomcat web server, inspecting them for parameters like passwords and follow-on Java modules.(Citation: Lumen Versa 2024)

Regin

Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB.(Citation: Kaspersky Regin)

Mitigations

Mitigation Description
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

Encrypt Sensitive Information

Protect sensitive information with strong encryption.

Network Sniffing Mitigation

Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration. Identify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Network Segmentation

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.

Detection

Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a Adversary-in-the-Middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes. In cloud-based environments, monitor for the creation of new traffic mirrors or modification of existing traffic mirrors. For network infrastructure devices, collect AAA logging to monitor for the capture of network traffic.

References

  1. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  2. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  3. Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022.
  4. Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.
  5. Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022.
  6. Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.
  7. Cisco. (2022, August 17). Configure and Capture Embedded Packet on Software. Retrieved July 13, 2022.
  8. Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022.
  9. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  10. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  11. SecureAuth. (n.d.). Retrieved January 15, 2019.
  12. SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021.
  13. Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021.
  14. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  15. Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. Retrieved September 27, 2023.
  16. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  17. Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021.
  18. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  19. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  20. Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.
  21. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
  22. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  23. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
  24. Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
  25. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  26. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
  27. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  28. Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitaiton. Retrieved August 27, 2024.
  29. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.

Связанные риски

Каталоги

БДУ ФСТЭК:
УБИ.017 Угроза доступа/перехвата/изменения HTTP cookies
Угроза заключается в возможности осуществления нарушителем несанкционированного доступа к защищаемой информации (учётным записям...
УБИ.069 Угроза неправомерных действий в каналах связи
Угроза заключается в возможности внесения нарушителем изменений в работу сетевых протоколов путём добавления или удаления данных...
УБИ.116 Угроза перехвата данных, передаваемых по вычислительной сети
Угроза заключается в возможности осуществления нарушителем несанкционированного доступа к сетевому трафику дискредитируемой вычи...
УБИ.132 Угроза получения предварительной информации об объекте защиты
Угроза заключается в возможности раскрытия нарушителем защищаемых сведений о состоянии защищённости дискредитируемой системы, её...
УБИ.175 Угроза "фишинга"
Угроза заключается в возможности неправомерного ознакомления нарушителем с защищаемой информацией (в т.ч. идентификации/аутентиф...
УБИ.181 Угроза перехвата одноразовых паролей в режиме реального времени
Угроза заключается в возможности получения нарушителем управления критическими операциями пользователя путём перехвата одноразов...

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.