CAPEC-158: Sniffing Network Traffic

Description
In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information.
Extended Description

For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that provided data should be handled using a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input while Input Data Manipulation seeks to control how the input is processed.

Severity :

Medium

Possibility :

Type :

Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-157: Sniffing Attacks Sniffing Attacks CAPEC-697: DHCP Spoofing DHCP Spoofing
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The target must be communicating on a network protocol visible by a network sniffing application.
  • The adversary must obtain a logical position on the network from intercepting target network traffic is possible. Depending on the network topology, traffic sniffing may be simple or challenging. If both the target sender and target recipient are members of a single subnet, the adversary must also be on that subnet in order to see their traffic communication.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Low Adversaries can obtain and set up open-source network sniffing tools easily.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Network Sniffing ATTACK | Multi-Factor Authentication Interception
Resources required

A tool with the capability of presenting network communication traffic (e.g., Wireshark, tcpdump, Cain and Abel, etc.).

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-311: Missing Encryption of Sensitive Data

Visit http://capec.mitre.org/ for more details.