1. Home
  2. Techniques
  3. Enterprise
  4. 网络嗅探

网络嗅探

ID Name
T1040.001 加密协议隧道嗅探
T1040.002 合法流量镜像伪装
T1040.003 微流量切片回传
T1040.004 协议隐蔽隧道

网络嗅探是攻击者通过监控网络通信流量获取敏感信息的侦察技术,涉及捕获未加密的认证凭证、业务数据及网络拓扑信息。传统防御手段主要依赖流量加密、网络分段、ARP监控及云镜像服务审计,通过检测异常端口镜像配置、识别未加密协议使用情况等手段进行防护。监测重点包括网络设备配置变更、异常流量模式及中间人攻击特征。

为规避传统检测机制,攻击者发展出新型隐蔽嗅探技术,通过加密隧道构建、云服务滥用、流量原子化分片及协议语义劫持等手段,将嗅探行为深度融入合法网络操作,显著降低攻击行为的可观测性。这些技术突破传统协议层检测的防御边界,实现嗅探行为的"合法化"伪装。

当前网络嗅探匿迹技术的核心在于多维度的数据生命周期隐蔽处理。在采集阶段,通过云镜像服务伪装与权限滥用实现数据获取的合规化;在传输阶段,采用动态加密与协议隧道技术实现内容不可解析;在回传阶段,利用微流量切片与分布式通道降低传输特征浓度。四类技术的共性特征包括:1)深度利用网络基础设施的合法功能(如云镜像API);2)严格遵守协议规范实现语义级隐蔽;3)引入动态加密与编码机制破坏数据关联性;4)构建多维传输矩阵稀释时空特征。这些技术使得攻击者能在不触发异常告警的前提下,持续获取高价值网络情报。

隐蔽嗅探技术的发展导致传统基于明文检测、规则匹配的防御体系面临失效风险。防御方需构建加密流量分析、云配置持续监控、微异常行为检测等新型能力,结合协议语义完整性校验与跨层行为关联分析,实现对高级隐蔽嗅探的多维感知与精准阻断。

ID: T1040
Sub-techniques:  T1040.001, T1040.002, T1040.003, T1040.004
Tactics: 凭据获取, 环境测绘
Platforms: IaaS, Linux, Network, Windows, macOS
System Requirements: Network interface access and packet capture driver
Contributors: Austin Clark, @c2defense; Eliraz Levi, Hunters; Itamar Mizrahi, Cymptom; Oleg Kolesnikov, Securonix; Tiago Faria, 3CORESec
Version: 1.6
Created: 31 May 2017
Last Modified: 15 October 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过协议隧道技术将嗅探流量封装为DNS查询、HTTP流等合法协议交互,利用协议规范定义的合法字段承载恶意载荷。例如在QUIC协议中利用Connection ID字段传输加密数据片段,使嗅探流量在协议特征层面与正常业务流无法区分,实现攻击行为的深度伪装。

数据遮蔽

采用动态加密算法(如AES-GCM或ChaCha20-Poly1305)对捕获的原始流量进行实时加密,结合前向安全密钥交换机制,确保即使单次通信密钥泄露也不会影响历史数据安全性。加密后的嗅探数据在传输过程中呈现随机化特征,使基于内容特征的检测完全失效。

时空释痕

通过微流量切片技术将大规模数据拆分为符合网络背景流量特征的微片段,利用CDN节点、P2P网络等分布式通道进行长时间跨度的离散传输。单个数据片段的传输间隔、数据量等参数严格匹配目标网络的流量基线,使得攻击特征被稀释在长周期网络活动中,规避基于流量突增或固定模式的分析检测。

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack

During the 2015 Ukraine Electric Power Attack, Sandworm Team used BlackEnergy’s network sniffer module to discover user credentials being sent over the network between the local LAN and the power grid’s industrial control systems. [1]
G0007 APT28

APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.[2][3] APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.[4]
G0064 APT33

APT33 has used SniffPass to collect credentials by sniffing network traffic.[5]
G0105 DarkVishnya

DarkVishnya used network sniffing to obtain login data. [6]
S0367 Emotet

Emotet has been observed to hook network APIs to monitor network traffic. [7]
S0363 Empire

Empire can be used to conduct packet captures on target hosts.[8]
S0661 FoggyWeb

FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.[9]
S0357 Impacket

Impacket can be used to sniff network traffic via an interface or raw socket.[10]
G0094 Kimsuky

Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.[11][12]
S0443 MESSAGETAP

MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. [13]
S0590 NBTscan

NBTscan can dump and print whole packet content.[14][15]

S0587 Penquin

Penquin can sniff network traffic to look for packets matching specific conditions.[16][17]
S0378 PoshC2

PoshC2 contains a module for taking packet captures on compromised hosts.[18]
S0019 Regin

Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB.[19]
S0174 Responder

Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.[20]
G0034 Sandworm Team

Sandworm Team has used intercepter-NG to sniff passwords in network traffic.[21]

S1154 VersaMem

VersaMem hooked the Catalina application filter chain doFilter on compromised systems to monitor all inbound requests to the local Tomcat web server, inspecting them for parameters like passwords and follow-on Java modules.[22]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.
M1032 Multi-factor Authentication

Use multi-factor authentication wherever possible.
M1030 Network Segmentation

Deny direct access of broadcasts and multicast sniffing, and prevent attacks such as LLMNR/NBT-NS Poisoning and SMB Relay
M1018 User Account Management

In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors unless this is explicitly required.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network.

Analytic 1 - Unexpected command execution of network sniffing tools.

index=security (sourcetype="Powershell" EventCode=4104) | eval CommandLine=coalesce(Command_Line, CommandLine)| where ExecutingProcess IN ("tshark.exe", "windump.exe", "tcpdump.exe", "wprui.exe", "*wpr.exe")
DS0009 Process Process Creation

Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network

Note: The Analytic is for Windows systems and looks for new processes that have the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy.

Analytic 1 - Unexpected execution of network sniffing tools.

index=security sourcetype="WinEventLog:Security" EventCode=4688 OR index=security sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image IN ("tshark.exe", "windump.exe", "*tcpdump.exe", "wprui.exe", "wpr.exe") AND ParentImage!="C:\Program Files\Windows Event Reporting\Core\EventReporting.AgentService.exe"

References

  1. Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. Retrieved September 27, 2023.
  2. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  3. Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
  4. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
  5. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  6. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
  7. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
  8. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  9. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  10. SecureAuth. (n.d.). Retrieved January 15, 2019.
  11. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  1. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  2. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  3. Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021.
  4. SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021.
  5. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  6. Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021.
  7. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  8. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  9. Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.
  10. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  11. Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitaiton. Retrieved August 27, 2024.