I am not sure what it is called or even if it is possible but here is the scenario I am curious about:

I log in to a site that does not use SSL/TLS to do some work (unfortunately I must use this site and have already told the owners to fix it).

My question is simply can someone (and if so, how) sniff traffic to that site from a network that is not my own.

For instance, I log in from my work PC, which is presumably in a secure network (i.e. no one is physically hanging around in the parking lot doing a MitM attack), but can someone not on my work's network simply sniff traffic to the http site itself and intercept the POST request there, regardless of where I am?

To clarify, I am looking to know if it is just possible without using 'hacks' but instead something like tcpdump. So, for instance, I know that if an attacker has compromised the webserver or my work PC they can easily sniff my traffic, but at that point they are no longer outside of my network anyway.

Here is a picture I made.

[image not included in the page]

user68784

3 Answers

Any node at any point along the traffic can sniff the traffic, including all the ISPs along the way.

The question, then, is what threats you wish to mitigate? If you want to protect against "small-time" attackers, then any point within the ISP's network is safer and you only have to worry about the ingress and egress points (server, client, local network connections, etc. that you eliminated from the threat scope).

schroeder
  • So if I understand you correctly, an attacker must actually run the sniffer from a node itself? If that is true how does an attacker sniff other nodes (clients) at the same level? For instance, if I sniff at a coffee shop, I get everyone's traffic within the network and not just all traffic to me (node1) from the router (node2) and from me (node1) to the router (node2). – user68784 Mar 06 '15 at 20:14
  • That is a wifi issue. – munchkin Mar 06 '15 at 20:17
  • If an attacker is at a node (an ISP node in this instance), then they can also sniff all traffic going through that node, not just yours. – schroeder Mar 06 '15 at 20:26
  • But what if the attacker is **not** at the node, like with the wifi sniff or in the case of my actual question? I mean the attacker can only access the end website just like a user; does that mean they are 'at' that node? I just don't understand how that is possible, because I didn't think traffic that I send to the website would 'go through' the attacker's device. – user68784 Mar 06 '15 at 20:54
  • In this case, the attacker is not AT the end node; they, too, are communicating with the server at the end node. The attacker would have to have access to the local network at the server. – schroeder Mar 06 '15 at 20:57
  • Thanks, but what does `local network at the server` mean? Does that mean that that is the final node per se and they can see all traffic at that node? – user68784 Mar 06 '15 at 21:07
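As an added illustration (not part of any answer on this page), the following Python script shows what a passive observer at any hop on the path sees when a login form is submitted over plain HTTP, and models schroeder's point that a node off the path sees nothing at all. The request bytes, the hop names and the observer names are constructed for the example; none of them come from the question.

```python
# Added example (not from the original post): what an on-path observer can
# read from a plain-HTTP login, and why an off-path node reads nothing.
from urllib.parse import parse_qs

# Constructed sample: the raw TCP payload of a form login over plain HTTP.
# Every router, switch or ISP between client and server carries these exact bytes.
SAMPLE_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"username=alice&password=hunter2&go=1"
)

# Constructed path: the nodes the request crosses, in order (hypothetical names).
PATH = ["work-lan-gw", "work-isp-core", "transit-isp", "hosting-isp", "web-server"]


def parse_http_request(payload: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body.

    Raises ValueError when the capture does not contain a complete request,
    which is the common case for a reassembly that stopped mid-stream.
    """
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not seen")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(body) < length:
        raise ValueError("incomplete request: body truncated")
    return {"method": method, "path": path, "headers": headers, "body": body[:length]}


def observed_form_fields(payload: bytes) -> dict:
    """Return the form fields an on-path observer can read from a plain-HTTP POST."""
    req = parse_http_request(payload)
    ctype = req["headers"].get("content-type", "")
    if req["method"] != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def observer_sees(path_hops, observer, payload):
    """Model of the answer above: a node reads the request only if it is on the path.

    Returns None for an off-path observer (no bytes reach it), otherwise the
    fields it can read. With HTTPS the on-path node would still see the
    connection, but the form fields would be ciphertext.
    """
    if observer not in path_hops:
        return None
    return observed_form_fields(payload)


def redacted(fields: dict) -> dict:
    """Mask secret-looking fields before writing findings to a report or log."""
    return {k: ("*" * len(v) if "pass" in k.lower() else v) for k, v in fields.items()}


if __name__ == "__main__":
    for observer in ["coffee-shop-wifi", "transit-isp", "web-server"]:
        seen = observer_sees(PATH, observer, SAMPLE_POST)
        status = "off-path, sees nothing" if seen is None else f"on-path, reads {redacted(seen)}"
        print(f"{observer:18s} {status}")
```

The script deliberately redacts the password before printing; when the same parsing logic is used to audit a real capture, the finding is "credentials are readable here", not the credential itself.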
In the most over-the-top case, somebody could alter the BGP routing between networks so that your traffic flows through their network. This happened to Youtube where all their addresses were routed to Pakistan: https://www.ripe.net/internet-coordination/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study

Combined with a listening effort, it's entirely possible to be done without notice. Passive listening anywhere on the Internet that happens to be involved with moving your traffic is also possible.

Also consider the possibility of DNS hijacking.

Jeff Ferland
  • Could you explain that last sentence `Passive listening anywhere on the Internet that happens to be involved with moving your traffic is also possible.`? How does that work? – user68784 Mar 06 '15 at 20:51
  • Any router, switch, tapped cable, etc. between you and the host receiving your traffic is a potential listening point. – Jeff Ferland Mar 06 '15 at 21:04
  • so there is no way to just 'listen' to a particular website itself and see all the traffic coming to/from it? That is the website itself is or is not a potential listening point (assuming the attacker has no access to the webservers themselves). – user68784 Mar 06 '15 at 21:09
  • Right. Plugging www.google.com into WireShark isn't going to help you unless something is causing you to be in the path of traffic, either because you're in control of a point it flows across or you altered things to make your location a destination for traffic. – Jeff Ferland Mar 06 '15 at 21:14
As others have already said, TLS/HTTPS protects against attackers that are in the path between you and the website. Attackers outside that path cannot sniff the traffic unless they inject themselves into the path (logically speaking, not physically).

Injecting into the path can be done via attack vectors like:

  • BGP route hijacking (as previously mentioned)
  • DNS poisoning (as previously mentioned)
  • Compromised equipment at an ISP (router / firewall)
  • other unlisted or undiscovered attack vectors

It is important to understand that the attacker does not need to be physically at a specific location to utilize the above-mentioned attack vectors. Passive listening can be done remotely. I do this with my firewall frequently. I can use SSH to remotely start a packet sniffing session. Packets captured are saved on my remote machine. This can be filtered to only include packets from the website I want to steal information from.

Also, if the attacker is on the same Layer 2 network as the client PC or the webserver, then ARP poisoning attacks are also possible for passive packet captures.
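The ARP poisoning case in the last paragraph is the one a defender on the client's or server's Layer 2 segment can actually watch for, because the poisoning shows up as ARP replies that rewrite an IP-to-MAC mapping. The following Python detector is an added example, not code from this answer or from any tool it mentions: it walks a constructed sequence of ARP replies, flags any IP whose MAC changes, and raises the severity when a single MAC starts claiming the gateway plus another host. The gateway address, MACs and timestamps are all constructed.

```python
# Added example (not from the original answer): detecting the IP->MAC rewrites
# that ARP poisoning leaves behind on a Layer 2 segment.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ArpReply:
    """One ARP reply as seen by a monitor on the same broadcast domain."""
    ts: float
    sender_ip: str
    sender_mac: str


# Constructed sample, hypothetical addresses: the gateway is stable for a
# while, then a second MAC starts answering for it and for a client.
GATEWAY_IP = "10.0.0.1"
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1.0, "10.0.0.25", "aa:aa:aa:aa:aa:25"),
    ArpReply(2.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(3.0, "10.0.0.1", "de:ad:be:ef:00:99"),   # gateway now claimed by another MAC
    ArpReply(3.5, "10.0.0.25", "de:ad:be:ef:00:99"),  # same MAC also claims the client
]


def detect_arp_conflicts(replies, gateway_ip, known=None):
    """Return (severity, timestamp, message) alerts for suspicious ARP replies.

    Two signals are checked:
      * an IP's MAC changes from what was previously seen (HIGH for the
        gateway, MEDIUM for any other host);
      * one MAC claims the gateway and at least one other address, the
        two-sided mapping a poisoned segment ends up with.
    `known` seeds the table, e.g. from a static inventory, so the first
    reply for the gateway is compared against the expected MAC.
    """
    table = dict(known or {})          # sender_ip -> last MAC seen
    claims = defaultdict(set)          # MAC -> set of IPs it has answered for
    alerts = []
    for r in replies:
        prev = table.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            sev = "HIGH" if r.sender_ip == gateway_ip else "MEDIUM"
            alerts.append((sev, r.ts, f"{r.sender_ip} moved from {prev} to {r.sender_mac}"))
        table[r.sender_ip] = r.sender_mac
        claims[r.sender_mac].add(r.sender_ip)
        if gateway_ip in claims[r.sender_mac] and len(claims[r.sender_mac]) > 1:
            ips = ", ".join(sorted(claims[r.sender_mac]))
            alerts.append(("HIGH", r.ts, f"{r.sender_mac} claims {ips} including the gateway"))
    return alerts


if __name__ == "__main__":
    for sev, ts, msg in detect_arp_conflicts(SAMPLE_REPLIES, GATEWAY_IP):
        print(f"t={ts:4.1f} {sev:6s} {msg}")
```

Two caveats when running this against real ARP traffic: a router doing proxy ARP, or a host with a replaced NIC, will legitimately trip the mapping-change rule, so the seeded `known` table and an allow-list are needed to keep the alert volume usable; and the detector only covers the segment the monitor sits on, which is exactly the scope the answer gives for ARP poisoning.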

Paul