Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.
For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to. In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.ĭata captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network.
0 kommentar(er)
