CAPEC-157: Sniffing Attacks
In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. AiTM attacks are predominantly active and often alter the content of the communications themselves.
Last updated
Overview
CAPEC-157 (Sniffing Attacks) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Determine Communication Mechanism] The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.
- Look for application documentation that might describe a communication mechanism used by a target.
- Step 2Experiment
[Position In Between Targets] The adversary positions themselves somewhere in the middle of the two components. If the communication is encrypted, the adversary will need to act as a proxy and route traffic between the components, exploiting a flaw in the encryption mechanism. Otherwise, the adversary can just observe the communication at either end.
- Use Wireshark or some other packet capturing tool to capture traffic on a network.
- Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.
- Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.
- Step 3Exploit
[Listen to Communication] The adversary observes communication, but does not alter or block it. The adversary gains access to sensitive information and can potentially utilize this information in a malicious way.
What the attacker needs
Prerequisites
- The target data stream must be transmitted on a medium to which the adversary has access.
Resources required
- The adversary must be able to intercept the transmissions containing the data of interest. Depending on the medium of transmission and the path the data takes between the sender and recipient, the adversary may require special equipment and/or require that this equipment be placed in specific locations (e.g., a network sniffing tool)
Consequences
What a successful CAPEC-157 attack can achieve.
Read Data
Affects: Confidentiality
How to mitigate it
Defenses that reduce the risk of CAPEC-157.
- Encrypt sensitive information when transmitted on insecure mediums to prevent interception.
Frequently asked questions
Common questions about CAPEC-157.
- What is CAPEC-157?
- In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. AiTM attacks are predominantly active and often alter the content of the communications themselves.
- How does a Sniffing Attacks attack work?
- It typically unfolds over 3 phases. It begins with: [Determine Communication Mechanism] The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.
- How do you prevent CAPEC-157?
- Encrypt sensitive information when transmitted on insecure mediums to prevent interception.
- What weaknesses does CAPEC-157 target?
- CAPEC-157 exploits 1 CWE weakness, including CWE-311 (Missing Encryption of Sensitive Data).
- How severe is CAPEC-157?
- MITRE rates CAPEC-157 as Medium severity.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-157
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.