1

I had a security concern with an unknown device on the network.

If Wi-Fi is disabled and the network is strictly ethernet, assuming that no malware is deployed and it cannot be physically accessed by an attacker, can packets still be sniffed somehow?

This may be overkill, but I want to learn more about network security and ensure that we're safe.

Any insight is appreciated!

Yuriko
  • 1,528
  • 1
  • 11
  • 23
  • Why do you make the assumption of the network being physically secure, while at the same time mentioning a rogue device? Also, it may depend on the cable used for your network as emanations could be monitored. (Look at TEMPEST.) – Yuriko Oct 15 '22 at 15:51
  • It was connected via WIFI as it was no longer on the network after I disabled it. – Forward_Always Oct 17 '22 at 22:14

2 Answers

0

If WIFI is disabled and the network is strictly ethernet, assuming that no malware is deployed and a hacker never has physical access, can packets still be sniffed somehow?

This depends on the devices in the network, the installed software and the connections to other networks like the internet.

If there are security issues - like remote access with weak credentials or software which can be exploited while communicating with the outside world - then the attacker might get logical access to systems on the network. Only if no direct or indirect (via other networks) access from outside is possible would the attacker need to get physical access to execute code on vulnerable systems or to attach its own systems to the network.

Once on a system the attacker needs to sniff and exfiltrate the data. Doing a packet capture can be easily done by "Living off the Land", i.e. using legal and maybe already installed software - no malware needed. The same is true for sending the sniffed data to some external system.

Had a security concern with an unknown device on the network.

If the device is unknown to you then it might even mean that the attacker has successfully placed a new device in the network - which means physical access. This would be even worse than what I described.

Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465
  • Thanks for the informative reply. Is there network software suitable for someone who isn't a network expert (perhaps simple IDS / IPS s/w) that might detect this? When you say "Only if there is no direct or indirect (via other networks) access from outside possible", do you mean Internet connectivity specifically? Is there anything else you might suggest? Thanks again! – Forward_Always Oct 16 '22 at 16:54
  • @Forward_Always: "Is there network software suitable ..." - sniffing cannot be detected by looking at the network. See this or that question for what can be detected and what not. "do you mean Internet connectivity specifically" - I mean a direct or indirect connection from the attacker to your network. If the attacker is on the internet then it's about the internet, but there might also be different scenarios. – Steffen Ullrich Oct 16 '22 at 17:02
  • Can you kindly elaborate on other scenarios? It sounds like one would be a router hack but I don't know what other indirect connections to the network there may be. – Forward_Always Oct 17 '22 at 22:19
  • @Forward_Always: could be anything. The point is basically if your network is completely isolated from the rest of the world or if there is some connection to another network. The attacker is either already in the connected network (like the Internet) or it might hack into the network - the same way as described for hacking into your network, i.e. through vulnerable systems, whatever these might be. – Steffen Ullrich Oct 18 '22 at 01:23
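The answer above makes two points a defender can act on from the host side: an unknown device shows up in the neighbor (ARP) table, and a "living off the land" capture tool puts the capturing host's interface into promiscuous mode. Neither is visible by watching the wire, as the comments say, but both are visible on the hosts. The following is an added example (not from the answerer or the question) with constructed `ip neigh` output and constructed sysfs flag values; the inventory of known MAC addresses is a placeholder.

```python
"""Host-side checks for the two concerns in this thread:
(1) an unknown device on the wired segment, (2) a host on the segment
capturing packets with already-installed tools (tcpdump, tshark, ...).
Neither check sees sniffing on the wire; both inspect host state.
All sample inputs below are constructed, not taken from a real network."""
import re

# Output of 'ip -4 neigh show' on a Linux host, constructed for this example.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.99 dev eth0  FAILED
"""

# Placeholder asset inventory: MAC addresses the administrator has approved.
KNOWN_MACS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"}

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-f:]{17})", re.I)

def unknown_neighbors(neigh_output: str, known_macs: set[str]) -> list[tuple[str, str]]:
    """Return (ip, mac) pairs present in the neighbor table but absent from the inventory."""
    known = {k.lower() for k in known_macs}
    found = []
    for line in neigh_output.splitlines():
        m = NEIGH_RE.match(line)
        if not m:
            continue  # FAILED/INCOMPLETE entries carry no lladdr, so no MAC to compare
        ip, _dev, mac = m.groups()
        if mac.lower() not in known:
            found.append((ip, mac.lower()))
    return found

# IFF_PROMISC bit of the Linux interface flags (/sys/class/net/<if>/flags);
# the kernel sets it while any process holds the interface in promiscuous mode.
IFF_PROMISC = 0x100

def promiscuous_interfaces(flags_by_iface: dict[str, str]) -> list[str]:
    """Given {iface: contents of /sys/class/net/<iface>/flags}, list the promiscuous ones."""
    return [name for name, hexflags in flags_by_iface.items()
            if int(hexflags.strip(), 16) & IFF_PROMISC]

# Constructed sysfs values: eth0 is UP|BROADCAST|PROMISC|MULTICAST, lo is UP|LOOPBACK.
SAMPLE_FLAGS = {"eth0": "0x1103\n", "lo": "0x9\n"}

if __name__ == "__main__":
    for ip, mac in unknown_neighbors(SAMPLE_NEIGH, KNOWN_MACS):
        print(f"unknown device: {ip} ({mac})")
    for iface in promiscuous_interfaces(SAMPLE_FLAGS):
        print(f"interface in promiscuous mode: {iface}")
```

On a real host the same functions would be fed the live output of `ip -4 neigh show` and the contents of each `/sys/class/net/*/flags` file; a device missing from the inventory or an interface unexpectedly in promiscuous mode is what to investigate.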
0

If Wi-Fi is disabled and the network is strictly ethernet, assuming that no malware is deployed and it cannot be physically accessed by an attacker, can packets still be sniffed somehow?

It's possible but exceedingly unlikely.

  • Long wires (like those in Ethernet cables) are always antennas, but often poor transmitters for various reasons. But every wire transmits something.
  • 1Gig-T is 5PAM at 125 MHz. 5PAM arguably wouldn't radiate much of anything outside of times with a lot of data traffic. Even then, it's probably a mess, but technically it would transmit something.
  • Transmitters connected to poor antennas with a less than ideal mode of operation would require quite a bit of power to go any real distance. Ethernet operates at 1 volt into 100 ohm impedance, which is 10 mW divided by the poor efficiency of a misshapen long-wire antenna. At 125 MHz, any obstruction, any noise, is making that signal illegible.
  • Now have 4 channels in one cable and more than one Ethernet cable transmitting different data to each computer and it will likely fade completely into white noise.

I'm not sure an unmarked van across the street with government level money can overcome those downsides.

foreverska
  • 2,057
  • 2
  • 11