sniffing – What data can be sniffed in a LoRaWAN network at various points?

What data or metadata can be sniffed in a LoRaWAN network at various points like the end-device (node), the gateway, the network server and the application server? Does there exist a standardized data format for transmitting the messages, since I need to sniff the data for any anomalous activity at every point on the network?

I am an outsider to the network, so I shall just have access to the metadata or header data of the message. And the application is a machine learning-based intrusion detection system which analyzes the metadata info at various points in the network, viz. the end-nodes, gateways, network server and the application servers, to detect any anomalous activity.

I referred to this article; however, it doesn’t clearly specify the points from where the data has been collected. It may be possible that some data has been scraped at the gateway or at the network server.

So I want to know if there exists a standard and distinct format for transmitting the data from end-node to gateway, from gateway to network server and from network server to application server, and what data can be sniffed in these transmissions as an outsider?

deanonymization – Is it possible to detect a Telegram user by sniffing traffic?

Telegram is not a peer-to-peer network like Tor, but has central servers. Indeed, if you have full control over the network you can do all sorts of evil.

Once you get a list of known Telegram servers, you can monitor them and get a detailed record of who connected to the network at what time. You have both source and destination IPs.

Now, I assume the following may happen:

  • A phone is seized from an activist, giving the cops access to the subject’s Telegram groups

Cops already gathered a timestamp archive of connections; now they have access to the contents of the chat. If they find content of interest, they may compare the timestamp of the picture, and the approximate byte size, to the connections made at that time. Eventually, they will get a short-list of people to investigate.

Pure and simple social engineering. Like Europol often does to hunt down child abusers in encrypted chats. Once they are in, they can get live information about who may be posting on certain chats.

The point is that this approach does not directly identify an individual, but provides authorities a list of suspects short enough to proceed with more human (“classic” police) approaches.

passwords – How do sites detect credential sniffing, and what is the purpose of this attack?

We can’t know how Unsplash detected it unless they tell us. However, many large websites have some sort of abuse tooling to automatically detect patterns. For example, Unsplash may import compromised credentials from public databases and match logins on those accounts from certain shared IP addresses. Clearly they’ve seen this pattern before, since they have a pre-canned email about it.

In general, any site of reasonable size that has a social aspect where there can be likes or ranking of items is subject to abuse from bots who sell paid likes. As for who would want this, consider being able to put on your resume that you’re one of the top ten most popular photographers on Unsplash. That would be very appealing indeed. It may also cause search engine rankings for your user ID or name to be better, especially if they show up on a favorites or top photos page.

As for why the attackers uploaded images: because it’s very easy to find empty accounts that only give out likes. If a user engages in a variety of types of activity, it makes it seem less suspicious, so the site is less likely to catch on to the pattern. They also may like unrelated accounts to make it less obvious who’s paying them if they do get detected. Most sites don’t permit gaming the system in this way (or using automated systems to do this), and the attackers’ service wouldn’t be very popular if many of their customers’ accounts got cancelled.

man in the middle – At times bettercap ARP sniffing works great and at times not at all, what would be the reason?

I like to track the websites my daughter goes to in order to have some control. So I installed bettercap and set up a script to start it to sniff the HTML URLs being accessed (well, the reverse URL from the IP, really).

sudo bettercap --eval 'set events.stream.time.format 2006-01-02 15:04:05;
                       set arp.spoof.targets 192.168.n.m;
                       arp.spoof on;
                       net.sniff on'

Note: the command is a single line (no new-line), I added new lines here for clarity.

The result is a large list of URLs as she hits one website or another. Especially, I see a ton of marketing websites (darn!). But at times I just see the messages:

endpoint detected as

and

end point lost

(the messages include the IP address and device name, in general).

So even though the end points are properly detected, no other data comes through.

My network looks more or less like this:

+--------+   +-------+
| Laptop |   | Phone |
+---+----+   +---+---+
    |            |
    |            |
    |            v
    |      +----------+
    +----->| WiFi Hub |
           +-----+----+
                 |            +-------------------+
                 |            | Main Server       |
                 v            |                   |
           +----------+       |   +-------------+ |
           | Switch   |<------+   | Kali Linux  | |
           +----------+       |   | (bettercap) | |
                 ^            |   | VPS         | |       +--------+
                 |            |   +-------------+ +------>| Router +----> Internet
                 |            |                   |       +--------+
                 |            +-------------------+
           +-----+-----+
           | Laptop    |
           | (Wired)   |
           +-----------+

So all the traffic from all the machines does go through the Main Server using the FORWARD capability of the Linux firewall. In other words, the computers to the left are all isolated (they can still communicate among each other, but not directly to the main server; the main server can connect to some of them, though). So the network is rather secure.

Since it worked before, I would imagine that the script is correct, but still, there is something that makes Kali bettercap work or fail just like that. I’m not too sure what I would need to do to make it work every time I reboot without having to fiddle with it (although this time the fiddling didn’t help; it’s still not tracking anything).

Does Oracle Database suffer from the parameter sniffing issue?

Yes, it does.

Starting with version 11.1, we have Adaptive Cursor Sharing with bind sensitivity and bind awareness, which allows the optimizer to produce multiple optimal execution plans for the same SQL statement, depending on the bind values.

Purpose of Adaptive Cursor Sharing

With bind peeking, the optimizer
peeks at the values of user-defined bind variables on the first
invocation of a cursor. The optimizer determines the cardinality of
any WHERE clause condition as if literals had been used instead of
bind variables. If a column in a WHERE clause has skewed data,
however, then a histogram may exist on this column. When the optimizer
peeks at the value of the user-defined bind variable and chooses a
plan, this plan may not be good for all values.

In adaptive cursor sharing, the database monitors data accessed over
time for different bind values, ensuring the optimal choice of cursor
for a specific bind value. For example, the optimizer might choose one
plan for bind value 10 and a different plan for bind value 50. Cursor
sharing is “adaptive” because the cursor adapts its behavior so that
the optimizer does not always choose the same plan for each execution
or bind variable value. Thus, the optimizer automatically detects when
different executions of a statement would benefit from different
execution plans.

This does wonders on paper and in presentations, but in the real world, there is still room for improvement.

In short: the problem with ACS is that it does not work immediately for new values. It uses the already existing execution plan, optimal for other values, and only after that, on a repeated attempt, may it choose a different plan. We may not have time to wait for the first sub-optimal attempt for the new bind value to finish, as it may take orders of magnitude longer depending on the actual statement and data quantity/distribution.

https://oracle-base.com/articles/11g/adaptive-cursor-sharing-11gr1
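To make the answer's point observable, here is an added illustration (not code from the answer, from oracle-base.com, or from Oracle's documentation). It assumes a hypothetical table ORDERS with a skewed STATUS column that carries a histogram, a SQL*Plus session for the VARIABLE/EXEC commands, and SELECT privilege on the V$SQL and V$SQL_CS_SELECTIVITY views (which are real Oracle views; the table and bind values are constructed for the example). It runs one statement with a rare and then a common bind value and shows where the "first attempt reuses the old plan" behaviour can be seen.

```sql
-- Added illustration, not from the original answer. Assumed objects:
-- ORDERS(STATUS, ...) with skewed STATUS values and a histogram on STATUS.
-- Requires SQL*Plus (VARIABLE / EXEC) and SELECT on V$SQL, V$SQL_CS_SELECTIVITY.

-- 1. Same statement, rare value first: the optimizer peeks the bind and
--    picks a plan suited to a small result set (typically index access).
VARIABLE st VARCHAR2(20)
EXEC :st := 'CANCELLED';   -- constructed: a rare STATUS value
SELECT /* acs_demo */ COUNT(*) FROM orders WHERE status = :st;

-- 2. Common value: this FIRST execution still reuses the plan peeked for
--    the rare value. That is the sub-optimal run the answer warns about,
--    and it must complete before ACS can react.
EXEC :st := 'SHIPPED';     -- constructed: a very common STATUS value
SELECT /* acs_demo */ COUNT(*) FROM orders WHERE status = :st;

-- 3. Repeat with the common value: the cursor has now been marked
--    bind-aware and a second child cursor with a different plan can appear.
SELECT /* acs_demo */ COUNT(*) FROM orders WHERE status = :st;

-- 4. Inspect the cursor state: one row per child cursor. The NOT LIKE
--    clause keeps this monitoring query itself out of the result.
SELECT sql_id, child_number, plan_hash_value, executions,
       is_bind_sensitive, is_bind_aware, is_shareable
FROM   v$sql
WHERE  sql_text LIKE '%acs_demo%'
AND    sql_text NOT LIKE '%v$sql%'
ORDER  BY child_number;

-- 5. For bind-aware children, the selectivity range each plan was kept for.
--    Substitute the SQL_ID reported by step 4.
SELECT child_number, predicate, range_id, low, high
FROM   v$sql_cs_selectivity
WHERE  sql_id = '&sql_id'
ORDER  BY child_number, range_id;
```

Reading the output of step 4 after step 2 alone shows a single child with IS_BIND_SENSITIVE = 'Y' and IS_BIND_AWARE = 'N'; only after step 3 does a second child, with a different PLAN_HASH_VALUE, normally appear, and the first child is then marked IS_SHAREABLE = 'N'. A monitoring job that watches for long-running executions of bind-sensitive statements whose EXECUTIONS is still low is one practical way to catch the sub-optimal first run.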

sniffing – HackRF 2.4Ghz capture

I learned to use the HackRF One recently. I am finally interested in listening to and decoding a brand of headphones that uses spread-spectrum frequency hopping in the range of 2400 to 2485 MHz.

My question is how do I create a flowchart in GRC that will record the data so that it can be decoded offline later? Is it possible with HackRF?

Prevent packet sniffing and ARP spoofing with a switch

Can I prevent packet sniffing and man-in-the-middle attacks (ARP spoofing) by connecting a switch to my end of a network, forcing certain gateway MAC addresses on the switch and connecting my computer(s) to the switch? Are (reasonably inexpensive) switches even capable of setting MAC addresses? Are my packets really unreadable by other computers on the network?

I have to connect through a network I don't trust. I also need to use HTTP connections, including downloading executables and sending passwords. The gateway's MAC address appears to be static. I have no idea what the network architecture looks like. VPN is not an option. I would also like to connect to a printer whose IP I know (and I could probably get its MAC). Thank you.

Scapy sniffing in python

I can't seem to find how I can exclude something in the filter setting of scapy's sniff function. For example, I want to scan the network for all ports except 80 and 443 (HTTP/HTTPS). How do I get there? Thank you!

wifi – How to disable Airport Sniffing?

When I run the airport command, it tells me that it is sniffing:

Sniffing on channel 1:
    airport en1 sniff 1

I noticed that many log files are created in /private/tmp.

There may be a bad actor who did this to my mac.

How can I turn off airport sniffing?

sniffer – sniffing SIM card traffic

I wonder if SIM card traffic can be sniffed. I'm only talking about the Internet connection for requests to multiple websites. Can this traffic be sniffed with Wireshark?

P.S.: not the messages, only the network traffic, i.e. where it sends data and what kind.

Is it possible with special equipment?