Network Sniffing
Passive capture of network traffic to extract credentials, tokens, configuration data — Wireshark, tcpdump, RTP / Modbus / Zigbee captures.
§ Where this technique fits
T1040 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 8 approved dossiers in the registry, at step 2.6 on average.
Authoritative reference: attack.mitre.org/techniques/T1040/.
§ Dossiers chaining this technique
- step 1 / 5: LoRaWAN replay → spoof environmental sensor
  Capture LoRaWAN uplinks from a target sensor. Devices that reset FCnt on reboot accept replayed frames — feed false readings into the upstream IoT platform.
- step 2 / 5: 5G core GTP-U user-plane injection → subscriber MITM
  Attacker on a transit network between mobile-core hops (or with compromised UPF). GTP-U packets are typically unfiltered between PEs; inject packets into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks.
- step 2 / 5: Mifare Classic crack → cloned hotel key
  Many hotel / corporate door systems still use Mifare Classic. Capture nonces during normal use, recover the Crypto-1 key with mfoc / mfcuk, write to a 'magic UID' card — full access to the property.
- step 3 / 5: BGP prefix hijack → traffic interception
  From a compliant origin AS, announce a more-specific or origin-spoofed prefix belonging to the victim. Internet routing converges on the attacker AS; traffic for that prefix flows through attacker for inspection / DoS.
- step 3 / 5: MITM HL7 v2 → tamper lab orders / results
  HL7 v2 over MLLP is plaintext pipe-delimited. From the same VLAN as the lab analyser ↔ EHR link, MITM and rewrite OBX result segments — changes the patient's documented test result.
- step 3 / 5: BACnet HVAC → disrupt building operations
  BACnet on UDP/47808 is unauthenticated. From a foothold in corporate IT, write to HVAC controllers — over-cool a data centre, disable smoke evacuation, mess with elevators.
- step 3 / 5: Reachable Modbus PLC → direct register override
  Modbus has no authentication. From a foothold on a reachable OT network, write to coils / holding registers directly with pymodbus.
- step 4 / 5: Zigbee network key sniff → smart-home control
  Sniff a fresh device-join with an Atmel RZRAVEN — Zigbee broadcasts the network key in plaintext during pairing. Decrypt all subsequent traffic + send commands.
§ What commonly comes next
- 01 Modbus TCP Write to PLC (seen 2×) · OT-MODBUS-WRITE · Impact
- 02 Adversary-in-the-Middle (seen 1×) · T1557 · Credential Access
- 03 BACnet Building Automation Write (seen 1×) · OT-BACNET · Impact
- 04 File and Directory Discovery (seen 1×) · T1083 · Discovery
- 05 GTP-U User-Plane Spoof (seen 1×) · 5G-GTP-U · Lateral Movement
- 06 HL7 v2 Message Injection (seen 1×) · HC-HL7-INJECT · Impact
- 07 Mifare Classic Key Recovery (seen 1×) · NFC-MIFARE-CRACK · Credential Access