# T1040: Network Sniffing Adversaries may sniff network traffic to capture information about an environment, including material passed over the network. Network sniffing refers to using the Network interface on a system to monitor or capture information sent over the wired or wireless connection. An adversary may place a network into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to adversary. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, host-names, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. **Example** As I have demonstrated this technique with Responder by poisoning requests we can use 2 other methods here Tcpdump for Windows or the built-in Windows utility netsh **We will need Administrator privileges for both commands** **tcpdump** ![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MS05R_A-8ilIno2Knkj%2F-MS05Yep4Xf0stm-ZSr1%2Fimage.png?alt=media\&token=c72d0771-127a-4e7d-9263-63c24156c816) **Netsh** ![](https://315180959-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MRh03Vwd4nuiUi3Oje7%2F-MS05R_A-8ilIno2Knkj%2F-MS05Zd9fS5wuiTh46Z9%2Fimage.png?alt=media\&token=a7ff28ad-8f8e-45e4-afe5-8c6f090a6e63) Netsh will create files that will need to be change to pcap or any file you are accustomed for analyzing packets --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/discovery/t1040-network-sniffing.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.