Snooping and Sniffing
To read a web page, a device connects to the web server and asks for the page using the Hypertext Transfer Protocol (HTTP). On an open Wi-Fi router these requests and the responses can be seen by anyone who is listening. With wired networking, listening to the data packets zipping back and forth is more intrusive. With wireless networking, however, all that data is sent whizzing through the air, in every direction, for any Wi-Fi equipment to receive!
Normally a Wi-Fi adapter is set to “managed” mode, which means it simply acts as a client and connects to a single Wi-Fi router for access to the Internet. However, some Wi-Fi adapters can be set to other modes such as “monitor” mode or “master” mode. In “managed” mode a Wi-Fi network interface ignores all data packets except those specifically addressed to it. In “monitor” mode, by contrast, the Wi-Fi adapter captures all the wireless network traffic (on a certain Wi-Fi channel) regardless of the destination. In fact, in “monitor” mode the Wi-Fi interface can capture packets without even being connected to any access point (router); it is a free agent, sniffing and snooping on all the data in the air!
Not all off-the-shelf Wi-Fi adapters can do this, as it is cheaper for manufacturers to make Wi-Fi chipsets that only handle “managed” mode. However, there are some that can be placed into “monitor” mode, for example the TP-Link TL-WN722N.
To sniff Wi-Fi packets, you can use a Linux distribution called Kali, or a more standard distribution like Ubuntu, although with the latter you will need to install some of the tools yourself. If you don’t have Linux on a laptop then you can run Kali Linux in a virtual machine such as VirtualBox or VMware.
To capture the traffic we are going to use the aircrack-ng suite of tools, plus some others like driftnet, Wireshark and urlsnarf.
First you need to find out the name of your wireless network adapter. It will probably be wlan0, but to check, run ifconfig and then, to double check, run iwconfig:
Next, put the wireless card into “monitor” mode. Not all adapters/cards support this, so you must make sure you are using a compatible adapter. The command is:
airmon-ng start wlan0
This will create a new virtual interface called wlan0mon (or maybe mon0). You can see it using iwconfig:
Wi-Fi uses the 2.4GHz or 5GHz band (depending on which variant of the standard you are using). The 2.4GHz range is split into a number of “channels” which are 5MHz apart. To get two channels which don’t overlap at all they need to be spaced around 22MHz apart (but that also depends on which variant of the Wi-Fi standard is being used). That is why channels 1, 6 and 11 are the most common channels: they are far enough apart that they don’t overlap.
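As an added example (not from the original article), the channel spacing described above worked through in Python: channel centre frequencies, the 22MHz overlap test, and why 1, 6 and 11 come out as the non-overlapping set. The 2407MHz base frequency and the channel 14 special case are standard 802.11 values that the article does not spell out.

```python
# Added example, not from the original article: 2.4 GHz Wi-Fi channel
# spacing and overlap, using the 5 MHz spacing and 22 MHz channel width
# quoted in the text. BASE_MHZ and channel 14 are standard 802.11 values.
CHANNEL_SPACING_MHZ = 5
CHANNEL_WIDTH_MHZ = 22
BASE_MHZ = 2407  # channel N is centred on 2407 + 5*N MHz for N = 1..13


def center_frequency(channel: int) -> int:
    """Centre frequency in MHz of a 2.4 GHz channel (1-14)."""
    if channel == 14:
        return 2484  # channel 14 sits 12 MHz above channel 13, not 5
    if not 1 <= channel <= 13:
        raise ValueError("2.4 GHz channels run from 1 to 14")
    return BASE_MHZ + CHANNEL_SPACING_MHZ * channel


def channels_overlap(a: int, b: int) -> bool:
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(center_frequency(a) - center_frequency(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(channels=range(1, 14)) -> list:
    """Greedy pick, lowest channel first, of channels that do not overlap each other."""
    chosen = []
    for ch in channels:
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def interfering_channels(channel: int, observed) -> list:
    """Channels seen in an airodump-ng style scan that would interfere with `channel`."""
    return sorted({c for c in observed if channels_overlap(channel, c)})


if __name__ == "__main__":
    # Constructed scan result, matching the channels listed later in the text (11, 6, 1, 11).
    seen = [11, 6, 1, 11]
    print("non-overlapping:", non_overlapping_set())        # [1, 6, 11]
    print("interfering with 6:", interfering_channels(6, seen))  # [6]
    print("interfering with 3:", interfering_channels(3, seen))  # [1, 6]
```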
To capture data via a Wi-Fi adapter in “monitor” mode you need to tell the adapter which frequency to tune into, i.e. which channel to use. To see which channels are in use around you, and which channel is being used by the free public Wi-Fi service you wish to test, use the airodump-ng command:
The first list shows the Wi-Fi networks within reach of your laptop. The “CH” column tells you which channel number each network is using (11, 6, 1 and 11) and the “ESSID” column shows the names of the networks (i.e. the service set identifiers). The “ENC” column reveals whether the network is using encryption and, if so, what type. You can see from the screenshot that one of the networks is listed as OPN (i.e. OPEN). This is an open Wi-Fi access point set up for testing purposes.
If the free Wi-Fi is on channel 6 then use the airodump-ng command to capture the data like this:
airodump-ng -c 6 -w allthedata wlan0mon
This will start capturing all the data on channel 6 and write it to a file called allthedata-01.cap. Let that run for however long you need and then press CTRL-C to exit.
OK, now we have a big lump of network traffic. The next step is to analyze that data. Network traffic contains lots of different information. For example, there are all the broadcast packets which carry the information about the wireless network, the SSID etc. That is what your device receives when it is looking for the available networks. The question is, how can we sort through all the packets and find something interesting?
Each service on the Internet uses what is called a port; this is the way a service (like a web server) and a client communicate. Web servers use port 80, email servers use port 25 (and some others), FTP uses port 21, SSH uses port 22 and so on. A single server can run multiple services (web, email, FTP, etc.) even though the IP address is the same, because each service uses a different port.
There are lots of different tools that you can use to filter the data in the network capture. Some simple command line tools include urlsnarf, dsniff and driftnet.
To filter out all the URLs from the data capture use:
urlsnarf -p allthedata-01.cap
To see if there are any passwords lurking around in the data then use:
dsniff -p allthedata-01.cap
And to see what pictures were being viewed, use the driftnet tool:
driftnet -f allthedata-01.cap -a -d capturedimages
The -a option tells driftnet to write the images to disk rather than display them on screen. The -d option specifies the output directory.
If you don’t like the command line you can use Wireshark. This graphical tool allows you to look at each packet of data individually, but it also offers lots of neat filtering. So if you type “http” into the filter bar then only the web related packets will be displayed. There is also the option to export all the images from the HTTP traffic via the File -> Export Objects -> HTTP menu item.
If you want to find out more about how to protect your Wi-Fi network, how to use an open Wi-Fi hotspot securely, or how to deploy a secure Wi-Fi network, contact us now!
By Don Krys
IT Security Consultant
@ Techno|BOSS Intl.