https://mike.tig.as/blog/2010/04/14/easy-wireless-eavesd...
Minuti
Loud thinking from the mind of Mike Tigas.
Super important disclaimer text: If you're not doing this on your own wireless network, get permission first. Otherwise, you may be breaking the law. I will not be held liable for what you do, based on whatever you learn from here. If you don't agree with that, stop reading.
This is Mac-oriented, for simplicity's sake: OS X comes with a lot of things that make this way too easy, and that's the point I'd like to get across. (This is completely doable on other systems, however.)[1] This guide is for tech-savvy folks who've used the command-line before. (A previous draft was more general-purpose, but far longer than I was comfortable publishing.)
1 of 8
10/01/2013 02:42 AM
TOOLS
Mac OS X comes with a version of tcpdump, which is a common command-line tool for dumping (aka sniffing; saving) the packets that zip across a network. To actually analyze and get interesting information out of the mass of information in a packet dump, download Wireshark. I'm using the Development Release (1.3.4), but Stable should work fine as well. Install that to your Applications folder by dragging it over.
USING TCPDUMP
My usual use case looks something like the following. (I'll explain all of the bits below.)
    sudo tcpdump \
        -i $WIFICARD \
        -I \
        -n \
        -w $OUTPUT_FILE \
        not ether host $ETHER_ADDR \
        and not host $IP_ADDR \
        and not "(wlan[0:1] & 0xfc) == " \
        and not "(wlan[0:1] & 0xfc) == " \
        and not "(wlan[0:1] & 0xfc) == " \
        and not "(wlan[0:1] & 0xfc) == " \
        and not "(wlan[0:1] & 0xfc) == " \
        and not "(wlan[0:1] & 0xfc) == "
-i sets the network card you'll be using ($WIFICARD is your wireless card; en1, for example, is usually the identifier for Airport cards in Mac laptops).
-I puts your network card in monitor mode, where it listens in on all packets on the network, not just the ones addressed to you.
-n disables name resolution, since we don't need it for our packet dump.
-w sets the output packet dump file ($OUTPUT_FILE could be something like ~/Desktop/capture.pcap).
The last few options filter down our dataset:
Don't save data between our computer and the access point, since we're interested in eavesdropping on other people ($ETHER_ADDR and $IP_ADDR would be your MAC and IP addresses on the local network, respectively).
Don't save miscellaneous packets like wireless beacon packets and pings. There are a lot of them, and they don't hold any useful data.
Tip: you can run ifconfig $WIFICARD to find those two addresses (the "ether" and "inet" lines of its output); airport -I prints details about the wireless network you're currently joined to. An example:
    sudo tcpdump -i en1 -I -n -w ~/Desktop/dump.pcap not ether host 00:26:bb:0b:1e:01
Alternatively, I've wrapped up that command in a script that (should) automatically figure out your IP and MAC addresses, then start a packet dump that saves to your desktop. You can view the script here and download it from here. Since tcpdump needs to be run as an administrator to switch the wireless card over to monitor mode, the script will ask for your password. (Aside: check out the code before running it. Never ever run anything with sudo on the command-line unless you're absolutely sure it's safe.)
Assuming youve downloaded it to your Downloads folder, creating a packet dump is as simple as:
    cd ~/Downloads
    chmod +x sniff.sh
    ./sniff.sh
If the script is working, you'll notice the dump file appear on the desktop and grow as you capture packets. You are now eavesdropping on other people's connections on the given wireless network. At any point, you can finish up and close the script by pressing control-c.
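As an added illustration (my own code, not the post's or its script), here is a small Python decoder for the 802.11 frame-control byte that the "(wlan[0:1] & 0xfc) == ..." clauses of the capture filter above inspect: it shows why the 0xfc mask ignores the protocol-version bits, which standard type/subtype codes correspond to beacons, probe requests/responses, ACKs and data, and how to build an exclusion clause in the same shape. The "noise" set used in the demo is my assumption for illustration, not the post's exact list of excluded frames.

```python
# Added example, not the original post's code: decode the first 802.11
# frame-control byte that "(wlan[0:1] & 0xfc) == ..." inspects. Standard
# 802.11 layout: bits 0-1 version, bits 2-3 type, bits 4-7 subtype; the
# 0xfc mask drops the version bits so only type and subtype are compared.
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

# (type, subtype) -> name for the kinds the post mentions (beacons, probes,
# ACKs) plus ordinary data frames. These are the standard 802.11 codes.
SUBTYPE_NAMES = {
    (0, 4): "probe request",
    (0, 5): "probe response",
    (0, 8): "beacon",
    (1, 13): "ACK",
    (2, 0): "data",
    (2, 8): "QoS data",
}

def decode_frame_control(fc_byte):
    """Return version, type name, subtype and a friendly name for fc_byte."""
    if not 0 <= fc_byte <= 0xFF:
        raise ValueError("frame control byte must be in 0..255")
    ftype = (fc_byte >> 2) & 0x03
    subtype = (fc_byte >> 4) & 0x0F
    return {
        "version": fc_byte & 0x03,
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": subtype,
        "name": SUBTYPE_NAMES.get((ftype, subtype), "other"),
    }

def masked_value(ftype, subtype):
    """The value (wlan[0:1] & 0xfc) yields for a given type/subtype."""
    return (subtype << 4) | (ftype << 2)

def exclude_clause(ftype, subtype):
    """One 'and not ...' clause in the shape the post's filter uses."""
    return 'and not "(wlan[0:1] & 0xfc) == 0x%02x"' % masked_value(ftype, subtype)

def is_dropped(fc_byte, dropped_values):
    """True when a filter excluding dropped_values discards this frame."""
    return (fc_byte & 0xFC) in dropped_values

if __name__ == "__main__":
    # Assumed noise set for the demo: beacons, probe requests/responses, ACKs.
    noise = {masked_value(t, s) for t, s in ((0, 8), (0, 4), (0, 5), (1, 13))}
    for fc in (0x80, 0x40, 0xD4, 0x08, 0x88):
        info = decode_frame_control(fc)
        verdict = "dropped" if is_dropped(fc, noise) else "kept"
        print("0x%02x %-10s %-14s %s" % (fc, info["type"], info["name"], verdict))
```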
... click on Apply. (Note that since Wireshark is an X11-based application, pasting is done with control-v rather than command-v.) The display filter:
    (http or smtp or imap or pop or aim or jabber or aim_chat or aim_budd
You should now have a packet dump that looks sort of like the following.
You can now dig around and browse all of the data that went through the wireless network: Web pages, SMTP/IMAP/POP e-mail, AIM conversations, Jabber (Google Talk, Facebook Chat) conversations, provided they're unencrypted. (Side note: AIM and Google Talk now default to using SSL encryption. Most e-mail hosts do, too.) The packet data panel (the second or third one; the bottom one in my example image) allows you to drill down the layers of protocols-within-protocols in every packet. Play around with it! The following filters might also be nice to experiment with:
    aim.messageblock.message
will only show IM messages over the AIM network.
    http.request.uri contains "profile.php"
will only show Web pages with "username" anywhere within the URL or content. (Surprise: this includes submissions to unencrypted login forms, if there are any.)
... wireless network. (Provided your connection doesn't need extra authentication like Cisco Clean Access, even non-computer devices like the iPhone support VPN.) Connecting through a VPN encrypts data between you and the VPN; only after your information makes it to your VPN's internet connection does it become unencrypted (and from there, it goes to the internet normally). Alternatively, if you're savvy enough to have SSH access to a Web server, you can use it as a secure proxy tunnel in practically the same way. If you understood what I just said, you can probably wing it.
If you don't have access to the above, you can't really do that much. Ideally, you should ask your local business to enable WPA on their network and either post the password or have customers ask for it. (My nearby Rocket Market operated their wireless like this, back when I lived up in Spokane.)
Most importantly: tread lightly. Never do anything confidential on an unprotected wireless network. And whenever you do go out, only log into sites and services that use SSL. (Facebook, Twitter, Gmail, and many other major sites always send your username & password via HTTPS. Gmail can be read over HTTPS, as can most other e-mail services. iChat can be set to "Require SSL" under your account's server settings.)
Cautiousness is a virtue, online. Be careful and always be prepared for the worst. Think before you log in. Don't use the same password everywhere. (I used to keep a rotation of about four passwords before switching to all random passwords and 1Password as a password manager.) Don't take the Internet for granted. Oh yeah, and don't ever try anything I've mentioned here, unless you have permission.
[1] Wireshark does work on all platforms and also performs the sniffing aspects on Windows/Linux if your drivers allow it. With a little bit of effort, you can figure that out. You can still make do with my Wireshark analysis instructions once you have a packet dump.
Comments (2 comments; comments for this thread are now closed)
Mike Tigas, 3 years ago:
And as a postscript: In my mind, this is akin to teaching someone how to wield a gun and saying "DON'T SHOOT ANYONE ELSE, OKAY?" On the Internet, there are no licenses required to tinker, which is great for learning, but also frightening since *anyone* is capable of exploiting bugs, loopholes, and unsafe methods. While working on this, I've already convinced a few friends of the genuine dangers of coffee shop and hotel WiFi. I think the education and cautiousness of folks outweighs the chances of someone going malicious with this.
Chris Tigas, 3 years ago:
You have what is literally the gayest font on this site. Take it down immediately or be subjected to intense nonconstructive criticism.
Mike Tigas is a Knight-Mozilla OpenNews Fellow and a Web/mobile applications developer with experience in the media industry (portfolio).
PGP: 0x6E0E9923 & 0x3082B5A3, OTR: 0xB0846D0B & 0x17F5E551