Tuesday, September 24, 2019

How to sniff packets in a WiFi network

In wired Ethernet LANs, sniffing packets meant for other computers in the network from a Linux-based system is as simple as setting your local network interface to promiscuous mode and running tcpdump.

WiFi complicates things: each computer connected to the hotspot holds a wireless WPA session encrypted with a different session key, and most hotspots (at least today) only send Ethernet frames meant for a specific MAC address over the specific session mapped to the device to which that MAC address belongs.

Therefore, one is left with at least three possible ways to do promiscuous sniffing on a WiFi network:

  1. MAC spoofing. The MAC address of a Linux box can be easily spoofed using standard utilities like ifconfig, but there are also specialized utilities like macchanger. MAC spoofing is very fragile and timing-sensitive, and although you can hijack a few packets using it, you run a high risk of killing the Internet connection of the target device you are spoofing.
  2. Running a rogue (secondary) DHCP server on your Linux box (easily installed and configured) and then performing a DHCP poisoning exploit on the legitimate DHCP server using an easily available and installable utility like yersinia. Doing this, you eventually end up with all of the local network's devices registering with the DHCP server under your control, and this way you get to tell them which DNS server and Internet gateway to use. If all you want to do is monitor their DNS requests so you know what sites/services they use, you can simply tell them to use your local BIND instance (which must have query logging turned on) as their DNS server. However, some devices may have their DNS servers hardcoded, or you may want to intercept the communication packets themselves; in this case you simply need to set the gateway to your own IP address (your box still uses the legit gateway as its own gateway) and turn on packet forwarding like this:

         sysctl -w net.ipv4.ip_forward=1

     After that, using tcpdump and filtering for the IP address of the target device will give you access to the full packet stream to/from that device.
  3. There is an easier way to get the exact same results as with method 2 right above. You can use the arpspoof utility (installed as part of the dsniff package) to pretend you are the gateway. While arpspoof is ARP spoofing, the target machine will send you its packets thinking you are the gateway; you need to forward them by using the same command as above:

         sysctl -w net.ipv4.ip_forward=1

     Now you also have access to the target device's packet stream. This method also bears some risk of breaking the Internet connection of the target device, so it's best to keep your spoofing as short and targeted as possible.
Methods 2 and 3 are versions of a gateway MITM (Man In The Middle) attack.
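
Seen from the target's side, the ARP spoofing in method 3 leaves a trace in the neighbor table: the gateway's IP address resolves to the same MAC address as another host on the LAN, and no longer to the gateway's real MAC. The following check is an added example, not part of the original post; the `ip neigh show` sample, all addresses and the pinned gateway MAC are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output on a host being ARP-spoofed:
# the gateway (192.168.1.1) and another host (192.168.1.23) share one MAC.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:aa:bb:cc REACHABLE
192.168.1.23 dev wlan0 lladdr 02:00:00:aa:bb:cc STALE
192.168.1.40 dev wlan0 lladdr 02:00:00:11:22:33 REACHABLE
192.168.1.77 dev wlan0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac} for entries that have a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            table[m["ip"]] = m["mac"].lower()
    return table

def find_arp_anomalies(table, gateway_ip, pinned_gateway_mac=None):
    """Flag MACs claimed by several IPs and a gateway MAC that differs
    from a known-good value recorded earlier (the 'pinned' MAC)."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        # Can be legitimate (multi-homed host, proxy ARP); worth a look
        # whenever the gateway IP is one of the addresses involved.
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, tuple(sorted(ips))))
    seen = table.get(gateway_ip)
    if pinned_gateway_mac and seen and seen != pinned_gateway_mac.lower():
        findings.append(("gateway_mismatch", gateway_ip, seen))
    return findings

if __name__ == "__main__":
    neigh = parse_neigh(SAMPLE_NEIGH)
    for finding in find_arp_anomalies(neigh, "192.168.1.1", "02:00:00:00:00:01"):
        print(finding)
```

On a real host, feed `parse_neigh` the output of `ip neigh show` and record the gateway's MAC while the network is known to be clean.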

Next chapter: SSL/TLS MITM attacks. Privacy goes bye-bye.
