In this tutorial today, I’ll be demonstrating some low-level but terrifying utilities you can run on your compromised network. If you weren’t paranoid enough after I showed you how to crack a WEP network in 5 minutes last week, you will be after today.
- These apps will only work on a wifi network that is either open or secured with WEP and for which you already have the key.
- Backtrack5 Security Linux Live-CD: if you’re unfamiliar with the boot process and how to get into a GUI, read last week’s tutorial on how to hack your WEP network.
- A wireless card that supports monitor mode (where it captures all the packets on the network).
Note: This isn’t the only way to sniff out packets on the wifi, but as far as I’m concerned it’s the easiest for beginners and consists of really only a few shell commands to see results. It certainly isn’t the most comprehensive or effective way to do things, and there are certain drawbacks and limitations I’ll discuss beside each utility.
Today we’ll be covering 3 different basic-level utilities for figuring out what’s going on: urlsnarf, webspy, and driftnet.
Boot into Backtrack5 as described last week. Before continuing, make sure you have the following information noted down somewhere:
- The BSSID (Mac address) of your target network.
- The NAME of your target network.
- The CHANNEL number that the network operates on (1-12).
- The WEP key (if needed).
Start by placing your wifi card into monitor mode on the specified channel, using:
airmon-ng start wlan0 [channel]
Replace wlan0 with the name of your wireless device (iwconfig will tell you this if you don’t know it already) and put the relevant channel number in place of [channel] (don’t include the brackets). You should now have a mon0 interface for monitoring network traffic.
Since the packets need to be decrypted on the fly, we need to run them through the airtun-ng utility, which will give us a live stream of the decrypted packets as it sees them on the network, in a suitable format for some of the other apps we will use today. Type in the following command, replacing your details:
airtun-ng -a [bssid] -w [password] -t 1 mon0
Leave out the -w bit if you’re doing this on an open wifi network. You should see something similar to this if it’s successful.
The utility created a new network device stream called at0, which we need to activate using another command (open a new terminal for this, and don’t close the one running airtun-ng):
ifconfig at0 up
Okay, setup is complete, onto stage 2.
urlsnarf is going to list out all the websites visited by users on the network, so you can see in real time what sites they are browsing to.
urlsnarf -i at0
It’s also going to give a lot of noise though, as each website visited results in a number of requests being made to various places. Here’s a snapshot of me browsing the iTunes store. A quick look over the list will tell me:
- The user is on an IP address of 192.168.0.5 (useful for finding out more later)
- The request is coming from a 32GB model iPad.
- Exactly which URLs are being loaded.
- The user has gone through a number of mobile applications, like Mobile Safari, Reeder (a Google Reader app), and the iTunes store.
With multiple users it could become difficult to tell which requests are made by whom, but there are additional filters I won’t get into. For now, this is scary enough.
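As an added example (not part of the original tutorial), here is a Python script that parses urlsnarf's Common Log Format output captured on your own network and reports, per client, which hosts were fetched over plaintext HTTP, plus any client IP that is not on your own device list, so you can see who is on your wifi and how much of your own traffic is readable. The log lines and the device list are constructed, and urlsnarf's exact output layout is assumed from its CLF style.

```python
"""Audit constructed urlsnarf output: which devices on my own network are
sending plaintext HTTP, and which client IPs are not on my device list.
Assumes urlsnarf's CLF-style lines (client IP, timestamp, request line,
referer, user agent); sample lines and the device list are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the shape urlsnarf prints (CLF with full URLs).
SAMPLE_LOG = """\
192.168.0.5 - - [12/Jun/2011:14:23:01 +0100] "GET http://ax.init.itunes.apple.com/bag.xml HTTP/1.1" - - "-" "iTunes-iPad/4.3.3 (32GB; dt:28)"
192.168.0.5 - - [12/Jun/2011:14:23:04 +0100] "GET http://www.google.com/reader/api/0/subscription/list HTTP/1.1" - - "-" "Reeder/2.5 CFNetwork/485.13.9 Darwin/11.0.0"
192.168.0.9 - - [12/Jun/2011:14:25:17 +0100] "GET http://example.net/index.html HTTP/1.1" - - "http://example.net/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Hypothetical allow-list of my own devices; anything else is an unknown client.
KNOWN_DEVICES = {"192.168.0.5": "my iPad"}

CLF_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)"'
    r' - - "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of the CLF fields, or None if the line does not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec

def audit(log_text, known_devices):
    """Group plaintext requests by client IP and flag IPs not in the allow-list."""
    per_client = defaultdict(lambda: {"hosts": set(), "agents": set(), "requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip anything urlsnarf did not print as a CLF line
        entry = per_client[rec["ip"]]
        entry["hosts"].add(rec["host"])
        entry["agents"].add(rec["ua"])
        entry["requests"] += 1
    unknown = sorted(ip for ip in per_client if ip not in known_devices)
    return dict(per_client), unknown

if __name__ == "__main__":
    summary, unknown = audit(SAMPLE_LOG, KNOWN_DEVICES)
    for ip, info in summary.items():
        label = KNOWN_DEVICES.get(ip, "UNKNOWN client")
        print(f"{ip} ({label}): {info['requests']} plaintext requests to {sorted(info['hosts'])}")
    print("clients not on my device list:", unknown)
```

Every host and user agent in the report was readable in the clear; that is the exposure a VPN tunnel would hide.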
driftnet captures images that are being downloaded from websites and such, and it’s pretty much as voyeuristic as you can get.
driftnet -v -i at0
Note: -v isn’t needed, but it shows textual output in the console window, which I prefer so I know it’s working or has found something. It’s far from perfect: during tests I found it only tended to pick up smaller images, presumably because it wasn’t able to fully grab the packets for larger JPGs and such, but it is effective nonetheless. Here I’ve browsed to a famous Chinese movie streaming website.
It certainly doesn’t pick up everything, but I can assure you that if they’re browsing to a certain pR0n site that begins with Red and ends with Tube, you’re going to know about it.
While I prefer the log file format of URLSnarf, webspy will actually attempt to mirror what the user is browsing on your computer. In practice it doesn’t work as well as I’d hoped, but it’s intriguing nonetheless. You need to target a specific user IP on the network though, which you should have from URLSnarf. Then type in the following:
webspy -i at0 [target ip address]
In another terminal, launch Firefox using:
Now, in theory, whatever they visit will be mirrored onto your local Firefox browser. In reality, I found it would open a new browser window for every request the website made – so a site like MakeUseOf might open new tabs for the various advertisers and Disqus commenting – and some sites would only open by IP address. Certainly good fun, and some sites work as expected, but of limited real world use.
Running these utilities on your own network to see who’s stealing your wifi and what they’re doing with it is probably acceptable, but once you start running these in public spaces (as someone did with this wifi picture frame that grabs traffic from open wifi spots), you enter a whole new realm of illegalities. Or do you? It’s actually quite easy to secure your traffic even on an open wifi by tunnelling everything through a VPN or similar, so I hope this just goes to show you exactly how dangerous WEP networks and open wifi can actually be. Think twice before jumping on that local “free internet” someone seems to be broadcasting for fun. I plan to explore some more wifi trickery over the coming weeks, so stay tuned and play safe, people.
As ever, feel free to comment and ask questions, or head over to our support community for crowd-sourced advice and unrelated questions.