Follow by Email

Blog Archive

Search This Blog

Intercept and analysis open WiFi traffic

How to Intercept and analysis open WiFi traffic using Wireshark
Share it:
Is it dangerous to use open WiFi
Internet access via WiFi is currently very popular. WiFi is in many apartments, in the workplace. When using wireless access, it is important to maintain the security of your Access Point
Intercept and analysis open WiFi traffic

Nowadays, public WiFi networks are also very popular. They are in restaurants, gyms, shopping centers, subways, hotels, private hospitals and clinics, apartments and condominiums - they can be found almost everywhere where quite a lot of people are going.

These networks have a feature - often they are open WiFi networks for connecting to which no password is required. Are there any additional security rules for working with such networks?

Yes, when using an open WiFi network, you need to be well aware that:
  • all data is transmitted by radio waves, that is, unlike wires, which are far from being accessed by everyone, radio waves can be intercepted by anyone who is within range of in
  •  open networks, data is not encrypted
With the first point, I think everything is clear, if someone with a computer and a WiFi card is close enough, then he can capture and save all the traffic transmitted between the wireless Access Point and all its clients.
    As for the second point, it is necessary to clarify the encryption of the transmitted data. For example, if you open a website that uses the HTTPS protocol (that is, a secure protocol), for example, https://fb.com/ then the data transmitted to this site and from this site to you is encrypted. If you open a website that uses the HTTP protocol, then all the transmitted data: which pages you visited, which comments you left, which cookies your web browser received - these data are transmitted in unencrypted form. So, if you are connected to a WiFi Access Point that requires entering a password, then the transmitted traffic is encrypted again. That is, even if you open a site on the HTTPS protocol, the transmitted traffic is encrypted twice (the first time when transmitting from a web browser to a web server and in the opposite direction, a second time when transmitting from your device to the Access Point, reverse direction). And if you open the site on the HTTP protocol, then the transmitted traffic is encrypted only once (only when transferring from your device to the Access Point and back).

    But open access points do not encrypt traffic. This means that if you use an open access point and open a website that runs on the HTTP protocol, then your data is transmitted in the clear and anyone near you can capture and save it. If you open a site on the HTTPS protocol, then this data is encrypted, however, you can still see exactly which sites you opened (although you don’t see which pages you entered, for example, which comments you left).

    So: you need to remember that open wireless networks are subject to interception of information.
    Next, I will show an example of data interception, from which it will become clearer what exactly an attacker can see.

    Intercept open WiFi networks traffic


    For a successful attack, you need a computer on Linux (for example, with Kali Linux or with BlackArch), and also a WiFi card from this list .

    Let's start by looking at the names of the wireless interfaces:
    iw dev
    iw dev
    As you can see, I have several wireless interfaces, I will use wlp0s20f0u2 .

    Putting the wireless interface in monitor mode:
    sudo ip link set INTERFACE down 
    sudo iw INTERFACE set monitor control 
    sudo ip link set INTERFACE up
    In previous commands, instead of INTERFACE, you need to enter the name that the wireless interface has on your system. For example, for the wlp0s20f0u2 commands look like this:
    sudo ip link set wlp0s20f0u2 down 
    sudo iw wlp0s20f0u2 set monitor control 
    sudo ip link set wlp0s20f0u2 up
    Run airodump-ng with a command like:
    sudo airodump-ng INTERFACE -t OPN
    Where:
    • INTERFACE - the name of the wireless interface in your system
    • -t OPN - a filter that shows only open WiFi networks
    My interface is called wlp0s20f0u2, so I run the following command:
    sudo airodump-ng wlp0s20f0u2 -t OPN
    An example of the data obtained:
    BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID 
                                                                                                 
    00:15:6D:9A:26:C0  -35       19      454    8   1   65  OPN              Anan Apartment      
    00:15:6D:9C:26:84  -45       29        1    0   6   65  OPN              Anan Apartment      
    00:27:22:02:C0:D0  -64       17        0    0   1   65  OPN              Anan Apartment     
    C8:3A:35:01:3F:90  -78        9        1    0  11  135  OPN              Tenda
    As you can see, there are several open Access Points at once. In principle, you can choose any of them to intercept data, but you need to remember that: for successful data analysis, it is important to capture the transmitted data from both the AP and the Clients. That is, I can choose to capture data from a remote AP and, probably, I will capture most of its wireless frames, but the fact is that Clients usually have less powerful wireless transmitters. Clients can also be located further away from me than the Access Point itself. For this reason, it is better to choose the closest AP. The higher the PWR value, the better the signal (just in case I remind you: negative numbers are closer to zero, the more they are). For example, in my situation, I choose a AP with a -35 signal.

    Directional antennas can significantly improve the quality of a wireless connection if directed in the right direction. As for data capture, it is better not to use a directional antenna, as AP can be in one direction, and its Clients - in others. It is advisable to use a large external antenna.

    It doesn't matter if the AP is a hotspot with authorization on the web interface (Captive Portal Check How to bypass Captive Portal) or simply open Access Point - the described interception method works the same for any of these options.

    To capture data, run airodump-ng again , but with a command like this:
    sudo airodump-ng INTERFACE --CHANNEL NUMBER --write openap
    Where:
    • INTERFACE - the name of the wireless interface,
    • Channel NUMBER - number of the channel where the target AP is located
    • Write openap - option to save captured data to file. In this case, the file name will begin with openap (can be changed to your liking)
    For example, I want to listen to the AP that runs on the first channel, for this I want to use the wlp0s20f0u2 wireless interface and save the captured information to a file that starts with openap, then my command is as follows:
    sudo airodump-ng wlp0s20f0u2 --channel 1 --write openap
    Analysis of traffic
    Next, wait for enough data to be collected. You can analyze data directly in the process of capturing - without stopping airodump-ng.

    Analysis open WiFi networks traffic


    During the work of airodump-ng, a file with the .cap extension will be created , for example, openap-01.cap.

    To analyze the data, you can use different programs, I will show the analysis of wireless traffic with Wireshark .

    Open the file with the captured data in Wireshark.

    To highlight different data, we will need Wireshark filters. Here I will show an example of using only some filters, it is recommended to study a large selection of useful Wireshark filters here .

    To assess the quality of capture, you can start with filters that display the results of the TCP protocol analysis.
    For example:
    tcp.analysis.duplicate_ack_num == 1
    Wireshark filters
    This filter displays information about frames with the ACK flag, which are duplicates. A large number of such frames may indicate communication problems between the Client and the Access Point.
    Filter showing frames for which the previous segment is not captured:
    tcp.analysis.ack_lost_segment
    tcp.analysis.ack_lost_segment
    This is normal at the beginning of data capture - because the information is not intercepted from the beginning. But if this error often occurs later, then you are too far from the Access Point or Clients and you do not capture some of the data that they transmit.

    To display frames that are retransmission (resend):
    tcp.analysis.retransmission
    A large number of such frames may indicate that there is a poor connection between the Client and the AP and they often have to resend the same data.
    Using filter:
    arp
    filter arp
    You can see the ARP traffic - with its help, it is convenient to analyze how many devices are currently connected to the local network, what IP addresses they have and what MAC addresses.
    Using filter
    dns
    You can see all sent DNS requests.
    DNS requests
    Thanks to these requests, you can find out which sites the users have visited (even if these sites use HTTPS!), As well as which online services were requested.

    For example, in the screenshot you can see the addresses of the online cinema Netflix, Facebook, various Google services.

    To filter HTTP traffic filter:
    http
    Here you can find a lot of interesting information. For example, you can see requests for services and data transmitted, including API keys, device identifiers, and so on:
    HTTP traffic filter
    You can see the visited URL with all the parameters passed:
    You can see the files downloaded and opened on the Internet:
    You can save any transferred file. To do this, select the package that contains it
    (1) with the mouse, then in the middle pane that contains detailed information, scroll to the bottom to find the data field and right-click on it to bring up the context menu
    (2), context menu, select Export Selected Packet Bytes
    (3) - Export bytes of the selected package:
    Enter a file name, select a location and save it.
    Using filter
    http.cookie
    You can see HTTP requests in which cookies were transmitted. And using the filter
    http.set_cookie
    You can see the requests in which the server has installed cookies in the user's browser. To search for any transferred images:
    http.content_type contains "image"
    To search for specific types of images:
    http.content_type contains "gif"
    http.content_type contains "jpeg"
    http.content_type contains "png"
    To search for files of a specific type:
    http.content_type contains "text"
    http.content_type contains "xml"
    http.content_type contains "html"
    http.content_type contains "json"
    http.content_type contains "javascript"
    http.content_type contains "x-www-form-urlencode"
    http.content_type contains "compressed"
    http.content_type contains "application"
    Search Wireshark requests for receiving files of a certain type. For example, to search for transferred ZIP archives:
    http.request.uri contains "zip"
    Instead of http.request.uri for greater accuracy, you can use http.request.uri.path or http.request.uri.query filters , for example, to search for requests to download JPG files (links to pictures):
    http.request.uri.path contains "jpg"
    A filter that shows only the data sent by the POST method:
    http.request.method == "POST"
    A filter that shows only the data transmitted by the GET method:
    http.request.method == "GET"
    Search for requests to a specific site (host):
    http.host == ""
    Search requests to a specific site by name:
    http.host contains "www.facebook.com"
    Conclusion
    Now the number of applications and sites that do not use encryption is rapidly decreasing. Therefore, the danger of such interception decreases every year. Nevertheless, it is.
    Share it:

    Wifi Hacking

    Post A Comment:

    0 comments: