A locksmith came to let me back into my apartment the other day. He told me that because the front lock was a 'commercial' lock, he'd have to charge me $50 extra. I asked him if he would charge the same if he used the same lock-picking technique on a residential lock (since this was a residence); he said yes. So then I asked him what was so special about a bump key for this lock versus a residential lock, since they're both just blanks cut to five-nines and this lock has no anti-bump pin. He said, nothing special. So I asked him, since the bump key works exactly the same on either lock, why was he charging me an extra $50?
He ended up dropping the extra.
Security is not a Dark Art, and there is no harm in teaching people how or why attacks work. If you can find it at a bookstore or via a Google search, it's safe to disseminate to the general public via blog.
This is pretty standard wireshark stuff; showing data that was on an unencrypted network.
What I've been wondering about for a while now is, can wireshark show data on an encrypted network, assuming it has the key? Can wireshark take a known WEP/WPA2 key and use it to decrypt the packets on an encrypted network on the fly? I haven't found any CLIs or GUIs that have been able to do this out of the box. But surely someone has made this somewhere.
Wireshark is straightforward for revealing data on unencrypted wireless, but I haven't discovered how it could be used to monitor network users when someone has deciphered the key unbeknownst to the users who assume they are operating on an encrypted network such as WEP/WPA2.
Does the nature of the encrypted handshake make this impossible?
I feel like there is a major opening for access point makers to simplify 802.1x rollout for all networks. Now it requires a whole bunch of steps only IT admins can do (RADIUS server, etc).
Maybe your new Dlink router comes with an 'app' which generates unique logins (with optional expiration times) that you can give out to users. There's a whole market of coffeeshop/restaurant wifi providers but they usually use no/shared encryption and a captive portal for managing authentication. That's great for dispensing logins and handling expirations, but is horrible for your user's security and user experience.
Well, if your traffic is mainly facebook domains, then you're chatting with friends. If you're visiting wikileaks and freedom.press you're an armchair freedom-fighter. And if all your traffic goes to random AWS IPs packed in encrypted VPN frames, then you're most definitely a terrorist.
Assuming I wasn't a state actor and just a lowly hacker on a wifi connection, here's some things I can tell about your VPN'd connection:
* The operating system used
* Application-specific traffic patterns
* Content-specific traffic patterns
* The VPN provider and type
First off, I know you're using a phone, because it matches mobile device tcp/ip fingerprints. Second, I can make a reasonable guess about what kind of VPN you're using, both based on the service itself and its traffic or connection pattern. Third, I can make a guess about what kinds of applications you're using, because you are using a phone and the traffic looks a certain way for certain network applications. Fourth, I can guess what kind of content you're looking at, since I have a good idea what kind of browser and application you're using. Fifth, if I can match up all those fingerprints each time, I can identify you as the sole user of that connection, meaning I can now track you whenever I see your traffic. Sixth, by manipulating your traffic in small ways I can also determine more about your host and application(s) by how they respond to network transmission problems.
Based on all that, I can send you a phished e-mail that looks to exploit any of the services or hosts or applications you're using. I don't even need to know who to e-mail; I can just spam tons of addresses and check for results that match the fingerprinted services I discovered earlier.
Another fun attack would be to actually kill every connection you tried to make over a VPN using a specific application and content provider; because it would never work over the VPN, you might eventually try it over your regular connection, giving me a new point of attack.
The author seems to be making the assumption that the "target" is an unencrypted network. They provide no information on wireless network security and its effects on the attack, or the conditions that need to be met for someone to be able to perform it.
Protected networks require more effort depending on the method used: WEP is utterly broken; WPA/WPA2 can be broken but require considerably more effort and processing power. More concrete methods exist (802.1x) but are almost never used outside enterprise or educational facilities.
Finally, the chance that reversing an IP address will result in a correct hostname is most likely never the case.
The author is either very ill-informed on how wireless networks actually work or is trying to make people scared without explaining why these things happen and how they can protect themselves - either of which I really do not like.
Encryption of wireless isn't really a barrier; it can be easily broken. As it's very rare to not have a shared key, once you've joined the "encrypted" network you can see all the traffic flowing through it.
WEP stands for wireless equivalent privacy, and it is. It's trivial to break (just like monitoring wired connections).
There are many unencrypted networks around: hotels, cafes, hotspots at airports and train stations, inside trains and planes and even cities start to provide their own wireless networks. And I expect less than 10% of the regular users to use VPNs or to keep track of only using HTTPS (or secure connections on other protocols).
So I don't know anything about this stuff but looking at the XKCD example it looks really easy to see virtually everything my neighbours are doing on the web. What am I missing? Or is it really this insecure to use wireless?
Encryption. Your neighbours hopefully have protected their wifi with a password. This prevents casual snooping but of course can't really keep out a dedicated attacker. There are automated tools to break WPA encryption.
Additionally, if your neighbours are browsing using SSL/TLS then you theoretically cannot eavesdrop on those sessions.
I've been thinking about this a lot lately. The ideal solution seems to be to encrypt traffic between all hosts on the local network. Are there any good resources for how to set up IPSEC or something on a local wifi network?
The solution already exists in the form of WPA2-Enterprise auth (802.1x), but support is still fairly sparse on consumer devices like cheaper WiFi routers or media streamers. It's also difficult to configure and manage, for the average user.
"If you’re wondering why the network card has access to all messages on the network, consider that you need to see every message in order to determine which ones you are supposed to receive."
Whuuut
I'm not sure what's causing you confusion. In an over-the-air situation you need to grab all the traffic to ensure you aren't missing something addressed to you. Once you grab the traffic, you can drop or otherwise ignore traffic not meant for you.
This is why wifi is segmented into channels: to reduce the number of packets that devices need to sift through.
This is how Ethernet works. Wireless is somewhat similar to a hub vs a switch. The spectrum is mostly a shared medium, just like 10baseT networks, or Ethernet hubs.
What bothers me is that neither the author nor anyone here mentioned that HTTPS does leak metadata in the form of the SNI extension, which provides the server with the requested host before the cert exchange.
And even without SNI (e.g. IE on XP), there must be only one SSL site hosted on that particular IP, so the attacker can just connect to it and see what site (s)he gets.
"A Shark on the Network" is more appropriate than "How to listen in on wireless network traffic" for this particular post. If it's a "how to listen in...", I would expect the article to introduce better passive attacks (in monitor mode) and raw packet injection attacks that don't require you to be associated to a particular access point, and finally the different wifi chipsets that allow you to perform these types of attacks.
I was hoping to read some recommendations on chipsets that are able to monitor multiple channels simultaneously... but then it was just another misleading headline.
geoah | 11 years ago
http://wiki.wireshark.org/HowToDecrypt802.11
leeber | 11 years ago
So all you'd see from me is encrypted stuff being sent to a random IP address.
peterwwillis | 11 years ago
Hacking is fun!
deathanatos | 11 years ago
Care to elaborate? Aside from brute force attacks, my understanding is that WPA2-PSK using AES is secure.
bostik | 11 years ago
If you can hear the signal, you can capture the traffic.
mlrtime | 11 years ago
http://d3js.org/
abalone | 11 years ago
http://blog.nodenexus.com/assets/img/hostshark.gif