How-to: Easy wireless eavesdropping with a Mac - Minut...

https://mike.tig.as/blog/2010/04/14/easy-wireless-eavesd...

Minuti
Loud thinking from the mind of Mike Tigas.

How-to: Easy wireless eavesdropping with a Mac

Simple question: is unsecured wireless an actual, real-world problem? Simple answer: YES. HELL YES. Not a single coffee shop I frequent has any sort of wireless security. While I understand the consequences of that, I know that others dont. Plenty of poeple take unprotected, public wireless for granted. Some dont understand the risks and others believe that wireless eavesdropping is beyond the technical reach of just any ol person. Thats simply not true. Its dangerously easy for anyone to do and today, Im going to show you how someone can start eavesdropping on an unprotected wireless network in mere minutes. Im going to show you just how easy it is. And then Ill talk about what you can do about it.

Super important disclaimer text: If youre not doing this on your own wireless network, get permission first. Otherwise, you may be breaking the law. I will not be held liable for what you do, based on whatever you learn from here. If you dont agree with that, stop reading.

This is Mac-oriented, for simplicitys sake: OS X comes with a lot of things that make this way too easy and thats the point Id like to get across. (This is completely doable on other systems, however. ) This guide is for tech-savvy folks whove used the command-line before. (A previous draft was more general-purpose, but far longer than I was comfortable publishing.)
[1]

1 of 8

10/01/2013 02:42 AM

How-to: Easy wireless eavesdropping with a Mac - Minut...

https://mike.tig.as/blog/2010/04/14/easy-wireless-eavesd...

TOOLS
Mac OS X comes with a version of tcpdump, which is a common command-line tool for dumping (aka sniffing; saving) the packets that zip across a network. To actually analyze and get interesting information out of the mass of information in a packet dump download Wireshark. Im using the Development Release (1.3.4), but Stable should work fine as well. Install that to your Applications folder by dragging it over.

USING TCPDUMP
My usual use case looks something like the following. (Ill explain all of the bits below.)
sudo tcpdump \ -i $WIFICARD \ -I \ -n \ -w $OUTPUT_FILE \ not ether host $ETHER_ADDR \ and not host $IP_ADDR \ and not "(wlan[0:1] & 0xfc) == and not "(wlan[0:1] & 0xfc) == and not "(wlan[0:1] & 0xfc) == and not "(wlan[0:1] & 0xfc) == and not "(wlan[0:1] & 0xfc) == and not "(wlan[0:1] & 0xfc) ==

0x40" 0x50" 0x80" 0xa4" 0xc4" 0xd4"

\ \ \ \ \

-i sets the network card youll be using ($WIFICARD is your wireless card
en1 , for example, is usually the identifier for Airport cards in Mac laptops)

-I puts your network card in monitor mode, where it listens in on all packets on the network, not just the ones addressed to you. -n disables name resolution, since we dont need it for our packet dump -w sets the output packet dump file ($OUTPUT_FILE could be something like
~/Desktop/capture.pcap )

The last few options filter down our dataset: Dont save data between our computer and the access point, since were interested in eavesdropping other people ($ETHER_ADDR and $IP_ADDR would be your MAC and IP addresses on the local network, respectively) Dont save miscellaneous packets like wireless beacon packets and pings.

2 of 8

10/01/2013 02:42 AM

How-to: Easy wireless eavesdropping with a Mac - Minut...

https://mike.tig.as/blog/2010/04/14/easy-wireless-eavesd...

There are a lot of them, and they dont hold any useful data. Tip: you can run inet. An example:
sudo tcpdump -i en1 -I -n -w ~/Desktop/dump.pcap not ether host 00:26:bb:0b:1e:01 airport -I

to see what your

$WIFICARD

is. From there, you can get

the others by running

ifconfig $WIFICARD

look the values next to ether and

Alternatively, Ive wrapped up that command in a script that (should) automatically figure out your IP and MAC addresses, then start a packet dump that saves to your desktop. You can view the script here and download it from here. Since the
tcpdump

command within the script is being run via

sudo , itll ask for your

password

tcpdump

needs to be run as an administrator to switch the wireless card on the command-line unless youre absolutely sure its safe.)

over to monitor mode. (Aside: check out the code before running it. Never ever let run anything with
sudo

Assuming youve downloaded it to your Downloads folder, creating a packet dump is as simple as:
cd ~/Downloads chmod +x sniff.sh ./sniff.sh

If the script is working, youll notice the dump file appear on the desktop and grow as you capture packets. You are now eavesdropping on other peoples connections on the given wireless network. At any point, you can finish up and close the script by pressing control-c.

MAKING SENSE OF THE DATA

Open up Wireshark. Go to File->Open and go open up that .pcap file that youve created. You should now have a huge list of packets. For our intents and purposes, we really dont care about a lot of packet types, so paste the following into the Filter box and
3 of 8 10/01/2013 02:42 AM

How-to: Easy wireless eavesdropping with a Mac - Minut...

https://mike.tig.as/blog/2010/04/14/easy-wireless-eavesd...

click on Apply. (Note that since Wireshark is an X11-based application, pasting is done with control-v, rather than -v.) (http or smtp or imap or pop or aim or jabber or aim_chat or aim_budd

You should now have a packet dump that looks sort of like the following. (Click for a larger view.)

You can now dig around and browse all of the data that went through the wireless network: Web pages, SMTP/IMAP/POP e-mail, AIM conversations, Jabber (Google Talk, Facebook Chat) conversations provided theyre unencrypted. (Side note: AIM and Google Talk now default to using SSL encryption. Most e-mail hosts do, too.) The packet data panel (the second or third one bottom one in my example image) allows you to drill down the layers of protocols-within-protocols in every packet. Play around with it! The following filters might also be nice to experiment with:
aim.messageblock.message

will only show IM messages over the AIM will only snow Web pages with

network.
http.request.uri contains "profile.php"

"profile.php" in the link (i.e., Facebook)

http.request.uri contains "login" http.request.uri contains "mail" http contains "username"

will only show requests that have the string

"username" anywhere within the URL or content. (Surprise: this includes submissions to unencrypted login forms, if there are any.)

4 of 8

10/01/2013 02:42 AM

How-to: Easy wireless eavesdropping with a Mac - Minut...

https://mike.tig.as/blog/2010/04/14/easy-wireless-eavesd...

BUT WAIT! THERES MORE!

Wireshark can automatically parse out intercepted files and save them to your hard drive. This means you dont even need to make sense of the raw protocols to get tangible results. Go to File->Export->Objects->HTTP. Click on Save All. Type in a name for this folder and hit OK ignore the Some files could not be saved error. Open up that folder and youll see nearly every file transmitted over the network while you were capturing packets:

TO DRIVE THE POINT HOME

Scared yet? You should be. Unsecured public wireless networks are a huge risk to those who dont understand just how open they are. Ive just shown you how little time and effort an eavesdropping attack takes. In mere minutes of idle time (about 10 in my example dump), anyone has the ability to collect a treasure trove of information on the people using a wireless network around them. Digital eavesdropping and identity theft dont have to be targeted crimes against specific people. Digital thieves can cast wide nets and hope they drag something valuable in.

WHAT YOU CAN DO

If your school or company has a VPN, log into it whenever you connect to an open

5 of 8

10/01/2013 02:42 AM

How-to: Easy wireless eavesdropping with a Mac - Minut...

https://mike.tig.as/blog/2010/04/14/easy-wireless-eavesd...

wireless network. (Provided your connection doesnt need extra authentication like Cisco Clean Access, even non-computer devices like the iPhone support VPN.) Connecting through a VPN encrypts data between you and the VPN only after your information makes it to your VPNs internet connection does it become unencrypted (and from there, it goes to the internet normally). Alternatively, if youre savvy enough to have SSH access to a Web server, you can use it as a secure proxy tunnel in practically the same way. If you understood what I just said, you can probably wing it. If you dont have access to the above, you cant really do that much. Ideally, you should ask your local business to enable WPA on their network and either post the password or have customers ask for it. (My nearby Rocket Market operated their wireless like this, back when I lived up in Spokane.) Most importantly: tread lightly. Never do anything confidential on an unprotected wireless network. And whenever you do go out, only log into sites and services that use SSL. (Facebook, Twitter, Gmail, and many other major sites always send your username & password via HTTPS. Gmail can be read over HTTPS, as can most other e-mail services. iChat can be set to Require SSL under your accounts server settings.) Cautiousness is a virtue, online. Be careful and always be prepared for the worst. Think before you log in. Dont use the same password everywhere. (I used to keep a rotation of about four passwords before switching to all random passwords and 1Password as a password manager.) Dont take the Internet for granted. Oh yeah, and dont ever try anything Ive mentioned here, unless you have permission.
[1] Wireshark does work on all platforms and also performs the sniffing aspects on Windows/Linux if your drivers allow it. With a little bit of effort, you can figure that out. You can still make do with my Wireshark analysis instructions once you have a packet dump.

April 14, 2010 permalink share

6 of 8

10/01/2013 02:42 AM

How-to: Easy wireless eavesdropping with a Mac - Minut...

https://mike.tig.as/blog/2010/04/14/easy-wireless-eavesd...

Comments
Comments for this thread are now closed.

Share 0

2 comments
Oldest Community Mike Tigas
3 years ago

Avatar

And as a postscript: In my mind, this is akin to teaching someone how to wield a gun and saying DONT SHOOT ANYONE ELSE, OKAY? On the Internet, there are no licenses required to tinker which is great for learning, but also frightening since *anyone* is capable of exploiting bugs, loopholes, and unsafe methods. While working on this, Ive already convinced a few friends of the genuine dangers of coffee shop and hotel WiFi. I think the education and cautiousness of folks outweighs the chances of someone going malicious with this.

Avatar

Share

Chris Tigas

3 years ago

you have what is literally the gayest font on this site. take it down immediately or be subjected to intense nonconstructive criticism.

Share

Subscribe

Add Disqus to your site

Five Years

Looking for something? Compartmentalization

Archive
Mike Tigas is a Knight-Mozilla OpenNews Fellow and a Web/mobile applications developer with experience in the media industry (portfolio).
PGP: 0x6E0E9923 & 0x3082B5A3, OTR: 0xB0846D0B & 0x17F5E551

20012013 Mike Tigas. CC Attribution 3.0. See license.

7 of 8

10/01/2013 02:42 AM

How-to: Easy wireless eavesdropping with a Mac - Minut...

https://mike.tig.as/blog/2010/04/14/easy-wireless-eavesd...

Powered by Django and django-medusa. See colophon.

Also available via Tor: tigas3l7uusztiqu.onion

8 of 8

10/01/2013 02:42 AM