Wednesday 5 August 2015

How to sniff HTTP traffic on the local Wi-Fi network in 10 steps

We need:

(1) Attacker: Linux machine with two Wi-Fi cards; I am using Kali with an internal Atheros card and an external Alfa (AWUS036NH) Wi-Fi card.
(2) Victim: mobile device; I am using a smartphone.
(3) Wi-Fi router with a configured Wi-Fi network.

Steps:

(1) Verify that both Wi-Fi network cards are connected to the same Wi-Fi network:

root@kali:/# iwconfig
wlan1 IEEE 802.11bgn ESSID:"MYWIFINET"
Mode:Managed Frequency:2.457 GHz Access Point: 10:AD:AF:CD:A7:A4
Bit Rate=1 Mb/s Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=70/70 Signal level=-37 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:4 Missed beacon:0

eth0 no wireless extensions.

lo no wireless extensions.

wlan0 IEEE 802.11bgn ESSID:"MYWIFINET"
Mode:Managed Frequency:2.457 GHz Access Point: 10:AD:AF:CD:A7:A4
Bit Rate=65 Mb/s Tx-Power=16 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=64/70 Signal level=-46 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:2 Invalid misc:332 Missed beacon:0


Atheros is wlan0 and Alfa is wlan1:

root@kali:/# ifconfig
eth0 Link encap:Ethernet
...

lo Link encap:Local Loopback
...

wlan0 Link encap:Ethernet HWaddr ac:ba:ad:aa:aa:aa
inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::9eb7:dff:fe04:d2f5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:993402 errors:0 dropped:16671 overruns:0 frame:0
TX packets:1037777 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1231583696 (1.1 GiB) TX bytes:293024209 (279.4 MiB)

wlan1 Link encap:Ethernet HWaddr 00:c0:ca:bb:bb:bb
inet addr:192.168.0.9 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::2c0:caff:fe59:23d0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1164 (1.1 KiB) TX bytes:1882 (1.8 KiB)

(2) Put one of the Wi-Fi interfaces into monitor mode:

root@kali:/# airmon-ng start wlan1

Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2539 NetworkManager
2644 wpa_supplicant
3037 dhclient
19213 dhclient
20374 dhclient
Process with PID 20374 (dhclient) is running on interface wlan1
Process with PID 19213 (dhclient) is running on interface wlan0


Interface Chipset Driver

wlan1 Ralink RT2870/3070 rt2800usb - [phy4]
(monitor mode enabled on mon0)
wlan0 Atheros AR9485 ath9k - [phy0]



(3) Go to Wireshark's WPA PSK (Raw Key) Generator page: https://www.wireshark.org/tools/wpa-psk.html
Type in your Wi-Fi network's name (SSID) and password and click the "Generate PSK" button. The PSK depends only on these two values, so anyone who knows the network password can derive it.

(4) Start Wireshark. If it is not installed, install it with the apt-get install wireshark command.

(5) In Wireshark: go to Capture --> Options and check "Use promiscuous mode on all interfaces".

(6) In Wireshark: go to Edit --> Preferences --> Protocols --> IEEE 802.11, check the "Enable decryption" option and add the generated PSK as a new wpa-psk key under Decryption Keys.

(7) In Wireshark's main dashboard select the monitor interface created by airmon-ng; that is mon0 in my case.
Press the "Start" button to begin the live capture.

(8) Connect the mobile device to the Wi-Fi network. Wireshark must capture the WPA handshake packets exchanged between the victim and the router when the victim joins the network, because the per-client key is derived from values in that handshake; without it the captured frames cannot be decrypted.

(9) In the browser of the victim's device type in any http:// address and allow it to load. I typed http://m.bbc.co.uk/weather/2643743 in order to get the weather forecast for London from the BBC Weather mobile website.

(10) Stop Wireshark and look for HTTP traffic to or from an IP address that is not one of the attacker machine's own Wi-Fi interfaces. In my case that was 192.168.0.5. I could see DNS requests for all the services my smartphone uses (Google, Facebook, WhatsApp...) as well as the DNS query for m.bbc.co.uk and the HTTP GET request that was sent!
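The key mechanics behind steps 3 and 8, as an added Python example that is not part of the original post: the PSK the Wireshark generator produces is plain PBKDF2 over the SSID and passphrase, and the per-client PTK is that shared PSK mixed with the MAC addresses and the two nonces from the 4-way handshake. The router BSSID is taken from the iwconfig output above; the client MAC addresses, nonces and passphrase are constructed.

```python
import hashlib
import hmac


def wpa_psk(ssid: str, passphrase: str) -> bytes:
    """256-bit WPA/WPA2-Personal PSK, i.e. the value the Wireshark generator
    in step 3 emits: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """512-bit PTK for one client: the shared PMK (the PSK) mixed with both MAC
    addresses and both 4-way-handshake nonces. Wireshark needs the captured
    handshake (step 8) precisely because the nonces cannot be derived from the
    passphrase."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def same_network_different_clients(ssid: str, passphrase: str) -> bool:
    """Constructed scenario: two phones on one PSK network share the PMK but
    end up with different PTKs; returns True when that holds."""
    pmk = wpa_psk(ssid, passphrase)
    ap = bytes.fromhex("10adafcda7a4")            # router BSSID from the page
    phone_a = bytes.fromhex("020000000001")       # constructed client MACs
    phone_b = bytes.fromhex("020000000002")
    anonce = bytes(range(32))                     # constructed nonces
    snonce_a = bytes(32 - i for i in range(32))
    snonce_b = bytes([0x5A] * 32)
    ptk_a = wpa_ptk(pmk, ap, phone_a, anonce, snonce_a)
    ptk_b = wpa_ptk(pmk, ap, phone_b, anonce, snonce_b)
    return len(ptk_a) == 64 and ptk_a != ptk_b


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector for the passphrase-to-PSK mapping.
    print(wpa_psk("IEEE", "password").hex())
    print(same_network_different_clients("MYWIFINET", "correct horse battery"))
```

The PSK is the same for every client and every session, which is why knowing the network password is enough to decrypt all plain-HTTP traffic on it and why only end-to-end TLS (or per-user keys, as in WPA-Enterprise) protects the content.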
