Wednesday, 5 August 2015

How to sniff HTTP traffic on the local Wi-Fi network in 10 steps

We need:

(1) Attacker: Linux machine with two Wi-Fi cards; I am using Kali with an internal Atheros card and an external Alfa (AWUS036NH) Wi-Fi card.
(2) Victim: mobile device; I am using a smartphone.
(3) Wi-Fi router with a configured Wi-Fi network.

Steps:

(1) Verify that both Wi-Fi network cards are connected to the same Wi-Fi network:

root@kali:/# iwconfig
wlan1 IEEE 802.11bgn ESSID:"MYWIFINET"
Mode:Managed Frequency:2.457 GHz Access Point: 10:AD:AF:CD:A7:A4
Bit Rate=1 Mb/s Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=70/70 Signal level=-37 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:4 Missed beacon:0

eth0 no wireless extensions.

lo no wireless extensions.

wlan0 IEEE 802.11bgn ESSID:"MYWIFINET"
Mode:Managed Frequency:2.457 GHz Access Point: 10:AD:AF:CD:A7:A4
Bit Rate=65 Mb/s Tx-Power=16 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=64/70 Signal level=-46 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:2 Invalid misc:332 Missed beacon:0


Atheros is wlan0 and Alfa is wlan1:

root@kali:/# ifconfig
eth0 Link encap:Ethernet
...

lo Link encap:Local Loopback
...

wlan0 Link encap:Ethernet HWaddr ac:ba:ad:aa:aa:aa
inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::9eb7:dff:fe04:d2f5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:993402 errors:0 dropped:16671 overruns:0 frame:0
TX packets:1037777 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1231583696 (1.1 GiB) TX bytes:293024209 (279.4 MiB)

wlan1 Link encap:Ethernet HWaddr 00:c0:ca:bb:bb:bb
inet addr:192.168.0.9 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::2c0:caff:fe59:23d0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1164 (1.1 KiB) TX bytes:1882 (1.8 KiB)

(2) Put one of the Wi-Fi interfaces into monitor mode:

root@kali:/# airmon-ng start wlan1

Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2539 NetworkManager
2644 wpa_supplicant
3037 dhclient
19213 dhclient
20374 dhclient
Process with PID 20374 (dhclient) is running on interface wlan1
Process with PID 19213 (dhclient) is running on interface wlan0


Interface Chipset Driver

wlan1 Ralink RT2870/3070 rt2800usb - [phy4]
(monitor mode enabled on mon0)
wlan0 Atheros AR9485 ath9k - [phy0]



(3) Go to Wireshark's WPA PSK (Raw Key) Generator page: https://www.wireshark.org/tools/wpa-psk.html
Type in your Wi-Fi network's name (SSID) and password and click the "Generate PSK" button.

(4) Start Wireshark. If it is not installed, install it with the apt-get install wireshark command.

(5) In Wireshark: go to Capture --> Options and check "Use promiscuous mode on all interfaces"

(6) In Wireshark: go to Edit --> Preferences --> Protocols --> IEEE 802.11, check the "Enable decryption" option and add the generated PSK as a new wpa-psk key under Decryption Keys.

(7) In Wireshark's main window select the monitor interface created by airmon-ng; that is mon0 in my case.
Press the "Start" button to start the live capture.

(8) Connect the mobile device to the Wi-Fi network. Wireshark has to capture the WPA handshake (EAPOL-Key) packets exchanged between the victim and the router when the victim joins the Wi-Fi network; without that client's handshake Wireshark cannot decrypt its traffic.

(9) In the browser on the victim's device type in any http address and let it load. I typed http://m.bbc.co.uk/weather/2643743 to get the weather forecast for London from the BBC Weather mobile website.

(10) Stop Wireshark and search for HTTP traffic to or from any IP address that is not one of the local Wi-Fi interfaces' addresses. In my case that was 192.168.0.5. I could see DNS requests to all the services my smartphone uses (Google, Facebook, WhatsApp...), the DNS query for m.bbc.co.uk, and the HTTP GET request that was sent!
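Steps 3 and 8 are the two things the decryption actually rests on: the PSK, which is nothing more than PBKDF2-HMAC-SHA1 over the passphrase and SSID (which is why a shared WPA2 passphrase gives clients no confidentiality from each other: anyone holding it derives the same key), and the four-message EAPOL-Key handshake, which the capture must contain for each client you want to read. The Python script below is an added example, not code from the original post or from Wireshark. It derives the PSK exactly as the generator page does and scans a list of raw 802.11 frames for the four handshake messages, so a capture can be checked for completeness before the HTTP hunt of step 10. The frames in SAMPLE_FRAMES are constructed for this example (zeroed nonces and MICs, a made-up client MAC), the message classification by Key Information bits assumes a WPA2 (RSN) handshake, frames are assumed to carry no FCS trailer, and all helper names are my own.

```python
import hashlib
import struct

# 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes.
# This is what Wireshark's "WPA PSK (Raw Key) Generator" page computes.
def derive_psk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"
ETHERTYPE_EAPOL = b"\x88\x8e"


def data_frame_body(frame: bytes):
    """Payload of an unprotected 802.11 data frame (no FCS assumed), or None."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:        # frame type 2 = data
        return None
    subtype = (fc0 >> 4) & 0xF
    if subtype & 0x4:                # "no data" subtypes (Null, QoS Null, ...)
        return None
    if fc1 & 0x40:                   # Protected flag: encrypted body, not a raw handshake
        return None
    offset = 24
    if (fc1 & 0x03) == 0x03:         # ToDS and FromDS both set: 4th address present
        offset += 6
    if subtype & 0x8:                # QoS data: 2-byte QoS control field
        offset += 2
        if fc1 & 0x80:               # Order flag on a QoS frame: 4-byte HT control field
            offset += 4
    return frame[offset:]


def eapol_key_info(frame: bytes):
    """Key Information field of an EAPOL-Key frame, or None for anything else."""
    body = data_frame_body(frame)
    if body is None or len(body) < 8 or body[:6] != LLC_SNAP or body[6:8] != ETHERTYPE_EAPOL:
        return None
    eapol = body[8:]
    if len(eapol) < 4 or eapol[1] != 3:   # EAPOL packet type 3 = EAPOL-Key
        return None
    (length,) = struct.unpack(">H", eapol[2:4])
    key = eapol[4:4 + length]
    if len(key) < 3:
        return None
    (key_info,) = struct.unpack(">H", key[1:3])   # byte 0 is the descriptor type
    return key_info


def handshake_message_number(key_info: int):
    """Classify a 4-way handshake message by its Key Information flags (WPA2/RSN)."""
    install = bool(key_info & 0x0040)
    ack = bool(key_info & 0x0080)
    mic = bool(key_info & 0x0100)
    secure = bool(key_info & 0x0200)
    if ack and not mic:
        return 1                      # AP -> STA: ANonce
    if ack and mic and install:
        return 3                      # AP -> STA: install PTK, deliver GTK
    if mic and not ack and not secure:
        return 2                      # STA -> AP: SNonce, first MIC
    if mic and not ack and secure:
        return 4                      # STA -> AP: final confirmation
    return None


def handshake_messages_seen(frames):
    """Set of handshake message numbers (1-4) present in a list of raw 802.11 frames."""
    seen = set()
    for frame in frames:
        key_info = eapol_key_info(frame)
        number = handshake_message_number(key_info) if key_info is not None else None
        if number:
            seen.add(number)
    return seen


def capture_ready(passphrase: str, ssid: str, frames) -> dict:
    """PSK plus which handshake messages a capture holds; all four is the safe criterion."""
    seen = handshake_messages_seen(frames)
    return {"psk": derive_psk(passphrase, ssid).hex(), "messages": seen, "complete": seen == {1, 2, 3, 4}}


# --- constructed sample frames, not captured traffic ---
AP = bytes.fromhex("10adafcda7a4")    # BSSID shown in the post's iwconfig output
STA = bytes.fromhex("020000000001")   # made-up locally administered client address


def _eapol_key_frame(to_ap: bool, key_info: int) -> bytes:
    fc = bytes([0x88, 0x01 if to_ap else 0x02])            # QoS data, ToDS or FromDS
    addrs = (AP + STA + AP) if to_ap else (STA + AP + AP)
    header = fc + b"\x00\x00" + addrs + b"\x00\x00" + b"\x00\x00"   # duration, seq ctrl, QoS ctrl
    # RSN descriptor (type 2), Key Information, then zeroed length/replay/nonce/IV/RSC/ID/MIC/data length
    key = bytes([2]) + struct.pack(">H", key_info) + bytes(2 + 8 + 32 + 16 + 8 + 8 + 16 + 2)
    eapol = bytes([2, 3]) + struct.pack(">H", len(key)) + key      # EAPOL v2, type EAPOL-Key
    return header + LLC_SNAP + ETHERTYPE_EAPOL + eapol


SAMPLE_FRAMES = [
    bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00" + bytes(12),  # beacon, ignored
    _eapol_key_frame(False, 0x008A),   # message 1
    _eapol_key_frame(True, 0x010A),    # message 2
    _eapol_key_frame(False, 0x13CA),   # message 3
    _eapol_key_frame(True, 0x030A),    # message 4
    bytes([0x88, 0x01]) + b"\x00\x00" + AP + STA + AP + bytes(4) + LLC_SNAP + b"\x08\x00" + bytes(20),  # IP data, ignored
]

if __name__ == "__main__":
    print(capture_ready("password", "IEEE", SAMPLE_FRAMES))
```

The "password"/"IEEE" pair in the usage line is the published IEEE 802.11i test vector, so the derived PSK can be compared against the generator page directly. If a real capture reports fewer than four messages for a client, the handshake was missed or only partly captured, which is the usual reason decryption silently yields nothing.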


