Safe snooping of Wi-Fi packets with sniffglue «Null Byte :: WonderHowTo

Step 4: Snoop Wi-Fi in promiscuous mode

Next, turn to our Wi-Fi card. First, find out the name of the card by running ip a again and filtering its output.

~/.cargo/bin$ ip a | grep MULTICAST

2: enp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000

Then run sniffglue on our system with the -d argument, which prints more detail for each packet, and the -p argument, which puts our card into promiscuous mode. In the following example, I navigated to badsite.com after I started monitoring wireless traffic on the wlp1s0 card.

~/.cargo/bin$ sudo ./sniffglue wlp1s0 -d -p

Listening on device: "wlp1s0"
eth: EthernetFrame { source_mac: MacAddress([48, 82, 203, 107, 118, 95]), dest_mac: MacAddress([64, 112, 9, 133, 209, 167]), ethertype: IPv4 }
ipv4: IPv4Header { version: 4, ihl: 20, tos: 0, length: 73, id: 44379, flags: 2, fragment_offset: 0, ttl: 64, protocol: UDP, chksum: 52279, source_addr: 192.168.0.24, dest_addr: 209.18.47.62 }
udp: UdpHeader { source_port: 43195, dest_port: 53, length: 53, checksum: 13395 }
dns: Request(Request { questions: [(A, "googleads.g.doubleclick.net")] })
eth: EthernetFrame { source_mac: MacAddress([64, 112, 9, 133, 209, 167]), dest_mac: MacAddress([48, 82, 203, 107, 118, 95]), ethertype: IPv4 }
ipv4: IPv4Header { version: 4, ihl: 20, tos: 0, length: 114, id: 51085, flags: 2, fragment_offset: 0, ttl: 57, protocol: UDP, chksum: 47324, source_addr: 209.18.47.62, dest_addr: 192.168.0.24 }
udp: UdpHeader { source_port: 53, dest_port: 43195, length: 94, checksum: 33904 }
dns: Response(Response { answers: [("googleads.g.doubleclick.net", CNAME("pagead46.l.doubleclick.net")), ("pagead46.l.doubleclick.net", A(172.217.14.66))] })
eth: EthernetFrame { source_mac: MacAddress([48, 82, 203, 107, 118, 95]), dest_mac: MacAddress([64, 112, 9, 133, 209, 167]), ethertype: IPv4 }
ipv4: IPv4Header { version: 4, ihl: 20, tos: 0, length: 60, id: 45283, flags: 2, fragment_offset: 0, ttl: 64, protocol: UDP, chksum: 51388, source_addr: 192.168.0.24, dest_addr: 209.18.47.62 }
udp: UdpHeader { source_port: 33734, dest_port: 53, length: 40, checksum: 35194 }
dns: Request(Request { questions: [(AAAA, "www.google.com")] })
eth: EthernetFrame { source_mac: MacAddress([64, 112, 9, 133, 209, 167]), dest_mac: MacAddress([48, 82, 203, 107, 118, 95]), ethertype: IPv4 }
ipv4: IPv4Header { version: 4, ihl: 20, tos: 0, length: 88, id: 41776, flags: 2, fragment_offset: 0, ttl: 57, protocol: UDP, chksum: 56659, source_addr: 209.18.47.62, dest_addr: 192.168.0.24 }
udp: UdpHeader { source_port: 53, dest_port: 33734, length: 68, checksum: 49539 }
dns: Response(Response { answers: [("www.google.com", AAAA(2607:f8b0:4007:80c::2004))] })
eth: EthernetFrame { source_mac: MacAddress([48, 82, 203, 107, 118, 95]), dest_mac: MacAddress([64, 112, 9, 133, 209, 167]), ethertype: IPv4 }
ipv4: IPv4Header { version: 4, ihl: 20, tos: 0, length: 569, id: 20264, flags: 2, fragment_offset: 0, ttl: 64, protocol: TCP, chksum: 30553, source_addr: 192.168.0.24, dest_addr: 172.217.4.164 }
tcp: TcpHeader { source_port: 46596, dest_port: 443, sequence_no: 766031290, ack_no: 3289351807, data_offset: 8, reserved: 0, flag_urg: false, flag_ack: true, flag_psh: true, flag_rst: false, flag_syn: false, flag_fin: false, window: 229, checksum: 42372, urgent_pointer: 0, options: None }
tls: ClientHello { hostname: Some("www.google.com") }
eth: EthernetFrame { source_mac: MacAddress([48, 82, 203, 107, 118, 95]), dest_mac: MacAddress([64, 112, 9, 133, 209, 167]), ethertype: IPv4 }
ipv4: IPv4Header { version: 4, ihl: 20, tos: 0, length: 57, id: 45378, flags: 2, fragment_offset: 0, ttl: 64, protocol: UDP, chksum: 51296, source_addr: 192.168.0.24, dest_addr: 209.18.47.62 }
udp: UdpHeader { source_port: 48260, dest_port: 53, length: 37, checksum: 40572 }
dns: Request(Request { questions: [(A, "badsite.com")] })
eth: EthernetFrame { source_mac: MacAddress([64, 112, 9, 133, 209, 167]), dest_mac: MacAddress([48, 82, 203, 107, 118, 95]), ethertype: IPv4 }
ipv4: IPv4Header { version: 4, ihl: 20, tos: 0, length: 89, id: 8256, flags: 2, fragment_offset: 0, ttl: 57, protocol: UDP, chksum: 24643, source_addr: 209.18.47.62, dest_addr: 192.168.0.24 }
udp: UdpHeader { source_port: 53, dest_port: 48260, length: 69, checksum: 26142 }
dns: Response(Response { answers: [("badsite.com", A(104.200.23.95)), ("badsite.com", A(104.200.22.130))] })
eth: EthernetFrame { source_mac: MacAddress([48, 82, 203, 107, 118, 95]), dest_mac: MacAddress([64, 112, 9, 133, 209, 167]), ethertype: IPv4 }
ipv4: IPv4Header { version: 4, ihl: 20, tos: 0, length: 57, id: 45384, flags: 2, fragment_offset: 0, ttl: 64, protocol: UDP, chksum: 51290, source_addr: 192.168.0.24, dest_addr: 209.18.47.62 }
udp: UdpHeader { source_port: 57772, dest_port: 53, length: 37, checksum: 61497 }
dns: Request(Request { questions: [(AAAA, "badsite.com")] })
eth: EthernetFrame { source_mac: MacAddress([64, 112, 9, 133, 209, 167]), dest_mac: MacAddress([48, 82, 203, 107, 118, 95]), ethertype: IPv4 }
ipv4: IPv4Header { version: 4, ihl: 20, tos: 0, length: 125, id: 46568, flags: 2, fragment_offset: 0, ttl: 57, protocol: UDP, chksum: 51830, source_addr: 209.18.47.62, dest_addr: 192.168.0.24 }
udp: UdpHeader { source_port: 53, dest_port: 57772, length: 105, checksum: 44123 }
dns: Response(Response { answers: [] })
eth: EthernetFrame { source_mac: MacAddress([48, 82, 203, 107, 118, 95]), dest_mac: MacAddress([64, 112, 9, 133, 209, 167]), ethertype: IPv4 }
ipv4: IPv4Header { version: 4, ihl: 20, tos: 0, length: 371, id: 25136, flags: 2, fragment_offset: 0, ttl: 64, protocol: TCP, chksum: 38509, source_addr: 192.168.0.24, dest_addr: 104.200.23.95 }
tcp: TcpHeader { source_port: 43706, dest_port: 80, sequence_no: 3479674440, ack_no: 2159468974, data_offset: 8, reserved: 0, flag_urg: false, flag_ack: true, flag_psh: true, flag_rst: false, flag_syn: false, flag_fin: false, window: 229, checksum: 33053, urgent_pointer: 0, options: None }
http: "GET http://badsite.com/ HTTP/1.1" Request { method: "GET", uri: "/", version: "1.1", host: Some("badsite.com"), agent: Some("Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0"), referer: None, auth: None, cookies: None }
eth: EthernetFrame { source_mac: MacAddress([64, 112, 9, 133, 209, 167]), dest_mac: MacAddress([48, 82, 203, 107, 118, 95]), ethertype: IPv4 }
ipv4: IPv4Header { version: 4, ihl: 20, tos: 0, length: 1040, id: 62478, flags: 2, fragment_offset: 0, ttl: 53, protocol: TCP, chksum: 3314, source_addr: 104.200.23.95, dest_addr: 192.168.0.24 }
tcp: TcpHeader { source_port: 80, dest_port: 43706, sequence_no: 2159468974, ack_no: 3479674759, data_offset: 8, reserved: 0, flag_urg: false, flag_ack: true, flag_psh: false, flag_rst: false, flag_syn: false, flag_fin: true, window: 235, checksum: 55524, urgent_pointer: 0, options: None }
remaining: "HTTP/1.1 302 Found\r\nServer: openresty/1.13.6.1\r\nDate: Mon, 24 Jun 2019 11:52:24 GMT\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 0\r\nConnection: Close\r\nLocation: http://www6.badsite.com/?s_token=1561377144.1272041333&kw=Best+Personal+Credit+Cards&term=Best%20Personal%20Credit%20Cards&term=Fast%20Online%20College%20Degrees&term=Job%20Posting%20Boards&term=Movie%20Media%20Server&backfill=0&tdfs=1\r\nX-Mtm-Path: 0\r\nVary: Accept-Language\r\nContent-Language: en\r\nSet-Cookie: mtm_delivered=WyJiYWRzaXRlLmNvbSIsImh0dHA6Ly93d3c2LmJhZHNpdGUuY29tLz9zX3Rva2VuPTE1NjEzNzcxNDQuMTI3MjA0MTMzMyZrdz1CZXN0K1BlcnNvbmFsK0NyZWRpdCtDYXJkcyZ0ZXJtPUJlc3QgUGVyc29uYWwgQ3JlZGl0IENhcmRzJnRlcm09RmFzdCBPbmxpbmUgQ29sbGVnZSBEZWdyZWVzJnRlcm09Sm9iIFBvc3RpbmcgQm9hcmRzJnRlcm09TW92aWUgTWVkaWEgU2VydmVyJmJhY2tmaWxsPTAmdGRmcz0xIiwxLCIyMDE5LTA2LTI0IDExOjUyOjI0IiwiMTU2MTM3NzE0NC4xMjcyMDQxMzMzIiw3NCxudWxsLG51bGxd:1hfNWK:v7-Oji2CCHg8ECfi3-6CthImT5w; expires=Mon, 24-Jun-2019 00:52:24 GMT; Max-Age=3600; Path=/\r\n"

In just a few seconds, I sniffed traffic and learned the operating system of the computer making the request, the website requested, and even the unencrypted response of the entire website. I can even see which default search engine was being used for the request.
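To make that conclusion concrete, here is an added example (not code from the post or from sniffglue) that parses the debug-line format sniffglue prints, as shown above, and summarises what an observer on the same network learns without breaking any encryption; the sample lines are constructed from the capture above.

```python
"""Added example (not from the post or from sniffglue): parse the debug lines
sniffglue -d prints, as shown above, and list the clear-text metadata they leak."""
import re

# Constructed sample, condensed from the capture shown above.
SAMPLE = """\
dns: Request(Request { questions: [(A, "googleads.g.doubleclick.net")] })
dns: Response(Response { answers: [("googleads.g.doubleclick.net", CNAME("pagead46.l.doubleclick.net")), ("pagead46.l.doubleclick.net", A(172.217.14.66))] })
tls: ClientHello { hostname: Some("www.google.com") }
dns: Request(Request { questions: [(A, "badsite.com")] })
dns: Response(Response { answers: [("badsite.com", A(104.200.23.95)), ("badsite.com", A(104.200.22.130))] })
http: "GET http://badsite.com/ HTTP/1.1" Request { method: "GET", uri: "/", version: "1.1", host: Some("badsite.com"), agent: Some("Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0"), referer: None, auth: None, cookies: None }
"""

DNS_Q = re.compile(r'^dns: Request.*questions: \[(.*)\]')
DNS_R = re.compile(r'^dns: Response.*answers: \[(.*)\]')
QUESTION = re.compile(r'\((\w+), "([^"]+)"\)')
ANSWER = re.compile(r'\("([^"]+)", (?:A|AAAA)\(([^)]+)\)\)')
TLS_SNI = re.compile(r'^tls: ClientHello.*hostname: Some\("([^"]+)"\)')
HTTP_REQ = re.compile(r'^http: "([^"]+)" Request \{(.*)\}')
FIELD = re.compile(r'(\w+): (?:Some\("([^"]*)"\)|"([^"]*)"|None)')

def parse_sniffglue(text):
    """Return the facts readable from the capture without any decryption."""
    leak = {"dns_queries": [], "resolved": {}, "tls_sni": [], "http_requests": []}
    for line in text.splitlines():
        if m := DNS_Q.match(line):                    # every queried name travels in the clear
            for _rtype, name in QUESTION.findall(m.group(1)):
                if name not in leak["dns_queries"]:
                    leak["dns_queries"].append(name)
        elif m := DNS_R.match(line):                  # name -> address mapping from the answers
            for name, addr in ANSWER.findall(m.group(1)):
                leak["resolved"].setdefault(name, []).append(addr)
        elif m := TLS_SNI.match(line):                # SNI is sent before the session is encrypted
            leak["tls_sni"].append(m.group(1))
        elif m := HTTP_REQ.match(line):               # plaintext HTTP: every header is visible
            fields = {}
            for f in FIELD.finditer(m.group(2)):      # value is None where sniffglue printed None
                fields[f.group(1)] = f.group(2) if f.group(2) is not None else f.group(3)
            platform = re.search(r'\(([^)]*)\)', fields.get("agent") or "")
            leak["http_requests"].append({
                "request_line": m.group(1),
                "host": fields.get("host"),
                "platform": platform.group(1) if platform else None,  # OS hint from User-Agent
                "sends_cookies": fields.get("cookies") is not None,
            })
    return leak
if __name__ == "__main__":
    print(parse_sniffglue(SAMPLE))
```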
