
Using Wireshark to Spy on Traffic from a Smartphone « Null Byte :: WonderHowTo



So you want to know what the person who is always on their phone is up to? If you are on the same Wi-Fi network, all it takes is opening Wireshark and changing a few settings. We will use the tool to decrypt WPA2 network traffic so we can see, in real time, which applications are running on a phone.

While using an encrypted network is better than using an open one, the advantage disappears if the attacker is on the same network. If someone else knows the password for the Wi-Fi network you're using, Wireshark makes it easy for them to see what you're doing. An attacker could build a list of every app running on the target device and narrow their attention to the apps that might be vulnerable.

Decrypting encrypted packets

If you are using a Wi-Fi network that uses WPA2 encryption, the security of your session rests on two things. The first is the password, which is used to derive a much longer value, the PSK or pre-shared key. The second is the actual handshake that has to happen when a device joins the network. If an attacker has the PSK for the Wi-Fi network and catches you joining the network, or catches the moment you drop off and reconnect, they can decrypt your Wi-Fi traffic and see what you are doing.
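As an added illustration that is not part of the original article, the Python below performs the same derivation Wireshark runs when you hand it a passphrase and SSID. It assumes nothing beyond the 802.11i standard: the PSK is PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256 bits out. The known-answer vector for "password"/"IEEE" comes from the specification's own test vectors. The point for a defender is that the PSK is a pure function of two values, one of which (the SSID) is broadcast in the clear, so every person or device that was ever given the Wi-Fi password effectively holds the decryption key until the password is rotated.

```python
"""WPA2 passphrase -> PSK derivation (IEEE 802.11i, PBKDF2-HMAC-SHA1).

Added example, not code from the article. Shows why "knowing the Wi-Fi
password" and "holding the decryption key" are the same thing.
"""
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard
PSK_LENGTH = 32            # 256-bit key


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte WPA2 PSK for the given passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters long")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),   # the standard specifies ASCII; utf-8 is a superset
        ssid.encode("utf-8"),         # the SSID is the salt, and it is public
        PBKDF2_ITERATIONS,
        PSK_LENGTH,
    )


def wireshark_key_strings(passphrase: str, ssid: str) -> dict:
    """The two forms Wireshark accepts in the IEEE 802.11 decryption-keys table:
    'wpa-pwd' (passphrase:SSID, Wireshark derives the PSK itself) and
    'wpa-psk' (the pre-derived key as 64 hex digits)."""
    return {
        "wpa-pwd": f"wpa-pwd:{passphrase}:{ssid}",
        "wpa-psk": f"wpa-psk:{wpa2_psk(passphrase, ssid).hex()}",
    }


if __name__ == "__main__":
    # Known-answer test vector from IEEE 802.11i (2004), Annex H.4
    print(wpa2_psk("password", "IEEE").hex())
    # -> f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e

    # The same passphrase on a differently named network yields a different PSK,
    # so the SSID is key material even though anyone nearby can read it.
    print(wpa2_psk("password", "IEEE-guest").hex())
    print(wireshark_key_strings("password", "IEEE"))
```

Because the derivation is deterministic and the SSID is public, the only secret input is the passphrase; a short or widely shared passphrase is exactly as weak as the PSK it produces, and rotating the passphrase is the only way to revoke a key that has leaked.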

The contents of HTTPS sites are not revealed, but any HTTP sites you visit, and any insecure HTTP requests that apps on your phone make, show up in the capture. That may not sound like much, but in just 60 seconds it's easy to learn a great deal about the kind of device being monitored and what it is running. The DNS requests that apps send to resolve the domains they need to talk to are easy to spot, and they give away which apps and services are active.

How it Works

For this attack to work, a few conditions must be met. We need the network password, we need to be close enough to the victim to capture their traffic, and we need to either be able to remove the target device from the network or wait for it to reconnect on its own. We open Wireshark, go to the menu for decrypting Wi-Fi packets, add the PSK to enable decryption, and wait for the EAPOL packets that the target device sends when it joins the network.

In the meantime, to get a feel for the target device, we'll use capture filters to highlight the DNS and HTTP packets we're looking for. To see a complete list of every domain the device resolved, you can also view a summary of resolved domains once the capture is finished. With this information, we can easily work out which services are running, even when they run in the background and the app has not been opened for some time.

What you need

To do this you need a wireless network adapter that supports monitor mode. Refer to our guides for advice on choosing a Kali-compatible adapter that supports monitor mode.

Next, you'll need an iOS or Android smartphone connected to the Wi-Fi network you are monitoring. It is worth practicing on an open Wi-Fi network first to learn what you should expect to see, since decryption does not always work on the first try. You also need to know the password and network name of the Wi-Fi network you want to monitor; with those, you can calculate the pre-shared key and decrypt the traffic in real time.

Step 1: Download Wireshark and connect to the Wi-Fi network

Download and install Wireshark if you haven't already, and connect to the Wi-Fi network your target is on. If you want to enter a PSK rather than the network password, calculate it first with the Wireshark tool, because depending on your card you may not be able to reach the internet while capturing.

Once that is done, open Wireshark and take a look at your network interfaces. Before we start capturing, we need to make a few adjustments to make sure the card is capturing in the correct mode.

Step 2: Set up Wireshark for capturing

In the Wireshark menu, click the gear-shaped Capture Options icon.

This opens the Capture Interfaces window (see below).

Step 3: Start the capture and look for EAPOL packets.

If you are not connected to the network and the target is already on it, you may not see any packets, because your adapter may be sitting on a different channel. Wireshark cannot change the channel the wireless adapter is tuned to, so if you capture nothing at all, this may be the reason.

Step 4: Decrypt traffic with the network PSK

Now that we have a handshake, we can decrypt the conversation from that point on. To do this we need to add the network password or PSK. Go to the "Wireshark" drop-down menu and select "Preferences". Once it opens, click "Protocols".

Under Protocols, select "IEEE 802.11" and tick "Enable decryption". To add the network key, click "Edit" next to "Decryption Keys" to open the window for adding passwords and PSKs.

Select "wpa-psk" from the menu, then paste your key. Press Tab, then save it by clicking "OK".

Then click "OK" in Preferences, and Wireshark should rescan all captured packets and try to decrypt them. This may not work for a variety of reasons. I was able to get it up and running most of the time by having a good handshake (EAPOL) and switching between using a network password and a PSK. If it works, we can continue analyzing traffic to identify the apps in use.

Step 5: Search for DNS and HTTP packets

Once the protection around that traffic is stripped away, Wireshark can decrypt it and tell us, in real time, what the devices on that Wi-Fi network for which we have handshakes are doing.

1. DNS Requests

To find interesting packets, we start with DNS requests. Apps use DNS requests so that the IP addresses they connect to can change without breaking the app; instead, they refer to domain names, which usually contain the name of the app. That makes it easy to determine which app on the iPhone or Android phone is making the requests.

To view these requests, we will use two capture filters, dns and http, which show us the most obvious fingerprints an app leaves over Wi-Fi. First enter dns in the filter bar and press Enter. If nothing shows up, try switching between PSK and password a few times. It sucks, but sometimes it works.

If your target is feeling lonely, you may see the following response. Tinder calls the domain Tindersparks.com, as well as many other services. This request is one of the most obvious.

While using Signal is a good idea, using it with a VPN is a better one. The reason? Simply opening Signal produces the exchange below, revealing that the user is communicating over an encrypted messenger.

Trying to identify a song with Shazam leaves the following fingerprint.

Opening the app to call an Uber creates the requests listed below.

Below you can see the effect of opening Venmo, an app for transferring money. It looks like a good time to redirect this request to another location.

2. HTTP Packets

Next, using the capture filter http, we can see that there are several insecure web requests. These packets contain information, such as the user agent, that reveals the type of device that is connecting. You can verify this by clicking a packet and expanding the Hypertext Transfer Protocol section.

This example shows insecure HTTP requests to a chat server. What the hell is that? Simply inspecting the packet and resolving the domain gives us the answer right away: it's WeChat! WeChat is installed on this phone, and its communication is not fully encrypted.

If you want to see everything that has been resolved, click the "Statistics" menu and select "Resolved Addresses" to view every domain resolved during the capture. This should be a laundry list of the services the device connects to on behalf of the apps running on it.

This breakdown makes it even easier to spot the targets.
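The DNS and HTTP observations above (the per-app domain fingerprints, the User-Agent giving away the device type, and the "Resolved Addresses" laundry list) can be reproduced outside the GUI so you can audit what one of your own devices discloses on a shared network, without decrypting anything beyond what the article already covers. The Python below is an added example, not code from the article or from Wireshark; it expects lines in the shape of a tshark field export (`tshark -r capture.pcapng -T fields -E separator=/t -e frame.time_relative -e ip.src -e dns.qry.name -e http.host -e http.user_agent`). The sample lines and the `.test` domains are constructed for the example, and the `APP_HINTS` keyword table is illustrative; Tindersparks.com is the one domain the article itself names.

```python
"""Passive app-fingerprint summary from DNS queries and plaintext HTTP.

Added example (not from the article). Rebuilds a "resolved addresses" style
list per client from a tshark field export and tags each domain with the app
it most likely belongs to, the way an analyst does by eye in Wireshark.
"""
from collections import defaultdict

# Constructed sample export, tab-separated:
# frame.time_relative  ip.src  dns.qry.name  http.host  http.user_agent
# (empty fields where the packet is not DNS / not HTTP). Hosts under .test
# are invented for this example; only tindersparks.com appears in the article.
SAMPLE_EXPORT = """\
0.512\t192.168.1.23\ttindersparks.com\t\t
0.530\t192.168.1.23\timages.tindersparks.com\t\t
4.101\t192.168.1.23\tchat.example-messenger.test\t\t
9.877\t192.168.1.23\t\tcdn.example-messenger.test\tMessenger/7.0 (iPhone; iOS 12.1)
12.004\t192.168.1.42\tmetrics.example-rideshare.test\t\t
12.010\t192.168.1.42\t\tapi.example-rideshare.test\tRideShare/4.2 (Android 9; Pixel 3)
"""

# Illustrative substring -> app label table; a real audit would extend this.
APP_HINTS = {
    "tindersparks": "Tinder",
    "example-messenger": "Example messenger",
    "example-rideshare": "Example ride-share",
}

# User-Agent fragments that give away the device class.
DEVICE_HINTS = (("iPhone", "iOS device"), ("Android", "Android device"))


def parse_export(text):
    """Yield one dict per well-formed export line; malformed lines are skipped."""
    for raw in text.splitlines():
        parts = raw.split("\t")
        if len(parts) != 5:
            continue
        t, src, dns_name, http_host, ua = parts
        yield {"time": float(t), "src": src, "dns": dns_name, "host": http_host, "ua": ua}


def guess_app(domain):
    """Map a domain to an app label using the keyword table, else 'unknown'."""
    for needle, label in APP_HINTS.items():
        if needle in domain:
            return label
    return "unknown"


def guess_device(user_agent):
    """Map a plaintext HTTP User-Agent to a device class, else 'unknown'."""
    for needle, label in DEVICE_HINTS:
        if needle in user_agent:
            return label
    return "unknown"


def summarize(text):
    """Per client IP: first-seen time per domain, app guesses, plaintext HTTP
    hosts (the ones whose content is fully exposed) and the device class."""
    report = defaultdict(lambda: {"domains": {}, "apps": set(), "http_hosts": set(), "device": "unknown"})
    for rec in parse_export(text):
        entry = report[rec["src"]]
        for name in (rec["dns"], rec["host"]):
            if name:
                entry["domains"].setdefault(name, rec["time"])   # keep first-seen time
                entry["apps"].add(guess_app(name))
        if rec["host"]:
            entry["http_hosts"].add(rec["host"])
        if rec["ua"]:
            entry["device"] = guess_device(rec["ua"])
    return dict(report)


def format_report(report):
    """Render the summary as the kind of list the article's Resolved Addresses view gives."""
    lines = []
    for client, entry in sorted(report.items()):
        lines.append(f"{client} ({entry['device']}): apps={sorted(entry['apps'])}")
        for domain, first_seen in sorted(entry["domains"].items(), key=lambda kv: kv[1]):
            flag = "  [plaintext HTTP]" if domain in entry["http_hosts"] else ""
            lines.append(f"  {first_seen:8.3f}s  {domain}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_EXPORT)))
```

Everything this script learns comes from names and headers sent in the clear, which is why the article's advice holds: a VPN hides these DNS lookups and HTTP requests from anyone sharing the Wi-Fi, and an app that still talks plain HTTP exposes its content as well as its identity.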

Wireshark makes Wi-Fi networks a risky affair

This type of surveillance may seem invasive, but keep in mind that your ISP also keeps a log of this information and has the right to sell it. If you want to prevent this kind of snooping, you should get a VPN like Mullvad or PIA, which can hide even local traffic behind strong encryption. Anywhere you might do something sensitive over a data connection, you should also consider using mobile data to prevent this type of attack.

I hope you liked this guide to using Wireshark to spy on Wi-Fi traffic! If you have questions about this Wi-Fi decryption tutorial, leave a comment below. You can also contact me on Twitter @KodyKinzie.

Cover photo and screenshots by Kody/Null Byte

