How-to: Easy wireless eavesdropping with a Mac

Simple question: is unsecured wireless an actual, real-world problem?

Simple answer: YES. HELL YES.

Not a single coffee shop I frequent has any sort of wireless security. While I understand the consequences of that, I know that others don’t. Plenty of people take unprotected, public wireless for granted. Some don’t understand the risks and others believe that wireless eavesdropping is beyond the technical reach of just any ol’ person. That’s simply not true.

It’s dangerously easy for anyone to do — and today, I’m going to show you how someone can start eavesdropping on an unprotected wireless network in mere minutes. I’m going to show you just how easy it is. And then I’ll talk about what you can do about it.


Super important disclaimer text: If you’re not doing this on your own wireless network, get permission first. Otherwise, you may be breaking the law. I will not be held liable for what you do, based on whatever you learn from here. If you don’t agree with that, stop reading.


This is Mac-oriented, for simplicity’s sake: OS X comes with a lot of things that make this way too easy and that’s the point I’d like to get across. (This is completely doable on other systems, however.[1])

This guide is for tech-savvy folks who’ve used the command-line before. (A previous draft was more general-purpose, but far longer than I was comfortable publishing.)

Tools

Mac OS X comes with a version of tcpdump, which is a common command-line tool for “dumping” (aka “sniffing”; saving) the packets that zip across a network.

To actually analyze and get interesting information out of the mass of information in a packet dump — download Wireshark. I’m using the Development Release (1.3.4), but Stable should work fine as well. Install that to your Applications folder by dragging it over.

Using tcpdump

My usual use case looks something like the following. (I’ll explain all of the bits below.)

sudo tcpdump \
    -i $WIFICARD \
    -I \
    -n \
    -w $OUTPUT_FILE \
    not ether host $ETHER_ADDR \
    and not host $IP_ADDR \
    and not "(wlan[0:1] & 0xfc) == 0x40" \
    and not "(wlan[0:1] & 0xfc) == 0x50" \
    and not "(wlan[0:1] & 0xfc) == 0x80" \
    and not "(wlan[0:1] & 0xfc) == 0xa4" \
    and not "(wlan[0:1] & 0xfc) == 0xc4" \
    and not "(wlan[0:1] & 0xfc) == 0xd4"
 
  • -i sets the network card you’ll be using ($WIFICARD is your wireless card — en1, for example, is usually the identifier for Airport cards in Mac laptops)
  • -I puts your network card in “monitor mode,” where it listens in on all packets on the network, not just the ones addressed to you.
  • -n disables name resolution, since we don’t need it for our packet dump
  • -w sets the output packet dump file ($OUTPUT_FILE could be something like ~/Desktop/capture.pcap)
  • The last few options filter down our dataset:
    • Don’t save data between our computer and the access point, since we’re interested in eavesdropping on other people ($ETHER_ADDR and $IP_ADDR would be your MAC and IP addresses on the local network, respectively)
    • Don’t save 802.11 housekeeping frames such as beacons, probes and acknowledgements (that is what the six "wlan[0:1] & 0xfc" tests match). There are a lot of them, and they don’t hold any useful data.

Tip: you can run airport -I to see what your $WIFICARD is. From there, you can get the others by running ifconfig $WIFICARD — look at the values next to “ether” and “inet.”

An example:

sudo tcpdump -i en1 -I -n -w ~/Desktop/dump.pcap not ether host 00:26:bb:0b:1e:01 and not host 192.168.1.100 and not "(wlan[0:1] & 0xfc) == 0x40" and not "(wlan[0:1] & 0xfc) == 0x50" and not "(wlan[0:1] & 0xfc) == 0x80" and not "(wlan[0:1] & 0xfc) == 0xa4" and not "(wlan[0:1] & 0xfc) == 0xc4" and not "(wlan[0:1] & 0xfc) == 0xd4"
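To make the six hex constants in that filter less opaque, here is an added example (not from the original post) that decodes the 802.11 Frame Control byte the way "wlan[0:1] & 0xfc" does and reports whether the capture filter above would keep or drop a frame. The sample frames are constructed; only their first byte matters for this check.

```python
# Added example: decode the 802.11 Frame Control byte and apply the
# "and not (wlan[0:1] & 0xfc) == 0x.." clauses from the tcpdump command.

TYPES = {0: "management", 1: "control", 2: "data"}
SUBTYPES = {
    (0, 4): "probe request",
    (0, 5): "probe response",
    (0, 8): "beacon",
    (1, 10): "PS-Poll",
    (1, 12): "CTS",
    (1, 13): "ACK",
    (2, 0): "data",
}

# The six values the post's filter excludes (type + subtype, version masked off).
EXCLUDED = (0x40, 0x50, 0x80, 0xa4, 0xc4, 0xd4)


def decode_fc(fc_byte):
    """Split the first Frame Control byte into (version, type, subtype).

    Bit layout, least significant first: version b0-b1, type b2-b3, subtype b4-b7.
    """
    version = fc_byte & 0x03
    ftype = (fc_byte >> 2) & 0x03
    subtype = (fc_byte >> 4) & 0x0f
    return version, ftype, subtype


def describe(fc_byte):
    """Human-readable 'type / subtype' for a Frame Control byte."""
    _, ftype, subtype = decode_fc(fc_byte)
    name = SUBTYPES.get((ftype, subtype), "subtype %d" % subtype)
    return "%s / %s" % (TYPES.get(ftype, "reserved"), name)


def explain_filter():
    """One line per excluded constant, e.g. '0x80: management / beacon'."""
    return ["0x%02x: %s" % (value, describe(value)) for value in EXCLUDED]


def kept_by_filter(frame):
    """True if the post's capture filter would write this raw 802.11 frame."""
    return (frame[0] & 0xfc) not in EXCLUDED


# Constructed sample frames (header bytes only, padded with zeros).
SAMPLES = {
    "beacon": bytes([0x80, 0x00]) + b"\x00" * 22,
    "ack": bytes([0xd4, 0x00]) + b"\x00" * 8,
    "data": bytes([0x08, 0x01]) + b"\x00" * 22,
}
```

Running explain_filter() shows the filter drops probe requests/responses, beacons, PS-Poll, CTS and ACK frames, and keeps everything else, including data frames.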

Alternatively, I’ve wrapped up that command in a script that (should) automatically figure out your IP and MAC addresses, then start a packet dump that saves to your desktop.

You can view the script here and download it from here.

Since the tcpdump command within the script is being run via sudo, it’ll ask for your password — tcpdump needs to be run as an administrator to switch the wireless card over to “monitor mode.” (Aside: check out the code before running it. Never ever run anything with sudo on the command-line unless you’re absolutely sure it’s safe.)

Assuming you’ve downloaded it to your Downloads folder, creating a packet dump is as simple as:

cd ~/Downloads
chmod +x sniff.sh
./sniff.sh

If the script is working, you’ll notice the dump file appear on the desktop and grow as you capture packets. You are now eavesdropping on other people’s connections on the given wireless network. At any point, you can finish up and close the script by pressing control-c.

Making sense of the data

Open up Wireshark.

Go to File->Open and go open up that .pcap file that you’ve created.

You should now have a huge list of packets. For our intents and purposes, we really don’t care about a lot of packet types, so paste the following into the “Filter” box and click on “Apply”. (Note that since Wireshark is an X11-based application, pasting is done with control-v, rather than ⌘-v.)

(http or smtp or imap or pop or aim or jabber or aim_chat or aim_buddylist) and not (tcp.analysis.retransmission or tcp.analysis.lost_segment or not http.response.code)

You should now have a packet dump that looks sort of like the following.

You can now dig around and browse all of the data that went through the wireless network: Web pages, SMTP/IMAP/POP e-mail, AIM conversations, Jabber (Google Talk, Facebook Chat) conversations — provided they’re unencrypted. (Side note: AIM and Google Talk now default to using SSL encryption. Most e-mail hosts do, too.)

The “packet data” panel (the second or third one — bottom one in my example image) allows you to drill down the layers of protocols-within-protocols in every packet. Play around with it!

The following filters might also be nice to experiment with:

  • aim.messageblock.message — will only show IM messages over the AIM network.
  • http.request.uri contains "profile.php" — will only show Web pages with "profile.php" in the link (i.e., Facebook)
  • http.request.uri contains "login"
  • http.request.uri contains "mail"
  • http contains "username" — will only show requests that have the string "username" anywhere within the URL or content. (Surprise: this includes submissions to unencrypted login forms, if there are any.)

But wait! There’s more!

Wireshark can automatically parse out intercepted files and save them to your hard drive. This means you don’t even need to make sense of the raw protocols to get “tangible” results.

Go to File->Export->Objects->HTTP. Click on “Save All.” Type in a name for this folder and hit “OK” — ignore the “Some files could not be saved” error.

Open up that folder and you’ll see nearly every file transmitted over the network while you were capturing packets:

To drive the point home

Scared yet? You should be.

Unsecured public wireless networks are a huge risk to those who don’t understand just how “open” they are.

I’ve just shown you how little time and effort an eavesdropping attack takes. In mere minutes of idle time (about 10 in my example dump), anyone has the ability to collect a treasure trove of information on the people using a wireless network around them.

Digital eavesdropping and identity theft don’t have to be targeted crimes against specific people. Digital thieves can cast wide nets and hope they drag something valuable in.

What you can do

If your school or company has a VPN, log into it whenever you connect to an open wireless network. (Provided your connection doesn’t need extra authentication like Cisco Clean Access, even non-computer devices like the iPhone support VPN.) Connecting through a VPN encrypts data between you and the VPN — only after your information makes it to your VPN’s internet connection does it become unencrypted (and from there, it goes to the internet normally).

Alternatively, if you’re savvy enough to have SSH access to a Web server, you can use it as a secure proxy tunnel in practically the same way. If you understood what I just said, you can probably wing it.

If you don’t have access to the above, you can’t really do that much. Ideally, you should ask your local business to enable WPA on their network and either post the password or have customers ask for it. (My nearby Rocket Market operated their wireless like this, back when I lived up in Spokane.)

Most importantly: tread lightly. Never do anything “confidential” on an unprotected wireless network. And whenever you do go out, only log into sites and services that use SSL. (Facebook, Twitter, Gmail, and many other major sites always send your username & password via HTTPS. Gmail can be read over HTTPS, as can most other e-mail services. iChat can be set to “Require SSL” under your account’s server settings.)

Cautiousness is a virtue, online. Be careful and always be prepared for the worst. Think before you log in. Don’t use the same password everywhere. (I used to keep a rotation of about four passwords before switching to all random passwords and 1Password as a password manager.) Don’t take the Internet for granted.

Oh yeah, and don’t ever try anything I’ve mentioned here, unless you have permission. §


[1] Wireshark does work on all platforms and also performs the sniffing aspects on Windows/Linux — if your drivers allow it. With a little bit of effort, you can figure that out. You can still make do with my Wireshark analysis instructions once you have a packet dump.
