I’ve always known it was possible to sniff traffic on your home network, but every time I tried, I always ended up sniffing ‘management type packets’ (e.g. ARP requests, SYNs, ACKs, etc.). I’d never really seen any useful information come across the wire, so I pretty much wrote off the idea of sniffing.
Recently I did a little deeper dive related to some work I’m doing in class and discovered some of the things I’d done wrong in the past. So here’s a short post on sniffing traffic on your home network. Take a minute to understand the concepts and be responsible with your sniffing activities.
If your home network is using a hub (it’s likely not), it’s going to be extremely easy to sniff traffic. With a hub, all traffic is broadcast to everyone connected to the hub, and each Ethernet card decides whether to ignore or process the packet. Turning on a sniffer like Wireshark will allow you to see all packets that reach your Ethernet card.
Wireless Router – No Encryption
Open wireless networks are much like a hub. All traffic is basically “shouted out” over the air, and anyone can intercept it by telling their card to accept all transmissions. If your home network is using an unencrypted wireless connection (which I strongly recommend against), simply start up Wireshark and start sniffing — you don’t even need to connect to your network.
Your home network is very likely using a wired or wireless router (covered next). Wired routers are different from hubs: they are switched and do not broadcast packets to everyone. They use MAC addresses at Layer 2 to deliver traffic to a specific host, which makes sniffing traffic slightly more complicated.
All computers communicating through a router need to keep a mapping of IP addresses to MAC (or hardware) addresses. To do this, they use the Address Resolution Protocol (ARP). ARP is like DNS, but between IP addresses and hardware addresses. Due to the inherent lack of security in ARP (replies are not authenticated), we can trick all computers (hosts) on a network into sending their packets through our device so we can intercept them with our sniffer. This is a classic Man in the Middle Attack. The trick is to “poison” the ARP caches on the host computers so that the router’s IP address resolves to the hardware address of your computer.
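As an added example (not from the original post), here is a small Python detector for the poisoning just described, written from the defender’s side: it tracks the IP-to-MAC bindings a host would learn from ARP replies and alerts when an IP already bound to one MAC (such as the router’s) is re-announced with a different MAC, or when unsolicited (gratuitous) replies show up. The gateway address, MACs and packets are constructed for the example, not taken from a real capture.

```python
from dataclasses import dataclass, field

ROUTER_IP = "192.168.1.1"          # assumed gateway address for the sample
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply as a sniffer shows them."""
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


@dataclass
class ArpWatcher:
    """Keeps the IP->MAC table a host would learn and flags changes to it."""
    table: dict = field(default_factory=dict)   # may be seeded with trusted bindings
    alerts: list = field(default_factory=list)

    def observe(self, pkt: ArpReply) -> list:
        mac = pkt.sender_mac.lower()
        known = self.table.get(pkt.sender_ip)
        if known is None:
            self.table[pkt.sender_ip] = mac     # first claim for this IP, remember it
        elif known != mac:
            # Poisoning signature: an IP already bound to one MAC (e.g. the
            # router) is re-announced with another card's address.
            self.alerts.append(("conflict", pkt.sender_ip, known, mac))
        if pkt.target_mac.lower() == BROADCAST or pkt.target_ip == pkt.sender_ip:
            # Unsolicited (gratuitous) replies are how caches get rewritten.
            self.alerts.append(("gratuitous", pkt.sender_ip, mac))
        return self.alerts


def analyse(packets, trusted=None) -> list:
    """Run every reply through the watcher; trusted = known-good IP->MAC map."""
    watcher = ArpWatcher(table=dict(trusted or {}))
    for pkt in packets:
        watcher.observe(pkt)
    return watcher.alerts


# Constructed sample: router answers a host normally, then a second MAC
# starts claiming the router's IP, first to one host, then to everyone.
SAMPLE = [
    ArpReply(ROUTER_IP, "aa:bb:cc:00:00:01", "192.168.1.10", "de:ad:be:ef:00:10"),
    ArpReply("192.168.1.10", "de:ad:be:ef:00:10", ROUTER_IP, "aa:bb:cc:00:00:01"),
    ArpReply(ROUTER_IP, "aa:bb:cc:00:00:99", "192.168.1.10", "de:ad:be:ef:00:10"),
    ArpReply(ROUTER_IP, "aa:bb:cc:00:00:99", ROUTER_IP, BROADCAST),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

Seeding `trusted` from the ARP table recorded on a quiet network makes the first bogus reply an alert rather than the baseline.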
Wireless Router Weak Encryption (WEP)
If you use WEP on your home network (which I hope you don’t), you can perform the same Man in the Middle Attack using ARP poisoning, taking advantage of the nature of WEP’s encryption (RC4, a stream cipher) to decrypt packets on the fly.
Wireless Router Strong Encryption (WPA, WPA2)
Even wireless routers with strong encryption are vulnerable to ARP poisoning, due to what many refer to as "Hole 196". For our purposes, you can treat a wireless router with strong encryption just like a wired router. I won’t go into the details of Hole 196; check out the link for more details.
So now that I’ve covered all the setups you could be using for your home network, let’s talk about how to use the tools to sniff traffic if you’re using a router of any sort.
1. Poison Your Network
Ettercap is a phenomenal tool for ARP poisoning. Alternatively, you can use ArpSpoof, but then you’ll need to set up kernel IP forwarding on your own; Ettercap handles this for you, which is why I chose it.
Open up a terminal and type this to get ARP poisoning going on your network:
nobody@nobody:~$ sudo ettercap -T -q -M ARP -i en1 // //
Here’s an explanation of the command:
-T is text mode, basically the non-interactive mode
-q is for quiet
-M is the Man in the Middle Attack, ARP in this case
-i is the interface, en1 in this case. Replace it with your own (e.g. wlan0, eth0, etc.)
// // means to poison all hosts on the network. It’s possible to target single hosts if needed.
Optionally, if you’re using WEP you can add this parameter
2. Start Your Engines … errr … Sniffers
Leave the terminal window with Ettercap open and running. Start up your favorite sniffer and have it capture on the same interface Ettercap is poisoning on. You should immediately see traffic from your local network.
If you’re using a Mac, you might be interested in my post on getting Wireshark to work on Mac OS X.