
A Shark on the Network - kronion
http://blog.nodenexus.com/2014/11/28/a-shark-on-the-network/
======
peterwwillis
A locksmith came to let me back into my apartment the other day. He told me
that because the front lock was a 'commercial' lock, he'd have to charge me
$50 extra. I asked him if he would charge the same if he used the same lock-
picking technique on a residential lock (since this was a residence); he said
yes. So then I asked him what was so special about a bump key for this lock
versus a residential lock, since they're both just blanks cut to five-nines
and this lock has no anti-bump pin. He said, nothing special. So I asked him,
since the bump key works exactly the same on either lock, why was he charging
me an extra $50?

He ended up dropping the extra.

Security is not a Dark Art, and there is no harm in teaching people how or why
attacks work. If you can find it at a bookstore or via a Google search, it's
safe to disseminate to the general public via blog.

------
justquest
This is pretty standard wireshark stuff; showing data that was on an
unencrypted network.

What I've been wondering about for a while now is, can wireshark show data on
an encrypted network, assuming it has the key? Can wireshark take a known
WEP/WPA2 key and use it to decrypt the packets on an encrypted network on the
fly? I haven't found any CLIs or GUIs that have been able to do this out of
the box. But surely someone has made this somewhere.

Wireshark is straightforward for revealing data on unencrypted wireless, but I
haven't discovered how it could be used to monitor network users when someone
has deciphered the key unbeknownst to the users who assume they are operating
on an encrypted network such as WEP/WPA2.

Does the nature of the encrypted handshake make this impossible?

~~~
geoah
You can decrypt keys in wireshark once you have the key, you can also provide
a key to wireshark to decrypt streams on the fly using said key.

[http://wiki.wireshark.org/HowToDecrypt802.11](http://wiki.wireshark.org/HowToDecrypt802.11)

~~~
justquest
Thanks, I'd been wondering this in the back of my head for a while, last time
I searched for some reason I couldn't find much.

edit: Now that I see the wiki, I remember correctly that the version of Linux
I was using didn't work with this feature in the GUI. Maybe I'll look for the
CLI version again soon.

------
furyg3
I feel like there is a major opening for access point makers to simplify
802.1x rollout for all networks. Now it requires a whole bunch of steps only
IT admins can do (RADIUS server, etc).

Maybe your new Dlink router comes with an 'app' which generates unique logins
(with optional expiration times) that you can give out to users. There's a
whole market of coffeeshop/restaurant wifi providers but they usually use
no/shared encryption and a captive portal for managing authentication. That's
great for dispensing logins and handling expirations, but is horrible for your
users' security and user experience.

------
leeber
I'm always connected to a VPN that I set up on throwaway cloud servers from
AWS, digitalocean, or whatever your preference is. Even on my phone.

So all you'd see from me is encrypted stuff being sent to a random IP address.

~~~
lelandbatey
How do you do this?

~~~
Couto
[https://github.com/jlund/streisand](https://github.com/jlund/streisand) is a
nice and quick way to achieve this.

------
geoah
The author seems to be making the assumption that the "target" is an
unencrypted network. They provide no information on wireless network security
and its effects on the attack and the conditions that need to be met for
someone to be able to perform it.

Protected networks require more effort depending on the method used: WEP is
utterly broken; WPA/WPA2 can be broken but requires considerably more effort
and processing power. More concrete methods exist (802.1x) but are almost
never used outside enterprise or educational facilities.

Finally, the chance that reversing an IP address will result in a correct
hostname is most likely never the case.

The author is either very ill informed on how wireless networks actually work
or is trying to make people scared without explaining why these things happen
and how they can protect themselves - any of which I really do not like.

~~~
einrealist
There are many unencrypted networks around: hotels, cafes, hotspots at
airports and train stations, inside trains and planes and even cities start to
provide their own wireless networks. And I expect less than 10% of the regular
users to use VPNs or to keep track of only using HTTPS (or secure connections
on other protocols).

~~~
at-fates-hands
Also keep in mind a lot of people have their phones/laptops set to join any
available wireless networks without asking them, making a spoofing attack a
lot easier.

------
Kiro
So I don't know anything about this stuff but looking at the XKCD example it
looks really easy to see virtually everything my neighbours are doing on the
web. What am I missing? Or is it really this insecure to use wireless?

~~~
na85
>What am I missing?

Encryption. Your neighbours hopefully have protected their wifi with a
password. This prevents casual snooping but of course can't really keep out a
dedicated attacker. There are automated tools to break WPA encryption.

Additionally, if your neighbours are browsing using SSL/TLS then you
theoretically cannot eavesdrop on those sessions.

~~~
nodata
You'd see their dns lookups.

~~~
Kiro
So basically I can see if my neighbours are surfing on porn sites regardless
of WPA or SSL/TLS?

~~~
chopin
If you break their WPA, then yes, you can see which servers they connect to.
For your purpose that possibly would be enough to know.

------
DavidHogue
I've been thinking about this a lot lately. The ideal solution seems to be to
encrypt traffic between all hosts on the local network. Are there any good
resources for how to setup IPSEC or something on a local wifi network?

~~~
gstuartj
The solution already exists in the form of WPA2-Enterprise auth (802.1x), but
support is still fairly sparse on consumer devices like cheaper WiFi routers
or media streamers. It's also difficult to configure and manage, for the
average user.

------
nerd2
"If you’re wondering why the network card has access to all messages on the
network, consider that you need to see every message in order to determine
which ones you are supposed to receive." Whuuut

~~~
spydum
This is how Ethernet works. Wireless is somewhat similar to a hub vs a switch.
The spectrum is mostly a shared medium, just like 10baseT networks, or
Ethernet hubs.

~~~
bluedino
People forget this. You can make your wireless AP as secure as you want, but
if we're plugged into the same node with our cable modems, you can just run a
regular packet sniffer with ARP poisoning and see all the traffic to your
neighbors. Not sure if that works with DSL connections or not.

~~~
spydum
Mostly not possible. DSL has multiple deployment modes: PPP (over Ethernet or
ATM), bridged, and routed-bridge encapsulation (RBE).

The upstream router at the ISP is usually connected to an ATM or Frame Relay
link, where they create virtual circuits to the DSLAM for each customer/modem
(DSLAM is the last "network" device between your DSL modem and the telco --
it's the thing doing the Analog/Digital conversion from ATM/FR/Ethernet to
electrical signals on the copper pair).

Since DSL works over a copper pair (phone lines), and you already know phone
lines are not shared with your neighbors, there is no chance of intercepting
your neighbors' traffic over DSL without someone physically splicing.

However, when the ISP router is in plain bridge mode (I doubt anybody does this
any longer; RBE is so much more effective), there is a possibility that the
router floods packets for addresses it doesn't know, just like a switch does
when it doesn't know where a certain MAC address is. This would broadcast that
frame out across all the "virtual circuits". Most DSL modems would then also
filter this, so it is unlikely you would still be able to observe it, unless
you had control over the DSL modem/bridge itself.

~~~
eridal
Sadly a bunch of modems have the admin panel accessible from the WAN side,
probably with the factory password or something the ISP sets the same on all
devices.

You still need to know your neighbors' public IP address, but the problem may
be significantly reduced: "hey want to check my cool app?" Boom!

------
mlrtime
I thought the small write up on D3 was more interesting than the capture
aspect.

[http://d3js.org/](http://d3js.org/)

------
abalone
Can somebody explain all the brown on that HostShark circle gif? Looks like
>90% of the requests are going to xo.net, an ISP.

[http://blog.nodenexus.com/assets/img/hostshark.gif](http://blog.nodenexus.com/assets/img/hostshark.gif)

~~~
mbrownnyc
DNS?

~~~
abalone
Maybe that's part of it, but it's <=1 DNS request per domain request so no
more than half that circle should be DNS requests. In practice it's far, far
less because web browsing typically has numerous requests per domain (e.g.
loading images off facebook.com).

My best guess is VPN. Maybe that's how they link Princeton campuses together
or something.

------
mschuster91
What bothers me is that neither the author nor anyone here mentioned that HTTPS
_does_ leak metadata in the form of the SNI extension which provides the
server with the requested host before the cert exchange.

~~~
icebraining
And even without SNI (e.g. IE on XP), there must be only one SSL site hosted
on that particular IP, so the attacker can just connect to it and see what
site (s)he gets.

------
geggam
kismet ?

------
cranklin
"A Shark on the Network" is more appropriate than "How to listen in on
wireless network traffic" for this particular post. If it's a "how to listen
in...", I would expect the article to introduce better passive attacks (in
monitor mode) and raw packet injection attacks that don't require you to be
associated to a particular access point, and finally the different wifi
chipsets that allow you to perform these types of attacks.

~~~
fensipens
This.

I was hoping to read some recommendations on chipsets that are able to monitor
multiple channels simultaneously... but then it was just another misleading
headline.

