CyberMoransđ€
Today, We'll use wiresharkđŠ to decrypt WPA2 network traffic so we can spyđ§ on the apps a target is using on their phone in real timeđ±
While using an encrypted network is better than using an open one, the advantage disappears if the attackerđ is on the same network. It can allow an hackerđ to create a list of every app running on your device and zero in on apps that might be vulnerable.
When you use a Wi-Fi that uses WPA2 encryption, the security of your session is based on two things. The first is the password that's used to generate a much longer number, a PSK or pre-shared key. The second is the actual handshake itselfđ€, which has to happen to establish a connection. If an hackerđ has the PSK to the Wi-Fi network and either observes you join the network or kicks you off for a moment, they can decrypt your Wi-Fi traffic to see what you're doingđ
To pull off this attack, First, we need to be in the same network as our target, we need to be within proximity to the victim so we can record traffic, and we need to be able to kick the targeted device off the network or wait for them to reconnect...đ€€
We'll open Wireshark and access the menu to decrypt Wi-Fi packets, add the PSK to enable decryption, and wait for packets from the targeted device connecting to the network. To get a feeling for what the targeted device is up to, we'll be using capture filters to highlight DNS and HTTP packets we're looking for
Morans, buckle up & throw privacy off the window...đđ
đ Download Wireshark & Connect to the Wi-Fi Network
Download and install Wireshark if it's not already installed, and connect to the Wi-Fi network your target is on.
If you plan to use a PSK rather than a network key, you should calculate it using the Wireshark tool before doing so, as you may not be able to access the internet during the capture, depending on your cardđ
Once you have Wireshark downloaded, open it, then look at your network interfaces. Before we start capturing, we'll need to set a few things up to make sure we are capturing in the correct mode.
đ Set Up Wireshark for Capturing
Under the Wireshark menu option, click on the gear-shaped "Capture options" menuđ
That will open the Capture Interfaces window,đ
Begin the Network Capture & Scan for EAPOL Packets
If you're not connected to the network your target is on, then you won't be able to see any packets because you might be on some other random channel. Wireshark can't actually change the channel that the wireless network adapter is on, so if you're not getting anything, that could be why..đ
đ Decrypt Traffic with the Network PSK
Now we have the handshakes, we can decrypt the conversation from this point onwards. To do so, we'll need to add the network password or PSK. Go to the "Wireshark" drop-down menu and select the "Preferences" option. Once selected, click on "Protocols"đ
Under Protocols, select "IEEE 802.11," and then click "Enable decryption."
To add the network key, click "Edit" next to "Decryption keys" to open the window to add passwords and PSKs.đ
Select "wpa-psk" from the menu, and then paste in your key. Hit Tab, then save by clicking "OK" đ
Once this is complete, click "OK" on the Preferences menu, and Wireshark should rescan all the captured packets and attempt to decrypt them. This may not work for a variety of reasons. ensuring you had a good handshake (EAPOL) and switching back and forth between using a network password and a PSK âșïž
đ Scan for DNS & HTTP Packets
Now that we have stripped away the protection around the traffic, Wireshark can decrypt them and tell us what the devices on this Wi-Fi network that we have handshakesđ€ for are doing in real time.
1. â DNS Requests
To see interesting packets, we'll start with DNS requests. DNS requests are how apps make sure the IP addresses they are supposed to connect to aren't changed. They'll be directed to domain names that usually have the name of the app in them, making it trivial to see which app is running on the iPhone or Android phone and making the requestsđ
To see these requests, we'll be using two capture filters, dns and http, which will show us the most obvious fingerprints that an app leaves over Wi-Fi. First, type dns into the capture filter bar and hit Enter. If this doesn't work, try switching between a PSK and password a few times. It sucks, but it'll workđ
If your target is feeling lonely or hornyđ„Ž, you will see the response below đ
Tinder calls the Tindersparks.com domain, as well as a lot of other services. This request is obviousđ
While using Signal is a good idea, using it with a VPN is a better idea. Because Even opening Signal creates the exchange below, clearly identifying that the user is communicating with an encrypted messenger....đ
Trying to Shazam a song has the following fingerprint...đ
calling an Uber creates the following requests....đ
Heređ we see an interesting result of opening Venmo, an app for transferring moneyđ€
2. â HTTP Packets
Next up, we can see there are several insecure web requests by using the http capture filter. These capture filters contain information like the useragent, which will tell us the type of device that is connecting. We can examine this by clicking on the packets and expanding the "Hypertext Transfer Protocol" tabđ
We see insecure HTTP requests to a chat server. Resolving the domain gives us the answer; WeChatđČ
PS:đ WeChat is a Chinese instant messaging, social media, and mobile payment app developed by Tencent. First released in 2011, it became the world's largest standalone mobile app in 2018, with over 1 billion monthly active usersđ
This user has WeChat installed and the communications are not entirely encrypted. hmmmm....I think ni phone chinkoo...maybe a samsang or Mokiađ€
To see everything that was resolved, we can click on the "Statistics" menu tab and select "Resolved Addresses" to see all the domains that were resolved throughout the capture. This should be a list of services the device is connecting to via them apps the target is using đ
đ Careful with Networks yo!đ
This kind of monitoring may seem invasive, but you should keep in mind that your internet service provider (ISP...like Safaricom, Airtel, MTN, Jio, Verizon, AT&T.....etc) also keeps a log of this information and has the right to sell the informationđ€Ż
To prevent this kind of snooping, use a VPN đ„ž that allows you to hide even local traffic behind strong encryption. In a place where you might be doing something sensitive over a data connection, consider using cellular data whenever possible to prevent this kind of attack.
I hope you enjoyed this guide to using Wireshark to spy on Wi-Fi traffic! Now you can do what the đ”âđ« NSA, Mi5 and CIA do...instead of complaining about what they do. If you cant beat 'em join 'em đ
đConclusion đ€
Subscribe to receive notifications of similar posts đ where we will be reverse engineering malware, vulnerabilities as well as hacking vectors, stories, tutorials and other Infosec stuff...đ
Follow me on twitter for daily Infosec Memes and shenanigansđ
Morans,
Thank you for taking time and hope you learned something new, Like and leave a comment/review and as always, stay awesome! đđ đȘ