top of page
Writer's picturealvin gitonga

Wireshark🦈: Spy on all smartphones☠️ on a Wi-Fi network😈

CyberMorans🤗

Today, We'll use wireshark🦈 to decrypt WPA2 network traffic so we can spy🧐 on the apps a target is using on their phone in real time😱
 

While using an encrypted network is better than using an open one, the advantage disappears if the attacker😈 is on the same network. It can allow an hacker😈 to create a list of every app running on your device and zero in on apps that might be vulnerable.


When you use a Wi-Fi that uses WPA2 encryption, the security of your session is based on two things. The first is the password that's used to generate a much longer number, a PSK or pre-shared key. The second is the actual handshake itself🤝, which has to happen to establish a connection. If an hacker😈 has the PSK to the Wi-Fi network and either observes you join the network or kicks you off for a moment, they can decrypt your Wi-Fi traffic to see what you're doing😎


To pull off this attack, First, we need to be in the same network as our target, we need to be within proximity to the victim so we can record traffic, and we need to be able to kick the targeted device off the network or wait for them to reconnect...🤤


We'll open Wireshark and access the menu to decrypt Wi-Fi packets, add the PSK to enable decryption, and wait for packets from the targeted device connecting to the network. To get a feeling for what the targeted device is up to, we'll be using capture filters to highlight DNS and HTTP packets we're looking for


Morans, buckle up & throw privacy off the window...😆🚀


 

🚀 Download Wireshark & Connect to the Wi-Fi Network

Download and install Wireshark if it's not already installed, and connect to the Wi-Fi network your target is on.


If you plan to use a PSK rather than a network key, you should calculate it using the Wireshark tool before doing so, as you may not be able to access the internet during the capture, depending on your card😛


Once you have Wireshark downloaded, open it, then look at your network interfaces. Before we start capturing, we'll need to set a few things up to make sure we are capturing in the correct mode.

🚀 Set Up Wireshark for Capturing

Under the Wireshark menu option, click on the gear-shaped "Capture options" menu👇



That will open the Capture Interfaces window,👇

Begin the Network Capture & Scan for EAPOL Packets

If you're not connected to the network your target is on, then you won't be able to see any packets because you might be on some other random channel. Wireshark can't actually change the channel that the wireless network adapter is on, so if you're not getting anything, that could be why..👇


🚀 Decrypt Traffic with the Network PSK

Now we have the handshakes, we can decrypt the conversation from this point onwards. To do so, we'll need to add the network password or PSK. Go to the "Wireshark" drop-down menu and select the "Preferences" option. Once selected, click on "Protocols"👇

Under Protocols, select "IEEE 802.11," and then click "Enable decryption."

To add the network key, click "Edit" next to "Decryption keys" to open the window to add passwords and PSKs.👇

Select "wpa-psk" from the menu, and then paste in your key. Hit Tab, then save by clicking "OK" 👇

Once this is complete, click "OK" on the Preferences menu, and Wireshark should rescan all the captured packets and attempt to decrypt them. This may not work for a variety of reasons. ensuring you had a good handshake (EAPOL) and switching back and forth between using a network password and a PSK ☺️

 

🚀 Scan for DNS & HTTP Packets

Now that we have stripped away the protection around the traffic, Wireshark can decrypt them and tell us what the devices on this Wi-Fi network that we have handshakes🤝 for are doing in real time.


1. ☝ DNS Requests

To see interesting packets, we'll start with DNS requests. DNS requests are how apps make sure the IP addresses they are supposed to connect to aren't changed. They'll be directed to domain names that usually have the name of the app in them, making it trivial to see which app is running on the iPhone or Android phone and making the requests😋


To see these requests, we'll be using two capture filters, dns and http, which will show us the most obvious fingerprints that an app leaves over Wi-Fi. First, type dns into the capture filter bar and hit Enter. If this doesn't work, try switching between a PSK and password a few times. It sucks, but it'll work👇

If your target is feeling lonely or horny🥴, you will see the response below 👇

Tinder calls the Tindersparks.com domain, as well as a lot of other services. This request is obvious😍

While using Signal is a good idea, using it with a VPN is a better idea. Because Even opening Signal creates the exchange below, clearly identifying that the user is communicating with an encrypted messenger....👇


Trying to Shazam a song has the following fingerprint...👇


calling an Uber creates the following requests....👇


Here👇 we see an interesting result of opening Venmo, an app for transferring money🤑

2. ✌ HTTP Packets

Next up, we can see there are several insecure web requests by using the http capture filter. These capture filters contain information like the useragent, which will tell us the type of device that is connecting. We can examine this by clicking on the packets and expanding the "Hypertext Transfer Protocol" tab👇

We see insecure HTTP requests to a chat server. Resolving the domain gives us the answer; WeChat😲


PS:👌 WeChat is a Chinese instant messaging, social media, and mobile payment app developed by Tencent. First released in 2011, it became the world's largest standalone mobile app in 2018, with over 1 billion monthly active users👌


This user has WeChat installed and the communications are not entirely encrypted. hmmmm....I think ni phone chinkoo...maybe a samsang or Mokia🤭

To see everything that was resolved, we can click on the "Statistics" menu tab and select "Resolved Addresses" to see all the domains that were resolved throughout the capture. This should be a list of services the device is connecting to via them apps the target is using 👇


 

🚀 Careful with Networks yo!🚀

This kind of monitoring may seem invasive, but you should keep in mind that your internet service provider (ISP...like Safaricom, Airtel, MTN, Jio, Verizon, AT&T.....etc) also keeps a log of this information and has the right to sell the information🤯


To prevent this kind of snooping, use a VPN 🥸 that allows you to hide even local traffic behind strong encryption. In a place where you might be doing something sensitive over a data connection, consider using cellular data whenever possible to prevent this kind of attack.


I hope you enjoyed this guide to using Wireshark to spy on Wi-Fi traffic! Now you can do what the 😵‍💫 NSA, Mi5 and CIA do...instead of complaining about what they do. If you cant beat 'em join 'em 😜


 

🚀Conclusion 🤖

Subscribe to receive notifications of similar posts 😜 where we will be reverse engineering malware, vulnerabilities as well as hacking vectors, stories, tutorials and other Infosec stuff...😋


Follow me on twitter for daily Infosec Memes and shenanigans😝


Morans,

Thank you for taking time and hope you learned something new, Like and leave a comment/review and as always, stay awesome! 😋👊 💪

1,123 views0 comments

Recent Posts

See All

Comments


Post: Blog2_Post
bottom of page