Network traffic analyzer sniffer. What is a sniffer: description



This article gives instructions for cracking WEP encryption on Wi-Fi networks. It does not cover basic wireless networking concepts and assumes that the reader already knows them. We will use: Windows OS, CommView for Wi-Fi and aircrack-ng 0.9.3 win.

Since we will be using CommView for Wi-Fi, you need to download this program, for example from the company's website. Aircrack-ng 0.9.3 win can be downloaded from our website. Before installing CommView for Wi-Fi, check if your wireless adapter is included in the list of supported ones.

Install CommView for Wi-Fi with the default settings (be sure to install the driver for your card if required!) and unzip Aircrack-ng 0.9.3 win to any convenient folder; I recommend the C:/ drive. Now we can get to work.

The aircrack-ng package includes a good sniffer, airodump-ng, but some difficulties may arise when using this sniffer under Windows. Windows has one unpleasant feature: standard means (the official drivers) cannot put the Wi-Fi card into sniffer mode (the mode in which the card collects all available packets). You can use third-party drivers (which is what people usually do) or modified official ones, but this is fraught with glitches and unpleasant consequences, such as the card refusing to connect to the access point. This is easily fixed by installing the standard driver.

I would like to offer another option, which according to Choix from the site wardriving.ru is more convenient: using CommView for Wi-Fi as the sniffer together with Aircrack-ng to crack the WEP key. The main advantage of this combination is that there is no need to install the driver each time the card is switched to sniffer mode and back. CommView for Wi-Fi also supports some cards, such as the built-in Intel PRO/Wireless 2200BG adapter, which airodump does not support under Windows.


We launch CommView for Wi-Fi; at the first launch it will offer to patch the drivers and reboot. We boldly agree everywhere. Next, if we are going to use the program only to collect encrypted DATA packets, select the RULES menu, check the boxes for capturing DATA packets and ignoring BEACON packets, and uncheck the rest. Click save current rule (we save it as a backup). Go to the settings and set it there as in the picture:

That's almost everything :-) We'll start cracking soon)) The setup is done once, so don't be alarmed that there's so much to click on. All that remains is to go to the Log files tab in the main program window, check the autosave box and set the Maximum directory size to 200 MB and the average file size to about 5 MB.

Next, click the *Capture* button and, in the window that appears, click *start scanning*. A list of the access points in range appears on the right, with the signal level and other additional information. We select our victim's access point and press capture. Now we take beer and crackers in hand and wait until we have the required number of packets (from 100,000 to 2,000,000 depending on the length of the key); we will have to wait a little.

Hooray!!! The packets are collected. Now press Ctrl+L; in the window that appears choose file, load commview log files and select all the files that we see. Then open the rules menu and load the rule we saved (DATA packets only). Now we export the packets in TCPdump format.

We use AirCrack: set its parameters and indicate the path to our file with the packets from CommView, which is in TCPdump format. To run the aircrack-ng GUI, you need to have Microsoft .NET Framework 2.0 installed (1 and 3 will not work).

Select Encryption: WEP, Key size: in order from smallest to largest. If you have captured enough ARP packets, you can check the USE PTW attack checkbox. Click Launch.

If the key is found, you will see something like this:

If the key is not found, try changing the parameters until you succeed.

Intercepter is a multifunctional network tool that allows you to obtain data from traffic (passwords, instant messenger messages, correspondence, etc.) and carry out various MiTM attacks.


Intercepter program interface
Main functionality

  • Interception of instant messenger messages.
  • Interception of cookies and passwords.
  • Interception of activity (pages, files, data).
  • Ability to spoof file downloads by adding malicious files. Can be used in conjunction with other utilities.
  • Replacing HTTPS certificates with HTTP.
Operating modes
Messengers Mode – allows you to check correspondence that was sent in unencrypted form. It has been used to intercept messages in instant messengers such as ICQ, AIM and Jabber.

Resurrection Mode – recovery of useful data from traffic, from protocols that transmit traffic in clear text. When the victim views files, pages or data, they can be partially or completely intercepted. Additionally, you can specify the size of the files so as not to load the program with small fragments. This information can be used for analysis.

Password Mode – mode for working with cookies. In this way, it is possible to gain access to the victim's visited files.

Scan mode – main mode for testing. To start scanning, you need to right-click Smart Scan. After scanning, the window will display all network participants, their operating system and other parameters.

Additionally, in this mode you can scan ports. You must use the Scan Ports function. Of course, there are much more functional utilities for this, but the presence of this function is an important point.

If we are interested in a targeted attack on the network, then after scanning we need to add the target IP to Nat using the command (Add to Nat). In another window it will be possible to carry out other attacks.

Nat Mode. The main mode, which allows you to carry out a number of attacks via ARP. This is the main window that allows targeted attacks.

DHCP mode. This mode allows you to bring up your own DHCP server in order to carry out man-in-the-middle attacks over DHCP.

Some types of attacks that can be carried out
Site spoofing

To spoof the victim’s website, you need to go to Target, after which you need to specify the site and its substitution. This way you can replace quite a lot of sites. It all depends on how high-quality the fake is.


Example for VK.com

Selecting MiTM attack

Changing the injection rule
As a result, the victim opens a fake website when requesting vk.com. And in password mode there should be the victim’s login and password:


To carry out a targeted attack, you need to select a victim from the list and add it to the target. This can be done using the right mouse button.


Adding MiTm attacks
Now you can use Resurrection Mode to recover various data from traffic.


Victim files and information via MiTm attack
Traffic spoofing



Specifying Settings
After this, the victim’s request will change from “trust” to “loser”.

Additionally, you can kill cookies so that the victim logs out of all accounts and logs in again. This will allow you to intercept logins and passwords.


Destroying cookies

How to see a potential sniffer on the network using Intercepter?

Using the Promisc Detection option, you can detect a device that is scanning on the local network. After scanning, the status column will show “Sniffer”. This is the first way to detect scanning on a local network.


Sniffer Detection
SDR HackRF Device


HackRF
SDR is a kind of radio receiver that allows you to work with different radio frequency parameters. Thus, it is possible to intercept the signal of Wi-Fi, GSM, LTE, etc.

HackRF is a full SDR device for $300. The author of the project, Michael Ossmann, develops successful devices in this field. The Ubertooth Bluetooth sniffer was previously developed and successfully implemented. HackRF is a successful project that has raised more than 600 thousand on Kickstarter. 500 of these devices have already been sold for beta testing.

HackRF operates in the frequency range from 30 MHz to 6 GHz. The sampling frequency is 20 MHz, which allows you to intercept signals from Wi-Fi and LTE networks.

How to protect yourself at the local level?

First, let's use SoftPerfect WiFi Guard software. There is a portable version that takes no more than 4 MB. It scans your network and shows which devices are present on it. It has settings that allow you to select the network card and the maximum number of devices to be scanned. Additionally, you can set the scanning interval.

Ability to add comments for users


Notification window for unfamiliar devices after each specified scanning interval

Conclusion
Thus, we examined in practice how to use software to intercept data within a network. We looked at several specific attacks that allow you to obtain login data, as well as other information. Additionally, we looked at SoftPerfect WiFi Guard, which allows you to protect your local network from traffic eavesdropping at a basic level.

SmartSniff allows you to intercept network traffic and display its contents in ASCII. The program captures packets passing through the network adapter and displays the contents of the packets in text form (http, pop3, smtp, ftp protocols) and as a hexadecimal dump. To capture TCP/IP packets, SmartSniff uses the following techniques: raw sockets, the WinPcap Capture Driver and the Microsoft Network Monitor Driver. The program supports the Russian language and is easy to use.

Sniffer program for capturing packets


SmartSniff displays the following information: protocol name, local and remote address, local and remote port, local node, service name, data volume, total size, capture time and last packet time, duration, local and remote MAC address, countries and data packet contents. The program has flexible settings: it implements a capture filter, unpacking of http responses and conversion of IP addresses, and the utility minimizes to the system tray. SmartSniff generates a report on packet flows as an HTML page. The program can export TCP/IP streams.



The Wi-Fi network packet sniffer module can be used in both normal and monitor modes, but it also supports a third option, the extended mode, for capturing the Wi-Fi network traffic generated by your equipment.

The extended mode allows you to use the sniffer while your wireless card is connected to a Wi-Fi network. Apart from viewing signaling packets (beacons, probe requests, probe responses, data packets, etc.), you will be able to view all the TCP, UDP, or Wi-Fi broadcast traffic generated by your system while connected. This way, you will be able to view and analyze all the web browsing (HTTP) traffic, or any other network connection sent by the Wi-Fi network you are connected to.

This capture mode does not allow you to view Wi-Fi traffic from other channels, since your wireless card is working at a fixed frequency.

The Wi-Fi network sniffer on extended mode and the network packet capture mode sectors are long-awaited new features on Acrylic Wi-Fi Professional v2.3, which is expected to be launched within the next few days.

Download Wireless Network Sniffer for Windows 7/8/8.1/10

If you do not need to view Wi-Fi network packets or use a Wi-Fi network traffic sniffer, download , a free Wi-Fi network and channel sniffer for Windows that allows you to view all the wireless networks within reach. This version supports normal capture and monitor modes.

If you need complete wireless network behavior information, Wi-Fi network sniffer is the right solution for you, since it supports all three Wi-Fi network capture modes, providing Wi-Fi network packet information in real time. A very useful tool for improving wireless network performance, detecting incidents, and learning more about Wi-Fi networking. Try it for free!

And for advanced users, the Acrylic Wi-Fi driver allows you to.






