infus3

How can I tell if someone is sniffing on my network?

27 posts in this topic

Hey, I have a wireless router that I use to broadcast internet for my roommate. I also use it cause I like the firewall that it provides. I don't have it encrypted and pretty much anyone can get on it. I don't mind too much since I would appreciate the same service from someone else. I also enjoy sniffing traffic sometimes. My question is this: How can I tell if someone on my network is sniffing my traffic or traffic of someone else on the network? I know this sounds noobie but I'd like to learn.

Edited by infus3

How can I tell if someone on my network is sniffing my traffic or traffic of someone else on the network?

You can't. If the attacker has their network card set to monitor mode, and you're not using any kind of encryption, there is nothing to prevent them from sniffing, and nothing you can really do to tell.


Wow that was fast. :D

Are there any ways I can ensure that I'm not getting sniffed? Besides adding a security key to the network? I'm pretty sure I'm not being sniffed, but I'm just curious as to how I can avoid it if I leave my network open to the public.

Are there any ways I can ensure that I'm not getting sniffed? Besides adding a security key to the network? I'm pretty sure I'm not being sniffed, but I'm just curious as to how I can avoid it if I leave my network open to the public.

If you'd like to leave the router open, then there isn't really any way that you can prevent your traffic from getting sniffed. However, you can encrypt the traffic from the computer on the wireless network to somewhere on the wired side of your network, so any traffic sniffed is encrypted. You might want to look into setting up a VPN or something to encrypt the traffic.

Are there any ways I can ensure that I'm not getting sniffed? Besides adding a security key to the network?

You can't keep them from sniffing, but you can make it such that it won't help them. You could set up a VPN server on the wired side of your network and connect to it with a VPN client over wireless from your laptop, and do all of your traffic over the VPN. You could implement any other sort of tunneling and encryption scheme you might be comfortable with, really. It's much easier just to use WPA for your wireless, though.

Edit: Whups, beaten heh.

Edited by McGrewSecurity

At least I understand what a VPN does now. The regulars that use my wireless are my neighbors and I know they don't sniff. I was just thinking about outsiders/war drivers (if I understand that word correctly) and what they would be able to do on my network.

<---- Since I'm still a n00bie...I'm pretty new to sniffing, just wondered if anyone knew any good tutorials on it. I've learned a bit using Cain and the self-explanatory GUI. I'd like to dig deeper and see what else I might be missing though.

Edited by infus3

If somebody gets onto your network via 'war driving,' they could potentially use utilities like Cain and Abel to gain admin privileges to another host on the network, brute force the router configuration page and have control over your network, etc., or simply just use up some of your bandwidth. Cain and Abel cannot 'crack' wireless encryption; however, it can recover user/login passwords of other computers on a wireless network.

Look into 'promiscuous mode.'

If somebody gets onto your network via 'war driving,' they could potentially use utilities like Cain and Abel to gain admin privileges to another host on the network, brute force the router configuration page and have control over your network, etc., or simply just use up some of your bandwidth. Cain and Abel cannot 'crack' wireless encryption; however, it can recover user/login passwords of other computers on a wireless network.

Look into 'promiscuous mode.'

I thought Cain could crack WEP?

Also, a brute force attack by Cain would be very detectable.


I'm not really looking at Cain as a cracking tool. I don't have a laptop or even a wireless card in my desktop. I simply use Cain to sniff the traffic on my network. I was just wondering about all the things the sniffer could do, so I asked for tutorials/tips and the like.


Would turning down the transmit power help??? I know in the dd-wrt on the linksys 54g it can be done.. And what about 'ACK' timing.. if I understand this right, when it works (when) it reduces the 'range' of how far a remote computer can be to access the network... Might help against a war-driver brute-forcing you from the parking lot. Guess it works like radar, by timing the return signal or something. I really don't know... just read it a while back and thought I'd bring it up..


Actually, for the original question, Ettercap has a plugin in which you can detect which hosts on the LAN have their cards in promiscuous mode.

It's quite useful.

Actually, for the original question, Ettercap has a plugin in which you can detect which hosts on the LAN have their cards in promiscuous mode.

It's quite useful.

This will only work if the folks sniffing are associated to the network, and sniffing in promiscuous mode (where the card or driver provides Ethernet frames up to the higher layers).

This won't work against anyone who knows what they're doing sniffing a network, with a card in monitor mode, unassociated to the network. In this mode, the sniffer gets raw 802.11 frames and also has the benefit of being able to capture packets from multiple networks simultaneously.

I'm not really looking at Cain as a cracking tool. I don't have a laptop or even a wireless card in my desktop. I simply use Cain to sniff the traffic on my network. I was just wondering about all the things the sniffer could do, so I asked for tutorials/tips and the like.

I am assuming you're on a wired network then. Try Wireshark, otherwise known as Ethereal, for both Windows and Linux. Although a bit more complicated, it will enable you to give further analysis over Cain and it also uses a GUI.

Actually, for the original question, Ettercap has a plugin in which you can detect which hosts on the LAN have their cards in promiscuous mode.

It's quite useful.

This will only work if the folks sniffing are associated to the network, and sniffing in promiscuous mode (where the card or driver provides Ethernet frames up to the higher layers).

This won't work against anyone who knows what they're doing sniffing a network, with a card in monitor mode, unassociated to the network. In this mode, the sniffer gets raw 802.11 frames and also has the benefit of being able to capture packets from multiple networks simultaneously.

Wow. That's great. I've never heard of monitor mode before. Interesting.

What's a sniffing tool that can run in monitor mode? Can Wireshark?


In Kismet, while you are sniffing, you can see other sniffing clients, I believe.

Actually, for the original question, Ettercap has a plugin in which you can detect which hosts on the LAN have their cards in promiscuous mode.

It's quite useful.

I warned you guys I'm a bit noob...so this may sound stupid. Since I am the one routing I am the host right? Which makes everyone else on my network clients? Which would mean Ettercap would only work if I was a client on a network trying to see if the host had their card in promiscuous mode?

This will only work if the folks sniffing are associated to the network, and sniffing in promiscuous mode (where the card or driver provides Ethernet frames up to the higher layers).

This won't work against anyone who knows what they're doing sniffing a network, with a card in monitor mode, unassociated to the network. In this mode, the sniffer gets raw 802.11 frames and also has the benefit of being able to capture packets from multiple networks simultaneously.

I don't have a wireless card at the moment and I don't really know anything about wireless...but by association you mean connection right? So I could list all the wireless networks and not really connect to a particular one, yet still sniff traffic from them all?

I am assuming you're on a wired network then. Try Wireshark, otherwise known as Ethereal, for both Windows and Linux. Although a bit more complicated, it will enable you to give further analysis over Cain and it also uses a GUI.

I downloaded Wireshark. It is a bit more complicated than Cain. It might take a bit to get the hang of it.

What's a sniffing tool that can run in monitor mode? Can Wireshark?

(disclaimer: this is how we roll in Linux. I don't know how to set a card into monitor mode in Windows.)

You'll have to put your card into monitor mode yourself with iwconfig (or whatever you use to manage your card). After that, Wireshark should be able to sniff in monitor mode, although I haven't had much luck with it actually working. Kismet, however, is excellent. It'll put your card into monitor mode for you, and log all packets, and it's all very nice. And once you log packets with Kismet, you can load up the dumps in Wireshark for analysis with no problems.

I don't have a wireless card at the moment and I don't really know anything about wireless...but by association you mean connection right? So I could list all the wireless networks and not really connect to a particular one, yet still sniff traffic from them all?

Yup.

In Kismet, while you are sniffing, you can see other sniffing clients, I believe.

You can see other clients that are acting "suspicious". This means they're sending lots of probe requests, but not associating with any network. This is how less stealthy wardriving software, like Netstumbler, behaves. Kismet will not detect clients in monitor mode.

What's a sniffing tool that can run in monitor mode? Can Wireshark?

(disclaimer: this is how we roll in Linux. I don't know how to set a card into monitor mode in Windows.)

You'll have to put your card into monitor mode yourself with iwconfig (or whatever you use to manage your card). After that, Wireshark should be able to sniff in monitor mode, although I haven't had much luck with it actually working. Kismet, however, is excellent. It'll put your card into monitor mode for you, and log all packets, and it's all very nice. And once you log packets with Kismet, you can load up the dumps in Wireshark for analysis with no problems.

Mhm. If you are unassociated with the network though, how do you tell where the traffic is coming from? It would be hard to follow the traffic flow, when someone on another AP suddenly starts up 'utorrent'.

Mhm. If you are unassociated with the network though, how do you tell where the traffic is coming from? It would be hard to follow the traffic flow, when someone on another AP suddenly starts up 'utorrent'.

The 802.11 frames are tagged with the network information :)

Edited by McGrewSecurity

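Added example, not written by anyone in this thread and not Kismet's own logic: a small Python parser for raw 802.11 MAC headers (no radiotap) that shows both points made above, namely that every data frame carries its BSSID in a position set by the ToDS/FromDS bits, and that a station which keeps probing without ever associating stands out. The function names, the threshold of 3 and all MAC addresses are constructed for illustration.

```python
from collections import Counter

MGMT, DATA = 0, 2            # 802.11 frame types
ASSOC_REQ, PROBE_REQ = 0, 4  # management subtypes

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_header(frame):
    """Parse a raw 802.11 MAC header; None for short (control) frames."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
    to_ds, from_ds = frame[1] & 1, (frame[1] >> 1) & 1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Which address field carries the BSSID depends on the ToDS/FromDS bits.
    bssid = {(0, 0): a3, (1, 0): a1, (0, 1): a2}.get((to_ds, from_ds))  # WDS: none
    return ftype, subtype, mac(a2), mac(bssid) if bssid else None

def summarize(frames, probe_threshold=3):
    """Return (data frames per BSSID, stations that only probe and never join)."""
    per_bssid, probes, joined = Counter(), Counter(), set()
    for ftype, subtype, tx, bssid in filter(None, map(parse_header, frames)):
        if ftype == DATA:
            per_bssid[bssid] += 1
        if ftype == DATA or (ftype, subtype) == (MGMT, ASSOC_REQ):
            joined.add(tx)
        elif (ftype, subtype) == (MGMT, PROBE_REQ):
            probes[tx] += 1
    # A purely passive monitor-mode listener transmits nothing and never shows up here.
    noisy = sorted(s for s, n in probes.items() if n >= probe_threshold and s not in joined)
    return dict(per_bssid), noisy

def build(ftype, subtype, a1, a2, a3, to_ds=0, from_ds=0):
    """Constructed sample frame: frame control, duration, 3 addresses, seq control."""
    fc = bytes([(subtype << 4) | (ftype << 2), to_ds | (from_ds << 1)])
    return fc + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

# Constructed locally administered MAC addresses, not real devices.
AP1, AP2, STA_A, STA_B, PROBER = (bytes.fromhex("0200000000" + x) for x in ("01", "02", "0a", "0b", "0c"))
BCAST = b"\xff" * 6
SAMPLE = ([build(MGMT, ASSOC_REQ, AP1, STA_A, AP1)]
          + [build(DATA, 0, AP1, STA_A, STA_B, to_ds=1)] * 2
          + [build(DATA, 0, STA_B, AP2, STA_A, from_ds=1)]
          + [build(MGMT, PROBE_REQ, BCAST, PROBER, BCAST)] * 4
          + [build(MGMT, PROBE_REQ, BCAST, STA_A, BCAST)] * 3
          + [bytes.fromhex("d4000000") + STA_A])  # 10-byte ACK, skipped
```

Calling `summarize(SAMPLE)` groups the data frames under the two constructed BSSIDs and reports only the station that probed four times without joining; the associated station that also probed is not reported.
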
Mhm. If you are unassociated with the network though, how do you tell where the traffic is coming from? It would be hard to follow the traffic flow, when someone on another AP suddenly starts up 'utorrent'.

The 802.11 frames are tagged with the network information :)

I think you need to write a book. ^^

I think you need to write a book. ^^

Nah, there's already a good one:

http://www.wi-foo.com/

I just meant that you really know what you're talking about.

All this talk makes me want to get a wireless card. <_<

Edited by infus3

All this talk makes me want to get a wireless card. <_<

It would go nicely with that wireless network you're running for all these other people ;)
