How to Spy on Traffic from a Smartphone with Wireshark

Dec 6, 2019 11:58 PM
637112443349836922.jpg

So you want to know what that person who is always on their phone is up to? If you're on the same Wi-Fi network, it's as simple as opening Wireshark and configuring a few settings. We'll use the tool to decrypt WPA2 network traffic so we can spy on which applications a phone is running in real time.

While using an encrypted network is better than using an open one, the advantage disappears if the attacker is on the same network. If someone else knows the password to the Wi-Fi network you are using, it's easy to see what you're doing at that moment using Wireshark. It can allow an attacker to create a list of every app running on the device being targeted and zero in on apps that might be vulnerable.

Decrypting Encrypted Packets

When you use a Wi-Fi network that uses WPA2 encryption, the security of your session is based on two things. The first is the password that's used to generate a much longer number, a PSK or pre-shared key. The second is the actual handshake itself, which has to happen to establish a connection. If an attacker has the PSK to the Wi-Fi network and either observes you join the network or kicks you off for a moment, they can decrypt your Wi-Fi traffic to see what you're doing.

The content of HTTPS websites won't be able to be seen, but any plain HTTP websites you visit or any insecure HTTP requests apps on your phone makes are in plain view. This may not seem like a big deal, but in only 60 seconds, it's easy to learn a lot about the type of device we're monitoring and what exactly is running on it. Also, DNS requests to resolve the domains that apps need to talk to in order to work are easy to see, identifying which apps and services are active.

How It Works

To pull off this attack, a few conditions need to be met. First, we need the password, we need to be in proximity to the victim so we can record traffic, and we need to be able to kick the targeted device off the network or wait for them to reconnect. We'll open Wireshark and access the menu to decrypt Wi-Fi packets, add the PSK to enable decryption, and wait for EAPOL packets from the targeted device connecting to the network.

To get a feeling for what the targeted device is up to, we'll be using capture filters to highlight DNS and HTTP packets we're looking for. To see a complete list of every domain the device has resolved, we can also look at a summary of resolved domains after the capture is complete. We can use this information to easily pick apart which services are running, even if they're only running in the background and the app hasn't been running in quite some time.

What You'll Need

To do this, you'll need a wireless network adapter card capable of wireless monitor mode. You can check out our guides on selecting one that's Kali-compatible and supports monitor mode.

Next, you'll need an iOS or Android smartphone connected to the Wi-Fi network you're monitoring. You can practice this on an open Wi-Fi network to see what you're supposed to see, as sometimes decryption may not work the first time. You'll also need to know the password and network name of the Wi-Fi network you want to monitor. This will allow you to calculate the pre-shared key, allowing us to decrypt the traffic in realtime.

Step 1: Download Wireshark & Connect to the Wi-Fi Network

Download and install Wireshark if it's not already installed, and connect to the Wi-Fi network your target is on. If you plan to use a PSK rather than a network key, you should calculate it using the Wireshark tool before doing so, because you may not be able to access the internet during the capture, depending on your card.

Once you have Wireshark downloaded, open it, then take a look at your network interfaces. Before we start capturing, we'll need to set a few things up to make sure the card is capturing in the correct mode.

636956350905462620.jpg

Step 2: Set Up Wireshark for Capturing

Under the Wireshark menu option, click on the gear-shaped "Capture options" menu.

636956453696014433.jpg

That will open the Capture Interfaces window, as seen below.

636956351402025468.jpg

Step 3: Begin the Network Capture & Scan for EAPOL Packets

If you're not connected to the network your target is on, then you won't be able to see any packets because you might be on some other random channel. Wireshark can't actually change the channel that the wireless network adapter is on, so if you're not getting anything, that could be why.

636956374307181369.jpg
636956374740152674.jpg
636956374307181369.jpg
636956374740152674.jpg

Step 4: Decrypt Traffic with the Network PSK

Now that we have handshakes, we can decrypt the conversation from this point onwards. To do so, we'll need to add the network password or PSK. Go to the "Wireshark" drop-down menu and select the "Preferences" option. Once selected, click on "Protocols."

636956375152181094.jpg

Under Protocols, select "IEEE 802.11," and then click "Enable decryption." To add the network key, click "Edit" next to "Decryption keys" to open the window to add passwords and PSKs.

636956399399056152.jpg

Select "wpa-psk" from the menu, and then paste in your key. Hit Tab, then save by clicking "OK."

636956378747181529.jpg

Once this is complete, click "OK" on the Preferences menu, and Wireshark should rescan all the captured packets and attempt to decrypt them. This may not work for a variety of reasons. I was able to get it to work most of the time by ensuring I had a good handshake (EAPOL) and switching back and forth between using a network password and a PSK. If it works, we can move on to the step of analyzing the traffic to pick out apps in use.

Step 5: Scan for DNS & HTTP Packets

Now that we have stripped away the protection around the traffic, Wireshark can decrypt them and tell us what the devices on this Wi-Fi network that we have handshakes for are doing in real time.

1. DNS Requests

To see interesting packets, we'll start with DNS requests. DNS requests are how apps make sure the IP addresses they are supposed to connect to haven't changed. They'll be directed to domain names that usually have the name of the app in them, making it trivial to see which app is running on the iPhone or Android phone and making the requests.

To see these requests, we'll be using two capture filters, dns and http, which will show us the most obvious fingerprints that an app leaves over Wi-Fi. First, type dns into the capture filter bar and hit Enter. If this doesn't work, try switching between a PSK and password a few times. It sucks, but sometimes it will start working.

636956382348900973.jpg

If your target is feeling lonely, you might see the response below. Tinder calls the Tindersparks.com domain, as well as a lot of other services. This request is one of the most obvious.

636956382783274932.jpg

While using Signal is a good idea, using it with a VPN is a better idea. The reason? Even opening Signal creates the exchange below, clearly identifying that the user is communicating with an encrypted messenger.

636956382965462562.jpg

Trying to find that song that's playing with Shazam leaves the following fingerprint.

636956383159993710.jpg

Opening the app to call an Uber creates the requests you see below.

636956384122650235.jpg

Below, we see the effect of opening Venmo, and app for transferring money. It seems like a good time to redirect this request elsewhere.

636956384333431027.jpg

2. HTTP Packets

Next up, we can see there are several insecure web requests by using the http capture filter. These capture filters contain information like the useragent, which will tell us the type of device that is connecting. We can examine this by clicking on the packets and expanding the "Hypertext Transfer Protocol" tab.

636956384738431484.jpg

In this example, we can see insecure HTTP requests to a chat server. What the heck is this? Merely examining the packet and resolving the domain gives us the answer right away. It's WeChat! This phone has WeChat installed, and further, the communications coming out of it are not entirely encrypted.

636956390964212584.jpg
636956373842025426.jpg
636956390964212584.jpg
636956373842025426.jpg

If we want to see everything that was resolved, we can click on the "Statistics" menu tab and select "Resolved Addresses" to see all the domains that were resolved throughout the capture. This should be a laundry list of services the device is connecting to via the apps running on it.

636956389472962543.jpg

This breakdown makes it even easier to see what the target was up to.

Wireshark Makes Wi-Fi Networks a Risky Thing to Trust

This kind of monitoring may seem invasive, but you should keep in mind that your internet service provider also keeps a log of this information and has the right to sell the information. If you want to prevent this kind of snooping, you should get a VPN like Mullvad or PIA that allows you to hide even local traffic behind strong encryption. In a place where you might be doing something sensitive over a data connection, you should also consider using cellular data whenever possible to prevent this kind of attack.

I hope you enjoyed this guide to using Wireshark to spy on Wi-Fi traffic! If you have any questions about this tutorial on Wi-Fi decryption, leave a comment below, and feel free to reach me on Twitter @KodyKinzie.

Cover photo and screenshots by Kody/Null Byte

Comments

No Comments Exist

Be the first, drop a comment!