How To: Stealthfully Sniff Wi-Fi Activity Without Connecting to a Target Router

Identifying vulnerable devices and services on a target router can be difficult without leaving logs and other traces of an active attacker on the network. However, there is a way to covertly decrypt and view Wi-Fi activity without ever connecting to the wireless network.

When targeting Wi-Fi routers, attackers typically capture a WPA2 four-way handshake and crack the pre-shared key offline, or phish the password from a user. Once the Wi-Fi credentials have been acquired, they begin mapping and fingerprinting the compromised network using a variety of techniques.

Port scanners will create an enormous amount of noise on wireless networks. Man-in-the-middle attacks can be too aggressive and alert users and administrators to the presence of a hacker. Routers keep logs of every device that connects to the network. Every action taken while connected to a network may in some way result in being discovered on the compromised router.

It's better not to connect to the Wi-Fi router at all. In this guide, we'll develop an understanding of how attackers capture packets as they transmit to and from the wireless router with Airodump-ng — and decrypt WPA2 traffic in near real time.

How the Attack Works

Wireshark is the most widely used network protocol analyzer. It lets users inspect what's happening on a network packet by packet and is the de facto analysis tool across commercial and non-profit enterprises, government agencies, and educational institutions.

Wireshark can also decrypt WPA/WPA2-PSK traffic captured over the air, given the network's pre-shared key and a captured four-way handshake, and display the contents in plain text. That's exactly what this guide walks through.

Step 1: Identify the Target Network

Airodump-ng is available in all popular Linux distributions and works in virtual machines and on Raspberry Pi installations. I'll be using Kali Linux to collect data belonging to a Wi-Fi router that I control. If you've never used Airodump-ng before, you can learn some basics in my article on hacking a neighbor with a Post-It note or in our Aircrack-ng overall guide linked below.

To enable monitor mode on a wireless adapter (replace wlan0 with your adapter's interface name), use the below command.

airmon-ng start wlan0

Then, find the target network. To view Wi-Fi networks in the surrounding area, use the below command. I'll be targeting my "Null Byte" router as an example.

airodump-ng wlan0mon

Take note of the BSSID (the router's MAC address), CH (channel), and ESSID (network name). These are needed to lock the capture onto the target network and, later, to decrypt it: the ESSID is part of the key derivation, so record it exactly as broadcast.

Step 2: Start Capturing Wi-Fi Data

To start collecting data belonging to a target network, type the below command, replacing the placeholders with the values you noted.

airodump-ng --bssid TargetMACaddressHere --essid RouterNameHere -c ChannelNumber -w SaveDestination wlan0mon

I'm saving the collected data into my /tmp directory to a file named "null_byte" using the -w argument. Airodump-ng will automatically append a number to the end of the filename, so it'll actually be saved to the /tmp directory as "null_byte-01.cap."

Here's what to expect from a running Airodump-ng terminal:

The most important thing to consider here is the "WPA handshake" notice in the top-right corner. This is the four-way EAPOL handshake a client performs when it joins the network. Knowing the Wi-Fi password is not enough on its own: the password and SSID only yield the pairwise master key, and the per-session key that actually encrypts a client's data frames is derived from that master key plus the random nonces and MAC addresses exchanged in the handshake. Wireshark therefore needs a captured handshake for every client session it is to decrypt; traffic from clients that joined before the capture started stays unreadable. Aireplay-ng can forcibly deauthenticate a client so that it reconnects and hopefully produces a handshake, but the forged deauthentication frames are visible to wireless intrusion detection systems, are blocked on networks with protected management frames (802.11w), and may raise suspicion among users whose connections drop.

As long as the Airodump-ng terminal is running, data will continue to accumulate. The Airodump-ng terminal can run for hours or even days. In my example Airodump-ng session, I let the packet collection run for over 15 minutes. The time elapsed can be identified in the top-left corner of the terminal.

Notice the #Data column in the above screenshot. This number indicates how many data packets have been collected. The higher this number is, the more likely attackers are to discover sensitive information which can be used to pivot or further compromise the target.

When a satisfactory amount of data has been collected, the Airodump-ng session can be stopped by pressing Ctrl + C. There will now be a "null_byte-01.cap" file (or whatever you named it) in the /tmp directory. This .cap file will be opened using Wireshark.

Step 3: Install the Latest Version of Wireshark

By default, Wireshark is included in almost all versions of Kali. There are a few versions which don't include Wireshark, so I'll quickly cover how to install it in Kali.

First, run the apt-get update command to ensure the most recently tested and curated (by the Kali developers) version of Wireshark is available for download. Open a terminal, and type the below command.

sudo apt-get update

Then, use the following command to install Wireshark.

sudo apt-get install wireshark

The && characters can be used between the two commands as I did in the screenshot above. This will instruct the terminal to first sync the package index with its sources, the Kali repositories. Then — and only if the update is successful — it will install Wireshark.

Step 4: Start the Wireshark Tool

When that's done, Wireshark can be found in the "Sniffing & Spoofing" category in the "Applications" menu. To start Wireshark, simply click on the icon.

Step 5: Configure Wireshark to Decrypt Data

To configure Wireshark to decrypt data found in the .cap, click on "Edit" button in the top bar, then "Preferences," and expand the "Protocols" drop-down menu.

Then, scroll down and select "IEEE 802.11." The box next to "Enable decryption" must be checked. Next, click on "Edit" beside "Decryption keys" to add keys for a particular Wi-Fi network.

A new window will pop up. This is where the passphrase and the network name (SSID) are specified, separated by a colon (e.g., password:router_name). The SSID is case-sensitive and must match the broadcast name exactly, spaces included, because it is the salt in the key derivation; a wrong SSID silently produces a wrong key and nothing decrypts.

First, select the "wpa-pwd" key type, which takes the WPA passphrase in plain text. (The "wpa-psk" type instead takes the 64-hex-digit pre-shared key, useful when only that value is known.) The password to my "Null Byte" Wi-Fi network is a long encoded string, so I entered "bWN2a25yMmNuM2N6amszbS5vbmlvbg==:Null Byte" in the Key column. Another example would be "Wonderfulboat555:NETGEAR72," where "Wonderfulboat555" is the password to a "NETGEAR72" router.

When that's done, click "OK" to save the credentials. Wireshark will now automatically decrypt data belonging to the "Null Byte" Wi-Fi network when a .cap file is imported.
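To make the relationship between the password, the SSID and the handshake concrete, here is an added worked example (my own code, not part of the original article or of Wireshark). It performs the same derivation Wireshark does with a "wpa-pwd" key: PBKDF2-HMAC-SHA1 turns passphrase and SSID into the pairwise master key (PMK), the 802.11 PRF expands PMK, both MAC addresses and both handshake nonces into the pairwise transient key (PTK), and the key confirmation key (KCK) slice of the PTK verifies the MIC on handshake message 2. The MAC addresses, nonces and the EAPOL frame are constructed for the demonstration; the passphrase and SSID are the article's "Wonderfulboat555:NETGEAR72" example. Only key-descriptor version 2 (WPA2/CCMP, HMAC-SHA1) is implemented.

```python
import hashlib
import hmac

# Constructed values for the demonstration (not from any real capture).
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# EAPOL(4) + descriptor type(1) + key info(2) + key length(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """What a 'wpa-pwd' key 'passphrase:ssid' becomes: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit PMK.
    The SSID is the salt, which is why it must match exactly."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).
    The nonces exist only in the 4-way handshake, so the .cap must contain one per client session."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    # KCK signs the handshake, KEK wraps the group key, TK is the CCMP key that decrypts data frames.
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_key_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for descriptor version 2: HMAC-SHA1 over the frame with its MIC field zeroed, first 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_handshake_message(kck: bytes, eapol_frame: bytes) -> bool:
    """A MIC that verifies means passphrase, SSID, MACs and nonces all line up (a 'good' handshake)."""
    return hmac.compare_digest(eapol_key_mic(kck, eapol_frame), eapol_frame[MIC_OFFSET:MIC_OFFSET + 16])


def build_message2(snonce: bytes, kck: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (key info: version 2, pairwise, MIC; empty key data) with a valid MIC."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + bytes(8) + snonce + bytes(16) + bytes(8) + bytes(8)
            + bytes(16) + b"\x00\x00")
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL version 2, type 3 (Key)
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]


if __name__ == "__main__":
    pmk = pmk_from_passphrase("Wonderfulboat555", "NETGEAR72")
    keys = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    msg2 = build_message2(SNONCE, keys["kck"])
    print("PMK:", pmk.hex())
    print("TK: ", keys["tk"].hex())
    print("MIC verifies with the right passphrase:", verify_handshake_message(keys["kck"], msg2))
    wrong = derive_ptk(pmk_from_passphrase("wrongpassword", "NETGEAR72"), AP_MAC, STA_MAC, ANONCE, SNONCE)
    print("MIC verifies with a wrong passphrase:  ", verify_handshake_message(wrong["kck"], msg2))
```

The PMK alone is useless for reading data frames: without a captured handshake there are no nonces, so there is no PTK and no TK. That is also why tools report a handshake as "good" or "bad": they run exactly this MIC check, and a wrong passphrase, a wrong SSID, or a handshake with messages from two different sessions all fail it.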

Step 6: Perform Deep Packet Inspection (DPI)

To import a .cap into Wireshark, click on the "File" button in the top bar, then click "Open." The .cap will be found in the /tmp directory; Select it, then click "Open." Depending on how long the Airodump-ng terminal collected data, it could take Wireshark several minutes to import and decrypt all the data.

After opening the .cap in Wireshark, there may be thousands of packets. This can be intimidating. Fortunately, Wireshark has display filters which can be used to manage and filter out packets that aren't useful. There are many display filter cheat sheets online to help Wireshark users find relevant and sensitive data, but I'll cover a few useful display filters below which attackers use to inspect activity taking place on the network.

1. Find POST Data

The HTTP POST request method is often used when uploading a file or submitting usernames and passwords to a website. When someone logs into a site or posts a comment at the bottom of an article, it's usually done with a POST request.

POST data in the .cap is the most likely place to find compromising information: usernames, passwords, real names, home addresses, email addresses, chat logs, and much more. Note that Wireshark can only show request contents for plain HTTP; a POST sent over HTTPS is inside TLS, and the filter below won't match it even after the Wi-Fi layer has been decrypted. To filter POST data, enter the below string into the display filter bar.

http.request.method == "POST"

In my example, I subscribed to a random technology website I found online. It's not unreasonable to believe someone would request email notifications from their favorite news sites.

If POST requests were found in the .cap, the Info column will display which lines contain POST data. Double-clicking on one of the lines will produce a new Wireshark window containing more information. Scroll down and expand the "HTML Form URL Encoded" drop-down to inspect the submitted fields.

By inspecting the data collected from this single POST request, a lot of information belonging to someone on the network was discovered.

Collected data included a first name, last name, and an email address which can later be used for phishing and targeted hacks.

There's also a password form required by the website, which can be added to password lists and brute-force attacks. It's not uncommon for people to reuse passwords across multiple accounts. It's certainly possible that password will grant an attacker access to the Gmail address also found in the POST data.

Also discovered in the data is a name of a company, presumably where Christopher Hadnagy is employed. This information can be used by an attacker for further social engineering.

Scrolling down the POST data a bit further, there's even more information to be found. A full home address, ZIP code, and phone number are also included in just one POST request. This would tell the attacker exactly which home the Wi-Fi router belongs to, and provide a phone number for further social engineering should the hacker decide to send spoofed SMS messages.

2. Find GET Data

The HTTP GET request method is used for fetching or downloading data from web servers. For example, if someone views my Twitter account, their browser would use a GET request to fetch resources from the twitter.com web servers. Inspecting the .cap for GET requests wouldn't reveal usernames or email addresses, but it will allow attackers to develop a comprehensive profile of a person's web browsing habits.

To filter GET data, enter the below string into the display filter bar.

http.request.method == "GET"

Many websites append .html or .php to the end of the URLs. This can be an indicator of a website viewed by someone on the Wi-Fi network.

It might be helpful to filter out CSS and font related GET requests, as these kinds of requests happen silently in the background when we view web pages online. To filter out CSS content, use the below Wireshark filter.

http.request.method == "GET" && !(http.request.line matches "css")

The && here literally means "and." The ! (exclamation point) here means "not," so Wireshark is instructed to display only GET requests and not to display HTTP request lines that match css in any way. This will hopefully filter out some useless information related to benign web resources.

Clicking on one of the lines to investigate and expanding the "Hypertext Transfer Protocol" data will provide more identifiable information.

We can see the target is using a Windows computer with a Chrome browser, according to the User-Agent header. As far as reconnaissance goes, this is valuable: an attacker can build a payload specific to that operating system and browser version. Keep in mind that the User-Agent is set by the client and can be spoofed or deliberately generic, so treat it as a strong hint rather than a certainty.

The "Referer" tells us what website the target user was viewing immediately before viewing tomsitpro.com. This most likely means they found the "white hat hacker career" article via some duckduckgo.com query.

Referer headers pointing at DuckDuckGo rather than Google might indicate a privacy-conscious user, since DuckDuckGo markets itself on not tracking searches the way Google does. Someone with a concern for privacy might also have an interest in security software like antivirus programs. This is something attackers will consider when generating a targeted payload.

3. Find DNS Data

HTTPS traffic travels over TCP port 443. One might think to use the tcp.port == 443 display filter to see which websites are being visited, but that mostly yields raw IP addresses in the destination column, which isn't a convenient way to identify domains. A more efficient way of identifying the sites behind encrypted connections is to filter DNS requests. (The TLS handshake also leaks the hostname in the clear through the Server Name Indication extension of the ClientHello, which Wireshark dissects, so that is a second place to look.)

The Domain Name System (DNS) resolves website names into machine-readable IP addresses such as 104.193.19.59. When we visit a domain such as null-byte.wonderhowto.com, our computer converts the human-readable domain name into an IP address. This happens every time we use a domain name to view websites, send emails, or chat online, and the query itself is almost always sent unencrypted.

Searching the .cap for DNS requests further helps attackers understand which websites are frequently visited by people connected to the router, including the domains behind encrypted sessions with sites like Facebook, Twitter, and Google.

To filter DNS data, enter the below string into the display filter bar.

dns

Viewing the DNS requests may provide some interesting information. We can clearly see this user browsing travel websites like expedia.com and kayak.com. This might suggest the user will soon be away from home for an extended period of time.

The data is encrypted so attackers can't learn the flight destination or departure information, but using this information to send phishing emails might make it possible for an attacker to social engineer the user into divulging personal and financial information.

For example, if DNS requests for a particular banking website were also discovered, attackers could fake an email from that bank and claim a large Expedia credit card transaction just took place. The fake email might also contain accurate information relating to the target with a link to a fake banking website (controlled by the attacker) dedicated to harvesting banking credentials.
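As an added example (my own code, not part of the original article), the script below does in plain Python what the three display filters above do in Wireshark's GUI: it walks a pcap, pulls out HTTP request lines with their Host, User-Agent and Referer headers and POST bodies, drops the CSS/font/script noise, decodes a form body the way the "HTML Form URL Encoded" tree does, and lists the names in DNS queries. It assumes the capture has already been decrypted and written with Ethernet framing (what airdecap-ng produces by default once it strips the 802.11 headers; pass -l to keep them). The packets it parses are constructed inline, and every hostname, address and form value in them is made up.

```python
import struct
from urllib.parse import parse_qs

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


# ---- constructed sample capture (hostnames, addresses and form values are made up) ----
def _ipv4(proto, src, dst, payload):
    """Minimal IPv4 header in front of payload (checksum left zero; the parser below ignores it)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, addr(src), addr(dst)) + payload


def _ethernet(payload):
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + payload


def tcp_frame(src, dst, sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload  # PSH|ACK
    return _ethernet(_ipv4(6, src, dst, tcp))


def udp_frame(src, dst, sport, dport, payload):
    return _ethernet(_ipv4(17, src, dst, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload))


def dns_query(name):
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)  # A, IN


def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 1_500_000_000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + recs


CLIENT, GW, WEB = "192.168.1.23", "192.168.1.1", "203.0.113.10"
SAMPLE_PCAP = build_pcap([
    udp_frame(CLIENT, GW, 40000, 53, dns_query("expedia.com")),
    udp_frame(CLIENT, GW, 40001, 53, dns_query("kayak.com")),
    tcp_frame(CLIENT, WEB, 50001, 80, b"GET /article.html HTTP/1.1\r\nHost: news.example\r\n"
              b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0\r\n"
              b"Referer: https://duckduckgo.com/\r\n\r\n"),
    tcp_frame(CLIENT, WEB, 50001, 80, b"GET /static/style.css HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    tcp_frame(CLIENT, WEB, 50002, 80, b"POST /subscribe HTTP/1.1\r\nHost: news.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"first=Alice&email=alice%40example.com&pass=hunter2"),
])


# ---- parser: the equivalent of the three display filters ----
def iter_frames(pcap):
    if struct.unpack_from("<I", pcap)[0] != PCAP_MAGIC:
        raise ValueError("expected a little-endian pcap (pcapng and big-endian files are not handled)")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def _read_qname(msg, off=12):
    labels = []
    while msg[off]:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)


def extract(pcap):
    """Return HTTP request records (method, uri, headers, body) and DNS query names from a decrypted capture."""
    records = []
    for frame in iter_frames(pcap):
        if frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        proto, src = ip[9], ".".join(str(b) for b in ip[12:16])
        l4 = ip[ihl:total]
        if proto == 17 and struct.unpack_from("!H", l4, 2)[0] == 53:
            records.append({"type": "dns", "src": src, "qname": _read_qname(l4[8:])})
        elif proto == 6:
            head, _, body = l4[(l4[12] >> 4) * 4:].partition(b"\r\n\r\n")
            lines = head.split(b"\r\n")
            parts = lines[0].split(b" ")
            if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
                continue  # not a plaintext HTTP request (e.g. TLS on 443)
            hdrs = dict(l.decode(errors="replace").split(":", 1) for l in lines[1:] if b":" in l)
            hdrs = {k.strip().lower(): v.strip() for k, v in hdrs.items()}
            records.append({"type": "http", "src": src, "method": parts[0].decode(), "uri": parts[1].decode(),
                            "host": hdrs.get("host", ""), "user_agent": hdrs.get("user-agent", ""),
                            "referer": hdrs.get("referer", ""), "body": body.decode(errors="replace")})
    return records


def http_posts(records):  # http.request.method == "POST"
    return [r for r in records if r["type"] == "http" and r["method"] == "POST"]


def http_gets(records, noise=("css", "font", ".js")):  # GET && !(request line matches css/font/js)
    return [r for r in records if r["type"] == "http" and r["method"] == "GET"
            and not any(n in r["uri"].lower() for n in noise)]


def form_fields(record):
    """Decode a urlencoded POST body into a dict, like Wireshark's 'HTML Form URL Encoded' tree."""
    return {k: v[0] for k, v in parse_qs(record["body"]).items()}


def dns_names(records):  # dns
    return sorted({r["qname"] for r in records if r["type"] == "dns"})


if __name__ == "__main__":
    recs = extract(SAMPLE_PCAP)
    for p in http_posts(recs):
        print("POST", p["host"] + p["uri"], form_fields(p))
    for g in http_gets(recs):
        print("GET ", g["host"] + g["uri"], "| UA:", g["user_agent"], "| Referer:", g["referer"])
    print("DNS ", dns_names(recs))
```

Swap SAMPLE_PCAP for the bytes of a real decrypted capture to run it against your own data. Each request is parsed from a single segment here; a large upload split across several TCP segments would need reassembly, which Wireshark does for you and this script does not.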

How to Keep Your Personal Data Safe from Hackers

At a glance, all of the personal data discovered in the .cap file might appear harmless or innocuous, but inspecting just a few packets, I learned the target's real name, username, password, email address, home address, phone number, hardware manufacturer, operating system, browser fingerprint, web browsing habits, and more.

All of this data was collected without ever connecting to the router. Passive capture in monitor mode transmits nothing, so the victims have no way to know it is happening; only an active deauthentication to force a handshake leaves a trace on the air. All of this data can be used by attackers to launch an elaborate and targeted hack against companies and individuals.

Keep in mind, all of the personally identifiable information uncovered in this article is also available to internet service providers (ISPs) like Verizon and AT&T. Readers should be aware that DPI is performed by ISPs every single day. To protect ourselves from such activity, we can:

  • Use a strong, unique Wi-Fi passphrase. Capturing a handshake and cracking a weak passphrase offline is an attacker's primary way into a WPA2 network, and that same passphrase is what decrypts everything shown in this article.
  • Prefer WPA3 where the router and clients support it. Its SAE handshake resists offline dictionary attacks and gives each session forward secrecy, so a captured session can't be decrypted even by someone who knows the passphrase; enabling protected management frames (802.11w) also stops the forged deauthentication frames used to force handshakes.
  • Use a Virtual Private Network (VPN). With a secure connection between you and the VPN provider, all of the data uncovered in this article would not have been accessible to an attacker. However, if the VPN provider is logging or performing deep packet inspection, then all of the data would then be easily accessible to them as well.
  • Use Tor. Unlike VPNs, the Tor network is built on a different security model which doesn't relinquish all of our data to one single network or ISP.
  • Use SSL/TLS. Transport Layer Security (HTTPS) encrypts your web traffic between your browser and the website. Extensions like HTTPS Everywhere, or the HTTPS-only modes built into current browsers, help ensure the details of your web browsing are encrypted; a captured HTTPS session still reveals the hostname (via DNS and SNI) but not the URL path, form fields, or page contents.

Until next time, follow me on Twitter @tokyoneon_ and GitHub. And as always, leave a comment below or message me on Twitter if you have any questions.

Cover photo by Doug Davey/Flickr; Screenshots by tokyoneon/Null Byte

27 Comments

This is really great. Appreciate your work Sir.

I have a question if the .cap file stores raw data packets from the router then why do we really need the password and the router name of the specific victim to decrypt their data.

Why doesn't the wireshark simply decrypt the data for us.

Hmm, maybe I don't understand the question. The data collected by airodump is encrypted. If you import the .cap without first inputting the password:essid, the data can't be read by Wireshark. We input the password:essid into Wireshark so that it can decrypt the .cap.

Hi, I am a little confused. How can you enter the password if you don't know it? If it's a captured local handshake. Cheers, Kev

I got confused too, I think you just have to hack the router for password then disconnect from it and start capturing packets

because the .cap file contains encrypted packets and if you open it with Wireshark you just see nonsense characters, you need the key to decrypt packets

Ok fine that was the answer I was looking for. What possibly is the best way to hack into WPA2 Networks without phishing.

Hi,
How does it work for "open wifis" ?
Thanks

Hello, first of all again a very nice share. I did everything as described in this article. I first put my wireless card in monitor mode, then sniffed the traffic of the target WLAN, set up Wireshark and loaded the .cap file. It's loading some traffic into Wireshark, but as soon as I use any filter to get the GET and POST requests, it doesn't show anything. But I made sure to visit some GET websites and send out some registration forms for a newsletter or similar to also get some POST entries. But somehow I don't get anything. Maybe someone can help me out here?

James Jepiol, I have same problem here, cannot see any post or get http requests. Are we missing out something, please help.

It's possible to capture a bad handshake when using airodump. Try analyzing the .cap with pyrit. First, install.

apt-get update && apt-get install -y pyrit

Then, read and analyze.

pyrit -r /path/to/file.cap analyze

What kind of output do you get?

Tokyoneon, it is too long output to paste here :(

You have plenty of good handshakes, Wireshark should be able to decrypt the packets.

It's more likely an issue with your configuration. Make sure you're using the wpa-pwd key type and entering the password:essid correctly. You're sure the password being entered is correct?

If this is a controlled test environment you're working in, you should disconnect all devices from the network, start a new airodump session, and try deauthenticating one device (e.g., D4:DC:CD:A2:AE:72). That would give you 1 Station with 1 good spread in the .cap. Then, try decrypting the new .cap using Wireshark.

I'm pretty sure I use correct format, which is wpa-pwd as key type and password:essid as key in WPA2 encrypted network.

'Password' also cannot be wrong as I set it up.

I also tried this on different routers I have here with single client connected. Tried same as James above by simply going to websites and trying submitting forms, etc. and the story is the same here.

From research it seems that decryption in Wireshark doesn't work in my case; it cannot decrypt traffic to figure out HTTP packets, which is why it shows me 802.11 protocol packets only.

Is there way to check decryption?

Try airdecap, it's part of the aircrack suite. What kind of output do you get?

airdecap-ng -e 'ESSID_HERE' -p 'PASSWORD_HERE' filename.cap

Be sure to use single quotes to encase the essid and password. Airdecap will create a new .cap called filename-dec.cap. Try opening the new .cap in Wireshark.

Total number of packets read 31508592
Total number of WEP data packets 0
Total number of WPA data packets 342085

Number of plaintext data packets 123
Number of decrypted WEP packets 0
Number of corrupted WEP packets 0
Number of decrypted WPA packets 50246

After reopening dec.cap file in wireshark, I can finally see http post packets.

So, what would stop Wireshark from decrypting the same on the fly?

Trying to get some answers on Wireshark forums; apparently it is not only my problem. If I get anything decent I will re-post back here.

It seems it solved itself out after I updated Wireshark to newest stable version.

Hello,

I'm following every single step. I'm working on a local PoC at home, so I have Kali installed and I ran all the stuff from there. I want to sniff my own traffic from my Windows machine, so I searched through many pages and made some POST and GET requests to get them captured by airodump, but when I stop the capture and open it using Wireshark, I can't see any of those requests. Am I doing something wrong? I also entered my network password into Wireshark, but I see nothing when I open the capture and apply the http.request.method == "GET/POST" filter; even if I only enter the "http" filter nothing shows up.

Could you help me please?

Hello,

So I followed the instructions to the point where you are running airodump-ng to collect the data.
Now in the picture there are around 15k data packages in around 15 mins.
Mine was running for 30 min but I barely got 100 packages.
Did I do something wrong? Or is it just "bad luck"?
Greetings.

Hey @rootless, you need to generate traffic on your router. 100K #Data means, there's nothing happening on the network. Try browsing the internet from another device on the router.

The guide still works in 2019, running Kali Linux on a Raspberry Pi.

But yeah, you need the password. I don't know why he made it sound like you need handshakes for Wireshark to decode the captured data.

You need the handshake to crack it offline to get the password.

I had like 4-6 handshakes in my .cap file, so I don't know if Wireshark needs them for some reason for decoding or if it's a misunderstanding in the guide.

But to my knowledge Wireshark doesn't use handshakes for decryption.

I got confused here. I mean, how would we enter the password without knowing the password?
