Re: [TSCM-L] {2961} Most elegant way to monitor wireless network

From: Thomas Shaddack <tsc..._at_shaddack.mauriceward.com>
Date: Wed, 15 Oct 2008 02:39:53 +0200 (CEST)

There are two basic approaches here.

a) Take full control over the router itself. Use a dedicated computer to
act as a router/firewall, or use an embedded device and flash it with an
alternative firmware (e.g. OpenWRT[1]) and get/write some suitable
software to log the traffic (e.g. ssh to the router from another computer,
run e.g. tcpdump there, and log the output from the SSH link to your
computer). Take care to log all the packets, not only the headers. For
logging web access, use e.g. urlsnarf from the dSniff package[2].

b) Tap the wireless. Use a computer with a suitable wifi card, and a
program that allows logging data from its network interface. As the
network is yours, you already know the WEP/WPA key. For a demonstration,
try to listen on your wireless network with a laptop running e.g.
Wireshark[3] and then examine the traffic.


As a bonus exercise for b), you may like to get a high-gain Yagi antenna
and listen a bit to the wifi chatter from your window. Especially if you
are located somewhere from where you see a large, densely inhabited area,
you can usually see a lot of traffic, a small-ish but significant portion
of it being unencrypted. A night's worth of logs, together with some basic
knowledge of the main protocols, can show you browsing habits, emails, and
even accesses to shared network disks, various passwords, and VoIP
traffic. Often you will be able to see only half of the communication -
when the signal strength/clarity of the client or its access point is
insufficient - but even that can tell you a lot. It was quite a chilling
and unexpected experience, realizing what all can be done from a bedroom
window.

This can be a completely passive attack, and its demonstration can be
pretty scary to the Uninitiated. In principle, it is similar to turning on
a CB radio and listening on the band without transmitting yourself.

This is a very real risk, especially in shared hostile environments like
public wifi hotspots (e.g. cafes and hotels). The typical scenario is that
you ask at the bar or the reception for Net access and you get a WEP or
WPA key, which is typically the same for everybody. This means that with
just a humble packet sniffer you can see a great deal of the communication
between the site's access point and the computers around. (Again,
limitations apply based on the relative signal quality of the transmitters
of the parties involved.) If their Net access is not encrypted at another
level, which it often isn't, they are pretty much at your mercy.

(This is also a concern with the loss of a laptop, cellphone or other
device with stored wireless network access credentials. In case of
recovery of the login credentials, the affected networks are at risk. As
the keys are usually shared by all the devices, mid-sized networks with
many users but too small to have their own RADIUS server are most at
risk.)

The slight weakness for capturing web browsing is when the client/server
negotiate the use of compression; the HTTP responses then look garbled.
While you can decode the TCP stream if it is complete, the loss of a
single packet makes recovery of the remaining stream difficult to
impossible. You also cannot decode the content of encrypted traffic (HTTPS,
POP3S, IMAPS, protocols employing TLS (e.g. SSL/STARTTLS), and any
information going through a VPN). However, even compressed and/or
encrypted traffic can yield useful data, though not the full content, for
traffic analysis (how much traffic went when, from where, to where).

The encrypted protocols, even relatively "weak" ones with e.g. self-signed
certificates, provide a reasonable degree of security against such passive
eavesdropping. (The compression described above is only a pretty weak
obfuscation; do not ever rely on it as a security measure.) However, they
are attackable by active means - compromising DNS, hijacking ARP,
hijacking the router, etc. - opening them up to MITM (man-in-the-middle)
attacks. But this is an entirely different league.



[1] http://en.wikipedia.org/wiki/Openwrt
[2] http://en.wikipedia.org/wiki/DSniff
[3] http://en.wikipedia.org/wiki/Wireshark



On Tue, 14 Oct 2008, mtc wrote:

>
> I am curious if anyone knows the best way to monitor all internet
> activity on a wireless network? The network in question has a cable
> modem plugged into a NETGEAR RangeMax Next Wireless Router WNR834B.
> There are both wired and wireless connections into the Netgear router
> but the computer I am interested in connects to the router via
> wireless. I am the 'administrator' of this home network so I have
> access to the router and log files but the log files are not very
> detailed.
>
> Thanks for any help you can provide.
>
>
> >
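The two points Thomas makes about what a passive listener on a shared-key network gets to see (cleartext protocols readable outright; encrypted ones yielding only volume, timing and endpoints for traffic analysis) can be turned into an audit of your own network: capture on the router as in approach a), then classify every flow by how exposed it is. The script below is an added example, not code from the original message or from the tools it cites. It assumes a standard pcap file with Ethernet link type, decodes only IPv4/TCP, and identifies protocols purely by well-known server port (the port table, the flow keys and the embedded sample capture are all constructed here for illustration).

```python
"""Audit a pcap for what a passive eavesdropper would see (added example)."""
import struct
from collections import defaultdict

# Well-known server port -> (protocol, exposure class). Constructed for
# this example; extend it for the protocols in use on your own network.
PORT_TABLE = {
    21: ("ftp", "cleartext"), 23: ("telnet", "cleartext"),
    80: ("http", "cleartext"), 110: ("pop3", "cleartext"), 143: ("imap", "cleartext"),
    443: ("https", "encrypted"), 993: ("imaps", "encrypted"), 995: ("pop3s", "encrypted"),
}

def classify(sport, dport):
    """Map a TCP port pair to (protocol, exposure); either side may be the server."""
    for port in (dport, sport):
        if port in PORT_TABLE:
            return PORT_TABLE[port]
    return ("tcp/%d" % min(sport, dport), "unknown")

def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; return (src, dst, sport, dport, payload_len) or None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                       # too short, or not IPv4
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:     # IP version 4, protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4          # TCP header length in bytes
    return (src, dst, sport, dport, max(0, len(tcp) - data_off))

def parse_pcap(data):
    """Yield (timestamp, src, dst, sport, dport, payload_len) for each IPv4/TCP packet."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is supported")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        rec = parse_frame(data[offset:offset + incl_len])
        offset += incl_len
        if rec:
            yield (ts_sec + ts_usec / 1e6,) + rec

def audit(pcap_bytes):
    """Per-flow volume/timing (what traffic analysis yields even for TLS) plus
    payload bytes per exposure class. Returns (flows, exposure)."""
    flows, exposure = {}, defaultdict(int)
    for ts, src, dst, sport, dport, plen in parse_pcap(pcap_bytes):
        proto, cls = classify(sport, dport)
        key = tuple(sorted([src, dst])) + (proto,)   # both directions share a key
        f = flows.setdefault(key, {"packets": 0, "payload_bytes": 0,
                                   "first": ts, "last": ts, "exposure": cls})
        f["packets"] += 1
        f["payload_bytes"] += plen
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
        exposure[cls] += plen
    return flows, dict(exposure)

# --- constructed sample capture (checksums left zero; sample data only) ---
def _ip(s):
    return bytes(int(x) for x in s.split("."))

def build_frame(src, dst, sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return b"\x02" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([
    (1000.0, build_frame("192.168.1.10", "203.0.113.5", 51000, 80, b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n\r\n")),
    (1000.2, build_frame("203.0.113.5", "192.168.1.10", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 300)),
    (1001.0, build_frame("192.168.1.10", "198.51.100.7", 51001, 443, b"\x16\x03\x01" + b"\x00" * 60)),
    (1002.5, build_frame("192.168.1.11", "203.0.113.9", 51002, 110, b"USER alice\r\n")),
    (1003.0, build_frame("192.168.1.11", "203.0.113.9", 51003, 995, b"\x16\x03\x01" + b"\x00" * 40)),
])

if __name__ == "__main__":
    flows, exposure = audit(SAMPLE_PCAP)
    for (a, b, proto), f in sorted(flows.items()):
        print("%-13s <-> %-13s %-6s %-9s %4d pkts %6d B  %.1fs" % (
            a, b, proto, f["exposure"], f["packets"], f["payload_bytes"], f["last"] - f["first"]))
    print("payload bytes by exposure:", exposure)
```

Run it against a real capture with `audit(open("capture.pcap", "rb").read())`; every flow reported as `cleartext` is content a shared-key neighbour could read, while `encrypted` flows still leak the who/when/how-much columns the report prints, which is exactly the traffic-analysis residue the message describes.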
Received on Sat Mar 02 2024 - 00:57:25 CST
