The best pen tester tools: sniffers and packet handling. Wireshark (network sniffer). Getting logins and passwords

    Many computer network users are unfamiliar with the concept of a "sniffer". Let's try to define what a sniffer is, in simple terms, for a reader without a background in the subject. But first, we still have to look at the term itself.

    Sniffer: what is a sniffer in terms of English and computer technology?

    In fact, it is not difficult at all to grasp the essence of such a software or hardware-software complex if you simply translate the term.

    The name comes from the English verb "to sniff". Hence the meaning of the term "sniffer" in Russian as well. What is a sniffer in our understanding? A "sniffer" is something that can monitor network traffic, or, more simply, a spy that can interfere with the operation of local or Internet-connected networks, extracting the information it needs by accessing data transferred over the TCP/IP protocols.

    Traffic analyzer: how does it work?

    Let's make one thing clear right away: a sniffer, whether a software or a hardware-software component, analyzes and intercepts traffic (transmitted and received data) exclusively through network cards (Ethernet). What happens?

    The network interface is not always protected by a firewall (again, software or hardware), so intercepting transmitted or received data becomes just a matter of technique.

    Within a network, information is transmitted in segments. Within one segment, data packets are supposed to be sent to absolutely all devices connected to the network. Segment information is forwarded to routers, and then to switches and hubs. Information is sent by splitting it into packets, so that the end user receives all the parts, reassembled, from completely different routes. Thus, "listening" on all potential routes from one subscriber to another, or on the interaction between an Internet resource and a user, can give access not only to unencrypted information but also to some secret keys that may be sent during such an exchange. And here the network interface turns out to be completely unprotected, because a third party intervenes.

    Good intentions and malicious purposes?

    Sniffers can be used for both harm and good. Leaving the negative side aside, it is worth noting that such software and hardware systems are quite often used by system administrators who want to track users' actions not only on the local network but also on the Internet: the resources they visit, the downloads they start, and the uploads they send.

    The technique by which a network analyzer works is quite simple. The sniffer determines the outgoing and incoming traffic of a machine. Here we are not talking about an internal or external IP address. The most important criterion is the so-called MAC address, which is unique for every device connected to the global web. It is by the MAC address that each machine on the network is identified.

    Types of sniffers

    By type, they can be divided into several main categories:

    • hardware;
    • software;
    • hardware and software;
    • online applets.

    Behavioral detection of the presence of a sniffer in the network

    You can detect a WiFi sniffer by the load on the network. If it is clear that the data transfer rate or connection speed is not at the level declared by the provider (or allowed by the router), you should pay attention to this immediately.

    On the other hand, the provider can also run a software sniffer to monitor traffic without the user's knowledge; as a rule, the user does not even know about it. In this way, an organization that provides communication and Internet connection services guarantees the user complete security with respect to intercepting floods, self-installing clients of various trojans, spyware, and so on. But such tools are mostly software and do not have a noticeable effect on the network or on user terminals.

    Online resources

    But an online-type traffic analyzer can be especially dangerous. A primitive computer hacking scheme is built on the use of sniffers. In its simplest version, the technique boils down to this: first the cracker registers on a certain resource, then uploads a picture to the site. After the upload is confirmed, a link to an online sniffer is issued, which is sent to a potential victim, for example, in an e-mail or an SMS message with text like "You have received a greeting from someone. To open the picture (postcard), click on the link."

    Naive users click on the hyperlink, as a result of which recognition is activated and their external IP address is transmitted to the attacker. With the appropriate application, he will be able not only to view all the data stored on the computer but also to easily change the system settings from the outside, which the local user will not even suspect, mistaking such a change for the effect of a virus. And yet the scanner will report zero threats when checking.

    How to protect yourself from data interception?

    Whether it's a WiFi sniffer or any other analyzer, there are still systems to protect against unauthorized traffic scanning. There is only one condition: install them only if you are completely sure you are being "wiretapped".

    Such software tools are most often called "anti-sniffers". But if you think about it, these are the same sniffers that analyze traffic, but block other programs that try to get

    Hence the legitimate question: is it worth installing such software? Will it be hacked by hackers to cause even more damage, or will it itself block what should be working?

    In the simplest case, on Windows systems it is better to use the built-in firewall as protection. Sometimes there may be conflicts with the installed antivirus, but more often this applies only to free packages. Professional purchased or subscription-activated versions do not have such drawbacks.

    Instead of an afterword

    That's all as far as the concept of a "sniffer" goes. What a sniffer is, I think, many have already figured out. Finally, another question remains: how correctly will such things be used by an ordinary user? After all, among young users you can sometimes notice a tendency toward computer hooliganism. They think that hacking someone else's computer is something like an interesting competition or self-affirmation. Unfortunately, none of them thinks about the consequences, and it is very easy to identify an attacker using the same online sniffer by his external IP, for example, on a WhoIs website. True, the provider's location will be shown as the location, but the country and city will be determined exactly. Well, after that the rest is simple: either a call to the provider to block the terminal from which the unauthorized access was made, or a court case. Draw your own conclusions.

    With a program installed to determine the location of the terminal from which access is attempted, the situation is even simpler. But the consequences can be catastrophic, because not all users use anonymizers or virtual proxy servers, and some have no clue about them at all. And it's worth learning...


    This article is an instruction for cracking the WEP encryption of Wi-Fi networks. This text does not cover the basic concepts of wireless networks; it assumes the reader already knows them. We will be using: Windows, CommView for Wi-Fi and aircrack-ng 0.9.3 win.

    Since we will use CommView for Wi-Fi, you need to download this program, for example, from the vendor's website. Aircrack-ng 0.9.3 win can be downloaded from our site. Before installing CommView for Wi-Fi, check that your wireless adapter is in the list of supported ones.

    Install CommView for Wi-Fi with the default settings (be sure to install the driver for your card if required!), and unzip aircrack-ng 0.9.3 win to any convenient folder; I recommend C:/. Now we can get to work.

    The aircrack-ng package includes a good sniffer, airodump-ng, but using it under Windows can cause some difficulties. Windows has one unpleasant feature: it does not allow the standard tools (official drivers) to switch the Wi-Fi card into sniffer mode (the mode in which the card collects all available packets). You can use third-party drivers (which is usually done) or modified official ones, but this is fraught with glitches and unpleasant consequences such as the card failing to connect to an access point. This is easily fixed by reinstalling the standard driver.

    I want to offer you another, more convenient option, following Choix from the site wardriving.ru: using the CommView for Wi-Fi sniffer together with aircrack-ng to crack the WEP key. The main advantage of this combination is that there is no need to install a driver every time you switch the card into sniffer mode and back. CommView for Wi-Fi also supports some cards, such as the integrated Intel PRO/Wireless 2200BG adapter, which airodump does not support under Windows.


    Launch CommView for Wi-Fi; on first start it will offer to patch the drivers and reboot. Agree everywhere. Next, if we are going to use the program only to collect encrypted DATA packets, open the RULES menu and check the boxes there to capture DATA packets and ignore BEACON packets; clear the rest of the checkboxes. Click to save the current rule (we keep it for later). Go into the settings and set them as in the figure:

    Almost everything :-) We'll start cracking soon)) The setup is done once, so don't be afraid that there are so many things to click. It remains to go to the Log files tab in the main program window, check the autosave box, and set the Maximum directory size to 200 MB and the average file size to about 5 MB.

    Next, click the *Capture* button and, in the window that appears, click *Start scanning*. On the right, a list of access points within range appears, with signal strength and other information. Select the target point and press Capture. Now we grab beer and crackers and wait until the required number of packets has been collected (from 100,000 to 2,000,000, depending on the key length); you will have to wait a while.

    Hooray!!! The packets are collected. Now press Ctrl+L; in the window that appears, choose File, load the CommView log files, and select all the files we see. Then open the Rules menu and load what we saved (data packets only). Now export the packets in TCPdump format.

    Launch aircrack, set its parameters, and specify the path to our file with the packets from CommView, which is in TCPdump format. To run the aircrack-ng GUI, you need the Microsoft .NET Framework 2.0 package installed (1 and 3 won't work).

    Choose Encryption: WEP, Key size: try each in turn from smaller to larger. If enough ARP packets have been captured, you can check the USE PTW attack checkbox. Click Launch.

    If the key is found, then you will see something like this:

    If the key is not found, try changing the parameters until you succeed.

    SmartSniff allows you to intercept network traffic and display its content in ASCII. The program captures packets passing through the network adapter and displays their contents as text (HTTP, POP3, SMTP, FTP protocols) and as a hexadecimal dump. To capture TCP/IP packets, SmartSniff uses the following techniques: raw sockets (RAW Sockets), the WinPcap Capture Driver, and the Microsoft Network Monitor Driver. The program supports Russian and is easy to use.

    Packet sniffer program


    SmartSniff displays the following information: protocol name, local and remote address, local and remote port, local host, service name, data volume, total size, capture time and last packet time, duration, local and remote MAC address, countries, and the contents of the data packet. The program has flexible settings: a capture filter, unpacking of HTTP responses, IP address conversion, and minimizing to the system tray. SmartSniff generates a packet flow report as an HTML page. It is also possible to export TCP/IP streams.

    ATTENTION! This article is written for informational purposes only, for IT security professionals. Traffic interception was demonstrated on our own devices in a personal local area network. The interception and use of personal data may be punishable by law, so we do not encourage you to use this article to harm others. Peace to the world, help each other!

    Hi all! In this article we will talk about WiFi sniffers. In general, this type of program is designed exclusively for intercepting traffic in the local network. It does not matter how the victim is connected to the router, via cable or via Wi-Fi. I want to show traffic interception using the interesting Intercepter-NG program as an example. Why did I choose it? The fact is that this sniffer application is written specifically for Windows, has a fairly friendly interface, and is easy to use. And not everyone has Linux.

    Intercepter-NG Capabilities

    As you know, the local network constantly exchanges data between the router and the end client. If desired, this data can be intercepted and used for your own purposes. For example, you can intercept cookies, passwords, or other interesting data. Everything happens very simply: the computer sends a request to the Internet and receives the data along with a response from a central gateway or router.

    The program starts a certain mode in which the client computer begins sending its requests and data not to the gateway but to the device running the program. That is, we can say that it confuses the router with the attacker's computer. This attack is also called ARP spoofing. Then all the data is used from the second computer for its own purposes.

    After receiving the data, the sniffing process begins, in which the program tries to extract the necessary information from the packets: passwords, logins, final web resources, visited pages on the Internet, and even correspondence in instant messengers. But there is a small minus: this picture works fine only with unencrypted data. When HTTPS pages are requested, you have to jump through hoops. For example, when a client queries a DNS server, the program can substitute the address of its own fake site, where the victim may enter a username and password to log in.
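    The ARP spoofing described above leaves a trace on the wire: the gateway's IP address suddenly starts being claimed by a different MAC address, and the same MAC usually goes on to claim the client's address as well. The detector below is an added example, not part of this article or of Intercepter-NG; it applies those two checks to a sequence of ARP replies. It assumes the monitoring host sees the segment's ARP traffic (for instance, the protected client itself). The gateway address and the ARP records are constructed.

```python
"""Passive ARP-spoofing detector (added example; constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

GATEWAY_IP = "192.168.1.1"  # assumed gateway address (constructed)


@dataclass(frozen=True)
class ArpReply:
    ts: float        # capture time in seconds
    sender_ip: str   # the "is-at" claim: sender_ip ...
    sender_mac: str  # ... lives at sender_mac


# Constructed sample: normal traffic, then a second MAC starts claiming the
# gateway IP and, shortly after, a client IP (the classic MiTM pattern).
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),
    ArpReply(1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    ArpReply(2.0, "192.168.1.30", "aa:bb:cc:00:00:30"),
    ArpReply(3.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),
    ArpReply(4.0, "192.168.1.1",  "aa:bb:cc:00:00:99"),  # spoofed gateway claim
    ArpReply(4.5, "192.168.1.20", "aa:bb:cc:00:00:99"),  # same MAC poisons the client
    ArpReply(5.0, "192.168.1.1",  "aa:bb:cc:00:00:99"),
]


def detect_arp_spoofing(replies: List[ArpReply], gateway_ip: str = GATEWAY_IP) -> List[str]:
    """Return alert strings for two symptoms of ARP poisoning.

    1. An IP already bound to one MAC is claimed by a different MAC
       (CRITICAL when the IP is the gateway, WARNING otherwise).
    2. A single MAC accumulates claims to more than one IP, which is how a
       man-in-the-middle sits between both parties.
    """
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[str] = []
    for r in replies:
        prev = ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            sev = "CRITICAL" if r.sender_ip == gateway_ip else "WARNING"
            alerts.append(f"{sev} t={r.ts}: {r.sender_ip} moved {prev} -> {r.sender_mac}")
        ip_to_mac[r.sender_ip] = r.sender_mac

        ips = mac_to_ips[r.sender_mac]
        if r.sender_ip not in ips:      # alert once per newly claimed IP, not per packet
            ips.add(r.sender_ip)
            if len(ips) > 1:
                alerts.append(f"WARNING t={r.ts}: {r.sender_mac} claims {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(alert)
```

    On a real host the records would come from a packet capture rather than the constructed list; the logic is the same. Reporting is only half of the answer: a static ARP entry for the gateway on the client, or Dynamic ARP Inspection on a managed switch, stops the poisoned replies from taking effect in the first place.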

    Normal attack

    First we need to download the program. Some browsers may complain if you try to download the application from the official site, sniff.su. But you can try. If you don't want to deal with this protection, you can download the application from GitHub.

    1. Depending on how you are connected to the network, the corresponding icon will be displayed in the upper left corner; click on it.

    2. You need to select your working network module. I chose the one that already has a local IP assigned, that is, my IP address.

    3. Right-click on an empty area and then run "Smart Scan".

    4. Next, you will see a list of IP addresses, as well as MAC addresses and additional information about the devices on the network. It is enough to select one of the attack targets, click on it, and then select "Add as Target" from the list so that the program fixes on the device. After that, click the start button in the upper right corner of the window.

    5. Go to the "MiTM mode" section and click on the radiation icon.

    6. The process has been started; now, to see the logins and passwords, go to the third tab.

    7. On the second tab, you will see all the transferred data.


    As you can see, here you can see and detect the intercepted keys and usernames, as well as the sites visited by the target.

    Intercepting cookies

    In case anyone doesn't know, cookies are temporary data that allow us not to re-enter our credentials every time on forums, social networks, and other sites. You could say this is a temporary pass. They can also be intercepted using this application.

    Everything is done quite simply: after launching a normal attack, go to the third tab, right-click on the free area and select "Show Cookies".


    You should see the required cookies. Using them is very simple: just right-click on the desired site and select "Open in browser". After that, it will open the site from someone else's account.
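    What reaches the sniffer in this scenario is a cookie that the browser sent over plain HTTP. The check that matters on the server side is whether each cookie carries the Secure attribute (the browser then never sends it without TLS), together with HttpOnly and SameSite. The audit below is an added example, not code from this article or from Intercepter-NG; the HTTP response it parses is constructed, with one cookie set the way a sniffer likes it and one hardened.

```python
"""Audit Set-Cookie headers for the attributes that keep cookies off the wire in the clear.

Added example with a constructed HTTP response; not part of the original article.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    same_site: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value (RFC 6265 syntax) and record what is missing."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    secure = http_only = False
    same_site: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "samesite":
            same_site = val
    audit = CookieAudit(name, secure, http_only, same_site)
    if not secure:
        audit.findings.append("missing Secure: cookie is also sent over plain HTTP and can be sniffed")
    if not http_only:
        audit.findings.append("missing HttpOnly: cookie readable by scripts injected into the page")
    if same_site is None:
        audit.findings.append("missing SameSite: cookie attached to cross-site requests")
    return audit


def audit_response(raw_headers: str) -> List[CookieAudit]:
    """Pull every Set-Cookie header out of a raw HTTP response head and audit it."""
    audits = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            audits.append(parse_set_cookie(value.strip()))
    return audits


# Constructed response: "sessionid" has no protective attributes, "auth" has all three.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/
Set-Cookie: auth=def456; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for c in audit_response(SAMPLE_RESPONSE):
        print(f"{c.name}: {'OK' if not c.findings else '; '.join(c.findings)}")
```

    A cookie that fails the Secure check is exactly the one a capture on the local segment will contain; a site that sets it only over HTTPS and marks it Secure gives an on-path sniffer nothing to replay with "Open in browser".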


    Getting a login and password

    Most likely, after starting the program, the client will already be logged into one account or another. But you can force him to enter the username and password again. Since cookies themselves are not eternal, this is quite normal practice. The Cookie Killer program is used for this. After it starts, the client's old cookies are completely deleted and he has to enter the login and password again, and this is where interception comes in. There is a separate video tutorial for this:

    Intercepter is a multifunctional network tool that allows you to extract data from traffic (passwords, instant messenger messages, correspondence, etc.) and carry out various MiTM attacks.


    Intercepter interface

    Main functionality

    • Interception of messenger messages.
    • Interception of cookies and passwords.
    • Interception of activity (pages, files, data).
    • Ability to spoof file downloads by adding malicious files. Can be used in conjunction with other utilities.
    • Replacing HTTPS certificates with HTTP.

    Operating modes

    Messenger Mode allows you to view correspondence that was sent unencrypted. It is used to intercept messages in messengers such as ICQ, AIM, and Jabber.

    Recovery Mode is the recovery of useful data from traffic, from protocols that transmit data in the clear. When the victim views files, pages, or data, it is possible to partially or completely intercept them. Additionally, you can specify a file size limit so that the program does not download files in small parts. This information can be used for analysis.

    Password Mode is the mode for working with cookies. In this way it is possible to gain access to the files visited by the victim.

    Scan Mode is the main mode for testing. Right-click and choose Smart Scan to start scanning. After scanning, the window will display all network members, their operating system, and other parameters.

    Additionally, in this mode you can scan ports using the Scan Ports feature. Of course, there are far more capable utilities for this, but the presence of this function is a useful point.

    If we are interested in a targeted attack on the network, then after scanning we need to add the target IP to NAT using the Add to Nat command. Other attacks can then be carried out in another window.

    NAT mode. The main mode, which allows you to carry out a number of ARP attacks. This is the main window for targeted attacks.

    DHCP mode. This mode allows you to bring up your own DHCP server to carry out DHCP man-in-the-middle attacks.

    Some types of attacks that can be carried out

    Website spoofing

    To spoof a site for the victim, go to Target, then specify the site and its replacement. In this way you can replace many sites. It all depends on how good the fake is.

    Website spoofing

    Example for VK.com

    Choosing a MiTM attack

    Changing the Injection Rule

    As a result, the victim opens a fake site when requesting vk.com. And in Password Mode, the victim's login and password should appear:


    To conduct a targeted attack, select a victim from the list and add it to the targets. This can be done with the right mouse button.


    Additions of MiTM attack

    Now you can recover various data from traffic in Ressurection Mode.


    Files and information of the victim through a MiTM attack

    Traffic spoofing

    Specifying Settings

    After that, the word "trust" in the victim's requests will be replaced with "loser".

    Additionally, you can kill cookies so that the victim is logged out of all accounts and has to re-authorize. This is how logins and passwords are intercepted.


    Destruction of cookies

    How to see a potential sniffer on the network using Intercepter?

    Using the Promisc Detection option, you can detect a device that is listening on the local network in promiscuous mode. After scanning, the status column will show "Sniffer". This is the first way to detect eavesdropping on the local network.


    Sniffer detection
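    Intercepter's Promisc Detection probes other hosts over the network. The complementary check a defender can run on a Linux host itself is whether any of its own interfaces has the IFF_PROMISC flag set, which the kernel exposes as a hex word in /sys/class/net/<iface>/flags and as the PROMISC entry in the flag list printed by ip -o link show. The script below is an added example, not part of this article or of Intercepter-NG; the ip -o link sample output is constructed, and the live /sys scan simply returns nothing on a non-Linux machine.

```python
"""Host-side check for interfaces in promiscuous mode (added example; constructed sample)."""
import glob
import os
import re
from typing import Dict, List

# Interface flag bits from <linux/if.h>.
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000

FLAG_NAMES = {
    IFF_UP: "UP", IFF_BROADCAST: "BROADCAST", IFF_LOOPBACK: "LOOPBACK",
    IFF_RUNNING: "RUNNING", IFF_PROMISC: "PROMISC", IFF_MULTICAST: "MULTICAST",
}


def decode_sysfs_flags(value: str) -> List[str]:
    """Decode the hex word from /sys/class/net/<if>/flags into flag names (low bit first)."""
    bits = int(value.strip(), 16)
    return [name for bit, name in sorted(FLAG_NAMES.items()) if bits & bit]


def is_promisc(value: str) -> bool:
    """True when the sysfs flags word has IFF_PROMISC set."""
    return bool(int(value.strip(), 16) & IFF_PROMISC)


# "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..." ; veth names look like "veth1@if5".
_IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promisc_from_ip_link(output: str) -> List[str]:
    """Names of interfaces whose `ip -o link show` flag list contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = _IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def scan_local_sysfs() -> Dict[str, bool]:
    """Live check on a Linux host: {interface: promisc?}. Returns {} where /sys/class/net is absent."""
    result: Dict[str, bool] = {}
    for path in glob.glob("/sys/class/net/*/flags"):
        name = os.path.basename(os.path.dirname(path))
        with open(path) as fh:
            result[name] = is_promisc(fh.read())
    return result


# Constructed `ip -o link show` output: eth0 has been switched into promiscuous mode.
SAMPLE_IP_LINK = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    print("PROMISC in sample output:", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("sysfs flags 0x1103 decode to:", decode_sysfs_flags("0x1103"))
    live = sorted(name for name, p in scan_local_sysfs().items() if p)
    print("Live interfaces in promiscuous mode:", live or "none")
```

    A legitimate monitoring tool or a virtual switch can set the flag too, so a hit is a reason to ask why that interface is listening to all frames rather than proof of a sniffer.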

    SDR HackRF Device


    Hack RF
    SDR is a kind of radio receiver that allows you to work with different radio frequency parameters. Thus, it is possible to intercept Wi-Fi, GSM, LTE, and other signals.

    HackRF is a complete SDR device for $300. The project's author, Michael Ossmann, is developing successful devices in this area. Previously, the Ubertooth Bluetooth sniffer was developed and successfully shipped. HackRF is a successful project that raised over 600k on Kickstarter. 500 such devices have already been shipped for beta testing.

    HackRF operates in the frequency range from 30 MHz to 6 GHz. The sampling rate is 20 MHz, which allows you to intercept Wi-Fi and LTE signals.

    How to protect yourself at the local level?

    First, let's use the SoftPerfect WiFi Guard software. There is a portable version that takes up no more than 4 MB. It allows you to scan your network and display the devices present on it. It has settings for selecting the network card and the maximum number of scanned devices. Additionally, you can set the scan interval.

    Ability to add comments for users


    Notification window for unfamiliar devices after each specified scan interval
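    The core of what WiFi Guard does is compare the devices currently answering on the segment against the list of devices you know, and notify you about the rest. The script below is an added example, not code from this article or from SoftPerfect WiFi Guard: it parses the output of arp -a in Windows format, drops broadcast and multicast entries, and flags MAC addresses that are not on an allowlist with the per-device comments described above. The arp -a output and the allowlist are constructed.

```python
"""Flag unfamiliar devices by comparing the ARP table against an allowlist (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed allowlist: MAC -> friendly name (the comments WiFi Guard lets you attach).
KNOWN_DEVICES: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "router",
    "aa:bb:cc:00:00:20": "laptop",
    "aa:bb:cc:00:00:30": "printer",
}

# Constructed Windows `arp -a` output; the .77 entry is a device not on the list.
SAMPLE_ARP_A = """
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-01     dynamic
  192.168.1.20          aa-bb-cc-00-00-20     dynamic
  192.168.1.77          de-ad-be-ef-00-77     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


@dataclass(frozen=True)
class Neighbour:
    ip: str
    mac: str  # normalised to lowercase, colon-separated


# IPv4 address, MAC with '-' or ':' separators, entry type.
_ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text: str) -> List[Neighbour]:
    """Parse `arp -a` lines into host neighbours; broadcast and multicast entries are skipped."""
    neighbours = []
    for line in text.splitlines():
        m = _ARP_LINE.match(line)
        if not m:
            continue
        mac = m.group(2).lower().replace("-", ":")
        # The low bit of the first octet marks group (multicast) addresses; ff:..:ff is broadcast.
        if mac == "ff:ff:ff:ff:ff:ff" or int(mac[:2], 16) & 0x01:
            continue
        neighbours.append(Neighbour(m.group(1), mac))
    return neighbours


def unknown_devices(neighbours: List[Neighbour], known: Dict[str, str] = KNOWN_DEVICES) -> List[Neighbour]:
    """Neighbours whose MAC is not on the allowlist."""
    return [n for n in neighbours if n.mac not in known]


def report(text: str, known: Dict[str, str] = KNOWN_DEVICES) -> List[str]:
    """One line per host neighbour with its allowlist label or an UNKNOWN DEVICE marker."""
    return [
        f"{n.ip:<16} {n.mac}  {known.get(n.mac, 'UNKNOWN DEVICE')}"
        for n in parse_arp_table(text)
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ARP_A)))
    for n in unknown_devices(parse_arp_table(SAMPLE_ARP_A)):
        print(f"ALERT: unfamiliar device {n.mac} at {n.ip}")
```

    Run on a schedule, this is the scan-interval notification the article describes. Because an attacker can clone a known MAC address, an allowlist check of this kind stays at the primitive level the conclusion mentions: it catches unfamiliar devices, not impersonation of familiar ones.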

    Conclusion

    Thus, we have considered in practice how software can be used to intercept data within the network. We looked at several specific attacks that allow you to obtain login data as well as other information. Additionally, we considered SoftPerfect WiFi Guard, which allows you to protect the local network from traffic eavesdropping at a basic level.