.

Another Sniffing Related Question

<<

nairos

Newbie
Newbie

Posts: 5

Joined: Sat Dec 01, 2007 2:44 am

Post Tue Dec 04, 2007 1:14 am

Another Sniffing Related Question

Disclaimer - If anyone is uncomfortable answering this question, or feels it is inappropriate to ask here, please tell me.

I'm attending a graduate level model politics event that is VERY cut-throat. Model legislation is frequently stolen (digitally or the old fashioned way), and this is all an accepted aspect of the simulation. Anything goes. It means that keeping digital legislation protected locally is very important - and I'm fairly set in that regard (using TruCrypt, and some other tools)

Traditionally, communication within the simulation was entirely written, which added an old-school level of espionage to the event. Now we're starting to see the use of laptops in-session, and a lot of the communication is moving towards digital/wireless means.

Specifically I have two related questions:

1) On an unsecured (or rather, un-encrypted, but browser-login) wifi network, my traffic is sent clear-text, and can be sniffed by anyone in range. Does anyone know of an IM client or other direct peer-to-peer chat client that adds its own layer of encryption? Something like connecting to a VPN is not preferable, because anyone that I'd like to communicate with in the room would need to connect through it as well, or we've defeated the purpose.

2) Flip-side of my concern. Is there a specific piece of software that I can use to sniff and interpret traffic on the fly, and reassemble the multitude of different traffic it might see? I would probably encounter typical IM traffic (AOL, MSN, ICQ, Yahoo) as well as browser based communication (Facebook, Hotmail) and POP3/IMAP. Sniffing is no problem, but I've never run into a good tool that can make sense of all the different data quickly, and display it in a mannor that is digestable in such a fast-paced environment.

Again, if you feel that question 2 is inappropriate from a newcomer on this forum, I would understand completely.

Thanks
<<

jimbob

Post Tue Dec 04, 2007 4:14 am

Re: Another Sniffing Related Question

First and foremost, if you're walking into such a hostile environment think of defence first and offence second. I would highly recommend a VPN connection to a trusted site to protect all of your traffic as this will mitigate most sniffing attacks. If you use an insecure protocol to collect your personal email for example then your account could be compromised and this will no doubt have consequences beyond the scope of this one event. Physical security is also of paramount performance. Encryption is no good if someone has access to you laptop with the encrypted volume opened.

Getting useful info from sniffed data can be tricky without some experience. There's no magic bullet that will automatically decode everything you see, so consider using something like wireshark. Remember, you need explicit permission to do this, not the implicit understanding that this behaviour goes on at these events.

Also consider taking a step back and not using the provided wireless network. If using a cell phone or 3G card for net access is an option this is much harder to sniff than WiFi. Move data by hand using sneakernet and a USB dongle which never leaves your possession. If a communication medium is insecure you can always opt not to use it.

Regards,
Jimbob
<<

nairos

Newbie
Newbie

Posts: 5

Joined: Sat Dec 01, 2007 2:44 am

Post Tue Dec 04, 2007 5:05 am

Re: Another Sniffing Related Question

Very interesting perspective with regards to avoiding the provided network altogether. I have a laptop capable of using a SIM card and the cell network - though I've never elected to purchase a data plan. I'll look into this.

One of the challengs - while I can ensure my own security (I could use a VPN myself, or even an encrypted VNC session into a machine safe at home), this would be negated by the fact that the people in this environment that I need to communicate with may not have taken adequate steps themselves. Dealing with the digital side of this type of competition is relatively new - evolving - it's a security issue, but not all of the delagates will be adequately prepared. This is not to downplay the significance of the threat - it's there, and we will encounter it - it's just not widely enough protected against by most of the delegates, because it's such a new challenge.

So even if my route to whatever I use as an ISP is secure, if other delgates in the room are receiving my communication through their own insecure connection, my efforts are negated. Hence me looking for a client that itself would supply a layer of encryption (software that I could provide perhaps on a USB key to delegates I need to communicate with)

Physical security is something that really requires my own attentiveness more than anything else. Remembering to dismount a secure volume if I need to leave my laptop - or perhaps never leaving my laptop.

In terms of explicit permission. I'll need to look specifically into the legality side of things. In terms of the event, if a tactic is legal (in terms of the actual law of the city/state or province/country we're in) it's fair game in the competition. There are a few exceptions and explicit rules, but they don't relate to this aspect of the competition. The next major event is being held in the United States. So presumably I need to look into whether capturing over-the-air data is legal/not. I was under the assumption that because the network is not encrypted, it IS legal to sniff the traffic. Admittedly, I'm assuming this because it was a justification used by other participants in the past - so I'll need to do my own investigation. Perhaps someone (preferably from the US) has insight into this?
<<

dean

Post Tue Dec 04, 2007 1:43 pm

Re: Another Sniffing Related Question

Interesting competition. :)

Anyway to sniff wireless traffic (unencrypted) you can use Kismet on Linux. It has a strings function that will grab all plaintext strings for you. It does not reassemble conversations though. You can use wireshark (as previously mentioned) on windows, you will need to associate to the wireless network (wireshark on windows does not allow promisc mode sniffing unless you have an usb wireless adapter from CACE) and you can select specific packets and reassemble the entire stream for that conversation. You can use tools like ferret, hamster or wifizoo to capture/hijack conversations or email accounts as well.

for encrypted communications with a colleague you could hunt for an IM client that has a peer-to-peer function. There are a number of free ones that will do encryption or just use google talk.
<<

slimjim100

User avatar

EH-Net Columnist
EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Tue Dec 04, 2007 1:53 pm

Re: Another Sniffing Related Question

I would say use Hamachi for your local LAN like VPN it also has option to Chat in it and you can map drives to trusted computers. Another cool thing about Hamachi is that all tunnels are 256 AES encrypted. Next I would lunch Cain & Able and then after a Man in the Middle Attach I would lunch Wireshark to make sure I had all traffic to replay later. This is all with the understanding that it's accepted to sniff and intercept IP traffic on this network. All the tools I listed above are free windows based GUI tools anyone can learn to use...


Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
<<

nairos

Newbie
Newbie

Posts: 5

Joined: Sat Dec 01, 2007 2:44 am

Post Tue Dec 04, 2007 4:46 pm

Re: Another Sniffing Related Question

It is definitely an interesting competition. Its all rationalized by the notion that if you're not discrete, you'll be penalized in terms of your standing in the competition (credibility, confidence amongst allies, etc). It's a very progressive approach for an academic competition to take - but I presume the objective is to closely simulate real world politics, where of course, this stuff happens, but it is not overt, or admitted to. To be very explicit though, it is completely condoned in the competition - yet considered negative if you're caught - I hope I'm explaining it well? Analogous to cheating, in the card game "Cheat".

I should have thought of Hamachi - don't know why I overlooked that. It has a built in chat client, does it not?

In terms of Cain, would I even need to do a man-in-the-middle? (like APR?) If I've joined the unencrypted network, can I not simply sniff the traffic without connecting myself in between other systems and the router/wireless AP? I might not be understanding this correctly.
<<

slimjim100

User avatar

EH-Net Columnist
EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Wed Dec 05, 2007 9:31 am

Re: Another Sniffing Related Question

Yes Hamachi has a built in Chat client.

As for sniffing... I feel it;s always best to sniff like you are on a mirror port so i recommend to ARP poison the subnet to get all traffic to flow though you WiFi NIC. Once you have this running you can use Ethereal/Wireshark to sniff and record all traffic so later you can decode every little packet and reconstruct all client traffic. You could try to sniff in promiscuous mode but I am unsure if you would get all the traffic and be able to decode it correctly.

Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
<<

nairos

Newbie
Newbie

Posts: 5

Joined: Sat Dec 01, 2007 2:44 am

Post Wed Dec 05, 2007 10:51 pm

Re: Another Sniffing Related Question

I'm using a small ultra-portable - only 1.5 ghz. Do you think it could handle APR poisining a whole subnet that might have many dozens of connections running? Isn't that a fairly resource intensive task? Plus it's wireless, not wired.
<<

slimjim100

User avatar

EH-Net Columnist
EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Thu Dec 06, 2007 7:50 am

Re: Another Sniffing Related Question

My laptop is only a Dell D600 (1.2 Ghz) and I ARP poison with it all the time. The ARP Poisoning dose not take much CPU but you do need to have a good Wireless connection. I would also advise setting up just some of the filters in Cain and not trying to capture HTTPS as this will slow things down and I do not  think you will have the local ability to crack 128bit SSL. I would ask that if you decide to go this route that you practice on you on little network (Make sure you have permission to do so) and watch the little status bar at the bottom of Cain and make sure packet loss dose not get above 5% or you will crack the subnet. I have a real small video on how to use APR poisoning in Cain here http://www.anti-hacker.info/video/Cain/Cain%20MITM.html

Have fun, be safe, and make sure you have permission...


Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP

Return to Tools

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software