So you want to know what that person who is always on their phone is up to? If you are on the same Wi-Fi network, it is as easy as opening Wireshark and configuring a few settings. We use the tool to decrypt WPA2 network traffic so that we can see in real time which applications a phone is using.
Although using an encrypted network is better than using an open one, the advantage disappears if the attacker is on the same network. If someone else knows the password of the Wi-Fi network you are using, it is easy for them to see what you are doing with Wireshark at that moment. This lets an attacker list every app running on the targeted device and zero in on apps that may be vulnerable.
When you use a Wi-Fi network with WPA2 encryption, the security of your session rests on two things. The first is the password, which is used to generate a much longer number, the PSK or pre-shared key. The second is the handshake itself, which must happen to establish a connection. If an attacker has the PSK for the Wi-Fi network and captures the moment you join the network (or are kicked off and reconnect), they can decrypt your Wi-Fi traffic to see what you are doing.
The content of HTTPS websites cannot be seen, but regular HTTP websites you visit, or apps on your phone that make insecure HTTP requests, are plainly visible. This may not seem so bad, but in just 60 seconds it is easy to learn a lot about the type of device we are monitoring and what exactly is running on it. It is also easy to see the DNS requests that resolve the domains apps must talk to in order to work, which reveals which apps and services are running.
To carry out this attack, some conditions must be met. First, we need the password; we need to be near the victim so we can capture traffic; and we have to kick the target device off the network or wait for it to reconnect. We open Wireshark, open the menu to decrypt Wi-Fi packets, add the PSK to enable decryption, and wait for EAPOL packets from the target device as it connects to the network.
To get an idea of what the target device is up to, we use display filters to flag the DNS and HTTP packets we are looking for. To see a complete list of every domain the device has resolved, we can also view an overview of resolved addresses after the capture is complete. We can use this information to easily identify which services are running, even if they only run in the background and the app has not been opened in a long time.
You also need an iOS or Android smartphone connected to the Wi-Fi network you are monitoring. You can practice this on an open Wi-Fi network to see what you should expect, as decryption sometimes does not work the first time. You must also know the password and network name of the Wi-Fi network you want to monitor. This allows you to calculate the pre-shared key, which lets us decrypt the traffic in real time.
Step 1: Download Wireshark and connect to the Wi-Fi network
Download and install Wireshark if it is not already installed, and connect to the Wi-Fi network where your target is located. If you plan to use a PSK instead of the network password, you must first calculate it with the Wireshark tool, because depending on your card you may not have internet access during the capture.
With Wireshark downloaded, open it and look at your network interfaces. Before we start capturing, we must set a few things to make sure the card captures in the correct mode.
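The "much longer number" that Wireshark's PSK tool produces is not magic: WPA2-Personal derives it from the passphrase and the network name with PBKDF2-HMAC-SHA1. The following is an added example (not code from the article or from Wireshark) that performs the same derivation locally, so you can see why knowing the password and SSID is enough to obtain the PSK, and why the SSID matters. The test vector (passphrase "password", SSID "IEEE") is the one published in the IEEE 802.11i standard; everything else is illustrative.

```python
import hashlib

# WPA2-Personal derives the 256-bit pre-shared key (PMK) from the passphrase
# and the SSID with PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes of output
# (IEEE 802.11i). No other secret is involved, which is why anyone who knows
# the Wi-Fi password and the network name can compute exactly the same key
# that Wireshark's online PSK generator would give them.
def wpa2_psk(passphrase: str, ssid: str) -> str:
    """Return the WPA2 PSK as a 64-character hex string."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    key = hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),  # the SSID is the salt
        4096,
        32,
    )
    return key.hex()


def same_password_different_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True if the same passphrase yields different PSKs on two networks.
    Illustrates why the PSK you paste into Wireshark is tied to one SSID."""
    return wpa2_psk(passphrase, ssid_a) != wpa2_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # Published IEEE 802.11i test vector.
    print(wpa2_psk("password", "IEEE"))
    # Constructed example: a reused password on two differently named networks.
    print(same_password_different_ssid("correct horse battery", "HomeNet", "HomeNet-5G"))
```

The PSK on its own still does not decrypt anything: the per-session keys are derived from it together with the nonces and MAC addresses exchanged in the EAPOL four-way handshake, which is exactly why the steps below insist on capturing that handshake. It also explains the defensive takeaway: on a WPA2-Personal network every user who knows the password holds the same PMK, so the only real separation between users is the handshake, not the encryption.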
Step 2: Setting up Wireshark for Capture
Under the Capture menu option, click the "Capture Options" gear icon.
This opens the Capture Interfaces window, as shown below.
If you are not connected to the network the target is on, you may not see any packets because you may be on a different channel. Wireshark cannot change the channel the wireless network adapter is tuned to, so if you get nothing, that may be the reason.
Now that we have a handshake, we can start decrypting the conversation from this point on. For this we need to add the network password or PSK. Go to the "Wireshark" drop-down menu and select "Preferences." Once selected, click "Protocols."
Under Protocols, select "IEEE 802.11" and then check "Enable decryption." To add the network key, click "Edit" next to "Decryption keys" to open the window where passwords and PSKs are added.
Select "wpa-psk" from the menu and paste your key in. Press Tab and save by clicking "OK."
When this is done, click "OK" in the Preferences menu, and Wireshark should rescan all captured packets and try to decrypt them. This may not work, for various reasons. I could usually make it work by making sure I had a good handshake (EAPOL) and switching back and forth between using the network password and the PSK. If it works, we can proceed to the traffic analysis step to identify the apps being used.
Now that we have decrypted traffic, Wireshark can decode it and tell us in real time what the devices on this Wi-Fi network that we have handshakes for are doing.
To find interesting packets, we start with DNS requests. Apps send DNS requests to check that the IP addresses they need to connect to have not changed. These requests are for domain names that usually contain the name of the app, making it trivial to see which app on the iPhone or Android phone is making the requests.
To view these requests, we'll use two filters, dns and http, which show us the most obvious fingerprints an app leaves behind on Wi-Fi. First, type dns in the display filter bar and press Enter. If this does not work, try switching between the PSK and the password a few times. It's messy, but sometimes it starts working.
If your target is feeling lonely, you may see the response below. Tinder calls the domain Tindersparks.com, among many other services. This request is one of the most obvious.
Although using Signal is a good idea, it is an even better idea to use it with a VPN. The reason? Even opening Signal creates the exchange below, clearly indicating that the user is communicating over an encrypted messenger.
If you try to identify that song playing with Shazam, the following fingerprint is left behind.
Opening the app to call an Uber creates the requests you see below.
Below we see the effect of opening Venmo, an app for transferring money. It seems like a good time to take this request somewhere else.
Next, we can see several insecure web requests using the display filter http. These requests contain information such as the user agent, which tells us the type of device that is connecting. We can investigate this by clicking on a packet and expanding the "Hypertext Transfer Protocol" section.
In this example we see insecure HTTP requests to a chat server. What the hell is this? Just examining the packet and resolving the domain gives us the answer right away. It's WeChat! WeChat is installed on this phone, and the resulting communication is not fully encrypted.
If we want to see everything that has been resolved, we can click the "Statistics" menu and then "Resolved Addresses" to see all domains resolved during the capture. This should be a laundry list of the services the device connects to via the apps running on it.
This breakdown makes it even easier to see what the target was up to.
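The two things the walkthrough above pulls out of a capture, the domains an app resolves and the cleartext HTTP requests with their User-Agent, are also what you would check when auditing your own devices on a shared-password network. The following is an added example (not from the article, and not a Wireshark feature) that does that audit offline over tshark-style field output. The input is a constructed sample in the shape of `tshark -T fields -E separator=/t` output for the fields frame.time_relative, ip.src, _ws.col.Protocol, dns.qry.name, http.host and http.user_agent; the hosts use the reserved .example TLD and were not captured from any real network. The "last two labels" domain reduction is a simplifying assumption that ignores multi-label public suffixes such as co.uk.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: tab-separated tshark field output (see lead-in).
# Nothing here was captured from a real device or network.
SAMPLE_CAPTURE = """\
0.001\t192.0.2.23\tDNS\tapi.chatapp.example\t\t
0.002\t192.0.2.23\tDNS\tcdn.chatapp.example\t\t
0.450\t192.0.2.23\tDNS\tupdates.mapsapp.example\t\t
1.200\t192.0.2.23\tHTTP\t\tlegacy.chatapp.example\tMozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X)
2.000\t192.0.2.42\tDNS\tsync.notesapp.example\t\t
3.100\t192.0.2.42\tTLSv1.2\t\t\t
"""

FIELDS = ("time", "src", "proto", "dns_qry", "http_host", "user_agent")


def parse_records(text):
    """Split tab-separated field lines into dicts keyed by FIELDS; skip blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))  # pad lines with trailing empties
        records.append(dict(zip(FIELDS, parts)))
    return records


def registrable_domain(name):
    """Reduce api.chatapp.example -> chatapp.example (assumption: no co.uk-style suffixes)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def device_hint(user_agent):
    """Pull a coarse platform hint out of a User-Agent string, as the article does by hand."""
    m = re.search(r"\b(iPhone|iPad|Android|Windows|Macintosh|Linux)\b", user_agent)
    return m.group(1) if m else "unknown"


def summarize(records):
    """Per source IP: which registrable domains were resolved and how often,
    plus every cleartext HTTP request with its host and device hint."""
    dns_by_host = defaultdict(Counter)
    cleartext_http = []
    for r in records:
        if r["proto"] == "DNS" and r["dns_qry"]:
            dns_by_host[r["src"]][registrable_domain(r["dns_qry"])] += 1
        elif r["proto"] == "HTTP" and r["http_host"]:
            cleartext_http.append((r["src"], r["http_host"], device_hint(r["user_agent"])))
    # TLS and other protocols are left alone: their payload is not readable here.
    return {
        "dns_by_host": {h: dict(c) for h, c in dns_by_host.items()},
        "cleartext_http": cleartext_http,
    }


def audit_report(text=SAMPLE_CAPTURE):
    """Convenience wrapper: parse and summarize in one call."""
    return summarize(parse_records(text))


if __name__ == "__main__":
    report = audit_report()
    for host, domains in report["dns_by_host"].items():
        listing = ", ".join(f"{d} x{n}" for d, n in sorted(domains.items()))
        print(f"{host} resolved: {listing}")
    for src, host, dev in report["cleartext_http"]:
        print(f"CLEARTEXT HTTP from {src} ({dev}) to {host}")
```

Run against a real export (`tshark -r capture.pcapng -T fields -E separator=/t -e frame.time_relative -e ip.src -e _ws.col.Protocol -e dns.qry.name -e http.host -e http.user_agent`, decrypted or not), the DNS summary is the same "laundry list" the Statistics menu gives you, grouped per device, and the cleartext list is the set of apps whose traffic would be readable to anyone holding the network password. That second list is the one worth acting on: those are the apps a VPN or an app update should take off the wire in plaintext.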
This type of monitoring may seem invasive, but keep in mind that your internet provider also keeps a log of this information and has the right to sell it. If you want to prevent this sort of snooping, you should buy a VPN such as Mullvad or PIA that hides even local traffic behind strong encryption. In a place where you might be doing something sensitive over a data connection, you should also consider using mobile data wherever possible to prevent this type of attack.
I hope you enjoyed this guide to using Wireshark to spy on Wi-Fi traffic! If you have any questions about this tutorial on Wi-Fi decryption, please leave a comment and feel free to reach me on Twitter @KodyKinzie.
Don't miss: Get someone's Wi-Fi without cracking with Wifiphisher