Monday, May 23, 2011

Wireshark - The Swiss Army Knife of Downloading Tools

In the Information Security industry, there are a wide variety of tools that can be used both for the forces of good and for evil.  One of these tools is called a packet sniffer which has the capability to listen in on the traffic passing along on the network that the system is connected to.  This can be extremely useful from a troubleshooting standpoint, or extremely dangerous as a vector of attack.  Over the last decade or so, most network environments have migrated from hubbed to switched, meaning network devices will only send traffic to the designated recipient system as opposed to blasting the traffic to all connected systems with the recipient system going, "Oh hey, that's meant for me."  This is definitely a good step for security, but also easily defeated with techniques like Address Resolution Protocol (ARP) poisoning, where an attacker can trick the network devices into sending traffic meant for someone else to them, listen in with a packet sniffer, and then forward the traffic along to the actual recipient.  This is accomplished by tricking both parties to update their ARP tables to map an IP address to an incorrect MAC address.  Another term for it is a Man-in-the-Middle attack.  One of the easier methods to do this is via a freely downloadable tool called Cain & Abel.  But I digress...

One of the absolute best packet sniffers available is another free tool called Wireshark.  This is a GUI tool with such an incredible amount of functionality built-in, that I feel like I'm still just starting to scratch the surface of everything that you can do with it.  I recently attended a SANS Voice-over-IP (VoIP) security course down in Orlando back in March where we were able to take a packet capture of network traffic and pull out the actual audio of bi-directional calls that were being made with VoIP using this application.  Those of you using Vonage, magicJack, or any other consumer-grade VoIP product should probably be aware (or beware) that if you're on a shared network segment of any kind, e.g. cable modem, it's absolutely possible for someone to listen in on your conversations, capture touch tones (e.g. credit card numbers, PINs, etc.), and even listen to or inject audio into the conversation in real-time.  Scary stuff.

Anyway, enough with my security soap boxing, on to the good stuff.  Wireshark comes with the ability to pull files out of a network stream and save them out for later use.  Meaning you can fire up Wireshark, load up an mp3 in Grooveshark or a video in YouTube for example, and once it's done buffering, pull the file out of the packet capture, and listen to or watch that content as much as you want from your local hard drive, offline.  Intrigued yet?  First you'll need to download and install Wireshark.
  1. Click on the link above, and download the latest stable release for your system's architecture, currently at version 1.4.6.  Launch the installer, click through a bunch of Nexts, and don't forget to install WinPcap which makes the magic happen.
  2. Once it's installed, fire it up, and click on the first icon in the toolbar to "List the available capture interfaces..." Alternatively you can select Capture --> Interfaces from the menu.  Click the Start button next to the corresponding network connection that you want to listen in on.  Depending on your setup, there could just be one, but if not, typically it's the one that shows the most Packets passing through.
  3. Now load up Grooveshark/YouTube, select a song/video, and wait for the buffering to complete.  You do NOT need to wait and listen to/watch the whole thing, but you do need for the whole thing to buffer up first.  Just the buffering is enough.
  4. Once it's done buffering, in Wireshark, click on the fourth icon in the toolbar to "Stop the running live capture."  Alternatively you can select Capture --> Stop from the menu.
  5. Now navigate to File --> Export --> Objects --> HTTP.  You will see a TON of files from different sites listed, but there's only one that you're interested in.  For a Grooveshark song, it should have a something.grooveshark.com Hostname, an audio/mpeg Content Type, a stream.php Filename, and likely it should be the largest in size (Bytes).  For a YouTube video, it should have something.youtube.com, video/x-flv, videoplayback?something, and should also likely be the largest in size listed.
  6. Click on the entry, and you'll see a Processing window pop-up briefly and disappear.  Then click the Save As button in the lower right of the window.  Navigate to a location where you want to save the song/video and change it from stream.php to whatever-you-want.mp3 or for the YouTube video, whatever-you-want.flv.  Go ahead and play it.  You know you want to.  For the mp3s, you should find that any available meta-data came down with the file as well, like artist/song information, and album art.  For the videos, use whatever program you prefer to play flash videos.  I'm partial to VLC myself.
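The six steps above are point-and-click, but it is worth seeing how little work stands between a cleartext HTTP stream and the saved file. The following is an added example (not the post's or Wireshark's code) that performs the parsing behind the Export Objects list on one request/response pair that has already been reassembled from TCP: it pulls the Hostname and Filename from the request, the Content Type from the response, and frames the body by Content-Length or by decoding chunked transfer encoding. The two byte strings are constructed stand-ins for the exchange the post describes.

```python
# Added example, not from the original post: recover an HTTP object (the
# fields Wireshark lists plus the body) from a reassembled request/response.

def _parse_headers(raw):
    """Split an HTTP head into (start line, {lowercase name: value})."""
    lines = raw.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def _dechunk(body):
    """Decode a Transfer-Encoding: chunked body into plain bytes."""
    out = b""
    while True:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return out                             # terminating zero chunk
        out += body[:size]
        body = body[size + 2:]                     # skip chunk data and CRLF

def extract_http_object(request, response):
    """Return hostname, filename, content_type, size and body for one object."""
    req_head, _, _ = request.partition(b"\r\n\r\n")
    req_line, req_hdrs = _parse_headers(req_head)
    uri = req_line.split(" ")[1]
    resp_head, _, resp_body = response.partition(b"\r\n\r\n")
    _, resp_hdrs = _parse_headers(resp_head)
    if resp_hdrs.get("transfer-encoding", "").lower() == "chunked":
        body = _dechunk(resp_body)
    else:
        body = resp_body[:int(resp_hdrs.get("content-length", len(resp_body)))]
    return {
        "hostname": req_hdrs.get("host", ""),
        "filename": uri.rsplit("/", 1)[-1] or "/",   # e.g. stream.php?...
        "content_type": resp_hdrs.get("content-type", ""),
        "size": len(body),
        "body": body,
    }

# Constructed exchange modelled on the post's Grooveshark example; the body is
# a few placeholder bytes, not real audio.
REQUEST = (b"GET /stream.php?streamKey=abc HTTP/1.1\r\n"
           b"Host: stream12.grooveshark.com\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: audio/mpeg\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n"
            b"4\r\nID3\x03\r\n5\r\n\x00\x00\x00\x00\x00\r\n0\r\n\r\n")
```

Writing `extract_http_object(REQUEST, RESPONSE)["body"]` to disk is all the Save As step does; nothing in the stream was protected.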
And now back to my soap box.  With tools like these that make eavesdropping on the network as easy as point-and-click, you really need to be aware of what you're doing on the Internet and what kind of security risks it entails.  A few things to consider:
  • Never click on links in your emails.  Yes, this is more of a piece of phishing advice, but those links could lead you to a fake version of the site that you thought you were clicking to, which can capture your information with something like Wireshark and then pass you on to the real site without you ever realizing it.  It can be done; I've done it for a security awareness demonstration before.  Always type in the website address yourself and do your best to validate that it is properly secured with SSL (that little padlock that says communication between you and the site is encrypted, even though this too can be faked).
  • Never give out sensitive information like your credit card number or PIN over the phone to someone that called you, especially if you're using consumer-grade VoIP at home.  There are even tools out there that can pull the corresponding numbers to (Wireshark) captured tone sounds, even if you never verbally spoke those numbers.  Always call the bank/credit card company directly yourself.
  • If your work requires you to send files back and forth electronically with another party, make sure to use encryption on the connection (SSH/SFTP/SCP/SSL), on the file with a password (PGP/GPG/AES), or ideally both.  Now that you've seen how easy it is to pull a file out of the network stream when it's not encrypted, it should be obvious to you that protocols like Telnet/FTP/HTTP just aren't going to cut it anymore when it comes to security.
Anyway, I hope that this post has served to educate, entertain, and horrify.  Until next time. :)

Tuesday, May 17, 2011

attwifi Impersonation Experiment

I recently decided to conduct a little experiment in the name of science (or security, tech-geek curiosity, take your pick).  As many of you may already know, AT&T is behind many of the publicly available wifi hotspots located everywhere at places like Starbucks, McDonalds, etc.  For AT&T iPhone users, the first time that you connect to one of these hotspots, with an SSID of attwifi, your phone is then configured to automatically connect to these networks whenever they come in range so that you can get faster connectivity and avoid data usage charges on your 3G plans.  Convenient, right?  Well, security and convenience have always butted heads, causing headaches for all of those involved.  And that's where I come in.  I was wondering how many devices I could get to automatically connect to a wifi network that I was broadcasting from my backpack on my normal commuting route, which includes about a 3 mile drive, 25 minutes on the subway, and 3 blocks of walking...  roughly 45 minutes door-to-door.

I had previously purchased a portable wireless router, the Asus WL-330GE, and flashed a custom, Linux-based firmware called DD-WRT onto it.  DD-WRT is a great alternative firmware for compatible routers as it enables features above and beyond those of the manufacturers' firmware, while providing rock solid stability.  I had another Asus router that was running for over 230 days with no issues until I accidentally, ahem, power cycled it.  Anyway, one of those features is to increase the power of the wifi radio, which came in handy for this experiment.  I gave the device an SSID of attwifi, turned off encryption, and enabled a pool of 50 IP addresses that could be given out automatically to any associated device that wanted one.  I hooked it up to a Griffin USB Reserve Power, and threw it into my backpack for the trip home from the office one day, slightly paranoid that the subway security personnel would come after me for carrying something with bright blue flashing LEDs onto the train.  The Griffin battery is able to provide a little under 2 hours of power to the router, perfect for my little project.  To give you an idea, the router itself is slightly smaller than a deck of cards.

I logged into the router from my own iPhone periodically during my commute to keep tabs on who, if anyone, was connecting.  And were there ever.  By the time I walked the four blocks from my office to the train station, the 50 IP addresses were already all spoken for!  Surprisingly, a majority of the devices that hooked into my router were BlackBerrys, with iPhones coming in second, and Android devices and iPads trailing a distant 3rd and 4th.  For a second run of the experiment later on, I increased the number of available IP addresses to 253, and got 107 devices to connect to me over the course of the commute, one-way!

One of the other features of the DD-WRT firmware is the ability to see who is connected and their relative signal strengths as well.  Sitting on the train on the way home, I took a look at the list and at any point in time had half a dozen or so connected clients.  The amusing thing was, I was basically able to put a name to a face when iPhone users were connected.  The name of the client device is typically [name]'s-iPhone.  So when the signal strength says 98% for Marcia's-iPhone and there's only one woman in my immediate vicinity with an iPhone out, tapping away furiously, wondering why she can't get online, chances are, that's Marcia.
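Everything in the two paragraphs above came from the access point's DHCP lease table, so it is worth seeing exactly how much that table gives away. The following is an added example (not the author's data or code) that parses a constructed lease file in the dnsmasq format DD-WRT uses (expiry, MAC, IP, hostname, client-id), tallies device families from the hostname alone, and lists the hosts whose default Apple-style name exposes the owner's first name; the tally is the count the post describes, and the owner list is the reason renaming a device to something generic is part of the fix.

```python
# Added example, not from the original post: what an access point operator
# learns from the DHCP lease table alone. Assumes dnsmasq's lease format
# "expiry MAC IP hostname client-id" (a '*' marks a missing field).
# The lease lines below are constructed sample data, not real clients.
import re
from collections import Counter

LEASES = """\
1305654321 00:11:22:33:44:01 192.168.1.100 Marcias-iPhone 01:00:11:22:33:44:01
1305654330 00:11:22:33:44:02 192.168.1.101 BLACKBERRY-3F2A *
1305654341 00:11:22:33:44:03 192.168.1.102 android-9c1e7b2f44aa01d3 *
1305654355 00:11:22:33:44:04 192.168.1.103 Johns-iPad 01:00:11:22:33:44:04
1305654360 00:11:22:33:44:05 192.168.1.104 * *
"""

# Hostname fragments that give the device family away; first match wins.
DEVICE_PATTERNS = [
    ("iPhone", re.compile(r"iphone", re.I)),
    ("iPad", re.compile(r"ipad", re.I)),
    ("BlackBerry", re.compile(r"blackberry", re.I)),
    ("Android", re.compile(r"^android-", re.I)),
]
# Apple's default "<Name>'s iPhone" arrives over DHCP as "<Name>s-iPhone".
OWNER_NAME = re.compile(r"^([A-Za-z]+)s-(iPhone|iPad)$")


def parse_leases(text):
    """Yield (mac, ip, hostname) for each lease line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            yield parts[1], parts[2], parts[3]


def classify(hostname):
    """Map a DHCP hostname to a device family, or 'unknown'."""
    for family, pattern in DEVICE_PATTERNS:
        if pattern.search(hostname):
            return family
    return "unknown"


def summarize(text):
    """Return (device family counts, {ip: owner first name}) for a lease table."""
    families = Counter()
    named = {}
    for _mac, ip, hostname in parse_leases(text):
        families[classify(hostname)] += 1
        match = OWNER_NAME.match(hostname)
        if match:
            named[ip] = match.group(1)   # e.g. 192.168.1.100 -> "Marcia"
    return families, named
```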

So what does this mean?  Well, from a security standpoint, it's no longer just about making sure that your own devices/computers/etc. are fully patched, up-to-date, locked down, etc., to keep the bad guys out.  Now more than ever, with the emergence of mobile technologies, you need to be cognizant of the bad guys that you could potentially be connecting to, either willingly or unknowingly.  At best, I could cause a denial-of-service attack, meaning these devices, which all prefer wifi over 3G connectivity automatically, connect to my setup, which isn't connected to the Internet at all, and they get nowhere fast.  Marcia's case in point.  At worst, I could set up a system which would pass them through to the Internet just as they expected, but capture everything that they do along the way, like passwords, credit card numbers, email and chat messages, etc.  EVERYTHING.  The same risks apply to things like free hotel wifi networks, Panera, Barnes & Noble, etc.

Moral of the story: make absolutely certain that the wireless networks that you're connecting to are the legitimate ones that you're expecting, and it's good practice to disable automatically connecting to wireless networks (unencrypted or otherwise) unless you absolutely need them.  This means turning off wifi functionality until you need it.  I'd be willing to bet that a good majority of my "victims" weren't even using their devices at the time; they were just auto-connecting from their holsters/purses/pockets and such.  As "Mad-Eye" Moody from Harry Potter always says, "Constant Vigilance!"