Sniffer for Windows: Intercepter-NG (instructions for use). Pen tester tools: sniffers and working with packets. Sniffers for Wi-Fi networks without a connection.

The Wireshark program is an excellent assistant for users who need a detailed analysis of network packets, that is, of computer network traffic. The sniffer handles such common protocols as NetBIOS, FDDI, NNTP, ICQ, X.25, DNS, IRC, NFS, HTTP, TCP, IPv6 and many others. During analysis it splits each network packet into its components according to the protocol and displays the decoded fields in readable form on the screen.
Wireshark supports a huge number of formats for transmitted and received data and can open capture files produced by other utilities. It works by switching the network card into promiscuous mode and capturing the network packets within its reach. It can also be used as a program for capturing Wi-Fi packets.

How to use wireshark

The program examines the contents of the packets passing through the network. No special knowledge is needed to launch it and use its results: open it from the “Start” menu or click its desktop icon (launching it is no different from any other Windows program). The utility captures information packets, carefully decodes their contents and presents them to the user for analysis.

After launching Wireshark you will see the program's main menu at the top of the window; it is used to control the utility. To load files with packets captured in previous sessions, or to save packets captured in a new session, use the "File" tab.

To start capturing network packets, click the "Capture" icon and open the menu section called "Interfaces". This opens the separate "Wireshark Capture Interfaces" window, which lists all available network interfaces through which the required data packets can be captured. If the program (sniffer) detects only one suitable interface, it displays all the important information about it on the screen.

The utility's results are direct evidence that the exchange of information on the network does not stop even when users are not themselves transmitting any data at a given moment. A local network works by having each of its elements (computers, switches and other devices) continuously exchange service information with each other in order to stay operational, and network tools of this kind are designed to intercept exactly such packets.
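As an added illustration of what "separating a packet into its components" means (this is example code written for this page, not part of Wireshark), the following Python script dissects a constructed Ethernet/IPv4/TCP frame layer by layer, the way a sniffer's protocol decoder does. The frame bytes are constructed by hand for the example, and the checksums are left at zero.

```python
import socket
import struct

# Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP SYN
# from 192.168.1.100:49152 to 93.184.216.34:80. Checksums are left as zero.
SAMPLE_FRAME = bytes.fromhex(
    "aabbccddeeff"          # Ethernet destination MAC
    "001122334455"          # Ethernet source MAC
    "0800"                  # EtherType 0x0800 = IPv4
    "45" "00" "0028"        # IPv4: version 4 / IHL 5, TOS, total length 40
    "0001" "0000"           # identification, flags / fragment offset
    "40" "06" "0000"        # TTL 64, protocol 6 (TCP), header checksum
    "c0a80164"              # source 192.168.1.100
    "5db8d822"              # destination 93.184.216.34
    "c000" "0050"           # TCP source port 49152, destination port 80
    "00000001" "00000000"   # sequence 1, acknowledgement 0
    "50" "02" "ffff"        # data offset 5 (20 bytes), flags SYN, window 65535
    "0000" "0000"           # checksum, urgent pointer
)

TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Peel one frame into its Ethernet, IPv4 and TCP layers.

    This mirrors what a sniffer's protocol dissector does: each header is
    parsed with the layout from its RFC, and the next layer starts where the
    current header ends. Only the Ethernet II -> IPv4 -> TCP path is handled.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"eth": {"dst": fmt_mac(dst), "src": fmt_mac(src), "type": ethertype}}
    if ethertype != 0x0800:                      # not IPv4: stop at layer 2
        return layers

    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     sip, dip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4                   # IPv4 header length in bytes
    layers["ip"] = {
        "version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len,
        "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(sip), "dst": socket.inet_ntoa(dip),
    }
    if proto != 6:                               # not TCP: stop at layer 3
        return layers

    tcp = frame[14 + ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4             # TCP header length in bytes
    flags = off_flags & 0x01FF
    layers["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        "window": window,
        "payload": tcp[data_off:],               # what an application-layer parser sees
    }
    return layers


if __name__ == "__main__":
    for layer, fields in decode_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```

The same three steps (fixed-size header, length field, next-layer offset) are what every dissector does; a real tool adds one such parser per protocol and dispatches on the EtherType, IP protocol number and port.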

There is also a version for Linux systems.

It should be noted that the sniffer is extremely useful for network administrators and computer security services, because the utility allows you to identify potentially unprotected network nodes, that is, likely areas that can be attacked by hackers.

Beyond its direct purpose, Wireshark can also be used as a tool for monitoring and analysing network traffic in order to attack unprotected areas of the network, because intercepted traffic can be used for various purposes.


ATTENTION! This article is written for informational purposes only, for IT security specialists. Traffic interception was demonstrated on our own devices on a personal local network. Intercepting and using personal data may be punishable by law, so we do not encourage using this article to harm others. World peace, let's help each other!

Hi all! In this article we will talk about Wi-Fi sniffers. In general, this type of program is intended exclusively for intercepting traffic on a local network; it makes no difference whether the victim is connected to the router by cable or by Wi-Fi. I would like to show traffic interception using the example of an interesting program, “Intercepter-NG”. Why did I choose it? Because this sniffer application was written specifically for Windows, has a fairly friendly interface and is easy to use. And not everyone has Linux.

Intercepter-NG capabilities

As you know, on a local network data is constantly exchanged between the router and the end client. If desired, this data can be intercepted and used for your own purposes: for example, cookies, passwords or other interesting data. It all happens very simply: the computer sends a request to the Internet and receives the data back with a response from the central gateway or router.

The program starts a mode in which the client computer sends its requests not to the gateway but to the device running the program; in other words, it makes the victim mistake the attacker's computer for the router. This attack is called ARP spoofing. All the data can then be used from the second computer for its own purposes.

Once the data is received, the sniffing process begins: the program tries to extract the useful information from the packets, such as passwords, logins, requested web resources, pages visited on the Internet and even instant-messenger conversations. The small drawback is that this works well only with unencrypted data; with HTTPS pages you have to jump through hoops. For example, when the client queries the DNS server, the program can answer with the address of its own fake site, where the victim then enters a login and password to sign in.
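The ARP spoofing described above can be recognised from the same traffic it relies on: a host that starts claiming the gateway's IP address with a different MAC contradicts what the network already knows. The following Python script is an added example, not part of Intercepter-NG or of this article; it parses raw ARP frames and flags conflicting IP-to-MAC claims. The capture it runs over is constructed here (the addresses and MACs are made-up sample values), and the `arp_frame` helper only packs bytes for that sample; nothing is sent on the wire.

```python
import socket
import struct

ETHERTYPE_ARP = b"\x08\x06"
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def arp_frame(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Pack an Ethernet/ARP frame. Used here only to build the constructed
    sample capture below; nothing is transmitted."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode, sha,
                      socket.inet_aton(sender_ip), tha, socket.inet_aton(target_ip))
    return tha + sha + ETHERTYPE_ARP + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if the frame is not ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"op": op, "sender_mac": fmt_mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": fmt_mac(tha), "target_ip": socket.inet_ntoa(tpa)}


def detect_arp_spoofing(frames, trusted: dict) -> list:
    """Flag frames whose sender IP/MAC pair contradicts what is already known.

    `trusted` seeds the table with bindings known to be correct (at least the
    gateway). Every other IP is learned from the first ARP packet that claims
    it, so a later claim from a different MAC raises an alert.
    """
    bindings = dict(trusted)
    alerts = []
    for index, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is None:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = bindings.setdefault(ip, mac)   # learn on first sight
        if known != mac:
            alerts.append({
                "frame": index, "ip": ip, "expected_mac": known, "claimed_mac": mac,
                "kind": "gateway impersonation" if ip in trusted else "host conflict",
            })
    return alerts


# Constructed sample capture: a normal gateway reply and a victim request,
# then a third host answering for both the gateway and the victim.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:dd:ee:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.100", "00:11:22:33:44:55"
ROGUE_MAC = "de:ad:be:ef:00:01"
SAMPLE_CAPTURE = [
    arp_frame(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),          # legitimate reply
    arp_frame(1, VICTIM_MAC, VICTIM_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP),  # who-has from victim
    arp_frame(2, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),            # rogue claims gateway
    arp_frame(2, ROGUE_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),           # rogue claims victim
]


def run_sample() -> list:
    return detect_arp_spoofing(SAMPLE_CAPTURE, {GATEWAY_IP: GATEWAY_MAC})


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Seeding the gateway binding is the important design choice: without it the detector can only notice a change after the fact, whereas with it the very first forged reply for the gateway address is caught. On a real network the same table is what switch features such as dynamic ARP inspection maintain.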

Normal attack

First we need to download the program. Some browsers may complain when you try to download the application from the official website, sniff.su, but you can try. If you don't want to deal with that warning, you can download the application from GitHub.

  1. Depending on how you are connected to the network, the corresponding icon is shown in the upper left corner; click on it.


  2. Select your working network adapter. I chose the one that already had a local IP assigned, that is, my own IP address.


  3. Right-click on the empty area and launch “Smart Scan”.


  4. A list of IP addresses appears, along with MAC addresses and additional information about the devices on the network. Select one of the targets, click on it and choose “Add as Target” from the list so that the program registers the device. Then click the start button in the upper right corner of the window.


  5. Go to the “MiTM mode” section and click on the radiation icon.


  6. The process is now running; to view logins and passwords, go to the third tab.


  7. On the second tab you will see all the transferred data.


As you can see, this is where the intercepted passwords and usernames can be seen, as well as the sites visited by the target.

Intercepting Cookies

If anyone doesn’t know, cookies are temporary data that save us from constantly re-entering credentials on forums, social networks and other sites; you could call them a temporary pass. They can also be intercepted with this application.

It is quite simple: after launching a regular attack, go to the third tab, right-click on the free area and select “Show Cookies”.


You should see the required cookies. Using them is very simple: right-click the desired site and select “Open in browser”. The site then opens in the other user’s session.
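The reason cookies can be reused this way is that a session cookie sent over plain HTTP travels in clear text, and the defence lives on the server side: mark the cookie Secure (only ever sent over HTTPS), HttpOnly and SameSite. The Python script below is an added example, not part of the article or of any tool it mentions; it audits Set-Cookie headers for those attributes. The response headers are constructed sample data and the cookie values are made up.

```python
def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie header into name, value and attributes.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header_value: str) -> dict:
    """Return the findings a defender cares about for a session cookie."""
    cookie = parse_set_cookie(header_value)
    attrs = cookie["attrs"]
    findings = []
    if attrs.get("secure") is not True:
        findings.append("no Secure: also sent over plain HTTP, where a sniffer can read it")
    if attrs.get("httponly") is not True:
        findings.append("no HttpOnly: readable from page scripts")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    if cookie["name"].startswith("__Host-") and (attrs.get("path") != "/" or "domain" in attrs):
        findings.append("__Host- prefix requires Path=/ and no Domain attribute")
    cookie["findings"] = findings
    return cookie


def audit_response(headers) -> dict:
    """Audit every Set-Cookie header of a response; returns cookie name -> findings."""
    return {c["name"]: c["findings"]
            for c in (audit_cookie(v) for k, v in headers if k.lower() == "set-cookie")}


# Constructed sample response headers (not from a real server): one cookie set
# the weak way, one set the hardened way.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=3f9a1c77e2; Path=/"),
    ("Set-Cookie", "__Host-sid=9d4e1b0a55; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_HEADERS).items():
        print(name, findings or ["ok"])
```

The first cookie is exactly the kind a sniffer on the local network picks up and replays; the second is never transmitted over an unencrypted connection, so a "Show Cookies" list captured from plain HTTP traffic would not contain it.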


Obtaining login and password

Most likely, by the time you launch the program the client will already be logged in to one account or another, but you can force them to enter the login and password again. Since cookies are not eternal, this is quite normal practice. The Cookie Killer function is used for this: after it runs, the client’s old cookies are deleted and they have to enter the login and password again, which is when interception comes into play. There is a separate video instruction on this matter:

Intercepter is a multifunctional network tool that extracts data from traffic (passwords, instant-messenger messages, correspondence, etc.) and implements various MiTM attacks.


Intercepter program interface
Main functionality

  • Interception of instant messenger messages.
  • Interception of cookies and passwords.
  • Interception of activity (pages, files, data).
  • Ability to spoof file downloads by adding malicious files. Can be used in conjunction with other utilities.
  • Replacing HTTPS certificates (downgrading HTTPS to HTTP).
Operating modes
Messengers Mode – lets you read correspondence that was sent unencrypted. It is used to intercept messages in instant messengers such as ICQ, AIM and Jabber.

Resurrection Mode – recovers useful data from traffic carried by protocols that transmit in clear text. When the victim views files, pages or data, they can be partially or fully intercepted. You can also specify a file size so that the program does not save small fragments. This information can be used for analysis.

Password Mode – the mode for working with cookies; it makes it possible to reach the files the victim has visited.

Scan mode – the main mode for testing. To start scanning, right-click and choose Smart Scan. After scanning, the window lists all hosts on the network, their operating system and other parameters.

This mode can also scan ports, using the Scan Ports function. There are of course far more capable utilities for this, but having the function here is convenient.

If we are interested in a targeted attack on the network, then after scanning we add the target IP to NAT with the Add to Nat command. The other attacks can then be carried out in another window.

Nat Mode. The main mode, which allows a number of ARP-based attacks. This is the main window for targeted attacks.

DHCP mode. Lets you run your own DHCP server in order to carry out DHCP-based man-in-the-middle attacks.

Some types of attacks that can be carried out
Site spoofing

To replace the victim's website, go to Target and specify the site and its replacement. Quite a few sites can be replaced this way; it all depends on how convincing the fake is.

Site spoofing (example for VK.com): selecting the MiTM attack and changing the injection rule.

As a result, when the victim requests vk.com, a fake website opens, and in Password mode the victim’s login and password should appear:


To carry out a targeted attack, select a victim from the list and add it as a target; this is done with the right mouse button.


Adding MiTm attacks
Now you can use Resurrection Mode to recover various data from the traffic.


Victim files and information via MiTm attack
Traffic spoofing



Specifying Settings
After this, the victim’s request will change from “trust” to “loser”.

You can also kill cookies so that the victim is logged out of all accounts and has to log in again, which allows logins and passwords to be intercepted.


Destroying cookies

How to see a potential sniffer on the network using Intercepter?

The Promisc Detection option detects a device on the local network whose network card is listening in promiscuous mode, that is, sniffing. After the scan, the status column shows “Sniffer”. This is the first way to detect sniffing on a local network.


Sniffer Detection
SDR HackRF Device


HackRF
SDR (software-defined radio) is a type of radio receiver whose radio-frequency parameters are set in software, which makes it possible to receive Wi-Fi, GSM, LTE and other signals.

HackRF is a complete SDR device for $300. The project's author, Michael Ossmann, develops successful devices in this area; the Ubertooth Bluetooth sniffer was developed and shipped earlier. HackRF is a successful project that raised more than 600 thousand on Kickstarter, and 500 devices have already been sold for beta testing.

HackRF operates in the frequency range from 30 MHz to 6 GHz. The sampling rate is 20 MHz, which allows it to capture signals from Wi-Fi and LTE networks.

How to protect yourself at the local level?

First, let's use the SoftPerfect WiFi Guard software. There is a portable version of no more than 4 MB. It scans your network and shows which devices are present on it. Its settings let you select the network card and the maximum number of devices to scan, and you can also set the scanning interval.

Ability to add comments for users


Notification window for unfamiliar devices after each specified scanning interval

Conclusion
Thus, we have examined in practice how software can be used to intercept data within a network. We looked at several specific attacks that yield login data and other information. We also looked at SoftPerfect WiFi Guard, which protects your local network from traffic eavesdropping at a basic level.



The Wi-Fi network packet sniffer module can be used in both normal and monitor mode, and it also supports a third option, extended mode, for capturing the Wi-Fi traffic generated by your own equipment.

The extended mode allows you to use the while your wireless card is connected to a Wi-Fi network. Apart from viewing signalling packets (beacons, probe requests, probe responses, data packets, etc.), you can view all the TCP, UDP or Wi-Fi broadcast traffic generated by your system while connected. This way you can view and analyse all the web browsing (HTTP) traffic, or any other network connection, sent over the Wi-Fi network you are connected to.

This capture mode does not let you view Wi-Fi traffic from other channels, since your wireless card is working on a fixed frequency.

The Wi-Fi network sniffer on extended mode and the network packet capture mode sectors are long-awaited new features on Acrylic Wi-Fi Professional v2.3, which is expected to be launched within the next few days.

Download Wireless Network Sniffer for Windows 7/8/8.1/10

If you do not need to view Wi-Fi network packets or use a Wi-Fi network traffic sniffer, download , a free Wi-Fi network and channel sniffer for Windows that allows you to view all the wireless networks within reach. This version supports normal capture and monitor modes.

If you need complete wireless network behavior information, Wi-Fi network sniffer is the right solution for you, since it supports all three Wi-Fi network capture modes, providing Wi-Fi network packet information in real time. A very useful tool for improving wireless network performance, detecting incidents, and learning more about Wi-Fi networking. Try it for free!

And for advanced users, the Acrylic Wi-Fi driver allows you to.


This article is a set of instructions for breaking the WEP encryption of Wi-Fi networks. It does not cover the basic concepts of wireless networking and assumes the reader already has them. We will use: Windows, CommView for Wi-Fi and aircrack-ng 0.9.3 win.

Since we will be using CommView for Wi-Fi, you need to download this program, for example from the vendor's website; aircrack-ng 0.9.3 win can be downloaded from our website. Before installing CommView for Wi-Fi, check that your wireless adapter is in the list of supported ones.

Install CommView for Wi-Fi with the default settings (be sure to install the driver for your card if required!) and unzip aircrack-ng 0.9.3 win into any convenient folder; I recommend the root of drive C:. Now everything is ready.

The aircrack-ng package includes a good sniffer, airodump-ng, but using it under Windows can be difficult. Windows has one unpleasant feature: its standard means (official drivers) do not allow the Wi-Fi card to be put into sniffer mode (the mode in which the card collects all packets within reach). You can use third-party drivers (which is what people usually do) or modified official ones, but this is fraught with glitches and unpleasant consequences, such as the card refusing to connect to the access point. That can easily be fixed by reinstalling the standard driver.

I would like to offer another option, which Choix from the site wardriving.ru considers more convenient: using the combination of the CommView for Wi-Fi sniffer and aircrack-ng to crack the WEP key. The main advantage of this combination is that there is no need to reinstall the driver every time the card is switched into sniffer mode and back. CommView for Wi-Fi also supports some cards, such as the built-in Intel PRO/Wireless 2200BG adapter, which airodump-ng under Windows does not.


Launch CommView for Wi-Fi; on the first launch it offers to patch the drivers and reboot. We boldly agree to everything. Next, if we are going to use the program only to collect encrypted DATA packets, open the RULES menu, check the boxes for capturing DATA packets and ignoring BEACON packets, and uncheck the rest. Click “save current rule” (we keep a copy). Then go to the settings and set them as in the picture:

Almost everything :-) We’ll start cracking soon)) The setup is done once, so don’t be alarmed by how much there is to click. All that remains is to go to the Log files tab in the main program window, check the autosave box and set the maximum directory size to 200 MB and the average file size to about 5 MB.

Next, click the *Capture* button and, in the window that appears, click *start scanning*. On the right, a list of access points within range appears, with signal level and other additional information. Select the target access point and press Capture. Now we grab beer and crackers and wait until the required number of packets has been collected (from 100,000 to 2,000,000 depending on the key length); we will have to wait a while.

Hooray!!! The packets are collected. Now press Ctrl+L and, in the window that appears, choose File, Load CommView log files and select all the files we see. Then open the Rules menu and load what we saved (DATA packets only). Now export the packets in TCPdump format.

Launch aircrack-ng, set its parameters and point it to our file of packets from CommView, which is in TCPdump format. The aircrack-ng GUI requires Microsoft .NET Framework 2.0 (versions 1 and 3 will not work).

Select Encryption: WEP and try the Key size values in turn from smallest to largest. If you have captured enough ARP packets, you can check the USE PTW attack box. Click Launch.

If the key is found, you will see something like this:

If the key is not found, try changing the parameters until the attempt succeeds.
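From the defender's side, the take-away from this section is that a WEP key is recoverable from nothing more than captured traffic, so the first check is whether any network in your own environment still uses WEP (or no encryption at all). The following Python script is an added example, not part of the article or of any tool it mentions: it parses the output of `netsh wlan show networks mode=bssid` on Windows and lists the networks that a passive sniffer defeats. The scan text here is constructed in the shape of that output (the SSIDs, addresses and values are made up); on a real machine you would feed it the command's actual output.

```python
import re

SSID_LINE = re.compile(r"^SSID\s+\d+\s*:\s*(.*)$")


def parse_netsh_networks(text: str) -> list:
    """Turn `netsh wlan show networks mode=bssid` output into one dict per SSID.
    Only the Authentication and Encryption fields are kept; BSSID/Signal lines
    (which contain extra colons) are skipped because only the first ':' is split."""
    networks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SSID_LINE.match(line)
        if m:
            current = {"ssid": m.group(1).strip(), "authentication": "", "encryption": ""}
            networks.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, val = line.partition(":")
        key = key.strip().lower()
        if key in ("authentication", "encryption"):
            current[key] = val.strip()
    return networks


def weak_networks(text: str) -> list:
    """Return the networks whose protection does not withstand a passive sniffer."""
    weak = []
    for net in parse_netsh_networks(text):
        auth, enc = net["authentication"].upper(), net["encryption"].upper()
        reason = None
        if enc == "WEP":
            reason = "WEP: key recoverable from captured traffic, replace with WPA2/WPA3"
        elif auth == "OPEN" or enc == "NONE":
            reason = "open network: traffic readable by anyone in range"
        elif enc == "TKIP" or auth.startswith("WPA-"):
            reason = "WPA/TKIP: deprecated, move to WPA2-AES or WPA3"
        if reason:
            weak.append({**net, "reason": reason})
    return weak


# Constructed sample in the shape of netsh output (not a real scan).
SAMPLE_SCAN = """\
Interface name : Wi-Fi
There are 3 networks currently visible.

SSID 1 : HomeNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 80%
         Channel            : 6

SSID 2 : OldRouter
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP

SSID 3 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
"""

if __name__ == "__main__":
    for net in weak_networks(SAMPLE_SCAN):
        print(f'{net["ssid"]}: {net["reason"]}')
```

Run it periodically from a workstation on each site and the output is a to-do list for the network owner: every WEP or open SSID it prints is one that the procedure above (or any equivalent) would defeat with a few hours of passive capture.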