2

I am relatively new to cybersecurity and hacking and I aim to learn ethical hacking as a passion alongside my mainstream education (Electrical Engineering).

My setup: I have set up my very own WEP WiFi network (intentionally made vulnerable by setting up WEP encryption). I have also set up a microcontroller (NodeMCU, in case you were wondering) to transmit some sensor data (DHT11's temperature and humidity data) over this WEP network. It would post the data over some URI (e.g. 192.168.1.100/data).

Goal: To break into the network that the microcontroller is connected to (the WEP network) and sniff the data that is being transmitted. The communication is assumed to be by HTTP and is also assumed to happen by the GET method. However, the exact URI is not known. So, GOAL 1 is to find the exact URI and hence get the data being transmitted. After accomplishing this, GOAL 2 is to try to spoof some data, i.e. send some garbage data and keep the actual data to ourselves.

Progress so far:

  • Easily cracked the 128-bit WEP encrypted password using Kali Linux (Aircrack-ng tools). Tons of information is readily available.
  • Got access to the gateway, i.e. the modem's settings page (assuming the password was not changed from the default admin/admin user ID and password).
  • Thus, obtained the IP address of the microcontroller.

THE PROBLEM: I tried sniffing data off the network (I am still unaware of the exact URI over which the microcontroller is transmitting data). I tried using Wireshark for this; it seemed to match the needs. But I could not see any traffic on Wireshark from the IP address of the microcontroller. No matter how many times I tried refreshing the page on my mobile phone, no traffic was shown. However, my phone did display the data. What am I missing? I tried sniffing on the same WiFi adapter that was simultaneously connected to the WEP network. I even tried putting an external WiFi adapter in monitor (promiscuous) mode and then sniffing data. All in vain. I need some help.

[Screenshot 1: Wireshark capture on the internal adapter]

See? No traffic is shown from the esp8266's IP address

[Screenshot 2: Wireshark capture on the external USB adapter]

Now, I tried using an external USB adapter. This showed up the ESP as ESPressi_ac, not its IP. The Motorola... is my phone. When I first connect it to the network, it sends out an ARP for the IP. You can see it in the 2nd screenshot. But it gets no response. Still, I am able to view the ESP's web page (knowing the URI beforehand). There is no HTTP traffic at all. What am I missing?

Kathir
  • 121
  • 4

2 Answers

3

From what I can see, your setup is something like this:

NodeMCU Microcontroller <----> Phone
                          ^
                          |
                          |
              Sniff packets with Kali

Although you have tried sniffing with promiscuous mode, using promiscuous mode to capture wireless traffic might not work:

Promiscuous mode is, in theory, possible on many 802.11 adapters, but often does not work in practice; if you specify promiscuous mode, the attempt to enable promiscuous mode may fail, the adapter might only capture traffic to and from your machine, or the adapter might not capture any packets.

A workaround to this problem is to use monitor mode. Monitor mode is different from promiscuous mode in that monitor mode captures packets without associating with an access point, and promiscuous mode allows you to view all packets on the network you are associated with, even if the packets aren't addressed to you.

You could use monitor mode by passively sniffing packets from networks around you while not connected to an access point.

If the network you are sniffing uses encryption, provided you know the WiFi key, Wireshark can decrypt the packets for you.

TL;DR: Use monitor mode.

Joe
  • 2,734
  • 2
  • 12
  • 22
  • Thank you. So, when I do "airmon-ng start wlan 1", I put it in monitor mode, right? So I should get the data, right? But I did not. I tried adding the key to Wireshark as WEP key: password_here. But it says invalid. – Kathir Sep 28 '17 at 16:06
  • Are you sure your wireless adapter supports monitor mode? You can check this by running `iw list`. If the output contains the word "monitor", it's supported. Are you inputting the WEP key in the correct format as mentioned on the link in my answer? – Joe Sep 28 '17 at 17:24
  • I do not have access to the Kali system and a WEP network at my university right now. Will check tomorrow. BTW, should the key be converted from the original ASCII to HEX before inputting it to Wireshark? The way of inputting the password has changed from the way described on the Wireshark website. I get a dialog box asking me to input the keys. I shall soon upload the screenshot if the problem persists. – Kathir Sep 29 '17 at 06:08
  • No, you shouldn't have to convert the WEP key to hexadecimal – Joe Sep 29 '17 at 10:25
  • But when I enter the exact ASCII value (13 characters long), it says invalid key. Will upload a screenshot soon. – Kathir Sep 29 '17 at 13:13
  • Sorry, I got it wrong: the WEP key SHOULD be in hexadecimal format. – Joe Sep 30 '17 at 14:07
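The comment thread ends on the WEP key needing to be in hexadecimal. The following helper is an added example, not code from Joe's answer or from Wireshark itself: it converts a 5- or 13-character ASCII WEP key into the hex form Wireshark's IEEE 802.11 decryption-key table expects, rejects any other length before Wireshark gets the chance to call it invalid, and builds an equivalent tshark command line. The interface name `wlan1mon` and the `uat:80211_keys` preference string are assumptions about the local setup and tshark version.

```python
"""Convert a WEP key into the hexadecimal form Wireshark/tshark accept.

Added example, not code from the original answer. Wireshark stores 802.11
decryption keys as hex digits: 10 for 40-bit WEP (5 ASCII characters) or
26 for 104-bit WEP (13 ASCII characters). Typing the ASCII passphrase as-is
is rejected as an invalid key, which is what the comment thread ran into.
"""
import binascii

# WEP key sizes in bytes: 40-bit and 104-bit.
VALID_KEY_BYTES = (5, 13)


def wep_key_to_hex(key: str) -> str:
    """Return the key as lowercase hex digits without separators.

    Accepts an ASCII passphrase of 5 or 13 characters, or a key already given
    as 10 or 26 hex digits (colons between bytes allowed). Any other length
    raises ValueError so a mistyped key is caught before Wireshark rejects it.
    """
    compact = key.replace(":", "")
    if len(compact) in (10, 26):
        try:
            return binascii.unhexlify(compact).hex()
        except (binascii.Error, ValueError):
            raise ValueError("key has a hex-key length but is not hex") from None
    raw = key.encode("ascii")
    if len(raw) not in VALID_KEY_BYTES:
        raise ValueError(
            f"WEP keys are 5 or 13 ASCII characters (got {len(raw)}); "
            "hex keys are 10 or 26 hex digits"
        )
    return raw.hex()


def wireshark_key_entry(key: str) -> str:
    """Row for Wireshark's IEEE 802.11 'Decryption keys' table: type 'wep', hex key."""
    return f"wep:{wep_key_to_hex(key)}"


def tshark_argv(key: str, interface: str = "wlan1mon", display_filter: str = "http") -> list:
    """argv for a tshark capture that decrypts WEP on a monitor-mode interface.

    Assumes the uat:80211_keys preference string format; `wlan1mon` is a
    placeholder for whatever name airmon-ng gave the monitor interface.
    """
    return [
        "tshark", "-i", interface,
        "-o", "wlan.enable_decryption:TRUE",
        "-o", f'uat:80211_keys:"wep","{wep_key_to_hex(key)}"',
        "-Y", display_filter,
    ]


if __name__ == "__main__":
    # Constructed 13-character key, not a real network's key.
    print(wireshark_key_entry("example-key13"))
    print(" ".join(tshark_argv("example-key13")))
```

Decryption only works on a monitor-mode capture, because only raw 802.11 frames carry the per-frame IV that WEP prepends to the ciphertext; a capture taken from an associated adapter already has the 802.11 layer stripped.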
1

If I get you correctly you have the following scenario:

  • One Wireless network that you already gained access to
  • Mobile Phone on the same network
  • A machine on the very network that sends data/gets pulled from

If that is correct you might have missed an important point. Let's see what happens when the data gets pulled:

  1. Your mobile phone requests data directly from the IOT "Server"
  2. Your IOT "Server" replies and sends the packets directly to the phone.
  3. Phone interprets and displays data.

This means that your attack box (KALI) is not involved in that communication.

Why is that? In a WiFi network there is no directed communication as such. As you know from switches (not hubs ;) in a wired network, communication can be directed per link. In that way you cannot receive data meant for another client. On wireless (afaik) you cannot direct traffic due to the physics of radio wave propagation in air. Instead, every client (wireless network card) will discard all information that does not contain its MAC address as target.

How do I solve this problem? Wireshark actually has a kind little switch that prevents your network card from dismissing (normally) unwanted packets. This behaviour is called "Promiscuous Mode". That's what you might be looking for.

Under Wireshark's preferences dialog, go to the "capture" option. Here you'll see a checkbox for "capture packets in promiscuous mode."

More Info: Motherboard

Ben
  • 2,024
  • 8
  • 17
  • Thanks, @Ben. That was informative. But I did try doing that. I hooked up an external WiFi adapter and put it in promiscuous mode through the "airmon-ng start wlan1" command. And then chose that adapter. This way, I got both the old traffic from the previous result (internal WiFi adapter) and general 802.11 data of other networks. Should I (CAN I?) connect the adapter in promiscuous mode to the WEP network prior to trying? – Kathir Sep 28 '17 at 14:47
  • Absolutely. The idea is: connect (so your app layer can decrypt packets) -> promiscuous mode -> start sniffing. – Ben Sep 29 '17 at 06:57
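To make the addressing argument in this answer concrete, here is an added example of my own (not code from Ben, Joe, or Wireshark): a small parser for the 802.11 MAC header, run over a handful of constructed WEP-protected data frames. It shows which frames a normally associated adapter would keep (only those whose receiver address is its own MAC or broadcast) against what a monitor-mode capture holds for the same exchange, and that a protected data frame carries nothing but a WEP IV and ciphertext after the header, which is why no HTTP appears until Wireshark has the key. All MAC addresses, IVs and payload bytes are made-up placeholders.

```python
"""Parse 802.11 MAC headers from a constructed WEP capture.

Added example, not code from the original answers. The frames, the MAC
addresses and the ciphertext below are all made up; they only stand in for
what a monitor-mode adapter would record on a WEP network.
"""

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Placeholder MAC addresses (locally administered, not real devices).
PHONE_MAC = "02:00:00:00:00:01"
ESP_MAC = "02:00:00:00:00:02"
KALI_MAC = "02:00:00:00:00:03"
BSSID = "02:00:00:00:00:aa"


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _hw(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def parse_80211(frame: bytes) -> dict:
    """Return addressing and protection fields of one 802.11 frame."""
    if len(frame) < 24:
        raise ValueError("shorter than a minimal 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x03, fc0 >> 4
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)          # "Protected Frame" flag
    addr1, addr2, addr3 = _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])
    offset = 24
    # The meaning of the three address fields depends on To DS / From DS.
    if not to_ds and not from_ds:        # ad hoc / direct: DA, SA, BSSID
        da, sa, bssid = addr1, addr2, addr3
    elif from_ds and not to_ds:          # AP -> station: DA, BSSID, SA
        da, bssid, sa = addr1, addr2, addr3
    elif to_ds and not from_ds:          # station -> AP: BSSID, SA, DA
        bssid, sa, da = addr1, addr2, addr3
    else:                                # WDS: RA, TA, DA, SA (4th address)
        da, sa, bssid = addr3, _mac(frame[24:30]), None
        offset = 30
    if ftype == 2 and subtype & 0x08:    # QoS data subtypes add 2 bytes
        offset += 2
    info = {"type": FRAME_TYPES.get(ftype, "reserved"), "receiver": addr1,
            "da": da, "sa": sa, "bssid": bssid, "protected": protected,
            "wep_iv": None, "key_index": None, "ext_iv": None}
    if ftype == 2 and protected and len(frame) >= offset + 4:
        # WEP body: 3-byte IV, then a byte whose top two bits pick the key slot.
        # Bit 5 (Ext IV) set would mean TKIP/CCMP rather than WEP.
        key_byte = frame[offset + 3]
        info["wep_iv"] = frame[offset:offset + 3].hex()
        info["key_index"] = key_byte >> 6
        info["ext_iv"] = bool(key_byte & 0x20)
    return info


def build_wep_data_frame(da, sa, from_ds, iv, key_index, ciphertext):
    """Construct a WEP-protected data frame between two stations via the AP."""
    fc1 = 0x40 | (0x02 if from_ds else 0x01)      # Protected + direction bit
    header = bytes([0x08, fc1, 0x2c, 0x00])        # data frame, duration
    if from_ds:
        header += _hw(da) + _hw(BSSID) + _hw(sa)
    else:
        header += _hw(BSSID) + _hw(sa) + _hw(da)
    header += b"\x10\x00"                          # sequence control
    return header + iv + bytes([key_index << 6]) + ciphertext + b"\x00" * 4  # ICV slot


def associated_view(frames, my_mac):
    """What a normally associated adapter hands up: frames addressed to it."""
    return [f for f in frames if f["receiver"] in (my_mac, BROADCAST)]


def frames_involving(frames, mac):
    """Monitor-mode capture narrowed to one station (Wireshark: wlan.addr == mac)."""
    return [f for f in frames if mac in (f["sa"], f["da"])]


# Constructed capture: phone asks the ESP, ESP answers, plus one unrelated frame.
CT = b"\xde\xad\xbe\xef\x00\x11"                   # stands in for RC4 output
SAMPLE_CAPTURE = [parse_80211(f) for f in (
    build_wep_data_frame(ESP_MAC, PHONE_MAC, False, b"\x11\x22\x33", 0, CT),
    build_wep_data_frame(ESP_MAC, PHONE_MAC, True, b"\x11\x22\x33", 0, CT),
    build_wep_data_frame(PHONE_MAC, ESP_MAC, False, b"\x44\x55\x66", 0, CT),
    build_wep_data_frame(PHONE_MAC, ESP_MAC, True, b"\x44\x55\x66", 0, CT),
    build_wep_data_frame(KALI_MAC, PHONE_MAC, True, b"\x77\x88\x99", 1, CT),
)]

if __name__ == "__main__":
    print("associated adapter sees:", len(associated_view(SAMPLE_CAPTURE, KALI_MAC)))
    for f in frames_involving(SAMPLE_CAPTURE, ESP_MAC):
        print(f"{f['sa']} -> {f['da']} protected={f['protected']} iv={f['wep_iv']}")
```

Run against the constructed capture, the associated view for the Kali adapter holds a single frame (the one whose receiver address is its own MAC), while the monitor-mode view filtered on the ESP's MAC holds all four frames of the phone/ESP exchange; every one of them is marked protected with a WEP IV, so the HTTP request and reply are there but unreadable until the key is supplied.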