6

So, I am wondering - is it possible for an attacker to sniff traffic on an Ethernet connection if they are not physically plugged into the modem/router hardware but they are connected through Wi-Fi? In this scenario the attacker is connecting via Wi-Fi and the victim is connecting through Ethernet. So both the victim and the attacker are on the same network, just using different interfaces.

From my understanding, the attacker who is connected to the modem/router through Wi-Fi is not going to be able to sniff Ethernet traffic on the same modem/router because they do not have physical access via a network cable to the modem/router. Is this correct?

Eric G
user_loser

3 Answers

4

TL;DR: Basically, with what you're asking, only ARP broadcasts, unless you subnet your wireless from your wired network.

Overall it depends. First, your computer on the Ethernet may occasionally send out broadcasts to the whole network. For example, if it needs the MAC address of a machine on the local network, it will send out an ARP broadcast to all machines on the local network, including the attacker's. This doesn't tell the attacker much, however, other than that there is another computer on the network, and he might possibly deduce it's connected by Ethernet since he can't see any other Wi-Fi traffic.

However, at this point he can do what is called ARP cache poisoning. His computer could respond to the broadcast sent by your computer looking for the machine on the local network, claiming to be the machine it's looking for. Then your computer will continue to send it data directly, because it thinks it's talking to the right host.

Of course, the attacker would be found out pretty quickly if his computer wasn't set up to reply correctly to the traffic you are sending it. It helps for the attacker to anticipate what kind of connection your computer will be trying to make. And if, say, your computer is trying to open an RDP connection to the attacker's computer, that's not very useful for the attacker anyway. The real danger of ARP cache poisoning is if the host your computer was trying to initiate a connection to was its default gateway to the Internet. The attacker could just forward all your traffic to the real default gateway while acting as a middle-man, sniffing all your traffic.

Fortunately, if the scenario you are referring to is a home Wi-fi network, the default gateway your computer was looking for was the Wi-fi router itself, and though I am not an expert on Wi-fi routers I would assume the Wi-fi router would be smart enough to not forward an ARP broadcast requesting its own MAC address. Plus the attacker would have to beat the router at replying to the broadcast, which seems unlikely, but I suppose could be possible if you had like the worst Wi-fi router ever made.

Anyway, once your computer has the correct MAC address for its default Internet gateway or whatever MAC address it was looking for, all communications will be sent to that MAC address directly. If you were connecting to another computer connected to Wi-fi, the attacker can still see that traffic though.

This explanation also assumes your Wi-fi router is otherwise secured from the attacker controlling it directly. If you, say, left the router admin password at default or something then he might be able to change the settings to have the router forward him all your traffic, or overwrite the router's firmware with one he supplies to have the router forward him all your traffic.

Finally, if you're really worried about these ARP broadcasts coming from your computer, however infrequent and mostly useless they are unless they are for the default gateway (which they shouldn't be), then on a nicer router you might be able to subnet the local network to have the Wi-Fi be one subnet and the Ethernet be another. Then the router shouldn't even forward ARP requests across Wi-Fi.

ash
  • Wow, thank you for the thorough answer. I think I understand some of what you are saying. Hopefully, I am not having all my traffic sniffed. Also, yes this is a home LAN. – user_loser Apr 16 '14 at 04:21
  • If I am using a VPN, can they still sniff my traffic even if they have spoofed the MAC address of the default gateway to the Internet? – user_loser Apr 16 '14 at 21:39
  • Yes, they can. However, most VPNs are set up to use end-to-end encryption strong enough that an attacker won't be able to break it. The traffic will be useless to them, other than telling them that you're using a VPN, and what the other end of the VPN connection is. Also, it's not MAC spoofing if they're acting as your gateway, it's ARP cache poisoning, they are different. – ash Apr 16 '14 at 23:43
  • Thanks for the helpful feedback. :D I think I have a better idea of how a home LAN works. – user_loser Apr 17 '14 at 21:26
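The ARP cache poisoning risk described in the answer above can be watched for on the wired host itself. This added example (not from the answer or from any tool on the page) parses raw Ethernet/ARP frames and alerts when an IP address, here an assumed gateway 192.168.1.1, starts being claimed by a different MAC than the one first seen; all addresses and frames are constructed sample data.

```python
import struct

# Constructed sample LAN (assumed addresses, not from the page)
GATEWAY_IP = "192.168.1.1"
ROUTER_MAC = "00:11:22:33:44:55"
ATTACKER_MAC = "66:77:88:99:aa:bb"
VICTIM_MAC = "cc:dd:ee:ff:00:11"

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(o) for o in s.split("."))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct a raw Ethernet+ARP frame (used only to make sample input)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else _mac(target_mac)
    return (ETH.pack(dst, _mac(sender_mac), ETHERTYPE_ARP) +
            ARP.pack(1, 0x0800, 6, 4, op, _mac(sender_mac), _ip(sender_ip),
                     _mac(target_mac), _ip(target_ip)))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size or ETH.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)

def audit(frames, gateway_ip):
    """Baseline the first MAC seen per IP; alert when a later ARP packet claims another MAC."""
    seen, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, mac, ip = parsed
        if ip in seen and seen[ip] != mac:
            tag = "GATEWAY " if ip == gateway_ip else ""
            alerts.append(f"{tag}{ip}: {seen[ip]} -> {mac} (op={op})")
        seen.setdefault(ip, mac)   # keep the first mapping as the trusted baseline
    return alerts

# Constructed traffic: victim asks for the gateway, router answers, attacker answers too.
SAMPLE = [
    build_arp(ARP_REQUEST, VICTIM_MAC, "192.168.1.20", "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(ARP_REPLY, ROUTER_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.20"),
    build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.20"),
]
```

Running `audit(SAMPLE, GATEWAY_IP)` yields a single GATEWAY alert for the second reply; on a real host the same logic would be fed frames from a raw socket or a pcap.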
0

Most sniffing (sometimes called passive sniffing) happens when I read signals that weren't intended for me. I can read them because you don't shoot your signals to a router like a beam, you just kind of emanate them in all directions and hope the router picks up. The important thing about passive sniffing is that it's undetectable - you can't see or control who's reading what wireless signals. When you use a wire, it's like using a beam - I have to be in its path (tapping the wire) to sniff your traffic passively. So, you can't passively sniff Ethernet traffic. That doesn't mean you can't capture it in other ways, but it's not likely an attacker would try if they had other available targets.

KnightOfNi
0

Yes.

Regardless of whether the victim is hooked up to the router via Ethernet cable or WiFi, it's still connected to the same router - sharing what's obviously known as the same LAN.

Being on the same network makes it very easy for the attacker to utilize tools such as BackTrack, a distribution of Linux, to use command line functions, suites, and even easy-to-use open source toolkits in order to sniff and analyze network data of all kinds. Specific functions for PCAP (packet capture) include netsniff-ng.

It's worth noting, since we're on the subject of LAN security, that if the router was protected by something such as a WEP key or similar encryption - that similar functions such as airsniff-ng in Unix based systems can be used in conjunction with aircrack-ng for easy access to any network - only to be shortly followed by local packet sniffing for any and all ports desired.

All in all, there are also many 3rd party programs available for purchase and download for monitoring network activity, if you preferred these avenues.