Open wireless networks

07 August 2014 by Antonio Vázquez Blanco

It is very common to find open wifi spots in airports, hotels, coffee shops... I understand that when you want universal internet access it is tempting to use an unencrypted network, but I find this very inconvenient because this kind of network is very insecure.

Open networks let users connect without a password, but because of their design the traffic remains unencrypted, letting other people view sensitive information without much hassle.
For those who are not familiar with wireless devices, you should know that a wireless device can operate in various modes. The most common is "managed" mode, where the wireless card listens only for the data addressed to its hardware address (a network card identifier), but there are others (not always supported) like "monitor" mode, where the card shows anything that is within physical range, whether it is addressed to that device or not. Monitor mode can be used to sniff other people's traffic, which can then be analyzed later.

When I start my computer, by default, Linux puts my wireless card (wlp8s0) in managed mode:

$ sudo iwconfig
wlp8s0    IEEE 802.11abgn  ESSID:"Wifi-Usos"  
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:22:B0:6F:E7:74   
          Bit Rate=48 Mb/s   Tx-Power=17 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=29/70  Signal level=-81 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:20   Missed beacon:0

To put it into monitor mode, in my case I have to type the following commands:

$ sudo ifconfig wlp8s0 down
$ sudo iwconfig wlp8s0 mode monitor 
$ sudo ifconfig wlp8s0 up
$ sudo iwconfig 
wlp8s0    IEEE 802.11abgn  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=17 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

Putting a card into monitor mode requires some research. Not every card supports it and not every card will enter monitor mode using the previous commands. It also depends on the operating system being used (Windows, Linux, Mac OS...). If anyone wants to put their card into monitor mode and finds it difficult, just ask in the comments section and I will try to help as much as I can. For the following example I will be using managed mode in order to avoid capturing other people's traffic, as I don't have authorization for that.

Once in the desired mode, multiple programs can be used to dump network traffic (airodump-ng, tcpdump...), but those who don't know much about the topic will find Wireshark simple to use (it has a GUI), although it sometimes shows too much information. Despite the cons I think you will find it very fun to use and easy to install (it's free!).

Once Wireshark is started you only have to click on the Capture menu and the Interfaces... submenu to see the devices available for capturing data. I chose wlp8s0 because it is my wireless network card and clicked Start in order to start seeing traffic. In the window there's a main list that shows every packet captured by Wireshark. Some of the shown packets will be generated by management protocols that are in charge of assigning network identifiers (IP addresses) to every machine, among other things. Other packets will be generated by programs accessing internet resources, such as users browsing the web.

In my case, for demonstration purposes, I opened the browser and typed the router address. It asked me for a login and, because I don't know the credentials, I just used "asd" as user and password, resulting in an access denial (Error 401). The moment I opened the router page a lot of packets were logged in Wireshark, too many for me to want to analyze them all, so I decided to filter them. In the top left part of the window there's a field with a "Filter:" label where I wrote http and hit the enter key. A lot of packets disappeared and among others in the list I could see one that showed a "401 Unauthorized" message in the Info field. I right-clicked it and selected the Follow TCP Stream option from the list. This popped up a window with the following text:

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YXNkOmFzZA==
Connection: keep-alive

HTTP/1.1 401 Unauthorized
Server: micro_httpd
Cache-Control: no-cache
Date: Sat, 08 Jan 2000 05:29:54 GMT
WWW-Authenticate: Basic realm="DSL Router"
Content-Type: text/html
Connection: close

<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
Authorization required.
<ADDRESS><A HREF="">micro_httpd</A></ADDRESS>

This can be divided into two parts: a request that starts with the GET method and a response with the 401 error code. For anyone familiar with the Basic authentication scheme, there's a field in the request that contains a lot of information. The "Authorization: Basic YXNkOmFzZA==" line contains the type of authentication and the user and password used to log in, encoded in base64. Base64 is an encoding, not encryption, so the credentials are effectively sent in plain text. If you search Google for a base64 decoder you will find a lot of them online, and decoding YXNkOmFzZA== results in asd:asd, which is the user and password used.
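The same check a web base64 decoder does by hand can be run over a whole followed stream. The following script is an added example for this post, not the author's code or a Wireshark feature: it parses the text that "Follow TCP Stream" shows, finds every request that carried an Authorization: Basic header, decodes it, and pairs it with the status and realm of the response that followed. The sample stream is the exchange reproduced above; the report deliberately records only the password length, so that auditing a capture of your own network does not copy the secret into a log. The function and variable names are my own.

```python
"""Audit a followed HTTP stream for credentials sent with Basic authentication.

Added example (not the post author's code). Input is the plain text that
Wireshark shows under "Follow TCP Stream" for an unencrypted HTTP session.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Start lines of HTTP/1.x messages as they appear in a followed stream.
_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
_STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})")
_REALM = re.compile(r'realm="([^"]*)"', re.IGNORECASE)

# (start line, lower-cased header name -> value)
Message = Tuple[str, Dict[str, str]]

# The exchange shown in the post, re-joined with CRLF line endings as on the wire.
SAMPLE_STREAM = "\r\n".join([
    "GET / HTTP/1.1",
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language: en-US,en;q=0.5",
    "Accept-Encoding: gzip, deflate",
    "Authorization: Basic YXNkOmFzZA==",
    "Connection: keep-alive",
    "",
    "HTTP/1.1 401 Unauthorized",
    "Server: micro_httpd",
    "Cache-Control: no-cache",
    "Date: Sat, 08 Jan 2000 05:29:54 GMT",
    'WWW-Authenticate: Basic realm="DSL Router"',
    "Content-Type: text/html",
    "Connection: close",
    "",
    "<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>",
    '<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>',
    "Authorization required.",
    '<ADDRESS><A HREF="">micro_httpd</A></ADDRESS>',
])


def split_messages(stream: str) -> List[Message]:
    """Split followed-stream text into (start_line, headers) pairs.

    Bodies are skipped: after a message's blank line everything is ignored
    until the next request line or status line.
    """
    messages: List[Message] = []
    headers: Optional[Dict[str, str]] = None
    for raw in stream.splitlines():
        line = raw.rstrip("\r")
        if _REQUEST_LINE.match(line) or _STATUS_LINE.match(line):
            headers = {}
            messages.append((line, headers))
            continue
        if headers is None:
            continue  # inside a body, or text before the first message
        if not line.strip():
            headers = None  # blank line ends the header block
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return messages


def decode_basic_auth(value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic ...' header value.

    Base64 is reversible encoding, not encryption. Returns None for other
    schemes, malformed base64, or a token without the user:password separator.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def audit_stream(stream: str) -> List[Dict[str, object]]:
    """Report every request that carried Basic credentials in the clear.

    Each finding records the request, the user name, the password length
    (never the password itself) and, when the next message is a response,
    its status code and the realm from WWW-Authenticate.
    """
    findings: List[Dict[str, object]] = []
    messages = split_messages(stream)
    for i, (start, headers) in enumerate(messages):
        req = _REQUEST_LINE.match(start)
        if not req or "authorization" not in headers:
            continue
        creds = decode_basic_auth(headers["authorization"])
        if creds is None:
            continue
        user, password = creds
        finding: Dict[str, object] = {
            "method": req.group(1), "path": req.group(2), "user": user,
            "password_length": len(password), "status": None, "realm": None,
        }
        if i + 1 < len(messages):
            next_start, next_headers = messages[i + 1]
            status = _STATUS_LINE.match(next_start)
            if status:
                finding["status"] = int(status.group(1))
                realm = _REALM.search(next_headers.get("www-authenticate", ""))
                finding["realm"] = realm.group(1) if realm else None
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_stream(SAMPLE_STREAM):
        print(f"{f['method']} {f['path']}: user={f['user']!r} "
              f"password_length={f['password_length']} "
              f"status={f['status']} realm={f['realm']!r}")
```

On the sample stream the script reports one finding: the GET / request sent user "asd" with a 3-character password and was answered with 401 for the realm "DSL Router". Run it against a stream copied out of your own capture to confirm whether a device on your network still authenticates over plain HTTP; the fix is to serve that interface over TLS, since Basic authentication itself offers no protection for the header.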

Plain-text credentials are not the only problem here. You can see Google query URLs, which reveal the searches being done by people on the network, image URLs from Google, Facebook and other pages... Even if a page doesn't let you see the images at the revealed URLs, Wireshark lets you save the responses to those requests to files. This can be done simply by clicking on File -> Export Objects -> HTTP and selecting a folder. In that folder you'll be able to see web pages, images and other files that have been transferred over the network.

Open networks are not secure at all and they should not be used in public spots. The alternatives are not always ideal either, as Wireshark can decrypt WEP or WPA traffic once it has the network key, which on a shared-password hotspot every user has. In my opinion the IEEE 802.11 working group should create a new kind of network for universal access with something similar to a secret per client, so that you can encrypt your packets in a way that other users can't spy on you. Maybe asymmetric encryption could be used in a similar way as it is used in SSL. What other solutions do you think there are?

I think Wireshark is a very powerful tool that anyone can enjoy with little effort. A lot of tutorials and videos can be found around the internet explaining many features that I'm sure you will find useful and interesting. Please tell me if you find any other functionality that can reveal information from open networks so that everyone can use it!