It is very common to find open Wi-Fi hotspots in airports, hotels, coffee shops... I understand that when you want universal internet access it is tempting to use an unencrypted network, but I find this very inconvenient because these networks are very insecure.
Open networks let users connect without a password, but by design the traffic stays unencrypted, which lets other people on the same network read sensitive information without much hassle.
For those who are not familiar with wireless devices, you should know that a wireless card can operate in several modes. The most common is "managed" mode, where the card is associated with an access point and only passes up the frames addressed to its hardware (MAC) address, plus broadcast and multicast traffic. There are others, not supported by every card or driver, such as "monitor" mode, where the card hands over every 802.11 frame within physical range on the channel it is tuned to, whether or not the frame is addressed to that device, including management frames such as beacons and probe requests that you never see in managed mode. Monitor mode can be used to sniff other people's traffic, which can then be analyzed.
When I start my computer, Linux puts my wireless card (wlp8s0) in managed mode by default:
    $ sudo iwconfig wlp8s0
    wlp8s0    IEEE 802.11abgn  ESSID:"Wifi-Usos"
              Mode:Managed  Frequency:2.437 GHz  Access Point: 00:22:B0:6F:E7:74
              Bit Rate=48 Mb/s   Tx-Power=17 dBm
              Retry short limit:7   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
              Link Quality=29/70  Signal level=-81 dBm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:20   Missed beacon:0
Note the Encryption key:off line in that output: that is what "open" means, every frame on this network goes over the air in the clear. To put the card into monitor mode, in my case I have to type the following commands:
    $ sudo ifconfig wlp8s0 down
    $ sudo iwconfig wlp8s0 mode monitor
    $ sudo ifconfig wlp8s0 up
    $ sudo iwconfig wlp8s0
    wlp8s0    IEEE 802.11abgn  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=17 dBm
              Retry short limit:7   RTS thr:off   Fragment thr:off
              Power Management:off
Putting a card into monitor mode requires some research. Not every card supports it, and not every card will enter monitor mode with the previous commands; ifconfig and iwconfig are also deprecated on current Linux distributions in favour of ip(8) and iw(8), which can create a separate monitor interface instead of switching the existing one. It also depends on the operating system being used (Windows, Linux, Mac OS...). If anyone wants to put their card into monitor mode and finds it difficult, just ask in the comments section and I will try to help as much as I can. For the following example I will be using managed mode, so that I only capture my own traffic: I don't have authorization to capture other people's.
Once in the desired mode, several programs can be used to dump network traffic (airodump-ng, tcpdump...), but those who don't know much about the topic will find Wireshark simple to use (it has a GUI), even though it sometimes shows too much information. Despite the cons I think you will find it very fun to use and easy to install (it's free!).
Once Wireshark is started you only have to click on the Capture menu and the Interfaces... submenu to see the devices available for capturing data. I chose wlp8s0 because it is my wireless network card and clicked Start in order to start seeing traffic. The main list in the window shows every packet captured by Wireshark. Some of the packets are generated by management protocols that are in charge of assigning network identifiers (IP addresses) to every machine, such as DHCP, or of mapping those addresses to hardware addresses, such as ARP; others are generated by programs accessing internet resources, such as users browsing the web.
In my case, for demonstration purposes, I opened the browser and typed 192.168.1.1, which is the router address (a plain HTTP page, not HTTPS). It asked me for a login and, because I don't know the credentials, I just used "asd" as both user and password, resulting in an access denial (Error 401). The moment I opened the router page a lot of packets were logged in Wireshark, too many for me to want to analyze them all, so I decided to filter them. In the top left part of the window there's a field with a "Filter:" label where I wrote http and hit the Enter key. A lot of packets disappeared and among the ones left I could see one with "401 Unauthorized" in the Info column. After right-clicking on it I selected the Follow TCP Stream option from the menu. This popped up a window with the following text:
    GET / HTTP/1.1
    Host: 192.168.1.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Authorization: Basic YXNkOmFzZA==
    Connection: keep-alive

    HTTP/1.1 401 Unauthorized
    Server: micro_httpd
    Cache-Control: no-cache
    Date: Sat, 08 Jan 2000 05:29:54 GMT
    WWW-Authenticate: Basic realm="DSL Router"
    Content-Type: text/html
    Connection: close

    <HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
    <BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
    Authorization required.
    <HR>
    <ADDRESS><A HREF="http://www.acme.com/software/micro_httpd/">micro_httpd</A></ADDRESS>
    </BODY></HTML>
This can be divided in two parts: a request that starts with the GET method, and a response with the 401 status code. For anyone familiar with HTTP Basic authentication there is a field in the request that gives everything away. The Authorization: Basic YXNkOmFzZA== line contains the authentication scheme and the user and password used to log in, joined with a colon and encoded in base64. Base64 is an encoding, not encryption: there is no key, and anyone can reverse it. If you search Google for a base64 decoder you will find a lot of them online, and decoding YXNkOmFzZA== gives asd:asd, which is the user and password I typed. Wireshark does this for you as well: expanding the Authorization header in the packet details pane shows the decoded credentials. And once a login succeeds, the browser repeats this header on every later request to the same site, so you don't even need to catch the first one.
Plain-text credentials are not the only problem here. You can see Google query URLs, which reveal the searches being done by people on the network, image URLs from Google, Facebook and other pages... Even if a page doesn't let you see the images at the revealed URLs, Wireshark lets you save the responses to those requests as files. This is simply done by clicking File -> Export Objects -> HTTP and selecting a folder. In that folder you will find the web pages, images and other files that were transferred over the network, reassembled from the captured packets.
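To make concrete what the last two steps do behind the clicks, here is an added example (my own code, not the original post's, and not part of Wireshark) that parses the text shown by "Follow TCP Stream": it pulls the Basic credentials out of every request, and pairs each request with its response to produce the same list of objects that File -> Export Objects -> HTTP offers. The sample stream is the request/response pair captured above, abridged and re-joined with CRLF line endings; the function and class names are made up for this example.

```python
"""Added example, not code from the original post: a minimal parser for the
text Wireshark shows under "Follow TCP Stream". It extracts HTTP Basic
credentials from requests and recovers the response bodies that
File -> Export Objects -> HTTP would save. Names are made up for the example."""
import base64
from dataclasses import dataclass

# The exchange captured in the post (some headers omitted), with the CRLF
# line endings HTTP uses on the wire.
SAMPLE_STREAM = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Authorization: Basic YXNkOmFzZA==\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: micro_httpd\r\n"
    b'WWW-Authenticate: Basic realm="DSL Router"\r\n'
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>\r\n"
    b"Authorization required.\r\n"
    b"</BODY></HTML>\r\n"
)


@dataclass
class HttpMessage:
    start_line: str
    headers: dict  # lower-cased header name -> value
    body: bytes

    @property
    def is_request(self) -> bool:
        return not self.start_line.startswith("HTTP/")


def parse_stream(data: bytes) -> list:
    """Split a raw TCP stream into HTTP messages. Body length comes from
    Content-Length; a response without one runs until the connection closes
    (RFC 7230 section 3.3.3). Chunked transfer encoding is not handled."""
    messages, pos = [], 0
    while pos < len(data):
        end = data.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # truncated header block: nothing more to parse
        lines = data[pos:end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        if "content-length" in headers:
            body_end = body_start + int(headers["content-length"])
        elif lines[0].startswith("HTTP/"):
            body_end = len(data)  # response ends when the server closes
        else:
            body_end = body_start  # request with no declared body
        messages.append(HttpMessage(lines[0], headers, data[body_start:body_end]))
        pos = body_end
    return messages


def basic_credentials(messages) -> list:
    """Return (host, user, password) for every Basic credential in the stream.
    Base64 is an encoding, not encryption, so this is a plain decode. Both
    Authorization and Proxy-Authorization can carry it."""
    found = []
    for m in messages:
        if not m.is_request:
            continue
        for header in ("authorization", "proxy-authorization"):
            scheme, _, token = m.headers.get(header, "").partition(" ")
            if scheme.lower() != "basic":
                continue
            try:
                decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError: malformed token
                continue
            # RFC 7617: only the first colon separates user from password
            user, _, password = decoded.partition(":")
            found.append((m.headers.get("host", ""), user, password))
    return found


def export_objects(messages) -> list:
    """Pair each request with the response that follows it and return
    (url, content_type, body), the same objects Wireshark lists."""
    objects, pending = [], None
    for m in messages:
        if m.is_request:
            target = m.start_line.split(" ")[1] if " " in m.start_line else "/"
            pending = "http://" + m.headers.get("host", "") + target
        elif pending is not None:
            objects.append((pending, m.headers.get("content-type", "application/octet-stream"), m.body))
            pending = None
    return objects


if __name__ == "__main__":
    msgs = parse_stream(SAMPLE_STREAM)
    for host, user, password in basic_credentials(msgs):
        print(f"Basic credentials for {host}: {user!r} / {password!r}")
    for url, ctype, body in export_objects(msgs):
        print(f"{url} ({ctype}, {len(body)} bytes)")
```

Run it on the sample and it reports asd / asd for 192.168.1.1 and one text/html object for http://192.168.1.1/. Feed it a whole stream saved from Wireshark ("Show data as: Raw", saved to a file) and it will list every credential and object in that connection; writing each body to a folder is then a one-line loop over the returned list.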
Open networks are not secure at all and should not be used in public spots. The alternatives are not always ideal either: Wireshark can decrypt WEP and WPA/WPA2-PSK traffic if you give it the key, which in a coffee shop is printed on the wall, and for WPA it only additionally needs the client's 4-way handshake in the capture. In my opinion the IEEE 802.11 working group should create a new kind of network for universal access with something like a per-client secret, so that your packets are encrypted in a way that other users can't spy on you. Maybe asymmetric encryption could be used in a similar way to SSL. (Years later this idea was standardized as Opportunistic Wireless Encryption, RFC 8110, marketed as Wi-Fi Enhanced Open.) Until your network offers that, the practical defence is to encrypt above the link layer yourself, with HTTPS and a VPN, so the access point and the other clients only see ciphertext. What other solutions do you think there are?
I think Wireshark is a very powerful tool that anyone can enjoy with little effort. A lot of tutorials and videos can be found around the internet explaining many features that I'm sure you will find useful and interesting. Please tell me if you find any other functionality that can reveal information from open networks so that everyone can use it!