Wi-Fi Eavesdropping

802.11 wireless networks operate in license-free frequency bands, and all data transmissions travel through the open air. Anyone within listening range can receive these transmissions, and therefore strong encryption is strongly recommended.

Wireless communications can be eavesdropped on by two methods:

  1. Casual (Harmless) Eavesdropping
  2. Malicious Eavesdropping

CASUAL EAVESDROPPING

Sometimes referred to as WLAN discovery (performed with a WLAN discovery tool), casual eavesdropping simply takes advantage of the frame exchange methods clearly defined by the 802.11 standards.

Before a user can connect to an access point, the client must first discover it. A client station discovers an AP either by listening for it or by searching for it; these two approaches are called passive scanning and active scanning.

A casual eavesdropper performs passive scanning: any 802.11 client radio can simply be used to listen for 802.11 beacon frames, which the AP sends continuously. Information found in beacon frames includes the service set identifier (SSID), MAC addresses, supported data rates, and other basic service set (BSS) capabilities.

Wi-Fi Explorer Pro 3 is a very useful program for Wi-Fi scanning. It shows all of the surrounding APs, categorized by channel, security technology, vendor, and the like. A brief glance at the screenshot below illustrates this.

In active scanning, the client station broadcasts management frames known as probe requests.

The access point then answers with a probe response frame, which contains essentially the same layer 2 information found in a beacon frame.

A probe request without the SSID information is known as a null probe request.

If a directed probe request is sent, all APs that support that specific SSID and hear the request should reply by sending a probe response. If a null probe request is heard, all APs, regardless of their SSID, should reply with a probe response.

Many wireless client software utilities instruct the radio to transmit probe requests with null SSID fields when actively scanning for APs. Numerous freeware and commercial WLAN discovery tools do the same.

Casual eavesdroppers can discover 802.11 networks by using software tools that send null probe requests. Casual eavesdropping is typically considered harmless.
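The beacon and probe request frames described above are what a passive listener actually decodes. The following added example (not code from the original post or from any tool it mentions) parses two constructed 802.11 management frames: a beacon advertising a WPA2-PSK network and a null probe request from a scanning station. It pulls out the SSID, MAC addresses, supported rates, channel and the RSN information element, so a defender can see exactly which fields are always visible in cleartext and how the advertised security (Open, WEP/WPA, WPA2-PSK, WPA3-SAE) is read from the RSN AKM suites. The MAC addresses, SSID and timestamps are constructed values.

```python
"""Decode the cleartext fields of 802.11 beacon and probe-request frames.

Added example; the two sample frames below are constructed, not captured."""
import struct

# 802.11 management frame subtypes (frame type 0)
SUBTYPE_PROBE_REQ = 4
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8

# Information element (IE) IDs used here
IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAM = 3        # carries the current channel
IE_RSN = 48            # WPA2/WPA3 security parameters

# AKM suite types under OUI 00-0F-AC
AKM_NAMES = {1: "802.1X (Enterprise)", 2: "PSK (WPA2-Personal)", 8: "SAE (WPA3-Personal)"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body):
    """Walk the tag/length/value information elements of a management frame body."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break  # truncated IE: stop rather than misparse
        ies.append((tag, value))
        i += 2 + length
    return ies


def parse_rsn(value):
    """Return the AKM suite types advertised in an RSN IE."""
    # layout: version(2) group cipher(4) pairwise count(2) pairwise suites(4n) AKM count(2) AKM suites(4n)
    if len(value) < 8:
        return []
    off = 8 + 4 * struct.unpack_from("<H", value, 6)[0]
    if len(value) < off + 2:
        return []
    akm_count = struct.unpack_from("<H", value, off)[0]
    off += 2
    akms = []
    for _ in range(akm_count):
        if len(value) < off + 4:
            break
        if value[off:off + 3] == b"\x00\x0f\xac":
            akms.append(value[off + 3])
        off += 4
    return akms


def decode_mgmt_frame(frame):
    """Return the fields a passive listener sees in a beacon, probe response or probe request."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 802.11 MAC header")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0:
        raise ValueError("not a management frame")
    info = {"subtype": subtype, "da": mac_str(frame[4:10]),
            "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        _timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
        info["beacon_interval_tu"] = interval
        info["privacy"] = bool(cap & 0x0010)  # capability bit 4: Privacy
        body = body[12:]
    ies = dict(parse_ies(body))
    ssid = ies.get(IE_SSID, b"")
    info["ssid"] = ssid.decode("utf-8", "replace")
    info["null_ssid"] = subtype == SUBTYPE_PROBE_REQ and len(ssid) == 0
    info["rates_mbps"] = [(r & 0x7F) / 2 for r in ies.get(IE_SUPPORTED_RATES, b"")]
    if ies.get(IE_DS_PARAM):
        info["channel"] = ies[IE_DS_PARAM][0]
    if "privacy" in info:
        akms = parse_rsn(ies[IE_RSN]) if IE_RSN in ies else []
        if akms:
            info["security"] = ", ".join(AKM_NAMES.get(a, f"AKM {a}") for a in akms)
        else:
            info["security"] = "WEP/WPA (no RSN IE)" if info["privacy"] else "Open"
    return info


def _ie(tag, value):
    return bytes([tag, len(value)]) + value


# Constructed addresses (locally administered, not real devices)
BROADCAST = b"\xff" * 6
AP_MAC = bytes.fromhex("02aabbccddee")
STA_MAC = bytes.fromhex("021122334455")

# Constructed beacon: WPA2-PSK network "CorpWiFi" on channel 6, capability bits ESS|Privacy|ShortSlot
RSN_WPA2_PSK = (b"\x01\x00" + b"\x00\x0f\xac\x04"        # version 1, group cipher CCMP
                + b"\x01\x00" + b"\x00\x0f\xac\x04"      # one pairwise suite: CCMP
                + b"\x01\x00" + b"\x00\x0f\xac\x02")     # one AKM suite: PSK
BEACON = (bytes([0x80, 0x00]) + b"\x00\x00" + BROADCAST + AP_MAC + AP_MAC + b"\x00\x00"
          + struct.pack("<QHH", 0x1234, 100, 0x0411)
          + _ie(IE_SSID, b"CorpWiFi")
          + _ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12]))
          + _ie(IE_DS_PARAM, bytes([6]))
          + _ie(IE_RSN, RSN_WPA2_PSK))

# Constructed null probe request: a station actively scanning with an empty SSID field
NULL_PROBE = (bytes([0x40, 0x00]) + b"\x00\x00" + BROADCAST + STA_MAC + BROADCAST + b"\x00\x00"
              + _ie(IE_SSID, b"")
              + _ie(IE_SUPPORTED_RATES, bytes([0x0C, 0x12, 0x18, 0x24])))

if __name__ == "__main__":
    for name, frame in (("beacon", BEACON), ("probe request", NULL_PROBE)):
        print(name, decode_mgmt_frame(frame))
```

Everything the decoder returns is sent unencrypted by design, which is why the SSID, BSSID and security type of every nearby network are visible to any radio in range regardless of WPA2/WPA3. The `null_ssid` flag is the one thing a WIDS can act on: null probe requests are transmissions, so an actively scanning station is observable, whereas a purely passive listener never sends anything.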

Another program that can capture frames with either the computer's built-in Wi-Fi NIC or an external NIC is Airtool. Capturing starts by simply clicking "Capture"; the output is then opened in Wireshark, where you can see the frames (for passive scanning). The snapshot below shows how to use Airtool:

MALICIOUS EAVESDROPPING

Malicious eavesdropping is the unauthorized use of 802.11 protocol analyzers to capture wireless communications. While casual eavesdropping is considered harmless, malicious eavesdropping is typically considered illegal. Most countries have some type of wiretapping law that makes it a crime to listen in on someone else’s phone conversation. Additionally, most countries have laws making it illegal to listen in on any type of electromagnetic communication, including 802.11 wireless transmissions.

An 802.11 protocol analyzer application allows wireless network administrators to capture 802.11 traffic for the purpose of analyzing and troubleshooting their own wireless networks. Because protocol analyzers capture 802.11 frames passively, a wireless intrusion prevention system (WIPS) cannot detect malicious eavesdropping.

A WLAN protocol analyzer is meant to be used as a diagnostic tool. However, an attacker can use a WLAN protocol analyzer as a malicious listening device for unauthorized monitoring of 802.11 frame exchanges. Although layer 2 information is always available, layer 3-7 information is exposed only if WPA2/WPA3 encryption is not in place. Any cleartext communications, such as email, FTP, and Telnet passwords, can be captured if no encryption is provided. Furthermore, any unencrypted 802.11 frame transmissions can be reassembled at the upper layers of the OSI model. Email messages can be reassembled and, therefore, read by an eavesdropper. Web pages and instant messages can also be reassembled. VoIP packets can be reassembled and saved as a WAV sound file.

To get a better understanding of malicious eavesdropping, some captured packets are needed. The following packet captures were made with Airtool and a WLAN Pi Pro as the remote sensor.

While the frames were being captured, http://neverssl.com/ was opened. Applying the "http" display filter and inspecting the packets shows that the site name and some of its data are visible in the protocol analyzer, because the site was accessed over plain HTTP.

The screenshot below reveals this:

During the same capture, some DNS queries took place. Changing the display filter to "dns" in Wireshark and pressing Ctrl+F (Windows) or Command+F (macOS) makes it possible to search for the names of the websites that were opened during the capture.

The snapshot below shows that even though HTTPS was used to access the website, the DNS traffic, and therefore the domain name, is still visible in cleartext. Without any special effort, an eavesdropper can thus learn which web pages people visit most, and can then use that information to prepare a targeted attack.
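To make the two observations above concrete, the following added example (not code from the original post) does in a few lines what the "http" and "dns" display filters do in Wireshark: it walks a constructed capture and records every host name that appears in a cleartext DNS question or HTTP request. The capture contains a DNS lookup and plain-HTTP fetch of neverssl.com (the site used on the page), then a DNS lookup for example.com followed by an HTTPS session represented by opaque TLS bytes. The TLS payload yields nothing, but the DNS query that preceded it still names the site, which is exactly the point of the screenshot above. All packet bytes and the transaction IDs are constructed.

```python
"""Recover host names from cleartext DNS queries and HTTP requests in captured payloads.

Added example; all packets below are constructed, not captured."""
import struct


def parse_dns_question(msg):
    """Return (qname, qtype) for the first question of a DNS query, or None."""
    if len(msg) < 12:
        return None
    _txid, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if flags & 0x8000 or qdcount == 0:   # QR bit set means a response; only queries matter here
        return None
    labels, off = [], 12
    while off < len(msg):
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 or off + n > len(msg):   # compression pointer or truncated label: malformed
            return None
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n
    else:
        return None   # ran off the end without a terminating zero label
    if off + 4 > len(msg):
        return None
    qtype = struct.unpack_from("!H", msg, off)[0]
    return ".".join(labels), qtype


def parse_http_request(payload):
    """Return (method, host, path) for a cleartext HTTP/1.x request, or None."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return parts[0], host, parts[1]


def cleartext_observations(packets):
    """packets: list of (transport, payload). Return what a passive listener learns from each."""
    seen = []
    for transport, payload in packets:
        if transport == "udp/53":
            q = parse_dns_question(payload)
            if q:
                seen.append({"source": "dns", "host": q[0], "detail": f"qtype {q[1]}"})
        elif transport == "tcp/80":
            r = parse_http_request(payload)
            if r:
                seen.append({"source": "http", "host": r[1], "detail": f"{r[0]} {r[2]}"})
        # tcp/443 carries TLS; nothing is parsed from it here, so page content stays hidden
    return seen


def build_dns_query(name, txid=0x1234):
    """Construct a standard A query with the RD flag set (constructed sample input)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


# Constructed capture: DNS lookup and HTTP fetch of neverssl.com, then a DNS lookup and an
# HTTPS session (opaque TLS bytes) for example.com
SAMPLE_PACKETS = [
    ("udp/53", build_dns_query("neverssl.com")),
    ("tcp/80", b"GET / HTTP/1.1\r\nHost: neverssl.com\r\nUser-Agent: constructed\r\n\r\n"),
    ("udp/53", build_dns_query("example.com", txid=0x5678)),
    ("tcp/443", b"\x16\x03\x01\x00\x05hello"),  # TLS record header followed by opaque bytes
]

if __name__ == "__main__":
    for obs in cleartext_observations(SAMPLE_PACKETS):
        print(obs)
```

The HTTP request exposes the method, path and Host header in full, while the HTTPS session exposes only what the DNS query already revealed: the domain. WPA2/WPA3 on the WLAN would hide all of these payloads from a listener on the air, which is why the post recommends it; DNS over HTTPS or DNS over TLS on the client would additionally close the DNS leak on untrusted networks.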

Because of the passive and undetectable nature of malicious eavesdropping, encryption must always be implemented to provide data privacy. Encryption is the best protection against unauthorized monitoring of the WLAN. WPA2/WPA3 encryption provides data privacy for all layer 3-7 information.

Post by Amin Sedighfar

12 Comments
뉴토끼

This specific is generally clearly basic and in addition exceptional truth alongside without a doubt reasonable and besides in fact valuable My business is
뉴토끼

Delaney Ross

I’m often into blogging and I really appreciate your content. The article has actually piqued my interest. I’m going to bookmark your web site and keep checking for brand spanking new information.

Natalia Jordan

There is definitely a lot to find out about this subject. I like all the points you made.

Francesca Weeks

For the reason that the admin of this site is working, no uncertainty very quickly it will be renowned, due to its quality contents.

Aldo Peck

You’re so awesome! I don’t believe I have read a single thing like that before. So great to find someone with some original thoughts on this topic. Really.. thank you for starting this up. This website is something that is needed on the internet, someone with a little originality!

Fernando Hernandez

Good post! We will be linking to this particularly great post on our site. Keep up the great writing

Fernando Hernandez

I naturally like your web site; however, you need to take a look at the spelling on several of your posts. A number of them are rife with spelling problems and I find it very bothersome, to tell the truth. On the other hand, I will surely come again.

Lilly Vincent

Awesome! It’s a genuinely remarkable post; I have got a much clearer idea from this post.

Chad Smith

For the reason that the admin of this site is working, no uncertainty very quickly it will be renowned, due to its quality contents.

Damion Wheeler

I just like the helpful information you provide in your articles

Elian Lloyd

I’m very delighted to find this internet site on Bing, just what I was searching for, and saved to fav.

Roland Arellano

For the reason that the admin of this site is working, no uncertainty very quickly it will be renowned, due to its quality contents.