Wi-Fi Eavesdropping

802.11 wireless networks operate in license-free frequency bands, and every transmission travels through the open air. Anyone within radio range can receive those transmissions, so strong encryption is essential rather than optional.

Wireless communications can be eavesdropped on in two ways:

  1. Casual (Harmless) Eavesdropping
  2. Malicious Eavesdropping

CASUAL EAVESDROPPING

Sometimes referred to as WLAN discovery (performed with a WLAN discovery tool), casual eavesdropping simply makes use of the frame exchanges that the 802.11 standard defines for finding networks; nothing is attacked or bypassed.

Before a client station can connect to an access point, it must first discover it. It does so either by listening for the AP or by asking for it, which is what the standard calls passive and active scanning.

A casual eavesdropper relies on passive scanning: any 802.11 client radio can listen for the beacon frames that every AP transmits continuously (by default about ten times per second, a beacon interval of 100 time units). Beacon frames carry the service set identifier (SSID), the BSSID (the AP radio's MAC address), supported data rates, the channel, and other basic service set (BSS) capabilities. Beacons are management frames and are never encrypted, so all of this is readable by anyone in range.

Wi-Fi Explorer Pro 3 is a useful program for this kind of scanning. It lists all surrounding APs and groups them by channel, security type, vendor, and so on. The screenshot below illustrates this.

In active scanning, the client station broadcasts management frames known as probe requests. Each access point that hears one answers with a probe response frame, which carries essentially the same layer 2 information found in a beacon frame.

A probe request whose SSID element is empty (a zero-length, or wildcard, SSID) is known as a null probe request.

If a directed probe request is sent, every AP that hears it and serves that SSID should reply with a probe response. If a null probe request is heard, every AP should reply regardless of its SSID, with one caveat: an AP configured to hide its SSID ignores null probes and answers only directed ones.

Many wireless client utilities instruct the radio to transmit probe requests with a null SSID field when actively scanning for APs, and numerous freeware and commercial WLAN discovery tools do the same.

Casual eavesdroppers can therefore discover 802.11 networks with any tool that sends null probe requests and listens for the responses. Casual eavesdropping is typically considered harmless: it involves only frames that APs are designed to hand out to anyone who asks.
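To make the beacon and probe-request exchange described above concrete, here is an added example (not part of the original post, and not code from any of the tools it names) that builds constructed 802.11 management frames and parses them the way a passive listener would. The BSSID, client MAC, SSID "CorpWiFi", channel and rate list are all made-up sample values; real frames would come from a monitor-mode capture and would also carry a trailing FCS, which is omitted here. The `ap_should_respond` function encodes the directed-versus-null probe rule from the text, including the hidden-SSID caveat.

```python
import struct

# 802.11 management-frame subtypes (Frame Control subtype field) and the IE IDs used below.
PROBE_REQ, PROBE_RESP, BEACON = 4, 5, 8
SUBTYPE_NAMES = {PROBE_REQ: "probe request", PROBE_RESP: "probe response", BEACON: "beacon"}
IE_SSID, IE_RATES, IE_DS_PARAM = 0, 1, 3
MGMT_HDR = "<BBH6s6s6sH"   # frame control, flags, duration, addr1, addr2, addr3, seq ctrl (24 bytes)

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP_BSSID = "02:00:00:00:aa:01"   # constructed, locally administered; not a real device
CLIENT = "02:00:00:00:cc:01"     # constructed

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ie(eid, data):
    """Encode one information element: ID, length, payload."""
    return bytes([eid, len(data)]) + data

def build_mgmt_frame(subtype, addr1, addr2, addr3, body):
    """Management MAC header (version 0, type 0, no flags) followed by the body; FCS omitted."""
    header = struct.pack(MGMT_HDR, (subtype << 4) & 0xF0, 0, 0,
                         mac_bytes(addr1), mac_bytes(addr2), mac_bytes(addr3), 0)
    return header + body

def parse_ies(data):
    ies, off = {}, 0
    while off + 2 <= len(data):
        eid, length = data[off], data[off + 1]
        ies[eid] = data[off + 2:off + 2 + length]
        off += 2 + length
    return ies

def parse_mgmt_frame(frame):
    """Extract the layer 2 facts a passive listener sees in a beacon or probe frame."""
    fc, _flags, _dur, a1, a2, a3, _seq = struct.unpack_from(MGMT_HDR, frame, 0)
    if ((fc >> 2) & 0x3) != 0:
        raise ValueError("not a management frame")
    subtype, body = (fc >> 4) & 0xF, frame[24:]
    info = {"subtype": SUBTYPE_NAMES.get(subtype, subtype),
            "da": mac_str(a1), "sa": mac_str(a2), "bssid": mac_str(a3)}
    if subtype in (BEACON, PROBE_RESP):
        # Fixed fields: timestamp (8), beacon interval (2), capability info (2); then the IEs.
        _ts, interval, cap = struct.unpack_from("<QHH", body, 0)
        info["beacon_interval_tu"] = interval
        info["privacy"] = bool(cap & 0x0010)   # capability bit 4: encryption in use
        ies = parse_ies(body[12:])
    elif subtype == PROBE_REQ:
        ies = parse_ies(body)                  # a probe request has no fixed fields
    else:
        ies = {}
    ssid = ies.get(IE_SSID)
    if ssid is not None:
        info["ssid"] = ssid.decode("utf-8", "replace")
        if subtype == PROBE_REQ:
            info["probe_kind"] = "null" if len(ssid) == 0 else "directed"
        elif subtype == BEACON:
            # A hidden network beacons with a zero-length or all-zero SSID element.
            info["ssid_hidden"] = not ssid.strip(b"\x00")
    if IE_RATES in ies:   # each byte: rate in 500 kbps units, bit 7 marks a basic rate
        info["rates_mbps"] = [(r & 0x7F) / 2 for r in ies[IE_RATES]]
    if IE_DS_PARAM in ies:
        info["channel"] = ies[IE_DS_PARAM][0]
    return info

def ap_should_respond(ap_ssid, hide_ssid, probe):
    """Directed probe: only APs serving that SSID reply. Null probe: every AP replies,
    except one configured to hide its SSID, which ignores null probes."""
    if probe["subtype"] != "probe request":
        return False
    if probe["probe_kind"] == "directed":
        return probe["ssid"] == ap_ssid
    return not hide_ssid

# Constructed sample frames standing in for a monitor-mode capture.
RATES = bytes([0x82, 0x84, 0x8B, 0x96, 0x24, 0x30, 0x48, 0x6C])   # 1, 2, 5.5, 11 (basic), 18, 24, 36, 54 Mbps

def sample_beacon(ssid=b"CorpWiFi"):
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0411)   # interval 100 TU; ESS | Privacy | Short Slot
    body = fixed + ie(IE_SSID, ssid) + ie(IE_RATES, RATES) + ie(IE_DS_PARAM, bytes([6]))
    return build_mgmt_frame(BEACON, BROADCAST, AP_BSSID, AP_BSSID, body)

def sample_probe_request(ssid):
    """ssid=b'' builds a null (wildcard) probe request; any other value a directed one."""
    return build_mgmt_frame(PROBE_REQ, BROADCAST, CLIENT, BROADCAST, ie(IE_SSID, ssid) + ie(IE_RATES, RATES))

if __name__ == "__main__":
    for frame in (sample_beacon(), sample_probe_request(b""), sample_probe_request(b"CorpWiFi")):
        print(parse_mgmt_frame(frame))
```

Note that the parser needs no key material at all: everything it extracts comes from the unencrypted management frames, which is exactly why passive discovery is possible on any network, and why the Privacy capability bit tells a listener whether the BSS encrypts its data frames before a single client has even associated.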

Another tool that can capture frames, using either the computer's built-in Wi-Fi NIC or an external one, is Airtool. Click "Capture" and the resulting capture opens in Wireshark, where the beacons and probe responses collected during passive scanning can be inspected frame by frame. The snapshot below shows Airtool in use:

MALICIOUS EAVESDROPPING

Malicious eavesdropping is the unauthorized use of an 802.11 protocol analyzer to capture other people's wireless communications. While casual eavesdropping is considered harmless, malicious eavesdropping is typically illegal. Most countries have some form of wiretapping law that makes it a crime to listen in on someone else's telephone conversation, and most also have laws that extend this to any electromagnetic communication, including 802.11 wireless transmissions.

An 802.11 protocol analyzer lets wireless network administrators capture 802.11 traffic to analyze and troubleshoot their own networks. Because the analyzer's radio sits in monitor mode and transmits nothing, a wireless intrusion prevention system (WIPS) has nothing to detect: malicious eavesdropping leaves no trace on the air.

A WLAN protocol analyzer is meant to be a diagnostic tool, but an attacker can use the same software as a listening device for unauthorized monitoring of 802.11 frame exchanges. Layer 2 information (MAC addresses, SSIDs, frame types) is always exposed; layers 3-7 are exposed as well whenever WPA2/WPA3 encryption is not in place. On an open network, cleartext credentials such as email, FTP, and Telnet passwords can be captured directly, and any unencrypted 802.11 frames can be reassembled at the upper layers of the OSI model: email messages can be reconstructed and read, web pages and instant messages rebuilt, and VoIP streams reassembled and saved as a WAV audio file.

To better understand malicious eavesdropping, some captured packets are needed. The following captures were made with Airtool, using a WlanPi Pro as the remote sensor.

While capturing, http://neverssl.com/ (a site that deliberately serves plain HTTP) was opened. Applying the "http" display filter in Wireshark shows the request line, the Host header and the page contents in the protocol analyzer, because the site was accessed over HTTP rather than HTTPS.

The screenshot below shows this:

During the same capture, several DNS queries occurred. Changing the filter to "dns" and pressing Ctrl+F on Windows or Command+F on macOS makes it possible to search for the names of the websites that were opened while capturing.

The snapshot below shows that even when HTTPS was used to reach the website, the DNS traffic, and therefore the domain name, is still visible in cleartext. (The TLS Server Name Indication in the ClientHello leaks the same name unless Encrypted Client Hello is in use, and encrypted DNS such as DoH or DoT hides the lookup from an on-air observer but not the SNI.) Without any particular effort, the eavesdropper gets a picture of the web pages people use most, and can use that information to prepare a targeted attack.
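The two observations above, that a plain HTTP request exposes its URL and headers and that a DNS lookup exposes the hostname even when the site itself is reached over HTTPS, are shown below in an added example that is not part of the original post and uses no real capture. It parses constructed UDP and TCP payloads of the kind an eavesdropper would lift out of unencrypted data frames: a DNS query for neverssl.com, the HTTP request that follows it, a DNS query for a made-up HTTPS-only host, and an opaque TLS record standing in for that encrypted session. All names, the cookie value and the TLS bytes are constructed sample data.

```python
import struct

def build_dns_query(name, txid=0x1A2B):
    """Constructed DNS query for an A record: 12-byte header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: standard query, RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def dns_question_names(payload):
    """Return the names asked about in a DNS query. Responses are ignored: the question
    section of the query already tells the eavesdropper which site is being visited."""
    _txid, flags, qdcount = struct.unpack_from(">HHH", payload, 0)
    if flags & 0x8000:   # QR bit set: this is a response
        return []
    names, off = [], 12
    for _ in range(qdcount):
        labels = []
        while True:
            n = payload[off]
            off += 1
            if n == 0:
                break
            if n & 0xC0:
                raise ValueError("compression pointer in question section")
            labels.append(payload[off:off + n].decode("ascii", "replace"))
            off += n
        names.append(".".join(labels))
        off += 4   # skip QTYPE and QCLASS
    return names

def http_request_summary(payload):
    """Pull method, path, Host and Cookie out of a cleartext HTTP request; None if it is not one."""
    try:
        head = payload.decode("ascii").split("\r\n\r\n", 1)[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1],
            "host": headers.get("host"), "cookie": headers.get("cookie")}

def eavesdropper_view(flows):
    """What a passive listener on an open WLAN learns from a list of (protocol, payload) pairs."""
    seen = []
    for proto, payload in flows:
        if proto == "udp/53":
            seen.extend(f"DNS lookup: {name}" for name in dns_question_names(payload))
        elif proto == "tcp/80":
            req = http_request_summary(payload)
            if req:
                seen.append(f"HTTP {req['method']} http://{req['host']}{req['path']}"
                            + (f" cookie={req['cookie']}" if req["cookie"] else ""))
        else:
            seen.append(f"{proto}: {len(payload)} bytes, payload encrypted")
    return seen

# Constructed flows in the order the text describes: the lookup for neverssl.com, the plain HTTP
# fetch, then a lookup for a made-up site that is only ever reached over HTTPS.
SAMPLE_FLOWS = [
    ("udp/53", build_dns_query("neverssl.com")),
    ("tcp/80", b"GET /index.html HTTP/1.1\r\nHost: neverssl.com\r\n"
               b"Cookie: session=constructed-example\r\nUser-Agent: demo\r\n\r\n"),
    ("udp/53", build_dns_query("webmail.example.com")),
    # Stand-in for a TLS application-data record of that HTTPS session: opaque to the listener.
    ("tcp/443", b"\x17\x03\x03\x00\x20" + bytes(32)),
]

if __name__ == "__main__":
    for line in eavesdropper_view(SAMPLE_FLOWS):
        print(line)
```

The last two entries are the point of the DNS paragraph: the TLS record gives the listener nothing, but the lookup immediately before it already named the host, so the "private" HTTPS visit is as visible to a passive observer as the HTTP one, minus the page contents and cookie.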

Because malicious eavesdropping is passive and undetectable, encryption must always be implemented to provide data privacy; it is the only real protection against unauthorized monitoring of the WLAN. WPA2/WPA3 encryption protects all layer 3-7 information carried in data frames. Two caveats apply. On a WPA2-Personal network, anyone who knows the passphrase and captures a client's four-way handshake can derive that client's session keys and decrypt its traffic, so a shared passphrase offers no privacy between users of the same network; WPA3-Personal (SAE) fixes this by deriving a fresh, forward-secret key per session. And Wi-Fi encryption ends at the AP, so application-layer protection such as TLS or SSH is still needed for everything that travels on beyond it.

Post by Amin Sedighfar
