27
R-C-D
6y

Hi hackers!
Just not sure about this one:
Is this true?
The closer I get to the router, the more packets I might be able to sniff.
And something else:
I might lose the traffic sent to the other APs while I'm close to another one.

Is there any way to capture all packets?
(I also have wired access to the network, but since the socket isolates the traffic, let me know if there is any other method.)

Thanks

Comments
  • 3
    Wireshark?
  • 5
  • 6
    MITM through arp poisoning? (the entire network)
  • 7
    If you're talking about packet capturing in monitor mode, yes you'll be able to capture more when you're closer to the AP. I like to imagine WiFi traffic as invisible "things/rewards" hanging on the ceiling of a merry-go-round, with new ones being emitted from the center continually. There's more closer to the center so you'll be able to capture more of them.

    Be sure to try it out with a dummy setup, one AP (could be hostapd or something like that), some hosts that e.g. communicate with each other and your attacking host.

    Generally I'd only do packet sniffing like this for capturing WPA secrets though, where deauthing is far more useful than sitting closer to the AP. And even in the worst case where the signal is too weak, on Alfas at least you can increase the txpower (within legal and healthy limits; don't go beyond 30 dBm) or make yourself a directional antenna. A biquad is relatively easy to make.
  • 4
    As for capturing traffic from wired connections, it used to be possible with dumb hubs, but since the advent of switches, for better or worse, that became a thing of the past.
  • 4
    @linuxxx has a point. It would work for wired connections as long as the router/switch is not mitigating/logging IP collisions. But attacking the whole network is hella inefficient. You'll waste loads of traffic just on 0806 ethtypes, sending eth frames to every MAC you can think of, which is very likely to draw NW admins' attention. Isolated attacks are more likely to remain invisible.

    Oh, btw, these attacks are carried out at the ETH layer, not IP. So you'll have to know the MAC addresses of all the victims. So if you're attacking the whole network, the first step should be resolving all network IPs to MACs, and the second, poisoning the victims.

    I will not explain how any of this is done nor point to any tools.
  • 4
    @netikras i already know them 😂
  • 2
    @R1100 Good. Let's stay discreet then
  • 3
    @netikras I already performed sniffing and poisoning on 1 AP; I was just wondering how the attack can be done on the whole network.
  • 3
    @R1100 If you're attacking the whole network, eventually you'll miss some packets, as from time to time your poison gets its antidote released to the NW :)
  • 3
    @netikras do sysadmins usually monitor the network for such attacks?
  • 2
    @R1100 depends on the org. Some do, some don't
  • 3
    @netikras will they recognize the identity of the attacker?
    Assuming I fake my MAC.
  • 3
    @R1100 It is possible if the NW layer has logging enabled. Logs can lead to the exact PC the attack had been carried out from.
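Added example, not from any of the posters above: the reply about 0806 ethtypes says a whole-network poisoner has to send ARP frames claiming other hosts' IPs to every MAC on the segment, and the later exchange asks whether admins notice. The code below decodes raw Ethernet/ARP frames (EtherType 0x0806) and flags the two things a monitor would log: an IP whose sender MAC changes, and one MAC claiming many IPs. All frames are constructed inline; the addresses, MACs and the `max_ips_per_mac` threshold are made up for the demo.

```python
"""Added example: decode raw ARP frames (EtherType 0x0806) and flag the signs of
ARP poisoning a network monitor would log. Sample frames are constructed inline."""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806          # the "0806 ethtype" from the thread
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(oper, sha, spa, tha, tpa, eth_dst=None):
    """Ethernet II header + IPv4-over-Ethernet ARP payload (42 bytes)."""
    eth = struct.pack("!6s6sH", eth_dst if eth_dst is not None else tha, sha, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42:
        return None
    _eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_src": eth_src, "oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def detect_arp_poisoning(frames, max_ips_per_mac=3):
    """Two detections: an IP whose sender MAC changes, and one MAC that claims
    more than max_ips_per_mac addresses (what poisoning a whole network looks like)."""
    bindings = {}                 # IP -> first MAC seen claiming it
    claimed = defaultdict(set)    # MAC -> IPs it has claimed
    alerts = []
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp is None:
            continue                              # not ARP, ignore
        ip, mac = ip_str(arp["spa"]), mac_str(arp["sha"])
        if arp["eth_src"] != arp["sha"]:
            alerts.append(f"frame src {mac_str(arp['eth_src'])} != ARP sender {mac}")
        if ip == "0.0.0.0":
            continue                              # ARP probe, carries no binding
        if bindings.setdefault(ip, mac) != mac:
            alerts.append(f"{ip} changed from {bindings[ip]} to {mac}")
        claimed[mac].add(ip)
        if len(claimed[mac]) == max_ips_per_mac + 1:
            alerts.append(f"{mac} claims {len(claimed[mac])} different IPs")
    return alerts


# Constructed sample traffic: gateway .1, hosts .10-.12, attacker with MAC cc:..
GW_MAC, H10_MAC, ATK_MAC = b"\xaa" * 6, b"\xbb" * 6, b"\xcc" * 6
GW_IP, H10_IP, H11_IP, H12_IP = (bytes([192, 168, 1, x]) for x in (1, 10, 11, 12))
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, H10_MAC, H10_IP, b"\x00" * 6, GW_IP, eth_dst=BROADCAST),
    build_arp_frame(ARP_REPLY, GW_MAC, GW_IP, H10_MAC, H10_IP),        # legit answer
    b"\xbb" * 6 + b"\xaa" * 6 + b"\x08\x00" + b"\x45" + b"\x00" * 39,  # IPv4 frame, skipped
    build_arp_frame(ARP_REPLY, ATK_MAC, GW_IP, H10_MAC, H10_IP),       # "gateway is at cc:.."
    build_arp_frame(ARP_REPLY, ATK_MAC, H10_IP, GW_MAC, GW_IP),        # ".10 is at cc:.."
    build_arp_frame(ARP_REPLY, ATK_MAC, H11_IP, GW_MAC, GW_IP),
    build_arp_frame(ARP_REPLY, ATK_MAC, H12_IP, GW_MAC, GW_IP),
]

if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_FRAMES):
        print("ALERT:", line)
```

The "antidote" mentioned above (the real host answering an ARP request again) shows up in this detector as the same IP flapping between two MACs, which is exactly the pattern the first check alerts on; the second check is what makes a whole-network poisoning run stand out against normal ARP chatter, where one MAC claims one IP.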
  • 1
    Um, for monitor mode that only applies if you're sniffing in promisc over LAN; distance doesn't matter, you just need a connection. As someone mentioned earlier, hub-based routers just don't exist anymore due to switch-based ones replacing them, making sniffing harder. HOWEVER, you may be able to cause the switch to broadcast all data like a hub if you perform a MAC flood attack, causing it to go into fail-open mode.
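Added example, not from the commenter above: a deliberately simplified model of a learning switch that shows why the MAC flood described works. Once the forwarding table is full of bogus source addresses, legitimate hosts can no longer be learned after their entries age out, so unicast frames to them are flooded out of every port, including the attacker's. The table size, aging time and port numbers are toy values chosen for the demo; real switches hold thousands of entries and differ in how they age them.

```python
"""Added example: a simplified model of a learning switch, showing why a MAC flood
turns unicast forwarding into hub-like flooding. Table size and aging are toy values."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, capacity=8, aging_seconds=300):
        self.ports = list(ports)
        self.capacity = capacity          # CAM table size; real switches hold thousands
        self.aging = aging_seconds
        self.cam = {}                     # MAC -> (port, last_seen)
        self.now = 0

    def tick(self, seconds):
        self.now += seconds

    def _expire(self):
        self.cam = {m: e for m, e in self.cam.items() if self.now - e[1] < self.aging}

    def forward(self, src, dst, in_port):
        """Return the list of egress ports for a frame arriving on in_port."""
        self._expire()
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = (in_port, self.now)   # learn / refresh the source
        # else: table full, the source cannot be learned (the flood's whole point)
        entry = self.cam.get(dst)
        if dst == BROADCAST or entry is None:
            return [p for p in self.ports if p != in_port]   # flooded like a hub
        return [entry[0]]


def bogus_mac(i):
    # locally administered unicast prefix 02:, then a counter
    return "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xff)


def run_mac_flood_demo():
    host_a, host_b = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    sw = LearningSwitch(ports=[1, 2, 3])        # A on port 1, B on 2, attacker on 3
    sw.forward(host_a, host_b, 1)               # unknown dst: flooded, A gets learned
    sw.forward(host_b, host_a, 2)               # B learned; A -> B is now unicast
    before = sw.forward(host_a, host_b, 1)      # only port 2, attacker sees nothing
    for i in range(1000):                       # attacker saturates the table
        sw.forward(bogus_mac(i), BROADCAST, 3)
    sw.tick(301)                                # every entry ages out...
    for i in range(1000):
        sw.forward(bogus_mac(i), BROADCAST, 3)  # ...and the attacker refills it first
    after = sw.forward(host_a, host_b, 1)       # neither A nor B fits: flooded to 2 and 3
    return before, after


if __name__ == "__main__":
    before, after = run_mac_flood_demo()
    print("before flood, A->B goes to ports", before)
    print("after flood,  A->B goes to ports", after)
```

The defensive counterpart is the same table viewed from the switch: a port that suddenly sources hundreds of new MAC addresses is what port-security limits and "MAC move" alerts are built to catch, which is why the flood is noisy for the same reason the whole-network ARP poisoning above is.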
  • 0
    You have to sniff at the switch. And the packet will be having a MAC address. Which MAC address should go to which AP can be found on the switchport.

    So being closer to an AP, you can sniff only at that AP level. You have to move your abstraction one level above the AP and sniff, i.e. at layer 2.