dylanedwards.com | Dylan Edwards

November 22, 2009

Packet Sniffing on Mac OS X with Wireshark

Almost everyone is familiar with the concept of wireless networks and how insecure they can be. Everyone has heard some story about how all your data can be stolen while you surf the web at Starbucks, and hardly anybody does anything about it. I think most people are under the impression that there’s no way stealing information can possibly be that easy, so no one is doing it. The truth is that stealing information is incredibly easy, and some of us are doing it all the time!

The information contained in this article is for educational purposes only. Using it incorrectly can get you in a lot of trouble (if you don’t believe me, I’ll tell you my United States Secret Service story sometime!), so be responsible.

Today we are going to be using a packet sniffer. A packet sniffer listens on a network interface and records a copy of every packet the interface hands it, whether or not the packet was meant for your machine. If you want a more in-depth explanation, read Wikipedia. Our packet sniffer of choice today will be Wireshark, which you can download from wireshark.org.

Wireshark is available for all the common platforms, but there is one snag to getting it running on a Mac. In Mac OS X the capture devices (/dev/bpf*) are owned by root and readable only by root, so an ordinary user can start Wireshark but gets an empty interface list. There are a few remedies to this, and they are as follows:

  1. Log in as root – The root account is disabled by default, so enable it first in Directory Utility (Edit->Enable Root User). Then make sure that the login window is set to display as Name and Password (System Preferences->Users->Login Options), log out (Shift+Cmd+Q), log in with the name System Administrator (the root account) and whatever password you have set for root, and run the program. This is the worst of the three choices: your whole desktop session, browser included, now runs as root.
  2. Run the program with sudo – From the terminal, navigate to the Wireshark binary (usually /Applications/Wireshark.app/Contents/MacOS/) and run it with the command ‘sudo ./Wireshark’. Now only Wireshark runs as root, which is better, but still not good: its protocol dissectors parse every byte that arrives off the wire, they have a long history of bugs, and a crafted packet that exploits one of them gets root. The Wireshark project itself advises against running the GUI as root for exactly this reason.
  3. Change the permissions on your capture devices – From the terminal, run the command ‘sudo chmod a+rw /dev/bpf*‘ (for the curious, this gives everyone read/write access to those device files; an execute bit on a device node means nothing, so there is no reason to add one) and then run the program as yourself. This is the least bad option, since only the capture devices are opened with extra privilege and the rest of Wireshark runs as your own user. Two caveats: it lets every account on the machine sniff, so a tidier setup gives read/write to a dedicated group that only you belong to (chgrp plus chmod g+rw), which is what the ChmodBPF startup helper bundled with the Mac Wireshark package does; and the /dev/bpf* nodes come back with their default root-only permissions after every reboot, so whichever change you make has to be reapplied at boot.

After doing one of those, you are ready to steal people’s precious data. Once Wireshark is launched, click [Capture->Interfaces...] in the menubar. The window it presents lists the interfaces you can listen on. Find the one you want to use (probably your WiFi card, which is en1 on Macs of this era and en0 on most newer ones) and hit Start. You are now capturing on that interface, but be clear about what that gets you: in a normal capture a WiFi card usually hands you only frames addressed to your own machine plus broadcast and multicast, so you will see your own sessions and the network’s ARP and DNS chatter, not your neighbours’ traffic. Seeing other stations’ frames takes monitor mode (newer Wireshark releases expose it as a checkbox in the capture options), and on a WPA or WPA2 network those frames are encrypted per station, so even then you can only decrypt them if you have the passphrase and captured that station’s association handshake. You can analyze the data as it comes in, or you can leave your computer locked inside an old van in the parking lot on a hot summer day until you have all of the information that you could ever need.

Now that you’ve got some data, let’s look at what you can do with it. Most importantly, we can save it for later. Try out [File->Save As...] to save your PCAP dump (that’s what they’re called) for later use. As far as analyzing the data, let’s start by talking about what you see in Wireshark. Looking at a PCAP dump, you see 6 columns across the top labeled: No., Time, Source, Destination, Protocol, and Info. One at a time.

  • “No.” is pretty simple, it’s the packet number. Every packet you collect is incrementally numbered.
  • “Time” is straightforward too: the number of seconds elapsed since the capture began, measured at the moment the packet you are looking at was captured.
  • “Source” is the source address, where the packet originated: an IP address for IP traffic, a MAC address for link-layer frames such as ARP. If you don’t know what an IP address is, you might be reading the wrong blog.
  • “Destination” is the destination address (where the packet was headed), in the same form.
  • “Protocol” tells you what protocol the packet in question used. Was it an FTP packet? HTTP? ARP? DNS? Find out here!
  • “Info” is exactly what it sounds like. It’s a bit of information about a packet.

When you click on a packet, the bottom part of your Wireshark window changes to display the decoded headers and the raw bytes of that packet. Usually the payload is just gibberish that means nothing out of context. To give it some context you need to see all of the packets in the stream, and fortunately Wireshark makes that really easy. Right click on any packet in the list and select Follow TCP Stream: Wireshark applies a display filter that keeps only that conversation (tcp.stream eq N), reassembles the segments in sequence-number order, and presents both directions as continuous, readable text.

Now let’s do something interesting. Most people are aware that FTP information is sent in plaintext. Those who don’t know this should. No one should ever use plain FTP (use FTPS or SFTP instead). I am about to demonstrate why, so feel free to follow along! I’ll start by firing up Wireshark and monitoring packets on en1. Once that’s going, I’m going to initiate an FTP connection. For the purpose of demonstration, you can do this from Finder (Mac OS X) with Cmd+K and the address of the ftp server (if you don’t have a server, enable FTP on your local machine; note that a connection to your own machine travels over the loopback interface and never touches en1, so in that case capture on lo0 instead). Once you’ve connected (with username and password), tab back over to Wireshark and stop your capture. Now that we’ve got some data, we can dive in a bit deeper.

Most malicious uses of Wireshark simply involve knowing what you’re looking for. In this case, we are fishing for FTP passwords, so let’s sort our packets by protocol and scroll till we find FTP (advanced users will just type ftp into the display filter bar; ftp.request.command == "PASS" narrows it to the password packets alone). You should be able to pick just about any packet near the top and follow its TCP stream to find what we’re looking for. Here’s what I found:


USER dylan
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 3 of 50 allowed.
220-Local time is now 20:44. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
331 User dylan OK. Password required
PASS asdfMyPassw0rdasdf
230-User dylan has group access to: dylan
230 OK. Current restricted directory is /
SYST
215 UNIX Type: L8
PWD
257 "/" is your current location
TYPE I
200 TYPE is now 8-bit binary
CWD /
250 OK. Current directory is /
PASV
227 Entering Passive Mode (67,43,13,30,139,195)
LIST

As you can see, my password (obviously I changed it for the example) is right there in plaintext. Notice also that the banner advertises Pure-FTPd [TLS]: the server would have accepted an encrypted session, but the client never sent AUTH TLS, so the whole login went in the clear. If I was on a public WiFi network, anyone with a packet sniffer could now connect to the IP given in the destination column (the server repeats it in its PASV reply as well, 67,43,13,30, and the last two numbers encode the data port, 139*256+195 = 35779) using the username and password they found.
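Added example, not part of the original post and not code from the Wireshark project: a standard-library Python script that does offline what the Follow TCP Stream and “search for PASS” steps above do in the GUI. It builds a small pcap in memory modelled on the transcript above, with assumed client and server addresses (192.168.1.10 and 67.43.13.30, client port 40000), reassembles each TCP conversation by sequence number so that reordered or retransmitted segments still read correctly, then pulls the USER/PASS pair out of the client side and decodes the PASV reply into the server’s data port. Point pcap_records at a real capture saved with File->Save As in classic pcap format and the same functions work on it.

```python
"""Follow TCP Stream and a credential grep, done offline with the standard
library only.  Added example modelled on the post's FTP transcript; not code
from the post or from Wireshark.  Every packet is constructed in memory."""
import re
import struct
from collections import defaultdict

CLIENT, SERVER, FTP_PORT = "192.168.1.10", "67.43.13.30", 21  # assumed sample addresses


def _frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with one PSH+ACK segment; checksums left zero (unchecked below)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, 5 << 12 | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip            # MAC addresses do not matter here


def build_sample_pcap():
    """Little-endian pcap (LINKTYPE_ETHERNET) of an FTP login.  Two segments are
    swapped and one duplicated, as a real capture with a retransmission would look."""
    exchange = [
        (False, b"220 Welcome to Pure-FTPd [TLS]\r\n"),
        (True, b"USER dylan\r\n"),
        (False, b"331 User dylan OK. Password required\r\n"),
        (True, b"PASS asdfMyPassw0rdasdf\r\n"),
        (False, b"230 OK. Current restricted directory is /\r\n"),
        (True, b"PASV\r\n"),
        (False, b"227 Entering Passive Mode (67,43,13,30,139,195)\r\n"),
    ]
    seqs, frames = {True: 1000, False: 5000}, []
    for from_client, data in exchange:
        src, dst = (CLIENT, SERVER) if from_client else (SERVER, CLIENT)
        sport, dport = (40000, FTP_PORT) if from_client else (FTP_PORT, 40000)
        frames.append(_frame(src, sport, dst, dport, seqs[from_client], data))
        seqs[from_client] += len(data)
    frames[1], frames[3] = frames[3], frames[1]        # PASS lands in the file before USER
    frames.append(frames[3])                           # USER seen twice (retransmission)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1258929600 + i, 0, len(f), len(f)) + f
    return out


def pcap_records(data):
    """Yield raw frames from a classic pcap file of either byte order (pcapng not handled)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Decode Ethernet/IPv4/TCP into (src, sport, dst, dport, seq, payload); else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                    # ARP, IPv6, ... are skipped
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None                                    # not IPv4 carrying TCP
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    sport, dport, seq, _, off_flags = struct.unpack("!HHIIH", tcp[:14])
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    return src, sport, dst, dport, seq, tcp[(off_flags >> 12) * 4:]


def follow_tcp_streams(pcap):
    """What Follow TCP Stream does: group segments per conversation and direction,
    order by sequence number, drop exact retransmissions (first copy wins)."""
    segs = defaultdict(dict)
    for frame in pcap_records(pcap):
        seg = tcp_segment(frame)
        if seg and seg[5]:
            src, sport, dst, dport, seq, payload = seg
            conv = tuple(sorted([(src, sport), (dst, dport)]))
            segs[conv].setdefault((src, sport, dst, dport), {}).setdefault(seq, payload)
    return {conv: {d: b"".join(p for _, p in sorted(s.items())) for d, s in dirs.items()}
            for conv, dirs in segs.items()}


def ftp_credentials(pcap):
    """The 'search for PASS' step: one dict per FTP login, plus the PASV data port."""
    found = []
    for dirs in follow_tcp_streams(pcap).values():
        for (src, sport, dst, dport), data in dirs.items():
            if dport != FTP_PORT:
                continue
            text = data.decode("ascii", "replace")
            user = re.search(r"^USER (.+?)\r?$", text, re.M)
            pw = re.search(r"^PASS (.+?)\r?$", text, re.M)
            if not (user and pw):
                continue
            entry = {"server": dst, "client": src, "user": user.group(1), "password": pw.group(1)}
            reply = dirs.get((dst, dport, src, sport), b"").decode("ascii", "replace")
            pasv = re.search(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply, re.M)
            if pasv:                                   # 139,195 -> port 139*256+195
                n = [int(x) for x in pasv.groups()]
                entry["pasv"] = (".".join(map(str, n[:4])), n[4] * 256 + n[5])
            found.append(entry)
    return found


if __name__ == "__main__":
    print(ftp_credentials(build_sample_pcap()))
```

ftp_credentials(build_sample_pcap()) returns one entry: user dylan, password asdfMyPassw0rdasdf, server 67.43.13.30 with passive data port 35779. The duplicated USER segment disappears because the first copy of a sequence number wins; partially overlapping segments, which real stacks can produce, are not handled, and a pcapng file needs converting to classic pcap first.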

This post has become way longer than I expected, so I must wrap it up now. In short, Wireshark can collect all sorts of useful information. Web sites served over plain HTTP, email fetched over POP3 or IMAP without TLS, the instant messaging protocols of the day, FTP, and many, many other common applications send data in plaintext; anything that is not wrapped in TLS or SSH is fair game. A quick Ctrl+F over all of your packets for words like “Pass” (or the display filter frame contains "PASS") can often reveal some pretty fun stuff. I hope this tutorial explained at least enough to get you in a bit of trouble, and as always, I welcome any and all feedback/questions!

Oh, and maybe you could even comment?


4 Comments for Packet Sniffing on Mac OS X with Wireshark

Andrew Hake | November 22, 2009 at 5:21 am

I love the smell of Packets in the morning! Good stuff sir.

matthew | January 11, 2010 at 2:08 pm

not that I don’t believe you, but what’s the Secret Service story?

nice article by the way — I take it Wireshark is using tcpdump and presenting the analysis in a more readable format?

Andrew | January 13, 2010 at 4:30 pm

Very cool article. I’ve always been curious about packet sniffing.

Maccabee | July 21, 2010 at 7:57 pm

Funny, I ran through the whole process and let it run an hour but retrieved no information besides what looked like sites I had visited. Maybe I was the only one on the network, which I doubt because I was at a very public place. I’ll try it again later at home. ;)
