carmelo42 Posted January 29, 2014 Share Posted January 29, 2014 Hello guys and girls :) So I'm trying to sniff HTTP with wireshark : - I have an ALFA 500 wireless card, connected to my pentest computer - the alfa card is connected on my wifi network. - I want to sniff HTTP that comes from my 2nd computer, which is on the same wireless network. How can I do this ? (it's workingvery well if my pentest computer is ethernet connected) Quote Link to comment Share on other sites More sharing options...
tom564 Posted January 29, 2014 Share Posted January 29, 2014 Hello guys and girls :) So I'm trying to sniff HTTP with wireshark : - I have an ALFA 500 wireless card, connected to my pentest computer - the alfa card is connected on my wifi network. - I want to sniff HTTP that comes from my 2nd computer, which is on the same wireless network. How can I do this ? (it's workingvery well if my pentest computer is ethernet connected) Is it an open WIFI network? Quote Link to comment Share on other sites More sharing options...
digip Posted January 29, 2014 Share Posted January 29, 2014 If you MITM the target, regardless of wireless or wired, you should see all of its traffic and then just use HTTP as the display filter in wireshark to see only http traffic. If its OpenWifi, then put the card sniffing into monitor mode and you should be able to see its traffic if its not encrypted in any way. If in WEP or WPA, then you need to MITM the other node. Quote Link to comment Share on other sites More sharing options...
carmelo42 Posted January 30, 2014 Author Share Posted January 30, 2014 Is it an open WIFI network? Nope, it's WPA2 protected, but as it's mine, I'm in ! If you MITM the target, regardless of wireless or wired, you should see all of its traffic and then just use HTTP as the display filter in wireshark to see only http traffic. If its OpenWifi, then put the card sniffing into monitor mode and you should be able to see its traffic if its not encrypted in any way. If in WEP or WPA, then you need to MITM the other node. What I don't understand : do I have to be connected on the wireless network BEFORE putting the card into monitor mode ? And in wireshark what interface do I have to listen ? wlan0 ? mon0 ? Quote Link to comment Share on other sites More sharing options...
digip Posted January 30, 2014 Share Posted January 30, 2014 (edited) With WPA, its encrypted, so monitor mode won't see the traffic, so you need to do two things. You can use airomon-zc/ng to start the wireless card in monitor mode if you want, which will give you both a wlan0 and mon0, where the mon0 can be used to inject packets, to arp replays, etc, but if you are connected to the AP with wlan0, then you'll want to MITM the target and sniff the traffic on wlan0. mon0 is not going to be of much use if you already have access to the network, since the traffic is going to be encrypted via WPA, so a MITM of the node while you're connected to the same subnet with wireshark sniffing on the same nic connected to the AP (assuming wlan0) will get you the other nodes traffic. mon0 would be of more use for injection to capture the wpa handshake for later trying to crack the password or deauth clients, etc. In an open wifi network, mon0 would let you see any unencrypted traffic, but a MITM would always be better over the managed nic to capture all traffic of a node. There are other sniffing tools to capture other things as well once on the network, like urlsnarf, things that capture plain text credentials, etc. https://www.google.com/search?num=50&newwindow=1&q=linux+mitm&oq=linux+mitm&gs_l=serp.3..0l2j0i22i30l8.511797.517009.0.521212.10.10.0.0.0.0.159.950.8j2.10.0....0...1c.1.32.serp..0.10.948.KdtMr9HdSZU Edited January 30, 2014 by digip Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.