Hunting Wi-Fi Leeches

by RSG

Packet sniffers are incredible learning tools.

Like many people, I have a wireless Internet router installed in my apartment.  It creates a small, wireless Local Area Network (LAN) which provides connectivity for my three computers.

The other day I was tooling around on my LAN, using my trusty packet sniffer to learn more about how my router works and how the various computers interact on the network.  All of a sudden I noticed a fifth IP address was sending and receiving data.  Five?  But I only own three computers and a router.  Bingo, I had a Wi-Fi leech.

Wi-Fi leeches are fairly common these days.

It's a very common practice to jump on an open Wi-Fi node when you see one available.  2600 has even provided information on more than one occasion on how to detect wireless nodes (for example, see the cover design for the Summer 2002 issue).

I've always thought, perhaps somewhat naively, that open wireless was better than closed and thus had never blocked access to my router using a password or MAC address filtering.  But this time it was personal.  I was curious.  Who was this leech?

First a disclaimer: I'm not a professional sysadmin, nor am I a low-level protocol ninja.  But I've managed to teach myself a thing or two about how networks work.  This article is meant to be introductory.  Comments and additions are encouraged.

I had to move quickly.

I toggled back to the terminal where my favorite packet sniffer, tcpdump, was running.  tcpdump is ubiquitous.  If you run a UNIX-style operating system you most likely already have it installed.  (Windoze people can use a port called "WinDump.")

Since I wanted to ignore all traffic except for the data going to/from my leech, I restarted tcpdump using the host argument and my leech's IP address:

# tcpdump -s0 -i en1 -Aa host 192.168.1.103

I run Mac OS X, so the -i en1 flag means sniff on my en1 network interface, i.e., my AirPort card.

The -s0 and -A flags are the juicy parts.

-s0 tells tcpdump to capture whole packets instead of the default truncated snapshot (without it, most of the payload never makes it into the dump), and -A prints each packet's contents as ASCII text.  The trailing -a is a legacy option that only affects how addresses are printed; -A is the one doing the work.  Fun!

Check the man pages; your mileage may vary.

A nice alternative to tcpdump is Ethereal (since renamed Wireshark), which gives you the same capture with a graphical protocol decoder.  Mac people should also check out EtherPEG, which reassembles JPEGs or GIFs in real time as they flow by.

Okay, I had my leech trapped.  But what could I learn?

First, I noticed a Media Access Control (MAC) address in the tcpdump output.  These are unique hardware addresses burned into network adapters.  The first three octets (the OUI, or Organizationally Unique Identifier) are assigned by the IEEE to the adapter's manufacturer, so with a MAC address you can look up who built the network card, which for a built-in adapter usually tells you who built the machine.

I plugged the MAC address into www.coffer.com/mac_find and made a note of my leech's computer type.

After sifting through a few more pages of tcpdump output, I learned the make and model of my leech's computer as well as the type and version number of the operating system, plus the make and model of my leech's printer.  Hmmm, should I send over a print job?

You'll get a lot of uninteresting garbage, but here are a few strings that are helpful to grep through the tcpdump output with: @, GET, OK, USER, <html>

You'll no doubt discover your own favorite strings to grep on.
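The two steps above, spotting a MAC/IP pair that is not one of your own machines and then fishing interesting strings out of the ASCII dump, can be scripted.  The following Python is an added example and not code from the article; the inventory, the LAN range, and both sample captures are constructed for illustration and are not real traffic.  It expects the link-layer format that tcpdump prints with -e -n (MAC addresses on each line), and it only trusts a MAC-to-IP binding when the IP is inside the LAN, because every off-LAN address shows up paired with the router's MAC.

```python
import ipaddress
import re

# Hypothetical inventory of my own gear (MAC -> label).  Not from the article.
KNOWN_HOSTS = {
    "00:0f:66:11:22:33": "router",
    "00:03:93:aa:bb:cc": "desktop",
    "00:03:93:aa:bb:cd": "laptop",
    "00:03:93:aa:bb:ce": "old-ibook",
}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range

# One line of `tcpdump -e -n` output for an IPv4 packet:
# <time> <src mac> > <dst mac>, ethertype IPv4 (0x0800), length N: <sip>.<sport> > <dip>.<dport>: ...
ETH_IPV4 = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 "
    r"\(0x0800\), length \d+: (?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+:"
)

# Constructed sample capture (not real traffic): my desktop browsing, an unknown
# box at .103 talking POP3 to the outside world, and the router answering its DNS.
SAMPLE_TCPDUMP = """\
21:14:02.103311 00:03:93:aa:bb:cc > 00:0f:66:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.1.100.49152 > 64.233.160.99.80: Flags [S], seq 1, win 65535, length 0
21:14:02.221890 00:0f:66:11:22:33 > 00:03:93:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 64.233.160.99.80 > 192.168.1.100.49152: Flags [S.], seq 1, ack 2, win 5840, length 0
21:14:05.000012 00:0d:93:44:55:66 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.103, length 28
21:14:06.512000 00:0f:66:11:22:33 > 00:0d:93:44:55:66, ethertype IPv4 (0x0800), length 92: 192.168.1.1.53 > 192.168.1.103.49300: 4242 1/0/0 A 216.239.32.10 (50)
21:14:06.530000 00:0d:93:44:55:66 > 00:0f:66:11:22:33, ethertype IPv4 (0x0800), length 78: 192.168.1.103.49201 > 216.239.32.10.110: Flags [P.], seq 1:25, ack 1, win 65535, length 24
"""


def mac_ip_pairs(dump):
    """Map each MAC to the set of LAN IPs it was seen sending or receiving as."""
    pairs = {}
    for line in dump.splitlines():
        m = ETH_IPV4.match(line)
        if not m:
            continue  # ARP, IPv6, etc.: not an IPv4 line in the -e format
        for mac, ip in ((m["smac"], m["sip"]), (m["dmac"], m["dip"])):
            # Off-LAN addresses are always paired with the router's MAC, so a
            # MAC<->IP binding is only meaningful when the IP is inside the LAN.
            if ipaddress.ip_address(ip) in LAN:
                pairs.setdefault(mac, set()).add(ip)
    return pairs


def find_leeches(dump, known=KNOWN_HOSTS):
    """MACs on the LAN that are not in my inventory, with the IPs they used."""
    return {mac: ips for mac, ips in mac_ip_pairs(dump).items() if mac not in known}


def oui(mac):
    """The vendor prefix (first three octets) to paste into an OUI lookup."""
    return mac.upper()[:8]


# The article's grep strings, applied to the ASCII payload that tcpdump -A prints.
INTERESTING = re.compile(r"@|GET|OK|USER|<html>")

# Constructed sample of -A output (not a real session).
SAMPLE_ASCII = """\
GET /mail/inbox HTTP/1.1
Host: mail.example.net
HTTP/1.1 200 OK
<html><head><title>Inbox</title>
USER leech@example.net
+OK Password required
From: friend@example.org
"""


def interesting_lines(ascii_dump):
    """Keep only the payload lines that match one of the grep strings."""
    return [line for line in ascii_dump.splitlines() if INTERESTING.search(line)]


if __name__ == "__main__":
    for mac, ips in find_leeches(SAMPLE_TCPDUMP).items():
        print(f"leech {mac} (OUI {oui(mac)}) using {sorted(ips)}")
    for line in interesting_lines(SAMPLE_ASCII):
        print("  ", line)
```

Run it against a saved capture by replacing SAMPLE_TCPDUMP with the output of tcpdump -e -n on your interface; anything find_leeches returns is a box you did not put on the network, and oui() gives you the prefix for a vendor lookup.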

After a day or two, I had discovered a whole lot about my leech: his name, the names of his two email providers, the names of the email lists he was subscribed to (Google the "SurvivePX" email list for a giggle), the names and email addresses of his friends...  You get the picture.

So here is the dilemma: if someone is stealing your bandwidth, is it okay to spy on them?  I'm afraid the ethical answer is probably no.  But still, if I could read his email, then he could read mine (if he had half a brain).

In effect, I was reminded of the importance of security and privacy: use encryption (SSL/TLS for your mail and web sessions, or a VPN, so that anyone sharing the air with you sees only ciphertext), and if you keep your node open (as I opted to do), be conscious of how people are using your network at all times.

My leech prompted me to learn a lot about how data moves around a LAN and what sort of information is revealed about a user.  I hope this was useful to you.

For more information on network protocols I would recommend W. Richard Stevens' book TCP/IP Illustrated, Volume 1 (Addison Wesley) and Eric Hall's Internet Core Protocols: The Definitive Guide: Help for Network Administrators (O'Reilly).

For the technical specs of IP and TCP you should also be sure to read RFC 791 and RFC 793.

Happy leech hunting.
