August 13th, 2021 at 8:26 PM
So for obvious reasons I'm going to keep it short and simple without going into detail on how to use these tools, because they can be used for good or evil depending on who uses them and how; just examples of how they can be set up and how to detect them.
To start with, Wireshark is a popular packet capture and analysis tool; that's what it does: it allows you to capture and look at information on a network as it passes through a node you control.
The easiest way to set it up is to set up a computer as a proxy for the router (check out the Pi-hole firewall for instructions on that one).
Once you have that computer set up as a proxy so all traffic goes through it, you need to run Wireshark. Luckily this tool works on Linux, Mac, and Windows, so it can be any computer with a decent network card. You can do this over wifi or ethernet, and this is commonly how a man-in-the-middle attack works: by routing traffic through a device set up to monitor stuff.
There are detailed instructions on how to set up Wireshark to do this on the web that do a much better job than I could at explaining it, but setting it up to monitor all packets is usually pretty straightforward. It can also be set up to filter and look for specific types of communication like emails or login requests.
Now once you have it set up you often get two kinds of traffic, encrypted and unencrypted.
Encrypted will often come out as a jumbled mess, but unencrypted is usually plain text; this includes passwords, website traffic, p2p connections, emails, etc.
These days a lot of stuff is encrypted; it's why HTTPS is important, because the S stands for Secure, meaning the connection is encrypted against this sort of thing.
Now this is useful for things like monitoring IPs for redirects, locating anomalous traffic like remote admin tools, keyloggers, etc., and if you have kids it's an easy way to keep an eye on where they're going without needing to install software on their computer.
In the wrong hands it can also be used to spy and steal information like bank info, username/password entries, and emails.
There are other tools like it, but Wireshark is generally the most popular, usually in conjunction with other tools, such as the WiFi Pineapple for wireless interception, or setting up a Raspberry Pi or similar computer to sit between a computer and the network, as well as remote admin tools and keyloggers to monitor information.
Getting into a place and setting up these tools is usually referred to as red-teaming, kinda like the real-world equivalent of the Ocean's series of movies.
The good news is, it's usually pretty easy to catch these methods using a tool called tracert. Now, while this does require some familiarity with what you are connecting to, a great way is to have a firewall or test box set up on your modem/router which you know the connection route to.
Let's say your router is 10.0.0.1, your computer is 10.0.0.21, and your firewall/test box is 10.0.0.42.
Your tracert should look like this:
tracert 10.0.0.42
hop 1 10.0.0.1 10ms
hop 2 10.0.0.42 10ms.
If instead it looks like this:
tracert 10.0.0.42
hop 1 10.0.0.1 10ms
hop 2 10.0.0.11 15ms
hop 3 10.0.0.1 15ms
hop 4 10.0.0.42 16ms.
then somebody is intercepting traffic.
Similarly, it would look like this if it's going through a switch before the router instead:
tracert 10.0.0.42
hop 1 10.0.0.1 10ms
hop 2 10.0.0.11 15ms
hop 3 10.0.0.42 15ms.
Your mileage may vary, but this is the basics of detecting this sort of thing, since usually tracert/traceroute does exactly that: it sends tracer packets that report back the path they took to get to a destination. In Windows 10 you need to install this tool as it's no longer included by default.
And there are ways to mask or prevent packets from reporting their path through a network, but most don't go through the extra hassle to do this.
tracert/traceroute is super handy to have and I often use it for other stuff, like checking to see if an ISP has connection problems by seeing if it's been re-routed and thus slowing down the internet connection to, say, Google or linux.com, where I know it should be no more than 5 or 10 hops.
Edit: as a fun experiment, try connecting to a Tor node and running tracert to the other side of said node; it's a great way to see how many hops and connections it makes before surfacing from the subweb/deepweb, and is a great example of a randomized/distributed proxy chain.
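The baseline check the post describes (know the path to a test box on your own network, then flag any trace that deviates from it) can be turned into a small script so it can be run on a schedule instead of eyeballed. The following is an added example written for this page, not code from the poster; it takes the post's addresses (router 10.0.0.1, test box 10.0.0.42) as the expected path, and the trace text it parses is constructed inline in the post's own "hop N <ip> <ms>" shape plus a Windows-style tracert layout, rather than captured from a real run. The line-parsing regexes are an assumption about the output format; adapt them if your tool prints hops differently.

```python
import re

# Expected hops to the known test box on the LAN (values taken from the post).
EXPECTED_PATH = ["10.0.0.1", "10.0.0.42"]

# Constructed sample traces in the post's format (not real program output).
NORMAL_TRACE = """\
tracert 10.0.0.42
hop 1 10.0.0.1 10ms
hop 2 10.0.0.42 10ms
"""

SUSPICIOUS_TRACE = """\
tracert 10.0.0.42
hop 1 10.0.0.1 10ms
hop 2 10.0.0.11 15ms
hop 3 10.0.0.1 15ms
hop 4 10.0.0.42 16ms
"""

# Constructed sample in the layout Windows tracert prints, to show the parser
# does not depend on the post's simplified "hop N" format.
WINDOWS_STYLE_TRACE = """\
Tracing route to 10.0.0.42 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2     1 ms     1 ms     1 ms  10.0.0.42

Trace complete.
"""

# A hop line starts with an optional "hop" word and the hop number; header and
# trailer lines ("Tracing route to ...", "Trace complete.") do not match.
HOP_LINE = re.compile(r"^\s*(?:hop\s+)?(\d+)\b")
# First dotted-quad on the line is taken as the responding address.
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hops(trace_text):
    """Return the responding address for each hop, '*' where no address was reported."""
    hops = []
    for line in trace_text.splitlines():
        if not HOP_LINE.match(line):
            continue
        found = IPV4.findall(line)
        hops.append(found[0] if found else "*")
    return hops


def unexpected_addresses(trace_text, expected_path):
    """Addresses that answered along the path but are not part of the baseline."""
    baseline = set(expected_path)
    return sorted({h for h in parse_hops(trace_text) if h != "*" and h not in baseline})


def check_path(trace_text, expected_path):
    """Compare the observed path hop by hop against the baseline.

    Returns (ok, findings); findings is empty when the trace matches exactly.
    An extra hop, a changed hop or a shorter path all count as findings, since
    the post's point is that the known route should not change at all.
    """
    observed = parse_hops(trace_text)
    findings = []
    if len(observed) != len(expected_path):
        findings.append(f"expected {len(expected_path)} hops, saw {len(observed)}")
    for i, addr in enumerate(observed):
        if i >= len(expected_path):
            findings.append(f"hop {i + 1}: {addr} (beyond expected end of path)")
        elif addr != expected_path[i]:
            findings.append(f"hop {i + 1}: {addr} (expected {expected_path[i]})")
    return (not findings, findings)


if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_TRACE), ("suspicious", SUSPICIOUS_TRACE),
                        ("windows-style", WINDOWS_STYLE_TRACE)]:
        ok, findings = check_path(trace, EXPECTED_PATH)
        print(f"{name}: {'OK' if ok else 'PATH CHANGED'}")
        for f in findings:
            print("  -", f)
        extra = unexpected_addresses(trace, EXPECTED_PATH)
        if extra:
            print("  unexpected responders:", ", ".join(extra))
```

To use it on a real box, replace the constructed strings with the captured output of `tracert 10.0.0.42` (or `traceroute` on Linux/Mac) and keep `EXPECTED_PATH` as the route you verified by hand when the network was known-good. As the post notes, a device that does not decrement TTL or answer probes will not show up in the trace, so a clean result lowers suspicion rather than proving the path is untouched.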