
I'm using the netcat -l 555 option to communicate between two computers (Linux) on port 555. Is there any way I can eavesdrop on what's going on in that conversation from a 3rd computer?

After the second machine responds with netcat <First_machine_IP> 555, the port closes so the conversation remains "private".

I'm ARP spoofing and every packet is transferred through my machine first. Can I exploit that to see the conversation? Any tool to do so? I heard something about port mirroring but I'm not sure it works remotely.

[screenshot: after beginning of chat session]

[screenshot: before beginning of chat session]

  • Possible duplicate of [How safe are Wi-Fi Hotspots? Because WPA 2 is compromised, is there any other security protocol for Wi-Fi?](http://security.stackexchange.com/questions/143268/how-safe-are-wi-fi-hotspots-because-wpa-2-is-compromised-is-there-any-other-se) – Marcus Müller Dec 21 '16 at 00:09
  • This depends on what kind of WiFi security you're using. I explained the different attack scenarios regarding your question in [my answer](http://security.stackexchange.com/questions/143268/how-safe-are-wi-fi-hotspots-because-wpa-2-is-compromised-is-there-any-other-se/143274#143274) to the question above. – Marcus Müller Dec 21 '16 at 00:09
  • And for unencrypted WiFi networks as well as WEP-protected networks that both the eavesdropping as well as the eavesdropped party are logged onto, yes, this is inherently possible without any special software. – Marcus Müller Dec 21 '16 at 00:13

1 Answer


I tried to explain in which cases WPA networks are subject to "spyability" by other users in this answer. Short: If the attacker isn't on the same WPA2 network, you're safe. If the attacker is on the same network, you're only safe if the network uses WPA2-Enterprise, and not WPA2-PSK.

For unencrypted networks, you can obviously simply sniff off the unencrypted packets from the air – no need to ARP-spoof anything. It's simply like sitting in the middle of a conversation.

For WEP, it's the same when the attacker is in the same network. If the attacker's not in the same network, he'd have to crack the WEP encryption – but that's sadly pretty realistic, given that you can derive the key by triggering known plaintext in a relatively short time. As soon as you have the key, sniffing is as easy as on an unencrypted network (or an Ethernet hub, if you remember these).

ARP spoofing is a technique to make other computers send data to you instead of their intended target – but that probably won't work in a simple Wi-Fi – all the stations will probably want to send packets to the access point, which doubles as router, and you'd have to convince that router that you are the legitimate holder of its IP address the moment you try to send forged ARP replies.

That'll simply fail, usually. In more complex networks, the access point might not be the router, but still, you'd very likely have to poison the ARP cache on the "backbone" side of the Access Point – a non-trivial problem.
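As an added example (not part of the question or the answer above), here is the defender's side of the ARP-cache poisoning the answer describes: a small detector that reads tcpdump-style ARP reply lines and flags an IP whose MAC binding changes, or a MAC that claims several IPs. The capture lines, addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump's ARP output format (all addresses made up).
# The last two lines show one MAC suddenly claiming both the router and the first machine.
SAMPLE_CAPTURE = """\
12:00:01.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:01.500000 ARP, Reply 192.168.1.10 is-at aa:bb:cc:00:00:10, length 28
12:00:02.000000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
12:00:02.300000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:00:05.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:05.200000 ARP, Reply 192.168.1.10 is-at de:ad:be:ef:00:99, length 28
"""

# Matches only ARP replies; requests and other traffic are ignored.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9A-Fa-f:]{17})"
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line in a tcpdump-style capture."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_conflicts(replies):
    """Return alert strings for IP->MAC rebinding and for one MAC answering for several IPs."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ts}: {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts}: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(parse_arp_replies(SAMPLE_CAPTURE)):
        print(alert)
```

On a real segment the same logic can be fed from `tcpdump -n arp` output; a static ARP entry for the router or switch-side DHCP snooping/dynamic ARP inspection is the usual mitigation once such a conflict is seen.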

  • Thanks for the detailed info. I'm using WPA-PSK and I'm already in the network, so it shouldn't be a problem according to you, but I still can't figure out how to listen to that port (555) which is closed. Any ideas? – eyal360 Dec 22 '16 at 07:55