4

I'm looking to do some packet sniffing on some of my IoT devices to see how much they are phoning home, and to see some the ports I can block to keep them from doing so.

They are a mix of wireless and wired devices so a simple promiscuous mode Wireshark isn't sufficient. I'm running a Netgear router at the moment so I can't run the sniff from there either.

Is my best option a MITM attack using ARP poisoning? I don't want to go through all the effort to try to setup some sort of proxy to sniff.

I'd like to do this from Linux. Is Ettercap the best tool for this these days?

Improve this question
4
  • what model netgear? Commented Apr 8, 2018 at 14:38
  • It's a WNDR3700, I know I can put dd-wrt on it, but the stock firmware has worked better for me. Commented Apr 8, 2018 at 14:40
  • OK this was insightful to me. Commented Apr 8, 2018 at 14:50
  • When you talk about IoT devices, you are too abroad. You must specify the technology at PHY and MAC Layer (802.11/802.15.4-Zigbee), the network protocol (IPV4 or IPV6). Basically, if you are using 802.11(b/g/n/ac/ah) you can configure your devices on the same network and try to sniff the packets by using the aforementioned tools (you can try eventually bettercap). Commented Jul 8, 2018 at 13:14

3 Answers 3

Reset to default
1

If you can put 2 interfaces on the Linux box, poisoning and attacks are not needed at all. Setup interfaces for WAN & LAN, add DHCP server and some NAT rules and you can easily monitor traffic with any tools including ethercap, tcpdump, wireshark, etc and later block those undesired streams.

If 2 interfaces are not handy, do the same above on one interface: Disable DHCP on the router, give Linux a static address, do the rest just like above and let the Linux do the job.

Improve this answer
2
  • While this would work, unless I am misunderstanding your suggestion this solution it would pretty intrusive to the rest of my network. I would have to go through and put in all my static DHCP address and whatnot onto the new DHCP server instead of my router. Either that or I would have to segregate off the devices I want to sniff onto another network. Ideally, I would like to only target the specific IoT devices and not interfere with anything else. Commented Apr 8, 2018 at 15:01
  • I think it's a better idea to bridge the two interfaces instead of intruding on the whole network. Just connect the devices through the transparent bridge. Running ARP poisoning will be a lot more intrusive across to the rest of the devices on the network. You could also try MAC flooding the Netgear switch's CAM, that way it will start acting as a hub. Better than ARP poisoning IMHO, however works if there are no port restrictions/protection on the device. Commented Apr 8, 2018 at 18:28
0

These devices most likely phone home over TLS so if you want to go down the arp spoof route you would have to use sslstrip in order to actually see the traffic.

I would recommend arpspoof + sslstrip and some additional iptable commands to get this up and running.

For example:

  1. Enable IP forwarding in Linux (as the packages you are interested in do not have your IP as destination)

    sudo echo 1 > /proc/sys/net/ipv4/ip_forward

  2. Make sure the packages you are interested in go through sslstrip in order for you to actually see the non-encrypted content:

    sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

    sudo iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 10000

  3. Poison the target IoT device's arp table

    arpspoof -t X.X.X.X -r A.A.A.A

    Where X.X.X.X is the IoT device IP and A.A.A.A is the gateway IP of the given network.

  4. Monitor the traffic with wireshark using the following filter:

    ip.addr == X.X.X.X && http

If you have the possiblity to enter a proxy in the IoT device I would recommend burpsuite and their http proxy/intercept solution.

Improve this answer
1
  • sslstrip would only help if the device is willing to talk HTTP. Are there a lot of IoT devices that support both HTTP and HTTPS? I know there's a lot of crud out there, but having support for both seems bizarre. Commented Jul 8, 2018 at 22:23
0

I've previously used Linux and Ettercap to sniff packets and do exactly what you have mentioned.

I remember disabling proxy back then. If you are sniffing your own devices, it doesn't really matter to be honest.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.