Please consult the detailed guide on setting up your own Snifflab network here: https://openeffect.ca/snifflab-an-environment-for-testing-mobile-devices/
Researchers and end-users alike often want to know what data their mobile device sends, and to whom. Unfortunately, monitoring a phone to find out is not simple. Packet capture software on Android generally requires a rooted device, and even then it is awkward to use and to export the saved data from, and there are no applications to capture packets on iOS. Our motivation for building the test environment described here is to make packet capture easy for any device with a WiFi connection, with very little configuration needed on the client.
How it works
In our environment, dubbed Snifflab, a researcher simply connects to the Snifflab WiFi network, is prompted to install a custom certificate authority on the device, and can then use the device as needed for the test.
Snifflab architecture
All traffic on the network is logged by a Raspberry Pi dedicated to that task ("PCAP Collecting Machine" in the Figure). The traffic is copied by a Great Scott Gadgets Throwing Star LAN Tap, a passive tap that lets frames pass through to their destination while mirroring them to our Raspberry Pi. (A passive tap of this kind presents each direction of the link on a separate monitor port, so a collector has to capture on both ports to see both halves of a conversation, and the tapped link is limited to 10/100 Mbit/s.) The Pi continually collects packet data, starting a new packet capture (pcap) file at a regular interval or once the active file reaches a configurable size. Saved files are regularly transferred to another machine ("Backup Machine") for persistent storage. Users with SSH access to the Pi can also restart the pcap service manually, which closes the active file and gives immediate access to the packets captured so far instead of waiting for the interval.
The custom certificate authority that each client must install is what lets the proxy server ("MITM Proxy Machine"), through which Snifflab routes its traffic, intercept HTTPS requests to the outside world: the proxy terminates each TLS connection with a certificate generated on the fly and signed by that CA, then re-encrypts the request on its own connection to the real server. This is what allows the researcher to later decrypt most of the captured traffic sent over HTTPS. Two caveats apply: decrypting the captures afterwards still requires the proxy's private key material (or a TLS key log) alongside the pcaps, and apps that pin their server's certificate will reject the proxy's certificate, so their traffic either stays encrypted or never completes.
On the backup machine, the researcher has access to all previously collected PCAPs, organized into folders by date, with each file named by the unix time at which the capture began.
The researcher may then open the collected PCAP(s) in Wireshark or their utility of choice to analyze and decrypt the traffic.
A packet capture (pcap) is a widely used file format for storing low-level records of network transmissions. The packet is the basic unit of data transmission on a network: to send a message from one computer to another, networking software splits the message into packets, each carrying headers that, among other things, identify the source and destination and carry the sequencing information needed to reassemble the packets correctly at the destination. A pcap file is a collection of packets observed on a network, together with a timestamp and length for each. pcaps are created by software that "listens" on one or more network interfaces of a given device and dumps every packet it sees into a pcap file for later analysis; for example, one could listen on a computer's WiFi interface, its ethernet interface, or both.
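What a pcap file actually contains, shown by a minimal reader for the classic format. This is an added example, not Snifflab's own code or Wireshark's: it decodes the 24-byte global header, walks the 16-byte per-packet record headers (timestamp, captured and original length), and for Ethernet/IPv4 frames extracts the source and destination addresses, IP identification field, protocol and ports that the text describes packets as carrying. The sample capture is constructed in memory with made-up addresses so the script runs offline.

```python
"""Minimal reader for the classic pcap file format.

Added example for this post, not Snifflab's own code. It decodes the 24-byte
global header, walks the 16-byte per-packet record headers, and for
Ethernet/IPv4 frames pulls out the addresses, protocol and ports that the
text describes packets as carrying. The sample capture is constructed in
memory with made-up addresses so the script runs offline.
"""
import socket
import struct

MAGIC_USEC = 0xA1B2C3D4   # timestamps carry a microsecond fraction
MAGIC_NSEC = 0xA1B23C4D   # timestamps carry a nanosecond fraction
LINKTYPE_ETHERNET = 1


def parse_pcap(data):
    """Yield one dict per packet record in a pcap byte string.

    The magic number reveals the writer's byte order and timestamp precision;
    every later integer in the file is decoded with the same byte order.
    Truncated or inconsistent records raise ValueError instead of being
    silently skipped.
    """
    if len(data) < 24:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (bad magic)")
    frac_div = 1e9 if magic == MAGIC_NSEC else 1e6
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])

    offset, index = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        start, end = offset + 16, offset + 16 + incl_len
        if incl_len > orig_len or end > len(data):
            raise ValueError("truncated or corrupt packet data at offset %d" % start)
        pkt = {"index": index, "timestamp": ts_sec + ts_frac / frac_div,
               "captured_len": incl_len, "original_len": orig_len}
        if linktype == LINKTYPE_ETHERNET:
            pkt.update(parse_ethernet_ipv4(data[start:end]))
        yield pkt
        offset, index = end, index + 1


def parse_ethernet_ipv4(frame):
    """Decode Ethernet II + IPv4 (+ TCP/UDP ports); returns whatever it could decode."""
    if len(frame) < 14:
        return {}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]), "ethertype": ethertype}
    if ethertype != 0x0800 or len(frame) < 34 or frame[14] >> 4 != 4:
        return info
    ihl = (frame[14] & 0x0F) * 4           # IP header length in bytes, 20 without options
    if ihl < 20 or len(frame) < 14 + ihl:
        return info
    ip = frame[14:14 + ihl]
    info.update({
        "ip_id": struct.unpack("!H", ip[4:6])[0],   # identification field, used for fragment reassembly
        "protocol": ip[9],                          # 6 = TCP, 17 = UDP
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
    })
    l4 = frame[14 + ihl:]
    if ip[9] in (6, 17) and len(l4) >= 4:           # TCP and UDP both begin with src/dst port
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
    return info


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_sample_pcap(byte_order="<"):
    """Construct a two-packet HTTP exchange (made-up addresses) as pcap bytes."""
    def tcp_frame(src, dst, sport, dport, payload):
        eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                         0x4000, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
        return eth + ip + tcp + payload
    frames = [
        (1440000000, 250000, tcp_frame("192.168.4.23", "203.0.113.10", 51234, 80, b"GET / HTTP/1.1\r\n")),
        (1440000000, 500000, tcp_frame("203.0.113.10", "192.168.4.23", 80, 51234, b"HTTP/1.1 200 OK\r\n")),
    ]
    out = struct.pack(byte_order + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in frames:
        out += struct.pack(byte_order + "IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def summarize(data):
    """(src, dst, protocol, captured_len) per packet: the first view one wants of a capture."""
    return [(p.get("src"), p.get("dst"), p.get("protocol"), p["captured_len"]) for p in parse_pcap(data)]


if __name__ == "__main__":
    for pkt in parse_pcap(build_sample_pcap()):
        print(pkt)
```

The reader deliberately refuses files whose record lengths do not add up; a capture cut short by a power loss on the Pi shows up as a ValueError at the last record rather than as silently missing packets. It handles only the classic pcap format, not the pcapng format that newer Wireshark versions write by default.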