Monday, February 8, 2016
How to Tap Your Network and See Everything That Happens On It by Alan Henry
Your home network is your fortress. Inside it lies tons of valuable information—unencrypted files, personal, private data, and perhaps most importantly, computers that can be hijacked and used for any purpose. Let's talk about how you can, with the power of evil, sniff around your home network to make sure you don't have any uninvited guests.
This post is part of our Evil Week series at Lifehacker, where we look at the dark side of getting things done. Knowing evil means knowing how to beat it, so you can use your sinister powers for good. Want more? Check out our evil week tag page.
In this post, we'll show you how to map out your network, take a peek under the covers to see who's talking to what, and how to uncover devices or processes that may be sucking down bandwidth. In short: You’ll be able to recognize the signs that something on your network is compromised. We'll assume you're familiar with some networking basics, like how to find your router's list of devices and what a MAC address is. If not, head over to our Know Your Network night school to brush up first.
Before we go any further, though, we should issue a warning: Use these powers for good, and only run these tools and commands on hardware or networks you own or manage. Your friendly neighborhood IT department wouldn't like you port scanning or sniffing packets on the corporate network, and neither would all the people at your local coffee shop. As with every evil week post, the point is to teach you how it's done so you can do it yourself and protect yourself—not exploit others.
Before you even log onto your computer, write down what you think you know. Start with a sheet of paper and jot down all of your connected devices. That includes things like smart TVs, set-top boxes, laptops and computers, tablets and phones, or any other device that might be connected to your network. If it helps, draw a map of your home, complete with rooms. Then write down every device and where it lives. You may be surprised with exactly how many devices you have connected to the internet at the same time.
Network admins and engineers will recognize this step—it's the first step in exploring any network you're not familiar with. Do an inventory of the devices on it, identify them, and then see if the reality matches up with what you expect. If (or when) it doesn't, you'll be able to quickly eliminate what you do know from what you don't know. You may be tempted to just log in to your router and look at its status page to see what's connected, but don’t do that yet. Unless you can identify everything on your network by its IP and MAC address, you'll just get a big list of stuff—one that includes any intruders or freeloaders. Take a physical inventory first, then move on to the digital one.
Once you have a physical map of your network and a list of all of your trusted devices, it's time to go digging. Log in to your router and check its list of connected devices. That'll give you a basic list of names, IP addresses, and MAC addresses. Remember though, your router's device list may or may not show you everything. It should, but some routers only show you devices that got their IP address from the router, so a device with a manually set address can be missing. Either way, keep that list to the side—it's good, but we want more information.
Next, we're going to turn to our old friend nmap. For those unfamiliar, nmap is a cross-platform, open source network scanning tool that can find which devices are on your network, along with a ton of detail on those devices. You can see the operating system in use, IP and MAC addresses, and even open ports and the services behind them. Download nmap here, check out these install guides to set it up, and follow these instructions to discover hosts on your home network.
In my case, I installed and ran it from the command line (if you want a graphical interface, Zenmap usually comes with the installer), then told nmap to scan the IP range I'm using for my home network. It found most of the active devices on my home network, excluding a few I have some enhanced security on (although those were discoverable too with some of nmap's commands, which you can find in the link above.)
Compare nmap's list with your router's list. You should see the same things (unless something you wrote down earlier is powered off now). If you see something on your router that nmap didn't turn up, try using nmap against that IP address directly. Then, based on what you know, look at the information nmap found about the device. If it's claiming to be an Apple TV, it probably shouldn't have services like http running, for example. If it looks strange, probe it specifically for more information, like I did in the screenshot above. I noticed one of my machines was rejecting ping requests, which made nmap skip over it. I told nmap to just probe it anyway, and sure enough it responded.
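As an added example (not from the article or the nmap project), here is how that comparison can be scripted once you've saved nmap's normal output to a file: it pulls each host's IP, MAC, vendor and open services out of the report and checks them against the inventory you wrote down, keyed by MAC. The sample output, the MACs and the inventory below are constructed.

```python
import re

# Constructed sample in the shape of nmap's normal output (not a real scan): one inventoried
# device exposing a service it shouldn't, and one host the paper inventory knows nothing about.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.1.20
PORT     STATE SERVICE
80/tcp   open  http
3689/tcp open  rendezvous
MAC Address: AA:BB:CC:00:00:02 (Apple)
Nmap scan report for 192.168.1.77
PORT     STATE SERVICE
22/tcp   open  ssh
5432/tcp open  postgresql
MAC Address: AA:BB:CC:00:00:03 (Unknown)
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)$")

# Your paper inventory: MAC -> (label, services that device legitimately exposes). Constructed.
INVENTORY = {"AA:BB:CC:00:00:02": ("living-room Apple TV", {"rendezvous"})}

def parse_nmap(text):
    # One dict per "Nmap scan report" block: hostname (if nmap resolved one), IP, MAC, vendor,
    # and {port: service} for every open port listed under it.
    hosts, cur = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = {"name": m.group(1), "ip": m.group(2), "mac": None, "vendor": None, "services": {}}
            hosts.append(cur)
        elif cur and (m := PORT_RE.match(line)):
            cur["services"][int(m.group(1))] = m.group(3)
        elif cur and (m := MAC_RE.match(line)):
            cur["mac"], cur["vendor"] = m.group(1), m.group(2)
    return hosts

def audit(hosts, inventory):
    # Two questions from the article: is this MAC on my list, and if so, should it be running that?
    findings = []
    for h in hosts:
        if h["mac"] not in inventory:
            findings.append((h["ip"], "not in inventory", h["vendor"], sorted(h["services"].values())))
            continue
        label, expected = inventory[h["mac"]]
        extra = sorted(set(h["services"].values()) - expected)
        if extra:
            findings.append((h["ip"], f"unexpected services on {label}", h["vendor"], extra))
    return findings
```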
Nmap is an extremely powerful tool, but it's not the easiest to use. If you're a little gun shy, you have some other options. Angry IP Scanner is another cross-platform utility that has a good-looking and easy-to-use interface that will give you a lot of the same information. Previously mentioned Who Is On My Wi-Fi is a Windows utility that offers similar features and can be set to scan in the background in case someone comes online when you're not watching. Wireless Network Watcher, again for Windows, is another utility we've mentioned with a nice interface that, despite its name, isn't limited to wireless networks.
By now, you should have a list of devices you know and trust, and a list of devices that you've found connected to your network. With luck, you're finished here, and everything either matches up or is self-explanatory (like a TV that's currently turned off, for example). However, if you see any actors you don't recognize, services running that don't correspond to the device (Why is my Roku running postgresql?), or something else feels off, it's time to do a little sniffing. Packet sniffing, that is.
When two computers communicate, either on your network or across the internet, they send bits of information called "packets" to one another. Put together, those packets create complex data streams that make up the videos we watch or the documents we download. Packet sniffing is the process of capturing and examining those bits of information to see where they go and what they contain. To do this, we'll need Wireshark. It's a cross-platform network monitoring tool that we used to do a little packet sniffing in our guide to sniffing out passwords and cookies. In this case, we'll be using it in a similar manner, but our goal isn't to capture anything specific, just to monitor what types of traffic are going around the network. To do this, you'll need to run Wireshark over Wi-Fi, in "promiscuous mode." That means it's not just looking for packets heading to or from your computer, it's out to collect any packets it can see on your network.
Once installed, open Wireshark and select your Wi-Fi adapter. Click "options" next to it, and as you see in the video above (courtesy of the folks over at Hak5), you can select "promiscuous mode" for that adapter. Once you have, you can start capturing packets. When you start the capture, you're going to get a lot of information. Luckily, Wireshark anticipates this, and makes it easy to filter.
Since we're just looking to see what the suspicious actors on your network are doing, make sure the system in question is online. Go ahead and capture a few minutes' worth of traffic for starters. Then you can filter that traffic based on the IP address of that device using Wireshark's built-in filters. Doing this gives you a quick view of who that IP address is talking to, and what information they're sending back and forth. You can right-click on any of those packets to inspect it, follow the conversation between both ends, and filter the whole capture by IP or conversation. For more, How-To Geek has a detailed guide on Wireshark filtering. You may not know what you're looking at, but that's where a little sleuthing comes in.
If you see that suspicious computer talking to a strange IP address, use the nslookup command (in the command prompt in Windows, or in a terminal in OS X or Linux) to get its hostname. That can tell you a lot about the location or type of network your computer is connecting to. Wireshark also tells you the ports being used, so Google the port number and see what applications use it. If, for example, you have a computer connecting to a strange hostname over ports often used for IRC or file transfer, you may have an intruder. Of course, if you find the device is connecting to reputable services over commonly used ports for things like email or HTTP/HTTPS, you may have just stumbled on a tablet your roommate never told you he owned, or someone next door stealing your Wi-Fi. Either way, you'll have the data required to figure it out on your own.
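An added example, not part of the original post, of the same triage done on a tshark field export of your capture (tshark ships with Wireshark). It groups packets by remote peer and port, keeping byte counts in each direction, then labels each conversation the way the article suggests; the sample packets, the suspect address and the port tables are constructed.

```python
from collections import defaultdict

SUSPECT = "192.168.1.77"  # the device you filtered on in Wireshark (constructed address)

# Constructed packet list (not a real capture) in the shape of
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e frame.len
# Fields are tab-separated; one line per packet, both directions present.
SAMPLE_FIELDS = """\
192.168.1.77\t203.0.113.9\t51522\t6667\t98
203.0.113.9\t192.168.1.77\t6667\t51522\t312
192.168.1.77\t203.0.113.9\t51522\t6667\t74
192.168.1.77\t198.51.100.4\t51530\t443\t583
198.51.100.4\t192.168.1.77\t443\t51530\t1514
192.168.1.20\t198.51.100.4\t49211\t443\t120
192.168.1.77\t203.0.113.9\t51531\t21\t66
"""

# Ports the article says deserve a second look, and ones it treats as ordinary. Extend as you learn.
SUSPICIOUS_PORTS = {21: "ftp", 6667: "irc", 6881: "bittorrent"}
ORDINARY_PORTS = {25: "smtp", 80: "http", 443: "https", 587: "submission", 993: "imaps"}

def summarize(fields_text, suspect):
    # Collapse packets into (peer, peer_port) conversations for one host, keeping direction.
    # Keying on the remote side's port is what makes the reply packets land in the same bucket.
    convs = defaultdict(lambda: {"packets": 0, "out_bytes": 0, "in_bytes": 0})
    for line in fields_text.splitlines():
        src, dst, sport, dport, length = line.split("\t")
        if suspect not in (src, dst):
            continue  # the equivalent of the Wireshark display filter ip.addr == suspect
        if src == suspect:
            key, field = (dst, int(dport)), "out_bytes"
        else:
            key, field = (src, int(sport)), "in_bytes"
        convs[key]["packets"] += 1
        convs[key][field] += int(length)
    return dict(convs)

def triage(convs):
    # Label each conversation by what the remote port is usually used for; unknown ports get looked up.
    report = []
    for (peer, port), s in sorted(convs.items()):
        if port in SUSPICIOUS_PORTS:
            verdict = "worth a look: " + SUSPICIOUS_PORTS[port]
        elif port in ORDINARY_PORTS:
            verdict = "ordinary: " + ORDINARY_PORTS[port]
        else:
            verdict = "unknown port, look it up"
        report.append((peer, port, verdict, s["packets"], s["out_bytes"] + s["in_bytes"]))
    return report
```

The peer addresses in the report are what you then feed to nslookup, as the article describes.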
Of course, not every bad actor on your network will be online and leeching away while you're looking for them. Up to this point, we've taught you how to check for connected devices, scan them to identify who they really are, and then sniff a little of their traffic to make sure it's all above board. However, what do you do if the suspicious computer is doing its dirty work at night when you're sleeping, or someone's leeching your Wi-Fi when you're at work all day and not around to check?
There are a couple of ways to address this. For one, the Who Is On My Wi-Fi application we mentioned earlier can run in the background on your Windows computer and keep an eye on who's connecting and when. It can ping you when you're not looking at it, and let you know when someone's connected to your network, which is a nice touch. You can leave it running on a computer at home, and then when you wake up or come home from work, see what happened while you weren't looking.
Your next option is to check your router's logging capabilities. Buried deep in your router's troubleshooting or security options is usually a tab dedicated to logging. How much you can log and what kind of information varies by router, but you can see in the screenshot above I can log incoming IP, destination port number, outgoing IP or URL filtered by the device on my network, internal IP address and their MAC address, and which devices on my network have checked in with the router via DHCP for their IP address (and, by proxy, which have not.) It's pretty robust, and the longer you leave the logs running, the more information you can capture.
Custom firmware like DD-WRT and Tomato (both of which we've shown you how to install) allows you to monitor and log bandwidth and connected devices for as long as you want, and can even dump that information to a text file that you can sift through later. Depending on how you have your router set up, it can even email that file to you regularly or drop it on an external hard drive or NAS. Either way, using your router's oft-ignored logging features is a great way to see if, for example, after midnight when everyone's gone to bed, your gaming PC suddenly starts crunching and transmitting a lot of outbound data, or you have a regular leech who likes to hop on your Wi-Fi and start downloading torrents at odd hours.
Your final option, and kind of the nuclear option at that, is to just let Wireshark capture for hours—or days. It's not unheard of, and many network administrators do it when they're really analyzing strange network behavior. It's a great way to pin down bad actors or chatty devices. However, it does require leaving a computer on for ages, constantly sniffing packets on your network, capturing everything that goes across it, and those logs can take up a good bit of space. You can trim things down by filtering captures by IP or type of traffic, but if you're not sure what you're looking for, you'll have a lot of data to sift through when you're looking at a capture over even a few hours. Still, it will definitely tell you everything you need to know.
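As an added example (not the article's), assuming your router's DHCP server is dnsmasq (which DD-WRT and Tomato use) and you've dumped its log to a text file, this parses the lease acknowledgements and flags hardware that isn't on your inventory as well as known machines checking in during the hours everyone is asleep. The log lines, MACs and hostnames are constructed.

```python
import re
from datetime import datetime, time

# Constructed log lines (not real leases) in the style dnsmasq, the DHCP server inside DD-WRT and
# Tomato, writes. Other routers log differently, so LINE_RE is the part you'd adapt.
SAMPLE_LOG = """\
Feb  7 22:03:11 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.20 aa:bb:cc:00:00:02 apple-tv
Feb  8 01:47:52 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.99 aa:bb:cc:00:00:09 android-a1b2
Feb  8 02:12:05 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.30 aa:bb:cc:00:00:04 gaming-pc
Feb  8 07:30:44 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.20 aa:bb:cc:00:00:02 apple-tv
Feb  8 03:05:19 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.99 aa:bb:cc:00:00:09 android-a1b2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPACK\(\S+\) (?P<ip>\S+) (?P<mac>[0-9a-f:]{17})(?: (?P<name>\S+))?$")

# The MACs from your paper inventory (constructed), and the window when nobody should be joining.
KNOWN_MACS = {"aa:bb:cc:00:00:02": "living-room Apple TV", "aa:bb:cc:00:00:04": "gaming PC"}
QUIET_HOURS = (time(0, 0), time(6, 0))

def parse_leases(log_text, year=2016):
    # Syslog timestamps carry no year, so the caller supplies it. Returns (when, ip, mac, hostname).
    leases = []
    for line in log_text.splitlines():
        if m := LINE_RE.match(line):
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            leases.append((when, m["ip"], m["mac"], m["name"]))
    return leases

def review(leases, known, quiet):
    # Two things the article says to look for in the log: hardware you never wrote down, and
    # known machines that are active when the house is asleep.
    findings = []
    for when, ip, mac, name in sorted(leases):
        label = known.get(mac)
        if label is None:
            findings.append((when.isoformat(), ip, mac, f"unknown device '{name}'"))
        elif quiet[0] <= when.time() < quiet[1]:
            findings.append((when.isoformat(), ip, mac, f"{label} active during quiet hours"))
    return findings
```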
In all of these cases, once you have enough data logged, you'll be able to find out who's using your network, when, and if their device matches up with the network map you made earlier.
If you've followed along to here, you've identified the devices that should be able to connect to your home network, the ones that actually connect, identified the differences, and hopefully figured out if there are any bad actors, unexpected devices, or leeches hanging around. Now all you have to do is deal with them, and surprisingly, that's the easy part.
Wi-Fi leeches will get the boot as soon as you lock down your router. Before you do anything else, change your router's password, and turn off WPS if it's turned on. If someone's managed to log directly into your router, you don't want to change other things only to have them log in and regain access. Make sure that you use a good, strong password that's difficult to brute force. Then, check for firmware updates. If your leech has made use of an exploit or vulnerability in your router's firmware, this will keep them out—assuming that exploit's been patched, of course. Finally, make sure your wireless security mode is set to WPA2 (because WPA and WEP are very easy to crack) and change your Wi-Fi password to another good, long password that can't be brute-forced. Then, the only devices that should be able to reconnect are ones you give the new password to.
That should take care of anyone leeching your Wi-Fi and doing all their downloading on your network instead of theirs. It'll help with wired security, too. If you can, you should also take a few additional wireless security steps, like turning off remote administration, disabling UPnP, and of course, seeing if your router supports Tomato or DD-WRT.
For bad actors on your wired computers, you have some hunting to do. If it's actually a physical device, it should have a direct connection to your router. Start tracing cables and talking to your roommates or family to see what's up. Worst case, you can always log back onto your router and block that suspicious IP address entirely. The owner of that set-top box or quietly plugged-in computer will come running pretty quickly when it stops working.
The bigger worry here though, is compromised computers. A desktop that's been hijacked and joined to a botnet for overnight Bitcoin mining, for example, or a machine infected with malware that calls home and sends your personal information to who-knows-where, can be bad. Once you narrow your search to specific computers, it's time to root out where the problem lies on each machine. If you're really worried, take the security engineer's approach to the problem: Once your machines are owned, they're no longer trustworthy. Blow them away, reinstall, and restore from your backups. (You do have backups of your data, don't you?) Just make sure you keep an eye on the PC afterwards—you don't want to restore from an infected backup and start the process all over again.
If you're willing to roll up your sleeves, you can grab yourself a solid antivirus utility and an antimalware on-demand scanner (yes, you'll need both), and try to clean the computer in question. If you saw traffic for a specific type of application, look to see whether it's malware or just something someone's installed that's behaving badly. Keep scanning until everything turns up clean, and keep checking the traffic from that computer to make sure everything's okay.
We've only really scratched the surface here when it comes to network monitoring and security. There are tons of specific tools and methods that experts use to secure their networks, but these steps will work for you if you're the network admin for your home and family.
Rooting out suspicious devices or leeches on your network can be a long process, one that requires sleuthing and vigilance. Still, we're not trying to drum up paranoia. Odds are you won't find anything out of the ordinary, and those slow downloads or crappy Wi-Fi speeds are something else entirely. Even so, it's good to know how to probe a network and what to do if you find something unfamiliar. Just remember to use your powers for good.
Title photo made using Christos Georghiou. Additional images by Thomas van de Weerd and Linux Screenshots.