
Create MITM Test Environment Using Snifflab

Snifflab is a technical test environment for capturing and decrypting WiFi data transmissions. Snifflab creates a WiFi hotspot that continually collects all the packets sent over it. All connected clients' HTTPS communications are subjected to a "man-in-the-middle" attack, so that they can later be decrypted for analysis. This article presents a brief overview of Snifflab and how to create a MITM test environment using it.




Motivation


Researchers and end-users alike often try to understand what data their mobile device is sending to third parties. Unfortunately, monitoring one's phone to see what data is sent, and to whom, is not exactly simple. Using packet capture software on Android is impossible without first rooting the device, and even then the captured data is hard to use and export. There are no applications to capture packets on iOS.


How it works


A researcher simply connects to the Snifflab WiFi network, is prompted to install a custom certificate authority on the device, and can then use their device as needed for the test.


All traffic on the network is logged by a Raspberry Pi dedicated to that task ("PCAP Collecting Machine" in the Figure). The traffic is cloned by a Great Scott Gadgets Throwing Star LAN Tap, which routes it both to its destination and to the Raspberry Pi. The Pi continually collects packet data, creating new packet capture (pcap) files at a regular interval, or once the active file reaches a configurable size. Saved files are regularly transferred to another machine ("Backup Machine") for persistent storage. Users with SSH access to the Pi can also manually restart the pcap service to get instant access to the captured packets instead of waiting for the interval.


The custom certificate that each client must install enables the proxy server ("MITM Proxy Machine"), through which Snifflab routes its traffic, to intercept HTTPS requests to the outside world and re-encrypt them using certificates generated on the fly. This allows the researcher to later decrypt most captured network traffic sent over HTTPS.


On the backup machine, the researcher has access to all previously collected PCAPs, organized into folders by date, with each file named by the unix time at which the capture began.


The researcher may then open the collected PCAP(s) in Wireshark or their utility of choice to analyze and decrypt the traffic.


Using the SNIFFLab MITM Environment


SNIFFlab.py -h
-i (specify the network interface)
-s (specify the file size limit)
-t (specify the time interval, in seconds, between new PCAP files)
-f (specify a filename suffix to append to each PCAP)
-u (specify a ssh username for a remote backup)
-h (specify a ssh host for remote backup)
-p (specify the path on the remote host for backup)
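As an added example, not Snifflab's own code, the following Python sketch shows how the options above (interface, size limit, interval, suffix, SSH user/host/path) map onto tcpdump's built-in rotation flags and onto the per-date backup layout described earlier. The function names, the local capture directory and the use of ssh/scp for the transfer are assumptions.

```python
import re
from datetime import datetime, timezone
from pathlib import PurePosixPath


def build_capture_cmd(iface, size_mb, interval_s, suffix, out_dir="/var/pcap"):
    """Build a tcpdump argv that rotates capture files the way the -t and -s
    options describe: a new file every `interval_s` seconds (-G), or once the
    active file reaches `size_mb` million bytes (-C).  The strftime token %s
    in the -w pattern names each file by the unix time at which that file
    began.  When -G and -C are combined, tcpdump appends a counter to files
    that rotate on size within one interval."""
    pattern = f"{out_dir}/%s{suffix}.pcap"
    return ["tcpdump", "-n", "-i", iface,
            "-G", str(interval_s),
            "-C", str(size_mb),
            "-w", pattern]


def archive_path(pcap_name, remote_root):
    """Map a rotated file such as '/var/pcap/1700000000_lab.pcap' onto the
    backup machine's layout: <remote_root>/YYYY-MM-DD/<file name>, where the
    day folder is derived from the leading unix timestamp (UTC)."""
    stem = PurePosixPath(pcap_name).name
    epoch = int(re.match(r"\d+", stem).group())
    day = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")
    return f"{remote_root.rstrip('/')}/{day}/{stem}"


def build_backup_cmds(pcap_name, user, host, remote_root):
    """Build the two commands that move a finished capture to the backup
    machine (hypothetical transfer step): create the day folder over SSH,
    then copy the file with scp."""
    dest = archive_path(pcap_name, remote_root)
    day_dir = dest.rsplit("/", 1)[0]
    return [
        ["ssh", f"{user}@{host}", "mkdir", "-p", day_dir],
        ["scp", pcap_name, f"{user}@{host}:{dest}"],
    ]


if __name__ == "__main__":
    # Constructed sample values; nothing is executed, only printed.
    print(" ".join(build_capture_cmd("wlan0", 100, 600, "_lab")))
    for cmd in build_backup_cmds("/var/pcap/1700000000_lab.pcap",
                                 "pi", "backup.example", "/srv/pcaps"):
        print(" ".join(cmd))
```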
