the Interceptor
What is the Interceptor?
The Interceptor is a wireless wired network tap. Basically, a network tap is a way to listen in to network traffic as it flows past. I haven't done extensive research but all the ones I found when looking passed the copy of the traffic onto a specified wired interface which was then plugged into a machine to allow a user to monitor the traffic. The problem with this is that you have to be able to route the data from that wired port to your monitoring machine either through a direct cable or through an existing network. The direct cable method means your monitor has to be near by the location you want to tap, the network routing means you have to somehow encapsulate the data to get it across the network without it being affected on route.
The Interceptor does away with the wired monitor port and instead spits out the traffic over wireless meaning the listener can be anywhere they can make a wireless connection to the device. As the data is encrypted (actually, double encrypted, see how it works) the person placing the tap doesn't have to worry about unauthorized users seeing the traffic.
See here for more information on how it works.
What Hardware Is Required
This project has been built and tested on a Fon+ but should in theory work on any device which will run OpenWrt and has at least a pair of wired interfaces and a wireless one.
Possible Uses
This isn't intended to be a permanent, in-situ device. It is designed for short term trouble shooting or information gathering on low usage networks, as such, it will work well between a printer and a switch but not between a switch and a router. Here are some possible situations for use:
- Penetration testing - If you can gain physical access to a targets office drop the device between the office printer and switch then sit in the carpark and collect a copy of all documents printed. Or, get an appointment to see a boss and when he leaves the room to get you a drink, drop it on his computer. The relative low cost of the Fon+ means the device can almost be considered disposable and if branded with the right stickers most users wouldn't think about an extra small box on the network.
- Troubleshooting - For sys-admins who want to monitor an area of network from the comfort of their desks, just put it in place and fire up your wireless.
- IDS - If you want to see what traffic is being generated from a PC without interfering with the PC simply add the Interceptor and sit back and watch. As the traffic is cloned to a virtual interface on your monitoring machine you can use any existing tools to scan the data.
I'm sure there are plenty more uses, if you come up with any good ones, let me know.
Download
The Interceptor comes as a single tarball which can be downloaded from here.
It also requires a number of extra packages to be installed on a base OpenWrt install, they can be found on the OpenWrt download page.
Install Notes
There are two sets of install notes, a basic set and a detailed walk-through set. The basic set is the standard set of notes that comes with most packages, the detailed set is a full walk through from flashing the Fon+, installing dependencies, installing Interceptor, starting up and monitoring traffic and finally shutting it down. Most people should find the basic set sufficient but the detailed set are useful if you have any problems.
Limitations
The main limitation is bandwidth, the wired network can get up to 100Mb/s but the top speed of the wireless is 54Mb/s, add on to that the overhead of encryption and that rate drops down further. This is why the Interceptor won't work well on high traffic parts of the network.
From tests I've done, under high load the network seems to stay up and stable but not all traffic ends up on the monitor interface. I haven't done any research to find out where the traffic is being dropped, it could be DaemonLogger, the AP or at the VPN. This is good as it means the device doesn't affect the smooth running of the network but obviously means you may miss some important data. Be aware of this when working with the device.
The software has no fail safe in case of problems. If the hardware or software fails the network connection being tapped will probably be lost. Don't use the Interceptor in situations where uptime is critical without knowing what you are doing.
Support
If you have any problems or questions you can either drop me an email or visit the Hak5 forums.
Licence
The Interceptor is released under a Creative Commons licence, view the terms for more information.
Thanks
I'd like to say a big thanks to everyone who has helped me putting this project together, especially the Hak5 crew.