How To sniff anyone's FON login


September 2006

Update (2006-11-05): It's basically fixed now, every time you login a random password is generated.

I'll describe how you can get anyone's username and password by sniffing the unencrypted WLAN traffic.
On Sep 06, 2006 I posted the idea (technical details) on the FON forums (Backup) and mailed a notice to Martin and the FON support.

Requirements:

To really sniff logins from other people you'll need a WLAN card which supports monitor mode.
To simulate this under real conditions you'll need your FON router, a computer which will sniff the WLAN traffic and another computer which will log in to your FON router.
But even with only one WLAN device and your FON router you can still test it.
In addition to the hardware you'll need a program which can sniff traffic and dump it into a file (pcap format).
I used Ethereal; it's available for Linux and Windows.

How To:

Notice: If you only have one WLAN device, skip steps 1-7; you can still sniff your own connection as proof that the login can be obtained from the WLAN traffic alone.
I'll describe how to sniff logins with Linux; it's theoretically possible with Windows too, but don't ask me how to set your WLAN device to monitor mode under Windows.

Of course you can sniff your own WLAN traffic with Windows too.

1) Boot your Linux (KDE). I used the BackTrack Live CD.
2) If your WLAN card wasn't detected automatically you have to install it manually.
To see whether your card was installed successfully run iwconfig; it should look similar to this:

As you can see, my WLAN device is eth0.
3) You have to set your card to monitor mode.
Monitor mode means that your card is just listening for any packets; it's also known as "passive mode" or "promiscuous mode".
It's done with iwconfig <device> mode monitor
4) You should set your WLAN card to a fixed channel, otherwise your card will hop between the channels and probably some packets will be lost.
To set a channel use iwconfig <device> channel <channel>
5) Your card should be configured properly. Bring it up now: ifconfig <device> up
6) To make sure it's working: iwconfig <device>
Your shell should look similar to this:

Don't worry if all the LEDs of your card are off, that might be normal.

7) It's time for the sniffer now.
Start Ethereal and click on "List the available capture interfaces..." at the top left

8) You see a list of all your interfaces, select "Prepare" for your interface.

9) You should see the Capture Options screen, make sure "Capture packets in promiscuous mode" is selected.
You should set "Capture Filter" to tcp; that will decrease the size of your log file.
Additionally, you can select "Update list of packets in real time" and "Automatic scrolling in live capture".

Now just click on "Start".
This Capture Status window should pop up:

All WLAN traffic should be captured now!

10a, two or more WLAN computers) Open a browser on another computer (make sure it's opened after you started packet capturing) and log in to any FON Access Point.
I suggest using a temporary Friends and Family login, because somebody could already be sitting in front of your house sniffing your login ;).
Your Ethereal computer should have captured several packets now.
10b, only one WLAN computer) Open a browser on your computer (make sure it's opened after you started packet capturing) and log in to any FON Access Point.
Again, use a temporary Friends and Family login for the same reason.
Ethereal should have captured several packets now.
11) Click on "Stop" in the Ethereal Capture Status window.
12) Go to "File/Save As" and save the capture log to e.g. "fon.pcap". Make sure that File type is set to "libpcap (tcpdump, Ethereal, etc.)".

13) Now you just need to go to http://fon.freddy.eu.org/pcap-decoder/ and submit your capture log file (fon.pcap).
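The update at the top says FON fixed this by generating a random password for every login. As an added example (not from the original post and not FON's code), here is a small Python model of why a per-login, single-use credential defeats this kind of sniffing: a credential copied from the open WLAN cannot be replayed once the legitimate login has used it. Class and method names are my own.

```python
import hashlib
import hmac
import secrets
import time


class OneTimeLoginTokens:
    """Issue a fresh random credential for every login and accept each one once.

    Hypothetical model (not FON's code) of the fix in the 2006-11-05 update:
    because the credential that crosses the open WLAN is single-use and
    short-lived, a copy captured by a sniffer is worthless after the
    legitimate login completes.
    """

    def __init__(self, ttl_seconds=60):
        self._ttl = ttl_seconds
        # Only a hash of each token is stored, so a leaked table reveals no tokens.
        self._pending = {}  # sha256(token) -> (username, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        """Generate a new random credential for this login attempt."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (username, now + self._ttl)
        return token

    def redeem(self, username, token, now=None):
        """Accept a credential exactly once; any later replay fails."""
        now = time.time() if now is None else now
        # pop() removes the entry on the first attempt, so a sniffed copy
        # presented afterwards finds nothing to match.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False
        expected_user, expiry = entry
        same_user = hmac.compare_digest(expected_user.encode(), username.encode())
        return same_user and now <= expiry

    def pending_count(self):
        """Number of issued credentials not yet used."""
        return len(self._pending)
```

Compare this with the 2006 behaviour the post describes, where the same username and password were sent on every login and so remained valid for anyone who captured them.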

Copyright 2006 Frederik Kriewitz