The Interceptor: a free network tap

The Interceptor is a wired network tap which passes network data out over a wireless network so it can be sniffed on a network device on a remote machine.

First, the two wired NICs on the Fon+ are bridged. This allows it to be placed in-line on any network and the data to flow freely. Ideally the bridge doesn’t have an IP address, so it can’t accidentally interfere with any traffic flowing through it. From simple experiments, the bridge doesn’t alter the TTL but does increase the time the data takes to flow between the machines.
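The paragraph above wants the bridge to carry no IP address. As an added example (not code from the Interceptor project), this shell check parses `ip -o addr show` output and reports any address still bound to the bridge; the interface name `br-tap` and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the Interceptor project's code. The interface name
# "br-tap" and every sample line below are constructed for illustration.

# list_addrs IFACE: read `ip -o addr show` output on stdin and print
# "family address/prefix" for each IPv4 or IPv6 address bound to IFACE.
list_addrs() {
    awk -v ifc="$1" \
        '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# check_bridge IFACE: print a verdict; return 0 only if IFACE has no address.
check_bridge() {
    found=$(list_addrs "$1")
    if [ -z "$found" ]; then
        echo "$1: no addresses assigned"
        return 0
    fi
    echo "$1: addresses present:"
    printf '%s\n' "$found" | sed 's/^/  /'
    return 1
}

# Constructed sample 1: bridge holding an IPv4 and an IPv6 link-local address.
SAMPLE_ADDRESSED='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: br-tap    inet 192.0.2.10/24 brd 192.0.2.255 scope global br-tap\       valid_lft forever preferred_lft forever
4: br-tap    inet6 fe80::200:5eff:fe00:5301/64 scope link \       valid_lft forever preferred_lft forever'

# Constructed sample 2: IPv4 removed, but the link-local address that Linux
# adds automatically when IPv6 is enabled on the interface is still there.
SAMPLE_LINKLOCAL='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: br-tap    inet6 fe80::200:5eff:fe00:5301/64 scope link \       valid_lft forever preferred_lft forever'

# Constructed sample 3: no address of either family on the bridge.
SAMPLE_CLEAN='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever'

# Run the check over the three samples; on a live device the input would
# come from: ip -o addr show | check_bridge br-tap
for sample in "$SAMPLE_ADDRESSED" "$SAMPLE_LINKLOCAL" "$SAMPLE_CLEAN"; do
    printf '%s\n' "$sample" | check_bridge br-tap || true
done
```
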

This project has been built and tested on a Fon+ but should in theory work on any device which will run OpenWrt and has at least a pair of wired interfaces and a wireless one.

Possible uses

This isn’t intended to be a permanent, in-situ device. It is designed for short-term troubleshooting or information gathering on low-usage networks. As such, it will work well between a printer and a switch but not between a switch and a router. Here are some possible situations for use:

  • Penetration testing – If you can gain physical access to a target’s office, drop the device between the office printer and switch, then sit in the carpark and collect a copy of all documents printed. Or, get an appointment to see a boss and, when he leaves the room to get you a drink, drop it on his computer. The relatively low cost of the Fon+ means the device can almost be considered disposable and, if branded with the right stickers, most users wouldn’t think about an extra small box on the network.
  • Troubleshooting – For sys-admins who want to monitor an area of network from the comfort of their desks, just put it in place and fire up your wireless.
  • IDS – If you want to see what traffic is being generated from a PC without interfering with the PC, simply add the Interceptor and sit back and watch. As the traffic is cloned to a virtual interface on your monitoring machine, you can use any existing tools to scan the data.
