Physical wiretapping for beginners

Sniffing traffic on a network is fun but getting a physical connection in the first place can be just as interesting, especially when you want to extract information from a cabled network but can't simply plug into it. Wiretapping is a way of tapping into a network wire, hence the name, that is already connected to a device on each end. The term originally meant tapping into a phone line but in this case we'll be taking a closer look at a Cat6 ethernet cable.

Required hardware

For simplicities sake and because the spare hardware I had laying around fit the purpose, we'll be tapping into a 100Mbit connection. This is only important if you are trying this on a gigabit connection, in which case you will have to cut a few wires. In any case, don't try this in your production environment.

If you want to follow along and tap your own network, you'll need the following things:

  • A physical server (like my desktop)
  • A physical client (like my rpi)
  • A physical network (any switch, hub or possibly home router should suffice – just pretend you can't simply plugin your notebook)
  • A notebook to attach to the network tap
  • At least three ethernet cables
  • A punch down keystone block/jack – you can get this one off amzn or ebay.
  • A sharp knife, some tape and the hardware/network/cable owners permission.

Other than that, some form of server/client software that will constantly send messages back and forth will be needed. For the sake of this post, I wrote these python scripts.

The goal

I've created a very simplistic setup using an old 100Mbit netgear switch, my desktop and an old rPI. Except for the tower, which is obviously standing under the desk, you can see the setup in this picture.

img-wiretap-setup

The plan is to listen in on the conversation that the desktop (server) and the rPI (client) are having, without interrupting the connection. To do so we will cut open the wire between the switch and the client and hook up our laptop so we can listen in on the transferred data.

The know-how

But before we start cutting, here is a little information on ethernet cables and their internal wires. In this case, we care less about which Cat version we're using but we do care of which type our cables are, TIA-568A or TIA-568B.

img-rj45a-wiresimg-rj45b-wires

In most cases today, you'll be using a TIA-568B which means that the internal cables are like the ones shown in the second image. If you are using a A-type cable, you need to mind the crossed wires. Just follow the markings printed on the punch down keyblock and you should be fine.

img-wiretap-cable-type

Now that we know what the two ethernet type cables look like, let's inspect the punch down keystone block, which I will refer to as connector from now on.

img-wiretap-punchdown-block

As you can see, the connector has two different color markings, one for A-type cables and one for B-types. Since we're using a B-type ethernet cable, we'll be connecting the cables according to the B-type color code.

Cutting the wire

Enough theory, let's cut one of those cables open and see what's inside. Use your knife and a solid underground and make two cuts half way around the cable about 5cm (~2") apart from each other, but be careful not to cut any of the wires. Then connect the two cuts alongside the cable. The easiest way to do this without damaging the wires is to push the tip of the knife from one cut towards the other while pointing the cutting edge away from the cable.

Once you're done, the cable connecting the client to the switch should look something like this.

img-wiretap-cable-cut-open

Now it's time to choose the right cable pair. Ethernet cables up to 100Mbit transfer over the orange and green cable pairs.

Transmit: orange (-), orange-white (+)
Receive: green (-), green-white (+)

If you find yourself on a Gbit connection all four pairs are utilized. You can bypass this by cutting the blue and brown pairs, effectively forcing the connection to fall back to 100Mbit. This will require the connection to re-establish itself though, so it won't be without interference.

Since we are tapping in to the client cable, we have to think from the clients perspective in regards to cable colors. The orange pair is used for transmitting data, in other words everything that is sent from the client to the server. The green pair on the other hand is used to receive data that is sent from the server to the client. Keep that in mind when you are trying to listen in on a specific flow direction of the traffic.

Hey, listen!

For now, let's listen in on what the client has to say. Take the orange wire pair and untwist it as good as possible. Than connect your notebook to the connector and start your sniffing software, for example tcpdump, so we can see when the tap is successful.

$ sudo tcpdump -i eth0

Next locate the correct wire slot on the connector for each of the wires and push them down to the bottom.

img-wiretap-connect-block

Tcpdump should tell you immediately, once you get a connection. If both wires are pushed down and you still don't receive any data, pull one out and push it back down. Then do the same for the other wire and repeat the process for each of the wires until you have a connection. If all fails, try to remove some of the isolation with the knife.

img-wiretap-tcpdump

As you can see, the client (192.168.0.102) is connecting to the server (192.168.0.102) and they're happily chatting with each other. Obviously the tcpdump command should be tweaked to fit your scenario, for example by filtering for a certain port and writing the results to a file. If you're new to tcpdump, check out @r_paranoid's post for reference.

No harm done?

Here is what my wires looked like afterwards. Since I was lucky enough to get a connection on the first try, the damage is almost minimal. Of course this still has an impact on the cables quality, but the connection is still up and running.

img-wiretap-cable-damage

Oh, and tape. There is nothing that tape can't fix. Plus points if yours is matching the color of the cable.

img-wiretap-cable-fixed