Wondering Whether Someone’s Eavesdropping? Maybe You’re Right!

Do you think someone might be eavesdropping via Have you ever seen a pesky side and pop up a minutes after you have discussed the remotest subject with your friend? Relatedly, have you ever given careful attention to the terms and conditions of the applications installed on your smartphone? Do you know whether or not those applications are using your phone speaker, camera, GPS and other features of your device to control you and market their product or design their business strategies based on how you think? What about your ideas? How safe are they and how can you protect your ideas from being yanked away?! Follow the link below and see for yourself. a laptop or a smartphone? Well, you’re right! Learn how to catch them red-handed and shut them out!

Step-By-Step Configuration:

Requirements:

1. A PC, Laptop, or Smartphone
2. MikroTik Router with a minimum of two ethernet interface, wireless is optional
   1. Our recommendation is hAP-mini
3. Internet with no filtering

Network Diagram:

This is how you should connect your smartphone to a MikroTik router and establish a connection between the router and the Internet.

MikroTik Router configuration:

Default configuration:

Default Configurations on RouterBOARDS

Most MikroTik Routers in the “Wireless for home and office” category come with a default configuration as described below:

• Ether1 is set up as WAN interface, and there is a DHCP-Client setup to get an IP Address from your modem;
• The other Ethernet interfaces and the Wireless interface(s) are bridged and known as LAN network. You could connect the Ethernet port on your PC/laptop to one of these ports;
• Wlan1 and wlan2 “if available”  are already set up and broadcasting SSID: MikroTik-”MAC address,” so you could connect your smartphone/laptop to the router by searching an open SSID;
• The default IP Address 192.168.88.1 is already set up on the bridge interface, and there is a DHCP-Server running to give the clients an IP Address from the “192.168.88.10-192.168.88.254” IP Pool;
• SRC-NAT is configured to translate the private IP Address to WAN IP Address; and,
• A basic firewall filter is set up to protect the Router itself and LAN “customers”

In another words, everything is almost ready for us to begin the test.

Step-by-step visual guide for the required configuration:

1. Connection between Laptop <-> MikroTik Router

1. Open the WinBox software:

Download the latest version of Winbox here.

1. From the Neighbors tab, click on the Refresh button. You will find RB931-2nD in the list. Click on the IP Address:

1. Default router username is admin and no password has been set. Click on the connect button:

Note: Press OK to keep the default configuration.

IP Address configuration

1. Complete this checklist:
   1. Click on Interface: Check the interfaces and make sure you have th flag “R” beside ether1 and wlan1 “if you are expecting a wireless client connected to this device.”

1. From the left side menu, click on IP → Addresses. Make sure there is an IP Address assigned to ether1.

Troubleshooting

1. Troubleshoot the router to see if you have a ping for 8.8.8.8 and yahoo.com. Thus, from the left side menu, click on Tools → Ping

1. Now, you should troubleshoot your PC/laptop/smartphone by browsing the internet. Ping 8.8.8.8, and if everything is opening fine, we are good to go. Otherwise, you should troubleshoot NAT and Firewall settings.

Disable/Remove all the firewall rules

1. From the left side menu bar click on IP → Firewall → Filter Rules

1. Select all of the firewall rules using Ctrl+A and remove them all by clicking on the red minus button.

Ignore the dummy rule and let it stay.

Network Diagram

1. Test connections between the smartphone and the MikroTik Router:
   1. You may be better off to have two devices connected to the router using the wireless interface, one laptop and one smartphone, for instance. One can be connected to the router and run the tools (preferably the laptop) and one to run the APPs (the smartphone).

Setup DHCP-Server

1. Check the connections in the Registration tab of Wireless Tables and the Leases tab that can be found via IP → DHCP Server.

How to log traffic going through the router

1. Create two rules in IP → Firewall → Filter Rules to log all traffic from and to the smartphone.
   1. Click on the blue plus button:

1. Under the General tabl, choose “forward” in the Chain row, and 192.168.88.253 for the Src. Address. In the Action tab, choose “passthrough” for the Action row, check the box next to Log, and, in the Log Prefix, type “traffic from smartphone.”

1. Now, create a similar rule but to log traffic to the smartphone. In this rule, same as the previous one, Chain=forward, Action=passthrough, Log=Enabled, Log Prefix=“traffic to smartphone.” The only different is that undert the General tab, you should fill out the Dst. Address with 192.168.88.253

How to use Torch tool to snif the traffic

1. From the left side menu, click on Tools → Torch,

A torch is a sniffing tool that allows you to troubleshoot the packet based on the below parameters:

• Interface
• Source Address
• Destination Address
• Port, Protocol
• IPv4/IPv6
• VLAN
• DSCP

Using Torch, we could have a better understanding of how a packet travels between the source and the destination, and one could gain a lot of useful information that can never be found this easily and quickly using other software like Wireshark.

1. Run Torch from Tools → Torch.

1. Change the Interface to ether1, and check the boxes next to Src. Address, Dst. Address, Port, and Protocol. Moving on, increase Entry Timeout to 00:01:00, and uncheck Src. Address6 and Dst. Address6.
2. Click on the New Window button and follow the same process on the new Torch window but change the interface to bridge and Src. Address to 192.168.88.253.

1. In this step, close all running software on your phone. Open a browser and do a quick test;
   1. Open a website that you know is a host IP Address. For this guide, I opened www.netwire.ca

1. Keep an eye on the running Torch while you are opening that page and write all the Dst. IP addresses that use protocol TCP and port 80/443 since browsers usually use this port and protocol to open a website.
2. As we increased the time, the number of entries increases too much, and thus, to find active entries, you can order the entries by Tx Rate.

1. As you could see, the Src. Address is all from the same address but to different Dst. IP Addresses. In this example, the only Dst. Address to where we have traffic is 38.110.90.231, and the other information for this packet is tcp/443.
2. Now, open a browser on your computer, and, using this URL, find more details about the IP address: https://www.whatismyip.com/ip-whois-lookup/ as you see in the picture below, where netwire.ca is hosted.

1. Now, let’s run another test. Open your Facebook application and check Torch again.

1. In this example, the Dst. Address is 31.13.71.1 and 31.13.71.3.

How to find which traffic is legit?

1. Now, we want to test our smartphone speaker:
   1. Close all the applications;
   2. Check the Torch. Make sure you are in a quiet area and there is nothing appearing in the Torch;
   3. Now, think about a subject you have never talked about before and start speaking about it close to your phone speaker;
   4. Start the Torch and keep an eye on it while you are speaking and write down all the IP Addresses on a paper; and,
   5. My subject is about a Christmas toy gift (toy gift from Costco).

1. The result: When I have all the applications closed with nobody speaking, there is no traffic showing in Torch. However, as soon as I start speaking, I can see traffic to Dst. Address 17.249.108.11, TCP: 5223.

1. Now, open the Facebook application and repeat the same test.

1. As you can see in the Torch, as soon as you start speaking, these IP Addresses appear, and when you stop speaking, Tx/Rx Rates drop to 0bps. If you do whois for 157.240.18.15, you will find the same result.

1. Week, there you go! You just pinpointed a traffic that flows without a direct request from you. Now, how to drop this type of traffic which is generated without any direct request:

1. By editing the firewall filter rules we have created in step 9, we can easily drop traffic to a specific IP Address, Port, and Protocol. For example, in the above picture, you could find some unique information about the logged traffic:
   1. The packet is received in the interface bridge;
   2. The protocol used for this packet is TCP;
   3. The destination port is 443; and,
   4. The destination address to where our conversation is sent is 23.222.75.174.

Note: the more specific the rule, the more efficient it is and the better it works to filter the type of traffic you need to catch by the firewall.

1. To create a rule in order to accept or drop a specific type of traffic based on the information we got from our log and Torch, you can proceed based on the following step-by-step process:
   1. IP → Firewall → Filter Rules → Add a new rule

1. You could see in the log that the IP Address and the destination IP Address of one of the sources are the router’s IP Address, so the packet travels through the router. With regard to creating a firewall rule, the chain we should use is “forward”.

1. A firewall works by the if-then principle, and every information we define in the General tab is known as “if”. All of these conditions have to be matched with a packet for a rule to be working properly as it is expected. The next step is to define an appropriate Action for the rule.

1. The last step is to change the rule order by dragging the rule and dropping it in the right order.

1. Test if our firewall is working correctly:
   1. If I start another test, I should see Rule #0 will start counting packets, and I should not be able to see a packet get logged by Rule #1 and Rule #2. Also if I run a Torch, it should not appear in the Torch.