Network data stealing by someone
This guy pretended to be my friend and took my wifi password for studying. But later I found that he was lying to me that he knew no coding, when he by chance said to me that "your wifi password is very strong, can not be hacked". I also noted that whenever his mobile connects to my wifi, only some multi-casting/multi-screen is seen in the Wireshark data, whereas when I connect my mobiles to my router, no such multi-casting/multi-screen is ever seen in the Wireshark data. I came to know that he was stealing my personal data. Below is some part of the Wireshark data when that mobile device was connected. I don't know how to read it. Can you please help me figure out what is wrong:
Epoch Time: 1624161285.241922291 seconds
Ethernet II, Src: X6:3X:XX:XX:XX:b0 (X6:3X:XX:XX:XX:b0), Dst: IPv4mcast_XX:XX:XX (01:00:5e:XX:XX:XX)
ssdp M-SEARCH * HTTP/1.1\r\n
Expert Info (Chat/Sequence): M-SEARCH * HTTP/1.1\r\n\
[M-SEARCH * HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: M-SEARCH
Request URI: *
Request Version: HTTP/1.1
HOST: XXX.XXX.XXX.250:1900\r\n
MAN: "ssdp:discover"\r\n
MX: 1\r\n
ST: urn:dial-multiscreen-org:service:dial:1\r\n
\r\n
[Full request URI: http://XXX.XXX.XXX.250:1900*]
[HTTP request 2/3]
[Prev request in frame: 9501]
[Next request in frame: 9505]
Here is another, where the Src MAC is the attacker's mobile and the Dst is my laptop's MAC. The Wireshark data shows some Google Cast. But why is anything like Google Cast being sent to my laptop? When I connect my mobile there is never anything like connecting to my laptop or any Google Cast.
Ethernet II, Src: X6:3X:XX:XX:XX:b0 (X6:3X:XX:XX:XX:b0), Dst: 3X:XX:XX:XX:8X:83 (3X:XX:XX:XX:8X:83)
[Here Src is the attacker's mobile and Dst is my laptop.]
Internet Protocol Version 4, Src: 192.XXX.XXX.1XX, Dst: 224.XXX.XXX.XXX
User Datagram Protocol, Src Port: 5353, Dst Port: 5353
_233637DE._sub._googlecast._tcp.local: type PTR, class IN, "QU" question
Name: _233637DE._sub._googlecast._tcp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
1... .... .... .... = "QU" question: True
_googlecast._tcp.local: type PTR, class IN, "QU" question
Name: _googlecast._tcp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
1... .... .... .... = "QU" question: True
EDIT:
Here is another, where an unknown MAC address appeared in the TCPDUMP data. There is no detail of the device manufacturer on the internet for this MAC address 45:10:01:XX:XX:XX.
184 2021-07-12 12:21:00.397132256 CrayComm_11:39:96 45:10:01:XX:XX:XX 0x0000 344 Ethernet II
[Protocols in frame: sll:eth:ethertype:data]
Ethernet II, Src: CrayComm_XX:XX:XX (00:00:80:XX:XX:XX), Dst: 45:10:01:XX:XX:XX ...
Can you please help me figure out what is wrong.

To be blunt: what's wrong here is giving out the WiFi password. Only give out a guest access password, which a decent WiFi router should have. Accept the responsibility and use this as a learning experience. For the rest there's nothing here. Change your WiFi password, reconfigure your devices and keep going.
Yes, I changed the WiFi password and made it even stronger.
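
For reading captures like the two in the question, here is an added example (not part of the original posts) that decodes both packet types shown: the SSDP M-SEARCH text and the mDNS question section, including the "QU" bit. The sample bytes are constructed from the fields visible above; 239.255.255.250 is the standard SSDP multicast address, used because the page redacts the HOST value, and all function names are illustrative.

```python
import struct

# Constructed samples rebuilt from the fields shown in the captures above.
# 239.255.255.250 is the standard SSDP group; the page redacts its HOST value.
SSDP = (b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
        b'MAN: "ssdp:discover"\r\nMX: 1\r\n'
        b'ST: urn:dial-multiscreen-org:service:dial:1\r\n\r\n')
NAMES = ["_233637DE._sub._googlecast._tcp.local", "_googlecast._tcp.local"]

def build_mdns_query(names):
    """Build an mDNS query: PTR (12) questions, class IN with the QU bit set."""
    body = b""
    for name in names:
        for label in name.split("."):
            body += bytes([len(label)]) + label.encode()
        body += b"\x00" + struct.pack("!HH", 12, 0x8001)
    return struct.pack("!6H", 0, 0, len(names), 0, 0, 0) + body

def read_name(msg, off):
    """Decode a DNS name at off, following compression pointers (bounded)."""
    labels, end, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:            # compression pointer
            end = off + 2 if end is None else end
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
        else:                                   # ordinary length-prefixed label
            labels.append(msg[off + 1:off + 1 + msg[off]].decode())
            off += 1 + msg[off]
    return ".".join(labels), (off + 1 if end is None else end)

def parse_mdns(msg):
    """Return header facts and every question with its type, class and QU bit."""
    _, flags, qd, an, _, _ = struct.unpack_from("!6H", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype, qclass & 0x7FFF, bool(qclass & 0x8000)))
    return {"is_query": not flags & 0x8000, "answers": an, "questions": questions}

def parse_ssdp(payload):
    """Split an SSDP datagram into its method and upper-cased header map."""
    lines = payload.decode("ascii", "replace").split("\r\n\r\n")[0].split("\r\n")
    pairs = (l.split(":", 1) for l in lines[1:] if ":" in l)
    return lines[0].split(" ")[0], {k.strip().upper(): v.strip() for k, v in pairs}
```

Run on the samples, `parse_ssdp(SSDP)` yields an `M-SEARCH` with `MAN: "ssdp:discover"` searching for the DIAL service, and `parse_mdns(build_mdns_query(NAMES))` yields two PTR questions for Google Cast with the QU bit set and zero answer records: both are service-discovery requests, which is what the dissected fields in the captures show.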