0

Network data stealing by someone

asked 2021-08-20 16:30:14 +0000

aks

updated 2021-08-23 04:09:16 +0000

This guy pretended to be my friend and took my wifi password for studying. But later I found that he was lying to me that he knew no coding, when he by chance said to me that your wifi password is very strong and cannot be hacked. I also noted that whenever his mobile connects to my wifi, only some multi-casting/multi-screen is seen in the Wireshark data, whereas when I connect my mobiles to my router no such multi-casting/multi-screen is ever seen in the Wireshark data. I came to know that he was stealing my personal data. Below is some part of the Wireshark data from when that mobile device was connected. I don't know how to read it. Can you please help me figure out what is wrong:

Epoch Time: 1624161285.241922291 seconds
Ethernet II, Src: X6:3X:XX:XX:XX:b0 (X6:3X:XX:XX:XX:b0), Dst: IPv4mcast_XX:XX:XX (01:00:5e:XX:XX:XX)
ssdp
M-SEARCH * HTTP/1.1\r\n
Expert Info (Chat/Sequence): M-SEARCH * HTTP/1.1\r\n
[M-SEARCH * HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: M-SEARCH
Request URI: *
Request Version: HTTP/1.1
HOST: XXX.XXX.XXX.250:1900\r\n
MAN: "ssdp:discover"\r\n
MX: 1\r\n
ST: urn:dial-multiscreen-org:service:dial:1\r\n
\r\n
[Full request URI: http://XXX.XXX.XXX.250:1900*]
[HTTP request 2/3]
[Prev request in frame: 9501]
[Next request in frame: 9505]

Here is another, where the Src MAC is the attacker's mobile and the Dst is my laptop's MAC. The Wireshark data shows some Google Cast. But why is anything like Google Cast being sent to my laptop? When I connect my mobile there is never anything like connecting to my laptop or any Google Cast.

Ethernet II, Src: X6:3X:XX:XX:XX:b0 (X6:3X:XX:XX:XX:b0), Dst: 3X:XX:XX:XX:8X:83 (3X:XX:XX:XX:8X:83)
[Here Src is the attacker's mobile and Dst is my laptop.]
Internet Protocol Version 4, Src: 192.XXX.XXX.1XX, Dst: 224.XXX.XXX.XXX

User Datagram Protocol, Src Port: 5353, Dst Port: 5353


_233637DE._sub._googlecast._tcp.local: type PTR, class IN, "QU" question
Name: _233637DE._sub._googlecast._tcp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
1... .... .... .... = "QU" question: True

_googlecast._tcp.local: type PTR, class IN, "QU" question
Name: _googlecast._tcp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
1... .... .... .... = "QU" question: True

EDIT:

Here is another, where an unknown MAC address appeared in the tcpdump data. There is no detail of a device manufacturer on the internet for this MAC address 45:10:01:XX:XX:XX.

184 2021-07-12 12:21:00.397132256   CrayComm_11:39:96   45:10:01:XX:XX:XX   0x0000  344 Ethernet II

[Protocols in frame: sll:eth:ethertype:data]

Ethernet II, Src: CrayComm_XX:XX:XX (00:00:80:XX:XX:XX), Dst: 45:10:01:XX:XX:XX ...

Comments

1

"Can you please help me figure out what is wrong."

To be blunt: what's wrong here is giving out the WiFi password. Only give out a guest access password, which a decent WiFi router should have. Accept the responsibility and use this as a learning experience. For the rest there's nothing here. Change your WiFi password, reconfigure your devices and keep going.

Jaap (2021-08-21 08:52:48 +0000)

Yes, I changed the Wifi password, and it is even stronger.

aks (2021-08-21 09:29:48 +0000)

1 Answer

0

answered 2024-05-01 04:02:08 +0000

updated 2024-05-01 04:03:08 +0000

Any Android phone is going to be sending these packets. It's a multicast packet going to the broadcast address of the network. Your laptop, having SSDP enabled, is listening for these packets. SSDP is enabled by default on Windows computers. And the packet basically says, hey, if you wanna cast a video to a Google device, I'm here and I'm available.
Also, cell phones for many years now have connected (by default) to wireless networks using a randomized spoofed MAC address so they aren't getting tracked at all the random hotspots people connect to. This is why the device's MAC is not registered.

Drawing conclusions about technical things based on the name alone is going to drive you crazy. Keep a non-biased mindset and research things prior to drawing any conclusions. Non-biased meaning, don't Google "dial protocol someone is hacking me" and expect to NOT find people saying to beware of DIAL and its malware etc... Look more for "what is dial multiscreen org". And you will find the answers you are looking for.

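As an added example (not part of the original posts and not Wireshark code), this Python sketch decodes the fields shown in the question's capture: the SSDP `ST` header, the mDNS question name with its QU bit, and the locally administered bit of the source MAC. The lookup tables and function names are illustrative assumptions; the sample values are copied from the capture as posted, masking included.

```python
SSDP_TARGETS = {  # ST header value -> plain meaning
    "urn:dial-multiscreen-org:service:dial:1":
        "DIAL discovery: a client app looking for TVs/streaming devices",
}
MDNS_SERVICES = {  # mDNS service-type suffix -> plain meaning
    "_googlecast._tcp.local": "mDNS query: looking for Google Cast receivers",
}

def parse_ssdp(payload: bytes):
    """Split an SSDP datagram (HTTP-style text over UDP 1900) into start line and headers."""
    lines = payload.decode("ascii", "replace").split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # first ':' only, so HOST keeps its port
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def describe_ssdp(payload: bytes) -> str:
    start, headers = parse_ssdp(payload)
    if not start.startswith("M-SEARCH "):
        return "not an SSDP search request"
    if headers.get("MAN", "").strip('"') != "ssdp:discover":
        return "M-SEARCH without ssdp:discover (malformed)"
    st = headers.get("ST", "")
    return SSDP_TARGETS.get(st, "SSDP search for unlisted target: " + st)

def describe_mdns_question(name: str, qtype: int, class_field: int) -> str:
    """class_field is the raw 16-bit value: top bit = QU flag, low 15 bits = class."""
    qu = bool(class_field & 0x8000)
    meaning = next((m for s, m in MDNS_SERVICES.items()
                    if name.rstrip(".").lower().endswith(s)), "unlisted service: " + name)
    kind = "PTR (browse for instances)" if qtype == 12 else "type %d" % qtype
    return "%s; %s; unicast reply requested: %s" % (meaning, kind, qu)

def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet set => not a vendor-assigned (OUI) address.
    That bit sits in the second hex digit, so a masked first digit still works."""
    return bool(int(mac[1], 16) & 0x2)

# Sample rebuilt from the header lines shown in the question's capture.
SSDP_SAMPLE = (b'M-SEARCH * HTTP/1.1\r\nHOST: XXX.XXX.XXX.250:1900\r\n'
               b'MAN: "ssdp:discover"\r\nMX: 1\r\n'
               b'ST: urn:dial-multiscreen-org:service:dial:1\r\n\r\n')

if __name__ == "__main__":
    print(describe_ssdp(SSDP_SAMPLE))
    print(describe_mdns_question("_233637DE._sub._googlecast._tcp.local", 12, 0x8001))
    print("locally administered MAC:", is_locally_administered("X6:3X:XX:XX:XX:b0"))
```

A locally administered source MAC has no vendor entry in OUI lookups, which matches the answer's point about randomized addresses.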
