Network data stealing by someone

asked 2021-08-20 16:30:14 +0000


updated 2021-08-23 04:09:16 +0000

This guy pretended to be my friend and took my WiFi password for studying. But later I found that he was lying to me that he knew no coding, when he by chance said to me that my WiFi password is very strong and cannot be hacked. I also noted that whenever his mobile connects to my WiFi, only some multi-casting/multi-screen is seen in the Wireshark data, whereas when I connect my mobiles to my router no such multi-casting/multi-screen is ever seen in the Wireshark data. I came to know that he was stealing my personal data. Below is some part of the Wireshark data from when that mobile device was connected. I don't know how to read it. Can you please help me figure out what is wrong:

Epoch Time: 1624161285.241922291 seconds

Ethernet II, Src: X6:3X:XX:XX:XX:b0 (X6:3X:XX:XX:XX:b0), Dst: IPv4mcast_XX:XX:XX (01:00:5e:XX:XX:XX)

ssdp M-SEARCH * HTTP/1.1\r\n
    Expert Info (Chat/Sequence): M-SEARCH * HTTP/1.1\r\n
        [M-SEARCH * HTTP/1.1\r\n]
        [Severity level: Chat]
        [Group: Sequence]
    Request Method: M-SEARCH
    Request URI: *
    Request Version: HTTP/1.1
HOST: XXX.XXX.XXX.250:1900\r\n
MAN: "ssdp:discover"\r\n
MX: 1\r\n
ST: urn:dial-multiscreen-org:service:dial:1\r\n
\r\n
[Full request URI: http://XXX.XXX.XXX.250:1900*]
[HTTP request 2/3]
[Prev request in frame: 9501]
[Next request in frame: 9505]

Here is another, where Src MAC is the attacker's mobile and Dst is my laptop's MAC. The Wireshark data shows some Google Cast. But why is anything like Google Cast being sent to my laptop? When I connect my mobile there is never anything like connecting to my laptop or any Google Cast.

Ethernet II, Src: X6:3X:XX:XX:XX:b0 (X6:3X:XX:XX:XX:b0), Dst: 3X:XX:XX:XX:8X:83 (3X:XX:XX:XX:8X:83)
[Here Src is the attacker's mobile and Dst is my laptop.]
Internet Protocol Version 4, Src: 192.XXX.XXX.1XX, Dst: 224.XXX.XXX.XXX

User Datagram Protocol, Src Port: 5353, Dst Port: 5353


_233637DE._sub._googlecast._tcp.local: type PTR, class IN, "QU" question
Name: _233637DE._sub._googlecast._tcp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
1... .... .... .... = "QU" question: True

_googlecast._tcp.local: type PTR, class IN, "QU" question
Name: _googlecast._tcp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
1... .... .... .... = "QU" question: True

EDIT:

Here is another, where an unknown MAC address appeared in the TCPDUMP data. There is no detail of the device manufacturer on the internet for this MAC address 45:10:01:XX:XX:XX.

184 2021-07-12 12:21:00.397132256   CrayComm_11:39:96   45:10:01:XX:XX:XX   0x0000  344 Ethernet II

[Protocols in frame: sll:eth:ethertype:data]

Ethernet II, Src: CrayComm_XX:XX:XX (00:00:80:XX:XX:XX), Dst: 45:10:01:XX:XX:XX ...
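Added here as a worked example (it is not part of the question or of any reply): a small Python triage helper that parses the SSDP M-SEARCH request and the mDNS PTR question names quoted above and names the discovery each one represents, flagging only a search that is not aimed at a multicast group. The standard SSDP multicast address 239.255.255.250:1900 is assumed where the post masks it, and the sample payload below is constructed from the dissection in the question.

```python
import ipaddress

# Constructed sample (not from the capture file): the SSDP M-SEARCH request
# quoted in the question, rebuilt as the UDP payload the phone would send.
SSDP_SAMPLE = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 1\r\n"
    b"ST: urn:dial-multiscreen-org:service:dial:1\r\n\r\n"
)

# Constructed sample: the two mDNS PTR question names from the second capture.
MDNS_SAMPLE_NAMES = ["_233637DE._sub._googlecast._tcp.local",
                     "_googlecast._tcp.local"]

def parse_ssdp(payload: bytes) -> dict:
    """Split an SSDP request into its request line and upper-cased headers."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.decode("ascii", errors="replace").split("\r\n")
    result = {"request": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed header lines instead of crashing
            result[name.strip().upper()] = value.strip()
    return result

def classify_ssdp(payload: bytes, dst_ip: str, dst_port: int) -> str:
    """Name what an SSDP datagram is doing, flagging non-multicast searches."""
    hdr = parse_ssdp(payload)
    if not hdr["request"].startswith("M-SEARCH"):
        return "ssdp: not a discovery search"
    if not (ipaddress.ip_address(dst_ip).is_multicast and dst_port == 1900):
        return "ssdp: M-SEARCH aimed at a unicast address, worth a closer look"
    st = hdr.get("ST", "")
    if "dial-multiscreen-org" in st:
        return "ssdp: DIAL screen-casting discovery (normal multicast probe)"
    return f"ssdp: service discovery for {st or 'unknown target'}"

def classify_mdns_name(name: str) -> str:
    """Map an mDNS PTR question name to the service being looked for."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 3 or labels[-1] != "local":
        return "mdns: not a .local service query"
    svc = ".".join(labels[-3:-1])  # service type sits just before 'local'
    if svc == "_googlecast._tcp":
        return "mdns: Google Cast receiver discovery (normal multicast probe)"
    return f"mdns: discovery for service {svc}"
```

Run `classify_ssdp(SSDP_SAMPLE, "239.255.255.250", 1900)` and `classify_mdns_name(n)` for each sample name to see both packets labelled as ordinary casting discovery; a real capture would feed the UDP payload and IP destination of each frame into the same functions.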

Comments

1

"Can you please help me figure out what is wrong." To be blunt: what's wrong here is giving out the WiFi password. Only give out a guest access password, which a decent WiFi router should have. Accept the responsibility and use this as a learning experience. For the rest there's nothing here. Change your WiFi password, reconfigure your devices and keep going.

Jaap ( 2021-08-21 08:52:48 +0000 )

Yes, I changed the WiFi password, and it is even stronger.

aks ( 2021-08-21 09:29:48 +0000 )