Sniffing Cryptocurrency Traffic

What is Cryptocurrency?

Sniffing Cryptocurrency Traffic – If you work as an investigator, I feel sure that when you read the title of this chapter regarding sniffing network traffic, you will think of the potential issues involved that could make it difficult or impossible. If you work within government or law enforcement, you will immediately think of the application of wiretap and intercept legislation—here in the UK, this type of activity requires an intercept warrant, which can be difficult to obtain. If you are a civilian investigator, you may assume that this type of activity is illegal and outside your sphere of expertise.

It is true that most countries have laws against intercepting any type of communications—whether it’s voice, radio, or data—and parts of this chapter assume that you have the legal right to acquire data. I will make it clear when I’m talking about a technique that is likely covered by legislation, but it is your responsibility to check the local laws in your country and follow them. This also applies to government and law enforcement officers that will need to consider what approvals are needed.

What Is Intercept?

Intercept legislation is usually described as intercepting and storing communications that are destined for a specific destination. Using mobile phone intercept as an example, let’s say Alice calls Bob. Alice and Bob have an expectation of privacy, and the voice traffic is between two specific endpoints: the voice from Alice is destined for Bob and vice versa. To listen to that phone call means positioning a receiver between the two endpoints, and it is this detail that is usually classed as intercept and hence illegal.

However, if Alice stood in the street and shouted across a road to Bob, Alice is broadcasting, so there are no defined endpoints and no expectation of privacy. Listening in to that conversation would not be illegal.

We can apply the same principle to data packets. If IP address is sending data to, there are defined endpoints, and if we used technical measures to put a receiver between them and intercept that data, then this would likely be illegal. However, there are data packets that are broadcast to everyone, such as very specific broadcast packets from WiFi routers that broadcast the WiFi access point name. If I look at my phone and see a number of WiFi access points close by, it is because the phone has received broadcast packets announcing their existence. This is not intercept.

Another area that is not intercept is requesting data from a server of some type and receiving a response. This chapter will teach you how to watch a Bitcoin node and record the transactions and block information that is flowing out of it. It can feel a bit like intercepting the data, but because you are simply watching a flow of data making up the publicly available blockchain, this is not intercept.

Blockchain data for most cryptocurrencies is unencrypted because the data is public and there is no need to protect the data flow over the Internet. This means that it is possible to set up a WiFi-based or wire-based wiretap and watch the data flowing to and from peers on the blockchain network. Other cryptocurrencies such as ZCash are taking a different approach and encrypting their data. Please remember that a WiFi or wire-based wiretap on an Internet connection not owned by you would be classed as intercept in most territories.

Watching a Bitcoin Node

You can watch any Bitcoin node simply by connecting to it and requesting the flow of transactions. You are then able to see and record all of the blocks and transactions that are broadcast by the node to its peers.
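Because this traffic is unencrypted, the bytes a node sends can be read directly once the TCP stream is reassembled. The following is an added example, not code from the original chapter or from the sniffer tool it mentions: it parses the standard Bitcoin P2P message framing and decodes "inv" announcements, which is how a node advertises transactions and blocks to its peers. The function names and the sample hash are constructed for illustration.

```python
import hashlib
import struct

MAINNET_MAGIC = bytes.fromhex("f9beb4d9")  # Bitcoin mainnet network magic
INV_TYPES = {1: "tx", 2: "block"}          # MSG_TX / MSG_BLOCK inventory types


def checksum(payload: bytes) -> bytes:
    """First 4 bytes of SHA-256(SHA-256(payload)), as carried in the header."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def read_varint(buf: bytes, pos: int):
    """Decode a CompactSize integer; return (value, next position)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size


def parse_messages(stream: bytes):
    """Split a reassembled TCP payload into (command, payload) pairs."""
    pos, out = 0, []
    while pos + 24 <= len(stream):
        magic, cmd, length, csum = struct.unpack_from("<4s12sI4s", stream, pos)
        payload = stream[pos + 24:pos + 24 + length]
        if magic != MAINNET_MAGIC or len(payload) < length:
            break  # not Bitcoin framing, or the capture is truncated
        if checksum(payload) != csum:
            raise ValueError("checksum mismatch: corrupted or missing bytes")
        out.append((cmd.rstrip(b"\x00").decode("ascii"), payload))
        pos += 24 + length
    return out


def decode_inv(payload: bytes):
    """Return [(kind, hash_hex)] for each item announced in an inv payload."""
    count, pos = read_varint(payload, 0)
    entries = struct.iter_unpack("<I32s", payload[pos:pos + 36 * count])
    # Hashes are sent in internal byte order; explorers show them reversed.
    return [(INV_TYPES.get(kind, str(kind)), raw[::-1].hex()) for kind, raw in entries]


# Constructed sample: one inv message announcing a made-up transaction hash.
SAMPLE_HASH = bytes(range(32))
INV_PAYLOAD = b"\x01" + struct.pack("<I", 1) + SAMPLE_HASH
SAMPLE_STREAM = (MAINNET_MAGIC + b"inv".ljust(12, b"\x00")
                 + struct.pack("<I", len(INV_PAYLOAD)) + checksum(INV_PAYLOAD) + INV_PAYLOAD)
```

The checksum failure path matters for passive captures: a lossy WiFi tap that drops a packet mid-message will surface here as a mismatch rather than as silently wrong data.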

Once you have a target IP address, a great tool is available to enable you to watch transactions and blocks coming from the node. It’s called the Bitcoin P2P Network Sniffer, and it’s available at . You just need to download the Python file .

Open in your chosen text editor (such as Notepad++). In the section titled “Default Settings if no configuration file is given,” find the line that begins with “host” followed by an IP address. Adjust the IP address and port to your target address and save the file. Next, open a terminal or a command shell in the folder where is located and type the following:


Sniffing Data on the Wire

This book is not the forum to teach you how to set up a wired or wireless intercept. Most modernized countries have the capability to enable approved government agents or law-enforcement officers to watch data flowing to and from a particular IP address via agreements with Internet service providers (ISPs) or some central monitoring location. Tools in the public domain also enable equipment to be connected to a network in an attempt to intercept specific traffic or all the available traffic. It should be noted that trying to achieve full network intercept can cause many problems including bandwidth considerations and storage of the data in real time.

Intercept of WiFi-based traffic is considerably easier to achieve, and plenty of commercial and open-source tools are available to set up a WiFi-based tap. With a WiFi intercept, the limitations of antennas and the fact that it must be in listening mode only means that received packets are not acknowledged. The result of this is that there will almost certainly be missed packets that can add up to significant data loss over time.

If you haven’t used Wireshark before, I would recommend investing some time to learn it properly. Many excellent books and tutorials are available online that can teach you how to use Wireshark. A good place to start is the online help guide published on the website

The Wireshark window has four primary sections:

At the top of the window are the menu options, the toolbar, and an editable expression bar for creating filters.

The next section contains a list of each captured packet. The Time column displays the default time. This is not an actual world time—it’s the time offset from the first captured packet, which can be changed. The columns to the right of the Time column are Source, which displays the source IP address; the Destination, which displays the destination IP address; Protocol, which displays the protocol used; Length, which displays the length of the packet; and Info, which is an interpretation of the packet content.

The third section breaks down the selected packet into its constituent parts. This is known as the packet details section. You can expand each part to view detailed raw and interpreted data about the packet.

The bottom section provides the raw hex that makes up the selected packet, with the ASCII interpretation on the right. Each line displays the data offset, then 16 hex bytes, followed by 16 ASCII bytes.


This short chapter is not designed to be a detailed explanation of sniffing cryptocurrency traffic on a network. Instead, it provides an overview of what is possible and an example of how to achieve it. Traffic sniffing and network protocol analysis are specific skills that need to be learned and practiced.

In this blog, I also discussed how carrying out any type of traffic intercept is probably illegal in your country unless you own the data, have approval from the owner of the data, or are working as a government or law enforcement officer. Even for an officer of the law, there will likely still be legal requirements and legislation to work in line with.

Putting those restrictions aside, because Bitcoin traffic and the traffic of other cryptocurrencies is unencrypted, the data is readable, which could be very useful in connecting a user to specific cryptocurrency addresses and trades. If you see a need to engage in traffic analysis of any cryptocurrency, I recommend that you do significant research, practice, and get the assistance of a specialist in this field.
