Ethernet taps are useful tools for sniffing network traffic as it crosses the wire. Traditional taps, such as the excellent Throwing Star LAN Tap, are typically installed at the wall jack or the switch as they require access to the end of the network cable: Unplug the cable from the jack, plug it into the tap, and plug in a patch cable from the tap to the jack. But what if you don’t have access to the end of the cable? Let’s say, for example, you’re crawling around in the drop ceiling of a bank (as one does) and you come across a random ethernet cable running through the space. You don’t have access to the ends, but there could be juicy, useful information crossing that wire! Enter the Inline Ethernet Tap.
The Inline Ethernet Tap was designed to be used in situations where access to the ends of an ethernet cable is not possible. It works by slicing open the outer sheathing of the wire and then using an Insulation Displacement Connector (IDC) to connect to the Send and Receive pairs. Ethernet adapters are then used in conjunction with a network sniffer to listen to the traffic on each pair.
10Base-T and 100Base-T ethernet* use either Cat5, Cat5E, or Cat6 cables. All of these cables are basically 4 twisted pairs of wires, for a total of 8 wires. Of these 8 wires, the orange/orange-white pair carries traffic heading one direction down the wire, and the green/green-white pair carries traffic heading the other direction. Depending on your perspective and which wiring standard is used (T568A or T568B), these could be the send/receive pairs or the receive/send pairs. The wires are terminated with an RJ45 connector which plugs into a computer’s ethernet adapter.
*This technique doesn’t work with gigabit ethernet as it uses all 4 pairs for data transmission.
A computer’s ethernet adapter uses 4 of its 8 pins for 10/100Base-T communications. Pins 1 & 2 are used for transmitting data, and pins 3 & 6 are used for receiving data (orange/orange-white in the pictured diagram). An ethernet adapter will listen to any traffic received on pins 3 & 6; this data can then be viewed using a network sniffer such as Wireshark. When sniffing traffic with a network tap, we need two ethernet adapters in order to listen to the full duplex conversation (send and receive), because each adapter can only listen on the single pair of wires connected to its pins 3 & 6. Wireshark can capture from multiple adapters at once, so when the traffic from the two adapters is viewed together it looks like a normal two-way ethernet conversation.
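Wireshark interleaves the two adapters' frames by timestamp when you capture on both at once; if each adapter is instead captured to its own file, the two one-direction traces have to be merged afterwards (the mergecap tool that ships with Wireshark does exactly this). As an added example, not code from the original post or from its author, the Python below shows what that merge amounts to: it parses classic libpcap files, sorts the records from both captures by timestamp and writes one bidirectional trace. The pcap reader/writer, the host MAC addresses and the three sample frames are constructed for the demonstration (the payload strings are just labels, not real TCP segments).

```python
import struct
from typing import List, Tuple

# Classic libpcap file layout: a 24-byte global header, then for every frame a
# 16-byte record header (ts_sec, ts_usec, captured length, original length)
# followed by the raw Ethernet frame bytes.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, frame)


def write_pcap(records: List[Record]) -> bytes:
    """Serialise records as a little-endian libpcap file."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_pcap(data: bytes) -> List[Record]:
    """Parse a libpcap file, honouring the byte order its magic number declares."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # the same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    records: List[Record] = []
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record")
        records.append((ts_sec, ts_usec, frame))
        offset += incl_len
    return records


def merge_captures(*captures: bytes) -> bytes:
    """Interleave several one-direction captures by timestamp into one trace."""
    records: List[Record] = []
    for cap in captures:
        records.extend(read_pcap(cap))
    records.sort(key=lambda r: (r[0], r[1]))  # stable sort keeps ties in input order
    return write_pcap(records)


def frame_src_mac(frame: bytes) -> str:
    """Return the source MAC of an Ethernet II frame as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in frame[6:12])


# Constructed sample data (not a real capture): two hosts exchanging three frames.
# Adapter A only ever sees HOST1 -> HOST2, adapter B only sees HOST2 -> HOST1.
HOST1 = bytes.fromhex("020000000001")
HOST2 = bytes.fromhex("020000000002")
ETHERTYPE_IPV4 = b"\x08\x00"


def _frame(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Build a minimal Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return dst + src + ETHERTYPE_IPV4 + payload


CAPTURE_A = write_pcap([
    (1, 0, _frame(HOST1, HOST2, b"SYN")),
    (1, 300, _frame(HOST1, HOST2, b"ACK")),
])
CAPTURE_B = write_pcap([
    (1, 150, _frame(HOST2, HOST1, b"SYN-ACK")),
])


def merged_conversation() -> List[Tuple[int, str, bytes]]:
    """Merge the two one-way captures and list (ts_usec, src MAC, payload) in order."""
    merged = read_pcap(merge_captures(CAPTURE_A, CAPTURE_B))
    return [(ts_usec, frame_src_mac(frame), frame[14:]) for _, ts_usec, frame in merged]


if __name__ == "__main__":
    for ts_usec, src, payload in merged_conversation():
        print(f"t=1.{ts_usec:06d}  {src}  {payload.decode()}")
```

Each capture on its own shows only half the exchange (adapter A never sees the SYN-ACK); only the merged trace reads as one conversation, which is why the tap needs both adapters. The merge relies on both adapters sharing one clock, which holds when they sit on the same sniffing machine.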
Assembling the Inline Ethernet Tap
- Solder the ethernet jack to the PCB (on the side without the skull and crossed soldering irons)
- Solder the 4 pin header connector to the PCB (also on the side without the skull and crossed soldering irons)
- Have a beer
At this point, you could use the tap with a standard ethernet patch cable, but you’d only see one direction of traffic. To see both directions of traffic, you will need to build a special breakout cable. Basically, this breakout cable just takes the orange pair and the green pair and terminates them on their own RJ45 jack, each at pins 3 & 6.
- Take a standard ethernet cable, and cut one end off (length is up to you)
- Remove about 3 – 4 inches of the outer sheathing
- Separate the orange pair and the green pair, and cut the rest off.
- Untwist the orange pair slightly and insert the orange-white wire into position 3 of the jack, and insert the solid orange wire into position 6. Using an RJ45 crimper, crimp the jack to set the wires in place.
- Repeat step 4 for the green pair.
- Optional: use shrink tubing to make everything look neat and clean. You will need to do this prior to steps 4 & 5.
Using the Inline Ethernet Tap
First, a disclaimer: Do not use the Inline Ethernet Tap on production networks or other important infrastructure! It can irreversibly damage ethernet cables!
- Using a razor, knife, or sharp scissors, carefully slice along the outer sheathing of the ethernet cable to be sniffed. The slice needs to be around 2-3 inches long.
- Find the orange and green wire pairs inside the cable, and gently pull them away from the rest of the wires.
- Using a fingernail or punchdown tool, press each wire into the appropriate slot on the 4 pin IDC receptacle connector. The circuit board has the wire order printed on it; your wires should correspond to that. When pressing wires into the connector, ensure they go far enough in to make good contact with the copper core of the wire.
- Plug the connector into the assembled Inline Ethernet Tap
- Plug the breakout cable into the Inline Ethernet Tap
- Plug each of the jacks on the double end of the breakout cable into an ethernet adapter (you’ll need two)
- Start Wireshark
- Select Capture > Interfaces
- Select your network interfaces (remember, there should be two), and click “Start”
- Drink a beer
At this point, you should see in Wireshark all ethernet traffic going across the tapped wire. Success!
There are a couple of countermeasures against this sort of attack. You can make sure that unauthorized personnel don’t have access to your network cabling. Alternatively, expose network cabling so that it is obvious at a glance if someone has added one of these taps to your network (using wire rack cable trays, for example).
The best defense against network taps is the same as the defense against man-in-the-middle attacks: encryption. Only use secure protocols such as TLS, HTTPS, SSH, and S/MIME whenever transmitting or receiving sensitive information. This ensures that anyone who illegitimately gains access to the network traffic won’t be able to see anything useful. This is especially important within an organization’s intranet, because an office is exactly where a network tap would most likely be installed. There is quite often an attitude of “it’s constrained to the intranet, so it’s safe from hackers” in corporate environments, but depending on the physical security of a facility it could be trivial to drop a tap on an internal network.
Want your own Inline Ethernet Tap? Find me at a security conference and I’ll give you one. Or you can hit me up on twitter @diyevil and maybe I can mail you one.