The Passive Splice Network Tap
Wired networks are everywhere whether you like it not. Almost every building is wired inside out, from businesses to schools to hotels. Unfortunately in most cases, little or no thought given to the physical security of the wiring. Don’t take my word for it, just lift a ceiling tile in any hallway and take a peek for your self.
This indirectly affect wireless networks as well, as the Access Points are still connected via a wired network. Most installations will employ proper wireless security measures, but nothing for the data sent back over the wire after being received by the AP.
So What? Well, this opens up a Vulnerability allowing for Physical Wiretapping. Old school, but potent as ever. There are several ways of going about doing a physically wiretap. The assumptions are that the network is Ethernet over twisted pair cabling, and the wiring is physically accessible.
Traditional Taps
The most common and obvious way to tap a ethernet cable is cutting it, and re-crimping or punching down the two ends to a sniffing device. The device could be an Ethernet bridge, which would allow not only to sniff but also filter, mangle or inject new data. The other option is sniffing the data passively, which can be accomplished using a hub, switch with span, or a DIY passive tap. If DIY isn’t your style, there are commercial tapping products too.
Unfortunately, all of the above methods suffer from a few drawbacks: the link on the wire is disconnected for a period of time while the cable is cut, the possibility of accidentally injecting undesired packets back on to the wire, and the cut and re-crimped cable leaving behind dead obvious and easily noticeable evidence of the tap that has taken place.
Passive Splice Tap
A few years ago I was messing around and decided to see if it’s possible to tap a hot ethernet cable without dropping the link. My first attempt was made using alligator clips and a wire stripper, which worked but was very annoying and painful. After trying various other techniques, I found a better way to make a splice connection to the twisted pairs using IDC connectors, and the Passive Splice Tap was born.
Unlike the conventional taps described earlier, the passive splice tap is stealthy. The link on the cable being tapped is never dropped and if done cleanly, and the aftermath is not obviously visible either. There is a downside though, this technique only works on 10/100 networks, and not gigabit (but not to worry, there is a way to get around this, explained further down).
Here’s a quick background on what’s going on. In 10/100 twisted pair ethernet networks, only two of the four pairs of wires are actually used for data transmission. From a computer’s perspective, the orange pair is for RX and the green pair is for TX. The passive splice tap works by connecting a sniffer’s RX to either the RX or TX of the wire being sniffed. By having two RX interfaces on the sniffer, you can capture full duplex traffic on the wire.
Recipe
Before starting, you will need the ingredients for a passive splice tap. Two punch down type 8P8C (aka RJ45) IDC connector jacks, A punch-down tool, Two regular pass-though ethernet cables, a sharp knife, clear tape, and an alibi. You also need a laptop to log the data with two ethernet interfaces (two usb to ethernet adapters will do the job). Now for the instructions.
First take the cable you want to tap and cut the casing long ways a few inches to expose the 4 pairs of wires inside. Isolate the green and the orange pair of twisted wires.
Next, take one of the jacks and find the orange and orange-white connectors (will look like two blades with a gap between). Put the jack perpendicular to the orange pair of wires. Now punch down the orange wire in to the orange connector, and the orange-white wire in to the orange-white connector. Take the another jack and repeat the process, but this time punch the green wire in to the orange connector, and the green-white in to the orange-white connector.
At this point, the tap it physically done. Yes, It’s that simple. Now connect each of the jacks to the ethernet interfaces on the laptop using the two regular ethernet cables. The sniffer laptop will be like ‘wtf mate’ and fail at auto negotiating a link since only the RX wires are hooked up. So bring the two interfaces up manually in promiscuous mode (if in *nix, use ifconfig with the promisc switch).
Finally fire up wireshark or your favorite packet sniffer. If you are using wireshark, select capturing on the ‘Any’ interface as we want to capture data on both ethernet adapters at the same time. If the sniffer app does not have an ‘any’ interface, simply start two instances and capture the two interfaces separately. Further more, you can bond the two interfaces so you can treat the full-duplex as a single interface if you have that much free time.
Once done logging the data, just pull the jacks out of the wires carefully. Stuff the wire pairs back in to the casing, and use some clear tape to keep the casing’s cut closed. Unlike obviously noticing a cut Ethernet cable, this method is not visible to a glance unless looked closely.
And that’s how you perform a Passive Splice Tap.
Overcoming Gigabit
As mentioned earlier, one limitation of the passive splice tap is it only works on 10/100 networks. This is because gigabit uses a completely different pin/pair assignment that require all four pairs. To overcome this, there is a simple yet elegant hack. Simply snip the brown and/or blue pair of wires. The end devices will have no choice but to fall back to 100 since only two pairs are available. The downside of course is that the the link on the wire will be dropped momentary until the connection is renegotiated.
Caveats
The passive splice tap does not usually disrupt or disconnect the connection on the wire, but the devices on either end might behave unexpectedly due to impedance changes due to the extra interface introduced or by noise introduced. In rare cases you might see link errors, disconnects, or a velociraptor (you never know…)
Although the tap is completely transparent to the network from a data perspective, a Time Domain Reflectometer can be used to detect if a taps exist on the cable and locate it’s exact position. But a network planning on using such device would most definitely not leave their wired networks exposed to such petty attacks.
Final Thoughts
Wired networks are everywhere, and unfortunately very much vulnerable if the wiring is exposed and unprotected. If you are regular network user, make sure to always use encrypted and secure forms of communication, and never blindly assume wired networks are are somehow magically secure. If you are a network admin, please give some more thought regarding the physical security of your network. Having a really strong door to a house is meaningless if you forget to put up walls. You get the idea.
Disclaimer: This is written solely for educational purposes, so don’t ever attempt to do anything described here in real life. Finally, I am not responsible for anything you do, if you ever do.