Can people eavesdrop on AIM convos?

NulloModo

Hey,

I'm just curious, is it possible for AIM or other IM client conversations to be eavesdropped on by a third party (with or without admin access to the network?) ? I am wondering if using a packet sniffer type of thing or just watching all traffic on a certain port might do it, or if the communications are somehow encrypted from one client to the next... (which if they aren't, they should be).
 
Most IM is transmitted in the clear. So a packet sniffer is all that is needed. Just need to have access to the copper and a computer. However since most networks use switches instead of hubs it is a bit more difficult to sniff the packets. One would have to do ARP spoofing so that the packets he is interested in are sent to him.
 
arp spoofing is too much work. Just drop a black box up stream on the wire, and you're good.

AIM used to have an encryption function I thought. Can't remember, it's been a while. I'm using jabber+psi+gpg, which encrypts traffic on a few different levels. First, from client to server, as well as from client to client.
 
Yes AIM does have encryption, but I think it's turned off by default and both sides need to enable it.
 
NulloModo said:
I'm just curious, is it possible for AIM or other IM client conversations to be eavesdropped on by a third party (with or without admin access to the network?) ? I am wondering if using a packet sniffer type of thing or just watching all traffic on a certain port might do it, or if the communications are somehow encrypted from one client to the next... (which if they aren't, they should be).

Short answer: yes it is possible.
Medium answer: yes it is possible, but not for Joe-Random-Internet-User.
Longer: It needs to be someone sitting in the path between you and the AIM servers (or the AIM server and whoever you're talking to), so that they can run a packet sniffer (such as tcpdump, ethereal, or whatever). You can set up custom filters in those packet sniffers to only display IM traffic (or use msgsnarf -- only displays IM traffic).

AIM can encrypt traffic - it requires the use of SSL certificates. The problem with this is that it's non-trivial for the average user to set this up in a secure fashion. There's a website (don't remember URL) that will generate certificates for you - but they now have a copy of your private key and can read all of your IMs, so you have to trust them. Other protocols (or clients) do different things for encryption, so you can spend a lot of time reading around.

Basically though, you probably don't need to worry. Unless someone on your local network is sniffing, you should be fine. At the higher levels, someone at your ISP is going to have more interesting things to do than watch your traffic, and at AOL, they'll see it in cleartext anyways - most likely (depends upon implementation).

If you want to have an encrypted chat with someone, there are many other, better, ways: PGP-encrypted e-mail, for one.
 
NulloModo said:
Hey,

I'm just curious, is it possible for AIM or other IM client conversations to be eavesdropped on by a third party (with or without admin access to the network?) ? I am wondering if using a packet sniffer type of thing or just watching all traffic on a certain port might do it, or if the communications are somehow encrypted from one client to the next... (which if they aren't, they should be).

http://arstechnica.com/columns/linux/linux-20051002.ars
 
XOR != OR said:
arp spoofing is too much work. Just drop a black box up stream on the wire, and you're good.

Arp poisoning is a piece of cake...so long as you are on the same broadcast domain.
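
A defensive check for the ARP poisoning discussed above, as an added example (not code from any poster or from the linked article): it compares two neighbour-table snapshots in `ip neigh` format and flags an IP whose MAC changed and a MAC that answers for several IPs. The addresses and both snapshots are constructed sample data.

```ruby
# Constructed `ip neigh` snapshots (sample data, not captured from a real network).
BEFORE = <<~TXT
  192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
  192.168.1.20 dev eth0 lladdr 00:aa:bb:cc:dd:20 STALE
  192.168.1.37 dev eth0 lladdr 00:aa:bb:cc:dd:37 REACHABLE
TXT

AFTER = <<~TXT
  192.168.1.1 dev eth0 lladdr 00:aa:bb:cc:dd:37 REACHABLE
  192.168.1.20 dev eth0 lladdr 00:aa:bb:cc:dd:20 STALE
  192.168.1.37 dev eth0 lladdr 00:aa:bb:cc:dd:37 REACHABLE
  192.168.1.50 dev eth0  FAILED
TXT

NEIGH_RE = /\A(\d{1,3}(?:\.\d{1,3}){3}) dev (\S+) lladdr ((?:\h{2}:){5}\h{2}) (\S+)\z/

# Parse neighbour-table text into { ip => mac }, skipping entries with no
# resolved link-layer address (FAILED / INCOMPLETE).
def parse_neigh(text)
  text.each_line.each_with_object({}) do |line, table|
    m = NEIGH_RE.match(line.strip)
    table[m[1]] = m[3].downcase if m
  end
end

# Compare two snapshots and return findings as [kind, detail] pairs.
def arp_findings(before, after)
  findings = []
  # An IP (typically the gateway) that suddenly resolves to a different MAC.
  after.each do |ip, mac|
    old = before[ip]
    findings << [:mac_changed, "#{ip}: #{old} -> #{mac}"] if old && old != mac
  end
  # One MAC answering for more than one IP in the current snapshot.
  after.group_by { |_ip, mac| mac }.each do |mac, pairs|
    ips = pairs.map(&:first).sort
    findings << [:shared_mac, "#{mac} claims #{ips.join(', ')}"] if ips.size > 1
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  arp_findings(parse_neigh(BEFORE), parse_neigh(AFTER)).each { |kind, detail| puts "#{kind}: #{detail}" }
end
```

A shared MAC is not always hostile (proxy ARP and routers with several addresses produce it too), so treat these findings as leads to check against known hardware rather than as proof.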
 
digilink said:
I read that article a while back and tried it at home and couldn't get it to work, have you tried and been successful? Looks like a pretty useful tool if it works correctly.

At the moment I don't have the need for it - what part was giving you trouble?
 
Malk-a-mite said:
At the moment I don't have the need for it - what part was giving you trouble?

Here is what I get when I try to execute the script, looks like a Ruby problem:

Code:
sbrown@chrislynn ~ $ ruby packet_filter.rb
packet_filter.rb:4:in `require': No such file to load -- pcaplet (LoadError)
        from packet_filter.rb:4

Any ideas?
 
nobody has mentioned about wireless yet ;)

go to a college and throw up a sniffer on your wifi interface
 
digilink said:
Here is what I get when I try to execute the script, looks like a Ruby problem:

Code:
sbrown@chrislynn ~ $ ruby packet_filter.rb
  packet_filter.rb:4:in `require': No such file to load -- pcaplet (LoadError)
          from packet_filter.rb:4

Any ideas?

have to have ruby-pcap installed...

of course, I couldn't actually get it to work sniffing my AIM traffic ha... I started it and signed on to AIM, and I picked up a bunch of Spanish, then nothing... even though I was chatting
 
SYN ACK said:
nobody has mentioned about wireless yet ;)

go to a college and throw up a sniffer on your wifi interface

Or the fact that not just the conversation is sent in the clear, but so is your password.
 
m1abram said:
Or the fact that not just the conversation is sent in the clear, but so is your password.

Which is probably the password for a great many other things :).
 
m1abram said:
Or the fact that not just the conversation is sent in the clear, but so is your password.

The password isn't *exactly* sent in the clear. In the older protocol (TOC) they XORed it with a known value (tictock if memory serves?). I'm not exactly sure how OSCAR sends the password, but I know it's not complete cleartext - there's at least mild obfuscation going on.
 
You can download Cygwin that lets you emulate a lot of Linux-y software in Windows, and Ethereal has a Windows binary out on their website. So yes.
 