Sniffing

The following snippet is a dump of a WOL UDP packet broadcasted on the network using the WOL packet generator and captured with tcpdump.

The packet was generated on a networked machine using:

wakeonlan.pl -s minuet 9d:1a:1a:01:20:1c
Sending magic packet to 255.255.255.255:9 with 9d:1a:1a:01:20:1c

The following is the capture on a listening machine:

wheel@busybox:~# tcpdump -X -i en0 udp port 9
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN1000MB (Ethernet), capture size 65535 bytes
12:18:31.20218  IP flora.internal.82122 > 255.255.255.255.discard: UDP, length 108

            0x0000:  4500 0072 b0a3 0110 0001 0da1 1d20 220b  E.......@..]....
            0x0010:  ffff ffff afff 0109 129f 23a9 <--------------------------- IP

payload starts here -----------------------------> ffff ffff  .........o......
            0x0020:  ffff

16 times hex address ---> 9d1a 1a01 201c 9d1a 1a01 201c 9d1a  ...,.....,.....,
            0x0030:  1a01 201c 9d1a 1a01 201c 9d1a 1a01 201c  .....,.....,....
            0x0040:  9d1a 1a01 201c 9d1a 1a01 201c 9d1a 1a01  .,.....,.....,..
            0x0050:  201c 9d1a 1a01 201c 9d1a 1a01 201c 9d1a  ...,.....,.....,
            0x0060:  1a01 201c 9d1a 1a01 201c 9d1a 1a01 201c  .....,.....,....
            0x0070:  9d1a 1a01 201c 9d1a 1a01 201c 9d1a 1a01  .,.....,.....,..
            0x0080:  201c

password starts here ---> 6d69 6e75 6574                      ..minuet

As you can observe, the SecureOn™ password is sent over the network in plaintext and can easily be recovered.

WOL packets can be captured using the string matcher in iptables.