Exploring Search History and Current Connections on Same WiFi: Router Access Queries

Content translated Polish » English.
  • #31 18843329
    Tommy82
    Level 41  
    I even have 3 wifi networks at home.
    Domestic, Home with tunneling for the company and for guests.
  • #32 18843475
    m.jastrzebski
    Network and Internet specialist
    Tommy82 wrote:
    I even have 3 wifi networks at home.
    Domestic, Home with tunneling for the company and for guests.

    Unfortunately, only a small percentage of society is aware of the need to do something like this, and even fewer can do it. And few appliances with good value for money can do it. Manufacturers of home appliances have done quite a lot in terms of security, moving away from admin/admin some time ago in favor of random passwords. But still not all of them.
  • #34 18851543
    elektrobonkers
    Level 5  
    Well, colleagues, guess. In a nutshell, I was sharing a WiFi and router with someone. It was implicitly implied that he knew what I was watching. Due to the circumstances of my work, I did not take any radical measures. However, due to the situation related to the coronavirus, the working conditions deteriorated, so I decided to quit. When I no longer cared, I typed provocative content into Google that I knew would interest the listener. Not only for adults. But about music and the current situation. So what? On the second day, of course, completely non-accidental comments about the search results :D also you can ....

    Now I have another question. Now that we know what it looked like, are my social networks and online banking safe? Eavesdropping by an amateur; I suspect a Wireshark program, just like you wrote.
  • #35 18851590
    m.jastrzebski
    Network and Internet specialist
    elektrobonkers wrote:
    Well, colleagues, guess. In a nutshell, I was sharing a WiFi and router with someone. It was implicitly implied that he knew what I was watching. Due to the circumstances of my work, I did not take any radical measures. However, due to the situation related to the coronavirus, the working conditions deteriorated, so I decided to quit. When I no longer cared, I typed provocative content into Google that I knew would interest the listener. Not only for adults. But about music and the current situation. So what? On the second day, of course, completely non-accidental comments about the search results :D also you can ....

    Now I have another question. Now that we know what it looked like, are my social networks and online banking safe? Eavesdropping by an amateur; I suspect a Wireshark program, just like you wrote.

    More likely you have a logger on your computer that records what you type on the keyboard and sends it to him. Through the router or by sniffing packets in flight, such a person will not dig up the encrypted content flying via the HTTPS protocol to the Google server.
    Such a logger on the computer will also capture the banking or Facebook password you enter. The human factor is the weakest link. I would look that way.

    Do the test again, but download Linux, Ubuntu for example, burn the boot image to a USB stick, and run it in test mode without installing; it will ask on startup. Then search for something very characteristic in Google.

    Also check in the browser whether the opened pages have the correct certificates.
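    The certificate check m.jastrzebski recommends can also be scripted, so the result can be compared over time. This is an added example, not code from the thread: `fetch_cert` does a live TLS handshake with Python's default context (which validates the chain against the system trust store, so an interception certificate whose root is not installed fails there), and `check_cert` runs the offline checks (name match, validity window, expected issuer) on the dict that `getpeercert()` returns. The sample certificate dict, host names, the `alice`-style placeholders and the CA name are all constructed.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl's getpeercert() returns (placeholder names).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R1"),),
    ),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2030 GMT",
    "subjectAltName": (
        ("DNS", "www.example.org"),
        ("DNS", "example.org"),
        ("DNS", "*.cdn.example.org"),
    ),
}
# Fixed "now" so the offline checks are reproducible.
FIXED_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")


def fetch_cert(host, port=443, timeout=5):
    """Live handshake; returns the server certificate as a dict.

    create_default_context() verifies the chain against the OS trust store
    and checks the host name, so a forged or interception certificate whose
    root is not installed raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _dns_name_matches(pattern, host):
    """RFC 6125 style match: a wildcard covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the CN."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_cert(cert, host, expected_issuer_org=None, now=None):
    """Offline checks on a getpeercert() dict; returns a list of problems."""
    now = time.time() if now is None else now
    problems = []
    if not any(_dns_name_matches(n, host) for n in cert_names(cert)):
        problems.append(f"name mismatch: {host} not covered by {cert_names(cert)}")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    if "notBefore" in cert and now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    # The issuer is the tell-tale for interception: a site you know is issued
    # by a public CA suddenly showing a locally installed root deserves a question.
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if expected_issuer_org and issuer.get("organizationName") != expected_issuer_org:
        problems.append(f"unexpected issuer: {issuer.get('organizationName')!r}")
    return problems


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate.
    print(check_cert(SAMPLE_CERT, "www.example.org", "Example Public CA", FIXED_NOW))
    print(check_cert(SAMPLE_CERT, "example.org", "Some Proxy Root CA", FIXED_NOW))
    # Live use would be: check_cert(fetch_cert("www.example.org"), "www.example.org", "Example Public CA")
```

    The expected issuer is the part worth recording from a known-good machine (or a different network): the browser's padlock stays green for an interception certificate whose root was installed locally, and only comparing the issuer against what the site normally presents reveals the swap.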
  • #36 18851819
    elektrobonkers
    Level 5  
    The certificates in the browser are important. Can a logger be located with an antivirus? I scanned the computer and the smartphone; there is nothing.
  • #37 18852007
    m.jastrzebski
    Network and Internet specialist
    elektrobonkers wrote:
    The certificates in the browser are important. Can a logger be located with an antivirus? I scanned the computer and the smartphone; there is nothing.

    Each antivirus will find what it can find. It's worth using a few in that case. Personally, I would reinstall the system from scratch in such a situation. And change the passwords.
  • #38 18867269
    markooff
    E-Commerce-Betreuer
    elektrobonkers wrote:
    The certificates in the browser are important. Can a logger be located with an antivirus? I scanned the computer and the smartphone; there is nothing.

    Certainly not every one. This depends largely on what mechanisms the author used (how 'invasive' they are -> think of antivirus heuristics, known attack methods / infection methods, etc.). Besides, you should also take into account that all known antiviruses are optimized for so-called 'current threats', i.e. it is impossible to keep ALL known threats (and virus-like mechanisms) in the virus database, so antivirus companies make a certain selection. What is currently "on top" in a given region of the world is mainly what gets recognized. Hence (also) the large number of frequent updates (even daily); with every update, as the situation and attack vectors change a bit, the company not only adds new signatures to the database but also adjusts the antivirus behaviour a bit.

    Hence, as a colleague wrote
    m.jastrzebski wrote:
    Each antivirus will locate what it can locate. It's worth using a few pluses in that case. Personally, I would reinstall the system from scratch in such a situation. Has changed passwords.
    - it makes sense to use several. Well, maybe NOT AT THE SAME TIME - but sequentially, ONE AFTER ANOTHER. So one that a colleague has installed "permanently" in the system, and then an EXTERNAL scan of the disk with a few others running from another disk. This will greatly reduce the chance of missing something really nasty.

    This is the first method.

    Second
    (although not mutually exclusive with the first!) is the use of a few dedicated programs for tracking and / or removing all kinds of keyloggers, tracking software, etc. Unfortunately, I am currently not very up to date with the names of such programs, because I hardly use them. In the past I did sometimes, but sometimes (with some programs) I had suspicions that, on the one hand, they catch and remove a lot, but on the other hand, they add their own, not necessarily desirable 'add-ons' ... So, unfortunately, everything is "no warranty" and "at your own risk".

    UPD: and once upon a time - it was here on the elektroda forum - it was the custom of users who were concerned about their systems to post logs from, for example, HijackThis. Logs that some colleagues then devotedly browsed and, on the basis of them, gave an opinion: "you have nothing to fear" or not.


    And the third method.
    The most difficult, requiring a bit of experience and knowledge of the system's "kitchen", but probably the most effective. At least in many "weird, hard-to-define situations that not every antivirus can handle ... you know ;)"

    It is the use of a set of low-level tools specially created for this purpose (not strictly chasing burglars, but taking care of the system and its mechanisms). I mean the software from the Sysinternals Suite stable (Mark Russinovich), previously released only under its own brand (www.sysinternals.com) and currently in the colours and with the official support of M$. (See https://docs.microsoft.com/en-us/sysinternals/, https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite). The package includes a lot of really "wonderful" ;) tools, if anyone is into it, for administrators, developers and even security guys. I don't want to write about the whole package because that's not what I mean. I would like to focus on two (three) programs, the most useful for tracking what is happening in the system and for catching any anomalies.

    1) Process Explorer

    [Screenshot: Process Explorer]

    This is a great tool that allows you to track exactly WHAT is happening in the system in terms of running processes and their threads (when you select a process in the bottom pane, you can trace its threads, handles and, in the new Properties window, practically most of the running environment with its runtime parameters, paths, threads, TCP stack, resources and much other necessary information). This is the essential tool for tracking what's rustling in the grass. At least roughly.

    2) Process Monitor

    [Screenshot: Process Monitor]

    This is the second, but great and much more accurate (detailed) tool, mainly used to monitor processes and their behavior in IRT mode - IN REAL TIME. This is very important, because even if we know and recognize a specific process, using only Process Explorer we cannot say with complete certainty what it is doing at the moment, what it did and, sometimes, what it triggered (e.g. in the background).
    And here we have practically 100% control over these very matters - i.e. we can find out, by analyzing thousands (even tens of thousands) of detailed calls, stack references, openings of specific files, writes to them, transmissions between processes and over the network, what a given process actually does in the system. Of course, in real time it is practically incomprehensible to anyone (unless you have data processing power at the Deep Blue level and your eyes refresh at 1000+ fps :) ) - but you don't need to do it in real time. It is enough to run a process or even a program about which we have serious suspicions that "something is wrong" on a previously enabled Process Monitor, which tracks all calls and saves them in a long list, then stop monitoring after a while, disable the suspicious program and calmly look at what it was doing for the past fifteen seconds. Then you see all the writes to files, reads, calls to subroutines (with their full information, network references and all that tasty rest ;)
    And this way you can find, for example, how an application suddenly uses an encryption module (subroutine) and "writes to the disk" - and if we know it and know that it should not do anything like that, it is an automatic candidate for the suspicion "that someone may have dropped something here" and for further research. But then we have SOMETHING to research - because the logs from such an IRT scan are really plentiful!

    Suffice it to note that in the second photo the records cover ONLY about 0.03 seconds of "system life" ....
    And I wasn't doing anything particularly demanding on it then - just a browser, a few applets practically asleep, a few SSH sessions and that's all ;) . You can imagine what happens when it really works ... :P

    But back to the topic. Well, each of these entries is very well documented: you know what the process (or actually one of its sub-threads) decided to do and on what resources it did it. So if we know our browser at least a bit - we know where it keeps its configuration files, where the cache is, and what other mechanisms it uses - and if during this recorded work we catch sudden references to some external files that we have never seen it refer to before, then this is the basis for taking an interest in such files. When were they created? Or maybe you can see what they do (e.g. call them by hand and see what errors they spit out ...)? And besides, having e.g. references to the TCP stack, or data from traffic performed by processes (/ threads), you can then, for example, monitor network traffic with Wireshark - check at least who they are talking to; such a keylogger will probably HAVE to send the data / reports on the tracked user's activity somewhere. Sometimes the authors of such cheap solutions do not even put much effort into encrypting such transmissions ...

    And so, slowly, you follow the thread to its source. I do not promise that a colleague will immediately find his El Dorado, but sometimes you can find, for example, traces of an infection, or even of someone's activity.

    I wrote about 3 programs and here is the third:

    3) Autoruns

    [Screenshot: Autoruns]

    This tool, in turn, presents virtually everything that is run automatically during system START. And not only from the appropriate folders / keys such as autostart, but in general from all mechanisms available in Windows (mainly based on the system registry, but not only).
    It is really a very powerful "and helpful" tool for tracking how some programs, by themselves and without the knowledge of the user installing them, can install various unnecessary services, 'auto-starters', mechanisms that make sure the user does not disable something, etc. etc.
    With its help, you can sometimes catch attempts by a program to defend itself against deletion / deactivation - attempts that no normal utility program should make ...
    Once I found in one piece of software over 20 identical processes (subprocesses) whose only job was to ensure that none of them was turned off. And if one was, it would immediately be relaunched under a new, random process name. After all, they had some common features - such as the size of the executable code and some common references.
    Clever - but not much :)

    Another time, I noticed a system crawling with strange processes deceptively resembling the well-known and respected Symantec toolkit of the time - but having nothing to do with it. These were also malware files / processes, as I found out later.

    For my part, I can also recommend Mark Russinovich's blog - https://techcommunity.microsoft.com/t5/windows-blog-archive/bg-p/Windows-Blog-Archive/label-name/Mark%20Russinovich - which in an accessible way teaches you how to use many of his tools efficiently and effectively. There are also attractive webinar materials or recordings from YT conferences, e.g.

    Of course, the entire Sysinternals Suite is much more than just 3 tools, but given the framework of this post I focused on a short presentation of these.

    [For now, this is where the Cat jumped on my desk and purrs attractively
    begging for tenderness :) ]

    best regards
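As an added example (not from the post, and not Sysinternals code), here is how the triage markooff describes can be applied to a Process Monitor capture once it is saved as CSV: group the events by process and flag the combination he points at, a process that writes where it normally does not, loads code from an odd path, sends data to the network, or registers itself to autostart. The column names follow Procmon's CSV export; the sample rows, the `alice` profile paths, the process names (`updater.exe`, `hk.dll`) and the baseline of expected write locations are all constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the layout of Procmon's CSV export.  The browser
# behaves as expected (writes inside its own profile, talks to a web server);
# the constructed "updater.exe" writes a log under the roaming profile, loads
# a DLL from %TEMP%, sends data to an outside host and registers itself to
# run at logon.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.0001","firefox.exe","4120","WriteFile","C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc.default\\places.sqlite","SUCCESS","Offset: 0, Length: 4,096"
"10:15:01.0002","firefox.exe","4120","TCP Send","desktop-a:51234 -> 203.0.113.7:https","SUCCESS","Length: 517"
"10:15:01.0003","updater.exe","6688","Load Image","C:\\Users\\alice\\AppData\\Local\\Temp\\hk.dll","SUCCESS","Image Base: 0x7ff8a0000000, Image Size: 0x1c000"
"10:15:01.0004","updater.exe","6688","WriteFile","C:\\Users\\alice\\AppData\\Roaming\\svc\\keys.log","SUCCESS","Offset: 1,024, Length: 63"
"10:15:01.0005","updater.exe","6688","CreateFile","C:\\Users\\alice\\AppData\\Roaming\\svc\\old.log","NAME NOT FOUND","Desired Access: Generic Read"
"10:15:01.0006","updater.exe","6688","TCP Send","desktop-a:51240 -> 198.51.100.9:8080","SUCCESS","Length: 1,440"
"10:15:01.0007","updater.exe","6688","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe"
"""

# Constructed baseline of where each known process is expected to write; in
# practice you build this by watching the machine while it is known-good.
EXPECTED_WRITE_PREFIXES = {
    "firefox.exe": (
        r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox",
        r"C:\Users\alice\AppData\Local\Mozilla\Firefox",
    ),
}
# Code is normally loaded from these trees; a DLL anywhere else deserves a look.
TRUSTED_IMAGE_PREFIXES = (r"C:\Windows", r"C:\Program Files")
# Outbound operations only: the post's point is data being sent somewhere.
NETWORK_OPS = {"TCP Connect", "TCP Send", "UDP Send"}
RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")


def _startswith_any(path, prefixes):
    lowered = path.lower()
    return any(lowered.startswith(p.lower()) for p in prefixes)


def triage(csv_text):
    """Group suspicious Procmon rows by process: {process: {category: [details]}}."""
    findings = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":  # failed operations tell us less; skip them
            continue
        proc, op, path = row["Process Name"], row["Operation"], row["Path"]
        if op == "WriteFile" and not _startswith_any(path, EXPECTED_WRITE_PREFIXES.get(proc, ())):
            findings[proc]["unexpected write"].add(path)
        elif op == "Load Image" and not _startswith_any(path, TRUSTED_IMAGE_PREFIXES):
            findings[proc]["code loaded from unusual path"].add(path)
        elif op in NETWORK_OPS:
            # Procmon shows network paths as "local:port -> remote:port".
            findings[proc]["network traffic"].add(path.split("->")[-1].strip())
        elif op == "RegSetValue" and any(k.lower() in path.lower() for k in RUN_KEYS):
            findings[proc]["autostart entry"].add(path)
    return {p: {c: sorted(v) for c, v in cats.items()} for p, cats in findings.items()}


def candidates(csv_text, min_categories=2):
    """Processes showing at least `min_categories` kinds of suspicious behaviour."""
    return sorted(p for p, cats in triage(csv_text).items() if len(cats) >= min_categories)


if __name__ == "__main__":
    for proc, cats in triage(SAMPLE_CSV).items():
        for category, details in cats.items():
            print(f"{proc}: {category}: {', '.join(details)}")
    print("candidates:", candidates(SAMPLE_CSV))
```

The browser also shows up with network traffic, which on its own means nothing; it is the combination (a write outside the known profile, plus a DLL from a temp directory, plus an outbound connection, plus a Run key) that makes `updater.exe` the candidate to hand over to Wireshark and Autoruns for the next step, exactly the narrowing-down the post describes.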

Topic summary

The discussion revolves around the ability to monitor search history and current connections of devices on the same WiFi network through router access. Key points include the potential for eavesdropping on unencrypted traffic using tools like Wireshark, the limitations imposed by HTTPS encryption, and the necessity of router configurations that allow logging of traffic. Users mention specific router firmware like OpenWRT and Tomato that can facilitate monitoring. The conversation highlights the importance of network security practices, such as using different passwords for WiFi and router access, and the risks associated with sharing WiFi with untrusted users. Concerns about privacy and the implications of network monitoring are also raised, particularly in shared living or business environments.