Welcome back, aspiring investigators!
They say that eavesdropping is impolite. In everyday life, that is true. In the world of networks, however, listening carefully to traffic is not bad manners at all. It is a profession. Network forensics, incident response, and security auditing all rely on the ability to observe how data actually moves across wires. Surprisingly, many people still believe that this kind of traffic interception requires exotic, expensive hardware straight out of a government lab. In this article, we want to show you that reality is far more down-to-earth.
With a basic understanding of Ethernet signaling and a few simple components, it is possible to organize traffic interception using something as humble as ordinary alligator clips. The technique we will discuss is not new, but its simplicity and effectiveness continue to make it relevant today. There is a particularly elegant attack that relies on half‑duplex interception of twisted‑pair RJ45 traffic. “Half‑duplex” here means that we capture only one direction of traffic, either incoming or outgoing, but not both at the same time. Twisted‑pair sniffing has been known for many years, yet it remains practical because twisted‑pair Ethernet is still everywhere. Even though fiber optics are increasingly common, the familiar copper cable continues to dominate the so‑called “last mile.”
In residential buildings, twisted‑pair cables often run openly through stairwells, basements, and technical shafts, feeding nearly every apartment. They are frequently bundled together with other infrastructure, sometimes in a rather chaotic fashion.

As we will see later, this physical accessibility makes interception far easier than many people expect. Modern office buildings are no different. Behind clean walls and raised floors, a twisted pair is still doing most of the work.

This means the attack can be carried out anywhere you can get unobstructed access to Ethernet cabling. That can be an office corridor, a server room entry point, or even a typical apartment building entrance. What this technique cannot do is scale indefinitely. Between buildings, campuses, or cities, fiber optics are usually deployed, and this method simply does not apply. You cannot intercept an entire city this way.
Theory
Let us begin with a short refresher on how an RJ45 cable is constructed. A standard Ethernet cable contains four twisted pairs of conductors. Each pair consists of two wires twisted together to reduce electromagnetic interference and signal leakage.

Each pair serves a specific purpose in classic Ethernet configurations:
- The green pair is used for data reception,
- The orange pair is used for data transmission,
- The brown pair carries the PoE negative (−) conductor, or data at 1000 Mbit/s,
- The blue pair carries the PoE positive (+) conductor, or additional data at 1000 Mbit/s.
Incoming and outgoing traffic flows over specific pairs, and the information itself is encoded as small electrical changes on those conductors. By carefully coupling to one of these pairs, it is possible to observe the signal without fully inserting a device into the link.
Equipment
To perform this interception, we need very little equipment. A standard Ethernet network card is sufficient, along with a short piece of twisted pair containing only two conductors. You can create such a cable yourself by modifying a regular patch cord or assembling one from individual components purchased at a networking store.
We are only interested in the RX pair (the first and second conductors) terminated with a standard RJ45 connector on one end. This connector plugs directly into the attacker’s network card.

On the other end, those same two conductors are attached to ordinary alligator clips. The result is a simple probe cable.

Conventionally, the white clip is used as the positive contact and the black clip as the negative. This setup may look crude, but electrically it is entirely sufficient for the task.
Exploitation
Actual traffic interception begins when these alligator clips are attached to the target cable. Depending on which direction of traffic you want to capture, the clips are connected either to the orange pair or to the green pair of the Ethernet cable being tapped.

To do this, the outer sheath of the cable is carefully cut with a utility knife. The cut is made along the length of the cable so that the inner conductors are not damaged. There is no need to strip insulation from the wires themselves. When lightly clamped, the alligator clips pierce the insulation on their own and establish electrical contact.
Once the clips are in place, you apply gentle pressure until packets begin appearing on the sniffer attached to your network card. From the perspective of the communicating devices, nothing unusual has happened. No additional hops appear in traceroute output, no latency spikes are introduced, and the link continues operating normally.

For demonstration purposes, we use an Android phone as the capture device. Some external Ethernet adapters are automatically recognized by Android, and with root privileges no further configuration is needed. In a simple test setup, the phone successfully captures traffic flowing from one laptop to another. Again, only in one direction.

At this point, standard network forensics tools become very powerful. We use a script that not only saves traffic for later analysis but also divides the phone screen into three functional areas.

You can find the script here.
One section runs tcpdump and shows live packets. Another runs the net‑creds utility, which extracts credentials directly from captured traffic. In our demonstration, this allowed us to recover a NetNTLM hash at the exact moment a system authenticated to a network share, using nothing more than alligator clips.

The final section runs tcpxtract, a tool that extracts transferred files based purely on signatures, independent of protocol. When an image is downloaded via FTP, the phone successfully reconstructs and saves it locally.
This demonstration was conducted in a controlled environment, and no real home or corporate networks were harmed. Still, it should be obvious how easily these test components could be replaced with real targets in less controlled settings.

There are important technical limitations to this method. Passive sniffing with two conductors is only possible on links operating at 10 or 100 Mbit/s, where only four wires are used. At 1000 Mbit/s, all eight conductors participate in data transmission, and the signaling method changes completely. That said, network cards do not always negotiate gigabit speeds successfully. Even with all eight wires present and cable lengths of only a few meters, many links still fall back to 100 Mbit/s. In such cases, the connection remains vulnerable to this sniffing technique.

If a link is actively running at 1000 Mbit/s, interception with alligator clips alone is not possible. However, experiments show that if one of the additional wire pairs (the blue or brown pair) is cut, the link will automatically downgrade to 100 Mbit/s after a short delay. At that point, interception becomes possible again.

In many corporate environments, Power over Ethernet is used to supply IP phones and other devices. PoE relies precisely on those additional wire pairs, which means that true gigabit operation is often impossible on such links in the first place.
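The forced downgrade just described leaves a trace that a defender can watch for: a port that negotiated 1000 Mbit/s and later comes back up at 100 Mbit/s. The following Python detector is an added example, not part of the original article or its script; it runs over constructed switch-style link-event log lines (the log format, hostname and port names are assumptions) and flags every port whose negotiated speed fell after a renegotiation.

```python
"""Flag link-speed downgrades that may indicate a cut or tapped cable pair.

A port that held 1000 Mbit/s and then renegotiates to 100 Mbit/s matches the
symptom described above. The log format below is constructed for this example;
adapt LINE_RE to your switch's syslog output.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample syslog lines (hypothetical switch "sw1", not real data).
SAMPLE_LOG = """\
2024-03-01T08:00:01 sw1 LINK: port Gi1/0/5 up, speed 1000 Mbit/s, duplex full
2024-03-01T08:00:02 sw1 LINK: port Gi1/0/7 up, speed 100 Mbit/s, duplex full
2024-03-01T13:42:10 sw1 LINK: port Gi1/0/5 down
2024-03-01T13:42:14 sw1 LINK: port Gi1/0/5 up, speed 100 Mbit/s, duplex full
2024-03-01T13:50:00 sw1 LINK: port Gi1/0/9 up, speed 1000 Mbit/s, duplex full
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) LINK: port (?P<port>\S+) "
    r"(?P<state>up|down)(?:, speed (?P<speed>\d+) Mbit/s)?"
)


@dataclass
class Downgrade:
    port: str
    when: str
    old_speed: int
    new_speed: int


def find_downgrades(lines: Iterable[str]) -> list[Downgrade]:
    """Return one Downgrade per 'up' event whose speed is below the port's
    previously negotiated speed. A port that first appears at 100 Mbit/s
    (Gi1/0/7) is not flagged: there is no earlier baseline to compare."""
    last_speed: dict[str, int] = {}
    alerts: list[Downgrade] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["state"] == "down" or m["speed"] is None:
            continue  # unrelated line, or a 'down' that keeps the old baseline
        port, speed = m["port"], int(m["speed"])
        prev = last_speed.get(port)
        if prev is not None and speed < prev:
            alerts.append(Downgrade(port, m["ts"], prev, speed))
        last_speed[port] = speed
    return alerts


if __name__ == "__main__":
    for a in find_downgrades(SAMPLE_LOG.splitlines()):
        print(f"{a.when} {a.port}: {a.old_speed} -> {a.new_speed} Mbit/s; "
              "inspect the cable run")
```

On the sample log the only alert is Gi1/0/5, which dropped from 1000 to 100 Mbit/s after a brief flap; a port that has always run at 100 Mbit/s is not reported.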
The attack demonstrated here is purely passive. It observes traffic without modifying it. Active attacks, such as SSLsplit or man‑in‑the‑middle insertion, are theoretically possible but far more intrusive. They require cutting the cable, crimping connectors, and inserting hardware inline. All these actions are noisy, risky, and much easier to detect. For that reason, we do not consider them here.
Although this alligator‑clip method is not perfectly “clean,” since it involves opening the cable sheath, it does not disrupt connectivity when performed carefully. No packets are dropped, and no visible signs of interference appear.
Summary
The risks posed by passive traffic interception are reduced today thanks to the widespread adoption of SSL and TLS. Even so, many protocols still transmit sensitive information in clear text. Network shares, FTP, legacy authentication mechanisms, and HTTP Basic authentication remain surprisingly common in corporate environments. Because of this, physical network security still matters. Exposed cables in uncontrolled areas are unacceptable in professional installations. Proper cable channels and concealed routing are simple measures that reduce the attack surface.
Understanding how data can be intercepted at the physical layer helps us better assess risk and design networks that fail less easily.
If you’re interested in digital forensics, we recommend our training for both beginners and those looking to advance their forensic skills. Subscribers get access to a wide variety of trainings.
Source: HackersArise
Source Link: https://hackers-arise.com/network-forensics-capturing-network-traffic-with-alligator-clips/