Capture Windows Live Messenger conversations

Introduction and preparations

Hello everyone. In this howto I'll show you how to sniff Windows Live Messenger conversations that travel over the air, for example through a Wi-Fi access point.
This howto was tested only on a (L)unix machine, using the free software Wireshark (available on the internet or in your distribution's repositories), which is used to sniff packets and then analyze them.
The procedure should also work on Windows (although I have not verified it); it is recommended to try it on a Linux distro (it works from a live CD as well ;) ).
In this howto we will also see how to capture packets using airodump-ng (I have already talked about this software in another howto: crack WEP protection), how to decrypt them using airdecap-ng, and finally how to analyze them using Wireshark.

Catch the network traffic

The procedure was already explained in another howto available at this link, so read those few lines to see how to put your Wi-Fi card in monitor mode and how to sniff packets with airodump-ng.
It is recommended not to capture for more than an hour at a time, because the cap file can become very large and slow to decrypt and analyze.

Packets decoding

In this section it is essential to know the network key (if the network is open you can skip this step), although there are other ways to learn the key ;).
If the protection used is WEP, just open a terminal and type:

airdecap-ng -l -b <MAC of the access point> -w <WEP key in hex> <capture_file-01.cap>

(-b restricts decryption to the given BSSID, -w is the WEP key, and -l keeps the 802.11 header in the output; without -l the decrypted frames are written as plain Ethernet-style frames, which is usually easier to read in Wireshark.)
If the protection is WPA the procedure is a little more complicated, because we also need to have captured the handshake, i.e. the 4-way exchange performed when a client connects to the network. The handshake does not carry the WPA key itself, but airdecap-ng needs it, together with the passphrase, to derive the per-client session keys.
To check whether the handshake was captured during the sniffing phase, a "WPA handshake: <BSSID>" string appears in the top right corner of the terminal where airodump-ng is running.
Packets belonging to a client whose handshake was not captured cannot be decrypted and are simply dropped by airdecap-ng. To test this step on your own network, launch airodump-ng first and then connect a device to your personal Wi-Fi, so that the handshake lands in the capture.
To decrypt the packets, simply type:

airdecap-ng -l -e <SSID of the access point> -p <WPA passphrase> <capture_file-01.cap>

At this point airdecap-ng will give us a new file (the suffix -dec is inserted before the extension, so capture_file-01.cap becomes capture_file-01-dec.cap) containing the decrypted traffic.

Packets analysis

Well, after saving the decrypted cap file (called msn.cap from now on) we have to open Wireshark, click Open and load msn.cap. We will now see a long list of packets.
Now we have to apply a very interesting object called a filter! Wireshark indeed allows filtering the whole packet list using expressions, or merely protocol names.
Knowing how to use filters efficiently is an important skill, but it is not the purpose of this howto, so if you are interested you will have to look it up yourself :)

Windows Live Messenger conversations!!

Windows Live Messenger traffic travels in the clear, so if someone is chatting on the Wi-Fi you are connected to, you just have to apply the filter: msnms contains "MSG"
This filter selects the packets that Wireshark's MSNMS dissector recognizes as Messenger protocol traffic, and from that list keeps those containing a MSG command, i.e. the ones that carry the actual messages (another interesting filter is JOI, because that command is sent when a new participant joins a conversation). Note that "contains" is case-sensitive, so the command names must be written in upper case, as they appear on the wire.
Now we just have to right-click on one of these packets and select Follow TCP Stream.
This shows on screen the whole conversation reassembled from the captured packets; if you cannot see anything, just try again with another MSG packet.

This procedure was tested some time ago on my network; now I don't know whether MSN packets still travel in the clear, so you will have to find out for yourself ;)
Bye bye.


The use of this material at the expense of others is absolutely not approved by badnack, who is not considered in any way responsible for any damage caused by improper use of the material. Copies of the above links are for illustrative purposes only and are posted only for educational purposes.