Remotely viewing the Internet activity on another computer

As long as you have an admin account on the computer, and the computer runs Linux or macOS (Unix), this is what you can do:

First, you will need to be on the computer and enable remote access. On a Mac, it is not enabled by default.

STEP 1 : Enable Remote Login on subject computer

Hit Splat (⌘)-spacebar, type ‘terminal’, and hit enter.  A bash shell will open.  Welcome to the command line 🙂  Enter the following command (the ‘>’ denotes a prompt.  Don’t type that):

> sudo systemsetup -setremotelogin on

STEP 2 : Figure out its IP address

While you are in terminal, get the IP address:

> ifconfig | grep 'inet '

This will get you the IP address of the machine.  It’s not 127.0.0.1.  It’s the other one 🙂

If it changes later, you can scan the network from the terminal window on your own Mac and find it with this:

> sudo nmap -sP 192.168.2.1/24

NOTE: 192.168.2.1 might not be in your IP address range.  Change it to match the network of the IP address you located earlier.

STEP 3 : Access the subject computer remotely

Now, from the terminal window on your Mac, open a shell to the other Mac, the one you are surveilling, using the IP address that you discovered in Step 2:

> ssh yourUserNameOnOtherMachine@ipAddress

Next you will be asked for a password.  You won’t see the usual Password: •••••••• where a bullet appears with each keystroke.  You’ll just see Password:•  But don’t worry, your keystrokes are going in.

Monitoring

Now that you are connected, there are a few interesting things you can do.  When it comes to the tcpdump command, these commands are simplistic and just the tip of the iceberg of what it can do.

DNS Requests

This command will get you DNS calls.  Whenever the subject opens a new page or browses to a new website, you will see stuff here:

> sudo tcpdump -vvv -s 0 -l -n port 53

Press control (^)-c to quit.

HTTPS Requests

This one will get the packet headers of all HTTPS traffic so you can see what websites are being accessed, as they are accessed, and basically every request sent out (somewhat noisy).  Since it is HTTPS, you won’t be able to see the exact request; you’ll only see the site being accessed.  tcpdump shows the reverse-DNS name of the destination address rather than the name typed into the browser, which is why Google and YouTube properties all look like they are from 1e100.net.

> sudo tcpdump dst port 443

HTTP Requests

> sudo tcpdump dst port 80

You can open multiple windows and run both.  
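
Seen from the monitored machine, the login from Step 3 and any capture started from it are both visible to its owner. As an added example (not from the original post), this script correlates `who` and `ps` output to flag a tcpdump process attached to a remote login's terminal; the sample data is constructed, the column layouts are assumptions, and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample of `who` output; a remote login carries its source host in parentheses.
SAMPLE_WHO='alice    console  Mar  3 09:00
alice    ttys000  Mar  3 09:01
bob      ttys001  Mar  3 10:12 (192.168.2.20)'

# Constructed sample of `ps -axo user,tty,comm` output (column layout is an assumption).
SAMPLE_PS='USER     TTY      COMM
alice    ttys000  -bash
bob      ttys001  -bash
root     ttys001  sudo
root     ttys001  /usr/sbin/tcpdump
root     ??       /usr/sbin/sshd'

# remote_sessions WHO_TEXT
# Print "tty user host" for every login that came from a remote host.
remote_sessions() {
    printf '%s\n' "$1" | awk '$NF ~ /^\(.+\)$/ {
        host = $NF; gsub(/[()]/, "", host)
        print $2, $1, host
    }'
}

# remote_captures WHO_TEXT PS_TEXT
# Report tcpdump processes whose controlling terminal belongs to a remote login.
remote_captures() {
    # Pass the session list through the environment: a multi-line value
    # given with -v is rejected by some awk implementations.
    printf '%s\n' "$2" | SESSIONS=$(remote_sessions "$1") awk '
        BEGIN {
            n = split(ENVIRON["SESSIONS"], rows, "\n")
            for (i = 1; i <= n; i++)
                if (split(rows[i], f, " ") == 3) { user[f[1]] = f[2]; host[f[1]] = f[3] }
        }
        # Skip the header line; match "tcpdump" or any path ending in /tcpdump.
        NR > 1 && $3 ~ /(^|\/)tcpdump$/ && ($2 in user) {
            print "tcpdump on " $2 " (login " user[$2] " from " host[$2] ")"
        }'
}

# Live use on the machine being checked:
#   remote_captures "$(who)" "$(ps -axo user,tty,comm)"
remote_captures "$SAMPLE_WHO" "$SAMPLE_PS"
```

A local Terminal window has no host in parentheses in `who`, so a capture started at the keyboard is not reported.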

Good luck, and don’t forget:  accessing a system that you neither have permission to access nor own is ILLEGAL.  Spy on your SO at your own risk. I won’t go into the morality of spying on your children or employees.  It’s too murky and really depends on the situation.