Video in TIB AV-Portal: WIRELESS VILLAGE - Hunting Rogue APs
Hard Lessons

License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract: Given the challenge of locating a static Access Point, this presentation highlights our strategy, pitfalls, and success.

Keywords: toddparody
I wanted to introduce this next speaker because, quite frankly, I rejected his talk outright. He submitted "I'm gonna teach you how to fox hunt." That was it, that was like the whole submission, like almost one sentence, and the whole team said, "Well, maybe you should let him talk," and "Let's all email him something mean and see what he comes back with." He came back with a fully fleshed out presentation, including slides, that was actually half decent, and I said, "Well, he's more prepared for anything than I have ever been, so I guess I'll let him talk." Todd, everybody.

Thank you very much, appreciated, Zero. So Zero is not lying. I think I may have broken a record for CFP submission accepted with the least amount of words; I think there were eight words in there. All right, so how's it going, everyone? Hopefully you're doing well. It's story time. My name is Todd Parody, this is Minnie, and we're gonna tell you kind of the experience we had last year hunting for rogue access points, or competing in the Wireless CTF challenge known as hide and seek. Just like Zero said, neither Minnie nor myself are on drugs right now; we're just on very little sleep, because we're also competing this year. Joining us last year were Ronan and Lazy Sprocket; they're over there right now. Everybody wave at them and say hello. No love? Come on, give them some love. All right, those are good guys. Do you want to check that mic real quick? We'll do a mic check and then we'll get started. Check. All right, awesome.

Okay, hunting rogue APs. AP stands for access point. What we say, or go off on tangents on, in here does not reflect the views of our employers. This is about last year, not this year. This is important because this year the rules for hunting the rogue access points, or competing in the Wireless CTF, have changed; arguably it's gotten harder. We've faced our own challenges this year so far, and obviously all this happened here in the Wireless Village. It's important to note that what we explain to you here took us a lot of time. We're gonna try to condense a six-hour experience into 30 minutes, but know that that is only one category of competition here in the Wireless CTF, so it's important that if you're going to compete here in the Wireless CTF you come with a team; that way other people can focus on other things. With that, also a disclaimer: what we're going to go through here is both a how-to and a how-not-to, so if you don't pick up on the cues of how not to and you go do it, we do not take responsibility for that. All right, okay.

So let's talk about the challenge. The challenge is called hide and seek, and if you were here for the intro brief, Zero explained it very well. What it is is a stationary wireless access point on 2.4 gigahertz or 5 gigahertz, but stationary is very important: it means it doesn't move, so you have to find it. But in order to find it, the only information they give you is the MAC address of that access point. That's what you start with, so that's what we're starting with. What's up? We are going to walk through how kind of we thought about this process, solving the problem, some of the assumptions that we made, how we ended up solving it, and some of the challenges that we faced. So for those of you who don't know, the MAC address for the wireless access point is six bytes of data; it's a unique identifier, and that's what we need to use to find it.

Part of the challenge is the search space that was given. If you were here for the intro earlier, that search space has gotten bigger this year, but for last year it was just here at Caesars Palace, and here's a little bit of data about Caesars Palace: there's about four thousand rooms, it spans a physical space of about sixty acres, and it's probably a conservative estimate that there are about thirty thousand people here at one time. So what that means is that's a lot of reinforced concrete, that's a lot of human bodies, a lot of interference for wireless signals, and within that whole space we're looking for one wireless access point. So you could call it a needle in a haystack and you wouldn't be wrong.

So with this there were some unknowns as we got started when competing in this challenge. It would be nice to have a little more information than just the MAC address, but there was some very critical information that we didn't know that forced us into guessing about a few things. So one of the unknowns was power: how much power is this access point broadcasting with? For reference, your standard wireless dongle that you plug into your laptop will use about half a watt, which doesn't get you very far. It would be nice if the hidden access point had more power; that way we could find it from further away. But we didn't know what the power was. We also didn't know the frequency, or the channel within that frequency, that we were looking for. Since other teams were competing, we didn't know how much time we had to actually find it. It wasn't a timed competition; the hidden access point stayed hidden until it was found. If nobody found it during DEF CON it would just go away, and no points would be awarded. And then obviously we would like a little more specific location than just Caesars Palace; that makes things very difficult.

We also made some assumptions with all this: that the access point was plugged into a power outlet, which kind of tells us maybe it's up against a wall, close to a door. And we weren't sure about the Wireless Village team, but if I were doing this I wouldn't want my access point just to walk off, so we'd want some sort of physical security in place so that wouldn't happen. So we assumed that, either by a human or by location, the access point was being physically guarded. And then obviously we assumed other teams were looking, which made it a race against the clock and a race against the other teams; we couldn't just lollygag and take our time.

So in order to do this we had to come in with a few tools. We're gonna talk about, well, the slide talks about the tools that actually helped us solve the problem. Here's the how-not-to: when we started this, we started as a team. Minnie went off in one direction, I went off in another, Ronan and Lazy Sprocket did the same. My tools were a Pwn Pad, which is a Nexus 7 with the Pwn OS installed on it, which I thought was nifty because it was a little touchscreen tablet; I'd plug in a wireless adapter and I'd be on my way. Lightweight, no need for an extra battery pack. Turns out that was the wrong choice, and you'll see why a little bit later. But what did help us out was a Raspberry Pi, and, well, we didn't build out the Raspberry Pi with like Kali Linux or even Pentoo (I'll probably get struck by lightning for saying that), but it was just plain Raspbian on the Raspberry Pi, and then we loaded the aircrack suite, which brought us airodump-ng, and that's all you need in terms of software; it's super lightweight. Hardware: we used a TP-Link 722N, which is a 2.4 gigahertz wireless adapter, and then we had two antennas. This is important, you'll see this pop up here in a second, but we had one that was omnidirectional (for those of you taking notes: omni, all around; its radiation pattern is like a doughnut), and then we had a directional antenna that was more high gain, 15 dBi of gain, that looks more like a laser, it looks more like a soda straw in terms of radiation pattern, and it reaches super far. I think I've seen five kilometers at any given time that a directional antenna can reach. The one specifically we used is a Yagi, so you saw that in the previous presentation, or you may have seen a few roaming around here. And yeah, so those were our tools.

And then we had one rule. This same rule applies this year, and I harp on this because at the end of this presentation this is something you can actually go do with just a little bit of software and maybe borrow a Raspberry Pi if you don't have one. But the one rule is: do not go on the casino floor with RF equipment. Casinos are very sensitive to that, and they will pick you up and ask you questions, and they're not nice about it. Okay.
So before we start the actual storytelling, it's important that you see the slide, or, you know, kind of read it, because I'm gonna point out a few things, and I apologize if the text is too small. But in red, what you see is the output of airmon-ng, airodump-ng excuse me. When you're sniffing for a specific access point you'll only see those two lines, so the top is just kind of the column headers, and then on the bottom, sorry, the bottom is actually the command that you run to start airodump-ng, and we're specifying the access point with the MAC address that was given to us at the beginning. If you're not near it, you're not going to see a second line of text at the top, because airodump-ng has not found the access point yet. And we begin. It also gives you an elapsed time; pay attention to that. I told you this was a long, arduous process; we're trying to condense six hours of experience into a 20-minute talk here.

So as we began, our team split up. With my Pwn Pad I grabbed a Yagi antenna, and I thought, you know what, this is super high power; in all the stories I've ever heard about DEF CON, you hear about somebody walking around with a Yagi antenna and everybody gets super scared: what's he doing, what's he trying to hack? So I thought, you know what, what better way to actually find something than to look like the hacker of the stories told. So I grabbed a Yagi, thanks to Lazy Sprocket, he had one on him, and the good thing about the Yagi is from a single location I can see a far distance, right? So that means me physically, I don't have to move around a lot, less walking. But the bad thing is that in order to get good signals you have to have line of sight to the access point that you're looking for. So I thought the best place to do that was in the middle of Caesars, in their little courtyard area, and well, that's where the pool is as well. So I walk out there with the Yagi and I start scanning all the windows, thinking I'll get into the windows and find the access point. The problem with that, though, is I am human, so there's lots of errors, and with the Yagi you kind of need to dwell in a specific area for a long period of time, and I wasn't able to do that. I was a little impatient, and it was hot outside, it's Vegas, so I kind of rushed through that, but thought I might find it super easy with less effort. I did that for about an hour and a half, then we kind of regrouped and talked about as a team how we might tackle this better, because we had already wasted an hour and a half and the other teams were probably, you know, getting close.

So Minnie and I discussed, maybe like, okay, what's a better way to do this? Well, the directional antenna is good for one thing, but maybe we need to stop being lazy and actually get on our feet and walk around. So we decided to go with the omnidirectional antenna, and all that is is just the standard one that comes with the wireless adapters that you buy, using the same airodump-ng command. And for the next two hours we walked around Caesars property; that was all around the lobbies and the hallways, and still, if you notice, there's no second line of text. So we're into this about three hours now and nothing's happened. So a lot of stuff starts running through our minds; there might have been some injuries from all the walking, and we have to figure out how do we actually solve this. And lots and lots of stairs.

Yes, so speaking of stairs, right, so we figured since this thing was powered in a stationary manner it's probably in a hotel room. We were convinced, after we had scanned the conference a couple of times, that it must have been in the tower. So that kind of led us to this assumption that we just need to walk the halls with the omni. We also had the assumption, since we were in channel-hopping mode (that's just where you're looping through the channels and constantly setting them in firmware through airodump-ng), that we'd have to, if you can picture your hotel room, if you're staying in Caesars you have four hotel rooms in a cluster, so we had to kind of sit there for a second, okay, there's nothing, go to the next cluster, and do that on every single floor. We went floor to floor, door to door, because if you think about all that steel-reinforced concrete, the signal propagation is probably going to be somewhat horizontally siloed through the door. That's just our assumption anyways, that the signal propagation wasn't going to make it through the walls very well, so we ended up just lining ourselves up at the door and hopefully catching a beacon. So five hours later, the solution is coming, but we didn't just dive into this without a little bit of math. We did understand that there were about a hundred and twenty floors that we were gonna have to walk, so we did split our team into two and did a rough version of a parallel search so that we could reduce our time. But still, after, you know, three or four hours we had no luck; we didn't get any results. airodump-ng was still showing that our adapter had not seen that MAC address, and just imagine the level of doubt you have after five hours. Like, was the omni a good choice? Was the Yagi a bad choice? Was anything powered on? I mean, that's a valid question after three hours of walking, and you kind of get into this rhythm, and the carpets have these patterns that like lull you into a sleep. You have to ask yourself these very basic questions, and one of the questions that we forgot to ask ourselves at the beginning is: is our equipment working? Well, I guess we did ask that, but we didn't really test it. Is our equipment really working? And also, crashing parties throughout Caesars Palace and getting free Red Bull and beer was definitely thought out too. Great log.

All right, so we made one mistake, and well, we made several mistakes, but this was definitely our biggest mistake. If you notice here in the output, and how many of you noticed this at the beginning? Awesome. It wasn't a typo; this was actually a copy and paste, unfortunately. So using my Pwn Pad, for whatever reason, at that point I thought to myself, for whatever reason I'm not switching to all the 2.4 gigahertz channels, which there are 14 of; I was only switching to 1 through 11. To this day I can't figure out where in the Pwn OS that is hard-coded or whatever, but doing a little bit of research and talking to the gents up here, what we did find out is that for about the last few years channels 12, 13 and 14 are restricted by the FCC because of a company called Globalstar. Globalstar is a satellite communications company that obviously does satellite communications, but they reserved channels 12, 13 and 14. The limitation is you just can't broadcast Wi-Fi, 2.4 gigahertz Wi-Fi, in high power on those channels for fear of interfering with satellites, and, you know, all the satellites that come crashing out of the sky all the time. So we think because of that the Pwn Pad was not switching into channels 12 and 13 and 14, and this is where we had our come-to-Jesus moment. We had just spent three and a half, four hours walking Caesars Palace, going onto every single floor, going door to door, drinking lots of beer, yes, eating pizza in the hallways perhaps, and what do we do at this point? We know how to fix it, because we did find some hardware that worked, the Raspberry Pi; it actually switched to channels 12 and 13. But now that we've wasted all that time, do we go back and retrace our steps and see if we missed the access point, or do we continue on with our parallel search of the towers and hope that we hadn't passed it before and have to retrace our steps?

We're also getting thoughts like, well, maybe it's outside, maybe there's an outlet outside somewhere, maybe it's in a bush, maybe it's in the parking... I thought it was in the parking garage in some guy's car. Yeah, all sorts of things. About this time it's about midnight, which to us felt like about 4:00 a.m., but it was only midnight, and we sat down to have dinner with the rest of our team, and we all kind of decided, no, we're not gonna continue on. You know, we tried for four hours, let's just not do this, and then we moved on with other things. Luckily Minnie and I drank some Red Bulls at dinner, though, and we were like, all right, we've got a few more hours in this, we can do this. So we packed up the Raspberry Pi, it's got a touchscreen on it and then a wireless dongle, and did the same thing and ran airodump-ng, and this is the same output, except this time... wrong way... this time we're on channels 1 through 13. You can see it in the top left. I guess it kind of killed the punchline here, but after two hours we had that come-to-Jesus talk again and said, look, we've been doing this for another two hours, we haven't found anything. We made it through one and a half, or two, towers at that point, going floor to floor, door to door, and we were exhausted. I don't think either one of us had walking shoes on. Bear in mind that every hallway looks exactly the same. Yes, it does. You have to look at numbers to know where you are, but even that gets confusing. Okay, come to Spice Market Buffet for dinner with us. Dang it.

So literally at the moment that we decided to give up, we look down at the Raspberry Pi, and boom, this second line, the second and third lines of text, show up. It's 2 a.m.; we should have probably gone to sleep about an hour ago, we should have stopped walking about four hours ago, and we had to kind of pinch ourselves and figure out if we were hallucinating, because we had just made this decision to stop, yet we found it. So at this point a lot of stuff goes through our heads, like okay, we found it, we're done, let's go. Now one thing we forgot to mention was that last year's rules were whoever gets a picture closest to the access point wins the points, and one of the assumptions at the beginning, or the unknowns, was: are there other teams looking for this? So what we didn't want to do was give up now and then have another team get a closer picture, like actually see the access point. All we saw was the signal; we wanted to see the box plugged into the wall. At this point we thought we were gonna be on the floor for about another 10 minutes; we basically figured we had it in the bag, right? Yeah, we wanted to go to sleep in a hurry, but for whatever reason we had some clarity and we decided to verify what we found.

A couple of the things you'll notice, and if you go try this, these are two pieces of information that will help you solve this puzzle. One is your, well, I guess three pieces, one is your search strategy, which we're showing you how poor ours was. But two is the power of the signal that you find, so if you notice in the top left you get a power reading for the signal that your adapter picked up, and it says negative 98. Well, the lower, the smaller the power, right, so the weaker the signal, so that means we're far away from the access point, or it's just a weak signal; we don't know, we only have one data point, so we need to get some more data. But the other really good piece of information is the receive quality, RXQ. Receive quality tells you how good your connection is with that access point, so a 2, and it's out of ten... a hundred, sorry, sleep. It's two out of 100, so that's really low, so that still means that it's not enough information to tell us that the access point is on this floor itself. And then of course, because the gods hate us, it's on channel 13, so chances are we scanned past this with the Yagi, or we walked past a bouncing signal at one point, and our tools just weren't set up correctly. But either way, it's 2:00 a.m., we found it.

So we go up a floor, not a slide but a floor, we go up a floor. We went down a floor too, and... oh, been there already, remember? Yeah. We were trying to catch the signal below a 2 just to verify it wasn't there. So we got two more floors, to the 43rd floor, and we catch the signal again, and this time you'll notice power is at negative 80, which is greater than negative 99, and our receive quality is 86, which is greater than 2, so we're getting closer. But that's still only two data points, and what we could do is go up another floor, and one of two things would happen: we'd either get a lower power reading, which means that the access point is on the 43rd floor, or we'd get a higher one, which means it's either on the 44th or higher. And we find that on the 44th floor it's actually lower, at negative 99, and receive quality is 4, so process of elimination, that takes us to the 43rd floor. And here's where I think that we spent the next 40 minutes, because we wanted to be absolutely sure. What Minnie was talking about earlier, we took one of our assumptions and actually verified it by going where we found this signal the strongest, going to each door at 2:00 a.m. in Las Vegas and touching the door with the antenna, and we found the power was a lot higher at a specific door. Also very hard to explain to room service while you're putting Raspberry Pis on people's doors at 2:00 in the morning. Don't worry about it, what happens in Vegas.

So the other technique that we used is body shielding. So we still had the Yagi with us, but we were using an omnidirectional antenna, and with the omnidirectional antenna, like I said, its radiation pattern is like a doughnut, so if you pick up a signal you have no idea which direction it's coming from. But you can take that omnidirectional antenna and use your body, all the flesh and water that's in here, and you put that on the antenna, just right on your chest like this, and it will block all the signals, not all of them but the majority of them, behind you, so that when you get the power reading and the receive quality it's a pretty good indication that that signal is coming from in front of you. And so we just kind of turned around like this and tried to figure out which direction we were getting the highest power from, and sure enough that led us to room 4365 in the Julius Tower at 2:00 a.m., and we tweeted this picture to the Wireless CTF. And you'll see, I think we had a power of negative 66, but this time receive quality was 100 on channel 13. Quick note: even though we resorted to the omni at this point, we still took up the Yagi directional, just pointing it down at the doors like this, to try and, you know, see if we could calibrate, or triangulate, whatever you want to call it, find the signal in a more reasonable manner, because the omni can kind of drive you insane if you're just watching the RXQ, and it was a bit of a field test for us too. And what we learned is that the Yagi doesn't really give you much more data, so if we were to do this again, which may or may not be true, we would go and start with an omnidirectional rather than the Yagi and just leave that out completely. I was like, well, I mean, with the Yagi you could also, if you had a really good line of sight from a long range, such as from another hotel, potentially pick up signals very well. Yeah, that's what Yagis are built for, long-distance transmissions. The last thing I want to mention here is that even though this was 2 a.m. when we found the signal and took this picture, we waited outside of this door for probably another 40 minutes, sitting on the floor, dozing off, hoping that whoever was in that room would come out or go in so that we could take a picture of the access point, because this is as close as we could get. We couldn't get any closer without cloning some RFID badges, which we weren't going to do. So,
lessons learned. What did we learn last year? One, you have to limit your assumptions, or at least eliminate them. There were a few that we made that were very risky. One of them, if you're keeping notes, was we used the TP-Link 722N; that is only a 2.4 gigahertz adapter. We did not start equipped with a 5 gigahertz adapter, and we could have wasted all of our time if it was a 5 gig access point. Number two, test your tools before you get here. And then number three, definitely wear comfortable shoes; I think we had blisters and lots of crazy stuff. We brute-forced this entire thing and it took us six hours; there's much smarter ways to go about doing this. For example, everywhere you go you could just collect BSSIDs, make sure you know where you went, and then when the MAC gets dropped on Twitter you search through your stash of BSSIDs and try to match it up with where you were, and go back to that spot. For the hidden access point, for the hide and seek, that works very well because it's supposed to be stationary, so you can just go back to where you were, find it, and you're good to go. Much smarter, not harder. Improve the search pattern: if you notice, we found the hidden access point on the 42nd floor, that was the first signal; we also picked it up on the 43rd, which is where it was, and then we went up to the 44th, and we could pick it up across three levels. So instead of walking floor to floor and door to door, we could have walked every second floor or every third floor, and door to door. There was like a vertical siloing, if you remember, though, in the middle: yes, like under 4365 and above 4365 we might pick it up, but like five meters down, if you were on the floor below it, not so much. Correct, the signal was only strong in the middle of the hallway, so we could have improved our search pattern. Another thing we could have done there is use the Yagi more intelligently, maybe with a three-axis motor to point and scan. And then the last thing we thought about throughout this whole time, at 2:00 a.m., we thought: what if this is a decoy? What if somebody screwed with this? What do we do? So we can neither confirm nor deny that the future work for this year includes or does not include decoys, because that would have been very disappointing if after all that time we only found a decoy, because they didn't DM us back until the morning, so we spent the whole night just tossing and turning, like, was it worth it? Yeah, I still ask myself. Okay, any questions? We're done. Did it... I don't know. Questions? All right, thanks guys. [Applause]
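As an added example, not code from the talk or from the Wireless Village, the Python below sketches the two search-strategy ideas the speakers land on: keeping a stash of every BSSID seen at each survey position so a later-announced MAC can be matched to a place already walked, and comparing PWR readings on adjacent floors to bracket the access point the way the 42/43/44 walk did, plus a check for the channels 12 and 13 gap that cost them the first four hours. The CSV column layout is assumed from airodump-ng's `--write` output; every row, position name and the target MAC are constructed placeholders. RXQ appears only in the live airodump-ng display, not in the CSV, so the stash keys on PWR alone.

```python
"""Survey helpers for hide-and-seek style rogue-AP hunting (added example).

Assumes the AP section of an airodump-ng --write CSV. All snapshot rows,
position names and the target MAC below are constructed, not real captures.
"""
import csv
import io
from collections import defaultdict

# Column header of the access-point section of an airodump-ng CSV (assumed layout).
AIRODUMP_HEADER = (
    "BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, "
    "Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key"
)
TARGET = "AA:BB:CC:DD:EE:FF"  # placeholder BSSID, not the challenge value


def _row(bssid, channel, power, essid):
    """Build one constructed AP row in the airodump-ng CSV column order."""
    return (f"{bssid}, 2017-07-29 01:50:00, 2017-07-29 01:50:30, {channel}, 54, "
            f"WPA2, CCMP, PSK, {power}, 5, 0, 0.0.0.0, {len(essid)}, {essid}, ")


# Constructed snapshots: one airodump-ng CSV dump per survey position.
SURVEY = {
    "tower-floor-42": "\n".join([AIRODUMP_HEADER,
                                 _row("DE:AD:BE:EF:00:01", 6, -55, "HotelGuest"),
                                 _row(TARGET, 13, -98, "hideAP")]),
    "tower-floor-43": "\n".join([AIRODUMP_HEADER,
                                 _row(TARGET, 13, -80, "hideAP"),
                                 _row("DE:AD:BE:EF:00:01", 6, -61, "HotelGuest")]),
    "tower-floor-44": "\n".join([AIRODUMP_HEADER,
                                 _row(TARGET, 13, -99, "hideAP")]),
}


def parse_airodump_csv(text):
    """Return the AP rows of an airodump-ng CSV as dicts (bssid, channel, power)."""
    header, rows = None, []
    for fields in csv.reader(io.StringIO(text), skipinitialspace=True):
        fields = [f.strip() for f in fields]
        if not any(fields):
            continue                      # blank separator line
        if fields[0] == "BSSID":
            header = fields               # start of the AP section
            continue
        if fields[0] == "Station MAC":
            break                         # client section follows; not needed
        if header is None:
            continue
        rec = dict(zip(header, fields))
        try:
            rows.append({"bssid": rec["BSSID"].upper(),
                         "channel": int(rec["channel"]),
                         "power": int(rec["Power"])})
        except (KeyError, ValueError):
            continue                      # malformed row: skip rather than crash
    return rows


def build_stash(survey):
    """Map BSSID -> list of (position, channel, power) over every snapshot."""
    stash = defaultdict(list)
    for position, text in survey.items():
        for ap in parse_airodump_csv(text):
            stash[ap["bssid"]].append((position, ap["channel"], ap["power"]))
    return stash


def locate(stash, mac):
    """Positions where `mac` was seen, strongest (least negative PWR) first."""
    return sorted(stash.get(mac.upper(), []), key=lambda h: h[2], reverse=True)


def bracket_floor(measure, start):
    """Climb from `start` while PWR keeps rising, then try the other direction.

    `measure(floor)` returns PWR in dBm, or None if the BSSID was not seen.
    Returns (best_floor, readings) so the cost in floors walked is visible.
    """
    readings = {start: measure(start)}
    if readings[start] is None:
        return None, readings
    best = start
    for step in (1, -1):                  # up first, then down
        floor = best + step
        while True:
            pwr = measure(floor)
            readings[floor] = pwr
            if pwr is None or pwr <= readings[best]:
                break                     # weaker or absent: passed the peak
            best, floor = floor, floor + step
    return best, readings


def missing_channels(hop_list, allowed=range(1, 14)):
    """2.4 GHz channels in `allowed` that the hop list never visits."""
    return sorted(set(allowed) - set(hop_list))


if __name__ == "__main__":
    stash = build_stash(SURVEY)
    print("target seen at:", locate(stash, TARGET))
    floors = {42: -98, 43: -80, 44: -99}  # constructed per-floor readings
    print("bracketed floor:", bracket_floor(floors.get, 42))
    print("channels never hopped:", missing_channels(range(1, 12)))
```

`bracket_floor` encodes the talk's process of elimination: keep climbing while the reading improves, stop at the first weaker or absent reading, then check the other side once. `missing_channels` is the pre-flight test the speakers wish they had run; a hop list of 1 through 11 reports 12 and 13 as never visited.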