WIRELESS VILLAGE - Hunting Rogue APs*

Formal Metadata

Title
WIRELESS VILLAGE - Hunting Rogue APs*
Subtitle
Hard Lessons
Number of Parts
322
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Given the challenge of locating a static Access Point this presentation highlights our strategy, pitfalls, and success.
Transcript: English (auto-generated)
I wanted to introduce this next speaker because, quite frankly, I rejected his talk outright. He submitted "I'm gonna teach you how to fox hunt." That was it, that was the whole submission, like one, almost a sentence, and the whole team said, "Well, maybe, maybe you should let him talk," and I'm like, "I'll email him something mean and see what he comes back with." He came back with a fully fleshed-out presentation, including slides, that was actually half decent, and I said, "Well, he's more prepared for anything than I've ever been, so I guess I'll let him talk." Todd, everybody.

Thank you very much, appreciate it, Zero. So Zero's not lying; I think I may have broken a record for CFP submission accepted with the... So, how's it going, everyone? Hopefully you're doing well. It's story time. My name's Todd Parody, this is Mini, and we're gonna tell you kind of the experience we had last year hunting for rogue access points, or competing in the Wireless CTF challenge known as Hide and Seek. Just like Zero said, neither Mini nor myself are on drugs right now; we're just on very little sleep, because we're also competing this year. Joining us last year were Ronan and Lazy Sprocket; they're over there competing right now. Everybody wave at them and say hello. No love? Come on, give them some love. All right, those are good guys. Do you want to check that mic real quick? We'll do a mic check and then we'll get started. Check. All right, awesome.

Okay, hunting rogue APs. AP stands for access point, and what we say, or go off on tangents on, in here does not reflect the views of our employers. This is about last year, not this year. This is important because this year the rules for hunting the rogue access points, or competing in the Wireless CTF, have changed; arguably it's gotten harder. We've faced our own challenges this year so far, and obviously all this happened here in the Wireless Village. It's important to note that what we explain to you here took us a lot of time. We're gonna try to condense a six-hour experience into thirty minutes, but know that that is only one category of competition here in the Wireless CTF, so it's important that if you're gonna compete here in the Wireless CTF that you come with a team; that way other people can focus on other things. With that, also a disclaimer: what we're gonna go through here is both a how-to and a how-not-to, so if you don't pick up on the cues of how not to, and you go do it, we do not take responsibility for that. All right.

Okay, so let's talk about the challenge. The challenge is called Hide and Seek, and if you were here for the intro brief, Zero explained it very well. What it is: it's a stationary wireless access point on 2.4 GHz or 5 GHz. "Stationary" is very important; it means it doesn't move, so you have to find it. But in order to find it, the only information that they give you is the MAC address of that access point. That's what you start with, so that's what we're starting with. What's up? We are going to walk through how, kind of, we thought about this process, solving the problem, some of the assumptions that we made, how we ended up solving it, and some of the challenges that we faced.

So for those of you who don't know, the MAC address for the wireless access point is six bytes of data. It's a unique identifier, and that's what we need to use to find it. Part of the challenge is the search space that was given. If you were here for the intro earlier, that search space has gotten bigger this year, but for last year it was just here at Caesars Palace, and here's a little bit of data about Caesars Palace: there's about four thousand rooms, it spans a physical space of about sixty acres, and it's probably a conservative estimate that there are about thirty thousand people here at one time. So what that means: that's a lot of reinforced concrete, that's a lot of human bodies, a lot of interference for wireless signals, and within that whole space we're looking for one wireless access point. So you could call it a needle in a haystack and you wouldn't be wrong.

So with this there were some unknowns as we got started competing in this challenge. It would be nice to have a little more information than just the MAC address, but there was some very critical information that we didn't know that forced us into guessing about a few things. So one of the unknowns was power: how much power is this access point broadcasting with? For reference, your standard wireless dongle that you plug into your laptop will use about half a watt, which doesn't get you very far. It would be nice if the hidden access point had more power; that way we could find it from further away. But we didn't know what the power was. We also didn't know the frequency, or the channel within that frequency, that we were looking for. Since other teams were competing, we didn't know how much time we had to actually find it. It wasn't a timed competition; the hidden access point stayed hidden until it was found. If nobody found it during DEF CON it would just go away, or no points would be awarded. And then obviously we would like a little more specific location than just Caesars Palace; that makes things very difficult.

We also made some assumptions with all this: that the access point was plugged into a power outlet, which kind of tells us maybe it's up against a wall, close to a door. And we weren't sure about the Wireless Village team, but if I were doing this I wouldn't want my access point just to walk off, so we'd want some sort of physical security in place so that that wouldn't happen. So we assumed that, either by a human or by location, the access point was being physically guarded. And then obviously we assumed other teams were looking, which made it a race against the clock and a race against the other teams; we couldn't just lollygag and take our time.

So in order to do this we had to come in with a few tools. We're gonna talk about... well, the slide talks about the tools that actually helped us solve the problem. Here's the how-not-to: when we started this, we started as a team. Mini went off in one direction, I went off in another, Ronan and Lazy Sprocket did the same. My tools were a PwnPad, which is a Nexus 7 with PwnOS installed on it, which I thought was nifty because it was a little touchscreen tablet and I'd plug in a wireless adapter and I'd be on my way. Lightweight, no need for an extra battery pack. Turns out that was the wrong choice, and you'll see why a little bit later. But what did help us out was a Raspberry Pi. We didn't build out the Raspberry Pi with, like, Kali Linux or even Pentoo (I'm probably gonna get struck by lightning for saying that), but it was just plain Raspbian on the Raspberry Pi, and then we loaded the aircrack-ng suite, which in terms of software is super lightweight. Hardware: we used a TP-Link 722N, which is a 2.4 GHz wireless adapter, and then we had two antennas. This is important; you'll see this pop up here in a second. We had one that was omnidirectional (for those of you taking notes: omni, all around; its radiation pattern is like a donut), and then we had a directional antenna that was more high-gain, 15 dBi of gain, that looks more like a laser, it looks more like a soda straw in terms of radiation pattern, and it reaches super far. I think I've seen 5 kilometers at any given time that a directional antenna can reach. The one specifically we used is a Yagi, so you saw that in the previous presentation, or you may have seen a few roaming around here. And yeah, so that was our tools.

And then we had one rule. This same rule applies this year, and I harp on this because at the end of this presentation this is something you can actually go do with just a little bit of software and maybe borrow a Raspberry Pi if you don't have one. But the one rule is: do not go on the casino floor with RF equipment. Casinos are very sensitive to that, and they will pick you up and ask you questions, and they're not nice about it.

Okay, so before we start the actual storytelling, it's important that you see the slide, or, you know, kind of read it, because I'm gonna point out a few things, and I apologize if the text is too small. But in red, what you see is the output of airmon-ng... airodump-ng, excuse me, when you're sniffing for a specific access point. You'll only see those two lines, so the top is just kind of column headers, and then on the bottom... sorry, the bottom is actually the command that you run to start airodump, and we're specifying the access point with the MAC address that was given to us at the beginning. If you're not near it, you're not gonna see a second line of text at the top, because airodump has not found the access point yet. And as we begin, it also gives you elapsed time. Pay attention to that. I told you this was a long, arduous process; we're trying to condense six hours of experience into a twenty-minute talk here.

So as we began, our team split up. With my PwnPad I grabbed a Yagi antenna and I thought, you know what, this is super high power. All the stories I've ever heard about DEF CON, you hear about somebody walking around with a Yagi antenna and everybody gets super scared: you know, what's he doing, what's he trying to hack? So I thought, you know, what better way to actually find something than to look like a hacker of stories told? So I grabbed a Yagi, thanks to Lazy Sprocket; he had one on him. And the good thing about the Yagi is that from a single location I can see a far distance, right? So that means me, physically, I don't have to move around; a lot less walking. But the bad thing is that in order to get good signals you have to have line of sight to the access point that you're looking for. So I thought the best place to do that was in the middle of Caesars, in their little courtyard area, and that's where the pool is as well. So I walk out there with the Yagi and I start scanning all the windows, thinking I'll get into the windows and find the access point. The problem with that, though, is I am human, so there are lots of errors, and with the Yagi you kind of need to dwell in a specific area for a long period of time, and I wasn't able to do that. I was a little impatient and it was hot outside; it's Vegas. So I kind of rushed through that, but thought I might find it super easy with less effort, and did that for about an hour and a half.

Then we kind of regrouped and talked about, as a team, how we might tackle this better, because we had already wasted an hour and a half and the other teams were probably, you know, getting close. So Mini and I discussed, maybe, like, okay, what's a better way to do this? Well, the directional antenna is good for one thing, but maybe we need to stop being lazy and actually get on our feet and walk around. So we decided to go with the omnidirectional antenna, and all that is is just the standard one that comes with the wireless adapters that you buy, using the same airodump command, and for the next two hours we walked around Caesars' property. That was all around the lobbies and the hallways, and still, if you notice, there's no second line of text. So we're into this about three hours now and nothing's happened. So a lot of stuff starts running through our minds. There might have been some injuries from all the walking, and we have to figure out how do we actually solve this. And lots and lots of stairs. Yes.

So, speaking of stairs, right, so we figured since this thing was powered in a stationary manner it was probably in a hotel room. We were convinced, after we had scanned the conference floor a couple of times, it must have been in the tower. So that kind of led us to this assumption that we just need to walk the halls with the omni. We also had the assumption, since we were in channel-hopping mode (that's just where you're looping through the channels and constantly setting them in firmware through airodump), that we'd have to... if you can picture your hotel room, if you're staying in Caesars, you have four hotel rooms in a cluster, so we had to kind of sit there for a second, okay, there's nothing, go to the next cluster, and do that on every single floor. We went floor to floor, door to door, because if you think about all that steel-reinforced concrete, the signal propagation is probably going to be somewhat horizontally siloed through the door. That's just our assumption, anyway, that the signal probably wasn't going to make it through the walls very well, so we ended up just lining ourselves up at the door and hopefully catching a beacon.

So, five hours later, the solution is coming. We didn't just dive into this without a little bit of math. We did understand that there were about a hundred and twenty floors that we were going to have to walk, so we did split our team into two and did a rough version of a parallel search so that we could reduce our time. But still, after, you know, three or four hours, we had no luck. We didn't get any results; airodump was still showing that our adapter had not seen that MAC address. And just imagine the level of doubt you have after five hours: like, was the omni a good choice? Was the Yagi a bad choice? Was anything powered on? I mean, that's a valid question after three hours of walking, and you kind of get into this rhythm, and the carpets have these patterns that, like, lull you into a sleep. You have to ask yourself these very basic questions, and one of the questions that we forgot to ask ourselves at the beginning is: is our equipment working? Well, I guess we did ask that, but we didn't really test it. Is our equipment really working? Also, crashing parties throughout Caesars Palace and getting free Red Bull and beer was definitely... shout-out to Graylog.

All right, so we made one mistake, and, well, we made several mistakes, but this was definitely our biggest mistake. If you notice here in the output... and how many of you noticed this at the beginning? Awesome. Yeah, it wasn't a typo; this was actually a copy and paste, unfortunately. So, using my PwnPad, for whatever reason, at that point I thought to myself, for whatever reason, I'm not switching to all the 2.4 GHz channels, of which there are 14. I was only switching to 1 through 11. To this day I can't figure out where in PwnOS that is hard-coded or whatever. But doing a little bit of research and talking to the gents up here, what we did find out is that for about the last few years, channels 12, 13 and 14 are restricted by the FCC because of a company called Globalstar. Globalstar is a satellite communications company that obviously does satellite communications, but they reserve channels 12, 13 and 14. The limitation is you just can't broadcast 2.4 GHz Wi-Fi in high power on those channels for fear of interfering with satellites, and, you know, all the satellites that come crashing out of the sky all the time. So we think because of that the PwnPad was not switching into channels 12 and 13 and 14, and this is where we had our come-to-Jesus moment. We had just spent three and a half, four hours walking Caesars Palace, going onto every single floor, going door to door, drinking lots of beer, yes, eating pizza in the hallways perhaps, and what did we do at this point? We know how to fix it, because we did find some hardware that worked: the Raspberry Pi. It actually switched to channels 12 and 13. But now that we've wasted all that time, do we go back and retrace our steps and see if we missed the access point, or do we continue on with our parallel search of the towers and hope that we hadn't passed it before and have to retrace our steps? We're also getting thoughts like, well, maybe it's outside, maybe there's an outlet outside somewhere, maybe it's in a bush, maybe it's in some guy's... maybe it's in the parking... I thought it was in the parking garage in some guy's car. Yeah, all sorts of things. About this time it's about midnight, which to us felt like about 4 a.m., but it was only midnight, and we sat down to have dinner with the rest of our team, and we all kind of decided, no, we're not going to continue on; you know, we tried for four hours, let's just not do this. And then we moved on with other things.

Luckily, Mini and I drank some Red Bulls at dinner, though, and we were like, all right, we've got a few more hours in this, we can do this. So we packed up the Raspberry Pi (it's got a touchscreen on it) and then a wireless dongle, and do the same thing and run airodump, and this is the same output, except this time... oop, wrong way... this time we're on channels 1 through 13; you can see it in the top left. And I guess I kind of killed the punch line here, but after two hours we had that come-to-Jesus talk again and said, look, we've been doing this for another two hours, we haven't found anything. We made it through one and a half more towers at that point, going floor to floor, door to door, and we were exhausted. I don't think either one of us had walking shoes on. Bear in mind that every hallway looks exactly the same. Yes, it does. You have to look at numbers to know where you are, but even that gets confusing. Okay, come to the Spice Market Buffet for dinner with us, dang it. So, literally at the moment that we decided to give up, we looked down at the Raspberry Pi and, boom, the second line, the second and third lines of text, show up. It's 2 a.m. We should have probably gone to sleep about an hour ago; we should have stopped walking about four hours ago, and we had to kind of pinch ourselves and figure out if we were hallucinating, because we had just made this decision to stop, yet we found it.

So at this point a lot of stuff goes through our heads, like, okay, we found it, we're done, let's go. Now, one thing we forgot to mention was that last year's rules were whoever gets a picture closest to the access point wins the points, and one of the assumptions at the beginning, or the unknowns, was: are there other teams looking for this? So what we didn't want to do was give up now and then have another team get a closer picture, like actually see the access point. All we saw was the signal; we wanted to see the box plugged into the wall. At this point we thought we were going to be on the floor for about another ten minutes; we basically figured we had it in the bag, right? Yeah. We wanted to go to sleep in a hurry, but for whatever reason we had some clarity and we decided to verify what we found. A couple of other things you'll notice, and if you go try this, these are two pieces of information that will help you solve this puzzle. Well, I guess three pieces. One is your search strategy, which we're showing you how poor ours was. But two is the power of the signal that you find. So if you notice, in the top left you get a power reading for the signal that your adapter picked up, and it says negative 98. Well, the lower, the smaller the power, right, so the weaker the signal. So that means we're far away from the access point, or it's just a weak signal; we don't know, we only have one data point, so we need to get some more data. But the other really good piece of information is the receive quality, RXQ. Receive quality tells you how good your connection is with that access point, so it's 2, and it's out of 10... 100, sorry, sleep. It's 2 out of 100, so that's really low. So that still means that it's not enough information to tell us that the access point is on this floor itself. And then of course, because the gods hate us, it's on channel 13, so chances are we scanned past this with a Yagi, or we walked past a bouncing signal at one point, and our tools just weren't set up correctly. But either way, it's 2 a.m., we found it.

So we go up a floor (not a slide, but a floor). We go up a floor... we went down a floor too, and we hit... even though we had been there already, remember. Is that what we did first? Yeah, we were trying to catch the signal below it too, just to verify it wasn't there. So we go up two more floors to the 43rd floor and we catch the signal again. This time you'll notice power is at negative 80, which is greater than negative 99, and our receive quality is 86, which is greater than 2, so we're getting closer. But that's still only two data points, and what we could do is go up another floor, and one of two things would happen: we'd either get a lower power reading, which means that the access point is on the 43rd floor, or we'd get a higher one, which means it's either on the 44th or higher. And we find that on the 44th floor it's actually lower, at negative 99, and receive quality is 4, so process of elimination: that takes us to the 43rd floor. And here's where I think we spent the next 40 minutes, because we wanted to be absolutely sure, and what Mini was talking about earlier: we took one of our assumptions and actually verified it by going where we found this signal the strongest, going to each door at 2 a.m. in Las Vegas and touching the door with the antenna, and we found the power was a lot higher at a specific door. Also, very hard to explain to room service why you're putting Raspberry Pis on people's doors at two in the morning. Don't worry about it; what happens in Vegas...

So the other technique that we used is body shielding. So we still had the Yagi with this, but we were using an omnidirectional antenna, and with the omnidirectional antenna, like I said, its radiation pattern is like a donut, so if you pick up a signal you have no idea which direction it's coming from. But you can take that omnidirectional antenna and use your body, all the flesh and water that's in here, and you put that omni antenna right on your chest like this, and it will block all the signals... not all of them, but the majority of them, behind you, so that when you get the power reading and the receive quality it's a pretty good indication that that signal's coming from in front of you. And so we just kind of turned around like this and tried to figure out which direction we were getting the highest power from, and sure enough, that led us to room 4365 in the Julius Tower at 2 a.m., and we tweeted this picture to the Wireless CTF. You'll see, I think we had a power of negative 66, but this time receive quality was 100, on channel 13.

Quick note: even though we had resorted to the omni at this point, we still took up the Yagi directional, and we're just pointing them down at the doors like this to try and, you know, see if we could calibrate, or triangulate, whatever you want to call it, find the signal in a more reasonable manner, because the omni can kind of drive you insane if you're just watching the RXQ. It was a bit of a field test for us too, and what we learned is that the Yagi doesn't really give you much more data. Yeah. So if we were to do this again, which may or may not be true, we would go and start with an omnidirectional rather than the Yagi and just leave that out completely. Well, I mean, with the Yagi you could also, if you had a really good line of sight from a long range, such as from another hotel, potentially pick up signals very well. Yeah, and that's what Yagis are built for, long-distance transmissions. The last thing I want to mention here is that even though it was 2 a.m. that we found the signal and took this picture, we waited outside of this door for probably another 40 minutes, sitting on the floor, dozing off, hoping that whoever was in that room would come out or go in so that we could take a picture of the access point, because this is as close as we could get. We couldn't get it any further without cloning some RFID badges, which we weren't going to do.

So, lessons learned. What did we learn last year? One: you have to limit your assumptions, or at least eliminate them. There were a few that we made that were very risky. One of them, if you're keeping notes, was we used the TP-Link 722N; that is only a 2.4 GHz adapter. We did not start equipped with a 5 GHz adapter, and we could have wasted all of our time if it was a 5 GHz access point. Number two: test your tools before you get here. And then number three: definitely wear comfortable shoes. I think we had blisters and lots of crazy stuff. We brute-forced this entire thing and it took us six hours. There are much smarter ways to go about doing this. For example, everywhere you go, you could just collect BSSIDs, make sure you know where you went before, and when the MAC gets dropped on Twitter you search through your stash of BSSIDs and try to match up with where you were, and go back to that spot for the hidden access point. For the Hide and Seek, that works very well because it's supposed to be stationary, so you can just go back to where you were, find it, and you're good to go. Much smarter, not harder. Improve the search pattern: if you notice, we found the hidden access point on the 42nd floor; that was the first signal. We also picked it up on the 43rd, which is where it was, and then we went up to the 44th, and we could pick it up across three levels. So instead of walking floor to floor and door to door, we could have walked every second floor or every third floor, and door to door. There was, like, a vertical siloing, if you remember, though. In the middle, yes. Like, under 4365 and above 4365 we could pick it up, but, like, five meters down, if you were on the floor below it, not so much. Correct, the signal was only strong in the middle of the hallway. So we could have improved our search pattern. Another thing we could have done there is used the Yagi more intelligently, maybe with a three-axis motor to point and scan. And then the last thing we thought about throughout this whole time is, at 2 a.m. we thought, what if this is a decoy? What if somebody's screwing with us? What do we do? So we can neither confirm nor deny that the future work for this year includes or does not include decoys, because that would have been very disappointing if after all that time we only found a decoy. Because they didn't DM us back until the morning, so, like, we spent the whole night just tossing and turning, like, was it worth it? I still ask myself that question. Okay, any questions? We're done. Do do do do do do. I have no questions. All right. Thanks, guys.
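The two techniques the speakers end on, a location-tagged stash of every BSSID you have walked past and the go-up-one-floor, go-down-one-floor power comparison that settled them on the 43rd floor, are mechanical enough to script. The following is an added example written for this page, not code from the talk or from the Wireless CTF organisers. It reads the CSV files airodump-ng writes (`--output-format csv`, with the channel range set explicitly so the tool is not silently stuck on 1-11 as the PwnPad was), keeps one sighting record per BSSID per location, answers "where did I see this MAC, strongest first?", and flags whether the strongest floor is a confirmed local peak. Every BSSID, location name, power value and the `floor NN` naming convention below is a constructed assumption; the CSV layout is airodump-ng's standard one.

```python
"""Location-tagged BSSID stash for the Wireless Village "hide and seek" hunt.

Added example, not code from the talk. Assumed capture command per location
(the channel range matters: the talk's PwnPad never hopped to 12/13):

    sudo airodump-ng --channel 1-13 --output-format csv --write floor43 wlan1mon

All BSSIDs, locations and power values below are constructed sample data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

AP_HEADER = ("BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, "
             "Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key")
STA_HEADER = "Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs"


@dataclass(frozen=True)
class Sighting:
    location: str
    channel: int
    power: int   # dBm as airodump-ng reports it; closer to 0 is stronger
    essid: str


def parse_airodump_csv(text):
    """AP rows of an airodump-ng .csv as dicts; the station section is skipped.
    ESSIDs may contain commas, so the ESSID is rebuilt from every field
    between ID-length and the trailing Key column."""
    aps, in_ap_section = [], False
    for line in text.splitlines():
        if line.startswith("BSSID,"):
            in_ap_section = True
            continue
        if line.startswith("Station MAC,"):
            break
        if not in_ap_section or not line.strip():
            continue
        raw = line.split(",")
        if len(raw) < 15:
            continue  # truncated row: airodump-ng rewrites the file while running
        aps.append({"bssid": raw[0].strip().upper(), "channel": int(raw[3]),
                    "power": int(raw[8]), "essid": ",".join(raw[13:-1]).strip()})
    return aps


class Stash:
    """Every BSSID ever seen, with where it was seen and how strongly."""

    def __init__(self):
        self._seen = defaultdict(list)

    def add_capture(self, location, csv_text):
        for ap in parse_airodump_csv(csv_text):
            self._seen[ap["bssid"]].append(
                Sighting(location, ap["channel"], ap["power"], ap["essid"]))

    def lookup(self, bssid):
        """Sightings of one BSSID, strongest first; -1 means airodump-ng had no reading."""
        hits = [s for s in self._seen.get(bssid.strip().upper(), []) if s.power != -1]
        return sorted(hits, key=lambda s: s.power, reverse=True)


def readings_by_floor(sightings):
    """floor number -> strongest power on that floor, from an assumed 'floor NN' tag."""
    by_floor = {}
    for s in sightings:
        m = re.search(r"floor (\d+)", s.location)
        if m:
            floor = int(m.group(1))
            by_floor[floor] = max(by_floor.get(floor, -999), s.power)
    return by_floor


def strongest_floor(power_by_floor):
    """Floor with the strongest reading, and whether it is a confirmed local peak:
    both neighbouring floors sampled and both weaker (the speakers' up-one, down-one check)."""
    best = max(power_by_floor, key=power_by_floor.get)
    confirmed = all(f in power_by_floor and power_by_floor[f] < power_by_floor[best]
                    for f in (best - 1, best + 1))
    return best, confirmed


def constructed_capture(aps):
    """Text in airodump-ng's CSV layout from (bssid, channel, power, essid) tuples.
    Constructed sample data for this example, not a real capture."""
    lines = ["", AP_HEADER]
    for bssid, channel, power, essid in aps:
        lines.append(f"{bssid}, 2018-08-11 01:50:12, 2018-08-11 01:52:40, {channel:>3}, "
                     f" 54, WPA2, CCMP, PSK, {power:>4}, 120, 0, 0. 0. 0. 0, "
                     f"{len(essid):>3}, {essid}, ")
    lines += ["", STA_HEADER, "12:34:56:78:9A:BC, 2018-08-11 01:50:12, "
              "2018-08-11 01:52:40, -70, 5, (not associated), ", ""]
    return "\r\n".join(lines)


TARGET_BSSID = "DE:AD:BE:EF:13:37"   # constructed stand-in for the announced MAC
HOTEL_BSSID = "02:11:22:33:44:55"    # constructed: a hotel AP seen on several floors

SAMPLE_CAPTURES = {   # powers mirror the talk's -98 / -80 / -99 floor readings
    "Forum Tower floor 20": constructed_capture([(HOTEL_BSSID, 6, -55, "CaesarsGuest,Lobby")]),
    "Julius Tower floor 42": constructed_capture([(HOTEL_BSSID, 6, -70, "CaesarsGuest,Lobby"),
                                                 (TARGET_BSSID, 13, -98, "")]),
    "Julius Tower floor 43": constructed_capture([(TARGET_BSSID, 13, -80, "")]),
    "Julius Tower floor 44": constructed_capture([(TARGET_BSSID, 13, -99, "")]),
}

if __name__ == "__main__":
    stash = Stash()
    for where, capture in SAMPLE_CAPTURES.items():
        stash.add_capture(where, capture)
    hits = stash.lookup(TARGET_BSSID)
    for s in hits:
        print(f"{s.power:>4} dBm  ch{s.channel:<2}  {s.location}")
    floor, confirmed = strongest_floor(readings_by_floor(hits))
    print(f"strongest floor: {floor}, local peak confirmed: {confirmed}")
```

In use you would call `add_capture` once per CSV as you walk, naming the file after the spot, and run `lookup` the moment the target MAC is announced; `strongest_floor` returning `confirmed=False` is the cue to sample the missing neighbouring floor rather than declare victory on a single hit, which is exactly the mistake the speakers say they nearly made at 2 a.m.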