
RECON VILLAGE - Mapping wifi networks and triggering on interesting traffic patterns


Formal Metadata

Title
RECON VILLAGE - Mapping wifi networks and triggering on interesting traffic patterns
Alternative Title
Mapping wifi networks for interesting traffic patterns
Number of Parts
322
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Sure, WiFi hacking has been around for a while, and everyone knows about tools like airmon-ng, kismet, et al. But what if you just want to view a list of all networks in your area AND see all devices connected to each network? Or maybe you want to know who’s hogging all the bandwidth (and maybe deauth them if they use too much)? Or, what if you want to know when a certain someone’s cell phone is nearby. Or perhaps you’d like to know if your Airbnb host’s IP Camera is uploading video to the cloud? For all these use-cases, I’ve developed a new tool called “trackerjacker”. In this talk, we’ll use this tool to explore some of the surprisingly-informative data floating around in the radio space, and you’ll come away with a new skill point or two in your radio hacking skill tree, as well as a new magical weapon… I mean tool.
Transcript: English (auto-generated)
But now for Caleb. I'm going to hand it over to him for his comprehensive talk on mapping Wi-Fi networks and triggering on interesting traffic patterns. And without further ado, Caleb. Thank you. Hello. So as she said, my name is Caleb. I work at Mandiant/FireEye on the incident response R&D team. That's my day job.
So if the Mandiant consultants are like ninjas like Uma Thurman, I'm kind of the sword maker who makes their swords. I can't remember what that guy's name is in the movie. Anyone know? Thank you. That's right. So I like fuzzy things in life. Like that dog. But also like fuzzy graphs and
math that is fuzzy. I find I like when I have to kind of pull the signal out of the noise.
And one of the things I like about that is because if you get into the real world, almost everything is fuzzy. So if you're looking at image recognition, text recognition, voice recognition, or going out and touching things in the physical world, like with SDR, you have to use mathematics a lot and kind of that fuzzy math.
And I come from a programming background, and I think it's cool programming computers and stuff, but it's even more interesting when you can move things around in the physical world and kind of reach out and touch it. At least to myself. So kind of a precursor to this talk or something that led up to it. I kind of
got into IoT stuff before I knew it was called IoT. I did like a Raspberry Pi security system. And that was one thing that led me into this talk. And the other was wireless hacking is fun. I've been doing different kinds for a while. I used to do the TCP layer 3 and 4.
And then I did a little bit with SDR at the lower layer, and then this talk is kind of on layer 2, the data link. And I kind of ignored this layer for a while because I thought it seemed kind of boring.
You know, because the data you get at layer 2, at the data link layer is in 802.11, it's roughly this. You get the source MAC, the destination MAC, the SSID, the frame type, but then the rest of the data is encrypted. So it kind of seemed boring in the past, but then I started looking at it, and you can infer a lot of other interesting data if you're tracking over time and implying various things.
But the time is implied. It's not in the frame. So I had this problem initially that led me to thinking about this stuff. I had a Canary IP camera, and I have a Wink security system, and they don't talk to each other.
And I wanted the camera, if it saw motion, it was armed, to trigger the sirens in my security system. But they didn't talk. So I had this problem, and as a Pythonista, you know, I had a fever, and the only prescription was more Python.
That's how I usually solve things that bore me. And the solution was this program I wrote called TrackerJacker. It's open source, it is also pip installable.
And this is the tool that I used to solve that problem. So my thinking was, let me go to a video, I decided I had to record this because I didn't want to bring my own security system to DEF CON and do a live demo with it, and then go back home and plug it into my house.
So I videoed this, but basically the concept was, since it's an IP camera, if it detects motion, it's going to have to upload that to the cloud. So I can just look for a threshold of bytes, like if I see more than half a megabyte in 10 seconds, assume that it's uploading a video, which would mean it's probably detected motion.
And from there I was able to call this script to then trigger my sirens. So this is kind of the proof of concept with that. So I'm going to just, I don't think we have good sound, so this is the siren, and then this is the camera that doesn't talk to each other.
So basically I move into the camera's field of view, and you'll see the TrackerJacker program print something, and then right after that you'll see the siren go off.
So that was kind of my proof of concept, and made me pretty excited. But something about it also kind of freaked me out, because I realized I didn't even have to be on the wireless network to detect that.
I could just, because you're in monitor mode, so you're not connected to the network. So conceivably, if I had a neighbor, and they were doing this, or if it were me and I had a neighbor, I could probably see if they have any IP cameras,
I could look at their MAC address, and from that ascertain with a probability, maybe if it's Nest, it might be a camera. Well you could see if that's detecting motion, even if you're not in the same house, even if you're not connected to that network.
So that was kind of an interesting surprise. A little side note with that, I actually, I was testing this out with this camera, and I started noticing it was detecting motion, or I was getting triggers even when it was unarmed. The camera was in home mode.
And that was a little freaky, because in theory if it's in home mode it's not recording video, but it turned out it was. I didn't call them out though, because they actually had a setting to disable that, but it seemed a little bit gray, kind of, to me. So I want to actually show you TrackerJacker in the live.
So it's running right here on my Ubuntu VM, and so this is performing, TrackerJacker has two kinds of parts. One is the mapping functionality, the other is this trigger functionality. So like triggering the security camera is the trigger functionality.
But the mapping functionality is, it basically maps out, it scans every channel, and it captures basically all the packets it can, and it builds the relationship map between every access point, so it lists everyone on every channel,
and then it shows every, well let me show you the data. So I've been scanning here at Recon Village. So it shows you every SSID, and then under that each node in that network, so each BSSID. And then under each BSSID, you see all the devices connected to that.
So it's kind of, you know, it's kind of like Nmap, but for the wireless radio waves. Because it'll build every relationship that it sees. And you know, you get the vendor if it's there, the signal strength, the bytes received, all that kind of stuff.
So you can really get a good idea of what's on every network, and are they active, you know. So that's kind of, you know, that was solving a problem that I saw, because I didn't see a good way with many other tools to get that exhaustive list.
At least in a nice format. Maybe in a GUI, but that was kind of a motivation. So a little bit real quick on how this works from a radio perspective. So a few basic things, probably most people know.
Let me ask, how many of you are familiar with 802.11? Okay, yeah, okay, let's go over briefly then. So you know, you have these various channels, channel 1, channel 6, channel 11,
and those simply correspond to radio frequencies, to predefined radio frequencies. And so you have your 2.4 GHz range channels, and you have your 5 GHz range channels. Obviously the radio, it's just radio, I recently was doing a lot of ham radio stuff,
and layer 2 stuff, or layer 1 stuff, and so coming back and looking at Wi-Fi, it was interesting to think of it as kind of just radio, you know. And ultimately, a note about the monitor mode. So you may be familiar with promiscuous mode, where you could do this,
if you're on a network, and you want to just say give me all the traffic I see, normally it filters out frames that are not for your MAC address. But with promiscuous mode, you can say give me everything that you see. Monitor mode is a little different than that, and I wanted to clarify it. So monitor mode, you basically put your adapter into pretty much pure radio mode.
And it receives every, it receives frames from every network on that particular channel that it's on. And so it's not associated with any Wi-Fi network or anything like that. And it can receive from all of them.
So, another demo I wanted to show. I wanted to give an idea of the plugin system a little bit. So I've got this pretty sweet plugin system, and it's just very simple Python code.
Let me make that bigger. So this is what a plugin looks like. So you basically just have, let me ask this. How many people here know basic Python programming? Okay. Maybe 40%.
So, for those who know Python, the plugin API is really nice. You write, you know, there's no inheritance or anything like that. There's just, you have your top level class called trigger, and you have an init method and a call method. And basically, all of the various metadata or data about every packet is put into this function.
So the device ID is like the MAC address, the vendor would be like Apple, you know, the interface it was on, the power level. And so you can take that in your Python code and just write all kinds of various plugins.
So one example, okay, I'll start with this one. So, again, these are kind of to respond to virtually any kind of traffic pattern you could think of. So you could respond to a threshold of bytes like I did for the camera one, but you could also say if I see any device that's closer than negative 50 dBm in power,
so within a certain range. And if you see that, then do something. Or you could focus on a particular MAC address. So anyway, one example plugin is, imagine that you want to deauth attack. Let's say you really hate Apple and you want to deauth every Apple in range.
Well, that's traffic pattern. You can look at it based on the, you know, because we did look up for the vendor based on the OUI. So we can look that up and say, okay, that's an Apple device and so respond.
So let me demo that. So it's just, I don't know if there's any Apple devices with it in range, but, oh, it looks like there is. So everyone it sees that it gets all the data on, it will deauth.
And we should see that, oh, there we are. Deauth things on. Probably. So we won't leave that running for very long. But it's, so how many of you guys have tried to do a deauth with Aircrack before?
Okay. So if you've done it, you know that you have to specify like the BSSID, you know, the node that it's on, MAC address, all that kind of stuff. And so what if you deauth someone? Well, probably they'll jump over to another node and then you'd have to do another scan, fill in the information, launch the attack again. So this does that kind of automatically because it's, you know,
every time something pops up, it's going to just respond. So, you know, if you have it looking for a particular MAC address, it'll pop up anywhere and then TrackerJacker would, you know, deauth it. So don't run that for very long. And if you do, maybe limit the power. So you can do this based on the power.
So say only within some range. Actually, I think I did that for, so it probably didn't deauth people outside of this room. But that's an example of, you know, having a traffic pattern and then being able to respond to it. Let's see. Oh, I was going to show you a different demo as well.
So this one, this one's not very useful. It's kind of, it's more to demonstrate what the plugin API is kind of capable of. So this is kind of just showing, you know,
the top X devices and that in terms of closeness. So that's kind of what like Aircrack does. So it's not new, interesting functionality. But I thought it was kind of cool because it kind of shows you can do quite a variety of different types of things with TrackerJacker with the plugins if it's based on traffic patterns.
And let's see. Yeah, I'll demo. One other demo, this one is, I want to demonstrate what a really simple,
so this plugin here, count apples. So this, you know, it basically just says every time I see an Apple computer, unique, that's unique, then print it out.
So it's doing something kind of useful. You know, even for a really small plugin, it's doing something kind of useful. And it's kind of a really simple example you could work from. Oh, actually I had modified this to show other people. I actually put a power range on that.
So let me see. I actually want to see what it is if I get rid of that. Yeah, that's more like it.
And this is actually a really short range antenna. So I think I mentioned it, but the output file, you know, it's a YAML file.
So it's kind of cool because it's both the database for TrackerJacker as well as the human readable output, but it's also kind of the interop, an interop, because, you know, you can easily write a program that parses YAML.
Actually, let me see if I have that still. Have you guys seen the, Marv was here, Wi-Fi? No. So this guy, I think it's like this running joke. Someone told me about it. But people have this network and it says Marv was here, like a lot of variants of it. So I programmed it to filter Marv out
because I was wanting to know how many SSIDs there were. So yeah, there was 50 Marv SSIDs.
But I wanted to show that because, you know, this is just an example of what a script would look like that could parse the YAML. Pretty, well, reasonably short. Okay, I also wanted to mention environment.
So I have not run this on Windows. If you would like to see it on Windows, please submit a PR. It's got basic macOS support, but it's mostly Linux. So it does run, some of the basic stuff runs on Mac, but it's mostly been tested on Linux.
So Kali, Ubuntu, Raspberry Pi. And then as far as adapters go, typically it's better to use an external adapter, as most of you probably know for this kind of stuff. I really like the, like there's this one I have,
the Panda PAU-09. And the 07 is nice too. But it's, you know, they're both small and they're both dual band. And they both, they work with Linux without configuration and they support like injection and monitor mode, which is nice.
And then as far as takeaways, you know, it's interesting to look at wireless again and realize, oh yeah, even though we have this concept of private networks and all that, it's still, it's just radio ultimately. And there's only so much you can do with radio,
to conceal radio waves. You know, the protocols have to be, are written in a way where they have to have that, some of that information public. There's not, you know, a good fix for that. It's also, a takeaway is it's really trivial
to track you based on your Wi-Fi. Most of your smartphones, you know, if it's on Wi-Fi, they're broadcasting their MAC address everywhere you go. And I think there was a Snowden reveal about the government doing that. And I think it came to light recently, maybe stores are doing that to track people
or something like that. But it really is not like a theoretical caveat, so very simple and really difficult to prevent. You know, you can keep your Wi-Fi off when you're traveling around and that's gonna cut down on being tracked where you're at.
But like, you know, if you connect with your phone to your home Wi-Fi, every time, if someone was looking, you know, they could see if you're there or not with a high confidence. I, you know, it's just annoying because there's not really something good to do about that.
There's not a good fix. Also, as I said, you know, it's kind of cool, there's actually interesting information that can be attained even at layer two. We have this, there's this new tool, TrackerJacker. Feel free to try it. Negative feedback is welcome, as well as positive. And if you write any cool plug-ins,
you know, give me a PR and we'll add it in. And I think that's it. So thank you.
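The traffic-pattern trigger the talk describes (bytes per device over a time window, optionally narrowed by the vendor derived from the MAC OUI or by received power) is sketched below as an added, stand-alone Python example. It is not code from the talk, from this page, or from the trackerjacker project, and the class name, parameter names and the small OUI table are assumptions made here for illustration; they are not the tool's actual plugin API or a real OUI database. The frames are constructed sample data standing in for the per-frame metadata a monitor-mode capture would yield.

```python
"""Sliding-window byte-threshold trigger over 802.11 frame metadata.

Added example, not trackerjacker's code. Models the camera-upload detector from
the talk: a device that sends more than ~0.5 MB within 10 seconds is assumed to
be uploading video (i.e. has probably detected motion), and the trigger fires.
"""
from collections import defaultdict, deque

# Constructed OUI (first three octets) -> vendor table for this example only.
# A real deployment would use the IEEE OUI registry; these values are assumed.
OUI_VENDORS = {
    "18:b4:30": "Nest",
    "ac:bc:32": "Apple",
}


def vendor_for(mac):
    """Look the MAC's OUI up in the (constructed) vendor table."""
    return OUI_VENDORS.get(mac.lower()[:8], "Unknown")


class ByteThresholdTrigger:
    """Fire once per device when it exceeds `threshold` bytes within `window` s.

    Hypothetical plugin-style interface: one call per observed frame.
    """

    def __init__(self, threshold=512_000, window=10.0, vendors=None, min_power=None):
        self.threshold = threshold      # bytes
        self.window = window            # seconds
        self.vendors = vendors          # set of vendor names, or None for any
        self.min_power = min_power      # dBm; ignore weaker devices if set
        self.history = defaultdict(deque)  # mac -> deque of (ts, num_bytes)
        self.totals = defaultdict(int)     # mac -> bytes currently in window
        self.last_fired = {}               # mac -> ts of last fire (cooldown)

    def __call__(self, ts, dev_id, num_bytes, power=None):
        """Return True if this frame tips dev_id over the threshold."""
        mac = dev_id.lower()
        if self.vendors and vendor_for(mac) not in self.vendors:
            return False
        if self.min_power is not None and (power is None or power < self.min_power):
            return False

        q = self.history[mac]
        q.append((ts, num_bytes))
        self.totals[mac] += num_bytes
        # Drop frames that have fallen out of the sliding window.
        while q and ts - q[0][0] > self.window:
            _, old = q.popleft()
            self.totals[mac] -= old

        if self.totals[mac] > self.threshold:
            last = self.last_fired.get(mac)
            # Cooldown: a sustained upload should fire once, not every frame.
            if last is None or ts - last > self.window:
                self.last_fired[mac] = ts
                return True
        return False


def replay(frames, trigger):
    """Feed (ts, src_mac, num_bytes, power) frames to the trigger in time order.

    Returns the list of (ts, mac) events at which the trigger fired.
    """
    fired = []
    for ts, mac, num_bytes, power in sorted(frames):
        if trigger(ts, mac, num_bytes, power):
            fired.append((ts, mac.lower()))
    return fired


# Constructed sample: a camera idling (small keepalives), then uploading for 8 s,
# plus a nearby phone with steady, fairly heavy traffic and a weaker signal.
SAMPLE_FRAMES = [
    *[(t, "18:b4:30:aa:bb:cc", 1_500, -55) for t in range(0, 10)],
    *[(10 + t, "18:b4:30:aa:bb:cc", 120_000, -55) for t in range(0, 8)],
    *[(t, "ac:bc:32:11:22:33", 60_000, -70) for t in range(0, 18)],
]


if __name__ == "__main__":
    for ts, mac in replay(SAMPLE_FRAMES, ByteThresholdTrigger(vendors={"Nest"})):
        print(f"t={ts}s {mac} ({vendor_for(mac)}) exceeded upload threshold")
```

With the vendor filter set to Nest only the camera fires (at the point where more than 512 kB has been seen within 10 s); without any filter the phone's steady 60 kB/s also crosses the threshold, which is why narrowing by OUI or by received power, as the talk suggests for the deauth plugin, matters before acting on a trigger.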