RECON VILLAGE - Mapping wifi networks and triggering on interesting traffic patterns

Video in TIB AV-Portal: RECON VILLAGE - Mapping wifi networks and triggering on interesting traffic patterns

Formal Metadata

RECON VILLAGE - Mapping wifi networks and triggering on interesting traffic patterns
Alternative Title
Mapping wifi networks for interesting traffic patterns
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Sure, WiFi hacking has been around for a while, and everyone knows about tools like airmon-ng, kismet, et al. But what if you just want to view a list of all networks in your area AND see all devices connected to each network? Or maybe you want to know who's hogging all the bandwidth (and maybe deauth them if they use too much)? Or, what if you want to know when a certain someone's cell phone is nearby. Or perhaps you'd like to know if your Airbnb host's IP Camera is uploading video to the cloud? For all these use-cases, I've developed a new tool called "trackerjacker". In this talk, we'll use this tool to explore some of the surprisingly-informative data floating around in the radio space, and you'll come away with a new skill point or two in your radio hacking skill tree, as well as a new magical weapon… I mean tool.
...but now for Caleb. I'm gonna hand it to him for his comprehensive talk on mapping Wi-Fi networks and triggering on interesting traffic patterns. Without further ado, Caleb.

Thank you. So as she said, my name is Caleb. I work at Mandiant/FireEye on the incident response R&D team; that's my day job. So if the Mandiant consultants are like ninjas, like Uma Thurman, I'm kind of the sword maker who makes their swords. Remember that guy's name in the movie? Anyone? No? Thank you, what's that... Hattori Hanzo, that's right.

So I like fuzzy things in life, like that dog, but also fuzzy graphs and math that is fuzzy. I find I like it when I have to kind of pull the signal out of the noise, and one of the things I like about that is that if you get into the real world, almost everything is fuzzy. So if you're looking at image recognition, text recognition, voice recognition, or going out and touching things in the physical world, like with SDR, you have to use mathematics a lot, and kind of that fuzzy math. I come from a programming background, and I think it's cool programming computers and stuff, but it's even more interesting when you can move things around in the physical world and kind of reach out and touch it, at least to myself.

So kind of a precursor to this talk, or something that led up to it: I kind of got into IoT stuff before I knew it's called IoT. I did a Raspberry Pi cam security system, and that was one thing that led me into this talk. The other was, you know, wireless hacking is fun. I've been doing different kinds of it for a while. I used to do the TCP, you know, layer 3 and 4 stuff, and then I did a little bit with SDR at the lower layer, and this talk is kind of on layer 2, the data link. I kind of ignored this layer for a while because I thought it seemed kind of boring, because the data you get at layer 2, the data link layer, in 802.11 is roughly this: you get the source MAC, the destination MAC, the SSID, the frame type, but then the rest of the data is encrypted. So it kind of seemed boring in the past, but then I started looking at it, and you can infer a lot of other interesting data if you're tracking over time and inferring various things. So, you know, the time is implied; it's not in the frame.

So I had this problem initially that led me to thinking about this stuff. I had a Canary IP camera and I have a weak security system, and they don't talk to each other. I wanted the camera, if it's on motion when it was armed, to trigger the sirens in my security system, but they didn't talk. So I had this problem, and I'm a Pythonista, you know, if I had a fever and the only prescription was more Python. That's how I usually solve things that bore me, and the solution was this program I wrote called trackerjacker. It's open source, it is also pip installable, and this is the tool that I used to solve that problem.

So my thinking was, let me go to a video. I decided I had to record this because I didn't want to bring my own security system to DEF CON and do a live demo with it and then go back home and plug it into my house. So I videoed this, but basically the concept was: since it's an IP camera, if it detects motion it's gonna have to upload that to the cloud. So I can just look for a threshold of bytes, like if I see more than half a megabyte in 10 seconds, assume that it's uploading a video, which would mean it's probably detected motion, and from there I was able to call this script to then trigger my sirens. So this is kind of the proof of concept with that. I don't think we have good sound. So this is the siren, and then this is the camera, and they don't talk to each other. So basically, move into the camera's field of view and you'll see the trackerjacker program print something, and then right after that you'll see the siren go on.

So that was kind of my proof of concept, and that made me pretty excited, but something about it also kind of freaked me out, because I realized, you know, I didn't even have to be on the wireless network to detect that. I could just... because you're in monitor mode, so you're not connected to the network. So conceivably, if I had a neighbor and they were doing this, or if it were me and I had a neighbor, I could probably see if they have any IP cameras. You know, I could look at their MAC address and from that ascertain, with some probability, maybe if it's Nest it might be a camera. Well, you could see if that's detecting motion even if you're not in the same house, even if you're not connected to that network. So that was kind of an interesting surprise.

A little side note with that: I was testing this out with this camera and I started noticing it was detecting motion, where I was getting triggers, even when it was unarmed; the camera was in home mode. That was a little freaky, because in theory if it's in home mode it's not recording video, but it turned out it was. I didn't call them out though, because they actually had a setting to disable that, but it seemed a little bit gray, kind of, to me.

So I want to actually show you trackerjacker live. It's running right here on my Ubuntu VM. So trackerjacker has two kinds of parts. One is the mapping functionality, the other is this trigger functionality. So triggering the security camera is the trigger functionality, but the mapping functionality basically maps out... it scans every channel and it captures basically all the packets it can, and it builds the relationship map between every access point. So it lists everyone on every network. Let me show you the data. So I've been scanning here at Recon Village, so it shows you every SSID, and then under that each node in that network, so each BSSID, and then under each BSSID you see all the devices connected to that. So it's kind of like nmap, but for the wireless radio waves, because it'll build every relationship that it sees, and you get the vendor, if it's there, the signal strength, the bytes received, all that kind of stuff. So you can really get a good idea of what's on every network and whether they're active. So that was solving a problem that I saw, because I didn't see a good way with many other tools to get that exhaustive list, at least in a nice format, maybe in a GUI. But that was kind of a motivation.

So a little bit, real quick, on how this works from a radio perspective. A few basic things that probably most people know. Let me ask: how many of you are familiar with 802.11? Okay, yeah, okay, well let's go over it briefly then. So you have these various channels, channel 1, channel 6, channel 11, and those simply correspond to predefined radio frequencies. So you have your 2.4 GHz range channels, then you have your 5 GHz range channels. Obviously the radio, it's just radio. I recently was doing a lot of ham radio stuff, where it's layer 1 stuff, and so coming back and looking at Wi-Fi, it was interesting to think of it as kind of just radio.

Ultimately, a note about monitor mode. You may be familiar with promiscuous mode, where you could do this if you're on a network and you want to just say, give me all the traffic I see. Normally it filters out frames that are not for your MAC address, but with promiscuous mode you can say, give me everything that you see. Monitor mode is a little different than that, and I wanted to clarify it. With monitor mode you basically put your adapter into a pretty much pure radio mode, and it receives frames from every network on that particular channel that it's on. So it's not associated with any Wi-Fi network or anything like that, and it can receive from all of them.

So another demo I wanted to show: I wanted to give an idea of the plugin
system a little bit. So I've got this pretty sweet plugin system, and it's just very simple Python code. Let me make that bigger. So this is what a plugin looks like. Let me ask this: how many people here know basic Python programming? Okay, maybe 40%. So for those who know Python, the plugin API is really nice. There's no inheritance or anything like that; there's just your top-level class called Trigger, and you'd have an init method and a call method, and basically all of the various metadata, or data about every packet, is put into this function. So the device ID is like the MAC address, the vendor would be like Apple, the interface that it was on, the power level, and so you can take that in your Python code and just write all kinds of various plugins.

So one example... okay, I'll start with this one. So again, these are kind of to respond to virtually any kind of traffic pattern you could think of. So you could respond to a threshold of bytes, like I did for the camera one, but you could also say, if I see any device that's closer than -50 dBm in power, so within a certain range, and if you see that then do something, or you could focus on a particular MAC address. So anyway, one example plugin: imagine that you want to do a deauth attack. Let's say you really hate Apple and you want to deauth every Apple device in range. Well, that's a traffic pattern, you know, you can look at it based on... because we do the lookup for the vendor based on the OUI, so we can look at that and say, okay, that's an Apple device, and so respond. So let me demo that. I don't know if there's any Apple devices within range, but oh, it looks like there is. So everyone it sees that it gets all the data on, it will deauth, and we should see that pop up there. We are... do y'all think so? Probably so. We won't leave that running for very long.

So how many of you guys have tried to do a deauth with aircrack before? Okay, so if you've done it you know that you have to specify the BSSID, the node that it's on, the MAC address, all that kind of stuff. And so what if you deauth someone? Well, probably they'll jump over to another node and then you'd have to do another scan, fill in the information, and launch the attack again. So this does that kind of automatically, because every time something pops up it's gonna just respond. So if you have it looking for a particular MAC address, it'll pop up anywhere, and then trackerjacker was, you know, the author... so don't run that for very long, and if you do, maybe limit the power. So you can do this based on the power, so say only within some range. Actually I think I did that, so they probably didn't deauth people outside of this room. But that's an example of having a traffic pattern and then being able to respond to it.

Oh, I was gonna show you a different demo as well. So this one, this one's not very useful; it's more to demonstrate what the plugin API is kind of capable of. So this is just showing the top X devices in terms of closeness. So that's kind of what aircrack does, so it's not new interesting functionality, but I thought it was kind of cool because it kind of shows you can do quite a variety of different types of things with trackerjacker with the plugins, if it's based on traffic patterns. And let's see, yeah, one other demo. This one I want to demonstrate with a really simple... so this plugin here, count_apples. So this basically just says every time I see an Apple computer that's unique, then print it out. And there we are. So it's doing something kind of useful, even for a really small plugin, and it's kind of a really simple example you could work from. Oh, actually I had modified this to show other people; I actually put a power range on that. So let me see, I actually want to see what it is if I get rid of that. Yeah, that's more like it, and this is actually a really short range antenna.

So I think I mentioned it, but the output file is a YAML file, so it's kind of cool because it's both the database for trackerjacker as well as the human readable output, but it's also kind of the interop, because you can easily write a program that parses YAML. Actually, let me see if I have that. So have you guys seen the "Marv was here" Wi-Fi? No? So this guy, I think it's like this running joke someone told me about, but people have this network and it says "Marv was here", like a lot of variants of it. So I wrote a program to filter Marv out, because I was wanting to know how many SSIDs there were. So yeah, there are 50 Marv SSIDs, but I wanted to show that because this is just an example of what a script would look like to parse the YAML, pretty reasonably short.

Okay, I also wanted to mention environment. So I have not run this on Windows; if you would like to see it on Windows, please submit a PR. It's got basic macOS support, but it's mostly Linux. So some of the basic stuff runs on Mac, but it's mostly been tested on Linux, so Kali, Ubuntu, Raspberry Pi. And then as far as adapters go, typically it's better to use an external adapter, as most of you probably know for this kind of stuff. I really like... there's this one I have, the Panda PAU09, and the PAU07 is nice too, but they're both small and they're both dual-band and they work with Linux without configuration and they support injection and monitor mode, which is nice.

And then as far as takeaways: it's interesting to look at wireless again and realize, oh yeah, even though we have this concept of private networks and all that, it's still just radio, ultimately, and there's only so much you can do with radio to conceal radio waves. The protocols have to be all written in a way where they have to have some of that information public; there's not a good fix for that. Also, a takeaway is that it's really trivial to track you based on your Wi-Fi. Most of your smartphones, if Wi-Fi is on, are broadcasting their MAC address everywhere you go, and I think there was a Snowden reveal about the government doing that, and I think it came out recently, maybe stores are doing that to track people or something like that. But it really is not theoretical; it's very simple and really difficult to prevent. You can keep your Wi-Fi off when you're traveling around and that's gonna cut down on being tracked where you're at, but if you connect with your phone to your home Wi-Fi every time, if someone was looking, they could see if you're there or not with high confidence. It's just annoying because there's not really something good to do about that; there's not a good fix. Also, as I said, it's kind of cool that there's actually interesting information that can be attained even at layer 2. We have this new tool, trackerjacker; feel free to try it, negative feedback is welcome as well as positive, and if you write any cool plugins, give me a PR and we'll add it in. And I think that's it, so thank you. [Applause]
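As an added example, not trackerjacker's own code and not shown in the talk: a plugin in the shape the speaker describes (a top-level Trigger class with an init method and a call method) that implements the camera-upload byte threshold from the demo, with the vendor and signal-strength filters he mentions for the deauth plugin. The keyword argument names (dev_id, vendor, power, num_bytes), the injectable clock, and the sample readings are assumptions made for this example, not trackerjacker's documented interface; check the project's README for the real argument names before using it as a real plugin.

```python
import time
from collections import deque


class Trigger:
    """Byte-threshold trigger with optional vendor and signal-strength filters.

    Shape modelled on the talk: a top-level Trigger with __init__ and __call__,
    called by the host once per evaluation period with that device's metadata.
    The keyword names dev_id/vendor/power/num_bytes are ASSUMED for this example;
    anything else the host passes (iface, ssid, bssid, ...) lands in **kwargs.
    """

    def __init__(self, byte_threshold=500_000, window_s=10.0,
                 vendor_filter=None, min_power=None, clock=time.monotonic):
        self.byte_threshold = byte_threshold  # bytes within the window that mean "uploading"
        self.window_s = window_s              # sliding window length, seconds
        self.vendor_filter = vendor_filter    # OUI vendor substring, e.g. "Apple"; None = any
        self.min_power = min_power            # dBm floor, e.g. -50; weaker signals ignored; None = any
        self.clock = clock                    # injectable so the logic can be tested offline
        self._history = {}                    # dev_id -> deque of (timestamp, num_bytes)
        self.fired = []                       # (dev_id, bytes_in_window, timestamp) per firing

    def _passes_filters(self, vendor, power):
        if self.vendor_filter is not None:
            if vendor is None or self.vendor_filter.lower() not in vendor.lower():
                return False
        if self.min_power is not None:
            # dBm is negative: -40 is stronger (closer) than -60, so "closer than -50" means power >= -50
            if power is None or power < self.min_power:
                return False
        return True

    def __call__(self, dev_id=None, vendor=None, power=None, num_bytes=0, **kwargs):
        """Return True when this device crossed the byte threshold inside the window."""
        if not self._passes_filters(vendor, power):
            return False
        now = self.clock()
        window = self._history.setdefault(dev_id, deque())
        window.append((now, int(num_bytes)))
        while window and now - window[0][0] > self.window_s:
            window.popleft()  # age out readings older than the window
        total = sum(b for _, b in window)
        if total > self.byte_threshold:
            self.fired.append((dev_id, total, now))
            window.clear()  # one burst fires once; a new burst must re-cross the threshold
            return True
        return False


# Constructed sample readings, not a real capture: (seconds, dev_id, vendor, power_dBm, bytes)
SAMPLE_READINGS = [
    (0.0,  "aa:bb:cc:00:00:01", "Canary", -48, 12_000),   # idle keepalive traffic
    (5.0,  "aa:bb:cc:00:00:01", "Canary", -47, 15_000),
    (10.0, "aa:bb:cc:00:00:01", "Canary", -47, 300_000),  # motion: clip upload starts
    (13.0, "aa:bb:cc:00:00:01", "Canary", -46, 320_000),  # > 500 kB inside 10 s: fire
    (15.0, "aa:bb:cc:00:00:01", "Canary", -46, 150_000),  # tail of the burst, no second alarm
    (20.0, "dd:ee:ff:00:00:02", "Apple",  -62, 900_000),  # a neighbour's laptop: vendor filter drops it
]


def run_camera_scenario(readings=SAMPLE_READINGS):
    """Feed the constructed readings through the trigger and return every firing."""
    fake_clock = {"now": 0.0}
    trig = Trigger(byte_threshold=500_000, window_s=10.0, vendor_filter="Canary",
                   min_power=-55, clock=lambda: fake_clock["now"])
    for secs, dev_id, vendor, power, nbytes in readings:
        fake_clock["now"] = secs
        trig(dev_id=dev_id, vendor=vendor, power=power, num_bytes=nbytes, iface="wlan1mon")
    return trig.fired


if __name__ == "__main__":
    for dev_id, total, when in run_camera_scenario():
        print(f"t={when:5.1f}s {dev_id}: {total} bytes in window, likely upload; hook the siren here")
```

The window is cleared after a firing so a multi-second upload raises one alarm rather than one per evaluation period, and the signal-strength check compares against the dBm floor in the right direction (a device at -40 dBm passes a -50 dBm floor, one at -60 dBm does not), which is the same range limit the speaker used to keep the deauth demo inside the room.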