Okay, DEF CON 24 wireless capture the flag. This is our 13th DEF CON that we've been running wireless, starting back in DEF CON 11 when the wireless war drive started. Guy named Pete Shipley. Yeah, we're wearing a ShmooCon shirt. I do hack charities. It's fun. Sorry. Bow to my firewall. Those that get it, get it; those that don't, it's funny. So anyway, so they started a wireless war drive after Pete Shipley's talk on NetStumbler about 10, 11, 12, 13 years ago. Chris Hurley, guy goes by Roamer, started it as an actual contest in Las Vegas. It covered all of Las Vegas. It was really, really kick-ass, those that were there. Wow. If you ever see Dragorn, the guy that wrote Kismet, thank him for writing NetStumbler. Hashtag bad, hashtag bad DEF CON advice. He will kill you.

So that being said, this is the next iteration of the wireless capture the flag. These are all brand new challenges. So those who have played before: sorry, this is all different now. Those that don't have knowledge: you're gonna learn a lot. We want people to play that have never played before, because we do this to teach people. That's the main reason we're even here at DEF CON at all, is to teach people. We're at DEF CON, we're at ShmooCon, we're at 13 or 14 BSides a year, Derby. Yeah, we do about 20 conferences a year doing this type of contest and teaching so that people can get a feel for what wireless looks like. Anybody heard of IoT? You know what IoT is? It's wireless. It's wireless. Welcome to wireless, rebranded. People forgot about wireless security for about 10 years. It was really ugly. We never stopped because we enjoyed it. We had fun with it. Now all of a sudden Josh and General's in the room. Wow. He always has an antenna on a Jack Daniels bottle. It's always a lot of fun. What's really fun is, as he's losing during the capture the flag, that Jack Daniels goes down, the antenna goes up.
It's weird. So this is our iteration this year. I have to do this one first, sorry, but feel free. We are not lawyers; consult a lawyer if you have any questions about anything in the RF spectrum. There are people here that are no longer here after doing wireless shit already this year, and by not here, they're standing behind these poles. It's weird. They get really well-fed though, so that's good. If you have any questions, FCC.gov is a great site for anything RF. If you're trying to broadcast, go next door and get your ham radio license and then come back. Do not frequency jam. Broad spectrum jamming is illegal everywhere. There is nothing good about it. And sadly you're typically jamming yourself unless you're really, really good at what you do, and it's still physics and you're jamming yourself. So do yourself a favor. Don't eat us the air that gets picked up really fast by those black helicopters that you keep seeing leaving the airport. They're not really black or red, I think. And us, we're monitoring for all this as well because we want to keep you guys out of trouble. That's our goal, is to give you a place to play, beat the crap out of RF, wireless, Zigbee, SCADA. God, I can't even name all the things that we're running.

So that being said, if it feels wrong, it probably is. We authorize you to attack our networks and we'll give you what those networks are in a minute. This is a secure network. So by playing and attaching to the network, you consent to whatever happens. Play for fun, but play at your own risk. The stuff that you guys can do to us, we've probably already thought of and we can do it back, but we can do it really well and knock you down. We've also got equipment that will knock down half this hotel. So that being said, have fun, but play good. Now under the fun: those that don't know what a capture the flag is, this is a wireless capture the flag, unlike the big capture the flag downstairs.
We're not asking you to solve puzzles. This isn't a whole lot of weird kind of crypto-ish deep level stuff, and we're not asking you to hack the Gibson. What we are giving you is real life, real normal things that you're gonna run into as you're working, doing stuff, learning about things, but in a legal place to do it, and it gives you the opportunity to be able to work with each other. It'll give you the opportunity to work with each other to learn in a very good way. So like if you get stuck on the particular thing at home or anything like that, this is the place to be able to find someone, go, "Hey, how the hell do I do this?" because we all happen to be here. So de-authenticating packets is not jamming, first and foremost. It is a necessary capability in doing wireless work. Wi-Fi works specifically, when there's a whole bunch of you doing it you get a lot better results than when one of you is doing it, so you're gonna get good results off the capture the flag just by sitting here and just sniffing the air for a while. First hint. This can be done with about forty dollars worth of equipment. It can also be done with four thousand to ten thousand dollars worth of equipment. But ultimately we make everything so that you can do it with forty dollars worth of equipment. You might not be as fast.
You might not be, you know, blazing speed, but you can still compete in about 90 percent-ish. We've got a couple things that do require some equipment because, hey, this is DEF CON. There are clues everywhere. We talk about them on a regular basis. Pay attention to us. WCTF desk over there. @WCTF_US is all throughout this briefing. That's our Twitter handle. We're blasting stuff out on a regular basis: schedules, talks, capture the flag information, when the foxes are leaving, when the hide-and-seeks are starting, and some other stuff. If you have a question, ask. We'll determine if we want to answer it. Early in the conference we typically will help people that we know probably aren't going to be competing to win. Try and social engineer us, feel free. Later in the contest, as certain people start having the same questions over and over again, that's when we start actually helping, because it's going to help the group as opposed to helping like an individual team that's playing.

To score, you submit flags. The flags are in transmissions. They're decoupling video. They're demodulating signals. They're breaking crypto of the wireless itself. So WPA, WEP, ZB I, yeah, a whole lot of stuff. And then once you capture the flag, submit it right away. Some of the challenges are timed, so the points go down as you're working through it. Scoreboard will be up as soon as we start and it'll be up throughout the duration of the contest. You'll see how you're doing and what flags are taken, but I know. What is CTF. So resources: sdr.ninja. Sorry, Russ is one of the gods of this stuff. He does a lot of research. He puts a lot of stuff up and he also stands on the shoulder of gods. I took that from your talk. To get giants, gods, whatever. Guys like Michael Ossmann, guys like Balint Seeber, blah blah blah blah blah. These guys have been building this stuff, starting this stuff, working with groups like Ettus back in the corner.
Hey guys. To get you guys the best information we possibly can. WCTF.us is where we have all of our resources for the capture the flag, for the Wireless Village: the schedule, the scoreboard, references, all of our past in-briefs where it's given gear advice, what you should bring, how you should do it, how to capture the flag. The sig id wiki, which is the first time I've ever done that right in a talk, is also a really good place to start. If you see a signal in a software-defined radio and you don't know what it is, somebody's probably seen that signal before and has posted it, and you can actually look at the signal. You can look at the FFT and see what it's supposed to look like, and you can compare it to what you found.

Gear. So this talk right here, I think we have a laser. Yeah, look at that. WCTF docs, BSides DC 2015 in-brief, has our full gear: here's what you should have, here's what you should bring. How to CTF. So I just capture the flag this year. We have officially over a hundred flags for challenges this year. It's the most we've ever done. We're doing that because we've had a lot of requests for a lot of things, and we've tried to incorporate as much that we could legally. We also have 25 additional flags that are available for different acts of hackery. If you guys do something really cool in the room and you can prove it to us, or we see the results of it on someone else's system in the air, we're gonna give you points just because you did something really, really cool. Or yes. Or negative points if you do something super douchey. If you do something super douchey, we're gonna use discretionary points to knock you down. And the challenges range from 72 megahertz to 5.8 gigahertz. So the challenges. So these are the coins over the years. We do coins every year. The winner of the contest will actually get the 2017-2016 coin. We do three for first place, three for second, three for third. So if you play, you get a coin there. These are challenge coins, the first copper challenge coin
we've ever seen, so we said, hell, what the hell, let's make one. And we have a Star Wars theme this year, hence the Empire, the modified Imperial symbol, and our village.

So budget your time. Challenges don't have to be solved in order. If you find something in the air, pick it up and take it. Difficulty ranges literally from easy to insane. Easy is something that your computer will do for you. If you just monitor the air, your computer with the right tool will just take care of it for you. Easy points. Up to insane, where you need to find something that's inside of Russ's head that's broadcasting off of a Raspberry Pi. Pay attention to details. If you see something, investigate it. We're sending the strongest signals in this area, minus a couple cell towers and a couple other things that are real. But if you find something that's really interesting, you're gonna probably have a good chance to look into it. But don't dwell on the problem. If you have a question, ask us. Ask questions, learn, have fun, and then check Twitter regularly. Again, Twitter handle @WCTF_US. That's got everything that we tweet on a regular basis. Thanks to our blonde hair buddy over there, Mark. Say hi, Mark. All right. 22 days since he CTF.

So mobile challenges. We have challenges that have to be accomplished in the room, or within the radius of the room, or within sightline of the RF.
We also have mobile challenges, and this year we're doing a lot of them because people seem to enjoy them. This conference, if you haven't figured it out yet, is two hotels, 25,000 bodies of water walking around, and we're hiding RF signals in and on those people. So day one, Fox and Hound. Fox and Hounds, one of the oldest running contests at DEF CON. We will give out the ESSID and MAC address at 11:30 on Friday, 10:30 on Saturday and 9 o'clock on Sunday via Twitter. You need to find the Fox, and what the Fox is, is a person carrying a beacon, a radio or something on them that you need to track down and find. When you find it, you go up and say, "Excuse me." Notice I didn't touch him. "Excuse me, are you the Fox?" Only on Saturdays. If it is the Fox, they have to say yes. They will tell you that they're the Fox. But yeah, so we've got a lot of these, so that's why we post these slides. You go up to the Fox. You see the Fox. They're gonna say yes. They will hand you something. You bring that thing back to us. It's 750 points per Fox. Just getting the Foxes could potentially win the conference for you. If you've got people that are getting the Foxes and competing in the challenges, you guys are gonna do really, really well. So that's the first Fox.

Hide-and-seek. We take the exact same concept and we hide the device. This is really similar to things that law enforcement, military, CI, FBI, NSA, EIEO does, where they have to go find a device that somebody's planted inside of a location. Again, two hotels. Everything that the conference has access to is in play. So we accept the, yes, the space that the conference is running in but not the casino floor. Thanks. Yes. If it's in somebody's room, you take a picture of the room. If it's in a conference area, take a picture of the table. The hide-and-seek.
You don't have to bring us the device. You just have to bring a picture that shows that you were where the device is. We'll tell you if you're close enough. Typically you need to be within a couple meters for it to be accurate. If you're a room or two off and nobody else finds it that day, we'll typically give the closest person. But typically you need to give us the actual room or both or sofa or lamp or curtain. I mean, we're pretty, pretty tricky with these.

Bluetooth Fox and Hound. Rick, Mr. Kass, Mr. The Plague, Mr. The Plague. The slides are so tiny. Where's my clicker? Ha ha. So we decided that too many people were finding the Fox and Hound quickly, so he said fuck you and we're doing Bluetooth Low Energy. And yeah, I'm sorry in advance. We're going to tweet out some information about how you can track with the unique identifiers, and then good fricking luck. Same rules apply. Don't be holding a giant-ass antenna in the middle of the casino floor, that they will get cranky, and I will instruct all the foxes not to be in those areas. So fox hunt: there will be three difficulties, easy, medium, and fuck off. No, no, no, I saved that word. Yeah, so Bluetooth Low Energy is what most of you probably have on your body right now: fitness bands, smartwatches, things like that. Bluetooth Low Energy is used for the Internet of shit things, the Internet of Things. It's IoT garbage and it's just absolutely everywhere.
I did a talk yesterday about a new tool called Blue Hydra. It's open-source and it's in the latest Pentoo release. Pentoo and Pentoo, Pentoo, Pentoo. Pentoo might help. So yeah, you probably want to use a nice tool, especially if you're going for the hard one, because good luck. Yeah, so Bluetooth Low Energy, I'm not gonna give away too much today, but there might be more hints tomorrow, depending on how terribly you all do. So easy, and then a medium, and then a 750 point. This is gonna be a lot of fun. Bluetooth hide-and-seek: same general idea. Somewhere it will be hidden. It will be either in the con area or in the hotel area. Yeah, that's two hotels, have fun. Bluetooth Low Energy goes how far? Ah, you know, 30 feet. Yeah, it'll be fun for all, but 750 points, and that's not gonna go down. So that's definitely worth an awful lot in the capture the flag. So good luck. Yes, wow, that is wet.

Anyways, so I've got a software-defined radio Fox for everyone to go out and try to look for the, it is transmitting at, where is it? I think I said it was 70 megahertz. 72 megahertz, that's right. It's transmitting at 72 megahertz. It beeps 10 times and then it plays the song "What Does the Fox Say?" And it just goes back and forth, back and forth. Same spaces as normal are in play. The Fox is released every day at about 10 o'clock, depending on whether or not the Fox remembers to turn themselves on. Yeah, but they should be. Yeah, anyways, so with the SDR Fox, instead of asking them "Are you the Fox?" you ask them "What does the Fox say?" and they are expecting that question to be asked of them, and they will give you an answer, and that answer is written on a piece of paper, and that piece of paper is the flag for that answer. Please do me the extra favor of just, like, bring the kit back up, because inside of that whole thing is your ability to score. So the SDR Fox, that's what it's doing. I think it's out in the moment, or rather will be turned on in a moment. The Fox has already been released.
Yes. So anyways, that's pretty much it as it relates to that. Pay attention to the Twitter account for any last minute updates or issues along those lines.

So the other fun challenge is the duck hunt that I've brought back this year. So the duck hunt: there's a transmitter on the table over there that burps out a packet in AFSK every once in a while going "quack". And you have to find, I think I got the frequency up there, if not you have to find it. Yeah, on this one you have to go find it. Technically it's easy to find, but once you see that quack, what you need to do is essentially run this type of command at the bottom, in the very most simplest form, if all you got is a Raspberry Pi to transmit with or anything along those lines, but you need to send a "bang", and if it decodes that bang correctly, it's going to burp back an MD5 hash. That hash is your duck. That's what you use to submit for points. So every hour there's another duck flying, and for every hour it's 50 points per duck. If you shoot too many times, in other words if it can't decode bang correctly every time, I think I have it set to five right now, so if it can't decode, if you're just banging it. Raising, yeah. So the duck will fly away, you will hear the Nintendo dog laugh at you, and it'll just stop caring for whatever happens for the next five to ten minutes, and at random on the interval for that, so you just have to wait for the bang again. The antenna system on it is a little bit mismatched, so think of it as an actual duck hunt: you have to use something very directional or get really, really close, like an actual shotgun and duck hunting. So that is the duck hunt explained. It's just in this room as opposed to be roaming around the conference area. Yeah, that didn't work out too well. That was just, roaming was too hard. And I think that's everything I want to say. Your regret to that. I do have a write-up on sdr.ninja about more details, technical information on it, if you need to practice or want to practice, or if you don't have specific gear and you want some hints as to how to set something up, so that's where all that is, and back to you.

Wow, that was awesome. There's a laser on this. All right, so room challenges. Room challenges are things that actually happen in here. They don't have to happen in here. They can happen out in the hallway. They can happen if you can hover outside the windows. Please don't. Then you can get them from there as well. There is a test flag. WCTF zero zero is a secure network. We are tied into the DEF CON network, but we're tied into the wired side of the network. When you're on that, you are through our firewalls. I'm not going to say you're being monitored, but if you're a douche, we see you, and we're gonna do shit. That being said, passphrase for that is capital G, o, n, e, underscore, capital R, o, g, u, e. Gone rogue. What that allows you to do is to get on the scoreboard. It's a 10-point flag so that you can check your team, make sure that the team has access to the scoreboard. Scoreboard instructions are really, really, really simple. We're not doing anything crazy like we've done in the past. Russ did a great, average job coding it drunk. And we've got a scoreboard that just you go into and log in and you set up. Mediocre. It does a really good job. So you go in, you log in, you create a team, you submit that flag right there, and with that flag you get the points. You get ten points. I can tell you've seen some of the point values; ten points isn't a lot. It's truly a test to make sure that you have access, everything works for you, and that your team is registered. In the past, I can honestly tell you, sir, that anyone that's listening, goons have taken phones and thrown them on the floor and stepped on them.
I promise I've seen it happen. It's a privacy-ish thing. If you want to take a picture of a crowd, ask the whole crowd: "Hey, anybody not want their picture taken?" People put their heads down. It's just a kind of courtesy of what used to be a hacker con, but it's now called DEF CON.

Anyway, WEP. WCTF zero one. Again, these are in the air as exactly that. It's a WEP challenge. If you get into this challenge, it's a 50-point challenge. It's a fairly low point challenge that puts you into the SCADA network. We have a full functioning wired-and-wireless SCADA network running here. I'm sorry, ICS. I will change that. We apologize. It is an ICS, not a DCS or not a SCADA. It is an ICS network. If you don't know the difference in that, punch me and then talk to him. WCTF 2 is a little bit harder. It's WEP like Alderaan. Our clues aren't always very specific and you've got to kind of figure them out. If you sniff the air and have a clue of kind of what's going on in Wi-Fi, you're gonna understand what this means just by looking at it, but WEP like Alderaan. WEP like Anakin's legs. So this is a little bit different. WCTF 03. Again, we're kind of obscure. Easy WPA, WCTF 04. This one should crack itself. Literally should crack itself. We give you guys the word list. The word list will be posted. It's on our website. You pull that down, you listen for 10 minutes, this will pop up as a handshake. You should be able to get this one pretty quick. This one's a little bit harder. This is WPA at Starbucks. If you've played our contest before you might have a clue what that means. If you don't, you'll look at it and you should see the packets and see what that means as well. WPA leave your deauths at home. Yeah guys, we're starting to go completely real now. These are legitimate, real, enterprise-level challenges now. WPA like Howie Mandel. You know anything about Howie Mandel? He's kind of weird. There's some very, very specific things.
He's really weird about. It's the clue here. WCTF 09: 350 points for a WPA challenge. So most we've ever done for a WPA challenge, for really, really good reasons. If you do this professionally and you're doing a pen test, you're gonna see a lot of this. This is a really good chance to learn how to fix, break, and/or see how they should be implemented.

SDR drinking game. This is one of our favorites. My favorites. I don't know if everybody else's favorites, but it's my favorite. If you baseline your system now and get to know the spectrum in the area, the frequency ranges of the game will be in the usable range of the RTL-SDR, so we're keeping this within normal ranges of the $18 radio frequency software-defined radio. We're going to have a reference signal coming up at 900 megahertz, if you've got a, and it's not up yet. Yeah, it will be up in a little bit. It'll allow you to baseline and see what the signal is going to look like during the contest. But we're doing this a little different this year. We're not giving you the ranges where the flags are. We're going to tell you it's in the range of an RTL-SDR, and you got to go find it, and you've got to find it and you raise your hand. When you raise your hand, you're gonna see this. This is going to be broadcast in the air on a whole lot of frequencies. Russ has perfected air painting, so he's tagging the air on frequencies with our logo. Logo is going to change every day, and we're going to change it every day because we want to have some fun and we want to do some neat stuff. But that is an actual waterfall off of a HackRF on a Windows computer of the airspace. Of a PC. I'm sorry. I'm sorry. He uses Ubuntu, pardon me.
Yeah. So this is what you're gonna have to find. You're gonna have to pick this out of the air. The picture is gonna change for the RTL-SDR, or for the SDR drinking game, a little bit because we think it's funny. What happens with this, I'm sorry, so if you find the frequency, and you're the one that finds a frequency, you raise your hand. You say, "I think I found it." We're gonna look at it and say, "Yep, you found it." We then flip a coin. Heads, you drink. Tails, everybody else in the room drinks. It's fun for all.

SDR shootout. Okie-dokie, so I brought back my radio shock collars from last year, and instead of just one it's going to be a pair of them. Anyone want a duel, and you want to play a game with me? So what we're going to do is, it's two players. You stand up in the middle, back to back. You got the shock collar strapped on to your thigh, your laptops or wherever, not your neck. Now I'm not going to allow that, but the thigh is a good spot. It's nice and meaty and it's not going to be too terribly awful. The objective is that your laptop is 10 paces away from you, and the opponent is 10 paces away from the other side. Before you play, I'll be transmitting on the transmitter, so you can capture the signals if you want to do simple replay or anything along those lines. But I'm not going to tell you which signal it is. It's going to beep, it's going to flash, it's going to shock, or it's going to vibrate. Your objective is to shoot your opponent, to get it shocking their leg, or wherever they happen to have it strapped on to. So the, yeah, so the objective is to shoot your opponent. So you'll stand back to back and you start from an empty console, no GRC sketches up or anything like that, and you furiously start banging at your machine in order to shoot the other person, and then whoever gets shocked the first is the loser, and then we'll just iterate this until it's no longer fun. We'll know because it's painful enough. But your objective is to still shoot the other person.
Yes, sir. That's why I'm saying put it on your leg and not around your neck. So last year we had a fellow, Tim, come in and rock this challenge when it was different. So this time we're making it a little bit more energetic. Well, yeah.

Yeah, anyways, so moving right along on the SDR challenges. The thing that I'm doing differently this year as well is that I'm not giving you the frequency ranges to look for for the different types of challenges. But what I am doing is that I'm doing RF painting as an offset to where the actual legit challenge is. So you should be able to see this little humdinger scrolling by, reusing slides, to identify that you're at least close to where it is. And I don't mean like you're gonna be 10 megahertz or 50 megahertz off. It's within a megahertz or so, just off the leading edge of it, so you could actually still capture the legit signal and run with it from there. And also, I'm not giving you the exact sort of detailed type of hints that I used to before. I'm now grouping them based in categories, and what I mean by that is that for the first, for instance, in this category your hint is "video killed the radio star", and there are five flags that are extrapolated across that thought process. For the second one, "spies like us": there's four flags that are running across something in that particular kind of theme or mode of thinking or abstract concept. See, getting inside my head is a very dangerous place. For the next group of SDR flags, "if bees couldn't zag". Yeah, I think that's the most direct one, so if you can't figure out what that means for a radio sort of thing, start drinking early. For the next group, it's "hammer time". So if you can kind of think about what that might end up meaning for types of radio transmissions, that's what you're going to be looking for. There's five flags in there. And then also have a handful of other ones that are just random one-offs. So for instance, I got a stack of power bricks that are daisy-chained.
I will transmit an on-off signal for one of them. You need to extrapolate what the values are for the remainder. Your objective is to turn them all on. There's some serious points for doing that. And, sorry, that should have said. Your turn to come up. We really want to thank this fine gentleman for donating time and energy with us.

So I'm an ICS SCADA guy. I'm not actually, I'm here to actually learn all this wireless stuff. So talk to me about ICS SCADA; talk to these guys about the wireless stuff and how much the shock collar hurts. That I don't have experience with. So the type of system we have here is actually the type of system you'd find in a manufacturing plant. So this is going to be automotive or airline or, like, semiconductor manufacturing. It's not going to be your typical SCADA system. So this is going to be running high-speed real-time protocols over it. So the only thing that you will be seeing typically on, when you get through that WEP, is one of the devices. You've got to find the other devices that are in the network. So there's a switch in there. What's the switch's IP? What's the PLC's IP? Again, these don't show up in the traffic that you're gonna see. You're gonna have to find them in the network. The switch has a password. Again, don't go in there and, first thing I will say: please don't intentionally change things in there. All the stuff in there is very easily hackable. So I would ask you not to screw with other people by changing the program and the PLC and changing the passwords. I would request that you do that, if you do I will shut it off, reprogram it, and turn it back on, but I would rather not take the time to do that. So the, find the switch, PLC. Or the quiz switch password. Find the IO block's password.
So there's a 24-volt IO signals in there. Find the password in that. There's a file hidden in the IO system. Find the file, and then bring the, the flag is actually the tag that's in there. So then you get into the actual industrial protocol stuff. So there's a byte pattern that you will find when you hit the buttons. Hidden in, or it's not hidden, but it's in the actual data field for the IO block. You need to bring the data pattern, the byte pattern, for all the button pushes to these guys. Yeah. So each button push will be 50 points. So, okay, so the first one is, what's the button? What's the button pushes, or what's the signal? What's the signal by itself, and then what are each of the buttons? And then the PLC will actually send a command to the IO block. You have to find what the data value is to start with, and then each of the light commands coming out of that. There is, you can dump the program from the PLC to a USB drive, and there's a data file in there that you'll need to bring the SHA-1 hash to these guys. And then the final is, okay, there is one, the last random flag in there that they don't have a points assigned to. It's a, can you, without reprogramming the PLC, can you make the lights do something different than they're normally commanded to do? Basically, can you run a man-in-the-middle attack against the PLC and the IO block? And that's, these guys are gonna figure out that, yeah. And you have to prove that you did not reprogram the PLC. So you run your attack, you show them, then you turn your attack off and show them that it works properly again. Huh, that sounds really specific, like an attack that may or may not have ever happened in an ICS. Maybe. Do we have to spin it backwards?
No. All right, so SCADA, I know, isn't exactly a hundred percent ICS, so I am reading SCADA. ICS isn't exactly wireless. The problem, and the benefit of this, and the reason we really wanted this in this year: there are so many networks that are ICS, DCS and SCADA that have a wireless component connecting, attaching a part of. Nobody should be fucking with an ICS, DCS or SCADA system that you happen to find over a wireless network. Bad things can happen really, really fast and you can get thrown in jail for a really long time. But here, have fun. That's what it's here for. If you had curiosity about what SCADA looks like, you wanted to see what a network looks like, first of all you got to crack WEP, which, I'm making you drink every time you screw, okay, Gabe. Sorry. Yes, that's a good point. If you want to see what an ICS network actually looks like and you want to really mess with something fun, enjoy, have fun, play with it, do what the hell you can with it. There aren't many opportunities in this world to play with a true ICS network in line connected to.

The WEP challenge for this one: we want you guys to crack the WEP first, and cracking WEP is something that, if you're doing anything with wireless, you should have done 300 or 400 times in the past, because it's the hardest programmatically to crack. It's the easiest to fall down, but it's the hardest to crack. It's five terminals. It's multiple commands. It's making sure you're getting the right place at the right time. And anyone that sits at that man's table that's sitting down right now, they have a 20-point handicap. Was cryptos is my handicap, the man bun over there, girl with the bun. Yes. Which bathroom do you use in North Carolina?
Sorry, too soon. All right, final surprise. So 13 years ago... we already talked about this. We are doing a wireless war drive this year to bring back what we did 13 years ago. This is the kind of thing that literally anyone can do. There is no necessary equipment for it other than a system that can capture BSSIDs in the air. Yeah, he's got a tool, NetStumbler, right? Use Dragorn's tool, NetStumbler. We're totally joking. You really should tell him that if you ever see him; Dragorn loves to be told how he wrote NetStumbler. Things not to do at DEF CON. But no, for real, the wireless war drive, war walk, war anything: get creative, have fun. Literally, you need a laptop with a card that can receive and the ability to capture some files. We are requesting, telling, saying and reminding you that we are in District 9, thanks Cal... or Circuit 9. Thank you, California. No, key: no pcaps will be accepted, and the reason no pcaps will be accepted is you guys can't do collection. And even though you may or may not be able to do it on your own in Clark County, Nevada, because of California, thanks Google, you can't do that anymore. So we're taking a .netxml, a netxml, which airodump and Kismet both output natively.
In order to submit by 929 on Sunday, you need to submit in a .xz tarball to wireless village and ctf at gmail.com. 0.065 points per unique BSSID validated by us. Now, that being said, we're doing really low point values because we were calculating out five, ten, fifteen thousand BSSIDs worth of points, and that doesn't put you as a winner of the conference alone, but it gets you pretty close. So literally the wireless war drive is that important, because finding BSSIDs and understanding how this stuff works is how we all got started, and if you guys are new to this, it's a really fun thing to do if you've never done it. 0.13 points per unique BSSID if you've got it tagged with a GPS. So if you've got a GPS running, you actually get double the points per BSSID. We've been sending out some tweets over the last couple weeks about bringing a GPS with you. There's a good reason for it. It needs to be validated by us, though. We know most if not all of the tricks, because we've done most or all the tricks in different war drives over the years. RenderMan back there, please raise your hand, has probably written the book on tricks that you can do in a wireless war drive to try and win. That being said, we have seen a lot of these problems and we... Was giving him credit. We reserve the right to refuse any submission we deem to be fake or otherwise not genuine, because we want this to be a real contest. We want you guys to actually walk around.
Yes, you can programmatically generate a 500,000 BSSID list. Do all you want, whatever floats your boat. I hope you don't use those GPS coordinates, though, because I've heard that they're being messed with. Well, as long as it's between consenting adults, I don't care. All right, so that's the final stage this year. Again, this slide deck will be up on our site, this information will be available, and we'll be tweeting it out on a pretty regular basis. .xz tarball, wireless village and CTF at gmail.com, by 929 on Sunday the 7th. Final word: this capture the flag we build for you guys. We do it every year. We've been doing it for a really long time. But we play too while you guys are playing. This is fun for us. We enjoy this, and there are no rules beyond the few that we told you about not getting you arrested. So if we see fuckery going on, we're gonna fuck back. If we don't see any fuckery going on, we're gonna inject some, because hey, that's what we do. This is like a real live pen test on a hundred different systems. You're going to get sysadmins that knock wireless down. You're gonna get sysadmins that run tools that track, detect and find things. There's incident responders that find things if you're really messing with the hardware. We're going to play as well as you guys are. Please don't get arrested. Please leave a casino alone. This is for your own good. Those rooms in the basement do truly exist and they take people there. Render, you've been there a couple times, haven't you? If you have any questions, tweet us, go to the website, ask us. sdr.ninja as well. Have fun. Yes. Just to recap the legal slide that we showed at the beginning, because it's that important: connecting to our network is consent. You are allowed to hack each other. You are allowed to hack us. We will hack you. Seriously. This is meant to be a real exercise. Have fun, because we will. One way or the other, we're going to have fun.
So please join, have fun and play. But maybe take the work laptop and leave it at home. Or don't, or don't, for the consequences. This is DEF CON. For, yeah, intents and purposes, if you join the secure DEF CON network, don't expect what you do to be secure, because it's not. If you join the open DEF CON network, I'd love you. You'll be on like 17 different boards across DEF CON that track all that stuff. If you're not using a VPN, stuff's gonna happen. If you have a laptop that you're ready to burn or you're ready to play with, or you're professional at this and you're cool with using yours, go for it. Have fun with this. Do you guys have any questions? Gals have any questions? Cryptos, do you have any questions? Good. Well, that's a first. Really, anything, anyone? Yes. Okay, so I'm gonna pare that down to basically: if you're a noob, what do you do? How do you start? And noob is not a bad term. That's what we're here for. Every one of us was a noob at some point. We started this because, I can tell you, back at the Alexis Park... Did I? Back at the Alexis Park, I was sitting on the floor, trying to use Kismet, trying to figure out a way to turn the damn sound off, if anybody remembers how that used to be, and learning this shit. But back then nobody wanted to help anybody, because it was a truly volatile network. Church of Wi-Fi was started by RenderMan back there. That started a whole lot of teaching, a whole lot of talking, a whole lot of: what does this wireless stuff really do? How can we break it? How can we fix it? How's the world really work?
You what? Yes, he has performed marriages as the Pope of the Church of Wi-Fi. So that being said, this isn't new stuff. This has been around for a really long time and we love playing with it. But nobody ever taught us anything. It was reading the spec, it was reading the IEEE. What we do here: if you're playing and you're playing seriously, we're gonna let you play. We're gonna answer some questions. They're gonna be programmatic questions here and there. If you're playing to learn, we're gonna sit down with you and help you. We're gonna tell you to go sit with somebody at another team, if they want you to sit there, and sit there and shoulder surf. Josh and General has allowed five or six people to play with him over the years and they've learned a ton. This is like your 12th CTF or so? Okay, it's more than one. He knows what he's doing with this stuff and it's fun for him. Cryptos over there has been playing quite a bit and we've been laughing at him over the years. But if you want to know anything about how pi watt works, there he is. That is pi watt. What? And some really cool drone stuff too, and Zigbee stuff. And kind of to distill everything that he said, we have slides and training material on those two websites, so you can start there. There's a resources tab on both sites that you can go through, and it's like 50 or 60 presentations that we've done over the years. And on my side, the sdr.ninja one, I actually have downloadable exercises that you can work through, so you don't even have to have a transmitter or a receiver. It's just all in software. Yeah, any other questions? If you're playing, have fun. If you're interested, hang around. We do a lot of kind of breakout workshops. The ICS stuff is here to play with. Ask, please. I did, because I looked first. The slides, a skate, I screwed up. My fault, my bad. Any other questions? Drink. Cyber, cyber, cyber, cyber. Drink. Anyway, have fun. Enjoy.
We're here all week. We love the fact that we filled a room at 9 o'clock on the first day of DEF CON. Thank you and have fun.