Welcome. Thanks for coming out. My name is Aaron Peterson. I'm going to be talking this morning about penetration testing Wi-Fi. So I'm going to kick things off, get right into it, and make sure everything works here. Can everybody see that alright? It was a little blurry earlier. I've got two laptops in sync here. So if whatever I'm talking about doesn't match up with the slides, let me know, and I'm probably off the slide or something.

So who am I? What am I going to be talking about? Again, my name is Aaron Peterson. I'm going to be talking about pen testing Wi-Fi. Here's just a general outline of what we're going to be talking about: general pen testing. One of the tools I'm going to be talking about today is Wicrawl. So who am I? Again, my name is Aaron Peterson, project manager and developer for Wicrawl. Test? Is that better? Okay. I'll try to scoot over here a little bit. Also the founder of Midnight Research Labs. That's the research labs that this project came out of. Also the co-founder of Alpha Defense along with Bill Terwilliger, who's around here somewhere. My day job, I work on the network security incident response team at Harvard. And kind of general network security by day, pen tester by night. Here's a little blurb on both Alpha Defense and Midnight Research Labs. Alpha Defense is based out of Boston. Just a standard quick disclosure here, none of the views... You can read it.

So the picture's a little dramatic here, but here's kind of what I view to be the current state of Wi-Fi scanning. Wi-Fi is everywhere. I think in my hotel room last night, without an internal card, I had about 30 different access points. Probably only about two of those access points were real open access points. It takes a little bit of work to drill down to get to something that's usable. We don't really care about all the extra access points that won't do anything for us. A couple of points.
Again, WEP: just because it's WEP doesn't mean that we can't get on an access point or use an access point. And also, just because it's open doesn't mean that we can get on that access point. WEP, you can put lipstick on a pig, but it's still a pig.

So moving forward, some of the different use cases for some of the different groups. This release is really focused more on the penetration testing side of things. Wicrawl is a little bit more of a generic framework that we can use for doing a lot of different things: finding rogue access points, just getting on the internet, things like that. Talking about rogue access points, what's behind that access point? The Magical Land of Narnia, or the soft chewy underbelly of my corporate network being exposed? We want to try to find those types of things. So what we want to do is search through these access points methodically to try to find the ones that we care about and the ones that are irrelevant to us.

So a few slides here on penetration testing with Wi-Fi. Generally there's kind of two different types of penetration testing, and one may or may not be considered penetration testing, but it's two of the types of engagements that I mostly see. The more traditional penetration testing of Wi-Fi specifically is very similar to other types of penetration testing. We have a similar methodology. We're going to start with some type of reconnaissance phase. We want to do, you know, from there we move on to discovery, you know, footprinting, enumeration, scanning, those types of things. Then move on to some type of vulnerability assessment phase, and then potentially some type of penetration testing itself. And then there's all the reports that come after that. But there's a lot of individual tools that will help us with those different types of things. But they're kind of scattered about, and some work and some don't. And one of the things that we try to do with Wicrawl is to wrap those up into one usable interface.
The second thing I want to talk about with regards to penetration testing is rogue access points. Like I mentioned before, you can take a $20 device, stick it on your network, and completely subvert, you know, all the security that you've put in place on the exterior. I'm sure everybody knows it's pretty common to have kind of a, you know, the eggshell problem, where you have, you know, a tough outside. But once you get into the inside, there's, you know, everything's open. Nobody thinks to patch their printer, you know, but realistically you have, you know, all of your important documents going through there. So it's pretty easy to get to important things.

Some of the difficulties with penetration testing: it really takes a long time. You know, to really sit down and do a real scan in the field, it often takes longer than, you know, sort of the lab cases that you see of cracking, you know, WEP or WPA, things like that. Oftentimes maybe you won't see enough clients or you won't see a WPA handshake. Things like that can really contribute to the length. So you really just want to sit something down and let it, you know, sort of thoroughly scan through, you know, the entire AP space. Hackers have a lot more time than pen testers. Pen testers typically have, you know, a week on site at most; maybe an engagement lasts a month. But a hacker can sit in his house and, you know, let a WEP crack run, or whatever it is, a coWPAtty run, for months. Again, there's tons of tools to do this kind of stuff.

General geographic issues: any type of business park, things like that. You're going to see, you know, hundreds and hundreds of access points in any large building, you know, any type of downtown area. So it's really difficult to distinguish between, you know, what you're actually testing and what's available, especially in the case of the rogue access point.
It's really difficult to tell whether you're actually authorized to scan through these different access points, because just because a new access point, you know, appears somewhere on the network, you know, it doesn't mean that you're authorized to, you know, crack it and see if it's on, you know, your network. So it's kind of difficult. And again, with rogue access points, you're never going to be able to prove a negative. You can never prove that an access point isn't on your network. There are, you know, you can catch the 80% case by, you know, catching the links, open devices that are on the network. But you're never really going to be able to prove it. So it's kind of a difficult thing to really do well.

Again, there's lots of different tools. I think a lot of you guys probably know most of these tools. I bet a large percentage of the people have used most of these things. The discovery side of things, everybody's familiar with Kismet and NetStumbler, and those are pretty common things. WEP, Aircrack's pretty much the gold standard these days. It does a dozen different attacks. We try to wrap up, again, probably the 80% case in Wicrawl. But you can do all sorts of things with Aircrack. There's a couple newer tools. Has everybody seen wesside yet? Has anybody played with wesside? No? It's pretty cool. You should check it out in the Aircrack development tree. But with the testing that I've done, you can crack WEP. I mean, the difference between six minutes and three minutes, I guess, isn't too big of a difference. But it's really a cool tool that you should check out, and we're going to be adding a plug-in for it. And then some of the other tools for WEP there. More of the common things for WPA: of course, there's coWPAtty, Aircrack can now do WPA pre-shared key brute forcing. There's a whole other side of things of attacking the client, and that's very cool.
We'd like to add some support for that within Wicrawl, but right now we're mostly focused on kind of the, I guess you'd say, server side of things, or access point side of things, but there's tools for that. Karma is probably the best known and most usable one. And then there's a whole bunch of other tools; some of these here are directly related to wireless. But you're still going to run a lot of the common pen testing tools for a wireless engagement. You're still going to probably run an Nmap scan, a Nessus scan, or whatever VA tool that you have. You're probably going to use those types of things as well. And there's hundreds of those things.

A couple of random notes that I wanted to put together. Probably the most important one that I wanted to get across is that word lists are more important than you'd think. At a very large number of companies that I've gone to, once we've finally gotten in and cracked whatever password it is, that password has been based off of some type of corporate information, whether it's product data, the name of the company, or some derivative, or even a derivative of the default password that you'd see on that system. People will look at you funny. Security guards will try to detain you, so make sure you get access.

All right, I'm running out of time, so I'm going to go pretty quickly through the rest of the slides. But the point of this is that Wicrawl can really help with penetration testing in this aspect. Again, with this release, we're really trying to focus more on the penetration tester. We've added support for FPGA acceleration through some of the work that h1kari's done. If you've, probably a lot of you have seen his talk, and if you haven't, you should check it out, because it's very cool. Better filtering, a bunch of new plug-ins. We're adding new reporting, like PDF reporting, that should look more like a general corporate report. It's not actually there yet, but it'll be soon.
Again, it's really just a logical approach to penetration testing. You have a lot of the same things that you're going to do every time, so you want to just step through those different types of events in a logical fashion, with a bunch of different tools. You can parallelize your attacks with multiple cards. Okay, so here's Wicrawl. All right, thanks. More goal-oriented checks. What do I really want? Am I trying to penetrate a network? Do I really just want access? Am I trying to get to the Internet? What types of things?

So here's kind of a marketing-type blurb: a simple Wi-Fi scanner and auditor with a flexible and simple plug-in, blah, blah, blah, blah. Something that's pretty important, too, I guess, is that really the power of Wicrawl comes in the different plugins. You saw me mention a bunch of different tools. You guys are probably all familiar with those tools, but really what we want to do is wrap and automate those tools so that we don't end up doing the same things over and over again, because that gets boring. Skip the rest there. Some basic examples of what we can do: general discovery, try to associate, get an IP address, get to the Internet. The default operation. Then you can do more advanced things for penetration testing, things like that.

Under the hood, we've got these different sections. Here's the general architecture. Not too important. The discovery engine: this is really similar to what we have today in something like Kismet or something like that, just something that finds the access points. We can do multiple different radio header types, a bunch of different things there. This is written by Jason Spence, who's here somewhere; wave your hand. He's right here in the front. This is actually kind of an outdated architecture overview. We've added some things since then, like splitting channels. When we're running with multiple cards, we can have one channel per card or a couple different channels or whatever overlap there is. The plugin engine.
This is really like the master scheduler. It takes all different plugins, all kinds of different plugins here. I'm going to try and skip pretty fast. One other important point is it's really based on event levels, and those event levels take us through from a new access point all the way to having internet access. We want to try to get from having an access point to associating with that access point to getting an IP address, getting to the internet, and then there's hooks based around all those different event levels. The workflow is really just to escalate through that and get as far through the plugins as we can on a given access point. We've got different types of plugins. There's the interface.

Here's some of the plugins that we have. I've talked about a lot of these already. I wanted to just walk through a couple of them, the Aircrack one. It's kind of neat. We start, you know, just put in monitor mode, start gathering traffic, look for clients, try to deauth those clients, start running fakeauth and running ARP injection, and then really start trying to crack WEP. So that's all sort of automated. FPGAs, again, this is one of the new things that we added. This is some pretty cool stuff. You can really accelerate how quickly you're able to crack WEP or WPA pre-shared keys, things like that. You should check it out. For a penetration tester, I think this is a pretty cool feature, and it's worth the money to try and get one of these things because, again, hackers have a lot more time than we do to do these things. So to have any leg up on that is great. Here's, right from h1kari's talk, some of the performance increases you'll see.

Plugins, here's an example plugin. Profiles, this really allows you to select what you're going to run, when, that kind of thing. So it's really just a description of that. I'm just going to skip through this. Here's some examples of how you can set up those profiles based on the different use cases. The UI, Peter, is Peter here?
Peter, wave your hand. Peter did a really good job. He's been adding a lot to this in the last few days. There he is, right down in the middle. Comrade Peter. And it's really come a long way. But I have to skip through this. That's actually old. So here's the new UI. I'm going to show a demo, so I'm not going to go into these. Profile selection. We're releasing here a new release at Defcon. We've been adding a ton to what we probably added. I don't know, a few thousand lines of code in the last three or four weeks. So there will be some bugs, but we'll try to fix those as quickly as possible. There's a new curses interface that we're testing. There's a bunch of stuff we want to do in the future, but I want to get to the demo.

Oh, one actually really important slide. Scanning and liability. As in any other type of penetration testing, ultimately you're responsible. The case law on what you can do and can't with a given access point that's not yours isn't entirely clear. The general thing is to never use an access point that's not yours. But the point for penetration testing is always get permission, always get lawyers involved, get contracts, insurance, all types of things just to make sure that you're covered. There's a good white paper by SANS that covers a lot of this stuff. Oh, I guess that was a slide off here. So there's the liability slide.

Thanks to all the Midnight Research guys. Vanessa, my wife, for putting up with me in the last few weeks. Maddie, the Aircrack guys, h1kari, a bunch of different people. So what we're going to do is go straight out of time here. We're out? One minute? Okay, sorry guys, the demo is kind of the most important part of this. I just ran out of time here. Where's my cursor? So here's Wicrawl. We can again run with multiple different types of cards. We can select our profile. We're just going to go through this. Here's an open profile. Actually, we're going to do... What's that? This always turns into advertising.
Everybody puts up their own access points. Thanks, guys. All right. So we got a bunch of different access points there. That was just running discovery. So what I'm going to do is only select my access point. All right. Well, we'll select this one too. But we're just going to do a default profile here. Let's do the default. Then we're going to run in manual mode. So there's automatic mode, which is just try to do everything I can on all the access points I can based on the profile. But right now what we're trying to do is discover just these different access points.

So we can see here some basic information we can see right now. If we look at the plugins for this, let's look at which one it's running on right now. Right now it's trying to associate. It's trying to run DHCP. It identified the access points. Let's look at what that was. It's an Aruba access point. So what it's going to do is just sit and try to crawl through these. And I think I have it configured to run, like, I can look right here in the plugins that we have selected. Come on here. In the plugins that I have selected. So these are all the different plugins that we have here. I have a file of a certain number of them selected and just running through those sequentially to try to DHCP. And we can click on each access point, click on the plugin to see what the output for that is. Right now it's running DHCP. Tried to associate, where we were able to associate. And then after this we'll try to run through and map everything.

Okay, so I think I'm running out of time. I guess there's a room where I have to answer questions. Q&A, and where is it? Q&A in Track 1. I do have live CDs. Okay. So.
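The event-level escalation the talk describes for the plugin engine (new access point, associated, has IP, internet), combined with the rogue access point inventory check mentioned earlier, as an added example that is not Wicrawl's own code: the plugins here only simulate outcomes, the authorized BSSID inventory is a constructed value, and nothing touches a radio or a network.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):
    """Event levels the engine escalates through, in the order the talk gives."""
    NEW_AP, ASSOCIATED, HAS_IP, INTERNET = range(4)

@dataclass
class AccessPoint:
    ssid: str
    bssid: str
    encryption: str                  # "open", "wep" or "wpa"
    level: Level = Level.NEW_AP
    log: list = field(default_factory=list)

# Constructed inventory of authorized BSSIDs (hypothetical value, not from the talk).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55"}

# Each plugin hooks one level and returns True if it moved the AP up one level.
# These are simulations for the scheduler demo; no radio or network action is taken.
def rogue_check(ap):
    """Informational plugin: flag APs missing from the inventory; never escalates."""
    if ap.bssid not in AUTHORIZED_BSSIDS:
        ap.log.append("rogue? not in inventory")
    return False
def associate(ap):
    return ap.encryption == "open"   # simulated: only open APs associate here
def dhcp(ap):
    return True                      # simulated: lease always obtained
def internet_check(ap):
    return ap.ssid != "captive"      # simulated: a captive portal blocks egress

PLUGINS = {Level.NEW_AP: [rogue_check, associate], Level.ASSOCIATED: [dhcp], Level.HAS_IP: [internet_check]}
DEFAULT_PROFILE = {"rogue_check", "associate", "dhcp", "internet_check"}

def crawl(ap, profile):
    """Run the profile's plugins at the AP's current level; escalate while any succeeds."""
    while ap.level < Level.INTERNET:
        advanced = False
        for plugin in PLUGINS[ap.level]:
            if plugin.__name__ not in profile:
                continue             # the profile decides which plugins run
            ok = plugin(ap)
            ap.log.append(f"{plugin.__name__}: {'ok' if ok else 'fail'}")
            if ok:
                ap.level = Level(ap.level + 1)
                advanced = True
                break
        if not advanced:
            break                    # stuck at this level; the log records how far we got
    return ap.level
```

The returned level is the "how far did we get" answer per access point, and the per-AP log is what a per-plugin output view would show.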