Welcome to the Wireless Capture the Flag gear talk. I'm Rick and this is Rick. I'll be Rick today. And we're just a couple of dicks who play with our hardware a lot, so we're gonna talk about that. You all get to watch. Oh, you can announce this time; I got to announce it last time. Yeah. We decided that maybe, if we've been doing this for 12 years, we should become like a company or something. So we officially formed a nonprofit. We are now the RF Hackers Sanctuary, so it's exciting. That means for the rest of the week I expect all of you to arch your back as you walk in the door and scream "Sanctuary!" That would really make my day. So thank you, all of you. Come on, Disney. I'm not that old; some of you have seen this movie. No? Okay.

So yeah, we spent a whole lot of our time doing that and not a whole lot of our time on slides, so that's gonna be my excuse. So this asshole over here is Zero Chaos. You may know him from the famous distro Pentoo. If you don't know him from the famous distro Pentoo, it's because it's really not that famous, but it is absolutely amazing and the basis of a lot of the work that we do: a lot of the work that we do for testing and a lot of the work we do for teaching, training, etc. Most of the people that are doing well have either used Pentoo or are trying to use Pentoo over in the Capture the Flag. Main reason is radios work all the time. Almost all the time. Works 100% of the time, at least 80%. Exactly. And the reason that's important is because we're talking about gear, and we're talking about gear for wireless Capture the Flag, because that's the easy thing to say that's legal that everybody can do. Who in here is a wireless pentester? Who in here tests more than Bluetooth and Wi-Fi?
Okay, keep going. Who in here tests Zigbee? Who in here tests AMR? ADS-B? Okay. The reason that we run Pentoo as opposed to some of these other distros, we're gonna get a little deeper into it as we go, and actually part of Zero's intro is he spends like all of the time he's not working for the company that pays him working on this distro, so that radios work all the time. Who's had trouble loading, you know, a driver in anything but Windows or Mac? Yeah, wireless drivers suck. Who's tried to load the Realtek driver by themselves with the new AC card? Any of you have a smile on your face right now? Nope, just the people with their hands down laughing at you. And that's exactly right. And those that got it working, who had the actual driver working with full injection and the ability to sniff with 90% or better efficiency when you're getting your packets?

Okay, so some of what we are going to do today is talk about not just the gear, because the gear is really cool and we have a lot of it. I mean, what, 8 to 10, 15 radios at any one time in our bags, and I think the bag of antennas I carry weighs more than some of your backpacks. But we use that because we like how these radios work in certain circumstances. There aren't a lot of people that raised their hand that said that they're Wi-Fi pentesters or Bluetooth pentesters. One of the things we push people to do as best as we can is to start being RF pentesters, because there's a lot of other stuff, as we're going to discuss in this talk and then kind of as we freeform a little bit. There's a lot more signals out there that can make somebody very vulnerable. So if you're a bad guy and you're attacking, red team, blue team, purple team, I don't care, yellow team, if you're attacking a network you need a vulnerability to get in. Firewalls are pretty good. How many people have had to beat an IPS before, or a WIPS, over wireless? Because there aren't that many; there aren't any good ones. So that's the really way too long intro to Rick. Yeah, sure.
I'll be me now. Oh man. Don't even read it. Oh, can I read the whole thing? It's word-for-word, and watch everybody leave; they're gonna fall asleep. But seriously, this guy has been doing wireless since wireless wasn't even cool, and he's part of the crew that has made it cool. I'll never forget my introduction to him: "yeah, I know what he looks like, but he really knows what he's doing." And so he's been doing this since, what was it, DEF CON 10, competing in the wireless competitions, and kind of helped found the Wireless Village and did found the Wireless Capture the Flag. So yeah, he looks like he's been around the block because he has, and yeah, we should definitely go over some of that experience.

So one of my favorite parts of all of RF and wireless is finding things. So we've really gone way out of our way, and we apologize to the contestants. In fact, I let them go home early last night, which was really weird of me, because I was like, hey, it's 11 o'clock, go home. If you can't find a rogue device, you can't do RF anything. If you don't know where it is and you can't get close enough to inject into it, take it out, take down the packets that are coming from it, or find the signal, you're not close enough to do the work you're trying to do. So let's just say, you know, easy example: there's a rogue access point on a hundred thousand square foot floor in New York City on the 35th floor. Go. Who would feel relatively comfortable going and finding that access point? Okay, what would you do? I'm gonna call on people in the stands, so, you know, feel free to not raise your hand if you don't care. What would you do?
Okay, so he said use a spectrum analyzer. Good answer. Or a Wi-Fi radio, and walk around and find it. One of the things we try and teach as best as we can is a repeatable process for everything we do. By having a repeatable process, I know what appears to be rogue versus what appears to be real versus what appears to be broken, and by knowing that we have the ability to find things, because typically if somebody's gonna do a quick plant of something, they're gonna use a Raspberry Pi, they're gonna use a NUC, they're gonna use a rogue access point of some sort. And hey, Scoot, wave to everybody. How'd your implant go last night? They attempted to put an implant in the village, and they did a really good job of masking it, and had we not been truly looking for things we wouldn't have found it. He took the shell... do you mind if I tell the story? Okay. He took the shell of an Aruba device. The Aruba devices aren't here, but you know those white Aruba access points that are all over the place. Well, he took the shell of one of those, hollowed it out, and put a Raspberry Pi inside. He didn't encrypt it, but he put a Raspberry Pi inside trying to capture more information. Well, by doing that he hit a device. It was coming over RF, and it was actually doing a really good job, but it was loud. So the spectrum analyzer, great answer. The problem is, if somebody's only trying to attack an office and they do it correctly, your spec an's only gonna find it if you get close enough to where that signal is. So, working with people on how to make really shitty antennas. Hey Wasabi, you have your shitty antenna anywhere? Teaching people how to make really shitty antennas, so that when you're really close to a signal, you know you're right on top of it. Oh, look at that, I happen to have it. SMA connector into a BNC connector with a paper clip and hot glue. It is also classified as a weapon at TSA, so be careful. Why does this work? Somebody, why does it work? What?
Exactly. All it's doing is taking the energy coming out of the radio and dispersing it. It's not doing jack and shit to help you with a good signal, but what it's doing is it's gonna alert you when a signal is close. Hence why we do the wireless Capture the Flag in the CTF and we make people go find stuff. But we don't just stop at Wi-Fi; we move across the spectrum, and that's kind of how we're gonna get into this a little bit. I'm gonna let you talk to this next one because this is pretty... oh, this is my favorite part, because he does most of the work.

So we build this thing that we have to carry around with us. So I want to say half of my testing is literally how do we cram all of this stuff together in a very tight space. So the box on the right is actually the box that we're using to run the Capture the Flag right now, and it's all of the transmissions more or less replicated out. So we've got 20 Wi-Fi radios in it, we've got four RFCats, and we've got three bladeRFs with amplifiers, and all of that stuff has to fit in there, and we've powered it in there. And why did we pick those things, and how did we get them to fit, and oh my goodness, how did the NUC not fall over with 50 watts of USB devices on it? So the testing and the building of this stuff is really what allows you to figure out how all of this works, just making the kit on the left. The kit on the left is a Kismet fully loaded box, basically. That's actually a picture of us on the High Roller on Tuesday. We took that while up in the air over Vegas collecting everything. Security did not like us. They let us on; they let us on during the ride. They didn't like us. And the part of that picture that's cut out is me handcuffed to that kit, which also we have a video going through now. We have a two-minute video of security checking it out. He never took off the handcuffs, and they never said anything about it, and I almost peed. So inside of that box...
We actually have six RTL-SDRs tuned to different frequencies picking up ADS-B, car clickers, tires driving by, all kinds of weird stuff. We've also got three Wi-Fi radios, two Bluetooth radios, two Zigbee (2.4 and 900), we've got two MouseJack dongles and GPS, and I think that's about it. But just building that kit, we found several bugs in Kismet, we found several bugs in rtl_433, we found several bugs in the Linux kernel that we've been spending time reporting and trying to get fixed, so that this device, which was a four-core processor running with a load of 12 when we started, actually got down to a load of about three when we were done, and functioned rather than all the devices falling off of the bus. And only one time did the power supply crap itself and do a wide-band jamming attack. Yeah, that was finally failing driving down the road, and I called Zero and I was like, hey dude, what could possibly be messing with our GPS, the satellite radio, and our phones? They're like, it's all passive. We got to where we were going and realized that there was a five-watt, or a five-amp, power supply that literally was shitting the bed all over the place. So we found an absolute denial of service attack on a car: just take a really bad Chinese five-amp 12-volt power supply and just cut the wire a little bit. Apparently everything goes to hell and back. And he did gloss over that a lot.

I know this is scheduled as a two-hour talk. It may or may not be two hours. We've got some folks here to help us out with some of the other areas that they are much, much, much smarter than us in. But I will say that we are going to go into each one of those, and we're going to talk through how the testing of Kismet went, how the testing of Linux went, and the testing of USB buses. I know more about USB buses than I ever wanted to know, and the fact that some of these really crappy computers can do a really good job. So that's kind of how this is going to work.
We're going to talk to you guys about what exists and what can be done, but also how we can test, because in some places where you may go, some of you may not be native to a place where Amazon can deliver in an hour and a half like I am, where you may only get this radio and this radio and this radio, or you may be in another country where you can only have these three things. Showing you how to test them to get the absolute most out of them is going to make you more efficient as you're trying to do this work. And the other piece that I wanted to really highlight: so Red Team... the Red Team Alliance has worked with us very closely, and the CORE Group. Is that Babbling over there? Babbling Brett, stand up and represent your company. Stand up and say hi. Thank you, that gentleman in the TSA security uniform. He's not TSA. Well, I mean, he could be. If I give you five dollars, will you pretend to be the TSA? That box in the bottom they've created for us, working in conjunction with us for the Capture the Flag. RFID is also an extremely important piece of this. If you've ever done... so we talked wireless. Who's a physical pentester? Who's used an under-the-door tool? Who knows what a DDT is? Who has a lockpick set on them right now? There we go. Who's used those lockpicks in the last three hours? Okay, good. So that kit is a full-on... oh, there it goes. Oh, already. And it's really pretty. Didn't leave the screen grab here. There we go. Did anybody check? So...
That box at the bottom is literally a building in a box. There are four different types of access control cards running into a single controller, with a Pi in the background taking in all the information and handing out flags. If you haven't seen it yet, the thing over there on the end of the table that makes you look like the devil is one of the coolest access control Capture the Flag style devices that I think has ever been built. And I know Babak's not here, but one of his representatives is. Can you raise your hand there? Already, you wave, I know, but I'm making Deep wave too, because he's standing there in his ramen shirt, which I absolutely love. They do some amazing RFID work and they've helped us tremendously to really take this up to another level, and I just, you know, want to thank them for partnering with us. But from a learning perspective, having the ability to have that many readers in one place is something that we're going to adopt into our CTF, and that type of thing is going to start traveling with us thanks to them, and we're going to just keep saying thank you to them for a while as it goes. YouTube.

So those are the three pieces. So from this set of devices we've literally hit from 315 to six gig, and all of the low frequency and high frequency cards that exist, in three Pelican cases that we can travel just about anywhere with. Now I wouldn't expect anybody else to do that insanity, because that's about a year's worth of work, but the testing methodology you get... you can travel the Kismet box, for you. That's true. The technology and the testing that goes into that is really what we want to impart on you. So moving on. This is a PSA. Please stay out of the casinos with any radios that you may have. They do put you in jail. The jail is underneath of this building.
It's very big, and you're not getting out without any bruises. And by the way, if you came into this room, who has an Apple phone? Don't raise your hand if you don't want to. If you have your Bluetooth on, this isn't a burner phone discussion, this isn't an Apple versus Android discussion. Please turn your Bluetooth off. You are ridiculously vulnerable to a whole lot of things. I am an Apple user when it comes to phones. I have a watch; it is in watch mode. You know what it's doing? It's being a watch. Cool. But my phone has Bluetooth off. The reason behind that is Apple has not fixed the vulnerability that has come out with Apple BLE and BLE. We'll hopefully have a demo up with that tomorrow and start talking to people about their phones. But essentially, from your Bluetooth: your phone number, the power of your phone, the Wi-Fi, help me here, what else? Version number, if the screen is on, if the screen is locked, phone number. Yeah, all can be pulled off Bluetooth, that's very connected to you right now. This idea, so very discreetly, no, no embarrassment here, just turn your Bluetooth off if you have an Apple device, and that's an iPad, iPhone, iPod, iAnima, I don't know. But Apple leaves those on for watches, for pencils, for connectivity to all kinds of things. Just turn it off, please, because all your RF does belong to us, and we've been capturing since we got here. We're gonna review all that when we get home. We're gonna look at it. We're gonna say, huh, this dude had his Bluetooth on and this lady had this on. And moving on. Yeah. Good, you read that. Yay.

Okay, so how do we test radios?
This is actually a really, really wild thing. First we buy lots and lots of radios, and then we buy lots and lots of USB hubs. Mostly USB, because it's so much easier than taking apart laptops. Maybe ten years ago companies started introducing BIOS lockouts to stop you from putting in Wi-Fi cards that they didn't sell, and that sucks, because you had to go and customize your BIOS and do those kinds of things, and at that point the community pretty much said F all this, we're just gonna use USB stuff. So we just started doing USB stuff, and it's not a big deal when you put eight radios in a box and try to play with them. It is a pretty big deal when you put 30 in. So if you go back and talk to our good friend Alex, who makes a whole bunch of crazy radio stuff that's really awesome. Hey Alex, stand up and raise your hand, and put that thing down. Yes, stop waving that around; the casino is going to stop you, Alex. Alex, raise your hand, wave high, stand up and hold up one of your big... yeah, put that down, please put that down, don't point that... put that down. Please, please put that down. Pick up the other thing with all the radios on it. So Alex makes these devices. No, those are antennas, Alex. Radios. Yeah, that's PCI radios. Okay, USB one, two. Okay, so he actually discovered, he was the first one of us to figure out that the new Intel USB 3 chips could only handle 11 Wi-Fi cards at a time, and the 12th one didn't work. We figured that out just after him when we plugged 12 Wi-Fi cards into our NUC and it didn't work. The part where we actually figured it out first is that we bought a newer NUC, and the newer USB controller could handle more. So my current record is 31.
I've got 31 connected to my test box at home, where I'm actually, like, out of outlets and spaces to put things in the little corner where I do my testing, so I have to, like, I don't know, buy a table or something to keep going. So you find the weirdest things when you test this stuff. The things that you never expected to be the problem are the problem. So the Realtek driver was released last year about this time. New, it was 11ac, monitor mode, proper injection, theoretically. The driver crashed horrifically, and so we started testing. So I went on to Amazon and I bought every single Wi-Fi card that had the Realtek chips, to see which one was any good. Lots of money later, I plugged them all into my system and realized it didn't work, and then I plugged them into multiple systems and started spreading out load because of stupid limitations, and then we bought new NUCs and fixed that problem. But the point is, you find really weird issues when you go to test these things.

At the time I was testing with a tool called Kismet shootout, and what Kismet shootout does is, you give Kismet all of the Wi-Fi cards and you say put them all on channel one or channel two or channel six or whatever, and then it counts how many packets are seen. That's all it does. It counts how many packets each device sees, and that allows me to say, if this device sees this many packets and this device only sees 86% of those packets, thereby this one's better. So I connect a whole bunch of Wi-Fi cards to the system at once, I put them on different channels, and I meter them against each other to see who picks up the most packets. Once I get a fairly good cream, you know, these 10 are pretty decent, I go through and I do injection testing, go through aircrack, and I say okay, does this one work? Does this one work? Does this one work?
And it's actually really interesting to find out that, like, the minor differences in the chips are what often make one suck and one work great, or even worse, like some of them receive really well and they can't transmit for crap. You know, they'll go three feet, but they just don't have a good radio chain on the TX side, and they don't go very far at all. So the ones that we're using in our kit are actually TP-Link T2Us, and they totally go a solid 35 feet. I mean, just absolutely garbage on the transmit, and pretty much on the receive side. But all we do is we put them right next to each other, and we have this little area for Capture the Flag, and that's as far as they need to go, and they're the tiniest thing on earth. Yeah, every time we do testing Rick's like, did you get it within like 16 feet? It's like, well, yeah. He's like, good enough, all right, we're moving on. Yeah, so the ones we actually like are actually the Alfa 036ACMs. They're a monster card. They have two antenna connectors to mount on the side. They have these giant "I surrender" antennas on top of them, and they're much longer range, they're much better transmit power, but they're enormous, and we didn't want that kind of thing in our kit. So we actually go through and do testing to see that kind of level, like okay, this is good enough for what we are doing, but these are the ones that we recommend for, like, putting in your kit and going out and doing whatever.

So one of the big things that Rick said but probably didn't hit on, so I'm doing the whole "this might be on the test later": you've got to log everything. If you're not logging, you're not getting errors, you're not getting packet captures, you're not getting data.
You're not getting transmissions. You're not getting anything. If you just plug a radio in and say, yup, this one works, this one doesn't, you need empirical data to be able to go back to. Now, it doesn't mean you've got the best of the best or the worst of the worst; it means that you have your own level of subjective quantity, you know, identification. It says this is one, this is two, this is three, this is seven. At that point you know that what you have is the best that you have when you're going out to do whatever it is you're trying to do, and that could be literally going to the beach and wanting to have your laptop connect to the Wi-Fi, or getting on a boat and having your Wi-Fi connect to the dock, or you're doing a full-on, you know, red team where you need radios involved and you need to be able to get them from the parking lot. And so I know this radio is great, it's got SMA connectors, so I can use my panel antenna and I can hit 150 yards solid with injection. But until you've tested and you've gotten the empirical data, you really can't say that. What we find the most, and we tell people in the CTF because we want them to take this back into their real world: if you don't test your stuff, you don't know what it does. How many of you have ever played in any type of CTF? A few people there should raise their hand. Did you spend a week beforehand testing your equipment to know exactly how it's supposed to react? Nobody ever does, because every time we get there, they're like, oh, my kernel is broken. Oh, I have to update. Do you have internet so I can update? I didn't check this driver. Which kernel is this? Tools like Kismet and some of the others that are very helpful in data collection literally update what, every six hours? I mean, at the long side. Dragorn doesn't even sleep.
I don't think... I think, I mean, they're updating the software that you're relying on to do what you're trying to do hourly. Some of you may or may not have tested your stuff yearly. Do you guys go to more than one con here? How often do you test your stuff to know how it's supposed to react, to know what the baseline is, so when something's different you know it changed? Every day, Rick. But we're idiots. Every single day. Every... totally kidding. The shootout's running at my house right now. It's a long-term test. Again, we've got ends of the spectrum. We're all on the spectrum; we're here. But we've got ends of the spectrum. We've got the "I test shit" and the "oh my god, I'm going out tomorrow, let me get a laptop at Fry's, throw a new hard drive in it and throw a live distro on it."

So part of this, and again, hey, good segue by accident: platform selection. You're going to work or you're going to CTF, and you guys decide which scenario you want to sit in. You need something to type on. I don't know how many people we've had come into the CTF and be like, hey, I want to play, what do I need? Well, you need a radio and a laptop. At home. Oh, I didn't bring a laptop. Well, what do you want to do? Well, I want to learn. Well, why didn't you bring a laptop? I'm gonna do this, I'm gonna do it. Hold a paperclip in my teeth, and I'm gonna stand up on my soapbox for a second. Who read all the stuff coming out on Twitter about the burner phones for DEF CON? Who read all the stuff about turn off all your radios, turn off your Wi-Fi, turn off your Bluetooth, hide your kids, hide your wife, they're coming to get you? Right, okay. Who's been to Starbucks, Dunkin' Donuts, or a Panera in the last six months? Okay. Who did all this worry before they went to Starbucks, Panera, or Dunkin' Donuts? Right, right, and you should. Who was at work last week or the week before, because it's summertime, and was worried about this? Huh? You work... you're a developer, huh?
He turns off before... you're either a writer or a developer. Okay, so where your protection posture is for your device when you take it anywhere should not matter if you're coming to DEF CON, which, by the way, in the last way too many years, Jesus, it was 17 years, it's gotten a lot easier. You used to not be able to come to DEF CON with something that had a device that you connected to anything else with. Now you could have a Windows XP box online at DEF CON right now, and you might make it home fine. It's different, but everybody worries about it. They worry about Vegas, they worry about Black Hat, they worry about DEF CON. Well, I promise you that you have more issues if you're working in, and I'm just gonna name three cities randomly, LA, New York, Baltimore, and DC. That's four. You have more to worry about going into a Starbucks or a Panera and connecting to their Wi-Fi than you do coming to DEF CON. How often are you stressed out about going to Panera or Starbucks or the train station or wherever? Just let that settle in for a second. This is why testing and knowing what your stuff does matters. Have you seen the bars at night? The good hackers are all way too drunk to be hacking you right now. All right, I'm stepping off my soapbox.

We're gonna talk about platform selection, because there are some platforms to select from. Rick, do you know the nice platform? Do you know 30 inches there? We're a little biased here; the dude that creates one of those operating systems is here. And this is Bill Gates. I'd like to welcome... hey, actually, I'd like to talk to you about developers, developers, developers, developers. You got it, you got it, there we go. All right, I like this. You're perfect for the front row; he hasn't heard these jokes before. They're funny for us. All right, Windows is an operating system. Do we all agree? Yeah. How many have to use Windows?
Okay. Yeah, it's either because Office 365 sucks, or because OpenOffice doesn't quite work well, or because you were given a laptop at work to use Windows. There are tools that Windows works with. I can name five or six off the top of my head. There's Spike, there's inSSIDer, there's MetaGeek's entire suite of stuff, there's a sniffing program, I can't remember what it's called anymore. When he kept... yeah, but yeah, the right, the radio, AiroPeek, and I think I just mentioned $65,000 worth of equipment. So you have to pay for Windows stuff, but it's not bad. It's GUI, it's pretty, it's, you know, I can give this to a CXO and say hey, here's your stuff, here's your heat maps. But for doing this type of stuff we do, it's not ideal, and it's not ideal because I can't manipulate the way that I'm going to affect the physics of the RF. Virtual machines are cool. Who uses them? Ever tried to do RF over a VM with... EIEIO? Okay, 80% of you can say yes and it worked fine, and the other 20% can say oh my god, why doesn't it work? And the answer is you will never know. So VMs are fabulous until they don't work, and then there's nothing you can do about it. So yeah, oh, there is an operating system missing from this screen. Which is it? Crapple. Crapple. Okay, Steve died. Moment of silence. Okay, moving on. So he died, and the entire vision of Apple changed when it came to usability of their operating systems. Five, six, twelve, twelve years ago,
God, Kahuna and I, we gave a talk, and we gave a talk on wireless, and we gave a talk on wireless using VMs using Apple, because Apple at that time actually had kernel-ish type stuff. Rick still hated it, but it had kernel-ish type stuff. It had the ability to write to the... more appropriately, it had the ability to run three or four VMs. It had the ability to pass that data through. Well, things have changed. It doesn't anymore. In fact, there are articles out there about USB 2 to USB 3 conversion on Apple and contention on the USB bus, because of the screen and the way the Wi-Fi works, that make Apple almost unusable. So in the last two or three years, in this type of talk we've given, we've taken Apple off the list. It is a viable operating system if you have to use Office. It is a viable operating system for Adobe or development or music, or, I'm sure, you know, there are tons of people that have real good uses for it in this space. It's not ideal. The cost of an Apple outweighs the absolute crap that you have to go through to make it work. So we move on to Raspberry Pi. I'm gonna skip over the middle one. Yes? Yeah, loud. Right, so the question is, like, doing separate boots on it. So it's not the hardware on Mac that's necessarily the problem, although they tend to implement the standard their own special way. What we're talking about is the operating system itself. So we're skipping over Pentoo in the middle, but the point is, any hardware that you can live boot into Linux, the answer is do that, right?
Even if you don't want to reinstall your operating system and kill your Windows box or kill your Mac box, if you can boot into Linux, you can do all this stuff with direct access to the hardware. And if you're super spooked about that, just yank the hard drive before you do it, probably not with a magnetic screwdriver, but you get my point. Easily enough, just don't format your hard drive if you don't want to do that, and you can do all of these things and save to a USB stick, and it's no big deal. But the ease of use with Linux, aside from, you know, trying to actually use Linux: the tools are there, and the tools roughly work as well as open source ever works, and the support's there as much as open source ever has support. But to get these things, the only way you're gonna do it is with Linux or with millions of dollars. You can buy a 10 to $50,000 Bluetooth sniffer, or you can buy an Ubertooth One, and they both do exactly the same thing. One works in Windows and the other pretty much doesn't work in Windows. But you can choose: do I want to run Linux, or do I have 10,000 extra dollars laying around? And if the answer is the second one, could you please be a sponsor? Did I mention we're a non-profit now?

So Raspberry Pi is on there. Raspberry Pi is on there because Raspberry Pi runs Linux. It'll run Gentoo, it'll run Debian, it'll run Raspbian, it'll run a whole lot of operating systems. Or on Kali. It'll run Kali. It'll run NetHunter. Kali. No, Kali. Kali, Kali, Kali, Kali, with all the Nexmon patches and everything included. Well, we haven't gotten there yet, but Windows runs Kali too. Yeah, Kali's an operating system.
All right, so Raspberry Pi. So as a dropper, as a leave-behind, as a pass-through, as a bridge, Raspberry Pis do a great job, because if you lose it, you lost 35 bucks. I don't care what your budget is; people care about the bottom line now. There's a team that will be, you know, not named right now, because Scoot left, that left a Raspberry Pi on site. They left it on site unencrypted, so whoever found it was able to pull all their data off and look at it and review what they were doing: adversary, red team, pentester, whatever have you, were able to pull everything you did off that. You guys can sit down; there are seats. We don't bite, I promise, lots of them up front. We showered this morning. We did it separately. Well, sort of. In the middle, but that's a different story. So the fact that we have the ability to take a 35... okay, we've got what, Pi 4s now, they're 50 bucks, but that's an nth of a percentage of the cost of a lot of these engagements. Raspberry Pi W, what are they, 10 bucks, 12 bucks now? You have the ability to do a lot of the things we're going to talk about, and we're going to back them a hundred percent. But it's a tool, not your main device. If you need a laptop to do work, use a laptop or a computer. Don't use a leave-behind or a dropper to do the work that a laptop should do. We're going to talk a little bit about that. Rick was talking about workloads a little bit ago. As a single-source server that you're leaving in as an RF forwarder, Bluetooth, Wi-Fi, whatever have you, they work great. They're not going to be your primary OS or your primary device.
Yeah, again, going back to: if you didn't test it first, it doesn't work. We've got only like 18 things plugged into the Kismet box and that compute stick is chugging real, real hard. That's based on a design from much earlier where I built a seven-radio rig, and I built it into a little box with two lithium-ion batteries that did not look like a bomb at all, and we snuck onto a trolley and sniffed a bunch of C-level traffic, and they got interviewed about it. But that one ran for a total of five minutes before the RAM completely filled up and the box decided to crash, because it couldn't write to the disk fast enough to put the captures on. Ran all the radios great, yeah, no problems there. Captured lots and lots of data really fast. Battery, battery, battery was great. Battery life on that... I charged my phone off the battery after we were done. Yeah, it was great. But yeah, five minutes. Five minutes of capture time and then the RAM was full. Bigger RAM would not have helped me there. Sometimes you just run into these weird problems, and it's really important to test these things, because the thing you don't expect to break is always what breaks. All of our challenges pretty much are running and our status page is broken, so people keep coming over to us saying the challenge isn't running. How do you know? Scoreboard says it's not running. Like, well, did you look in the air? All of them are up. Oh. Yeah, so it's always the thing that you wish was simple that breaks, and the complex stuff is what works fine.

Hey Blunderbuss, you're still in third. Sorry, just had to. So we're doing this in a weird order on purpose. We talk... if you've ever heard us... who's ever listened to us? Travel on? Ever? Anyone? Okay.
But wow, this counts now, this counts now. So Kali is a great operating system. Kali has an absolute place in the loop. Kali has a place in the world. But every operating system, and every device that those operating systems are on, are tools. I am really, really, really bad with physical tools. My father-in-law can build a mansion with, like, Home Depot. If I go to Home Depot and buy a hammer, I've got three broken thumbs. Yes, three. And the nail never went in. But it's the same tool used by a different person. People that are really good at wired pen testing, reverse engineering, database exploitation, web exploitation, general networking stuff, or anything that, God love him, Dave Kennedy has written or his team has written (just don't read the code; good, works amazingly) in Kali. So if that's your gig and that's what you're doing, Kali is a great operating system. Try and do wireless work and be really effective using Kali. The difference between, and again we're going back to logs, empirical data, the difference and the loss, the loss in packets, with Kali versus Pentoo is enormous. So many, many times we will disparage Kali. We have built stickers and written stickers that say hey, ha ha ha, you use Kali, ha, you suck. But because they're doing the capture the flag, we absolutely 100% of the time note that on the sticker or in the discussion that we're having: if you're doing wireless work, these are going to be your problems. We could have a flame war in Linux on Debian versus Slack versus Gentoo versus BSD immediately following this talk. We can meet over there. Yeah, we can meet over there. We'll have an absolute flame war. But until you can tell me, in this instance, using this device, using this type of test, I hate this operating system, I still am going to call bullshit on you, because until you've done that... Windows is the right tool for certain things. Mac is the right tool for certain things. All right, you've gone too far. Don't we have another slide? Nope. I'm pretty sure we do. Nope.
This is it. This is the last slide. Please. So I want you to talk about Pentoo. So, oh yeah, go ahead. I like Pentoo. It's a lot of fun. So the truth is, when you're using a live CD, and the next slide, the only thing that matters is: does the tool I'm trying to run work, does the device I'm plugging in work? It doesn't matter what the OS base is, it doesn't matter what schmuck put it together. It only matters, does this work right now, this second. And if you're trying to install with Pentoo, the answer is probably 80% it doesn't. But if you're trying to use any of the tools, it absolutely does work, and we spend an enormous amount of time testing our own stuff, and we use Pentoo to test it, which means that we know for a fact that you can break the challenges with the hardware using Pentoo. When you choose what operating system to install, I always suggest that you install the one that you ask the least stupid questions about. If that happens to be Pentoo, that's great and I would love to support you. But the truth is, using Pentoo, which is based on Gentoo, is enormously painful for new Linux users. The learning curve is straight backwards. This is a normal learning curve; Pentoo is this way. Yeah, no joke. Yeah, absolutely. So learning to use Linux: I started on Red Hat. I did. I spent two years on Red Hat, and then I'm like, oh my god, why does this never do what I want it to do? And the guy I was working with on the Intercap project's like, oh, I use Gentoo.
It's the only way. That's yummy. And then I just... now I'm on Gentoo forever. Go Gentoo. But the truth is, it is painful to use sometimes when you are trying to do updates and reconfiguring the system and learning how to make Linux work. So if you have no idea how Linux works and you want the pain, by all means, I will help you. If you want to start with something a little gentler, honestly, using Debian or Ubuntu, learning how Linux works, or something based on said operating systems, even Kali, you can learn how Linux works, and when you're a little more comfortable with that, something that's a lot more complex is worth it sometimes.

So the next slide. Please do not go out and buy these tools. We've had this talk before, and the next thing I know, three days later, I went to Hacker Warehouse, which by the way is phenomenal and they've got everything, but I went to Hacker Warehouse and I bought all these things. I'm a pentester now, right? I went to Home Depot. I bought a saw, a hammer, a jigsaw, and some nails. Can I build a house? Hell no. I bought a monocle, now I'm a millionaire. Yes. Yes, Monopoly boy.

So the Ubertooth is a great tool for the portions of Bluetooth that you need it for. Alfa radios are phenomenal if they have the right chipset. If you can find the TP-Link TL-WN722N, and version one, it's golden. It's about 13 bucks and it will last for years. It's a $13 Wi-Fi radio that in 2.4 gigahertz will do everything you need it to do. And I see you all taking pictures. Don't go buy all this, because you can't buy some of it, most of it, anymore. But version one is amazing. Version two, they changed the chipset. It doesn't inject. It's worthless. HackRF: Mike Ossmann makes an amazing, capable software-defined radio. There are better, but they're more expensive. There are worse and they're cheaper, but they may do exactly what you want them to do. The GlobalSat BU-353 GPS is amazing. We're not even using them.
We're using the u-blox 7s because they do a better job. They're smaller and they make better connections. Crazyradio PA. Who knows what that does? By the end of this talk, you're gonna love these and you're gonna go buy them. The Crazyradio PA is the MouseJack attack. Who's heard of that? Oh, okay, we have to talk about MouseJack a little bit. So for those of you that know it, just sit back and laugh at everybody else. The Sena UD100 is an amazing Bluetooth radio. But one of our guys who does a ton of work, and I'm gonna plug him real quick, where are you? Over there? Yep. He can't hear low, low-frequency stuff because he's been blown up too many times. It works, see, we have a high frequency, we can hear him. Woody has done a crap ton of Bluetooth testing and is pointing us in some directions on Bluetooth radios that are different from the UD100. He says he sees like 10 times more things in the same room. So hey, cool, let's work with this.

USB-powered hubs. You'd think this was a really just easy, simple, no worries, I'm gonna go buy a USB hub. How many have we burned up? I mean, like, literally melted? Only a few, but most of them break really quick, though. Ones that don't break usually don't actually fill all the ports, because... so I've got a seven-port at home that's got three of those TP-Links in it, because you can't actually fit them next to each other. Most USB hubs are awful, both in throughput and in latency and in heat and in the fact that they just generally break. So for instance, if you look in our box, which we encourage you to look at but not touch, you'll see two different kinds of hubs. We've got one where they're really, really close to each other, and we've got the new model of the same said hub where they're actually spaced out enough that you can put devices in every friggin' port. If you're taking notes, the Vantec 10-port USB 3 hub is absolutely amazing. It's aluminum, the size of your forearm, but it's not that big.
It's all aluminum. It's made for bit miners and it disperses heat phenomenally, and it's got full bandwidth. So even something as simple as going to Fry's or on Amazon or Micro Center and finding a USB hub, even that is something we test, and we're gonna talk through some of this testing as we go through this. Again, we're 48 minutes into a two-hour talk. When we talk for two hours... I think we can talk for like six. I think you could probably talk for two. Right, good, talk for two hours. I'm gonna close, though. It might be now, I don't know. I haven't decided yet.

USB to Ethernet controller. If you've bought a new generation laptop that is decent, how many USB ports do you have? One? Two? All USB-C? None? Love it. Yeah, that shit sucks. But you have to be able to plug other things into it, because, you know, we talk about how secure Wi-Fi is, but if you're not using client certs and server certs, validating both, and having no wildcards, and having everything signed, and having your IT department write a GPO that gives you WPA2-Enterprise only, you're not really secure using Wi-Fi. How many years has DEF CON's Wi-Fi gone down because of us? I mean, all the way down, or just we stole all the passwords? Oh, both. I mean, most of the time they don't even notice. The NOC hates us and we love them, and they hate us and we love them. I want it on record that we love them and we try and help. But essentially every time they create a network, they implement it properly. Who's the admin in the room? Don't... it's okay to raise your hand if you are. Who's implemented Wi-Fi and done it correctly and dealt with the absolute hell of dealing with mutual cert authentication and validation and the cert chain and all of everything that goes with that? I connect my GPD to my phone's hotspot at work so I don't have to do that, right? Because people go around it.
So again, if you're not going with the full compliance of what... wow, this is going black quick... the full compliance of what your enterprise is doing, you're not secure any other time if you're still following the same rules. So USB to Ethernet controller: if you don't use Wi-Fi, you've got to use Ethernet. We were testing radios in the room before this to get ready for this talk and the CTF and you guys, because, you know, DEF CON's a bunch of assholes that try and break everything, and the end goal was Rick had at least one gigabit Ethernet over USB 3 device that's cut in half with his pliers, because I was deauthing him with my handheld radio. Does anybody know what frequency USB works on? USB 2 transfers at 480 megahertz. Does anybody know what frequency the ham band is? Like 430. Business band's even worse, like in the 460s. Yep. Yeah, like if you use any of the radios that have the TTY inside the radio, they actually pop up a warning in the radio config software of, for the love of God, don't transmit while you're trying to upload to the radio, because it picks up right into the radio and feeds into it, and I have bricked a radio that way before. You can deauth someone's dongle, you know, we're in dongle-gate now. You can deauth somebody's Ethernet connection with a handheld radio, regularly. You can move a mouse, because what bus does the mouse sit on? USB. We're on the USB bus. USB is really vulnerable to RF attacks. Those that are Wi-Fi pentesters, how often do you do USB-based frequency RF attacks? I can move your mouse. I can make your computer do things it's not supposed to do, literally by keying up a 5-watt handheld near you. Now, who's trying to sniff Wi-Fi on a USB 3 hub that is really, really cheap? Yeah, it leaks energy all over the place and completely ruins your signal. Like those big thick cables that nobody likes, those are the good ones for a reason. They're good.

Headphones are up here. Why?
A, because I don't want to listen to other people talk while I'm trying to work. When you get on a train, headphones, you know, the really big ones, are like the universal "don't talk to me" signal. But headphones are important if you're trying to listen to RF signals. So as you're listening to these RF signals, you're gonna hear voices. You're gonna get video. You're gonna get things that you want to hear. I had an assessment that we were on in the middle of Trafalgar Square in England. Well, if you've ever been there, there's a few other embassies around there. They will be named... unnamed, unnamed at this point. We were doing an assessment. We found some stuff, and the next thing I know we're hearing chatter, and I didn't recognize the language. So I called in somebody that might, and he's like, oh, that's not good. Okay. So we, you know, as an intelligent assessor does, we go to ground. Took a Surface that's running Linux, because it looks like I'm walking around as a tourist with the tablet, a bunch of shit in my backpack. Next thing I know, I've got a group of people with earpieces and flags on their chest following me and the guy that I'm working with, because they realized that we intercepted their communications and we were down the road trying to triangulate where they were. Well, this isn't an abnormal situation if you're doing red teaming in America or other countries. It really doesn't matter where you are. That happening allowed me to realize that, you know, people see what you're doing, your OPSEC matters. Radios have to be down when you're doing this stuff because they can fingerprint me digitally. So as we're going through, the headphones were what allowed me to at least look semi-touristy and get the work done that I needed to get done. Also helps in personal relationships. My wife refers to my radio as Mr. Crackly, and I am only allowed to use it if I have my earbuds in. Who has a scanner? You ever listen to a scanner?
They're not quiet. In fact, they're very loud, and they're usually not well tuned, because you're getting a signal from like 60 miles away. The key to all this is know what your gear does. Know what your signatures look like and know what other people can see of you as you're walking around. And then antennas, assorted. How many antennas are you carrying right now? Yeah, about 200. Okay, just in my pocket. Yeah, I've got two on my body right now. You're like, I mean, 45 or 50. Antennas matter and frequency matters. And some of the talks you've heard today talk to the frequencies that go on and how they work. A 2.4 gigahertz antenna on a 433 megahertz transmitter or transceiver isn't gonna give you a whole lot of anything good. It's gonna give you a lot of dirty signal. Understanding what you're doing with antennas is super important.

So these are two tools that we live in quite a bit in the Wi-Fi world. One on the left has pretty colors, one on the right has more pretty colors. Which one are you presenting to a CEO? I hope neither, and I hope you're writing up an assessment of actually what they say and not what that's showing. But airodump and Kismet are pretty much the de facto. Yes, what, Chris? He's saying hi. Are you just saying hi? Hi, Chris. Can you say hi to everybody, Chris? If you don't have enough to share, don't give anything out. Okay, he does have enough to share. Everybody go share with Chris. Start with hugs. He's a very nice guy. He loves hugs. Bear looking for a twink in the back. If everybody's getting up to give him a hug, sit back down. Or don't, he might punch you or hug you.
I'm not sure. So Kismet and airodump are the two kind of go-to tools. airodump for Wi-Fi specific; Kismet, as you see if you come over and look at some of the work we're doing, Kismet gives you a lot more information. It gives it to you in a much better form. And then, Mike, if you could just give us packet captures back and not make it scripted, that would be great. It totally doesn't always crash on the pcap-ng output. But these are two really good tools to use for these capabilities we're talking about.

So to get to where you're going, you're gonna have to pack it out some way, so you can pack it covert. The Osprey bag on the right, you can be totally, I'm a soft guy, I've got my Oakleys, I got my Levi's, I've got my Hard Rock Cafe shirt on, and wear your 5.11 backpack. You need a Pelican, you need something to travel with. Having the ability to get your gear from one place to another is super important. That MRAP actually happens to be a wardriving vehicle. See, see where I went with that? That was clever. That was fun. So again, if you're putting stuff in your car, the reason that Kismet box was built is I wanted the ability to throw something in the car, plug it in, and have it run, as opposed to plugging a hub in, plugging things in, getting everything set up, setting up a network, and all that other bullshit. So having the ability to just throw it into the vehicle you're in is very helpful. You've got to get your shit from one place to another; one of these will probably help. I don't have a rental car here because frankly rental cars tend to suck. Just ask Woody. They've got a lot of flaws to them, and your data goes to pretty much everybody.

Who has an Android phone here? You can raise your hands proudly on that. Even though iPhones are a better phone, Androids are better devices. These are devices, these are tools that you can use on Android. We've kind of talked through this over the years as to what works, what doesn't. This would be something I would take a picture of, or, you know, get
the video later. But these particular tools make your Android device a relatively covert device to do things with, as long as you have the right OTG cable. The Nexus 5Xs are decent devices, but they only work with like three OTG cables, which means that they kind of suck when you're trying to do work. Understanding how your tools work. If you're at DEF CON, we used to be really concerned over those things that killed Steve Irwin. I'll let you Google that one. But OpenSignal and LTE Discovery do an amazing job of telling you when cell towers move. Why would it be a problem when cell towers move? Discuss amongst yourselves. Having the ability to see them is very helpful, and OpenSignal and LTE Discovery do a really good job for that. Anything else you want to talk about on there? No, but that guy has a question. Yes, question. Hi. No. Yeah. Apple, there is a... real quick, the question was: are there ways, without jailbreaking your iDevice, I'll leave it at iDevice instead of phone, to detect moving signals over LTE, GSM, or 4G or 5G?
I'm gonna uncharacteristically say something kind of pro-Apple here. They are really, really, really bad to the app developers by preserving the user's privacy. They do things like not allowing you to read the MAC address of the device and not allowing you to read the information of the device, basically at all. Whereas Android makes all of their money from app developers who are basically stealing all of your private information, so they give you everything. If you are an app on Android, you can access the GPS, you can access the Wi-Fi nearby, you can get all the MAC addresses of everything anywhere near you, and things like nRF Connect do exactly that to track the local Bluetooth devices and show them to you. But Apple locks all of that down, doesn't even make it optionally available, to protect you from those companies being evil with your data. Apple may in fact be secure in that way; Android may in fact be useful in that way; and unfortunately your choices are one or the other. So, you know, whatever. Personally I carry two phones. I carry a device and I carry a phone. I like Apples as phones. I like Androids as devices. Both of which fit in my pockets, and they both work really well, but you've got to figure out what it is that you're trying to do when you're doing it. Any questions about those tools? Excuse me. I use a... right, phone. Do you recommend, is the question? I use a Note, because they're bigger screens, and if I'm using it as a device I want to be able to see a little bit bigger screen. You use Pixels, right? I use whatever Google is selling, because they're the only ones that actually get security updates in a timely manner, and as it turns out, that's very important to me personally. I know, right? Yeah. Do OTG cables work with every phone?
No, no, definitely not. They get over a lot of phones, and USB-C is a lot better about that. But you also have to realize that there's not, like, drivers in these phones for whatever you plug in. So for example, almost every Android phone, including like the Chromecast sticks, can take a USB Ethernet and will use that as their primary Ethernet. But only like two or three chipsets actually work. It's the most common ones, so it feels like, oh yeah, like every one of them works, but I've got a stack of them that just don't work. So there's a very limited driver set. You're not gonna plug a Wi-Fi card into your OTG cable and use it on stock Android. There are products like NetHunter and the Pwnie Express products that have completely customized the kernel, the operating system, to give you those extra drivers that are not available on, like, stock Android. But you can get, like, you can plug an RTL-SDR into your phone and you can use RF Analyzer, and that absolutely works, because it's a nice user-space driver and somebody ported the RTL libs to Android. So there is a lot of capability, but don't think it's a Linux computer. It's not.

All right, so the sweet spot of where most people do their work: Wi-Fi, 2.4 and 5 gigahertz. Who here, especially you people over there, only has 2.4 gigahertz stuff with them? It's okay.
Yeah, okay. You don't have to admit it, because we all know the truth is nobody only has 2.4 gigahertz stuff with them. Your phone, your laptop, everything that you're not using for hacking is dual band. All of the stuff that people are using for hacking, like these sweet deauthing wristbands on one of our contestants over there, is 2.4 gigahertz-only garbage. And the truth is, 5 gigahertz is very, very well utilized here at DEF CON, because every schmuck with 50 cents is deauthing Wi-Fi right now, but all their stuff is 2.4 gigahertz only. It's shocking that people are actually going around and not sniffing 5 gigahertz. Okay, this has been a big complaint of mine for years, especially with AC. AC is only 5 gigahertz. There wasn't any enhancement to 2.4 for AC. So all of these laptops for several years are predominantly using 5 gigahertz. Even the cheaper devices are now mostly dual band. And truth be told, if it's not dual band, stop buying it. It's garbage. It is the most overused spectrum we have in the world, and it's overlapping with your microwave. Like, it's the worst spectrum on the planet. Stop using it. 5 gigahertz is great. Oh my god.

Talk about Wi-Fi testing. What kind of Wi-Fi testing should we talk about? Oh boy. So Ted, you still here? Teddy? Ted, no last name. Ted. Ted, wave. Hi. Thanks. So Ted gave a talk earlier called "Are You Interested in Kismet?" It was a great pun. But the truth is, Kismet has a wonderful API that gives you all of its information and allows you to kind of poke at it. So we used Kismet, mostly him.
I had the idea and begged for somebody else to write it for me. He rewrote my Kismet shootout into a REST API call to the new Kismet, and it allows you to test those cards competitively against each other, and that is, again, one of my primary ways of testing Wi-Fi cards. In addition, testing things very fairly is almost impossible. I have a large baggie of really, really crappy antennas, not because I use crappy antennas, but because they're all exactly the same crappy antennas. Mostly I use the little zero dBi ones that come off of the Sena dongles, because I have a bag of like 20 of them, and that allows me to test like 10 or 15 cards with exactly identical antennas at once, to see what really is what. And so we spent a lot of time testing with things like that. Just feel like this slide is inappropriate. I want this one. It feels better. Talk about Wi-Fi. So yeah, testing with things like the new Kismet shootout and testing with, especially, aireplay-ng. aireplay-ng is the primary tool that everyone uses to inject packets. It's also the best tested, because people complain immediately if something doesn't work with aircrack, because it is kind of the gold standard. So the aircrack guys get all of these bugs, they fix all of these bugs, and they generally have a nice working product. So if you test it with Kismet shootout and it looks like it receives more packets than most of your other cards, and you test it with aireplay-ng and it looks like a reasonably high percentage of successful transmissions, that is a damn fine Wi-Fi card. If you run one of those tests and it doesn't work out for you, that sucks. Also, run a lot of connected tests. I know it sounds weird, because, you know, what was the hack I need to connect to a Wi-Fi network from? But the number one thing I used to see, which was the funniest thing on the planet: we were running a capture the flag and everybody had those 802.11g-only Alfa cards that were so popular for so long, the 036H, that everyone loved so much,
the one-watt Alfas. And they would buy these things and they would crack the WEP, and it'd be two minutes later, because the thing has great injection support. And then they'd try to connect to the network and they couldn't do it, because that card's firmware was so light you could do basically anything you wanted with it. You could inject raw frames, you could capture raw frames with it, but if you tried to connect to the Wi-Fi network, the things sucked. You had to be within like six inches of the access point for them to reliably connect. One watt. It was not successful at connecting. It was not. I love the Realtek ones for connecting, to be quite honest, because they actually have enough firmware on them to do the job correctly. So testing things when you're connecting is actually a big deal. You know, Wi-Fi testing stuff you want to talk about? I talked about shootout, aireplay, and just actually using it as a Wi-Fi card, which is... that's crazy, right? That is absolutely crazy. No, I think the biggest thing you've got to look at is what are you trying to do when you're trying to do it. If you're trying to hit channels one, six, eleven, and A band, you can do that with one radio, but you're gonna miss handshakes. You're gonna miss data. You're gonna miss packets. Data loss on these radios, added to the fact that it's channel hopping, is gonna give you a hard time. So again, testing the best you can to do what you're trying to do. Who's ever wardriven? WiGLE's back in the back. Usually they've left for the day, but WiGLE's been here. WiGLE's been doing this stuff for like 20, 17 years, 18 years, something, forever, as long as, like, the iPAQ and the Orinoco Gold existed. WiGLE's been capturing data all over the world. If you've wardriven before, and/or if you just want to guess: what's the optimal speed to drive while wardriving? 90. With your rig, yes. What is the optimal speed? Yeah?
Zero. Park outside. Your GPS is gonna suck, and you get like, you know, a couple. Yeah, seriously, if you're wardriving, if you're driving around trying to get access points, you want to be as efficient as possible. What's the speed you drive? How many Wi-Fi cards do I have? What's the speed? Five? Okay, that's a thing. Anyone else? Can you drive ten on most roads? Can you drive five on most roads? What, I have minutes over the speed limit? So what you read, if you Google it, and I've done this before, is 35 miles per hour is the optimal speed to wardrive. How many channels are you getting in that 35 miles per hour as you're passing? If you don't test your equipment... Rick said 90. With some of the rigs he uses, he could drive 90 miles an hour. There's, well, one, two, three, four, five, six, or 14 plus 37, 220 if you unlock the firmware. What's the, uh... yeah, there's what, 60 channels roughly right now in the US? Like 44. 44? Okay, 44 channels. If you're driving 35 miles an hour down the road, this is not the algebra train question, if you're driving 35 miles per hour down the road and you have 44 channels to hit and you don't know how many channels you're going to hit as you're driving, did you get all the Wi-Fi? No, you didn't. But if you know that you can drive this fast with these 12 radios, six radios, five radios, and they're locked on channels and not channel hopping, then you can come up with an optimal speed. So when you're trying to do the collection and you're trying to do your testing, do that testing. Keep this kind of theme coming back: test your stuff before you go out. If you just want to collect data, I mean, Art Bark gave a talk and on a panel, semi-sober, well, he gave a talk for about 10 minutes and then he just started, you know, being Art Bark. He runs around with like 15 Android devices.
He drops them onto Ubers. He does all kinds of work to get things up to go to WiGLE, and he does a good job of it because he's dispersed what he's trying to do. But if he was trying to drive around with Ellen, Jimmy, Johnny, Jen, Jen, and I don't know whatever other names he's named his access points, he's not getting the same amount of data that he's trying to get. Yeah, does anybody here know how many Wi-Fi cards you can channel hop within Linux at once? I found this one out. No one got any guesses? How many can you channel hop at once? Two? That's a guess. That's a good guess. She's got eight fingers up. I couldn't even tell. And name one? One at a time can channel hop. You can only issue a command to one Wi-Fi card at a time in Linux. So if you have 30 of them, you have to queue. The queuing system is not even fair. It's just whoever takes the lock first wins. So when you put a bunch of stuff together and you say, well, you know, there's 44 channels and I'm just gonna channel hop at five a second and I'm gonna put nine cards in there and I'll be great, except you can't actually do that. You end up with wonderful setups like my Kismet box with a load average of 12, because all of the cards are stuck in D state waiting to channel change one at a time. It's a really interesting feature of Linux that we're currently working on fixing. Well, by we, I mean Johannes Berg, who's actually a god and writes most of the Linux stuff. But he's been helping me through fixing this problem, and I've been testing for him, to actually allow you to channel hop with more than one card at a time, because, well, it's 2019. People have more than one Wi-Fi card now. So testing is important. So understanding how your stuff works matters a lot, and if you don't understand it, you can't use it properly. You shouldn't be getting paid to do what you're doing, and I am calling everyone out that's getting paid to do this type of work, if you don't know how. We don't normally give two-hour talks. We can talk for like eight or ten
hours at a time, but we're never closing. But we run the village, so we can give it over as long as we want. So you guys can ask as many questions as you feel free to ask. With this testing, though, understanding where your device is working, how they work, is going to be critical. The best way that I've found to do testing, and it's really, really stupid, it's really basic: get an access point, whether it's your phone, your device, your laptop, whatever it is, and go out to a soccer field or a football field, or somewhere outside where that big yellow thing is in the sky that burns you, and set up that access point at, like, the zero yard line, for those that are, you know, happy with sportsball, that's where the big lines are. Put that access point there and walk out a hundred yards, and it's nice on a football field because it's already marked for you, and stand there and get a reading from your device and see what reading that is. Then move to 90, 80, 70, I don't think I have to go all the way down for you, and write down what those ranges are. At that point you know that at this distance, on a perfect day, my radio works at this efficiency. And when you have that ability, to have that knowledge, you can move forward with the way you're working, because you know exactly what your devices are going to do. Now, caveat that with: we're manipulating physics when we're dealing with wireless devices, whether they're RF of any sort. It's not going to be perfect. But if you compare two or three devices to each other, you have the ability to say my empirical data says this device is better than this because of this. Understanding how that works is critical when you're doing your testing. If you're standing, please feel free to sit down. We've got lots of seats.

Bluetooth. Some of you said you work with Bluetooth. Who has the ability to deauth Bluetooth? Anyone?
Because if you do, I want to talk to you. Bluetooth is a really, really cool capability within the 2.4 gigahertz spectrum. Bluetooth, by design, frequency hops as it goes from connection to connection. As it frequency hops, in order to deauth Bluetooth you have to jam the 2.4 gigahertz frequency. Who's allowed to jam, in any country in the world, the entire 2.4 gigahertz frequency? No feds here? Okay, cool. When you have that ability, the reason that they've stopped it, the reason the FCC has gone really strong on it, is 2.4 gigahertz is what also allows you to make cell phone calls over Wi-Fi. Who's ever seen, you know, "do you want to call over Wi-Fi instead of using cellular?" If you block 2.4 gigahertz and you block the ability to get across those signals, you can't call E911, which means you are doing a public safety disservice, and therefore you're breaking rules. That being said, Bluetooth will deauth, it will disconnect, if you jam the entire 2.4 gigahertz frequency set, but it's smart enough to not do that. So a lot of the work that we do in Bluetooth has changed over the years. Yes? Yep, those black helicopters do not joke. They are a hundred percent legit a hundred percent of the time. Messing with this stuff is really bad. It's bad for reasons. Yeah, I'm sorry. So what he said was, and I'm gonna paraphrase a little bit, but there was a guy in California that was taking our I-70, I-71... that's 71, right? Is the 71 in California? And he was jamming Bluetooth because he was sick of people talking on their GSM. He was jamming cell phones from working because he didn't want them to function while they were, you know, going forward. That being said, he got fined $30,000 and had jail time simply because he was jamming. The FCC eventually found him. They don't mess around. They don't, and they don't for a lot of reasons, and, you know, hey, hack the planet, you know, rock on. Some of this stuff is for our own good.
I mean, it's not all bad. Some of it really sucks. I mean, legally, in this district within the United States, because of Google (thank you, Google), we can't sniff Wi-Fi outside of a place where you have a rules of engagement. Which, by the way, because it's on record, we've given a rules of engagement for our wireless capture the flag: feel free, if it says WCTF in all caps, to beat the living poo out of it. But other than that you're not supposed to do any sniffing within the state of, within the, what was it, Rick? Is it the ninth district? Where are we? What district are we in in California? The ninth? Yeah, within the ninth district. Not, you know, not to say that you can't do it with rules, but by legal you are not allowed to sniff traffic within that space because Google did all their Google driving and everything else. Yeah, how would you catch somebody driving down the highway with a jammer? We're gonna move on to SDR for a second, which is later in this. To jam, in order to do broad-spectrum jamming you have to spread, send... let him run. Piero, it's okay. That's not Piero. Well, he looks like Piero. In order to do broad-spectrum jamming or wideband jamming, you have to send out a ton of energy. The emission of that energy is a very specific... there's a word I'm trying to come up with. Signature, thank you. It is a very specific signature that is very, very easy to find. I've done some FCC fox hunting before, where we go out and look for jammers. Two years ago we actually put out a request to our wireless people over radio and a bunch of other communications. There was a group that was jamming out the ham radio devices that Telephreak was trying to run, and we went out into the hotels and found the jammers. But we put out enough information that they got scared that we were looking for them, that they stopped. Finding jammers is really, really easy. We're gonna get into SDR in a second.
Thank you, those of you that have walked through this marathon with us. That type of testing is really important, because you have to find those rogue signals that are giving you a problem, and you have to find those devices that are talking too loud. That's how you start to look for them. Yeah, we actually got a report of somebody jamming our ham radio repeater just yesterday, and we spent a little bit of time looking for the jammer, and it turns out that my $40 amplifier had shorted itself and really, really needed a reboot. Yeah, we were jamming ourselves very effectively. Five watts, back at yourself. Did you know the five watt reaches the Flamingo? Clearly I didn't, but turns out it does, and the amp's heatsink works great. Yes. Yeah, question in the back. All right, so the question is what about jammers? Yeah, what do you do about jammers for like a home alarm system or whatnot? And the truth is, if it's wireless, it's not an alarm system. It's not a security system. So if your cameras are wireless, especially if they're Wi-Fi, if your door sensors are wireless, if your only way to get out is cellular, it's not a security system. So I'm not giving up my personal protection, but to be fair, I use one of those devices, and they will remain nameless. The one I chose has Zigbee, Wi-Fi and hardwired Ethernet. If you're that good, you're throwing something through my window or cutting the glass and coming in, and then you've got to deal with my dog and guns and a whole lot of other things. But your personal protection and how you deal with that, you have to understand what those risks are, and you have to be comfortable with them. So if you don't want to get jammed in 2.4, and then you jump 2.4 and 9 gigahertz, cool. Then you've got something that's hard-lined in over coax, and then you've got Cat 5 or Cat 6 or whatever it is. You can't do a lot more.
I mean, to be fair, there's probably like microwave or satellite technology you could use, but if you've got a triple backup on three different frequencies or four different frequencies, I don't know how much better you can do. Yeah, the truth is if I cut your phone line and jam cellular, your alarm system is not gonna alert nobody. But yeah, there's always a risk. You have to decide what the risk is. But truthfully, the really garbage door sensors are really, really garbage. rtl_433 decodes a few of them. It's pretty funny. You know, watch your neighbor's doorbell get rang, or their doors open and close, the windows open and close. And one of the companies I formerly worked for, they told me everything was wired. They were wrong. So I wrote a little script that replays door open, door closed, door open, door closed, just in a loop. And it turns out... you can't, but you're an asshole. I am, but it turns out you can't arm the security system like that, but it does blink like it's party mode. So it was fun for one of us. So within Bluetooth there's a couple different things. You can have your internal Bluetooth radio if you've got a laptop. This is what it looks like.
It's the first one on the left. We look at, currently, the one that we're using is the Sena UD100. It does a really good job for decent distance Bluetooth, and we've got an Ubertooth One. The Ubertooth One's not a Bluetooth radio at all. It's a 2.4 gigahertz spectrum analyzer, but it does an amazing job decoding Bluetooth data. So when you start to pair these together and use specific tools that give you the ability to change these, you get good data. Now, that being said, that first radio: who takes the radio out of their laptop as soon as they buy it and replaces it with something else that they buy online because they've researched them? Man, those new Intels. And the answer is not which model, it's literally all of them. Like, you can buy a new Intel Wi-Fi chip for like 30 bucks, usually on Amazon or eBay, and you can get the latest wireless card that everybody wants to support, and they're really cheap. Yeah, like I remember, 20 bucks, $200 Wi-Fi cards, and now I buy stacks of $30 Wi-Fi cards that are way better. Okay, could you clear the door, sir? You got to keep the door clear for fire code. Thank you, janitor. For those that have not been to any con ever before, the janitor is usually the loudest voice in the room. So the fact that I have 2400 watts to speak into... Sorry, yeah, you're a delicate flower, and so is Coop. Delicate flower. Yes. Yes, so you talk to each other. I think he's in Paris right now; just point and talk. So I'm gonna jump over a couple slides. We can come back to Bluetooth, but is Iceman still here? Is Iceman still here? No, he was... no, he literally a second ago was here. No. No? Okay, we're not gonna jump. I was gonna jump over to RFID, but I think he walked out because we've been talking too long. That's fine. Let's talk about MouseJack. So, hey, funny as hell: who knows about MouseJack or LOGITacker? Yeah? No? Yes, some, maybe. Okay, we're gonna give a little bit of teaching here, not a lot, because we are talking about testing. MouseJack. They even have a really cool logo.
Thank you, Bastille. Cool logo. There is a device that you can buy called a Crazyradio PA. The Crazyradio PA, Crazy Radio PA, whatever; if you Google it, you'll find it. The Crazyradio has the ability to find and inject into Logitech, Dell, Microsoft and Amazon wireless mouse and keyboards. If somebody can come up, off the top of their head, with another company that does wireless mice and keyboards, I'd be happy to hear it. Anyone? It's pretty much every 2.4 gigahertz receiver, and they're encrypted receivers, which is nice because they're safe. By the way, we gave this talk at BSides DC, and Osaka was still running her wireless mouse, and may or may not have had her laptop rebooted during a CTF while she's gabbing at the mouth over there, not paying any attention yet again. Hi, Osaka. Yeah, no, it's funny. She's right in front of us. She really is. Anyway, we tell people this and they still don't listen. What I can tell you 100% is this attack allows key injection, code injection, redirection, manipulation into devices that are running these mouse and keyboards. For 20 bucks you can check to see if you're a problem, or anybody you work with is a problem, or anybody you're working for is a problem. Forget 20 bucks. Who here follows mame82 on Twitter? Yeah, I'm pretty sure it's mame82, and if you follow this guy...
He's come out with the LOGITacker attacks. He's been teasing about it for weeks and just really killing all of us. He found a way to extract the keys by plugging the receiver in. He found a way to inject keystrokes past the whitelisting feature of the clickers. So clickers normally can't have keys, and he found a way to bypass that and actually inject keys into the new clickers that have the protection. He found ways to force pair to the dongle, so even if you don't have the keys for something that they're actually using, you can add your own keys and use those. I mean, like, literally every way you could break it, dude found a way to break it. And then he released what's called the Logitech Unifying... Unifying dongle, Unifying stuff, and he's got another dongle, of which he lists a number that he likes, that have a newer chipset than the Crazyradio PA, and those are as low as like nine dollars on Alibaba. So you just have to wait six weeks to play with them. I was really mad because mine showed up three hours after my flight to Las Vegas. Yeah, these things are really awesome. The attacks are really legitimate. We like this one because it is supported by Kismet, and it will find all of the vulnerable devices. The newer attacks do require the newer dongles to run some of the stuff, not all of it. You can actually run some of the attacks with the old, the Crazyradio, but this one works with Kismet, which means I can just walk around, find vulnerable devices, or, you know, park in your parking lot and find vulnerable devices, and then go to town. So, funny story. I was working with a client, which obviously is gonna remain nameless. They had pretty decent security. They had triple authentication somehow, and I don't know how they did triple, but triple authentication to the Amazon cloud. They were jumping through VMs.
They weren't working off their main desktop. They were using VDI, if you have a buzzword that exists over at Black Hat. They were using it to get into the Amazon cloud. They were using GovCloud even though they weren't a government agency. They were able to get in. So literally as secure as they could possibly be, well, except for the fact that they were using a Logitech mouse and keyboard to do all the work that they were doing. From the parking lot, and we measured because they really wanted to know in the outbrief how far it was, it was 126 meters away from where the keyboard and mouse were sitting. I was... the distance on the Logitech mouse and keyboard is 10 meters. I was injecting keystrokes into their development cycle, into the Amazon cloud, from the parking lot. Well over standard, wasn't it? From three, like, through three VMs. Yeah, it was a ridiculous set of connections, all kinds of dual authentication. The basic, the bottom line here is whatever your mouse and keyboard have context with on your screen is where this will start injecting. So when I pulled back my reverse shell, my reverse shell was not within the rules of engagement, was not within the client site, was not even an IP address I recognized. So I stopped everything, called them up and said, hey, what's this? Like, that's our cloud instance on our secure side, huh? So just want to let you know, if you look at the netstat on that box you'll see this IP address, and they're like, yeah, what's that? I said, okay, watch your screen for a second. Click, click, click, click.
Oh shit. So this attack, even though it's a localized attack, is mitigatable. You can actually do a really good job of updating the firmware and making a whole bunch of changes. But this attack isn't just an RF attack. This is bordering on, going across boundaries that should not be crossed with RF. Questions? So the guys at Simple WiFi, Wireless World, and whatever else they're going to be going by this week... Brawl, who's an amazing dude, created antennas a couple years ago that we really, really like. It's a 12 dB dual polarized four-port antenna that's dual band. So it's 2.4/5 gigahertz, dual polarized, four inputs. I've never not been able to get onto a client site with that antenna. It's absolutely phenomenal, but it gives you a lot of distance. 12 dB. So it's 12 dBi increase off of this little radio because it's 2.4. No, no, it's... we call it the Ukrainian E-ZPass because that's pretty much what it looks like. It's just like, it's like this big and white. You had one of those amplified log periodics with like a pistol grip? That would have been convenient. That might have been convenient. Anybody that makes them? I don't know anyone who makes them. I think Alex might. So there's a lot of antennas you can use, but from that distance I was able to hit it really clearly. So, all right, software-defined radio. So we've talked about hardware-defined radios. Software-defined radios give you the ability to, if you can program it, you are that radio. So if I want to be a hundred and thirty-three megahertz radio, I'm a hundred and thirty-three megahertz radio. If I want to be a repeater, I'm gonna be a repeater. If I want to be a GSM cell tower, I'm gonna break a billion laws, but I can be a GSM cell repeater. And there's all kinds of YouTube videos on... what's he doing?
Oh, okay, on Raspberry Pi with bladeRF becoming a cell repeater. Software-defined radios are absolutely amazing and game-changing. Years ago there was a discussion that we had in Wireless Village where we talked about why Bluetooth was not economical to break into, because to do the type of work we needed to do, it was way too expensive. Well, now we can break into anything with an RF signature that is within the oscillating power of that radio, just by making some GNU Radio blocks and making it do what we want it to do. So if you guys look up front, up on this screen that's been behind us the entire time... you want to play with the knob, or did it? Oh, yeah? I want to play with the knob. So that is an Ettus. I don't even know what, because none of us can afford it except for people that are buying it with major... How much does that cost? How much does the Ettus cost? To the muggles in the room, how much does the Ettus radio that we're using cost? How much does it cost? How much does this cost? Can I afford it? Okay, so that $10,000 software-defined radio, with a nice guy... everybody clap for Nate for letting us borrow this. Even set it up to print our logo on the screen. It's awesome. That is pushing, is it 200 megahertz of bandwidth? But, oh, it's only a hundred today. Oh, you cut it in half. Oh, Iceman, you came back. Thank you. We're almost there. So that is pushing across a hundred megahertz of bandwidth simultaneously, allowing us to see everything going on in the space that that screen is showing us. If we wanted to program that radio to then inject into those streams using those protocols, we can do that. So this can be a Wi-Fi radio. This can be a Bluetooth radio, a Zigbee radio. This can be all kinds of stuff. Nate's gonna play with his radio a little bit. You want to show us Wi-Fi? How about if you show us all of Wi-Fi? Oh, you did already. All of Wi-Fi.
So remember we were talking about jamming Bluetooth? Don't do it. But he could. Please don't do it. But we have the ability to get all of that spectrum in one spot. Software-defined radios, even, I'll be honest, 10,000 is cheap for what this is capable of doing, give us the ability to manipulate RF in a way that we've never been able to in the past. Yeah, I really can't stress it enough that, like, most of these software-defined radios we love, the answer is only what makes sense for what you're doing. Like I said earlier, we're using the tiny little cheap Wi-Fi dongles that don't go 25 feet because we only need them to go 20 feet, and that was the best thing for us, right? Ettus owns the entire top end of the SDR market. There is not a competitor. There is not anything else you want to buy. They make all of the good stuff, as far as I'm concerned. I'm not, you don't have to worry, you're not gonna get in trouble for this. Ettus makes all of the good shit. Okay, I'll make him feel better. So there are other companies out there that are spectrum analyzers that do a really good job, like Anritsu and others, but they are not software-defined radios, and they do not do what this stuff does. There's that good, and they go for like a hundred grand, right? Ettus doesn't go for... I'm sorry, what are we calling you now? They're a... That sounds familiar for anyone? Yeah, that sounds right. If you have never done software-defined radio stuff, go over to the vendor area, buy a twelve dollar RTL-SDR. That radio in the middle, the one that says NESDR SMArt, I think. NE: that's NooElec. SDR. SMA: that's the connector. RT: that's the Realtek chipset.
They made a pun. They did. They're punny. That goes for like 15, 20 bucks. It does not transmit; it receives only. It receives from, if I remember correctly, 30 to 1.1... no, I think it's like 50 to 1.7. Okay, they also have new ones. But the point is, I have like 15 of them because they are cheap and they are great and you can always find an excuse to buy one more, and if you have the one Ettus board, if you burn it up, it's not a big deal. You can test things, you can receive things. Most of what we're talking about that's not 2.4 or 5 gigahertz you can see with this. You can see GSM. You can see ADS-B. You can see airplanes flying in the air. You can see seafaring objects going out into the water. You can decode the P25 radios the goons are using right now. Yes, you can. We tried to help them too. Anyway, moving on. To the left is the Ettus B205. That is another software-defined radio that we use very heavily. It's about that big, if you can see that. Very small, easy, portable, extremely powerful, great fidelity, but again, I don't know, what are they, seven to eight hundred dollars? Set more. Yeah. No, he's eight. One more time with real fingers. Oh, nine, eight, two, really? Two fours. Here, let me give you three. I think that was 11 dollars. He said it's 11. Five them all. Now I saw two fingers. That's what I saw. So they're like 800 bucks. Coming down from there, you've got the Nuand bladeRF, my bladeRF micro. Does an amazing job for about five or six hundred bucks. It does dual band. It does transmit, receive. It has transceive capabilities. It's another good radio. Below that's the HackRF. It's about, what, 200 bucks, 300 bucks? Or a little less than 300 bucks. And they have our favorite add-on on the planet, which is the PortaPack. It's a software-defined radio with basically a Game Boy on it, and you can decode all kinds of things. You can send all kinds of things.
It's just a really, really useful thing. Truthfully, it is one of the lower end of the software-defined radios. It's one of the older models of software-defined radios, but the usefulness of an add-on like the PortaPack is absolutely groundbreakingly amazing still. And of all of these, I mean Nuand and blade and Great Scott Gadgets, it's doing an amazing job working with the open source community. Thank god we know the guys that we know at Ettus, because they work amazing with the open source community too. They happen to all be standing over there. But if they're in a green shirt, say hi to them. Hi, guys. You've got to find something that's not only supportive but also easy to use and has the drivers that you want to work with. So depending on your need, all three of those might be good. Some of the work we do, we have no problem using YARD Sticks and other, you know, devices that work for specific frequencies. You're trying to scan this much data? Then you're looking at a much different form factor, much different product. I'm going to jump over the next one real quick because I really want to talk about these, and we're going to talk about some RFID stuff. Oh, here you go. You can talk. Who has a badge at work? Don't raise your hand if you don't feel like it. That lets you into the building you're going into. It's pretty common, right? Most of them have these three weird letters on them: H, then I, then D. So HID has some very strict rules on what we can talk about out loud versus what we can't talk about out loud. So we'll be happy to talk to you about things that can be done. But there's a really cool tool called a Proxmark3. There's a branch of development called the Iceman branch, which has been just completely abominated and gotten rid of, and now there's an Iceman RRG. Correct? Oh, yeah.
Oh, yeah. Guys, this is Iceman. Say hi, Iceman. Hi. So we figured we would bring up our Swedish friend to help us with this talk, because when it comes to dealing with RFID stuff, this is the guy that's writing the software that you hate right now. What are some thoughts you have on product testing? Software test... I'm doing a panel of one. This is really fun. Wow. Product testing and product development when it comes to RFID as well as access control. Oh, wow. You weren't prepared for that one, were you? I wasn't ready for that one. Well, what I think about that, I would say that people who are doing that, those companies are doing it quite well, but they do not have a hacker mindset. So they don't see it in a cloner's way of wanting to do it. So they wouldn't like to say that, oh, we have a safe cryptology, and they build up the readers and source for it, and then they will have someone to try to hack the crypto, and, oh no, we use triple this and that, it's safe, and they all feel good about it. And then comes the little people around, goes like, oh, yeah, I put your reader in acetone and I melted out the PCB and I extracted a firmware from your PIC, and then we decompiled that and we analyzed that, and we found all your key generation algorithms, and then we took bad ideas and implemented them in the Proxmark source code, and boom goes your cards. They don't think like that. And that's what I think about that. Yeah. So the Proxmark is pretty much, if you're doing this professionally, the de facto standard device that you're going to buy to start doing this testing. It handles most devices pretty well. Yeah, it does. Receive and transmit pretty well. Yep. It's got a really cool new sexy super... which I still need one... Bluetooth add-on with a battery that allows us to go in your pocket and pick up stuff in an elevator. And being realistic, from three to five inches? Oh, yeah. Well, you were in your imperial system. We have that... I'm sorry, 17 to 20 centimeters? Oh, no. Now...
Let's see. We have a large antenna. You would go 14 centimeters. 14? Okay, so I think I was within that superset. Superset, yeah. You have better antennas, I guess. That's not the biggest issue, because if you see, there's a part of things, if you... other people who do RFID hacking used to combine things. So hardware hackers combine things with other hardware and make something even more worse, or more effective. So we take, like, one of his HID readers you see there, and they put a Proxmark in behind of it. So all of a sudden we're reading, because this company, this product does a really good job of making a coupling and antenna design, so we have a really long reading range, because that's in the natural habitat of their systems, as they should do. But if you weaponize it as well, Proxmark in the behind of it, you do that, and you give a possibility of a Proxmark even further, which makes it kind of nasty. So that HID reader isn't the one you're used to seeing. It's about this size, and it's what you typically see when you're going through, like, a parking garage, or like an E-ZPass or something.
Yeah, it's a big energizing unit. If you ever open one of those up, there's like, I don't even, I've never actually measured it, but I'm thinking like 40 feet of copper wrapped around that thing, with a decent power supply that enables that RFID card to get energized and hand out its Wiegand data, which is ones and zeros that make it all work, which is a different talk that's going to happen tomorrow by Babak, talking about how that Wiegand data actually gets translated. But when you take something like the Prox or the ESPKeys or something behind that big reader, again, we're getting into antennas now. If you're testing your equipment, if I only need to be this far from Zero, I hit him on the head, that's fine. But if I need to be from me to Iceman, I need something that's going to give me that distance. The tool itself might do the hardware or the work you need, but it may not have that reach that you need. So again, when you're getting into testing, you need to verify your distances. And if you're doing a pen test, or you're trying to steal credentials, or if you're just a really bad guy and you're here to learn how to break into buildings, if you can get onto an elevator and get all the credentials in the elevator, versus walking into the elevator, and I've done this, unfortunately, and walk up to each person: oh, excuse me. Oh, excuse me. Oh, sorry. Let me stand over now. I must stand over here. Okay, now I've hit everybody, but I look like an absolute fool, and it makes you look like, you know, you start to become a little more obvious, versus sitting there with that big reader inside of a backpack or a side satchel, which is the typical tiger team way of doing it, with a satchel, to get that data. Isn't it a fanny pack?
It's a fanny pack. Hey, Babak, come here. So the other person that we were going to bring up on stage for RFID, and I think they went to dinner because, you know, they've been working like 600 hours straight and all this... Is... So the other bro, come on. The other night, and I run of rules... So I'm going to be honest about this, and I said this the other night, and I'll repeat it again. When it comes to RFID work, the world would end if this stage collapsed right now. You've got half of it collapse, right? That half, just from... you're over... You've got the developer of the tool that almost everybody uses and one of the best, you know, operators and instructors in the business on RFID. When you put those two together, this is why we do testing: because we're trying to beat, as the good guy, them from breaking into our shit. If we're the bad guy, or being the adversary, or putting on the hat of being the adversary, we're using, standing on their shoulders to do the shit that we're trying to do. Okay, can I add on? Yeah, go ahead. Yeah, I brought you on stage for a reason. Yeah, so, spoiler, I don't do testing for... I have a philosophy thing that I rant on sometimes, but I'm going to keep it really short. Go ahead and rant. It's okay. This is a two-hour talk. They've got time. In my opinion, DEF CON is not a security conference. This is a hacker conference. We hack because it's fucking fun and it's fucking cool. Like, if we can do it in a way that doesn't harm and creates good, then that's really wonderful. But I don't do it for that. I do it for the hack, right? That's why I really enjoy it. So, I do it because, for the sake of the hack, for the love of the hack. If I can do it in a way that benefits security in a positive way, then that's really wonderful. But I found years ago that if I focused... It's a little white lie that we came up with. That's okay. This is the fifth soapbox of the night. So this is awesome.
It's a little white lie that we came up with to make it easier to talk to other people who don't get us. Like, oh my god, why do you do that stuff? Like, why are you on computers? Why are you picking locks? And just to get them to shut up, you're like, oh, it's for security. We find security problems, and that's why I do it. No, you do it because it's fun. Like, they don't get it. They don't get it, but you do it. You do it because it's fun, right? So that's it. But so I wasn't going to speak for you, but that's pretty much what we were saying all night. I enjoy it because it's fun. I enjoy teaching. I enjoy the process of learning, that, like, that moment where, like, things begin to click in your brain is, like, really, really addictive. So I like to inspire that and create that as much as possible for other people, and that's one of the reasons why we've trained for so many years, is because I like doing that, and if I can get paid to do it, then, like, yay, right? But yeah, that's it. I just, so when it comes to, I don't do this for security. And I'll be... so we'll get back to real then. So when you're breaking shit, and you're doing your testing, what process do you use? The same question I posed Iceman. What process do you use to test that this is better than that? And I make this new hardware, and this is better than that. What am I testing? Breaking into a building, or if I'm testing it? Okay, and so the question is how do I know what type of platform is better? What is your process on testing? Oh, shit, I don't want to buy just because somebody said to buy it. I'm going to buy three or four and test them and see which one works best. Oh, I look for little hallmarks of, like, how something might be designed, right? Like, for example, if I'm comparing, if I'm looking for a box to put stuff in, right? I'm like, man, I need something to carry things around.
I need to buy a box. How do I know? I don't know a lot about boxes. How do I know if one's better than another? I'm going to start. I'm going to grab a box, and I'm going to start looking at it. I'm going to be like, oh, interesting. How do they attach the sides together? Oh, look, they use adhesive. Well, they probably did it this way because it's a little bit cheaper, and this looks kind of sloppy. So, like, they made a box, but they don't care about boxes, right? So now, I don't know everything that went into it, but I have an idea of the design intent, right? But I might look at something else, and I go, like, oh, man, look at this. This edge is rounded, and they, like, did this thing over here. That's so interesting. Like, look at all the extra work they went through on stuff that doesn't matter to anyone else. That tells me that this is a passionate design and engineering team, and there was a lot more thought behind it. And I applied that same basic idea, I don't know what he's looking at, I applied that same basic idea to evaluating things for security. So I don't have to understand how everything is designed. I pick the things that I do understand and that I can compare to other things, and I go, okay, how well did you do this thing? And while it's not a hundred percent, there is generally a correlation. People who care about one part a lot tend to care about all the other parts as well, because you don't make something beautiful and then put it inside something ugly. Like, you want the whole thing to be really holistic and work well together. I don't know if that's a good answer. No, that's great.
That's great. I can explain, because frankly a lot of us buy a lot of stuff because people say, "Hey, go buy this." But if you don't have a methodology or a process, whether it's good or bad, it's your process to test what it is you're trying to fix or test what it is you're trying to break. You're just throwing shit at the wall until it sticks. I would love it if this industry started to actually take on the corporate mindset of... I promise I'm not going to say "corporate mindset"... but of having a way of doing things that repeats, so that you know that you're not wasting your time when you're doing your research. "Oh, this radio sucks. Oh, wait a minute, I'm not using the right driver, the right kernel, or the right tool," versus "Oh, shit, this works really well because I'm doing what I need to do."

I'm gonna give you a for instance. Go ahead. For instance, I was looking recently at a physical token management device, commonly referred to as a key box. I was about to say, can you be a little more English? Yes. Yeah, so I understand. I was looking at a key box and I'm like, okay, how do they set this up? How do I know how much thought and effort went into the overall architecture behind everything, all the guts inside? And I start looking at the instructions, and within the first three pages it's talking about how you need to know how to use telnet, because everything is configured using telnet. And so that for me was kind of a red flag, because telnet as a basis for configuring a security device, is that a good best practice? Is that what you start with? Like, no, thank you, Ross. So the fact that, even before I looked at anything else, they started with that was a red flag to me. I knew that immediately my level of trust for that product had gone down. Right.

I was doing an evaluation for something completely different at another project.
There was a physical locking device that had an electronic element to it, and they were talking about how wonderful and secure it was. They were really, really proud of it, and how it revoked credentials, and how if someone lost the fob, then it would die after a certain amount of time. And we started looking at the communication between this very special fob and, you know, the thing that it talked to (and I have to be vague, unfortunately, I apologize), and immediately it was unencrypted serial with no replay protection.

You sound very security minded right now. I'm not hacker minded. How would you break that? How would you break into that? Let's break into that device that you saw that you thought was really cool. Which device? I don't know, the one with serial and unencrypted reads. And what would you do to break that? Because this is all part of our testing as a security hacker. Oh, wow, we're now security hackers. I just made that up. I would start recording things and playing them back and see what happens. That's it. You just start trying things. Most of the stuff that I do is just seeing what sticks. It's the same stuff that you guys do. There's no special sauce. I can't stress that enough. The whole lot of us are up here and we're clearly a bunch of incompetent jackasses, yet for some reason people look up to us, and the reason is because we decided, "I don't know what to do, I'm just going to start trying shit," and that's literally the entire thing about being a hacker. You can't get distracted by the fact that you have no clue what you're doing. You just need to start grabbing data that you can read and replaying it to see what happens. I didn't hack a security system in my office; I replayed the packets that I captured in the air and made a light blink. I am a monkey.
I am a very easily entertained monkey, and that was fun. It happened to break the security system, but I did it for the blinking light, and that's what's important. You've got to just do it. Just jump in and have fun and learn. Yeah, I wanted to just flick in, you know. Well, you got it. My soapbox is the best soapbox.

Well, I come from the land of Ikea, you know, where assembling things is like one page, 65 pages, and some little pieces of wood, and then a picture saying you're missing something. But it comes down to hacking things in the mindset of solving bugs. So finding a bug is, I can just mention a quick anecdote. Do you know about the MIFARE darkside attack? You know, that one way you find the key for MIFARE Classic cards, yeah, called darkside. Okay, whatever. No, if you know the darkside attack... Anybody know the darkside attack? I will be the interpreter. Yeah, let's try to have... this is your British accent. When most people talk about cracking the MIFARE key, they're actually referring to the darkside attack. It refers to a very specific type of brute forcing. It was the original, oldest attack. It was kind of a big fucking deal when it came out 10 years ago. There is a box of cookies between them, too. Come to the dark side, we have cookies. Yes, we do. And the thing is, on the Proxmark it triggered... you could run that attack. It's in two parts: you have a nonce-collecting part on the device, and then you have an offline brute-force attack on the client. And sometimes there was a problem on the device when you're trying to collect the right nonces and trigger the NACK bug, and it reset the device and triggered the WDT, the watchdog trigger, like all the time. So people were running the attack and it's like... people are gonna... fuck. So, "I can't hack that key."
"I can't crack it and I can't run my scripts," whatever. And so we've hit just about every device type that we're talking about, and we finished each one with: what questions do you guys have? If you have specific questions about this... and I'm cutting it because I'm a little bit worried about your guys' time. I really don't care that much because we can keep this place open all night. But what questions do you have about RFID hacking and testing that, basically, the heads of state can answer for you?

The question is, how easy is it to replicate RFID? Very easy. That is an incomplete answer. Homework and stuff. So RFID really just refers to a couple of things. It refers to the idea of using a very specific physical kind of token that traditionally uses coils for communication as a means of identification. That's it, right? But there are a billion and one ways that you can create such a platform. So the second part of that answer is, it depends on what type of RFID you're talking about and how that system was designed. The most popular one in the world, which is currently referred to as HID Prox, that is extremely easy because of the tools that exist today. But is it one swipe for accessing doors? Right. Yeah, you're asking me about credentials that you use to get through a door, right, but there are many different kinds of those credentials, is what I'm talking about. So I can understand why "how easy is it to clone RFID" sounds like a very simple question, and on its face it is, but it doesn't cover all the different possibilities. If you were to ask me how easy it is to clone a Prox card, I would say very, very easy. But if you were to ask me how easy it is to clone a DESFire EV2 credential, I would say, uh, I don't know of any publicly known defeat. If you have a method for doing so, let me know, because I have some people who will pay you lots and lots of dollars to learn that method.
So you haven't heard about the attack against them yet, have you? It's called a sledgehammer on the window. Oh, yes. Yeah, there you go.

It's another thing: of the major RFID brands, people know about HID or MIFARE. Those are the two largest. But we have a list on the forum, I think it's an Excel sheet, of all the brands and different kinds of tags that are out there in RFID, and that list is about 4,000 items. So we cover about 20 to 30 of them in the Proxmark source code and the client, but there are a lot of different systems out there, and many of them haven't been researched. Many of them, nobody has been looking into. That's why the future is, well, ultra-high-frequency cards and tags, because there's no really genuinely interesting research going on into it, because there's no tool for it. And that's something to look forward to. The future of hacking is people like you listening to this and going, "Oh yeah, so nobody did this yet. Interesting."

Was there one more question? We're going to take one more RFID question and then we're going to move on. All right. And I'm only moving on because I know the Encore guys are, I think, falling asleep, because they've been here longer than they should be. Yeah, good. Repeat the question. The question was, if I want to learn more about RFID when I go home, what's a good place to start? I'll tell you where I started. I don't know if it's the best place, but it's a place. I started at the Proxmark forums. Me too. Like many hacker forums, the signal-to-noise ratio is less than ideal, but if you are willing to put in the hours and the time, the information is there. Your two best friends are the forums and eBay. So if you're like, "Cool, I don't know what that post is talking about, this Prox or Indala reader, I've never seen that, how... it looks easy."
"I wonder if it's easy." You know how you can do it without screwing with a real building? You go on eBay, you type in "Indala," and you start buying some stuff. It'll take some time and a few more dollars, but you will get there. That's how most of us started. It will take a little bit longer, but that's your best shot.

Hey, real quick, let me jump in here. At this point we're going to cut the recording, but because we run the village we can keep it open as late as we want, and we'll just ask the goons to be really kind to us and not lock the doors yet. We're going to cut the recording. We're not leaving. We'll answer a billion questions. We're still going to talk about ham and Zigbee and a couple other things. If you want to stay, awesome; if you want to go, feel free as well. We're going to keep going, but we're going to cut the recording at this point. So if you want to take notes, take better notes. Is that cool? All right. Thank you. Any more questions?

Well, guys, you all have access control somewhere. Some of you have questions about something. Maybe they know, they might not. Maybe they don't have the right tools. I have a question. If I was trying to set up an access control system that made sense for my organization, what would I do to test it against what could possibly happen? That's a good question. I know, I came up with it. You just made it up, did you? Yeah, all right, you've done this before. Let's see, the question was... I just said the question. Set up. We're good. Okay. Yeah, all right. You think, and I'll start doing some talking. How do you feel about this? Is this good? They're Argentinian cookies. They're really good. They're alfajores. They're really good.

So the testing piece is a difficult one. It's one that everyone is curious about. Well, the first thing is, how much do you understand about how that system is designed, right? So one of the things that we... it's good, right?
One of the things that we teach is how every component works and how they're all connected. That's one of the things that I'm going to be talking about tomorrow, so this will be an easier question to answer tomorrow if you come to my talk at 4 p.m. I'm going to give you a very abridged but, I feel, somewhat comprehensive overview of how a modern access control system is designed and installed. But the short answer is, you're going to take a look at every link in the chain. From the point that you have your card: you start with the card and say, okay, what kind of credential is that? What is the means of communication and authentication to the reader? Once the reader gets that information, what happens? Does the reader send it in the clear? Does it send it encrypted? Where does it go? Okay, it goes to this little door controller. That's what you see, the blinky green board in the middle of the bright red readers for the CTF. That's called a door controller. You're going to learn about that tomorrow. The door controller is an embedded Linux computer, usually one that's really, really out of date, because no one ever updates their firmware. So then my question is, how well is that door controller segmented from other parts of the network? Have they done something stupid like put it directly on the internet? Yes, that happens. Yes, you could Google for door controllers that are on the internet directly. Shodan, my friends, Shodan. You can find door controllers online today that you can log into with admin/admin. And then, you know, that door controller has to be connected to a database of users, right? Your users live in a SQL database of some kind. So then, how is that database secured? Has anyone changed the database credentials? Is that database on its own segment? All of these things are really, really important, and it's a more complex...
It's a more complex issue to look at.

So let me just roll back real quick, because I was listening to Babak's process, and Babak has been doing this probably about as long as I have. He just described a process of how he would test that. What is different about testing door controller to connection to server to outbound connection to internet connection? Sounds a lot like network pen testing, doesn't it? Sounds a lot like web app pen testing. Sounds a lot like RF pen testing. Everything we do is a process. So if we're a bad guy and we want to break into shit, we're going to go through and say, "Huh, the front door is locked. Let's look at the side door. Side door is locked, that sucks. Let's look at a window. Huh, window's open. Let's go through the window." We'll go in the window, we'll unlock the front door, take that front door. Now, oh, well, we got the car keys, we've got the garage keys, now we've got all the keys. It's exactly the same. The media that we are going after, whether it's Prox... does anybody here build Proxmarks? Hey guys, okay, now if the room explodes we're done. But it's the exact same process and the exact same testing methodology. And I hate using big words that have a whole lot of syllables at a hacker con, and I don't have blue hair, and most of it's starting to go away, but we do the same shit whether it's RFID, Zigbee, Z-Wave, SDR, Wi-Fi, Bluetooth or ham. We're looking for that side window that's open that we can break into and come back through and attack. Did I say anything wrong? I kind of tuned out a little bit. Oh, so did I. But it generally sounded correct. I mean, regardless of what you do, test your shit and make sure it works. If you don't test your shit and make sure it works, you're an amateur throwing data bits at a problem. If you're a professional, you may or may not have gotten paid to do this.
I hope you're getting paid if you're a pro, but you're throwing shit at a block in sequential order, waiting for an answer to come back, and answering every one of those negative stimuli with something that's meaningful to that network. The negative stimulus is what makes you better.

Hey, Woody, come here. So Woody has a different, non-IT background. Am I wrong so far? Woody is a redneck hacker that does some really cool shit. And I'm not, like, pimping out talks, but Woody's the dude that took over all the Fords from like 2012 till now and is giving a talk tomorrow on how Fords get taken over and all the key codes get rolled and a whole bunch of other shit that he's going to discuss in depth. But Woody finds this shit by going, "Huh? That's different. Huh, that doesn't work that way. Let me try this. Oh, that failed. Shit." Am I wrong? Is that pretty close to your process? Pretty much. And I just try to use simple tools that make it easy and fast, so if it doesn't work, I know, and then I move forward.

So I guess what we're all boiling down to is, you know, this started off as a gear talk. We've got a bunch of other shit to cover if we want to, but every single one of us, whether it's classically trained CS, computer science, security people, versus people that literally came out of a completely other world, like a medic, and became a fucking published hacker, doing shit that breaks every major device. It's like 10,000... 10 million devices right now. How many did you break? There are quite a few right now. It's millions, right? Lots of millions. Ford's pretty big. We're not being recorded anymore. Two things don't help till now.
So yeah, so every Ford I can lock, unlock, denial-of-service the key fob, and then I can get in, plug in and pull the door access code. So that being said, hacking is not hard. Hacking does require some sort of process that you can repeat, that you can make do what you want it to do. This was a gear talk. So just one thing I wanted to say with that. Go ahead, Woody. Here, we'll say it again. Because I wasn't formally or traditionally trained, I have friends that are really amazing who teach me how to do stuff, and when I find new stuff, I've been like, "Hey, look what I found," and they're like, "Why would you even run down that road?" So one of the things is this: I found my first zero-day because someone said, "Oh yeah, that attack doesn't work against that kind of equipment." So I was like, well, I should probably figure out what "not working" looks like, because I have no idea, and all of a sudden it did work, and they were like, "Wow, it's not supposed to." So because I'm not formally trained, I try stuff that most guys would be like, "I'm not going to waste my time looking at that." You'd be amazed how many people use that as a security platform to put those flaws in the system.

But all of it comes back to doing something that's repeatable. I don't give a shit if you're the 500-pound dude in your mother's basement that never sees the light of day that types on computers. Anybody saw the tweets like two years ago? That was the big joke. 400 pounds. 400 pounds, okay. 400-pound hackers. We're all getting there eventually, but, you know, hopefully we can cut it to, like, half of that. To try to close it out with something gear related, just by the way. Yes? Your iWatch that's connected, not to your phone? Maybe no, we'll check that tomorrow. We'll check that tomorrow. Um, is there a device that someone has in their mind right now that they saw either on a building or online somewhere where they're like, "Huh, that looks really interesting. I wonder how hard it is to hack that"? Okay.
Well, what are you thinking of in your head? I'm sorry? For emergencies. So the emergency sirens that make everybody leave a building very quickly if they go off. Okay. Yes. Yes. No. Yeah, so emergency sirens. All right, so that's actually a pretty cool example. They're serial. So my question is, okay, I wonder how hard it would be to mess with that emergency siren. So the first thing I do is, I would identify manufacturers who make emergency sirens, and I would start reading product pages. Would you find maybe the physical rooms that they might hold? What's that? Would you find the rooms that those devices might be in, like something that says electrical, data, or facilities closet? Uh, yes, but I'm talking about, like, I just want to learn more, right? Are we learning more? Are we hacking? Well, we're getting to the hacking. I'll let you go. Go ahead. They're connected, right? So I would identify who makes them. Then I would say, okay, how much information can I find about them? Do they post wiring diagrams? Do they post information about how this device communicates with other things? Are there any part numbers that I can look up and buy used on eBay? Can I buy a sample from the manufacturer? And then I would just start playing with it and trying to set it up the same way that a building would have it set up, and then I would start breaking it or messing with it. And that's true for anything, you know. The same thing for RFID: when I started with RFID, I just started buying stuff and trying to get it set up the same way that a manufacturer would have it set up, or a company would have it set up, and then I'd start looking for things that don't make sense to me, things that I can try to manipulate or that have weaknesses in them. So that's really what it comes down to.