All right, without further ado, a man who needs no introduction.

Hello everyone. How is everybody doing? Come on, DEF CON. Hey, my name is Guillermo. I'm 22. It's my first time at DEF CON, first time speaking to so many people. So, I think the Irish are going to be good for this. So, today I'm going to talk to you about Wi-Fi hacking. I have a bachelor's degree from the University of Chile. I'm Chilean, by the way. I'm one year away from getting my master's. So, I'll talk a little bit about me. I'm into scrapers or crawlers. I don't know if you guys know them. Yep. I really like automating things, like things you shouldn't do manually; you should tell the PC or the machine to do it again and again. So, I helped create the genealogy tree for Chile, the biggest genealogy tree in Chile. I did HTR, handwritten text recognition, research in Guatemala last year. So, I'm into AI as well, as most of you guys are. And I went to DEF CON China in June, this last DEF CON in China, the first one. We did a workshop. In my second internship, I did Wi-Fi hacking. So, that's what we presented at DEF CON China. And this is going to be the same workshop, just as a talk. So, I don't know if you guys saw, the slides are going to be at that link. The slides are really similar to the workshop ones. So, if you want to take a look, they're going to be at the second link over there. There's going to be some code for everything we're going to talk about. Yep. You got your pictures.

All right. So, Wi-Fi. Who here knows Wi-Fi? Everybody knows Wi-Fi, right? So, what is it? What is Wi-Fi? Wi-Fi is radio frequency. What does it do, though? So, the idea of Wi-Fi is communicating. You have an ISP that connects to the World Wide Web, and you have a router that gives you the communication between the web and your machines or cell phones. So, I'm going to talk about a little brief history of Wi-Fi. So, in '97, the IEEE LAN protocol... I'm sorry, man. I'm so sorry.
The IEEE LAN protocols were defined. And at first, they only supported two megabyte links. So, that wasn't good enough for Wi-Fi. That was 802.11a. And then, in the year '99, 802.11b came around, and it was like 10, 15, 20 megabytes per link. So, that was good for Wi-Fi. So, that's when WEP came in, '99. Two years later, WEP got exploited. So, WEP is so bad. In 2003, WPA came across. And in 2006, WPS. We're going to talk a little bit about WPS. In 2011, we got WPS vulnerable. So, does anybody here know WPS? Yeah. There you go. In 2017, we got WPA2 cracked. And in 2018, we got WPA3. And one year later, it's already got five vulnerabilities. So, it's not going to be implemented, I think. Yeah. Thanks for nothing.

So, what are the attacks I'm going to talk to you about today? We're going to attack WPS. We're going to attack WEP. And WPA2. We're going to talk about man in the middle: how can we do that, and how effective is it? Denial of service, just one slide. And DNS hijacking.

So, WPS. Well, what is it? First of all, WPS was implemented for the non-geeky people to connect to the Wi-Fi really easily and quickly. And, yeah, it has a single hard-coded value. So, only one value; it doesn't change unless you change it manually. In 2011, it was cracked. Brute force attack. So, you can spoof all the traffic on WPS. So, WPS has eight numbers. And those eight numbers give you ten to the eighth combinations. So, that's a really big key space. I mean, you look at that number, you say, wow, how can WPS be vulnerable? But the last digit is a checksum. So, that's one less: ten to the seventh. And the first four digits are going to do a checksum. And then the next three digits are going to do a different checksum. So, you actually get ten to the four plus ten to the three. You only get a key space of 11,000. So, from that million key space, you only get 10,000. So, that's why it's vulnerable. So, I'm going to go over the commands really quickly.
First, you're going to want to put your... monitor mode... what's it called, Wi-Fi antenna? Somebody? The Alfa? Nobody? What's it called? What's the term for your antenna? What's that? No, no, no, just the device. What do you call it? Adapter, yeah, I was looking for that. So, you put your adapter in monitor mode and you can use the wash command to look at all the WPS around you. And then you're going to brute force it with Reaver. That's how I did it. That's how I'm going to show you today. So, that simple command is going to brute force it. You don't have to do anything at all. You just reaver it and it's going to crack. And with the fourth command you can authenticate to the Wi-Fi using the PIN.

So, I'm going to show you. I know you can't see that well, but okay. So, first you put your interface in monitor mode, then what you'll do is check it's in monitor mode. Then you use wash to check all the WPS around you. You're going to see all of them showing up. So, you're going to pick your target and we're going to attack it. Yeah, we chose WPS. We get the MAC address and the interface and we start reavering it. I don't know if that's a thing, start reavering it. So, what you can see right there is it's going to start using PINs, like random PINs, and it's going to try to authenticate. I can't, sorry. I tried. So, you can see right there it's like M1, M2, M3, and M4. So, it's going to go through a process. Like it's going to try PIN 111111 and it's going to go through the packages and it's going to be like, ah, this is not the PIN. Okay, next PIN. And Reaver is going to brute force it with the 11,000 key space combinations. So, yeah, that's WPS. Really easy to crack. First, if you're trying to hack Wi-Fi, that's the first thing you're going to have to try. Like, you see WPS. Okay, let's attack it. So, WPS has three versions: zero, no version, one, and two. I was only successful with version zero, with the no version. Why?
Because the routers were so old they didn't lock after trying a lot of PINs. So, you can attack it and it won't lock. Versions one and two, after several failed attempts, they'll get locked. So, the solution there is going to be either the owner of the router has to reset it and, I'm sorry, it's not going to be that fast, because if you're going to start attacking, I don't know, 10 PINs, he's going to restart the router, and 10 PINs, you're never going to get to the 11,000, you know. So, that's a slow solution. So, there's the Pixie Dust script. I wasn't successful running it, but I've read a lot about people being successful running Pixie Dust. So, the way to solve the locks is using Pixie Dust. Yeah, so you have to be really close to the AP, to the access point, to crack WPS. If you're too far away, you just won't get it. And there's a list of 175 devices that are vulnerable through WPS. So, if you got the link from the presentation, you can access that link.

So, now that we got WPS out of the way, we're going to start talking about encryption methods. And so, I have a question for you guys. Why do we need encryption? Like, all right, so the first reason is that when you send data over the internet, you have no power over the data. So, once you send it, anybody can take that packet, anybody can do anything with that data. So, as users, we do not want to have our data out in the wild. So, encryption methods. First, in '99, it was WEP. Then WPA, WPA2, and WPA3. So, we're going to talk about all of them, maybe not a lot about WPA3. So, WEP. Has anybody used WEP here? Yep, ha, since how long? Yeah, a while back. So, you're not going to be using WEP if you are here at DEF CON, you know. But you can still find WEP in the wild.
So, I don't know why people are not up to date, but they should really stop using WEP. So, WEP has 64 and 128 bit key sizes. It uses the stream cipher RC4 for ciphering, which is actually a pretty good cipher method, but the vulnerability is not going to be the ciphering. The key is static and is entered manually. So, if you're using WEP, you're going to have to type in or randomly generate the key and it's going to stay the same all around. So, in 2001 it was compromised and it is very easy to crack. To crack it, you're going to have to have some traffic through the network, and I'm going to explain to you why. Yeah.

So, why is WEP vulnerable? So, the packets are encrypted by the pre-shared key. So, when you enter the password of the WEP, that key is going to be used all throughout the packets. So, every packet I send to the internet is going to be encrypted by the same key. So, if you intercept, let's say, 10,000 packets, you're going to be able to decipher the password. Just, mathematicians are so cool to do this. I don't know how it works behind the scenes, but if it works, don't break it. So, the vulnerable thing here is that IVs are going to be repeated. An IV is an initialization vector. Once you send the packet, the encryption takes an IV, and since IVs are not infinite, we are going to have like an overflow and you're going to have repeated IVs. So, with 24 bits, you're going to have that 16 million amount of IVs. So, once you start sending data through the network, once you reach over the 16,700,000, it's going to go back to one and it's going to reutilize the same IV used for a packet I sent a while ago. So, I can compare both IVs, and mathematicians are cool, so it works. You can run all of the IVs in about five hours.
If you're patient, you can get a WEP cracked in five hours. Usually it's not that long. It usually takes about half an hour and some commands. So, once again, you're going to put your interface in monitor mode. Then you're going to look for the target with airodump. All of you guys know the tools I'm using, right? Like you've been to the village. After you search for your target, we are going to start doing a specific scan on that same target using the BSSID, like the MAC address, and the channel that AP is on. And in another terminal, we're going to start deauthenticating him. Why do we need to deauthenticate the user or the clients? Because when the client connects to the network, it's going to go through the IVs and it's going to send packets to the network. And it's going to be like, hey, I'm the one, I'm the user for this AP. And IVs get generated, and then, since you are watching with the number three step, the airodump, you're going to start getting all those packets. So it's very important for you to keep those packets saved somewhere. So then you can crack it with aircrack. Usually if you have about 10,000 packets, which is maybe 10 minutes of listening in to the Wi-Fi, you can crack it.

So, first we're going to put our interface in... okay, skip that step. So I went directly to the AP I wanted to crack. Right now we are watching for the AP. We can see we have a client connected back there. It's a station. So, I know you can't see that well, but here in the data column... I can't see it. I can't see either. In the data column you're going to start generating packets. And those are the important packets. So once you get a lot of packets, you're going to start cracking it.
You can see that this station right here is generating a lot of packets because it's maybe downloading something from the web or streaming, I don't know. Oh. Oh, I'm sorry. I can't go forward. But I wanted you guys to see how it got the password, like after you aircrack it. Yeah, we're going to stay here for a minute. Okay. Right? So there you can see I got a lot of packets in the data column. So when I decide to say, it's enough packets, aircrack it, I'll just go ahead and do it. You can start running on a second terminal the aircrack command. And it's going to go... so the first aircrack is going to ask for 5,000 IVs. If it doesn't get it, it's going to wait until you get 10,000. So you can have this in a parallel terminal, running the aircrack command. And when it detects it's 5,000, it's going to go aircrack it. And when it's 10,000, it's going to try again. So there you just saw, it was really, really, really fast. Like I ran the command and it just instantly cracked it. I think I had about 20,000 packets in my cap files. So that's a pretty good number. About 10,000 is a good number for starting to crack it. So, WEP. What's the conclusion about WEP? Do not use WEP. It's really easy to crack. The encryption... so all your traffic is going to be unencrypted if you get the password. Yeah.

So we're going to go into WPA. WPA has two types of ciphering. It's got TKIP and PSK, also known as AES. It's got 128 and 256 bit key phrases. And the difference between them: TKIP is going to go packet to packet, doing... it's going to create dynamically, what's it called? It's a pre-shared key. It's a PSK. It's going to create it dynamically for every packet you're going to encrypt. And AES is a stronger ciphering method. If you want to crack AES, it's going to take you millions of years.
So it's a really strong ciphering method. And it was adopted by the US government in about 2006. So WPA and WPA2 are really similar to each other. The only thing that changes is that it's going to always use AES. It's not going to let it use TKIP. So the problem with WPA is that TKIP is really similar to the RC4 stream ciphering we saw in WEP. And that is not going to be good, since WEP is cracked. So WPA TKIP is going to be really similar to WEP. So it's as vulnerable as WEP. So AES is the best ciphering method. It's the most safe.

And, well, how can you create the PSK, the pre-shared key? You take a passphrase and it's going to go through a function. I don't remember the name of the function. The function is called a password-based key derivation function. Which creates a value, or it creates a key. Yeah. That's what it does, that function. So once you get the passphrase through that function, you are going to get the PSK. Once you get the PSK, you're going to generate the PMK, which is going to be the... I can't remember what it stands for. I can't remember the PMK. Pairwise master key. There it is. So once you get the pairwise master key, you're going to combine it with a value, actually two values: the MAC address of the AP and the MAC address of the client. So you're going to combine the pre-shared key, the pairwise master key, with all these four values, and you're going to get the master key. Okay. That looks very bad. But, okay, so you can see how the client and the router are going to be communicating.
First, the router is going to send an ANonce, which is the first value that the client is going to use to create the PMK. So once the AP sends that, the client is going to send back the PMK. Once that is sent, the router is going to say, oh, okay, so you're okay until this point, and it's going to send back another packet. Yeah, so you can see it's a four-way handshake. Everybody knows what the four-way handshake is, right? Yep. We're going to go over it a little bit. So what's the vulnerability here in WPA? The thing is that, okay, so the pairwise master key is composed of four different sections, and the algorithm only checks the KCK part of the PTK. Why does it do that? Because the chances of getting a KCK correct... the probability of getting a correct KCK with the PTK correct is nearly zero. It's one over three... ten to the 38, yes, zero. So the algorithm is only going to check the KCK part. So why do we need to know that? So the way to crack it is analyzing the four-way handshake. Once you understand the four-way handshake, you know what to look for. So in the first step... I already explained this, so I'm going to go fast. Yeah, so finally in the fourth step of the four-way handshake, the AP is going to tell the client, hey, your numbers match, my numbers match, you're a good host coming inside my network.

So for a little bit of commands: first you're going to put your interface in monitor mode, as always. You're going to look for the target with airodump and specify the target with airodump, and specify the channel and the BSSID. And in another terminal, you're going to want to deauthenticate the clients. So in this step, you need to have clients inside the network. Why?
Because if you have no clients, then you can't listen to the four-way handshake. We're trying to capture the four-way handshake. So once we start deauthenticating them, the client is going to want to authenticate back to the network. So that's when we get the WPA handshake. And once we get the handshake, we can run aircrack as well with a wordlist. So, dictionary attack. Why is this useful? Because there are a lot of dictionaries out there on the web. And nowadays we have the cloud. So we can run a whole lot of passwords to crack the Wi-Fi password. So, here you can see the WPA handshake signed right there. We can see that there are two clients connected to the network. And once I started deauthenticating them, I'm going to get that message up there. And that's all you need. That's the gold mine. So if you do not get the handshake, you're going to want to deauthenticate once again. And repeat until you do get the message.

So now we're going to see how to crack WPA and WPA2. The way to crack WPA and WPA2 is actually the same method. So I'm not going to make a difference between them. So we do the monitor mode interface. We're going to start looking for our target now. So once we get our target, we're going to specify it in airodump with the channel and the BSSID. Yeah, getting the MAC. It's important. And so we can see right here that we got a client connected. If we did not have that client, we just could not crack it. So in another terminal, I'm going to start deauthenticating the client. We can see that the power column is going to go jumping between zero and a negative number. That means that it's being interrupted. So the client is going to be kicked off of the network, and the client is going to try to get back into the network automatically.
So that's when we get the WPA handshake. So what we did in China a month ago, two months ago, is we created a password dictionary with crunch. Just created a whole dictionary with passwords, number based. So the people attending the workshop could actually get to crack it. We made it so that they could crack it in about five, ten minutes. So you can crack it with aircrack and a dictionary.

So now I'm going to start talking about the cloud. There's this site called GPUHASH.me. And you can send the cap files to that site so that it can start cracking it on their site, in the cloud. So what it does is, basically, you have a basic search. GPUHASH.me is going to start doing... well, the basic search only takes eight digits, base. And it's going to use a reduced wordlist spectrum. So once you send the cap file, it's no charge. And you get a message like, hey, we found your password. You want to pay five dollars for it? And usually I say no. Because if it cracked it, then I can crack it with my own dictionaries. So that's what we did in the workshops, or when we were trying to hack some Wi-Fis. We actually sent it to GPUHASH.me. And once it said it got it, we just started cracking on my computer. You also have an advanced WPA search, which takes a lot better and more wordlists. You have to pay in advance about twenty seven dollars. So if you do not get the password or the password is not crackable, you do not get a refund. Once it finds the password, it's free. You already paid twenty seven dollars for it. And there's a pro search. Yeah, it just uses a whole lot of spectrum. It's going to be about fifty four dollars. So some of the cons about cracking in the cloud... I think the cons are basically, when you try to hack Wi-Fi, that it's really slow.
Like when I got into Wi-Fi hacking, I had high expectations, because I thought I was going to start cracking Wi-Fis and I'm going to be like that cool kid that gets the whole neighborhood's passwords. And it wasn't like that. It took a lot of time and practice to actually know what you're doing. So you can optimize it. Like I talked to you about crawlers and scrapers, I like automation. So I had some scripts in the presentation from DEF CON. There's some scripts for you guys to run that take the whole spectrum of Wi-Fis and start attacking all of them. So we got GPUHASH.me in the cloud, and we tried to do it ourselves. So we got an Amazon Web Services server and we had 16 NVIDIA K80 GPUs. It was about less than a dollar per GPU an hour. So if you can actually crack the password in under an hour, it's going to be less than a dollar. So the cons for doing this dictionary-based attack are that you actually need dictionaries. That's kind of like a semi-con, because there are a lot of dictionaries out there and really good dictionaries. Another con was that the configuration of the environment in Amazon Web Services was actually quite complicated. It was not like, just go do it. So we spent a lot of time doing that. As well as... so I told you it was a slow process, and in Amazon Web Services we did not get really good performance. Like we had 16 GPUs and it only cracked 16,000 passwords a second, which sounds like a lot, but you're using 16 GPUs. If you are trying to do like a dictionary with five billion passwords, it's going to take a lot of time. So actually, like I told you before, once we sent the cap file to GPUHASH.me and we got the check, like, hey, we found your password, we actually started using my Surface Book 2, and it was really, really, really fast.
It got really hot, so you can see why it's ventilating. So I told you about Amazon Web Services. It cracked about 60,000 passwords a second. The Surface Book 2 cracked at 100,000. So, and with one GPU. I think we were doing something wrong in AWS, but we couldn't figure it out.

And so now I'm going to start talking about client attacks. So what I just talked to you about was infrastructure, encryption methods. Now we're going to start attacking the client. So the first attack is called the Caffe Latte attack. I don't know why it's called like that, but it's a WEP attack. So, you actually do not need the AP to be nearby. You only need the client. So what you do in this attack is that you are going to simulate that the AP is near the client. So the client is going to start connecting to you. Once the client starts connecting to you, you're going to get the same passphrase from the client. So you can actually crack the WEP passphrase that way. The Caffe Latte attack is actually really simple to employ, to do to somebody if they are using a WEP AP, which, please do not use them. Yeah, so it's really easy to execute. Yeah, it's very important for you guys to have them in not-associated mode. You can see down there in the stations, they're not associated. So they are good clients. If they are associated, we're going to have to kick them off the network and start doing the attack. So for the Caffe Latte, I told you, you are supposed to create your own AP. You do that with airbase and with the command, dash N dash W, that's going to start the Caffe Latte. You actually run that command, and once the client starts connecting to you, the Caffe Latte attack is going to execute on its own. You don't have to do anything at all. And you're going to have to collect the packets as well, as we did in the WEP cracking.
And there's another variation of the Caffe Latte; it's called Hirte. What it does is it fragments all the packets. So when you have a big packet sent through the network, what this does is partition the big packet into really small packets so you can get more traffic. Why do we need more traffic? Because we need the IVs to overflow. So that's it with WEP client attacks.

So now, the Evil Twin. I think this is my favorite attack, the Evil Twin, the man in the middle. Why is it my favorite attack? Because, well, if you're the man in the middle, you are getting all the traffic from the person you want, or the company. So I think that's really powerful. Once you crack the password, you can decrypt the messages unless it's HTTPS encrypted. But, so, how does it work? We see that we got an ISP and Dracarys. Dracarys is actually a real name for an AP. We saw it walking around the streets, we saw Dracarys down there. So we said, huh, we need to hack them. So basically the man in the middle is that all those machines are connected to Dracarys, and our evil man down there is going to create an identical AP, with the same name, same ESSID and same BSSID. And what he's going to do, he's going to kick them out of the network. He's going to denial-of-service the real AP. And all those clients that are trying to reconnect to the AP are going to connect to the fake one. So it's actually quite easy to execute as well. You just put up the fake AP, kick the clients off, and the clients are going to come to you. So there's this thing about competing with the legitimate AP. You have to have the same signal strength or power as the original AP. If you have less signal power, the clients are not going to connect to you. So the steps for doing the man in the middle are: you bring up the fake AP.
I'm sorry, you have an AP, you connect clients to it. If you're doing this at home and not in the wild, you bring up the AP, the original, you connect some clients to it, and then bring up the fake AP. Then you deauth them and the clients are going to connect to the fake AP. And that's what I told you right now. So, yeah. Some commands. We already saw how to create a fake AP with airbase. This creates the at0 interface, and you're going to have to do a little bit of configuration, port forwarding, so you can actually give them internet access. If you do not do this configuration, then the client that connects to the fake AP is not going to be able to surf the net. So that's how you create the bridge. You bridge your at0 with the fake AP's created at0. You give them an IP and, I think I deleted some configurations. So if you want to know specific configurations, check out the DEF CON China link. So once you ping that IP, you know that you're having internet through the machine. And more configurations. So, yeah, I'm repeating myself.

So what we want to do is, okay, so we got our fake AP and we got the client connected to us. Now we want to start sniffing the packets, and we're going to do that with Wireshark. We're going to put Wireshark on at0, which is the fake AP interface. And once you do that, you can start sniffing all the packets. In the terminal for airbase, it's going to say, okay, the fake AP is up, and it's going to start sending messages for when people try to connect to your network, to your AP. Okay, so airbase is actually pretty cool because you can tell it which kind of network I want to simulate. For example, if I want an open network, I just do airbase with no parameters. If I want a WEP fake AP, I just put the dash W.
And with WPA, with different types of WPA, we're going to start adding parameters to get the fake AP to behave like what you're trying to do.

So, we already talked about denial of service throughout. When we were kicking the clients off the networks for them to connect to us, we were actually denying their service. And the only way I know how to do DoS is with aireplay. So aireplay is actually a pretty cool command as well. You can tell it to do like an infinite loop of DoSing with the dash 0. You can do dash 0 and the next number; you see it's dash 0, 0. If I go dash 0, 10, it's going to send 10 DoS packets. If I go dash 0, 0, it's going to go forever. So if you have your machine turned on with dash 0, 0, she's not going to be able to connect to the network. All right, that was denial of service. Told you it was one slide.

So, DNS hijacking. We actually did not go in depth about this, but we got some pretty cool DNS results. Like, I'm not supposed to say, but we got all my neighbors, and we started getting into the router, and we put... yeah, you can't see it very well. You go to the router home page and to the configurations, you can go to the DNS and you can write down the IP you want of another DNS server. So, DNS hijacking is very useful for doing spear phishing. Like, if you are able to hack into someone's Wi-Fi, get into the router and change the DNS, you can actually get everything from the people connecting there. Why? Because you're going to start looking like, ah, he goes to Banco de Chile. He goes to Banco de Santiago. He goes to these pages. He goes there. So, when you know which pages your client is visiting, you can actually create phishing. Like, ah, he goes to Banco de Chile.
Okay, I'm going to create a fake Banco de Chile site and redirect the original... you're going to redirect them to your fake website. So you can get credentials from whatever website you want. I think I didn't include the script, but you can actually optimize it by trying to crack the default passwords. There are some dictionaries that have the default passwords for the different brands of APs. For example, for Linksys, there's like username-password defaults, and you can go through it really quick. So if your target is not really a Wi-Fi geek and he didn't change the passwords, you're practically in. And there's the link for how to DNS poison. Like, it's a Spanish link, so if you want to translate it, that'll be cool.

Okay, so restaurants, coffee shops. The typical setup of a coffee shop or a restaurant is that you practically have Wi-Fi, and maybe you have some machines connected to it, and then you have some printers. You are going to have some customers eating there that are going to ask for the Wi-Fi. So what this guy can do is, he can do a man in the middle in the whole restaurant. For example, if he asks for the password, he is already in the network; he doesn't have to do much work to get anything from the people. You can actually get into the printers quite easily and start printing the crap out of them, if you want to. So that's when I came to DEF CON, I was really worried about being hacked here, and worried about the Wi-Fis. And I see that problem a lot in restaurants. Like, I am really looking out for anything suspicious. Like, if I'm in Starbucks, for example, I look for suspicious people trying to do something. Like my nature, I don't know.

Okay, so that was all about Wi-Fi. I just wanted to show you something we got into on our way. It's a fake AP flood.
So what this command you're looking right now is, uh, what it does is, it's gonna create, uh, a whole bunch of, uh, fake AP's with, uh, really random, um, names. Like those. So if you guys can, uh, watch on your cell phones right now, I'm gonna start doing the attack or the flood. Not working. Alright. So if you, uh, watch right now, you can see, uh, that you're looking at, uh, really weird named, uh, wifi's. If you can see them, raise your hand. I, yeah, okay. So what happened in my machine right here? Like there's a lot of wifi going around and my PC, my machine like, uh, freezes. So there's, uh, the same, uh, proof of concept. Like if, how can you do like, uh, crash, uh, device by sending so many, uh, wifi's. We did not go, uh, in depth, but I, I think it's, uh, uh, interesting to, to look for. Like if you want to mess with somebody, uh, do a crazy AP flood and his, uh, cell phone freezes. So, uh, some of the devices, uh, we used, uh, you can see here the pineapple, the wifi pineapple, uh, you all know hack five, right? So the pineapple, what it does is it automizes all the attacks I just talked about and it does it fantastic and it's really easy to, to use. Like if you want to, uh, get men in the middle, you just tell it to do it and it does it. The, so this adapter, it says it has three kilometer range, which, uh, do not believe that. It's actually pretty good for the cost. It's 34 bucks in the Amazon and it's actually pretty good adapter. The next one right here is $220 in Amazon. It says it has five, uh, kilometers, uh, range. I wouldn't trust that, but, uh, my friend has it and it's not that good. And that one, we got a crazy, uh, I think that one can go up about five kilometers, uh, on open, like no buildings in the middle. So that's a crazy adapter right there. So to finalize this talk, uh, I just want to say, uh, wifi is really weak. 
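The deauthentication flood (aireplay-ng -0 0) and the fake AP flood the speaker demonstrates both leave an obvious signature in monitor-mode captures. The following is an added example, not code from the talk, that flags both patterns from a list of management-frame records; the frame records, MAC addresses and thresholds are constructed for illustration.

```python
"""Added example (not from the talk): flag a deauth flood and a beacon/fake-AP
flood from captured 802.11 management-frame records. The records below are
constructed; a real deployment would parse them from a monitor-mode pcap."""
from collections import defaultdict

# Each record: (timestamp_seconds, frame_subtype, source_mac, dest_mac, ssid)
# Constructed sample: 40 broadcast deauths in 0.4 s, then 25 random SSIDs.
SAMPLE_FRAMES = (
    [(i * 0.01, "deauth", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff", None)
     for i in range(40)]
    + [(0.5 + i * 0.02, "beacon", "02:00:00:00:%02x:00" % i,
        "ff:ff:ff:ff:ff:ff", "SSID-%04d" % i) for i in range(25)]
    + [(1.0, "beacon", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff", "HomeNet")]
)

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Return {source_mac: total_deauths} for every sender that emits at
    least `threshold` deauth frames inside any `window`-second span.
    A legitimate AP rarely sends more than a handful per minute."""
    per_src = defaultdict(list)
    for ts, subtype, src, _dst, _ssid in frames:
        if subtype == "deauth":
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start = 0                      # left edge of the sliding window
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged

def detect_beacon_flood(frames, window=2.0, threshold=20):
    """True when at least `threshold` distinct (BSSID, SSID) pairs beacon
    within `window` seconds: far more new networks than real APs appear."""
    seen = sorted((ts, (src, ssid)) for ts, subtype, src, _dst, ssid in frames
                  if subtype == "beacon")
    start = 0
    for end in range(len(seen)):
        while seen[end][0] - seen[start][0] > window:
            start += 1
        if len({pair for _, pair in seen[start:end + 1]}) >= threshold:
            return True
    return False
```

Tune the windows and thresholds to the baseline of your own environment; a busy campus legitimately shows more distinct SSIDs than a home network.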
Like, they have these strong methods for encryption and ciphering, but there are a lot of ways to get around them; if you want to attack a target, there are a lot of ways you can do it. Even though Wi-Fi says it's safe, it is not. And people do not know that. Even WPA3 is vulnerable. So I don't know, how can we make it safer? I always ask myself that question. I just don't know how to solve it. I think people smarter than me are trying to solve it and they're not getting there either. So Wi-Fi is everywhere. Everywhere you go, you're gonna find Wi-Fi. And I think Wi-Fi in general is a pretty cool research subject because everywhere you go you're gonna find it and everyone uses it. So WEP: after getting to know WEP, I was like, why would people use WEP? So we were in my boss's office with the adapter and we saw a WEP network pop up and then it went away. So we started looking for that WEP network because we really wanted to do the hands-on, not just in the office. So we went outside to look for it. We went to, I think it was a gas station. And we were walking in the streets with the computer in one hand and the adapter in the other, like, where are you, where are you? And we actually found the WEP network at a gas station. So we went there at bad hours because they weren't working. It was like 7pm. It was after hours. So no traffic was available. So we went there the next day and we actually got to crack that WEP. I think that was my first Wi-Fi accomplishment. Yeah, and to finalize it, Wi-Fi attacks are cheap to execute and they're actually pretty easy. If you do not know anything about Wi-Fi, you can still do it. So there, hands-on for Wi-Fi.
