But now for Caleb, I'm going to hand it over to him for his comprehensive talk on mapping Wi-Fi networks and triggering on interesting traffic patterns. And without further ado, Caleb. Thank you. Hello. So, as she said, my name is Caleb. I work at Mandiant slash FireEye on the Incident Response R&D team. That's my day job. So, if the Mandiant consultants are like ninjas like Uma Thurman, I'm kind of the sword maker who makes their swords. I can't remember what that guy's name is in the movie. Anyone know? Thank you. That's right. So I like fuzzy things in life, like that dog, but also like fuzzy graphs and math that is fuzzy. I find I like it when I have to kind of pull the signal out of the noise. And one of the things I like about that is that if you get into the real world, almost everything is fuzzy. So if you're looking at image recognition, text recognition, voice recognition, or going out and touching things in the physical world, like with SDR, you have to use mathematics a lot, and kind of that fuzzy math. And I come from a programming background, and I think programming computers and stuff is cool, but it's even more interesting when you can move things around in the physical world and kind of reach out and touch it, at least to myself. So kind of a precursor to this talk, or something that led up to it: you know, I kind of got into IoT stuff before I knew it was called IoT. I did a Raspberry Pi security system. And that was one thing that led me into this talk. And the other was, you know, wireless hacking is fun. I've been doing different kinds of it for a while. I used to do the TCP, you know, layer three and four. And then I did a little bit with SDR at the lower layer. And then this talk is kind of on layer two, the data link. And I kind of ignored this layer for a while because I thought it seemed kind of boring. You know, because the data you get at layer two, at the data link layer in 802.11, is roughly this.
You know, you get the source MAC, the destination MAC, the SSID, the frame type, but then the rest of the data is encrypted. So it kind of seemed boring in the past, but then I started looking at it, and you can infer a lot of other interesting data if you're tracking over time and implying various things. So, you know, like the time is implied. It's not in the frame. So I had this problem initially that led me to thinking about this stuff. I had a Canary IP camera and I have a Wink security system, and they don't talk to each other. And I wanted the camera, if it detected motion while it was armed, to trigger the sirens in my security system, but they didn't talk. So I had this problem, and as a Pythonista, you know, if I had a fever and the only prescription was more Python, that's how I usually solve boring things that bore me. And the solution was this program I wrote called Tracker Jacker. It's open source. It is also pip installable. And this is the tool that I used to solve that problem. So my thinking was, let me go to a video. I decided I had to record this because I didn't want to bring my own security system to DEF CON and do a live demo with it and then go back home and plug it into my house. So I videoed this, but basically the concept was, since it's an IP camera, if it detects motion, it's going to have to upload that to the cloud. So I can just look for a threshold of bytes. Like if I see more than half a megabyte in 10 seconds, assume that it's uploading a video, which would mean it's probably detected motion. And from there, I was able to call this script to then trigger my sirens. So this is kind of the proof of concept with that. So I'm going to just, I don't think we have good sound. So this is the siren, and then this is the camera, and they don't talk to each other. So basically, I move into the camera's field of view, and you'll see the tracker-jacker program print something. And then right after that, you'll see the siren go off.
So that was kind of my proof of concept, and I was pretty excited. But something about it also kind of freaked me out, because I realized I didn't even have to be on the wireless network to detect that. I could just, because you're in monitor mode, you're not connected to the network. So conceivably, if I had a neighbor and they were doing this, or if it were me and I had a neighbor, I could probably see if they have any IP cameras. I could look at their MAC address, and from that ascertain, with some probability, maybe if it's Nest, it might be a camera. Well, you could see if that's detecting motion, even if you're not in the same house, even if you're not connected to that network. So that was kind of an interesting surprise. A little side note with that: I was actually testing this out with this camera, and I started noticing it was detecting motion, where I was getting triggers even when it was unarmed. The camera was in home mode. And that was a little freaky because, in theory, if it's in home mode, it's not recording video, but it turned out it was. I didn't call them out, though, because they actually had a setting to disable that, but it seemed a little bit gray, kind of, to me. So I want to actually show you Tracker Jacker live. So it's running right here on my Ubuntu VM. And so this is performing one of the, Tracker Jacker has two kinds of parts. One is the mapping functionality. The other is this trigger functionality. So triggering the security camera is the trigger functionality. But the mapping functionality basically maps out, it scans every channel and it captures basically all the packets it can. And it builds the relationship map between every access point. So it lists everyone on every channel. And then it shows every, well, let me show you the data. So I've been scanning here at Recon Village. So it shows you every SSID and then under that each node in that network. So each BSSID.
And then under each BSSID, you see all the devices connected to that. So it's kind of like nmap, but for the wireless radio waves, because it'll build every relationship that it sees. And you get the vendor, if it's there, the signal strength, the bytes received, all that kind of stuff. So you can really get a good idea of what's on every network and whether they're active, you know. So that's kind of, you know, that was solving a problem that I saw, because I didn't see a good way with many other tools to get that exhaustive list, at least in a nice format. Maybe in a GUI, but that was kind of the motivation. So a little bit, real quick, on how this works from a radio perspective. So a few basic things that probably most people know. Let me ask, how many of you are familiar with 802.11? Okay, yeah, okay, well, let's go over it briefly then. So you have these various channels: channel one, channel six, channel 11. And those simply correspond to predefined radio frequencies. And so you have your 2.4 gigahertz range channels, and you have your 5 gigahertz range channels. Obviously the radio, it's just radio. I recently was doing a lot of ham radio stuff and layer two stuff, or layer one stuff. And so coming back and looking at Wi-Fi, it was interesting to think of it as kind of just radio, you know. And ultimately a note about monitor mode. So you may be familiar with promiscuous mode, where you could do this if you're on a network and you want to just say, give me all the traffic I see. Normally it filters out frames that are not for your MAC address, but with promiscuous mode, you can say, give me everything that you see. Monitor mode is a little different than that, and I wanted to clarify it. So in monitor mode, you basically put your adapter into pretty much pure radio mode. And it receives frames from every network on that particular channel that it's on. And so it's not associated with any Wi-Fi network or anything like that.
And it can receive from all of them. So another demo I wanted to show: I wanted to give an idea of the plug-in system a little bit. So I've got this pretty sweet plug-in system. And it's just very simple Python code. Let me make that bigger. So this is what a plug-in looks like. So you basically just have, let me ask this. How many people here know basic Python programming? OK, maybe 40%. So for those who know Python, the plug-in API is really nice. You write, you know, there's no inheritance or anything like that. There's just, you have your top-level class called Trigger, and you have an init method and a call method. And basically, all of the various metadata or data about every packet is put into this function. So the device ID is like the MAC address. The vendor would be like Apple, you know, the interface that it was on, the power level. And so you can take that in your Python code and just write all kinds of various plug-ins. So one example, OK, I'll start with this one. So again, these are kind of to respond to virtually any kind of traffic pattern you could think of. So you could respond to a threshold of bytes like I did for the camera one. But you could also say, if I see any device that's closer than negative 50 dBm in power, so within a certain range, and if you see that, then do something. Or you could focus on a particular MAC address. So anyway, one example plug-in is, imagine that you want to de-auth attack. Let's say you really hate Apple and you want to de-auth every Apple in range. Well, that's a traffic pattern. You know, you can look at it based on the, you know, because we do the lookup for the vendor based on the OUI. So we can look that up and say, OK, that's an Apple device. And so respond, you know. So let me demo that. So it's just, I don't know if there are any Apple devices within range, but oh, it looks like there is. So everyone it sees that it gets all the data on, it will de-auth. And we should see that up. There we are.
De-authing someone. Probably. So we won't leave that running for very long. But so how many of you guys have tried to do a de-auth with Aircrack before? OK. So if you've done it, you know that you have to specify the BSSID, you know, the node that it's on, the MAC address, all that kind of stuff. And so what if you de-auth someone? Well, it probably will jump over to another node. And then you'd have to do another scan, fill in the information, launch the attack again. So this does that kind of automatically because, you know, every time something pops up, it's going to just respond. So, you know, if you have it looking for a particular MAC address, it'll pop up anywhere and then tracker-jacker will, you know, de-auth it. So don't run that for very long. And if you do, maybe limit the power. So you can do this based on the power. So say only within some range. Actually, I think I did that for, so it probably didn't de-auth people outside of this room. But that's an example of, you know, having a traffic pattern and then being able to respond to it. Let's see. Oh, I was going to show you a different demo as well. So this one, this one's not very useful. It's more to demonstrate what the plug-in API is kind of capable of. So this is kind of just showing, you know, the top X devices in terms of closeness. So that's kind of what Aircrack does. So it's not new interesting functionality. But I thought it was kind of cool because it kind of shows you can do quite a variety of different types of things with tracker-jacker, with the plug-ins, if it's based on traffic patterns. And let's see. Yeah, I'll demo one other demo. This one, I want to demonstrate what a really simple, so this plug-in here: count apples. So this, you know, basically just says, every time I see an Apple computer that's unique, then print it out. So it's doing something kind of useful.
You know, even for a really small plug-in, it's doing something kind of useful. And it's kind of a really simple example you could work from. Oh, actually I had modified this to show other people. I actually put a power range on that. So let me see. I actually want to see what it is if I get rid of that. Yeah, that's more, that's more like it. And this is actually a really short-range antenna. So I think I mentioned it, but the output file, you know, is a YAML file. So it's kind of cool because it's both the database for tracker-jacker as well as the human-readable output, but it's also kind of the interop, because, you know, you can easily write a program that parses YAML. Actually, let me see if I have that still. Have you guys seen the "Marv was here" Wi-Fi? No. So this guy, I think it's like this running joke. Someone told me about it, but people have this network and it says "Marv was here," like a lot of variants of it. So I programmed it to filter Marv out because I wanted to know how many SSIDs there were. So yeah, there were 50 Marv SSIDs. But I wanted to show that because, you know, this is just an example of what a script would look like that could parse the YAML. Pretty, well, reasonably short. Okay, I also wanted to mention environment. So I have not run this on Windows. If you would like to see it on Windows, please submit a PR. It's got basic macOS support, but it's mostly Linux. So some of the basic stuff runs on Mac, but it's mostly been tested on Linux. So Kali, Ubuntu, Raspberry Pi. And then as far as adapters go, typically it's better to use an external adapter, as most of you probably know, for this kind of stuff. I really like, there's this one I have, the Panda PAU-09, and the 07 is nice too. But, you know, they're both small and they're both dual-band, and they work with Linux without configuration, and they support injection and monitor mode, which is nice.
And then as far as takeaways, you know, it's interesting to look at wireless again and realize, oh yeah, even though we have this concept of private networks and all of that, it's still, it's just radio ultimately. And there's only so much you can do with radio, to conceal radio waves. You know, the protocols are written in a way where they have to have some of that information public. There's not, you know, a good fix for that. Another takeaway is it's really trivial to track you based on your Wi-Fi. Most of your smartphones, you know, if Wi-Fi is on, they're broadcasting their MAC address everywhere you go. And I think there was a Snowden reveal about the government doing that. And I think it came out recently that maybe stores are doing that to track people or something like that. But it really is not like a theoretical caveat. So very simple and really difficult to prevent. You know, you can keep your Wi-Fi off when you're traveling around and that's gonna cut down on being tracked where you're at, but, you know, if you connect your phone to your home Wi-Fi every time, if someone was looking, you know, they could see if you're there or not with high confidence. It's just annoying because there's not really something good to do about that. There's not a good fix. Also, as I said, you know, it's kind of cool. There's actually interesting information that we can obtain even at Layer 2. We have this, or there's this new tool, Tracker Jacker, feel free to try it. Negative feedback is welcome as well as positive. And if you write any cool plugins, you know, give me a PR and we'll add it in. And I think that's it. So thank you.
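The byte-threshold trigger the talk describes (more than half a megabyte from one device inside ten seconds means "probably uploading video"), written out as an added example in the plug-in shape the speaker outlines: a top-level `Trigger` class with an init method and a call method. This is not trackerjacker's own code; the keyword names `dev_id` and `num_bytes`, the optional `now` argument, and the constructed frame samples are assumptions made here for a self-contained demonstration.

```python
import time
from collections import defaultdict, deque

# Thresholds taken from the talk: > 0.5 MB within 10 s looks like a video upload.
THRESHOLD_BYTES = 512 * 1024
WINDOW_SECONDS = 10


class Trigger:
    """Plug-in in the shape the talk describes: no inheritance, just __init__ and
    __call__, the latter receiving per-frame metadata as keyword arguments.
    dev_id / num_bytes / now are assumed names for this example, not the
    project's exact API."""

    def __init__(self, threshold=THRESHOLD_BYTES, window=WINDOW_SECONDS, on_fire=None):
        self.threshold = threshold
        self.window = window
        self.on_fire = on_fire or (lambda dev_id, total: None)  # e.g. the siren hook
        self.history = defaultdict(deque)  # dev_id -> deque of (timestamp, bytes)
        self.fired = []                    # (dev_id, timestamp) of every trigger

    def __call__(self, dev_id=None, num_bytes=0, now=None, **kwargs):
        """Called once per observed frame; returns True when the threshold trips."""
        now = time.time() if now is None else now
        recent = self.history[dev_id]
        recent.append((now, num_bytes))
        # Drop samples older than the window so only the last 10 s of traffic count.
        while recent and now - recent[0][0] > self.window:
            recent.popleft()
        total = sum(b for _, b in recent)
        if total > self.threshold:
            self.fired.append((dev_id, now))
            self.on_fire(dev_id, total)
            recent.clear()  # one upload fires once, not on every following frame
            return True
        return False


def replay(trigger, frames):
    """Feed constructed (timestamp, dev_id, num_bytes) frames; return devices that fired."""
    return [dev for (ts, dev, n) in frames if trigger(dev_id=dev, num_bytes=n, now=ts)]


# Constructed sample: the camera bursts 100 KB/s for 7 s, the laptop only trickles.
CAMERA, LAPTOP = "aa:bb:cc:00:00:01", "dd:ee:ff:00:00:02"
SAMPLE_FRAMES = sorted([(t, CAMERA, 100 * 1024) for t in range(7)] +
                       [(t, LAPTOP, 2 * 1024) for t in range(60)])

if __name__ == "__main__":
    print(replay(Trigger(), SAMPLE_FRAMES))  # only the camera trips the threshold
```

Because the window is per device and resets after firing, a device that uploads the same volume spread over a minute never trips it, which is the difference between "busy" and "bursting".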