 So, I'm talking about a thing called TOSPO virus. I call it TOSPO virus, so you'll find out what that means in the future. This is my little trek through the sweetest of the Wi-Fi fruits, which is the Wi-Fi pineapple. It is kind of geared towards a workshop. Is anybody actually doing this as a workshop, or are we just sitting around? All right, so we've got a couple of people here, do you have pineapples? That's going to make it really hard, so you kind of need pineapples for it. So yeah, anybody doing this as a workshop, it's going to make it really short if nobody is doing it because then we don't have to wait for anybody. Yeah, it's just story time. Cool? Anybody? Anybody back there? We got one? Oh, you got one? Do we have a, do you throw one up there? Do we have a second one? Because we really need two. Thank you so very much. Yeah, is there anything important on it? Because we are going to flash it back down. We're going to downgrade it. If you were here for the previous talk, you may have heard that like all of this stuff kind of got fixed. Doesn't care? Cool? Not up for it. Not up for it? Okay. All right. That can happen at any point in time. Is there anybody that works in affirmative action here? So I'll keep going. That's my man servant over there. So the workshop layout is going to be like introductions. You'll find out a little bit about me very little. Yes, sir? Yeah, just like two would be great though. You know what? I mean, I've got two and we can re-flash those. That's really easy. I think that'll work. You? No. No, we need two. You got to listen. This thing's working, right? All right, all right, we'll use the, we'll use the, actually this is, this probably works out well because then it's less for people to fuck around with. So yeah, we'll go through some setup which will be these guys setting up. They will be our, I guess, guinea pigs which is wonderful. Thank you for volunteering yourselves. 
We're going to disclose some vulnerabilities which have kind of already been disclosed a little bit and we're going to do some exploitation of those vulnerabilities. We're going to overview, have a very, very, very tiny little overview of viruses which is like literally one slide but important. And then we're going to introduce you to TOSPO virus itself. And we will go through the process of using TOSPO virus and then we will recover some data over the air which is quite fun, I think. So introductions. Myself, I am Catatonic Prime. I'm sometimes caught making good decisions about alcohol but not often, especially at Defcon. Did anybody else drink too much last night? Yeah, yeah, yeah, that's, I also wrote the TOSPO virus itself. This is actual Reverend. He's my manservant. He's a Windows sys admin. He's been hanging out with me and he provided all of the comments to make it easier for people to read. If you do get a copy of these materials, they will be available sometime after the talk. We'll put them up on GitHub or whatever. So what you need, if you looked at the website, is you will need a laptop. You need a working version of Metasploit. Kali works just fine for this. And you need a partner. Remember two devices. And somebody needs to be device number one. So I guess since it's just you two, both of you give us your social security numbers. The one with the lowest is the one that is device number one. You guys must be very close. So we should have, did you turn one of these guys on? That guy's on? They're both on? Okay. So you guys, if anybody else wants to follow along over there, you are welcome to. You can jump in almost at any time. But these things are going to go away because I think we're going to share one over. But if you guys could from, if you're using a virtual machine, do this from your virtual machine. The materials need to be in your Linux distro, not on your host. So yeah, connect to one of these guys. 
The rest of you, please don't fuck it up. Like I'm begging you. Do not de-auth and do mean things or like intercept and it just makes me sad. Yeah, you especially. As soon as, when you showed your demo earlier, I was like, oh fuck, I should have put that in. That looks glorious. It's nice and fast. So we will take a couple of minutes. Anybody have any questions yet? No? Okay. Yeah, it's all the boring stuff at the beginning. Yeah. How about I ask you guys some questions? Where are you from? Who here is from the great state of California? Hippies. Who here loves guns? I don't see any of the California people raising their hands. Oh, man, yeah, just come, I did not think of any of that until now. I swear. You guys ready yet? Tick tock. Tick tock. Yeah. We do have two hours. It's going to be really long. We're going to take time. Feel free to ask questions at any point in time, especially since we don't have a lot of people that we're managing. That's probably going to be just nice and smooth. You can ask anything at any time. Oh, man, I wish that we had. We have a jacuzzi in our room that is filled with ice, beer, and liquor. And we got, I think, maybe halfway through it, more than half. Oh, we just, oh my God. So if any of you pray, we do have a guy that went to the hospital and he clocked in with a .422. Defcon, holy shit. You got to, yeah, my understanding is he said the hospital did say that was the highest that they've ever seen, and that's in Las Vegas. So yeah, he was texting, right? He was texting? Okay, so his hands work, but we don't know if he can speak. It's going to be terrible in posterity. When I come back and I'm like, no, he can't speak. Dang it. Yes, sir? Oh, you know, I was like, I could use Shaw. And then I was like, man. That's good enough, yeah? You guys set? Set? Everybody set? Okay. Anybody back there waiting? Nope. They're doing their own thing, having fun. That's cool. That's great. All right, so we're moving on. 
Some of the stuff that you got to do, once you get those course materials, you got to unpack them. You got to move some stuff into the right places. You got to install the back door that we do for you. Just run scripts, pull the exploits from exploit DB and just execute, right? Always works. Tick-tock, tick-tock. This is the slowest part. And then later we get in some more of the fun stuff. Oh, yeah. Any time, man. Whenever you're ready. So did anybody get their pineapple on last year during Darren and Seb's talk here? Did it just like go completely, completely dead? Yeah, I was testing the exploit out on you. I didn't own one yet. And I was literally standing right next to you. So if you were on the back row, you're messing around with your pineapple during their talk. And I was literally standing there with my laptop because there was no seating. With it bent up like this. And I'm looking over the guy's shoulder. And it's not working. The exploit's just not working. So I'm messing with it. I was like, this thing should work. It worked. So I'd done all my testing in a virtual machine, an x86 virtual machine with all the Wi-Fi pineapple stuff copied over into it. What happened was I had bash in that virtual machine. Wi-Fi pineapple just has BusyBox. And so one of my commands was growing up. So it was working. The payload just wasn't running. And I got so mad about it, I just rm -rf'd it. My bad. Dandy public apology there. Yeah, the rest of them got pretty bad treatment too. But at least they got a nice entertaining screen. You're saying that you're going to buy this guy a beer, right? Absolutely. So now it's like five people here. Yeah, that's what I was saying. Oh, free beer. Yeah. You guys all say, you just got to type what's on the screen. I think we got to call the guy who can text still. I do feel really bad for him, though. I hope he's OK. It is exciting once it comes around. I know, right? I am a little curious. I did look at something earlier. 
I was walking around with my pineapple running what I will be showing off today. And I did see that it connected to at least one which said pineapple five version 1.2.0 you can hunt me. And I was curious if that was yours. No? Oh, OK. I don't have a hunting product. Oh, yeah. I thought about that. Sure. This year I'm completely crowd sourcing. It's just been other people that I've given it to. Just in case my laptop eats battery and I forget, then it's going to shut down in the middle and that would suck. Here's some teamwork occurring over here. Anybody else here know how to type? Anybody know how to use Linux? It did something. He said it did something. Oh, you guys know. So you get into the Metasploit framework. You know where that's located? You're good? Cool. Great. Oh, you got another one? OK, cool. Great. The password was TOSPO virus. TOSPO, yeah. Oh, TOSPO with a P. Something upside down B or D, something. OK, so once you get that all done, we actually need to probably downgrade your pineapple because this does not work on the latest firmware. So you can do that by finishing configuring your device and then you can copy it. That will open up SSH. You can copy your bin over. You can copy the old firmware, which is included in the course materials with backdoors. And you just, yeah, run these commands. Ta-da. All of the vulnerabilities that I use have been patched. So they are all mitigated. Were you here in the previous talk? OK, so at the end of the previous talk, they were mentioning that now when you configure a new device, when you get a new device that has the latest firmware, you have to go through a process of proving that you own it. And the way that you do that is you use Ethernet and you turn off the radios. Because as it turns out, leaving the radios on, it leaves some attack surface open. So, yeah, now they've forced you to turn the radios off by flipping DIP switches. 
Then you can continue, flip the DIP switches back on when it's time and finish configuring your device so that somebody else doesn't do it for you. Yeah. Me too. I didn't do it. I didn't do it either. It does take a couple of minutes. Flash, you get your commands in at least. Say that it's writing firmware, rebooting, et cetera. Manservant. Go help them. God, I'm so glad that I have them. I don't know what I would do in my life without them. Oh, yeah. You know what? In the course materials is also the HTML. Yeah. There's like a lab document in there. You can open that. It has every command that we run. You can literally copy, paste into a terminal. If you can type like three keys, two of them at the same time, you're set. That's the tough part. Or right-clicking is also successful, unless you're missing a middle finger. No. What? Whoa, you're... Dude, that's fucking weird. That's what middle finger privilege sounds like. Do-do-do-do. That's the third one doing. Has anybody here... Or anybody else here done any exploits on the pineapple? Their own? Has anybody run my script? Yeah. Has anybody run McGrew's script here? He released it? No. You're not that famous, man. Oh, my God. I did. I am considering integrating it later. It's very... It's highly effective. It'll make it... It's looking so good. I think it'll make a good addition. Anybody here know how you can identify a pineapple over the air? Like, if you get beacon frames? Like, what's a good option for that? Like, how to tell? Anybody? I was just connected to them. No, no, no. The SSIDs in them? Anybody know about their SSIDs? For the OUI? Yeah, sorry, the MAC address, yes. Yes. Yeah, so the SSID... Yeah, that's one way. Once they're configured and they don't have the SSID... Sorry, I didn't mean SSID. I meant BSSID, the MAC address, the OUI. Yeah, it's like, I believe, 031337. Is somebody... Anybody? Yeah, so if you see those, those are probably pineapples when you're at DEF CON. 
Yeah, so I mean, it could be a good thing to play with with this, is instead of looking for SSIDs, you look for those and might help with searching and finding them. Are you guys set? All right. Yes? Maybe I should do it. Yeah, this part is boring. So you guys are good. You got the lab at least. I'm going to move on. So the vulnerabilities, hey, fun stuff, right? This is what people really want to hear about. Yeah. So like I said, as far as I know, all of these have been mitigated in version 2.4. That's the latest version. It's actually 2.4.0. Those changes were put out by Seb just last week. And all of the vulnerabilities, the first one, I don't usually like to count this as a vulnerability. It happens to be super useful in this case. It's default usernames and passwords. Yeah. You know, okay, boring. Anybody know what the default password for a pineapple is? We know they're yummy, sir, but what is the password? Yeah. So yeah, default username is root. Default password is pineapples are yummy. Then there's a weak proof of ownership challenge. They covered that a little bit at the end of the previous talk. We'll talk about it a little bit more and give you some closer numbers. I'm really bad at math, so if I fucked all that up, sorry. Predictable anti-CSRF tokens. This is what I actually count as the vulnerability. They do not release their CSRF token to you until after the device is fully configured and you successfully log in. But as it turns out, you can do some other stuff. It's easy and fun. And then a little bit later, I picked up a login anti-CSRF bypass as well in pre-configuration devices. So you can just skip all of that other stuff and just get to the chase, which we will talk about that as well. And all of these have been fixed. Once you get authentication, once you get session, that's good. You want to target component system configuration functions.php and you want to be able to run commands there. This is built in. It's by design. So target that. 
That's your command injection point. So the weak challenge, we're going to skip the default passwords, right? Because we already covered that. No need to put a slide for it. A weak challenge. The challenge allows you to reset the password. There are four LEDs on a Wi-Fi pineapple. I believe it's what? Green, blue, red, yellow, or amber. And there's three possible states on, off, or blinking. So, hey, that's like a theoretical of 81 possible solutions, which if you were actually hitting them really fast and getting them wrong like I've done, you can get about two per second, approximately. And you should, in theory, I think, get them in half of that time. So that's 80 divided by two divided by two or approximately 20 seconds to compromising the password and resetting it, which will allow you to login and complete all of the rest of the setup. Or if you get them wrong a lot like I have, you'll notice the green one is literally always on. So there's only 27 possible solutions, which leads you down to being able to compromise the device in seven seconds. This is very important because all of these vulnerabilities only apply to pre-configuration devices. So once they're configured, they're kind of, they're a lot better off with the exception of some ARP spoofing. So, yeah. Pardon me. I should get some aspirin, too. So yeah, seven seconds to compromise. Very important. Once you get a successful login, so either by resetting the password or using the default credentials, once you are successfully logged in, you will generate a CSRF token, an anti-CSRF token, and that is based entirely, yeah, muscles don't work good. I mean, I've played football for like years. Yeah, yeah, we're good. Good Lord. I'll leave it the way I got it. I was caught back. 
So once you generate your anti-CSRF token, it is generated as the SHA-1 of the session ID, which on these devices is quite interesting because if you use a cookie with a session ID that did not already exist, it will make that session for you. I was talking to some other guy and he was like, oh, my God, session fixation, and I was like, eh, I don't know, is it? Is it? So if somebody knows about that and would like to chat about it later, yeah, I see this guy looking confused. I'm with him. I don't think so, either. But if somebody has a fancy idea about that, let's talk. I would love to hear ideas, and we can try them out. We have devices. So that will create a session with a specific token, in this case, my session will be to a token like this, which then gives us access to execute commands. Because anti-CSRF is passed, you have a logged in session, you can now run commands on the device, you are root on the device effectively. So doing all of this a little bit faster, there's a faulty check in the authentication stack and the header stuff that they include, and it looks for a string called include CSS styles.php, but it doesn't look for it being the end of the string, and also the beginning of the string, it looks for it anywhere in the string. So if we do a little directory traversal trick, we can just include that at the beginning, back up a little bit, and then presto, we can execute commands without doing any login at all, or any brute forcing at all. The virus does not use this, but I imagine it could. Activity for the astute student. So the exploit chain kind of looks like this, or could look like this, you could adjust it to make it better for you however you wanted. You choose your starting point, you choose an exploit method. In our case, we just stay on the top side and the TOSPO virus land, but it would be pretty easy to put these in an actual chain instead of having that decision at the beginning. 
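The two weak checks the speaker describes in this passage (an anti-CSRF token derived as SHA-1 of the session ID, plus a "public file" check that only tests for a substring) are shown below next to the hardened form of each. This is an added example written for this transcript; it is not the speaker's code, not TOSPO virus, and not the Pineapple firmware. The session store, the function names and the `includes/css/styles.php` path string (taken from how the talk names the file) are assumptions made for illustration.

```python
import hashlib
import hmac
import posixpath
import secrets
from typing import Dict, List, Optional

# ---- Part 1: anti-CSRF token tied to the session id vs. independent random token ----

def weak_csrf_token(session_id: str) -> str:
    """Token = SHA-1(session id), as described in the talk.
    Whoever knows (or chooses) the session id can compute this token
    without ever authenticating, so it adds no protection at all."""
    return hashlib.sha1(session_id.encode()).hexdigest()


class HardenedSessionStore:
    """Server-side session store (constructed for this example, not the device's code).
    - the session id and the CSRF token are independent random values
    - a cookie carrying an unknown session id is rejected, never auto-created
    - tokens are compared in constant time"""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def login(self) -> str:
        """Called only after credentials were verified; returns the new session id."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"csrf": secrets.token_hex(32)}
        return sid

    def csrf_token_for(self, sid: str) -> Optional[str]:
        sess = self._sessions.get(sid)
        return None if sess is None else sess["csrf"]

    def verify_csrf(self, sid: str, presented: str) -> bool:
        sess = self._sessions.get(sid)  # unknown sid -> no session, nothing is created
        if sess is None:
            return False
        return hmac.compare_digest(sess["csrf"], presented)


# ---- Part 2: "is this request for the public stylesheet?" check ----

PUBLIC_SCRIPT = "includes/css/styles.php"  # file name as given in the talk (assumed spelling)

def weak_is_public(requested: str) -> bool:
    """Substring test: true for ANY path that merely contains the public name,
    including paths that traverse back out to a different script."""
    return PUBLIC_SCRIPT in requested

def hardened_is_public(requested: str) -> bool:
    """Normalise the path first (collapsing '.' and '..' segments) and then
    require an exact match against the single allowed file."""
    normalised = posixpath.normpath("/" + requested.lstrip("/"))
    return normalised == "/" + PUBLIC_SCRIPT

def demo() -> List[bool]:
    """Returns [weak check on a traversing path, hardened check on the same path]."""
    path = PUBLIC_SCRIPT + "/../../api/functions.php"  # constructed traversal path
    return [weak_is_public(path), hardened_is_public(path)]
```

The point of `HardenedSessionStore` is that the CSRF token no longer carries any information about the session id, so fixing or guessing a session id gives nothing; the point of `hardened_is_public` is that the decision is made on the path that will actually be served, after normalisation, and against an exact match rather than a substring.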
So just try one if it fails, try the last one, and then hopefully you'll get there. So once you have done this, there are a couple of ideas like, well, what should you do with it? I think that you should install a service. I think that you should install an SSH backdoor. I believe yours was doing this, but you added a user. So in the previous exploit last year, it did a lot of very bad things. It attempted to make it as difficult as possible to recover. It removed the whole web interface. It tried to remove anything that could reflash it and all this sort of stuff. This year, I settled for just adding a user and SSHing in, but the code's available, do what you want afterwards. So it could be a good thing to add the user. I add an SSH authorized key instead. I found that to be easier at the time even though it's really big, and part of that has to do with preventing people from cracking the SHA later, if you use a weak password for it when you add the user. I like keys a little bit better in this way. Then you can also do maybe like a little encrypted packet disclosure with some stuff for the WPA protected managed interface. Once you've finished configuring a device, let's say that it's been infected by the virus, then you still want to be able to gain access to it. The question is how do you spot them? How do you know which ones are infected? You could just connect to anything. One of the OUIs for Wi-Fi pineapple might as well connect and see if it has the back door on it. Or you could just wait for it to tell you. I like that a little bit better. All of these things combined is what makes up TOSPO virus. We'll talk a little bit about that after. This was geared towards being a workshop for people to do all of this stuff. Do you guys get set up? You haven't been listening to me, have you? I was hoping that you were just ignoring all of the vulnerability stuff. So there's some... I need some Metasploit modules for these. 
If it was a workshop, you can just load these up. They're super easy to use. Exactly these commands. Presto, you're in. You can modify your password. You can start completing the configuration a little bit or just change the password to whatever you want. Run this command again. Exploit. Boom. You're in. You can change the password, do whatever. You can play around with it a little bit and it'll get you in every time as long as it's a pre-configuration device. So, yes. I'm going to move along. I hear that we are having much a little less time than we were expecting to, which is cool. So if you were doing the workshop, you'd want to grab your SSID and the SSID of your partner. So everybody should have their SSIDs because you're going to share that a politeness thing because well, we'll talk about that later. And on the first device, if you pick a device, you'd say on this device enable SSH that'll let you copy files over and get things started. So talking about viruses, they really only have two primitives. They have a search function and they have a copy and replicate function. And if you have those two things, you basically are a virus by definition. I always thought there was like better than this, but nope. Turns out if you just like the Little Black Book of Computer Viruses, this is it. Worms are very similar. They just do these things in an automated fashion without any human interaction so it can happen automatically. I think 1988 Morris Worm, stuff like that just uses an exploit, exploit, exploit and just keeps jumping around. Oh, or Code Red if you want to be like slightly more newer or like Stuxnet if you want to be even newer. Of course, how it works is, as we discussed, you can identify Wi-Fi pineapples by their SSIDs. You can detect pre-configuration ones definitely by their SSID. It looks a lot like pineapple 5 and I can't spell. Underscore something, something, something, which are the last four digits of the MAC address. 
Once it sees one of these, once it sees one of these, uses iwlist scan to find that. Once it sees one, it will seek to use the default credentials. If that fails, it will attempt to brute force the puzzle, reset the password to the default so it's easy for them to be like, huh, that's weird, maybe the default still works, glitch, whatever. I don't know, I was hoping to not interfere too much with the user experience or using their device because then they'll just reflash it. Once it gains access, it backdoors it, adds an SSH key, adds an RSA key, which it does only for public only. It also generates its own SSH key, so the device that it's on creates an SSH key that it will use to infect victims, which is only for that particular device, and every device will do that, so that is a unique part, but all of them carry like a master backdoor key that they add, so they actually end up adding two keys, and they install a service. I call it a service, but it's really just like a cron job. A minute later, look for another one, see it, own it, only now you have two doing it, because yeah, it does that. It's pretty fun. And that is the automated fashion that makes TOSPO virus actually technically a worm. So if you were participating, yes, still behind, we'll run through it real quick, I can run through it pretty fast and at least show it you would, yes, if you're going through it, you could CD into TOSPO virus, you can edit stuff, there's a whitelist in there, you set up the whitelist so that you're not rude to your neighbors in the wireless village, and you're not infecting other people's devices without authorization, because that is, you know, I hear it's a problem, or something, something US federal code or something, I don't know. Yeah, I never heard of it. And I'm not a lawyer, so I have no advice. 
You can build it, this takes TOSPO virus and actually shrinks it down, it goes through like some little obfuscator that I pulled off, makes it slightly harder to read, not too much harder, you could pump it through as much as you would like, I think that would be a great thing to add in a little extra anti-reversing or, you know, make it polymorphic or metamorphic or something that would be sweet, just so that people get some weird samples when they start looking at each other's. You could also install a root kit like a backdoor to hide the virus. I did not choose to, I was originally going to let this loose without telling anybody about it at all. Yeah, I mean, to authorize devices, to authorize devices, there was a white list. It's cool. But yeah, I chatted with Seb and Darren, and they were so nice and I was like, oh man, I can't do that. I'm not that kind of person. I would not do that. I'm so glad that you're here. So yeah, then you basically create a seed device and just copy the directory over, make a directory, copy the files over, install the service yourself, and a minute later, you'll see that it should jump over to the second device that's in its whitelist, whitelist, whitelist. Then you can confirm that by using the master backdoor key, which is TOSPO virus backdoor, TVBD, and that should just let you pop right into the device as root and presto you have access as you would expect. Then you can go back, reflash device number one, which was the seed device. It will now be clean and if you wait approximately two minutes, then it should jump back. So that's what we're going to do next by using SSH. We'll come to that in a second. Would anybody like to see this actually work? That would be cool, right? I agree. So let's just try to run through it real quick. I need to flash a couple devices from right now. Oh, shit. You said that earlier. Yeah, you gave me that number like a while ago. Your info's not good. I was just doing that. 
I just burned through like 15 fucking slides for that. Oh my god. This resolution is ridiculous. What has happened here? Oh god. I can't computer. Oh, that doesn't look good. I heard this was a problem at DEF CON. Demos. Yeah, I know, right? Why do... What do I know? I heard that's a problem at DEF CON too. Okay, that would be great. Thank you. Yeah. Am I crazy? No, right? Like who needs wires? Yeah, right? Yeah. You know, dude, I'm fucking I'm getting just like some driver issue or something. I thought it was going to be a workshop. I thought other people were going to be doing this. Ryan, I'm fucking dying here, man. There's nothing to see here. Literally. Not anymore. I literally just lost the device. That is super bizarre. I think the window solution is to reboot. I apologize while I read. God. This is my first time being in front of like one of the people ever and clothed. Yeah, should just do DEF CON comedy. I don't think I'm as funny as those guys. So... What's that weird buzzing sound? Sounds like somebody's playing with a vibrator. Oh, I see the microphone. Let's not do that. It's cool. Did we actually bring our device back up? Come on, windows, don't fail me. I'm so unfortunate. I plugged in this fucking projector, but look, there's the device. Great, we're set. Oh, my God, this resolution. I say web development. I really mean like exploits. It's the same thing. Has anybody ever added a web interface to something that never was supposed to have it? It's okay, be honest. I just want to know what it was. That's all. I was really concerned there for a moment. Pause. I wonder if it went away when I put my machine to sleep. I don't know. Let's turn this on. Good Lord. Make sure that we... You got to do everything from bridge to adapter. Oh, thank God, there it is. Yay, back on track. So now I've told everybody about the vulnerability, so I'm going to spin up a box for you right now. Feel free. Later. Did you get that one? Problems at Defcon. Yay. 
I heard you're not supposed to bring laptops to Defcon or cell phones. I also heard it was canceled. I actually thought it was. I saw that picture of the Cosmopolitan, and I was like, ah, man, Defcon's over. It takes a minute to reboot. Oh, to reflash it. No, because she's configured it. That's right. That one thing we talked about earlier? Oh, man. Yeah, I'm hungover. I wish it was better for you. It's just like a crowd of my father out here. I'm so disappointed. That guy knows what I'm talking about. Is it the long hair? That's everything. So for those of you who haven't caught up with what's happening over here, they didn't have the root password to reflash it to downgrade it. So post configuration devices, these things don't affect it. We can't reset it. Yeah, you can flip the last switch up and then reboot it with an IP address of 192.168.1.2 and then so forth and so on. They have an image. They have an image. Sorry? What? People are yelling at me? It's coming up. Blue flashy light for anybody who cares. That means it's booting. Hopefully it keeps doing that unlike my other one in the hotel. Or rather, hopefully it stops doing that unlike my other one at the hotel. Yeah. It's not good. There he goes. I don't have Metasploit on this machine because I was expecting other people to do this once more. Oh, wait. Workshop as a workshop. Yeah. I told you to do what you did. Yeah. It's all those people. I know, right? That's right. The father's up here. I think that's right. If I read free passwords. There's an end user license agreement? Oh, I had no idea. Usually when I do this, I do use the Metasploit modules in which case, no, I definitely do not read the end user license agreement. Yeah. Sounds great. Let's do this. I guess it is flash time configuring it now. The vibrator is still going. Somebody has got, like, incredible endurance. They must be so proud. Yeah. I can't handle this. I think of another production device in which you can put contents. 
You have to read that one. Something we'll cover later. Yeah, a new device. Let's cover that device later. Pineapples are yummy. That's right. Yeah, that's right. There we go. So here's the virus being copied over. You can see that there are also two keys in there. One of them is the disclosure key. The other one is the SSH key. Let me just pass forward. Somewhere in here. I forgot what I'm supposed to do now. Oh, yeah, that's the one. Fucking Microsoft and their curly quotes. They think they're so goddamn smart. For those of you who missed that, you could stop at Fuck Microsoft. He's a Windows sys admin. Andy loves it. Just realized I did not fix my white list. I should just make sure that that's uh... Let it go. Yeah, that's true, right? That's true. You know what? Let's do that. Who needs a white list like this? Let's just do something more like... Yeah. Yeah, everybody here is consenting to Wi-Fi Pineapple stuff, right? Yeah, all right. See? Native to me. All right, so my device here is configured now. Should have the virus on it. We can pop into it real quick just to double-check. I'll take a look at the time, see about when it's going to fire off looks like in another 45 seconds. Or it's doing it now. I'll just wait for the network to come back. Is it done? I've ruined it for you. Oh, hey, look, it came back. I wonder what it was doing. Well, that was weird. Network disappeared for a little bit, but it came back. So, uh... So, yeah, I believe that my devices hopefully just jumped over. We can kind of go check. Oh, man. I think somebody else turned one on. Did you guys just finish? I don't suggest doing this in, like, the chill-out area. Not suggesting that at all. I hear, though, if you do, turning off IPv4 is really entertaining. So, there's a couple of extra files up here that weren't here originally. If we take a quick look at these, we should be able to get at the open-out CD. Take a quick look at what probably got owned. This is not one of mine. Whoops. 
Whoever has Pineapple 5, B1, BF, if you could check out your root directory for a TOSPO directory, you might want to just see if it's there. This might be the new one over here, too, though. Yeah? Did you guys get it spun up? Flashed? Reflashed? No. Okay, well, then. That's... So, yeah, in theory, it jumped over somewhere. Which is maybe good enough. Let's move on now. Whoever you are, I hope you enjoy it. You can see how it kind of works. You get it loaded and as soon as it finds a device, it drops for a little bit, but it restores all previous network state. That's the goal of that was to keep people just like, all right. Yeah. Once it is infected, it likes to share some information. Once a device gets post-configured, after you've configured it, your SSID, you've got a password in /etc/config/wireless, and it likes to go and scrape that password out of there for you. It will just make a copy of that. And then it runs it through OpenSSL with one of the keys. It's a tvd.pub, which is an RSA public key. It is only 256-bit, but we take all of that data and shove it into a probe request using iwlist scan, because that command is awesome. It's super simple. It's available on everything, especially wireless router type things. You can fit 32 bytes into the SSID, but with the RSA encryption tacked in there, you actually only get about 20 bytes that you can put in, so it's super low bandwidth. It only goes out once a minute. You could probably expand it to have your own encapsulation and do complete exfiltration in this way, but the goal for me was to not disclose people's Wi-Fi, pineapple passwords that they get in post-configuration throughout the whole con for everybody, except for the devices. Yeah. So, yes, I chose to use RSA 256. I figured it was good for three days. Maybe I'm not a cryptographer. So, would anybody like to see what that looks like? I need a USB, mini USB, because I ran down here. 
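Two things in this talk can be turned into a simple over-the-air check from the defender's side: the "search" primitive (pre-configuration devices advertise an SSID of the form Pineapple5_ plus the last four hex digits of the MAC, and the BSSID carries the Pineapple OUI), and the disclosure channel (a 32-byte SSID field carrying RSA ciphertext, which looks like random bytes rather than a name). The block below is an added example for this transcript, not the speaker's code and not part of TOSPO virus: it parses text in the layout `iwlist <iface> scan` prints and tags cells that match those patterns. The scan text is constructed, the tag names are mine, and the OUI value 00:13:37 is an assumption based on the speaker's "I believe, 031337".

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the layout `iwlist <iface> scan` prints (not a real capture).
# Cell 01: pre-configuration Pineapple SSID on the Pineapple OUI.
# Cell 02: Pineapple OUI with a 32-character SSID that looks like random bytes.
# Cell 03: an ordinary access point used as a control.
SAMPLE_SCAN = """wlan0     Scan completed :
          Cell 01 - Address: 00:13:37:B1:BF:42
                    Channel:6
                    Quality=70/70  Signal level=-40 dBm
                    Encryption key:off
                    ESSID:"Pineapple5_BF42"
          Cell 02 - Address: 00:13:37:AA:BB:CC
                    Channel:11
                    Quality=55/70  Signal level=-55 dBm
                    Encryption key:on
                    ESSID:"k3Zq9Bm1xP7vL0tR4yN8wH2jC6sF5dGa"
          Cell 03 - Address: F4:F2:6D:11:22:33
                    Channel:1
                    Quality=40/70  Signal level=-70 dBm
                    Encryption key:on
                    ESSID:"CoffeeShop-Guest"
"""

PINEAPPLE_OUI = "00:13:37"   # assumption: the OUI the speaker recalls as "031337"
PRECONFIG_SSID = re.compile(r"^Pineapple5_[0-9A-Fa-f]{4}$")   # pattern described in the talk
CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
ESSID_RE = re.compile(r'ESSID:"(.*)"')

# Thresholds for the covert-channel heuristic (chosen for this example):
# the SSID field holds at most 32 bytes, so a near-full field of
# high-entropy characters is unusual for a human-chosen network name.
MIN_COVERT_LEN = 28
MIN_COVERT_ENTROPY = 4.5   # bits per character


def parse_iwlist(text: str) -> List[Dict[str, str]]:
    """Turn iwlist-style scan output into a list of {bssid, essid} records."""
    cells: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if m:
            current = {"bssid": m.group(1).upper(), "essid": ""}
            cells.append(current)
            continue
        m = ESSID_RE.search(line)
        if m and current is not None:
            current["essid"] = m.group(1)
    return cells


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the characters in s, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def classify_cell(cell: Dict[str, str]) -> List[str]:
    """Return the list of tags a cell earns (empty list if nothing is notable)."""
    tags: List[str] = []
    if cell["bssid"].startswith(PINEAPPLE_OUI):
        tags.append("pineapple_oui")
    essid = cell["essid"]
    if PRECONFIG_SSID.match(essid):
        tags.append("preconfig_pineapple_ssid")
    if len(essid) >= MIN_COVERT_LEN and shannon_entropy(essid) >= MIN_COVERT_ENTROPY:
        tags.append("high_entropy_ssid")
    return tags


def scan_report(text: str) -> Dict[str, List[str]]:
    """Map BSSID -> tags for every cell that earned at least one tag."""
    report: Dict[str, List[str]] = {}
    for cell in parse_iwlist(text):
        tags = classify_cell(cell)
        if tags:
            report[cell["bssid"]] = tags
    return report


if __name__ == "__main__":
    for bssid, tags in scan_report(SAMPLE_SCAN).items():
        print(bssid, ",".join(tags))
```

The entropy rule is a heuristic, not a signature: it will also fire on legitimately random-looking SSIDs, so in practice the OUI and pre-configuration name tags are the ones to alert on, and the entropy tag is only a reason to look closer. On the capacity figure the speaker gives: a 256-bit RSA modulus is 32 bytes, PKCS#1 v1.5 encryption padding costs at least 11 of them, so the ciphertext exactly fills the 32-byte SSID field and at most 21 bytes of plaintext fit per probe, which is the "about 20 bytes" quoted in the talk.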
Does anybody have a thing that connects to one of these alpha cards? God, I owe everybody a beer in the audience. No, no, no. This guy right here. Look at an alpha card. God, I hope this fucking works. Oh, it's doing something special down below. Oh, yeah, thank you. I know it wasn't yours. Yeah. I heard a very authoritative answer of yes over there. I think that guy knows what he's talking about. Staffcon. It just makes it better. I forgot what I was doing. Oh, so to help with this, since these packets are encrypted, they look kind of nasty and I don't like fishing for them in Wireshark, but I'll show you what they look like in Wireshark. Okay. Oh, thank God. Yeah, that's got to go. Good thing I have Wireshark right here. Yeah, I know. Running Wireshark as root is totally cool. I love it. Their dissectors are so perfect. Everything. Yeah, everything. No vulns, no vulns. This is the worst place to do Wireshark captures for Wi-Fi packets. God. Oh, mon0. Yeah, yeah, thank you. I want to connect, too. My screen is so tiny. I'm going back to my room and drinking. This is fancy. I'm scared. Yeah, yours worked like immediately. Mine's like a... I wonder if I got a bad card. Is this mine? No. You actually have a bad card somewhere and I just lose it. And then it ends up in the wrong place at the worst time. I know I should just ditch it. Someday. That's the way it's made. I just passed it through. Sorry? Here. I know what usually adds it now. I'm here for like another 10 minutes or something. Hey. If I see any of the Debian guys or who are the fuck out of that, I'm buying them a beer. Does anybody know how to use airmon-ng? Yeah, I think, yeah. Let's try it again. Seeing prayers. This one will probably work. Or not. Yeah. Anybody else want to try this? Yeah. I mean, I got... That's cool. dmesg. Yeah, I unplugged it. I tried again. This would be so much easier if you guys were doing it. So I'd be up here yelling at you. This is the worst experience of my life. 
I've done this like fucking 50 times now. We did it last night. The night before. It worked great. Yeah, we did. Just to show that... I want to scrape the packets up. I need those packets. Yeah, how are you doing? How about you guys? Is there anybody in here who can sniff packets right now? Who would like to come over and join? They're busy. I know, right? It's a wonderful experience. You got it? Bring it up here. Yeah, this is now your time. Congratulations. Cool. Right, I'm liking that. It's going to take a long time for me anyways. This card is in the worst spot for the VGA adapter. It literally does not fit. Because the USB is in the way. Alright. Don't try any typing. It's like right next to it. It's my new machine. I know, right? Your mouse pad is soft. It's so difficult for me to use. So you're aware of it. Is there a way for me to yank this thing to the other screen? Yank most of my whiskey in this class. Yeah, I do. I think it's under administration. It's just pressed buttons. Oh, that scotch. It's not just me. Heavy lane one? Oh, bang. But is it true? It's true. This is going to be painful for me. Ah, yes, thank you. Now we're talking. Yeah, we are. So, yeah. Oh, deos? Oh, yeah. Nobody needs networks. Let's see if we can find a probe request in here somewhere. Somewhere, somewhere, somewhere, somewhere. If somebody sees a probe request, let me know. Oh, oh. That's a response, guys. English. I'm going to use the filter. I just forget what it is. How's the responses? You can just keep saying that. It's like I wouldn't know the difference. I wouldn't know the difference. Quests to send. Oh, sort by info. That sounds great. I wrote a Python script for it. Shrinking and mousing. Oh, my God. Man, fuck this. I think we have another volunteer to come up. I know, right? This makes it a workshop. Man. I think a response would work fine because I think the subtype is four. And I just forget, like, I'm feeling bad about sorting now. Why is there so much in this room? 
See if we can yank one of these guys. Oh, your mouse. God. Okay, okay, okay. I'll take this guy. Oh, yeah, there's a lot. Just sit around. I don't want to stop the capture. It's fast enough. Nice machine, dude. Except for the mouse pad. All right, so here we have probe requests. You can put it in any probe request that has a length of 32. Here, my mouse is killing me. So we will just filter down to those. So here are our exfiltrated password packets. They look like just a bunch of random noise. They have a length of 32 bytes. They do not actually contain the password. I wish that there was a way for me to copy this to another machine that maybe had the public key on it so that we could decrypt it. Mind if I plug in a USB? Nothing can go wrong. Right now, I'm indebted to you. I'll sell you my man-servant. No way, me. I'm going to copy some files. You're going to get a copy of the virus. You're cool with that, right? Oh, root, right. Yeah, fuck the world. I forget what interface was it. It's a little Python script to do all the filtering for me because I'm lazy. And it works way better than... Oh, I made that wrong one. Oh, god damn it. I can type three keys. So since it transmits every minute or so, we wait. And at one point, it will find the encrypted packets. It will give you the AP that it came from. You take a guess at which SSID it actually belongs to because it doesn't actually know that. They're slightly different. And then you end up with the password that is the password to that SSID decrypted using the public key, which he now has, so anything that happens, it was him. I very much appreciate all of y'all's patience. Holy shit. I love you too, Darren. So, yes, that pretty much wraps that all up. I think we're getting pretty close. Or maybe like a little 30 minutes early, any questions? I have had plenty of time to talk about all of this and nobody has been participating. Would anybody like to go spread this around? I mean, play with us somewhere? Yeah? 
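As an added example (not code from the talk or from the TOSPO project), here is a small defender-side detector in the spirit of the Wireshark filter just described: it walks constructed probe-request records and flags stations that repeatedly send full-length, non-text SSIDs, the signature of the 32-byte ciphertext beacons. The record layout (epoch, source MAC, SSID as hex) and every sample line are assumptions constructed for this example.

```python
"""Flag probe requests whose SSID looks like 32-byte ciphertext rather than a network name.

Added example, not the talk's code. Input records are constructed for this example in the
shape 'epoch<TAB>source_mac<TAB>ssid_hex'; adapt the parser to whatever your capture tool emits.
"""
import math
from collections import defaultdict

SSID_MAX = 32  # an 802.11 SSID element carries at most 32 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given bytes (max log2(len) for short inputs)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspect_ssid(ssid: bytes, min_entropy: float = 4.5) -> bool:
    """Full-length SSID that is either not printable ASCII or unusually random-looking."""
    printable = all(0x20 <= b < 0x7F for b in ssid)
    return len(ssid) == SSID_MAX and (not printable or shannon_entropy(ssid) >= min_entropy)


def parse_record(line: str):
    """Parse 'epoch<TAB>src_mac<TAB>ssid_hex' into (epoch, mac, ssid_bytes)."""
    epoch, mac, ssid_hex = line.rstrip("\n").split("\t")
    return float(epoch), mac.lower(), bytes.fromhex(ssid_hex)


def find_beaconing_sources(lines, min_hits: int = 2):
    """Return {src_mac: hit_count} for stations that sent at least min_hits suspect SSIDs."""
    hits = defaultdict(int)
    for line in lines:
        _, mac, ssid = parse_record(line)
        if is_suspect_ssid(ssid):
            hits[mac] += 1
    return {mac: n for mac, n in hits.items() if n >= min_hits}


# Constructed sample: one benign 32-char SSID, one short SSID, one station beaconing twice
# a minute apart, and one station seen only once (below the repeat threshold).
SAMPLE = [
    "1439000000.1\tDE:AD:BE:EF:00:01\t" + b"xfinitywifi-guest-xfinitywifi-gu".hex(),
    "1439000000.5\tDE:AD:BE:EF:00:02\t9f3a0c71e5b2d84406ffa9137c5e20bd48a1e67f03c9d25b8e14f7a6c3d0b592",
    "1439000030.0\tDE:AD:BE:EF:00:03\t" + b"HomeNet".hex(),
    "1439000060.7\tDE:AD:BE:EF:00:02\t02c4e8a1fd6390b75e1c2a8f47d03b9ec51a76f0e48d3b2c9f15a6e07d3c4b81",
    "1439000090.2\tDE:AD:BE:EF:00:04\t1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f809",
]

if __name__ == "__main__":
    print(find_beaconing_sources(SAMPLE))
```

The repeat threshold matters because a single odd SSID is common noise, while the once-a-minute cadence from one station is what stands out.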
Well, you have a copy of it now on... Oh, look, hey, more. So when they come in, let me give you the ending notes. Sir, thank you. Not mine. My lawyer will contact you shortly. This is... That's it. It's probably going to go up on Reverend's GitHub, because I don't want people bugging me about it, even though I wrote it. So, thank you very much to Hak5 for being so generous with... They suggested that I even do any of the presentation stuff at all. I wasn't going to do that. Like I said, just spread it. To authorized devices. Only. Thanks to DEF CON, etc. The Wi-Fi Village, thanks to this guy who has given me more than he should have. That other guy whose father hates him as well. My dad loves me, actually. But I feel bad for that guy. Any questions? If not, I think we're done. Thank you so very much. Have a wonderful day.