Alright, now that I've wasted enough of Josh's time: this fine gentleman has been competing in our Capture the Flag for two, three years. Three years now. I see him every year. He submitted a talk to our call for papers, and we promptly went over it and said, who the hell is this? So I was kind of interested: should we let him talk? Yeah, okay, sure, let's let him talk. Then he shows up and I'm like, wait, that's you? Aw man, why did I approve that? So without further ado, here's a guy who keeps making me do more work at the Capture the Flag, Josh in General. For that we thank you.

Alright, so I just want to cover... I'm also part of NoVA Hackers, and I currently do incident response in Northern Virginia. This research is not related to that job. So in the overview, we're going to lay out some basic things, then we're going to hop into... I'm talking to the mic. Oh, sorry, whoops. Yes, I forget about these things. Alright, so now they can actually hear me.

We're going to go over Wi-Fi: we're going to talk about the hardware and software that you need. We're going to talk about attribution, so finding people over Wi-Fi and figuring out who they are and where they're from. We're also going to talk about tips for protection, so how you can protect yourself from these kinds of attacks. We'll also go over the same things in Bluetooth as well.

Alright, so you're a defender. You are walking around with your laptop on your back, you've got a cell phone, you might have a Fitbit; all these things are transmitting things about you. Your Wi-Fi devices are telling everyone what networks you've connected to in the past. Your Bluetooth devices are giving away your MAC address, and if you have a name on it, it's giving that away. You might have RF, so if you're typing on your laptop, there are RF signals that are going out. There are also a lot of other things; like with a laptop, this one's going over VGA, so people could be picking up that as well.
We won't be talking about those, but those are things to just kind of have in the back of your mind. The other thing is, if you have a GSM device, so a MiFi or a cell phone, you're also going to have connections to whatever tower you're on as well, so that can determine some things about you. So if you're staying in a room and you've got AT&T, people might be able to pinpoint you. Alright, so you lose. You can't protect against people picking up these signals if you want to actually walk in the real world.

So for discovery mode, for Bluetooth, you can get your MAC, several of these things. Good OPSEC is, when we're doing these attacks, we're not going to actually connect, so we're just going to sniff. You can use the decibels in order to home in on someone, so the closer to zero, the closer you are to the person. There are also two types that we'll be talking about today. There's Low Energy. Those are things that require a battery, such as an alarm system or fire extinguishers that might have some kind of Bluetooth in order to register or do whatever. Then you have Classic. That's normally what's in your phone. Most things that I've been seeing, and I've been doing this for several months now, I see a lot of Fitbits, a lot of iPhones, Androids, and entertainment systems. So if you go to someone's house, you'll probably pick up their entertainment system. If they're in an apartment complex, you'll probably pick up other people's iHome or whatever that is.

For Wi-Fi, every Wi-Fi network that you've ever connected to, if you have not cleaned this out, is actually being broadcast back out. So as you can see, I went to the Marriott. I had a friend that had a Verizon MiFi; I connected to that, and I was playing around with ASCII and created a little fun fingers-up guy, and I connected to that as well. So all these are broadcasting and are identifiers to me. So they can give away what home you have for your Wi-Fi. They can also give away your work.
So if you work at a network company, and it's IT Widgets, then they'll know that you work at IT Widgets because you've connected there once and it's broadcasting wherever you go. And also your friends. So if your friend has a distinct Wi-Fi that's been logged and has been loaded up on the Internet, and we'll talk about that a little bit later, then you can also pick that up and kind of get location information.

So, hardware needed. I recommend the Alfa, specifically the RTL8187. It has some capabilities, since some drivers have been written for Android. So you can use that to just have it in your pocket and walk around and pick up pcaps. I'll be showing this today on a Linux system. And then the other piece that you'll need in order to use it with Android is an OTG cable. You can pick those up for about $3 to $5 off of Amazon. And I'll post the slides; that's actually the link, so you can get the one that I have that I know works.

For software, we have WiGLE WiFi, one of my favorites. We have PCAP Scanner on Android, which is kind of a version of Kismet that's been ported. I'm not sure if it's the same author or not, but it works pretty well. Then there's a tool called BitShark. If you don't mind paying $5, this is an excellent way to look at the actual pcaps on your phone. It also has the capability, if you're an enterprise customer and you use CloudShark, to upload the pcaps directly to CloudShark. So then we have Kismet for Linux and Windows, and we also have Aircrack. On Mac, you probably want to just throw up a VM, because all the ones I've tried really don't work well, and it's just easier to throw up a VM instead of fighting with all the drivers and whatnot. Then you have Wireshark and tcpdump, and Wireshark also has a command-line version called tshark. We'll show a little bit about that, and those work across Mac, Linux, and Windows.
So you can do your capture on Linux or, sorry, Linux or Windows, and then just move it over to Mac if that's what you're more comfortable with.

All right, so this is WiGLE WiFi. We use this a lot, actually, in the WCTF in order to track things and get an idea of what's going on around. You can see it's the icon in the top left there. It has a lot of information, so you've got your dBi in the bottom left. You have a MAC address; it shows the SSID. You've got GPS location, because you've inherently got that on the Android itself. It shows you speed, so in this particular one I was actually doing it while in a car. Not, you know... I threw it over there and drove and picked up different things. Not driving. It also has several other pieces of historical information, and it has data where it's actually keeping a database that you can upload to WiGLE, which will allow you to see all kinds of fun stuff there.

So this is what the interface looks like when you upload it. You've got a lot of different features here, and people have been uploading to this for several years. So as you can see, it goes back to 2001. So you've got a lot of data, so when you're trying to figure out who's who, you can go on this site and actually track down people based on what people have uploaded and done for wardriving. In this particular one, I did the Baileys Hotel, and you can see all the Wi-Fi that people have uploaded from this. It's got latitude and longitude, and it also has an option for searching an actual address down there on Google Maps. You can get in, homing.

So this is the PCAP Scanner. It has to have the RTL plugged in via the OTG cable. Then it also has an option to export it, and what I normally do is I open it up in the file manager, and that'll give you an option of all the apps that can open pcaps. And as you can see, BitShark is the top one there. So here's the BitShark interface. Over on the left, you have a selection of different pcaps.
It shows the size, what Ethernet it was picked up with. It has a MAC address and basic information. So what I normally do here is just kind of look for ones that are large, or the size that I'm looking for, and then I click on it and I get all this data. So you actually have the data hex in the bottom. You have the Ethernet frame packets that have been parsed out for you, and then you have some basic information, which you saw, to correlate from the other screen. They also have statistical information, so those are the filters down there, the middle two icons, and that kind of helps you if you're wanting to parse something out.

So this is Kismet. This is a little hard to see, I'm sorry. They don't have the greatest coloring when you start it up, but as you can see here, I've selected Auto Group Probe, and this is showing different Wi-Fi devices that are actually attempting to connect to different hotspots. So they're not even associated. You're getting this information without them even being connected to an AP.

The other thing is Aircrack. Aircrack is a little bit cleaner with its output. I created a script because I forget things very often, and so I essentially just have a case loop and several different files that do various different actions. I'll actually be posting this later on today after the slides so you guys can use it. Breakdown: it'll allow you to put your WLAN adapters in monitor mode. You just do monstart or monstop, whichever you want to do. It'll loop through all the ones on your system, and you can say yes or no whether you want to throw it in monitor mode. You can do config, which, if you can see up there at the top, I've selected a config that has channel 11, has a certain BSSID, and it's gonna put a file out with test three. It also has the option to capture all BSSIDs, and then also you can toggle it so it uses the one from the configuration.
So, in the next slide I'll be showing where I selected all of them and how you can actually look at that. Handshakes: you can test it for handshakes, so if you're doing a WPA attack you can actually just go through, it'll create a screen, you can hop into that screen and go back to this, and it'll kind of help you figure out what's going on. So we've actively been using this in the wireless CTF, and it's been working fairly well.

All right, so this is just kind of the loop that I was talking about earlier. And then you can see over on the left-hand side, sorry, your left, yes. That is very, very, very small. So this was just collecting everything that I possibly could. What you can do if you have this is... what'll happen is it'll run off of the screen, so just adjust the text size in the terminal, stop the pcap collection, copy it out and throw it into a text file, and you'll be able to see everything. So you can see down here, we've got some interesting ones: AT&T Wi-Fi, Belkin, Guest, CCC-W Wi-Fi, Coffee Bean. So these are all indicators about this particular person, and that's their MAC address, so we can kind of correlate all that together. And then the bottom one here has got some actually interesting identifiers, so we can kind of track down where in the world they're located.

So using that, we can actually look at FCPS Mobile. If you notice, FCPS Guest. So this is actually, Rick, are you listening? This is actually either a middle school or a high school that someone connected to in the Fairfax, Virginia area. We also have some other information about where they might have gone; they might have gone to New York. We have Century Building 11A. And then we also have the FCC building. So if we go back, we can see FCC Public is also one of the options there. So we've kind of got some information about where they've been. Searching FCC, I put in the actual address of the FCC there and I was looking around. I didn't actually see FCC Public as an actual hotspot.
So that's the thing to know with this attribution. It's sometimes hit or miss: sometimes you get really dialed in and other times it's a little more vague. So that's just the way it goes with attribution. So before you actually definitely say this is so-and-so, or this is a person that does that, you've got to work with your degrees of variability there.

All right, so how would we do this if we wanted to do it in Wireshark and not just, sorry, Aircrack? So for this one, I picked Andrew's iPhone 6, which was a hotspot that people were jumping on. So essentially I had done this capture right off of the PCAP tool on the Android. I threw it in Wireshark and I selected Statistics, WLAN summary. So it'll show Andrew's iPhone, other Wi-Fi hotspots, Baileys, whatnot. It shows all the associated different connections to it. And if we pull one of those MAC addresses out, we can see which ones those have previously connected to. So if you see 94.94, it was one of the... actually 16, yeah, so it was the Apple device, the second Apple device right there. You can see that these are the wireless connections that they've done previously. So if I was gonna do some analytics, I would probably go with the fourth one down there, the A194809, and go through WiGLE and try to find where that's actually located.

The other thing you can do is use tcpdump. So you're gonna grep essentially for 0x0030 and 0x0040 using the -nnr flags, which is network neighbors. And you'll see right here we've pulled out one that's AT home base.

All right, so moving on to Bluetooth, we have several different software packages for that. You can also run it on a desktop or laptop, but I'm not gonna probably go into that too much because I want to focus on the actual Android. And the reason I want to do that is because Bluetooth range is very low. So you're probably gonna get about 35 feet, maybe 40 at the max. You're wanting to home in on your target.
If you're having a laptop and you're running around doing Bluetooth, that's not very good. But as you can see, I've got an Android device in my pocket. You know, that's pretty inconspicuous and reasonable for me to have.

All right, so we've got Ramble, BlueScan, and Bluetooth SmartScan if you're so inclined to have an iPhone. The only hardware that you would possibly need is the Ubertooth. I'll be perfectly honest, this is something I'm learning, but I wanted to throw it up here just so if you guys wanted to check it out and work through that, you could.

All right, so this is what Ramble looks like. A lot of people are actually using Ramble, primarily because it gives you a lot of data in the middle and it also gives a quick look at where that actual device was found. So you go from the device over here, which was a Fitbit Flex, which is one of the ones that they do for health checking and all kinds of other fun stuff, how far you've run, whatnot. And then here is the point where I actually found that.

I personally like BlueScan a little bit better. And the primary reason for this is Ramble will export everything as an SQLite database, whereas Ramble will export it as a JSON file. That allows me to be able to move it into different implementations. And I've also been talking to the creator of BlueScan, and he's doing some really cool stuff. He's creating a WiGLE-like setup where you can actually upload your data and then you'll be able to see it on a map. He doesn't have it fully implemented, but I've actually written a tool so that you can build it out yourself. So as you can see here, you've got your local MAC, so that's your actual device itself. You have the MAC that you're attempting to sniff, then you have your longitude and latitude, you have any description data as well, and some other characteristics like the dBi and altitude. So here's some things. Like I said, these slides will be posted.
If you guys just follow me on Twitter, Josh in General, I will publish all of this, and anything else that I build will also be posted there as well. So for the first one, you'll take the JSON file, you'll egrep, and it'll pull out a MAC address. And so what I've done here is you're gonna go -B 3 and -A 8 so that you can actually get the full area around it. So you can get the local MAC and then you can also get the other stuff that you're interested in.

If you notice the... hold on, let me stay here real quick. So that number there, data seconds and timestamp, those are in epoch time. So epoch time is essentially the Linux time that was devised that goes from 1970 forward. So how many seconds from 1970? It's essentially a number from that. That doesn't really help me. I can't read that. It's not super helpful. But that being said, I can use certain tools in order to figure out what range I want. And this would be the script that you would use in order to do it on the raw JSON.

So how do we make this human readable? So there's a tool called Epoch Converter. You can actually Google for other ones as well. But you can just throw that timestamp in there and it'll parse it out. So the key thing to note is that the actual part that Linux will use goes up to 10 characters, and then they should have put a decimal point in there but they didn't. Epoch Converter is smart enough to know that, but if you're doing any kind of scripting off of it, just know that you're gonna need to go 10 characters in. And that's what I've done in the second, oh sorry, third script there. So for this part here, what I've done is I've said, okay, at this particular time I want to pull all the MAC addresses that I was looking at for that time. I'm gonna use Wireshark in order to figure out what those are. So we have an Apple device. We have an HTC Corporation device, and then we also have a Texas Instruments.
So what this is doing is it's just taking the first three of the MAC address, which are registered with the IEEE, and figuring out what device it is based on those characters. So if you actually do want to know what that actual epoch code was, you can use this script here. So what it's doing is it's taking the first 10 so that Linux isn't getting confused by the decimal point, then you're piping it to xargs date, and -r will go ahead and filter that out for you.

This last one here is a script that essentially I wrote so that when you go to Wireshark you can pull down all the identifiers that they've found for Bluetooth and you can pipe it into a file called maxLST. What you can do with that is then you can just grep through it and find other MACs based on that. So if you're looking for all your Apple devices that you found, or you want to look at all your HTC devices, you can use this script and correlate it off of the Wireshark data.

Now the reason I did this is because when I was talking to the guy that created BlueScan, Abram, he was saying that he was using the IEEE database. So it's a little bit different than Wireshark. Wireshark does some other correlative stuff, and they pull from other data sets that they can possibly find. What's interesting, though, is that some of the MAC addresses for Bluetooth are actually private. So he would find Bluetooth out in the field, he'd take the IEEE, say hey, what MAC address is this, you know, what device, and it would come back as private. So when he was conversing with them, they actually told him that there are dev Bluetooth devices that companies can register under a private name so that they don't disclose what it is they actually have, and then of course national security. So there are some of these that you won't find, and that's why I did the correlative to Wireshark, because they might have a little bit more in the database there.
All right, so like I was saying, we don't actually have something where we can throw a whole bunch of Bluetooth MAC addresses and longitude and latitude data in and get a very nice graph. So what I did was I took the JSON and I parsed it out in a way that has the MAC address as the key, longitude and latitude, and it allows you to see it on Google Maps.

So first thing we want to do is get our database. We want to export that database, and the current way that he does that is via email. So you just email it to yourself, download it, and put it in a file. So I just use them here, piped it in there. Then you'll want to run the parser, and what the parser will do is it'll grab all the longitude and latitude. It'll also grab the MAC address and use that as a name identifier, and it'll put it into an output.csv file.

Google Maps has a way that you can actually upload data to it. So just go to Google Maps, go to My Maps and hit Create. That'll bring you up a new screen here which will allow you to look at and configure your data. Go ahead and click Import. Make sure that you upload it as a CSV. So if you for some reason change the file name, it needs to be .csv. Google gets confused for whatever reason, I don't know why. But once you upload it as a CSV, you'll get a new screen that says, okay, longitude, latitude, and you just want to select those. And I've already, with my script, put the headers in there so you don't have to fiddle with that. Next thing you want to do, whoops, oh sorry. You'll want to select the name, just tell it, hey, I'm gonna use the name field as the key, and then you'll probably want to give it a name. So for this one I gave it DEF CON Wi-Fi Bluetooth data. And then this is what it looks like. So here's Mandalay Bay, where I was at Black Hat, and they have all these different Bluetooth pieces that I picked up, whether it be a Fitbit or Android or iPhone, and all these are now showing up as graphical data.
So it's actually accurate enough that I can see, okay, hey, these people were in the shops at Mandalay Bay. These other people were down by the Raffles Café. So it's pretty accurate actually with the GPS, because it's using all the things that you have built into your phone.

So in addition to that, when I was flying I was actually selecting to do Bluetooth scans. So here's how we can do attribution. So there was a girl on her iPhone. I'm not gonna show her face, of course, because that would just be creepy. But I saw that she was the only one with her iPhone out. So what I did was I fired up the Bluetooth and I started collecting information, and here is that information. So now if I was to be walking through the airport, I've essentially met her once and now I can be like, hey, I know you. Not creepy at all.

On a little more of a serious note, though, while I was at Black Hat, I noticed that there were some people in a detail. I'm not gonna say what federal agency, and I've blacked out their faces because I don't want to get in trouble and I don't want to get them in trouble. But they were all on their phones waiting for this person to come out. And so I was like, well, let me just go ahead and do some scanning and see what's up. So I was able to figure out, and there were about seven of them total, so you have the general here, you have two intel officers, and then some other people. This guy right here was how I figured out which agency it was, because he had it on his name badge. So you can see over here I did kind of a double sweep. So this is a salt card; actually, tell you what, let's hop over here first and then I'll move back to that one.

All right, so in the morning at around 11:30, 11:31, I found and did a whole bunch of scanning, so you can see that's really big. So I came back in the afternoon and I happened to see the general walk by and I was like, oh, they're still here. So what I did was I walked back over there and I threw the Bluetooth out.
And so now at 15:30, 15:13, I can't talk today, sorry, I was able to do a correlative and figure out that that was his Galaxy Gear. Now earlier in the day, I'd actually seen them at the table putting their phones out, and it wasn't actually a Galaxy phone. They also had their common BlackBerrys. So now I can actually correlate: any time I'm walking around, if I see this MAC address again, I can know that that security detail is here. Most times, just from what I've heard and understand, the actual target themselves will probably not have as much of a digital footprint. But by profiling their detail and the lack of security that they're doing, I can now figure out that that person is in the vicinity. So that's kind of bad.

The other thing that was kind of interesting too was I noticed that they were using what's called a salt card. So essentially what that does is, if someone steals their phone, they've got that salt card in their wallet or another place on their person and it automatically locks the phone. So just another piece of information that I can find out about the infrastructure that you're using, and if I see this as well, I can know that it's possibly them.

All right, so tips for protection. Turn Bluetooth off when not needed. If you're not using a headset or you're not using some kind of media center or you're not transferring files, just turn it off. It doesn't really need to be on; it's wasting your battery. The other thing is clean up your Wi-Fi. So if you haven't been to your friend's place in probably six months and you don't think you're gonna be going back, or they've moved, get rid of that access point, because it's giving information about you away. Also beware of who's around you. So if there's a guy that's looking really suspicious with his phone out, or he's got a cable kind of like this poking out of his pocket, you might want to throw it in airplane mode. Also scan yourself; know what you're transmitting.
So I scan myself and I also scan my network. So I recently went to Europe for work and I was playing around with this. Unfortunately, the pcaps were on the work computer so I couldn't use them. But I noticed that my work SSID, even though it wasn't around, was being transmitted. And I was in another country, and that's bad. So one of the things that I'm now considering when I travel abroad is to go ahead and delete the work laptop's SSIDs that I've used, you know, any guest or employee stuff. That way I'm not as much of a target. And so those are the kinds of things that I'm employing to try and reduce the attack vectors that I have on me.

So, does anyone have any questions? I know I probably moved through that a little bit fast. So there was a really good talk earlier, just yesterday, on these tools. So I actually haven't fuzzed... oh, yeah, sorry. So the question was, what kind of vulnerabilities are actually in these tools themselves? So I guess one of the vulnerabilities I could think of off the top of my head is, when you're uploading your WiGLE WiFi stuff in order to be able to get it into Google, you're giving Google some of your data, and also anyone else that uses WiGLE. So potentially, if you are scanning and you have that in your data set, and it was probably the first ones that came up, someone could essentially, if they were able to figure out that that was the one that you uploaded, they now know who you are and what you're doing. So that's one off the top of my head. But as far as fuzzing these or changing SSIDs to be any kind of weird stuff, I haven't actively done that. I guess another thing is you could put cross-site scripting or SQL injection in the SSID, and then with these tools, once you upload them, in whatever backend database you could possibly do some SQL injection or cross-site scripting. So those are two things I'm thinking of off the top of my head. If anybody else has anything, feel free to jump in. All right, next question.
Jander in the back. Yes. So the question is, have I found a lot of Apple Watches? I honestly have not done correlative analysis in order to figure out whether it's an Apple Watch or not, but I'd be interested to see. Okay, so yeah, so that was what Ramble was really good at. So their database on WiGLE was actually a little bit better, is that what you're saying? Yeah, of course, yes.

Correct, yeah, so what he was saying was, if you have an iPhone and you throw it in Bluetooth, all right, sorry, throw it in airplane mode, the Bluetooth will be shut off, but on Android you can pop the Bluetooth back on. So, gentleman here in... Right, yeah, so what he was saying, for those of you that can't hear, is that essentially there are apps that will figure out what cell phone tower you're on. In WiGLE WiFi you can actually see the cell phone tower, the SSID of that. And you can also use other apps in order to do correlative stuff off of that. So if I'm at home, turn on Bluetooth, then Wi-Fi, and when I'm not in that range, turn it off. One thing to note about WiGLE WiFi, because I did play with that, is it doesn't really have a way to export it to another device or actually push it to WiGLE. So that was kind of why I omitted it here, but it is definitely another thing that you would want to try if you're trying to figure out what the device is and you don't have it in your dataset for your database.

Can you correlate multiple different things, Bluetooth to Wi-Fi and things like that? Yeah, so I actually, when I was doing the detail, I actually captured pcap data too. I just didn't have a chance to parse through that, but what I could have done is I could have said, okay, I'm in this vicinity, I have these dBis, or these dBs, for these particular items, I know that here's what I'm looking for. So the MAC address of the Samsung Wi-Fi is also gonna be similar; it's gonna be a similar type of device. So then I could look at what that is connecting to.
So I might have been able to find FBI or DHS or CIA or something like that, and one of their public Wi-Fis that they had once connected to, and then correlate on that. I do know that some of the intel agencies are just using non-names that attribute to them, while other companies do that, so it might not be as valuable. You're saying that NSA surveillance van wireless probably isn't that valuable? I hate to break it to you, but yeah, NSA surveillance van is probably not them. But the FBI one is actually accurate. I don't know. Awesome. Any other questions, comments? One back here.

Oh, wonderful. So what he was saying back there is that Apple is infamous for using one-up, one-down MACs, so your Bluetooth might be 01 and then your Wi-Fi might be 02. So if you see one and then you see the other, you can do correlation. The other thing that's interesting too, and I'm not actually seeing it too much because I'm still able to pick up iPhones and those types of devices, is that Apple was actually trying to do randomized MACs. So I guess they would have a pool, and this was as of, I believe, iOS 8. What they were doing is essentially your MAC address would change on a regular basis. But if you had cell phone towers on, like if it wasn't in airplane mode, then it would still just go ahead and broadcast the right one. So I'm not really sure exactly how that works. I've been playing with it a little bit more. I've read a few articles, but I haven't actually seen it in a while. I've still been picking up Apple devices left and right.

Gotcha. Okay, so what he was saying is essentially the phone has to die or be turned off before it'll actually do the re-randomization. So if people are good about keeping their phones on, I'm really bad about that, but it would essentially stay the same. But it's still gonna be targeted as an Apple device. So you can do the correlation there. Yes, wonderful.
So this gentleman over here is able to track people based on a high-gain antenna. That's fantastic. Has that actually been able to lead to some prosecutions? Okay. Yeah, that's gonna be crazy. So I'd be interested if that's, I was assuming it's admissible in court, but yeah, I mean, absolutely. So, cool. All right, well, I'll go ahead and give you guys your time back. So thank you for coming.
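The Wi-Fi attribution part of the talk (the Kismet probe view, the Wireshark WLAN statistics, and the tcpdump filter that pulls probe requests out of a capture) all rest on one fact: an unassociated client's probe requests carry the SSIDs from its preferred network list, and the source address in the 802.11 header ties those SSIDs to one device. The block below is an added example, not the speaker's script or any of the tools named in the talk: it builds a constructed pcap of radiotap-wrapped probe requests with Python's standard library only, then reads the capture back and maps each probing MAC to the SSIDs it asked for, the same per-client "previously connected to" list the speaker pulled out of Wireshark. The MACs, SSIDs and timestamps are constructed sample data; the 8-byte radiotap header with no fields present is a simplification, and the parser skips a real header by its length field rather than assuming that size.

```python
import struct
from collections import defaultdict

# pcap link types from the tcpdump.org registry: 105 = raw 802.11, 127 = 802.11 with radiotap
LINKTYPE_IEEE802_11 = 105
LINKTYPE_IEEE802_11_RADIOTAP = 127
PROBE_REQUEST_FC0 = 0x40   # frame control byte 0: type = management (0), subtype = 4
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(src_mac, ssid):
    """Constructed probe request: minimal radiotap header + 802.11 header + SSID/rates IEs."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)                       # version, pad, length=8, no fields
    mac_header = (bytes([PROBE_REQUEST_FC0, 0x00]) + b"\x00\x00"      # frame control, duration
                  + mac_to_bytes(BROADCAST)                            # addr1: destination
                  + mac_to_bytes(src_mac)                              # addr2: source (the client)
                  + mac_to_bytes(BROADCAST)                            # addr3: BSSID (wildcard)
                  + b"\x00\x00")                                       # sequence control
    ssid_bytes = ssid.encode("utf-8")
    ssid_ie = bytes([0, len(ssid_bytes)]) + ssid_bytes                 # element ID 0 = SSID
    rates_ie = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])                   # element ID 1 = supported rates
    return radiotap + mac_header + ssid_ie + rates_ie


def build_pcap(frames, linktype=LINKTYPE_IEEE802_11_RADIOTAP):
    """Wrap frames in a little-endian pcap container (constructed capture, fake timestamps)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    records = [struct.pack("<IIII", 1420070400 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


def read_pcap(data):
    """Yield (timestamp_seconds, linktype, frame_bytes) for each record in a pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian pcap (magic a1b2c3d4) is handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack("<IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, linktype, data[offset:offset + incl_len]
        offset += incl_len


def parse_probe_request(frame, linktype=LINKTYPE_IEEE802_11_RADIOTAP):
    """Return (source MAC, SSID) for a probe request; None for any other frame type."""
    if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
        if len(frame) < 4:
            return None
        frame = frame[struct.unpack_from("<H", frame, 2)[0]:]   # radiotap length field at offset 2
    if len(frame) < 24 or frame[0] != PROBE_REQUEST_FC0:
        return None
    src = bytes_to_mac(frame[10:16])                              # addr2 follows FC(2)+dur(2)+addr1(6)
    ies, offset = frame[24:], 0                                   # probe request body is IEs only
    while offset + 2 <= len(ies):
        tag, length = ies[offset], ies[offset + 1]
        value = ies[offset + 2:offset + 2 + length]
        if tag == 0:                                              # empty SSID = wildcard probe
            return src, value.decode("utf-8", errors="replace")
        offset += 2 + length
    return src, ""


def preferred_networks(pcap_bytes):
    """Map each probing client MAC to the sorted SSIDs it asked for; wildcard probes are dropped."""
    seen = defaultdict(set)
    for _, linktype, frame in read_pcap(pcap_bytes):
        parsed = parse_probe_request(frame, linktype)
        if parsed and parsed[1]:
            seen[parsed[0]].add(parsed[1])
    return {mac: sorted(ssids) for mac, ssids in seen.items()}


# Constructed capture: two clients, one wildcard probe, and one non-probe (beacon-type) frame.
SAMPLE_PCAP = build_pcap([
    build_probe_request("02:11:22:33:44:55", "FCPS Guest"),
    build_probe_request("02:11:22:33:44:55", "Marriott_GUEST"),
    build_probe_request("02:11:22:33:44:55", ""),
    build_probe_request("02:aa:bb:cc:dd:ee", "AT home base"),
    struct.pack("<BBHI", 0, 0, 8, 0) + bytes([0x80, 0x00]) + b"\x00" * 34,
])

if __name__ == "__main__":
    for mac, ssids in preferred_networks(SAMPLE_PCAP).items():
        print(mac, "->", ", ".join(ssids))
```

On a real capture, pass the file's bytes to `preferred_networks` instead of `SAMPLE_PCAP`; captures written without radiotap (link type 105) are handled by the same parser because the link type is read from the pcap header. The wildcard-probe filter matters for the attribution step: a client that only sends empty-SSID probes leaks its MAC but not its network list, which is what cleaning out old saved networks, as the talk recommends, actually buys you.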
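The Bluetooth workflow in the talk is three shell one-liners plus a web form: grep context around a MAC in the BlueScan JSON export, truncate the 13-digit epoch timestamp to 10 digits before handing it to date, look the first three octets up against an OUI list, and emit a name/latitude/longitude CSV that Google My Maps will import. The block below is an added example that does the same four steps in one place; it is not the speaker's parser or BlueScan's own code. The export's field names (localMac, mac, lat, lon, alt, dbi, description, timestamp) and the records themselves are constructed for the example, and the OUI table is a two-entry stand-in for the IEEE registry or Wireshark's manuf file, so real lookups need that file loaded in its place. Private OUI registrations, which the speaker says come back as "private" from the IEEE, fall through to the unknown case rather than being silently mislabelled.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample shaped like a BlueScan-style JSON export. The field names are an
# assumption for this example, not the app's documented schema.
SAMPLE_EXPORT = json.dumps([
    {"localMac": "11:22:33:44:55:66", "mac": "AA:BB:CC:01:02:03",
     "lat": 36.0915, "lon": -115.1760, "alt": 620.0, "dbi": -58,
     "description": "Flex", "timestamp": 1420070400123},
    {"localMac": "11:22:33:44:55:66", "mac": "DD:EE:FF:0A:0B:0C",
     "lat": 36.0918, "lon": -115.1755, "alt": 621.0, "dbi": -71,
     "description": "", "timestamp": 1420074000456},
    {"localMac": "11:22:33:44:55:66", "mac": "01:23:45:67:89:AB",
     "lat": 36.0920, "lon": -115.1750, "alt": 619.0, "dbi": -80,
     "description": "", "timestamp": 1420074000789},
])

# Constructed stand-in for the IEEE OUI registry / Wireshark manuf table (prefix -> vendor).
OUI_TABLE = {
    "AA:BB:CC": "ExampleVendor A",
    "DD:EE:FF": "ExampleVendor B",
}


def epoch_to_utc(ts):
    """Convert an epoch value to an aware UTC datetime.

    Exports that store milliseconds have 13 digits with no decimal point; keep the first
    10 digits (whole seconds), which is the truncation the talk describes for scripting."""
    digits = str(int(ts))
    seconds = int(digits[:10]) if len(digits) > 10 else int(digits)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def oui_vendor(mac, table=OUI_TABLE):
    """Vendor for the first three octets; unknown covers unlisted and privately registered OUIs."""
    prefix = mac.upper().replace("-", ":")[:8]
    return table.get(prefix, "unknown (not in table; may be a private registration)")


def load_export(raw_json):
    """Parse the export and annotate each record with a readable time and a vendor guess."""
    records = json.loads(raw_json)
    for rec in records:
        rec["seen_utc"] = epoch_to_utc(rec["timestamp"])
        rec["vendor"] = oui_vendor(rec["mac"])
    return records


def seen_between(records, start_epoch, end_epoch):
    """Records observed inside a time window, the 'what did I see at 11:31' question."""
    start, end = epoch_to_utc(start_epoch), epoch_to_utc(end_epoch)
    return [r for r in records if start <= r["seen_utc"] <= end]


def macs_for_vendor(records, vendor_substring):
    """All sniffed MACs whose OUI resolved to a vendor containing the given text."""
    needle = vendor_substring.lower()
    return sorted({r["mac"] for r in records if needle in r["vendor"].lower()})


def to_my_maps_csv(records):
    """CSV with a header row so Google My Maps can pick name/latitude/longitude on import."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["name", "latitude", "longitude", "seen_utc", "dbi"])
    for r in records:
        writer.writerow([f'{r["mac"]} ({r["vendor"]})', r["lat"], r["lon"],
                         r["seen_utc"].isoformat(), r["dbi"]])
    return buf.getvalue()


if __name__ == "__main__":
    recs = load_export(SAMPLE_EXPORT)
    print(to_my_maps_csv(seen_between(recs, 1420070000, 1420080000)))
```

To use it on a real export, read the emailed JSON file into `load_export` and write the CSV to a file ending in `.csv`, which is the extension My Maps expects. The window filter works on the truncated seconds, so two sightings inside the same second compare equal; if an export ever carries sub-second precision you want to keep, divide by 1000 instead of truncating.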