Thanks for coming to my talk and showing some interest. I'll be showing this slide again during the questions portion so you can write that down or follow whatever. So my name is Steven. My friends call me Steve-O. This is my 11th DEF CON and my first time as a speaker. Yeah, this is kind of cool. This is my third year participating in the Wireless Capture the Flag. My team has won three years in a row and two of the years we won a black badge. My day job is I'm a system engineer or ops guy, as a lot of people like to call it. And at night I like to play with security stuff.

So, now Rick gave a breakdown of what fox hunting was. I'm not sure how many of you guys were there when you saw him go over that. But basically they release people out there with Wi-Fi foxes in their pocket that have a BSSID associated with it. And we're supposed to go out there and try to track it down and follow where it is and ask the person if they're the fox. One of the new challenges, which is kind of cool, I wrote this into my program as crack the WPA. So anyhow, the foxes actively avoid you. So if you have like a Wi-Fi cactus on your back and you look like you're looking for somebody, you're not going to catch the fox because they're going to avoid you. And sometimes they can go into non-public areas and go hide and stuff, so you have to like wait it out or what have you. So you have to kind of be stealth about it. And that's kind of what this tool is based on is the ability to just have like your Pi hiding in your backpack or you know, wherever you want to put it. And search for the fox from audio cues.

So I just kind of went over this. Why built this? And inspiration was kind of like a Wi-Fi Geiger counter. Wouldn't it be cool if you could like walk around and you know, the frequency of the clicks would increase as you got closer to the fox. So last year my team captured the fox with version one of this software and it's on GitHub.
You can download it now and you can like throw it on your Pi if you can get it to work. That version has click only so it's just sound. The configuration wasn't dynamic so it didn't have a web UI or anything like that. And there wasn't any external interaction like pulling from an API or something like that.

So version two is what I'm hopefully going to demo today if things go well. And I'll go ahead and release that version to my GitHub repo after DEF CON. This has a web UI. It's team aware so I have a Slack integration. So you can put a Slack command in say like add fox with the BSSID and it'll talk to the database and my device will go and grab that dynamically. It also has an auto cracking feature with Wifite 2. Really cool tool. It's point and shoot. It's really simple. If you haven't used it I'd recommend giving it a shot. It's pretty neat. I have other ideas and actually Zero was just talking to me about maybe doing a little collaboration with this. Yeah, might be cool. I had a lot of fun making this too by the way.

So a minimal setup which is kind of what you see on the table here is going to cost you about $90. So this particular version is running Kali on the Raspberry Pi so it's a Kali image. I'm using an Alfa adapter that can go into monitor mode and do packet injection. It has a USB sound card because I couldn't get the onboard version to work and it's a little particular about the USB sound card so some of them crash so you have to find the right one. I'll probably work on that later. I didn't have time to go around. Obviously you have a battery pack and headphones. So this is, you can come up and look at it or this is what it looks like picture wise and I'll post a link to the slides after so you can download them.

So from a program flow perspective, so me as a user, I have my phone with me and I'm connecting to a shared AP between me and the Pi and I interface with a web UI where I can issue commands.
I can select what BSSID I want to scan for and there's also a flag to auto-crack. So it's not turned on by default. In the background, it's got the cracking adapter basically that does the scanning, the signal scanning and does the cracking. The program is controlled and it has a shared state among all the threads. This is the first time I've actually written a multi-threaded application too which was interesting. So it's got a UI module which you'll see where you control it. A sound module which is what controls what is played sound wise. A signal scanner which is telling, it's constantly pulling when this is turned on telling you what the signal strength is and depending on what the situation is it will play different sounds and there's a module that pulls the API to see if there's new foxes and it will play sounds depending on if it successfully pulled it or it had an error. And I don't know, you might hear both sounds, you might just hear one.

And yeah, so I kind of went over the Slack part so the team could be sitting at the workstation and they could type a command into Slack that will add the MAC address or the BSSID. That will in turn go to a Flask app in AWS and the PyClicker will download the latest data. Yeah, so it's just kind of an interactive component. I do some of this for work so the Slack stuff and the API was kind of fun to do. So, yeah, I think I kind of went over some of the design principles.

Now I'm going to try to do a live demo. I have screenshots just in case it doesn't work. I practiced this a couple of times so we'll see how this turns out. All right, stand by. All right, so sorry about that. Didn't realize I didn't have the microphone. So, I am going to, I clicked on the wrong one. I have two active APs by the way, so. All right, so that's the sound where it's not picking up signal and this should pick up in just a second. Anytime. So who wants to go like run away? All right, here you go. Yeah, you need to come back.
Yeah, I'd like my AP back, thanks. Yeah, so you don't need to go very far like, you know, I don't know, go down that way a little bit. And he's holding it up to his badge. Now it doesn't do anything with the badge. Go that way a little bit. I want it to disconnect and play the sonar sound. Can you guys hear this okay? All right, cool. What's going on the program here is like this is the debug stuff. It's not going to be nearly as verbose. You know, when it's actually enabled. All right, so we lost signal. All right, you can come back now. Oh, did you, did you, did you have your, okay. If you put it in tinfoil it will stop responding too. What's that? I think there's a lot going on in this room too, so it kind of makes sense. Or did it switch off? No? It's possible someone's messing with it too. Like that's, that is a very, yeah. Anyway, so it, especially when there's not a whole lot of interference it actually works pretty well.

So in order for it to start cracking it needs a number of successful pulls. How many is it at right there? Okay, 18. So that should be enough. And we're going to, let me see here. You guys haven't seen the web UI yet, have you? Sorry about that. I forgot that I had it up here. All right, so does it say enabled or cracking enabled? Sorry, it's a little awkward. You know, you got to have something to listen to while it's doing its thing. And I may have lost connection to the Pi. Let me make sure. Yeah. Second. All right, so that's Wifite doing its thing. Now I need to connect to it so it can properly deauth. Did it cap it yet? I can't tell. All right. All right, so now it's doing its cracking. And it's a Pi because this isn't very fast. I thought about offloading that to the AWS instance as well, but didn't have time. Any day now. That's the tone to like, okay, you can go on to the next one. You can go grab the fox and say, this is the passphrase. So don't need any of those slides now. This was just in case the demo got wonky.
All right, so does anybody have any questions? It was like super secret secure passphrase or something like that. What's that? Yeah. Yeah. Anybody have any other questions or that word list? I was like 200K or something like that. The word list this year is like 6, 335K, I think. Or actually, I'm sorry, lines. So words, yeah. Yes.

Features, I want to add Bluetooth scanning. I also, during the signal scanning portion, it's actually going through all the different BSSIDs and names. I also want to generate a list of BSSIDs that are dynamic in that web interface that I showed you so that, I don't know, you can select one of those without having to actually do any configuration. Like I said, I didn't have time to do that, but yes. No pictures, I guess. Yes, actually, I have one. So my thought is when you're doing the fox hunting is you can use omni to get a general vicinity and then when you have a lock on the fox and you can use the directional one. Yeah. So that's the plan anyway.

Yes, sir. I have thought about that. Math is hard and I didn't have enough time. But yeah, that's an awesome suggestion. I have thought about it, but yeah, I didn't. Yeah, maybe version three. And like I said, the source code is going to be online. So like, if you guys want to contribute, feel free. It's totally welcome if you can bear my crappy code. So all right guys, well, thank you very much. And thanks.