Thanks for staying late. This is the latest talk this year at Packet Hacking Village of any day. So, appreciate sticking around. Oh yeah, a presentation. So, in case you don't know, we're talking about mapping Wi-Fi networks and triggering with interesting traffic patterns using a new tool called trackerjacker. So, a little bit about myself. By day, I work for FireEye on the Mandiant side, basically doing kind of like R&D for our consultants and that kind of stuff. I've been programming for about 18 years. So, I come from more of a software engineering background and I kind of pivoted into cybersecurity like three and a half years ago. But I definitely enjoy it. And I typically enjoy programming stuff but also like hacking stuff and then mathy kind of stuff. So, things like radio are really interesting to me because you kind of have to use mathematics to pull the signal out of the air and that kind of stuff. And ontologically, I describe myself as a Christian mystic which is like a weird term you can ask me about later if you want. So anyway, many consultants are like ninjas and the team I work on is kind of like the sword makers basically. I like fuzzy things like this dog and also things like fuzzy signals because yeah, like I said, I think it's really cool trying to pull the signal out of the air or the signal out of the noise. So, programming is cool and it's cool to move things around on the screen and that kind of thing. But if you want to move things in the real world, you kind of have to get out into the real world. Your programming needs to get out in the real world and every time you need to do that, whether it's image recognition, radio stuff, text or voice, you got to deal with the fuzziness and so that's kind of where I'm coming from. I've been into the IoT stuff before I knew it was called IoT and I kind of come in from that direction like doing kind of like IoT things. 
I did a Raspberry Pi security system because I find the IoT stuff cool and that was actually part of what drove this tool being created. Let me make the text bigger. So, while attacking school, I've been into it for a while and I've kind of worked at a lot of the different layers. Back in the day, I did a good bit at layer four and three but with things like encryption, sometimes that's less fun. I've also kind of dropped down into the physical layer. I did a talk here at DEF CON last year with software-defined radio and crafting signals and that kind of stuff. With this talk, we're going back up to layer two, the physical layer or not the physical, the data frame layer and for a while I kind of felt like this layer was a little bit boring because ultimately at this layer, almost every Wi-Fi is encrypted and so the data is encrypted. So, what is interesting there? And well, you can basically look at the data in the frames. You've got the source MAC address. So, some of this stuff, systemically they cannot encrypt because they need that data for the wireless communication to happen, right? So, things like the source MAC address and destination MAC address have to be there. Things like the network SSID, the BSSID, the type of frame that it is and then you have just a bunch of encrypted data. So, it's not super exciting just looking at that but let's add on the inferred data we can ascertain. So, we can also get things like power level implicitly based on the signal strength, we can get time, we can get the manufacturer of each device from the IEEE database and we can also keep track of things like the network that each device is connected to. So, if you look at any given frame by the way in 802.11, they don't all say I'm from this to this and I have this SSID. If you wanna keep track of that, you need to actually be keeping an internal database of this is all the devices on this network and that kind of stuff and that's kind of what we are gonna get into. 
So, this was kind of my problem. Like I said, I kind of am into IoT kind of stuff and you know, everyone's just going crazy making all these new IoT home automation systems and they don't all talk together very well. And so, I had a Canary which is like an IP camera and it never ended up wanting to talk to my Wink security system. And so, with a Wink, you know, I have like an alarm like sirens and lights and that kind of stuff and I was like, well, I would like if the camera sees motion and it's armed, turn on the sirens. So, you know, I thought, well, I could like try to root the device or something crazy like that. And I thought, well, what if I just look at, so it's a cloud-based camera, so it's gonna wanna upload the video to the cloud as fast as possible. If someone breaks in, they're gonna take the camera and crush it, so ASAP, let's upload that video. So, basically what I did is I just said, well, if I can look at the data and look at the threshold, look at some threshold and say, if it's above this threshold of data coming from the MAC address of the camera in some period of time, consider that motion was detected because it's uploading a video. And so, that was kind of the approach and that kind of created the whole trackerjacker program. You know, there is, I'm a Python programmer and so I have these problems where, you know, I have some problem and it's very much in quotations and I end up writing a program to do it. So the solution was trackerjacker. So, trackerjacker is, so I wanna talk about, I wanna show you briefly a little demo of trackerjacker and then I wanna jump over to some radio theory, very light radio theory and then I'll show a few more examples of using trackerjacker. So, it is open source, it's on GitHub, it's on PyPI, the Python index and you can just, it's a single, in theory it's a single command to install it. You can pip install. 
So, the first demo that I wanna do, so the thing is I didn't really wanna bring my camera and connect it to DEF CON Wi-Fi. So, I recorded this demo at home. So, I'll go ahead and play this demo and basically I'll skip ahead because I think I have a little introduction. Now, I'll just, I'll talk over it. Here we have a setup, test setup. So, basically, you know, I've got this, this is a, let me meet myself there. So, I've got, this is the siren right there. I've got trackerjacker running on the laptop and what's gonna happen is the Canary camera faces the other direction and when I move over there, it should pick up motion and then try to upload the video, so I'll show what that looks like in a second. It should try to upload a video which trackerjacker would then see and which, whole thing, sorry about that. That causes trackerjacker to run the script, which should take just a second. Oh, there it is. You can see something print out on the screen. So, that's kind of the idea and I clicked the video right after that. So, do you guys kind of see what happened? I mean, basically, the camera saw motion, trackerjacker saw that motion, detection, it hit the threshold and behind the scenes, so trackerjacker, it has two main ways of doing an action. You can either have it call a script like I did in this example or you can write a plug-in and so I simply had a script that could turn on the sirens and that's how that connection was made. The other demo I'll show you right off the bat is this one. So, I always, whenever, or not whenever, but often it ends up being the case where I'm doing a wireless hacking thing and they ask me if there's audience participation, I always say yes, there is audience participation but it may not be voluntary. So, I've just been running, I've been running trackerjacker in the background last hour or whatever. So, you know, it's basically just picking up all of the Wi-Fi devices and it's building a map. 
And so, I'll go ahead and show you what that looks like. So, as you can see, it's just scanning and you can see here it's channel hopping. So, it's automatically cycling through the channels, it supports whatever channels your Wi-Fi adapter supports. And what it does then is packet hacking village. It outputs it in this YAML file where it's, so I chose YAML because it's human readable but if you wanna write a program to parse it yourself, you can and so it's kinda cool because it's both the output in a file, nice, clean, simple file as well as the database. So, ultimately to be keeping, to do really interesting stuff, you need to keep track of all these relationships and so internally, trackerjacker keeps them in memory and then it serializes to this file from time to time. And so, what you have is at the top level here, each SSID and then underneath that, you have each BSSID or basically the nodes of that network and then underneath that and you can see things like the signal, channels it's on, the vendor. Let's find one that has some actual clients connected because there's a lot of noise apparently around here who would have thought in the Packet Hacking Village. So, a lot of these are, let's go down to, I'm just gonna have people on it. So, right here you can see this node of the Caesars Villa has these devices and so it's just got the MAC address, the bytes it's seen sent recently, the signal strength, the manufacturer and it has that then for every Wi-Fi device that's within range. And, let's see. And so, I wanna just briefly show how that works. So, I wanna look at how Wi-Fi works from a radio perspective. So, by the way I should mention, I come from kind of a, like I said, software defined radio slash ham radio world. So, I kind of stepped away from the higher levels and then I set back to them kind of from the radio perspective. So, I kind of was thinking about a lot of this stuff from the radio perspective. 
So, really briefly, there's the two bands, 2.4 and 5 gigahertz. Now, ultimately these are channel numbers but those are just standard abbreviations for the actual frequency. So, ultimately trackerjacker's hopping between all these frequencies slash channels over time. There's 5 gigahertz channel. Ultimately the data's modulated, the Wi-Fi card at layer two will demodulate that for you. Nothing too fancy there. This is kind of an important part, though, I think. So, most of you are probably familiar with promiscuous mode and that's kind of where if you're on a Wi-Fi or ethernet network, you can just say, I don't want you to only give me the packets destined for my MAC address, I want you to give me all the packets. Whether they're for someone else's MAC address or not. Well, there's this other thing called monitor mode. I mean, if you probably already know about it. But basically it's where you don't connect any network. And instead, you put your Wi-Fi adapter into more of a pure radio receiver and demodulation mode. And that's what this is using. This is using monitor mode. So, you're not connected to any network, but you can then receive the packets from every single network within range is how that works. And so, that's kind of then what is being exploited by trackerjacker. So, okay, so I talked about the mapping functionality. And I showed you briefly in the video the tracking slash triggering functionality, but I wanna show a few more examples of what it looks like. So, like I said, there's a really nice plugin system. Let me show you what a plugin looks like. How many, actually out of curiosity, how many people know how to program in Python? Have rudimentary Python programming skills? Okay, maybe 30, 40%. And like I said, basically you can either call out through to a script or you can call out, you can call out a plugin you want to run. Plugins look like this. This is a simple plugin that just counts every Apple device within range. 
The plugin API is very simple. There's no subclassing or anything like that. You just create a Python class called Trigger and make sure it has an init method and a call method. And then there's these various keyword arguments that get passed in. And you can just take any of those that you want and do whatever you want with them. And so basically, I kind of look at trackerjacker as it provides some basic mapping functionality and some basic responding to patterns and calling scripts kind of functionality as well as a few built-in plugins. But in some ways it can also be seen as a platform. So there's a lot of annoying things if you're trying to do this kind of tracking. So you've got to be hopping between channels. You've got to be, things like the frames, what's the source and what's the destination, those are different depending on the type of frame. And so trackerjacker does a lot of normalization and that kind of stuff. And it gives you all the data you would probably want within these calls to your functions. I have this one that kind of shows, let me show what it looks like to run a plugin. So I'm going to go track mode, plugin, plugin examples slash plugin template. So yeah, way too much data to see. But you can see it's just printing out all the data it's getting passed in. The device ID is the MAC or the SSID or the BSSID depending on the context. It tells you this is a BSSID. It tells you how many bytes it's seen from that. It tells you the vendor. So you can do like regexes on that. It gives you the power level. It gives you, it also gives you the SSID it's part of. The interface you're on, the channel, and then it also, the frame type. And then it also gives you the raw frame data in case you want to really drop down and do something else that is not provided. So that's kind of there in the code as an example template. And there's several others. Let's go ahead and do another example template. So I did a simple Fox Hunt plugin. 
This is like what you get in Aircrack, right? It just shows you the top closest devices by power and it just recycles that. So that's kind of a built-in plugin, but that's an example of almost any, I think of it as almost any kind of thing you might want to do where you want to look at some traffic patterns of Wi-Fi at layer two and do something, call a script, whatever. Keep track of it. So that's another one that actually I wrote. So I was talking to someone, Gloria over there, and we were like, I wonder how many different types of devices there are at DEF CON. Like what's the biggest players? So I wrote this little plugin. Let's see if I have it loaded up here. Literally, I wrote this today. It was kind of fun trying to commit to source and all of that right before the talk and try not to break anything. So this is the plugin. It's a little more, it's like 50 some lines of code. But then with this, you can output, this is what I've seen so far at DEF CON. Zebra is actually the most popular, which is kind of a surprise. Apple's close behind. I don't even know what this Murata is, Broadcom obviously. So it's just a pattern I wanted to look for and it saw like 2,800 devices in maybe 30 minutes or something like that. And yeah, so that's a few plugin examples. Oh, let's do another one. So all right, just to give you an idea of the flexibility and the kinds of things you could do. Let's say that you really hate some particular manufacturer of device, maybe Apple or something like that. And you're like, I really hate Apple and I want to de-auth every Apple device that gets close to my house, for example. Now, I mean, maybe it'd be a drone. Maybe a drone, you don't like drones, right? Or maybe you're in an Airbnb and you don't want your Nest Cam spying on you. So there's actually some semi-non-malicious use cases for this. But so let me show you what the, let's go down, history, copy and paste it. All right, let's see if this works. 
So this plugin actually, there's also a plugin config parameter. So if you create a plugin that itself, you would like to be able to pass parameters to. So in this case, vendors to de-auth, that's, you could pass in multiple vendors to de-auth. You could also pass in particular MACs. Let's see if that works. All right, so I think, yep, so it's looking and finding devices, it has enough data to de-auth. And for this functionality, by the way, it's calling out to Aircrack. So right now, oh, there we go, we're killing, we're killing some. Now this is, so this is actually kind of cool though. Okay, so right now trackerjacker, like I said, it's just passive, but it can call things. So it can call Aircrack. But how many people have tried to de-auth with Aircrack before? Okay, so one annoying thing for those of you who know, if you try to de-auth, you need to know the BSSID and the MAC address and all that kind of stuff. Now one problem though, like let's say you're on a big network and it's got, let's just say 20 nodes like here. And if I de-auth you on one of the nodes, what's gonna happen? Well it's just gonna jump over to the next node, right? And connect. And you're gonna have to then do another scan and do another de-auth. Well, so this is actually, behind the scenes, automatically doing that for you. Because it's really just whack-a-mole. Like, it will just, it's just reacting. So every time it sees this particular, you know, something from this vendor or if it's a MAC address that you really hate, it whacks it and it automatically fills in all those parameters for you. And that's just, it was kind of like, it was, we'll go ahead and stop that. But come on, people like, you gotta expect that at DEF CON, right? But anyway, but it was kind of like an afterthought though. I was like, oh, it'd be cool to be able to do this. And the cool thing is, again, it's just a plugin. So the core, I actually kept kind of small and the plugin functionality is pretty powerful. 
So I ended up writing a lot of stuff I thought I was gonna write in the core into the plugin system. So that made me, that forced me into making the plugin system a very much a first-class citizen. So it's, I think it's reasonably flexible at this point. And let's see. Some other things I want to note. So trackerjacker is, it's mostly been developed for and tested in Linux. So Kali, Ubuntu, any of that kind of stuff. Like I'm, what I'm doing is I'm running it in a VM. Obviously, if you're at the top level, that's even better. But I do have some preliminary Mac support as well. I can try to demo that. Also, trackerjacker requires root privileges because it's doing the pcap. So that's one possible downside, I guess you might say. Let's see if this works. It's gonna kill my Wi-Fi. And there, yeah, so there it's running, basic scan. By the way, trackerjacker is built on Scapy. Now how many of you guys are familiar with Scapy? Okay, cool. So Scapy, it's this really sweet Python library that lets you do packet crafting, but also sniffing and that kind of stuff. And so this is a layer over that, pretty extensive layer over that. I'm working with the Scapy team kind of. I was trying to get them to push out some new functionality to make the Mac version better. So I'm kind of pending on that. But so more, there'll be more Mac support forthcoming when some of that other stuff is ready. And further other features as well. If anyone wants to help port it to Windows, that would be someone else, other than myself. I make no promises on that. As far as Wi-Fi devices, I thought I would make a note. So I really like these, I've never heard anyone talk about them, but the Panda brand, they have these really nice devices, like this little one right here, it's a dual band. It runs on Linux right out of the box, and it supports like monitor mode and injection. So pretty sweet, that's the kind I've been using for most of my testing. 
The Alfa, there's some Alfa ones that work for it, the TP-Link, I have a few notes on that. And a few major takeaways. So at the physical layer, Wi-Fi is just radio, right? And so there's only so much you can do to prevent these kinds of attacks. So a few more things, expoundings on some of the testing that I did. So with the security system, with the camera, one of the things I realized after I wrote it is, oh wait, I'm not even connected to my Wi-Fi network. I don't need to be connected to my Wi-Fi network. So you can actually scan and find all the vendors of IP cameras near you, and you can see when they're detecting motion or not. Actually a funny side note, Canary, so I was testing this stuff, and I have this Canary camera, and I would arm it and make sure it went off and then I disarm it, and then it was going off while it was disarmed. And I was like, that's kind of weird. And it turns out they were uploading video even when it was not in the armed mode, now there was a setting kind of hidden away, you could turn off, but it was kind of a weird, oh wow, I saw that I did not think it was recording video during that time. So it could also be useful for testing that kind of stuff, but it's also kind of scary because yeah, I mean it could be an IP camera in a neighboring house or building, and you could detect when there's motion, right? One of the other very obvious use cases would be tracking people with smartphones, right? And that's kind of what I was doing here, you know, so, but that's, there's only so much you can do to prevent that, right? Because, so there's some things like, you know, Apple devices do MAC randomization, so if you're not connected to any network, they'll be not sending out their actual MAC when they're like probing for Wi-Fi networks and all of that, but if you ever connect, it basically has to use your MAC. 
And so for example, if you're at your house and you're connected to your home Wi-Fi network, someone could just go and look and see if you're connected or not and basically know if you're home or not. That's kind of, you know, that's a little bit worrisome, and there's really not a lot you can do. Like I said, you can turn off Wi-Fi when you're traveling around, so that at least while you're out and about, they're not gonna be tracking your physical location, whoever they are. And I believe I saw some report from Snowden that the government is using this kind of tracking in addition to other kinds. It's also another funny testing thing I realized. So my network at home, it has several repeaters and I could notice from trackerjacker when I was like upstairs versus downstairs based on which node I was connected to. There's all kinds of crazy things you can do like that. Another fun plug-in was, and I'm not gonna demo it for time's sake, but it'll just look and see who all is around and it'll show anomalies. So that's another very simple plug-in to write. If you wanna, you know, you can set a threshold like if I see power level greater than negative 50 dBm and I haven't seen this MAC address before, then do an alert, right? And you wouldn't wanna do that without any kind of power filter because people passing by in the street, right? But if you have a power level, that's really quickly a really interesting program to detect potential invaders. I could say that being useful for companies, you know, kind of a basic, that would be an interesting piece of data if there was someone who broke in and stole stuff, right? It's trivial to track in Wi-Fi monitor mode. Like I said, I was a little bit surprised by the kind of information that you can get out of the raw 802.11 mode. 
I kind of, for a while, I guess I thought, well, it's all encrypted and so there's not a lot of interesting stuff, but if you're tracking stuff over time and keeping track, then that's where the kind of creepy data gets leaked from. As I said, you know, I have this new tool, trackerjacker, and I think that's the main takeaways. So I'll call that the end and if any of you guys have any questions, let me know. Thank you. Yes, as in do they do randomization or not? I mean, they all send out their MAC address, like, you know, almost every Wi-Fi device will do its probes and it'll send out data when it's trying to look for Wi-Fi to connect to, right? And so those are all kind of the same. There is probably some active scans you could do to try to fingerprint more, right? I haven't got into any of that yet, but there's definitely stuff you could do, I think. Yes, no, not at this point. For that you would need some kind of more active probing into it. Now you can differentiate in location and stuff like that, but that's not gonna help with that, I don't think. Yes, I don't know. It might be able to, yes. ARP spoofing? Not directly, but you could definitely use it as a trigger to call something that does ARP spoofing. It uses Scapy and you could definitely write a plugin that would then call Scapy, yeah, yeah. Yes, kind of yes and no. So it doesn't have to be transmitting, it depends on what you mean by data. It could be not connected and just looking for networks to connect to, and it will be found. But it's transmitting data, but it's purely passive, so it's only gonna pick up on what's in the air. But if your Wi-Fi device is actually sending a signal over the air, whether it's a control frame or a data frame or management frame, that'll get picked up. Yeah, oh actually, yes, it seems to be randomized from what I've seen. By the way, actually, since you brought that up, have you guys, is Marv here? 
Okay, because I was scanning around the Hacking Village and I noticed this Marv guy everywhere. So yeah, it was kinda funny, let me see if I can print this out, Python three, filter Marv. I wrote a little script, let's see if this works. Marv had 50 SSIDs, oh by the way, at the Hacking Village, here, just in the last hour, it found 631 devices, 270 SSIDs, 50, not including the 50 that Marv made. So, just to show you what that looks like. So you can see what he was doing, he had all these, so kudos to Marv. Oh, actually, a funny other little thing, just a funny DEF CON, this was like a great DEF CON moment, okay? So I was running trackerjacker in one of the chill out lounges like three hours ago. And I got this exception thrown and it was like this recursion error and someone had crafted a packet so deep that it blew up Scapy's decoding. So I actually created a new ticket for them and I put my call to Scapy in an exception handler so I thought that was a really cool DEF CON moment. In the code I actually have a thank you DEF CON comment. Let me see, there it is. Thank you DEF CON. All right, let's see any others. Yes, yes it will. Actually, I've tried this on a couple airlines and you see the guest one usually but the other ones also show up. And that's because some of the management type frames, so they're not sending out the beacons, right? If they're not, if they're hidden. But the SSID still shows up in other packets. And basically any type of packet where it has that, if it has it, Scapy will grab it. So, and actually I don't even know what all those type of packets are, I just know I look for it in every type. So, yeah. Yeah, I think you can. I think you can, because the same, so Bluetooth does a little bit more to try to hide its MAC address, for example, but yeah, you could, I think. Yes. I have thought about that, yeah. 
One of the other roadmap things is to have support for a couple Wi-Fi adapters simultaneously as well, which would help with that kind of thing. See. Any other questions? All right, well, thank you.
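As an added illustration (not code from trackerjacker or from the talk), the following plugin follows the shape the speaker describes, a class named Trigger with init and call methods receiving keyword arguments, and implements the two detections walked through above: the camera-upload threshold behind the siren demo and the "unseen MAC stronger than -50 dBm" anomaly alert. The keyword names (dev_id, dev_type, num_bytes, vendor, power), the config-via-keyword convention and the replay driver are assumptions to be checked against the project's own plugin template; the observations are constructed.

```python
"""Constructed trackerjacker-style trigger plugin (illustration, not project code).
Assumed plugin contract: Trigger.__init__ receives plugin config as keyword
arguments; Trigger.__call__ is invoked once per observed device update with
dev_id, dev_type, num_bytes, vendor, power (names assumed from the talk)."""
import collections
import time


class Trigger:
    def __init__(self, camera_mac=None, bytes_threshold=200_000, window_s=10,
                 power_threshold_dbm=-50, clock=time.time, **kwargs):
        self.camera_mac = camera_mac.lower() if camera_mac else None
        self.bytes_threshold = bytes_threshold      # bytes within window => "motion"
        self.window_s = window_s                    # sliding window length in seconds
        self.power_threshold = power_threshold_dbm  # dBm: -40 is stronger than -75
        self.clock = clock                          # injectable for replay/testing
        self.samples = collections.deque()          # (timestamp, num_bytes) for camera
        self.seen_macs = set()
        self.events = []                            # (kind, dev_id, detail), in order

    def __call__(self, dev_id=None, dev_type=None, num_bytes=0, vendor=None,
                 power=None, **kwargs):
        """Score one device update; return the events it fired."""
        fired = []
        # Only client MACs are scored; SSID/BSSID updates are ignored here.
        if dev_type != 'device' or not dev_id:
            return fired
        dev_id = dev_id.lower()
        now = self.clock()

        # 1. Sliding-window byte count for the watched camera MAC.
        if dev_id == self.camera_mac:
            self.samples.append((now, num_bytes))
            while self.samples and now - self.samples[0][0] > self.window_s:
                self.samples.popleft()              # drop samples outside the window
            total = sum(b for _, b in self.samples)
            if total >= self.bytes_threshold:
                fired.append(('motion', dev_id, total))
                self.samples.clear()                # re-arm instead of firing per frame

        # 2. First sighting of a MAC at strong power (close by, never seen before).
        first_sighting = dev_id not in self.seen_macs
        self.seen_macs.add(dev_id)
        if first_sighting and power is not None and power > self.power_threshold:
            fired.append(('close_unknown', dev_id, power))

        self.events.extend(fired)
        return fired


class FakeClock:
    """Replay clock so the constructed timeline below is deterministic."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def run_sample():
    """Replay constructed observations through the trigger; return fired events."""
    clock = FakeClock()
    trig = Trigger(camera_mac='AA:BB:CC:00:00:01', bytes_threshold=200_000,
                   window_s=10, clock=clock)
    # Constructed sample: (seconds, dev_id, dev_type, num_bytes, vendor, power dBm).
    sample = [
        (0,  'aa:bb:cc:00:00:01', 'device', 3_000,   'CamVendor',   -60),  # idle keepalive
        (5,  'aa:bb:cc:00:00:01', 'device', 4_000,   'CamVendor',   -61),
        (20, 'aa:bb:cc:00:00:01', 'device', 90_000,  'CamVendor',   -60),  # upload begins
        (22, 'aa:bb:cc:00:00:01', 'device', 120_000, 'CamVendor',   -60),  # crosses threshold
        (23, '11:22:33:44:55:66', 'device', 500,     'PhoneVendor', -75),  # passer-by: weak
        (24, 'de:ad:be:ef:00:01', 'device', 800,     'PhoneVendor', -42),  # new and close
        (25, 'de:ad:be:ef:00:01', 'device', 800,     'PhoneVendor', -40),  # already seen
        (26, 'ExampleNet',        'ssid',   50_000,  None,          -30),  # network: skipped
    ]
    for t, dev_id, dev_type, nbytes, vendor, power in sample:
        clock.t = float(t)
        trig(dev_id=dev_id, dev_type=dev_type, num_bytes=nbytes,
             vendor=vendor, power=power)
    return trig.events
```

In a real deployment the action taken on a 'motion' or 'close_unknown' event (the siren script in the demo, or an alert) would go where the events are appended; the window and threshold need tuning per camera, since the idle keepalive traffic must stay well below the threshold.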