So, thanks everybody for showing up. I am Luis, this is Nelson. We're going to be talking about a tool that Nelson wrote. I'm here just because I'm funny, kind of. Not really. I gave him some ideas on that, so let's get to it. So we're going to get a little bit of boringness and a little bit of Brazilian accent this morning. So have some coffee.

So, we're going to go over the agenda. It's going to be like, who are we? What do we do, kind of, for a living? I'm going to do a brief introduction about wireless attacks, something that probably you guys know better than I do, but it's going to be really quick just to get you in the mood for Beholder. Then I'm going to just mention some attack tools, solutions, existing solutions for wireless attacks. Then I'm going to pass it over to Nelson, who's going to talk about the development of Beholder. What does it do? What does it, what doesn't it do? We're going to run you through some diagrams, some scenarios on how to implement Beholder, and we're going to try to do a demo at DEF CON. If it doesn't go well, we have a few videos to show you, but hopefully it's going to go well. And then we're going to go over the future of Beholder and also wireless attacks. So, I guess, let's do it.

So, who the hell are we? I'm Luis. I've been working with wireless for quite a while now. Actually, if you have somebody to blame for the network, the wireless network here, that's me. So, boo me, or buy me a beer later. I'll take it. And pretty much that's how I pay the bills, working with wireless. Nelson? Nelson, this is the man. The guy flew all the way from Brazil. He gave me the idea of coming like a few months ago. So, let me do a brief introduction here. A few months ago, Nelson told me, I want to write something like this and that. I'm like, dude, that's so freaking lame, right? Everybody does that already. There are like 10,000 wireless tools, one a day. And he said, no, I want to do something a little different.
And since you've been working with this for a while, too, maybe you're going to have a few ideas, and let's try to do a talk at DEF CON. And here we are now. So, he wrote the whole thing. I'm just like, oh, this sucks. Oh, put this there. Oh, man, you don't know how to do anything. So, this guy, he wrote a book. He has like a couple of books published in Brazil. He's the author of chkrootkit. So, that's the guy. So, this is the man. Like a few years ago, one of the first wireless talks that I've seen was from him. So, big props to this guy here.

Okay. So, this is the boring part. Okay. So, I'm going to try to be really fast. So, we're going to talk about wireless attacks, Wi-Fi attacks. Things that we've seen for the past, since what? DEF CON 8. We've seen things all around. So, I put these slides in an order that is kind of like an evolution. Could be wrong. I'm going to forget some stuff. Actually, I have my cheat sheet here. So, let's see if I don't forget.

Okay. So, the very first one, DoS attacks. What are DoS attacks in wireless networks? DoS attacks could be like different things. Could be from packet types, sending packets, DoS packets to clients, DoS packets to access points, faking beacons, trying to steal associations, or simply just attacking the network, even from layer one, from like the wireless, using a jammer like this that you can buy for 200 bucks, to actually like throwing rocks at access points. Access points is something that actually wireless is good at, wireless works well. That's again how I pay my bills. But you don't have the wire there. Other problems that you might have is interference. Interference sometimes acts just like jamming. 2.4 gigahertz, as you guys know, is an open frequency. So, everything, sorry, so everything there is pretty much free for all. So, that's a problem. Man-in-the-middle attacks, usually it's used in combination with some sort of DoS attack or packet injection as well.
So, you have a client that is connected to a valid access point. You want the password from that guy at Starbucks. You run your laptop and you do a man-in-the-middle and you steal whatever you want from that guy, if the guy doesn't yet use encryption. Impersonation, that means you have one guy with a laptop. So, there are three scenarios here. One, the guy has a laptop and he wants to pretend he is a valid user to gain access to the network. In an open network, in a Starbucks or some airport, that's okay because there's no encryption. Then people thought, oh, let's put encryption on. And then it gets a little harder and we're going to get into it. But the second one is when, sorry, when the attacker wants to be, wants to act like a valid access point. So, the user, the valid user is going to connect to that guy, and then most likely to be a man in the middle, or like Karma. We're going to talk a little bit about Karma in a little bit. But it could be different things. And lastly is some device, most likely an AP, that is going to be acting as a valid AP as well.

Surveillance is just a matter of packet sniffing. So, you have your wireless network. Somebody's on the outside sniffing packets. That could be encryption. Yeah, but encryption today is pretty much the only way to block that. You cannot stop the packets from going through the windows and things like that. Some of the wireless IDS vendors, they're doing some pretty neat stuff actually, to install antennas outside the building and try to block the signal. But again, you're just sending more wireless packets. But apparently it is effective. I didn't try to test that myself yet.

Packet injection, I talked about that. Most likely used in combination with the other ones. So, when you do man-in-the-middle, first you have to deauth the valid user to connect to you. Or you send like, or you do packet injection to simply break the network. Send deauth packets to everybody and things like that.
Crypto cracking. We all know that WEP has been broken forever. That's why they created WPA. Then Josh and some other guys, they came over and they broke WPA. So, WPA in theory is still kind of secure. But not totally. So, go on the internet. Again, I'm not here to preach to the choir. Go to the internet and probably you know how to make your Linksys router at home safe, or kind of.

Client-side attacks. Either ad hoc. So, how many here flew? Like, open your laptop in an airplane and look for networks. Although the FAA says you cannot use wireless devices on board. But that's okay. So, you'll see Free Public Wi-Fi on the airplane. Is there an access point there? Of course not. Is there an attacker there? Maybe. Especially flying out of DEF CON. But usually, what happens is there was, for example, a bug on Windows where the client searched for networks. If it doesn't find any of the networks in the preferred list, it starts advertising the last one it connected to. Simple Nomad presented this at ShmooCon two years ago, I think. And lastly, of course, is client attacks on the same network. You had Starbucks. You run Nmap. You see that guy has certain ports open. You try to do something on those ports.

Rogue access points. This could be a whole talk by itself. Because when you say rogue access points, what could be a rogue access point? Not her. But a rogue access point is any malicious access point. So, from a vendor perspective, some vendors, they classify a rogue access point as an access point that is plugged into your network. Which is true. So, somebody went to Fry's for lunch. It doesn't feel like working. So, like, oh, let me test this router that I bought for home. And he plugs it in and he's chilling out there. Suddenly, somebody, oh, we have a meeting. Oh, let's go. And the guy has, they have the best wireless network using 802.1X, WPA2, the whole nine yards. But guess what? Now you have a Linksys open network in your office. So, that's not cool.
And other things, too, that we're going to talk about, I think, right now. Oh, more about rogue access points. So, when you talk, when you think about wireless IDS systems, rogue access points, you think of the one that you buy at Fry's, 802.11a, 802.11b/g. Things like that. But you still can buy, and I bought one on eBay not too long ago, a really old access point from Cabletron or Digital, like a RoamAbout. It's not 802.11b or a. Some are 802.11, already in the 2.4 gigahertz range, but some are 900 megahertz. So, if you have sensors that only work in 2.4 and 5, guess what? You're not going to see that guy. So, if you can find this old stuff on the Internet, there you go.

Then you have wireless bridges. This is not a wireless bridge. This was actually in Aruba, the island, the natural bridge, the largest natural bridge in existence. But guess what happened to it? It turned into a wireless one, because it doesn't exist anymore. But they still do tours to that. So, you get on a bus, you go, let's go see the bridge. And halfway they say, oh, the bridge doesn't exist anymore, by the way. So, that's a ripoff.

Impersonation 2.0? What is Impersonation 2.0? People came up with just names. We, as security folks, are turning pretty much into marketing people because, say, oh, now we have the evil twin. Yes, it is a new attack. But guess what? It is just impersonating a valid access point. So, everybody knows what the evil twin attack is, right? Okay, good. Or, even better, just run Karma. Karma is whatever you want it to be. It's like you're at DEF CON, you're drunk, you go out on the street. It's like, oh, she's beautiful. Yeah, she is. So, it pretends it is whatever you want it to be.

We thought, I mentioned, I didn't talk about, I mentioned crypto cracking, but then you have faster crypto cracking. Is h1kari here? Most likely not. So, h1kari implements any type of crypto breaking in FPGAs. So, guess what?
Through rainbow tables implemented in FPGAs they can break it. And RenderMan and Johnny Cache, all these guys, they did some awesome work about WPA cracking. And that's how it goes. That's Josh Wright, one of the guys that knows just a little bit more than all of us together here about wireless. And his last talk, his last finding that he told us about, is rogue RADIUS servers. So, everybody knows how 802.1X works, right? A little bit. You have a RADIUS server in the back end usually. So, everybody keeps saying 802.1X or WPA2. Yeah, it's secure. Yeah, and then a few years ago we found out that, well, if the client is configured to use PEAP and does not validate the server certificate, guess what? It's not secure. So then people started doing that. Then Josh came with the idea, okay, if you want to validate, check for a valid certificate, I'll do a fake access point. I'll do a rogue, a fake RADIUS server. And guess what? I'll put a valid certificate on that thing. And then, so there are all the options that, of course, mitigate that. So, search on the internet for his video. It's pretty cool. And, so Josh is one of the bad guys.

So I just want to say there's a lot of people that, in the past few years, put a lot of work into making wireless more secure, breaking it. So big props to all these guys. That's that guy sitting there. Stand up, Eldon. See, you thought he was going to make me ashamed. Big hands for Eldon. He did some pretty good research on wireless IDS a few years ago. Bitto from Wi-Fi Club, the Shmoo Group, h1kari, RenderMan, Mike Kershaw, Dragorn from Kismet. And that guy is Ken Caruso. He just drinks. He doesn't do anything.

About tools. So we all know about, like, there are several tools that you can use to make bad things. And most of them you can find here, from the stuff that all these guys did. Like, BackTrack is an awesome live CD. You should know that already. So let's do solutions. So we talked about the attacks. How to break it. How do we fix that?
Well, some of the stuff, as you know, there's no way to fix it. You cannot, like, Matrix-style dodge the packets that the evil APs are sending, or the evil attackers are sending. So what can you do? There's wireless solutions. So I was... I'm going to do an introduction to wireless IDS and put you to sleep. But I'm just kidding. So I'm just going to talk a little bit about wireless IDS, so we get into the mood for Beholder. So WIDS is not that... I did a search on Google and found that guy. I'm like, oh, he looks excited talking about wireless. So imagine the guy on the left. He is the integrated wireless IDS. What is an integrated wireless IDS? That's the guy who's sitting there. You buy from a vendor a solution that you deploy, all the access points, and you want wireless IDS that is already implemented on that system. And then you have the lady on the right. She is the overlay one. That means you have your wireless network, but that doesn't have any wireless IDS capability. So you buy from a vendor sensors and a total solution that is going to put their sensors along with whatever you have already. So you have two separate systems. Which one is better? I don't know. It depends on the situation. But both products do really neat things. Usually from one perspective it's good to have something that is always there, not serving clients, just watching the network. So maybe that would be a better solution. Do I have anything else to say about this?

And of course you have wireless IPS systems. Usually the same systems. But of course once they detect something they're going to attack back. Usually in wireless this is interesting because you could be DoSing yourself. If you say I don't want any ad hoc networks here. Guess what? If you're not that close to the AP, if two laptops are close to each other, they're transmitting, the sensors are going to start attacking those guys to say disconnect. But it's on the same channel that your wireless network could be using.
So that's a problem. So keep that in mind. But again I'm not here to say bad things about wireless IDS. I think if you have a wireless network you need to have some type of IDS. So you have some tools out there that help you find networks. Even Windows, crappy Windows does that. So you have NetStumbler as well. You have Kismet that not only does that, but what does it tell you? It says there's a network or the network went away. There's no, they were not intended to be a wireless IDS. And that's the idea that Nelson got. So from a wireless, from a free wireless IDS perspective, the only thing that I know is RogueScanner. Network Chemistry released RogueScanner a few years ago. That was a free tool to search for rogue access points in your network. They got bought out by Aruba Networks. So I think RogueScanner is somewhere on the internet. It's really easy to find. And not on the wireless IDS side, but something that helps, not only pentesting. Of course you're going to use WiCrawl from the Midnight Research Labs to do pentesting on wireless. But again if you have a wireless network, most likely you better do some type of pentest every once in a while to see if it's working the way it's supposed to.

So before we get Nelson here, I'm just going to talk a little bit about 802.11 beacons. Beacons are management frames. Beacons are the packets that the access point sends saying, hey I'm here, I am T-Mobile, I am hotspot, whatever. And some people have the wrong perspective. So here are the beacons. You cannot see crap, can you? No. But most likely the good things that it says, it says the data rates that the wireless network supports. It says the name, the ESSID. It says the speed. It says speed, I already said that. But it says the transmit power and all those values that are really important for the client to know whether to connect to that network or not. Guess what? It lets everybody know about that as well.
So one of the things that people say, oh I'm going to make my wireless secure. So I'm going to configure my AP not to say the name of the ESSID. Is it good? Of course you turn on NetStumbler or Kismet and you see there's an AP, but I don't know what that AP is. What SSID that is. But guess what? Once a valid user connects to that AP, the AP has to say yeah, I am that guy. So guess what? Now you know the wireless network name. This is not new. This is actually kind of lame. But on the beacon, and you might be able to see on the top left, some vendors they actually send some information about, because they want to make a neat network kind of thing, right, to help management and things like that. They send some information that is really important that probably you should not need to know. Like this one here, in this case, yeah, I sent the ESSID name, but not only the name, it gives the ability for the network admin to put an AP name. So even if you didn't have an ESSID, or if you're trying to find an AP, that one on the one, two, three, four, on the fifth row says AP name. So it says AP 11 Laguna something. I was in Cancun, Mexico when I did this. So I'm like, oh awesome. So I might not know what the SSID name is, but if I want to steal that AP or do something to that AP, I know it is close to Laguna 2F or 2B, whatever that is. Number of clients connected and things like that. So of course this is going to get more and more populated along the years. So Beholder pretty much is based on beacons right now, and I'm not going to get ahead of myself, and without further ado, Nelson Murilo.

Hi everybody. Thanks Luis. Okay, let's go some about Beholder. Beholder is written in C and based on wireless tools. You know that too? Linux environments. Yeah, just another network scanner, but Beholder checks some changes, changes in IP, SSID, MAC, mode, many changes. This is okay, and meaningful signal variations. I will talk about them. And the cool feature is syslog support for large networks.
You can use many sensors, Beholder sensors, in your large environment and all report to one centralized syslog. I will talk about that. That's cool. That's a nice feature, but it's not so cool. This is better, right? It's better. Look at the martini in his hand. He's ready for death. Beholder can detect Karma. I will show you. And you can use regex, a regular expression, to select exactly what you want to be alerted about, and detect if access points suddenly disappear too. For example, see if somebody uses a jamming signal. But things Beholder doesn't do. Beholder doesn't put any interface in monitor mode. Doesn't sniff the wireless traffic. Doesn't crack at all. And doesn't detect anything about clients. Beholder just detects signal, beacon, sign-off. Just does that.

Okay, some design challenges. Beholder should be easy to use, install and maintain. Should be comprehensible, to understand, to implement new features. And some issues. Scanning time differs per adapter. Beholder can use any wireless adapter in a Linux environment. If you have your nets you can use it for Beholder. MadWifi caching is a problem, because if the access point disappears it may be delayed to detect that. And it doesn't use any libraries, external libraries, just two source codes, you make, and that's okay. For now just for Linux. And the future, I don't know, is clear maybe.

Let's check the technical details. How does Beholder detect Karma? Beholder sends a random SSID request and waits for a response. If it gets a response, probably Karma is running. I can send one, I change the random SSID and wait for a response. That's the mode to detect Karma in the environment. So how many SSIDs do you create? Like three? Or two? I don't remember. Better versions, just one. But I plan to change to three. It's clear how it works. If Karma sends back, hey, yes, I'm XYZ, so it's probably Karma because it's a totally random SSID. So it's a really easy and neat thing that he put in. Okay.
That scenario is to check if some access point disappears. I have my nets and another net. I don't care about that net. So I use Beholder dash my nets interface, and if that SSID disappears, Beholder, I don't care. But if my nets disappear, Beholder will alert about that. Another scenario, I can use a regular expression, both in the case of missing, disappearing, or to check if some similar SSID appears in the environment. That's my net. That SSID appears. I don't care. But if someone creates my nets Wi-Fi, that matches my regular expression, Beholder will alert about that.

So if you ever configured a wireless IDS system that you have, imagine that you can think of anything similar to your SSID name. It's a pain to freaking do it. So this is a really neat thing to do. You put something that is going to be similar. So DEF CON, if you have a zero instead of an O, yeah, that's an easy one to think about and configure on your wireless IDS system. But how many O's can somebody, how stupid is a user to connect to a network that is kind of similar, has a kind of similar name. That's all. Okay. Thanks Luis.

And then the last scenario, if you have larger networks, you could combine some sensors and use a syslog server to centralize the information. For example, you can use syslog to select what kind of message you want to get. Okay. Time to demo. There we go. DEF CON live demo. Let's see. Is it better? It's better? Okay. That's the basic, the normal use of the tool. Some rogue AP, the first one, DEF CON, DEF CON, DEF CON, some DEF CON networks. If you want the AP, it's added to the list, but the nice feature is that it's okay.

What Nelson is going to be doing here, he will be connecting a USB access point and he's going to configure that access point with a network with a similar name to DEF CON, and he's going to put Beholder to watch for any name similar to DEF CON. So right now he's typing the regular expression. He's going to block with a pancelli.
So let's wait for the AP to come up. Tension. There we go. No, not yet. So we see the regular DEF CON ones. Yeah, we got a shitload of APs here. Okay. So you can see up there highlighted. It says, what's the SSID? I cannot read that. It's all lowercase DEF CON. So the name is the lowercase DEF CON or something similar to DEF CON, and so it says it matches a pattern. So again, in distributed systems what you can do, you can have many laptops running and send everything to a syslog server, and then have a decent syslog message parser or something to look for the Beholder stuff.

So now it's totally the opposite. He's going to tell Beholder to watch for the networks. So in this case he's saying I care for any networks, all the APs that match this, and he's going to unplug the AP, his AP, and Beholder's going to say that the access point went away. So again, that's something that Eldon showed at ShmooCon a few years ago, that many IDS vendors didn't do that. So if you see an attack, it's like, ooh, I saw an attack. But if all the APs go down, it's okay. That's okay. That's not a problem. So if you see there, DEF CON with an O and stuff, Beholder says it disappeared. And now he's going to plug it back and then to say, so you don't freak out, it's going to say yeah, it's okay. Your AP is back, or your APs. So it could be more than one AP. And again, with the regular expression, you can search for any APs. So it doesn't really, it doesn't have to be your AP. If you're concerned about your neighbor's APs, and just in case you use it, you can monitor those too. Somebody's DoSing the wireless network. That's awesome. Love DEF CON. Is my jammer on? There we go. See? So it says, relax, your AP is back. So go back to bed or something like that. So that's what we had for the demo, right? Okay.

So this is a great picture he found. So there are many tools out there. Beholder, and again, this is just the beginning.
So again, we're going to release this, or tomorrow, right? Tonight we're drinking. So tomorrow this is going to be on the website. But you have many things out there. You can use all the tools possible to make your life better on the wireless network. So Beholder is going to help you a bit, as Buddy Jesus says.

And what is next on Wi-Fi attacks? Wi-Fi attacks? Everybody, there was a big hype a while ago about 802.11n. And, well, at least Beholder works with that. Just get an 802.11n wireless card at Fry's and bump it in your Linux system. Beholder works with that. I tested that. But I think we kind of got stuck into a really interesting phase of wireless in the past few years. Because anything coming out now is going to be a type of DoS attack, which is kind of lame but really effective. But we have 802.11n now. So some people said that 802.11n APs were a problem. Just like I mentioned, the 900 megahertz was a problem that no other sensor would get. Either the AP that I got at Fry's, 802.11n, is broken, because with an 802.11b I can, even when I put it in Greenfield mode, when I put it to work only on 802.11n, I think the beacons and management frames are still heard by 802.11b devices, b and g. So I don't know if that's my AP with problems or if that's the way it should work.

Another thing, the wireless bridges kind of thing that I mentioned before. It's a problem if you have a bridge that is not really an AP. So the packets are different. There are two fields, one that's called From DS and the other one To DS, that say one and one, meaning it's from wireless IDS to a wireless distributed system as well, WDS to WDS. Some tools, they don't get that. And with 802.11n going as fast as in real life, 120, 150 megabits per second, it's freaking fast already. So if people want to suck stuff from your wired network using wireless bridges, it could be a problem. Or even rogue APs. Right?
So tomorrow, not today, tomorrow, BeholderWireless.org is going to have the tool. You're going to have a contact email, right? If people want to contribute, yeah, and this is GPL, free, all that stuff, right? So yeah, so you guys can help out as well. So before we take questions across there in the other room, I want to thank you all for coming. Thanks for the patience. I want to thank our one beta tester who gave us feedback, Kevin 350. So thank you.
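As an added example (not Beholder's code, and not from the speakers), here is the detection logic the talk walks through, replayed in Python over constructed scan snapshots: the lookalike-SSID regex, the watched-AP disappeared and "relax, your AP is back" alerts, and the random-SSID Karma probe. The regex, MAC addresses and SSIDs are constructed; the grace period for missed scans is an assumption added to cover the per-adapter scan timing and MadWifi caching delay Nelson mentions.

```python
"""Beacon-based monitor in the style of Beholder's three scenarios.

Added example, not Beholder's own code. It replays constructed scan
snapshots (the kind of SSID/BSSID/channel list a scanning tool returns)
and produces the alerts described in the talk. No traffic is sent or
captured; everything here is in-memory.
"""
import re
import secrets
from collections import namedtuple

Beacon = namedtuple("Beacon", "ssid bssid channel")


class BeaconWatcher:
    def __init__(self, watch_pattern, missing_scans=2):
        # Regex for SSIDs we care about: our own name plus lookalikes.
        self.watch = re.compile(watch_pattern, re.IGNORECASE)
        # Consecutive scans an AP may be absent before we call it gone
        # (assumed grace period for scan-timing and driver-caching delays).
        self.missing_scans = missing_scans
        self.known = {}    # bssid -> last Beacon seen
        self.misses = {}   # bssid -> consecutive scans without a beacon
        self.gone = set()  # bssids already reported as disappeared

    def scan(self, beacons):
        """Feed one scan snapshot; return alert strings (syslog-ready)."""
        alerts = []
        seen = {b.bssid: b for b in beacons if self.watch.search(b.ssid)}
        for bssid, b in seen.items():
            old = self.known.get(bssid)
            if old is None:
                alerts.append(f"NEW: ssid={b.ssid!r} bssid={bssid} ch={b.channel} matches pattern")
            elif (old.ssid, old.channel) != (b.ssid, b.channel):
                alerts.append(f"CHANGED: {bssid} {old.ssid!r}/ch{old.channel} -> {b.ssid!r}/ch{b.channel}")
            if bssid in self.gone:
                self.gone.discard(bssid)
                alerts.append(f"RELAX: ssid={b.ssid!r} bssid={bssid} is back")
            self.known[bssid] = b
            self.misses[bssid] = 0
        for bssid, b in self.known.items():
            if bssid in seen or bssid in self.gone:
                continue
            self.misses[bssid] = self.misses.get(bssid, 0) + 1
            if self.misses[bssid] >= self.missing_scans:
                self.gone.add(bssid)
                alerts.append(f"DISAPPEARED: ssid={b.ssid!r} bssid={bssid} missed {self.misses[bssid]} scans")
        return alerts


def random_probe_ssid(nbytes=6):
    """A name no real network carries; the monitor probes for it and expects silence."""
    return "bh-" + secrets.token_hex(nbytes)


def karma_suspects(probe_ssid, probe_responses):
    """BSSIDs that answered a probe for a made-up SSID: Karma-style behaviour."""
    return sorted(bssid for ssid, bssid in probe_responses if ssid == probe_ssid)


def demo():
    """Constructed replay: returns (alerts per scan, Karma suspects)."""
    w = BeaconWatcher(r"^def ?c[o0]n$")                      # DEF CON and lookalikes
    ours = Beacon("DEF CON", "00:11:22:33:44:01", 6)          # constructed, our AP
    cafe = Beacon("Cafe Guest", "00:11:22:33:44:99", 1)       # constructed, not watched
    rogue = Beacon("defc0n", "02:de:ad:be:ef:01", 6)          # constructed lookalike
    scans = [
        [ours, cafe],                                 # baseline: our AP is new
        [ours, cafe, rogue],                          # lookalike appears
        [cafe, rogue],                                # our AP missing once: grace, no alert
        [cafe, rogue],                                # missing twice: disappeared
        [ours, cafe, rogue],                          # back: relax
        [ours, cafe, rogue._replace(channel=11)],     # lookalike changes channel
    ]
    log = [w.scan(s) for s in scans]
    probe = random_probe_ssid()
    responses = [("Cafe Guest", cafe.bssid), (probe, rogue.bssid)]  # constructed
    return log, karma_suspects(probe, responses)


if __name__ == "__main__":
    for n, alerts in enumerate(demo()[0], 1):
        for a in alerts:
            print(f"scan {n}: {a}")
```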