Welcome to the Wireless Village. I have the pleasure, for the second time this weekend, of introducing my good friend, who will remain nameless, because for those of you who haven't had a chance to see him yet, I want you all to get a fine picture in your head of what a wonderful man this is. This man's been... well, we worked together for quite a while, and that was a lot of fun. And then he left me to start his own project, and nobody had actually seen him for a while. When I say nobody had seen him for a while, I mean for some reason you just never saw him, but what you did get was his wonderful voice. So without further ado, I'd like to have you all close your eyes so that you don't get confused. I'd like to hear his famous catchphrase that he has at the beginning of all his videos.

"Hello all, welcome to SecurityTube.net!"

And how do you miss that? Give this man a big hand.

Thanks for coming. Thanks for the great introduction, Rick. Okay, so in this session we are going to be looking at how to script your own Wi-Fi attack tools with Python. How many of you have scripted your own tools in any language? Wireless? Okay. Python? Ruby? Perl? A couple, okay. All the Perl guys are hesitating to raise their hands.

So I've been doing a lot of wireless security for probably the last 15 years, and being able to script quick proofs of concept always comes in handy. Now, when you look at wireless scripting, there are really two ways by which you can get packets from the network. One is using raw sockets, which is probably the absolute low-level way of talking to your operating system, telling it to go ahead and give you the packets. The second, slightly more abstracted way would be to use something like Scapy, libpcap or some other wrapper which works around all the low-level details of a raw socket. So how many of you have ever created your own SSID sniffer with a raw socket, or used raw sockets at all? Okay.

So let me show you what it looks like. This is a raw-socket-based SSID sniffer in roughly 20 lines of Python. This does not use any external library. Now, there's an interesting story behind why I created this piece of code. Initially I had actually created a much more simplified one, roughly the same number of lines, using Scapy. Right after that I posted this on Reddit programming, and all the programmers started flaming me, because they were like, "You use Scapy, right? That isn't allowed. I mean, if you have to do it, you have to do it using just raw sockets." So that's when I created the alternate version; it just uses raw sockets.

Now, how does this work? It opens a raw socket and then we bind it to an interface, assuming mon0. Unfortunately we have to change that to wlanXmon now if you use one of the latest versions. That's because, I think, of the changes brought about by ZeroChaos's airmon-ng (airmon-zc), right? That kind of required me to change almost all my scripts, which I probably wrote over the last eight years, so everything crashes the first time now. So here is an example of how you can do that. What we do after that is basically just receive from the interface and check if this is an 802.11 packet, and after that pick up the SSID length from the exact location and check if it is a null SSID or not. I mean, we aren't going to be using this to learn Python; this is just an example that you could write your own SSID sniffer in Python in just so many lines. The only place where I see a good application of this is on an embedded device. So if you have an OpenWrt-based router where you're trying to go ahead and sniff the air, you probably want to use this rather than Scapy. Unfortunately Scapy seems to hold most of the packets in memory, and embedded devices don't have that much memory, so all your Scapy-based scripts end up crashing on your OpenWrt systems if they run for a long time.

Let me show you how this looks. So my wireless interface is wlan3. I'm just going to run airmon-ng start wlan3, and then I'm going to change the interface to wlan3mon. It could even take it as an input if you wanted; let's actually take it as an input. Now, the very first demo always crashes, so I'm just going to use a channel hopper in the background. Okay, this is bad. Just give me a second. Okay, I'll just get back to this. I mean, this is the first time this has ever bailed out on me, so it's probably just bad luck. I'll just come back; I'll definitely make this run. A horrible way to start.

What I really want to talk about today is how to automate WPA-based attacks. How many of you have used wpa_cli? Anyone? Okay. So the de facto network management utility on Linux-based machines is wpa_supplicant. Now, interestingly, wpa_supplicant allows what is called a control interface, through which you can control it at runtime. So you can actually change parameters and make it do interesting stuff while it is running. So once you connect your client card, typically your network manager would go ahead and start it. Can I actually look at /var/run? Okay, just a second, guys. I think I'll just do a quick reboot. I know what is wrong: I actually killed many of the network management utilities. That's the reason why.

So how is this going to work? Basically, wpa_supplicant exposes a control interface. In the meantime, I can actually show you what the control interface looks like. Okay, so wpa_supplicant has a control interface, and that control interface is actually what is used by our network manager. So internally wpa_supplicant exposes all of these different interfaces to you. The one we are going to use is what they call the ctrl_iface. Now, the ctrl_iface is actually a C-based API, and we are going to be using a Python wrapper to go ahead and talk to that and control wpa_supplicant. Now, what does the control interface allow us to do?
It actually allows us to run a bunch of commands: for example, PING, looking at the MIB, the STATUS. So let's say you're connected to a WPA network, or for that matter any network, using wpa_supplicant. You can monitor the status on a separate terminal. You can even look at things like the different key caches. You can set variables, do logon and logoff. So every single thing you could actually do with the wpa_supplicant config file, you can control at runtime using the wpa_supplicant control interface.

So let me quickly log in. The demo gods aren't with me today. This is my fifth talk at DEF CON; I had two main-stage talks and I think one village talk, and one is tomorrow, but this seems to probably be it. It's about time statistics caught up with me, so something has to go wrong. Okay, we'll see; it should run.

Interestingly, wpa_supplicant also has a very low-level API called the D-Bus API. This is used by a ton of GUI programs to basically emulate what is Linux's COM, right? If you've used Windows COM, think of this as COM on Linux. So this allows different programs to talk to each other using D-Bus. This is really a virtual bus over which programs can send messages to each other. So you can have subscribers, consumers; you can publish your APIs. So wpa_supplicant actually publishes its own API, which you can access over D-Bus. So you could send it commands, poll what the current events happening are, and things like that. Okay?
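The raw-socket SSID sniffer described at the start of the session, written out here as an added example (my code, not the script shown in the talk): it binds a packet socket to a monitor-mode interface (the name wlan3mon is an assumption), skips the radiotap header by its length field, and walks the tagged parameters of a beacon or probe response instead of reading the SSID from a fixed offset, so hidden (zero-length or all-NUL) SSIDs and truncated frames are handled. The sample frame is constructed, not captured.

```python
import socket
import struct

# Constructed sample (not a real capture): an 8-byte radiotap header with no
# fields present, followed by an 802.11 beacon from BSSID 02:00:00:00:00:01
# advertising SSID "demo-ap" on channel 6.
SAMPLE_BEACON = bytes.fromhex(
    "00 00 08 00 00 00 00 00"          # radiotap: version 0, pad, len=8, present=0
    "80 00 00 00"                      # frame control (type mgmt, subtype beacon), duration
    "ff ff ff ff ff ff"                # addr1: destination (broadcast)
    "02 00 00 00 00 01"                # addr2: source
    "02 00 00 00 00 01"                # addr3: BSSID
    "10 00"                            # sequence control
    "00 00 00 00 00 00 00 00"          # timestamp
    "64 00"                            # beacon interval (100 TU)
    "11 04"                            # capability info
    "00 07 64 65 6d 6f 2d 61 70"       # IE 0 (SSID), len 7, "demo-ap"
    "01 04 82 84 8b 96"                # IE 1 (supported rates)
    "03 01 06"                         # IE 3 (DS parameter set): channel 6
)
# The same beacon with a zero-length SSID element, as a hidden network sends it.
SAMPLE_HIDDEN = SAMPLE_BEACON.replace(
    bytes.fromhex("00 07 64 65 6d 6f 2d 61 70"), bytes.fromhex("00 00"))

MGMT_HDR_LEN = 24          # 802.11 management frame header
BEACON_FIXED_LEN = 12      # timestamp(8) + beacon interval(2) + capability(2)


def parse_beacon(pkt):
    """Return {'bssid', 'ssid', 'hidden', 'channel'} for a beacon or probe
    response wrapped in a radiotap header, or None for any other packet."""
    if len(pkt) < 4:
        return None
    rt_len = struct.unpack_from("<H", pkt, 2)[0]        # radiotap length, little-endian
    frame = pkt[rt_len:]
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0 or subtype not in (8, 5):               # 8 = beacon, 5 = probe response
        return None
    info = {"bssid": ":".join("%02x" % b for b in frame[16:22]),
            "ssid": None, "hidden": False, "channel": None}
    pos = MGMT_HDR_LEN + BEACON_FIXED_LEN
    while pos + 2 <= len(frame):                          # walk the tagged parameters
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:                              # truncated element: stop, never overread
            break
        if eid == 0:                                      # SSID element
            if elen == 0 or body.strip(b"\x00") == b"":   # empty or all-NUL means hidden
                info["hidden"] = True
                info["ssid"] = ""
            else:
                info["ssid"] = body.decode("utf-8", "replace")
        elif eid == 3 and elen == 1:                      # DS parameter set carries the channel
            info["channel"] = body[0]
        pos += 2 + elen
    return info


def sniff(iface="wlan3mon"):
    """Print each (BSSID, SSID) pair once. Needs root and a monitor-mode
    interface; the interface name is an assumption for this example."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((iface, 0))
    seen = set()
    while True:
        info = parse_beacon(s.recv(4096))
        if info is None or (info["bssid"], info["ssid"]) in seen:
            continue
        seen.add((info["bssid"], info["ssid"]))
        label = "<hidden>" if info["hidden"] else info["ssid"]
        print("%s ch=%s %s" % (info["bssid"], info["channel"], label))


if __name__ == "__main__":
    import sys
    sniff(sys.argv[1] if len(sys.argv) > 1 else "wlan3mon")
```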
Now, as soon as you run your machine, your network manager automatically will start wpa_supplicant if you have a wireless card. If wpa_supplicant is configured to run its control interface, you should actually find it in /var/run/wpa_supplicant. Interestingly, the control interface file has the exact same name as the interface, right? wlan3 in this case. Now, any time you need to go ahead and talk to the existing running version of wpa_supplicant, you actually use the control interface.

So let's look at some very simple examples. Now, the best way to learn the control interface is to use a utility called wpa_cli. Has anyone used it? Okay, this is like one of the little hidden gems. I mean, if you use wpa_cli you can automatically figure out the entire control interface. So if you run wpa_cli without any arguments, it'll automatically go inside the /var/run/wpa_supplicant directory, figure out the control interface file and, in a way, attach to it. So now it can monitor and look at what is happening on your current running instance of wpa_supplicant. So if you notice, we just got two events here: CTRL-EVENT-SCAN-RESULTS and WPS-AP-AVAILABLE, right? So you could actually write your own airodump-ng just by going ahead and invoking wpa_cli with scan_results, and there you go: you have a ton of information about everything wpa_supplicant, and in turn your network manager, sees. It also tells you which of the APs are WPS enabled. I don't know if airodump supports this at this point; is Thomas here? No. I haven't seen WPS being tagged anywhere. And this does not require any special cards: if you have a functional Linux system with a wireless card on it which works, you can run wpa_cli on it. This does not require an Atheros card or an Alfa card or any special hardware, right?
It'll just work out of the box. Now, there are tons of different commands you can actually use with wpa_cli. It's probably the easiest way to get started with wpa_supplicant, which can be very confusing if you look at what is available in the config. Now let's try and look at whether we can automate some of these things. Right, so you could play with wpa_cli later on; it's completely command line, with a ton of help out there. And all you have to do is configure a network. As an example, you'll use add_network; it actually returns an ID to you, and then you go ahead and, you know, add the network configs and all of that. It's a great tool if you want to configure, but this talk is about automation, so I'm not going to talk about how to use wpa_cli, right? But definitely have a look at it.

Now let's look at how we can control wpa_supplicant using the wpa_ctrl APIs. Okay, let's wait for it. Something's wrong. Someone's watching over me. Okay, so I'm trying my best not even to, you know, move a muscle on this side so that the cable doesn't get shaken up in any way, but hey.

Now, interestingly, there is only one Python extension available for wpa_ctrl, called pywpactrl; you can actually go to GitHub and get it. Originally the author of wpa_supplicant had published this with some demo code in there. Unfortunately, he didn't maintain it, so pywpactrl is the one which is updated with some small patching here and there. So remember to download that. Once you do that, you basically have the power of Python to control your wpa_supplicant interface. So I'm going to open up another tab and just start wpa_cli on this. Interestingly, you can have multiple agents polling the same control interface and even sending and receiving commands, right? So we'll use wpa_cli just to look at the kind of events which are happening in the background, just so that you don't have to watch me type in stuff.

Using wpa_ctrl is actually quite easy. All we have to do is import wpactrl, as expected. Now, once you do that, you need to tell wpa_ctrl where the control interface exists, which is /var/run/wpa_supplicant/wlan3 in our case. So we're going to go ahead and define that as the control interface. All of the sample source code will be available for download; I'll give you a URL and you can download it. Now, after this, you can actually tell wpa_ctrl to open and get a handle to this control interface. Right, this is done very simply with wpactrl.WPACtrl, giving it the path to the control interface. Now, once you do that, you can actually go ahead and ping the interface, and if everything works fine, you should get back a... anyone? If you ping it, what do you get back? A PONG. Right, so that's basically their own internal quick heartbeat test mechanism. So you can ping it just to ensure that, hey, do I have a stable connection? Is the control interface still running? And all of the commands which we talked about here can actually be sent over the wpa_ctrl interface. I mean, it's just fantastic. Total hidden gems in here.
I mean, you can actually automate live attacks and a ton of stuff. Now, interestingly, with just a couple of lines of Python you can actually control wpa_supplicant and tell it to scan the network. So before we do that, you can look at the status of the interface by just using STATUS. Right now it says, hey, it's inactive, not connected, not really doing anything, and it just gives you a MAC address. Now we can request a scan. Now keep in mind, your network manager is already talking to wpa_supplicant and requesting it to scan the air, probably once every minute. One of the ways you can stop that is to kill the network manager, or stop it, and then start your own instance of wpa_supplicant with the right config option so that the control interface is available. Right, then you might not have the network manager interfering. So a lot of times when you actually try to run a scan you might actually get an error, "busy". Right now it says OK, which is great, and if we go back here, let's try scanning once again. So we are requesting a scan, and a couple of seconds later you'll actually see scan results available. So this is the wpa_cli interface, which is also monitoring all the live events which wpa_supplicant is publishing on its control interface. So the moment we have scan results, and that's something you can monitor in Python as well, you could very simply go back and pretty much write your own version of airodump. There you go. Isn't that great? And you could just run this in a loop, you know, time it once every couple of seconds, and then you can get all the results. Interestingly, if the network manager is running you do not even have to do anything; it'll automatically scan periodically. There are also event-based mechanisms where you can be told when a scan is complete, for people who've programmed, like a callback, right, so that you receive a callback and you only handle events when they happen, rather than having to poll for events continuously.

Now here is one quick word of caution: if you run scan successively, really quickly, you're actually going to get FAIL-BUSYs. Now, all of these scan requests are actually getting cached, so after some time you'll actually have wpa_supplicant quickly process them one after the other. Now, this is something you would need to handle in your code, and you'll actually see the error busy, or the FAIL-BUSY, quite a lot. Sometimes it's probably channel hopping, still collecting stuff. So you cannot time it; you can't say, okay, after five seconds I can be sure the scan results are available. You can't do that. One mechanism is, if you poll, you have to check for the return value. The other is where you subscribe and wait for the right event. Right, we'll talk about the event-based mechanism a little later.

Now, wpa_cli actually has like a ton of commands in there. Let me see if I can pick something up. Okay, I'll share this document as well. This is a draft of one of the chapters I was writing for our next book. But wpa_cli, if I just quickly scroll down, just to show you the relevant part before we can move on to other interesting things: so you can actually configure WPA-PSK, WPA2-PSK, enterprise networks and all of that using wpa_cli. So here is an example, you know, scroll up, here is an example of how to configure a WPA-PSK network using wpa_cli. So we first do an add_network; this returns an ID, and we need to use that ID now to reference that network configuration every time we talk to wpa_cli. So after that, we're going to go ahead and change, for example, the SSID, and the way you'd like to scan. So wpa_supplicant even allows you to decide whether you would like to send things like null probe requests or just silently wait for beacons; all of that can be configured. Now in the case of PSK, auth_alg is going to be OPEN, it's WPA-PSK, we're using TKIP, and then finally we use the PSK.
This is demo123. mode defines whether this is infrastructure or an independent BSS. And very similarly you could actually go ahead and configure WPA2-PSK and enterprise as well. So I'd highly recommend using and looking at wpa_cli; as I said, it's the best way to learn stuff.

Now let's actually look at some serious scripting which we can do. So, event monitoring. Here's a simple example of how to monitor events, really very simple. All you have to do is call attach, and after that you can just wait, receiving events. So wpa.recv is a blocking call, so any time a new event is available you get woken up. Now, if you're thinking, what about individual events, can I just subscribe to a scan-result event? Well, the control interface does not support that directly. You probably have to write your own wrapper around it and then call whatever code you want depending on what event you've received.

Now, one of the things I'd always wanted to do is write a live WPA-PSK attack tool. I mean, there is nothing more than academic value to that. Now here is what I mean by that. Let's take a word list. How do we crack WPA or WPA2-PSK right now? Can anyone just explain while I connect? What if there is no client around? What if you're an impatient person? So one of the interesting things which you can look at, and this actually applies to a lot of stuff, is: what if, I mean again there isn't much of practical value to this, but the best part is you can still do it, what if we could actually take passphrases out of a word list and try and check every single passphrase against the access point, live? Now when you look at something like aireplay-ng or many of these tools, they are stateless, which is, most of them operate typically with the single-packet principle, right? You send a de-auth, you forget about it. You keep sending de-auths. Doing a fake authentication actually is easy: just a probe request/response and the assoc stuff. Trying to verify a WPA passphrase live against an AP is non-trivial. You actually need to have the entire WPA stack available, including things like looking at the four-way handshake, checking, you know, the different nonces, creating your PTK and then finally verifying that against the MIC, right, which is like a signature over some of the four-way handshake packets. Only then do we actually know that, hey, the AP and I both have the same passphrase.

Now, how do you do something like that if you wanted to? And actually this attack and automation doesn't just apply to WPA-PSK; any time you actually want a full network stack available to you, and where you'd like to try different attacks, you would probably have to use the control interface of wpa_supplicant or hostapd. Right, hostapd also has a control interface. So how do we do that? Okay, so I'm going to show you what this script does in just a bit. So it's a WPA-PSK live cracker, and what it does is it goes through a dictionary, picks up individual passphrases and tries them against the access point live. Yeah, right. The reason I did not mention the SSID and all of that yet is I know the CTF guys would immediately go ahead and send de-auths and stop this from working. So now I can go back to the script and show you how this works. The same template can be used for any stateful attack. So let's say you would like to create an access point on demand and, you know, an MITM setup; you could go ahead and use the control interface for hostapd accordingly. How does the code look? All of these Python scripts will be shared after the class so you can run it yourself later on. Now if you recall, I'd shown you wpa_cli's config on how you can go ahead and create a network and set different parameters for that network, right?

So we are going to be using wpa_ctrl's API to simulate all of those steps, but inside our own code. So for every single passphrase in our word list, we go ahead and create the appropriate network setting, and then we tell wpa_supplicant to actually run and try and connect to that. So if I were to monitor wpa_supplicant while this attack is going on, you'd probably really appreciate what is happening in the background and why it is so heavyweight that you need a full-blown stack. So I'm running this, and you actually start seeing the traces on wpa_supplicant. If you notice, it's trying to authenticate, associate; right, this is wpa_supplicant trying to do the four-way handshake, and there you go, the first attempt: the four-way handshake failed. Do you see that? Right, and it basically disconnects. Then I give it the next passphrase, and then it goes back and tries again. The second one, right now, is right on the list. So finally key negotiation succeeds and we are able to connect to the network. So by monitoring all of these state changes you can actually write your own stateful tools, which probably can launch more sophisticated attacks after connection. Here is another simple example. Let's say you want to check every single open SSID and verify which one has free internet access on it. Right, how do you do that right now?
If I told you to write a script, connect to every network, right, and tell me if this has internet available, without maybe, you know, any form of captive portal on it, or if it has a captive portal then maybe capture the captive portal's page and store it somewhere, right? So you could use the exact same process. All that would differ here is we would first scan the air. Do you recall when we called scan_results, when we did the whole wpa_ctrl scan and then we got the scan results? And for every AP in the scan results, we go ahead and try and connect to it based on the security parameters which we see, which of course in this case is open, does not have any form of encryption. Once that is the case, we try and connect to that access point and see if that succeeds; wpa_supplicant will raise the event, and then you can actually even call the DHCP client on that interface (actually you could even have it running), and then you can check if you're able to access servers and things like that. So this is just an easy example; really anything which requires you to do stateful things.

Now if I were to go back, just to look at the complicated part of the script: now all of this looks quite simple, and you don't have to do all the commands again and again; all you have to change is the passphrase every single time. So I'm going through the word list, and for every passphrase all I do is set the passphrase and then select and enable this network. When we do that and send this command to wpa_supplicant over the control interface, wpa_supplicant immediately starts picking up the configuration you created and tries to connect. Now, all of the problems which I faced initially... I mean, I actually thought this would just be 20 lines of code, that's it, but when I started working with it, do you recall all those FAIL-BUSYs? Those events seem to be happening more often than I probably realized. So what I had to do is, any time I run a command I actually have a wrapper on top of it. So this wrapper will actually automatically try to run that command for up to five times if the command keeps failing. Right, so it tries the command, gets back a failure, says okay, let's wait for maybe, you know, a second or two, let's try it once again. So this seems to be the only way, and I finally figured a lot of people were using this as well; you would actually find not exactly this but something similar in Android's wpa_supplicant Python code as well. So literally all your Linux and POSIX systems which use wpa_supplicant, including Android, actually automate most of the connection for the network manager using this exact control interface. Right, there is no other choice, really; I mean, the only other choice is you have a fixed config file which you start wpa_supplicant with, while a network manager needs the flexibility to be able to change the network based on what the user selects. So this was one of the things I had to write. It's actually very simple: you know, all I do is a while 1 and I go ahead and keep trying, catch the exception (people who've used Python... if you haven't, every language pretty much has something similar to this), and I just go ahead and try up to the maximum retries. This actually works quite well. Let me actually delete the right passphrase from the word list, and if you go back here you should be able to see the entire traceback.

Now, one of the other things I also managed to do after this is actually fire other automated tools. So as an example, let's say you want some kind of an automated scan to run after connection. So you could control wpa_supplicant, connect to the network, and once you get a DHCP address you can then launch nmap and all of those automatically. Right, so a lot of automation, across not just Wi-Fi but the layers above it, can actually happen with this script as a starting point. I've tried brute-forcing for up to five thousand; of course it takes an astronomical time. As I said, the whole purpose of WPA-PSK cracking live is more academic, and just to illustrate the fact that you can do this without having to write your own network stack of any kind. But it is actually quite stable. The only flaky part was getting the OK-busy and the OK errors from time to time, and if you handle that with a wrapper it's actually quite stable.

Any questions with respect to the control interface? I mean, this is just one example of what you can do. It's up to your creativity and, you know, the task at hand, but any questions so far? [Audience question, partly inaudible: "...control interface..."] Yeah, if you have multiple cards. So here is the thing, right: because in a way wpa_supplicant has a true stack, not a simulated one using raw sockets. So if you look at things like airodump-ng, they sniff packets just using raw sockets, so you could actually run multiple instances of airodump-ng and one instance wouldn't interfere with the other, because there is no true network stack attached. But wpa_supplicant actually has a stack, and unfortunately because of that you can only run one instance on one card. You could run multiple instances, but you need multiple cards for that. The other way you can automate is by doing everything in raw sockets, right, but that is actually very, very painful, given the fact that the WPA four-way handshake and everything which follows after that, including the group key management and the GTKs and all of that, is something which is quite difficult to emulate if you just wanted to do it in, you know, your own fake AP software. But yes, you could; that would be one of the ways to do it. Question? Okay, okay.

Now, one of the other things is something actually even more sophisticated. I'm just going to keep this simple; all the code examples are available. It would probably take a couple of hours to go through what D-Bus is, but at a very high level, a lot of programs use what is called the D-Bus, which can be a
system D-Bus, or only on a per-application basis. Think of this as a message queue at a very high level. Right, so I can go ahead and say, okay, me, wpa_supplicant, can go ahead and receive or send messages on the D-Bus, and anyone who'd like to control me, or probably go ahead and read data from what I'm doing, can subscribe to the same D-Bus. This isn't restricted to wpa_supplicant; actually a lot of software does this on POSIX-based systems.

So here is an example, and this code can be a little intimidating, but actually it is quite simple, of how you can automate a WPA enterprise attack using D-Bus. I'll just explain what it is. So let's say, in the case of PEAP or EAP-TTLS, you probably want to try different iterations of usernames and passwords, just as one other example, right? So in this case we could again use the wpa_ctrl interface which we just looked at. What is the downside with the control interface? The responses which you receive are all text-based, so you have to do the text parsing; most of them are just separated by newlines, so every line is separated by a newline. The D-Bus gives you a pure data structure, right, so that you can actually work with data structures and objects directly, rather than having to use text and maybe try to convert it to whatever compatible object your program requires.

So at the very top, what we do is we mention the different D-Bus parameters. This typically would tell the application where the D-Bus path, interface and all of that is. Now, wpa_supplicant has all of this very well defined in its documentation; right, they have huge documentation for the D-Bus API. Ideally... most of the implementations which I've seen of D-Bus for the supplicant are all C code. Your network manager, for example, actually uses the D-Bus API. Now the D-Bus API provides you most of the interfaces the control one does, but as I said, now you get back objects. If I go back, now most of the process is exactly similar; you just have to do it in the D-Bus way, right, so that you can set up, you know, who you want to send messages to, call the appropriate interfaces and all of that stuff. All this code is going to be available for free. Personally, I haven't seen much of this code around anywhere, so it kind of took me some time to write it, because the documentation around this is poor. The only good place I could find something was Android's documentation, really Android's code for its network manager, which also uses D-Bus, and a couple of other things.

So with this you can actually... I've kind of given scripts here. You can automate scans. So here is an example of me scanning with D-Bus. Now, it almost kills you, given the fact that the last time we scanned we just basically sent scan and we just printed it, right, and everybody clapped. I'm sure when I run this nobody will. So you could actually go ahead and start the scan. Let me show you what the scan looks like using the D-Bus interface. So you need to know the interface ID and run scan wlan3. Now, the best part of using D-Bus is, as I said, everything you receive is objects, so you can actually parse all of these individual parameters very nicely and kind of reuse them in your program. Right, I've parsed some of them; you can parse the rest. Some of them are still placeholders. So you could run the scan, get the list of APs, look at interesting ones and now launch another module to do an automated attack. The wpa_supplicant interface is the only one available right now to actually do very complicated stateful attacks on Wi-Fi. Right, I haven't seen anything else.

Any questions with respect to D-Bus? I mean, I'd probably take at least a day to go through the D-Bus API if I were to teach it in a class, so I just want to keep it high level, so that people can download and try the code rather than me explaining every aspect of it. Questions? Okay.

Apart from this, of course, you also have some of the other code which we are giving out. Scapy, anyone? Scapy? Yay, right, okay. Yeah, so a ton of Scapy code, a couple of interesting ones, including things like monitoring probe requests through Scapy. You can try it. I mean, compared to using wpa_ctrl and the D-Bus API, I think Scapy is Python 101, so it's super easy to use Scapy. There isn't much to it at all per se, so I'm not going to run Scapy code. This zip file should be available at pentesteracademy.com, slash Wi-Fi Village, in the next one hour. I couldn't make my VPN work; I wonder why. So as soon as I get it working, it should be there: pentesteracademy.com, slash Wi-Fi Village. Let me kind of write that out for you. You can download all the code; you can email me in case you're having any issues with the code, or if there is any other interesting aspect of it which you want to know.

Any other questions, queries, about programming your own kind of wireless attack tool which is stateful? All the de-auth and all that is actually quite easy to write; I mean, you could write it with Scapy, you could do it in raw sockets. Most of them are just single-packet or at most a couple of packets. Those are quite easy to write and maintain. Even the fake-auth, I'd actually recommend using Scapy. Scapy has a couple of functions where it can actually wait for the response, where it understands that if I send out a probe request I'm looking for a response, or if I send out an assoc request I'm looking for a response. So I'd recommend Scapy up to fake-auth. Beyond that, if you want to do anything stateful which is stable, you probably look no further than the wpa_ctrl APIs. Extremely stable code, very well written. You know, being a C programmer, I actually looked at the code and, I mean, you know, it's way better than what I could probably ever write, being around probably for the last 15 years. So it's a fantastic code base. Every POSIX system uses wpa_supplicant and hostapd.
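An added example of driving the wpa_supplicant control interface from Python (my code, not the speaker's scripts or pywpactrl): it speaks the same text protocol the wrapper hides, covering PING/PONG, ATTACH for events, SCAN behind the FAIL-BUSY retry wrapper, waiting for CTRL-EVENT-SCAN-RESULTS instead of sleeping, and parsing SCAN_RESULTS into records that flag WPS-enabled and open networks, which is the survey a defender runs to spot rogue or misconfigured APs. The socket path /var/run/wpa_supplicant/wlan3 is assumed; the parsing and retry functions work offline on constructed input.

```python
import os
import socket
import time


class WpaCtrl:
    """Speaks the wpa_supplicant control protocol directly: text commands over
    a Unix datagram socket, text replies, and (after ATTACH) "<prio>"-prefixed events."""
    _count = 0

    def __init__(self, ctrl_path):
        WpaCtrl._count += 1
        # wpa_supplicant replies to whatever local address we bound, so bind one.
        self.local_path = "/tmp/wpa_ctrl_%d-%d" % (os.getpid(), WpaCtrl._count)
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        self.sock.bind(self.local_path)
        self.sock.connect(ctrl_path)
        self.sock.settimeout(5.0)
        self.events = []      # events that arrived while we were waiting for a reply

    def request(self, cmd):
        self.sock.send(cmd.encode())
        while True:
            msg = self.sock.recv(4096).decode(errors="replace")
            if msg.startswith("<"):          # an event, not our reply: queue it
                self.events.append(msg)
                continue
            return msg

    def recv_event(self):
        if self.events:
            return self.events.pop(0)
        return self.sock.recv(4096).decode(errors="replace")

    def close(self):
        self.sock.close()
        os.unlink(self.local_path)


def request_with_retry(send, cmd, max_retries=5, delay=1.0, sleep=time.sleep):
    """Retry on FAIL / FAIL-BUSY, which wpa_supplicant returns while a scan is still running."""
    reply = ""
    for _ in range(max_retries):
        reply = send(cmd).strip()
        if not reply.startswith("FAIL"):
            return reply
        sleep(delay)
    raise RuntimeError("%s failed %d times, last reply: %s" % (cmd, max_retries, reply))


def parse_event(raw):
    """'<3>CTRL-EVENT-SCAN-RESULTS ' -> (3, 'CTRL-EVENT-SCAN-RESULTS', '')"""
    prio, rest = raw[1:].split(">", 1)
    name, _, args = rest.strip().partition(" ")
    return int(prio), name, args


def parse_scan_results(text):
    """SCAN_RESULTS: a header line, then per BSS bssid, frequency, signal, flags, ssid (tabs)."""
    aps = []
    for line in text.splitlines()[1:]:
        parts = line.split("\t")
        if len(parts) < 4:
            continue
        bssid, freq, signal, flags = parts[:4]
        aps.append({
            "bssid": bssid, "freq": int(freq), "signal": int(signal), "flags": flags,
            "ssid": parts[4] if len(parts) > 4 else "",     # empty for hidden SSIDs
            "wps": "[WPS" in flags,                          # [WPS], [WPS-PBC], ...
            "open": not any(k in flags for k in ("WPA", "RSN", "WEP")),
        })
    return aps


def wait_for_event(ctrl, name, timeout=30.0):
    """Block until the named event arrives instead of guessing how long a scan takes."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            raw = ctrl.recv_event()
        except socket.timeout:
            continue
        if raw.startswith("<") and parse_event(raw)[1] == name:
            return raw
    raise TimeoutError("no %s event within %.0fs" % (name, timeout))


def survey(ctrl_path="/var/run/wpa_supplicant/wlan3"):
    """One scan cycle over the assumed socket path: PING, ATTACH, SCAN, wait, SCAN_RESULTS."""
    ctrl = WpaCtrl(ctrl_path)
    try:
        if ctrl.request("PING").strip() != "PONG":
            raise RuntimeError("control interface at %s not answering" % ctrl_path)
        ctrl.request("ATTACH")
        request_with_retry(ctrl.request, "SCAN")
        wait_for_event(ctrl, "CTRL-EVENT-SCAN-RESULTS")
        aps = parse_scan_results(ctrl.request("SCAN_RESULTS"))
        ctrl.request("DETACH")
    finally:
        ctrl.close()
    return aps
```

Run survey() as root on a host where wpa_supplicant exposes its control socket; each record's "wps" and "open" fields are what you would sort on to review the neighbourhood.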
By the way, they haven't published the interface for hostapd, but you can tap into similar stuff and work with it as well, by creating fake APs. Why is it better to use hostapd over something like airbase-ng? Anyone? What is the difference, and where is it important to realize the difference? How many of you have used airbase? Okay. How many of you have never created a fake AP? Okay, all people. So people who used airbase: you know, could we use airbase if you wanted to do WPA enterprise? WPA enterprise honeypots, if you wanted to create a WPA2 PEAP- or TTLS-based honeypot where you also have a back-end RADIUS server; actually we did a bunch of demos yesterday in the last class we took, but maybe some of you weren't here. So could we do that with airbase? Why? [Audience: "But if we work in monitor mode, we get all packets."] So airbase could actually pick up all the packets and do the needful, right? I mean, you're close, but not close enough. Go ahead, give it a try. Okay, you're close. Let me give the answer. So basically what airbase cannot do is low-level EAP packet redirection. Right, so when we look at WPA enterprise, all the initial network logon over 802.1X happens using EAP. I mean, EAP isn't IP; EAP is a protocol in itself. So airbase doesn't understand EAP, and airbase doesn't work, right now at least, and it cannot redirect EAP packets to the RADIUS server. hostapd can. Yeah, I mean, you could modify any tool if you added the support, but right now there isn't any support, is what I mean. Yeah, I mean, you could modify any source code to add any support you like, but as of this point there isn't. Right, I mean, it isn't a limitation of it conceptually; it's a limitation in the sense of not being implemented. Right, any questions? Any other questions? So you can download this code in maybe an hour's time; the link should be up. And if you have any questions about programming or automation with Python: we did the very first Python for Pentesters course online in the world, so we love Python. So if there's anything, just send us an email. Thank you.