Hello, everyone. So this is the first time I've spoken out loud for like a day and a half, because I lost my voice and I've been walking around like a breathy Hannibal Lecter. So if I suddenly start squeaking like a teenage boy, please forgive me. I'm just going to be sucking on this thing. So today we're going to be talking about some Wi-Fi hacking stuff. In particular, we're going to be talking about rogue access point attacks, or evil access point attacks, or whatever you feel like calling them. And it's kind of a continuation of a talk that we did in 2014, where we released something called the MANA toolkit. So the way we're going to talk about stuff is there are three scenarios, and you might not be doing exactly what the scenario is describing, but I'm just using them as examples to kind of go through some of the capabilities, tools and techniques that we'll be releasing today. So my name's Singe. This is Michael Kruger, _cablethief, but we're trying to call him Squirtle Boy, so if you're looking to give him a nickname, please help us out there. We work at a company called SensePost. It's a penetration testing company based predominantly out of South Africa and London. We've been going for about 18 years. We were told we weren't allowed to use PowerPoint, so this is a PDF. That used to be an animated GIF in the corner. All right, so the first scenario, we're going to jump straight in. In 2012, a colleague of mine, Glenn Wilkinson, and Daniel Cuthbert released something called Snoopy. Anyone here ever use Snoopy? Three people. Sorry? Sorry, I can't hear you. So Snoopy was a framework for tracking wireless devices, trying to geolocate them based on networks that they were looking for, and then using the fact that the device ID was unique. Fortunately, in 2018, Snoopy is dead. Yeah, they killed Snoopy. And the primary reason Snoopy is dead is because there have been some changes to the way device manufacturers make their things work across Wi-Fi.
So the first thing is that passive sniffing mostly doesn't work anymore. There are two reasons for that, which I'll go into now. And the other thing is that device manufacturers have changed the default behavior, so that instead of a device going, "Hey, is my home network nearby?" it just says, "Hey, are there networks nearby? And is one of them my home network?" So it tries not to reveal the networks it's looking for in its preferred network list. But first I'll speak about the spectrum issue. So this is a really awesome tool called WiFi Explorer. It's commercial, but if you want to play with Wi-Fi, it's good. It's not a hacking tool; it's more like an understanding tool. And this is their default view for the Wi-Fi spectrum, so the 2.4 gigahertz and 5 gigahertz spectrum. Actually, that bottom one was a snapshot I took at the Black Hat keynote that Parisa Tabriz gave. It's just an insane number of access points. And when you look at a picture like this, you get the idea that the 5 gigahertz spectrum is a little bit bigger than the 2 gigahertz spectrum. But in reality, the 2 gigahertz spectrum has three non-overlapping 20 megahertz channels, so if you put something on channel one and two, they technically overlap. But the 5 gigahertz spectrum has 24 non-overlapping channels. So what that means is, if we were to draw this to scale, it looks a little more like this. There's way more 5 gigahertz spectrum available for Wi-Fi than there is 2.4 gigahertz. And so if you want to passively monitor all of that stuff: before, you could do things like hopping channels and stuff; now, if you're hopping through all of these channels, you're just going to miss lots of it. So instead, you have to engage in the very practical and very good-looking attack like this. It's really great for OPSEC. Clients never see you coming. It's the Pineapple on the top; it distracts them. So that's not hugely practical to try and figure out what devices are doing in the Wi-Fi around you.
And we want to do it without that. I'm from Africa; we're cheap. So what we can do is we present ourselves as an access point. And wireless clients are already very good at finding access points and then broadcasting their management frames at them. So if we're an access point, then the devices come to us. We don't have to go to them and monitor all of the spectrum. So this is why it's quite desirable to do some of these more active attacks rather than plain passive attacks for tracking purposes. The other thing that changed is devices are probing much less. For some reason, we were a little prescient in 2014 with that. So we implemented something called Loud Mode, which provides an ability for MANA, and tools that use something similar, to learn networks nearby and re-broadcast them. So maybe your device isn't actively probing for Bob's House of Pain, but your older iPad in your back pocket is, or somebody you went there with last night is. And then we can learn that that's a network that somebody might be connecting to and re-broadcast it to your devices, and learn other nearby networks. But the problem we end up with is anonymous devices. So manufacturers wanted to make it so that you couldn't uniquely identify devices, so increasingly they use these randomized MAC addresses, and that's what you see flying around. Last year at DEF CON, Denton Gentry, I'm sorry if I'm butchering that, did some really cool work into creating unique signatures for Wi-Fi devices. And that got built into hostapd, which is predominantly what MANA is built off of. And so that gave us a really cool way of de-anonymizing devices. You probably can't tell, but I drew that myself. And let me give you a practical example of what that looks like. Thank you. I mean, this is the best part of the whole talk, just to be clear.
All right, so we've got four devices, and they're all probing for some non-unique network called Internet. So if they're probing for something unique, then maybe we could identify a device because no other devices are probing for that, but with these ones, we don't know which device is which. Now, the one thing we've implemented in MANA is random device detection, so the output will mark whether something's a randomized MAC address or not. So if we put that stuff in there, and this is taken from actual MANA output and imported into Maltego, which makes this really easy, we can see that there are two randomized MAC addresses and two non-randomized MAC addresses. So we can maybe start making some guesses that some belong to the others, but we don't know which randomized probe belongs to which legit MAC address, and we don't even know that these randomized probes belong to those MAC addresses. So what we did is we took Denton's work and we extended it to generate the signatures also for devices before association, so that in MANA we can get these device signatures. So if we put that in there, this shows that there are two devices, so probes one and three belong to one device and probes two and four belong to another device. So he did some really cool work, and it allows us to effectively de-anonymize devices. So things like Snoopy can work again, because you've got something like Loud Mode getting them to advertise the networks they connect to, and then you've got signatures which allow you to de-anonymize the device, so you can start tracking individual devices again and be creepy. And I'm not showing you lots of detail about how to do that stuff, because for a change I put a lot of work into documentation, and so the hostapd-mana wiki has got a massive amount of information labelling all of the different configuration options and what they do and how to make it work. I'll give you links to these things at the end, so don't worry too much about taking pictures now.
Okay, so that first scenario was talking about tracking and probing, and it's kind of well-trodden territory. We've made some changes there but didn't want to spend too much time on it. So next we're going to look at enterprise networks, so these are EAP, TLS kind of things that most people are running at companies. And so this is the domain where something like hostapd-wpe, Wireless Pwnage Edition, has traditionally done its work. MANA was also doing some of this stuff in 2014, and we've made some changes there. The nice thing about having both of these capabilities in MANA is you can get lots of devices to connect to you and you can also get lots of passwords from devices. So being good at getting devices to connect to you also helps for this part. All right, so the most common implementation is the evil twin attack. So this is Spock's evil twin from the Mirror Universe. In an evil twin attack, you create an access point that looks the same as the legit access point that you want to go after. And when people talk about it, they mostly say that's all you do, you just make another access point. You've got fancy enterprise access points that implement all sorts of crazy 802.11ac stuff really well, with well-engineered antennas well placed in the ceiling, and you're walking around with like a dinky Alfa card in your backpack. You're probably not going to beat the enterprise AP. So what often happens is then people do things like deauths, and so people start implementing management frame protection, 802.11w, and this becomes much harder. So actually, the way I'd recommend you do this is go buy a fancy enterprise access point like a Ruckus or an Aruba, and then you can use MANA as just a plain back-end RADIUS server, and it'll actually capture the creds there. Now this is something that's already implemented in hostapd-wpe. And if any of you are familiar with Celeste Barber, she takes pictures of celebrities and then she kind of rips them off, and it's pretty hysterical.
Most of them are her awkwardly wearing underpants, so this was the least awkward one I could find. And so we did the Celeste Barber to hostapd-wpe with MANA. So Brad Antoniewicz and Joshua Wright, in 2008, released FreeRADIUS-WPE and the asleap tools, which sort of were the first attacks against EAP networks where you could capture credentials and crack them. So that stuff's been in MANA for a while. I've cleaned it up, cleaned the output up. People kept sending me rude messages saying they have to hand-carve things into hashcat and stuff, so now it just displays it right. But what I've also done is I've extended it so it does more EAP modes. So at the moment it does about 13 different EAP modes. It'll try and capture creds: plain text, CHAP, MS-CHAP, MS-CHAPv2, GTC, things like that. And about seven of those are fairly well tested in real client environments, and that's working quite well. But we did some other stuff too that I want to take you through. So here's another back-of-the-napkin drawing I attempted, to describe how EAP connections work. So the first thing that happens is a Wi-Fi connection; if you're familiar with aireplay, if you do a fake auth, that's that first part. And then these tunnelled EAPs, so PEAP, TTLS, their security comes from this TLS session that it creates. So the idea is we use best-practice TLS stuff, and then we can do crappy MS-CHAP inside that tunnel because it's protected by TLS. Now the sort of fundamental flaw in all of this, and I'll cover it in a bit more detail now, is that we don't have a very good way of validating certificates in the wireless world, and I'll get into that in a second. And so then you've got this MS-CHAP challenge-response. Now MS-CHAPv2 provides a method for proving that the access point knows the password and proving that the client knows the password.
So what we did in 2014 is we did this auto-crack-and-add thing, so that if you capture the passwords it'll try and crack them, and if it's weak enough you can quickly add it to the RADIUS users file; if the device tries to reconnect, you're man-in-the-middling it then. But then Brad, in hostapd-wpe, implemented something he called EAP-Success. So instead of doing that, because the access point can't prove that it knows the password if it hasn't cracked it, it would just send an EAP-Success back. And I thought this was silly, because why would that work? And then Michael kept telling me I must make it work, and he wouldn't let up, really wouldn't let up. And so I eventually spent a hot evening digging through code trying to figure this out, and what it actually turns out is that all Mac and iOS devices have a broken implementation, so they won't validate that the access point actually knows the password. If you send an EAP-Success, they'll just be like, okay, sure, I'll connect. I mean, from iOS 9; I've tested it on iOS, my latest one on here, my latest macOS. I've reported it to Apple; we kind of had the discussion on Twitter. And Brad had built this functionality ages ago, so it's not really a zero-day, but it's an interesting thing to know. So you don't need to use things like auto-crack-and-add with iOS; they'll just connect.
And then the other thing is the certificate validation problem. So on the left-hand side is the legitimate certificate chain for DEF CON's Wi-Fi certificate, and on the right-hand side is a cloned version of that chain. It's using a colleague of mine Rogan Dawes' tool called apostille, which is good for cloning certificate chains rather than just an individual certificate. And now on something like iOS, and some other supplicant devices, if you connect to a Wi-Fi network it'll pop up the certificate, and it can be signed by a valid cert authority and it'll still pop up the certificate for you to hand-validate. So if I saw the certificate on the right and it had all the DEF CON things, everything looks exactly the same, except for the hashes, and humans aren't very good at memorizing long strings of hashes. So for things that try and force you to validate on the actual certificate, that becomes problematic if you aren't doing automated rollout to client devices. And even then, if you are doing automated rollout to client devices, we've got this problem with IT where client devices tend to stop being compliant with your policies, and you always end up with that one MS08-067 or that one poorly configured supplicant. Then, on the flip side, there are a bunch of supplicants which will validate on the CA, the certificate authority. So wpa_supplicant, used in Linux and Android, does that; Windows' default configuration will do that. And so here you can see that DEF CON bought a certificate from DigiCert, so I can go spend $150 (I mean, they know Let's Encrypt exists) and then I can buy a certificate with the same CA. It doesn't have to be a DEF CON certificate; I can present that on my rogue access point and Windows will connect to it. I tested, just to make sure I wasn't going crazy: I used DEF CON's configuration, complete with your username and your password all in bold, put up my rogue access point, and the things happily connected to it. So there's no option in wpa_supplicant at the moment to
validate on the actual certificate, which is kind of stupid. And in Windows you've got an option to validate on the actual hostname, so you can see it's wifi-redge.defcon.org; I can't buy a certificate for that. So if you validate on the actual server name, like DEF CON instructed you to, then actually Windows is in a pretty good place. Only one guy? Hope Microsoft's paying you well. And then for iOS they pushed out a mobile profile, like an MDM profile, basically an Apple configuration profile, to validate on the exact cert, which works quite well, although I fat-fingered it. I've got this problem with Wi-Fi certs: so if any of you saw Parisa Tabriz's keynote at Black Hat, she was talking about how they're trying to get rid of SSL, or HTTP, pages, and they've got this consistent set of iconography, and I was thinking, what a nice problem they have. Like, when your problem is just trying to get people to do something everyone knows they should, and you need to make some icons more consistent... Wi-Fi devices don't even have a consistent way of validating server certificates. I mean, we're in a pretty bad place there. And all of this is just talking about if somebody's actually trying to put effort into validation, because most of us, and most users, will click on the Wi-Fi network, type in your username and password, and "Yeah, whatever the certificate, okay." But the general recommendation is to use something like EAP-TLS. So again, a very advanced diagram of EAP-TLS. And what EAP-TLS does is it does away with the certificates, I mean the passwords, and you just have certificates. It's mutual authentication, so you've got a client certificate and you've got a server certificate. "We'll just use EAP-TLS." Except the problem is, with normal TLS you create an encrypted tunnel and then the communications can continue. In Wi-Fi, it's kind of a once-off authentication; afterwards the tunnel is torn down, then you have the WPA2 handshake and then normal Wi-Fi stuff. So what that means is if the client is not
validating the server certificate, then you can just accept whatever certificate it sends you, and yeah, now you're man-in-the-middling. EAP-TLS isn't necessarily a fix for this. As a matter of fact, it comes down to the exact same security decision as the PEAP/TTLS decisions: it's a single certificate validation of the server certificate. So all of that problem with server certificate validation and Wi-Fi kicks back in. So this was actually implemented in MANA in 2015 by meatballs (thanks, guy), and then I broke it, sorry, and then I fixed it again about a month ago, so that works again. Okay, but then Michael one day was cracking some Wi-Fi hashes and he noticed that hashcat, let me go here for the moment, hashcat uses mode 5500, I think, for cracking MS-CHAP hashes, which is also NTLMv1-ESS. And he thought, hey, there's this NTLM relay thing; maybe I could do like an MS-CHAP relay. And so he came up with what he's calling sycophant; it's a play on supplicant. And so the idea is that you can have two separate devices: you can have MANA being a rogue access point negotiating a session with a victim device, and then you can have wpa_sycophant negotiating a session with a legitimate target access point. So those two don't need to be physically near each other; they just need an internet connection. So you can be targeting someone at their house and then have the other thing at the target organization. And what's really nice about this is you don't have to crack the password, so if it's longer, you still get connected to the network fairly instantly. And so Michael's going to give you a demo of what that looks like, and we're going to release that toolset today. Thank you, Dominic. So I've broken this demo down into three parts. The first two parts do happen simultaneously, because the two things need to be happening at the same time, but the first part is I'm just going to show you what MANA looks like when it's pretending to be the corporate AP, and then the second part is sycophant retrieving the
required information from MANA to connect to the legitimate corporate AP. So in this scenario we can imagine that there's a chap at home; he's got his device for the BYOD network, but it also uses domain creds. So if we just relay this thing, we should be able to connect to the normal AP, or the normal legit corporate domain. So here's the command for running MANA. We put it on a Pi and throw it in his garden, and hopefully our access point is stronger than his little router that he got from his internet service provider, and hopefully he's not got any of the certificates properly pinned, those sorts of things. So I'm just grepping out the relevant information, otherwise there's a lot of noise, so I'm just grepping for sycophant and MANA. I've added a config option to MANA to say enable sycophant, which just instructs it to not generate, well, it still generates a challenge, but to not use that challenge, rather retrieve a challenge from my supplicant, sycophant, to be passed to the client. I just run this and we wait for the chap to connect. Here they've initiated a connection with us, so the phase 1 identity and the phase 2 identity. Phase 1 establishes that outer tunnel; phase 2 is starting the actual EAP, the MS-CHAP handshake. There is a delay after this, because now sycophant is starting up on the other side and is trying to play catch-up, so it's quickly connecting to the actual corporate AP and getting the challenge, which is then passed to MANA to present to the client so that we may get a valid response. As you can see here, it's retrieved the... the first auth challenge contents is what hostapd, our rogue, generated, but we don't want to use that one, so there's auth challenge contents after copy, which it's actually gotten from the legit access point. We send that to the client, John in his bedroom, and his phone has decided that our access point looks more appealing, so it knows the password, it generates a response using our hash. MANA takes that response, writes it down to
a file, and essentially passes it on to my sycophant, and we get the hash anyway in case we want to crack it later. So then next we have the other half of this equation, which is my sycophant, wpa_sycophant. I'm running it using the adapter ending in u6, thanks to the new naming convention, once again grepping out the relevant data, and I'm also grepping for an EAP failure, just to show that there's not one. So we run it, and the config is now... so this is now happening here in proximity, in close proximity, to an actual legit corporate AP, because we want to connect to it. So this portion has to run close to your client. So then you just put where you want to connect to in the config file, using the standard wpa_supplicant syntax, and we don't need creds, so we leave those blank. Cool. So what we've got here is phase one came in and supplicant, well, sycophant, immediately starts to connect to the access point. It gets the challenge data, passes the challenge data to MANA and waits for the response. MANA at this point has been waiting for a little while, the client's been waiting for a little while, they're both edgy, and they immediately come back with the response; see here the MANA contents. Cool, take that response, we pass it off to the access point, the access point goes, "Okay, cool, you've shown me you know the password, success, you're done, now you're connected." Brilliant. I specifically didn't run DHCP this time, just to show this bit where we don't have an IP address. So I then run a DHCP client just to get an IP. This is just to prove that we do have full comms to the network I connected to: again, IP of 10.0.0.5, I double-check it, and then I come to connect to a server on the client's network. I go back, because I'm lazy, and I copy it, but essentially I'm going to connect to a web server on 8080, and we automatically just connect to people's Wi-Fi. Cool, thank you very much. So we're going to release that stuff today, wpa_sycophant and the mods to MANA, so that you can do this attack
yourself. Michael's used it successfully on some of our client engagements; that's a practical working attack that works in live environments. And then to the most important part: coming up with a name. Michael sent me this image, which was deeply disturbing, which we later found out was called Squirtle Boy. I'm not sure it made it less disturbing. So this is why we really want Michael to be known as Squirtle Boy from now on. Okay, so interestingly, back in 2002, oh, I'm never going to get these names right, let me look them up on my phone here, so Asokan, with Niemi and Nyberg, wrote a paper in 2002 about man-in-the-middling tunnelled authentication modes, and from that, the IETF spec for this thing in 2004 included a section on defending against these attacks. So if you zoom in, there's something called cryptographic binding, or crypto binding, and the point of crypto binding is to make sure that some of the keying material used in the outer TLS session is used in the inner EAP method, so that they can be, you know, that it's the same device, that relaying isn't happening. So it's always disappointing to implement an attack and think you're the first and then find out that the standards had a defense against it for over a decade. Nobody seems to be turning on crypto binding, and we think that's really just because of a lack of practical attacks. That said, thanks to synchronicity, we were definitely not the first. So in 2014, Pieter Robyns released a similar sort of attack, but it was against a specific thing that Apple was doing, I think something around LEAP, in a WiSec paper in 2014, which Apple then fixed, so it wasn't a full implementation. And then this morning, 15 minutes before we woke up, somebody logged an issue in hostapd-mana asking for this as a feature request and linking to a paper that had been written in 2016 and sent to the hostap mailing list by Ciarre Siniak, I'm so sorry for butchering that name, and so he also has a partial implementation. It was done against the EAP
state machine in hostapd and wpa_supplicant, but as far as we could tell it's not a full working practical implementation yet. So we think this is the first practical implementation of the attack that can be used by people. And so because there's no practical implementation of the attack, or certainly not a widely known one, what you see is that the default configs for a lot of networks don't turn on crypto binding. So here's a picture of Microsoft's RADIUS server configuration, and by default they will not disconnect clients that don't have crypto binding. So because this is something that needs to be done on the client side, the RADIUS server can detect and disconnect clients, which makes it slightly less usable, I guess, but a bit more secure. So maybe that's why they didn't do it: they don't want to make it harder for people to get on the network. But here's a fully updated Windows 10 default connection dialogue, and their crypto binding's not enabled either. hostapd tries to do some crypto binding by default, so there are some places where they try to do it, but most people aren't running hostapd networks in their enterprise organizations. So for the most part, crypto binding doesn't seem to be turned on. You can go turn on crypto binding, but I think the biggest defense against these sorts of attacks is just to make sure that your client devices are properly validating the server certificate that gets presented, because if that's done then this part doesn't matter too much, because they won't get past the tunnelled, the outer TLS negotiation, because they'll say, "That's not the right access point, you're fake." All right, so those first two scenarios: the first one is getting a bunch of devices to connect to you and being able to figure out which device is doing what; the second one was doing EAP attacks. Oh, sorry, one other thing is you would have seen hashcat and atom's PMKID thing. For anyone who is interested in WPA2 handshake cracking, I put some basic stuff in just to try, like if
a client ever sends a PMKID, to just log that into the same file. I need to do way more testing to see if it's a practical attack from a rogue access point, but that might be fun. Okay, so now we're going to look at some MitM stuff. So back in 2014 we released the MANA toolkit, and the idea there was lots of people take being able to MitM, as you know, for granted, but the reality was, particularly if you're new to this, you have to sort of orchestrate networking and access point stuff and protocol stuff, and that can be quite a lot to do. And then with the increase in certificate pinning and things like HSTS, sorry, I'm about to get breathy, with things like certificate pinning and HSTS it's not sort of a given that you're going to be able to man-in-the-middle all the things and get all of the passwords. So the big problem we ran into with the MANA toolkit is the ability to construct pipelines. We were using iptables to redirect traffic from one place to another place, so for example you can sslstrip something, but you can't then pass the traffic to SSLsplit. Maybe there are some iptables gurus in here who can show us how to do it, but it wasn't pleasant. And then along came bettercap. So bettercap, written by evilsocket in Go, it can do all of this stuff and it's really fantastic. So initially we wanted to get evilsocket up on the stage to talk about some of this stuff, but he's got a whole bunch of really cool Wi-Fi attack things built into bettercap, so if you want to do captive portal attacks or you want to BeEF-hook browsers through your MitM, all sorts of other things, then you can now do that with bettercap. So we're just effectively deprecating the MANA toolkit and saying use bettercap, it's better. And just a big shout-out to evilsocket for the awesome work he's done in there; I know, based on the issues that get logged, that guy takes some bullets. The other problem you face is the Wi-Fi network and all of the networking. Okay, so we're seeing people waving hands, and
Michael found a cool tool written and maintained by a guy named oblique called create_ap, and what this does is just makes it really easy to say, create an access point and bridge it between this network and this network, or NAT it, without all of the sort of complexity that the MANA toolkit brought in. However, there were some things that it didn't do: it doesn't allow you to create EAP networks, it certainly doesn't allow you to do MANA modes, and it doesn't allow you to create more than one Wi-Fi network. Sometimes you might want to create more than one Wi-Fi network, because probes don't say what kind of security principle they're connecting to, so you might want to present an open, a PSK and an EAP network and see which one it connects to. So Michael made berate_ap, which is a fork of create_ap that can do all of these things. That's something else we're releasing today. So it does all that networking and access point orchestration for the most obvious ways in which you would use the MANA toolkit to do this stuff. If you want to get into the detail of all the other config options, then you can handcraft your own config files and do it that way; we've written it all up on the wiki, but this just makes life much easier. So that's an example; ignore the dash n that crept in there, but this is an example of setting up a MANA EAP malicious access point, that's if you don't have the dash n, NATting traffic from wlan0 to eth0, called evil corp. If any of you used the MANA toolkit and had to edit some of the scripts, this is way easier than any of the stuff we did before. Okay, and then there are also a bunch of really cool proportionality options that have been built into MANA. See, it's a sniper rifle: proportionality. So by default MANA is a bit of a flamethrower, just target every device it sees on any network it sees. But if you're on an engagement where you've got specific scope, you might want to limit it to specific devices or specific networks, or if you're in law enforcement or something and you've got a specific mandate,
you might want to limit what it does. So we built a bunch of options in there, like SSID filters; that was contributed by a guy named cyberdevil. But one of the things that we think is really cool is we extended MAC ACLs down to a management frame level. So any of you should be familiar with the way MAC address ACLs work on Wi-Fi: you know, your home router does it, you can say only these MAC addresses can connect; you can see the AP, but if you try and connect and you're not in there, you'll get rejected. So we brought that down to management frame level, so if the access point receives a probe request, sorry, if the access point receives a probe request from a disallowed MAC address, then it's not even going to respond to the probe request. It means for the most part it won't even show up in their list of available networks. It also provides some ability to kind of hide from people who might be looking for these devices, or wireless intrusion prevention systems. We think it's quite cool. And then I borrowed a concept from the aircrack guys: they've got this idea of binary netmasks, so that you can kind of mask out certain bits in a MAC address, so you can do things like anything with this OUI, you know, any of these devices can connect but these can't. But it also allows you to do things like, for randomized MAC addresses, go full MANA on them, but when they try and connect, be a little more circumspect about checking what the MAC address is. So it's a really flexible way of dealing with different MAC addresses. And then lastly, if you want to get into Wi-Fi hacking, it's really difficult to practice. On the one hand, you've got to buy hardware; you've got to make sure that chipset works with what you're doing. So for example, those new black Alfas, the chunky ones, because they're doing more stuff in firmware, you can't use MANA's probe manipulation stuff; the RADIUS stuff will work, but not those things. So you've got to make sure you get the right hardware, and then
also it's really difficult to kind of not target people you don't mean to you know you might be testing between your two devices but it's meanwhile it's like men in the middling somebody next door anytime somebody's playing with the stuff in the office we just plug into the wired network because it's like dossing the Wi-Fi I've even had really weird situations in busy environments where it ends up kind of dossing Bluetooth which is kind of strange so in 2014 we built some CTFs in AWS where you could practice Wi-Fi hacking which we're kind of proud of because Wi-Fi in the cloud is a thing now and today we're going to release some docker images that let you well the moment is one docker image but hopefully some more docker images in the future that allow you to practice some of these these things so you don't need any hardware it's not going to target any live live environments and you've got some kind of known completion criteria so you can make sure that you're able to run these commands and they work so that's actually Michael in the picture there if you look carefully and Michael's a Kendo nerd and he told me that these wooden swords are called Chenise so hardest problem in computer science naming things so I'm calling the environment Chenifi and I'm just going to show you a little silly demo of what that looks like so here's the docker container running on my Mac and there's a whole other story about so if you're running docker for Mac just don't try and do this on that there are ways but like I'm currently was asked to politely take that stuff down by docker and so rather do it on your Kali's or your Linux boxes because it needs certain kernel modules but okay so here's a docker container doesn't have anything any hardware plugged into it so if we look at the Kendo module we can see that it's running on zero which means there's a Wi-Fi device and if you use Airmon you'll see that that's a software simulator of Edo211 radios so there's this kernel module Mac 
Edo211 HW sim which allows you to simulate fake Wi-Fi devices that can connect to each other and so if you then run if you put one of those devices to figure out when you're doing these things so if you run Error Dump you'll actually see Wi-Fi networks and devices that are there again no hardware these aren't real things there's a WPA handshake so you can try and capture that handshake if you bring up a manner network you'll see clients trying to connect to you you can capture those credentials and crack them and you can do all of this without needing any actual hardware so yeah we're going to release that docker image you can just docker pull it and run it and away you go and that's kind of the end of our talk so we're going to I bought a domain called Wi-Fi.net but with ones W1F1.net so a little bit later after this somebody will lend me a computer thanks guys I'm going to push all of the tools we mentioned up there so that you can grab it so don't be disappointed if you do it right now try and go to the chill room and do it and we also just want to use that as a bit of a repository for kind of how to do these attacks and which tools are working and keep updating that as time goes and maybe if some of you are playing with things in this room and it's going well you can send pull requests or write wiki things for up there otherwise you can tell us you hated the talk on Twitter so I'm at syng and he's underscore cable thief and we're going to check if Squirtle Boy is available and we're from Sandspost so thank you very much for your time and patience
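The two ACL ideas from the talk, a MAC ACL enforced at the probe-request stage rather than only at association, and aircrack-style binary netmasks that match an OUI or mask out bits of a randomized address, are small enough to show as a scoping control in a few dozen lines. The following is an added example written for this transcript; it is not code from the MANA toolkit, hostapd or aircrack-ng. The "address/mask" rule syntax, the first-match-wins evaluation, the `ManagementAcl` class and every MAC address in it are assumptions or constructed sample values.

```python
"""Binary-netmask MAC ACL evaluated at two management-frame stages.

Added example, not code from MANA or hostapd. Rule syntax "addr/mask"
(first match wins) is an assumption modelled on aircrack-style netmasks;
all MAC addresses below are constructed sample values.
"""
import re
from dataclasses import dataclass

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
BROADCAST = 0xFFFFFFFFFFFF  # all-ones mask means "exact address"


def parse_mac(text: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated) into a 48-bit integer."""
    if not _MAC_RE.match(text):
        raise ValueError(f"bad MAC address: {text!r}")
    return int(re.sub(r"[:-]", "", text), 16)


def is_locally_administered(mac: int) -> bool:
    """U/L bit (bit 1 of the first octet); set on randomized client MACs."""
    return bool((mac >> 40) & 0x02)


@dataclass(frozen=True)
class MacRule:
    address: int  # stored already masked
    mask: int
    action: str   # "allow" or "deny"

    def matches(self, mac: int) -> bool:
        return (mac & self.mask) == self.address


def parse_rule(spec: str, action: str) -> MacRule:
    """'00:11:22:00:00:00/ff:ff:ff:00:00:00' matches an OUI; no mask = exact."""
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action!r}")
    if "/" in spec:
        addr_text, mask_text = spec.split("/", 1)
        mask = parse_mac(mask_text)
    else:
        addr_text, mask = spec, BROADCAST
    return MacRule(parse_mac(addr_text) & mask, mask, action)


def evaluate(mac: int, rules: list, default: str) -> str:
    """First matching rule wins; fall back to the default action."""
    for rule in rules:
        if rule.matches(mac):
            return rule.action
    return default


class ManagementAcl:
    """Hypothetical two-stage policy: decide separately whether to answer a
    probe request and whether to accept an association, so devices outside
    the allowed set never even see the network in their scan list."""

    def __init__(self, rules, default="deny", probe_randomized=False):
        self.rules = list(rules)
        self.default = default
        # Optionally answer probes from randomized (locally administered)
        # addresses, while association still goes through the strict list.
        self.probe_randomized = probe_randomized

    def respond_to_probe(self, mac_text: str) -> bool:
        mac = parse_mac(mac_text)
        if self.probe_randomized and is_locally_administered(mac):
            return True
        return evaluate(mac, self.rules, self.default) == "allow"

    def accept_association(self, mac_text: str) -> bool:
        return evaluate(parse_mac(mac_text), self.rules, self.default) == "allow"


# Constructed sample policy: one specific device denied, one lab OUI allowed,
# everything else falls through to the default deny.
LAB_RULES = [
    parse_rule("02:aa:bb:cc:dd:ee", "deny"),
    parse_rule("00:11:22:00:00:00/ff:ff:ff:00:00:00", "allow"),
]

if __name__ == "__main__":
    acl = ManagementAcl(LAB_RULES, probe_randomized=True)
    for client in ("00:11:22:33:44:55", "00:11:23:33:44:55", "0a:00:00:00:00:01"):
        print(client, acl.respond_to_probe(client), acl.accept_association(client))
```

The OUI rule relies on the mask being applied to both sides of the comparison, which is what lets one rule cover a whole vendor prefix; the exact-address rule is just the same check with an all-ones mask. Keeping a default of deny and evaluating rules in order means the policy fails closed when an address matches nothing.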
