 So, in all seriousness, we're going to introduce Ardvark and Dark Matter, who if you haven't seen the pictures all weekend have been wandering around having lots of fun and they're going to talk to you about wiggle like you mean it. Can you still hear me back there? Everybody good? I think I can hear me so that's all that matters. So yeah, I'm Ardvark that's Dark Matter. I'm not going to let you talk into my chest, sorry. But yeah, what we're going to talk about is yeah, war driving. It's like, but they have these cool things now that we didn't have a long time ago. So, war drive, everybody knows what this is. Everybody did it, but who did it back in the day? Who still thinks it's, who still does it? I do it. In fact, I'm doing it right now as we, well, standing. Yeah, so war driving, war driving. The original purpose is just find open networks so we could be anonymous, find cool stuff. The reason why I got into it, I'm in mobile forensics, so geolocation. A lot of locations on phones, map those up with positions, that's why I started using wiggle. What's out there? I kept doing it because I started finding really cool stuff out there like weird shit because you've heard of internet of whatever that thing is, things. Tracking people, finding things and it did actually get fun after a while. I know, when you have a hobby that's like making cakes or playing football or I don't know, whatever, people are like, cool, that's awesome. Why do you scan Wi-Fi? Why do you do that? That's really creepy. Yes, I know, but that's how it is. Okay, wiggle born, the wireless geographic login engine. This is the actual crew, the actual wiggle crew here. 7th September, I think they should have waited till it was all 9s, but whatever. And it's basically there to map 802.11 networks and for whatever your reasons are. Also cell towers, you got cell towers on there as well, which is nice. Wiggle itself, I don't know, anybody already on wiggle or use it or have an account? Cool. Okay, so you can upload data anonymously, but you need an account to do queries and search and stuff like that. So a lot of stuff you can do for free. Sign up though, it's pretty simple. Email, username, password, that's it. You don't need to put like a credit card, what's that? That's complicated. Yeah, it is hard. You can make one up, you know, dork at dork.net, whatever, you know, but it's all good. But no, you know, Mother's Last Name or anything like that. And some features you can use for free, like you can do mapping of nets. This is Chicago Airport and so you can map and do some simple filtering and things and limit them by geographical areas, stuff like that. Any of these searches though, if we want to do a major search, we can search by SSID, BSID, OUIs and that kind of stuff. You do get, make sure you correct me if I'm wrong, it's 10 queries a day if you're a non-contributing member. But if you need more stuff, you just contact wiggle, if you've got a project, they will work with you on getting you more data as long, especially if you're doing it for non-commercial purposes. So it's, I have 1,200,000 searches per day. I'm just kidding, I made that up. I wish, yeah. Okay. And you can bound them geographically. Here's a search of DEFCON 94 networks after July 2017 that have DEFCON in the title. They're like all in this room too. The wild cards are the percentage sign in the underscore. So they're SQL wild cards, so pretty good. And then there's also what's called a detail search. So if you have a MAC address, a BSID, you can see all the observations of that particular network and that gets really useful if you want to track if something's moved, where it's been seen, what countries it's been in, et cetera, et cetera. So, and you can also see I did obfuscate one of the name changes because it was pretty obvious, like Bob Stevenson's network. So I covered that one up. But okay, so why do I war drive? The first, back in the beginning when it was WRT-54Gs, it was just to find Wi-Fi, get on, remember wares? Do we still have wares? I don't know. But get free stuff, talk to people and honestly, that kind of stuff. When I got into Mobile Forensics, it was geolocation, and that's where I kind of hung out for about five, six years. Just show off at parties, not really, not those, I don't go to cool parties like that. Stage three, this started about a year ago and I just started seeing all the weird stuff out there, cars, controllers, government, exactly, Bluetooth pregnancy tests. Who'd have thought it? Anyway, not kidding, actually. Yeah, it is a thing. Next, I started looking at analysis of what I was seeing, mapping it, categorizing it. So I wanted to know not just what the vendor was, but actually what that was. You know, look at the OUI and go, oh, that's a GM car, that's a Ford, that's a government, insert government agency here, sort of thing. And so where I am right now is kind of one of these. These are a couple of tech streams from a friend and my wife. So I take it seriously now. It is getting a little bit weird, but that's okay. You know, I've thought, should I wiggle a little bit more? Should I eat? That's all good. That actually was from a day I had somebody on the monthly stats that was right ahead of me. So I did 50,913 with the help of my drone. I mean, my wife in a different state. And so, yeah. And then I waited until about 1150 at night to upload it. So to make sure nobody, there's like sniping an eBay auction, but yeah. It's really weird. I know, I understand this. Okay, 2001, what did you need? A lot of stuff. You needed to have a laptop, a computer. We didn't have all the cool stuff. Now wireless cards were very limited. Amplifiers, GPSs, software, time. You had to be able to put up with strange looks from people. Today you need a phone. And I travel a ton. So for me, phone is the thing. And I usually, TSA agent said to me, he says, when somebody has four or five phones, I think that's kind of weird. You have 125 phones. So I figured you know what you're doing. And he actually says this to me. It's like, you don't try to sneak in with 125 phones. So I believe they call that safe agent. Yeah. And honestly, I hear these stories about the TSA and how bad they are. You guys are doing it wrong. Like I carry weird stuff onto the airport. Nothing illegal though. Anybody a Yorkie in here? They're delicious chocolate bars, but anyway, they're very good. Okay, equipment. These days, we have all sorts of stuff we could use. I mean, you know, you got pies, you got Wi-Fi, whatever the hell this is. Beagle bones, Arctic boards, all sorts of bananas, orange pies, minnow boards, all sorts of crazy stuff that we have that we can use. There's all sorts of possibilities. You can put, you can drink beer while you kismet. You can use a phone with a little guy in your back window. And you can even put kismet on other devices possibly. Oh yeah, it's anything you can get Linux on basically you can you can run it on. So it's good to go. You may have to compile it, whatever software. So my choice has been the war driving app because it's purpose built to use with wiggle. It's easy to use. But we got kismet ostensibly is running on this thing kismac insider. There's a bunch of other softwares, but these are the biggest ones. I think right now 80 plus percent are using the Wi-Fi app. The app is nice because like I said, it's it's GPS is purpose built. It stores all your fires locally. So all of your observations are in a sequel DB, a sequel light DB, and then you've got CSVs. Every time you upload, it creates a CSV of what you just uploaded. So easy to pull. If you know if you ever use ADB or MTP, you could just pull those files. They're always in the same location. And so you could just pull about and use them. And also I use blue hydra along with it, which doesn't have its own GPS. So I just use that. Yeah, he'll hide. Wait, it's supposed. Yeah. Yeah, anyway. But it doesn't have a GPS feed. So I just use Wiggles locations and I marry him up with a Python script. So I'm lazy. So good deal. The sequel light DB, all of them, you could pull this down to your account at any given time. It's really easy to use. There are only two tables. You have networks, which lists all the nets by BSS ID and then all those locations. So simple queries, sequel light queries work just fine. And you could pull all the data. And they look basically, I know you probably can't see this now that I like tiny screen, but easy to read. Unix times, last times, best longitudes, etc. The CSV files, these are kept right in the SD card. They have all the observations of all nets. So if you see the same net three, four times, it'll be listed three, four times with different lots and longs. Like I said, I use that as kind of a master timeline to apply to other things. They're GNU zipped. And I think that's the proper command to unzip it, to tar, A, B, C, D, X, just kidding. It's X, V, Z, F file name. Yeah, anyway. Anybody ever type in a tar command correctly the first time? No. Sorry. Nope. Oops. Nope. Wait. Yeah. They're, they're, like I said, when I go out and I war drive a particular area real quick, then I upload that's that file just has that one run, which is kind of nice to have. And so if you've got, if you got ADB, which you should all have, it's just an ADB pull command and you can pull that entire folder. Or you can use MTP to pull it, but it's a little easier with ADB. So there's a look at the CSV files. You've got the type of encryption, the SSIDs, the, the, the RISD values, the lots and longs, altitudes, stuff like that. What's that? Yeah. Yeah. Oh my gosh. They're every, I love Xfinity. Okay. They're new routers have like eight to 10 unique max on them. So when you hit an Xfinity neighborhood, oh yeah. Your numbers go like an apartment complex with Xfinity. It's awesome. So you want to talk now? Yeah. Yeah. Here you go. All right. Thank you. All right. So Kismet has traditionally been the war driver software of choice, right? Everybody using Kismet. It's freaking dope. So classic Kismet, or if you go on GitHub or on Kismet's website, the stable Kismet has basically everything built in and it has GPS support, right? So you just get yourself a nice little dongle like this, dump it in and you're good to go. And so the advantage of that is you can just get your laptop and go start collecting things. And it also stores in a format that is easily uploadable to the wiggle website. They support it out of the gate. So super simple. And it's also super easy to install with pseudo apt git install Kismet and you're on and good to go. So and one other thing it's also compatible with basically every wireless card. And you don't even have to have anything special really. Like the Intel in my HP Elite book works the Intel chipset because all you're looking for is SSIDs. You're not doing any injection. You're not doing anything. You don't even need true monitor mode to try to pick up clients. You just start looking at SSIDs. So basically everything works. So now this guy is running actually the bleeding edge version of Kismet which the AirBud guys also running on his setup back there. And with that one of the features that we got in that is remote capture nodes. So each of these devices looks like an individual radio as if it were plugged in with like USB or something. So I actually have 50 radios in this device here. The disadvantage of running bleeding edge is it doesn't have GPS support. It hasn't, Dragorn hasn't gotten to that yet. So he's working on it. It'll come out soon I'm sure. But it's web based. He's added a ton of functionality so it exports EKJSON. And then basically I just wrote a custom script which we're going to put on our GitHub that allows you to take GPS from your receiver and then marry it to your Kismet PCAB file. So that way you can still stumble with bleeding edge until it gets official support. So just real quick I want to talk about Kismet stable. Just run through some of the config stuff. I'm sure this is stuff that you guys have done a hundred times. But I just want to make sure that I point out some of the key components of the Kismet conf. Basically there's the hopping velocity. That's how quickly you're changing channels. When you have a situation like this, you don't need to change channels at all because you're covering 50 at once. But typically when you just got your laptop you got one or two radios. You'll want like five, maybe ten channels a second. It depends on how fast you're going. If you're doing like 20, 30 miles an hour that should be plenty. You may want to go a little bit faster than that. If you're going faster on the road but then you might miss some of the coverage. So I typically use five. That's the default setting. It seems to work out pretty good. Another thing too is there's an option in there to do preferred channels. And that's just going to limit the radios you pick up. Because if you're doing war driving, you don't want to have any preferred channels. You just want to make sure it's jumping on all of them equally so that way you can get a chance to pick up any of the radios that you'll see. Because guess what? Some lady down the street, she loves using channel two. She doesn't know why. It's set to automatic mode. The router just does it all by itself. So it's crazy. And then the GPS settings, that's just right in the comp file. You can actually use GPSD if you're brave and want to have all that stuff. But I just like to run raw because Kismet has built in parsing of the NMEA packet. And so I just use the raw device. It works brilliant. Haven't had any issues with that. And there's the command for that. Another thing too is if you're out war driving, there is some kind of gray area of like wire tap laws. And I think Google had some issues with that. So basically be polite. Like hide the data frame so it doesn't even capture. So if you're doing that, you don't run the risk of getting in trouble with networks you don't own. So I would encourage you to do that. And then finally there's just a couple of commands to get started on that. We got Kismet server at the bottom. And if you want to, it will automatically launch your capture source. If you don't have it in monitor mode, it'll do it for you. So just super easy. Like I said, Kismet's a great tool to get started with. So in all fairness, I have used Insider and I've used Kismet on my Mac. And I want to talk about those tools just a little bit. They're going to get you the same functionality. You're going to be able to stumble. You're going to be able to get your GPS on. And I thought it was pretty funny. I went to the Insider website. I remember when I first started using Insider, it was like really low key, just super put together or not put together very well. And now it's like they got corporate. This is from their website. So they got this dude in sales and corporate. So yeah, go Insider. It must be getting that corporate money. Anyways, by the way, go support Kismet on Patreon. Like, cause let's make this thing rock. I really want to get you going. Developing on this stuff full time. And then this is back to you. Software support, my brother. Okay, support software. For various purposes, I want to possibly gather maybe a photographic evidence of my war drive. Nexar is a really great dash cam. It keeps a track. Apart from the video, it keeps a track of that trip that you do. So you can go back and refer to it if you run into a particular item that you can marry up with an access point later. You've got video of it already. My tracks is just a simple app that just draws a line where you've been. So it tracks exactly where you've been. Maybe that'd be a great feature for the wiggle app in the future. But it's pretty cool. And I just run that on the side on one phone. It works really good. Fake GPS location. I don't fake GPS locations. If I go in a building and I don't get GPS, I just use fake GPS to set it to that building so that I can do it inside. I don't ever fake the GPS, right? Sorry. That ruins the data. It breaks it. Okay. And with the new version of the app, one thing I used to have to use is I would have to check online on the map to see what areas had already been covered. But now that's actually showing it right in the app, which is kind of handy. So you see, it's already pulling that up. I couldn't get enough internet to actually pull up the whole map there. And there's another nice feature in the settings, which is new. You can have it just show your networks that you've seen, everybody's, and then you can set a date range. So you could have an area that was, it was war driven back in 2007. Yet you need to go hit that area because there's going to be all new stuff there. So it can show you the new stuff that's available. Okay, using phones, pros, everybody's got them. They don't look weird. They're small. They're cheap. This is why I use them because I travel so much. The app built, it's built to work with wiggle. It works. Mozilla, Mozilla location services has their stumbler as well, which is a good one. And you can use multiple scans, phones to scan more effectively. I'll talk about that in a bit. And then range. And there's a little bit of debate. Do you use Yaggy's directional antennas for war driving? Well, yeah, if you want to map a network that's a half mile away to your position, sure. If you're looking for nets, maybe, but for tracking close stuff, phones work really well. Cons, you don't usually get monitor mode. There are some phones that support OTG, you can put in an external card, and you can use that. TSA does look at you weird when you have dozens of phones. And iPhones don't work. They don't let you scan your Wi-Fi unless you've got a jailbroken iPhone. And then range, okay? This is also a con because you don't get very great range with phones, but it's usually good enough. Other equipment, the pros, they're kind of obvious. Powerful, you got monitor mode, large screens, you got a bunch of other stuff, you can look at porn while you're while you're war driving, all that kind of stuff, cool stuff. You can put in multiple Wi-Fi cards if you're retarded, but no. And there's a lot of form factors. So you can go with say a Raspberry Pi with a seven inch screen or a Raspberry Pi with no screen or some God awful thing, whatever. It does get expensive. You got monitor mode is hard sometimes. Some cards just don't work, right? Set up and wiring can be a hassle. I love having this because it's a good prop for all this stuff. You need an external GPS, GPS, all that stuff. It's a little bit harder to look incognito with that. Hey, what are you doing? You know, with this, nothing, right? Mounding equipment. I can't stress enough how important it is to put the phones up in the windows up high. Okay. I started doing that. I bought these little scoche magnetic mounts. So my now I get in, I put my little blue hydro Raspberry Pi in the center console, phone number one, phone number two, phone number three back in the back window phone number four, and then my actual phone to drive with. They but they've got nice mounts that you can use lots of different mounts so you can mount multiple you can get laptop mounts, they get pretty pricey. Dark drive. He actually put his account on there. Yeah. Next time you take a lift, ask them if they'll install wiggle. Totally worth it. That's it right there. I got him. And then put your account in there so you get points obviously because screw that anonymous guy because I don't know who it is, but they are winning and I'm tired of it. Yeah. Right. Yeah. So good. Good deals. Okay, other things. You can make up some stuff for the Aggies like you've got an extra tripod. The problem with the Yaggy though is that yeah, it does pull in distant networks and then maps them to your position, which is a problem. Any words on that? Yeah, I mean, yeah. Basically, you know, what are you trying to accomplish? Like if you're trying to do like the true mission of wiggle, then you don't want to be using huge crazy receptive dishes off of your vehicle because then it's going to basically make the database tainted. You're going to pick something up that's 10 streets over. Somebody's be like, ooh, I found this and it's like it doesn't really matter because you're still going to be off. So, but then again, it's like if you're trying to find the networks, if you're trying to just get stuff and maybe you just have a quick run, like, all right, whatever. So I would argue that, hey, try to use smaller antennas so that way we can get better precision. And so it makes the data more interesting. So, oh, yeah, it's still me. Okay. Yeah, yeah, yeah. We'll get to that. He's got that stuff. All right. So, basically, sometimes it's fun to wiggle with a cactus. Basically, what I did is this project real quick, I'll just give a quick rundown. It's 25 tetras. It was sponsored by hack five. I went, I was in DC at Shmucon, and I ran in Daring Kitchen. I was like, you know, it'd be awesome is if we built something that we could listen on all the channels at the same time. And he's like, what would you need? And I'm like, um, I don't know, maybe like 20 or 30 like radios. Two weeks later, 40 tetras showed up at my house. Like, holy crap. So then it's like crap. Now I have to actually build this. So, basically, I've got an Intel Nook. It's got 16 gigs of RAM, 250 gig hard solid NVMe drive. And then two Cisco switches, 500 watt power supply. We got a battery that's about 30 amp hours. It pulls about 200 watts of power. Yes, it gets hot. Yes, it weighs about 45 pounds. It's not the most practical thing, but you're going to catch everything. So and I went over to black hat and kind of party crash their knock. And in seven hours, I got 40 gigs. So that was pretty dope. So anyways, just, uh, yeah, be creative with what you can do because it will definitely help out what you're trying to do. All right, back to you questions. Where do you go wiggling? When I cover an area, when I wiggle an area, it stays wiggled, right? That's what we want to do. So how do you find places? There's good places, apartment complexes, especially low end ones. There's they're packed in a little tighter, especially if they have Xfinity or Cox cable or something. There's a lot of those high university universities have high turnover. So every six months, you can go hit it again. Townhomes, condos. I really hate speed bumps, really hate them cul-de-sacs. Right? Okay, but high density neighborhoods, the new, I don't know, those Euro style. Hey, I'm looking at you guys back there. Well, I know Australian and New Zealand, but whatever, same thing. Okay, straight streets are awesome, right? Through these straight streets, as long as they're not like one way streets, large, some large businesses, some have nothing and some have lots of stuff. And then high density areas downtown. So this has been covered, but it hasn't been covered with five phones yet at the same time. So lots of different places. You can use the wiggle net mapping function. So these would be horrible areas because I just covered them. It's west side of Chicago. These are really great areas. They're mouthwateringly great. Like look, apartment complexes packed in houses. This guy right here, he just got sick and went home. Actually, I had actually I had to pee. So I was like that I really got to go. That was about seven hours into a nine hour set. So I really had to go. So and then sometimes when you look at the map, you think, oh, wow, that's really covered pretty thick. But then if you zoom in, you notice they haven't even touched the neighborhoods. So it's just major streets. So from a distance, it looks like, oh man, that doesn't look good at all. But you look you go in there's all sorts of crazy good stuff in there. Here is Salt Lake City kind of I saw like city. What's the other one? Las Vegas, Summerland. So and you zoom in and you see there's all sorts of crazy tight stuff in there you could go. In fact, you've got two schools you could go stock. But it's all good. No way if there's one way streets and streets with medians, you don't want to get out and want to do a left and have to turn and go back around the way you came. When you're doing apartment complexes, it does make a difference. Go the direction that puts you closest to the buildings because you have 10 feet closer makes a huge difference. Sometimes I deploy foot mobiles. I don't know how many times I go on a date with my wife. We hit a huge apartment complex with an internal courtyard. I drop her off here. Go around. Yeah. But yeah, yeah. Oh, no, she walks through like this. She doesn't care. It's just college. She'll walk through. I pick her up on the other side. She's got another 500 because it's right. Okay. Optimist speed probably I've found is about 25 to 35. Maybe it depends. I even put it in kilometers per hour. I think those are correct. And people think it's expensive but Galaxy S4s are cheap and they work really well. I've got like four of them. The only better one is the note three that I love. Just research and then if you don't want to take time when you're going home, just pick a couple of side streets on your way home. Every day hit a different area. It's really easy. No big deal. Other things. Consider why you're war driving like dark matter of saying, are you just looking for free Wi-Fi? Hit the businesses. There's lots of coffee shops with free Wi-Fi. Are you looking for things to exploit? That might be businesses. It might be houses. It might be the other things. Are you looking for geo location to mapping? You're going to get everything. You want to get everything. Are you looking to track humans for reasons that you might do? Okay. I went to Park City and we did Pub Crawl a bit. Park City, Utah. Have you ever been there? It's pretty awesome. I got like 11,000 networks. I didn't even know that I forgot to upload them for two days but it was good. But I believe that all access points, they don't have to earn the right to be scanned. They deserve it. They deserve to be mapped. They deserve to be cataloged. They don't have to do anything good or earn this. Okay. A little bit of diversion into MAC addresses. As I started scanning a lot of weird stuff, everybody knows what a MAC address is. An OUI, BSS IDs, all that stuff. But what I found is that a lot of access points will modify the first bite of a MAC address and then it won't show up as that brand and that's a very common thing to do. You can look these up. MAC vendors has a good little API. It's super easy to use and it pulls all its data from the official OUI text file from the IEEE. So, all it is, you can use Curl. You can use requests in Python directly. But URL lib2 does it very well. It's very simple. Okay. The OUI is the first three bites. Remember though that OUI, just because it says a particular vendor, that's who made that Wi-Fi chip or that board or that module. It may be something else. GM cars, for example, use Mitsumi electric cards. So, if you see a Mitsumi, that's them. Ford uses Ford. So, it comes up as Ford. Texas Instruments is in all sorts of things for Bluetooth and other stuff. Some of them pick Random Max. Bluetooth LE stuff does Random Max. iPhones, their access points are random. So, look at the name. We're going to have to look at the SSID and some of those to identify it. And then sometimes the first bite and the last bites get changed. Here's an example. This is from a Netgear router. So, you see you got Stargate 5 and Stargate 2. This is all fictionalized, by the way. Don't go looking these up because you won't find them. But then notice the last one, your mom's shop actually changes the first bite to A2 and then increments the last bite as well. If you look up the first one, it shows up as Netgear. If you look up the second one with the A2, you get no vendor. But if you just focus on the second and third bite or the middle four bites, you should be okay. Other ones, this is an Xfinity. It's a new router. So, you've got nine MAC addresses on one router, which is pretty sweet. I haven't, does anybody know what they're doing with the hidden ones? Like a mesh thing, secret data, something. I had some new neighbors move in about a month ago, and you know how I knew? Seven new MAC addresses. I was like, hey honey, the neighbors moved in. So, that's how they show up. So, you've got a couple of open publics. You've got the regular ones. If you had guest networks, they would be on a couple. And notice, if you could see it, hopefully the last ones are all 6A or 6B. It looks like the 5 gigahertz or 6B. But again, if you look up this one that starts in 06, you'll find nothing on the first when you get Aris. This is a view from Wiggle. The top three OUIs, the second one doesn't show up as anything unless you change it thusly, and it's Google. Those are actually things like Chromecast, Google TVs, and a bunch of other crap like that. So, they shift off by two. They change it by a value of two, and we're not fooled. Okay, interesting stuff that I started finding. Anybody ever heard of cradle point? It's basically commercial Mi-FIs. It's high powered 4G to Wi-Fi bridges, 3G Wi-Fi bridges. They're used in remote monitoring, irrigation, solar installations, power, insert organization here, vehicles, buses, shuttles, signs, anything remote. They're everywhere, and they're super interesting because whenever I see zero, these are the ones I've memorized. So, it's like 0033, it's 3044. I was like, oh, what is that? And I immediately want to see what it is. Novitel Wireless makes all the Verizon Mi-FIs. The 5510, 6620, 77, whatever the hell. Those three OUIs are GM automobiles. The last, I think it's three model years. They're putting access points in them and by experience. I don't know how I got that. About 95% of the people have them on. And so, now we don't care about clients, so we can track their vehicle directly. Yeah, it's there. It's always there. Then you got a couple from Google. Ericsson access points on Comcast. Those I would like to filter out. Because they're everywhere. And then I got Cosico, that's Lisk Cisco. And then Ford. Those are the sync system in the Ford cars. Those are interesting stuff. Now, one, there's a company out of Orem, Utah, makes these LVT stations. It's live U-TEC. And they have permanent ones. Then they have these ones that they can move around to construction sites to do video surveillance. And they're everywhere. And so, I did it. I could map those. I could pull those out. And so, you see a lot of Utah, Colorado, Wyoming, and then a smattering of other stuff. But those are pretty interesting. If there's an LVT station, that might be something you might want to investigate. Other cradle point stuff. This is Las Vegas. And the cradle point stuff I matched here. You got up in that American coach, Mustang 1 and 2. This isn't Reno, right? Anyway, you got a bunch of stuff. So, there's this stuff's everywhere. You see a couple of yes co-signs in there. Those electric signs. Okay, other things. These GM vehicles. The first OUI, F-Zero AB-54, is the number one on Wiggle. Number three is the next one. And the third one, I think, is newer ones. They're a little bit farther down. But this was just stopped at a stop sign yesterday. I had a ZTE phone, a ubiquity. Those are everywhere. And then four Wi-Fi hotspot. The default is Wi-Fi hotspot four digits. And then you see things like this. I've seen these ones like that. I've seen politicians put their title on their hotspot of their vehicle. Like, hey, thanks dude. Yeah. Awesome politician guy. Speaker of the house so-and-so. Yeah. Anyway, you could do photographic correlations with this. This guy had his name on his license plate and on his access point. It's not too difficult to marry that up with the vehicle. When Johnson's suburban, that's also been fictionalized, pulls up next to me. I'm like, oh, okay, now I know who they are. I take a picture. And I just did that with photo grid while driving with one hand. Sadly, I'm not kidding. But it's so good. Okay. Then other things you could do. For example, here's Jim. He drives a GMC, a Colorado. He showed up late one day. He left on time, almost got in late, left early, barely showed up, left for a two-hour lunch, left really early, very late, and then went home and never came back after that. And poor Jim because he's not going to be able to pay off his truck now. But remember a static wiggle installation. You can see when that arrives. You can see when your neighbor gets there. You can see when things show up. And all you need is the app. You don't need to have to do anything. Okay. This is a profile of an actual wireless user fictionalized. So here we're marrying up a couple of different things. So I'm in the breakfast area at a Fairfield Inn, I think, and up drives Bob's Malibu. That disappears because Bob got, well, excuse me, a nondescript man, got out of Bob's Malibu, walked in, and then on Blue Hydra, Bluetooth, Robert Allen's iPhone, not his real name, an Under Armour foot pod and a Fenix 5X, the Garmin watch. Costs about six, seven hundred bucks. So he's got money, right? He's got a foot pod, so I know he's in the fitness. What's that? I'm not sure what you're doing. Oh, what'd you say? No, I have no idea. No idea. His wife was driving the other car. There you go. Anyway, so then looking at the Wi-Fi pineapple probe request, his phone asks for Bob's Malibu because it was gone now, had recently departed. Then Starbucks, residence in guest, and then his employer, which was not Evil Corp. It was something else. Okay, then another one that was even more fun. I was sitting in a toffee shop one day with my laptop and my wiggle and my, maybe a Wi-Fi pineapple the nano in my bag, possibly, and Susan comes on the scene. What I saw first actually was an Audi 42175 fictionalized again, and a Galaxy S7 for Verizon. So I thought, wow, she's intelligence, she's rich. Of course, I didn't know it was a she yet, but hey, whatever. That's why we have light switches. Next, Blue Hydra pops up, and I see Susan's Audi. Hey, you guys like that one, right? And so her Bluetooth system, I see. And then Susan's iPhone and Apple Watch. I'm thinking, okay, the iPhone's her personal one because she has an Apple Watch. That's probably her, that's probably her work phone that she got at her employer, which her phone is now asking for. And Susan's a smart girl. She's a rich girl, and she really loves to read, but she is a bit clumsy. Just a bit. 11 Kindles, seriously. She's dedicated to the Kindles. She loves to take them to read at the coffee shops, all of the good coffee shops, which is a little strange because of this one. I'm not sure how many are familiar with the LDS church. No coffee. And so I figured maybe the Audi is her work and coffee vehicle while the Denali is the one she drives to church every Sunday. So it's good stuff. And this was all in the space of about two minutes, approximately, maybe. And then I also have the other ones, Susan's bathroom echo, her backyard, Susan's mother's house. No, I'm just kidding. Right. Okay, so things that you can see out there, these are just examples. We got OBD2 adapters, Audi's, an Osmo Gimbal, TVs, GPS's, SMA, if it starts with SMA, that's a solar controller. They have Bluetooth and Wi-Fi, Mercedes Benz, PNET, FedEx trucks, other trucks, et cetera, AutoNet. There's a couple of police vehicles up there. Okay, so there's a lot of tons of stuff. And like I said, this is why I started doing this more because I started seeing all this cool stuff that was out there. And I want to track that cool stuff really. I mean, let's be honest. What time is it? Cool. All right. Okay, the Wiggle API. This is what I really wanted to talk to you. The biggest thing is it's not rest, which is really annoying. No, I don't really care. But it's an RPC style. It's JSON. That's what it gives you back. I've heard that's really good, honestly. And before this, there was kind of some semi-official, but not really supported stuff. And depending on how much you contribute and how much you beg, you can get more queries per day. And that will put an end to this. Who's done this before? Really cool Wi-Fi's, et cetera, et cetera, right? But many monks have lost their employment in the procedure because they no longer. The handwriting, yeah. Okay. Somebody asked about the Wiggle API key. It's with your account, you get an API key. You get an API name and a token. All you got to do is log into your account. You go to Tools API and then go to your account. It will show you what you can get your API key name and token. And so it looks like this and then those are what you're going to use to log into the account for API use. And as I said, if you want to ask for more, is that the right email right there? Wiggle admin. Yes, awesome. Not that they're with wiggle or anything. Okay. So basic authorization. So if you want to use curl, you can do this. So you've got a curl capital X to get. And these are, oh, by the way, it's not the user password. It's your API name and token. And then they have a base 64 encoded user pass. You stick in there in one of that in the header. And then you've got a application JSON and then the query itself. The first one I'm showing is a geocode query. They're using the open street maps, the nominatum. I'm not sure how you pronounce that, but what it'll do is it'll record a, it'll return a, among other things, a bounding box for a location. So if I want to wiggle or I want to do queries on Clark County, I just put in Clark County, Nevada, it spews back for two lats and two longs that gives me a box of Clark County. That way I can feed it into further queries and get just stuff in that area. The second one shows a basic search. So that's a network search net ID. For this one you need either an SSID, you can use an OUI or you can use the full MAC address. And then on the last one is what's a detail search like I showed before on this other search. That's where you give it a full MAC address and it will go give you all the observations, okay? Okay, there is a library called Piggle. It actually works really good. It installs with pip so not a problem. And on that one in the site packages folder you have the config.py and there you just put your API name and token. So whenever you do searches it automatically pulls it. You just import the config and it works there. This is the website for that. But you can just do pip install piggle and it installs fine. I'm using 2.7. Yeah, I honestly don't... Yeah, I honestly... Yeah, I will never move. That I will fight anyone who claims otherwise. Now I'm kind of stuck with Python too. But okay, so a basic search with piggle. This is just a bare bone. So you import config, you import network that gives you the searching. An SSID pretty fly for a wi-fi, pretty good one to use if you want to look at Cognito by the way. And so we just do a network.search, plug in your SSID, tell it what offset you want to start. It pulls an increments of 100 so you want to start at 0, 100, 200, so forth. Lat ranges, those are longs I believe. Doubles, they're doubles, they're floats. And then I just loop through the results, I get back a JSON element. Piggle does not push back a JSON object, it gives you a dictionary. So you don't have to import JSON or anything like that. It gives it to you already to be used as a dictionary. And so I want to pull the SSID, the NetID, the trilaterated latitude and longitude, that's the averaged one. And then the last update time. So very simple. I'm going to demo these two. Now this one I did a little bit different. I did a detail and I wanted to pull the details of both a GSM network and a wi-fi. So there we have the NetID, my BSSID. The operator is 310, 410, that's AT&T for the U.S. And then a LAC and a cell ID. And so then I just pull through and I'll demo these in a second so you can see what they look like. But it just puts you about, I just did a simple example to show how those work. So I'm going to go ahead and do that real quick. So the first one, wiggle search, just run that. Oh shoot, you're kidding me. I got no internet. My internet's went away. Yeah, I don't think so. But hey, thanks. Let me see if I can do this. Give me one sec. I'll see if I can. Okay, we're fine. Don't look at the name of my access point. Not still break. Yeah, it doesn't want to play. Yeah, we might not be. Okay, so I'm just going to roll with this. I'll just explain the explain the script a little bit. The ones I'm doing later, I already have the data, so it's just fine. So what this does is the first one is going to pull a wi-fi record. Now what it does is it pulls a JSON object and all of these are available in their online. They have an online demonstration piece and you can look at every attribute and every method. You can do tests and it shows you the JSON object, the curl command, all that stuff. It's really awesome. In fact, that was the first time I'd ever seen that swagger UI, but it's pretty cool. So if you have any questions, you just do the query on the site. It tells you all the stuff that you look for, all the options and everything. So I'm going to pull out the net ID, the SSIDs, the last updates, the trial at the trial on. So I'm pulling that one record, the main record for that access point. Then the next one, I'm going to loop through all the location data for all the observations and then print out all the regular LATs, longs, the type of encryption, et cetera. The next one, GSM, the format slightly different. The record has an ID, you've still got results, but it's got an ID, last update, trial at trial on, and then the individual results down below. So pretty simple. Now this stuff, we do have a GitHub where I put these examples on there so you can use them. No big deal. So skip forward. Okay, other useful APIs that I've used. Geopie is really great. Do geocoding count against your queries? Oh, does it? Okay. So if you want to do nominate them, you can import geopie.geocoders and that has nominate them into. You can get bounding boxes there. I've got that on that GitHub as well. Facebook dash SDK. You can import that, install it with pip. I won't tell you why you would do that, but you might do that, right? Reasons? For reasons, right? Mexicans post a lot of porn, just saying, where's Nicholas? Yeah, anyway, add tweepie is what you'll use with that for Python. Other things, open cell ID has their entire database of cell towers you can download. It's a CSV, so you maybe want to filter it to your area, but then you can use that. Mozilla, MLS, they were, I'm not sure if they still are, but they were in cahoots with open cell ID, so same stuff. Mac vendors has OUI lookups. Google's geolocation and geocoding, you get 2,500 free searches a day without paying money, and then over that it's like 50 cents per thousand or some crazy thing. Then all the Facebook, Twitter, Instagram APIs, there's tons of stuff, and you might want to use those for, again, reasons that are whatever you want to do. Okay, so what's that? Geolocation is yummy. Geolocation, I loved you. Seriously, I get excited when I see like, oh. Anyway, okay, so what if you want to be in Cognito? Look like a GM car, first of all, that's good. GM cars drive around, so background a little bit. I work in Mobile Forensics, so I work with a lot of agencies, and sometimes I'm scanning things with them, and their cars have very obvious names, both Bluetooth and Wi-Fi, and I ask them why, and I'm saying, why don't you just call yourself Bob's iPhone or something, but have a list, you know, Bob's iPhone is this car, but so this would look in Cognito. iPhone is good. Audi's, Android AP's. Here, Xfinity, in Mexico, Infinitum, in Central America, TurboNet, you've got all sorts of crazy stuff. Cable Wi-Fi. Pretty fly for a Wi-Fi. Tell my Wi-Fi, these are all great ones, they're everywhere. FBI Surveillance Fan, did you see that FBI Surveillance Fan the other day? That somebody's selling, right? If I ever had an FBI Surveillance Fan, I would just call it FBI Surveillance Fan, because holy schnikes. Nobody will notice, okay? Yeah, yeah, yeah. Oh yeah, they're everywhere. Right, so, at this was just a limit search of only 10,000 results. Okay? So there you go. That's with the KMLs right there, that's good stuff. Okay, you know what else is huge besides FBI Surveillance Fan? What else, anything? Your mom. Don't read this one, they're bad. This is your mom, to mama, and to mama también. It's basically, yeah. It's your baby, your mom's baby. Yeah, don't read these, these are bad. Some of them are terrible. Your mom has an Audi, that's a good one. That one's good. Yeah, but that's a good one to masquerade as. Nobody's gonna notice, right? I have my phone, actually my Bluetooth name is your mom's, because when I pair with stuff, it's paired with your mom's. Never gets old, seriously, it never gets old. Okay, so what we're doing, what we want to do in the future is we want to look at, like I said, not just get the vendor of a device, but actually figure out kind of what it is. So I've been started to categorize, and I'll probably put this up on the GitHub soon, OUIs, and then what they are. Cradle points are there, that was my first one I put on, that's soon electric of the cars. Wistron New Web, they make direct TV receiver stuff, and they also are in Audi's, BMW's, Volvos, et cetera. I've seen DVRs, Comcast Business Class, what's that? Oh, they could, yeah, I haven't seen those, but yeah. And then, you know, Pegatron routers, et cetera, for Comcast Business Class Internet. So I'm starting to do these digital signs, I love those. Every time I see an LED sign, there's a stop sign in my neighborhood that has Wi-Fi. It's like, pretty cool, but it's awesome. Okay, so that's kind of what we're doing. So the summary, and then I'm going to try and demo that stuff again. There's a lot of wireless stuff out there and it's really interesting. It can tell us a lot about people around us, and turn your wireless off most of the time. People go out of their houses and they leave all their crap on and make sure everybody leaves theirs on. Turn yours off, leave it on. Go get on Wiggle. Join the cause. If you want to, I'll give you my account information. You can put it in there. Human drones. I have my wife, two federal agents, one cop and two other friends. I have phones with my account info in them. So yeah, you're like, how does he get around so much? So right, Lyft drivers, wives, partners, federal agencies, whatever. On Twitter, I'm at Rject and he's at Dark Matter with fours where the A's should be. And then you got Wi-Fi cactus. I threw that in there because you know what? I will, if you follow my Twitter, I will post that GitHub. Just that has these little snippets on it. And we're going to be posting more stuff on there as we go. So let's see if I can get this thing to work again. Okay, let's see. Give me one second. We'll see if we can do it. Well, I'll just show you some of those. I'll show you some examples. Okay, so one traveling Android access point. So one of them, my map, I do a regular network search. Oh shoot, it still can't. Just go ahead and say yes. No. And I get some, yeah, I know you can't talk to that. I get a few hits on this Android access point. But when I run an actual detail search on all the OUIs that tie back to that access point. Yeah, yeah, yeah, I know, I know. I can actually see a lot more. Geez, go away. A lot more interesting information like when Ardvark drove to Defcon, for example, when he went to Chicago, when he went to Columbus, Ohio, when he went to Don't Know Why, Mexico. You could also see a few places. The name changed. Right here in El Salvador, it was called Your Moms in Guatemala. It was called LDS Access. You know, that is me. Yes, that's me. And then in Panama, it was FBI surveillance, man, because because reasons, right? Okay, so just as a review on the API, easy to get into, easy to play with, go play around with a little demo thing. And I'll be posting examples of how to do KML, nominate them, how to pull in like Mac vendor stuff. And so I will tweet that out. If you follow atarject and atdarkmatter, you can get that stuff. Also, we have stickers up here. The wiggle guys are back there. They're in the lab coat. They have stickers. And do you still have shirts? Okay, so go mob them. I also have stickers up here, so you can get that. And that is all. Thank you for attending. Appreciate it.