This is day two of the speaker workshops, and of course they're here, ultimately here at DEF CON. Let me tell you, first and foremost on a very personal note, we were just talking about it: I think a lot of people are here joining us so early on a Saturday morning, and I'm pretty sure a lot of you may have had a few late nights. Did anyone go to a concert last night? Yeah. I heard it was really good, a blast from the past, you know, from the 2000s as well. Who here, is this your first DEF CON? Wow, it never ceases to amaze me, the number of people who attend DEF CON for the first time; looking at the room, it's usually at least a good 50, 60, 70% first-timers. On a personal note, my first DEF CON was in 2006, DEF CON 14, and back then I knew absolutely nothing. What I learned from that first DEF CON was that it really makes a big difference when you work with other people, collaborate, and just try to soak up and learn from the experience. I know it's very hard to do now, because I saw in the social media pictures that it's an absolute, I don't even know what the right word is, zoo getting into the tracks. I know it's harder to do at the main DEF CON, but you have definitely spent your day wisely already here at the Packet Hacking Village, because it's a little more intimate; although it's a little far out, it's definitely a lot more intimate. If you don't believe this, this is what a DEF CON track was like 10 years ago: nice and small and intimate. Now it's like a stadium. That's the biggest difference, and this is the reason why I still come to DEF CON, as the Packet Hacking Village, and I'm not sure if some of you heard what I said.
The reason why I still come to DEF CON is because my first experience at DEF CON was working at what they called the Table of Noom, the Wall of Sheep, and working with the people at the Wall of Sheep at my first DEF CON gave me the networking and security foundation I never got out of school. I never got any of that out of four years of college, and a lot of people still don't get that stuff out of four years of college, and that's why I'm still here working for the Packet Hacking Village. The only big difference between the Packet Hacking Village then, in 2006, and as it is now: back then it was just usernames and passwords posted on paper plates. Now we have the speaker workshops, we have the Wall of Sheep, and we also have a bunch of learning opportunities. If you are new to network and packet analysis, there is Packet Detective all the way in Neapolitan 1, to my left. If you're really hungry for this stuff and you think you're really good at dissecting networks and PCAPs, there is Capture the Packet, which is traditionally a Black Badge event. We also have the WiFi Sheep Hunt, we have Honeypots, and we also have Sheep City, which has returned. Sheep City is, well, you might have seen a little train track out there, and there's a big bottle of booze that has an IoT thing to it. There's a whole bunch of routers that were donated by 360.cn from China. As far as I know, if you can break into them, I think you can take one home. We don't know how any of that stuff works; we had trouble trying to get the manual because no one here can read Mandarin. I think some people finally figured it out, I don't know. It's all on display there, so knock yourself out over there.
With that said, just mentioning 360.cn, I want to take a brief opportunity to also say: if you take a look around the village, take a look around even this room, none of this stuff comes cheap at all. We are very grateful for the number of sponsors who have made this year's Packet Hacking Village possible, with all the free swag and all that for the attendees. The Wall of Sheep title sponsor is Flunk, the Packet Detective sponsor is Fidelis, the Capture the Packet title sponsor is Packet Slid, the Capture the Packet platinum sponsor is Talos, the Sheep City title sponsor is Dark Matter, the Sheep City sponsor is 360.cn, and the Honeypot title sponsor is 802 Secure. Those are our sponsors; thank them, but most importantly, I want to thank you for spending the morning here. In a few minutes, at 10:10, we're going to introduce two speakers to kick off this morning's speaker workshop: two old friends and two DEF CON veterans, Vivek and Thomas, who will talk about making your own 802.11ac monitoring gadget. You won't be disappointed, believe me, because they've come quite early; this isn't their first time, and we always welcome them back. In a few minutes I'll give you the intro, but one note here: if you have any questions or thoughts for any of the talks, the mic is right there; when it's time for questions and answers, please feel free to use the mic. Also, very important, we have a lot of people ask us, at almost each and every talk, will these talks be made publicly available? The answer is yes, and this is how it works. We have a video and AV recorder over there; thank you so much, by the way, for everything that you've done for us so far at DEF CON. So all the talks for the speaker workshops are video recorded.
The videos for each and every one of our talks will be made available at the same time as the DEF CON videos. That usually takes two to three months; however, even better than that, what about the notes and PDF slides? Almost all, if not all, of our speaker workshops, unless they get into serious intellectual property and corporate matters, will be made available within the next two weeks on the Wall of Sheep website, wallofsheep.com. So all of our talks, including this talk, will not only be video recorded, but the slides will also be made public on the Wall of Sheep website. Okay? So all the content is there for free for the taking, for future use and future reference. One last note before I make the introduction to Vivek and to Thomas. I want to start the morning off by giving each and every one of you a public service announcement. This is something that I make every so often, a public service announcement about a serious problem that is affecting the cybersecurity and tech community, and that is sexual harassment. This is absolutely not tolerated here at the Packet Hacking Village. It's a no-no. Don't do anything dumb, don't do anything stupid, don't give this community and tech more black eyes, because this is a matter that has affected us: we had a few volunteers who were victims at the end of last year's DEF CON. This matter is really affecting the community. I just want to make everyone aware of it. It's absolutely not tolerated. Definitely also take a look at the code of conduct. Don't do it. Don't go there. So now with that said, I've rambled enough for almost 10 minutes. So we might as well just kick off day two of the speaker workshops at the Packet Hacking Village.
As I said earlier, we're going to start this speaker workshop with a bang, because we have two old friends and two DEF CON veterans with us today. How many of you here go to SecurityTube? Okay, you have an audience. Aircrack-ng? Okay. These two need no introduction: we've got SecurityTube and Aircrack-ng. Vivek, Thomas, it's all yours, ladies and gentlemen.

Thank you so much for the introduction. It's always a pleasure and an honor to be invited to the Packet Hacking Village. Thank you all for coming early in the morning. We were always worried that at 10:10 nobody shows up, but thank you so much. So we are going to be talking about making your own 802.11ac monitoring hacker gadget. My name is Vivek and I have Thomas along with me. I'm just going to run through our introductions real quick. I've been hacking for the last 15, 16 years, started my career as a low-level engineer, spoke first at DEF CON 15, so it's been 10 years for me, broke WEP cloaking, discovered a couple of attacks, the Caffe Latte attack, won a couple of competitions. Thomas and I speak and train at multiple conferences. We've been running the Wi-Fi training at Black Hat for the past five years. I also run SecurityTube and Pentester Academy.

So you probably already know me, well, those of you who have used Aircrack-ng or any of the GUI tools like Fern WiFi Cracker, Gerix and all those that are using Aircrack-ng underneath. I also created, a long time ago, the Offensive Security course WiFu, which has been renamed to Wireless Attacks. I speak and train at multiple conventions. I'm now self-employed, so I do infosec trainings, Linux consulting, and software development. This was supposed to be at the back; I authored a couple of books. I think we're playing with the keyboard, probably; this is good, okay. The agenda: we have a lot of exciting things today.
We are going to be looking at 802.11 basics, understand the current challenges in trying to monitor 11ac, look at different commodity hardware we could use to get started, and then see how we can create our own custom OpenWrt solution, so we could pretty much run tools like airodump-ng, aircrack-ng, horst, even Python on some of these commodity hardware routers and create your own monitoring, attack and defense platform. After we cover that, Thomas will show you how to go ahead, capture the packets, and analyze them using a little tool he's created called wifibeat. Okay, so let's step back. If you remember the last 10 golden years of Wi-Fi monitoring, when we had just a, b, and g networks, typically a single-input, single-output system, it was extremely easy, right? We had our Alfa cards, the directional antennas; set the card on the same channel as the access point, start monitoring, and you get to see all the packets. It was wonderful, it was paradise. And then n and 11ac came along and started making matters bad for us. So what is so complicated about n and ac that requires us to create a custom solution? And why does using a USB-based adapter, which we're all used to, not scale or work properly as we move along to 11ac speeds? So the very first feature which n and ac have is channel bonding. Putting it simply, with a, b, and g what we really had was 20 MHz channels, right? n and ac said, hey, why not combine two adjacent channels (there are other variations as well) and create a 40 MHz channel? From our perspective, if you want to monitor a network using 40 MHz channel bonding, you need to ensure that your card supports channel bonding as well. A very common question which I get from pen testers in the field is: hey, I am monitoring this network and I see nothing. Well, that is because either you have a 20 MHz-only card or you have a card which can operate on 40 but you set it on 20.
One of the most common mistakes I've seen people make. So channel bonding requires you to have compatible hardware and to make sure that you set the channel appropriately. Then we have the 5 GHz channels: a bunch of channels, some of which you can use, 36 to 48, and then you have DFS channels, dynamic frequency selection channels. On these channels there could be radar or other communication happening, and what access points are required to do is sense those channels and, if they see any form of radar or any other communication, back off and not use them. Now, this is great. Unfortunately, the bad guys, if you're monitoring a network, don't play by the rules. So I've even seen a lot of million-dollar 11ac monitoring products actually back off from channels where there is radar communication happening, but attackers can very easily create backdoor APs, rogue APs, on these channels even though there is probably something happening there. So our monitoring solution also requires that we sense and monitor all channels regardless of other transmissions, which might, depending on the jurisdiction you're in, mean you need permission. So from an attacker's or a defender's perspective, we need to make sure that the regulatory domain which we are setting on the monitoring platform is coherent with what we want to do. Again, one of the most common mistakes I've seen: people start monitoring, don't see any traffic from some channels, and just assume nothing is happening there. In all probability, your card is probably not even going on those channels. Okay, if that wasn't enough, n and ac have MIMO, multiple input, multiple output. Very simply put, this is really multiple transmitting and receiving antennas, all of them sending out the signal.
The DSP on the receiver side is going to pick up these signals from the different receiving antennas and combine them intelligently, so you have a much more powerful, stable signal. Now, with n and ac, they actually brought in an additional complexity. The ideal case, if you want higher reliability, is that you would want to transmit the same signal from, let's say, both antennas, right? In n and ac, you have what are called spatial streams. This is really trying to get higher throughput at the cost of reliability. So what they do is take a high-bit-rate signal, split that signal up, and every antenna is actually going to transmit part of that signal. So now each antenna is really sending a part of that data stream. On the receiver side, there is a lot of DSP going on which can intelligently combine that back together. So essentially, now we have multiple spatial streams which send data independently of each other. In the case of n, we can have four streams; that is the maximum. I've seen most commercial equipment go up to three streams, but you can do four streams. With ac, we can go all the way up to eight streams, which is quite a lot. Just to give you an example, most of your phones which are even 11ac compatible are probably single stream. Most of your laptops are probably two stream. The last I checked, only the MacBook Pro was three stream. So keep that in mind. From our perspective, if you're monitoring a network which is four stream or eight stream and you do not have compatible hardware, you're probably not going to see most of the data being sent. Again, very, very important. So pen testers buy equipment; again, I've seen that, teaching Wi-Fi security now for 10 years. They go to the field, start monitoring, don't see anything, and then you realize they have a single-stream adapter while the network is operating completely in four streams. So this is important. Keep this in mind.
You have to purchase equipment which is compatible with the number of streams of the network you're trying to monitor. Okay, if that wasn't enough, they also came out with SU-MIMO and MU-MIMO. So what is this all about? SU-MIMO is really 11n and 11ac wave one. Now, we talked about the fact that we have multiple streams, right? Four streams, eight streams. That's what these APs can do. But the clients themselves, unfortunately, can be one or two stream, in general. So with SU-MIMO, single-user MIMO, the access point time-division multiplexes between these devices. Let's say we have a laptop which is four stream and two mobile phones which are single stream. The access point is going to multiplex between them: it talks four stream to the four-stream laptop, it talks single stream to the single-stream mobile phones. As you can clearly see, that is not optimal. It's more like a hub model, where when an AP is talking to a device, it's essentially occupying the channel with just that device. So with MU-MIMO, which is really bleeding edge, 11ac wave two, what they try to do is actually simultaneously talk to multiple devices. In that figure which we have, let's say the laptop has two streams and we have two mobile phones, single stream each; the access point can simultaneously talk to the two-stream laptop and the two single-stream mobile phones. There are some limitations, there are some cases of how grouping and all of that happens, but this is the overall view. Another example: a four-stream AP on the left can talk to four single-stream clients, or the same four-stream AP can talk to two single-stream clients and one two-stream client. Okay, more challenges. And as you can clearly see, this is how vastly a/b/g versus n/ac differ, especially as we move towards wave two. So additionally, what we have with ac is also beamforming. So what is beamforming?
Previously, in the good old days, we used to have an access point, typically omnidirectional, sending out power in all directions. Which means that if the AP is communicating with a client here and an attacker is located in the other direction, he might still be able to pick it up. Unfortunately, what they decided to do, and this is unfortunate for us, good of course for the larger consumer market, is now they actually try to detect the direction in which the client or device, either party, is communicating, and they try to channel the energy in that direction. This way it is more directed, which means you get more range, and of course this is an optimal solution. From our perspective, location matters. You just can't get away now with just having, I mean, the physics is against you. Unless you're Neo from The Matrix, you are probably going to have to have more sensors or an optimal location. Okay, so to summarize, n and ac actually bring about a lot of additional features which are going to make monitoring more and more difficult. A couple of them, as I mentioned: channel width, we have 20 and 40, with ac that can be 80 and even 160. The 160 MHz equipment I've not seen too many enterprises use, but the adoption is increasing. Probably a year, year and a half from now, you should see more and more 160 MHz 11ac networks. We are packing more bits per megahertz, so the QAM, the quadrature amplitude modulation, is increasing as well, all the way to 256-QAM for 11ac. Spatial streams increase, beamforming, MIMO and all the stuff we talked about. Of course, with all of this new technology coming in, you have the monster APs invading. You may have seen a lot of these photographs with 6, 10, 12, however many antennas, and of course with every antenna getting added, the price gets bumped as well. Some of these are pretty powerful platforms. And many of them are actually based off OpenWrt and other Linux platforms.
The sad part: not all vendors acknowledge that publicly, but if you just try to log into the box and do a little bit of digging, you'll actually find almost 50% of these APs are just running Linux based on OpenWrt, DD-WRT or one of the other variants. Interestingly, when I bought the ASUS one for one of the trainings we were conducting, I even saw this little home assessment kind of banner ad. I don't know if you've seen it. So now you can actually invite a wireless expert to your home so he can lay everything out for you in an optimal way. And of course, then your neighbor in the next apartment decides to change his AP's location, and then you have to call him back again. Okay, this is just a diagram of how you could go ahead and use multiple radios and chain together more and more bandwidth. So to summarize, these are the challenges we are looking at. Beamforming: the challenge of course is that location matters. Spatial stream count: we have to ensure that our capturing and monitoring platform has an equal number of spatial streams as the network we are trying to monitor. High speed: now, this is really where I'm going to disappoint many of you, because as these networks get really fast, unfortunately you'll find that USB-based solutions aren't going to work anymore. So I'm sorry if I have to break the bad news, but we really cannot use USB anymore unless all you're interested in is just macro statistics. If you want to do deep packet inspection, look at what is happening at a much more micro level, detect threats and all of that, anomaly, time correlation or spatial correlation, you do require a much more robust solution, which is what we're going to talk about. Multiple channels, channel bonding: again, compatible hardware. Okay, so as I mentioned, I'm going to go a bit fast, we have a lot to cover; I'll take all questions at the end and even outside. So as I mentioned, the Wi-Fi adapters, especially the USB ones, aren't going to be very useful.
So what we want to do is AP-based monitoring. Now there are many commercial APs available which are based on open source. I've tested probably over a hundred, and I'm not kidding you, over a hundred. The ones which I've found really good and reasonably priced are the Ubiquiti range. I don't work for them, and I don't have a referral code anywhere there, just so you know. So Ubiquiti actually has a series of UniFi APs. Some of you might have already bought them. These are based on OpenWrt. I don't see that acknowledged anywhere on their website, or maybe my search skills are bad, but after digging a little deep, what I've found is it's just OpenWrt. So what we are going to do is pick up one of these access points and see if we can do something with them: first with whatever manufacturer firmware is in it, and then see how we can load our own customized firmware so we can port attack tools and all of that into it, okay? So, the UniFi AC Pro. Now these little access points are supposed to be either cloud-based or controlled by a local embedded controller. When you buy them, my recommendation, if you want to use them for monitoring, is do not connect and provision them. Rolling back all of the stuff the provisioning scripts do is a couple of hours of work. So just buy them, take it out of the box, power it up and wait for two to three minutes. What happens is the AC Pro tries to get a DHCP address so it can connect to a cloud system. When it fails, the entire UniFi series goes ahead and assumes a static IP address, which is 192.168.1.20. It's a predictable single IP which the entire range of APs takes. The good news: SSH is enabled, because SSH is what is used to provision these APs. Do we have to reverse engineer the firmware, you know, use IDA, do something to get the default username and password? No. Someone posted that on the forums. The default username is ubnt and the password is? ubnt.
So what I've done is this is an access point which I've bought; it contains the manufacturer firmware, no modification made. I've just powered it up, it uses PoE, and now I'm going to go ahead and log into the AP. It is going to be difficult to type with one hand; I'll try. Okay, so the IP address, as I mentioned, was 192.168.1.20 and the password is ubnt. As soon as you log in, for people who've worked with embedded systems or routers, that must be a familiar prompt, right? BusyBox. Is this visible at the back? Okay. Now the first thing which I like to do, and I'm kind of running you through how I experiment with newer platforms which I look at, is just hit Tab twice and look at all the built-in utilities available. A lot of times manufacturers may have most utilities you would require, which is the case for the Ubiquiti series. So if I were to just scroll up, I always love to see iwconfig, because this allows me to quickly look at interfaces without having to go around in circles. And then I actually find that there is a wlanconfig, which is fantastic; we'll come to that. We have wpa_supplicant, hostapd and a couple of other utilities. So let's actually run iwconfig and look at what interfaces are available on this system. So we have ath0 and ath1. And if you notice, ath0 is currently in master mode. When it says mode master, it just means it's an access point, okay? We can see this is the 2.4 GHz radio. So this actually has two radios in it: one for 2.4, the other for 5, fantastic. So we don't require two APs; we can just use one platform to monitor both bands. Then you have ath1. Interestingly, this seems to be in managed mode, and ath1, of course, is the 5 GHz radio, great. Unfortunately, we can't do anything with these interfaces. So what I'd like to do is destroy these interfaces and go ahead and create monitor mode interfaces in turn, which we can use.
Again, a lot of trial and error, and what I've actually found is that even though you should be able to destroy these interfaces directly, it's always a good idea to bring them down before you destroy them, okay? So let me bring these down: ath0 down and then ath1 down. Now, to destroy them, we are going to use the wlanconfig utility. Again, let me reiterate, every single utility right now is built in with the manufacturer firmware; these are not my additions. We'll come to my additions later. So the usage to destroy an interface is as simple as it can get: wlanconfig ath0 destroy, and then wlanconfig ath1 destroy. Now, if we look at the list of interfaces, we see that ath0 and ath1 have been destroyed. Keep in mind, this is the running config. I haven't saved this in a persistent way, and I'll talk about that later when we look at our customizations. So now that we've destroyed both of these, we'd like to create monitor mode interfaces which we can use. Again, wlanconfig comes to our rescue. I mean, unbelievably simple. All you have to do is wlanconfig, then name the monitor mode interface; let's call this mon0, the first monitor mode interface. I'm going to say create, and again, all I'm doing is copying this command out: wlandev. Now, you want to create this virtual monitor mode interface on top of one of the cards, so I'm going to be using wifi0, the first card. And then the wlanmode (I am typing with one hand, so), and of course the option is monitor. Okay, so what this is going to do is create a new interface mon0 as a virtual adapter on top of wifi0, and this will be a monitor mode interface. So I hit Enter, it goes ahead and echoes back mon0, which means everything went well. Similarly, I'm going to go ahead and create mon1 on top of wifi1. Fantastic. Now we have two monitor mode interfaces. Let's bring them up.
So ifconfig mon0 up and then mon1 up. Let's type in iwconfig, and there we are. So what we've done so far, if I were to summarize, is we've removed the interfaces the manufacturer had by default and we've created monitor mode interfaces on the box. So now let's actually set this to a channel. I'm going to say iwconfig mon0 channel 6. Now we'd like to look at the packets. Good news, tcpdump is also in there. So tcpdump -i mon0, and there you go. We are now monitoring 2.4 GHz, channel 6. Where's the clapping? Thank you, thank you. I haven't slept the whole night because I had to flash firmware, so you guys have to keep me awake. We have a booth and were just trying to flash firmware for it. Okay, so this is good. This is great. Bad news: the device does not have storage capacity. It probably has around 10 meg or something like that. Well, what they did is they've kind of removed some functionality here or there, but I'll show you how to find the disk size in just a bit. But we can't do much on this device. Well, we can look at the packets using tcpdump, and that's great from a research standpoint, but what more? What we can do is stream packets from this device using SSH back to a central server, where we can analyze them as a pcap file, or actually even just have Wireshark receive that stream and look at it live. So let's do that. This is the command. Let me explain the command in a bit. Okay, so what this command does, and now I'm running this on my host machine, which is connected to this box. Keep in mind that you could connect this to even your local network in your enterprise and still stream it to any server. This doesn't necessarily have to be connected physically to the collection station. So all I'm doing is logging in using SSH. The username is ubnt. The IP address is 1.20. I'm just going to be a bit fast; we don't have too much time.
And then I'm going to invoke tcpdump, give it mon0, tell it to snap the entire packet length and then write it to stdout, which comes back over SSH and gets piped into Wireshark. -k is start immediately; -i is the interface, which is the input. So once I go ahead and run this, Wireshark pops up, assuming you have that installed locally. The moment I log in, packets get automatically streamed into Wireshark. Isn't that cool? And you can go ahead and write your own channel hopper, a simple bash script or something similar, and that works as well. So this is how you can go ahead and get the packets from the device to a remote collection server. You could even just redirect this into a file and then have multiple utilities read from it. Great. Now, this isn't enough, right? We want to run Thomas' tool; I mean, he's been a good friend for 10 years, it's the least I could do. So we want to run airodump-ng on it. We want to run Python on it. We want to run pretty much whatever we want, so that we can convert this into a fully customized platform. So there are a lot of steps. What I'm going to be doing is, I've shot videos of every step, which you can look at later, of how to install the firmware. It's pretty straightforward. We don't have enough time, so I'm just going to go through it in the slides, and at the end I'm going to give you a link which you can use. So all we do is download a compatible OpenWrt image and write that onto the device using MTD. Once we do that, we restart the device; extremely straightforward, nothing complex. Restart the device, and you get a familiar OpenWrt prompt. If you haven't used it, OpenWrt is an embedded Linux used by a lot of commercial routers, both home as well as enterprise grade. Extremely flexible, has a lot of package management and support; from a security perspective, Aircrack-ng, MDK3, Scapy, a lot of these tools are supported in the package manager itself.
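[Editor's added example, not part of the talk.] The manufacturer-firmware procedure Vivek types by hand above (bring the vendor VAPs down, destroy them with wlanconfig, create monitor VAPs, pin a channel, then ssh + tcpdump piped into a local Wireshark, plus the channel hopper he mentions) collected into one POSIX shell script. Assumptions that are mine, not the speaker's: the AP answers on 192.168.1.20 as user ubnt (override with AP_HOST and AP_USER), the 2.4 GHz radio is wifi0 with VAP ath0 and the 5 GHz radio is wifi1 with VAP ath1, and tcpdump, wlanconfig and iwconfig are present on the AP as shown in the demo. Nothing is persisted; a reboot restores the vendor interfaces.

```shell
#!/bin/sh
# Added example (editor's, not from the talk). Wraps the manual steps from the
# demo into functions so they can be reused or tested without a device present.
# Assumed, not from the talk: AP at 192.168.1.20, user ubnt, radios wifi0/wifi1
# with vendor VAPs ath0/ath1. Override the first two via the environment.

AP_HOST="${AP_HOST:-192.168.1.20}"
AP_USER="${AP_USER:-ubnt}"

# Shell fed to the AP over ssh: bring the vendor VAPs down before destroying
# them (as the speaker recommends), create one monitor VAP per radio, bring
# them up and pin each to a starting channel. Runtime only, not persistent.
ap_setup_script() {
    cat <<'EOF'
ifconfig ath0 down
ifconfig ath1 down
wlanconfig ath0 destroy
wlanconfig ath1 destroy
wlanconfig mon0 create wlandev wifi0 wlanmode monitor
wlanconfig mon1 create wlandev wifi1 wlanmode monitor
ifconfig mon0 up
ifconfig mon1 up
iwconfig mon0 channel 6
iwconfig mon1 channel 36
EOF
}

# Command that streams full frames from one monitor VAP into a local Wireshark.
# tcpdump: -U flushes per packet (otherwise the live view lags), -s 0 keeps the
# whole frame, -w - writes pcap to stdout, which ssh carries back to us.
# wireshark: -k starts the capture immediately, -i - reads pcap from stdin.
stream_cmd() {
    printf 'ssh %s@%s "tcpdump -i %s -U -s 0 -w -" | wireshark -k -i -' \
        "$AP_USER" "$AP_HOST" "$1"
}

# Channel hopper to run on the AP in a second ssh session while the stream is
# up: cycles the given interface through the listed channels, one second each.
hopper_script() {
    iface=$1; shift
    printf 'while true; do for c in %s; do iwconfig %s channel $c; sleep 1; done; done\n' \
        "$*" "$iface"
}

# Conservative default channel sets. DFS channels are deliberately left out;
# add them yourself only where your regulatory domain allows monitoring them.
channel_list() {
    case "$1" in
        2.4) echo "1 6 11" ;;
        5)   echo "36 40 44 48" ;;
        *)   echo "unknown band: $1" >&2; return 1 ;;
    esac
}

# Only touch the AP when explicitly asked (./wifimon.sh run), so the functions
# above can be sourced or tested offline.
if [ "${1:-}" = "run" ]; then
    ap_setup_script | ssh "$AP_USER@$AP_HOST" sh
    ssh "$AP_USER@$AP_HOST" "$(hopper_script mon1 $(channel_list 5))" &
    eval "$(stream_cmd mon1)"
    kill $! 2>/dev/null
fi
```

Two caveats a practitioner will hit: iwconfig sets the primary channel only, so on a bonded 40/80 MHz network you still have to make sure the monitor VAP is actually using the wider width (the speaker covers this later with horst); and the hopper runs on the AP, so its one-second dwell time is what bounds how much of an 80 MHz, multi-stream burst you catch per channel.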
So you don't have to do any of the cross-compiling exercise. The next thing, of course, which we notice is we only have around 10 meg. So we are going to use a technique called extroot, which allows us to extend the root onto an external storage device, which is a USB key. So this is the modified one, and if you notice, I have a USB key connected to it. It's a 16 GB one, though you can pretty much go as high as you'd like. So you could have that external storage and dump everything in it, or load the OS and other things from it; a lot of possibilities. Okay, we have to install the ath10k drivers. Again, everything is there, no cross-compiling required. Now, what I'm going to do is, I have gone ahead and put all of this on that device, and I'm now going to connect to that device and show you how it looks. The entire customization process is very simple; you just have to follow the steps. I'm going to give you videos for that. Just a second. Okay, the demo gods are with me so far. Let's see if a simple SSH works, or whatever is okay. Hopefully this will work. So on the OpenWrt system I'm root, unlike ubnt. I had to check what privileges ubnt had, but I'm pretty sure it's close to root. I didn't try installing anything. And the IP address of my customized device, now running OpenWrt, is 50.150. I'm going to SSH into it, and there you go. You have to change the welcome message, right? Why mon? That's all the customization I did. So with the manufacturer firmware, of course, we had to go through all the pains of creating the monitor mode interface and all of that. With the customized one, okay, looks like the USB key. So this does take roughly, I think, a minute or two to start. Just give me a second. Okay, I'm waiting for an IP address; I should have it shortly. Okay, there we go. So now that I have the USB key connected with all my customizations, as soon as we log in, we see wlan0 and wlan1, do you see that?
So what I've done is I've changed the init scripts, and these automatically are set to monitor mode. So we don't have to do anything; it's just plug and play. I'm going to quickly just demo three tools. The videos have a lot more, and then I'm going to give it to Thomas. So the first tool we all love, and we have the creator here with us, is of course airodump-ng. And there you go. Collapse. Yeah. I'm going to remind you of that. So here is airodump-ng. And Thomas has a little plug there which says "contact the author." This is a trick so that he gets fan mail. So along with that, what I'm going to do is run another tool called horst. Now this is actually quite an underappreciated tool, in my opinion. horst allows you to do scanning on 5 GHz and is aware of channel bonding and all of that. There you go. I use this actually to hop channels, do other interesting things; they have an API. I would highly recommend looking at this tool. Now, right now, if you notice at the bottom right, we are on channel 60. "@80" means 80 MHz, right? Right here at the bottom, might not be too visible: "Ch 036 @80". So channel 36, 80 MHz. I can go ahead and tell it to scan by selecting "s", and this now starts scanning all the channels. And you can even set it for HT20, 40, 80, 160, whatever combinations you want. It has a config file which you can change and modify as well, okay? The videos have more detailed information. The last thing I want to quickly show is, and by the way, you can run MDK3, you can run all your attack tools on this, right? aireplay, injection attacks, everything. The last thing I want to show is for people who love Python: Scapy. Scapy, right? So extremely simple code, it's just the PoC, just to show you that we can run Scapy very easily. So this is like the simplest Scapy code ever. All it does is monitor the interface, take a number of packets and just print the summary. Now on the other side, there you go. So there it is, Scapy running.
Great, people remembered. And of course you can pretty much port more sniffers and injectors if you want. So I'm gonna give it to Thomas now; what he's going to show is how you can now take all of these packets and do deep analysis.

Yeah. Great. So I created recently another tool called Wi-FiBeat. So you store all your packets, parsed, in Elasticsearch, and then you can search for them using Kibana, or you can use other tools such as ElastAlert to create alerts and send you emails or use other channels. So I'm gonna quickly go through and explain the different Elastic tools, what is a Beat, Wi-FiBeat itself and the two libraries that I created along with it, and a quick demo, and let you know where you can download it. So all the Elastic tools: you have Elasticsearch, which is pretty much a NoSQL database and stores JSON documents. And you have Kibana, that does visualization, so it connects to Elasticsearch to do that. You have Logstash, that can also connect to Elasticsearch and stores all the logs from a bunch of different sources. And you also have Beats. And Beats are pretty much data shippers and can send data either to Logstash or directly to Elasticsearch. So here are some of them. You have Filebeat, that reads log files, much lighter than Logstash if you only need to read log files. You have Metricbeat, that is metrics. Winlogbeat, that is Windows logs, because Windows had to do something different. Heartbeat, that shows the uptime, and Packetbeat, that does packet monitoring and parsing. You might think that Packetbeat is the one you're looking for, but no, it doesn't understand Radiotap, which is the header that comes with Wi-Fi packets, the metadata. So basically you have all the information: say, it says which channel it was captured on, the signal and a bunch of other information. So that's the error that appears when you start the program. So I created Wi-FiBeat as well as two libraries that I needed for it.
So Wi-FiBeat captures all the packets from one or multiple wireless interfaces and stores them in Elasticsearch. So you can even read pcap files. You have full packet decoding, pretty much like Wireshark filters, so you can transpose pretty much your Wireshark filter, display filter, in Kibana so you can search for the packets. You can also do decryption if you'd like, but in that case you have to provide the key in the configuration file. It doesn't do any cracking whatsoever. You have to use a cracking engine or any other tool to do that. Another library that I created was simple-json-cpp, a C++ library that just does simple generation of JSON. Then here's what it looks like, so you have some of the code. You create an object here, that's the main document. You create values, and you simply add all those values to the main document. Here I create another object, and I create a key and value in that object, and I finally add that to the main one. For example, here is a vector, an array, that we add to the main object, and then I export it to a string. So that's very easy, very simple to create a JSON. I used to use RapidJSON, but that one was very complicated. It's very nice, very fast, but the problem is it has some very weird memory allocations, so, for example, for this one you had to do like four lines of code, and considering the amount of code that is even in Warsaw decoding, 27,000 lines, that was out of the question, not maintainable. The other library that I did was ElasticBeat, and both of those libraries are header-only, so you don't have to compile any code; you just include it in your main project and it gets compiled with it. So for now it uses RapidJSON for parsing JSON documents, and it inserts stuff using the bulk API from Elasticsearch. So this is what it looks like. So you connect to Elasticsearch here, so on our localhost, we display the version. Here's another example where you can get indices, all the tables pretty much.
You can check if an index exists and then create it, and here's, for example, that bulk request that we do. So you send a bunch of documents to Elasticsearch to store them, so you don't have to do them one by one. All of them are gonna be sent in one query. You can do either index or delete. So index is pretty much insert, for those who have done relational databases. And finally, you can see if there are any errors. If there are any, it will just display that in the error field, and if not, you get all your IDs back in case you want to process them. So to summarize: Wi-FiBeat is GPLv3. It parses and stores the data in Elasticsearch; you also have a Kibana dashboard with it, and it's in C++. The two libraries that I created are under the BSD license, so you do whatever you want with them. You can even include them in your commercial product, it doesn't matter, and they're both C++. So ElasticBeat communicates with Elasticsearch and simple JSON generates JSON. So now let's switch quickly to the demo. Okay, so now you can see I have a search field. So in Kibana you have three main items: you have Discover, where you see all your logs or documents; Visualize, where you can create visualizations; and you have Dashboard. So here's just a search for a specific time frame, because I already have a ton of data for that, and here's one of the documents. So you can see here exactly all the data parsed and in the database. So one thing about it is Elasticsearch for Kibana displays everything flat, so you can see it here. So that's the W9.MGT.ASEL, and you see a bunch of them: ACL.Cable.CSI.IF.Reserved.Irex. And so all those things were in a single JSON document, and here you have a different item, so you can see that image here. So Elasticsearch for Kibana cannot handle arrays, so it just displays it like this. There's a workaround; there's a library for that for either Elasticsearch or Kibana, and I give the link to it in the project. So here, if you want to take a look at the JSON.
That's what the document looked like. So the familiar fields in the packet: version, type, subtype, so the type of the frame and subtype of the frame. And if I look at Wireshark here, so if I can open that one, and I can actually take my filter all the way above here; I just have to modify it a little bit, since it changes the colon to equals, and so we have the exact same packet as well, different capture, the same things that are parsed. So the frame control field that we had, and you can see all the information in Elasticsearch here. So in the dashboard, for now I created a very simple dashboard with a bit of basic information about a network. So that way it looks like you can see the different types of frames, the amount of frames. You can even calculate, with the other searches that are added, so that you can calculate the amount of data that is stored, that has been transmitted in the network. So that's what the tool looks like when you run it. You have the version, the version of the configuration. You can change the configuration file if you're doing some testing. You can make it go in the foreground if you want to debug some stuff, and all the logs go to syslog. So everything, all the actions, are logged to syslog, in case you want to see it when you're running it in the background. You have a pid file, very useful when you're running it as a service. So we already went through all that. So a few last words. ElasticBeat: so I'm gonna add the Beat protocol in the future, build in RapidJSON or even get rid of it and build in a library. For simple JSON, I'm gonna do more JSON parsing with it, and for Wi-FiBeat, I will do persistent queues, support for Npcap, so some Windows adapters support monitor mode so you can use them. Also pcap supports unusual channel widths, so 5, 10 MHz, even HT and VHT channels, which is already in the code but not enabled yet. pcapng and a bunch of other things.
So if you want to take a look at all the projects, they're all on GitHub: github.com/wifibeat. The case doesn't matter, so you can even put it in lower case, that's fine. It will redirect you to it. Or you can just go to wifibeat.org, which contains the links to it and just a brief description. Be good back to back.
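As an added example to accompany the talk above (not the speakers' code, nor Wi-FiBeat's own): decoding the 802.11 frame control field that Thomas points at in the Kibana document (version, type, subtype, flags) into flat fields, and serializing a batch of such documents as an Elasticsearch bulk-API request body, one action line per document, so many frames go in one request. The sample frame headers, the index name "wifibeat" and the field names (loosely following Wireshark display-filter names) are constructed assumptions.

```python
"""Added example, not Wi-FiBeat code: 802.11 frame control -> flat JSON
documents -> Elasticsearch bulk-API body. All sample data is constructed."""
import json

# 802.11 frame types as carried in frame control bits 2-3.
TYPE_NAMES = {0: "mgt", 1: "ctl", 2: "data", 3: "ext"}
# Flag bits of the second frame control byte, LSB first.
FLAG_NAMES = ["tods", "fromds", "morefrag", "retry", "pwrmgt",
              "moredata", "protected", "order"]


def parse_frame_control(frame: bytes) -> dict:
    """Decode the two-byte frame control field at the start of a MAC header.
    Byte 0: bits 0-1 protocol version, 2-3 type, 4-7 subtype.
    Byte 1: eight flag bits. Field names are Wireshark-style, chosen here."""
    if len(frame) < 2:
        raise ValueError("frame too short for a frame control field")
    b0, b1 = frame[0], frame[1]
    ftype = (b0 >> 2) & 0x3
    doc = {
        "wlan.fc.version": b0 & 0x3,
        "wlan.fc.type": ftype,
        "wlan.fc.type_name": TYPE_NAMES[ftype],
        "wlan.fc.subtype": (b0 >> 4) & 0xF,
    }
    for bit, name in enumerate(FLAG_NAMES):
        doc["wlan.fc." + name] = bool((b1 >> bit) & 1)
    return doc


def bulk_body(docs, index: str = "wifibeat") -> str:
    """Serialize documents as a bulk-API body: an {"index": ...} action line
    followed by the document's source line, newline-delimited and
    newline-terminated, so a batch of frames is stored in one request."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc, sort_keys=True))
    return "\n".join(lines) + "\n"


# Constructed sample headers (frame control followed by 22 zero bytes):
# a beacon (management, subtype 8), a protected data frame heading to the
# AP (ToDS + Protected flags set), and a QoS data frame (data, subtype 8).
SAMPLE_FRAMES = [
    bytes.fromhex("8000") + bytes(22),
    bytes.fromhex("0841") + bytes(22),
    bytes.fromhex("8800") + bytes(22),
]

if __name__ == "__main__":
    print(bulk_body(parse_frame_control(f) for f in SAMPLE_FRAMES), end="")
```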