Alrighty. I hate reading bios so I'm not gonna. This is Alex. He's been a good friend of the village for a couple of years now because he makes cool toys. Those of you that have been in the village for more than a few seconds have probably noticed one of his cool toys in the back where he's been posted up. And he's going to talk about what that device is and why it's cool. So this is Alex with large-scale wireless monitoring using the Kismet packet sniffer on a multi-radio array. And if you don't want one of these, you're probably in the wrong place. So thank you, Alex, please.

Okay, hi. So hello everyone. First of all I wanted to thank this cool bunch of village people for giving me this opportunity to speak. This is my first time at DEF CON, I mean presenting. So be gentle with me and, you know, you'll see how it goes. This is my presentation flow. Nothing really important. A few words about me. So I spent about 25 years in the high-tech industry, turned to the security field about six years ago, to find out that actually all 25 years I did security as a matter of fact. Sorry. Is it better now? So I spent about 25 years in the high-tech industry with big names like Cisco, Alcatel, Ericsson, whatever. About six years ago I moved to the security domain and found out that whatever I did for 25 years was actually the security field, right? Don't pay attention to all this alphabet soup, you know, underneath. I have to maintain my security profile to, you know, to work for a living. I do own a small consulting company in Ottawa, Canada. Our main revenue stream is professional services, mostly in the security assessment and authorization field, which gives us enough money to reinvest into all kinds of cool R&D activities. So our goal or our vision for our R&D domain is to create appliances to support open source software. I know it's kind of old stuff. Probably most of you know about this. It's just a small recap.
This is the 2.4 GHz frequency band in Wi-Fi. We do have a total of 14 channels. Not all of them are visible to you due to the regulatory domain, which is maintained by the firmware and the high-level applications. When it comes to the 5 GHz domain, things become a little bit more complex, right? It's more channels. It's provisioning for wider channels like 40, 80 and up to 160 MHz recently. So you kind of get a picture of how many channels one should cover when we do perform sniffing and monitoring. The basic concept of wireless monitoring is RF monitor mode, which does allow the wireless network interface controller to monitor all traffic received from the wireless network. Now, the difference from promiscuous mode, which is less relevant in the wireless domain, is that RFMON allows packets to be captured without your network controller being associated with any access point or ad hoc network entity. So RFMON is a feature that is implemented in the hardware. So when we talk about hardware, the support of RFMON mode or not is kind of by default. It's a hardware capability as well as a driver capability to turn it on. So a very select subset of chipsets do support RFMON. If you go to the websites, for example, of guys like Aircrack-ng or Kismet Wireless, you will see the list of the supported cards or supported wireless appliances in the USB or PCI Express domain and you will see which ones are supported, right? Sometimes they do refer to the card itself. Sometimes they do refer to the chipset that this card employs.

A small word about the antenna arrangement. So as you can understand, the antenna is a very important thing when we monitor. Think about it like you have a top-notch Hi-Fi audio system and you connect it to, you know, lousy loudspeakers. The result is obvious, right? A good antenna, a good antenna arrangement, is critical for successful monitoring.
The quality or characteristics of antennas you can basically describe in three domains: power gain, directive gain and polarization. So power gain is basically a ratio between the power produced by the antenna from a remote power source and a hypothetical lossless antenna, right? Which is measured in dBi, which stands for decibels isotropic, and decibel is a logarithmic unit used when you compare values of the same physical quantity. Directive gain or directivity is sometimes kind of more relevant to the receiving antenna, and basically refers to the ability of the antenna to receive signal from one direction and gently reject signals that are coming from other directions. We'll come to this later on. Polarization is the way that the antenna emits signal into the air. So we do recognize two kinds of polarization, vertical and horizontal. And basically the rule of thumb for polarization is that it's the same plane as the main antenna elements are in. For example, if you take a vertical antenna, right, it's vertical polarization. Horizontal, horizontal. It's very simple, right? You know, I did deal with a very knowledgeable RF antenna engineer who could explain all this stuff to me using the fingers on one hand. It's really simple without diving into the gory details.

A short overview of antennas that people use for monitoring. So everybody knows the rubber duck or dipole antenna. The Yagi antenna is more of a narrow-beam antenna. Log periodic, Vivaldi, patch and panel. So what's cool about these two antennas in particular, log periodic and Vivaldi, is extremely wide frequency range coverage. Another quality. One, two, three. I'll keep them together. So what's really cool about the log periodic and Vivaldi antennas is that they can be implemented using a simple printed circuit board. Right? So it's very easy to manufacture. If you go Google, you'll find multiple designs and multiple applications.
What makes these antennas unique is very high gain and very wide frequency range coverage. That's a kind of small overview of what each antenna stands for. So the rubber duck, as you see all these guys are using, is omnidirectional and propagates radio frequency energy 360 degrees in the horizontal plane. And basically you can find do-it-yourself kits on the web; if you take a piece of wire and make it a half or quarter wavelength of the desired band, it's probably the best thing that you can get. A log periodic antenna is multi-element directional. So it's approximately 30 degrees horizontal and 30 degrees vertical. But in terms of gain, so rubber ducks you'll find somewhere between 3 dBi up to 7 dBi for the 2.4 and 5.8 GHz bands. A log periodic you may gain in a small form factor up to 16. Right? So even though it's directional, the gain is somewhat incomparable. Another thing is with rubber duck antennas, when you buy dual-band rubber duck antennas you have to remember that it's always a compromise. Right? So it's kind of okay-ish performance on the 2.4 and okay-ish on the 5.8, but not on both of them. Right? So if you compare the gain of rubber duck antennas that are mono-band, it's much higher gain. Right? And so on. Vivaldi, patch, Yagi antenna, panel antenna, so all of them do have a certain, you know, area of application. We started to play internally with the Vivaldi and log periodic antennas and we do get extremely good results. Right? So it's kind of for fun. You know what? When I did, you know, study all this horizontal vertical thing, right? I found this blog by a senior Apple RF engineer which I kind of found funny because it's saying the obvious. Right? And I tested this thing at home with my kids' MacBooks and believe it or not, it's just amazing results. Right? I see gain, boom. Right on the spot. The whole thing is that in the, you know, MacBook, where do you think the antenna is? Right?
It's kind of a metal aluminum shell. Right? Where do they put the antenna? Well, they put the antenna in this small plastic area on the hinge. Right? So the only way they can do it is just to put it, you know, horizontally. Right? So here you go. You have your horizontal polarization. Now if you just move one of your outer antennas, you know, horizontally, you will see a significant gain increase and a significant power level increase. Kind of stupid but it works fine. You know, like I tested it at home, it just works fine. Yeah. Sorry. This is omni. Right? But again, you know where the main element is, which plane, here or, you know, there. Obvious, but you know what, no one does it. Right?

Now when you come to the Wi-Fi monitoring hardware there are actually multiple choices. Right? You can always start with the purpose-built appliances like the WiFi Pineapple which you can buy here at the vendor area. Many people use USB-based dongles. Right? For example, these guys over there heavily utilize USB-based dongles as I noticed. The problem with USB dongles is that they are mostly made in Asia. It's kind of a mass production thing. Right? And antenna-wise, unless it's an external antenna, it's an internal built-in PCB or ceramic chip antenna with very low quality. Right? So don't expect to, you know, see a lot from these cheap USB adapters. Even though they might be compatible with RFMON, no one says that it's wrong, but drivers are an issue as well. Whatever sources we have that are coming from overseas, well, they need heavy fixing. They need heavy fixing and they're not as polished as, for example, PCI Express. In PCI Express you have many more offerings in terms of quality products. Right? We do have a few kinds of readily available PCI Express radio cards. So the first two on the top are PCI Express Mini, which is basically your PCI Express single lane interface minus the 12 volt power rail, to simplify things.
Right? They do come as full length and as half length. Depends on the chipset, depends on the manufacturer. When we talk about the powerful cards, for example the ones that are produced by the company by the name of MikroTik, or the powerful 802.11ac cards which are produced by, for example, a company like Compex, they do equip them with heat sinks because they do have a heat dissipation issue. So you have to drive heat off the card. A relatively new standard is M.2 which basically is going to replace wireless cards in each and every one of them. You'll see, coming forward. The form factor is almost twice as small as the normal PCI Express Mini. The quality cards are from Intel. It's the 8260, the 7260. But again, if you do have a PCI Express Mini slot in your system you'll have to go and buy off eBay or from Amazon adapters that will convert the M.2 pinout form factor to PCI Express Mini. Now talking about PCI Express Mini. Historically the most friendly chipsets ever produced were from the company by the name of Atheros. This is where, I don't know if you heard or not, the driver family like ath9k, ath10k and so on and so forth comes from. So these are probably the best chipsets in the industry. So the majority of them, if not all of them, are PCI Express based. So if you want to go and expand your PCI Express Mini you can excel in the monitoring. So if you have a choice between USB and PCI Express, I would say go to PCI Express.

Now this is a kind of short overview of whatever tools are available for scanning and monitoring. You can always Google them and take a look at what they do. We tried recently, where was that? We tried recently Acrylic Wi-Fi. It's a small company in Spain and they make an amazing piece of software that is capable of producing so-called heat maps. Unfortunately it's Windows-based software. So whoever hates Windows needs to suck it up. Our darling, and we'll talk about this going forward, our darling and our favorite scanner is Kismet. And I'll explain why in a few slides.
Now when we talk about wireless security monitoring, or wireless monitoring challenges, right, there are a few aspects. First of all we legitimately have two frequency bands, 2.4 and 5.8. Across these two bands we have multiple channel arrangements, right. For example, applying to the cards that we are going to present today, the cards are 802.11a/b/g/n and the aggregated channel capability is 84. So each card is capable of scanning 84 channels with different arrangements, different frequencies, different channel widths and so on and so forth. Now if you do monitor 84 channels, basically scanning goes like: you tune to the channel, you sit there, you listen to whatever you can capture from the air, and when you're happy you move on to the next channel. If you hop like this 84 times you can understand that, when you finish your loop and go back to channel number one, some time will have elapsed, right. So chances are that you will miss something, right, or you will not capture whatever you need, right. Another challenge is discovery versus tracking, right. So under circumstances, it depends on the task at hand, you may need not only to discover wireless appliances in proximity, you also want to track them down, right. Meaning, okay, how often do they appear, when did you see them the first time, when did you see them the last time, how active they are and so on and so forth. So all of this creates a challenge for fast and full monitoring. Now when we talk about monitoring, if I say to you that okay, now we have a single radio card, we have 84 channels to cover and we kind of hop from channel to channel, sitting on each channel for a certain period of time, waiting for frames to arrive, and once we're happy, we move on. What if you have multiple cards? What if we have the ability to talk simultaneously to multiple capturing devices or multiple sources, right? So let's say you have two cards, right, you can always say, okay.
Now card number one will be tasked to capture from channel A to channel B and card number two from channel C to channel D. In a sense what it gives you, it gives you twice as much presence on each given channel, right. And so on and so forth. The more cards you employ, you know, the more you will be present on each particular channel, the more you will capture. You can distribute this workload or balance the workload across multiple sources. You can switch between channels faster, right, because you will come back to them faster, right. And another thing is that with all these 20 MHz channels, the 40, 80 in AC, 80 plus 80 and 160 MHz, you are physically kind of in the same frequency spot, right, but you should tune your radio differently to capture data from different channels. And we talked about balancing versus tracking monitoring.

So here's the appliance that we created, right. So the idea behind it was very simple, right. So we wanted to give the community something that can utilize multiple high quality PCI Express Mini and M.2 radio cards and be easy to use, right. We did keep it in line with a standard x86 Intel platform. As you can see it's a sort of standard mini-ITX low profile motherboard. So that developers won't spend time with ARM or MIPS or whatever CPU they have, with patches, with, you know, the current kernel and so on and so forth. So this appliance actually runs whatever any PC would, right. The appliance has provisioning for nine PCI Express Mini slots. So you can choose your commodity or whatever compatible cards from Amazon, from eBay, from other sources, right. Install them and just have yourself a multi-radio array. The choice of N connectors rather than SMA for the antennas was a field application thing, because our first prototype was based on SMA connectors and SMA antennas. After like 20, 25 times of putting them on, taking them out, we found out that the thread on the connector was gone, right. So there's no point.
And N connectors are professional quality. You have many more professional antenna offerings from the market. And we found it, you know, somewhat easier to use. Again, so it's flexible because it allows you to install any OS. So our PCI Express slots in this device are fully populated with USB 2.0. So if you have, you know, Bluetooth cards or something like that, or cards that are combo cards, Wi-Fi plus Bluetooth, they will work fine as well. As I said, it uses any commercially available mini PCI Express radio card, x86 platform, compatible with anything that is available with any open source. Well, it's kind of just walking through the main features. This is how the device looks inside. And you see these fat nice RF cables, which do have very low signal loss. As I said, our standard offering is quad core, well, Intel Celeron, 8 GB of RAM, 64 GB of solid state. We can also populate it with up to 2 terabytes of retention storage. 9 PCI Express Mini slots, which can accommodate any PCI Express or M.2 card.

Well, this is basically what we plan to do next as far as the hardware goes, right? We just finalized the development of the 12-card carrier, which looks like this. It's the first prototype board. It looks visually like a standard PCI Express Mini carrier board, but it's actually fine-tuned for wireless applications. And I'll explain in a second, on the next slide, what I mean by this. We do plan, it's in the works, a mini PCI Express form factor quad channel sub-gigahertz radio card. This covers from 119 to 960. And when I'm saying quad channel, I mean quad radio. It's a true quad radio card. We do plan to create a quad card mini PCI Express Bluetooth Low Energy card, which will be compatible with the new 5.0 standard. And we also plan to create our own form factor, our own quad channel, quad radio, a/b/g/n/ac receiver. So all these cards will be in purely receive mode.
No need to transmit, nothing, but we'll do it as we need. Also, our plans are to create a 360 directional antenna array to try to track the physical location of wireless appliances in proximity. This is how this card will look. It has kind of two layers. So the lower layer will have four PCI Express Mini slots. And another eight are going on the top. So when I said that it will be fine-tuned for wireless applications, it's the following. Currently developing, and soon to appear on the market, 802.11ac two-radio cards do have excessive power budget requirements. So a standard PCI Express Mini slot can supply only up to a certain number of watts of power. So the newly planned quad-chain AC cards do have a special arrangement for a 5 volt rail in addition to the standard 3.3 volt rail on the PCI Express slot. The reason for that is they need this voltage to power up the power amplifiers on the card. Right? So in a sense it's beyond a certain number of watts. So if you have a chance to buy this card, you will not be able to use it in a standard PCI Express Mini slot. So what vendors do, there are certain pins on the PCI Express Mini connectors that are unspecified by the standard and actually vendors are free to use them as they see fit. So in particular a big vendor like Compex, they're just about to release quad-chain AC cards where they have the 5 volt power rail on these pins. So we do accommodate this feature as well. So another thing is that we do recognize this card as maybe a standalone gadget. So we have an arrangement for remote PCI Express connectivity, which will be done through a USB-C cable.

Now, Kismet. So Kismet, I mean, I'm sure many people used it in the past. I'll just go through this tool very fast. It's a network detector and packet sniffer for 802.11 wireless LANs. Even though the maintainer wants to add Bluetooth and sub-gigahertz radio functionality and so on and so forth.
It's used by thousands of professionals as a baseline for intrusion detection systems. The maintainer of Kismet Wireless claims having in excess of 50,000 downloads a month. So this is just to give you an idea of how big the community is. So Kismet is probably one of the very few passive scanners, which means that it doesn't emit anything into the wireless environment. It doesn't produce any beacon request frames. It's not detectable because it doesn't send anything out. It has the capability to detect access points, wireless clients and the corresponding associations. It is the most widely used and up-to-date open source tool. As we speak the changes are going to git on a daily and hourly basis. So it also has the capability to take in GPS data in NMEA format, and has the capability to map the wireless objects detected versus the geolocation of the sniffer itself. So this is the demo that you will see over there near the wall. So we do have our airbot appliance which runs the Kismet server. We do have a client which is basically a simple web browser. These are screenshots from the latest git version of Kismet. Probably not the same Kismet as you saw in the past. Now it's purely a sort of client-server architecture where the client, or the visual GUI, is your browser. Same functionality underneath. It has had major improvements in the last four or five months with lots of optimizations. When I walked here I checked the counter, how many devices do we see on Kismet right now? It was, I think, 14,000. This is how many devices we see around here right now. So if you approach this desk, I'll show you all the screens kind of live. All the particulars for clients associated with access points. This one is interesting because it shows you all the capture sources in a color scheme and then shows you dynamically how each source hops from channel to channel without overlapping.
It's a plug-in that shows you how many devices it sees right now, how many packets a second Kismet takes in, how many channels are subject to scan and how many active sources are employed. Now, all of us do this stuff, you know, we are passionate about what we are doing. The open source community is people who are actually doing something for a living, right? Whatever they create, they create in their free time, you know, taking time from family, from kids, from et cetera. The maintainer and the author of Kismet is Dragorn. He created this tool out of both need and passion; he could have charged for it, but he chose not to. It takes a great amount of time and effort and skill to maintain Kismet and enhance its features. He never charged the community for this. So what we are saying is that we strongly suggest the community support the guy, right? I mean any kind of donation towards his project will be helpful. Whatever it will be, $1, $5, $10, $100, whatever. Corporate support is welcome as well. So me personally, I'm going to, you know, quit smoking today and I'll dedicate my, you know, smoke money to this guy right now, right? So help us to improve this tool, help us to make it perfect. If you go to the Patreon website, or go to the Kismet Wireless website, you will see the link for how to become a patron. So any support towards the project would be greatly appreciated. These are my particulars, my data, you can always email me, call me. I'm in Eastern Standard Time, so make an adjustment please. That's about it. So if anybody has any questions, the demo is over there. So whoever wants to see the demo, it's near the wall at the back. Thanks.
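The multi-radio channel-splitting idea from the talk (each card takes a disjoint share of the channel list, so every channel is revisited sooner and two cards never sit on the same channel at once), as an added Python example that is not from the talk, the appliance, or Kismet's own code. The channel names in Kismet's "6" / "36HT40+" style, the fixed per-channel dwell time and the round-robin split are assumptions made for this example.

```python
"""Channel-hop scheduling across a multi-radio array (added example).

Assumptions (not from Kismet or the appliance): channels are written in
Kismet's "6", "36HT40+", "149VHT80" style, every radio in the array can
tune any listed channel, and the dwell time per channel is a constant.
"""

# Constructed channel list for an a/b/g/n card: 2.4 GHz channels 1-14 at
# 20 MHz, a subset of 5 GHz channels at 20 MHz, and a few HT40 pairs.
CHANNELS_24 = [str(c) for c in range(1, 15)]
CHANNELS_5 = [str(c) for c in (36, 40, 44, 48, 149, 153, 157, 161)]
CHANNELS_5_HT40 = ["36HT40+", "44HT40-", "149HT40+", "157HT40-"]
ALL_CHANNELS = CHANNELS_24 + CHANNELS_5 + CHANNELS_5_HT40


def split_channels(channels, n_sources):
    """Deal the channel list round-robin across n_sources radios.

    Each channel lands on exactly one radio, so two radios never waste a
    dwell slot on the same channel, and each radio's loop is about
    len(channels) / n_sources hops long.
    """
    if n_sources < 1:
        raise ValueError("need at least one radio")
    return [channels[i::n_sources] for i in range(n_sources)]


def revisit_interval(channels, n_sources, dwell_s):
    """Worst-case seconds between two visits to the same channel.

    A radio walks its whole share before coming back, so the gap is
    (longest share) * dwell; adding radios shortens the gap.
    """
    shares = split_channels(channels, n_sources)
    return max(len(share) for share in shares) * dwell_s


def hop_schedule(channels, n_sources, ticks):
    """Channel each radio sits on in dwell slots 0..ticks-1.

    Returns one row per tick; each row lists the channel per radio.
    Radios with an empty share (more radios than channels) are idle and
    are left out of the row.
    """
    shares = [s for s in split_channels(channels, n_sources) if s]
    return [[share[t % len(share)] for share in shares] for t in range(ticks)]


def schedule_is_conflict_free(schedule):
    """True when no two radios share a channel in the same dwell slot."""
    return all(len(set(row)) == len(row) for row in schedule)


def presence_per_channel(schedule):
    """Number of dwell slots in which each channel was being captured."""
    counts = {}
    for row in schedule:
        for ch in row:
            counts[ch] = counts.get(ch, 0) + 1
    return counts


if __name__ == "__main__":
    dwell = 0.2  # constructed dwell time per channel, in seconds
    for radios in (1, 2, 4, 9):
        gap = revisit_interval(ALL_CHANNELS, radios, dwell)
        print(f"{radios} radio(s): worst-case revisit gap {gap:.1f} s")
```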