I wanted to introduce this next speaker because quite frankly I rejected his talk outright. He submitted "I'm gonna teach you how to foxhunt." That was it. That was like the whole submission. Like one, almost a sentence. And the whole team said, well, maybe you should let him talk. I'm like, I'll email him something mean and see what he comes back with. He came back with a fully fleshed out presentation, including slides, that was actually half decent. And I said, well, he's more prepared for anything than I have ever been, so I guess I'll let him talk. Todd, everybody.

Thank you very much. Appreciate it, Zero. So Zero's not lying. I think I may have broken a record for CFP submission accepted with the least amount of words. I think I had eight words in there. All right. So how's it going, everyone? Hopefully you're doing well. It's story time. My name is Todd Parity. This is Minnie. And we're gonna tell you kind of the experience we had last year hunting for rogue access points, or competing in the wireless CTF challenge known as hide and seek. Just like Zero said, neither Minnie nor myself are on drugs right now. We're just on very little sleep because we're also competing this year. Joining us last year were Ronan and Lazy Sprocket. They're over there competing right now. Everybody wave at them and say hello. No love. Come on. Give them some love. All right. Those are good guys. You wanna check that mic real quick? We're gonna do a mic check and then we'll get started. Check. All right. Awesome.

Okay. Hunting rogue APs. AP stands for access point, and what we say or go off on tangents on in here does not reflect the views of our employers. This is about last year, not this year. This is important because this year the rules for hunting the rogue access points, or competing in the wireless CTF, have changed. Arguably it's gotten harder. We've faced our own challenges this year so far. And obviously all this happened here in the wireless village.
It's important to note that what we explain to you here took us a lot of time. We're gonna try to condense a six hour experience into 30 minutes. But know that that is only one category of competition here in the wireless CTF. So it's important that if you're gonna compete here in the wireless CTF that you come with a team, so that other people can focus on other things. With that, also a disclaimer: what we're gonna go through here is both a how-to and a how-not-to. So if you don't pick up on the cues of how not to and you go do it, we do not take responsibility for that. All right.

Okay. So let's talk about the challenge. The challenge is, it's called hide and seek. And if you were here for the intro brief, Zero explained it very well. What it is is it's a stationary wireless access point on 2.4 gigahertz or 5 gigahertz. But stationary is very important; it means it doesn't move. So you have to find it. But in order to find it, the only information that they give you is the MAC address of that access point. That's what you start with. So that's what we're starting with. We are going to walk through kind of how we thought about this process of solving the problem, some of the assumptions that we made, how we ended up solving it and some of the challenges that we faced. So for those of you who don't know, just the MAC address for the wireless access point is six bytes of data. It's a unique identifier and that's what we need to use to find it.

Part of the challenge is the search space that was given. If you were here for the intro earlier, that search space has gotten bigger this year. But for last year it was just here at Caesars Palace, and here's a little bit of data about Caesars Palace. There's about 4,000 rooms. It spans a physical space of about 60 acres, and it's probably a conservative estimate that there were about 30,000 people here at one time. So what does that mean? That's a lot of reinforced concrete. That's a lot of human bodies. A lot of interference for wireless signals.
And within that whole space we're looking for one wireless access point. So you could call it a needle in a haystack and you wouldn't be wrong. So with this there were some unknowns as we got started. When competing in this challenge it would be nice to have a little more information than just the MAC address, but there was some very critical information that we didn't know that forced us into guessing about a few things. So one of the unknowns was power. How much power is this access point broadcasting with? For reference, your standard wireless dongle that you plug into your laptop will use about half a watt. Which doesn't get you very far. It would be nice if the hidden access point had more power. That way we could find it from further away. But we didn't know what the power was. We also didn't know the frequency, or the channel within that frequency, that we were looking for. Since other teams were competing, we didn't know how much time we had to actually find it. It wasn't a timed competition. The hidden access point stayed hidden until it was found. If nobody found it during DEF CON it would just go away, or no points would be awarded. And then obviously we would like a little more specific location than just Caesars Palace. That makes things very difficult.

We also made some assumptions with all this: that the access point was plugged into a power outlet, which kind of tells us maybe it's up against a wall, close to a door. And we weren't sure about the wireless village team, but if I were doing this I wouldn't want my access point just to walk off. So we'd want some sort of physical security in place so that wouldn't happen. So we assumed that, either by a human or by location, the access point was being physically guarded. And then obviously we assumed other teams were looking, which made it a race against the clock and a race against the other teams. We couldn't just lollygag and take our time.
So in order to do this we had to come in with a few tools. This slide talks about the tools that actually helped us solve the problem. Here's the how-not-to. When we started this we started as a team. Minnie went off in one direction. I went off in another. Ronan and Lazy Sprocket did the same. My tools were a Pwn Pad, which is a Nexus 7 with Pwn OS installed on it. Which I thought was nifty because it was a little touch screen tablet and I'd plug in a wireless adapter and I'd be on my way. Lightweight. No need for an extra battery pack. Turns out that was the wrong choice and you'll see why a little bit later.

But what did help us out was a Raspberry Pi. And we didn't build out the Raspberry Pi with like Kali Linux or even Pentoo. Probably get struck by lightning for saying that. But it was just plain Raspbian on the Raspberry Pi, and then we loaded the Aircrack-ng suite, which brought us airodump-ng. That's all you need in terms of software. It's super lightweight. Hardware: we used a TP-Link 722N, which is a 2.4 GHz wireless adapter. And then we had two antennas. This is important. You'll see this pop up here in a second. But we had one that was omnidirectional. For those of you taking notes, omni: all around. Its radiation pattern is like a donut. And then we have a directional antenna that was more high gain, 15 dBi of gain. That looks more like a laser. It looks more like a soda straw in terms of radiation pattern. And it reaches super far. I think I've seen five kilometers at any given time that a directional antenna can reach. The one specifically we used is a Yagi. So you saw that in the previous presentation, or you may have seen a few roaming around here. And yeah. So those were our tools.

And then we had one rule. This same rule applies this year. And I harp on this because at the end of this presentation, this is something you can actually go do, with just a little bit of software and maybe borrow a Raspberry Pi if you don't have one.
But the one rule is: do not go on the casino floor with RF equipment. The casino is very sensitive to that. And they will pick you up and ask you questions. And they're not nice about it.

Okay. So before we start the actual storytelling, it's important that you see the slide, or kind of read it, because I'm going to point out a few things. Apologies if the text is too small. But in red, what you see is the output of airodump-ng when you are sniffing for a specific access point. You'll only see those two lines. So the top is just kind of column headers. And then on the bottom, sorry, the bottom is actually the command that you run to start airodump-ng. And we're specifying the access point with the MAC address that was given to us at the beginning. If you're not near it, you're not going to see a second line of text at the top because airodump-ng has not found the access point yet. And we begin. It also gives you an elapsed time. Pay attention to that. I told you this was a long, arduous process. We're trying to condense six hours of experience into a 20 minute talk here.

So as we began, our team split up. With my Pwn Pad, I grabbed a Yagi antenna and I thought, you know what? This is super high power. All the stories I've ever heard about DEF CON, you hear about somebody walking around with the Yagi antenna and everybody gets super scared. What's he doing? What's he trying to hack? So I thought, you know, what better way to actually find something than look like the hacker of stories told? So I grabbed a Yagi. Thanks to Lazy Sprocket. He had one on him. And the good thing about the Yagi is from a single location, I can see a far distance, right? So that means me, physically, I don't have to move around a lot. Less walking. But the bad thing is that in order to get good signals, you have to have line of sight to the access point that you're looking for. So I thought the best place to do that was in the middle of Caesars in their little courtyard area.
And that's where the pool is as well. So I walk out there with the Yagi and I start scanning all the windows, thinking I'll get into the windows and find the access point. The problem with that though is I am human, so there's lots of errors. And with the Yagi, you kind of need to dwell in a specific area for a long period of time. And I wasn't able to do that. I was a little impatient and it was hot outside. It's Vegas. So I kind of rushed through that. But I thought I might find it super easy with less effort and did that for about an hour and a half. Then we kind of regrouped and talked about as a team how we might tackle this better, because we had already wasted an hour and a half. The other teams were probably, you know, getting close.

So Minnie and I discussed maybe like, okay, what's a better way to do this? Well, the directional antenna is good for one thing, but maybe we need to stop being lazy and actually get on our feet and walk around. So we decided to go with the omnidirectional antenna. And all that is is just the standard one that comes with the wireless adapters that you buy. Using the same airodump-ng command. And for the next two hours, we walked around the Caesars property. That was all around the lobbies and the hallways. And still, if you notice, there's no second line of text. So we're into this about three hours now and nothing's happened. So a lot of stuff starts running through our minds. There might have been some injuries from all the walking. And we have to figure out, how do we actually solve this? And do we actually? Lots and lots of stairs. Yes.

So speaking of stairs. Right. So we figured since this thing was powered in a stationary manner, it was probably in a hotel room. We were convinced, after we had scanned the conference floor a couple times, it must have been in the tower. So that kind of led us to this assumption that we just need to walk the halls. With the omni, we also had the assumption, since we were in channel hopping mode,
that's just where you're looping through the channels and constantly setting them in firmware through airodump-ng, that we would have to, if you can picture your hotel room if you're staying in Caesars, you have four hotel rooms in a cluster. So we had to kind of sit there for a second. Okay, there's nothing. Go to the next cluster and do that on every single floor. We went floor to floor, door to door. Because if you think about all that steel reinforced concrete, the signal propagation is probably going to be somewhat horizontally siloed through the door. That's just our assumption anyways, that the signal probably wasn't going to make it through the walls very well. So we ended up just lining ourselves up at the door and hopefully catching a beacon.

So five hours later the solution is coming. We didn't just dive into this without a little bit of math. We did understand that there were about 120 floors that we were going to have to walk. So we did split our team into two and did a rough version of a parallel search so that we could reduce our time. But still, after three or four hours, we had no luck. We didn't get any results. airodump-ng was still showing that our adapter had not seen that MAC address. And just imagine the level of doubt you have after five hours, like was the omni a good choice? Was the Yagi a bad choice? Was anything powered on? I mean, that's a valid question. After three hours of walking, you kind of get into this rhythm and the carpets have these patterns that like lull you into a sleep, and you have to ask yourself these very basic questions. And one of the questions that we forgot to ask ourselves at the beginning is, is our equipment working? Well, I guess we did ask that, but we didn't really test it. Is our equipment really working? And also crashing parties throughout Caesars Palace and getting free Red Bull and beer was definitely not out to gray log. All right.
So we made one mistake. Well, we made several mistakes, but this was definitely our biggest mistake. If you notice here in the output, and how many of you noticed this at the beginning? Awesome. It wasn't a typo. This was actually a copy and paste, unfortunately. So using my Pwn Pad, for whatever reason, at that point I thought to myself, for whatever reason, I'm not switching to all the 2.4 gigahertz channels, of which there are 14. I was only switching to 1 through 11. To this day I can't figure out where in Pwn OS that is hard coded or whatever. But doing a little bit of research and talking to the gents up here, what we did find out is that for about the last few years, channels 12, 13 and 14 are restricted by the FCC because of a company called Globalstar. Globalstar is a satellite communications company that obviously does satellite communications, but they reserve channels 12, 13 and 14. The limitation is you just can't broadcast wireless 2.4 gigahertz Wi-Fi in high power on those channels for fear of interfering with satellites, and you know all the satellites that come crashing out of the sky all the time. So we think because of that the Pwn Pad was not switching into channels 12 and 13 and 14, and this is where we had our come to Jesus moment.

We had just spent three and a half, four hours walking Caesars Palace, going onto every single floor, going door to door, drinking lots of beer, yes, eating pizza in the hallways perhaps, and what did we do at this point? We know how to fix it, because we did find some hardware that worked, the Raspberry Pi; it actually switched to channels 12 and 13. But now that we wasted all that time, do we go back and retrace our steps and see if we missed the access point, or do we continue on with our parallel search of the towers and hope that we hadn't passed it before and have to retrace our steps?
We're also getting thoughts like, well, maybe it's outside, maybe there's an outlet outside somewhere, maybe it's in a bush, maybe it's in China, maybe it's in the parking; I thought it was in the parking garage in some guy's car. Yeah, all sorts of things. About this time it's about midnight, which to us felt like about 4 a.m., but it was only midnight, and we sat down to have dinner with the rest of our team and we all kind of decided, no, we're not going to continue on, you know, we tried for four hours, let's just not do this, and then we moved on with other things. Luckily, Minnie and I drank some Red Bulls at dinner though and we were like, all right, we've got a few more hours in us, we can do this.

So we packed up the Raspberry Pi. It's got a touch screen on it and then a wireless dongle, and we do the same thing and run airodump-ng, and this is the same output except this time, oh, wrong way, this time we're on channels 1 through 13; you can see it in the top left. I guess it kind of killed the punchline here, but after two hours we had that come to Jesus talk again and said, look, we've been doing this for another two hours, we haven't found anything, we made it through one and a half more towers at that point, going floor to floor, door to door, and we were exhausted. I don't think either one of us had walking shoes on. Bear in mind that every hallway looks exactly the same. Yes, it does. You have to look at numbers to know where you are, but even that gets confusing. Okay, come to the Spice Market Buffet for dinner with us, dang it.

So literally at the moment that we decided to give up, we looked down at the Raspberry Pi and boom, the second and third lines of text show up. It's 2 a.m., we should have probably gone to sleep about an hour ago. We should have stopped walking about four hours ago, and we had to kind of pinch ourselves and figure out if we were hallucinating, because we had just made this decision to stop, yet we found it.
So at this point, a lot of stuff goes through our heads like, okay, we found it, we're done, let's go. And one thing we forgot to mention was that last year's rules were whoever gets a picture closest to the access point wins the points. And one of the assumptions at the beginning, or the unknowns, was: are there other teams looking for this? So what we didn't want to do was give up now and then have another team get a closer picture. Like actually see the access point; all we saw was the signal. We wanted to see the box plugged into the wall. At this point, we thought we were only going to be on the floor for about another 10 minutes. We basically figured we had it in the bag, right? Yeah. We wanted to go to sleep in a hurry. But for whatever reason, we had some clarity and we decided to verify what we found.

A couple of other things you'll notice, and if you go try this, these are two pieces of information that will help you solve this puzzle. One is your, well, I guess three pieces. One is your search strategy, which we're showing you how poor ours was. But two is the power of the signal that you find. So if you notice in the top left, you get a power reading for the signal that your adapter picked up, and it says negative 98. Well, the lower, the smaller the power, right? So the weaker the signal. So that means we're far away from the access point, or it's just a weak signal. We don't know; we only have one data point. So we need to get some more data. But the other really good piece of information is the receive quality, RxQ. Receive quality tells you how good your connection is with that access point. So two, and it's out of 10, 100, sorry, sleep. It's two out of 100, so that's really low. So that still means that it's not enough information to tell us that the access point is on this floor itself. And then of course, because the gods hate us, it's on channel 13.
So chances are we scanned past this with the Yagi, or we walked past a bouncing signal at one point and our tools just weren't set up correctly. But either way, it's 2 a.m., we found it, so we go up a floor. Not a slide, but a floor. We go up a floor. We went down a floor, too. And we knew we had been there already, remember? Is that what we did first? Yeah, we were trying to catch the signal below it, too. Just to verify. It wasn't there. So we go up two more floors to the 43rd floor and we catch the signal again. This time you'll notice power is at negative 80, which is greater than negative 99. And our receive quality is 86, which is greater than 2. So we're getting closer. But that's still only two data points. And what we could do is go up another floor, and one of two things would happen. We'd either get a lower power reading, which means that the access point is on the 43rd floor, or we get a higher one, which means it's either on the 44th or higher. And we find that on the 44th floor, it's actually lower, at negative 99, and receive quality is four. So by process of elimination, that takes us to the 43rd floor.

And here's where I think that we spent the next 40 minutes, because we wanted to be absolutely sure. And what Minnie was talking about earlier, we took one of our assumptions and actually verified it by going to where we found the signal the strongest, going to each door at 2 a.m. in Las Vegas and touching the door with the antenna. And we found the power was a lot higher at a specific door. Also very hard to explain to room service why you're putting Raspberry Pis on people's doors at 2 in the morning. Don't worry about it. What happens in Vegas.

So the other technique that we used is body shielding. So we still had the Yagi with us, but we were using an omnidirectional antenna. And with the omnidirectional antenna, like I said, its radiation pattern is like a doughnut.
So if you pick up a signal, you have no idea which direction it's coming from. But you can take that omnidirectional antenna and use your body, all the flesh and water that's in here. And you put that omni antenna right on your chest, like this. And it will block all the signals, not all of them, but a majority of them behind you, so that when you get the power reading and the receive quality, it's a pretty good indication that that signal is coming from in front of you. And so we just kind of turned around like this and tried to figure out which direction we were getting the highest power from. And sure enough, that led us to room 4365 in Julius Tower at 2 a.m. And we tweeted this picture to the wireless CTF. And you'll see, I think we had a power of negative 66, but this time receive quality was 100 on channel 13.

Quick, quick note: even though we had resorted to the omni at this point, we still took up the Yagi directional. We were just pointing it down at the doors like this to try and see if we could calibrate the, or triangulate, whatever you want to call it, find the signal in a more reasonable manner, because the omni can kind of drive you insane if you're just watching the RxQ. It was a bit of a field test for us too, and what we learned is that the Yagi doesn't really give you much more data. So, if we were to do this again, which may or may not be true, we would go and start with an omnidirectional rather than the Yagi and just leave that out completely. Well, I mean, with the Yagi, you could also, if you had a really good line of sight from a long range, such as from another hotel, potentially pick up signals very well. Yeah, and that's what the Yagis are built for, long distance transmissions. The last thing I want to mention here is that even though this was 2 a.m.
that we found the signal and took this picture, we waited outside of this door for probably another 40 minutes, sitting on the floor dozing off, hoping that whoever was in that room would come out or go in so that we could take a picture of the access point, because this is as close as we could get. We couldn't get any further without cloning some RFID badges, which we weren't going to do.

So, lessons learned. What did we learn last year? One, you have to limit your assumptions, or at least eliminate them. There were a few that we made that were very risky. One of them, if you're keeping notes, was we used the TP-Link 722N, which is only a 2.4 gigahertz adapter. We did not start equipped with a 5 gigahertz adapter, and we could have wasted all of our time if it was a 5 gig access point. Number two, test your tools before you get here. And then number three, definitely wear comfortable shoes. I think we had blisters and lots of crazy stuff. We brute forced this entire thing and it took us six hours. There are much smarter ways to go about doing this. For example, everywhere you go, you could just collect BSSIDs and make sure you know where you went before. When the map gets dropped on Twitter, you search through your stash of BSSIDs and try to match up with where you were and go back to that spot. For the hidden access point, for the hide and seek, that works very well because it's supposed to be stationary. So you can just go back to where you were, find it and you're good to go. Much smarter, not harder.

Improve the search pattern. If you notice, we found the hidden access point on the 42nd floor. That was the first signal. We also picked it up on the 43rd, which is where it was, and then we went up to the 44th, and we could pick it up across three levels. So instead of walking floor to floor and door to door, we could have walked every second floor or every third floor, door to door. There was like a vertical siloing, if you remember though. In the middle, yes.
Like under 4365 and above 4365, we could pick it up. But like five meters down, if you were on the floor below it, not so much. Correct. The signal was only strong in the middle of the hallway. So we could have improved our search pattern. Another thing we could have done there is use the Yagi more intelligently. Maybe with a three-axis motor to point and scan. And then the last thing we thought about throughout this whole time is, at 2 a.m. we thought, what if this is a decoy? What if somebody's screwing with us? What do we do? So we can neither confirm nor deny that the future work for this year includes or does not include decoys. Because that would have been very disappointing if after all that time we only found a decoy. Because they didn't DM us back until the morning. So like we spent the whole night just tossing and turning like, was it worth it? I still ask myself that question. Okay, any questions? We're done. I don't know. No questions? Alright, thanks guys.
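The floor-by-floor elimination and the channel-list mistake described in the talk, as an added example that is not the speakers' code or anything from the Wireless Village: it parses airodump-ng-style screen captures, keeps only the target BSSID, confirms a floor only when both neighbouring floors were sampled and read weaker, and flags 2.4 GHz channels a hop list never visits. The BSSID and the capture text are constructed; the PWR/RxQ values are the ones quoted in the talk for floors 42, 43 and 44.

```python
"""Localize a known-BSSID access point from airodump-ng style captures."""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set


class ApRow(NamedTuple):
    bssid: str
    pwr: int   # dBm reported by the adapter; closer to 0 is stronger
    rxq: int   # receive quality, 0-100
    ch: int


# Matches one AP row of the airodump-ng screen, e.g.
# 00:11:22:33:44:55  -80  86      120        0    0  13  54e  WPA2 CCMP   PSK  hidden
AP_ROW = re.compile(
    r"^\s*(?P<bssid>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+(?P<pwr>-?\d+)\s+(?P<rxq>\d+)"
    r"\s+\d+\s+\d+\s+\d+\s+(?P<ch>\d+)\s+",
    re.IGNORECASE,
)

# Constructed placeholder, not the MAC handed out at the CTF.
TARGET_BSSID = "00:11:22:33:44:55"

# Constructed captures keyed by floor. Floor 41 never shows the target row,
# the "no second line of text" situation from the talk.
HEADER = (" CH 13 ][ Elapsed: 5 mins ][ 2017-07-29 02:03\n"
          " BSSID              PWR RxQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID\n")
OTHER = " AA:BB:CC:DD:EE:01  -55  90      400       12    0   6  54e  WPA2 CCMP   PSK  GuestNet\n"
SAMPLE_CAPTURES: Dict[int, str] = {
    41: HEADER + OTHER,
    42: HEADER + OTHER + " 00:11:22:33:44:55  -98   2        3        0    0  13  54e  WPA2 CCMP   PSK  hidden\n",
    43: HEADER + OTHER + " 00:11:22:33:44:55  -80  86      120        0    0  13  54e  WPA2 CCMP   PSK  hidden\n",
    44: HEADER + OTHER + " 00:11:22:33:44:55  -99   4        2        0    0  13  54e  WPA2 CCMP   PSK  hidden\n",
}


def parse_ap_rows(capture: str) -> List[ApRow]:
    """Return every AP row in one screen; the CH/Elapsed and header lines are skipped."""
    rows = []
    for line in capture.splitlines():
        m = AP_ROW.match(line)
        if m:
            rows.append(ApRow(m["bssid"].upper(), int(m["pwr"]), int(m["rxq"]), int(m["ch"])))
    return rows


def sightings(captures: Dict[int, str], bssid: str) -> Dict[int, Optional[ApRow]]:
    """Map each sampled floor to the target's row, or None where it never appeared."""
    want = bssid.upper()
    return {floor: next((r for r in parse_ap_rows(text) if r.bssid == want), None)
            for floor, text in captures.items()}


def strongest_floor(seen: Dict[int, Optional[ApRow]]) -> Optional[int]:
    """Floor with the highest PWR, RxQ breaking ties; None if the target was never seen."""
    hits = {f: r for f, r in seen.items() if r is not None}
    return max(hits, key=lambda f: (hits[f].pwr, hits[f].rxq)) if hits else None


def floor_confirmed(seen: Dict[int, Optional[ApRow]], floor: int) -> bool:
    """The talk's elimination rule: a floor is confirmed only when both neighbours
    were sampled and each read weaker (or did not see the target at all)."""
    here = seen.get(floor)
    if here is None:
        return False
    for neighbour in (floor - 1, floor + 1):
        if neighbour not in seen:           # unsampled neighbour: go walk it first
            return False
        other = seen[neighbour]
        if other is not None and other.pwr >= here.pwr:
            return False
    return True


def unhopped_channels(hop_list: Iterable[int]) -> Set[int]:
    """2.4 GHz channels (1-14) a channel-hop list never visits; {12, 13, 14} for 1-11."""
    return set(range(1, 15)) - set(hop_list)


if __name__ == "__main__":
    seen = sightings(SAMPLE_CAPTURES, TARGET_BSSID)
    best = strongest_floor(seen)
    print(f"strongest on floor {best}, confirmed={floor_confirmed(seen, best)}")
    print("channels never hopped with 1-11:", sorted(unhopped_channels(range(1, 12))))
```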