I'm going to talk about a framework that I've been developing over the past couple of years, at least when I have the free time to develop it. I've been the sole developer on this project since it started, and it's kind of my contribution to the open source community. I'm very passionate about open source development and believe that it is the right of everybody to be able to have this knowledge and share that knowledge, because knowledge is the freedom of man, and we want to get that out there. And if I can get something out there that inspires someone else, younger or someone new coming into this field, that they can go from, or they can take it in a new direction just by sparking a new idea, that's my goal. And that's why I love to produce some offsec software in the open source community, and it's what gives me my passion for continuing our involvement in InfoSec. You can find me in all of these channels listed. I run hack all the things on Freenode. It's a very basic IRC channel for pen testers. There's a lot of really good guys there, and there's a lot of new people there. And our involvement is, we didn't want to, or really didn't want to have an IRC channel that was based solely on a project, because all the ones we see are project-based: SET, Metasploit, BeEF, whatever. They have an IRC channel for hacking and it's based on that project. While we will support N4P and Pentoo as things are developed from Pentoo, and I like to work within that community and help develop for Pentoo, we just wanted to leave it open to help out, but you can always get any information you need. Don't feel like, oh, I don't know enough to be there. You do; we want everyone new to just enjoy the experience of this community and be able to get with the right people in the community right away. The GitHub is where you can follow my live builds until they get pushed down, until I release a new copy, a stable or unstable, and it gets pushed into the Pentoo repo.
So you can watch live builds, and anything that's going on and being talked about is in my blog at WordPress. A lot of us are talking about what we're doing with N4P and where it's going, but now that N4P, the SDLC I feel in this project, is really starting to come together at a sound position, we're gonna actually start doing a lot more training and tutorials on that blog so you can catch some great attacks and new attack vectors that you can utilize, not just with N4P, but in pen testing. So my vision through my development cycle has been, how do I fill a void, or things that I miss? They're almost solely based on, while I'm on engagement, pen testing, what do I see is wrong? What's taken me too long? How can we create a scenario where we can perform our job more efficiently and effectively and produce a better product for our clients or whoever we work for at that time? The second portion is, I like to be a functional developer; by that I mean I make that software functional, but how do I fill a void? If I see a void in the industry, we want to fill that void, and I did not see anything within InfoSec right now that covered the layers and the attack vectors that we were going to do inside a framework structure. That's why N4P started to be created, or evolved to what it was. So as far as that handles, and thinking about it, like, there was nothing in the wireless space and there was nothing in the low level space. Like, we have Metasploit, and that really covers everything on the OSI level from like five to seven. That doesn't get us down to our infrastructure level. Then we have SET covering our social engineering, and we have grown to really rely, independently, on these tools because they hold everything together into a nice packaged framework for us to search, build from, and it allows the community to contribute with new ideas and modules based on their research and proof of concepts. So that was actually a goal design that I had in this project.
It's gone a lot further into becoming a full-blown framework, and because of that the community can get involved now and create modules of their own design and use them through this framework. That's why my mouse wasn't working. So the original proof of concept was far beyond wireless. When I decided to come up with a proof of concept for this project, it was based on sales exchange vulnerabilities, POCs for sales exchange vulnerabilities. I wanted to see what I could do with a lot of point of sale services and circumvent the security that's in place by PCI, because I don't really feel like that's an effective model. It's pretty broken, and they're trying to secure things at each endpoint. So it was designed to make man in the middle attacks by utilizing the infrastructure hardware on our systems, creating, bringing up a switch and then just stealing lines at a POS terminal. And then we can control in the firewall settings what packets were allowed in and out. That way we can be completely incognito on the system, gather packets, forward by never changing any MAC addresses, and then adjust ours on a different interface. N4P will clone their MAC addresses, and then we can do packet injection through Scapy after we've modified what's in. The scenario for that might be, if you went to a point of sale terminal and sniffed what was going on and you put enough packets together to figure out how tickets were printed, the table numbers, the food, and to what printer, you could just, you know, you could just push that. You can, sometimes you can flood the printer with Ncat, Ncat flood that, or you can use Scapy and change that packet and send it over. And basically what would happen is a receipt would print in the kitchen with a table number and then go on the service line, and someone would deliver to your table and there would be no track record to pay for. So you've exfiltrated free food.
If you're ever hungry, you can do this, or go further than that and think about, well, can we assign any information back to the database? Back in a lot of places you use, like QuickBooks, is that information secure coming across the wire? If it's not, it's gonna be using SSL more than likely; we can run SSLstrip right from where we're at because that attack vector is built in. The firewall controls for controlling the port forwarding are also built in. So now we can maybe even think about injecting us a paycheck through their QuickBooks so it goes through payroll properly. It would take a lot of investigation to get down to it. So these are some more exploit vectors and attack structures that aren't thought about within the PCI model, and it shows why the information's broken and the ways that we can have fun exploiting it that we couldn't exploit based on, say, application processes in Metasploit, because we wouldn't have that. So I started this project, and this is pretty much my theory of how it went: I start writing this code, I automate the process, exfiltrate all kinds of great stuff, and have a lot of extra free time at work to go snowboarding because it's all automated now. The bottom is what really actually happened during this project: a lot of bugs, and then it became an ongoing development. I've yet to go snowboarding or find any free time. But it's okay, because when I started this I saw that the potential would more likely make me feel like I could add some more leetness to my name and my handle, and I could kind of look like Boris and think I was completely invincible and everything. I promise you guys there's no cat pictures in this slide. Don't worry. The reality of what started happening after that was, oh crap, cat picture. Rick, did you put cat pictures in my slide? Hackers. So I don't have 99 little bugs in my code, and I got rid of some. Then I had 127. So the past two days I've been at the con completely just writing code.
And I think it really got to a great place now. We can have some real fun with it. The reason the bugs happened was, most likely, I was watching Swordfish, and you can understand why the bugs got interjected in the exfiltration process. Now let's try to understand why this framework is so much different. What we're gonna be looking at is, on our OSI model, how N4P controls our system state. We're gonna be operating mainly between layers one through five, but more often two through five. So we're not really concerned about the application or the presentation layers, layer seven and six, which is where most of the frameworks rely on for exploitation, for web exploitations and general exploitations through Metasploit. That's its main concern. So we're creating a framework that is designed on an entirely different OSI level that we're not seeing yet in the industry. So if we can get this to keep going and taking off, it opens up a whole new level of attack vectors and thought processes that companies can use internally, for internal penetration teams or for a lot of vulnerability research processes. This is great because, while we're controlling network level adapters, the software can also dictate how the firewall configurations are based between the structures and attacks that we need for different OSI based attacks, or OSI levels that we're gonna participate in that attack. It also allows you to control, like, SSLstrip and Ettercap, and you can adjust the options based on the configurations for whatever type of work and reconnaissance you're doing, and then if it's gonna be very incognito or not. But because of what we had laid out, because this is the main concept as I was creating the POC, I really found that this was very vulnerability research and niche; it was difficult, and it's very hard to constantly manage your states, bridging the adapters, which N4P does; it will bridge everything for you.
It can call a VPN that you have predefined and pull things to the VPN and route it through the firewalls all automatically as well. So the process of us remembering all the commands of everything all the time, and then typing it up, bringing it down, changing the interface, bringing it back up, setting the IPs and the routes, is very daunting. So we wanted to cover that for us and get that done. Now I looked at it: what can we do from here? What is also really awesome that we can deliver and is fun? And I can get people interested in using these products. And the answer was wireless. Wireless is based initially on these layers, one through five, and controlling the access points, spoofing them and the MAC addresses, and how we're gonna capture packets and crack them. So I was like, okay, let's start and implement it. And we slowly started implementing; it first started with WPA2. Well, we got some extras. And why don't we take a look at what type of attack vectors you could expect that are built into this framework already from the start. Based on the lower level of the OSI models that we're gonna do, we have packet capturing and injection; we can circumvent SSL. Now that we are man in the middle in most of these situations, we can control our DNS servers locally. We can spoof DNS, we can redirect people. And through that, that means, hey, I can spin up a coffee shop AP and I can run my own DNS server and forge Facebook, or make it so when they go to Facebook, they come to my 127 because I'm running an Apache local service. I can even get a self-signed cert, like a third party CA cert, so that you don't get as many error messages, or people think that it's more secure. There's a whole lot there in that realm that we can control and have fun. We can set up applications for BeEF hooks and go after more application exploit levels.
And then, because we also have that wireless ability and we're bringing up that wireless point, you can't bridge a wireless adapter, but if you put it in monitor mode, we can bridge the at0 interface with, like, our eth0 interface or WLAN interface, that we can bridge WLAN, sorry, our eth0 interface that we have internet from, and we can redirect it either through bridging and then run a VPN to that if we want, or through packet forwarding. And N4P knows how to set all those things up automatically based on the configuration structures that you set. Now, if we're not gonna run that way, we can go a little bit further in our wireless attacks. We can crack WPS built in, we can crack WEP, WPA2, EAP Enterprise, or the WPE, which is the TKIP Enterprise. Those are used in hostapd. We can crack WPA2 through airbase, and we can also choose to bring up that basic access point through using hostapd if we rather prefer that, or airbase if we prefer that. We have all the attacks at our disposal between those that we can possibly do with hostapd and airbase. A lot of those attacks are already built into modules that I've given you, but I like to encourage anyone, if they have a different way of doing it, if they have another module structure that they find usable: there is an example module packed in the software that you can use, look at it and say, hey, I need to add a few variables, this is the code structure I need, and copy it into the modules folder of N4P. And now you have produced a new module for whatever engagement you found it useful. Then you can contribute that to the community, and everyone else can start using that as well, which I think is what's really gonna set things off and make it fun. The great thing about the structure of how the modules work is they are not language dependent. N4P is written solely in bash at the current moment, but you could write your module in C, Python, Perl, bash, whichever you choose.
As long as you follow the configuration structures and parse that information the same way that we are doing it, it'll work. So let's take a look at what we're gonna see when we open up N4P initially. There's two modes: there's a basic mode and there's an advanced mode. And the basic mode is, I have set up several options and abilities where you can just press one key and it goes ahead and completes the whole process without you having to do anything else. And then the main things there, like capturing, or sorry, doing recon scans of the network, finding the MAC addresses of the stations and the SSIDs of the network we're gonna attack. Then we can dump that in; we can use, like, airodump for that information, for capturing the handshakes, just by running option three in this case. And if we change our attack vectors, it could run wash and bully if we're trying to crack WPS. Those functions are right there, and I'll show you how you set that and how it differentiates between them. We can just go ahead and bring up a basic access point right here by hitting one button, because the configuration file already knows where we have our hostapd config or what we're gonna be setting up with airbase. And then we have the firewall control. When we go through the configuration structures, the firewall browses through your environment setups saying, what type of attacks am I doing? What type of interfaces am I using and what am I gonna be doing with them? And then it allows the rules to be used just for those. It initially drops everything and then allows just those rules. So while you're performing these attacks, you are also securing your box behind a fully stateful firewall. You don't have to always hack naked now. We can de-auth everyone right from here. We can start, like, SSLstrip if we want at any time. We can start Ettercap at any time, and we can ARP the network at any time. And all these functions are built as part of, or they utilize, the adapters that we have predefined.
And we'll move into that in just a little bit, but I just wanna give you an overview of what the interface is gonna look like when you initially start N4P and what to expect. N4P also uses a temporary file called temp N4P. So any type of information while we're doing wireless hacking, capturing, doing cap files or capturing the handshakes or catching IVs on WEP encryptions, it's gonna save them in this log file based on the client's MAC address that you are attacking, as we see, the MAC address dot cap. There's also recovered passwords and logs. If anything's going wrong, there's logging available. And there's also verbose logging available so that you can get more log information if you're debugging during the process that it will provide. All right, this is getting pretty complicated. As we can see, the project has evolved and it covers a lot of attack surfaces, and these attack surfaces, they really aren't simple. They do take a lot of experience and knowledge and fighting. So I tried to keep things real easy, but I didn't wanna make it script kiddie. I wanted you to still have to have an understanding of what you're doing. But because we've added so much functionality, the configuration structure has gotten pretty intense, and I don't have a way of fixing that yet. So it's gonna be hard to see from here, but this is our configuration file. And I'll try to give you an overview of what you're gonna expect in this configuration file. I really need a laser pointer. All the way at the very top box that we have separated, I try to separate things in boxes. This is to designate what type of operating system we're gonna be running on; OS is Pentoo. Right now we're designed to work on Pentoo because we utilize the OpenRC init system. Eventually, you know, there is some functionality that will work in Kali. So you need to change that option, as it will say options available to Kali. And then it will know how to handle the interface structures through the init system.
NetworkManager manages the network interfaces. You are a wonderful man. All right. Comfy mode. All right, if you're familiar with NetworkManager, it can manage your adapters and interfaces in an X environment. It's really good, and it's really cool in the sense that it can manage keys. If you have VPNs, it can handle the key structures for you. You don't have to type your 90 character password in there, if you're as paranoid as me, 90 characters. In the interface that we're launching for N4P, as we said, there's basic and advanced mode. You can switch these at any time just by typing basic and advanced in the software. But we initially start as basic out of the box. If you're not using NetworkManager, you can just set that to false. It's not needed, but sometimes I found that it picks up on wireless cards that I couldn't get to initiate. It just picks up the module. But there is also a lot of issues it's caused, and there's a ton of redundancy checks and loop checks in N4P that do everything they can to try to recover the system states when NetworkManager borks, about 95% foolproof. Then we have our wireless options. This is considering, if we're just gonna run an access point for ourselves, what type of options are we gonna use for it, and what are the base configurations for that? And we can use hostapd or airbase, and we're defaulting to using airbase. And our main interface right now, iface zero, is eth0. This is our interface that we have, like, our internet connected to. That way if we spin up an AP and we do the port forwarding for people to connect to and do the DHCP assigning, it will forward it through that interface. That's how the firewall tells us what interface to use. If you're using wlan1, you would change that to wlan1. All right, iface one is the next one. That's the interface we're using for our attacks. That is the main one we're concerned about when performing an attack.
Now, if we're gonna spoof anything, because we can control the ESSID or the SSID, whichever you're more familiar with, the name of the access point that's coming up right there, we named it pentoo1. If you just bring the access point up, that's fine. But if we're doing an evil twin attack, we want to make that the name of the SSID or the access point that we are trying to impersonate. This is the channel. The channel equals channel one through 11; add the channel that you want to be on. That's also important if we're impersonating. And then there's monitoring modes. Monitoring modes, because we can custom monitor or monitor who's connecting to us. So if we're just launching an access point to see who's coming on or what needs SSLstrip, if we have monitor mode enabled, there's an interface that'll pop up and track the IP addresses of everyone who connects to your access point. This IP range is held in a DHCP file that's provided, and when we call DHCP, it calls that particular config file and gets your DHCP lease range. If we want to cause bridging for our interfaces, if we're gonna do multiple ethernets, like we have a switch and some USB ethernets, we plug them all together like we talked about, if we're doing some POC stuff on point of sale exchange, we can say that if we're gonna bridge, true, the name of the bridge, and if we're gonna use a VPN in this process, all right? Likely that should be false in those scenarios. Before we do anything in type attack, we need to go through and familiarize yourself with what you're gonna type, what type of attack you're doing, and how to understand the configuration file. We're not bridging, so we'll make sure that's false on your setup. Now let's get into, like, some really fun processes of hacking and attacking wireless networks. And this is where the fun comes in here.
We can see our attack options are set for null, which will bring up an access point; handshake attacks for WPA2; if we wanna use KARMA; if the attack's gonna be using SSLstrip; if we're gonna do a WPS attack, WPA attack, or EAP attack. So under attack, we just say what we're gonna use. And this, when we launch the situations, the environment, or N4P, knows what configurations need to be set and what flags can be called within airbase or hostapd, as well as within the firewall, based on what you choose. Now if we're doing a handshake, which is one thing we will be doing in the panel, our attack for that, the handshake attack, is Z for WPA2; right here is Z. And then the encryption type for that is four, for CCMP. So our encryption down here is gonna equal four. So when we do our recon, it's gonna tell you on the access point we choose what encryption it's using. So we just need to adjust for the encryption we're using. And then we're gonna copy in that victim's BSSID from our recon as well as their station. That's gonna allow us to do our WPA handshake. If we're on an enterprise network and we're gonna hack WPE or EAP, we have our configuration files down here for hostapd. So we would just change our attack to WPE, and it would automatically use this location, which you need to adjust to whatever location you have your hostapd file for WPE attacks. Any questions so far? That's a lot of information. Yes. There's no way to make that slide bigger, is there? No, but when you follow along and you launch the application, you'll definitely see it and it will make sense. Yeah, it is. Like, I've noticed that. My theme is pretty dark. This is, I wrote this theme. It's based on the movie Tron. It's on my GitHub. So if you like it outside of the slide, you can download and use that theme as we're on the installer. We have packet options. This is what we talked about on our lower level, on the, like, OSI 2 model. And it's gonna be using Ettercap. The options that we use for Ettercap are right here.
The interface we're on and the TKZ we're choosing, and if we're gonna ARP this network; right now we're not ARPing the network. But if we were, we could add the IP address or the gateway of the target to get some ARP packets back. But if we had SSLstrip running and we want to launch Ettercap, it will do that and then automatically view off of that interface that we told it, and it will save it in the temp folder we talked about, recovered passwords. So that way you can retrieve some sniffed passwords. Getting more complicated. What do we do after? Could we really get more complicated? I know, yes. What can we do with these capture files, and how do we retrieve passwords out of them if it wasn't through SSLstrip? Maybe it was hashed, or maybe it's a captured packet and it's AES. Really, there are no exploit vectors for wireless access once you're using WPA2. It's not a cracked or flawed method of security, but it is vulnerable to guessing the password or brute force attacks. So I have two options built in. We can use Aircrack. Aircrack's what's originally set up, and it can just run off a dictionary, but there's no GPU support. It works really well for WEP: if we captured IVs and if our attack's WEP, it knows this on what Aircrack runs and sets it up just to crack some IVs and get a WEP key. But if we're using WPA, it's more complicated and it's just gonna use a word list. And that word list is based right here: wordlist equals share, dict, cracklib, words. This is a dictionary that is predefined in Pentoo, so you're gonna be ready to go, and our test lab is set with a key for that. But that's not cool enough. We're trying to add some more strange leet characters to my name. So I built in Hashcat. This was kind of hard. The syntaxing for this is daunting, and anything wrong completely messes up, and there's log files that go, hey, it just messed up. Thanks. Detailed logs. So Hashcat has several options, like oclHashcat 64, Hashcat 32, CL, depending on what type of hardware we have.
I have it pre-set up for oclHashcat 64 for using GPU cracking. Obviously no one in here is probably gonna have a GPU, unless you're a crazy gamer person on your laptop in here. So it doesn't make as much sense for us to use this feature right now. So we're just gonna be basing off Aircrack. But anyways, as we set the Hashcat system we're gonna use, we set the Hashcat location, because it's a tarball binary and I can't rely on you just having it on your system. So you're gonna know where you installed it, and you're gonna need to know where that link location is. So here it's in the home, your user directory, oclHashcat, and then you just call the binary. So just change the location to wherever you have dumped the binary install. Because we're focusing on WPA2 authentication here, our mode is gonna be -m 2500. We're gonna do this on three threads, and then we set the rule sets of what kind of rules we're gonna be using based off of this word list. So I'm gonna use rules rockyou-3000 and also use the rules best64. You can change it to whatever you want. The cool thing about the way it's designed is, you might not wanna use that, and maybe you're hacking, like, an AT&T 2Wire network, an older one, which you knew was 10 digit numerical only. You can just change the rule set based on what it tells you in here to use: hey, use this string here, wordlist, or wordlist equals -a 3, ?d?d, based on the wildcard values, increment of up to 10 and start at sector choice. So that option is still in here. I'm not restricting you from Hashcat. I'm just trying to keep the functionality you need and can utilize in a concise manner that could benefit you the best I can. Further down is just information about how you need to utilize this config file, because you can't just comment a line, but maybe I wanna have three different rule sets I use a lot.
I can just, as it says here, add a backslash or something right before the equal sign, so that I can have hashcat rules, backslash equals, a rule, again with a different rule, again with a different rule, and then just uncomment it with that backslash. That way I know what it's using the next time I run it, to make it the best I could. So all of these little blurbs should help walk you through the configuration file, and the bottom one just tells you how N4P is gonna handle custom modules for their variables. The module that is provided for you has a little feature, and if you read it, saying create my custom module equals here, it will check if those variables are in this configuration file already. If they aren't, it'll go ahead and put them in for you the first run and tell you, hey, you need to go back and adjust the configuration file before this module works. That's mostly it from the config; it'll make a little more sense as you guys boot and you can see it. If you don't have a laptop and you wanna see it, we'll do it over here as well on my system and help walk you through it. So now let's talk about the advanced features. It works a lot like Metasploit. So now that I want it in advanced, I can actually run shell commands directly from here. Any shell command I want, ip addr or whatever, it can start coming up, and you don't ever have to leave the interface. But I can run list modules. This tells me the list of modules that are pre-established or packaged right now with N4P, which is airbase, bridging utilities, cracking, if I wanna bully, if I need to assign my DHCP. This allows you to handle individual processes. The key features up top are just saying, I know what you need to have happen, so I'm just gonna call these modules as they're needed, because it goes with this module, then this module, then this module, and it makes the attack happen that you need.
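A minimal model of the two configuration conventions described above (the backslash-before-equals trick for parking alternative values such as extra Hashcat rule sets, and a module checking that every variable it relies on exists in the config file, appending empty placeholders and reporting them when it does not). This is an added bash example written for this page; it is not N4P's own code, and the function names, key names and file layout are assumptions:

```bash
#!/usr/bin/env bash
# Added example (not N4P's own code). Models two config-file conventions:
#   1. KEY=VALUE lines, where a backslash before '=' (KEY\=VALUE) parks an
#      alternative value that is ignored until the backslash is removed;
#   2. a module declaring the variables it needs; any missing from the
#      config are appended as empty placeholders and reported, so the user
#      knows to fill them in before the module will run.
# N4P_CONF, conf_get, conf_has, module_check_vars, conf_toggle_parked and
# the sample keys/values are all assumptions for this example.
set -u

# Constructed sample config, written to a temp file so the example runs offline.
N4P_CONF="$(mktemp)"
cat >"$N4P_CONF" <<'EOF'
# sample N4P-style config (constructed for this example)
OS=pentoo
NETWORKMANAGER=true
IFACE0=eth0
IFACE1=wlan1
ATTACK=null
HASHCATRULES=rules/best64.rule
HASHCATRULES\=rules/rockyou-30000.rule
EOF

# conf_get KEY -> prints the active value of KEY (last active definition wins).
# Parked lines have a key ending in a backslash, so they never match; comments
# and blank lines are skipped. Parsing line by line instead of sourcing the
# file means a config file can never execute commands on the box.
conf_get() {
    local key="$1" value="" line k v
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        k="${line%%=*}"
        v="${line#*=}"
        [ "$k" = "$key" ] && value="$v"
    done <"$N4P_CONF"
    printf '%s\n' "$value"
}

# conf_has KEY -> succeeds if KEY has an active (non-parked) definition.
conf_has() {
    grep -q "^$1=" "$N4P_CONF"
}

# module_check_vars VAR... -> for each variable a module declares it needs,
# append "VAR=" to the config if absent and print a notice. Returns 0 when
# everything was already present, 1 when placeholders had to be added.
module_check_vars() {
    local missing=0 var
    for var in "$@"; do
        if ! conf_has "$var"; then
            printf '%s=\n' "$var" >>"$N4P_CONF"
            echo "Added $var to $N4P_CONF; set it before running this module."
            missing=1
        fi
    done
    return "$missing"
}

# conf_toggle_parked KEY -> swaps the active and parked definitions of KEY
# (active lines become KEY\=..., parked lines become KEY=...), which is the
# "move the backslash" step done by hand in the talk.
conf_toggle_parked() {
    local key="$1" tmp line
    tmp="$(mktemp)"
    while IFS= read -r line; do
        case "$line" in
            "$key="*)   printf '%s\\=%s\n' "$key" "${line#*=}" ;;
            "$key\\="*) printf '%s=%s\n' "$key" "${line#*=}" ;;
            *)          printf '%s\n' "$line" ;;
        esac
    done <"$N4P_CONF" >"$tmp"
    mv "$tmp" "$N4P_CONF"
}

# Usage: conf_get HASHCATRULES prints rules/best64.rule; after
# conf_toggle_parked HASHCATRULES it prints rules/rockyou-30000.rule.
```

The one design point worth keeping from this toy: the loader reads the file as key=value text rather than sourcing it with `.`, so a config file that someone edited or dropped in place cannot run arbitrary commands with the framework's (usually root) privileges.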
But if you're really cool, when you're trying to do something more unique, you might need to have the ability to manually control this. So we're just gonna be concerned with the recon module. So I'm just gonna say use recon, and then it confirms that we're using the recon module at this point. If you typo it, it would tell you that you're confused. When I wanna run that module, I just type run, and that module will run. And at any time I can also type show options. And if you type, after you've called use recon to use this module, you can show the options of that module, and it will show you a list of all the variables that that module is gonna rely on from the config file. So you can go back to the config and know that you need to be concerned about these exact variables. We can exit at any time with zero. As in this interface, we can see that we were using NetworkManager during this time. So it knew that I needed to kill NetworkManager to free my interfaces to run. But now that I'm leaving, I need to go ahead and bring that back up. And any interfaces that I changed, broke, had crazy configurations in the process, it remembers, and it'll go ahead and try to bring your system back to an original state, unbroken, just like it was before you even opened N4P. So where is N4P taking us? And how has this project changed the entire script landscape of wireless hacking? The reason I think this has continued to change this landscape is we are now offering a module-based design. We are packaging all these attacks in, and you can rely on the community and say, a Caffe Latte attack, anything random that someone's figured out, they can just publish for you. Now we're not just continually reading this help file and these man files and figuring out why things are broken. We're doing a really good job of putting it together. And I think providing a framework that we have now, going forward, it covers all of information security as we have it.
We have MSF covering the application layer infrastructures and exploit vectors. We have SET covering our social engineering projects. Where were we lacking? Now we have N4P continuing to close that gap and bring us into an environment where we can have wireless and lower level infrastructure exploitations available to us. And it's also worked really well for the reverse engineering process. So we're touching quite a few bases. And Rick has proposed, and it is an option for this year, that we want to evolve it even better. So we're probably gonna, like, add some different languages, maybe the interface in Python, to make it stronger, understanding lists and dicts more instead of cumbersome bash, as it's getting a little hard to write in bash at this point. And we're also gonna start pulling code that Pony's written, some of the Pony Express code, revamping it, and easy-creds code. So the work that easy-creds has done, that is previously deprecated, we're gonna start bringing in as modules and building an even bigger platform for you guys to move on from. So I think this will really help improve wireless and a new framework for everybody. As it starts coming to Kali, it's gonna bring more recognition, catch more traction. But the main focus is to hope to really enlighten and bring people to see Pentoo, because not many people know of Pentoo, or they think it's so much more complicated because it's based on Gentoo. But Rick really has done a fabulous job of making Gentoo work out of the box and give you penetration software. So we're gonna utilize that and make sure it works as best as I can right now out of the ISO for you. Yes. Unbiased or biased? I started on Gentoo. And I was actually scared when I started, when I moved from a Debian based system, like, man, this is gonna be really hard. You know what, it was pretty hard, but it had such a good community. Like, everyone in the community was so brilliant that they would help, and the documentation was excellent.
And about six months later, as we started getting the hang of it and understanding, and another year goes by, the amount of control and aspects I have over my system now, it does what I want and only what I want. There's nothing interfering, cause everything's compiled. If I don't want functionality, I don't have to compile it in. It reduces attack vectors on my system based on that. Plus I get a hardened kernel out of the box. So my system is much more manageable. It's more secure, in my opinion. And all of the code is very rigorously gone through by Rick and BLSK VR, so that nothing comes into our package list that is not sane. If we reviewed an application, even if it's in Kali, something I think I want to share, with Reaver or another one, the code just was not very sane. Like, this isn't done right. We're not putting it in the project till it's sane. So we really make sure that what you're getting for a code-based structure and attack works the best it can. The other really cool feature is that all the developers, the main developers for Pentoo, are live in the IRC channel. So when you have issues you want to talk about, they are right there directly helping. Say, hey, I found an ebuild issue. It's not building, Python USE flags changed. We need to set targets to use Python 2.7 cause our system's on 3.4. They will go ahead and fix it and move it off for you. So I think the community, the more we get involved, will really help out in that aspect. So that's my opinion on using it. I'm trying to get this to Kali users just because I want them to have the ability. I think this is great for everyone to use, but because I rely so much on the infrastructure layer, it was hard to use systemd. When they went to systemd and we're on OpenRC, it made it pretty difficult for me, but Rick says he's got some magic in his hat that he hasn't told anybody about, that we can really make this work.
So that is the future of why I think it's gonna be even greater, cause we can make it cross-platform and independent. That'll really help out. So that's it for slides. And I think it's time to play some games and hack some stuff. Is everyone ready to hack? Still downloading. Rick, your network sucks. I'm telling you, what I can do, I have the ability to show you a little bit and walk you through wireless downloading. And we're gonna go ahead, and I'm gonna keep this AP up. So if you can't actually get things hacking while we're going at it right now, I'll be here and I'll go and help you and answer as it needs. Thank you, brilliant person. All right, I'm actually running NetworkManager at the moment, as we can see, our wireless information. So let's go ahead and take care of that, and we'll go ahead and look at my interfaces, what I have going on. I'm using wlan2, 1, and 0 as my main interfaces. As we can see, nothing has IPs, nothing's going anywhere. The interfaces are all down. So let's ask N4P what to do. All right, it knows I'm using NetworkManager, so it killed everything that it needed to that would interfere with our application. And we can go ahead and, first and foremost, understand the configuration file. All right, NetworkManager is true, we're good. Our interface is still on basic, our operating system's correct because I'm using Gentoo. We're gonna use hostapd, our attack interface is going to be wlan2, that is correct. We're gonna spin up the AP in N4P. Let's make it alive. Here's a random BSSID, we do channel one, it's all good for both locks. Now, because we're just gonna do an AP, our attack does need to be empty. So our attack is null at this point, and that pretty much means nothing else matters for this. So we can Control-X, Y, get out and save. All right, let's go ahead and bring up that AP. Oh no, yeah, yeah, bring up that AP. Yeah, my phone is already set to connect. So we brought up that AP and, if you guys can see, I cannot make that font bigger.
Hopefully highlighting helps. There's a victim pull that comes up because we have moderate enabled. So as it came up, we can see already that this victim has logged onto our service after creating that access point. But we can go ahead and close, close the access point. All right, so the access point's shut down now at this point. I'm gonna do a little bit more. Oh yeah, that's why, because this was hostapd. Let's do, so now let's do this with Airbase, because Airbase is a little bit different, because we have to bring up monitoring interfaces and we don't just have to launch hostapd like we did. hostapd is very quick and easy, I think. So let's keep Airbase there and we'll keep our attack still at nothing and see the difference, what happens with Airbase. Airbase needs to initiate a monitoring interface, that's what it's just doing on the top left. And now we've just launched our Airbase with verbose logging, and we just got our victim associations over here. So anyone that wants to connect to this interface, N4P live, you won't get anything. Why won't you get anything? Because I have not called DHCP yet. So how can I call DHCP from here? I can just go advance, advance. Okay, I'm gonna list our modules here. All right, good, so use DHCP. All right, all right, let's also do, are there any options in this one? Oh, see, those are show options. So we can set our AP and our interface. Are the options required for this? We're on it. Now our DHCP has run, the wireless in this room is highly congested. It is so congested. 2.4 does not like congested areas, just saying. You're right, it will. It's still trying to get an IP from this environment. We'll probably at least see the client association coming up from over here. Cause I'm getting probes from everybody. There was the N4P live client authentication there, where it's tried to authenticate. It's just not authenticating at the moment. It's okay, that's just a basic Airbase infrastructure.
Really hard to see off of this structure. Anyway, so I just killed it, and we see we just killed the interface. And at any time, if I check my IP, you can see it's already brought the interfaces back down and it controlled them. It does it fine, and it's hard to do that. So I wanna go back through a little bit more, and I really wanted to try to do a handshake attack. So we do have Airbase. We're gonna go into, that's fine for now. So we need to understand the reconnaissance. All right, so now we're already reconning the environment. This is gonna be really difficult with how busy this is. And so, if anyone's familiar, you're gonna watch for the BSSID and the SSID of who we want and try to match their station down here. And the one we're looking for is N4P hackable. Okay, there it is, but I don't have a station yet. So I can't read it over here real quick. I can read it on my screen perfectly. I just hit Control-C and paused it. That way I can go over here and read it and modify what I need, configure the configuration file for what we're doing here. We're not gonna do an evil AP, because you can, during this attack, you can just bring up airodump and try to capture it, or you can also run an evil twin AP where you can copy the BSSID, and that would be done here as well. So you make sure all of these features match, but in this case, we don't. So since it's just the attack, we have handshake for that attack that we wanna do. Both of these are right, but we aren't gonna be concerned about this. So this is our BSSID, who we're attacking. The name of who we're attacking is, hopefully it works without the station, because I couldn't let that run long enough to capture the station itself. So we're gonna go with it like that. So now I'm prepared to do the attack. We can just run airodump right here by three, but if you were in advanced, you could just use dump like that. I'm confused. I can run it right from there. I wanna go back.
So we're gonna try to stay in the easy mode and just run a dump. Our monitor interface has been brought up and we're scanning and waiting for a handshake. Now let's try to be a little more expeditious on capturing a handshake. How can we do that? We can just kick everyone off the network. I hope I have the channel right. I don't remember if I have the channel right, but we can continue to keep kicking them. Oops, that was a fireball. Not needed, seven kicks. Not capturing the handshake. I'm dumped down, and bring our recon down. Let's just try to recon one more time. Normally this would be a lot of work, bringing up airmon and Airbase each time back and forth. So this is a lot of, we were not adding time value to this situation. No, I had the channel right. Ooh, ooh, ooh, I got the station. Yeah, that made me excited. It loved me more. Unlike Rick's 7A. Demo gods, please love me. Please. All right, we've already done our reconning. So we don't need a recon anymore. We set up the station, the channel, and the SSID to spoof before the dump. And we can go ahead and try and do it now. All right. We'll be, oh, we already got the handshake right there. How about that? See, that was sexy, huh? Fastest handshake anyone's ever gotten. So now let's just go ahead and look in temp for us in N4P. And in our log file here, you can see we've already captured the handshake, with this handshake, which is the MAC address that we just attacked, based on this router here that we set up to be attacked. So great, we're good to go, we're ready to go. So we don't need to be hanging out here anymore. We got it. We don't need to be hanging out here anymore either, because we got what we came for. So let's think about cracking this wireless network. Option four, crack it. See what that says? It says it wasn't a valid handshake. So you might just have to go back and do it again to get that handshake. Oh, okay, never mind. I got it. There we go. And it actually already says key found.
So we basically just hacked the wireless access point in less than five minutes, and that's probably a new world record for hacking a wireless access point. What happened? I had previously had the MAC address, a file in the temp folder with that existing MAC address. So when you do that, it enumerates it to the next number up, zero one, zero two, zero three, as you capture more. And when I call it, it's only looking for zero one. And that one was invalid. So I had to go back and remove zero one, rename it, and then it worked right away. That was our key feature. So that was WPA hacking. Do we have any questions on how to perform that, or go through the config file a little bit? Everyone's WPA2 hacking experts now. Yeah, the way Airbase names that is pretty confusing. The ESSID would be what we normally see as the SSID, but it's actually ESSID. So that's just the name of it. Then go back through. Okay, right. So yeah, our ESSID is just the name of the access point we are attacking or utilizing. The BSSID would be the MAC address of that device. And then the station is the address of what that particular access point is operating under. So if you were in an enterprise network and they were spanned, you would see the same type of MAC addresses, but you'd see a different station between different rooms. So if we wanted the access point that was just in this room and not the next one down, we'd adjust our station to go through there. And there might not be clients on that. So when you're on a pen test in a bigger environment, you can walk around like a spectrum analyzer and start seeing how much traffic is there. Or when you're just running airmon and viewing what's coming through there, you'll see how much traffic's on which one. And then you just want to wait and find that station. When you see the station with the highest traffic, that's the one you want to go to and utilize to attack that particular AP.
You'd be much more likely to get a handshake right away. And we did all that without a clientless handshake. We did that with a client handshake that wasn't clientless. The other option is, at this same time after we brought the airodump up, if we weren't catching anything, we can also launch our access point at the same time. So that brings up an evil twin which people can also connect to. So not only were we likely to catch a handshake that way, we can now infiltrate their traffic structure that's coming through the network. So that can even be useful for many reasons, you know, corporate environments. I didn't really want, I'm not really gonna get into the enterprise, because I don't have anything set up, or we don't have a RADIUS server set up for that structure. Thank you. Use recon. All right, the other thing we just want to understand, and I'll probably show you some of the rule structures here on enumerating the firewall. If I brought that access point up just as a basic access point, our firewall is gonna need to understand how we're gonna utilize that, and I'll show you how it uses that. If you're waiting and waiting on it, there might not be anyone on the network. If you're not getting it and then you can't kick them, one thing you can try is a lot stronger antenna, because maybe someone's further in the building that does have authentication, and if you appear stronger, they'll want to connect to you. You can use iwconfig and adjust the txpower, excuse me, if you change the region to bump the power up to like 30, that way it's exponentially stronger than what the standard wireless controller is gonna give out, making your clients more susceptible to connecting to you. So it's just about making yourself feel more appealing to the environment that we're working in here. Recall launch, let's do this. All right, let me just go ahead and try and show you the firewall. I purposely used a white background.
The initiation process is it starts to understand everything that we're using, what interfaces we're using, the access points, the bridges. If we're using VPNs, it starts by dumping the tables and flushing the system. We just allow our forwarding and we set our default policies for the chains that we're gonna utilize. If we have a VPN enabled, it's gonna change the rules. If there's no VPN set, it's not going to. Just some basic traffic rules for the DHCP server, for the DNS servers, if you're running all of that locally. If you're running Samba, maybe someone connects to the network and you want to run an NTLMNR listener to get their information. Like if you know someone travels a corporate network, you can get them to connect and run an NTLMNR listener. You're gonna want these ports open. So those are there. If you bridge the interface, or if you don't bridge the interface and you need port forwarding, it controls the rules differently. So if we're using an access point like Airbase, it knows that and it's gonna allow the POSTROUTING masquerading and accept the packets through. But what's allowed down here where it's commented, if you go in here, if you're doing a lot of reverse engineering on applications, say you have a Windows box, you're reverse engineering the web authentication of the software to crack, you can go here and uncomment these lines and then comment these lines up, and then you can control only the ports that you want to have access through your AP. That way it really reduces the noise in your traffic while you're running Wireshark to capture how the web authentication is working for cracking that piece of software. So that's some more control that you're getting inside when we're talking about the infrastructure layer. And this is just if you're using hostapd, it allows the rules differently. And then we have a lot of incognito things.
If we're gonna allow ICMP or not, or port scans, that way if we're doing vulnerability research on a network, we wanna stay incognito. These situations will keep us invisible to the network and not allow any traffic to leave until you designate it, based on an interface that can only go out and can't receive. So those are some of the strengths that we're receiving inside the firewall controls. That would really just be if an application itself is vulnerable to it, to a buffer overflow on a hardened kernel, because Gentoo is compiled, if you're compiling it with checks and different canaries in the memory structure where a buffer overflow wouldn't happen to the system if it was vulnerable. So that's just why hardening's a little bit more secure. I don't know if anyone's gotten it downloaded yet or not. Yeah, it is with a single global deauth. And then if you didn't get a handshake, wait a second, you can do it again. Just keep going ahead and doing it as you want. Who will? That who kicked you off? That would be pretty weird, because you're just flooding the beacons of that and they're not really able to walk, you're still flooding it. If, just theoretically, if that happened, I mean, I'm not the end-all be-all in everything wireless, try changing the MAC address of your device and do it again, because obviously we can set it here. So just change it while you're doing the deauth and you should be back running. Anything else that anyone would like to cover? I know it's a really in-depth application to kind of understand, I've only kind of touched the surface of actual attacking. Yes, I will absolutely go ahead and keep this AP running for you. That way you can have practice. I'm gonna be around.
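The firewall initiation the speaker walks through above (flush, default policies, forwarding, DHCP/DNS service ports, NAT only when the AP is not bridged, an optional port allow-list for reverse engineering work, and the incognito ICMP handling) as an added example; this is illustrative editor code, not N4P's own firewall script. It only prints the iptables commands it would run (a dry run), and the interface names wlan2, eth0 and tun0, the function name and its parameters are assumptions.

```shell
#!/bin/sh
# Dry-run generator for an AP firewall rule set in the shape the talk describes.
# Assumed names: wlan2 = attack interface, eth0 = uplink, tun0 = VPN uplink.
# Nothing here is applied; each line is echoed so it can be reviewed first.
#
# n4p_fw_rules AP_MODE VPN INCOGNITO [ALLOWED_TCP_PORTS]
#   AP_MODE            "airbase" (unbridged, needs NAT) or "hostapd" (bridged)
#   VPN                "true" routes client traffic out via tun0 instead of eth0
#   INCOGNITO          "true" drops inbound ICMP and only lets traffic leave
#   ALLOWED_TCP_PORTS  optional comma list, e.g. "80,443"; when set, only these
#                      destination ports are forwarded (the "uncomment these
#                      lines" reverse-engineering mode from the talk)
n4p_fw_rules() {
    ap_mode="$1"; vpn="$2"; incognito="$3"; allowed="$4"
    ap_if="wlan2"
    out_if="eth0"
    [ "$vpn" = "true" ] && out_if="tun0"

    # 1. Flush every table and chain, then start from known default policies.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -X"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "sysctl -w net.ipv4.ip_forward=1"

    # 2. Local services AP clients must reach: DHCP (67/68) and DNS (53).
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $ap_if -p udp --dport 67:68 -j ACCEPT"
    echo "iptables -A INPUT -i $ap_if -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $ap_if -p tcp --dport 53 -j ACCEPT"

    # 3. Forwarding. An unbridged Airbase AP needs NAT out of the uplink;
    #    a bridged hostapd AP just needs bridged frames let through.
    if [ "$ap_mode" = "airbase" ]; then
        if [ -n "$allowed" ]; then
            # Restricted mode: forward only the listed destination ports.
            echo "iptables -A FORWARD -i $ap_if -o $out_if -p tcp -m multiport --dports $allowed -j ACCEPT"
        else
            echo "iptables -A FORWARD -i $ap_if -o $out_if -j ACCEPT"
        fi
        echo "iptables -A FORWARD -i $out_if -o $ap_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -o $out_if -j MASQUERADE"
    else
        echo "iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT"
    fi

    # 4. Incognito: no ICMP replies, and the host only talks out of the uplink
    #    and the AP interface (INPUT is already DROP by policy).
    if [ "$incognito" = "true" ]; then
        echo "iptables -A INPUT -p icmp -j DROP"
        echo "iptables -P OUTPUT DROP"
        echo "iptables -A OUTPUT -o lo -j ACCEPT"
        echo "iptables -A OUTPUT -o $ap_if -j ACCEPT"
        echo "iptables -A OUTPUT -o $out_if -j ACCEPT"
    fi
}

# Count how many rule lines a given configuration produces (handy for review).
n4p_fw_rule_count() {
    n4p_fw_rules "$@" | wc -l | tr -d ' '
}
```

Pipe the output through `sh` only after reviewing it, e.g. `n4p_fw_rules airbase false true | sh`.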
So when everything does get set up, I was trying to do it while we're in the panel, so that when people can follow along and actually get some handshakes together, I'll be happy to help anyone there and push you through the software, understand how to get it and crack some WPA if you haven't done it before. You're gonna need to use the Pentoo VM right now, because it's the only way you can get the software. When you update it, as I said in the initial slides, I should probably bring this back up. There we go. So how, this timer, how do you do that? Weird. That's fine. I can just leave it up like this. I'll just leave it like that. I don't know what the heck it's doing at this point. Yes, all of that will be available all day while you're here, for the rest of the con. You can download it off of where the red instructions are and try it. And I will leave this AP up, and N4P hackable is the name. The password to the dictionary is in Pentoo already, in our dictionary folder. So that's part of the reason that I just made sure that the dictionary file that I'm gonna be tackling would have a valid crackable key. But we're almost out of time. Whoever the lovely person is that gave me this pen, thank you. All right. Well, we have a few minutes, and I thank you guys so very much for coming to the panel, and I hope you learned something, want to be involved in the community, or follow the project from here on out. Because I'm kind of tired of being the only developer. I'm gonna rephrase: the only developer. We're done. We're done. Yeah. Not everyone's gotten to download it in time. So I kind of had to breeze through it on my own. Yeah. Here's what it is. It's Rick's fault. Yes. I had IPv6 running. Well, I have to say it doesn't really affect it too much. What happens is I had IPv6 running on one of my routers and I was having a really hard time with things just being flaky.
So I think it's just gonna have me do some research and understand how to handle IP version six within this attack vector. Yeah. But I mean, it will come. It will come. All right, now I gotta finish implementing the EAP technology. You can do it now if you know how to configure the hostapd profile. Just make the couple of adjustments and then start a RADIUS server on the back end. But to make it more usable, I'll add the RADIUS server as a dependency in the ebuild package. When we install packages on Gentoo, we use ebuilds, and because it's compiled from source, we can associate dependencies with applications and configuration files. So in the next update, when that's available, I can require that if you choose to use Telet, use EAP technology for hacking, then go ahead and associate RADIUS. So that way the RADIUS server will install and then I can package a conf file for that already with you. Sure, if you have a good site that you know that you wanna parse, yeah, and you have online activity, this does kill your interfaces. Constantly, it makes it difficult. So if you kill your, I knew I'd need it like that. So what you can do around that is you can run a wired interface. Just launch your DHCP server on eth0 or eth1, then you'll have an interconnection on your base. And N4P's only, at that point, gonna kill your wireless structure and utilize it. So if you wanna have a module that says upload hashes, that parses this site, it can take it from the temp folder, set it up, and automatically parse and pull it down. So that could be a module that could very easily be implemented. App in the hash in. Yeah, one of the good things that happens while we're using hashcat in here, as we saw, the cap file, that doesn't work with hashcat, it has to be converted. So it does that conversion already for you and removes all the junk behind you and starts the hashcat going. So there's a lot of work to do that on your own. If you've ever used all that stuff, it's hard.
If you can use one button in me to get things done, I'm like, in, out, you're hacked, see ya. Like, who else gets hacked that quick? Nobody. I actually just hacked AC. This is my end, I have an AC over here and I was using the AC interface to do that. Now, I know this is the card to go to. I found it, since I used the AC one, this is much flakier. I've had a lot more, I've had a lot more issues with the modules. You know, the card dropping, the driver interface just disappears and bringing it up, or it would get hung, it would get hung in PIDs. So I had to add a lot of extra redundancy checks in N4P right now, so that when it rebuilds a network or it tries to launch a new monitor interface, if it's not doing it, it throws it in a loop, and then it resets NetworkManager, and if the monitor doesn't come back on, it searches for the PID; if there's a PID there, it kills the PID and loops back through. Basically, if you just call ps -A and you get a list of all the PIDs, you can grep that for the applications I'm using, like Airbase. And if I see Airbase come up as a positive, then I know that the PID's locked and I can just parse out the PID number and kill it and then go back into the loop. It's just forcing a way to kill it down. Yeah, that's what I did. I immediately started using it to finish this coding after I got it and ended up finding that it was, it's been the best card that I've used so far, so I recommend it. Yup, very welcome. It's about our 10 minutes that we had to goof off. But thank you very much, people, guys, for coming to the panel. Yeah.