All right, without further ado, I would like to introduce Vivek Ramachandran, Nishant Sharma, and, I can't say that, I'm sorry, Ashish. Ashish, all right. They will be talking about Decepticon: Wi-Fi deception in under $5, and afterwards you can ask lots of questions about what else you can do for under $5. Excellent. Have a great time. Thank you.

Thank you, Rick. Tip your servers. So, thanks again, Rick. It's always a pleasure to speak at the Wireless Village. I've been doing Wi-Fi stuff for, I think, the past 10 years, from DEF CON 15, so it's amazing that this is my 10th year, and I'm also speaking in a couple of villages. As Rick mentioned, my name is Vivek, and today I'm going to be talking about Decepticon, of course taken from Transformers: Wi-Fi deception under $5.

A little bit about myself. I started as an electronics and communications engineer. I implemented a lot of the Cat 6500 802.1x and port security back in the day, broke WEP cloaking, created the Caffe Latte attack, was one of the winners of the Microsoft security shootout contest. I speak and train at conferences; we do Black Hat every year, the Wi-Fi training. I also run SecurityTube.net and Pentester Academy, and I've written a bunch of books.

Let's come to Decepticon. Okay, so what is Decepticon? Now, as a Wi-Fi hacker, I have created a lot of honeypots, right? All of us have. What I really wanted to do is see if we can create honeypots which can trap attackers, probably both trying to attack your home network as well as enterprise. So the whole idea is, now, why not create honeypots which trap attackers? And that is where the idea for Decepticon came.

Now, when you look at honeypots deployed, you know, in an enterprise, even doing extremely simple things has actually netted me a lot of attackers. To give you an example: if the office network is called Pentester Academy and that's WPA2 Enterprise, and if you have an open AP, or probably WPA-PSK with an easy passphrase, you'll actually see a lot of people trying to break in. As far as the WPA passphrase is concerned, pick one of those from rockyou.txt, right? Everyone uses Kali, everyone is going to use the same dictionary. I think, you know, the attacker might get a gratifying feeling that he cracked the network, logs in, does a lot of mischievous stuff, but of course we are watching. So I tried out many of those.

But interestingly, what I wanted to do is see if we could build these Wi-Fi honeypots in under five dollars, which means you can pretty much leave them deployed anywhere: at your parking lot, or, probably, you know, kind of hanging from one of your windows, and see what happens, right? Just for fun. So I did a lot of research on the different devices available and I finally picked up the ESP8266. Any of you guys worked with it? Okay, just one. So this is actually a very interesting chip. It is used for the Internet of Things.
It's a full SoC. The wireless card on it actually has b/g/n capability, which is fantastic. The SDK is open. It can actually do, of course, Open, WPA, WPA2, and the latest firmware even allows you to do WPA Enterprise, which is almost unbelievable for a chip that size. It's a full-blown 32-bit RISC. You can use the 80 MHz option or the 160 MHz option, either of which is pretty reasonable for the task in hand. So I looked at this chip and then decided to use this to deploy Decepticons all over the place.

So here is a deployment scenario. Let's say you have a corporate Wi-Fi network or your home network. You can deploy a bunch of these Decepticons, attach long-range antennas, I even tried using a couple of signal boosters, and then misconfigure them, right? Use a different passphrase, make them open networks. Because when you do an airodump-ng scan, you're probably thinking, "Corporate Wi-Fi, someone forgot to configure that AP properly," right? So if someone is attacking, that's probably going to be the first target. Still, even the enterprise deception solutions which are out there in the market don't use too much of Wi-Fi from what I've seen. I've never seen a complete Wi-Fi deception solution.

So how would this work? We create the honeypot network, and then we actually connect to a backhaul network. So here is what I want to do. The chip is actually on the development board, but the chip really is half the size of the development board you can see right now. Now, what I wanted was, I could just power this over USB anywhere, and it actually creates a fake honeypot network, and at the same time connects back to one of the corporate APs, so that when an attacker connects to the honeypot, we can go back and tell the admin, right?
Now, unbelievably, this little chip can do both an access point and client mode at the same time, so it can maintain dual stacks. So we do not require two different Wi-Fi cards or two different chips. Of course, the only limitation is your honeypot would be on the same channel as your corporate AP if you wanted to connect back. That's not necessarily a bad thing, because the attacker is expecting the corporate APs to probably be on one of those channels, right?

So we create the honeypot network, and I'll show you, you know, what the IDE is, and I'll give out all the sample code today. We create the honeypot network, and then this actually connects back to your home Wi-Fi or to your corporate Wi-Fi. After that, any time an attacker connects to the honeypot, we automatically send out these little messages over to our remote server, which it can access over the backhaul network.

How many of you have heard of MQTT? Okay, think of it as Twitter for IoT devices, right? Really short messages; you can pack a lot of things in there. So this uses MQTT to go ahead and communicate with a remote MQTT server. I'm just using a free server on the internet, CloudMQTT. You could, if you want, configure your own; there's one called Mosquitto. Okay, so once we've connected, the device actually waits for an attacker to connect to it. The moment he connects, it starts sending all of those little messages back to the command and control.

Now, another option which we have is, if you actually wanted to deploy this in a hotspot environment, let's say have "Starbucks AP" on it, or "T-Mobile", then I'm also giving out a program where you can create your own splash screens, all on this device. So this has an embedded web server in it. There is an interesting little way by which you can put web pages along with it, by encoding, and I'll run you through it a little later. But with that, you can put your own splash screens, right, or mimic existing ones. So the other option, as I mentioned: we have a splash screen, the victim tries to log in, and every activity is logged and sent back to the MQTT server. I'm also working on an enhancement where this can even store all of that locally. So you could deploy this, come back after a day, bring it back, connect it to your computer, and it can start dumping all of the usernames or whatever was collected when people connected to your splash screen. Okay, so this is the overall view of what we want to achieve, right?

So now the question is: how do you program this device? Now, how many of you have ever programmed an Arduino? Okay, good news: the ESP8266 SDK integrates flawlessly with the Arduino IDE, and there are actually a lot of wrapper routines so that you can use the Wi-Fi module and a couple of others. There are certain SDK-specific APIs which you may have to call which don't exist in Arduino, you know, and well, I have all the code and everything documented.

So, Decepticon. The first example which I'm going to show you is how to break Decepticon up and look at these smaller building blocks. Now keep in mind, the idea is not to run through a whole programming exercise; we have limited time. So I'm going to show you code, run a couple of live demos, run a couple of them on video, just so that we can cover everything. After the class, I have a couple of ESP8266s, so if you want to try it out live or do something, just let me know.

Okay, so let's start from the basics. I wanted to give you an idea of how simple it is to actually program these devices. This isn't as difficult as, probably, you know, taking OpenWrt and customizing it. This is really simple.
A lot of the sample code is already out there. Okay, so let's actually start with the obligatory hello world. So I have connected this to my USB. The ESP8266 has a serial port, and the development board has a serial-to-USB converter, so you can just directly talk to the chip, you know, over your USB port. So I have set up the chip here. If you look under Board, it says NodeMCU. The frequency is 80 MHz. Most importantly, you just need to make sure that you have selected your USB-to-UART port.

Okay, now, extremely simple. When the device comes up, we can run what is called setup code. Now, if you've done Arduino, you already know this; this is for the rest of the gang who probably hasn't used Arduino before. So setup only runs once, and all we do in setup is, I set the serial port speed, along with probably just printing a couple of hello worlds. After setup runs, we actually go through what is called an event loop, and that loop keeps running, and you can pretty much put in whatever you want inside of it, right? Simple example.

So I'm going to go ahead, upload the code, run it. So we are compiling the sketch. All of this code and Decepticon is completely free and open source, so I'm going to be adding a lot of things to it. You will love this little device. I've fallen in love with it over the last six to eight months, and they've come out with the ESP32, which is the next version. I'm already working on that as well, so it should be fun to see.

Okay, so now that the code is uploaded, we can look at the serial port of the device by just opening the Serial Monitor in Arduino. Now I'm going to reset the device real quick. It has two switches on it. As soon as I reset, you'll actually see the device once again just print the hello world, right? Quick introduction. As I said, two important things: the setup function, where you run stuff one time, and then the loop function, where you want your event loop.
So now let's take on something a little bit more interesting. So how many of you use airodump-ng? Everyone, okay. So what I did was, I took the base Arduino code, looked at a couple of APIs which the SDK offered, and I tried to create a simple airodump-ng. So I'm going to upload this code. I've tried my best to document the code as elaborately as possible. As I said, I don't want to make this a coding exercise, but if you do have any questions, you can always reach out to me later. So let's wait for this to run.

Okay, you just see that? So this is under five dollars, right? Interestingly, because this is actually talking over, you know, USB to UART, you can actually connect this to your Android phone and use any serial monitor application on Android, and you would pretty much be able to see all of this. Seems to be an unknown one, which might mean I have to look into my parsing code a little bit more. But this is how easily you can create a network monitor using this little guy. Okay, all the code, again, completely open source.

Okay, so the good news is, the ESP8266, because it was meant for IoT, they actually have a lightweight TCP and Wi-Fi stack in it. So all we have to do is leverage that stack to create a Wi-Fi access point. Creating an AP is as simple as what you may have done in, you know, a couple of the Arduino-based platforms. So let me show that code and run it. So just to show you how trivial it is to actually create an AP: that's all you have to do. WiFi.softAP: give the SSID; if you'd like to create an encrypted access point, give the passphrase, followed by the channel; and if you want this to be a hidden AP, that is a flag, you can just set that to true. The default is false. Okay, so I'm going to quickly go ahead and run this. Aren't you guys already falling in love with this little chip?
Five dollars. Actually, if you order from AliExpress, you can even get it for three dollars. Okay, let's wait for it to upload. A version of it does; so there is a version called the WeMos D1 mini, which is just... So he has a good question: does this support external antennas? So the ESP8266 I am demoing, this doesn't, but there is a WeMos D1 mini based on the same chip, and they actually have an SMA connector, and you can use that with a 3 dBi antenna. I can actually give you a link after the talk. They have a little resistor you have to kind of desolder and kind of solder it back, so you can switch the circuit from the internal antenna to the external one, but that's about it.

So let's see. What was the AP called? ESP8266 AP? So let's switch Wi-Fi on, and there it is, you see that. So you should be able to see the ESP8266 AP in here. That's how easy it is to actually create an access point using the ESP8266, right? You can create an open AP, no encryption. You can create a WEP AP, WPA-PSK, and WPA2-PSK. For Enterprise, you have to kind of do a little bit of kind of workarounds, because they don't support that natively, but if you are interested you can talk to me after the talk.

Okay, so what I'm really trying to do here is connect the different blocks we would require to create Decepticon, right? So Decepticon is a honeypot AP, which means, of course, we'd have to know how to go ahead and create a Wi-Fi access point; we just saw how to. It has to connect back to its backhaul network, which means the scanning facility and the connect-back facility. And then finally it has to run a web server and make sure that there is DNS redirection, so that as soon as someone connects, DNS can redirect.

Okay, now, the connect back. We are at DEF CON, right? So my ESP8266 might not be able to connect to the DEF CON live network right now, for, for things. I mean, of course, understandable.
So what I'm going to do is, just for the connection part, I'm just gonna show you a quick video, because I don't want someone to hack the device while I'm doing a demo. That would not be pretty. So here is the connection part. Again, really simple. Let me give you an example and show you how the code looks first. Okay, so we mention the SSID and the passphrase. You know what, I can give it a shot. Let's try to see if we can connect to the DEF CON open Wi-Fi. I'll take the risk. Okay, let's see if we can connect to the open wireless at DEF CON without getting a BYOD on my screen, or, or something worse. Right.

Yeah, question? Yes. Yeah, so that's a good question. Her question is, does the chip have GPIO? Yes. It actually has one more serial port, and you can even do software serial with it. People have even done USB software serial with it. From what I recall, it probably has eight GPIO ports. So you can connect, and originally this was meant to be for IoT, so they really wanted it to be able to connect to external devices and be controlled by, probably, you know, your fridge, or maybe a kettle which has IoT on it. How many of you have that?

Okay, so it might have a bit of an issue here connecting. The kind of only thing is, if you're in an environment with a lot of deauths... I don't even know what's happening in the background, but I'm gonna try to reset it and see what happens. This is a little error message I print till the time I'm trying to check stuff. Okay. Trying to connect to the DEF CON network was not a good idea, clearly. Let's actually go ahead and look at the client functionality. I'm also going to put up all of these videos online. The videos run you through every step. They have voice, which means you'll never forget how I sound. You can look at them later.

Okay. Okay, so once we actually run the code, it's supposed to connect to the backhaul network, and after that we can actually have full internet connectivity. This uses lwIP, which is a lightweight IP stack.
It's actually used in a lot of embedded devices. So let's go back. Okay, now let's actually look at Decepticon itself. I'm just going to run you through a little bit of the code organization.

Okay, so the way Decepticon works is, first it has to create a honeypot AP, right? So that honeypot access point is actually being created over here, in "deception AP". It creates a honeypot AP; the SSID is "free internet", of course. I live in a downtown area, so it's actually quite fun to hang this from my window and see how many people try to connect to free internet. So that's basically the deception AP.

Now, once the honeypot comes up, we want the backhaul network to also work, right, so that we can send all these messages back to the command and control server. That's actually done in "init back-end reporting". Again, we've already seen the sample code snippets.

Now, after this, we are going to go ahead and start the DNS server. How many of you have had trouble doing DNS redirection attacks? You know, you probably used a couple of tools where you have to ensure that all your DNS replies get redirected to only your IP address, right? And it's pretty painful sometimes to get right. Now, with the ESP8266, it couldn't be simpler. They have a DNS server, and in DNS start, the second argument, if you actually mention a wildcard, it automatically goes ahead and responds to every DNS request with the ESP8266's IP, which is fantastic, right? This is the most difficult part I've always found kind of getting right when you create MITM setups, or, you know, any form of deception or honeypot setups. But hey, I mean, they support it in the stack itself. I don't even know why they market it as an IoT device; they'd probably have a lot more success marketing here in the vendors area.

So this is how you start the DNS. I have a couple of error checks over here, so that, you know, we can make sure we are reconnecting, etc. This is a dummy account; you can see all the passwords. You can try it if you like.
It's all yours. But this is the back-end MQTT server, and what we actually do is, as soon as we bring up the access point, we tell the remote server, "Hey, the AP is up." When someone connects to your AP, we say, "Hey, XYZ client with this MAC address connected to you." When the client opens a browser, we go ahead and send a message, "login page sent," right? And you'll see a mapping of all of that with the GUI in just a bit.

The web page: so with the ESP8266 you have a file system, but it is pretty limited. However, what you can do is embed the web page itself into the code, so that it pretty much is kind of fetched at runtime directly from memory; you don't have to do any of the disk access. I did that; I wasn't too happy with the performance. It has a very, very small disk, I think a couple of KB if I recall. So I have the entire hotspot page, the whole HTML and everything, in here, embedded inside the code as a variable.

Finally, we have the web server. So all the web server does is, as soon as a client connects, the DNS redirection happens, and it throws the splash page regardless of whatever URL is being requested, right? Just like any captive portal.

Okay, so let's actually run this. Now, as I mentioned, through the DEF CON network it might be difficult to connect. I'm going to run it, show you how it kind of looks in the serial monitor. You can try the code later, but I have a full video of how it works in general, right? I have tested it. I've even deployed it in a lot of fun places, with people's permission. Is he recording? Okay. So yeah, jokes apart, of course, just for, just for research purposes. So it's actually... wait for it to compile. So right now the access point is up, and if you use your phone, you should be able to see a "free internet". Feel free to connect to it. I have a friendly malware; it'll just occasionally say hi to me. So as I said, you can pretty much try this. Okay, so we have one connected client. Who is that braveheart who connected? Someone did connect? Okay.
He did. So feel free to connect. If you notice, because we don't have an outgoing internet connection at this time, the MQTT message says we aren't able to connect, but that's okay. You can try that later. So feel free to connect to it. I'm just going to show you how this looks when you deploy it in a much more senior network than here. So let's actually go in.

Okay, so this is the remote server I'm using. There is a free service called CloudMQTT. You can sign up for a free account, which is really what I did, and this is the MQTT server the ESP8266 talks to when it actually has to send messages. You can set up your own; as I said, there is Mosquitto, a couple of others. But I generally prefer free options, so I don't have to set up too many things.

Okay, so now let's actually fast forward a bit. Okay, so the device started up. What is happening here is, "free internet" is now up and running, it is broadcasting. It then started the HTTP server, and after that it connected to the backhaul network, right? Which, as I said, to the DEF CON network is difficult to connect. And it just tells you what IP address and all of that it has configured itself with. So this is now serving a honeypot, simultaneously being connected to a backhaul network so it can talk to the MQTT server.

Now, if I go back and look at the MQTT server GUI, you will see, momentarily, us getting messages. So this is "the deception SSID free internet is up"; as you can see, that's an IDS alert. "Honeypot update: the SSID is up and the current client list: zero." Now, all this means is no clients connected. This is a phone, any device which might connect to "free internet". So once we connect, because we do the DNS redirection, automatically all mobile devices tell you to sign in. We get the MAC address and the IP, and then you get the splash page. For legal reasons, given this is recorded, we have a custom page called Hacker Arsenal, but you can create any splash page in there. Too many bad things happening nowadays to people presenting. So, and then you can actually put in the username, or the victim would go ahead and put in the username and password. All of that is immediately going to be sent over the internet to the MQTT server. There you go.

So at the very same time, what I'm working on is, you can actually send the device back messages as well. So you could probably tell it to do something interesting. I was even thinking about having it do a port scan once the client connects, to see what services are available.

Okay, so all the code is going to be available. As I said, I've tried connecting to the DEF CON network. Maybe by tonight I'll have everything up on hackerarsenal.com, and you can download it. Okay, so that's all I have. Thank you. Any questions? Thank you. Questions?

So, yeah. So I've actually managed to power this literally for weeks with one of those little, you know, USB charger batteries, like the amtech ones or... It works fantastically well. That's a good question. Additionally, the ESP8266 actually supports a low-power mode, where it can switch itself off and pretty much operate in very low power and then automatically switch itself on periodically. So doing that, someone even claimed to run it for a year. I mean, I don't know how much truth there is in it, but... So you can do a lot of stuff with this.
They also have a new chip called the ESP32, which allows you to do both Wi-Fi and Bluetooth Low Energy and your regular Bluetooth. My recommendation is, look at all the new IoT platforms coming out. This is actually a treasure trove for wireless hackers, because, I mean, you know, they've done the kind of time investment and research to miniaturize them anyway, and all of them need to have full-blown stacks so that we can use them. And I mean, I go crazy just buying stuff from AliExpress, and just, most stuff seems to work. I mean, unlike the time when you had to hunt for wireless cards or platforms endlessly for weeks, some of the new platforms are great, all the IoT platforms, especially the ones with wireless and Bluetooth. Okay, thank you very much.
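The building blocks the talk walks through (soft-AP plus station mode on one radio, wildcard DNS, a captive web server, and MQTT alerts when a station associates) fit in one short ESP8266 Arduino sketch. The sketch below is an added example written for this transcript; it is not Decepticon's code and not taken from the talk or from hackerarsenal.com. It assumes the ESP8266 Arduino core (ESP8266WiFi, ESP8266WebServer, DNSServer) and the PubSubClient MQTT library; the SSIDs, passphrase, broker host and credentials are placeholders to be replaced, and the alert texts are constructed here. It serves a plain "monitored network" notice rather than a login form: the point of the honeypot is the association alert, not anything the client types.

```arduino
// Added example sketch (not Decepticon's own code): a minimal ESP8266
// Wi-Fi honeypot that alerts over MQTT when a station associates.
// Assumes the ESP8266 Arduino core and the PubSubClient MQTT library.
// All network names, credentials and the broker are placeholders.
#include <ESP8266WiFi.h>
#include <ESP8266WebServer.h>
#include <DNSServer.h>
#include <PubSubClient.h>

// Honeypot AP: deliberately open so a scan makes it look misconfigured.
const char* HONEYPOT_SSID   = "free internet";   // constructed value
const uint8_t HONEYPOT_CHAN = 6;                 // AP+STA share one radio: the soft-AP
                                                 // follows the backhaul AP's channel

// Backhaul (station) side: the legitimate AP we report through.
const char* BACKHAUL_SSID = "CHANGE_ME_corporate_ssid";   // placeholder
const char* BACKHAUL_PASS = "CHANGE_ME_passphrase";       // placeholder

// MQTT broker (for instance a self-hosted Mosquitto); placeholders throughout.
const char*    MQTT_HOST  = "mqtt.example.invalid";
const uint16_t MQTT_PORT  = 1883;
const char*    MQTT_USER  = "CHANGE_ME";
const char*    MQTT_PASS  = "CHANGE_ME";
const char*    MQTT_TOPIC = "honeypot/alerts";

DNSServer dnsServer;
ESP8266WebServer httpServer(80);
WiFiClient netClient;
PubSubClient mqtt(netClient);
WiFiEventHandler stationConnectedHandler;   // must stay in scope or the callback is dropped

// Page served for every URL: a plain notice, no credential form.
const char SPLASH_PAGE[] PROGMEM =
  "<html><body><h1>Monitored network</h1>"
  "<p>This access point is a honeypot. Your association has been logged.</p>"
  "</body></html>";

// Publish a short alert; reconnect to the broker first if needed.
bool report(const String& msg) {
  if (!mqtt.connected()) {
    String clientId = "decepticon-" + String(ESP.getChipId(), HEX);
    if (!mqtt.connect(clientId.c_str(), MQTT_USER, MQTT_PASS)) {
      Serial.println(String("MQTT connect failed, alert kept local: ") + msg);
      return false;
    }
  }
  Serial.println(String("ALERT: ") + msg);
  return mqtt.publish(MQTT_TOPIC, msg.c_str());
}

// Fired by the Wi-Fi stack whenever a station associates with the soft-AP.
void onStationConnected(const WiFiEventSoftAPModeStationConnected& evt) {
  char mac[18];
  snprintf(mac, sizeof mac, "%02X:%02X:%02X:%02X:%02X:%02X",
           evt.mac[0], evt.mac[1], evt.mac[2], evt.mac[3], evt.mac[4], evt.mac[5]);
  report(String("client ") + mac + " associated with " + HONEYPOT_SSID);
}

void setup() {
  Serial.begin(115200);

  // AP + STA at the same time: the honeypot and the backhaul on one chip.
  WiFi.mode(WIFI_AP_STA);
  WiFi.softAP(HONEYPOT_SSID, nullptr, HONEYPOT_CHAN, false);   // open, not hidden
  stationConnectedHandler = WiFi.onSoftAPModeStationConnected(onStationConnected);

  WiFi.begin(BACKHAUL_SSID, BACKHAUL_PASS);
  for (int i = 0; i < 40 && WiFi.status() != WL_CONNECTED; i++) delay(500);

  // Wildcard DNS: every lookup resolves to the honeypot's own address.
  dnsServer.start(53, "*", WiFi.softAPIP());

  // Any path gets the notice page, captive-portal style.
  httpServer.onNotFound([]() {
    httpServer.send_P(200, "text/html", SPLASH_PAGE);
    report(String("splash page served to ") + httpServer.client().remoteIP().toString());
  });
  httpServer.begin();

  mqtt.setServer(MQTT_HOST, MQTT_PORT);
  report(String("honeypot ") + HONEYPOT_SSID + " up, backhaul " +
         (WiFi.status() == WL_CONNECTED ? WiFi.localIP().toString() : String("down")));
}

void loop() {
  dnsServer.processNextRequest();   // answer every DNS query with our own IP
  httpServer.handleClient();        // serve the notice page
  mqtt.loop();                      // keep the broker session alive
}
```

The three alert messages (AP up, client associated with its MAC, page served) mirror the sequence the talk shows in the CloudMQTT GUI. Two points a deployer should check: the event handler is stored in a global on purpose, since letting the returned `WiFiEventHandler` go out of scope unregisters the callback silently; and because AP and STA share one radio, the honeypot ends up on the backhaul AP's channel regardless of the channel passed to `softAP`, exactly the limitation the speaker notes.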