So, it is now 10 a.m., and we are ready for our first talk, and I know both of you have been waiting to do this talk for a while, and it's my pleasure to introduce you, Vesem and John.

Hello. Back side, can you hear me? Okay, thank you. Today we will talk about Wi-Fi threat modeling and monitoring with my co-worker. But first I want to introduce myself and my co-worker. Before I begin, I want to say: we love Wi-Fi hackers. I am Vesem. We come from Turkey, and this is a lot of information about me. For now, I'm working as a security engineer at Barikat Cyber Security in Turkey, and I am the developer of the Wi-Fi Hunter project. The Wi-Fi Hunter project can detect a lot of Wi-Fi attacks and can monitor a lot of Wi-Fi threats, and today I will talk about Wi-Fi Hunter. I'm also the founder of a pentester training about Wi-Fi, and I am currently a student of computer security at Süleyman Demirel University in Turkey. Before this I attended a lot of conferences, at Black Hat and DEF CON; I did a presentation at Black Hat Arsenal. And I have a book in Turkey about wireless attacks and monitoring and defense, but for now it's only in Turkish. If you want to learn the secret information from my book, you should learn Turkish, maybe next year. And I have a hobby of fighting against Wi-Fi hackers. Now my co-worker will go on, and I will come back again and we will enjoy ourselves with the Wi-Fi Pineapple and the karma attack. Thank you.

Hello, everyone. Hello, everyone. Is it clear? Great. I am John Kurnas. Actually, I'm originally from Turkey. We worked together, then I moved to the Netherlands two years ago, and I'm now working for KPMG Netherlands. I already presented at Black Hat this year, and also at last year's DEF CON and this year's DEF CON in the IoT Village, etc. My hobbies are IoT and ICS security. I'm working as a penetration tester and I'm also contributing to Wi-Fi Hunter. We are also discussing ideas with each other, etc.
And also, this project came up from collecting the ideas while we were discussing. So, today's agenda: we will talk about, of course, Wi-Fi networks. We will try to profile Wi-Fi hackers. After doing this, we will try to create some sort of threat model for Wi-Fi hacking. Then we will try to fight against Wi-Fi hackers. And of course, at the end of the presentation, we will discuss the recommendations. Sorry. Okay, I made a mistake. Sorry. Yeah.

So, about Wi-Fi networks. Basim was developing a tool called Wi-Fi Hunter. Basically, the idea was trying to see the Wi-Fi Pineapples around your company or around your environment, if you run it as an individual. After that, we came up with the idea that we could maybe create some sort of tool that does every single step to catch Wi-Fi Pineapples. Then we started trying to implement some tools in order to have some sort of protection against Wi-Fi hackers. As you can see here, mostly, if you're already connected to a Wi-Fi network with your phone, after that your phone will basically take a look everywhere. If Wi-Fi is on on your phone, it will look everywhere by just sending probe requests into the air to see if the access point is still there. Your phone or your laptop will constantly send these, and then it will be looking for an answer, a probe response from an access point. So if an access point that you already provided the password for, or an open access point that you have been connected to before, or any other access point with the same SSID, the same name, answers your phone, your phone will try to create an authentication request. Your phone or device will send an authentication request to the access point, then the access point will send back an authentication response, then the connection will start, with the association request and association response. After that, you will be connected, basically.
So, your access point is just sending the beacon frame, and your device will try to find the SSID that it already knows.

So, we tried to create a profile of the Wi-Fi hackers. We took a look at the field, let's say, at what they are using at the moment. Mostly, we've seen that they are creating open Wi-Fi networks in order to avoid any password authentication, because it's really easy for you to connect. And a lot of stores, a lot of places, malls, etc., are providing these kinds of open networks, so it makes sense, right? I mean, you can just connect, and then you have free internet. That's why attackers use that; you realize that's important for them. They also tend to use interesting SSIDs for rogue access points, because it will bring your attention to these access points and you will try to connect to them, like, I don't know, "coffee break"; if you sit in a Starbucks a lot of the time, you will see SSID names related to coffee, etc. So they are just creating smart and catchy access point names. Then, of course, it's really easy to create rogue access points by using the Wi-Fi Pineapple. They're also selling it here, I think. It's quite famous, and it's really easy to use, so we've seen a lot of Wi-Fi hackers using this device. They are basically performing automated Wi-Fi attacks, like collecting SSID information, creating an SSID pool, and creating rogue access points with this SSID pool. So basically they are trying to catch you by using the smart names. They're also using hostapd-mana to perform automated Wi-Fi attacks like the GTC downgrade, which is basically for enterprise networks: by using this downgrade method, you can get the password in clear text. They're also using this technique, and they are also using karma attacks, which my colleague will explain in detail later on. Then, after collecting these kinds of profiles, we tried to create a threat model for Wi-Fi.
Because, of course, the security of an object is quite associated with the other objects it's used with. So, I mean, if there's a weak point in a chain, it will be a problem for you. So we came up with this map. We are, of course, open to developing this with you guys; if you have any advice, or if you want to discuss anything on this, please don't hesitate. We focused on, let's say, roughly three points. First, the access point, of course. The second one, your Wi-Fi IDS and IPS, intrusion detection and intrusion prevention system. And, of course, the environmental threats.

So, for the access point, we realized there are some open-source tools, or open sources, let's say, where you can find your SSID, your geolocation, your password. Basically some apps, right, on Android or on iOS. When you go somewhere, if you get the password, then you're just writing it there and providing everyone the password and the location. So someone else would come there, and they can check if the password is there, and they can connect for the free internet. So we are checking for the WiFi Map leak; we basically downloaded it by using the API. So that's also a risk. Of course, the other open sources are also a risk. We are also considering the version of your access point and also the brand of your access point as a threat, because it could be vulnerable to a certain type of attack, or it could be vulnerable to, I don't know, some sort of exploit. So we also need to be aware of that; we are also considering that as a risk and a threat. And, of course, broadcast denial of service is a risk that could affect your access point, and it won't be available when this attack comes. And also, for the access point, pretty sure, we are also considering the password a threat, because if you are using a weak password, which is quite easy to crack, it's also a risk, right?
And, of course, for these access points we have users which are connected to the access points, and the user devices are also a threat for the Wi-Fi environment, because basically your phone, your laptop, etc., are saving the password of the access point. And also for the users, if someone else sends probe requests for the user, sorry, if the user sends probe requests into the air, then it might leak some sort of information about the access point or about anything else, yeah, some location like a hotel name, etc. So it's sort of... I mean, what can I say here? I mean, last year you stayed in Vegas and you didn't tell your wife, but your phone connected once, and then when you go home your phone will try to send it again, trying to find the access point of Caesars Palace; then it would be a threat if it's detected, right? So you can think about something like this. And also the karma attacks are a risk.

And for the Wi-Fi intrusion detection systems and intrusion prevention systems, we also wanted to know how secure they are or how mature they are, because, yeah, you are having them, you are setting them up, but you don't know if you set them up securely, or you are not sure if they are correctly implemented. That's why we are also considering this as a risk. And of course, rogue access points are quite a big threat for this environment, in the corporate, inside of your company, etc. And outside the corporate, the environmental threats, we will discuss later. But basically we came up with this threat map. So, we will try to fight against Wi-Fi hackers, and Bessim will continue from that point. Thank you.

I come back again. Everybody ready to enjoy the Wi-Fi Pineapple and the karma attack and some deception techniques? Before fighting against Wi-Fi hackers, we must know that all solutions don't need to be complex. So we will think basically and apply basically.
Firstly, I will explain some techniques to detect the karma attack, and in these techniques we will use three methods: fake probe requests, probe responses and beacon packets. But before detecting the karma attack, we should know what's going on in the environment during a karma attack. If you know what happens during a karma attack, you can solve everything. So, the karma attack generally uses a lot of probe responses for all probe requests. If your device wants to connect to another network and sends a probe request, and if there is an attacker in the environment, like a karma attacker, it always generates a probe response and wants to trap the client to collect a lot of information. And this is a detection method: I collected a lot of information from the air and did some analysis of these packets, and I saw some interesting information. The karma attacker sends a lot of probe responses from just one MAC address. This technique is the first method for us, and I created a tool, the name of the tool is pKarma, and pKarma can detect the karma attacker with this first method, like this. Firstly, I run my tool with the help option, and I check my interface name, whether it is in monitor mode or not, because I need a monitor-mode interface, and I set it to send the deauthentication attack when I detect a lot of probe responses from one MAC address. I send the deauthentication attack to save all clients from the karma attacker, and as you see now, it collects information from the air and detects the karma attack. As you see, this is karma attack activity: one MAC address and five probe responses to create a fake access point, and it sends a lot of deauthentication packets, as you see in Wireshark, and saves all clients. This is the first method for us. And the same as the previous method, but I will show the difference: this is a different tool, Free Wi-Fi, and it generated probe responses like the karma attack, and I can catch it again with this method. And another method for us: if the attacker creates a lot of probe responses with different MAC addresses, the first method doesn't work for us.
So we know that if we send a probe request into the environment, and if there is a karma attacker in the environment, it sends us a probe response. So if we first generate a probe request with a fake SSID and send it into the environment, and if some device sends us back a probe response with the same SSID, we can say: yes, we caught a karma attacker in the environment. For this you can use Scapy and generate a fake probe request.

Another method for us: if we know how an access point works and how the karma attack works, we can solve everything, as you know. The access point always sends beacon packets and probe responses, and the beacon packet and the probe response are the same, both generated by the access point. Beacon packets include the SSID and target information as a broadcast, and the probe response includes the same SSID and broadcast information. So if I see some information like probe responses, and I want to show you, I ran the karma attack with this computer, and I caught a lot of packets and saved them to analyze. This is hostapd-mana activity for the karma attack, and I want to show you in Wireshark: if you want to analyze some Wi-Fi threat activity in Wireshark, you can use Wireless and Wireless LAN Traffic, and you can see here a lot of information, like this one MAC address created with an SSID, a lot of beacon packets, but the same MAC address sends a lot of probe responses from just one MAC address. If you choose this and click Apply as Filter, Selected, it creates a filter for us; I will create some special filter with Wireshark. And this is a probe response, and I want to see if this is a real access point: I must see a beacon packet with this SSID, but if I cannot see a beacon packet with this SSID, I can say this is fake and this is a karma attacker, because the karma attacker cannot generate beacon packets, it generates just probe responses. Yes, as you see, I can see just probe responses with this SSID and I cannot see a beacon packet, so I can say this is a karma attacker, because there is no beacon
packet related to this SSID.

And now I will show something about Wi-Fi Pineapple detection techniques. Firstly, we must know, like for the karma attacker, how the Wi-Fi Pineapple works and what happens in the environment during an attack when a Wi-Fi Pineapple is in the environment. So we will show three methods: firstly, same-SSID analysis; secondly, beacon packets; and fingerprinting techniques for the Wi-Fi Pineapple. This is the first method to detect the Wi-Fi Pineapple. Generally, the Wi-Fi Pineapple collects all SSID information from the air: it parses beacon packets and probe requests, collects all SSID information and creates an SSID pool, and after creating the SSID pool it generates beacon packets to create a fake access point. So if you see two access points, two beacon packets, one of them encrypted and the other unencrypted with the same SSID, you can say: yes, this is Wi-Fi Pineapple activity. But you should see one more thing, and I will show a demo. I wrote a tool, and this tool analyzes a pcap file to detect Wi-Fi Pineapple activity using the first method, with the same SSID and different encryption. Now it is running and reading the pcap file. Before this, I created a Wi-Fi Pineapple and generated some activity, generated some packets for the activity, and saved them to analyze. Now it's reading the pcap file, and we should wait just one minute. This is a real demo, live. Back side, can you see? Okay. Now it's reading the whole pcap file, and I want to show my code: it analyzes all packets and gives us some information. I wrote it with Scapy, and it finds the total packets, the unencrypted Wi-Fi networks found and the encrypted Wi-Fi networks found, and as you see, it finds the same SSID but different encryption in a lot of Wi-Fi broadcasts. Now we can say: yes, this is Wi-Fi Pineapple activity in the environment. Yeah. And I will share this tool after our presentation; you can access it from GitHub.

And I want to explain another method for Wi-Fi Pineapple activity, the same as for the karma attack. This is the same as the karma attack but different at this point: the karma attack generally sends probe responses from one MAC address, but
the Wi-Fi Pineapple generates a lot of beacon packets from just one MAC address, and if you see a lot of SSIDs broadcast from one MAC address, you can say this is Wi-Fi Pineapple activity, or let's say another hacker tool's activity; the same method as with the karma attacker.

And finally, we can detect the Wi-Fi Pineapple with fingerprinting. As you know, before I began I said all solutions don't need to be complex. This is basic, but it works for us every time. For fingerprinting the Wi-Fi Pineapple: firstly, if the attacker creates just one fake access point, the first method and the second method don't work, but if you use this method and fingerprint when you connect to the network, you can detect the Wi-Fi Pineapple. How many people use the Wi-Fi Pineapple? No? I did see the sticker on your phone, yeah, okay. When I connected to the Wi-Fi Pineapple, I saw some interesting information, like the port number for HTTP, and clients and users cannot change the port number from the web UI. As you know, the Wi-Fi Pineapple is an automatic device for Wi-Fi attacks, and if users cannot change the port number from the web UI, it doesn't change; every time the Wi-Fi Pineapple uses the same port. If, when you connect to a Wi-Fi network, you check the port number, maybe you can find the Wi-Fi Pineapple. Another item: the Wi-Fi Pineapple uses a default hostname, and a lot of users don't change this feature, and you can detect it from this. And when you connect to the network, if you check for DNS spoofing, maybe you can say: yes, it could be a fake access point or a Wi-Fi Pineapple. I have a demo for this. I developed a tool, the name of the tool is pFinger, and as you see, firstly I check my interface in client mode, not monitor mode, and I type my interface, sorry, and as you see, I find the port number as true, and the manufacturer information and other check information to detect the Wi-Fi Pineapple and fake access points. When I detect the port number is true, I visit it from the web browser like this: yes, we caught the Wi-Fi Pineapple; it is correct for us. You can try if you have a Wi-Fi Pineapple, or
if you don't have any Wi-Fi Pineapple, just connect to one open Wi-Fi network and check these features, these options. And we thought: what if the attacker uses other Wi-Fi Pineapple techniques? For this, we developed a new tool, the name of the tool is pOpen. As you know, firstly my co-worker explained the Wi-Fi hacker profile, and the Wi-Fi hacker generally uses an open Wi-Fi network when they want to create a fake access point. In this screen, as you know, firstly pOpen detects all open networks in the environment; after detection, we can connect automatically with the external or internal Wi-Fi adapter, and after connection we must do some fingerprinting techniques. Firstly, you should know some Wi-Fi hacker profile information: generally, when a Wi-Fi hacker wants to create a fake access point, they use DNS spoofing, or open Wireshark, or use ARP spoofing, like this, and generally every access point has one web interface with a username, admin. When I connect to the network with pOpen, after detecting the open networks, I check this information like for the Wi-Fi Pineapple: if I want to check for a Wi-Fi Pineapple, firstly I check the default configuration with the same pFinger techniques, and check other information, like DNS spoofing. If there is DNS spoofing or ARP spoofing, you can say: yeah, it could be a fake access point, because it is abnormal, not normal; it is not normal if you see DNS spoofing or ARP spoofing in Wi-Fi networks.

And this is another technique, for deception. If there is an attacker in the environment, you can run this deception technique against the hackers. As you know, Wi-Fi hackers generally use hostapd-wpe to create an enterprise fake access point. When they create the enterprise fake access point, you can send a lot of fake information with fake usernames, and when the attackers see all the users wanting to connect to the fake access point: wow, what the f***. I have a demo for this. As you see, this is the attacker's machine, and it creates a fake access point with hostapd-wpe, and this is the blue team's machine, and it creates fake connection requests to the enterprise access point, and as you see, it always sends fake
connection requests, and on the attacker's machine you can see the fake requests. Okay. And the name of the tool is pTrap; as you see, it creates a lot of fake requests to the enterprise network, and if there is an attacker in the environment, you can confuse their mind, yeah, you can confuse the hacker.

And another deception technique, for the Wi-Fi Pineapple and for the karma attacker: this is Pinocchio. John, if it's possible, can you explain Pinocchio? No? Okay. This tool firstly collects all SSID information from the air and can parse all MAC addresses and all MAC address and SSID information from probe requests. After parsing all the information, you imagine this is a proxy on the air: it collects all the information, changes all the SSIDs and sends them again to the environment, to the air. If the attacker is in the environment, you can put a lot of fake probe requests, like "I am rogue, turn off Wi-Fi" and "fake access point, dangerous Wi-Fi", into the SSID pool in the Wi-Fi Pineapple, you know. And if you generate probe requests with SSIDs like this, the karma attacker always generates probe responses with them, and when you check your phone, like this, and check your computer, you can see a lot of information, and the attacker informs you: "I am the attacker". The attacker always informs the users in the environment. This model just collects SSID information, changes all the SSID information and sends it with the same MAC addresses to the environment, and if there is an attacker in the environment, you can see it like this, and the attacker informs you about the attack.

And other threats for us: as you know, John explained something when talking about the Wi-Fi attack map. These are threats for us: the deauthentication attack, hidden Wi-Fi networks, SSID brute force, similar SSIDs, open networks and interesting SSIDs; all of them are threats for us. We created a tool, the name of the tool is pDance, and pDance can detect and monitor all environmental threats. An environmental threat is not a direct threat to your company; we should think it could be a threat, maybe next time, but not now. So if you see a lot of deauthentication packets in the environment, you can say maybe a hacker is trying to collect handshakes, and
maybe a hacker is trying to jam to disconnect all clients from the networks, and maybe a hacker is trying to trap clients with the rogue access point, always disconnecting clients from the real access point. Yes, it could be a threat for us; not now, but maybe next time. Another threat for us: interesting SSIDs. As you remember, John explained this feature when talking about Wi-Fi hacker profiling: hackers generally use interesting SSIDs, and, sorry, if you see a lot of information with interesting SSIDs in the environment, not directly a threat to you, you can say: yeah, it could be a threat, and it could be a hacker here, because we see a lot of interesting SSIDs in the environment. Another threat for us: similar SSIDs. If you have a company and broadcast some SSID like "Barikat"... can you explain this, John?

Basically, if you are using a name with capitals, and someone else creates it with some lowercase characters, or if someone else uses, I don't know, "4" instead of "A", or "@" instead of "A", like this, yeah, it's quite likely that you might connect to these networks, because you already know the original name, and if you are drunk, or if you are not paying attention, it's likely you'll connect to these networks. Thank you.

And finally, a threat for us among the environmental threats: how many people know the malicious cable and the WHID injector? How many people? As you know, when you plug these devices into your computer or some client's computer, they create a hidden network for you, and you can connect to the hidden network and hack clients. So this is a threat for us; we should monitor all hidden networks, all hidden Wi-Fi networks, to detect this activity. If you detect some hidden network in your environment, and maybe if you analyze it and detect the real name of the hidden SSID, maybe you can detect a malicious cable in your company, or a malicious WHID injector, like a USB, like this. This is just an example; it could be other devices. And as I said, we created a tool in Wi-Fi Hunter; if you use this tool, it can detect all of them: hidden SSID information, same SSIDs
and deauthentication attack density, like this. And now we have no recommendations, yeah. If you have a Wi-Fi Pineapple, please turn off your Wi-Fi Pineapple and give it to us. Okay, thanks to all Wi-Fi hackers. Thank you for listening to us.
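The three passive checks the speakers describe above (a karma responder sends probe responses for SSIDs it never beacons; a Wi-Fi Pineapple beacons the same SSID a real network uses but without encryption; one transmitter beacons a whole SSID pool), written out as an added example that is not part of the talk or of the Wi-Fi Hunter tools themselves. It parses raw 802.11 management frames with only the Python standard library instead of Scapy, so the frame builder, the sample traffic and every MAC address and SSID in it are constructed here for illustration; on a real capture you would feed it the 802.11 frames from a monitor-mode pcap.

```python
"""Detect karma-style probe responders and Wi-Fi Pineapple style SSID pools
from raw 802.11 management frames. Added example; standard library only."""
import struct
from collections import defaultdict

BEACON, PROBE_REQ, PROBE_RESP = 0x8, 0x4, 0x5   # management-frame subtypes
PRIVACY_BIT = 0x0010                              # capability-info bit: BSS uses WEP/WPA/WPA2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(subtype, src, ssid, privacy=False):
    """Constructed sample frame (not a capture): 24-byte MAC header, the fixed fields
    a beacon/probe response carries, then a single SSID information element."""
    fc = struct.pack("<H", subtype << 4)                      # type 0 (management), subtype in bits 4-7
    hdr = (fc + b"\x00\x00" + mac_bytes(BROADCAST)            # duration, addr1 (receiver)
           + mac_bytes(src) + mac_bytes(src) + b"\x00\x00")   # addr2 (transmitter), addr3 (BSSID), seq ctrl
    body = b""
    if subtype in (BEACON, PROBE_RESP):
        body += struct.pack("<QHH", 0, 100, PRIVACY_BIT if privacy else 0)  # timestamp, interval, capabilities
    return hdr + body + bytes([0, len(ssid)]) + ssid.encode()              # SSID IE is tag 0


def parse_frame(raw):
    """Return subtype, transmitter MAC, SSID and privacy flag, or None when the frame
    is not one of the three management subtypes the detectors look at."""
    (fc,) = struct.unpack_from("<H", raw, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (BEACON, PROBE_REQ, PROBE_RESP):
        return None
    src, off, privacy = mac_str(raw[10:16]), 24, False
    if subtype in (BEACON, PROBE_RESP):
        (cap,) = struct.unpack_from("<H", raw, off + 10)       # capability info follows timestamp + interval
        privacy, off = bool(cap & PRIVACY_BIT), off + 12
    ssid = None
    while off + 2 <= len(raw):                                  # walk the tagged parameters
        tag, length = raw[off], raw[off + 1]
        if tag == 0:
            ssid = raw[off + 2:off + 2 + length].decode(errors="replace")
            break
        off += 2 + length
    return {"subtype": subtype, "src": src, "ssid": ssid, "privacy": privacy}


def analyse(frames, pool_threshold=3):
    """Apply the three checks from the talk to a list of raw frames."""
    beacons = defaultdict(set)       # transmitter -> SSIDs it beacons
    privacy_seen = defaultdict(set)  # SSID -> privacy flags seen in beacons for it
    responses = defaultdict(set)     # transmitter -> SSIDs it sends probe responses for
    for raw in frames:
        f = parse_frame(raw)
        if f is None or f["ssid"] is None:
            continue
        if f["subtype"] == BEACON:
            beacons[f["src"]].add(f["ssid"])
            privacy_seen[f["ssid"]].add(f["privacy"])
        elif f["subtype"] == PROBE_RESP:
            responses[f["src"]].add(f["ssid"])
    # Karma: a transmitter answering probes for SSIDs it never beacons (the Wireshark check)
    karma = {src for src, ssids in responses.items() if ssids - beacons.get(src, set())}
    # Pineapple, method 1: the same SSID advertised both encrypted and open
    mixed = {ssid for ssid, flags in privacy_seen.items() if flags == {True, False}}
    # Pineapple, method 2: one transmitter beaconing a whole SSID pool
    pool = {src for src, ssids in beacons.items() if len(ssids) >= pool_threshold}
    return {"karma": karma, "mixed_encryption": mixed, "ssid_pool": pool}


def sample_frames():
    """Constructed traffic: a legitimate AP, a karma responder and a pineapple-style SSID pool."""
    legit, karma_src, pine = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"
    return [
        build_frame(BEACON, legit, "CorpWiFi", privacy=True),
        build_frame(PROBE_RESP, legit, "CorpWiFi", privacy=True),   # normal answer to a directed probe
        build_frame(PROBE_REQ, "aa:aa:aa:aa:aa:aa", "HomeNet42"),   # client probing for a remembered network
        build_frame(PROBE_RESP, karma_src, "HomeNet42"),            # answered, but never beaconed
        build_frame(PROBE_RESP, karma_src, "Caesars-Guest"),
        build_frame(BEACON, pine, "CorpWiFi", privacy=False),       # open clone of the corporate SSID
        build_frame(BEACON, pine, "Free Coffee WiFi"),
        build_frame(BEACON, pine, "Hotel Guest"),
    ]


if __name__ == "__main__":
    for name, hits in analyse(sample_frames()).items():
        print(name, sorted(hits))
```

Two caveats a practitioner would want before alerting on this. A legitimate access point with a hidden SSID beacons an empty SSID and answers directed probe requests with the real name, so the karma check above will flag it unless you first whitelist transmitters whose beacons carry an empty SSID. And a multi-SSID controller (guest plus corporate networks on one radio) legitimately beacons several SSIDs from one transmitter, so `pool_threshold` should be set above your own radios' SSID count. The talk's second karma method, sending a probe request for a made-up SSID and watching for a response, needs frame injection and is not part of this passive example.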