Hi everyone. Is the sound okay? Yes. Everybody can listen? Okay. My name is Andres, and this is a brief introduction of myself. It's not really interesting, so I will skip it. But the important thing is, we are here to talk about Wi-Fi fingerprinting. Okay. We want to fingerprint devices. So this is the first part of a pentest, or to seek for a target. So I think it's really important, and it's also important, as we are defending our network, to understand what we are exposing to the air. Because we used to think that Wi-Fi networks were an access point and some devices connecting to it. But nowadays the protocol has changed and it's quite difficult to know the boundaries of a network. And also it's an interesting way of how to bypass MAC randomization, that is something vendors are implementing to protect a user from being tracked. But in some cases this is not working as expected. So I will show some examples of this.
Also, an important thing I want to focus on is explaining that if we are connected to an open network and our traffic is not encrypted, it's quite easy to fingerprint a device, because we can see DNS traffic, we can see HTTP traffic, and we can see a lot of traffic that is not encrypted. So it's quite easy to identify and fingerprint a device. Like if you grab the user agent from HTTP traffic, you can get the OS and other stuff on a computer. So it's quite easy. But if you are connected to a secure network, you are almost not leaking any traffic. Or let's say you have a device that is not connected to a network. How can I fingerprint a device that is not connected? So we are going to focus on management frames only, and on some of those management subtypes in specific. So I'm going to talk about some specific protocols or extensions on Wi-Fi. The first one is WPS, that is called Wi-Fi Protected Setup. It has had some vulnerabilities in the past. But here we are going to focus only on fingerprinting devices.
So I don't know if this is the best screenshot I can get, because it's not really clear. But this is an access point. And as we can see here, the access point is leaking the model, the version, the vendor. It's giving a lot of information in the probe response frame. So this is leaked every time an access point is queried with a probe request frame. It will reply with this, and you will get a lot of information on the target. And maybe if you get the model or a specific version, you can know that it's vulnerable, and then you can target it for an exploit or something else. I'm going to go really quick because it's only 20 minutes. And then if there are questions, please ask me after the talk, so I can answer everything you want, and I can also do a live demo afterwards.
This is CCX. If you have worked with a Cisco Aironet, this is an extension that was used by default on most Cisco Aironet networks. And this is a portion of a text in the manual. And it's really, really great for us, because it says that Cisco Aironet sends an information element on the beacon frame that, as we all know, the beacon frame is sent every single time in the air. And the information element, that is a portion of the beacon frame, the tag with the number 85 in hex, contains the access point name that is internal for the network administration, the load of the access point, the number of associated clients, and so on. I'm not sure what the "so on" is, but apparently it's also giving more information. And then it also says that if someone is doing roaming, moving from one access point to another in the same network, and it sends an association request with this tag, the access point is going to reply to you with an association response frame with the tags 89 and 85. And this can contain the controller IP address. So now your access point is giving to anyone that is looking around the IP address of the controller inside the network.
So again, sorry about this, I don't know if someone could read that or not. Sorry, I can show it afterwards. In this case, this is a beacon frame, and we see the information element, and we see the name and the number of clients that this access point in particular has connected to it. Again, the name of the access point I think is really useful, because when we're going around and doing wardriving, sometimes the administrators of the network define the access point name such as "IT access point" or "second floor access point". And you can get an idea where the access point is, in fact without GPS also. So it's really good information to make context of what you're dealing with.
Then Wi-Fi Direct, that is another extension. It was designed by the Wi-Fi Alliance, and it's designed so we can connect directly without needing to have an access point. So if someone wants to share something with my phone, I can connect phone to phone without having an access point. This one also gives a lot of information. In this case, most devices supporting this are Android mobile devices, TVs, printers. There are a lot of devices that support this. Windows desktop machines support it. So you get a lot of information. In this case, we can get the name and the model of a TV that has support for this protocol. The important thing here to understand is that Wi-Fi Direct needs an active scan. It doesn't work if you are doing passive reconnaissance. So it needs you to send some frames to get this information. But again, this information can be gotten by anyone.
Then we have HP. HP has decided to, besides supporting Wi-Fi Direct on most printers, scanners and office devices that they design, they also added a custom information element that they are sending through the air that has the serial number of the printer, the IP address that the printer has where it's connected to. Again, Wi-Fi Direct is a protocol that can be used to connect directly to the printer.
But if your printer is connected to a wireless network and you connect with Wi-Fi Direct to the printer, it could be used as a bridge to connect to the network it's connected to. And let's say you are not using Wi-Fi with the printer, because you say that it's insecure and you only use an Ethernet cable. But if you don't disable Wi-Fi Direct, that again is on by default on the printer, your printer can be a bridge to your wired network. So again, wireless is not only about access points; you can have devices that support wireless that could be acting as an access point or as a bridge to a network. This information element is not processed by Wireshark, but I released a tool with which you can get all the information from this information element, and I explain how you can reverse it or parse it.
Then we have this one, that lately has a lot of people looking into it. It's the Apple Wireless Direct Link. It's used by AirPlay and AirDrop. So if you have an Apple device and you have Wi-Fi and Bluetooth on, your device is going to be sending a lot of information into the air, so if you have a friend nearby you can share some information. This one has something really interesting, because this hasn't been fixed in a long time. I've been speaking about this for, I think, a couple of years, and Apple is always saying that it's protecting the users, and they are trying to do MAC randomization, for example, so you cannot be tracked in a conference or any place you are. But there, I don't know if it can be read because it's a little bit small, but it says the transmitting address or the source address is the random MAC, so you cannot be tracked. But in this action frame, that is not encrypted and is sent for anyone to read, inside the frame it says device ID, and there is the real MAC. So you create MAC randomization, you add this feature, and you broke it, like it doesn't work.
And in this case in particular it's for AirPlay and it's affecting Apple TVs. But as you can see here, this is an iPhone, and the iPhone, with AirDrop, is doing almost the same. So it's sending your device name into the air. So if you have a particular name like "Andres iPhone", it's going to say "Andres iPhone" with all the random MACs, so I can continue looking into it, and I can continue tracking you and knowing all your random MACs that you have leaked into the air. So again, MAC randomization with Apple AirDrop or AirPlay is not working as expected.
So let me see how I'm doing with the time. Okay, I'm good. As far as here, any question, any brief question I could answer? No? Wi-Fi Direct, it's active. These are passive, but if you want to force it, maybe you need to do something active. The Apple protocol requires sending some Bluetooth, BLE, beacons to be activated. So if you have another device nearby it's going to be activated, but if you don't have a device you need to force it. But the CCX is passive. Yes, you can do something active, but I can tell you afterwards; it's sort of a vulnerability, more or less. I will explain it later.
So how can you find this stuff and understand what is going on and look into these custom protocols? So there's a lot of them. Okay, so these are only some of them that I looked at, but I'm looking into more of them, and there's a lot, a lot. Vendors are extending the protocol and leaking a lot of information into the air. Management frames are not encrypted, and they cannot be encrypted, because it's the way the protocol works, so there's no fix for this. So we have three different places where we can look for these protocols. We can look in firmware, for example printers, embedded devices that support Wi-Fi. We can look in the kernel. I'm going to show two examples of kernels, but usually the Linux kernel, a kernel module, or a kernel extension of macOS.
Also Windows. I haven't looked into Windows yet, but I think that they are not so difficult either. And then you have userland applications. I will show one, that is the HP case, that is the more interesting one, sorry.
So this is quite difficult to read again, but in this case I'm looking into the IO80211Family kernel extension. Again, this is a module that you can find on iOS devices or macOS, and it's almost the same on iOS and on macOS. So if you want to reverse it, you need a Mac and you don't need an iPhone. Let's say you are looking into iOS and you want to look into an iPhone, but you don't have a jailbroken device. So you can look into macOS, where the kernel extension is there; you can grab it with root privileges and then you can reverse it, and it's almost the same. So if you want to look into this, it's easier to look at it on macOS than on an iPhone, unless you have a jailbroken device. But this is a function on a particular class that is called IO80211 [unintelligible] AWDL Peer, that is doing all the direct link stuff and all the functions that are dealing with the parsing and other stuff. There have been some vulnerabilities also reported here; you can look on the web, there is some stuff there. I think there are more vulnerabilities. I have some ideas, maybe I will share them in the future.
Then this is hostapd. As some of you maybe know, hostapd is a userland application that does a lot of parsing on the 802.11 protocol on Wi-Fi, mostly on routers, Android, Linux devices. And again, because we have a specific license on hostapd, a lot of vendors extend the protocol modifying hostapd and adding their specific features. It's really, really, really tiny here, but here it says "AirTies". AirTies looks like a vendor that is giving some measuring information into the air.
I recently started reversing these drivers, so I don't have more information, but this is just to show you that there's a lot of information we can process just reversing some drivers or firmware.
And this last one, let me check my time, okay, and this last one is the HP one. It's weird, because I never found something on Wi-Fi with Java, but in this case this application for HP only works on Android devices. So if you have an Android device and you have the HP application to connect to a printer and print directly from your phone, you have this application that will ask the Android OS to give it all the beacon and the probe response frames and the Wi-Fi Direct frames (they are probe responses, but with little modifications), and then it's going to parse the header in the Java application. So if you find something wrong in the Java application, I don't say it has something wrong, but if you find something wrong, you can maybe attack the application directly with Wi-Fi frames; you are attacking directly the application. In this case I decompiled some code and I was able to reverse the protocol HP printers were customizing. They give a lot of information, it's amazing; they send this in a management frame.
So future work: there's a lot of things, anyone come grab and look into it. WPS has something called vendor and application extensions that, when I was driving, I found a lot of devices that are leaking information there. There's also the Wi-Fi Direct service discovery, that again is something useful, because you can ask the device what type of service they are providing, so again you can fingerprint based on the service that they are providing. Remember that everything is without authentication, okay. The device is there and you talk to them; no authentication needed. Then you have Wi-Fi Display. There is something about an Aruba network, that they are sending some custom frames. It looks like they are used to manage the network. I haven't looked into that, but they are pretty big frames; I'm not sure what they have. And again, there are many other information elements that you can look into.
So I'm going to show a brief demo of an application I wrote. This application is not a replacement for the other tools you usually use; it's not a replacement for Kismet, for aircrack or for bettercap. It's just a complement, okay, you can use it. This application is going to parse all the frames that it finds with extra information, with the protocols, and it will give you this information in a way you can later parse it and add it to a report, or maybe a plan for when you are doing a Wi-Fi pentest or something like that. So I will try to do a demo. It's not going to be a live demo, because before starting the talk I checked what devices are here, and there are not so many devices with these protocols. But I walked around the hotel before the talk and I have some captures that we can use as an example. But if you download the tool and you test it yourself, you will see that there's plenty of devices around us that are using these protocols, and you can get a lot of information from them.
So this tool I wrote can receive a pcap file, or it can read directly from the Wi-Fi card in monitor mode. It has only one active mode, that is the Wi-Fi Direct mode, because again you have to send something to the device to get the information, but all the other ones are in passive mode. So here I only put a couple of devices, so we can see what type of information we can get. In this case, this printer, maybe you have seen stuff like this, like "DIRECT-HP Office something", there are printers, and as Wi-Fi Direct requires WPS to work, it's going to leak in two different information elements. You're going to get information in the Wi-Fi Direct information element and in the Wi-Fi Protected Setup information element. So in this case we don't get so much information; the serial number is zero, the version, the model name is zero. So we are not getting too much information; we only get a little bit of information from the SSID. But if we go here, and we see here that this is the module of the HP printer, the vendor-specific one, we can see that they are giving you "USB connected", so we now know that the printer has USB connected. We also know the model, the product ID, the serial number, and this IP address here is the IP address of the printer that is connected as a Wi-Fi station to an access point. So this printer is connected to a computer via USB, and it's also a Wi-Fi station connected to an access point. So if you connect to the printer, let's say you connect with Wi-Fi Direct and you exploit the printer and you get access to the printer as, let's say, root (it's not root, but something more or less), and you get access to this, you will be able to maybe pivot to the USB device that is connected to the printer and maybe attack that, or you can get access to the local network. So maybe you have a really secure network, WPA3 with a really hard, difficult password, maybe you're using any protection you want, but if your printer is going to be the entry point, you have some trouble there. So again, all this information they are sending every single time into the air. You can do it passively or actively; the HP printer is sending it to me passively, in every beacon they are sending this information.
Then we have the CCX here, Cisco client extension, and this is from a hotel nearby. It says the access point name, it says how many clients are associated to this particular access point. Again, this information is public; you don't even need to interact with the access point, it is sending it through there. Then we have this one, this is an Apple TV. The Apple TV is giving a lot of information. Here, the MAC address is the random MAC address, and as we can see, this one here says device ID, and this one is the real MAC address. So that is not working as expected. And you also have the model, and here it says that it is an Apple TV, I think this is fifth generation, not really sure, but from this information you can also know maybe the version they are running. And here you have an iPhone. I don't know what country code this is, because it's also leaking the country code the device is set to. And here it has a MAC address. I'm not really sure what this MAC address is, but I'm going to research into it; maybe the iPhone is also leaking the real MAC address of the device. So if this is true, iOS has MAC address randomization broken. On iOS 9 this was broken, because they were giving the real MAC address inside the frame, but then after iOS, I think 10, they fixed it, and I think this is new, so I think they put the bug back inside again. I'm not really sure, but I have to look into it.
So this was, it's not a live demo, but if you want a live demo after the talk I can show you. I have another computer; this one doesn't work really well with my Wi-Fi card. But this is it. So any questions? No? One last thing I forgot to say is, remember that every single custom protocol that is in the air is extending the attack surface of the device. If you have AirDrop, AirPlay or any other protocol and there's a vulnerability for that protocol, you can get in. So it's not about only leaking information, it's also about extending the attack surface and being able to find new vulnerabilities in the parsing code. So it's getting chaotic, the protocol. So again, we should look into it more deeply.
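As an added example (not the speaker's tool, and not code from the talk), here is a small parser for the beacon and probe-response fields the talk walks through, the CCX tag 0x85 AP name and client count and the WPS attributes (manufacturer, model, serial), written so a network owner can audit what their own access points and printers put in the air from a capture. The CCX field offsets are assumed from the public Wireshark dissector, and the frame body below is constructed, not a real capture.

```python
import struct

# Assumed CCX 0x85 layout (per the public Wireshark dissector): 10 unknown bytes,
# 16-byte NUL-padded AP name, 1-byte client count, 3 unknown. WPS IDs per WPS spec.
WPS_ATTRS = {0x1021: "manufacturer", 0x1023: "model_name", 0x1024: "model_number",
             0x1042: "serial_number", 0x1011: "device_name"}
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"   # Microsoft OUI 00:50:F2, type 4 = WPS

def parse_ies(body: bytes):
    """Yield (tag, value) for each IE after the 12-byte beacon fixed fields."""
    off = 12
    while off + 2 <= len(body):
        tag, ln = body[off], body[off + 1]
        val = body[off + 2:off + 2 + ln]
        if len(val) < ln:        # truncated IE: stop instead of misparsing
            break
        yield tag, val
        off += 2 + ln

def parse_ccx_aironet(val: bytes):
    """Tag 0x85: internal AP name and number of associated clients."""
    if len(val) < 27:
        return None
    name = val[10:26].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"ap_name": name, "clients": val[26]}

def parse_wps(val: bytes):
    """WPS vendor-specific IE: big-endian TLVs (2-byte ID, 2-byte length, data)."""
    if not val.startswith(WPS_OUI_TYPE):
        return None
    out, off = {}, len(WPS_OUI_TYPE)
    while off + 4 <= len(val):
        aid, ln = struct.unpack_from(">HH", val, off)
        data = val[off + 4:off + 4 + ln]
        if aid in WPS_ATTRS:
            out[WPS_ATTRS[aid]] = data.decode("utf-8", "replace")
        off += 4 + ln
    return out

def fingerprint(body: bytes) -> dict:
    """Collect the identity fields leaked by one beacon/probe-response body."""
    found = {}
    for tag, val in parse_ies(body):
        if tag == 0x00:
            found["ssid"] = val.decode("utf-8", "replace")
        elif tag == 0x85 and (ccx := parse_ccx_aironet(val)):
            found["ccx"] = ccx
        elif tag == 0xDD and (wps := parse_wps(val)):
            found["wps"] = wps
    return found

# Constructed sample body (not a real capture): SSID, a CCX 0x85 IE and a WPS IE.
def _ie(tag, val): return bytes([tag, len(val)]) + val
def _attr(aid, data): return struct.pack(">HH", aid, len(data)) + data
SAMPLE = (bytes(12) + _ie(0x00, b"HotelGuest")
          + _ie(0x85, bytes(10) + b"AP-2ndFloor-IT".ljust(16, b"\x00") + b"\x07" + bytes(3))
          + _ie(0xDD, WPS_OUI_TYPE + _attr(0x1021, b"ExampleVendor")
                + _attr(0x1023, b"WR-1000") + _attr(0x1042, b"SN000001")))
print(fingerprint(SAMPLE))
```

To run it over a real capture, feed each beacon or probe-response frame body (the bytes after the 24-byte 802.11 header) to fingerprint(); anything it returns is what the device is announcing to everyone in range.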