Hello, everybody. Thank you all for coming. I want to apologize again for the safety inspection snafu we had today, and we really appreciate your patience in not fucking up the hotel. Security actually came by and said, hey, they didn't do anything for the last two hours. That was pretty cool. I said the day's young.

So just a couple of real quick warnings. Like I said earlier this morning, please do not hack the fire system. This is a hotel; that would be very bad, because if there actually is a fire and people don't know about it, then people could die. That'd be very bad. So please show some restraint.

All right, let's get this thing started here. Okay, so again, apologies for all the delays and everything. I think the only people actually making any money off this whole thing are the telephone companies trying to round up all the speakers. Okay, we are at least some of the Church of Wi-Fi. Basically, let's get this going here. Come on. Yep, okay. If anybody has a good deal on a new laptop, I'd really like to hear it. There we go.

Okay, so the Church of Wi-Fi, just a quick background here. Oh, to my left, this is Thorn. Over here we've got Hikari. Apparently you brought a cheering section. Okay, I'm Renderman. Okay, Church of Wi-Fi: basically we were founded by Blackwave, who is well known within the wardriving community. Basically, it was a joke site that started off and just kind of grew and became this whole thing. The idea was just a place that people could put their wireless projects so that they could collaborate, just get the information out there, because there's a lot of guys working on stuff in their basements that just never sees the light of day, and it's really cool stuff out there. Why not give people a platform to get it out there?
Anybody can join, so if you've got some project in the back of your mind that you want to get some help on, or just collaborate with other people of similar interests, just hop on there and see what people are posting. We just want ideas. You know, ideas are cool; ideas are what this whole community runs on. This is our currency; this is what we trade and share. You know, this is really cool. We got lots of good ideas out there. Let's use them.

Yeah, man, and I think I locked up. Yep, I really need a new laptop. Though she went down hard. Yeah, that was bad. Okay. Yes, but there's also Linux on there. You got to deal with the devil sometimes. At least it's not Vista. This thing would not run Vista, believe me.

All right, so I'm gonna try to remember what my slides were here and we'll just go from that. Basically what we're here for today is just to show you some of the new stuff that we've developed since ShmooCon. We had a really good time there, showed off some new stuff, you know, got some really nice shirts. Thank you, Bruce. And I just wanted to elaborate on what we did there and how we've expanded in just the last few months. Okay, I hope nobody was filming that. Okay, that's gonna be seconds here. Yes, I suck. You can blame me later. What's that? Does anybody have a really big hammer? Okay, I'm burning up time here. Okay, how you doing? You want to... You might give it a shot. Okay, we're gonna like sort of bounce to the end here.

One of the things we developed for ShmooCon was in coWPAtty. There was always the ability to just take the WPA-PSK key exchange hash, run it against a dictionary and just, you know, see if we have that. Okay, I'm really sucking up here.
I do have to apologize. All right, so basically what we did was coWPAtty. Previously you had to feed it the four-way handshake, feed it the dictionary, and the computer would sit there just cranking away at hashing out all those dictionary words, and if it eventually found the same hash as what you had captured, you'd know the key. Well, there's this whole time/space/memory trade-off that a lot of groups are now using. It allows you to just do all this work once to get the information hashed out and into a table, and then every time you calculate from that SSID, you're good to go.

Okay, so unfortunately Dutch couldn't be here. Here's one of the other members that we're hoping to be here. Is anybody else on the Church of Wi-Fi site? Anybody around here? I know Mother is down here. Yes. Oh, there's a few others. All right.

Okay, here's what we've been up to. The Church of Wi-Fi WPA lookup tables: seven gigs of pre-hashed passwords for the top 1,000 SSIDs from WiGLE, now online as a torrent, and if you talk to Thorn afterwards, we've got it on a removable hard drive. You can suck it off to your laptop if you like. Basically, the demo that we did at ShmooCon had my laptop running coWPAtty, normally doing 12 keys a second. You do a pre-hash of all that information on a much faster computer, you bring it back, and now we were doing it somewhere in the order of 18,000 keys a second. So three orders of magnitude increase. So these are really useful things.

The Evil Bastard was another thing that we released, which is an attempted man-in-the-middle modified WRT, which is a real favorite toy of ours. Unfortunately Dutch was supposed to be here and he was supposed to bring it, and we haven't found him yet. So if somebody knows where he is, please wake him up. We hopefully have the Evil Bastard around the rest of the weekend here; we can give you a demo on that.

Another update is KisWin. How many of you have played with KisWin? A couple back there.
It's the Windows Cygwin port of the Kismet client. I've been maintaining this, and in all my talks with Dragorn and everybody who was involved in it, we're just appreciating this until newcore comes out, because the only changes he's making at this point are just minor driver tweaks, not anything that affects it. So don't go looking for any new updates until that's out, but I do have it on good authority from Dragorn that he's looking at finally getting the new client running within about the next month. So hopefully we'll have a newcore release by the end of the summer.

We've been busy. One of the things that came about on the NetStumbler and Church of Wi-Fi forums has been the advent of the headless wardriver. I know that there's been various efforts for car computers and everything to try to get just a simple computer: you plug it in, it fires up, starts scanning immediately. Well, Beekman was a really brilliant guy who came up with a way of doing this just on a modded WRT. We've also got some information about the Sneaky Bastard, which is the project I came up with. Also going to throw out a concept to you guys, a concept of a wireless virus based in hardware. Really curious to see where this goes. I think it's going to be the next vector for wireless attacks. Bigger, better, faster WPA cracking: I'm never happy, I always want bigger and better tables. This guy can attest to it; he saved my butt a few times. WPA is a good target, but we kind of went for WPA2. It's a little more fun. I'm kind of rushing here, but...

Headless wardriving. Everybody's got their laptops sitting in the front seat when they're out wardriving. They've got their rigs.
I've got the antenna on the roof and everything. I wanted to see something; I've always had this dream of something you could just give to your grandmother and say, here, plug this into the 12-volt cigarette lighter, away it goes, you know, give me the thing back, and all your information's on the card. What you need is GPS, storage, something to power it. It's surprising I had not seen any before Beekman came around and started pioneering this project. There have been small embedded PCs and everything like this, but using a WRT, which is cheap, plentiful, and you can get them anywhere, it just makes a nice tight little package and it fits beautifully on a dash.

A couple of guys, Beekman, King Ice Flash, Mother, Scourge, they all stepped up. They all did their own variations on things. We've actually got a couple of them up here; you can check them out afterwards. Beekman has ported GPSD over to the MIPS processor on the WRT, so that was the major hard work that's been done. That's going to be an ipkg package available on his site if you just Google for it. I believe we're also going to have that on the Church of Wi-Fi site; I told him to upload that, I don't know if he has yet or not. His first one: small GPS, SD card. It was an external GPS unit. Logs are saved to an SD card. He's just basically pioneered everything. It's got rough ipkg packages, and he's also working on a backup power circuit so you don't lose connectivity or GPS lock when you're moving it between the vehicle and home and everything.

Picture here. This is how it all started: just cheap eBay parts, a little soldering, nothing truly groundbreaking. It's just nobody ever seemed to have put it together before. If I'm wrong, please prove it to me, but I don't know.
I just think it's really cool. You see the SD card up in the back corner by the power plug, and the GPS hookup right in between the WAN and Linksys switch port one.

King Ice Flash, who was kind enough to send me his version so you have it here on site: he has a temperature-controlled heat sink on this thing, because his was always overheating. He wanted something, so he's got a nice little fan on the CPU heat sink, the whole nine yards. This guy has a CO2 laser milling machine in his basement, the lucky bastard, and really cut this absolutely beautiful hole in the case for the SD card mod. You can take off the other case; you don't have to, you know, wiggle everything out or anything like that. I could pop it open afterwards; you can take a look. It's really nice. Internal GPS, so as long as this thing's just sitting on a backpack, a shelf, or your vehicle or something, it's just good to go. It's quite literally what you could just give grandmother and say, here, plug this in, you know, pop out the card and give it to me afterwards, and there'll be data. There's a picture of some of the internals here. That's the really nice hole that he cut. I can't tell you how envious I am.

Mother, who is kind enough to bring his unit, went even a step further, and all of the GPS, SD card, and even put GPRS backhaul onto this thing, all on a custom circuit board that just plugs right in and away it goes. You really need to start putting that in a kit, because I want one. As you see here, you don't see a lot of the wiring; it's all buried underneath, but, you know, he etched his own board.

I just love these things, because this goes to show one person gets the idea, other people just grab it and run with it. This is the kind of development that needs to happen more and more. You get a really good idea, it works, you know, just collaborate, share, because there's somebody else on the other side of the world who's probably got a better idea, or, you know, in a lot of cases, I find they've already figured out the solution but are looking for the problem.

Oh, there we go. Oh, shot right to the end. Okay, I suck. Yeah, okay, I'm just gonna switch over to the other laptop here and you can see some of the data that we've pulled off of one of these headless units. Yeah, let's worry about it later. We're a little pressed for time here. There we go. So yeah, this is just the SD card that we yanked out of King Ice Flash's, you know, had it running about 10 minutes for the talk, and you see we've got full data. We don't have GPS because obviously we're indoors and we're not going to be getting signal. But, you know, it's just that easy: all your Kismet logs come out on the data card, ready for submission to WiGLE. So yeah, it worked.

Okay, the Sneaky Bastard was a project that I came up with when I had way too much time on my hands and way too much crap lying around. Invent Geek, inventgeek.com, has all sorts of interesting projects on there. They put an LCD panel on the side of a case and just other kind of make-like projects. They had a rogue server where a guy took a UPS and shoved a Linksys NSLU2 network hard drive NAS unit and an external hard drive into this case, you know, the idea being, so, you know, your evil MP3 collection, well, you can just stash this inside of a UPS case and, you know, the feds will never find it when they're raiding you or something. I thought it was an interesting idea, but, you know, the whole idea of just storage just didn't make a lot of sense. However, if you have a rogue access point inside of this case, this is a much better platform.
I think, than just for storage. A UPS is normally plugged straight into mains power, and a lot of UPSes have a network pass-through surge protection as well. So you've got power, you've got network. This is all we need if we wanted to have a rogue access point.

Previously for pen testing I had used this guy. This is Edward. Edward has a Belkin access point built into him, and Matrix-style connections through the back of the neck. This was built because a friend of mine was always joking that when his daughter was born, you know, I'd be handing his daughter a teddy bear with antennas sticking out of it and say, yeah, just go past the security, man. So just to shut them up, I actually built the thing. This is the little lady it was built for, next to him, but, you know, this sort of thing is kind of hard to get past on a professional pen test or anything. You know, a teddy bear kind of sticks out, but a UPS under your arm doesn't.

So I had a flood in my basement a couple years ago, and for some reason I kept the case off of an APC 350 UPS. They got wet, the battery was in, the circuitry was all fried, it was of no use, but I kept the thing for some reason. Gutted the interior, ripped out all the power circuitry, the battery case, the battery and everything. A little bit of soldering, jumped around where the power control circuitry was, so now all of the power plugs on top still work. So you can plug this thing into the wall, plug in a lamp.
Everything works. Spliced in power for the WRT's wall wart because I still wanted to be able to use the WRT for other things. A couple of patch cables run into the network surge suppression, or the RJ45s on that, and you've got the perfect hidden access point. You know, a UPS sitting under somebody's desk plugged into the network, plugged into the power, isn't going to raise a lot of alarm bells. You know, with something like the Evil Bastard firmware or something like that for a WRT, who knows what kind of mayhem could occur with this thing? I mean, the imagination is your only limit. A few pictures here: you know, from the outside it looks absolutely normal. Our button still works, everything, but on the inside you can see on the right side, you've got the WRT spliced into a standard wall wart. You know, it all fits. Come on, don't lock up on me. Okay, the picture is not that big. Okay, after the wireless contest, I think this thing's ending up in Lake Mead. No, and I'd make another prize.

Now this is when wireless hardware turns evil. This is something that was just rolling around inside of my brain ever since Ciscogate last year, the idea being that if you own the hardware that everything's routing through, you own everything. You know, standard man-in-the-middle stuff. However, there's all these questions that were running through my mind, because Ciscogate was about the high-end, the enterprise stuff, you know, the most expensive stuff on the market, stuff I can't afford. But there's so many other devices out there now. They're running various firmwares and everything. How do you know that the firmware you're running is the original one that was meant to be there?
This question kept bugging me and I kept investigating more and more, because so much consumer stuff like these WRTs, like, you know, so many network switches and everything, are running proprietary or even open operating systems, but there's no verification method that what is actually on there and running is what is meant to be there, and/or what you put there. We didn't do a proof of concept on this one, mostly because it was just too dangerous and nothing really useful could come out of it. So I'm just trying to throw the idea out there and just see what happens.

The other team for the wireless contest that I know is going to be competing is Preset Kill Limit. These guys whooped my butt last year, barely, and I am going to be winning the jacket this year. They have... I want to win fair and square? No. But these guys at their job have the unenviable duty of hunting down rogue access points on their network, and, you know, running around with the directional finding these things is always a pain in the ass. So what they did was they came up with the Kill Bot, which, modded WRT once again: you hire a summer student, you plug this thing into the wall, it goes out in client mode, connects to any open access point it finds, tries to connect to an internal network address and PHP page, and then if it does, figures out which switch connection that connection is coming in on, and just turns off that port on the switch. So the person who installed the rogue access point's trying to connect and do their thing, and it's like, oh, I can't get out anymore, because, well, the switch has killed it. Didn't you guys upgrade that thing to put them through a captive portal now, big skull and crossbones on it? Yeah, you get a page that says you violated the acceptable use policy. So they always come in whining, like, why can't I get access? Why can't I get access? Well, here's the piece of paper you signed.

Open source firmware is both a boon. It's both a good thing and a bad thing.
It's a good thing because it keeps costs down, allows for additional development for fun tools like this, but any vulnerabilities, all the system internals, everything you need to know to do bad things is also available. On the WRTs, all the settings are maintained through the NVRAM. So if you reflash the unit, you're changing the software, but the NVRAM memory stays the same. This was a little fact that kind of scared me, because if you can reflash things and all your settings stay the same, the few little pieces of information that the average user sees and would be able to tell if something bad happened to their access point, they're still gonna be there. So how do you know what engine is running under there is the one that's supposed to be there? There's no integrity checking for any of this stuff. Nobody seems to care that you have any idea of what's running on this router. You buy a Linksys access point at Best Buy or something like that. How do you know what is actually running on there is an honest-to-God Linksys firmware? You don't. You have to take it on faith: if it fires up, you see a Linksys page, it connects, it does everything it's supposed to, right? But how do you know? You don't know what's going on under the hood. This makes default access points a lot more dangerous. How do you run an antivirus on your router? Your router is a little computer now. You've got Linux on there, you've got open ports, you've got, you know, it's doing full PC-type things. How do you check this? Any vulnerabilities on the WAN side could lead these things to their death from remote flashing across the Internet. You can see a virus that starts flashing routers across the world and making your own little, you know, DoS botnet or something. You could even carry from that to infect the hosts inside the network, you know, just anything: snarfing passwords, you name it. To give you an idea.
This is the situation that I envisioned. You get a WRT54G with an infected firmware. At 3 o'clock in the morning the WRT runs a cron job, looks for any nearby access points named "linksys", a known default. If it's open, it connects to it, tries to connect to the admin page. This is pretty much the same as what the Kill Bot was doing. If it's already got a "linksys" name, they probably haven't changed the default administrator password on the unit, and, hey, if you can connect to that, you've got direct access to the flash utility, and you can actually flash these units over wireless. This is dumb; I don't know why they're like this out of the box. Unit gets reflashed, reboots; because the NVRAM doesn't get changed, the SSID, channel, all that stuff is maintained, and as far as the user sees, you know, there was just a little blip at 3 o'clock in the morning. Still connects, still gets out to the Internet, but you don't know what's being snarfed in the middle, you know.

So this is my really craptacular Visio drawing. Bisco scans, connects, sends the new firmware, and then once that host gets infected, does the same thing: connects to any other access points that are open, passes it along. In a campus-type setting this can be a real problem, because as anybody who's worked at a university knows, the amount of rogues that show up, the amount of students that bring in, you know, their default Linksys access points from home, they're everywhere, and they're usually right on top of each other. So one access point could see like six other "linksys" networks and theoretically infect all of them.

A few caveats to this idea. Default modes are assumed, but given the statistics that are out there, there's an awful lot of default access points; it could be a huge problem. And anybody who might be driving by and using those things, you know, willy-nilly, like at a coffee shop or something, they could be hosts for something, who knows, they could get infected, whatever. You could make rudimentary brute forcing of the admin page, you know, every day at 3 o'clock in the morning it connects, tries, you know, a certain chunk of key space, shuts down, just, you know, only takes 10 minutes off. Login banners could trigger unit-specific attacks. So if an access point has a known vulnerability to bypass the admin page login, you could use that. You can also brick the router really easily if you're flashing over wireless. It's not a hundred percent thing, but having wireless routers just dropping off isn't a good thing anyways. You can just imagine the guys at Best Buy trying to figure that one out, you know, everybody bringing these things back saying, why is this thing not firing up? Well, you got a bad flash in there. It's like, well, I didn't do that. Just a lot of access points using open firmwares.

So how do you verify what's running there? I keep coming back to this. How do you run an antivirus scan on your hardware side? You know, we'll get it for our PCs and our networks, but we don't actually look at the stuff that is handling all that traffic. It's a computer. You could also do really evil things like the Linksys admin pages: because it's an open source OS, it's right there in the source code from Linksys; just take all those pages, copy, paste, done. Just turn on something small like telnet in the firmware and you get yourself backdoor access, you know.

Solutions. I see a checksum facility, somehow, of verifying what is running on there, make sure it matches the known checksum for that version. However, that's really easily spoofed. I mean, if you're loading a rogue firmware on there, anybody can say, oh yeah, I'm this firmware number, here's my checksum, which is precisely what's on the Linksys page, you know. Kind of a not-good solution would be non-flashable hardware, but again, if there's other problems found, you wouldn't be able to upgrade legitimately. Proprietary firmware.
I hate to say it, but sometimes not having access to all the source code can make things a little bit safer. It still means you have to audit everything and all that usual fun stuff, but there's something to be said for it. Antivirus could do TCP profiling for changes: if the firmware gets rebuilt, there's a good chance that some of the flags and everything are gonna get changed and you'll see that, okay, it's gone from running a Linksys to OpenWrt or something. There's just so much hardware out there, you know, switches, modems, routers, access points; they're all running this stuff, and nobody seems to be addressing what is running on them.

Okay, this is the fun stuff. WPA-PSK. I'm sure most of you in here have probably heard of this. At ShmooCon we added the genpmk utility to coWPAtty 3, which allowed you to pre-compute large tables of keys so that future attacks on that SSID went significantly faster. So if you had a customer that had, for the sake of argument, an SSID of "linksys", you could compute, you know, a billion-word table for a "linksys" access point and be able to, in a very short period of time, test for a billion words before you actually started brute-forcing. It's a time/space trade-off. If you're doing a lot of these, like if you're verifying installations, this can be a real help. Like I said earlier, we went from 12 keys a second on my laptop here to 18,000 keys applying a pre-computed table. So it's a big speed increase. The lookup tables that are currently available is the top 1,000 SSIDs with a 172,000-word dictionary; it came out to about 7 gig. Audit and Converge, I have to thank them because they're hosting the torrents and putting up with a lot of grief trying to keep them up. At ShmooCon we were trying to release them; things fell through. I want this stuff out there. We need seeds. Please seed this stuff. And OS X can also run coWPAtty as well, and there's also built-in utilities for pre-computing keys with OS X.
It's got the 10-minute flash there. 7 gigs is a good start, but, you know, I wanted more. I wanted to be able to walk up to pretty much any network and take a whack at this thing and have a good chance of getting a password. Two guys, Skynotes OS and GB3, they wrangled up 14 high-power CPUs for, you know, testing purposes in their office, most of which was my data. Kevin Mitnick, of all people, put me in contact with Mark Burnett, who wrote a really nice book called Perfect Passwords. Yes, I am pimping this. But he collected somewhere in the range of four million passwords from porn sites and other places, just through Google, of actual used passwords. These are things that people actually have used. So we mixed his password list in with a bunch of the regular dictionaries. You know, they computed this for three weeks, three blown fuses, and the damn tables didn't work. Previously I had screwed up and accidentally sent in the password list with a control character at the end of every single line, which was computed into the hash and completely changed everything. So I did it again. So if somebody wants to write a patch for this version that we're releasing that checks if it's Unix or DOS text file input and corrects this, I will be very thankful. Oh, you already put it in. Thank you. Thank you, learning from my mistakes.

However, Hikari was kind enough to step up, and his research was already going on, and I got in touch with him and said, hey, you're doing research into FPGAs and WPA cracking. I think we need to work on this. You want to get in on this?
Can we get testing? Oh, cool. Okay, so yeah, I added in a bunch of FPGA support for coWPAtty, and I don't know if you know what an FPGA is, but it's basically a chip that you can basically design a whole chip in software and then compile it and throw it onto this chip, and the chip will function basically like whatever sort of chip you wanted it to function like. So you can basically code a processor, like whatever sort of processor you want, upload it, and it'll behave just like that. And in my case I coded it so it basically just does PBKDF2 and SHA-1 and stuff really fast. I just accelerated that portion, and so it's actually like the transistors are set so they actually, you know, compute all that stuff in the hardware. So it's a lot faster than on a PC.

So anyway, the performance numbers I get on, like, a decent laptop, aka not Renderman's laptop, you can get about, you know, 70 keys per second. On one of my FPGA cards... that's actually wrong, I get about 450 per second, and I'll be demoing that in a minute. Okay, you've done optimization since we last talked. Oh, okay. Well, yeah, it's about 450 per second, and that's on a tiny little CompactFlash card. I've got eight of them in the system; this will take up to 15. This is actually a bigger card; the CompactFlash cards are less than half the size of this and they get, you know, about 450 per second.

So anyway, let's see. Yes, that should actually be about 6,500 keys per second instead of 3,000 there. But yeah, I ran it through this system right here and it only took about 48 hours. So it wasn't actually three days; it was 48 hours, and managed to do that in the time that, you know, took him three weeks on 14 CPUs. So pretty big speed improvement. And yeah, basically generated 40 gigs worth of hash tables for the top thousand SSIDs, million-word word list. And, oh, so we have a torrent online. Cool. So yes, help seed for the 40 gig one.
Yeah, we'll hopefully have that up. Just need to talk to a few people before that. But if you do start downloading this thing, please seed as long as you can. We don't have a lot of money for bandwidth or anything like this, so the more seeding you do for the torrents, the happier we'll be. Okay, so yeah, cool. You can start downloading these if you want. I don't think I brought a copy with me, but do you guys have a copy? No? No, okay, so just download.

Yeah, so we released coWPAtty 3.0, and we're releasing coWPAtty 4.0 today, right? Yeah, Josh, right. I think he took off yesterday, so he's not here, but he threw all that stuff together, and it turns out that WPA2 has the exact same authentication as WPA, and you're only attacking the authentication. So it's pretty much the exact same attack for both of them. So he didn't even have to modify anything to get it to work; I think you just had to add support for the parsers for the packets. That's about it. Okay, so a couple lines of mods. It was surprisingly simple, and yet nobody else really had a valid attack vector against WPA2 until this. Yeah, so amazingly simple.

I guess I'll switch over to a demo just so you can see coWPAtty in action. Let's see if this works. There we go. Cool. Yeah, we don't have a monitor for this up here, so he's got to look behind him. I don't know if you can read that. That's just a prompt thing. Oops. So normally you can just run coWPAtty, and those are the different options here. The typical usage is you just do, like, dash F and then a dictionary file. So I've got this really tiny one here. Then you give it a pcap file; I think that's dash R. And then you give it the SSID. And normally on your computer it goes pretty slow. Right now this is maybe doing, like, about 50 or 60 per second, possibly, and that's just running on the CPU here. So I'm just gonna take this and tell it to run on FPGA zero.
I don't know if you can see that, but basically dash capital F zero, and this is only running on one card. So it's doing about 450 per second right now and should go through and find it, hopefully, and that's just one card. Yeah, I'll demo all the cards if you want to see that. Yeah, so it just found the passphrase. Oh, 435 per second. You can also use genpmk, which is the tool that he was talking about earlier, and the usage is pretty similar. You just give it a dictionary file, like a hash file, that's the output, the SSID, and, yeah, so normally it's really slow. I'm just gonna run on the FPGA just so it's nice and quick. So it's basically doing the same thing, but it's actually saving out all the computed stuff to a file. And then we should be able to take that file and run it through coWPAtty, and you can see how fast that is. So, see, dash D, and so this doesn't use the FPGA at all. You can run this on your computer as long as you download these hash files. And there we go, so it did about 70,000 per second, and it just found it, just like that. And with these huge tables that we have, you know, it may only take you, like, less than a minute to scan through all of them and, you know, go through a million words. So it's pretty quick. So it sure is. I could be sitting there on site waiting for, like, five hours for, you know, to go through a really short dictionary. Yeah, you can crank through a million words in, you know, a minute. Get ahead of the game. Yeah.

So since I basically made it so you can just specify which FPGA you want to use, if you have, like, eight FPGAs or 15 FPGAs or a thousand, I wanted to make it a lot easier for people to spawn all these sessions and do cracking really fast. So I just made a really tiny little Perl script that basically starts up screen and then creates a screen session for, like, every FPGA and starts up everything properly. So I'm just going to demo that real quick. So if this... all you do is give it a dictionary file.
I'm actually going to put in the million-word one just so you can kind of see it in action, and the exact same pcap file there. Yeah, so it found eight cards in the system and now it's starting up the screen sessions. So this is one of the instances here, and there's another one, another one. Oh, we are okay. So it should find it. There we go. So it just found it out of the million-word word list, and it was doing basically 450 per second times eight, whatever that is. We're getting told we're out of time here, so I'm just kind of zipping to the end here, okay. But since WPA1 and WPA2 share the same key hash, basically all of these tables now work for WPA2 as well. So we have 47 gigs worth of words pre-computed for you. Start downloading them, enjoy. I think that's about it. We're getting the big crossbones here, so we got to get out of here. But thank you. I'm sorry for all the technical goofs.
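Added illustration, not code from the talk, from coWPAtty or from genpmk: a small Python model of why the pre-computed tables the speakers describe are tied to the SSID, why a trailing control character in the dictionary ruined a three-week run, and why the same tables serve WPA and WPA2. The only standard fact used is the WPA/WPA2-PSK derivation PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), checked against the public IEEE 802.11i test vector (passphrase "password", SSID "IEEE"). Function names, the sample SSIDs and the three-entry dictionary are constructed for this example. A real cracker goes on to derive the PTK from the PMK and check the EAPOL MIC from a captured handshake; this model stops at the PMK, which is all a per-SSID table stores.

```python
"""Model of per-SSID WPA-PSK pre-computation (added example, not project code)."""
import hashlib
from typing import Dict, Iterable, List, Optional

PBKDF2_ITERATIONS = 4096   # fixed by the WPA/WPA2-PSK standard
PMK_LEN = 32               # bytes


def pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA-PSK and WPA2-PSK (identical for both,
    which is why one table works against either)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def normalize_wordlist(lines: Iterable[bytes]) -> List[str]:
    """Strip CR/LF from each dictionary line.  A DOS-format list leaves a
    trailing '\\r' on every word; because it feeds the hash, every table
    entry is then wrong (the mistake described in the talk)."""
    words = []
    for raw in lines:
        word = raw.rstrip(b"\r\n").decode("utf-8", "replace")
        if word:
            words.append(word)
    return words


def build_table(ssid: str, words: Iterable[str]) -> Dict[bytes, str]:
    """genpmk-style step: pay the PBKDF2 cost once per (SSID, word) and keep
    the result keyed by PMK so later lookups are a dictionary hit."""
    return {pmk(word, ssid): word for word in words}


def lookup(table: Dict[bytes, str], candidate: bytes) -> Optional[str]:
    """Table-driven check: no hashing at all, just a lookup."""
    return table.get(candidate)


def demo() -> dict:
    """Run the three points of the example and return them for inspection."""
    # Constructed DOS-format dictionary: note the '\r\n' endings.
    raw_dict = [b"password\r\n", b"letmein\r\n", b"\r\n"]
    words = normalize_wordlist(raw_dict)
    table = build_table("linksys", words)        # default SSID, as in the talk

    # 1. Against a default SSID the table answers instantly.
    hit = lookup(table, pmk("letmein", "linksys"))
    # 2. The same passphrase on a non-default SSID is not in the table:
    #    every entry would have to be recomputed for that SSID.
    miss = lookup(table, pmk("letmein", "MyNetwork_7f3a"))
    # 3. A stray '\r' on the word produces a different PMK entirely.
    crlf_differs = pmk("password\r", "linksys") != pmk("password", "linksys")
    return {"hit": hit, "miss": miss, "crlf_differs": crlf_differs}


if __name__ == "__main__":
    print(demo())
```

The defensive reading is the one the table sizes make obvious: the 7 GB and 40 GB sets cover the top 1,000 SSIDs, so an access point with an SSID outside that list forces an attacker back to 4096 PBKDF2 iterations per guess, and a long random passphrase is not in any dictionary to begin with.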