You guys ready for this? Everyone ready? That's what I like to hear. So this is a little talk I've been putting together, and I've been working on this for a little while. Let's start off with a little bit about me. My name is Mike, also known as d4rkm4tter. I consider myself a mad scientist hacker who's particularly obsessed with wireless, if you couldn't figure that out. I also love reverse engineering, I love doing website pen testing, just everything in this field I absolutely love. I've created this project, and I've also created another project called the #WiFiKraken. I'll be doing a demo lab (plug for my demo lab) tomorrow at ten a.m. in Planet Hollywood at the demo lab, so come check that out. I'm also a Kismet cultist; Kismet is the most amazing wireless software for scanning. Also, recently I've become a runner, so I love running and doing all the running things.

Alright, let's talk a little bit about the history and background. In the early 2000s we wanted to get out and figure out what wireless networks we could connect to, because we didn't have internet service at home that was better than, like, maybe janky DSL, right? So we wanted to find better service, so we were driving around trying to get it so we could get all of our sweet warez off of our CF serves and Kazaa and stuff, right? Things have changed a little bit now. Almost all of us probably have unlimited data plans now on our 4G, et cetera, right? So internet is not that hard to find. So why would you want to start doing wireless stuff? Well, it started for me in 2015. I had this idea that I wanted to monitor all of the Wi-Fi at DEF CON. So a few days before the conference I took a single-board computer and threw some wireless antennas on it, put it in my backpack and started hoofing my way around DEF CON thinking, yeah, this is going to be amazing. Well, I learned a lot from that.
I didn't catch very much data, but I learned a lot. And that led me to the project the following year. That project was Project Lana, and what I was able to do was deploy 12 boxes around the conference, sensor nodes, that were able to gather a bit more data, and they were covering 2.4 and 5 gigahertz wireless. That project was sponsored; shout out to Warhawk, who helped me secure the equipment to be able to pull that off. I learned a lot from that project, and that led to the creation of the WiFi Cactus. The WiFi Cactus basically solved a problem that I noticed with the previous year's project: I only had 4 radios per box and I was missing a lot of data, and I want to catch it all, right? Because you've got to get all the data. So I was talking to Darren Kitchen from Hak5 and I'm like, hey, you know, I had some problems, and he's like, I think I can help you with that. So he hooked me up with 25 Pineapple Tetras and I was able to pull off the Cactus.

Okay, but why though? Why would you want to do this? Well, the number one thing that I would typically hear is that DEF CON's wireless network is the most dangerous, well, the network in general is the most dangerous and crazy network in the world. And I wanted to know why. Like, why is it that way, and how, right? So what did I do? I decided to build a thing. Once I built a thing, then I could start to understand this and try to figure it out. Another interesting thing is we live in a world where literally everything is interconnected now, right? So you've got, like, smart fridges, right? And you probably have a smart toilet too, right? So you come to a situation where maybe you haven't pooped in a few days. Maybe your toilet will then tell your fridge to order you some fiber, and next thing you know you've got yourself taken care of, right? And of course those devices are wireless, right?
Because it wouldn't make sense to connect your toilet to your fridge with a wire. So anyways, we've got tons of devices around us all the time that are broadcasting. You probably have multiple radios on you right now. So I kind of think of them as Pokémon: we've got to catch them all, right? And then the other thing is, hackers, it's important for us to verify trust, right? There's a lot of claims, you know, everything's secure, this VPN will keep you, you know, super, you know, "I go through seven proxies" type stuff, and it's like, but do you really know that your data is not out in the clear? So as hackers it's important for us to do that.

Alright, let's talk a little bit about the data. This is a graph of the data over the years, of the evolution of this project. And as you can see it kind of grew a little bit, kind of got bigger and bigger. The interesting thing is, like, the DEF CON one in 2018-2019 kind of got a little small, and the only reason for that is because I ran into a new problem: I kept running out of storage space, and so that would limit the amount of time I could capture. Which was an entirely new problem that I hadn't ever experienced before. But basically you can just see that year over year I've been iterating and creating an environment where I'm getting more and more data, creating hardware, making changes for... thank you. So that's how this is going to work. Okay, good to know. I love you guys. Basically I'm creating a situation where I'm just collecting more and more data and figuring out the bottlenecks and figuring out how to do it.

So when you have that much data, how do you do an analysis on it? It gets kind of rough, right? I don't know how many of you have opened up a 2 gig file size PCAP in Wireshark before. Anybody? A couple of you? What does that feel like? It's painful, right? It hurts.
Like, you're just like, I want it to query faster, and it just doesn't, and I mean, PCAPs are complicated. They cover a lot of data. So then I used another tool called NetworkMiner. NetworkMiner's creator supported me with a license because he thought my research was kind of cool. And that's great for data spot checking, right? But if you're going to thoroughly look across your entire data set, that's maybe not the best solution. Another tool that I use is Kismet, as I talked about. Kismet has a wonderful web UI that allows you to search in real time. So that's great for, like, if I'm trying to figure out what the threats are in the environment, what's going on right now in real time, I can pull that up. Also, you can now load your previous capture files into a running session, and then from there you'll be able to replay all that fun you just had. And then the other cool thing about Kismet is it's stored in a SQLite database. So you can just immediately open it up in your favorite SQLite data browser, or even write some Python scripts and start scraping out some really interesting data without getting into, you know, processing PCAPs.

And then I came to a point where I'm like, all I want to do is run a thousand instances of tshark at the same time. And I couldn't find anything that exists, so I built a tool. Shout out to Ellicontaro for making this sick logo for me. Thank you, sir. So PCAPinator, basically, is a tool that runs a ton of tsharks at the same time. Here's the help file for it, and it gives you some of the base information. Right now what it supports is it will pull DNS out, it'll carve it out, it'll carve out wireless information like all of the MAC addresses involved in wireless communication, the frame types, SSIDs, fun stuff like that.
It'll also grab handshakes, and it will convert them all the way to HCX files so you can dump them right into hashcat, if you're down with cracking passwords for some reason. I don't know why that would be useful. And then also the GitHub link is right there, and I'll also have it at the end of my slides. That is live right now; I just opened it up a little while ago, so you can go get on that. Don't judge me harshly, it's still really rough around the edges. It's the first, like, major release of code into the wild, so, yeah, we'll see how this goes, yellow. This is just a quick example of PCAPinator destroying my 48-core, 96-logical-core server. Yeah, so it's pretty effective, I'd say.

Alright, let's do a quick demo video. Okay, so in this demo video... oopsies. Let's see, I would have had a demo fail. So in this demo video, basically what we've got is a 2.5 gig PCAP file, and on the top we have just a single tshark instance running, and on the bottom I'm running PCAPinator, and they're running the exact same query. Basically I'm just pulling out MAC addresses and a bunch of wireless information, and what this is doing is it's actually taking the PCAP and splitting it into a bunch of individual PCAP files, and then it processes each of those smaller PCAP files at the same time. And so that file took 5 minutes and 49 seconds to process, whereas traditional tshark took 19 minutes. So that's significant, and also there's still room for improvement. I always leave, like, you know, things in my code so that I can always make it better and faster later, because you don't want to do your best work on the first shot, right? Okie dokie.

Alright, so what did y'all do last summer, huh? Let's get into this, shall we? First off, let's get to know you a little bit, shall we?
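As an added illustration of the split-and-fan-out approach the demo describes (this is not PCAPinator's own code), here is a pure-Python splitter that cuts a pcap on record boundaries, gives every piece its own global header so each is a valid capture by itself, and hands the pieces to a worker pool. The worker here only tallies 802.11 frame types from the frame-control byte so the script runs offline; in the real tool each worker would launch a tshark process on its chunk file. The sample frames and the capture they are wrapped in are constructed.

```python
import struct
from collections import Counter
from concurrent.futures import ThreadPoolExecutor

# pcap global header: magic (usec timestamps), version 2.4, zone 0, sigfigs 0,
# snaplen 65535, link type 105 = IEEE 802.11 (what a WiFi capture carries)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)

def frame(fc0):
    """Constructed 24-byte 802.11 frame; only the first frame-control byte matters here."""
    return bytes([fc0, 0x00]) + b"\x00" * 22

def build_pcap(frames):
    """Constructed sample capture: each frame gets a 16-byte record header and a dummy timestamp."""
    out = bytearray(PCAP_GLOBAL)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return bytes(out)

def split_pcap(data, chunks):
    """Split one pcap into up to `chunks` standalone pcaps, cutting only on record
    boundaries and copying the global header into every piece so each is valid alone."""
    header, pos, records = data[:24], 24, []
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, pos + 8)[0]  # captured length
        records.append(data[pos:pos + 16 + incl_len])
        pos += 16 + incl_len
    per = max(1, -(-len(records) // chunks))  # ceil division, at least one record per piece
    return [header + b"".join(records[i:i + per]) for i in range(0, len(records), per)]

def count_frame_types(chunk):
    """Worker for one chunk: tally 802.11 (type, subtype) from the frame-control byte.
    This is the slot where PCAPinator would run a tshark process over the chunk file."""
    counts, pos = Counter(), 24
    while pos + 16 <= len(chunk):
        incl_len = struct.unpack_from("<I", chunk, pos + 8)[0]
        fc = chunk[pos + 16]  # bits 2-3 = type, bits 4-7 = subtype
        counts[((fc >> 2) & 0x3, (fc >> 4) & 0xF)] += 1
        pos += 16 + incl_len
    return counts

def parallel_frame_types(data, workers=4):
    """Fan the chunks out to a pool of workers, then merge the per-chunk tallies."""
    total = Counter()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for partial in pool.map(count_frame_types, split_pcap(data, workers)):
            total.update(partial)
    return total

if __name__ == "__main__":
    # constructed: 3 beacons (0x80), 2 deauths (0xC0), 5 data frames (0x08)
    sample = build_pcap([frame(0x80)] * 3 + [frame(0xC0)] * 2 + [frame(0x08)] * 5)
    print(parallel_frame_types(sample))  # Counter({(2, 0): 5, (0, 8): 3, (0, 12): 2})
```

Because each piece carries its own global header, the merged tally equals what a single pass over the whole file would give, which is the property that makes the split safe.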
So people bring their devices to DEF CON, you know, as you do, and those devices are happy enough to probe out, you know, things and look for networks that they want to connect to, and there's this wonderful website called wigle.net that you can then cross-reference those SSIDs to, and from there you can create a map of where you're from! And so the other interesting thing on here... oh, cool, 10 minutes. The other cool thing about this is you've got a lot of WPA2, so I'm really happy you guys are using it; on your home networks and at your work it looks like most of you are using WPA2. However, Russia, there's a lot of unknown up there, and I don't know what you're doing, but I want in on that action, I want to get some more unknowns on WiGLE. So if you know that secret, let me know.

Alright, let's dive in a little bit now and take this from a little bit different angle. This is showing population throughout the world, where you're coming from. It's a heat map, so, you know, the larger the dot, the higher the place that you're coming from. So this was pretty interesting to me too. I don't know what's going on over there, I believe that... oh, I just forgot, Baton Rouge, I believe, is what that is. So I don't know what they're doing over there, but there's either a lot of people there or a lot of devices, or something's happening there. Pretty interesting. Alright, let's look at South America. The one thing on this one that was really interesting to me is over in Chile. Like, you see that nice heat map all lit up on the side of Chile over there. That was pretty interesting. Alright, let's look at Europe now. And for me the most interesting thing on here was the one in Iran. Whoever's wigling in Iran, in Tabriz, dude, shout out to you, let's keep it up, let's wigle all the things. We need every place wigled on earth, alright. I need that to happen for you guys.
And now we're looking at Asia; you can kind of see what's going on here. This is crazy, you know, we can kind of see these heat maps and look at where people are from. Okay, another thing that we can do too is, because I don't just know the SSIDs you've been beaconing, I can know the MAC address of the devices you're beaconing or probing or connecting to, so, your MAC address. And what can you do with that? When you've captured data at multiple conferences, thanks to this tool called Graphistry, I was able to create this wonderful graph, and each tiny little dot that you see on the screen there is a MAC address of a device that's been at a conference, and the only filtering that's here is if it has been at two or more conferences. So as you can see there's quite a big flow over from Black Hat 17 to DEF CON 25, which makes sense, you know, there's some pretty good overflow from there, people come over, and then there's some other small conferences, SaintCon, ShmooCon, CactusCon and DEF CAMP, to name a few, and I mean, it's just interesting to see these groups, and then the ones that are most interesting are the ones year to year. So we can definitely see that DEF CON has some retention for people coming back. I don't know why. Why do we keep coming back? It's amazing, that's why. It's amazing.

Alright, let's talk about wireless attacks. They happen. We have wireless attacks. Strange, right? So the number one thing that I see, and it's really noisy and it's really loud, is de-authentication attacks. And one thing that's kind of helpful is you randomize your MAC, and when you randomize your MAC address you did it so it's an unknown OUI, an unknown vendor. So basically what that's telling me is this is somebody doing shady stuff, so I'm going to keep track and try to figure out where you are and triangulate and try to track you down.
So maybe a pro tip for all of my red team fellows in the audience, or not fellows, excuse me, all you red teamers in the audience: go ahead and use, like, a Cisco OUI or something, and someone will look at it and be like, oh my gosh, you've got an AP that's malfunctioning. It's not really de-authenticating, it's an AP. Let's go track down this AP that isn't working correctly. So the other types of attacks that I saw, there were a couple of what looked like KRACK attacks. And the KRACK attack, the key reinstallation attack, is one that's really difficult to identify by just passive monitoring. So I am just passively listening. I do not connect. I do not make an active connection with anyone. I'm just sitting in the environment; it doesn't even know that I'm here. So you need more information than that. But however, based on the fact that these are unknown vendors, we know that something really weird is happening, and so we could go do more investigation into what's going on. And of course it's DEF CON, so we're going to see, you know, Pineapples, Karma attacks, PineAP, we're going to see man-in-the-middle stuff that's going to happen there, and what's even more awesome is when you leave the MAC address as zero one or zero zero one three three seven, you know, because who knows what that is. And there were at least 50 of those. Now on the other side, let's say you want to go freak out somebody that's got a wireless IDS, you might as well just start using that OUI for everything. Another thing too is people really like to mess with SSIDs for some reason. Wait, what number was that? Okay. They like to mess with SSIDs for some reason. They throw in more data and, just, it's crazy. So, yeah, there's a lot of things you can look for in this data. Also there's a little bit of Wall of Sheep action.
Most of this I think is just super trolly people trying to do some cleartext stuff to be funny. I don't think any of this is, like, legitimately Wall of Sheep. But, yeah, some pretty funny stuff up there. Also there were some data leaks, you know, because sharing is caring. This is from a website called met.no. It looks to be some sort of weather-related, could be an app, I'm not sure, I couldn't find a lot of information on it. But it does leak your latitude and longitude. So if this was something that was given privileged information from your phone, yeah, you just gave me your latitude and longitude, thanks, in a GET request, completely in the clear. Also the API has been upgraded. It's been upgraded to 2.0, as you see at the bottom there. Still is in the clear, though. And there's another one too. This one is AccuWeather, and this is a ZTE desktop widget, or, yeah, desktop widget from an Android phone. So, yeah, what's up with these leaks on these APIs? Another one I found was this Alienware bloatware, and it contacts back to the server with serial number, Windows build, etc. So thanks to, you know, the Dell support website, I was able to find out that your warranty's expired. So I'm sure they can help you with that. We also can see DNS, right? Because DNS isn't encrypted, or if you are doing encrypted DNS, like, you know, more power to you, like, awesome, but how many orgs are actually doing it? So we know that people at least wanted to go to these websites. I don't know if they did, I don't know what's going on, but they definitely tried. At least looked it up. You know, there's a couple on here, you know, Fine Aid, you know, who's going to come fill out their financial aid. I mean, this is a great place to figure out your career and what you want to do, but doing your financial aid at DEF CON, maybe wait till you get home for that one.
Uh huh, also Pornhub, I know, I know, I just go there for the stats too. Oh, another wonderful thing is, yeah, like, Slack uses subdomains, which is beautiful, right? So now I know all your super secret Slacks. And why haven't I been invited?

Alright, so let's talk about the summary real quick here and wrap this up. DEF CON is truly a global community. We're going to have deauths; it's a protocol-level issue, we've got, I mean, we need stuff to happen to get that better. Pineapples are a thing and they are going to happen. APIs are going to leak. DNS is DNS. For some reason, I don't know why, you guys use Slack. And also I just want to say, you know, don't believe the hype, because that was one of the things that I looked into, the reason we brought this out, is like, this is the most dangerous, everything's owned as soon as you connect. It's like, don't believe the hype, like, use common sense, like, don't just connect to the open Wi-Fi and then log into your bank, right? Use the secure... there's a secure for a reason, there's, you know, use cell phone service instead, not 3G, not CDMA, none of that, make sure it's 4G or 5G, which leads me to my next asterisk. I don't know, I heard there was research being presented on the LTE stuff, so, asterisk, I'll get back to you on that. Some other points I want to just point out on how to countermeasure and protect yourself: don't enable auto-connect. I know phones now have the ability to do geofencing, so do that, so that way you can broadcast, only connect, in the geofenced area where you're there. Also use a VPN, but verify your VPN actually works the way you think it does, so scan your traffic, because you don't want to be leaking out of your VPN.
I just want to say thank you to DEF CON and Hak5 and Kismet, SaintCon, DC801, NetworkMiner, Graphistry, and so many more. There's so many people, even in this audience, that have helped me and built me up and made me able to do this, to be here on this stage. I'm so thankful for that, and I especially want to say thank you to every single one of you, because, you know, the likes on Twitter, you know, the fact that you're here, like, it blows my mind. Thank you so much. I'm super honored to have been able to do this project and to present it to you and to see your reactions. I'm very thankful for that, and with that, I thank you.