THE Hashtag Wifi-Cactus (#wificactus DEF CON 25)
This adventure starts out at Shmoocon: Grifter talked me into going even though at the time I didn’t have a pass and was 299 miles away. Luckily someone had an extra and hooked me up!
Additionally, I was lucky enough to be talking with Darren Kitchen from Hak5 about my previous year’s DEF CON Wireless Monitoring Project, and I told him that I wished I could create a system that didn’t have to channel hop, since nearly all of my data had fragmented frames. From our discussion we came up with the idea of the WiFi-Cactus using a ridiculous number of Pineapple Tetras. Two weeks later 2 boxes showed up at my house with 40 Pineapple Tetras, Hak5’s sponsored contribution to the project. It was time to go to work.
I quickly went to work on a proof of concept using 6 of the Tetras, which I dubbed the Mini-Cacti. I figured if I could make 6 Tetras work, it shouldn’t be hard to scale up from there.
The first roadblock came when I wanted to have the Tetras each rotated 90 degrees from each other. Each Tetra has 4 antennas, 2 on each side. If you stack them on top of each other and try to turn the antennas vertical, they interfere with each other. The solution was to rotate each Tetra by 90 degrees. The problem is that they were not designed to be stacked this way: the feet wouldn’t be touching the unit below. Additionally, stacking Tetras this way makes them extremely difficult to support. My friend Austin came up with a way to create 2 channel plastic rails that would hold the units in place. He designed and machined the base frame which would secure all of the devices.
The next challenge was software. Also at Shmoocon I met Dragorn, the author of Kismet. He showed me the bleeding edge of Kismet, which had a web-based dashboard and tons of new features. We began to collaborate on my project and how to accomplish it. I couldn’t have done this project without him!
Once the WiFi-Cactus was assembled and working, it was missing something… the ability to be mobile. I brainstormed with my friends Bryan and Henry and we came up with the idea of mounting it to a backpack frame. At this point we had run out of time to order anything online. I went to a local sporting goods store and found the perfect frame. Bryan and I spent the next few nights attaching the WiFi-Cactus to the frame.
Lastly, we had to put lights on it and what better to use than Adafruit Neopixels. There is something about adding Neopixels to a project that enhances its awesomeness!
What does it do, you ask? According to CNET’s Alfred Ng, it’s “a goofy but terrifying device…” I was very excited to get the mention in his article! The main goal of this device is to passively listen on 50 channels in 2.4 GHz and 5 GHz at the same time without channel hopping. Each individual radio acts as a remote capture device for the Kismet server session running on the Intel NUC. During my demo lab I showed the crowd 50 wireless capture devices active at once, which saw 14k wireless clients active in the vicinity of my demo.
The hardware was made up of the following:
- 25 – Hak5 Pineapple Tetras (Sponsored by Hak5)
- Intel NUC (7th Gen Core i5-7260U, 16 GB RAM, 250 GB Samsung NVMe)
- 2 – Cisco 16 Port Switches (10/100 Mbps)
- ABI 12 V 500 W power supply
- Binzet DC 12 V to 5 V 10 A converter
- Arduino Micro
- Adafruit Neopixels Strip
- Custom milled aluminum plates and custom milled plastic rails
- Backpack frame
- 30 Ah lead acid battery and box
It blew me away how excited everyone was by this project. I was constantly being asked about the project and if they could take pictures of it.
I also had the opportunity to do a few interviews which can be found here:
- This guy hunted Wi-Fi hackers using a giant backpack made out of radios
- #WiFiCactus: When You Need to Know About Hackers #WearableWednesday #defcon #wearabletech #DIY
- I play the security odds in Las Vegas by rolling the Wi-Fi dice
- @SwiftonSecurity tweeted a picture of my cactus!!
- WiFi Cactus? DEF CON 25 – Hack Across the Planet – Hak5 2220
The photos below are credited to l34n who took them.
I am very thankful for the support of the DEF CON community and everyone who made this project successful! Thank you for coming to my demo lab and for stopping me in the halls to ask questions! Thanks to the BlackHat NOC team (especially grifter, stumper, l34n, caesar, and everyone else I’m forgetting) who let me hang out! Thanks to the organizers and volunteers of DEF CON (especially kampf, supertechguy, Luiz, and NOC staff) where something like this can be presented and encouraged! Thank you all for such an EPIC SUMMER CAMP!! <3
-d4rkm4tter
Getting hands on with a PirateBox
I am a huge fan of Twitter; without it I would have never heard about this project. I saw a post by @thedarktangent (DEF CON founder) asking if a PirateBox would be a good option for the data duplication village next year. Intrigued, I googled PirateBox and found a rather interesting project. Because I like to keep spare hardware around I was able to set up a box very quickly. Reading through their website I found that they have OpenWRT-compatible and RaspberryPi hardware options. Thanks to a run to Fry’s during DEF CON 24 I had an extra RaspberryPi 3 ready for use. In addition, I had plenty of extra wireless adapters left over from my DEF CON Wireless Monitoring Services Project.
After downloading the PirateBox image I took an extra 64 GB MicroSD card and used dd on my Mac to write the image, just like most other operating systems for ARM hardware. The PirateBox team has created a great getting-started guide: https://piratebox.cc/raspberry_pi:diy
One thing to note on the installation steps: it is important to follow the post-installation instructions or you will limit the functionality of the box.
The wireless adapters I used were not on the list, but they had the same chipset as the TP-Link TL-WN722N and worked without issue. If you know which chipsets your cards use and have used them in Linux, I doubt you will have a problem. The drivers must support being put into master mode, since the box becomes an access point.
The setup on the PirateBox was very simple and seamless. I think it took longer to image the microSD card than it did to get everything running.
After you have finished configuring the box you should see a new open access point with the SSID “PirateBox – Share Freely”. Once you connect to this network it will assign you an IP on the 192.168.77.x subnet and redirect most DNS requests to the main PirateBox page.
There are some very neat things on the main page. The first is the chat. It is a real-time anonymous chat system. I haven’t dug very deeply into how it works, but I love the simplicity. Another thing on the main page is the ability to upload files. I started pushing a number of video files to my PirateBox so that I could test out the media streaming possibilities. The final thing on this page is the disk usage. For this base test I just used the extra space on the microSD card for storage. But I believe it would be trivial to switch to an external USB drive by changing the shared directory in /etc/minidlna.conf.
The next feature is the message board. This clever little box gives you a private message board that functions like a limited 4chan. I think this could be useful for some interesting private conversations with file-sharing.
The last feature is a file listing that also allows you to download. The only drawback of this feature is that you can only download one file per click, making it more difficult for people to download a large list of files without a lot of clicks.
Overall I think the PirateBox has a lot of good features but has a few areas for improvement. Even though the idea is free open sharing, I’d prefer to see them use an encrypted wireless network or help you configure one in the installation instructions. I think the transfer speeds are going to be limited by the microSD card or by the USB 2.0 speeds of the RaspberryPi. I also think the 802.11n wireless adapter is going to be another limiting factor. I would expect a maximum throughput of 10-20 MB/s transfer. In my tests downloading files from the web interface I was getting a maximum of 10 MB/s.
There are more features I have not tested yet like mesh networking with the B.A.T.M.A.N. protocol and streaming video via the pre-installed ReadyMedia Media Server.
I think I’m going to start packing this device with me everywhere I go and see what I can amass.
DEF CON 24 Wireless Monitoring Services
One of the frequent things you hear leading up to DEF CON is that it is the most dangerous network in the world. Ask anyone, and they’ll tell you that if you don’t lock down your devices you will get pwn’d. I wanted to know if it really is the most dangerous network. I also wanted to know how I could protect myself. It isn’t until you have visibility into the threat that you are able to protect yourself. Because I thoroughly enjoy the social nature of the conference I am not one to just turn off all of my devices or put them in airplane mode. In fact my Twitter and IRC usage spikes around this time. I am the type who likes to understand the threats and dissect them so that I can mitigate them appropriately.
Before DEF CON 23 (2015) I built a system that I could use for “War Walking” around the conference. Go here for a full write-up on that device. After successfully “War Walking” DEF CON and analyzing the data I submitted a talk to Saintcon (saintcon.org). That talk was very well received and can be seen here. One of the things I wanted to do was to expand the project and place nodes throughout the conference. “War Walking”, although interesting, only gives you a small snapshot of what’s going on in the airwaves.
Thanks to the Minnowboard.org Foundation I was able to make the goal of multiple fixed nodes a reality. They sponsored the project by providing 12 MinnowBoard Turbots, USB 3.0 hubs and wireless adapters. Without their support of this project it would not have been possible!
The Hardware
* The box is an SRA Gun Case 13.4 x 9.5 x 4.7″
Inside the box is the following hardware:
* MinnowBoard Turbot (Specs: http://www.adiengineering.com/products/minnowboard-turbot/)
* Powered 4-port USB 3.0 hub
* 70 W AC-to-DC power supply, 5 V output
* 8-post terminal block
* Alfa AC1200 802.11AC USB wireless adapter (RTL8812 chipset)
* 3 x TP-Link TL-WN722N (AR9721 chipset) | AR9271 high-gain USB adapters
* Ethernet feedthrough
* 64 GB USB 3.0 flash drive
The MinnowBoard Turbot was chosen because of its immense power. It features a 64-bit Intel Atom dual core at 1.46 GHz and has 2 GB of DDR3L RAM. With power like this it opens up the possibility of real-time filtering and multiple adapters monitoring simultaneously without being lagged by hardware. Couple that with the speed of the USB 3.0 bus and you’ve got a lot of options. One other feature that was key early on with the prototype is its extremely low wattage. In my tests I did not see the MinnowBoard Turbot exceed 15 watts under load.
The Alfa AC1200 was chosen since it seemed to be a very robust 802.11AC adapter with support for both 2.4 GHz and 5 GHz. When I first began investigating 802.11AC cards I found only a very few that had Linux driver support for managed mode and none that had monitor mode. I found some forum posts about people who had gotten this card working in Kali but I was not able to make it work. I finally found some beta drivers which I patched to make work with Linux Kernel 4.22. There is a write-up here for that.
The TP-Link TL-WN722N cards were chosen because they are a cheap way to get access to the AR9721 chipset, which has very stable support in Linux for managed and monitor mode thanks to the ATH9K drivers. By using 3 cards instead of 1, I was able to spend more time capturing wireless frames and less time channel hopping. My next build will have many more of these cards.
A 64 GB USB 3.0 flash drive was used as the primary system disk as well as storage for the capture files. I used both Samsung and SanDisk drives since both have proven reliable and fast for me in the past. Even though the Turbot does have SATA2 support, the advantage over USB 3.0 is not that large and would have complicated my mounting of SSD hard drives. It would have likely caused my costs to go up too.
The Ethernet feedthrough was used to make provisioning and wired networking easier. Since the devices were to run headless and some were attached to a network, this was a no-brainer.
The 5 V 70 W AC-to-DC power supply was chosen so that we could provide up to 10 amps, or 7-8 amps without falling out of regulation due to heat. When I used a smaller supply in my prototype I started noticing the voltage was sagging to 4.7 V after the device heated up. The Minnowboard Turbot doesn’t like to be more than ±0.25 V from the 5 V input. As the voltage sagged it seemed to trigger the brownout point on the Turbot and shut it down. Once I used a larger power supply this no longer was an issue. The wireless cards are hungry for lots of milliamps.
The Software
On the previous project I used Airodump-ng, which is part of the Aircrack-ng suite. I simply assumed that Airodump-ng was the equivalent of tcpdump but for wireless. I hadn’t realized that it was written specifically for capturing IVs, capturing handshakes and aiding in the cracking of wireless passwords/keys/pins. I found this out thanks to #aircrack-ng on freenode as well as reviewing the source code, which showed large parts of the frames removed to reduce overhead. In short, Aircrack-ng was the wrong tool for the job.
The right tool? Kismet!
Kismet is a very feature-rich tool that includes wireless IDS, wireless analysis, frame dumping and a simple GUI to access it. In addition, the developer is very helpful and responsive. Out of the gate Kismet is configured to support channel hopping and some basic IDS alerts, which enhanced my presentation.
To use Kismet with multiple cards, pass each capture source with its own -c (a single -c only takes one interface):
kismet_server -c wlan0mon -c wlan1mon -c wlan2mon -c wlan3mon
You can also add the cards to the kismet.conf file located in /etc/kismet. Inside the configuration file you can also specify the time to spend on each channel, which channels are hopped by which interface, what priority each channel has and much more. I have only begun to scratch the surface of what this tool is capable of.
Because of the power of the Turbot, I also ran some custom JavaScript using Node.js that was able to execute tshark commands against the PCAP files, parse the returned data, and then push that information to a REST API. Its purpose was to give me some real-time information about the system without sending the entire PCAP. There is one script that simply checks in to let the server know it is online and another that sends unique MAC addresses, SSIDs, and signal strength. There is a bug in this code: when the PCAP file is over a few hundred MB it crashes my Node.js script with a memory-exceeded error. I hope to have this figured out and then will post this code somewhere.
The last piece of software on these devices was a simple bash script that started monitor mode on the network cards. I’ll leave this up to the reader to figure out. A hint is to use airmon-ng start wlan0 for each card you plan to use. I dug into the source code for airmon-ng a bit and determined what they are doing to start monitor mode was way beyond scripting my own, so I stuck with theirs.
The Deployment
During BlackHat I was only able to deploy 2 nodes because the rest of the hardware hadn’t arrived yet. 1 node was placed in the NOC and the other was placed under a stage next to the keynote track. During BlackHat 4 GB of data was captured. One of my nodes can be seen in the first picture of this CNET article about the BlackHat NOC.
For DEF CON, 12 nodes were configured and 11 deployed throughout the conference. Because it was held at both Bally’s and Paris, deployment locations were complicated. The conference used both convention centers, the 3rd floor of the Jubilee tower at Bally’s and the 26th floor of the Indigo tower. Conference room blocks were positioned in both Paris and Bally’s. And yes, that is the CGC stuff in the background of this picture!
Thanks to the help of some AWESOME DEF CON goons I was able to deploy nodes covering the 3 speaking tracks, the chill out areas, the contests area, the 26th floor and the Bally’s room block. It took roughly 6 hours to get everything deployed.
The Demo Lab
Even before I had finished setting up my table a mob of people were wondering what I was doing. I was truly blown away with the amount of interest my project had. If you came to my demo lab, THANK YOU!!!
One thing I must correct, during my demo I was saying that the Minnowboard Turbot is a quadcore when it is really a dual core. I apologize for saying the wrong thing.
One of the cool things that happened during the demo lab was someone launched a deauth attack while I was monitoring live. So thank you to whoever began that attack, it sure made my alerts a lot more interesting!
The photo below was taken by @wifiluke and I shamelessly stole it and posted it here because I forgot to take pictures or video of my demo. Thank you Luke!!
The Interview
I had the privilege of being interviewed for Hak5’s Technolust! That interview can be seen here or below. I am a big Hak5 fan and always love seeing the Hak5 family at all the cons! They are very supportive and helpful to the community and always have great content on their YouTube channel!
Initial Findings
I hope to write another, more in-depth post about the results, but there is a lot of data to analyze.
I was able to gather 40 GB of data from my 11 deployed nodes at DEF CON. I proved feasibility of wireless monitoring at DEF CON and am very excited to work on the analytics!
More coming soon!!
-darkmatter
Monitor Mode with Alfa AC1200 (RTL8812AU)
I finally have a few seconds to write this up. The file attached to this post is the source code for the Alfa AC1200 (RTL8812AU) driver.
Simply extract the files and modify the Makefile so that CONFIG_POWER_SAVING = n (ctrl+f all the things).
Then type make.
Wait a few minutes for it to finish.
This should work for any kernel version >4.0. I have not tested it with anything older.
Download Here: drier-4.3.22-beta.tgz
Project WristHUD + War Walker
For Def Con 22 the DC801 group, with help from The Transistor, created an epic badge for the annual party. Some commented that it looked like a Pip-Boy while others thought it looked like some amazing future tech that must hold the keys to the universe. I fell in love with it once I first saw it and couldn’t wait to get my hands on it. It had a Cortex M3, which I had never written code for, so I wasn’t able to make it do much more than print some words on the screen. During the week leading up to Def Con 22, I started to lose my voice and got sick enough to leave the Con early. Needless to say that ended up being one of the worst years in history.
Since my DC22 was such a failure, I began planning and scheming for Def Con 23 very early. This year I wanted to take the same idea of the DC801 badge, but make some minor improvements that would allow it to be the keystone of my War Walker project I was going to debut at Def Con.
I built a prototype on some modified perf board. I wanted to keep the hardware as modular and simple as possible so that I could get deep into the software side of it. I used a TFT 340 x 280 display and a Teensy 3.1 from PJRC. I also used an RN-XV WiFly from Sparkfun. This was initially going to be an XBee/ZigBee, but then I saw this presentation by Sergey Bratus, Javier Vazquez, and Ryan Speers, which made me dump 802.15.4. The RN-XV does have some limitations, like depending on layer 2 encryption and not having support for hosting higher-layer encryption such as SSH. Instead you get telnet, so make sure this network segment is locked down or build encryption on top of telnet.
The next phase of this project was to get my War Walker hardware ready. For this I used a Beaglebone Black, a powered USB hub, and 2 Alfa USB adapters. One of the Alfas was running the Realtek chipset and was what I used to communicate with the RN-XV on the WristHUD. The other was the Atheros chipset, which is used for all the magic. Then I powered this setup with a 7200 mAh USB battery.
I initially had some issues when I was using a non-powered USB hub. I measured my current draw to be around 300 mA with both radios, but the BBB would freeze after a few seconds even though I wasn’t maxing out the capability of the USB port. I changed to a powered hub and it fixed everything. Also, USB hubs are not all equal, and I discovered that some do not work at all with ARM Linux. Thanks to some help from the Raspberry Pi community, I discovered that the Amazon 7 port USB hub works awesome.
I started writing some bash scripts to start monitor mode and to make the war walking process much easier. The goal was to have a script running that would communicate with the WristHUD to get interactions and then execute the scripts I selected. The primary software feature I got working for DefCon was to start the Alfa in monitor mode, configure a dump directory, and then run airodump-ng.
At this point Def Con 23 was about 1 week away and I wasn’t sure if I was going to be able to get all my tech fully functional to show off at the Con. I decided to order some PCBs from Pentalogix based on my prototype and went all in. Once I had assembled my PCB and components I had no clue how to make it wearable. The DC801 badge had a custom made leather strap that was fitted to hold a LiPo as well as the electronics. I have (+0) on my leather working skills and so I started asking for help. My friend Jeff came through for me and machined some plastic that would mount my hardware. I used some zip-ties to attach it to my wrist.
The zip-ties didn’t bother me because everything else seemed to be working great! I had the software communicating to the base station in my backpack. At the Con I met @jaysonfennimore who helped me change the zip-ties out for some sick velcro!
I was able to collect data on Thursday from Blackhat 2015 and through the weekend collected roughly 15 hours a day around Paris and Bally’s (Def Con). I have already started doing some data analysis and have found some very interesting things. I will be speaking at Saintcon on October 27th about my findings and maybe I’ll submit to Def Con 24.
I can’t wait for next year. I’m going to build on this platform and perhaps share. No promises though.
Here’s some more pics
OpenWest Metasploit Presentation
Here are the slides and some notes about my presentation. Even though I wasn’t able to execute the payload due to a weird network issue, the exploit was running on the target. I will post a screen cast of the process once I root cause the issue I had with my virtual machines.
Here are some additional tools I didn’t get to:
- msfpayload – build stand-alone binaries that contain the selected payload with the options set
- msfencode – encode a payload
- virustotal – quickly scan your payload to see if your modified payload gets detected
Here are some commands I ran under msfconsole:
- workspace -a sploiting
- workspace sploiting
- search ms08-067
- use exploit/windows/smb/ms08_067_netapi
- set PAYLOAD windows/meterpreter/bind_tcp
- show options
Sources:
- http://www.dailysecurity.net/2013/05/11/fix-metasploit-database-not-connected-or-cache-not-built/
- http://www.offensive-security.com/metasploit-unleashed/Msfconsole_Commands
- OpenWest 2014 – Intermediate Metasploit
Friday H4k V|dZ pick
I was looking through the list of vidz I’ve watched recently and had to start telling you about some you need to watch!
Seeing The Secret State Six Landscapes
Trevor Paglen
The work that Trevor is doing has brought visibility to many things that are supposed to be secret. His intuitive reasoning has allowed him to collect photos or documents that are classified. His ‘artwork’ is stunning. Among my favorites: Area 51, the stealth drone video, the Utah NSA datacenter, and images of spy satellites!
Summary of this presentation: it takes logistics and infrastructure to support things that are secret, and there are visible elements surrounding the classified. Don’t participate in the culture of fear.
Hardcore SQL Injections, optimizations and obfuscation
Conference: Blackhat LV 2013
Title: ‘) UNION SELECT `THIS_TALK` AS (‘NEW OPTIMIZATION AND OBFUSCATION TECHNIQUES’)%00
Presenter: Roberto Salgado, Websec
Thoughts: This presentation really took my thoughts on SQL injection to the next level. He initially discusses some optimizations for retrieving data from the victim database using a method he created called the Bin2Pos Method. This method uses the position of the binary number representing the character being retrieved. Here is an example:
IF((@a:=MID(BIN(POSITION(MID((SELECT password from users where id=2 LIMIT 1),1,1) IN (CHAR(48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70))),1,1))!=space(0),2-@a,0/0)
This is a very clever idea, but it requires the ability to use 2 different parameters. In addition he talked about obfuscating different syntax to bypass scanners and firewalls. He has done very extensive research on the documented strange behaviors of the different SQL platforms. A truly epic thing he included in his presentation was how to combine multiple SQL tests for quote types into one test. This reduces the total number of tests that need to be performed, which means fewer calls to the server and gets the job done quicker. Here is his example:
3 total tests: OR 1=1 / OR '1'='1 / OR "1"="1
OR combined: OR 1#"OR"'OR''='"="'OR''='
AND combined: !=0--+"!="'!='
Anyone building web applications with an SQL backend needs to watch this video. Anyone who does web application firewalls and scanners needs to pay close attention to this as well. Ultimately this presentation opened my mind to whole new thoughts on information encoding to achieve injection!
Resources:
- US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides
- US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-WP
∞d4rkm4tt3r