Advanced Wi-Fi Hacking With $5 Microcontrollers
9:53PM Jul 25, 2020
Hello, welcome back to HOPE Conference. This session is called Advanced Wi-Fi Hacking with $5 Microcontrollers. We have with us Kody Kinzie and Stefan Kremser. Kody is a security researcher with Varonis, and Stefan Kremser is a computer science student. You want to say hello, guys? Hello. All right.
Hey, nice to meet you.
Okay, very good. All right. So we're going to go right to your video and then we'll have some questions right after the show. We'll see you there after the show. Thanks.
Hello, everyone. Welcome to our talk on Wi-Fi hacking with microcontrollers, although the alternative title to this is "why you should be afraid of smart light bulbs." Today I'm also going to be joined by Stefan Kremser, who is the creator of most of the software that we're going to be talking about today. All right, so who am I? Well, if you have seen the Null Byte channel, the Hak5 channel, the Retia channel, or the SecurityFWD channel, I am the host of all of those shows. I also started the production company that's behind all those shows, called Retia. So if you see Retia, that is me. If you want to follow me after this presentation, you can always do so on Twitter at Kody Kinzie. My specialty is Wi-Fi hacking, open source intelligence, and generally just really small, cheap devices, because I'm really interested in the types of devices that anybody has access to and that are really, really cheap to buy. So that's what we're going to be focused on today. There are a bunch of contributors to the ability to hack Wi-Fi on the ESP8266, but the most substantial contributor is Stefan Kremser. Stefan, welcome. Introduce yourself.
Hello. Yeah, I mean, I wrote the thing we're gonna talk about for most of this talk, I guess, the ESP8266 Deauther. And yeah, I do a bunch of, like, microcontroller hacking stuff, mostly Wi-Fi though.
And Stefan is based in Germany, I'm based in the United States, and our other friend James, aka howdy burgers, which is his hacking handle, is based both in the UK and in the States. And you can see all of us here at 36C3, the hacking conference where we all met and started working on a couple of ideas to really push the envelope in terms of what this could do. I had a lot of ideas for Wi-Fi attacks that I wanted to try out, as well as some Wi-Fi games, and Stefan had a ton of experience making these little devices do things that they weren't supposed to do. Combined with James, who managed to create a really simple interface for us to use, we managed to push this project a lot further than we ever really thought we would. So we're really proud of our results. And you can see here all of us having a great time at 36C3, and also everybody that isn't James is also James. Hmm. We were also inspired by some other people's work. Personally, I was really inspired by Mathy Vanhoef. He is a Wi-Fi security researcher who has discovered a number of really interesting attacks against Wi-Fi, both WPA2 and the upcoming WPA3. I had the opportunity of interviewing him fairly recently at a conference, and I was really inspired by some of his work, which we'll be citing today in our presentation. So I'm gonna let Stefan explain what a microcontroller is, because it's an important thing to understand when we're talking about what these things can and cannot do. If you've worked with a Raspberry Pi before, that doesn't really prepare you for what this is, because this is a level below a Raspberry Pi. It doesn't have an operating system. It requires you to know, if not a little bit of programming, at least how to upload other people's programs. So Stefan, go ahead and take it away and explain what this thing is that you've been working with for several years now.
Yeah, so basically, this is a very small, inexpensive piece of hardware that you can program. So yeah, think of it like some piece of hardware that does a thing. For example, it has Bluetooth, or Wi-Fi, which is what we are going to talk about today. And yeah, you can program it and tell it what to do, like open an access point, or whatever, and the code runs directly on this piece of hardware. So this is like a tiny computer all bundled into one chip. And yeah, you can program this, for example, with the Arduino IDE, which makes it a lot more user friendly, and you can tap into the whole community there. But you can also, if we're talking about the ESP8266 in particular, use MicroPython or other languages. But the Arduino IDE is probably the most common and user friendly way to program this. So what's the difference to something like a Raspberry Pi? Essentially, a microcontroller is something you program, and the code you flashed onto it then runs bare metal, directly on the hardware. There's no operating system in between. Maybe there is some real-time operating system, but that's something more specific we won't cover here today. But essentially, you flash a piece of software, so pieces of compiled code, onto the memory, and then this piece of hardware just runs it. That's it. You have direct hardware access to the inputs and outputs. So these, like, I/O pins, you can see in the picture on the left we have an LED connected that you can control, which doesn't have a resistor on there. Kody, what did you do there?
I always do that. Resistors are meant to be destroyed in the pursuit of science. Yeah,
whatever. So, the microcontroller, it's gonna be fine. But essentially, these things are low power, small size, and often very cheap. And you have this, yeah, very direct hardware access. But a Raspberry Pi is more like a tiny Linux computer. Yeah, you have Linux running, you need a microSD card to install it. The advantage here is, if you're used to Linux and desktop OS kinds of things, you can just run the same code on this thing, because it's like a tiny computer, it runs the same software. It still has a lot more computing power, probably, yeah, less than a desktop computer, but a lot more than something like a microcontroller. But it also means that, you know, it's bigger, it's more expensive, it gets hotter. It's not really a thing for all applications you can think of, but compared to a microcontroller, it has advantages and disadvantages. One advantage definitely is that you can run the same code because it's Linux, but you also have desktop-like I/O, like USB, Ethernet, those sorts of things.
Yes, you need a lot of accessories to get started with it as well, as opposed to a microcontroller, where you just plug it in, right? Yeah,
the microcontroller, you just flash it and then run something. The Raspberry Pi, you have to install a bunch of stuff to set it up first. So how would you program a microcontroller? I already mentioned the Arduino IDE. Basically how this works, in a very oversimplified version: you get some piece of software, for example the ESP8266 Deauther that you can get on GitHub, where the source code is available. So you download that piece of code, or you write your own. You open it in the Arduino IDE, which is a very simplified, user friendly IDE. You select the board you want to upload it to, so the kind of microcontroller or development board you're using. And then you just press upload. It will compile the code and send it over USB to that microcontroller, and then you have it flashed, you have the software installed. That's kind of it. So what is this ESP8266? Essentially, this is a Wi-Fi system-on-chip, so it's a tiny computer with Wi-Fi, all in this tiny five by five millimeter package. You can see it in the top right corner there. I'm sorry, what's a millimeter?
Or 0.2 inches. Thank you.
Sorry, this conference is in America. Sorry, guys. Right. Okay, so
yeah, tiny, tiny thing, all in one little piece of hardware. But again, then, what do you do with this chip? You can't really access it. So that's where development boards come in. Some development board examples are the WeMos D1 Mini, and maybe you have also heard about the NodeMCU. The WeMos boards are something you can see in the bottom picture there, and those are insanely cheap. You can see it starts at $1. That's essentially a little PCB that has the ESP8266 on there, together with another chip and a USB connector so you can talk to it over USB. It also has, you know, the required power management and also breadboard-friendly pins, so you can put it in a breadboard and control LEDs, these sorts of things, basically making the whole thing very accessible, easy to program, and, yeah, making it easy for you to get started right away. There are plenty more development boards, I just named the most popular ones. And yeah, the price is insanely cheap. So where can this be found? Essentially anywhere,
basically any IoT device. So you can see here the light bulbs. I actually made a video about this, and I think the bottom left corner picture is actually from the thumbnail of my video, where I just bought a bunch of these cheapo Wi-Fi enabled light bulbs and opened them, and I found all of them had ESP8266s in them. In the bottom right picture you can see me trying to flash actually one of them. I soldered on a bunch of wires to make it accessible. But yeah, essentially, you know, it's the same chip as on a development board. If you find this, you can just reflash it with the same software, same Arduino IDE. And it's, it's crazy. There's an open source project for this as well. So yeah, kind of funny. So you find this about
Evil light bulbs is kind of the subtext here, not on this, not on this particular demo, but I think in the future, evil light bulbs.
Right, what we are going to talk about is how you can hack with this Wi-Fi chip. It's quite interesting to think about where you find this, and that's in all kinds of IoT devices. And yeah, just think about it: you can reflash and override the default firmware and have a light bulb do all the crazy stuff we're gonna get into now as well.
So maybe you have also heard of the ESP32. I'm just going to go over this quickly. It's the successor of the 8266. You know, it has more power, it has a dual core, a lot more RAM, more I/O, but most importantly Bluetooth support, so that can be quite useful. And yeah, a bunch more pins, as you can see in the bottom, not always breadboard friendly. But if you have applications that need that, then yeah, that's more useful. But it also means you pay a higher price. This is a chip more around $5 if you buy just the chip, cheaper than the development board, but yeah, in the grand scheme of things still very cheap. And yeah, you find this basically anywhere you will find the ESP8266, but in applications that require a bit more data processing, because of the more RAM and CPU power this chip has. It can do stuff like basic video streaming or surveillance or even facial recognition. And that's where this ESP32-CAM development board, which you can see on the bottom right, comes in. You can actually buy it, it's quite easy to use. And Kody actually made a video on, I think, Hak5, right, when you used this. Yeah, so if
you want to check that out, we have a video on using the ESP32 camera's built-in facial recognition capabilities, and then how you can actually break them. So if you check out Hak5, "defeating facial recognition," there's a really good video on how these little microcontrollers can actually do facial recognition and how to mess them up. It's crazy.
So again, differences, really quick. The 8266 has more limited power, and it doesn't allow us to sniff full Wi-Fi frames, but we can still access, you know, the basic metadata, which is essential to the types of attack we're gonna talk about. It doesn't have Bluetooth. It does, however, allow us to do unrestrained packet injection, meaning we can define our own Wi-Fi packets, or raw frame data, and just send it out over the radio, no restraints, basically. Meanwhile, on the ESP32, we have a lot more power because of the dual core and all that stuff. It offers a better sniffer API that is not restrained in any way, so we can sniff all types of packets at full length, and all that. It comes with Bluetooth as well. But it doesn't allow us yet to inject our own packets completely unrestrained, only a few. So for example, it can deauth, which is a technique we'll cover today. So basically, think of it like this: the 8266 right now can send whatever we want, and it's really, really cheap, but it doesn't have that much power. The ESP32 is a bit more expensive, can do more of the signals intelligence stuff, but it can't really send packets as well. So the 8266 is the one for security research.
Yeah. So with a guy I partnered up with, we actually created these development boards that you can just buy, pick up, and use as a hacking device. So this comes with the firmware pre-flashed, and because it has this little OLED and the little buttons and LED, it makes it very easy to use right away. But it's still a development board, so you can actually flash your own code onto it. That's really useful. And it removes the whole having to interface over Wi-Fi to control it, or any other things. You buy this thing, you pick it up, you can use it right away. So how did the ESP8266 learn to hack? Basically, it was always able to do packet injection and sniffing, but these functions are not really well documented. There are also some limitations. For example, you can't sniff the full packet length, and you can't inject all types of packets. But if we use an old SDK and apply some changes, we can actually undo the whole sender restrictions, so we can send whatever type of packet we want. And the combination of this sniffer and an unrestrained packet injection means that we get a tool, or a piece of hardware, that we can turn into a very good hacking tool, because we can do most kinds of Wi-Fi attacks with this. We can't get into stuff that runs in the network; like if you're connected to a network, for example, it's more complicated if we talk about encrypted connections and those sorts of things. But everything that works on the overlying Wi-Fi layer does work, even though the sniffer is somewhat limited, because we can get all this metadata. We can do all these great attacks we're going to talk about now.
Cool. So I'll take over here. This is where I originally contacted Stefan over Twitter, because I was doing research into all the different attacks you could do, and all the cheapest ways of pulling them off. And the deauthentication attack has been around for a long time, because it's a fundamental flaw in the way that the Wi-Fi most people use every day works. Now, what happens here, the short of it, is that using this little tool, you can kick any device off Wi-Fi, and it will not be able to reconnect until you decide to let it reconnect. And the way that works is that this device is able to read all the packets that are flowing around it and determine the MAC address of the router, as well as any devices that are connected to the router. Now this tool can basically lie: it allows the ESP8266 to send packets that forge who they're from, and direct them to devices that we want to kick off. So if we want to kick a device off the network, we can send a packet called a deauthentication packet to the device and lie and say that it's actually from the router. And the device will just accept it as a fact, because these packets are unencrypted. They're used to manage connections, and because they're often used before devices are fully connected to a network, they can't be encrypted, and they need to be in plaintext. So we can take advantage of that to use this small tool to lie, figure out what the MAC address of any access point nearby is, and kick their clients off, either continuously, or just once in order to do something like grab a Wi-Fi handshake. Now another kind of attack we can run is called a disassociation attack, and this is a very similar type of packet that's used for everyday things. And it's important to note that these packets are normal. They are used to regulate Wi-Fi connections.
Maybe you're moving to a new Wi-Fi network, or maybe you're going out of range, or maybe your phone turned off the Wi-Fi connection. That's what these packets are for, and they're necessary to maintain normal Wi-Fi connections. So what we're doing here is abusing these normal, everyday packets to create undesired behavior on the network by targeting a specific device and bombarding it with packets that seem to be from the router, telling it to disconnect. Now, these packets have slightly different effects on different devices, because some of the way Wi-Fi works is determined by the manufacturer. And we can use one or the other of these packets in order to attack devices that are on the network, using the tool that Stefan has written here. So why would you want to do this? Well, as I already mentioned, you can use this to attack things like IoT devices, like maybe a web camera that relies on an internet connection in order to be useful. You can target individual devices, like maybe a cell phone or a laptop, or you can also do this to herd a device from a safe network onto a sketchy one, which we're actually going to be doing a demonstration of today, where we get someone to automatically join an evil access point using the ESP8266. Now, if you have another Linux computer, like a Raspberry Pi, or even if I just have this MacBook Pro here, I can pop open Wireshark and then use the ESP8266 to briefly disconnect any device from the network. As soon as it reconnects, I can capture the Wi-Fi handshake and try attacking it with a tool like aircrack-ng, which could give me access to the Wi-Fi network in its entirety.
So I like to think of these as almost a replacement for a wireless network adapter in some regards, because they're kind of like a programmable wireless network chip, where you can preload it with different behaviors and then script them to do basically whatever you want, in order to maybe help out another attack, or be able to do something like generate a Wi-Fi handshake to save time, or if you're on a device that's not capable of doing this sort of packet injection.
So our first application of this, and one thing I was fascinated by, and you'll see the link on the next slide or in the resources, is the deauth detector. This is an application where we just use an ESP8266 and, with no resistors (it's fun, no resistors), plug in a three-color LED. What this does is, any time we detect these packets at a certain rate, so let's say more than three per minute, we turn on an LED and say, "Hey, there are deauth packets flying around, or directed at my network," or, "Hey, there are disassociation packets flying around." Or, you know, if we get both, and I think it's red for one and blue for the other, we get purple. So if you see purple, let me know, someone's using a tool that's sending a combination of deauthentication and disassociation packets. And actually, I was able to show that you could determine the exact type of tool that was being used to attack a network by looking at the pattern of deauthentication versus disassociation packets, just by visualizing it with an LED. So something like MDK3, when you use it, just flickers back and forth between the two packet types, but something like aircrack-ng or aireplay-ng only sends one type of packet, so it just keeps hitting it with deauthentication packets over and over. So it's a really interesting way of detecting attacks, as well as finding out what tool someone might be using. We can also do Wi-Fi scanning and signals intelligence. What we can learn here is what Wi-Fi access points are nearby and what their clients are, but also clients that are not connected, so clients that are nearby but haven't associated with an access point yet. We can also see, from those clients that haven't associated yet, I guess I would say their trusted networks, or networks that they've connected to in the past. This is a feature where a device that has recently connected to Wi-Fi networks is calling out for them in plaintext using the real name of the network.
So we can identify information about where a device has been by listening to these broadcasts. We can also determine the manufacturer of devices and even search through them by this. So if you want to find, for example, every Nest camera in an area, it would be relatively simple for us to do so. We can also determine signal strength information. This gives us relative information about how close a device may be, whether its signal strength is increasing or decreasing, or when it's present or not present. Then we can also see activity: whether somebody's sending data packets, when someone actually connected to a network and is using it, or when their device is just idly connected to the network and not actually being used. Now another application Stefan made possible through his pcap library is the ability to actually save, on an Arduino device, a pcap file to an SD card, or even,
well, in a limited fashion, stream it to Wireshark, to be able to open packets and see them. But they are limited, because you can only see basically what's called packet metadata, or the first part of the packet, because the rest of it is cut off. So the ESP8266 can't see everything; the ESP32 is more capable of digging into packets and better suited to doing this sort of packet sniffing. But the fact that you can use this as a packet logger to do something like determine when someone comes and goes from a house, or something like that, is a really cool application of this sniffing ability. Now, I really like the ability to create fake networks. And the ability to create fake networks is something that leads into some of the more advanced attacks that we're going to go into in a little bit. There are two different types of fake networks that we can create. We can create purely fake networks that devices could never actually join, and this is called a beacon spamming attack. We're recreating the appearance of all these networks by broadcasting the packets that advertise that a network is there, without any of the subsequent packets that allow a device to connect. The alternative to this is that we can also create an actual access point that someone can join. This means we can capture devices, or basically have them join our network, and then do something: either drop the connection, so they're not able to connect to data, or serve them a phishing page. Now in our first example, devices will still react as though these networks are real. So even though we're creating fake networks, devices around us will react as though they were real, and we can, for example, monitor when devices are trying to connect to these fake networks in order to determine which of these fake networks they've connected to in the past.
So now we're going to get into the first version of the Wi-Fi Deauther, the v2, which has a lot of really powerful features that make it easy for beginners to learn and use on pretty much any device. Stefan, you want to explain the Wi-Fi Deauther v2? Yeah,
you said "first version," and then v2. So yeah, this is the second version, so the current version. And yeah, it's like a Wi-Fi attack platform. So basically a piece of software you can flash onto an ESP8266, and it can run all these attacks that we're gonna talk about or already talked about. It makes it really easy, because this thing basically runs on any ESP8266 development board, or just the raw chip. You just have to get the code onto it and then somehow give it power. And it will open an access point, so a Wi-Fi network you can connect to, where it also hosts a little web server. So if you then go to the right IP address, you are greeted by a little web interface where you can control the whole thing. This tool allows you to do your beacon spamming and deauth attack, where you disconnect devices, and yeah, you can even script the whole functionality to a certain extent.
So this is the web interface I talked about. So yeah, we use the Wi-Fi interface, which we also use to attack and sniff for devices, to have this access point on and this web interface available for you so you can control it. So yeah, this is basically a way to control this tool. It's very easy and user friendly. And yeah, when you start it, it automatically scans for devices nearby. So you can see it here, and you can see the networks available, and you could just connect and run some tests on them. So the deauthentication attack is the most basic, but also the most powerful attack, I guess, because when you run it, you will just continuously disconnect, and therefore effectively block, a specific Wi-Fi connection. So basically how this works is we select the target, and then we just start the attack. This has some limitations, talking about the web interface here. Because we only have a single Wi-Fi radio, we can either run these attacks or serve the web interface, not both at the same time. It also means that when we are actually scanning for devices, the web interface and the whole access point have to shut down. So this is also unavailable; it will then go online again, but if the scanning time is too long, you will be disconnected and might have to reconnect manually.
So yeah, you can't really do more advanced attacks, for example something where you would try to phish another user by serving a fake page, because we are already using the web interface to serve a page that controls the whole device. There is, however, another way of interfacing with it, and that's the USB serial connection. But as of right now, with version two, there is no good cross-platform tool for it. You can use the Arduino serial monitor, which I used for most of the time, because Arduino works on most operating systems. There's also screen and other similar monitors you can use. The whole point is that the experience isn't really smooth across operating systems, and you will always have some sort of setup you have to go through first, and that's not really user friendly. So this is a way to control the device without this whole, you know, shutting down the Wi-Fi or the access point while you're running an attack, but it isn't really user friendly with the current version. And this brings us to version three, and that's also where I focus most on the serial interface.
It's already, yeah. So the whole idea with this version right now is to focus on more advanced attacks, more advanced signals intelligence, because through that serial interface, it's basically like a little terminal where you talk to the ESP8266 through that USB connection. And yeah, the whole goal is to interface more advanced kinds of attacks and all that stuff. As you can see, it's pretty nicely formatted here, and, you know, we have colors and everything. And yeah, the whole idea is just to make it a bit more advanced and circumvent this whole Wi-Fi radio problem by using the serial connection. That's possible through the Huhnitor, a little Rust-based cross-platform serial monitor maintained by James, aka holy burgers. Fine. So yeah, this one's on all operating systems and makes it just much easier to connect to the ESP8266, because you just install this little tool, plug in the ESP8266 (it has to be flashed with the Deauther, of course), and then, you know, it automatically connects and gives you this properly formatted, colored output and just makes the whole experience easier. It fixes this whole problem we had with the old version, where you don't really have a good experience because you have all these different serial monitors and all that stuff. So this is our own little application specifically made for the v3, and yeah, it just makes the whole serial terminal experience better.
Cool. So this is where I'm going to cut in and show basically some of the attacks that are made possible with the Huhnitor, and some of the advances that I think people will find very exciting. So if you want to start scripting attacks with the Deauther v3, it is extremely easy to do. Basically, what you can do is find a command that consistently gives you, in this case, a whole bunch of fake networks that look really convincing. So for the Southern California area, I can just script all that and even make compound commands that are really complicated and long, and save them all in a text file. And I can execute these one by one by just using the read command. In this case, I've selected one that creates, I think, 65 fake networks that are really common in the Southern California area, and then also monitors for devices that are attempting to connect to them. We'll take a look at what that looks like in just a little bit. So if you're a total beginner, you can also just use the start command. This will give you an interactive series of prompts that lets you do anything that the device can do, and gives you all the optional settings in a series of questions where you can press enter to take the default value, or you can put in whatever custom settings you want, and it'll format the command for you at the end. That's exactly what you wanted, which helps you kind of learn the command system if you don't want to go through the very long but very helpful help menu, which you can see by just typing help at any time. Now let's take a look at something we can do that's very simple. This is a command that we'll use to just identify every Apple device around us. What I like about this is it's shareable and it's repeatable, so we can use this to share things with maybe another hacker who wants to do something that relies on first identifying Apple devices. So, oops, the slide's not advancing.
Here you can see I'm using scan, and then I used two semicolons. What that does is allow me to chain commands together. So first I did a scan, then I did semicolon, semicolon, wait, and I'm basically waiting for the first command to finish executing, so the scan will finish. And then I did a results command that filters for Apple devices as the vendor. So as soon as this scan completes, you can see the second command ended up finishing there, and we were able to locate the only Apple device
in our immediate area. And this should work for you, too. If you run the same command on your computer or on your ESP8266 Deauther, you should be able to also find any Apple device around you using basically the same script. So the repeatability is really what's cool about this. Now, I took an attack that was documented by Mathy Vanhoef and really wanted to apply it to this platform. And as I mentioned before, I was using the beacon spammer to create, like, 100-plus fake networks that were really common in the Southern California area, and monitoring for which were the most popular, or which of those had the most devices nearby automatically attempting to join them because they had joined that network in the past. Now, what we were able to do here is use that to basically unmask these devices that are trying to connect. What I mean by that is that every Wi-Fi device, like a smartphone, has a MAC address that can be tracked if it never changes, and because of that, manufacturers make sure that that MAC address is randomized when you're just out and about, so that nobody can track you from place to place. Now I can basically peel back that layer of protection by creating a bunch of fake networks. If any of those fake networks match a network that you joined in the past, your device will automatically assume that network is safe to join and attempt to join the network using its real MAC address, allowing me to track you and also removing the layer of privacy and protection that these manufacturers have built in. So we're going to use this tactic to create 60-plus fake networks, and then monitor which ones are basically getting the devices nearby excited and getting them to want to join, because they've basically joined that network before. Let's see what that actually looks like. So I'm using the script that I wrote, which is the beacon script, and as you can see, it just automatically creates 65 fake networks.
A lot of them are restaurant networks or some coffee shop networks. But these are things that are pretty expected. and here we can now see that we're monitoring attempts to associate With these networks, so we're seeing the MAC address of the individual devices that are now attempting to they think they're at Burger King. So they're joining Whopper Wi Fi, and also joining the Marriott Wi Fi. So this is a really, really cool way that we can not only identify which networks devices nearby will join if we want to hit them with a more advanced attack, but we can also unmask devices near us. So we can verify this is the same device, even though it's trying to use MAC address randomization. Now, kind of the crown jewel of this is forcing a target to join the evil access point, as you see this hacker doing here manually. Now we're going to do this automatically by combining our previous attacks to first identify the target we want. Then we're going to kick it off the access point it's currently on. And we're going to serve up an access point that we know it will join because we basically did the previous attack. And we were able to identify networks that are in it's called what's called its preferred network list or networks that is joined in the past and will automatically connect to. So let's see that in play. Here, we're going to simultaneously using our semi colons to separate the two commands D off our target. And then also create an access point that's called test net. And in this case, my computer is connected to an open network called test net before, so it should automatically connect once it's been disconnected. So once these compound commands run, and these because they didn't put weight in the middle will run simultaneously usable run in parallel together, I'm both attacking the devices connected to a network, and I'm also creating the access point. So as soon as that device connects to the access point, automatically, it's going to get served a phishing page. 
And if that person is unfortunate enough to put their password in that phishing page, you can see they just hit the phishing page. Now they're probably typing something, and boom, we get the password. So we just got the password, my password, which is not my password, so don't try that on any of my accounts, but "mypassword123", that's my secure password.
You can see that it's just as simple as that to force somebody onto an insecure network that basically steals any information they put into a phishing page that has popped up. And on the left, you'll see the actual phishing page that I was typing into. This is on my cell phone. And of course, it thinks it's at Burger King. It's like, hey, you're at Burger King, we're getting your password. But in general, you'll see this in attacks like the Airgeddon attack, which kicks somebody's device off of their network, offers up a plausible page that looks like their router's update page on an open Wi-Fi network with the same name, and entices people to put in the password to complete the update, and basically won't give them Wi-Fi until they actually do it. Now, this is not all bad. We've also put this together into a hacker game, so the people looking to do things like crack passwords can do so without getting in trouble. If you have a single ESP8266, you can actually play back traffic from multiple devices, which means we can capture a handshake and then just play it back from an ESP8266 on a loop. So if you have a Raspberry Pi or wireless network adapter that's capable of capturing handshakes, then you can capture them and crack them without any need to do anything, because for a lot of schools and other organizations deauthentication attacks are a deal breaker, because the students might accidentally do the wrong thing.
Now we put together something like this for the RSA conference. And you can see here, we actually took two microcontrollers and connected them on the back via serial, and we had one of them create an access point, and the other one join it continuously. We liked this solution because we were able to just send it a command and have it reset itself to a different password each time. And rather than having to capture traffic, store it and upload it to the ESP8266 on a single device, which is possible but a little tedious to change, we were able to make a Wi-Fi hacking game that was able to be changed in seconds, just by linking these two devices together. We also created the absolute best game I've ever created, the Chicken Man game, and you can tell it's good because of the ASCII art. Now what this is, is basically two different teams; each team gets a Raspberry Pi computer running Kali Linux, and then we have two access points for them to hack, each on an ESP8266. Now we have a third ESP8266 that keeps the score and also lights up a string of NeoPixel LEDs. And as one team starts to win, it'll shift the lights from one team's color to another, so any spectators can see who's winning. This is a really cool game because it lets large groups of people get together and hack. It's a safe target that people can physically attack that will react to their attacks, so they can see when they're winning. And it's a really great way for groups of people to learn to do this. So if you want to check out a really great Wi-Fi hacking game, Stefan, myself and my friend Brandon all collaborated on this project. And this proved to be very popular.
Now our future goals for this project are numerous, and we're almost out of time. But basically, we're looking at customizing phishing pages, making proximity based sensors, so basically being able to tell when a device comes close by monitoring signal strength, and either triggering a script, like maybe doing something on the device, or plugging this into a computer so you can monitor the signal strength of a targeted device and maybe execute a script on your laptop as soon as a certain device is nearby. You can also expect us eventually to get around to doing more signals intelligence stuff, because that's a big passion for Stefan and me. And I'm really passionate about trying to eventually exploit Internet of Things devices automatically, after we're able to detect them by their vendor ID. If you have any ideas for Wi-Fi hacking games, please send them our way, because we really want to develop more interesting Wi-Fi hacking games that make this sort of thing safe, fun and effective for people who want to get out there and do this. And of course, the ability to record full pcap files to actually grab handshakes, and maybe even try to crack them against a really common list, is something we're looking at in the near future, just to get the absolute lowest hanging fruit and see if we can actually do some cracking on the ESP32.
Now if you want to follow up with anything you've seen in this presentation, check out our Discord server. You can see the link on the top there. You can join our meetups, which are no longer just in LA since everything is online, here at the Cyber Weapons Lab LA Meetup group. You can also check out the Chicken Man game, the ESP8266 Deauther, the Huhnitor serial monitor, the Deauth Detector, the WPA2 handshake generator, the two-ESP8266 Wi-Fi duel game, the beacon spammer, and finally the ESP8266 CTF game compilation GitHub, at these links here. Please go ahead and take a picture or check this out later; I think you'll find all of these links very interesting. So that's our presentation. Thank you, Stefan, so much for not only joining us today, but also doing all of this incredible work on making these small, low cost devices accessible for anybody who wants to get started with Wi-Fi hacking, as well as advanced hackers who want to maybe start scripting attacks that wouldn't be possible for such a cheap price if you hadn't put in so much work. Yeah.
You're welcome. I mean, this is quite fun for me too. So yeah.
Cool. So that's our time. I'm looking forward to any questions in the Q&A, and again, if you want to follow our work, you can always follow me on Twitter at Kody Kinzie. And Stefan, what's the best way to follow you? I guess Twitter works, at Spacehuhn, or just anywhere else you find Spacehuhn.
Any Spacehuhn, anywhere Spacehuhns are sold, you can find Stefan's work.
Yeah. Just to reiterate, we are actually working on a new Discord community. You saw the link in the previous slides if you want to join. You're welcome. Yeah,
please, we would love to talk to you and hear your questions. And even if you don't get a chance to ask your question or give your idea in the Q&A, you can always do so in our Discord community, I think it says hi, light.
Okay, so thanks for sticking with us. And welcome back. We've got Stefan and Kody with us. And Kody has an announcement about a workshop coming up. Go ahead, Kody.
Awesome. Well, thank you. First of all, this was my first conference talk, so thank you guys so much for watching it. If you were interested in the subject, we actually have a workshop coming up tomorrow where we're teaching you guys to use version three of the Deauther. So if you're interested in that, please check it out. It's on the HOPE Conference website. And you'll get to actually learn all the stuff that we're talking about today, as well as try it out yourself.
Very good. And I think we do have a couple of questions in the chat. But while I'm looking for that, I do have a question for you about when you're using your tool. You know, what kind of batteries do you usually select when you're running your device? Does it come with, like, double A's, or, you know, do you need more power? How does that work?
Yeah, so if you just run it on, like, a development board you can buy, then you just power it over USB. There are boards that have some LiPo battery connector, some JST or whatever standard connector it is. So those would be 3.7 volt LiPo cells you can buy on, for example, Adafruit.
Okay. And, oh, one question that I want to know. Do you have a story about how you might have used this for a business where they were under attack, and your tool was able to resolve the issue?
Well, Stefan, you want a better show? I,
I think you probably have better stories than I.
Well, all right. So this tool is both offensive and defensive. And we've shown some examples today of how you could use this to do an attack, or how you can also use it to detect attacks. So for us, I found it really easy to just solder this together on a perf board and use it as kind of a permanent way of determining whether an internet issue is being caused by a potential attack, a misconfigured router or something like that, that might be sending off deauthentication packets when it shouldn't be. One example was there was a while where I was living in Los Angeles where there was a neighboring network that was configured to, like, disallow devices that were trying to connect to it. And for whatever reason, it was just deauthing devices that it shouldn't have been deauthing. And we were noticing a bunch of problems with our internet; we could not figure out what it was. But as soon as I wired up the deauth detector, I was able to very quickly determine, like, hey, there's a bunch of deauth packets going around, and I was able to see how frequently it was going. So if you wanted to just hook this up to an LED and use it to detect when your network's under attack, it's a really easy way of ruling out scripting attacks or things that are really just simple for anyone. Well, in this case it was about $1 and a microcontroller to do.
Well, that's very interesting, because, you know, being in the business, clients call up and say, you know, "hey, my Wi-Fi," etc. I'm sure you know the drill. Let me just check the chat and see if we have anything here. Um, I don't see any more questions, but is there anything else that you want to add to your video before we finish up, or Stefan?
One question that we also get all the time is, does this work against five gigahertz networks? And the answer is no. As of right now, this little microcontroller, I have one because we have hundreds everywhere, but this little microcontroller only works on 2.4 gigahertz Wi-Fi. So if you have, for example, a device that has both 2.4 gigahertz Wi-Fi and five gigahertz, and you kick it off of its 2.4 gigahertz Wi-Fi, it doesn't get captured on an evil access point and it just moves over to the five gigahertz network, you're kind of screwed. You know, there are some limitations to this. But we're really enthusiastic about how much you can do and how far we've come with these attacks. And there also are microcontrollers out there that do have five gigahertz access; we're looking at some that are, I think, from Texas Instruments that are really promising. So there are some really exciting advances that are coming out that we're looking at that might make this more capable in the near future. So if you're interested in this stuff, I highly recommend that you try it out for yourself. They're super cheap. And if you want to support our project also, you can pick up kits for these on the hackerinterchange.com website. And you'll find the link also in our workshop for tomorrow.
And I want to add to that, as far as I know, Espressif is working on a five gigahertz ESP32. But who knows when that's finally released, and even when it's released, ready for us to be used. So that could take a while. But I'm sure five gigahertz chips are just coming. Just have to wait. Yeah.
That makes sense. All right. I think we're out of questions. I want to thank you all very much. It was very, very, very impressive, and you put a lot of time into all this work, and thank you for sharing it with HOPE 2020.
It was our pleasure. And we'll see you guys.
Thank you. Yeah, thanks.
Thank you. Bye bye.
Kody, I love your sticker.