Wi-Fi Hacking - Who Hacks Wi-Fi, & What Tools Do They Use?

Null Byte

28m 37s · 5,461 words · ~28 min read
Auto-Generated

[0:04] ...a small team of hackers in Southern California who write for Null Byte, and we also consult for businesses occasionally on issues that they have and try to just make the world generally a better and more secure place. Some of my speakers today are also from my team. So, for myself, I am a WiFi hacker, social engineer, and open source intelligence and human intelligence researcher. I've worked at startups to organize processes and in business development roles. So, today, a lot of people ask what WiFi hacking is, and there's actually a number of different things we can be talking about when we're talking about WiFi hacking. One of them is just gaining access to the network password; that's kind of what most people think about. But there's also tricking users into connecting to a fake network that looks like a real network. We can also pivot into a wider network based on another network device like a printer that has an open network. And finally we can use some flaws in WiFi chips to exploit devices that basically people don't have any choice at; you really don't have much you can do about that sort of thing other than turning the WiFi on your device off. So, when people hack WiFi, it's always for a reason. People don't just hack for no reason. Sometimes people just need free WiFi. Other times they want direct access to home and work computers, and all the devices attached. So as soon as you join a WiFi network, you have a lot of things you can do on the network: you can manipulate traffic, you can explore the network and find out what devices are attached, if they're vulnerable, and start doing things with the flow of information between those devices. Another one is the ability to hijack police drones, IP cameras and other infrastructure that we rely on in order to type critical information.
You can either disrupt those or you can actually tap into them and start doing things like, you know, hijacking drones and telling them to do stuff they shouldn't be doing or watching the feed on security cameras you shouldn't be able to watch. The ability to monitor user devices and when users come and go. A lot of people know that you can hack WiFi; not a lot of people know that you don't necessarily need to when it comes to being able to monitor whether a user's home or not, for example, or who is in the area with them. If you needed to keep tabs on someone and you didn't know their WiFi password, it doesn't really matter, because you can still detect the devices when they're in the area and when they're associated with the network. So, corporations and other organizations like government agencies use this kind of information regularly to track you when you're in a store, when you're making purchases, where you go with the thing around. And generally they seek to understand how people move by recording where their phones are, which can also lead to things like just generally tracking people who haven't consented to being tracked, in kind of warrantless searches. So, relaying criminal VPN traffic is a problem. If you have somebody breach your network, any kind of traffic originating from your network seems to be from you. So, if somebody wanted to email the vice president with a bunch of death threats, it would seem to come from your address. That's something that people have done; people have done some very bizarre things, and if you guys have ever heard of swatting, that's a tactic where people pretend to make a 911 call or otherwise originate an emergency call or some sort of disaster call from a specific IP address or a specific phone number so that the SWAT team comes, in an effort to actually just attack the person who really owns it.
So, this can also be escalated because if you're on the network, you can also appear to be an employee or somebody else who's authorized. And that can cause problems for anybody who's trench with strict access to their network. If you can, for example, seemingly send an email from the owner of the company to a business partner and ask them to, you know, deposit money into a sketchy account, that can be a real problem for an organization that's based on trust. So, what is at stake when your WiFi is compromised? Well, a lot of people don't really care. Some of them will even leave their WiFi open, which is really funny, because that's not a good idea. In fact, anything that you do on a WiFi network, if somebody gets your password later, if they're recording it at the time, and let's say they were doing it for months, they could go back and decrypt all that traffic later once they get the password. So, surveillance isn't just limited to what people can get after they get your password; they can actually be in place a while before. And if you're doing what's called a penetration test, which is when a professional team of researchers would go in and test for these things, one thing you would do is be persistent. You would go on site and begin to record information before you necessarily have the ability to decrypt it, because you know later on, you could have user passwords already. You could have stuff in plain text; the only thing you need is really the next step, which is just getting the password, which you can get later on. So, you don't know how long your information might have been recorded, and once your password is breached, that information is out there. So, all traffic may also be manipulated and changed by an attacker, including diverting to real-looking fake login sites to steal passwords. This is called phishing.
A number of members of our team are very familiar with this, and the way that it works is when you try to go to a real website, somebody on your network will route you instead to a real-looking website that will steal your credentials, relay them and then log you back into your site as though nothing happened. Most people don't notice it; it's a very small disruption and everybody's getting kicked off their Facebook or something once or twice, sometimes that, you know, is what that is. So, routers can also be converted to spy on you, and this is something that the CIA does; it's something that the government is really into, because they don't need to put a spy device on your network, they just create one out of your router. Now, your router is a Linux computer. It has a little operating system, it does different things, and you can tell it to do things other than what it was intended to do. It stresses it out but it can handle it. So, what the CIA has done, for example, is create something called Cherry Tree, which is a really interesting system that turns the router into a rogue device. So rather than sitting around and spying on people, why don't you just turn their router into a device that will do your work for you? So, another issue is, again, criminal traffic may be associated with you. It is actually super profitable to route criminal VPN traffic, like stolen credit cards, like checking to see if they're valid; that kind of traffic often will flow through VPN networks that go through compromised WiFi networks. So if the FBI shows up and wants to know why you're carding so many people and stealing credit cards, it could be because you just left your WiFi password set to something bad. So, ransomware can also take over your network.
A lot of these new modules like WannaCry, after you have Hunter modules, where if you join a network and you're infected, it will find every device on the network that is also infected and spread through it. So, the security of WiFi is a real concern. If you're running something like a school, a hospital, a police station, anywhere where records are critical to the operation of what you're doing, this kind of stuff can destroy your business. So what kind of criminal masterminds can actually defeat WiFi? This is Betsy Davis; she is, I believe, seven years old, and she hacked into WiFi in 11 minutes. So when we look at the kind of people who can get started and start doing these kinds of attacks in the real world, there's literally no barrier to entry anymore. Children can do it, angry neighbors can do it, techno criminals can do it. That's people that, you know, use technology to commit crimes but they're not so good at coding, like credit card scammers and stuff like that. Attractive women with large breasts are very, very good at this; they walk in and they ask for the WiFi password and it's the easiest way to get it, because people don't like to say no to them. So often we get off on all these technical details of how to hack WiFi and it does not matter, because you can send somebody that has something in common with the person who administers the WiFi, send somebody that's willing to talk to them. Someone who makes the rules seem not so important, because giving out the WiFi password is a very, very common thing to do. And even if the rules are to not do so, if you like someone, chances are you will do it. College students with bad credit and bad grades frequently will hack into their school's grading system and change their grades. Criminal syndicates targeting specific businesses, nation states targeting infrastructure, security researchers like myself wanting to get paid, and robots will all do these things.
So, this is a really handy way of classifying the real world threats that are out there, and I'm borrowing this from CPT hacking. This kind of explains the different categories that people who would do this kind of attack fit into. We have unsophisticated threats, unsophisticated persistent threats, smart threats, smart persistent threats, advanced threats and finally advanced persistent threats. So, the difference between those: first we have unsophisticated threats, and those are people that are not very good at this. They take a long time to learn; they need stuff that has been documented and out there for a while. They need stuff to click on that just does it. And they don't have to really follow up on anything. We're talking about crazy dads, lazy criminals, teenagers, neighbors that are angry at you for past aggressive stuff that want to get back at you but don't want to confront you, robots. All these things can do unsophisticated attacks, and the kinds of attacks that unsophisticated threats like to use are things like WEP cracking; tools like Besside-ng, Aircrack-ng, and Wifite are automated tools that require fairly little user interaction to out and out crack WEP networks.

[9:35] Now, WEP stands for wireless equivalency privacy, and it was kind of the first type of privacy and encryption that was implemented for WiFi networks. It was not very good, and it was broken, again, in 2005. So if you are running a WEP network, you are opening yourself up to anybody cracking into your network. And there are tools that make this so easy that you run them, you walk away, you come back 15 minutes later and if there are any WEP networks in the area, you have the password. The WPS setup PIN. In older routers, there was a setup PIN that could be brute forced in a number of hours; sometimes, I think the maximum was about 14 hours. So if it had this feature, you would get into the router within 14 hours, usually sooner, but it was just a matter of time, and powerful, if you can say you can defeat WPA, which so far hasn't been cracked, it's the newer standard, in 14 hours or less, that means that nobody is really secure if they use this stuff. But people have gotten smart and they've started phasing this stuff out and it's much, much harder to find something that will actually be vulnerable to this nowadays. So, WPA cracking. Nowadays if you want to be able to crack WPA, which is the current standard that superseded WEP, there's basically one way to do it. You can get a handshake, which gives you the ability to guess against a big list of passwords. And if you get it right, you know. So, the speed with which you can guess a large list of passwords and the accuracy with which those passwords reflect the likelihood of being the password: if we're working off a big list of passwords that are harvested from real users, that are used all the time, that are very common, we have a pretty good chance of being able to break in.

[11:11] If we're using a bunch of random letters and stuff, it'll probably take a long time and then we'd need a very fast processor so we could try many, many, many guesses, because we're just trying random things. By targeting things, we can narrow it down, and that's what we started to do with things like RockYou. So RockYou is a stolen list of passwords from real people, and because people tend to reuse their passwords, that's kind of a thing people just do, these passwords work all the time, because it contains almost every terrible password you can think of. Like the top million terrible passwords that people use are in this list. So if you're guilty, most of your stuff can probably be exploited by an idiot with this list. So, going a little bit more into that, when you have this word list, all you need to do in order to attempt to crack a password is get a handshake from the network. Now, if anybody is connected to that network, if you disconnect them for just a second, you can capture the necessary information to test against this list. So, you can go home after you get the handshake and crack for as long as you like, with as many resources as you like, and really escalate this thing if it's a priority for you. So, the way that WPA is vulnerable is vulnerable in a very specific way: if you choose a bad password, it is vulnerable. If you choose a password that computers can guess very well, it is vulnerable. But if you pick a very, very, very secure password that's hard for computers and people to guess, and you don't tell anyone, it's still pretty good. So, that's kind of the situation with WPA and why there's a lot of different attacks for it but it's still a strong system. So, the last one is social engineering. There are tools like Linset and Fluxion which will actually block the legitimate WiFi network and then create a fake one and attempt to trick the user into joining that one.
Now, that one's pretty bad because the fake screen looks not very believable, but a lot of people fall for it. The first time I heard of this attack, I was working in a business, and the WiFi went out; I connected to the same thing that just didn't have any security on it, and immediately it told me the router was rebooting and needed my WiFi password to do so. And I was like, I know exactly what this is. And I didn't know who was doing it, but I knew it was a fake form that was trying to get the password for the WiFi. So, things like this are used in the wild all the time. I don't know who's responsible for that, but you will see this kind of stuff pop up; when you see the legitimate WiFi suddenly go out, and there's sketchy WiFi right next to you that has the same name, but it's open, and you're getting a weird login portal, there's probably a reason. Because it's way easier to get you to tell me the password than it is to try to crack it, because why would I waste the processing power if you'll just tell me? So, next up is smart threats, and that is what me and my team are paid to simulate. Smart threats have specific skills. They contribute on what's called a Red Team by having specific areas that they're good at. Like red teaming, social engineering, coders, people who do Python, people who are good at all kinds of different aspects of IT, and even breaking into buildings, are going to be people that can contribute to a red team, because physical access is a thing too. So, the types of people who tend to be smart threats are effective criminals, organizations that actually make money, hackers, advanced students, private businesses, insider threats; that's people that work for these organizations that want to make money and they're smart enough to try to get away with it.
So, they typically use tools that aren't free, or if they use tools that are free, they're very good at them. They use advanced frameworks and tools used by professionals. They tend to use Linux-based operating systems and they use clever attacks that exploit widespread vulnerabilities. So, a couple of attacks used by smart threats: one is getting personal with passwords. They realized that it does not make sense to run a default password list, so we came up with things like cupp.py, which is an interactive script that asks questions about the user. What is their mother's maiden name, where did they grow up, what is their dog's name, what is the first address they lived at; anything you know about them, it will create a custom word list based on those details, because people like to use their sister's birthday or their anniversary. So, this would hit all of those things. So for anybody that's sentimental, you just fire up this Python program and you create a customized word list that cuts down the amount of time you have to spend guessing.

[15:24] Then we get CeWL. CeWL just scrapes an entire website if you're going after an organization, especially if they're not smart. You can scrape all the unusual words that they use, especially organizational buzzwords that they'll probably make passwords out of because they're stupid, like integrity or something like that. You can scrape all that stuff off their website and use this script to generate a custom word list just for that. So you have a better way of attacking specific organizations instead of using just a general word list. And then we get Crunch, which is a specific word mangler where we take things like RockYou and we modify them so that they become a permutation; we use leet speak and throw in all the other stuff that people think is really clever, but in actual fact, it's not very original. And it allows us, once we know maybe the format of the password or how many letters it has to be, to get pretty fucking close. So, next up we have cracking by GPUs. CPUs are not that great for cracking. Things like CUDA and Pyrit can take advantage of GPUs to significantly speed up the time that we spend cracking these passwords. When we speed up the time in which we can burn through these lists, we can use bigger lists and we can use things like rainbow tables to eventually make it so that it takes very, very little time to attack a network cryptographically. It's very intensive in terms of power, in terms of cost. You have to get a cracking rig, but it's something that people who are serious about it can do to gain a real advantage in basically breaking your password. The second last is distributed crackers. Distributed crackers take many, many computers, distribute the work of going up against your password hash and come back with the results very quickly.
So by having a group of volunteers who are willing to run computers that crack against your password, you can basically get 50 handshakes just by driving around as much as you possibly can, submit them to the service and then get back 10 results in a matter of five minutes. So, the last is paid services. If you're desperate and you are a criminal, or you just really need to get the password, there are paid services, mostly based on AWS, where you can rent servers just to crack passwords specifically. Next up is recon and targeting. With Wigle WiFi, you can actually locate in time and space every network that you pass by with just a smart phone. It will tell you where it is located, who makes it, the security it has, whether it's running WEP or WPA, and you can even, if you're a programmer, take the information from the script and only come up with vulnerable networks so you can go back later and exploit only the vulnerable easy ones. So Kismet is a way of monitoring which devices are connected to networks. It's a Linux program that's kind of a bare bones version of Wigle WiFi, and it's something that will allow you to not only geolocate networks but know specific information about who is connected to them, when they are connected to them, and log them over long periods of time. And finally, ProbeMon takes advantage of the fact that cell phones put out probe requests periodically to be able to detect networks nearby, which actually reveal the last several networks that they've connected to. So if you're an attacker and you can see that somebody's recently connected to a network called Google Starbucks, you can create a fake network and know that most phones are going to automatically connect to it. Now, brief show of hands, has anybody here connected to Google Starbucks at the moment? You want to check your phones? One. Anybody else?
So when you walked in, there's actually a rogue device here that is named Google Starbucks, and since most of you probably at some point connected to Google Starbucks, some of you might have been having trouble with your internet because it's not actually connected to anything. We're being nice, we're not actually routing traffic through it, but by simply placing a network that's open, that you have connected to before, your laptops and your cell phones will automatically connect to it without telling you.

[19:04] So, I'm not providing data, but I could be providing you bad data or malicious websites or malware or any other thing and you would not know that, because your phones took that choice away from you. They automatically connected, and the reason I could do that is because I know that you connected to it. So, by doing things like listening in on probe requests and seeing where the people around you have not only been, but what kinds of networks they've been connecting to, you can figure out if they've been connecting to an open WiFi network in an airport lounge, pop up that network, see if it connects. So, Ian's going to go into this a little bit more, but a man-in-the-middle attack is kind of what I just described. It's creating a network that does malicious things; we're not doing that today, we just created one to demonstrate, but you can create fake APs, jam real APs and force the user to switch to a rogue device. Devices like the WiFi Pineapple are designed to seek out, clone and then replicate these wireless networks that you are trying to take over and trick the user into connecting to that network rather than the legitimate one in order to do all these nefarious things. Tools like MDK3 and wifijammer.py will actually operate as software-based WiFi jammers and completely take out WiFi, including any devices dependent on it, like IP cameras, command and control servers, anything, for up to two blocks depending on the wireless network adapter that you use. Doing that with hardware would be illegal, and doing it with software is arguably illegal; it's part of why being able to get handshakes is a little bit controversial. Because in order to do that, you have to disconnect the other person for just a moment, which is technically not supposed to be done. So that is one thing to know. A lot of these tools are used by hackers because they're not totally legal, and you should always check before using any of these.
Should have said that at the beginning. So, it is possible to jam WiFi; in fact, it's a tactic that's extremely effective because it forces the user to do something. If you are in a co-working space and you want to attack a whole bunch of people with a lot of wealth, you can simply knock them off the internet, force them to connect to something and conduct all of their business including banking arrangements, financial transactions, everything through this fake network, gather everything and end up doing a lot of damage. So it's important to note that if you suddenly lose access to a WiFi network that you've always had access to and suddenly there's all these new alternatives around you, it could be for a reason. Next up, Tim is going to be going into this a bit, but we have rogue devices like the USB Rubber Ducky. Once you have physical access, all bets are off. If you can plug in a device into a computer when nobody is looking and the computer is unlocked, if somebody steps away on the phone for a second, if you call them, if somebody has an emergency they need to take care of or if they leave for a second, you can plug in a device that will bypass all of the security you can possibly set, because it thinks it's you, using a keyboard. So, bypassing the WiFi entirely with Ethernet is also a tactic you can do, as well as just rebooting the entire router. So if you upload custom firmware to the router, so it is running your program instead of theirs, you can also bypass the entire process of needing to know the WiFi password. So, Advanced Persistent Threats are the last kind of group that we'll cover. These are nation states; these are people who have cyber weapons. These are not people that are using commercial products to do testing; these are people that are looking to smash shit.
The reason that they are doing that is because they have resources like personnel, money, processing power, nation state backing and access to military grade cyber weapons. And they have very specific agendas; each one of these groups is out to do something. So because of that, you don't see a lot of minor players in this group, and you don't see people that are getting into your WiFi to do some tame stuff. These are generally people that are operating weaponry that is real and is something that the world hasn't really seen before. So, when we talk about who these people are, again, it's nation states, intelligence agencies, hacktivist collectives, terrorist organizations, criminal enterprises, and increasingly criminal proxies and intelligence services. What that means is hackers will get caught, but they won't get put out of business. Instead, intelligence agencies will use them to do various things so that things don't get traced back to them. So for example, if you're caught hacking into the Pentagon, then a Russian hacker being sent to jail for that is a lot easier than a, you know, military officer being caught doing that. So, the signature of an APT attacker is they have a huge toolkit to choose from. Most smart threats will use what they know, they will use what is comfortable, they will use what has worked before, but an APT hacker can use things that are exact; they will pick the exact right exploit that works exactly correctly for the exact situation they're in, and that is their signature, the fact that they have such a wide toolkit to draw from. They use many zero day vulnerabilities, which basically means nobody else knows that this vulnerability exists, and therefore you cannot defend against it. Microsoft does not know, the vendors do not know, because the government keeps it a secret to basically power these kinds of weapons.
They are highly focused on achieving their specific goals, and they are capable of actually causing widespread death and destruction. We're talking about disrupting infrastructure, critical things like power, electricity, water, gas that would actually cause people to die if it were to go down. So, this is not the kind of thing where, you know, they're just trying to prank us; these are things that in times of war would actually be real things to think about. So attacks used by APTs are going to be zero day frameworks, that is, vulnerabilities that have not been disclosed; implants, which is actually putting hardware into things before they get to you; and cyber weapons, like you might have heard of WannaCry, things like that. So when you do not know about a vuln, you cannot hope to protect against it. This is the essence of a cyber weapon. Things like the Broadcom BroadPwn vulnerability, which was released a little bit before DefCon, were actually a flaw in the firmware of the chip that runs WiFi on almost everyone in this room's phone. So because of that, and it was not patched until a little bit before DefCon was announced, if you had your WiFi on, not connected, but on, and walked by somebody who was running this exploit, they could run arbitrary code on your phone, which is insane. Because you have no way of batting that. There's no, I mean aside from just turning off WiFi, which is a good idea by the way, there's not really a way of getting around that, and that's dangerous. So it's important that people know that there are ways of breaking into WiFi that are much more advanced than the other things we've covered. Cherry Tree is something you might want to look at.

[25:51] And finally, nation states have access to supercomputers; your passwords are laughed at by supercomputers. So finally, at the end of the talk, WiFi is a liability if you don't know anything about it. If you use WiFi, you should be aware that many people will actively seek to exploit a vulnerable or misconfigured network. If you're not a target, I hope you know that it is actually super valuable for the right people. So, by understanding what these problems look like, we can identify them and build a stronger infrastructure. If you're interested, check out Nullbyte.com for more WiFi exploitation and ethical hacking. So, we hope you will come back to see more talks like this, and also check us out on Nullbyte.wonderhow.com.

[28:36] Thanks guys.
