One of the things you hear most often leading up to DEF CON is that it is the most dangerous network in the world. Ask anyone, and they’ll tell you that if you don’t lock down your devices you will get pwn’d. I wanted to know if it really is the most dangerous network. I also wanted to know how I could protect myself. It isn’t until you have visibility into the threat that you are able to protect yourself. Because I thoroughly enjoy the social nature of the conference I am not one to just turn off all of my devices or put them in airplane mode. In fact my Twitter and IRC usage spikes around this time. I am the type who likes to understand the threats and dissect them so that I can mitigate them appropriately.
Before DEF CON 23 (2015) I built a system that I could use for “War Walking” around the conference. Go here for a full write up on that device. After successfully “War Walking” DEF CON and analyzing the data I submitted a talk to Saintcon (saintcon.org). That talk was very well received and can be seen here. One of the things I wanted to do was to expand the project and place nodes throughout the conference. “War Walking”, although interesting, only gives you a small snapshot of what’s going on in the airwaves.
Thanks to the Minnowboard.org Foundation I was able to make the goal of multiple fixed nodes a reality. They sponsored the project by providing 12 MinnowBoard Turbots, USB 3.0 hubs and wireless adapters. Without their support of this project it would not have been possible!
* The box is an SRA Gun Case 13.4 x 9.5 x 4.7″
Inside the box is the following hardware:
* MinnowBoard Turbot (Specs: http://www.adiengineering.com/products/minnowboard-turbot/)
* Powered 4 port USB 3.0 Hub
* 70 watt AC to DC power supply, 5v output
* 8-post terminal block
* Alfa AC1200 802.11AC USB wireless adapter (RTL8812 chipset)
* 3 x TP-Link TL-WN722N (AR9271 chipset) high-gain USB adapters
* Ethernet feedthrough
* 64 GB USB 3.0 flashdrive
The MinnowBoard Turbot was chosen because of its immense power. It features a 64-bit Intel Atom dual core at 1.46 GHz and has 2 GB of DDR3L RAM. With power like this it opens up the possibility of real-time filtering, and of multiple adapters monitoring simultaneously without the hardware becoming the bottleneck. Couple that with the speed of the USB 3.0 bus and you’ve got a lot of options. One other feature that was key early on with the prototype is its extremely low wattage. In my tests I did not see the MinnowBoard Turbot exceed 15 watts under load.
The Alfa AC1200 was chosen since it seemed to be a very robust 802.11AC adapter with support for both 2.4 GHz and 5 GHz. When I first began investigating 802.11AC cards I found only a very few that had Linux driver support for managed mode and none that had monitor mode. I found some forum posts about people who had gotten this card working in Kali but I was not able to make it work. I finally found some beta drivers which I patched to work with Linux Kernel 4.22. There is a write up here for that.
The TP-Link TL-WN722N cards were chosen because they are a cheap way to get access to the AR9271 chipset, which has very stable Linux support for both managed and monitor mode thanks to the ath9k drivers. By using 3 cards instead of 1, each card spends more time capturing wireless frames and less time channel hopping. My next build will have many more of these cards.
A 64 GB USB 3.0 flash drive was used as the primary system disk as well as storage for the capture files. I used both Samsung and SanDisk drives since both have proven reliable and fast for me in the past. Even though the Turbot does have SATA2 support, its advantage over USB 3.0 is not that large, and it would have complicated mounting SSDs inside the case. It would likely have driven my costs up too.
The Ethernet feedthrough was used to make provisioning and wired networking easier. Since the devices were to run headless and some were attached to a network this was a no-brainer.
The 5v 70 watt AC to DC power supply was chosen so that it could provide up to 10 amps, or 7-8 amps sustained without the regulation drifting as the supply heats up. When I used a smaller supply in my prototype I noticed the voltage sagging to 4.7v after the device warmed up. The Minnowboard Turbot doesn’t like to be more than +/- 0.25v from the 5v input. As the voltage sagged it seemed to trigger the brownout threshold on the Turbot and shut it down. Once I used a larger power supply this was no longer an issue. The wireless cards are hungry for lots of milliamps.
On the previous project I used Airodump-ng, which is part of the Aircrack-ng suite. I simply assumed that Airodump-ng was the equivalent of tcpdump but for wireless. I hadn’t realized that it was written specifically for capturing IVs, capturing handshakes and aiding in the cracking of wireless passwords/keys/pins. I found this out thanks to #aircrack-ng on Freenode as well as by reviewing the source code, which showed large parts of the frames being dropped to reduce overhead. In short, Aircrack-ng was the wrong tool for the job.
The right tool? Kismet!
Kismet is a very feature-rich tool that includes a wireless IDS, wireless analysis, frame dumping and a simple GUI to access it all. In addition the developer is very helpful and responsive. Out of the gate Kismet is configured to support channel hopping and some basic IDS alerts, which enhanced my presentation.
To use Kismet with multiple cards, pass each monitor interface as its own capture source:
kismet_server -c wlan0mon -c wlan1mon -c wlan2mon -c wlan3mon
You can also add the cards to the kismet.conf file located in /etc/kismet. Inside the configuration file you can also specify the time to spend on each channel, which channels are hopped by which interface, what priority each channel has and much more. I have only begun to scratch the surface of what this tool is capable of.
The last piece of software on these devices was a simple bash script that started monitor mode on the network cards. I’ll leave this up to the reader to figure out. A hint is to use airmon-ng start wlan0 for each card you plan to use. I dug into the source code for airmon-ng a bit and determined that what it does to start monitor mode was far more involved than I wanted to script myself, so I stuck with theirs.
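A node bring-up script of the kind the post leaves to the reader, added here as an illustration and not taken from the project; it assumes bash, airmon-ng, iw and kismet_server are present on the node and that the cards show up as wlan0 through wlan3 (interface names are assumptions, adjust to what ip link reports).

```bash
#!/bin/bash
# Hypothetical boot script for a headless capture node: put each card into
# monitor mode with airmon-ng, confirm the kernel agrees, then hand the
# resulting *mon interfaces to kismet_server as separate capture sources.
set -u

# airmon-ng names the monitor interface by appending "mon" (wlan0 -> wlan0mon).
mon_name() { printf '%smon' "$1"; }

# Accept only plain wlanN names so a stray config value never becomes a shell argument.
valid_ifname() { case "$1" in wlan[0-9]|wlan[0-9][0-9]) return 0 ;; *) return 1 ;; esac; }

# Build the kismet_server command line: one -c per monitor interface.
build_kismet_cmd() {
  cmd="kismet_server"
  for ifname in "$@"; do
    valid_ifname "$ifname" || { echo "bad interface name: $ifname" >&2; return 1; }
    cmd="$cmd -c $(mon_name "$ifname")"
  done
  printf '%s' "$cmd"
}

# Start monitor mode on one card and verify it (needs root, airmon-ng and iw).
start_monitor() {
  mon=$(mon_name "$1")
  airmon-ng check kill >/dev/null            # stop NetworkManager/wpa_supplicant from grabbing the card
  airmon-ng start "$1" >/dev/null || return 1
  iw dev "$mon" info | grep -q 'type monitor' # fail loudly if the card did not actually switch
}

main() {
  for ifname in "$@"; do
    start_monitor "$ifname" || { echo "monitor mode failed on $ifname" >&2; exit 1; }
  done
  exec $(build_kismet_cmd "$@")             # word splitting is intended here
}

# Usage: ./start_node.sh wlan0 wlan1 wlan2 wlan3 (does nothing when given no cards)
case "$#" in 0) ;; *) main "$@" ;; esac
```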
During BlackHat I was only able to deploy 2 nodes because the rest of the hardware hadn’t arrived yet. 1 node was placed in the NOC and the other was placed under a stage next to the keynote track. During BlackHat 4GB of data was captured. One of my nodes can be seen in the first picture of this CNET article about the BlackHat NOC.
For DEF CON, 12 nodes were configured and 11 were deployed throughout the conference. Because it was held at both Bally’s and Paris, deployment locations were complicated. The conference used both convention centers, the 3rd floor of the Jubilee tower at Bally’s and the 26th floor of the Indigo tower. Conference room blocks were positioned in both Paris and Bally’s. And yes, that is the CGC stuff in the background of this picture!
Thanks to the help of some AWESOME DEF CON goons I was able to deploy nodes covering the 3 speaking tracks, the chill out areas, the contests area, the 26th floor and the Bally’s room block. It took roughly 6 hours to get everything deployed.
The Demo Lab
Even before I had finished setting up my table a mob of people were wondering what I was doing. I was truly blown away with the amount of interest my project had. If you came to my demo lab, THANK YOU!!!
One thing I must correct, during my demo I was saying that the Minnowboard Turbot is a quadcore when it is really a dual core. I apologize for saying the wrong thing.
One of the cool things that happened during the demo lab was someone launched a deauth attack while I was monitoring live. So thank you to whoever began that attack, it sure made my alerts a lot more interesting!
The photo below was taken by @wifiluke and I shamelessly stole it and posted it here because I forgot to take pictures or video of my demo. Thank you Luke!!
I had the privilege of being interviewed for Hak5’s Technolust! That interview can be seen here or below. I am a big Hak5 fan and always love seeing the Hak5 family at all the cons! They are very supportive and helpful to the community and always have great content on their YouTube channel!
I hope to write another, more in-depth post about the results, but there is a lot of data to analyze.
I was able to gather 40 GB of data from my 11 deployed nodes at DEF CON. I proved feasibility of wireless monitoring at DEF CON and am very excited to work on the analytics!
More coming soon!!