Add Beholder Name with airSlate SignNow

Add beholder name

so thanks everybody for showing up i am luis this is nelson we're going to be talking about a to that Nelson road and here just because I'm funny kind of not really I gave him some ideas on that so let's get to it so we're going to get a little bit of boringness and a little bit of Brazilian accent this morning so have some coffee so we're going to go over the agenda is going to be like who are we what we do kind of for a living I'm going to do a brief introduction about Wireless attacks something that probably you guys know better than I do but it's going to be really quick just to get you in the mood for 4p holder then going to just mention some attack tools solutions existing solutions for for wireless attacks then I'm going to pass it over to Nelson who's going to talk about the development of beholder what does he do what is what does it what it doesn't do we're going to run us up from like some diagrams some scenarios on how to implement the beholder and we're going to try to do a demo at Def Con if it doesn't go well we have a few videos to show you but hopefully it's going to go well and then we're going to go over the futures of beholder and also wireless attacks so I guess let's do it so who the hell are we I'm release I been working with wireless for quite a while now actually if you have somebody to blame the network the wireless network here that's me so boo me or buy me a beer later how take it and pretty much that's how I pay the bills it's working with wireless Nelson Nelson this is the man the guy flew all the way from Brazil he gave with the idea of coming like a few months ago so let me do a brief introduction here a few months ago Nelson told me I want to write something like this and that I'm like dude that's so freaking lame right everybody does that already they're like 10,000 wireless to one a day and he said no I want to do something a little different and since you've been working with this for a while too maybe you're going to have a few ideas and let's try to do a talk at Def Con and here we are now so if you wrote the whole thing I'm just like wow this sucks Oh put this there oh man you don't know how to do anything so this guy who wrote a book it has like a couple of books published in Brazil is the author of the Czech brute kete so that's the guy so this is the man like a few years ago one of the first wireless talks that I've seen was from him so big props to this guy here okay so this is the boring part ok so I'm going to try to be really fast so we're going to talk about wireless attacks Wi-Fi attacks things that we've seen for the past seems what DEFCON eight we've seen things all around so I put the slides in an order that is kind of like an evolution could be wrong I'm going to forget some stuff actually I have my cheat sheet here so let's see if I don't forget okay so the very first one doss attacks water dog attacks in wireless networks dos attacks could be like different things could be from packet types of sending packets G off packets to clients d off packets to access points faking beacons trying to steal associations or simply just attack the network even like from layer one from like the wireless if use a jammer like this that you can buy for two hundred bucks to actually like throwing rocks at access points hexis points is something that actually wireless is good works wireless works well that's again how I pay my bills but it's you have you don't have the wire there other problems that you might have is interference interference sometimes acts just like Jamie 2.4 gigahertz as you guy now as you guys know it's an open frequency so everything sorry so everything there is very much free for all so that's a problem men in the middle attacks usually it's used in combination with some sort of DOS attack or packet injection as well so you have a client that is connected to a valid access point you want the password from that guy at starbucks you run your laptop then you do a man in the middle and you steal whatever you want from that guy if the guy doesn't yet use encryption impersonation that means you have one guy with a laptop so there are three scenarios here one the guy has a laptop and he wants to pretend he is a valid user to gain access to the network in an open network and it's starbucks or some airport that's okay because there is no encryption then people thought oh let's put encryption on and then it gets a little harder and we're going to get into it but the second one is when sorry when the attacker he wants to be wants to act like a valid access point so the user the valid user is going to connect to that guy too and then most likely to be a man in the middle or like karma we're going to talk a little bit about karma in a little bit but it could be different things and lastly is some device most likely on AP that is going to be acting as a valid AP as well surveillance is just a matter of like packet packet is sneaking so you have your wireless network somebody's on the outside is different packets there could be encryption yeah but encryption today is pretty much the only way to block that you cannot stop the package from going through the windows and things like that some of the wireless ideas vendors they're doing some pretty neat stuff actually to install antennas outside the building and try to block the signal but again you're just sending more wireless packets but apparently it is effective I didn't try test that myself yet back an injection I talked about that most likely used to in combination of the other ones so when you do men in the middle first you have to do the valid user to connect to you or you send like or do back an injection to to simply break the network and send the off packets to everybody and things like that crypto cracking up web we all know that web has been broken forever that's why they created wpa then josh and some other guys they came over and they broke wpa so that your PA in theory is still kind of secure but not totally so go on the internet again i'm not here to preach to the core go to the internet and probably you know how to make your linksys router at home safe or kind of client side effects either ad hocs so how many here flu-like open your laptop in an airplane and look for networks although the FAA say you can you cannot use wireless devices on board but that's okay so you see free public Wi-Fi on the airplane is there an access point there of course not is there an attacker there may be especially flying out of DEFCON but usually what happens is there was a for example bug a twin on Windows that the client search for networks if it doesn't find the preferred let any of the networks in the preferred list it starts at advertising the last one it connected to simple Nomad presented there's actual con two years ago anything and lastly of course is client attacks on the same network you're at Starbucks you run n map you see that guy has certain ports open you try to do something on those ports rogue access points this could be a whole talk by itself because when you say rogue access points what could be a rogue access point not her rogue access point is any malicious access point so from a vendor perspective some vendors they classify a rogue access point as an access point that is blood into your network which is true so somebody went surprise for lunch just doesn't feel like working so I call let me test this router that I bought through for home and he plugs it in and his chillin out there suddenly somebody oh you we have a meeting oh let's go and the guy has well as they have the best wireless network using 80 2 and X wpa2 all the the whole nine yards but guess what now you have a linksys open network in your office so that's not cool and other things too now we're going to talk I think right now Oh more about rogue access points so when you talk when you we think about Wireless IDs systems rogue access points you think they wonder why I fries data to 1180 802 11 BG things like that but if you can buy and I bought one at eBay not too long ago a really old access point from cable channel digital like Rome about it's not 802 11 b or a some are 802 11 I'll writing the 2.4 gigahertz range but some there are 900 megahertz so if you have sensors that only work in two point four and five guess what you're not going to see that guy so if you can find this old stuff on the internet that's there you go then you have wireless bridges this is not a wireless bridge this was actually in Aruba the island the Natural Bridge the largest natural bridge existent but guess what happened to it it turned into a wireless one because it doesn't exist anymore but they still do tours to that so you get on up as you go let's go see the bridge and halfway to show the original doesn't exist anymore by the way so that's a ripoff impersonation 20 what is the impersonation 20 people came with just names we as security folks are turning pretty much into marketing people because say oh now we have the evil plan yes it is a new attack but guess what it is just impersonating a valid access point so everybody knows what the evil twin attack is right okay good or even better just run karma karma is whatever you want it to be it's like you're at DEFCON you're drunk you go out on the street it's like oh she's beautiful yeah she is so it retains it is whatever you want it to be we thought my nation I didn't talk about i mentioned crypto cracking but then you have faster crypto cracking dakari here most likely not so hikari implements any type of like crypto breaking into FPGAs so guess what through rainbow tables implemented in fpgas they can break him and Brenda man and Johnny Cash all these guys they did like some awesome work about like WP a crab cracking and that's how it goes that's Josh right one of the guys that know just a little bit more than all of us together here about wireless and his last talk is less finding that he told us about his rogue radio service so everybody knows how 802 an ex works right a little bit you have a radius server in the back end usually so everybody keeps saying it it's one XO wk2 yeah it's secure yeah and then a few years ago we found out that well if the client is is configured to use beep and does not validate the server certificate guess what it's not secure so then people start doing that then josh came with the idea okay if you want to validate a check for a valid certificate I'll do a fake access point i'll do a fake rogue a fake radio server and guess what I'll put a valid certificate on that thing and then so there there are other options that of course mitigate that so search on the internet for his video that's pretty cool and so josh is one of the bad guys so I just want to say there's a lot of people that in the past few years put a lot of work to make wireless more secure breaking it so big drops you all these guys that's that guy I'm sitting there stand up Eldon see you thought it was going to make me a sheen big hands were out and he did a pretty good research on wireless ideas is a few years ago dito from why fight club the shmoo goood hikari a render man my Kershaw dragon from kismet and that guys can Caruso he just drinks he doesn't do anything about tools so we all know about like there are several tools that you can use to make bad things and most of them you can find here from the stuff that all these guys like backtrack is an awesome live CD you should know that already so let's do solution so we talked about the attacks how to break it how do we fix that Wow some of the stuff as you know there's the way to fix it you cannot like matrix style dodge the packets that the evo 8 these are our seining or the evo attackers are sandy so what can you do there there's wireless solutions so I was I'm gonna do an introduction to wireless IDs and put you to sleep but I'm just kidding so I'm just going to talk a little bit about wireless idea so we get into the mood for beholder so w ids is not that i did a search on google and found that guy oh my god he looks excited talking about wireless so imagine the guy on the left he is the integrated wireless ids what is an integrated wireless IDs that's the guy who's sitting there you buy from a vendor a solution that you deploy all the access points anyone wireless IDs that is already implemented on that system and then you have the leading on the right she is the over the one that means you have your wireless network but that doesn't have any white wireless ideas capability so you buy from a vendor sensors and a total solution that is going to put their sensors along with whatever you have already so you have two separate systems which one is better I don't know it depends on the situation but both products do really neat things usually from one perspective is good to have something that is always they're not serving clients just watching for the network so that maybe that would be a better solution do I have anything else to say about this and of course you have wireless IPS systems usually the same systems but of course once they detect something they're going to attack back usually in wireless this is interesting because you could be tossing yourself if you if you say I don't want to I don't want any ad hoc networks here guess what if you're not that close from the AP if two laptops are close to each other they're transmitting the sensors are going to start attacking those guys to say disconnect but it's on the same channel then your wireless network could be using so that's a problem so keep that in mind but again I'm not here to say bad things about wireless IDs I think if you have a wireless network you need to have some type of ideas so you have some tools out there that help you find networks even windows crack your windows does that so you have netstumbler as well you have kids Matt then not only does that but what does it tell you it says there's a network or the network went away there is no they were not intended to be a wireless IDs and that's the idea that Nelson God so from a wireless from a free wireless IDs perspective the only thing that I know rogue scanner network chemistry released rogue scanner a few years ago that was a free to to search for rogue access points in your network it's they got bought out by aruba networks so I think rogue scanner is somewhere on the internet it's really easy to find and not on the wireless IDs but something that helps not only fan testing of course you're going to use Y craw from the midnight research labs to do pen testing on wireless but again if you have a wireless network most likely you better do some type of pen test every once in a while to see if it's working the way it's supposed to so before we get Nelson here just going to talk a little bit about 802 11 beacons beacons are management trains beacons are the packets that the access point sensing hey I'm here I am t-mobile I am hotspot whatever and some people have the wrong perspective out so here are the becomes you cannot see crap Kenny now but most likely the good things that it say it say it says the data rates that that wireless network network supports it says the name of the essid it says the speed is a high speed i already said that but it says the transmit power and all that all those values that it is really important for the client to know why to connect to that network or not guess what it lets everybody know everybody know about that as well so one of the things that people say oh I'm gonna make my wireless secure so I'm going to configure my beam not to send a fella the name of the SSID is it good yeah of course you turn on netstumbler or orchids Matt and you see there is an EP but I don't know what that AP is what SSID that is but guess what once the valid user connects to that AP the AP has to say yeah I am that guy so guess what now you know the wireless network name this is not new this is actually kind of lame but on the beacon and you might be able to see on the top left some vendors they actually send some information about because they want to make them a neat network kind of think right to help management and things like that they send some information that is really important that probably you should not need to know like this one here in this case yeah it's sent the SSID name but not only the name it get it gives the ability for the network admin to put on EP name so even if you didn't have any SSID or if you're trying to find an AP that one on the one two three four on the fifth process ap name success 8011 lagoon something I was in Cancun Mexico when i did this so my Oh awesome so I might not know what SSID name is but if I want to steal that AP or do something to that API know it is close to Laguna to F what or to e whatever that is number of clients connected and things like that so of course this is going to get more and more populated along the years so behold they're pretty much is based on beacons right now and I'm not going to get ahead of myself and without further ado Nelson burrito hi everybody thanks Luis okay let's go some about beholder behold is writing in cnc and base it on w ids wireless tools you know that to linux environment yeah just just another network scanner but behold it changed same change in IP assi gmac mode many change this so keen and meaningful sign of variations i will you talk about them and the cool feature is a syslog support to large networks you can use many sensors behold the sensor in your large environment and our reports to one syslog centralize it i will talk about that that that's cool that's a nice features but but it's not so cool same batter is Berra mint martini on his hand is ready for theft yeah behold it can be detected karma I are you show to you and can use rejects regular expression to that select what exactly you can be alerted and detective access point suddenly disappear to for example see if if somebody is a jamming sigh no but fix behold that don't do behold it don't put any interface in monitor mode don't sniffing that wireless traffic don't cracking around and don't detect anything about client behold it just for just the tech sign of a beacon sign just just that ok some design challenger weho this is can be easy to use style and maintains could be compressive to understand to implementing new features and some issues scanning time different power adapter beholder can use any wireless adapter in Linux environment if you if you if you have you your net you can use it for for behold for us behold Matt Wi-Fi caching it's a problem because if the if access point disappear may be delayed to detect that and don't use any libraries external libraries adjust choo-choo source codes do you make and that's okay for now just for linux and the future I don't know me is real maybe let's let's check the technical details how beholder detects karma behold the sands a random ssage quest any wait for response if if the gas response probably probably probably Karma's running I I can set one changed the ssas SI g random and wait for response that that that mode to detect karma environment so how many SSID is do you create like faking 30 or two I don't remember better better versions just one just one attack I planned change to free before that is a clear right how it works you randomly creates an SSID and says hey I want to connect to this if Karma's sends back hey yes I'm XYZ so it's probably karma because it's totally random the SSID so it's a really easy and neat thing that he put in ok that's that scenario is to check if some a access point disappear I have my net to my net and another net I don't care about that net so i use beholder dash my net interface and if that that s that s SI g disappear behold i don't care but if my net disappear beholder we will at about that another scenario i can use this integral expression both the case in missing disappear or to check if some to check if some if some similar i SS IG appear in environment that's my net appear that that SS SS IG appear I don't care but if someone created my nets Wi-Fi that match my regular expression behold they are let about that so if you ever configured a wireless IDs system that you have imagined that you can think of anything similar to your e SSID name it's a pain a but if we can do it so this is a really neat thing to do you put like something that is going to be similar So Def Con if you have a zero instead of an oh yeah that's an easy one to think about and configure on your wireless IDs system but why how many o's can somebody how stupid is a user to connect to a network that is kind of similar it has a kind of similar name that's all ok thanks Lou and that the last scenario if you have large networks you could come tonight some sensors and I'll use his log service to centralize the information for example you can use as watch to select what kind of message do do you want to to get ok time to demo there we go DEFCON live demo laissez-moi dolphin program floral Findo bronchial airplane let's see is a batter it's better okay that's oman that's the the base the normal use of baroda some rogue happy now did the first one Def Con def count of course some net net DEFCON networks if you you on a P is add the d-list but the the nice feature is dead it's okay what Nelson is going to be doing here he will be connecting a as a USB access point and he was going to connect that access point with a network with with a similar name of Def Con and he's going to do put beholder to watch for any names similar to that phone so right now he's typing the right expression is going to walk with a fancy way not a hotel enough no no it's not going to be home so let's write for a bee to come up tension there we go no not yet so we see the regular DEFCON one we got a shitload of EP singer okay so you can see up there highlighted it says what's the SSID I cannot read that it's all lowercase that fun right so the name is do lowercase def con or something similar to Def Con and so it says it matches a pattern so again in distributed systems what you can do you can have many laptops running and send everything to a syslog server and then have a decent since log message parser or something to look for the beholder stuff so now it's totally the opposite is going to tell beholder to watch for the networks so in this case is saying I care for any networks that all the abuse that match this and he's going to unplug the AP and he's ap and behold it was going to say that the the access point went away so again that's something that Eldon mentioned on his talk at shmoocon a few years ago that many ideas vendors didn't do that so if he sees that attack is like whoa i saw a tad but if all the abuse go down it's okay that's okay that's not a problem so if you see there are def con with a no and stuff said beholder says it disappeared and i was going to plug it back and then to say so you don't freak out and it's going to say yeah it's okay your abs back or your aps so it could be more than one AP and again with the regular expression you can search for any aps so it doesn't really has it doesn't have to be your AP if you're if you're concerned about your neighbors abs and just in case you use it you can monitor those two level 3 somebody starts in the wireless network that's awesome love that that's my jam Iran I sure there we go see so it says relax your AP is back so go back to bed or something like that so that's what we have for the demo right so following so this is a great picture he found so there are many tools out there the holders and again this is just the beginning so again we're gonna release this or tomorrow right tonight we're drinking so tomorrow this is going to be on the website and but you have many things out there you can use all the tools possible to to make your life better on the wireless network so beholder is going to help you a bit as buddy jesus says and what is next on Wi-Fi attacks Wi-Fi attacks everybody there was a big hype a while ago about 80 to 11am and well at least beholder works with that just got a 802 11 n wireless card that fries and pop in your Linux system behold their words with that I I tested that but i think there's we kind of got stuck in into a really interesting phase of wireless in the past few years because either anything coming out now is going to be type of a toss attack which is kind of lame but really effective but we have it all to 11 n now so some people said that 802 11 n aps were a problem just like i mentioned the 900 megahertz was a problem that no other sensor would get it either they p that I got at frys 02 11 n is broken because with an 802 11 be I can even when i put in greenfield mode when i put it to work only on 802 11 n i think the beacons and management frames are still hurt by 802 11 beat devices bng so i don't know if that's my AP with problems or if that's the way it should work another thing that I and the wireless bridges kind of thing that I mentioned before it's a problem if you have a bridge that it's not really an 18 so the packets are different there are two feuds one that is called from the s and the other one qds that says one and one meaning it's from Wireless IDs wife to a wireless distributed system as well to the WDS to WTS some tools they don't get that and with 802 11 am going as fast as in real life one anyone 50 megabits per second it's freaking fast already so if people want to suck stuff from your wire network using wireless bridges could be a problem or even rogue a piece right so tomorrow not today tomorrow behold our wireless org is going to have the tool you're going to have a contact email right if people want to contribute to the yeah and this is this is GPL free all that stuff right so yeah so you guys can help out as well so before we take questions across there on the other room want to thank you all for coming thanks for the patients I want to thank our one beta tester who gave us feedback Kevin 350 so thank you