
Year of the #WiFiCactus

Mike Spicer in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on https://def.camp/archive

  1. Year of the #WiFiCACTUS
  2. About me. Who am I? Hardware and software obsessed. BS in Computer Science. Freelance cybersphere consultant. Maker and hacker. Runner, gamer (Fortnite FTW), traveler. Forever curious. @d4rkm4tter, palshack.org
  3. Thank you!! This project wouldn't have been possible without all of the support from the community, my friends, family and all of you!! You are what inspires me to continually improve and build bigger!!!
  4. Contents, what we will talk about. Part 1: What is the #WiFiCactus. Part 2: New features and mods. Part 3: Effect of upgrades. Part 4: The Year of the WiFiCactus. Part 5: The data. Part 6: The future. Part 7: Conclusion.
  5. The WiFiCactus, description. The #WiFiCactus is a wireless monitoring tool capable of collecting wireless data from up to 50 WiFi channels at the same time. It can gather entire communications, including ones that happen across multiple channels. It is mobile and has over 3 hours of battery life. It uses Kismet Wireless as the primary monitoring software. It is made up of 25 Hak5 WiFi Pineapple Tetras.
  6. The WiFiCactus, photo gallery.
  7. New features, new for DC26. Upgraded switches: moved to gigabit switches to increase the throughput from the Tetras to the Intel NUC. Upgraded batteries: lead acid batteries are cheap but a terrible solution for a mobile project you put on your back. Switched to lithium-ion to increase the run time from 45 minutes to 3 hours and reduce the weight by nearly 16 kg (35 lbs). Thanks @glytech!!
  8. New features, new for DC26. Increased rigidity: upgraded the switch and Intel NUC mount to increase the rigidity and mobility of the rig. Beta-testing diplexer: added a 16-antenna-to-2 diplexer supplied by Alftel; this device reduces the number of required antennas.
  9. Results of upgrades. A new problem was uncovered: lack of storage space. The amount of data gathered was much greater than anticipated, and managing data became a new bottleneck. (Chart: data captured at DEF CON / Black Hat, 2017 vs 2018: 44 GB vs 568 GB, a 1,290% jump.)
  10. Results of upgrades, theoretical and actual. Theoretical maximum throughput to the Intel NUC is 125 MB/s (one gigabit link), which translates into 450 GB/h. Caught over 200 GB in 8 hours during Black Hat; actual data capture depends on the utilization of the environment. Maximum Tetra throughput is theoretically 312.5 MB/s (25 Tetras at 12.5 MB/s each), which would require more bandwidth to the NUC to achieve. Future work pending on this front.
  11. Locations, Year of the WiFiCactus: Saintcon, DEF CON China, Bahamas, DefCamp (Romania), Shmoocon, Oakland/SF, NYC, DEF CON, Colorado, CactusCon.
  12. Places visited, Year of the WiFiCactus: DefCamp, located in Bucharest, Romania, November 2017.
  13. Places visited, Year of the WiFiCactus: Shmoocon, located in Washington DC, January 2018.
  14. Places visited, Year of the WiFiCactus: Hak5 headquarters, located in Oakland, CA, March 2018.
  15. Places visited, Year of the WiFiCactus: DEF CON China BETA, located in Beijing, China, May 2018.
  16. Places visited, Year of the WiFiCactus: Black Hat / DEF CON, located in Las Vegas, NV, August 2018.
  17. Total data collected: the raw amount of data gathered by year. Total project data is now over 1 TB. (Chart by year: 2015 in the 100's of MB, 2016 in the 10's of GB, 2017 in the 100's of GB, 2018 in the TB range.)
  18. Data gathered, 2017 vs 2018: total data gathered over the last year, in GB. (Chart with a 2017 and a 2018 bar per event. Events: DC China, Defcamp, DEF CON, Oakland, Shmoo, Saintcon, CactusCon, BlackHat. Bar values in GB: 7.41, 37.1, 21.5, 84.3, 96.1, 479, 83.4, 27.9, 5.96, 116.)
  19. Technology, analysis hardware: 2 x 24-core Intel Xeon Platinum processors, 96 GB of DDR ECC RAM, 512 GB NVMe drive, 1 TB SATA SSD, 6 TB Seagate 7200 RPM disk, Windows 10 with Ubuntu WSL.
  20. Analysis techniques. Kismet dashboard: live data view and replay of existing PCAPs. Offers comprehensive search and linking. Can be daunting with large amounts of data. Wireshark: the go-to method for packet analysis. Useful for inspection and filtering of the data. Miserable with files larger than a few hundred MB.
  21. Analysis techniques. tshark: the command-line Swiss army knife for packet analysis. Uses Wireshark display filters but can output to a wide variety of formats. Elastic Stack: Elastic Stack, formerly the ELK Stack, is a datastore and visualization tool popular for a wide array of uses, including traffic analysis. Thank you Spencer (@_bin_sh) for bailing me out!
  22. Analysis techniques. Network Miner: a fantastic PCAP forensic analysis tool. It lets you deep dive quickly into PCAP files and discover files, credentials, sessions, IP addresses and more. THANK YOU Network Miner team!!
  23. Analysis techniques. Graphistry: amazing web-based graphing software that supports millions of edges. A beautiful way to interpret data; it uses accelerated graphics to allow interaction with the data. THANK YOU GRAPHISTRY!! ViFi / Neo4j: a custom application to read PCAP files and import them into Neo4j, a graph database used here to visualize the relationships. Shout out to @sundhaug92 for letting me beta test his software!
  24. Example Wireshark cases: useful for things like quickly finding handshakes, beacons, higher-layer information and summary statistics.
  25. Network Miner: this was an interesting find with Network Miner. Source: https://www.symantec.com/content/dam/symantec/docs/data-sheets/proxysg-s200-s400-s500-en.pdf
  26. Network Miner: an interesting find from DefCamp 8.
  27. Network Miner: an interesting find from DefCamp 8 (continued).
  28. Graphistry: utilizing data caught from DC 24 to perform device tracking.
  29. Graphistry: utilizing data caught from DC 24 to perform device tracking (continued).
  30. Graphistry: utilizing data caught from DC 24 to perform device tracking (continued).
  31. ViFi / Neo4j: more interesting finds here.
  32. Live demos, we'll do it live!! 01 Kismet dashboard using live data. 02 Wireshark on big PCAP files. 03 Elastic Stack goodness. 04 Graphistry on really big data. 05 Network Miner on PCAP.
  33. The future (don't get your hopes too high). 01 Automated analysis pipeline for real-time feedback. 02 More storage capacity. 03 UnRAID NAS and VMs for processing. 04 PCAP tool release so you can do this too. 05 Adding more wireless technologies, especially LTE and 5G. Anyone interested in funding research? 06 Real-time summary statistics sync using 4G or another out-of-band method.
  34. Thank you DEFCAMP!! @d4rkm4tter palshack.org twitch.tv/a_darkmatter github.com/mspicer
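The Wireshark cases on slide 24 (handshakes, beacons, summary statistics) and the Graphistry device-tracking slides 28-30 share the same first step: pull beacon, probe-request and EAPOL frames out of raw 802.11 captures and turn them into per-network counts and a client-to-network edge list. The Python below is an added example written for this page; it is not code from the talk, from Kismet, from the ViFi tool or from the #WiFiCactus project. It parses radiotap-wrapped 802.11 frames (only the radiotap TSFT/Flags/Rate/Channel fields are walked, the rest is skipped via the header length), classifies beacons, probe requests and EAPOL-Key data frames, and builds the edges a graph tool would draw. The MAC addresses, SSIDs and frames are constructed inline and are not real captures.

```python
"""Triage raw radiotap/802.11 frames: beacons, probe requests and EAPOL handshake
frames, plus a client->network edge list for graph tools (added example)."""
import struct
from collections import Counter, defaultdict

# Radiotap "present" bits handled here, in bit order: bit -> (size, alignment).
# Only TSFT, Flags, Rate and Channel are walked; anything after them is skipped
# via the radiotap length field, which is enough for the constructed sample.
RADIOTAP_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2)}
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP, ethertype 0x888e

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_radiotap(buf):
    """Return (channel frequency in MHz or None, the 802.11 frame that follows)."""
    _ver, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    off, freq = 8, None
    for bit in sorted(RADIOTAP_FIELDS):
        if present & (1 << bit):
            size, align = RADIOTAP_FIELDS[bit]
            off = (off + align - 1) // align * align  # fields are naturally aligned
            if bit == 3:
                freq = struct.unpack_from("<H", buf, off)[0]
            off += size
    return freq, buf[length:]

def parse_ies(body):
    """Walk 802.11 information elements (id, length, value) into {id: value}."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def parse_frame(buf):
    """Classify one radiotap-wrapped frame; None for anything not of interest."""
    freq, f = parse_radiotap(buf)
    ftype, subtype = (f[0] >> 2) & 3, f[0] >> 4
    to_ds = f[1] & 1
    a1, a2, a3 = mac(f[4:10]), mac(f[10:16]), mac(f[16:22])
    if ftype == 0 and subtype == 8:            # beacon: 12 fixed bytes, then IEs
        ies = parse_ies(f[36:])
        return {"kind": "beacon", "bssid": a3, "freq": freq,
                "ssid": ies.get(0, b"").decode(errors="replace"),
                "channel": ies.get(3, b"\x00")[0]}          # DS Parameter Set IE
    if ftype == 0 and subtype == 4:            # probe request: IEs follow the header
        ies = parse_ies(f[24:])
        return {"kind": "probe", "client": a2, "freq": freq,
                "ssid": ies.get(0, b"").decode(errors="replace")}
    if ftype == 2:                             # data frame: is it an EAPOL-Key?
        hdr = 24 + (2 if subtype & 0x8 else 0)  # QoS data adds a 2-byte QoS control
        if f[hdr:hdr + 8] == LLC_SNAP_EAPOL:
            # To-DS: addr1 is the BSSID and addr2 the client; From-DS: the reverse.
            bssid, client = (a1, a2) if to_ds else (a2, a1)
            return {"kind": "eapol", "bssid": bssid, "client": client, "freq": freq}
    return None

def summarize(frames):
    """Summary statistics of the kind one pulls from Wireshark/tshark on a capture."""
    networks, probes = {}, defaultdict(set)
    eapol, per_freq = Counter(), Counter()
    for rec in filter(None, map(parse_frame, frames)):
        per_freq[rec["freq"]] += 1
        if rec["kind"] == "beacon":
            networks[rec["bssid"]] = (rec["ssid"], rec["channel"])
        elif rec["kind"] == "probe" and rec["ssid"]:  # wildcard probes carry no SSID
            probes[rec["client"]].add(rec["ssid"])
        elif rec["kind"] == "eapol":
            eapol[(rec["bssid"], rec["client"])] += 1
    return {"networks": networks, "probes": dict(probes),
            "eapol": dict(eapol), "per_freq": dict(per_freq)}

def device_edges(frames):
    """(client, network, relation) edges: what Graphistry/Neo4j draws for device tracking."""
    s = summarize(frames)
    edges = {(c, ssid, "probed") for c, ssids in s["probes"].items() for ssid in ssids}
    edges |= {(c, s["networks"].get(b, (b,))[0], "handshake") for (b, c) in s["eapol"]}
    return sorted(edges)

# --- constructed sample frames (hypothetical MACs/SSIDs, not a real capture) ---
BCAST = b"\xff" * 6
AP, PHONE, LAPTOP = (bytes.fromhex(h) for h in ("020000000001", "040000000002", "060000000003"))

def radiotap(freq):  # 12-byte radiotap header carrying only the Channel field
    return struct.pack("<BBHIHH", 0, 0, 12, 1 << 3, freq, 0x0080)

def hdr(fc0, fc1, a1, a2, a3):  # frame control, duration, 3 addresses, sequence control
    return bytes([fc0, fc1, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"

def beacon(bssid, ssid, channel, freq):
    ies = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return radiotap(freq) + hdr(0x80, 0, BCAST, bssid, bssid) + bytes(8) + b"\x64\x00\x11\x04" + ies

def probe_req(client, ssid, freq):
    return radiotap(freq) + hdr(0x40, 0, BCAST, client, BCAST) + bytes([0, len(ssid)]) + ssid

def eapol_key(bssid, client, to_ds, freq):
    addrs = (bssid, client, bssid) if to_ds else (client, bssid, client)
    return radiotap(freq) + hdr(0x08, 0x01 if to_ds else 0x02, *addrs) + LLC_SNAP_EAPOL + b"\x02\x03\x00\x5f"

SAMPLE_FRAMES = [
    beacon(AP, b"DefCampWiFi", 6, 2437),
    probe_req(PHONE, b"DefCampWiFi", 2437),
    probe_req(PHONE, b"HomeNetwork", 2412),
    eapol_key(AP, PHONE, False, 2437),  # handshake message 1, AP -> client
    eapol_key(AP, PHONE, True, 2437),   # handshake message 2, client -> AP
    probe_req(LAPTOP, b"", 5180),       # wildcard probe on 5 GHz: counted, not linked
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
    print(device_edges(SAMPLE_FRAMES))
```

On a real capture the same triage is the Wireshark display filters `eapol` and `wlan.fc.type_subtype == 0x0008` (beacons), which tshark accepts via `-Y` and can export as fields for Elastic or a graph import. The probed-SSID edges are what make a client traceable across venues even when it never associates, which is why the edge list keeps probes and handshakes as separate relations.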
