2. ABOUT ME Who am I?
Hardware and software obsessed. BS in Computer Science. Freelance cybersphere consultant. Maker and hacker.
Runner, Gamer (Fortnite FTW), Traveler. Forever curious.
@d4rkm4tter
palshack.org
3. THANK YOU!!
This project wouldn't have been possible without all of the support from the community, my friends, family and all of you!! You are what inspires me to continually improve and build bigger!!!
4. CONTENTS What We Will Talk About
Part 1 What is the #WiFiCactus
Part 2 New features and mods
Part 3 Effect of upgrades
Part 4 The Year of The WiFiCactus
Part 5 The data
Part 6 The future
Part 7 Conclusion
5. The WiFiCactus Description
The #WiFiCactus is a wireless monitoring tool that collects wireless data from up to 50 WiFi channels at the same time. Because it watches every channel continuously instead of hopping between them, it can gather entire communications, including ones that happen across multiple channels. It is mobile and has over 3 hours of battery life. It uses Kismet Wireless as the primary monitoring software. It is made up of 25 Hak5 WiFi Pineapple Tetras, each with two radios, which is where the 50-channel figure comes from.
6. The WiFiCactus Photo Gallery
7. New Features: New for DC26
Upgraded Switches
Moved to gigabit switches to increase the throughput from the Tetras to the Intel NUC.
Upgraded Batteries
Lead acid batteries are cheap but a terrible solution for a mobile project you put on your back. Switched to lithium-ion to increase the run time from 45 minutes to 3 hours and reduce the weight by nearly 16 kg (35 lb). Thanks @glytech!!
8. New Features: New for DC26
Increased Rigidity
Upgraded the switch and Intel NUC mount to increase the rigidity and mobility of the rig.
Beta Testing Diplexer
Added a 16-to-2 antenna diplexer supplied by Alftel. This device reduces the number of required antennas.
9. Results of Upgrades
Chart: data captured at DEF CON / Black Hat, 2017 vs 2018: 44 GB in 2017 against 568 GB in 2018, roughly 13x (labelled 1,290% on the slide).
A new problem was uncovered: lack of storage space. The amount of data gathered was much greater than anticipated, and managing data became a new bottleneck.
10. Results of Upgrades: Theoretical and Actual
Theoretical maximum throughput into the Intel NUC over its gigabit link is 125 MB/s, which translates into 450 GB/h.
Caught over 200 GB in 8 hours during Black Hat, roughly 25 GB/h. Actual data capture depends on the utilization of the environment, not on the link capacity.
Maximum aggregate Tetra throughput is theoretically 312.5 MB/s, which exceeds the single gigabit link into the NUC and would require more bandwidth to achieve. Future work is pending on this front.
11. LOCATIONS Year of the WiFiCactus
Map of places visited: Saintcon, DEF CON China, Bahamas, DefCamp (Romania), Shmoocon, Oakland/SF, NYC, DEF CON, Colorado, CactusCon.
12. Places Visited: Year of the WiFiCactus
Defcamp – Bucharest, Romania – November 2017
13. Places Visited: Year of the WiFiCactus
Shmoocon – Washington, DC – January 2018
14. Places Visited: Year of the WiFiCactus
Hak5 Headquarters – Oakland, CA – March 2018
15. Places Visited: Year of the WiFiCactus
DEF CON China BETA – Beijing, China – May 2018
16. Places Visited: Year of the WiFiCactus
Black Hat / DEF CON – Las Vegas – August 2018
18. Data Gathered: 2017 vs 2018
Total data gathered over the last year, in GB, shown as a bar chart per event (DC China, Defcamp, DEF CON, Oakland, Shmoo, Saintcon, CactusCon, BlackHat) with separate 2017 and 2018 series. The bar values survive the extraction (7.41, 37.1, 21.5, 84.3, 96.1, 479, 83.4, 27.9, 5.96, 116) but not which event and year each belongs to.
20. Technology: Analysis Hardware
2 x 24-core Intel Xeon Platinum processors
96 GB of DDR ECC RAM
512 GB NVMe drive
1 TB SATA SSD
6 TB Seagate 7200 RPM hard drive
Windows 10 with Ubuntu on WSL
21. Analysis Techniques
Kismet Dashboard
Live data view and replay of existing PCAPs. Offers comprehensive search and linking. Can be daunting with large amounts of data.
Wireshark
The go-to method for packet analysis. Useful for inspection and filtering of the data. Miserable with files larger than a few hundred MB.
22. Analysis Techniques
tshark
The command-line Swiss army knife for packet analysis. Uses Wireshark display filters but can output to a wide variety of formats.
Elastic Stack
Elastic Stack, formerly ELK Stack, is a datastore and visualization tool that is popular for a wide array of uses, including traffic analysis. Thank you Spencer (@_bin_sh) for bailing me out!
23. Analysis Techniques
Network Miner
A fantastic PCAP forensic analysis tool. It lets you dive quickly into PCAP files and discover files, credentials, sessions, IP addresses and more. THANK YOU Network Miner Team!!
24. Analysis Techniques
Graphistry
Amazing web-based graphing software that supports millions of edges. A beautiful way to interpret data. Uses accelerated graphics to allow interaction with the data. THANK YOU GRAPHISTRY!!
ViFi / Neo4J
Custom application that reads PCAP files and imports them into Neo4J, a graph database, so the relationships in the capture can be queried and visualized. Shout out to @sundhaug92 for letting me beta test his software!
25. Example Wireshark Cases
Useful for things like quickly finding handshakes, beacons, higher-layer information and summary statistics.
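The last few slides make two practical points: Wireshark struggles once a file passes a few hundred MB, and the first questions asked of a capture are simple ones (which handshakes and beacons are in here, and what is the frame mix). As an added example that is not part of this deck or of d4rkm4tter's tooling, the Python below does that first pass as a single streaming read of a radiotap pcap: it parses each record as it goes instead of loading the file, tallies beacons per BSSID/SSID, classifies EAPOL-Key frames into 4-way handshake messages 1-4 from their Key Information bits, and reports which (BSSID, station) pairs have a complete handshake. The sample capture it runs on is constructed inline (made-up locally administered MAC addresses, one AP, one client, one handshake); the script handles classic pcap only (convert pcapng with `editcap -F pcap` first) and assumes frames without a trailing FCS.

```python
# Streaming triage of an 802.11 radiotap pcap: beacons per BSSID/SSID, EAPOL 4-way handshake
# messages per (BSSID, station) and frame counts, one record at a time, so multi-GB files are fine.
import io
import struct
from collections import Counter, defaultdict

LINKTYPE_IEEE802_11_RADIOTAP = 127
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP header with EtherType 0x888E

def iter_pcap(fp):
    """Yield (linktype, packet_bytes) for each record of a classic pcap file object (not pcapng)."""
    hdr = fp.read(24)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", hdr)[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", hdr, 20)[0]
    while len(rec := fp.read(16)) == 16:
        incl_len = struct.unpack(endian + "IIII", rec)[2]  # ts_sec, ts_usec, incl_len, orig_len
        yield linktype, fp.read(incl_len)

def parse_frame(pkt):
    """Strip radiotap; return (ftype, subtype, flags, [addr1, addr2, addr3] or None, body)."""
    rt_len = struct.unpack_from("<H", pkt, 2)[0] if len(pkt) >= 8 else len(pkt)  # radiotap length
    f = pkt[rt_len:]
    if len(f) < 2:
        return None
    ftype, subtype, flags = (f[0] >> 2) & 3, f[0] >> 4, f[1]
    if ftype == 1 or len(f) < 24:  # control frames carry at most two addresses: only count them
        return ftype, subtype, flags, None, b""
    hdr_len = 26 if ftype == 2 and subtype & 0x8 else 24  # QoS data adds a 2-byte QoS control
    return ftype, subtype, flags, [f[4:10], f[10:16], f[16:22]], f[hdr_len:]

def beacon_ssid(body):
    """Walk the IEs after timestamp(8)+interval(2)+capability(2); tag 0 is the SSID."""
    off = 12
    while off + 2 <= len(body):
        tag, ln = body[off], body[off + 1]
        if tag == 0:
            return body[off + 2:off + 2 + ln].decode("utf-8", "replace") or "<hidden>"
        off += 2 + ln
    return None

def eapol_message(body):
    """Classify an EAPOL-Key frame as 4-way handshake message 1-4 from its Key Information bits."""
    if not body.startswith(LLC_SNAP_EAPOL) or len(body) < 15 or body[9] != 3:  # EAPOL type 3 = Key
        return None
    key_info = struct.unpack_from(">H", body, 13)[0]  # LLC(8) + version(1) type(1) length(2) desc(1)
    ack, mic, secure = key_info & 0x0080, key_info & 0x0100, key_info & 0x0200
    if ack:
        return 3 if mic else 1
    return (4 if secure else 2) if mic else None

def data_peers(flags, addrs):
    """(BSSID, station) of a data frame from the ToDS/FromDS bits; None for IBSS/WDS frames."""
    ds = flags & 0x03  # bit 0 = ToDS (station -> AP), bit 1 = FromDS (AP -> station)
    return {1: (addrs[0], addrs[1]), 2: (addrs[1], addrs[0])}.get(ds)

def summarize(src):
    fp = io.BytesIO(src) if isinstance(src, bytes) else src
    frames, by_type, beacons, handshakes = 0, Counter(), Counter(), defaultdict(set)
    for linktype, pkt in iter_pcap(fp):
        if linktype != LINKTYPE_IEEE802_11_RADIOTAP:
            raise ValueError(f"unexpected link type {linktype}")
        parsed = parse_frame(pkt)
        if parsed is None:
            continue
        ftype, subtype, flags, addrs, body = parsed
        frames += 1
        by_type[("mgmt", "ctrl", "data", "ext")[ftype]] += 1
        if ftype == 0 and subtype == 8 and addrs:
            beacons[(addrs[2].hex(":"), beacon_ssid(body))] += 1
        elif ftype == 2 and addrs and not flags & 0x40:  # EAPOL is never sent protected
            msg, peers = eapol_message(body), data_peers(flags, addrs)
            if msg and peers:
                handshakes[tuple(m.hex(":") for m in peers)].add(msg)
    complete = sorted(k for k, m in handshakes.items() if {1, 2, 3, 4} <= m)
    return {"frames": frames, "by_type": by_type, "beacons": beacons,
            "handshakes": dict(handshakes), "complete_handshakes": complete}

# --- constructed sample capture, not real traffic: one AP, one client, one full handshake ---
AP, STA, BCAST = "02:ca:c7:05:00:01", "02:ca:c7:05:00:02", "ff:ff:ff:ff:ff:ff"

def _frame(fc0, flags, a1, a2, a3, body):
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (a1, a2, a3))
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)  # minimal 8-byte radiotap header
    return radiotap + struct.pack("<BBH", fc0, flags, 0) + addrs + b"\0\0" + body  # fc, dur, addrs, seq

def _eapol(key_info, from_ap):
    key = struct.pack(">BH", 2, key_info) + b"\0" * 92  # RSN key descriptor, remaining fields zeroed
    a1, a2, flags = (STA, AP, 0x02) if from_ap else (AP, STA, 0x01)  # FromDS or ToDS
    return _frame(0x08, flags, a1, a2, AP, LLC_SNAP_EAPOL + struct.pack(">BBH", 2, 3, len(key)) + key)

def build_sample_pcap():
    beacon = _frame(0x80, 0, BCAST, AP, AP, b"\0" * 8 + struct.pack("<HH", 100, 0x0411) + b"\0\x09CactusNet")
    frames = [beacon, beacon, _eapol(0x008A, True), _eapol(0x010A, False),  # M1 (AP->STA), M2 (STA->AP)
              _eapol(0x13CA, True), _eapol(0x030A, False),                  # M3, M4
              _frame(0x08, 0x41, AP, STA, AP, b"\x01" * 40)]                # protected data: skipped
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11_RADIOTAP)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1533772800 + i, 0, len(f), len(f)) + f
    return out
```

Run it on a real file with `summarize(open("capture.pcap", "rb"))`; it never holds more than one record in memory, which is the property Wireshark lacks on a 479 GB event. `complete_handshakes` is deliberately the strict all-four-messages check; the per-pair message sets are returned as well because a handshake is already usable for offline cracking with just M1+M2 or M2+M3.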
26. Network Miner
This was an interesting find with Network Miner.
SRC: https://www.symantec.com/content/dam/symantec/docs/data-sheets/proxysg-s200-s400-s500-en.pdf
33. Live Demos: WE'LL DO IT LIVE!!
01 Kismet Dashboard using live data
02 Wireshark on big PCAP files
03 Elastic Stack goodness
04 Graphistry on really big data
05 Network Miner on PCAP
34. The Future: Don't get your hopes too high
01 Automated analysis pipeline for real-time feedback.
02 More storage capacity.
03 UnRAID NAS and VMs for processing.
04 PCAP tool release so you can do this too.
05 Adding more wireless technologies, especially LTE and 5G. Anyone interested in funding research?
06 Real-time summary statistics sync using 4G or another out-of-band method.