SlideShare a Scribd company logo

WiFi Data Leakage by Solomon Sonya

EC-Council
EC-Council

This document discusses building a wireless sensor suite called Theia that can intercept and analyze 802.11 WiFi frames to reveal sensitive location and identity information about users. It begins with an overview of the Theia components and live demos showing how it can track a device's locations over time and tag individuals. It then discusses vulnerabilities in the 802.11 protocol and offers recommendations to enhance security. Finally, it provides instructions for configuring and running the different parts of Theia, including building the wireless sensor from scratch.

1 of 62
Download to read offline
Wifi Data Leakage: How your phone, laptop, and smart device can reveal where you live, work, and places you’ve visited via 802.11 inception Solomon Sonya @Carpenter1010 The problem always seems to become more tractable when presented with the solution…
What to Expect 2 • Hand-Waving! • Intro / Background • Building Knowledge Requirement • Deep Dive into 802.11 Protocol • Developing the Sensor • Live Demos! • Tagging and Geotracking people • 802.11 Vulnerability Exposure • Security Protocol Enhancement • Future Work • Questions http://logout.hu/dl/upc/2011-06/230806_gremlin_in_my_computer-lyvind_berget.jpg, Retrieved 17 Sep 13
Solomon Sonya @Carpenter1010 Whoami… 3
Security at Present… • How far have we come? • Is it good enough? • Discovered vulnerabilities are fixed with patches • Known malware removed with AV (signature based) • Emerging malware “detected” via baselining (anomaly) • Digitally signed software • We still believe “Detection is the key” • Avg malware lifespan (depending on source) ~294-300+ days still! • Fallacy with Security: • Current [incorrect] view: start-state is secure, bolt on security from here • We’ll remain ahead of the adversary ;-)
Anatomy of a Cyber Attack Reconnaissance Scanning Penetration Stealth & Persistence Cover Tracks Pivot Pillage Paralyze Privileges++ Source: Solomon Sonya @Carpenter1010
Updated Anatomy of a Cyber Attack Reconnaissance/Research Scan Targets Penetration Pivot Pillage Paralyze Privileges++ Stage Exploits Water-Hole Drive-By Phishing Social Engineering XSS Trojan Ping Sweep ARP Scan Port Knock Active & Passive DNS Lookups IP Reservations Embedded Devices Management Protocols Insider Evade Detection Maintain Access Source: Solomon Sonya @Carpenter1010
Security of the Future • Root of the problem lies with how security is considered during creation and deployment: • Bolted-on vrs. Built-in approaches • Integration of Smart Devices • A country’s greatest spy • IoT… Are we ready?
Cell Phones: A country’s greatest spy • When was the last time you audited the permissions granted to your apps? • Is all of this necessary to show a light? (I would avoid apps like these!) http://www.snoopwall.com/wp-content/uploads/2014/10/Flashlight-Spyware-Appendix-2014.pdf Really?!!!
Thought Question… Even if we secured it all… What are we doing still to secure the protocols these devices are using to communicate?
How did we get here… 12 • Researching threat intelligence last year • Sitting at an airport enroute to a conference, watching people pass by, I wondered if it is possible if I could determine where each person is coming from a priori… • Knew people usually carried cell-phone, smart device, and/or laptop on travels and these devices are constantly probing to connect to a known network • Hacker’s Mantra: “I wonder what happens if…”
The Research has begun! • Developed the following research questions to direct new research project: • Is it possible to intercept PNL (preferred network list) probes to fingerprint certain people? • If so, can a profile be created to reveal the area-of-habitation (likely places of work, live, play) • Can we determine a likely device and alert on likely “places of interest” such that we can identify a person that works/lives at specific places? (Think Intel, Google, military, etc) • Can we expand profile on a person to determine their previous geolocations, SSIDS, and activity times within an area such that we can know when to expect a person within a particular area? (think home and work, etc…) • Determining each devices’ PNL, can we establish a rogue AP and MiTM a user’s device to route all traffic through our machine without the victim’s knowledge?!!!! • Spoiler Alert: YES YOU CAN!!!! Let’s see how! 13
Initial Knowledge Required… • 802.11 Frames: • Management Frames: Setup and maintain communications • Authentication, Deauthentication • Association, Disassociation • Synchronization Messages • Probe • Beacon • Control Frames: Assist in frame delivery and reduces collisions • Acknowledgements, Request/Clear to Send, Block, Poll, End • Data Frames: Transport data from higher layers (HTTP, etc) • 802.11 Client Authentication Process 14
Initial Knowledge Required… • Distributed Computing (Efficiency, Optimization, Updates) • Socket Programming (Connections, Tokenization) • Threads • Wrappers(Worker Process, Conversion, Parsing, Encryption, etc) • Coding not your thing? No problem, just use Theia! Demo coming in a few slides from now! 15
802.11 Pertinent Frame Subtype Identifiers • Authentication 0x0b • Deauthentication 0x0c • Association Request 0x00 • Association Response 0x01 • Reassociation Request 0x02 • Reassociation Response 0x03 • Probe Request 0x04 * * * (NIC is in the area) • Probe Response 0x05 (now know AP is in the area) • Beacon 0x08 (now know AP is in the area) • Request to Send (RTS) 0xb0 (usually present with hidden Aps) • Clear to Send (CTS) 0xc0 • Control and Data frames handled in future research • More Info: https://supportforums.cisco.com/document/52391/80211-frames-starter-guide-learn-wireless-sniffer-traces 19
Solomon Sonya @Carpenter1010 So… What do we do with this information? 20 Let’s bring it together by understanding the 802.11 Authentication Process, PNL, and then let’s demo!
Client Authentication Process and PNL 21 BROADCAST NETGEAR linksys Free_Airport_WiFi Device routinely probes to discover available access points in the area and rejoin previously associated networks http://www.alohaorganizers.com/4-productivity-tools-already- exist-iphone/ http://www.alohaorganizers.com/4-productivity-tools-already-exist-iphone/ Device Access Point Client Authentication Process Time Probe Response Authentication Response Association Response Probe Beacon Client Probe Activity
Solomon Sonya @Carpenter1010 Let’s Build the Sensor! 22
Hardware Setup on the cheap… • Minimum • Wireless Card (Alfa Card) • Wireshark (Tshark) • *NIX OS (Kali 2.x.x) • Extra Credit • Long Range, High Gain WiFi Antennae “BAA” (12dbi Antennae) • GPS Receiver (GlobalSat BU-353-S4 USB GPS Receiver) 23 http://mindprod.com/jgloss/wireshark.html TShark KALI LINUX
Intercepting Frames to Begin Analysis • Collection process: acquire/query, parse, analyze/interpret, present, visualize • What data should we collect? • How do we collect it? • Let’s begin with the protocol analyzer Tshark (shortlist) • -Y wlan.fc.type –T fields Focus and filter on 802.11 protocol • -e wlan.fc.subtype Display different frame types (mgt, ctrl) • -e wlan.sa Display transmitter MAC address • -e wlan.da Display receiver MAC address • -e wlan Display WiFi protocol information • -e wlan_mgt.ssid Display the SSID (if present) 24
What can we do at this point? • Active devices within range • Preferred Network List broadcasted by active devices • MAC addresses for devices and access points • SSIDs broadcasted by non-hidden Access Points • Vendor identifying information (when linked to OUI database)
Solomon Sonya @Carpenter1010 Sensor Construction 26
Initial Sensor Construction • What did we first capture?
Solomon Sonya @Carpenter1010 How do we process this information to derive meaning from the data? 28 “Everything should be made as simple as possible, but not simpler.” – Albert Einstein
Frame Acquisition Process • Process: • Acquire/Query, Parse, Analyze/Interpret, Present, Visualize • Recall: • If we build our own sensor, what components are required? • Wouldn’t it be nice if we had a tool to process all of this information for us? • Options you could use: Kismet, NetStumbler, inSSIDer, Airocrack-ng suite… OR, you can build your own and add custom features specific to your environment… I chose the latter! 29
Components to Build the Sensor Suite • 802.11 Receiver/Antennae (Sensor) - Theia_Sensor • GPS Receiver (GPS Collector) - GPS_Collector • IEEE OUI Specification - Theia_OUI • Geo-Location Retrieval Agent - Theia_GEO • Collector: Acquire/Query, Parse, Analyze/Interpret, Present - Theia_Collector • User Interface: Visualize - Theia_Interface GPS Collector Sensor OUI Agent Log Collector GPS Collector Sensor GPS Collector Sensor … Theia Interface Theia Interface … Geo-Retrieval
Solomon Sonya @Carpenter1010 Enough Talk… DEMO!!!!!
Theia Sensor Suite • Distributed Wireless Sensor Suite to acquire, analyze , process, and visualize data extracted from 802.11 frames • Extensible: Allows multiple sensor integration back into the central collector (s) • Displays linkage between PNL from each device and APs within the area • Provides geolocation ability to display and map locations where a device (and user) have been • Provides tagging, alert, and notification capabilities for entry and departure of devices and base stations 32
Theia Introduction and Live Demo 33
Theia Introduction and Live Demo 34
Theia Introduction and Live Demo 35
Theia Introduction and Live Demo 36
Solomon Sonya @Carpenter1010 So What Have We Discovered so far… 37
So What Have We Discovered so far… • Device Profile (Vendor, MAC, etc) • Device PNL (full probing list) • Relative Proximity of devices within range of sensor (RSSI) • Arrival and Departure Activity Window • Encryption Specifications for each requested SSID • Frequency and communication channel for each device
Solomon Sonya @Carpenter1010 Use Theia to Tag a Person to a device… 39
Solomon Sonya @Carpenter1010 Vulnerability Exposure
Vulnerability Exposure [1] • Profiling People (e.g., social engineer connection to planted AP, you can now specifically tag an individual person to a device) • Intercepting frames from a device can reveal much more than details about the device, but locations of the user!
Solomon Sonya @Carpenter1010 Geo-Location Tracking and Tagging 42 Hello there, simply because you left your WiFi enabled… I now know where you’ve been…
Solomon Sonya @Carpenter1010 Theia Live Geo-Tracking Demo 43
Solomon Sonya @Carpenter1010 Theia Live Geo-Tracking Demo 44
Solomon Sonya @Carpenter1010 Theia Live Geo-Tracking Demo 45
Solomon Sonya @Carpenter1010 Theia Live Geo-Tracking Demo 46
Solomon Sonya @Carpenter1010 Theia Live Geo-Tracking Demo 47
Solomon Sonya @Carpenter1010 Vulnerability Exposure 48
Vulnerability Exposure [2] • 802.11 protocol fails to tuple SSID to geo-location, BSSID • Your PNL is blindly built on a system of trust… surely the AP that responds to your probe is legit right?...  This leaves room for exploitation since any device will suffice! • Thus, if another device “suddenly” comes into the area that matches your probe, your device will attempt to authenticate with it • This is especially dangerous if authenticating to OPEN WiFi networks! • Don’t believe me? Welp, let’s start further exploitation with the WiFi Pineapple and then build our own attacks to go after victim devices http://www.reidlitchfield.com/these-arent-the-droids-youre-looking-for/ This is the access point you are looking for…
Solomon Sonya @Carpenter1010 802.11 Protocol Security Recommendations
Security Recommendation • 802.11 Protocol Enhancement • Devices should restrict full broadcast of entire PNL unless within range of known BSSID • Update required to tuple SSID, BSSID(MAC), and GPS Coordinates to known SSID and base station • Notify when anomaly detected • 802.11 MiTM Mitigation • Never store OPEN WiFi SSIDs on your devices • If so, device should notify when reassociated to “previous” base station • Geo-Location tracking and Personnel Profiling Mitigation • Remove all inactive SSIDs from devices • Disable WiFi when not in active use • Audit active WiFi connections on devices • Rename AP SSID broadcasts (it turns out less unique is actually safer for you in this case…!) • A new capability is required and we must audit 802.11 spectrum… (stay tuned, Connectionless (C)overt Channel: data- exfil and C2 module release in the works coming next summer) simply from 802.11 frames… whose auditing this right now??? “We can't solve problems by using the same kind of thinking we used when we created them.” – Albert Einstein
Solomon Sonya @Carpenter1010 Configuring and Running Theia… 53
Establishing Theia Sensor Suite • theia_oui.exe [*NIX] or [windows] • Will autostart and establish serversocket for new connections • theia_geo.exe [*NIX] or [windows] • Will autostart, establish serversocket for new connections, and allow you to import geo-location database table • theia_sensor.exe [*NIX only] – because of the wifi drivers • Will autostart, search for wireless interfaces, bind to interface, establish serversocket for new connections, display 802.11 collected frames ready for transmission to collector • GPS_collector.exe [*NIX only] • GPS agent, autostarts, binds to GPS receiver, displays telemetry data from receiver, establishes serversocket to relay data through sockets • First time: will download and configure dependencies for GPS reception  • Connect theia_sensor.exe to GPS_collector.exe • theia_collector.exe [*NIX] or [windows] • Will autostart and establish serversocket for new connections • Connects to theia_oui.exe, theia_geo.exe, theia_sensor.exe, theia_interface.exe • Collected frames will now be processed by the system ready for visualization • theia_interface.exe [windows only until Java1.8 FX release on *NIX] • User Interface providing visualization from collector 54
Theia_OUI 55 • Provides Vendor lookup information for detected MAC’s • java –jar theia_oui.jar • (I have already prepackaged the OUI table within the program. )
Theia_Geo • Provides Geo coordinates lookup for detected SSIDs • java –jar theia_geo.jar • Import geo-database table configuration file(s) 56
Theia_Collector • Heart and Engine of the entire system - Processes raw sensor data from theia_sensor to establish appropriate linkages ready to visualize in the interface • Self configures environment ready for you to connect to theia_geo, theia_oui, theia_sensor, theia_interface • java –jar theia_collector.jar 57
GPS_Collector (OPTIONAL) • Interfaces with GPS receiver to supply GPS data to all connected sockets • java –jar gps_collector.jar • NOTE: If this is the first time running, I programmed it to configure your system for you, and then interface with GPS receiver 58
Theia_Sensor • Actual sensor capturing 802.11 frames and transmitting to connected Theia_Collectors • java –jar theia_sensor.jar • After started, connect to GPS_Collector.jar (if applicable) using command: • gps_connect <IP> <PORT> 59
Theia_Interface • User Interface to visualize data intercepted by Theia Sensor Suite • Connects to Theia_Collector • java –jar theia_interface.jar 60
Solomon Sonya @Carpenter1010 Establishing Theia Sensor Suite and configuring the environment 61
Solomon Sonya @Carpenter1010 Building the Sensor… From Scratch! 62
Building the Sensor - 1 • Determine wireless interfaces and place into monitor mode • ifconfig • ifconfig wlan<#> down • iwconfig wlan<#> mode monitor • ifconfig wlan<#> up • Frequency Hopping! • Very important otherwise, you’ll capture only on 1 channel • There are scripts to do this, we’ll implement programmically based on our interrupt timer • iwconfig wlan<#> channel <#> • (we’ll code this later in the presentation) • GPS Collector • ServerSocket • Transmission of frames across connected sockets 63
Building Sensor • //Remaining slides will cover development of the sensor programically • GPS_Collector • Interfacing with GPS daemon, process and present telemetry • Sensor • Reading 802.11 frames directly from wireless interface card • Geo • Wigle.net API • Database construction • Google Map API construction • OUI • IEEE specification, HashTable construction for efficient retrieval • Collector • Most critical and robust component - HashMap, TreeMap, LinkedList required to efficiently store and link devices • Interface • Processing all data from Collector into User Interface • WarDriving 64
Solomon Sonya @Carpenter1010 Upcoming Features 65
Upcoming Features / Releases • Light-weight deployment module to Raspberry Pi • Sensor distribution package for Windows OS • Simultaneous multi-antennae integration • Crowd-source SSID database (distributed sharing) • Increased accuracy: GEO lat/lon to address • Additional wardriving compatibility with Kismet and Netstumbler 66
Acknowledgements:  TakeDownCon – RocketCity  Devona Valdez  Paul Coggin @PaulCoggin  Wigle.net, @bobzilla  Google  Vivek Ramachandaran, @securitytube  Sushail M. “The Boss” @hackcon Solomon Sonya @Carpenter1010 Solomon Sonya @Carpenter1010
WiFi Data Leakage by Solomon Sonya

Recommended

All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...
All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...
All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...
EC-Council
 
How to Get into ICS Security byChris Sistrunk
How to Get into ICS Security byChris SistrunkHow to Get into ICS Security byChris Sistrunk
How to Get into ICS Security byChris Sistrunk
EC-Council
 
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Positive Hack Days
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare Infrastructure
Positive Hack Days
 
Fault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsFault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis Protocols
Riscure
 
Mobile App Security - Best Practices
Mobile App Security - Best PracticesMobile App Security - Best Practices
Mobile App Security - Best Practices
RedBlackTree
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
Yogesh Ojha
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
Digital Bond
 

Recommended

All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...
All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...
All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...
EC-Council
 
How to Get into ICS Security byChris Sistrunk
How to Get into ICS Security byChris SistrunkHow to Get into ICS Security byChris Sistrunk
How to Get into ICS Security byChris Sistrunk
EC-Council
 
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Positive Hack Days
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare Infrastructure
Positive Hack Days
 
Fault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsFault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis Protocols
Riscure
 
Mobile App Security - Best Practices
Mobile App Security - Best PracticesMobile App Security - Best Practices
Mobile App Security - Best Practices
RedBlackTree
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
Yogesh Ojha
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
Digital Bond
 
IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process
EC-Council
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration Testing
ANURAG CHAKRABORTY
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)
Digital Bond
 
Inria Tech Talk IoT - 28 Mars 2018
Inria Tech Talk IoT - 28 Mars 2018Inria Tech Talk IoT - 28 Mars 2018
Inria Tech Talk IoT - 28 Mars 2018
FrenchTechCentral
 
Riscure Introduction
Riscure IntroductionRiscure Introduction
Riscure Introduction
Riscure
 
Security Updates Matter: Exploitation for Beginners
Security Updates Matter: Exploitation for BeginnersSecurity Updates Matter: Exploitation for Beginners
Security Updates Matter: Exploitation for Beginners
EnergySec
 
Ethical hacking by shivam
Ethical hacking by shivamEthical hacking by shivam
Ethical hacking by shivam
Shivam Ðreamchazer
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications
WSO2
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration tests
Priyanka Aash
 
Hack one iot device, break them all!
Hack one iot device, break them all!Hack one iot device, break them all!
Hack one iot device, break them all!
Justin Black
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoT
WSO2
 
Cryptography Tutorial
Cryptography TutorialCryptography Tutorial
Cryptography Tutorial
Intellipaat
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
Digital Bond
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)
Priyanka Aash
 
Track 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practicesTrack 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practices
ST_World
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric AuthenticationThe Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric Authentication
Veridium
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Securing Internet of Things
Securing Internet of ThingsSecuring Internet of Things
Securing Internet of Things
Rishabh Sharma
 
Recruiters' guide to hire an Ethical hacker
Recruiters' guide to hire an Ethical hackerRecruiters' guide to hire an Ethical hacker
Recruiters' guide to hire an Ethical hacker
Ayman Hussein
 
Housebook
HousebookHousebook
Housebook
Dennis Arendonk
 
Tealeaf
TealeafTealeaf
Tealeaf
gigamon
 

More Related Content

What's hot

IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process
EC-Council
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration Testing
ANURAG CHAKRABORTY
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)
Digital Bond
 
Inria Tech Talk IoT - 28 Mars 2018
Inria Tech Talk IoT - 28 Mars 2018Inria Tech Talk IoT - 28 Mars 2018
Inria Tech Talk IoT - 28 Mars 2018
FrenchTechCentral
 
Riscure Introduction
Riscure IntroductionRiscure Introduction
Riscure Introduction
Riscure
 
Security Updates Matter: Exploitation for Beginners
Security Updates Matter: Exploitation for BeginnersSecurity Updates Matter: Exploitation for Beginners
Security Updates Matter: Exploitation for Beginners
EnergySec
 
Ethical hacking by shivam
Ethical hacking by shivamEthical hacking by shivam
Ethical hacking by shivam
Shivam Ðreamchazer
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications
WSO2
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration tests
Priyanka Aash
 
Hack one iot device, break them all!
Hack one iot device, break them all!Hack one iot device, break them all!
Hack one iot device, break them all!
Justin Black
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoT
WSO2
 
Cryptography Tutorial
Cryptography TutorialCryptography Tutorial
Cryptography Tutorial
Intellipaat
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
Digital Bond
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)
Priyanka Aash
 
Track 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practicesTrack 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practices
ST_World
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric AuthenticationThe Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric Authentication
Veridium
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Securing Internet of Things
Securing Internet of ThingsSecuring Internet of Things
Securing Internet of Things
Rishabh Sharma
 
Recruiters' guide to hire an Ethical hacker
Recruiters' guide to hire an Ethical hackerRecruiters' guide to hire an Ethical hacker
Recruiters' guide to hire an Ethical hacker
Ayman Hussein
 

What's hot (20)

IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process IoT Security – Executing an Effective Security Testing Process
IoT Security – Executing an Effective Security Testing Process
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration Testing
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)
 
Inria Tech Talk IoT - 28 Mars 2018
Inria Tech Talk IoT - 28 Mars 2018Inria Tech Talk IoT - 28 Mars 2018
Inria Tech Talk IoT - 28 Mars 2018
 
Riscure Introduction
Riscure IntroductionRiscure Introduction
Riscure Introduction
 
Security Updates Matter: Exploitation for Beginners
Security Updates Matter: Exploitation for BeginnersSecurity Updates Matter: Exploitation for Beginners
Security Updates Matter: Exploitation for Beginners
 
Ethical hacking by shivam
Ethical hacking by shivamEthical hacking by shivam
Ethical hacking by shivam
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration tests
 
Hack one iot device, break them all!
Hack one iot device, break them all!Hack one iot device, break them all!
Hack one iot device, break them all!
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoT
 
Cryptography Tutorial
Cryptography TutorialCryptography Tutorial
Cryptography Tutorial
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)
 
Track 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practicesTrack 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practices
 
The Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric AuthenticationThe Password Is Dead: An Argument for Multifactor Biometric Authentication
The Password Is Dead: An Argument for Multifactor Biometric Authentication
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Securing Internet of Things
Securing Internet of ThingsSecuring Internet of Things
Securing Internet of Things
 
Recruiters' guide to hire an Ethical hacker
Recruiters' guide to hire an Ethical hackerRecruiters' guide to hire an Ethical hacker
Recruiters' guide to hire an Ethical hacker
 

Viewers also liked

Housebook
HousebookHousebook
Housebook
Dennis Arendonk
 
Tealeaf
TealeafTealeaf
Tealeaf
gigamon
 
Unit plan
Unit planUnit plan
Unit plan
courtneykramer
 
Varun Sharma Resume
Varun Sharma ResumeVarun Sharma Resume
Varun Sharma Resume
Varun Sharma
 
Vista PR. What we do.
Vista PR. What we do.Vista PR. What we do.
Vista PR. What we do.
Vista Public Relations
 
Fazeley Studios Photography
Fazeley Studios PhotographyFazeley Studios Photography
Fazeley Studios Photography
LaurenClarke123
 

Viewers also liked (6)

Housebook
HousebookHousebook
Housebook
 
Tealeaf
TealeafTealeaf
Tealeaf
 
Unit plan
Unit planUnit plan
Unit plan
 
Varun Sharma Resume
Varun Sharma ResumeVarun Sharma Resume
Varun Sharma Resume
 
Vista PR. What we do.
Vista PR. What we do.Vista PR. What we do.
Vista PR. What we do.
 
Fazeley Studios Photography
Fazeley Studios PhotographyFazeley Studios Photography
Fazeley Studios Photography
 

Similar to WiFi Data Leakage by Solomon Sonya

Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Abhinav Biswas
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
Lancope, Inc.
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage Threats
Cisco Canada
 
IoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation TrackIoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation Track
Priyanka Aash
 
Weaponizing Intelligence: Interdiction in Today’s Threat Landscape
Weaponizing Intelligence: Interdiction in Today’s Threat LandscapeWeaponizing Intelligence: Interdiction in Today’s Threat Landscape
Weaponizing Intelligence: Interdiction in Today’s Threat Landscape
Priyanka Aash
 
Elements of Connected Products
Elements of Connected ProductsElements of Connected Products
Elements of Connected Products
Jordan Husney
 
Lesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptxLesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptx
Jezer Arces
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
Raffael Marty
 
Iot Security
Iot SecurityIot Security
Iot Security
MAITREYA MISRA
 
Onion routing and tor: Fundamentals and Anonymity
Onion routing and tor: Fundamentals and AnonymityOnion routing and tor: Fundamentals and Anonymity
Onion routing and tor: Fundamentals and Anonymity
anurag singh
 
Bar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 HackingBar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 Hacking
Barcamp Kerala
 
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painfDEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
Felipe Prado
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
Eric Klein
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitch
Yury Chemerkin
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
Priyanka Aash
 
Airheads dallas 2011 wireless security
Airheads dallas 2011 wireless securityAirheads dallas 2011 wireless security
Airheads dallas 2011 wireless security
Aruba, a Hewlett Packard Enterprise company
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
Sophos Benelux
 
SFScon19 - Francesco La Spina -7 Steps to Industry 40
SFScon19 - Francesco La Spina -7 Steps to Industry 40SFScon19 - Francesco La Spina -7 Steps to Industry 40
SFScon19 - Francesco La Spina -7 Steps to Industry 40
South Tyrol Free Software Conference
 
Co se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel MinaříkCo se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel Minařík
Security Session
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
PacSecJP
 

Similar to WiFi Data Leakage by Solomon Sonya (20)

Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage Threats
 
IoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation TrackIoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation Track
 
Weaponizing Intelligence: Interdiction in Today’s Threat Landscape
Weaponizing Intelligence: Interdiction in Today’s Threat LandscapeWeaponizing Intelligence: Interdiction in Today’s Threat Landscape
Weaponizing Intelligence: Interdiction in Today’s Threat Landscape
 
Elements of Connected Products
Elements of Connected ProductsElements of Connected Products
Elements of Connected Products
 
Lesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptxLesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptx
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Iot Security
Iot SecurityIot Security
Iot Security
 
Onion routing and tor: Fundamentals and Anonymity
Onion routing and tor: Fundamentals and AnonymityOnion routing and tor: Fundamentals and Anonymity
Onion routing and tor: Fundamentals and Anonymity
 
Bar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 HackingBar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 Hacking
 
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painfDEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitch
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
 
Airheads dallas 2011 wireless security
Airheads dallas 2011 wireless securityAirheads dallas 2011 wireless security
Airheads dallas 2011 wireless security
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
SFScon19 - Francesco La Spina -7 Steps to Industry 40
SFScon19 - Francesco La Spina -7 Steps to Industry 40SFScon19 - Francesco La Spina -7 Steps to Industry 40
SFScon19 - Francesco La Spina -7 Steps to Industry 40
 
Co se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel MinaříkCo se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel Minařík
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
 

More from EC-Council

CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber WorldCyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
EC-Council
 
Cloud Security Architecture - a different approach
Cloud Security Architecture - a different approachCloud Security Architecture - a different approach
Cloud Security Architecture - a different approach
EC-Council
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident Response
EC-Council
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James
EC-Council
 
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith TurpinHacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
EC-Council
 
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle LeeHacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
EC-Council
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverCloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
EC-Council
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
EC-Council
 
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea AmicoData in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
EC-Council
 
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel NaderBreaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
EC-Council
 
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanAre your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
EC-Council
 
War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019
EC-Council
 
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
EC-Council
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
EC-Council
 
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes WidnerAlexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
EC-Council
 
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law EnforcementHacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
EC-Council
 
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
EC-Council
 
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
EC-Council
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
EC-Council
 
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
EC-Council
 

More from EC-Council (20)

CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber WorldCyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
 
Cloud Security Architecture - a different approach
Cloud Security Architecture - a different approachCloud Security Architecture - a different approach
Cloud Security Architecture - a different approach
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident Response
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James
 
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith TurpinHacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
 
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle LeeHacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverCloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
 
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea AmicoData in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
 
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel NaderBreaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
 
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanAre your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
 
War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019
 
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
 
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes WidnerAlexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
 
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law EnforcementHacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
 
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
 
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
 
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
 

Recently uploaded

20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 

Recently uploaded (20)

20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 

WiFi Data Leakage by Solomon Sonya

  • 1. Wifi Data Leakage: How your phone, laptop, and smart device can reveal where you live, work, and places you’ve visited via 802.11 inception Solomon Sonya @Carpenter1010 The problem always seems to become more tractable when presented with the solution…
  • 2. What to Expect 2 • Hand-Waving! • Intro / Background • Building Knowledge Requirement • Deep Dive into 802.11 Protocol • Developing the Sensor • Live Demos! • Tagging and Geotracking people • 802.11 Vulnerability Exposure • Security Protocol Enhancement • Future Work • Questions http://logout.hu/dl/upc/2011-06/230806_gremlin_in_my_computer-lyvind_berget.jpg, Retrieved 17 Sep 13
  • 4. Security at Present… • How far have we come? • Is it good enough? • Discovered vulnerabilities are fixed with patches • Known malware removed with AV (signature based) • Emerging malware “detected” via baselining (anomaly) • Digitally signed software • We still believe “Detection is the key” • Avg malware lifespan (depending on source) ~294-300+ days still! • Fallacy with Security: • Current [incorrect] view: start-state is secure, bolt on security from here • We’ll remain ahead of the adversary ;-)
  • 5. Anatomy of a Cyber Attack Reconnaissance Scanning Penetration Stealth & Persistence Cover Tracks Pivot Pillage Paralyze Privileges++ Source: Solomon Sonya @Carpenter1010
  • 6. Updated Anatomy of a Cyber Attack Reconnaissance/Research Scan Targets Penetration Pivot Pillage Paralyze Privileges++ Stage Exploits Water-Hole Drive-By Phishing Social Engineering XSS Trojan Ping Sweep ARP Scan Port Knock Active & Passive DNS Lookups IP Reservations Embedded Devices Management Protocols Insider Evade Detection Maintain Access Source: Solomon Sonya @Carpenter1010
  • 7. Security of the Future • Root of the problem lies with how security is considered during creation and deployment: • Bolted-on vrs. Built-in approaches • Integration of Smart Devices • A country’s greatest spy • IoT… Are we ready?
  • 8. Cell Phones: A country’s greatest spy • When was the last time you audited the permissions granted to your apps? • Is all of this necessary to show a light? (I would avoid apps like these!) http://www.snoopwall.com/wp-content/uploads/2014/10/Flashlight-Spyware-Appendix-2014.pdf Really?!!!
  • 9. Thought Question… Even if we secured it all… What are we doing still to secure the protocols these devices are using to communicate?
  • 10. How did we get here… 12 • Researching threat intelligence last year • Sitting at an airport enroute to a conference, watching people pass by, I wondered if it is possible if I could determine where each person is coming from a priori… • Knew people usually carried cell-phone, smart device, and/or laptop on travels and these devices are constantly probing to connect to a known network • Hacker’s Mantra: “I wonder what happens if…”
  • 11. The Research has begun! • Developed the following research questions to direct new research project: • Is it possible to intercept PNL (preferred network list) probes to fingerprint certain people? • If so, can a profile be created to reveal the area-of-habitation (likely places of work, live, play) • Can we determine a likely device and alert on likely “places of interest” such that we can identify a person that works/lives at specific places? (Think Intel, Google, military, etc) • Can we expand profile on a person to determine their previous geolocations, SSIDS, and activity times within an area such that we can know when to expect a person within a particular area? (think home and work, etc…) • Determining each devices’ PNL, can we establish a rogue AP and MiTM a user’s device to route all traffic through our machine without the victim’s knowledge?!!!! • Spoiler Alert: YES YOU CAN!!!! Let’s see how! 13
  • 12. Initial Knowledge Required… • 802.11 Frames: • Management Frames: Setup and maintain communications • Authentication, Deauthentication • Association, Disassociation • Synchronization Messages • Probe • Beacon • Control Frames: Assist in frame delivery and reduces collisions • Acknowledgements, Request/Clear to Send, Block, Poll, End • Data Frames: Transport data from higher layers (HTTP, etc) • 802.11 Client Authentication Process 14
  • 13. Initial Knowledge Required… • Distributed Computing (Efficiency, Optimization, Updates) • Socket Programming (Connections, Tokenization) • Threads • Wrappers(Worker Process, Conversion, Parsing, Encryption, etc) • Coding not your thing? No problem, just use Theia! Demo coming in a few slides from now! 15
  • 14. 802.11 Pertinent Frame Subtype Identifiers • Authentication 0x0b • Deauthentication 0x0c • Association Request 0x00 • Association Response 0x01 • Reassociation Request 0x02 • Reassociation Response 0x03 • Probe Request 0x04 * * * (NIC is in the area) • Probe Response 0x05 (now know AP is in the area) • Beacon 0x08 (now know AP is in the area) • Request to Send (RTS) 0xb0 (usually present with hidden Aps) • Clear to Send (CTS) 0xc0 • Control and Data frames handled in future research • More Info: https://supportforums.cisco.com/document/52391/80211-frames-starter-guide-learn-wireless-sniffer-traces 19
  • 15. Solomon Sonya @Carpenter1010 So… What do we do with this information? 20 Let’s bring it together by understanding the 802.11 Authentication Process, PNL, and then let’s demo!
  • 16. Client Authentication Process and PNL 21 BROADCAST NETGEAR linksys Free_Airport_WiFi Device routinely probes to discover available access points in the area and rejoin previously associated networks http://www.alohaorganizers.com/4-productivity-tools-already- exist-iphone/ http://www.alohaorganizers.com/4-productivity-tools-already-exist-iphone/ Device Access Point Client Authentication Process Time Probe Response Authentication Response Association Response Probe Beacon Client Probe Activity
  • 17. Solomon Sonya @Carpenter1010 Let’s Build the Sensor! 22
  • 18. Hardware Setup on the cheap… • Minimum • Wireless Card (Alfa Card) • Wireshark (Tshark) • *NIX OS (Kali 2.x.x) • Extra Credit • Long Range, High Gain WiFi Antennae “BAA” (12dbi Antennae) • GPS Receiver (GlobalSat BU-353-S4 USB GPS Receiver) 23 http://mindprod.com/jgloss/wireshark.html TShark KALI LINUX
  • 19. Intercepting Frames to Begin Analysis • Collection process: acquire/query, parse, analyze/interpret, present, visualize • What data should we collect? • How do we collect it? • Let’s begin with the protocol analyzer Tshark (shortlist) • -Y wlan.fc.type –T fields Focus and filter on 802.11 protocol • -e wlan.fc.subtype Display different frame types (mgt, ctrl) • -e wlan.sa Display transmitter MAC address • -e wlan.da Display receiver MAC address • -e wlan Display WiFi protocol information • -e wlan_mgt.ssid Display the SSID (if present) 24
  • 20. What can we do at this point? • Active devices within range • Preferred Network List broadcasted by active devices • MAC addresses for devices and access points • SSIDs broadcasted by non-hidden Access Points • Vendor identifying information (when linked to OUI database)
  • 22. Initial Sensor Construction • What did we first capture?
  • 23. Solomon Sonya @Carpenter1010 How do we process this information to derive meaning from the data? 28 “Everything should be made as simple as possible, but not simpler.” – Albert Einstein
  • 24. Frame Acquisition Process • Process: • Acquire/Query, Parse, Analyze/Interpret, Present, Visualize • Recall: • If we build our own sensor, what components are required? • Wouldn’t it be nice if we had a tool to process all of this information for us? • Options you could use: Kismet, NetStumbler, inSSIDer, Airocrack-ng suite… OR, you can build your own and add custom features specific to your environment… I chose the latter! 29
  • 25. Components to Build the Sensor Suite • 802.11 Receiver/Antennae (Sensor) - Theia_Sensor • GPS Receiver (GPS Collector) - GPS_Collector • IEEE OUI Specification - Theia_OUI • Geo-Location Retrieval Agent - Theia_GEO • Collector: Acquire/Query, Parse, Analyze/Interpret, Present - Theia_Collector • User Interface: Visualize - Theia_Interface GPS Collector Sensor OUI Agent Log Collector GPS Collector Sensor GPS Collector Sensor … Theia Interface Theia Interface … Geo-Retrieval
  • 27. Theia Sensor Suite • Distributed Wireless Sensor Suite to acquire, analyze , process, and visualize data extracted from 802.11 frames • Extensible: Allows multiple sensor integration back into the central collector (s) • Displays linkage between PNL from each device and APs within the area • Provides geolocation ability to display and map locations where a device (and user) have been • Provides tagging, alert, and notification capabilities for entry and departure of devices and base stations 32
  • 28. Theia Introduction and Live Demo 33
  • 29. Theia Introduction and Live Demo 34
  • 30. Theia Introduction and Live Demo 35
  • 31. Theia Introduction and Live Demo 36
  • 32. Solomon Sonya @Carpenter1010 So What Have We Discovered so far… 37
  • 33. So What Have We Discovered so far… • Device Profile (Vendor, MAC, etc) • Device PNL (full probing list) • Relative Proximity of devices within range of sensor (RSSI) • Arrival and Departure Activity Window • Encryption Specifications for each requested SSID • Frequency and communication channel for each device
  • 34. Solomon Sonya @Carpenter1010 Use Theia to Tag a Person to a device… 39
  • 36. Vulnerability Exposure [1] • Profiling People (e.g., social engineer connection to planted AP, you can now specifically tag an individual person to a device) • Intercepting frames from a device can reveal much more than details about the device, but locations of the user!
  • 37. Solomon Sonya @Carpenter1010 Geo-Location Tracking and Tagging 42 Hello there, simply because you left your WiFi enabled… I now know where you’ve been…
  • 38. Solomon Sonya @Carpenter1010 Theia Live Geo-Tracking Demo 43
  • 39. Solomon Sonya @Carpenter1010 Theia Live Geo-Tracking Demo 44
  • 40. Solomon Sonya @Carpenter1010 Theia Live Geo-Tracking Demo 45
  • 41. Solomon Sonya @Carpenter1010 Theia Live Geo-Tracking Demo 46
  • 42. Solomon Sonya @Carpenter1010 Theia Live Geo-Tracking Demo 47
  • 44. Vulnerability Exposure [2] • 802.11 protocol fails to tuple SSID to geo-location, BSSID • Your PNL is blindly built on a system of trust… surely the AP that responds to your probe is legit right?...  This leaves room for exploitation since any device will suffice! • Thus, if another device “suddenly” comes into the area that matches your probe, your device will attempt to authenticate with it • This is especially dangerous if authenticating to OPEN WiFi networks! • Don’t believe me? Welp, let’s start further exploitation with the WiFi Pineapple and then build our own attacks to go after victim devices http://www.reidlitchfield.com/these-arent-the-droids-youre-looking-for/ This is the access point you are looking for…
  • 45. Solomon Sonya @Carpenter1010 802.11 Protocol Security Recommendations
  • 46. Security Recommendation • 802.11 Protocol Enhancement • Devices should restrict full broadcast of entire PNL unless within range of known BSSID • Update required to tuple SSID, BSSID(MAC), and GPS Coordinates to known SSID and base station • Notify when anomaly detected • 802.11 MiTM Mitigation • Never store OPEN WiFi SSIDs on your devices • If so, device should notify when reassociated to “previous” base station • Geo-Location tracking and Personnel Profiling Mitigation • Remove all inactive SSIDs from devices • Disable WiFi when not in active use • Audit active WiFi connections on devices • Rename AP SSID broadcasts (it turns out less unique is actually safer for you in this case…!) • A new capability is required and we must audit 802.11 spectrum… (stay tuned, Connectionless (C)overt Channel: data- exfil and C2 module release in the works coming next summer) simply from 802.11 frames… whose auditing this right now??? “We can't solve problems by using the same kind of thinking we used when we created them.” – Albert Einstein
  • 47. Solomon Sonya @Carpenter1010 Configuring and Running Theia… 53
  • 48. Establishing Theia Sensor Suite • theia_oui.exe [*NIX] or [windows] • Will autostart and establish serversocket for new connections • theia_geo.exe [*NIX] or [windows] • Will autostart, establish serversocket for new connections, and allow you to import geo-location database table • theia_sensor.exe [*NIX only] – because of the wifi drivers • Will autostart, search for wireless interfaces, bind to interface, establish serversocket for new connections, display 802.11 collected frames ready for transmission to collector • GPS_collector.exe [*NIX only] • GPS agent, autostarts, binds to GPS receiver, displays telemetry data from receiver, establishes serversocket to relay data through sockets • First time: will download and configure dependencies for GPS reception  • Connect theia_sensor.exe to GPS_collector.exe • theia_collector.exe [*NIX] or [windows] • Will autostart and establish serversocket for new connections • Connects to theia_oui.exe, theia_geo.exe, theia_sensor.exe, theia_interface.exe • Collected frames will now be processed by the system ready for visualization • theia_interface.exe [windows only until Java1.8 FX release on *NIX] • User Interface providing visualization from collector 54
  • 49. Theia_OUI 55 • Provides Vendor lookup information for detected MAC’s • java –jar theia_oui.jar • (I have already prepackaged the OUI table within the program. )
  • 50. Theia_Geo • Provides Geo coordinates lookup for detected SSIDs • java –jar theia_geo.jar • Import geo-database table configuration file(s) 56
  • 51. Theia_Collector • Heart and Engine of the entire system - Processes raw sensor data from theia_sensor to establish appropriate linkages ready to visualize in the interface • Self configures environment ready for you to connect to theia_geo, theia_oui, theia_sensor, theia_interface • java –jar theia_collector.jar 57
  • 52. GPS_Collector (OPTIONAL) • Interfaces with GPS receiver to supply GPS data to all connected sockets • java –jar gps_collector.jar • NOTE: If this is the first time running, I programmed it to configure your system for you, and then interface with GPS receiver 58
  • 53. Theia_Sensor • Actual sensor capturing 802.11 frames and transmitting to connected Theia_Collectors • java –jar theia_sensor.jar • After started, connect to GPS_Collector.jar (if applicable) using command: • gps_connect <IP> <PORT> 59
  • 54. Theia_Interface • User Interface to visualize data intercepted by Theia Sensor Suite • Connects to Theia_Collector • java –jar theia_interface.jar 60
  • 55. Solomon Sonya @Carpenter1010 Establishing Theia Sensor Suite and configuring the environment 61
  • 56. Solomon Sonya @Carpenter1010 Building the Sensor… From Scratch! 62
  • 57. Building the Sensor - 1 • Determine wireless interfaces and place into monitor mode • ifconfig • ifconfig wlan<#> down • iwconfig wlan<#> mode monitor • ifconfig wlan<#> up • Frequency Hopping! • Very important otherwise, you’ll capture only on 1 channel • There are scripts to do this, we’ll implement programmically based on our interrupt timer • iwconfig wlan<#> channel <#> • (we’ll code this later in the presentation) • GPS Collector • ServerSocket • Transmission of frames across connected sockets 63
  • 58. Building Sensor • //Remaining slides will cover development of the sensor programically • GPS_Collector • Interfacing with GPS daemon, process and present telemetry • Sensor • Reading 802.11 frames directly from wireless interface card • Geo • Wigle.net API • Database construction • Google Map API construction • OUI • IEEE specification, HashTable construction for efficient retrieval • Collector • Most critical and robust component - HashMap, TreeMap, LinkedList required to efficiently store and link devices • Interface • Processing all data from Collector into User Interface • WarDriving 64
  • 60. Upcoming Features / Releases • Light-weight deployment module to Raspberry Pi • Sensor distribution package for Windows OS • Simultaneous multi-antennae integration • Crowd-source SSID database (distributed sharing) • Increased accuracy: GEO lat/lon to address • Additional wardriving compatibility with Kismet and Netstumbler 66
  • 61. Acknowledgements:  TakeDownCon – RocketCity  Devona Valdez  Paul Coggin @PaulCoggin  Wigle.net, @bobzilla  Google  Vivek Ramachandaran, @securitytube  Sushail M. “The Boss” @hackcon Solomon Sonya @Carpenter1010 Solomon Sonya @Carpenter1010