How to Hack Wi-Fi with No Wi-Fi

This webcast originally aired March 6, 2025.

In this video, John Strand and his team discuss the challenges of setting up and running wireless labs, particularly focusing on the issues faced during Wild West Hackin’ Fest events. They highlight the development of an open-source project aimed at virtualizing wireless labs, which allows learners to practice wireless hacking techniques without needing physical hardware. This project is designed to make wireless security education more accessible by removing the barriers of expensive gear and complex setups, thus fostering a deeper understanding of wireless technologies.

  • The webinar discusses the challenges and solutions in virtualizing wireless labs, highlighting the difficulties faced with hardware and software compatibility in traditional setups.
  • Wi-Fi Forge is introduced as a tool that allows for wireless hacking without the need for physical hardware, using virtualization and emulation to create realistic training environments.
  • The future plans for Wi-Fi Forge include adding support for WPA3, Dockerization for easier setup, and creating a tool to emulate real client environments before engagements.

Highlights

1:19

Exploring Kernel-Level Magic: The Journey of Enhancing Mininet-WiFi

Developers use this tool for testing protocols, creating virtual interfaces, and simulating wireless access points on computers.

3:02

Exploring Wireless Security with Monitor Mode and BetterCap

This segment explains switching a wireless interface to monitor mode for network analysis, highlighting tools like BetterCap and airmon-ng.

1:52

Understanding WPA2 and the Deauthentication Attack

WPA2 encryption secures wireless networks, while the outdated WEP is insecure. Deauthentication attacks force WPA2 clients to reconnect so their password handshake can be captured.

1:27

Exploring Wifiphisher: The Innovative Phishing Tool for Creating Realistic Fake Networks

Wifiphisher is a tool for creating fake Wi-Fi sign-in pages, deceiving users into revealing their passwords through realistic captive portals.

2:13

Demo Day Dilemmas: The Unpredictable Challenges of Live Presentations

A humorous account of technical difficulties during a demo, highlighting the unpredictability of technology and human resilience.

3:06

Exploring Wireless Network Security: A Practical Guide to WEP and Traffic Simulation

Explains setting up wireless attacks against WEP encryption, monitoring network traffic, and simulating client interactions with the iperf tool.

0:59

Future Plans: Dockerization and Version Upgrades

Future plans include Dockerization, version upgrades, and integrating WPA3 along with newer attacks such as Dragonblood.

2:09

Executing a Wifiphisher Attack with Kali Linux

Launching Firefox from a Kali Linux terminal, simulating a rogue access point for Wi-Fi phishing, and demonstrating user-agent discrepancies.

1:44

Harnessing Virtual Environments for Wi-Fi Security Training

This segment describes a virtual environment for practicing wireless attack tools, emphasizing its use as a safe training tool.
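The deauthentication attack summarized in the highlights above is also the easiest step of that whole workflow to spot from the defender's side, because an attacker has to inject far more deauthentication frames than ordinary client roaming ever produces. The Python below is an added illustration, not code from the webcast or from Wi-Fi Forge: it runs a sliding-window counter over a constructed stream of 802.11 management-frame records (the `Frame` fields, the MAC addresses, the 10-second window and the threshold of 20 frames are all assumptions) and raises one alert per BSSID per burst when a single access-point address emits more deauth/disassoc frames than roaming could explain.

```python
"""Flag deauthentication floods in a stream of 802.11 management-frame records.

Added example (not code from the webcast or from Wi-Fi Forge). The frame
records, MAC addresses, window and threshold below are constructed
assumptions; a real deployment would feed this from a monitor-mode capture.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """One management frame as a capture tool might summarize it."""
    ts: float       # capture time in seconds
    subtype: str    # "beacon", "deauth", "disassoc", ...
    bssid: str      # access point the frame claims to come from
    dst: str        # receiver address


@dataclass
class Alert:
    bssid: str
    start: float        # first deauth/disassoc inside the window
    end: float          # frame that tripped the threshold
    count: int          # deauth/disassoc frames inside the window
    broadcast: bool     # True if the burst targeted every client at once
    clients: int        # distinct unicast targets inside the window


def detect_deauth_flood(frames: Iterable[Frame], window: float = 10.0,
                        threshold: int = 20) -> List[Alert]:
    """Return one Alert per BSSID per burst of deauth/disassoc frames.

    Legitimate roaming produces a handful of deauth frames per AP per
    minute; a forged flood produces dozens per second, so a sliding-window
    count per BSSID separates the two without decrypting anything.
    """
    recent = defaultdict(deque)   # bssid -> deque of (ts, dst) inside the window
    quiet_until = {}              # bssid -> time after which a new alert may fire
    alerts: List[Alert] = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        q = recent[f.bssid]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window:   # drop frames that aged out
            q.popleft()
        if len(q) < threshold or f.ts < quiet_until.get(f.bssid, float("-inf")):
            continue
        targets = {dst for _, dst in q}
        alerts.append(Alert(
            bssid=f.bssid, start=q[0][0], end=f.ts, count=len(q),
            broadcast=BROADCAST in targets,
            clients=len(targets - {BROADCAST}),
        ))
        quiet_until[f.bssid] = f.ts + window   # one alert per burst, not per frame
    return alerts


def sample_frames() -> List[Frame]:
    """Constructed capture: a benign AP, two roaming deauths, and a flood."""
    benign_ap, spoofed_ap = "02:00:00:00:00:00", "02:00:00:00:01:00"
    frames = [Frame(i * 0.1, "beacon", benign_ap, BROADCAST) for i in range(100)]
    # two clients roaming away during the capture: normal background noise
    frames.append(Frame(2.0, "deauth", benign_ap, "02:00:00:00:02:00"))
    frames.append(Frame(7.5, "deauth", benign_ap, "02:00:00:00:03:00"))
    # forged broadcast deauths carrying the second AP's BSSID: 60 frames in 3 s
    frames += [Frame(4.0 + i * 0.05, "deauth", spoofed_ap, BROADCAST)
               for i in range(60)]
    return frames


if __name__ == "__main__":
    for a in detect_deauth_flood(sample_frames()):
        kind = "broadcast" if a.broadcast else f"{a.clients} client(s)"
        print(f"[ALERT] {a.bssid}: {a.count} deauth frames in "
              f"{a.end - a.start:.2f}s ({kind})")
```

The two roaming deauths from the benign AP never reach the threshold, while the forged burst trips it on its twentieth frame and is then suppressed for the rest of the window, so a three-second flood yields exactly one alert rather than forty. The window and threshold are deliberately conservative and should be tuned per environment; networks that can enable 802.11w protected management frames stop forged deauthentication from being honoured in the first place, and this kind of counter is for the networks that cannot yet do so.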

Transcript

John Strand

All right, everybody, thank you so much for joining us today. I don’t come out of the woodwork very often for webcasts. I should be better at joining the webcasts. But this one is very, very special to me for a large number of different reasons.

The first reason is, when we were doing our labs and we were traveling around with Wild West Hackin’ Fest, we would have to bring all of this gear. And anytime you went to a con and they had a Wi-Fi hacking village, you could always see the stress of the people putting on the village, right?

They had all of these APs and they have the wireless cards, and you’ve got to have the right wireless card that works with this particular device that has packet injection, and it doesn’t actually work with my specific system. And then you have people that don’t understand how virtual machines work.

Then you get into VMware issues, because Broadcom bought VMware and VMware absolutely was destroyed. So the support for virtualization and passing things through over USB, especially whenever you’re trying to do Wi-Fi stuff, was an absolute disaster.

What I’m trying to get at is, it’s bad. And we had a number of different situations where we would take all this gear and then something would break and then labs did not work.

Just didn’t work. And this wasn’t a problem specific to us, right. This is something that’s consistent across the board for a number of different villages and a number of different classes that attempt to teach wireless in those classes.

So a long time ago, Jordan and Kent were talking to me about a weird project that they had discovered. And there was a chance, there’s just maybe a chance, that this open source project could be used where we could virtualize the entirety of our wireless labs.

Not emulated. Well, it does some emulation under the hood. But if you remember those old Cisco exams where you had to type the commands and it was like enable, config t and all those things, and if you didn’t type things perfectly, you would get it wrong.

You could have set up a wireless lab that was like that. But we wanted to completely virtualize and abstract all of the hardware and do it completely on a local system with no wireless capabilities at all.

And what this does is it opens up the ability to learn wireless more, opens up the ability for people to do things and learn things that they maybe would not have gotten the opportunity to learn and do because they don’t have the gear, or they don’t have access to the infrastructure, or they can’t get specific cards.

Because one of the biggest problems that we have in information security today is the blind spots that we have in information security. A blind spot would be like testing AI in the cloud, testing cloud services in general; blind spots like testing mobile devices, like iOS and Android devices, because they’re not really general purpose computing platforms.

Not everyone can gain access to them. It’s not super easy to learn how to hack on a phone. And wireless is absolutely one of those technologies that has a barrier to entry. And if there’s one of the things that we thrive on at Black Hills Information Security, if there’s one of the things that we absolutely thrive on at Antisyphon Security Training, it’s trying to break down the barriers.

Because as Jason said, yes, Black Hills Information Security, we do hacking things. Need to get hacked? Afraid you’ve been hacked? Want to prevent yourself from getting hacked? Call Black Hills Information Security today. Start up a conversation by sending an email to consulting@blackhillsinfosec.com

There we go. We did it. Also training Antisyphon. Check that out.

Joseph Boyd

It’s cool.

John Strand

So this is an example of the type of work that we do. So that’s the first reason why I’m excited about this particular webcast, because it highlights the commitment of Black Hills Information Security and Antisyphon Security Training to give back.

Always watch for the firms, training organizations and consulting firms. See who has their hands out to give and see who has their hands out to take. Always, always support the firms that have their hands out to give. They’re easy to find.

The second reason why I am excited about this particular webcast is I get to introduce you to two just amazing security professionals that really sort of by mistake fell into our lap.

I, remember when Ben came in, it was like, who is this guy? And he had this whole thing of like, what am I doing here? And that’s how our whole relationship started. Like, who are you? Why are you here? I don’t know. Someone told me to.

And it’s blossomed from that. The third reason why I’m excited about this webcast is Joseph. Joseph has been a tremendous asset to the research arm of Black Hills Information Security, working on this project with Ben, and also working on an AI project that is coming up soon.

Hi, Ryan. Ryan’s picture just popped up. That’s good. I’m just going to say it. There we go. But Joseph has been doing some amazing research and development and he’s just absolutely impressed all of us at Black Hills Information Security.

And I love the opportunity to introduce our family, the Black Hills Information Security Discord community, and all the people that are showing up, to the new people at Black Hills Infosec. And with that, gents, are we ready?

Ben Bowman

Yeah. Ready as ever.

John Strand

All right, let’s kick out the jams. I’ll see you on the other side later.

Ben Bowman

Later. Thanks, John. So, yeah, like John said, I’m Ben. I started at Black Hills almost two years ago now, and I just kind of fell into it. I showed up one day and the rest of the story is history.

Joe.

Joseph Boyd

Yeah, I interned here. Ben actually got me into the company. I used to work at Case New Holland doing policy stuff. Not my thing. I’m having a lot more fun working on code and actually getting to solve real problems with this company.

John Strand

So I’m just going to throw out there real quick: people are going to think that they just walk in off the streets, sit down and start working, and that’s how you work here. And then once you’re in, you’re bringing your friends. 100% true.

100.

Ben Bowman

Guys, take notes.

John Strand

Wait, you guys nailed it. Well done.

Ben Bowman

Take notes, guys. You can just show up. No, no, it was a little bit more than that. But I always like to tell that story. I showed up and they didn’t know if I actually worked here yet. It was a whole thing. Yeah, Joe was my roommate in college. We’ve been friends for, I don’t know, four years now, and we’ve just been on the same ride together ever since.

So one of the things I want to talk about before we start is, John talked about why he was excited. I want to share why I’m excited. I started hacking when I was 12. And the way I got into it was I got a Shopco cell phone. If you guys remember Shopco, back when that was a cool thing.

It was like 70 bucks. My family didn’t have money for data, and so I googled how to hack Wi-Fi. Ended up landing on Aircrack and all sorts of stuff. And one of the first issues I encountered was I was a kid and I didn’t have money to buy an Alfa card.

Right. So this tool is special to me because anybody that’s getting into it that doesn’t have the money to make that jump over the first wall now can. So with that I suppose we’ll get into it.

Joseph Boyd

Yeah.

Ben Bowman

So this is our presentation. Wi-Fi-less Wi-Fi exploitation with Wi-Fi Forge. A lot of Wi-Fi. These are the topics we’re going to be covering. We want to go over the purpose, the technical overview, capabilities and workflow, and we’ll do some examples with you guys.

Questions and future features. The future features are going to be really cool. Excited to discuss that with you guys. Go ahead.

Joseph Boyd

All right, so Wi-Fi Forge, we kind of already touched on it. It’s Wi-Fi-less Wi-Fi hacking. So you don’t need any hardware, you just need a VM, or even on your own computer you can run this.

It only works with Linux systems. Ubuntu is what we recommend. We’re going to be running on Kali, so hopefully that goes well. Today we had to troubleshoot some issues with it, but it’s all within this singular menu. And I’ll go briefly into the technical details, but not too much.

This chart is really scary looking, but all you really need to know is that all of the virtual Wi-Fi interfaces are created at the kernel level through this piece of software called mac80211_hwsim.

And that’s normally used by developers when they’re making their own protocols to test out their own thing. So that was the intention of it. We’re not using it, well, I guess we are kind of using it, for testing, not so much development. So when you run the program it’ll use that kernel level to create a bunch of interfaces on your computer, and then it will use some other user space software to take those interfaces and decide whether they are going to be acting as a host or an access point.

Ben Bowman

One of the biggest takeaways is this tool is not skin level, right. This is the deepest of deep. We had to learn about kernel modules and machine level stack traces, all those scary terms.

We took a tool that pre-existed called Mininet-WiFi, and one of the issues we ran into is stability and ability to understand. Right. So we built this hat to go on top of an already decent tool and made our own improvements.

Right. It’s a scary topic, but the general idea is now you can give your computer hallucinations to see wireless access points that don’t exist. Your computer doesn’t know they don’t exist. It’s having a hallucination, and it’s kind of black magic.

Joseph Boyd

So yeah, that being said, if you do want to install from source, I highly recommend installing it on a virtual machine and not an operating system you care about, because it is very stable. We’ve worked out a lot of the kinks, but I wouldn’t trust it to install on a computer I care about because, when we were developing it, we did brick a virtual machine.

Ben Bowman

So whatever you do, don’t look at the GitHub commit history from like 20 minutes ago.

John Strand

Are you saying it’s. It’s very stable, but it could just brick your entire system?

Ben Bowman

Yeah, I was wondering about that. No, I would say it’s as stable as it can be. Right. When you’re working with black magic, it’s never going to be perfect. So if you find issues, please create an issue on GitHub so that we can work on it. Put your own patches forward. Love to see it. Help helps, right? This is a huge undertaking for two guys, so it would be awesome to have some extra support if you guys are willing. So, yeah, this is pretty much how the virtualization works.

And what it does is it introduces a whole bunch of stuff. But the idea is now we can practice all sorts of different attacks that exist in the wireless landscape without any overhead hardware. That goes all the way up, WPA2, 3.

The list goes on. Anything Wi-Fi does, this does. And it does very well. So, yeah, I’m excited to show it off. New version looks cooler than the last version. Pull it up. We want to show off the tool.

Enough talk. Let’s look at what it looks like. And it always breaks on the demo, so be ready, guys. Super secret password time. Thank you, guys. The Discord is supportive.

Joseph Boyd

That’s cool. It’s a black screen.

Ben Bowman

Hit control.

Joseph Boyd

Great start.

Ben Bowman

Here. I’ll stand by. There we go. There we go. Can you make it full screen so it’s easier to see?

Joseph Boyd

Yes.

Ben Bowman

Like, I don’t know how to explain it. Just, like, make it pretty.

Joseph Boyd

I’m not very good with VMware virtual machines.

Ben Bowman

This is why VMware is better. You guys think VMware is better by chance, or what? Are you Oracle or VMware? What’s the majority?

Joseph Boyd

Scroll down.

Ben Bowman

No. VMware. Yeah, I’m a VMware guy, but we constantly have back and forth about Oracle and VMware, and it’s okay to have a wrong opinion. That doesn’t upset me if you guys are wrong about this. VMware. Thank you guys.

Joe, you’re wrong. So this tool is kind of cool, right? So our first version was kind of janky. We put it together as fast as we could and it was an uphill battle for sure. But now in this new version, instead of hitting 1, 2, 3, enter for the menu selection, we use up and down arrows and enter keys.

So navigation is a lot easier in this newest version. And we have these pre-made labs. Right? This is pretty cool. You can pretty much try every different attack vector besides WPA3, which is coming, with patience.

But you can try every different tool and attack that you could probably think of. So there’s no limit, right? And we also have templating, so if you want to make your own labs. But more on that later. What do we want to start with for a lab, Joe?

Joseph Boyd

I guess I can show off the general workflow of how the tool works before we hop into it. So we’ve got a menu. Of course, you don’t have to interact with starting a Python file or compiling things; it should all be like this. You hit enter and then it runs some black magic.

And now you have a tmux session with clickable panes. And then every host has its name up here.

Ben Bowman

For the few of you that got to use this tool before version two, you understand that it used to use xterm. I don’t know how much you guys know about xterm. It sucks. It’s horrible, right? Changing the font size is like shift, left click, move your pointer. It’s horrible.

tmux is a new addition and it’s extremely useful to keep your workflow straight. So that’s why we added this, right? The first Wild West Hackin’ Fest was kind of like our guinea pig trial.

What works, what doesn’t. So version two should be a lot more accommodating.

Joseph Boyd

And then when you’re finished with your lab, the cool part, you just type main menu. There’s some more black magic.

Ben Bowman

It looks scary, and that’s because it is terrifying. Right? We don’t understand it fully, but that’s okay. So yeah, there’s different things we can do. Let’s do a run through. My understanding, and John, correct me if I’m wrong, is that we’re going to give out VMs after this for people to play with.

John Strand

Not yet, not yet. It still puked on my Kali VM. I’ll give you guys access to it. And how about everybody that showed up? We will send out a link to an environment where they can go through the instructions, install it, and we’ll make sure it works for them.

And you’ll get like 16 hours of lab time with this tool, but it will take a while to install. But you guys keep going and we’ll get that out to everybody so they can play with it virtually in the cloud.

Ben Bowman

Sounds good. Yeah. Like I said, one of the issues with the tool is stability. Right. Getting it installed is a huge pain. If you manage to get it installed, it works like a charm, it’ll never break. But getting it installed, dependency issues: the tool’s written in Python, other features are in different languages.

Right. It’s a bunch of shoulders of giants that we’re standing on to make this happen. So there’s going to be compatibility issues. We’re trying to dockerize it. So, yeah, let’s run through a demo. I’m excited.

Which one? We’re going to start with BetterCap. All right, this one’s all you. So if you guys have never used BetterCap before, Joe, what is BetterCap?

Joseph Boyd

So BetterCap is a tool we can use to identify networks for us to target in the area. It’s got kind of a cool little panel set up where you can collect information, and I think we can run an attack through it as well. If I remember correctly. I’ve got to pull my notes up so I get the commands.

Ben Bowman

Yeah. What’s cool about these labs is we wrote everything in an Obsidian file. Right. So we share this with you. I’m not sure how we’re going to share this with you, but we have this ready for you, the audience. All the labs have walkthroughs that come with them.

Right. So these are kind of confusing if it’s your first time going through them. Don’t worry, we covered that. Right. We have this file. Shows you how to do everything. Can’t be made easier. There’s still always issues that show up. Of course. Go ahead.

Joseph Boyd

Also, I’ve got to rep Obsidian. This is the best note taking app. If you don’t have it, you’ve got to get it.

Ben Bowman

I like to put all my notes in Sticky Notes, the Microsoft app. I did that all through high school and college.

Joseph Boyd

Yeah, we’ve got all the commands here. You can copy and paste them, and screenshots as well for all of this stuff. So we’re going to start by putting our interface into monitor mode, which will take it out of managed mode.

You want to explain monitor mode while I do this?

Ben Bowman

Yeah, yeah. You have a wireless interface, wlan0. Right. And it’s in a mode called managed mode. Basically it just works the way you’re used to wireless working. Right. So it authenticates to different APs, that kind of stuff.

And what we do is we put it into monitor mode. Right. That allows us to see the wireless landscape all around us. Start checking channels. If you don’t know, there are multiple things that go with a WPA network.

Right. There’s encryption type, there’s channel type, there’s the BSSID, which is like your MAC address pretty much. And then your SSID, which is like the name, like you always see the FBI surveillance van, that kind of stuff. That would be your SSID.

So all these different factors play into the wireless landscape, and there’s different types of encryption. In this specific case, I think we’re showing you WPA encryption, I think.

Joseph Boyd

So I think with this lab we’re going to just be collecting a hash.

Ben Bowman

Okay. So yeah, I think it’s a four-way handshake lab. But basically what we’re doing is we’re attacking it with this tool. So rather than teach you about Wi-Fi in this case, we’re showing you more about the capabilities of the tool.

Right? yeah.

Joseph Boyd

And if you actually run through all the labs on your own, you might find some of them repetitive. But we’ve done that to showcase, hey, you can run it with this tool and do this and then process this hash with this other tool, or you can use the Aircrack suite entirely to crack it.

Ben Bowman

It’s to show versatility. Right. We obviously want you to understand the wireless landscape, but to be a hacker you don’t always have to know what’s happening under the hood. You need to know how to use the tools and that is going to help facilitate this quite a bit.

Joseph Boyd

So yeah, if you look back over here now at our screen, I ran that airmon-ng start awlan0. So we’ve taken that awlan0 interface. And if we type ifconfig, or ip a in this case, to look at our interfaces, it’s been renamed to awlan0mon.

And this is a pretty standard naming scheme when you’re moving things into monitor mode. That means we can now use that to look at all the channels and networks in our area. My copy and paste works. We’re now going to launch BetterCap with this command, bettercap -iface, and then we’re specifying our interface in this case.

That’s the one we just put into monitor mode. And the apt packages didn’t go through, so I’m going to have to install that real quick.

Ben Bowman

Yeah. Now like I said, dependency issues. It’s something that we’re working on. We’re trying to switch from pip to Miniconda or Anaconda for stability reasons. Right. The further we go, the more refined it gets. So sometimes packages are there, sometimes they’re not.

It just depends. But BetterCap is a versatile tool. I saw somebody in the Discord chat say that they knew it could be used for other things but not Wi-Fi. And yeah, it can be used for Wi-Fi stuff. Personally I never use the tool, but it’s good to know that it exists and how it works.

I’m an Aircrack, Airgeddon kind of guy. Right. I like my point and click tools, but it’s a preferential thing for sure.

Joseph Boyd

I’m just relaunching it right now, and back into the command line, and I need to reset it. I’m going to put it back into monitor mode and hopefully it works this time.

There we go. So you can see my prompt has changed and has the name of the interface.

Ben Bowman

I just want you guys to know that these errors seem super unprofessional and annoying. Right. It should work the first time. But what I want you to understand is that when you’re actually doing wireless testing, it never works. Right. Like John said, when you bring the hardware, adapters don’t work with certain drivers.

Like, there was a guy going to do a wireless test at the company and the Alfa card driver just stopped working a couple of days before it happened. So this is actually pretty standard and realistic.

Joseph Boyd

So I’m going to run these commands over here. We’re going to set our display so our information shows up in a way that’s a little more legible, because we don’t just want stuff showing up on the line and building up.

Ben Bowman

You definitely gotta make it pretty. Right. What is it called? Prettify? Pretty? It’s in CyberChef or something. Is it beautify? Does anybody know CyberChef? You can beautify YAML and stuff. Beautify.

Thank you. Yes. Yeah, that’s what we’re trying to do here, we want to make it human readable, right? Unless you’re some sort of robot that can look at this stuff and just know, or write assembly from memory. If you can do that, you’re a monster, by the way.

Joseph Boyd

See, all this really does, the gist of it, is that it refreshes the screen every so often and runs these commands again so it brings back that information. Okay, we’re now going to set a handshakes file. So we’re going to be conducting a four-way handshake attack.

And we want to save the output of that data to a file on our system so we can reference it later.

Ben Bowman

Somebody’s got a good point. We could add an uglify feature and just make it as unreadable as possible. You guys have great ideas. Feel free to make a fork and try to push that to main. I’m sure that’ll go over well. Also, don’t look at the commit history.

Our first like 50 commits are just like meow.txt at the very start of this.

Joseph Boyd

Next we’re going to turn on our Wi-Fi recon module.

Ben Bowman

What does the recon module do, Joe?

Joseph Boyd

This will actually look for networks in the area. So I believe the way it works, and you can correct me if I’m wrong, is your router is beaconing out. So when you go to a new place and your phone shows you all the networks, it’s receiving a specific type of packet called a beacon.

And this is basically what it’s looking for. It’s using the same principles that your computer uses when it’s looking for networks to connect to.

Ben Bowman

Perfect. Yep. Probe requests, beacons, all sorts of stuff. It basically does recon, Wi-Fi recon. It’s in the name. Works.

Joseph Boyd

Module’s on, and it has this beautiful little table for us and shows us all the networks. So we have a handful; we have a WPA2 network.

Ben Bowman

And I want you guys to take note real quick. These networks, they don’t actually exist, right? These are virtualized. The computer thinks they’re real, the tools think they’re real. That’s because we’re giving it a kernel level hallucination with, what is it called, 802.11 MAC something?

Joseph Boyd

Rather, the mac80211_hwsim kernel module. I had to look at a lot of error logs for that thing.

Ben Bowman

Yeah, under-documented is the best way to describe it. But this is real to the computer, so your tooling, if it fails, it’s not because the tooling that we made is bad. It’s because there’s actually an error with it. So for an example, we did a WPS Pixie Dust attack, and we’ll demo that later, but it actually failed to crack the pin, which is a real world thing that happens.

I’ve done it before. You have to run it a few times. Sometimes you get it to crack. So it’s not just a very controlled environment. This is real world, just without the hardware and the legal liabilities. Continue.

Joseph Boyd

Yep. And there’s a whole bunch here on different channels. Shows you the encryption. And each one has its own BSSID, which is kind of a MAC address that identifies that access point. Now we’re going to set our channel.

So the one we want to attack, if I remember this lab correctly, is... yeah, the WPA2.

Ben Bowman

Yep. So if you guys don’t know, every wireless signal has a channel, and you don’t need to understand why, just understand that it does. Right. So 6, 11 and 1 are the most commonly used channels, except for in Japan; I think there’s like two other weird obscure ones.

But in America, this is pretty much the standard. And mostly worldwide. Basically you just have to set the channel so that you can attack it. Right. If you go to do a deauthentication attack with the wrong channel, it won’t actually deauth it.

If you guys don’t know what a deauthentication attack is, I’ll go over that in a minute.

Joseph Boyd

All right, we’re going to set our channel, and all of the stuff that’s not on channel six has disappeared.

Ben Bowman

Filters it out.

Joseph Boyd

We only see our WPA2 network.

Ben Bowman

Right. And so what’s next is, let me kind of roll back for a second and help make sense of this. Right. So WPA2 is a type of encryption in the wireless world. And it’s the one that I see the most. WEP is an older one that you don’t see very often anymore.

It’s insecure. Really bad. WPA2 is kind of the standard right now. WPA3 hasn’t really come out yet, but WPA2, what it’ll do and how this attack works is, if you’re connected to the router and you move to another room and there’s another router in there, the signal is stronger.

That router will send a deauth request to the other router and knock you off it to get a stronger connection. And that’s why the deauthentication protocol exists, right? So that it can keep you hooked to the nearest router without getting super far away, losing connection, and then transferring.

It’s for ease of use. But what you can do is send deauth packets to a host, and the host just says, oh, and disconnects. It just believes you, right? You forge packets. It works. The reason why is because when the host goes to reconnect, what do you guys think it sends over the airwaves for you to grab when it goes to reconnect?

I’m asking the Discord. That’s right. There is an encrypted password in that reconnection, right? And so we grab that password and we’ll go from there. So go ahead and run it.

Joseph Boyd

All right. I’m going to launch our attack. And now we should see a bunch of messages. And the handshake came through pretty quick.

Ben Bowman

We got two of them, two handshakes, right? So we kick a device off of that Wi-Fi network called WPA2 network. When they go to reconnect, we grab the passwords out of the air, right? When you’re doing this attack, something I like to warn you about is, you can either deauthenticate one device and get their one handshake, or if you’re like me in middle school, you deauth the whole school and knock everything offline and get about 500 handshakes.

Something to be aware of, right? Yeah, there’s a couple laugh emotes. Something to be aware of. Yeah. Don’t do that. I don’t recommend that, allegedly. But yeah. So now turn off recon, right? And this is, there’s a lot of people that think that’s funny.

I’ve got a thousand stories. But I want to keep my job. So event stream, we turn that off, too. All right, so what do we got?

Joseph Boyd

I suppose we can move on and show the hash cracking, right? Or just the file.

Ben Bowman

So this is part two of the lab, right? So now that we have the handshake, it’s not very useful to us until we decrypt it, or crack it, I guess, is a better term. So we’re going to use hashcat.

How many of you guys are familiar with hashcat? Let’s see, more Strand Aid stuff. Me? Yep. Hashcat is a very important tool to have in your arsenal. I can’t recommend it enough. If you don’t have it, you need it, that’s for sure.

I don’t know how you survive without it. Something to look into. But this password is encrypted. And so what we’re going to do now is, is this the decryption then?

Joseph Boyd

I think so. Oh, I hope it works because these instructions might not be up to date.

Ben Bowman

Okay. Do, where the handshake file is?

Joseph Boyd

Yeah, I think we can at least show off the handshake.

Ben Bowman

The handshake file. So, we’re going to show you guys the handshake file, right. And show you what the password looks like. So we’ll see. cd materials. There’s so many files, it’s hard to keep track. There’s a hash in there, so you then cat it.

Maybe you cat the hash.

Joseph Boyd

Oh, that’s not the right hash.

Ben Bowman

That’s not the right hash.

Joseph Boyd

I don’t remember the direction.

Ben Bowman

Aren’t these segmented so that, like, the next one assumes you already have the hash and it shows you how to crack it?

Joseph Boyd

Sure, I believe so.

Ben Bowman

Okay, can we do that?

Joseph Boyd

We’ve just been having trouble with the. The browser stuff showing up on Kali. Specifically.

Ben Bowman

Send it. If it works, it works. Yeah. So we just added Kali compatibility. Before this, we had Ubuntu, and there’s a whole bunch of little niche things that Kali does because it thinks it’s better than everybody else. But, it’s an uphill battle.

You got to do some browser configuration stuff to get it to work with Kali. I definitely recommend if you’re going to do this on your own, for ease of use, Ubuntu is the best way to go. Mininet WiFi was built to work on Ubuntu, so.

Joseph Boyd

Yeah, I don’t know if it saved the hash, to be honest with you, though. Oh, yeah, it’s not in here. Okay.

Ben Bowman

So typically it would save the hash.

Joseph Boyd

I think this is user error, though.

Ben Bowman

But it’s. It’s probably user error. Let’s see. Go back, standby. Guys, we’re going to get this Wi-Fi Forge recon on Channel 6.

Joseph Boyd

No, I think it’s this command may have. Not going to run properly.

Ben Bowman

Okay, we’ll try it again.

Joseph Boyd

Run through. You hit the copy button on this. It doesn’t copy it. You have to manually copy.

Ben Bowman

Okay, Run through it real quick. I’ll just talk more about the tool. So, yeah, this is. This is kind of why it’s. It’s nice and it’s not right in an extremely controlled environment. It’s just. It works. but this is real world and it gives you real world training.

So obviously there’s going to be issues. Looks like we got the handshakes, but we didn’t capture them properly. And that is something that happens. and definitely something to be aware of. But let’s see. Start making this circle.

Joseph Boyd

All right. Yeah, I gotta start from the rig. Resets the entire environment.

Ben Bowman

Yeah. So, what’s cool about this too is every time you restart, it tears down. So if something breaks, like you bust a Wi-Fi access point somehow, you just go to main menu, restart. Re-spins it all up new and fresh. You can try new attacks.

Right. Let’s see.

Joseph Boyd

Copy all this.

Ben Bowman

Yep.

Joseph Boyd

Make sure it saves.

Ben Bowman

Okay. It’s good. Yeah. So this is real world hacking, guys. Troubleshooting, getting it to work. Obsidian. Yeah, Obsidian fans. What about Quartz? Anybody ever use Quartz by chance?

Quartz? Well, if you guys don’t know Quartz is tried it. Yeah, people are trying it. Haven’t used Quartz. Quartz is really cool. You can import, your Obsidian, vault into a. Essentially a web browser.

Super handy. Obsidian, Notion for my notes. Avenues. Chords. Yeah, no, Wi-Fi Forge is hard to get to run. Right. On the version one, we had a pretty stable Docker that worked almost flawlessly.

Right. Few small issues. we just pushed out this version not too long ago, so we’re currently trying to get it dockerized. Until then, installing from source is going to have inherent issues. But it I would say at max, we’re looking at a week for a stabilized docker for this stabilize.

Ben Bowman

Right. Famous last words.

Joseph Boyd

All right. Did you get something else?

Ben Bowman

Well, we might have to switch out to. What, was the next one.

Joseph Boyd

I think we’re going to show off the Wi-Fi.

John Strand

We can just do another lab. We don’t have to fight to get this one working. I mean, they can see that it’s doing wireless stuff and we can just move to another lab.

Ben Bowman

Sounds good. We’re going to go to the next one then. Guys, we can’t get this one to work.

Joseph Boyd

well, it worked. The user just doesn’t know how to make it.

Ben Bowman

The user doesn’t know how to make it work, but, the tool itself works. one thing I like to say while I. While we have some downtime when we’re switching up labs, please. There’s a guy at the company named Nick Caswell. I love Nick, he’s a great guy.

But he has a GitHub project with more stars than Wi-Fi Forge and I told him that I would beat him if you. If 900 of you would go to the GitHub for Wi-Fi Forge on Black Hills InfoSec and star it.

You would make it so fun to pick on Nick.

John Strand

And what is Nick’s GitHub project?

Ben Bowman

I think it’s the DEF CON stuff, so you can like, lock down your domain controller, I believe.

John Strand

Yeah, why don’t we, why don’t we share Nick’s GitHub project too? Just so people know what project they shouldn’t star.

Ben Bowman

yeah, yeah, don’t start that one.

John Strand

We could share that one. So somebody in discord, could we get one of the Nerd Herders, find Nick’s project? Just, just so people avoid it, but let’s make sure we do that. All right, you guys ready?

Ben Bowman

I feel like, I feel like you might be dis. Might be being disingenuous with me here because I, like I said, I’m trying to beat Nick. I. That’d be okay if you didn’t want to share.

John Strand

And I’m all for beating Nick. I am absolutely for that. So let’s make sure we don’t mistakenly hit his project.

Joseph Boyd

Maybe some of them have started.

Ben Bowman

Well, we have a bone to pick. I heard that the popularity of this webcast was due to the emails working, but really the true answer is our content is just better. Right? We just do amazing content. You guys want to be with us, not the emails, right? That was my other bone to pick.

Right. Thank you, guys. That’s right. I like this audience. All right, so what was the next attack we’re going to?

Joseph Boyd

So I’m going to just jump into Wi-Fi Fisher. Wi-Fi for the sake of time.

Ben Bowman

What is Wi-Fi Fisher as a tool? JoJo.

Joseph Boyd

Wi-Fi Fisher lets you phish people. So what we’re going to do with this is we are going to use Wi-Fi Fisher to set up a fake Wi-Fi sign-in page. So we’re going to launch a browser and it’s going to take you.

If you go to that IP or that link that you’ve, fabricated, the user is going to think, oh, I can put my password in here, authenticate to the network. In reality, you’re just giving us their password.

Ben Bowman

Right. And we’re going to show you why this tool is so novel here in a second. Because it does something that other tools don’t do. Super excited to show you. I don’t know of any other tools that do this. Go ahead and demo it. So when you’re doing phishing, right. It’s all about deception in any.

In Any scenario, email, Wi-Fi, whatever. So you want to make it just realistic enough that they don’t notice. And one of the cool things that Wi-Fi Fisher does is, is it an evil twin ap?

Joseph Boyd

I think so.

Ben Bowman

It’s an evil twin access point, which, if you don’t know, is a one-to-one clone of an access point. I think the BSSID is different. Obviously you can’t have two of the same MAC addresses or it freaks out. But what it does is it has, ideally, a stronger signal strength than the actual AP.

And when you get near it, you’ll connect to the fake AP over the real one. Right. And then it does a captive portal thing where it pulls up a captive portal and says you need to authenticate. But the way it does it is cool. Instead of just having a pop-up, which if you’re like me, you get on free Wi-Fi and you’re like, wow, I’m not signing into this.

And you disconnect this one. Makes it look a little more realistic. And we’re going to get to show you that.

Joseph Boyd

I tested this. This is the one. I verified work and now it decided to, not.

Ben Bowman

Why don’t you close Wi-Fi Forge entirely and then relaunch it?

Joseph Boyd

Yeah, I wonder if the.

Ben Bowman

That’s my guess. But, it kind of does something novel, right? So it’s. It’s kind of a cool tool to know about. again, it’s not one that I love using, but it’s definitely important to know.

Joseph Boyd

I’m going to be really sad if this doesn’t work for the demo.

Ben Bowman

Yeah, because this is the coolest one. It’s not WPS, it’s Wi-Fi Fisher. Yep.

Joseph Boyd

Sir, begging you. Wow.

Ben Bowman

Invalid byte. Let me see the command.

Joseph Boyd

I’ve never seen this one before.

Ben Bowman

There’s your command. Up. E Corp. Wi-Fi Connect. KB. Check that command.

Joseph Boyd

Yeah, I ran it earlier. I’m not sure what.

Ben Bowman

Does ECORP Net actually exist?

Joseph Boyd

Yeah, it should. It’s initializing the code.

Ben Bowman

Okay, well, try it one more time.

Joseph Boyd

Something something, definition of insanity.

Jason Blanchard

Is this like the double slit, like test where once you actually look at it, it stops working?

Ben Bowman

Yeah, pretty much. It always does this. We go to conferences, we take this thing, like wild west. It works just fine. As soon as we put it up for demo, things start breaking.

Joseph Boyd

I kid you not. I just tested this before we went live.

Ben Bowman

Quantum demoing. Is that what this is? One second, let me. What is this the Joe. Which one?

Jason Blanchard

Is this the thing I’ve always liked about when demos don’t work is that when people are trying stuff at home and they’re like, but it works so easy in the demo. And so this is the other side of it where like it didn’t work that much in the demo. So I feel good about myself that it doesn’t work.

Right. So it’s all good.

Joseph Boyd

This is us inspiring you.

Ben Bowman

This is an inspirational moment for you guys. Let’s see if it works on this one.

Joseph Boyd

So funny.

Ben Bowman

If it works in your works on my machine, guys.

Joseph Boyd

Well, if this doesn’t work. I know. Well, I don’t know anymore.

Ben Bowman

We’re going to run it on my laptop real quick and see if we can get it to work. If it is, we’re going to swap laptops real quick and we’ll go from there there.

John Strand

So, so let’s all go to the lobby. Let’s all go lobby, let’s lobby. While they switch their HDMI cable to a completely different computer and try it on that one.

Joseph Boyd

Well, we gotta this.

Ben Bowman

There you go.

Jason Blanchard

So. So John, one of the pieces of advice I gave them before they started was don’t stop talking no matter what.

John Strand

Never, never. Because then you and I are going to come in and we’re two grown men who can’t get enough of each other.

Ben Bowman

Yeah, they’re doing great. Are we doing good guys? What do you think? What does the audience think?

John Strand

I feel been there. Yeah. Awkward is what they’re saying. Yeah.

Ben Bowman

Lots of love though. Yeah.

John Strand

And we will, we will be releasing a YouTube video that goes through step by step how to get it installed. so that is going to come out. It’s just the demo gods have just have struck lightning in this particular event juncture.

Ben Bowman

So yeah, I know I’m going to do this one, but you want to.

Jason Blanchard

The good thing is there’s some of you that haven’t been here since 2023. So welcome back. apparently the emails haven’t been getting to you for about two years. so we’re fixing it, John.

Ben Bowman

Yay.

Jason Blanchard

So also the content people wanted the content. I’m going back.

Ben Bowman

What we’ll do.

John Strand

I did, I did find that GitHub project, everybody and I just want you all to stay away from that GitHub project.

Ben Bowman

And don’t touch that GitHub project, guys.

John Strand

Stay away from that. Get up. Don’t go there.

Ben Bowman

You don’t want that. He’s got cooties.

John Strand

Yeah. Cooties. Yeah. You do not want to do anything with that project at all. So, so we about switched over, gentlemen.

Ben Bowman

So what we’re going to do instead is we’re going to do, we’re going to try another lab while I try this on mine and see if I can get it to work. So Joe’s going to run through the WEP key cracking lab, which I swear we ran before this and worked just fine, so.

John Strand

I know, I know, I know. Go ahead, Joe.

Joseph Boyd

So we’re going to try and break WEP key cracking. So like WPA2, WEP is I guess an earlier version of WPA2. So we’re going to go through this lab, we’re going to simulate traffic between two hosts and then we’re going to have, using the Aircrack suite tools, monitor that traffic and collect data and then use that packet capture to break the encryption and get ourselves an authentication key.

Ben Bowman

Right? And WEP, if you don’t know, is a super old encryption type for the first, like, wireless routers. I don’t know if there’s one that pre-exists, but everybody’s doing slot machines like, like the. Are we gonna get lucky?

Maybe. I appreciate the confidence though, guys.

Joseph Boyd

Right, so this one has three panels. It’s the most panels you’ve ever seen any of these labs because we have two directly interact between our victims to simulate the traffic. But we’ll start with the attacker. We’re going to do the same thing we did with the previous lab and start up.

Ben Bowman

One thing about this tool is at the top of the tmux panes, it has A for attacker and then host, or like it labels them for you and then pre-provisions them so it’s easier to look at, easier to deal with. So that’s just.

Yeah, A is always attacker in the labs we made. But.

Joseph Boyd

We got our interface started and we’re going to use airodump.

Ben Bowman

We’re going to put it in monitor mode. Just like last time with the four way handshake. We’re going to put it in monitor mode. We can’t do anything unless the card is in monitor mode. Right.

Joseph Boyd

And this is going to behave. This command here that I’m about to run is similar to the BetterCap tool we ran earlier.

John Strand

Right.

Joseph Boyd

It’s going to be looking for those networks.

Ben Bowman

Right. And you can see at the top left the channel is constantly changing. It’s scanning through different channels and looking for different APs and stuff like that. So you can see right there we got WEP Network. Environmental storytelling.

Do you guys think that might be the network that we’re going to Attack.

Joseph Boyd

Not a lot of options.

John Strand

I hope.

Ben Bowman

So it’s working so far. Right? Which is making me giddy. I’m feeling yay.

Joseph Boyd

We haven’t done the attack yet.

Ben Bowman

We haven’t done the attack yet. So as long as we can sniff.

John Strand

Wireless packets, we’re good to go.

Joseph Boyd

And we got this command. So this is airodump again. We’re actually going to be running the attack and collecting network traffic with this one. So we’re going to be outputting to this attack capture, and it will automatically create a bunch of files associated with that name.

Ben Bowman

Right, and the goal of this is to do what, Joe?

Joseph Boyd

We, want to collect a bunch of traffic, which will give us little artifacts which we can then use to crack and decipher what the authentication key is throughout that traffic. So we’re going to get a lot of traffic, though, to collect a lot of data to detect those patterns, to eventually break that password.

Ben Bowman

All right, let’s see.

Joseph Boyd

So dash c, we want to put our channel.

Ben Bowman

And the channel is 6. Like I said, 6, 11. And one of the. The ones that you always see, Japan, the outlier. No idea why they did that. I think it has to do with airplanes. Not positive, though.

Joseph Boyd

And then we want to put our BSSID, which is going to identify the specific network we want to collect this traffic on. And then, fingers crossed, it works. So it’s sending. It’s collecting beacons right now.

Ben Bowman

What are beacons, Joe? I don’t know what beacons are.

Joseph Boyd

Well, they’re the stuff that broadcasts out of your routers and access points to say, hey, we’re here. You can connect to us.

Ben Bowman

Yep. So what do we do next?

Joseph Boyd

Now we have to simulate traffic between our two hosts.

Ben Bowman

And how do we do that?

Joseph Boyd

I’m going to use a tool called iPerf.

Ben Bowman

Okay.

Joseph Boyd

We’re going to have one set up to listen, and we’re going to have another one. Just send garbage.

Ben Bowman

All right, let’s do it. So we’re going to send garbage. Yay.

John Strand

Garbage.

Ben Bowman

Yeah, garbage. Make sure it’s right.

Joseph Boyd

So now this one’s listening.

Ben Bowman

And are we the host, or attacker? Right there.

Joseph Boyd

Oh, yeah. Make sure you click on Host 2 and do this here. It doesn’t really matter which host you do it on. One just needs to talk to the other. You want to go up?

John Strand

So basically, what’s happening under the hood with WEP is. The big problem with WEP isn’t necessarily the fact that it’s using DES. It’s the problem. Well, it’s a stream cipher. It’s using DES. And one of the problems with using DES with the stream cipher is if you look at packet lengths, for example, a Microsoft Windows DHCP request is always the exact same size.

So you can take that packet that’s a DHCP packet, and you can XOR it with another packet that’s encrypted using wired equivalency protocol, and then it’ll basically decrypt to the point where you can actually get the pseudo-random generated key.

And what that allows you then to do is crack easily any of the packets that have that specific initialization vector value. So the more packets you capture, the more initialization vector values you intercept, and the more packets you can crack.

Nerd alert. Okay, thank you. So what we got? What do we got?

Ben Bowman

Geez, geez.

John Strand

I haven’t seen that on our webcast yet.

Ben Bowman

Like, sorry, Don sounds like he’s taught before. They’re saying that in the chat too.

John Strand

Oh, he sounds like he’s taught that before. Yeah, absolutely.

Ben Bowman

John M. Are you familiar with public relations and how to talk to people?

John Strand

I do. I am familiar with public relations.

Ben Bowman

You are?

Joseph Boyd

Okay.

Ben Bowman

All right, so what are we doing next, Joe?

Joseph Boyd

I’m gonna hit enter on this command, and we’re gonna watch the frames numbers skyrocket.

Ben Bowman

The frames numbers are gonna skyrocket.

John Strand

Skyrocket frames more frames more to the moon.

Joseph Boyd

And I’m gonna wait till we have about 20, 25,000, which seems to be a good spot for this to work pretty quick, right?

John Strand

The more we have harvesting initialization vector values. by the way, just for the record, like, yeah, we’ve had some hiccups today. We’re literally emulating entire wireless traffic profiles right now, like, completely.

And that’s like, come on. That’s cool, right?

Ben Bowman

I also. I also can’t stress this enough. It works perfectly on Ubuntu. The reason why this is so unstable is because it’s Kali. It’s not built on.

John Strand

So in hindsight, shouldn’t have picked for this webcast. right, we get that now.

Ben Bowman

It’s too late, but it seems to be working.

John Strand

There we go.

Ben Bowman

All right, we got. What are we doing now, Joe?

Joseph Boyd

Now we need to. So I ran the attack there. We got a whole bunch of packet data, and this is the file that contains all of that traffic, all 25,000 packets. So we’re going to run another command to actually process that, and we’re going to use aircrack-ng, which is another tool in there.

Ben Bowman

And if you don’t know this tool. It’s really finicky in real life. Right. I have an old professor, Kyle Cronin, who said he talked to the creator, a French gentleman. I don’t know his name, but he said, hey, what are you going to do about these issues where it sometimes doesn’t recognize a card?

And he said, unplug it and plug it back in. So. Right. This tool is unstable in the real world and doesn’t always work. So especially with this, it’s kind of finicky because it’s just a finicky tool. You’re doing things you’re not supposed to do with hardware that wasn’t meant to do that.

Joseph Boyd

So. Speaking of finicky, it does like to mess up my prompt here, so we’ll see how it does it this time.

Ben Bowman

Go for it.

Joseph Boyd

It’s in there.

Ben Bowman

It’s in there.

Joseph Boyd

There it is. Key found.

Ben Bowman

Key found.

Jason Blanchard

Yay.

Ben Bowman

Nice. A demo worked. Can we get a round of applause?

John Strand

Yes. Finally. Yeah, that’s cool.

Ben Bowman

Yay.

Joseph Boyd

I’m sweating here. This is terrible.

John Strand

We got the black hat hacker stuff going.

Ben Bowman

Yep. So, yeah, it’s, Look at all the applause. I never use them. This is cool. We got all the bubbles on the side because you.

John Strand

You had positive vibes. You had a lot of people like, she has positive vibes.

Ben Bowman

Joe and I. Joe and I just have nothing but positivity in our heart.

John Strand

Yeah, sure.

Ben Bowman

I’m not a pessimist. Trust me, guys. Yeah. All right, so what’s our next lab that we’ve got? If, you want to try to run it, I can yap some more.

John Strand

Do you want to talk a little bit about what the future is? the Docker container is huge. Right. We just haven’t had time to get it completely dockerized yet. But you were going to talk while Joe’s getting it ready for the next lab. Do you want to talk a little bit about future plans with this?

Ben Bowman

I really do. So, the future plans are obviously dockerization. Right. It’s going to be massive. I think last time we dockerized it was five gigabytes. It’s huge. but.

John Strand

And that was the one we ran at Wild West Hackin’ Fest. And literally all of our labs at Denver and at Deadwood were running this, like, completely virtual on really crappy notebook computers, by the way.

Ben Bowman

So, yeah, they just. They’re. They’re not intensive on any sort of memory or CPU. They just take a ton of storage because of all the dependencies. Once we get it dockerized, I can’t imagine it’ll be more than a week. It should be stable, but the Docker container is the first and foremost.

Right. And then we’re looking at version 2.5, which I’m going to skip over and talk about three real quick. Version three we’re going to add WPA3, we’re going to add new attacks like Dragonblood and all those things that you’ve probably never seen because WPA3 is widespread yet.

Right. So something, something to, to watch out for. But version 2.5 I’m excited for. And the reason is if you’re going to do an engagement, right, and the client doesn’t know exactly what their wireless landscape looks like and you want to know more what they look like.

What, what we’re building is a tool you send to them. They run it on a Linux laptop. And what it does is it looks at all the surrounding wireless networks, their channels, BSSID, strengths, even you can customize the strengths.

Takes a snapshot and then in a YAML file what it does is it has all the APs that are authorized to attack and it makes a distinction between WPA, WEP, WPS. It does attacks and pulls the information and then it stores it with the AP, right?

So basically you’ve got their password and then what it does is it spits out a file, you feed that file into Wi-Fi Forge, it auto-populates and boom. You have a one-to-one copy of their wireless interface.

And that allows you to practice attacking before you go. That’s the idea and that’s the hope. It’s. I worked on it a ton last night, almost got it. So I expect another two weeks probably.

John Strand

Just let’s give them four, guys. What do you say? Four weeks for that? I think it’s.

Ben Bowman

You guys think I always double it.

John Strand

Like anytime I’m talking to anybody that’s dubbing anything, it’s always like it’s going to be a week. I’ll give you two. yeah, go.

Ben Bowman

what? Give me a year maybe.

John Strand

All right, so we got 10 minutes. Good enough for one more if we.

Ben Bowman

Sure we can get it working. Hold up everybody.

Joseph Boyd

Okay, so it does work in his machine.

Ben Bowman

So we’re gonna swap over real quick to my machine because Joe, he has works on my machine, guys.

John Strand

Let’s remember that as we move forward. So go ahead guys, take it away.

Ben Bowman

All right, I think you pull out the hdmi. Swap it out right here.

Joseph Boyd

Is this gonna kill everything?

Ben Bowman

I don’t know.

John Strand

That’s, that’s cool. We’ll take care of it on the back end. Just unplug, and plug it back in. So there you go. Oh, God, not that wire.

Ben Bowman

Joe’s fired. Guys, it’s over for me. I think it’s on the back. Yeah.

Joseph Boyd

Why is yours weird?

Ben Bowman

Why is mine weird? Ask Owen.

Joseph Boyd

He gave me the laptop controlling functions. Wrong. And it’s on the back.

Ben Bowman

You’re on the back.

Joseph Boyd

Huh?

John Strand

I don’t even know what that means.

Ben Bowman

That’s supposed to. All right, Joe, take it away.

Joseph Boyd

All right, so I don’t have these.

John Strand

Let’s get the screen share going. Ryan.

Joseph Boyd

Here, this and open.

John Strand

There we go.

Ben Bowman

Here we are. We good?

John Strand

Yeah, we good? Got it.

Ben Bowman

Let’s pull up our instructions. Also. Thank you guys for the stars. On GitHub. I’m. I’m not there yet, but this definitely helps. I’ll be able to rub it in his face soon enough.

Joseph Boyd

So I’m going to kill this and go back to the command I ran earlier, just so we can start from the beginning. So there’s that Wi-Fi Fisher command that didn’t work earlier.

Ben Bowman

Okay.

Joseph Boyd

And we’re specifying a fake network called CorpNet and we’re using the Wi-Fi connect profile. I forget exactly what KB does, but it was something important.

Ben Bowman

Yep. We make tools, we don’t understand them.

John Strand

When you guys had to read. Because while we’re waiting on that, when they were modifying, Mininet, the lead developer of Mininet was not interested in, updating. Like, what was the version like? It had a virtual machine that you could get and you had to run that to get it to work.

Joseph Boyd

Some Linux.

Ben Bowman

So yeah, it was an Ubuntu version. So we’re not the only ones that fight with stability on this. Right. The main creator works for a university, I think in Portugal, and maybe super bright dude and he’s super smart, but he has determined that the issues of dependencies aren’t worth fighting.

We tried to push a new, more stable version to him and he was like, no, I don’t think so. It’s because of stability issues.

Joseph Boyd

Yeah, this, this kernel module, I don’t think they ever intended it to be used in this way specifically.

John Strand

Never.

Joseph Boyd

There’s a lot of spaghetti things being put together that really doesn’t want to work together.

Ben Bowman

We’re making it work in a completely backwards way. It’s not supposed to do this, but we can get it to do this all, right. What are we doing now, Joe?

Joseph Boyd

So I got, we got our console up here and you can read if you can see that it’s sending 60 known beacons. So it’s emulating those beacons, saying, hey, there’s a, there’s a router here.

Ben Bowman

Hey, I’m a router. Connect to me, Connect.

Joseph Boyd

And we got fun names like free Wi-Fi, totally legit, hotel Wi-Fi.

Ben Bowman

Okay.

Joseph Boyd

And if we go down here to our host one, which would be an unassuming person walking nearby us as we run this tool, and we scan for local networks using iwlist, it’ll show us a bunch of networks nearby.

Ben Bowman

Okay.

Joseph Boyd

That are probably not legitimate.

Ben Bowman

All right.

Joseph Boyd

And we’re going to go ahead and connect to one of these, which you should never do in real life.

Ben Bowman

Don’t connect to a rogue access point, but we’re going to simulate like we’re an unsuspecting person, and connect to it and see what happens. So, yeah, Wi-Fi Fisher is a cool one. I actually didn’t know about it until we built these labs. Super neat.

And its support for like, OS stuff is interesting. So what it does is if you visit from a Windows user agent in the captive portal, it does a little pop-up that looks like a Windows pop-up. Right. So it’s super convincing. But, but it’s got wide-range support for like, versions of OSes.

I’ve never heard of operating systems that I didn’t know existed. CentOS. Who uses CentOS? Right. All right, go for it.

Joseph Boyd

So we’re launching a Firefox session from our virtual terminal here. And it doesn’t particularly matter what profile we create, we just need to have one.

Ben Bowman

And this is only for Kali. Ubuntu doesn’t do this because Kali’s lovely. And, we figured this out this morning, right before this.

Joseph Boyd

fingers crossed we get a browser somewhere.

Ben Bowman

Please give it time. Firefox is super efficient on Kali, so there it goes.

Joseph Boyd

Beautiful.

Ben Bowman

Yeah.

John Strand

Would be a lot cooler if you popped Calc, but whatever would be cool.

Ben Bowman

If we got remote code execution from this.

Joseph Boyd

In a real scenario, there would probably be some sort of auto redirect or some other things you have set up to make that look more legitimate. But we’re just going to type the IP address of our attacker in here.

Ben Bowman

Yeah. In the real world, it’d say log into captive portal before using network. Right. You click that, it would take you to this, web page immediately. In this case, we’re just going to type it in because Kali’s. Kali, can you guys tell. I like Kali.

All right, look at this. So what user agent are we specifying on this one, Joe?

Joseph Boyd

this is, I think, just the default. So this is what you would see if you were on a phone or Linux.

Ben Bowman

Right. So this looks suspiciously Apple. Right. So any say, like your grandma and grandpa, they go to, to log into this, they’re not going to know the difference. so it’s Apple based and that’s because the default user agent is Apple. If you visit from other user agents, which can we demo that?

Joseph Boyd

I don’t have the.

John Strand

Let’s do this one first.

Ben Bowman

Okay. So basically, it does Windows, it does Android, it does iPhone, it does Apple.

Joseph Boyd

Apple.

Ben Bowman

And when we log in.

Joseph Boyd

And also the attacker knows when you connect.

Ben Bowman

Yep. It shows connection attempts. So if you’re getting traffic or not. Log in, join, and then you want to save that to browser. Yep. There we go. Hey, look at that. We got it to work.

It works on my machine. There you go, guys. So that’s how we do a Wi-Fi Fisher attack with an evil, rogue access point. I think we’re probably running up on time because I heard 10 minutes about 20 minutes ago.

John Strand

I think we can open it up for some questions.

Ben Bowman

For the last time.

John Strand

That’s okay. Type in the questions in Discord, folks. This is how to make your laptop a Wi-Fi Pineapple. Yeah. And you don’t even have to have any wireless. So.

Jason Blanchard

Real quick comment, if you haven’t checked in yet for Hackett, please do so in Discord. So, it’s live and we do it manually. It’s not automated. It’s a thing that Deb and I do during the entire webcast.

Joseph Boyd

Well done, y’all. You guys did great.

John Strand

So the question, I got one question. How do you protect against Wi-Fi Forge? Remember, what we’re showing here isn’t necessarily an attack tool. We’re showing a virtualized environment that allows you to practice the wireless attack tools and learn the wireless attack tactics.

John Strand

So that's really what's going on. So you'll be able to get this, you'll run this, and then you'll learn how to do the attacks that these guys just did.

Ben Bowman

Right. And, like John said, just to kind of double down: this is a training tool. This is a tool to learn tools to attack Wi-Fi without actually having to be near Wi-Fi. You can import profiles from other companies. So, if you want to take a snapshot of your wireless landscape, import it, poke at it.

That’s something you can do.

John Strand

And I can't stress this enough. Like, when I was learning wireless hacking, it's really sketch to be on an airplane just pulling out a whole bunch of USB Wi-Fi adapters and having things scrolling across your screen.

It doesn’t go well. Doesn’t go well.

Ben Bowman

So somebody asked what the snapshot tool for your network testing that's coming out is. It'll be out in, John said, four weeks. It's not a super big project, but essentially it's a tool. Six now, maybe even eight if you guys are lucky.

What it does is it takes a snapshot of your wireless landscape, so like your SSIDs, BSSIDs, and then there's a geofencing file where you drop the APs that you have access to attack, their SSIDs, so their names. When you run it, it snapshots the wireless landscape, channels, encryption types, and it gets the hashes, the WPS PINs, the WEP passwords, and it stores them.

You import it into Wi-Fi Forge, run it, boom, you have a one-to-one copy that you can practice attacking before actually going on location and poking at it. This gives you a chance to look for low-hanging fruit. Like, here's an IoT device that's connected to the corporate Wi-Fi and has its own AP that's, like, WEP.

So you can pivot through that kind of stuff. Right.

John Strand

So one of the questions I wanted to ask is: we went through, like, three labs and we circled back and got one to work, which is cool. Now my question is, what tools and labs does it have now that we've got built into it?

Ben Bowman

We got two out of three labs.

John Strand

No, no, what's the total? Yeah, we got two out of three, but what's the total number of labs that they can work and play with?

Ben Bowman

I think there's 10. So what we did is, when we made this tool, we wanted to take the workload off of the people that are setting up for Wild West Hackin' Fest, right? So we just made one-to-one copies of all of those. And so they're all virtualized.

I believe it’s 10. There’s your count right there.

John Strand

What are the... if we can share out the screen real quick, I think they have those right there. So can you walk through this, because it's kind of hard to see? Can you just name them off real quick?

Ben Bowman

Wi-Fi Forge.

Joseph Boyd

So we've got Bettercap Wi-Fi, which is one of the ones we demoed. We have packet capture to hccapx Hashcat cracking, where we're using an online version of Hashcat to upload the hash from a previous lab.

And it shows you how to use that tool and crack it. WPS Pixie Dust attack: that's a type of authentication that lets you log on faster with a button. And we just use a tool called wifite, and it just runs an attack on it and shows you what the PIN is. Airgeddon DoS, which is a type of denial-of-service attack with Airgeddon. Cracking WPA with Aircrack.

Is that what we did?

Ben Bowman

That's the one that we almost got. So there's Aircrack; we use the Aircrack suite a lot. Wifiphisher. We do an NTLM attack and John to get, like, an NTLM hash. What tools for that one, you remember? It's eaphammer. I think we demo eaphammer, and then John and Bettercap.

So there's a wide array of tools, and like I said, if you want to try a new tool, you can just install a tool and use it. You don't have to integrate it in any way; you do sudo apt install tool, run it. It should see the wireless access points without any sort of code changes or integration.

So if you're demoing a tool and you're researching, this is a good way to do research and tool building as well.

Joseph Boyd

And we have Wifiphisher, Evil Twin. Those are pretty similar. And then the NTLM one you mentioned, Aircrack suite, Recon, Web Attack and Bettercap.

Ben Bowman

Right. Let’s see.

Joseph Boyd

There's some repetition there because we've segmented the labs, but there's about 10, nine to 10 unique scenarios in total.

John Strand

But you would be doing a lot of those same steps, because a lot of those tools need other things too. I mean, you'd be redoing a lot of the same steps anyway. So.

Ben Bowman

Right. One of the things that we originally did is lump all these labs together as one attack chain. But we ended up segmenting it out because we wanted to show you the difference between getting a four-way handshake for WPA2 and then, in a different lab, how to crack the handshake.

Right. So if you want, that's a good idea; if you already know it, skip it. "Hey, I know how to do a four-way handshake. I just want to learn how to use John." Just go straight to the John lab. The hash is there. You can crack it from there.

John Strand

Cool.

Ben Bowman

So we’re getting a lot of questions about.

Jason Blanchard

Oh, we're getting a lot of questions about the VM, and when it's going to be sent to people, and where these labs come from.

Ben Bowman

Where these labs come from.

John Strand

We showed them the Wi-Fi Forge GitHub. So you just do a search on GitHub: Wi-Fi Forge. It should take you right there.

Ben Bowman

Right, right. And you have to start to use it, right, guys?

John Strand

No, no, no, no. And then we'll get it... so it's installed and it runs on the... we'll give you the instructions. So it installs and runs in the virtual environment. Hopefully, we'll get that out to everybody that registered for the webcast.

So they get instructions and we'll get them rolling with it. So.

Ben Bowman

Thank you, guys.

Joseph Boyd

You’re liking your tattoo, Ben?

John Strand

Hey, now they like the tattoo.

Jason Blanchard

All right, so, at the end of our webcast, we always ask Ben, if you could sum up everything you just talked about in one final thought, what would it be?

Ben Bowman

Oh, man. One takeaway.

Joseph Boyd

Star our repo. Star.

Ben Bowman

Repo.

John Strand

No, no.

Ben Bowman

Whenever you're doing this kind of work for research, it's almost always going to be a bigger undertaking to make a stable environment to research in rather than actually attacking. So research tools, I think, are the future for the wireless landscape, which kind of leads me to my last thing, which is: watch out for LTE Forge.

Ben Bowman

Right. There’s nothing out there for cellular right now. And I would love to do.

John Strand

Not yet, man.

Ben Bowman

Too soon. Too soon.

Jason Blanchard

All right, Joe, what are your final thoughts for today?

Joseph Boyd

I had a lot of fun making this tool, and I'm very glad that we made the decision to make it open source, because there's not a whole lot of resources out there to really learn hacking easily. And I'm happy that we're able to make another resource that people can get hands-on experience with, even if it is kind of hard to set up.

Jason Blanchard

All right, John, what are your final thoughts today?

John Strand

Final thoughts? Just keep your eyes open and be watching this project, and hopefully we can get you guys something that you can be running in the cloud. Because what we want to do is get this working in the cloud and in the VMs, and there's going to be a wireless hacking workshop or class coming up here shortly where these guys will be teaching how these attacks work, what's going on under the hood, and this will be the lab environment, because we aren't hoarding the labs and being like, "All right, my labs are my intellectual property."

It's going to be like, we share. We share. Hands out to give always, everybody. Thank you so much for attending, everyone. And we'll see you in the next webcast. Thanks again, gents. And look at that. Love and cookies.

Jason Blanchard

Thank you all so much for being here.

Joseph Boyd

Thank you, guys.

Jason Blanchard

See you on Discord. Don’t forget, Discord is for forever. It’s forever. An hour.

Ben Bowman

All right, thanks, guys.

Joseph Boyd

Ryan.

Jason Blanchard

All right, Ryan, go ahead.

Ben Bowman

Go ahead, Ryan. The one thing you do.
