Track & Connect to Smartphones with a Beacon Swarm [Tutorial]

Reddit Comments

A tool to disable wifi when it disconnects from the home wifi would prevent this. Or just manually disable it from the notification area.

2 points, u/crippledCMT, Oct 05 2020
Captions
Most smartphone users aren't aware of the fact that their device is constantly sending out information that can be used to track or identify them. Today we'll use a NodeMCU programmed with Arduino to send out hundreds of fake Wi-Fi beacons in order to decloak, and even potentially take over, the Wi-Fi data connection of nearby devices, on this episode of Cyber Weapons Lab.

Any device that connects to Wi-Fi has a MAC address, and this unique address can be used to track you, which is why most manufacturers of smartphones have switched and made it so that these phones use a randomized MAC address. Now, MAC address randomization is a good idea: in general it prevents retailers like Walmart, for example, from knowing when you come in and make the same purchase, because it will change over time. However, this doesn't mean that you're perfectly safe, because there are a number of attacks against this process, which we'll go into and explain. The first is the Karma attack, which basically creates an echo of the different probe requests your phone is sending out. The second is some excellent research into setting up fake APs by Mathy Vanhoef, and the third is the ESP8266 Beacon Spammer by Spacehuhn, which creates a whole bunch of fake networks that we can use to basically brute-force a list of networks that a particular device trusts. To explain this, I'll show it on the whiteboard.

Now, the first attack we'll go over is an old classic called the Karma attack, which relies on phones basically supplying the information you need to create a man-in-the-middle condition. The way this works is you have a client device, maybe a cell phone, which is asking if a certain network is nearby, let's say Starbucks. So based on the fact that it's calling for Starbucks, an attacker has all the information they need to pop up an open wireless network and say "hey, I'm Starbucks, why don't you connect to me?" So this is a pretty real threat, especially if you have an open network; if this is something where you're using a password it's a little different, and this particular attack would not work. Now, most manufacturers actually phased this out because it presented a risk. However, it's still fairly easy to defeat MAC address randomization, even though this attack of kind of utilizing a probe frame that gives you all the information you need doesn't really work anymore.

Instead, I read this paper by Mathy Vanhoef, who goes into the various ways you can defeat MAC address randomization, and in particular I was interested in the part that goes over creating fake APs. In the paper, Mathy goes over a technique where he uses, I think, airbase-ng to create five different fake networks that were popular SSIDs (service set identifiers). The way this looks is you have the attacker creating five different networks and hoping that nearby devices happen to respond to one, or maybe two. This is pretty cool because it shows that a relatively small amount of common SSIDs being advertised as networks can basically uncloak a whole bunch of different devices nearby which normally would have randomized MAC addresses and not be as easy to kind of follow. But I thought that this attack could be improved upon in order to increase the number of SSIDs that you're advertising, kind of brute-forcing this list instead of just looking for one. In order to accomplish that, we need to create a swarm of beacons that basically pretends to have a whole bunch of common open networks from a given area. This list within a phone of trusted open networks is basically a goldmine for hackers, because it allows you to not only take control of the person's Wi-Fi connection whenever you want, but also unmask them whenever you want, so that you can see if they're in the area or connected to a particular network.

To accomplish this, I took a look at Spacehuhn's excellent Beacon Spammer program, which takes the NodeMCU and allows you to run, with Arduino, a sketch that will basically send out a whole bunch of beacons that pretend to be networks, in order to kind of trick people into thinking a bunch of joke networks are in the area. Now, this didn't originally work for this purpose, because when the Beacon Spammer sent out a bunch of beacons they were all padded to 32 characters long, which basically wouldn't match up inside any nearby devices, because the list inside of it would take a look at that string of characters and know that 32 characters wasn't equal to the length of the network name that it was used to; so even if the first part matched, it still wouldn't work. So I reached out to Spacehuhn and he modified the program so that instead it uses just the actual length of the SSID, so nearby devices are like "oh wow, there's all these open networks I'm used to," and they'll respond with multiple attempts to connect. This is pretty exciting, because for a particular device you can get a list of four, sometimes even five, different SSIDs that they respond to. This is basically brute-forcing the list of trusted networks that are inside the phone, allowing you to kind of pick and choose which one you want to use to take over the device, if that's your goal.

To pull off this sort of attack we'll need a NodeMCU, so that we can program it in Arduino, which requires the Arduino IDE as well. We'll also need to monitor our progress to make sure it's working, so I recommend Wireshark in order to follow this guide. Once you have all those things together, you can begin.

Before we get started, I also want to point out that this research is based on a paper by Mathy Vanhoef, and you can go to his website here if you want to check out his paper. The paper is called "Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms". In this paper, Mathy goes over the way that he's able to use a fake access point in order to decloak different networks, and we're going to go ahead and use Spacehuhn's excellent project, which you can find at his website, spacehuhn.de, and then under Projects. He's worked on a lot of really awesome stuff, and you should definitely check this out if you're interested; he also has a Patreon if you think this project is cool and want to support some more cool stuff. But we're going to go ahead and go to the ESP8266 Beacon Spammer's aptly named GitHub page. Here you can see that the installation is pretty straightforward, and this project is designed to create a whole bunch of fake networks that look something like this. If you were to tap on one of these, the actual attempt to join it has a really long space at the end and a quotation mark, and this is because the original program was designed to make everything 32 characters. So this was more of kind of a prank device, which is really cool and shows people how they can quickly configure something in Arduino to have an effect over Wi-Fi, but we can take this a step further. Fortunately, Spacehuhn modified it, so we can go ahead and download it and, with a little bit of modification, create a local beacon swarmer that can unmask nearby devices and determine what their trusted networks are.

So to get started, we'll need to have the ESP8266 development board, we'll need to install the Arduino IDE, and then we'll need to install the ESP8266 Arduino core in order to be able to interface with this board. We covered all that in our last video, so I'm going to go ahead and open the Arduino IDE and show you what everything should look like. While this opens, it's worth pointing out that you should plug in your NodeMCU at this point, and if you're having some issues communicating with it, we found that different cables have different qualities in terms of being able to either power it or allow you to communicate with it, so keep that in mind if you're having issues. Here's the actual script we'll be using; let me expand this and show you what the settings under Tools should look like. The board selected should be the NodeMCU, and if you don't see this, it's because you haven't first installed the required libraries. So go to File and Preferences, and under this setting you should see Additional Board Manager URLs, and this is where you should put this JSON address right here. Once that is provided, you should be able to go to the Board Manager here and search to install the ESP8266 community version here. Once this is installed, you'll be able to interface with the board and do all kinds of cool stuff, so go ahead and install it. In my case I'm just going to update it, and this will include all the libraries you need to be able to write to your board. I'm going to go ahead and cancel this because we're doing a demo, but since this is already installed I can close it. Once you have the Arduino IDE installed and you have the NodeMCU library, or the ESP8266 library, ready to go with the NodeMCU selected, you can see that it auto-selected the port for the NodeMCU when I plugged it in. So make sure that yours looks something like this and that the other settings more or less match, and you should be good to begin pushing a program to the NodeMCU.

Now we'll go back to the GitHub page, and we can see that the next step is to download this project. You can also go ahead and look at the most updated version by going to the top, clicking on esp8266, and then clicking on this sketch here. If you want to just take this and copy it and paste it in, you'll need to click on Raw so that we don't get these line numbers, and then Ctrl+A to get all the text. From there we can go into the sketch and paste it, and there you go, we should have a complete sketch ready for us to push to the node. If we expand it, we can see all the examples that Spacehuhn put in here for us: "Drop It Like It's Hotspot", "It Hurts When IP", oh, these are great. So we want these to actually reflect the local area. What we're going to do is take advantage of one of our previous videos, which covered Wigle Wifi. If we go to wigle.net, we can actually go ahead and download individual captures that we've taken, which allows us to use our phone to gather a bunch of open networks in the area and then download a list, a CSV export, that just has a whole bunch of SSIDs that are basically open networks nearby.

So what I've done, just as an example (and you can gather as many or as few as you want), is taken a list of these and overcome a couple of problems, namely the fact that you'll probably see a whole bunch of networks with the same name. If you want to sort these, you can go ahead and use this example I've created, nets.txt, where I put a couple of examples of the kinds of networks that you might see from, let's say, a wardriving dump, where you have network 1, 2, 3, 4, and these names might overlap a little bit. We don't want them to overlap, so we can press Ctrl+X here to save, and if you want to sort this list we can use the command: sort, then the name of the text file, pipe, uniq -c, pipe, sort -r. What this will do is sort it so that everything is unique and show you how many times each one occurs. That way, if you pass a whole bunch of open networks with the same name, it'll put it higher up on the list, and you'll be able to make sure to include that, because it'll have a much higher chance of causing nearby devices to react to it. So if you're incorporating wardriving to make this technique more effective, I highly encourage you to use this sort method in order to make sure that the networks that you're adding are good ones for getting a whole bunch of traffic.

I also created a Python program in order to help organize these, and I'll show you briefly how it works. If you want to take a look at the file, you can type nano and then the name of the .py file, and when it's open you can see that all it does is append a newline character and an apostrophe at the end and an apostrophe at the beginning. This is helpful because the script in Arduino needs this in order to correctly add it to Spacehuhn's examples here (oops, that's the updated example; this is the older example). So in order to replace these we need to make sure that they match, which means having an apostrophe here and a newline and an apostrophe here. I've gone ahead and done this already, so let's take a look at what this looks like. In our updated sketch here, which I call the SoCal Decloaker because these are SSIDs from Southern California, we can see a whole bunch of networks that I've personally wardriven by and captured. So we have LAX, the airport, we have JW Marriott, a hotel, we have LACC, a community college, and a whole bunch of other networks that I've observed, including coffee shops and other popular places that Southern Californians like to go, in order to decloak nearby phones.

Now we have a whole bunch of these, and all we need to do, once we have the correct board selected and these changes done, is go ahead and push this by hitting Upload, and I'll need to make sure that this is plugged in properly. Here it's important to go through and make sure that we have the correct board selected, and when we scroll down we can see we have the NodeMCU 1.0 available. Once we select that, we should be able to hit Upload, and we should be able to see the LED flashing on our NodeMCU. This will take a little bit to compile and then send over, and once it does it should immediately start creating a bunch of wireless networks that will potentially trick our computer into thinking that all these networks that we see on the screen here are nearby. Once the percentage at the bottom hits a hundred percent, your NodeMCU should restart and begin immediately spamming out these packets.

It's worth pointing out that I have seen the condition where you can see these packets in Wireshark but nearby devices can't spot them, and this is usually because, for whatever reason, plugging it into a laptop maybe just doesn't give it quite enough power. So I'm going to unplug this from the computer and plug it into an outlet power source, and we should see a stronger signal overall. This is because some cables and some computers' USB ports don't provide enough power for the NodeMCU to be able to do what we need it to do. So now when I actually click on this, when we click on Select Network, we should be able to see a whole bunch of fake ones, and we are nowhere near a Burger King, so a lot of these networks are obviously fake. So it looks like it's working.

Now, in order to test and see what exactly it looks like when devices react to this beacon spammer, let's take a look at some packets that we captured earlier today in a location that we don't care about, so we don't need to blur anything. I'm going to open this up in Wireshark and I'll show you how we can begin sifting through the information to learn more about the devices nearby that are reacting to this beacon spammer we've created. In order to make this all work, you'll need to make sure that everything appears under channel 1 in this column here. That's important because if different devices are responding on a different channel, you won't see them, because you're just staying on this one channel. You can control this behavior as well; taking a look at the way that I've modified the Beacon Spammer code, if you look in the Arduino IDE you can see that the variables that are responsible for appending spaces and for preventing the packet from being seen as a WPA network are both set to false, whereas the channels that we're operating on have been reduced to indicate we only want to operate on channel 1. This is because if I included other channels it would produce packets on those channels, but we wouldn't be able to see the activity because we're stuck on channel 1 in Wireshark. In the real world, you can go ahead and use whatever channels you want, but it will be more difficult to monitor the responses if they're happening on channels you can't listen in on.

Now back in Wireshark, we can begin to filter through this data with a couple of handy filters. The only real difference between seeing this live and seeing a pre-recorded version of the data is that live, the count at the very bottom will constantly be increasing, but you'll see that we very quickly get a whole bunch of packets that are kind of hard to manage. I chose channel 1 because there's typically not a ton of traffic on it in our area, but you might want to choose one that is relatively deserted in your particular area, to make sure you don't get too much interference. I'm going to go under Filters, and the first thing I'm going to use is this "no beacon frames" filter. You can see these are mostly beacon frames announcing all these fake Wi-Fi networks, so we want to be able to cut through these and start seeing other activity that's happening on the same channel. When I put in this filter, it'll go ahead and start displaying them and give us a percentage of the packets that are being displayed on the screen; this percentage tells us how many of the packets overall are being displayed based on the filter that we've input. Now we can see different types of packets that have been sent: we have data packets, request to send, clear to send, acknowledgment, and other types of less interesting ones. But we want to learn more information about the devices that are reacting to our NodeMCU. In particular, we want to learn about authentication requests and also probe requests that have been directed at one of the fake networks that we've created. So I'm going to go ahead and use one of these authentication filters to go through the results and show only the authentication frames. I'll input the following capture filter and then press this button here to apply it, and you'll see it'll scan through again, in this case only showing us 0.1% of the 339,362 packets we captured; this equals 294 packets, and as you can see, these are all authentication requests going towards the fake networks we've created.

Now, you can see in the destination here that there are slight variations in the last octet of the MAC address of the fake networks that are attracting these authentication requests. This is interesting because it tells us which networks are more effective at attracting attention from nearby devices. We can also go into Tools, I'm sorry, Wireless, and then WLAN Traffic, and here we can see some very interesting statistics about the wireless traffic we've managed to record. Typically this takes a little bit to parse, but as soon as it does, you can go ahead and click on two different columns in order to learn about the networks that were the most effective at attracting attention from nearby devices. We'll go ahead and click on Auth to order this list by authentication packets that we've detected being directed at a particular BSSID. This can take a little bit of time to compile, but once it does, you can click on the Auth column here and we'll organize everything by the amount of authentication packets that were directed at it. You can see here that Google Starbucks, Guest, T-Mobile, McDonald's Free WiFi and DHS Guest were all very popular, which led to a whole bunch of responses from nearby devices. You can also click on Probe Requests and see which networks had a lot of requests directed at them; in particular the airport, it looks like there was a lot, and Spectrum WiFi and T-Mobile wingman. These networks we've discovered will cause nearby devices to automatically connect to them, and you can tell by the amount of activity in packets which ones are more popular. You can even go and see the individual breakdown to learn which individual device responded to which individual network, to create kind of a fingerprint, by going through and looking at the data.

Now I can go ahead and close out of this view, and back in Wireshark I can use an interesting technique to detect only the transmissions to our fake networks. In order to use this we'll need to go back here and type two brackets, a colon, and then zero and three. What this is telling the program is basically to only pay attention to the first three octets of the MAC address, so it'll match these and basically not discriminate between the small difference in the last octet of the MAC address on our fake networks. As this goes through, we should be able to see all the traffic that's being directed at our fake networks, because this wlan.da means destination address, meaning traffic that is directed towards this MAC that matches the general pattern of our fakes. The result of this filter is 262 authentication attempts to our fake beacon, and as you scroll down, you can see that these are actually a lot of Apple devices. So it seems from our testing that Apple devices in particular really like these fake hotspots and will go after them pretty indiscriminately, but then again, we might have just been in a place where there were a lot of people with Apple devices. Now, a hacker could take a look at the source MAC address here and see that this is an Apple device that is willing to connect to a fake network, which we see as the destination MAC on the right side here. This means that the attacker could just create a fake network with the same name, and the Apple device that's associated with this MAC address on the left side would just connect to it without warning the user. Obviously that could lead to a man-in-the-middle attack, like phishing pages, or even just being able to be tracked, but either way, the ability to take over someone's data connection without them knowing is a pretty big advantage as a hacker.

If you want to prevent this kind of tracking, there are a number of steps you can take that might improve your chances. The first and most obvious is to turn off your Wi-Fi when you're not using it. However, this might not actually go far enough: most modern phones use GPS or assisted GPS in order to find your relative location when a GPS signal is not available, which means you need to go in and turn off the assisted GPS or high-accuracy GPS setting in order to actually turn this off and make sure your device isn't sending out things on Wi-Fi when you thought you'd turned it off. Another option is just turning on airplane mode, but that goes pretty far, and most users don't want to take that additional step. The most basic thing you can do is always remember to delete networks when you're done with them, especially open networks, because they're an opportunity for an attacker to basically take control of your data connection. That means as soon as you connect to a hotel or coffee shop Wi-Fi and then you're leaving, if it's an open network especially, make sure to go in and delete that from your list of trusted networks, because do you really trust it popping up in the middle of nowhere? Especially if it's a common SSID, you can see that this is a pretty easy attack to execute, so make sure you get rid of those if you're not really using them.

That's all we have for this episode of Cyber Weapons Lab. Make sure to like, comment and subscribe, and if you have any thoughts on the show, we'd love to hear from you on my Twitter. We'll see you next time.
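The Wireshark workflow in the captions (filter out beacons, sort the WLAN Traffic table by the Auth column, then match the first three octets of the destination MAC with wlan.da[0:3]) can be turned into an automated check for the defending side: spot a beacon swarm in a capture and list which client devices reacted to it, so those devices can be warned and their saved-network lists cleaned up. The script below is an added example written for this page; it is not code from the video, from Null Byte or from the Beacon Spammer project. It works on a constructed list of frame summaries in the shape of the Wireshark columns the video uses (frame subtype, source and destination MAC, SSID, channel); the MAC prefixes, the "HomeNet" access point and the client addresses are made up, and the thresholds (eight SSIDs inside five seconds) are assumptions to tune for a real capture.

```python
"""Detect a beacon swarm in a packet summary and list the clients that reacted to it."""
from collections import defaultdict

# Constructed sample records (not a real capture).  Each entry mirrors the
# Wireshark columns used in the video: frame subtype, source/destination MAC,
# SSID (for beacons and probe requests) and channel.  The OUI prefixes, the
# home AP and the client MACs are invented for this example.
SWARM_SSIDS = ["Google Starbucks", "Guest", "T-Mobile", "McDonald's Free WiFi",
               "DHS Guest", "Spectrum WiFi", "LAX Free WiFi", "Hotel Guest",
               "xfinitywifi", "attwifi", "Library WiFi", "Coffee Shop"]

FRAMES = (
    # A legitimate access point beaconing its single SSID once per second.
    [{"t": float(i), "subtype": "beacon", "sa": "11:22:33:44:55:66",
      "da": "ff:ff:ff:ff:ff:ff", "ssid": "HomeNet", "ch": 1} for i in range(10)]
    # The swarm: twelve SSIDs from one OUI prefix, last octet incrementing,
    # all inside two seconds.  That burst is the signature the detector keys on.
    + [{"t": 3.0 + 0.15 * i, "subtype": "beacon", "sa": f"de:ad:be:ef:00:{i:02x}",
        "da": "ff:ff:ff:ff:ff:ff", "ssid": s, "ch": 1}
       for i, s in enumerate(SWARM_SSIDS)]
    + [
        # A phone that remembers "Google Starbucks" authenticates to the fake BSSID...
        {"t": 4.2, "subtype": "auth", "sa": "02:aa:aa:aa:aa:01",
         "da": "de:ad:be:ef:00:00", "ssid": None, "ch": 1},
        # ...and also probes for another SSID from its trusted list.
        {"t": 4.3, "subtype": "probe_req", "sa": "02:aa:aa:aa:aa:01",
         "da": "de:ad:be:ef:00:03", "ssid": "McDonald's Free WiFi", "ch": 1},
        # A second client only talks to the real AP and must not be flagged.
        {"t": 5.0, "subtype": "auth", "sa": "02:bb:bb:bb:bb:02",
         "da": "11:22:33:44:55:66", "ssid": None, "ch": 1},
    ]
)


def oui(mac):
    """First three octets of a MAC: the part that stays constant across the
    spammer's fake BSSIDs, exactly what wlan.da[0:3] matches on in Wireshark."""
    return mac.lower()[:8]


def find_beacon_swarms(frames, min_ssids=8, window_s=5.0):
    """Return {oui_prefix: set(ssids)} for prefixes that advertise at least
    min_ssids distinct SSIDs inside any window_s-second window.  A real AP
    beacons one or a few SSIDs per BSSID; a beacon spammer cycles through
    dozens from neighbouring BSSIDs in well under a second."""
    by_prefix = defaultdict(list)
    for f in frames:
        if f["subtype"] == "beacon":
            by_prefix[oui(f["sa"])].append((f["t"], f["ssid"]))
    swarms = {}
    for prefix, beacons in by_prefix.items():
        beacons.sort()
        lo = 0
        for hi in range(len(beacons)):
            # Slide the window so it spans at most window_s seconds.
            while beacons[hi][0] - beacons[lo][0] > window_s:
                lo += 1
            ssids = {s for _, s in beacons[lo:hi + 1]}
            if len(ssids) >= min_ssids:
                swarms[prefix] = swarms.get(prefix, set()) | ssids
    return swarms


def clients_reacting(frames, swarms):
    """Map each client MAC that sent an authentication or probe request toward
    a swarm BSSID to the SSIDs it revealed, i.e. the trusted-network entries
    the swarm brute-forced out of it.  Auth frames carry no SSID, so the SSID
    is looked up from the beacon the fake BSSID sent."""
    beacon_ssid = {f["sa"].lower(): f["ssid"] for f in frames if f["subtype"] == "beacon"}
    revealed = defaultdict(set)
    for f in frames:
        if f["subtype"] not in ("auth", "probe_req"):
            continue
        if oui(f["da"]) not in swarms:
            continue
        ssid = f["ssid"] or beacon_ssid.get(f["da"].lower())
        if ssid:
            revealed[f["sa"].lower()].add(ssid)
    return dict(revealed)


def report(frames):
    """Human-readable summary: one line per swarm, one per affected client."""
    swarms = find_beacon_swarms(frames)
    lines = [f"beacon swarm from {p}:xx:xx:xx advertising {len(s)} SSIDs"
             for p, s in swarms.items()]
    for client, ssids in clients_reacting(frames, swarms).items():
        lines.append(f"  client {client} responded to: {', '.join(sorted(ssids))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(FRAMES)))
```

On a real capture, export the relevant columns from Wireshark (or read the pcap with a library such as scapy) into the same record shape; the single-client, single-prefix sample above is only there so the script runs offline. The client list is the useful output for a defender: those are the phones whose saved open networks have just been enumerated, which is the list the video's closing advice (delete open networks you no longer use) is meant to empty.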
Info
Channel: Null Byte
Views: 986,653
Keywords: wht, wonderhowto, nullbyte, null byte, hack, hacking, hacker, hacks, hackers, how to hack, howto, how to, tutorial, guide, cyber weapon, cyber weapons, cyber, Beacon Swarm, Node MCU, Adruino, De-Cloaking Devices, Mathy Vanhoef, Space Huhn, Beacon Spam, Fake APs, Smartphone tracking, beacon spammer, decloak, de-cloak, arduino ide, wireshark, wifi, mac address, MAC, esp8266, NodeMCU, smartphones, phone, kody kinzie
Id: o95Or-Z_Ybk
Length: 25min 21sec (1521 seconds)
Published: Fri Oct 05 2018