David Switzer | Wifi Tracking: Collecting the (probe) Breadcrumbs

BSides Orlando · 42:58 · 776 views · Published 2016-06
About this talk
Apologies for the audio quality, we did the best we could to fix it, but audio engineering is not magic.

http://bsidesorlando.org/2016/david-switzer-wifi-tracking-collecting-the-probe-breadcrumbs

Abstract

Wifi probes have provided giggles via Karma and Wifi Pineapples for years, but is there more fun to be had? Like going from sitting next to someone on a bus, to knowing where they live and hang out? Why try to MITM someone’s wireless device in an enterprise environment where they may notice — when getting them at their favorite burger joint is much easier. In this talk we will review ways of collecting and analyzing probes. We’ll use the resulting data to figure out where people live, their daily habits, and discuss uses (some nice, some not so nice) for this information. We’ll also discuss how to make yourself a little less easy to track using these methods. Stingrays are price prohibitive, but for just tracking people’s movements.. this is cheap and easy.

Bio

David Switzer has been through the train industry, the cable industry, and even the ISP industry (technically twice) in his 20 years of being in technology. He works for a security firm in Tampa, Florida where he is paid to do mean things to companies, only because they ask nicely. Infosec interests include doing mean things with RF signals, metadata mashing, looking for “oopsies” in firmware, and talking about himself in the third person. Who doesn’t enjoy that last one, really?

Transcript

I, I feel like I'm in a boy band with a silly thing on, but hi, my name's Dave. Um, I'm talking about some very simple stuff today that amuses me, so hopefully it amuses you: basically metadata getting leaked from your Wi-Fi device, mostly your phone. Talk louder? Yes, oh, okay, sorry, I'll talk louder. Uh, my name is Dave. Uh, this talk is pretty much dealing with metadata with your wireless devices, predominantly your cell phones, but it kind of works for other devices too. Uh, requisite stuff: I'm old, I am interested in boring stuff, I've got a bunch of certs. Uh, I think my technical term is a red team operator. I work for a company called ReliaQuest out of Tampa,

Florida. Do managed security services, red teaming, a bunch of other fun stuff. Um, you know, we can find someone who's probably called sales guy if you guys are interested, but we will move on from there. Um, just to go ahead and warn you, if you couldn't hear from me stammering, this is my first talk, so I very much apologize in advance. I will try to get through this as quickly and painlessly as absolutely possible. Um, someone told me I should have a lot of fun graphics in here, so let me try to get those out of the way as quickly as possible. I've been looking at these things for years, so I'm just going to try to do what

everyone else does for information security talks. But, um, quick and easy intro: I am fascinated by autodiscovery and auto-config. We all know this stuff; they try to make it easy. It's, it's for our moms and our grandmas and all that. It has to be that way, 'cause then they will have problems and have to call the Geek Squad; we don't want that. So basically, we know wireless network: you're already connected to it, then you go home, your cell phone reconnects. It's because it's sending out beacons saying, "Hey, wireless network, you out there?" Your AP at home says, "Yep, I'm here." It connects, everyone's happy. We all know that's a great way to do a man-in-the-middle attack. Um, it's

pretty simple to detect those probes going out, and, well, we all pretty much know that that's very, very possible, but everyone else pretty much knows that too, so let's be honest there. And I'm still kind of amazed that these things work as well as they do, as long as everyone has known about these things, because businesses watch these things now, these things are in the news left and right, and then you still hear about people getting owned by them. So my thought was kind of, okay, probes are cool, what else can we possibly do with them? So again, first off, nothing you're going to see here is new, nothing's really complex. Almost everything we're going to

go over you could just do on a Windows box completely with a web browser, bouncing between some pages and stuff. This is really just get nerdily focused on something, and I decide to connect some dots and write some scripts and automate this stuff. So to try to put some ideas in this to perspective, a friend I work with told me a fun story that I thought seemed to fit, and it was a story about some guys that were arrested in Italy. In 2005, courts sent out warrants for 26 American nationals for extraordinary rendition of a Muslim cleric from the streets of Milan. And extraordinary rendition, got him, that was a new one for me. It sounds really cool,

but kidnapping is so much quicker to say. Usually it's when it's, you know, operatives and people doing that kind of stuff. So kidnapping, you think jerks on the street, but, well, this is official jerks. CIA operatives, easier to say than American nationals. And it comes down to, pretty much, this was cell phone OPSEC fail. People didn't know what the heck they were doing. We're going to share these slides. You can find this talk by a guy named Matthew Cole, who, if memory serves, was an NBC producer who did a talk at Black Hat. Totally non-technical guy, got to a Black Hat, he did a fascinating talk about this story. Definitely would recommend you go and

check it out. It's like 20, 30 minutes long. So really comes down to, this guy got kidnapped and the Italian authorities started looking into information. They started pulling metadata from cell phone towers in the general area, and they quickly went through and found a pattern of about 18 people with, give or take, 30 cell phones, and they noticed that all these cell phones were talking back and forth to each other, and this just screamed out in analytics and data to them. So they started looking closer to this. So they started figuring out the phone numbers and names associated, and they started mapping times and location, and they pretty much figured out and mapped it all the way to

where this guy got picked up, and then those cell phones kind of disappeared, because they later figured out these operatives grabbed this guy and got the hell out of the country to eventually get this guy back to an American territory. But one thing they did was they kind of did the profile up until where these agents' days would end, which would be at a home or usually a hotel. And these guys thought, okay, I'm smart, I'm going to protect my cell phone by putting it in a Faraday cage. And they thought, I'm going to get a snack packet of some chips or something and tuck my phone in there and not turn it off or

disconnect the battery. And I get the concept behind what I think they were doing, is, you know, if go off the machine here, pull out some chips, you open it up, it's nice and silver inside 'cause it's aluminum foil. That's how they are in America. Apparently in European and Middle Eastern countries over there, the snack packets don't have the metal stuff inside, so they just stuck their cell phone into a light, thin piece of plastic and thought that that was blocking stuff, and didn't really work out so good for 'em. But this is a great story and all that, but at the end of the day, favorite phrase: nation state. We're talking nation state budgets, people who have damn near

unlimited money. We can't really do that. So I, I thought with this story, let's, let's see how close we can get. So ignoring stuff like big expensive devices to check stuff, ignoring Wi-Fi Pineapples, just what else do stuff like Wi-Fi probes show us? Really simply, shows networks you're trying to connect to, the MAC address of the device, that kind of gives you the brand of the device, gives you some stuff that may be helpful, like, you know, what modes the devices can connect in, speed stuff, the chipset on the device, you know, helpful stuff potentially. So if we wanted to try to pretend we were a government and look at this stuff and try to figure out where

these agents were, kind of like the Milan guys did, you, you could kind of take a swipe at it. I mean, you could look and see the MAC addresses and see patterns and device brands. Like if you all saw a bunch of Samsung or Apples and the MAC addresses were pretty darn close, you could kind of surmise that maybe these were all bought in a batch and all that and, you know, were distributed at the same time to these different folks. Um, multiple devices probing to reconnect to the same odd or unknown networks: if you're seeing something funky and all of a sudden you're seeing probes from all these different devices probing to it, maybe these are guys that are hanging

out the same place, connected to the same network and all that. So just for an example, you know, let's, I figured let's look, get some data, decide on a target and see what we can do, just kind of theoretical. Again, I apologize, this is the sixth or seventh version of this talk. It bounced around so much I had to stop myself from adding more stuff to it because there's just so much data. So I'm going to go through a lot of these slides quick. They'll be up and available if you're interested; you can find it later. Um, first, fingerprinting a target. Like I said, fairly easy. You got to be near this person. Their cell phone's

probably blasting out these probes here left and right, and just go ahead and record them. It's very easy, it's passive, you're not connecting to them. Theoretically you're not breaking any laws in this country or, as, don't quote me, as far as I know, any other country, since you're just passively listening to stuff. And then step two is to kind of figure out, because you're going to see a crapload of MAC addresses. Everyone's got, everyone in this room's got at least one device is sending out a probe right now. Probably, given that this is a technical conference, we've all got three or four, let's be honest. So usually you can look at the SSID if you know a little bit

about your target and kind of narrow it down. Like if you do know the target's name, you can look at the name. It's, it still kills me how many people have like their name or their last name and just their home networks, boom, done. If you know where this person works, look at their business name. Might be a really simple name, especially if it's like a small business or something; they often do have like their, their name in there. Uh, device type: if you're in the same area as the person, you can check it out and see, oh, this guy's got a Samsung S5 or they've got an Apple iPhone or something, and you can look up the OUI

and kind of get a vibe of, okay, this device probably is that, maybe not. And then again, if you know the target's name and a little bit about them, you can just dig online to their favorite social media sites. Look at freaking Foursquare to see where these folks are checking in every weekend at their favorite bar, hamburger joint or something. Great chance they're listening in on their Wi-Fi there and they might be probing about it here, because they're used to just walking back in there and having free Wi-Fi, because, yeah, it's cheap, why not. So you're down to a MAC address, you're pretty sure you know who it is, and back to again looking at other SSIDs

it's, like I said, office SSID, company size, name could be unique. Restaurants, like I said, are great. Uh, obviously locally owned stuff or have weird names and stuff. Almost always they're going to either have a generic name like Linksys or they're going to have, you know, Mom and Pop's restaurant or whatever. Or then even some of the bigger chains like Applebee's, I found a lot of times Applebee's and a lot of other places like that will have something, either store name or just information about the location of it. Like, you know, my example here is Applebee's UCF. I'm actually from Tampa, and over there there's an area called Temple Terrace where I live;

the Applebee's there is called Applebee's Temple Terrace. Not too hard there. Um, back to if you know something about them, there's a chance their home might have a weird name, again connected back to their name, a nickname, a phrase. Maybe it's ISP-based, which could be even more helpful, because if you know that that's them and you see that get broadcasted out, oftentimes those are unique. Um, I found this online, though; I think I would probably die laughing if I found Uncle Touchy's Puzzle Basement. But, um, a quick sidebar: I love ISPs, don't get me wrong. If you go to certain websites and see like a national average of the most popular SSIDs out there, you

will find like Linksys and stuff like that. Then a few of them, I think Charter and Comcast, will use kind of a generic one based on their service. But since we're in Central Florida, let's look at the ones we have here. Bright House Networks: you will see a lot of these around, like BHN, these like we have on there, tgn blah blah blah c812. These are fantastic 'cause these are almost exactly unique. They're unique to the device, mind you, but depending on when you've seen it and when the data you have to analyze was done, that can pretty much narrow stuff down, because it looks sort of kind of random unless you know a little bit

about it, and you know that that's BHN, it's the model device, and then the last four is just the MAC address of the actual device you're looking at. So then it's completely unique; you can easily find that person. Uh, FiOS in the area, similar. You'll see, uh, originally when they first came out you'd see like the, uh, five characters, random letters and numbers. I think a lot of us probably knew that they figured out that they had a weird pattern for WEP encoding where their password was basically based on that SSID, and you could run a little mathematical formula on it and it would pop out one of two passwords, which like 90% of the time was the password, so you

could log in. They've mostly fixed that, but you do sometimes find those networks. You start seeing more modern equipment from FiOS; it's about the same, just has FiOS tagged on the front and has that. Um, the basis of those names and how those are based, I unfortunately have zero idea, but the good thing is they're still unique. They're still, you're probably only going to see one of those unless those get redistributed elsewhere. So if you know this guy's phone is advertising out this SSID, you know a unique device to go look for them. So again, we look and we have some SSIDs, and the question there is how easy is it to take an SSID to a street

address, and the answer is actually pretty darn easy. Um, the script that you see there, I am very bad, so I tend to name scripts very, very bluntly what they do. That's just taking SSID, translating it to a latitude and longitude, going to an address on Google API, and poof. This is a real SSID. I use this one because I'm not exactly positive what it is, but it's some sort of business in kind of an industrial area in Tampa. So I went ahead and put the address on there. That's the latitude and longitude that that SSID had been detected at, and then I referenced Google's Maps API and there's a street address. And I went from maybe standing

next to someone that I don't know, uh, passively sniffing some stuff, not touching their device, to knowing where they work or live, depending what that address qualifies as. So again, not quite that easy; this does have some scripts behind it, but I'm going to put the scripts up, and you'll see these say .sh on the end because they're bash scripts, because I didn't have time to try to do this cleanly in Python or anything like that. That's the next goal. But it's really simple at the end of the day. Like I say here, this is what I would say would be resolving metadata: goes from SSID to a latitude, longitude based on finding that SSID in

a database that could have been a local remote one, and then it just grabs latitude and longitude and hands it off to Google Maps, says give me a street address, and poof, Google comes out with an address, and suddenly like I look like I've done something really cool, and it's really, really simple and kind of scary that it's this simple in many ways. Um, I almost say that this is stunt hacking. When we hear stunt hacking, we think about the guys that go hack Jeeps and stuff and specialized little locations where they hack the Jeep and the news comes out and talks about it like, you know, you driving home will randomly get, you know, your vehicle flip

over and you'll be in a ditch and die, and really it's in more specialized locations. Really, honestly, there's great uses for this, but to an extent one of the best uses is, I would say, stunt hacking. If you have someone you need to impress or scare the crap out of, this will do it. You go from someone not knowing, knowing nothing about them and then thinking, okay, you're just some, you know, sec guy, whatever, what do they know, to being able to say here's your home address, here's what you connect to, here's what your cell phone is, here's where you like to go hang out and get your drink on. They suddenly start listening to you really quickly. So it's,

it's a good use for it, uh, at the end of the day, really. And, and this I tell the woman at home, 'cause she often looks, she's not a technical person and she still lets me stay and be around her, God love her. She says it's creepy, and my answer is, can this get any creepier? And I think it can. Um, so say in this example we didn't know their name. Say this is someone that we saw, someone we were pretty sure, okay, this person's got an iPhone, maybe we know because where they're at this person works for XYZ company, and we use some of these examples that we had in there earlier and we figured out, okay,

this is their MAC address and here's our SSIDs and we got it down to a street address. Well, I think we've all done, here in the States, property records. Every county has got their property appraiser. You can go on; if someone owns property you can find their name, their address, you can find out that's their primary location if it's been homesteaded or maybe that's an investment property. Well, the problem is not everyone owns where they live. So what about voter records? A lot of people vote. It's, luckily, and either for good or bad depending on what side you're on, has become much more common. A lot of people there vote; absentee ballots make it easy. So what

about voter records? Um, so finding a voter is really, really easy as well, because just like property record, you'd be kind of freaked out by how much voter records is considered public domain information and is searchable. Um, look for your state online; if you're looking for information about someone in another state, search for that state and you'll find it. Most examples I found, it's CSVs broken up by counties, so you can even kind of narrow it down so you're not searching through a bunch of data. They make it shockingly easy, which creeps me out. So again, back to this. I'm blocking out for obvious reasons; this is actually one of the SSIDs that's my own

personal equipment at home. I typed it in, it came back with the SSID it had been seen, came back with a latitude, longitude, bounced it against Google address, Google Maps API. It didn't quite get it: it said that the address was basically the house, like I was walking into my house, it's the guy right to the left of me's house. And then I ran against the database I had for voting information, and I'm blocking that out, but it came back with the name of the dude that I know rented the house right next door to me. So knowing one SSID, I now know the guy's street address. So I mean, it's one thing to keep in mind: this stuff is not

getting you down to exactly the location. If you know, you don't want to use this specifically if you're going to use it for any sort of legal purposes, or if you're shady and plan to go hunt someone down and beat them up, probably you want to kind of check on this stuff a little bit first. But still, even an example for myself, going from my own SSID to the guy who lives next door is a little creepy. So back to, we know who they are, we know where they live. If the goal is to man-in-the-middle them, but, you know, like we discussed, a lot of times enterprise Wi-Fi stuff knows how to look

for all of us crazy bastards with our Wi-Fi Pineapples or just Karma on your laptop, whatever. The, their office will have that stuff; their house probably does not. No matter what training these people have of how to watch out for Wi-Fi in public, when they go home, what are they going to do? This is my Wi-Fi device, I'm connecting to it, I'm going to start looking at Facebook on the couch on my phone. Uh, another benefit it is, is 99, 99.9% of everyone at home, the traffic that they're producing or creating on their network is going straight out to the internet, to Facebook, Gmail, whatever. It, it's not getting bounced internally, usually. I'm sure a lot of folks in this

room, considering this conference, it does, but the average person, depending on who you're looking at, it's going straight out to the internet, so less likely they're going to notice you in the middle as long as you give them some internet on the other side. So then boom, you've man-in-the-middled them, you're looking at all their traffic, they're looking at Netflix and Facebook or Russian Facebook or whatever. And so the question again is, is there any way to get a little bit creepier with this? This is unfortunately kind of one of those times where I started getting, realizing this was getting a little bit too long and had to stop myself. Another thing that I'm fascinated

about is Bluetooth, and with stuff, devices becoming more smart, I'm back to being terrified, because now we know where these people, what their name is, probably where they live and work. There's probably some sort of Bluetooth device in their house. There's smart televisions; I see these things all over the place and they are just horribly designed. You'd be amazed what you can connect to and start finding info on there. And the thing is, smart televisions tend to have microphones and cameras, just like devices that, you know, laptops or whatnot. Uh, you got gaming headsets, you got telephone headsets, like people all walk around with, everyone's got those things on. So there's plenty of devices out there that have microphones

connected to them, if you wanted to go so far as start to listen into these people. So the first part of this is, again, with the problem of this not exactly being an exact science, so to speak, you know, I think I'm targeting myself and really I have to address the guy next door, is you want to make sure if you're going to start looking at these people's Bluetooth devices, you're looking at the right ones. So the first step is, if you're going to go the farther step and start sniffing Bluetooth traffic, is you want to see traffic going off, you, you know pretty confidently, you know what their cell phone is, is you want to make

sure you're looking at Bluetooth devices that they're definitely connected to. So you need to figure out the Bluetooth address on the phone, and the best part about that is the cheapness of cell phone providers: they do it all in one SoC, it's all-in-one chip, their Wi-Fi and their Bluetooth. So that means they have a whole bunch of MAC addresses handed to them, and 99.9% of the time it's one hexadecimal off from the Wi-Fi address you already have. People call this an exploit, the off-by-one. Seriously, it almost always is either up one or down one in hex. I'm super lazy, so I spent the time to write a little script in to actually do the math and then do

an HCI name info request out just to automate it for myself, but it's really not complex. So now you know what they're listening to or what they're talking to. Um, again, actually breaking into that connection is probably not so easy. Maybe you can do it, maybe you can't. Go start spending way too much money and Bluetooth fun like I do. But even not necessarily listening into active conversations or, or connections that these folks are having from their phone to these devices, may be easier once they're done connecting to it to just connect directly to that device and then start listening in their home, theoretically, as someone I know likes to say. Again, this is all kind of

questionable, but at this point I kind of realized I was getting a little bit too far down this rabbit hole, and that's a little bit more for another time. I'm going to start digging more into this. But let's see quickly the, the moving parts about this, 'cause like I said, nothing is complex, nothing is brand new. I didn't reinvent anything. I created a bunch of scripts to make the stuff easier for myself. Uh, I made it easier than Googling. Like I said, nothing here is 100%. If you're actively going to use it, hopefully for legitimate purposes, sanity check anything you're looking at. Make sure it makes sense. Make sure you think you're looking at someone's house, not the guy next door,

like in my case. Uh, like I said, the locational stuff works a lot better if you have a bunch of data to look at, at most especially if you know kind of what you're looking for, that you've actually driven by these locations and collected this data yourself. It's quicker, but then also you can kind of trust the information more. All the scripts that I'm mentioning, just as a sidebar, I try to make them Unix friendly, which is basically simple command line inputs, uh, quick outputs, very simple, so you can kind of pipe it back and forth if you're cleaning stuff up. Proper exit code, 0, 1, in case you actually want to use this stuff or

something else and make sure it like ended correctly or if it bombed out. So some of the stuff I've used: uh, this kind of started with a little toy called WUDS, or Wi-Fi User Detection System, by a guy named Tim Tomes. I'm guessing you guys have heard of LaNMaSteR53, mostly known for Recon-ng. Uh, it's really simple: it's a Python, pcapy-based system for Unix that records Wi-Fi probes, and you can have it kick off an alert. The idea was he was just scanning people near his house and understanding when people were showing up that maybe he didn't know about. And he did a bunch of fixes to it and all that, but I kind of get the vibe

that was more of just something fun for him, and he apparently was smarter than me and basically put it out there and didn't get too crazy and go farther down the rabbit hole. Uh, I made a few slight modifications. The, really the biggest one, I've had a few issues with it detecting signal strength and some hardware I'm still kind of working on, but the biggest one was something super simple: I just made it start recording the local hostname of whatever device it was recording onto. So theoretically, in the future, if you want to, or if I want to, you could put almost like little, little simple sensor kind of concepts, so then you have

data coming into a centralized location, you have a way of separating it out and know, okay, it came from this host, you know, was over there, and then you can kind of look at signal and do kind of a, a mediocre location spotting of a device if you wanted to do that. Haven't really gone down there, but seemed like a simple addition. Uh, a few of the scripts that I've added: SSID scan, just to quickly go through the database that it kicks out. Um, a couple scripts called check all targets and detect targets: you can kind of configure it to know certain things about a target, and this is just a script to go through and see if it's seen the

target recently. Uh, I mentioned the Bluetooth address script; that is just to go through and, like I said, go up one in hex and down one in hex and try to connect to the device and just let you know if it found what it believes to be the correct one, so if you want to bust out your Ubertooth or do whatever dirtiness there, you can. Uh, and then quickly some of the hardware. If you're using WUDS, it uses Python, it uses pcapy. We all love us some Python, but it's, it's a little heavy depending on what you're using it on. If you're using it on a real machine, a laptop, a server, you're great, even down

to Raspberry Pis and BeagleBones, it's great. Um, when you start getting into the smaller devices like the drop boxes and stuff like that, it gets to be a little bit strong, but I have a script that I need to clean up a little bit, and I'll add to the rest of these, where you can just pretty much do a tcpdump and then it will grab all the data, just pull the probes out and kind of clean it up a little bit, and then make it so you can import it directly into the same WUDS database, so you have kind of a centralized location for this stuff. Um, well, the black text is a lot too dark.

The thing on the left is a Zsun wireless SD card reader. The goal of this is you can put little micro SD cards in, plug it into your machine and get to it, or if you just plug into something with power, you can use your phone to get to your SD card. Uh, it, it's basically running a small embedded Linux, OpenWrt, and so want to figure out how to actually put OpenWrt on it to give yourself a lot more flexibility. So the downside of that is it has no built-in power, so you have to plug it into power. Um, the positive side to me is if you're one of those people that have 10 million

little, like, one-gig micro SD cards laying around that you just can't throw away, perfect use, because that can be the file system. And also, while I haven't found a good place for them in the States, so prepare to wait from China, these things are about 10 bucks a pop. Little teeny things; you could plug them in anywhere as long as you provide it power to the USB port. So I mean, think about stuff like, uh, your televisions in places, the public places that would have those adapter USB ports inside just for power: perfect for something to legitimately place there if you'd like. Uh, the thing on the right is a, and I'm going to

forget the exact BR model, it's a TP-Link 3040, 50/40. It's basically small access point that has a built-in battery. Nice thing I love about this is the batteries actually pop off the back like a cell phone; you can swap out the battery in case it goes bad. It's 35 bucks, give or take, off Amazon Prime. Uh, you will see this online. This is actually, if you ever followed the MiniPwner guys, Kevin Bong and those guys, this is the MiniPwner 2, the hardware they did it on. The guys outside yesterday, the Hacker Warehouse, sell these. Not to take away from them: if you want to just go and spend, I think, 120 bucks or whatever, they've got all

the MiniPwner stuff on there all ready to go for you. But again, it's 35 bucks on Amazon if you want to do it yourself. They have the instructions online if you want to add all that stuff. But again, these are two very simple devices that could easily do low-end tcpdumps and collect this data for you and do processing later. Uh, so another not exactly connected recommendation that I use WUDS for, that is again the main goal for any of this, just to amuse myself really, is you can keep track of people as they come and go. Uh, Tim Tomes added support for Pushover, but his support was pretty much like, if I get an alert and it's not an exclude

list, I send out, if I get a probe and it's not on my exclude list, I send out an alert. I don't want to get every single alert, I don't want to see all that stuff. So I kind of like added some scripts to basically only alert me when I want, and has some lock files to make sure only does it, so that way you can get alert through Pushover when certain people show up. Like in this example would be my CISO or VP, so when I'm running a little bit late and still driving across town, I know when they showed up, or the VP of sales, when they're in the office, so I kind of know

what I'm walking into. It's a little bit, a little bit handy, I would say. WiGLE, a data source: I'm guessing a lot of you, if not everyone, has heard of WiGLE. WiGLE, WiGLE is awesome. WiGLE is crowdsourced wardriving. This is a website where people get information, they wardrive, go around, just collect SSIDs being broadcast from access points and geolocations, and then they upload it to the site. You have to have an account to go on and actually do a search. The account, completely free. They hand you an Android app for data collection, so you can just download it completely for free, start collecting it. And pros, like I said: it's free, there's a

ton of information I mean I I used an example earlier today when I was trying to work through some stuff quickly and it was like here's something in Shanghai I'm like pretty sure my guy didn't go through there but the con is it's slow there's really no API for automation and while I started working on that the common thread of this talk is I ran out of time to script that but I will get that finished if you do want to check back later my personal favorite side again is the local databases whenever possible I try to get my data local on my laptop right here it's quicker if you don't have internet access if you need

something quickly you still have it the WiGLE Android app collects this data you can enter an account and then share it with the WiGLE website so then anyone can grab your information and use it if they want or you can be a jerk like me and just drive by specific locations you think you may need and never upload this data and have it all there um the actual app will let you export this stuff in CVS but if you've ever tried to export a really data big database to CSV rather on a small cell phone it's not fun but then I realize there's no real point because it stores all this on a SQLite database which

is way easier to deal with so the pro free app easy to get all this information if you pull the database which I have scripts that actively know how to read those databases do stuff with it really fast um the con if you didn't drive past it the script doesn't know about it and it may or may not be some data that you like to believe in another data source as I mentioned Google Maps Google Maps web API without an account or paying them anything will hand you a JSON of information based on the latitude longitude um this JSON is actually kind of impressive it breaks down the results into metro area the city the neighborhood down to the

rooftop as it defines the location from the Northeast to southwest corner of what it believes is the rooftop of the address you just said I mean it it it's kind of crazy to put this in and realize how far they've taken it down when you think about sometimes when you look at the top down view on Google Maps how you can kind of tell where it's like pieces stitched together these are the pieces stitched together they actually have the coordinates hand it to you the pro it's Google so it's free and fast and the con is it's it's Google and it's not quite perfect kind of like the example street addresses are often off by one not really

necessarily Google's fault because it's really kind of down to how the information was stored uh another thing I found that Google does a lot more than the other source I used is they'll often give you a side street instead of what would be the main location like for example my office is off Kennedy Boulevard and it nails the address but it gives like a side street which is the little street that I always you know cut through and speed up to get to work cuz I'm running late so it's a legitimate address and if you just have some recon you need to physically get there to look at more information it works but again like I said you need to kind of sanity

check all this stuff and like I said at the bottom Google knows and sees all you might as well use their information they're collecting it from you anyways the original source I used for this stuff is Texas A&M University has a geoservices project which isn't exactly free you can get a free account and has some limits uh the accuracy is a little bit closer than Google it's not by a ton uh it's not Google uh the cons like I said it's not completely free with most of these uses you're never going to use what you get with the free account you're never going to go over and have to start paying them uh it's slow compared to Google not a

shock there and quite frankly I kind of like using Google better than a university and wasting their bandwidth on the silly stuff that amuses me on the weekends or night times but it's still another source of information so I went ahead and put that up there data sources voter record like I said you can find this information online just Google for it uh the data like I said typically CSV format it's really not that big Florida was just give or take about 3.75 gigs uncompressed that's the straight CSV files straight text format sitting on a drive Pro it's it's free as far as I could tell all states make this available 3.75 gig of information that

could actually be multiple addresses for people and a little bit more historical information it's that's really not that bad when you think about it and again the benefit of not having to worry about is this address in the name I just found is that the person that lives at that house or the person that owns that house and is renting it to someone else you get a little bit more accurate information if you're down to looking for an actual individual cons it's CSV so load it into a database that you can search with or at very least like I said it's broken up by county so you can make it a little bit faster like again I'm

from the Tampa area so I can narrow down my searches by searching for letters H for Hillsborough P for Pasco Pinellas and a few other ones so then I'm looking through three or four out of 50 some files so it definitely speeds it up a bit I'm always told I have to do a demo and again this is my first talk so I did not want to screw with the demo guys I'll be completely honest this demo is semi sort of live in the fact that I spent 20 minutes towards the end of the day here recording some information it was seriously about 20 minutes just grabbing probes nothing big and you will see why this says fail demo I didn't get

that far with it but again I wanted to be honest with this so I went looked at the data picked something looked interesting and try to take it as far as I could so here you go so again here's this demo here's the data I sat down at one of the tables outside it was like 5 5:30 maybe yesterday it was maybe 20 minutes didn't really catch it here's the probes I saw some of them really not that surprising Disney e-club Ballroom those things I got to assume as Disney I'm really amazed how often I see people advertising and looking for a network called FBI surveillance van no matter where I am through this freaking country

it seems like the FBI surveillance vans are are very common um how deep does the rabbit hole go down there on the bottom left that was kind of a new one for me uh actually when I got to the hotel last night to start working on this portion I saw one called totally not the police so if you were at the lenta High um and then if you look at the rest of these nothing too exciting not your Wi-Fi 5 GHz holiday in some stuff like that so I kind of look through those and after looking at the stuff for a little while I try to find one that seemed interesting or at least somewhat kind of

unique and could be used so I I noticed this one called FLVS honestly that stuck out to me because it it it's not because it's only four characters it kind of reminded me of the Verizon FiOS ones they're five letters so I decided to go with that one and take a look at it so I did a quick search with one of my scripts across the data that I collected to see who was looking for that so it came back with two different MAC addresses as you see again I do not know who these people are I probably should have blacked out that last part but your devices are sending out this data anyway so anyone could go look for it so I've

got two devices that are looking for this so then I decided to see these two devices what other Wi-Fi networks are they may be looking for what do they have in common so I went and looked for all of those and then had it count and summarize them so I could see which ones came up most between them there's the list of all the other ones kind of looking down through them it to me personally the FLVS was still the more interesting because most of these are pretty you know home to Apple TV belkin54g muffin and orange muffin I'm curious about that but I've seen muffin a lot lately and I have no idea why the

2WIRE one that's interesting to me but I haven't figured out or found anything that describes exactly what those names are those are AT&T U-verse uses devices called 2Wire gateways I was really hoping those were unique kind of like the Bright House stuff or the FiOS stuff but I'm seeing like the same three digits being used many many times you'll find them on WiGLE all over the country so I really don't know what those are and I really can't narrow it down so I decided to stick with the FLVS so I went to go look and well it wasn't in my local database again what I'm calling my local database is the database I keep on my laptop that was

completely sourced by my little crappy phone that I have running the WiGLE app this is totally just stuff I've driven by I was really hoping to rank up a lot more of them driving here from Tampa and back but I don't think I've actively driven around anywhere on purpose just to collect that data this is me driving around to where com errands or whatnot so again unfortunately got to go to the website cuz I haven't written the web API stuff yet so here's the website if you go for a search as you see it pulled up the SSID and it pulled up a bunch of them and then as you see there's a bunch of

different MAC addresses so usually what I'll do is I will look for the most recent stuff and it looked like the most recent spotted and submitted to the website was December 11th of 2015 pretty recent I'll go with it the thing that kind of was interesting to me was if you look at it there's a couple different MAC addresses spotted give or take the same time with the same thing so this is probably multi access point network probably a business maybe a public Wi-Fi network or something for metro area I have no idea to me FLVS I think Florida something don't know this could be anywhere H what is it Florida oh God bless you sir that would actually make sense what's

going to be on the next slide or two so thank you um so I go back and look and I did a slight variation on the script to just take latitude and longitude and it comes back and gives me an address so well it seems kind of like a waste of time doing this since I pulled it from Google Maps but let's go back to Google Maps anyways and like I said that makes sense it pulled up G. Holmes Braddock Senior High in Miami Florida which again I'm I'm now entertained and that would explain the other locations for Florida Virtual School but this one specifically the most recent ones were spotted there so that's now making me feel that this is

probably less sure of a find right here um pretty much at this point I stopped because there was not much more to go on even going past now that that Florida Virtual School thing could mean that it could have been other schools even in the Orlando area I decided just for giggles to look I only found on Twitter for a quick search again this was this morning really quickly in my hotel room I found two people referencing Miami and Orlando at the same time cuz that's where the school was these two notes right here are from two different people went ahead and blacked it out cuz you know whatever obviously the 2014 thing little old the guy on the top was

possibly talking about being here but again he's in Orlando for the week so maybe he's at SANS coming this week who knows I didn't find anything that really narrowed it down so I decided not to move any farther cuz there's no point and it'd be boring information or maybe putting someone's information out here that doesn't make sense and back to Florida Virtual School it could be Orlando could be someone down the street or something so again thus why I entitled that fail demo I wanted to give you an honest view and well I picked one I got 20 minutes of info looked at something and didn't get that far but so again what's your phone telling

us where you work where you eat where you hang out where you live but again this this comes down to if you're using their Wi-Fi and this is this crowd probably doesn't use it quite as much I mean people are actively encouraged to not do this anymore I've seen commercials for this you see stuff on the news about not connecting to public Wi-Fi but again people still feel safe to go to their house or their office and connect to it because I mean they're safe there it's what I connect to every day the IT guy down the way says it's cool but to kind of fight again against connecting this stuff there's even a lot

of cell phone plans like Republic Wireless or now Google Fi that heavily encourages this how they give you a cheap bill offload all of your stuff to Wi-Fi whenever possible your phone calls and all that stuff it's a cheaper bill I mean and a cheaper bill is one great way to encourage people to do something in this case connect to Wi-Fi so really it comes down to thinking about who your target is and who is your target more likely to be and nine times out of 10 I'd be willing to wager it's more likely to be someone that could get found by these methods than necessarily folks in this room right now so a quick

overview again as I mentioned this is probably a little bit more for protecting your moms grandmas and all that and keeping them from calling The Geek Squad and paying them don't let your devices connect autoconnect anywhere I mean obviously there's sometimes you may want to um don't advertise your SSID at home that obviously they people can still find it if they're sitting outside your house and want to work at it but you know I like to make people work for the fun use a boring SSID like linksys obviously then you could argue that people could you know your phone could potentially connect to linksys anywhere and that's common one two sides of that argument but another fun thing about WiGLE is

you can get stats on the most used Wi-Fi SSIDs across the country and I think linksys is number one then it's sudden NETGEAR is two or three but then it's mostly followed by Comcast stuff and then Charter stuff and then another paranoid one is keep your known networks on your devices to a minimum and even clean them out right if there's you know some place that you go to once every couple months to go meet someone and have dinner maybe you don't need to leave their SSID in your phone to constantly probe out for on a regular basis I mean don't get me wrong I'm just as horrible with that as anyone else because it's convenient then you put

your phone back in your pocket you forget about it so tinfoil hat version of that regularly change your home SSID they can still find your SSID so mix it up a little bit you know if you think someone might be actually screwing with you make it hard for them uh one that I'm going to probably try to start making myself do your home is my home go on to WiGLE and find something across town from you that has a unique ID like one of those ISP examples I gave you and manually set your home to be that one so if they figure out and see your phone advertising that out they go to WiGLE and look it up and all of a sudden they're

going across town and looking at some other guy's house and not yours um another big thing is a lot of stores are starting to use stuff for Wi-Fi tracking and a lot of times they are actually using probes so if you think you're going someplace like this you can go back and look at some of those small devices that I showed like the TP-Link and write a small script to just go through a loop of spewing out SSID probes that mean absolutely nothing that maybe are being sourced from MAC addresses that look like different types of phones just because that way it'll make your device hopefully get lost in the mix and really confuse the crap out

of whoever is looking at all those logs and again the easy mode down to just turn off your Wi-Fi if you're not going to be around anything I mean there there's apps uh Dragorn the guy who does Kismet has Smarter Wi-Fi give that guy two bucks we've all probably made more than two bucks off of his work over the years and that way it tries to actually see networks that it may know and know when to turn stuff on and off and I don't know if he actually finally did it but he was actually going to set it to start recognizing cell phone towers that you mark as safe so that way if it sees a cell phone tower near your

house it'll turn on Wi-Fi then so it's a good easy option and that is it thank you for listening if you want any of this stuff there you go appreciate your time and I'll say any questions if there happens to be any but ye it's not there now but yes check in a week or two and all this stuff will be there you'll look at you like why did I ask that guy for these scripts I could have written this garbage myself but yeah uh anyone else thank you for your time and thank you for supporting BSides it's good that Florida has these things