
All right, thank you everybody. Thanks for the introduction, I appreciate that. It is 6 o'clock on a Wednesday before DEF CON; I'm surprised anybody is here. You all should be taking your naps while you have it, you all should be hydrating while you can, so thank you for sitting through this. Who here is familiar with software-defined radio, even to a basic degree? Show of hands. All right, good, good stuff. If I mess something up, or if there's something better I could do, please come find me after and let me know. A lot of the stuff that I'm doing here I'm trying to recreate with commercial off-the-shelf equipment that I would have used very expensive military equipment to do, so it's not going to be perfect, it's not going to be one to one, but we're going to do our best.

So what we're going to talk about, essentially, is just a very foundational introduction to SDR. For those who didn't raise your hand, this is more for you than anyone else, but for those who did raise your hands, this is going to be something where maybe I give you a slightly different idea about what you can use your SDRs for. We're going to focus on tactical things, which, you know, everyone likes tactical stuff, but the reality is anything that's tactical in the world you could translate to more mundane things: just listening to the radio, if it's an FM broadcast, listening to your favorite song or whatever. Well, you can mess with your SDR to listen to the local Chick-fil-A, which, my local Chick-fil-A operates on FRS channel 20. If they get my order wrong, I know before they do. But it's going to be more application than theory. If you're looking for theory, you know, I can Google that for you, but the fact is I'd rather show you how to do stuff. I don't know very many other talks that do live demos, but I'm going to try these live demos here, and hopefully the live demo gods, which today is Poseidon, is going to favor me on this one.

This is not going to be comprehensive, and I think we've already covered that. I have about 40 minutes' worth of stuff; if I had an hour, two hours, maybe even three hours, we could get into some really heavy, nasty stuff, but for now we're just going to deal with some of the basics. I don't want it to be complicated either; I want this to be something you can go home and do yourself. If things get a little bit too complicated, I apologize. Again, I only have 40 minutes, but feel free to find me and I will walk you through it; we can spend as much time as you like. And also, and I mentioned this before, radio is... radio is not an exact science. It's fantastic and I love it, but it's going to mess with you when it can. Murphy's law definitely applies here, so if my demos fail, I'm sorry, the demo failed. It happens, but hey, you know, it's a live demo; things aren't always going to go right.

A little bit about me: I'm former Air Force, I just retired a few months ago. The stick up my butt is still taking its time to dissolve, but, you know, eventually I will reach civilian life. I started to grow my hair out, that's cool, right? I'm still not embracing beard life; I don't know if I could do that yet.
We'll see what happens. But I was basically an intelligence analyst for a very long time, and when you're an intel analyst you get into signals intelligence, human intelligence, instrumentation intelligence, all these things. Well, all of it is defined by signals, so it was inevitable that I was going to get into radio, both for defensive and offensive purposes, even if I wasn't specifically a radio guy. The last five years of my career I did special operations with offensive and defensive cyber, and many of our enemies would converge their radio technology with cyber technology, so we were looking at a lot of digital mobile radio, we were looking at a lot of digital modes for HF, we were looking at Wi-Fi, Bluetooth, all kinds of other IoT protocols that were sort of hijacked and used for tactical purposes, and that's where a lot of this is coming from. Also, yeah, I don't like long walks on a beach. I never have. Just not a beach guy; I've had enough sand in my life, not going to do it.

So, software-defined radio, and I put here "in a very, very small nutshell," but it's kind of impossible to do that. It's impossible to really define SDR in just a few sentences, but essentially what you're looking at is: if I pick up a radio like this, you'll know what this is. It's something that has a speaker, it has a bunch of numbers on it, it has a liquid crystal display, you can talk into it, you can hear other people talking back to you. A software-defined radio is all of this without the buttons, without the display, without the speakers, without the antenna, without anything that you would look at and think of as a radio. It's just a radio on a chip. Your computer is what's going to become all the buttons, all the displays and all the speakers. So that's what's cool about a software-defined radio: it's versatile. You have one little thing, one little chipset, that's going to take sounds and it's going to modulate it, demodulate it, from, you know, whatever airwaves, electrons at whatever frequency, and then it's completely up to you and the applications that you're using on your computer to do something with that. And that makes it way more versatile than this. This is a one-trick pony: transmit and receive, that's it. Software-defined radio, I can do all kinds of stuff, and we're just going to scratch the surface.

We are going to use an RTL-SDR. This is probably something like a $30 software-defined radio dongle. You can get it off Amazon; be careful, there are imitations out there, but if you go to RTL-SDR they will show you pictures of what a legit one looks like, and then you can pick it up and you can do all kinds of really neat stuff with it. They're receive only, but they have a pretty wide range that they can receive in. Obviously it requires a computer interface, because that's what we're doing, it's software-defined radio, but it's just a lot of fun, and the barrier to entry to be able to use this and do all the cool things that we can do is really, really low.

Next we're going to use a HackRF. The HackRF obviously is way more expensive, but that's because it has a lot more features: it can send and receive, not just receive. Now, we're going to demonstrate that when I do some of my, you know, neat sending techniques, but you can do a whole lot of really great stuff with the HackRF. It's just a matter of making sure you update the firmware, and also making sure where you buy it from. You can get it off of a whole bunch of different sites where it's going to be drop-shipped from wherever; fine, as soon as you get it, make sure you flash the firmware, get the latest Mayhem firmware or something, to make sure that it's legit. But if you get it from something like Great Scott Gadgets or you get it from Hak5 or something, it's already going to have everything flashed for you, but you're paying a premium for that.

And then we're going to use the Flipper Zero. I bet none of you guys have ever heard of this, no, it's a brand new thing. I mean, I just kind of found it somewhere. Yeah, only I really know about it. It's nuts, it's amazing. I got through the airport with this stuff; like, of all of these things, the Flipper Zero was the least of my worries. I was afraid somebody at TSA was going to recognize a HackRF and be like, "Sir, you can't bring that on the plane." No, nothing. They stared at my shoes more than they did at my bag, so I was lucky.

So for software, what we're going to use is Windows 10. Windows is perfectly fine; it's a perfectly good platform for using the applications we want to use. Some people prefer Linux, I prefer Linux, but for those of you that are just getting into this, I would probably venture to guess that you may be Windows users. If you're a Linux user, great, good on you, continue to be who you are. If you're a Windows user, you don't have to change, you don't have to become a Linux snob, you can do all this with Windows. Most of the stuff you can use on Linux you can also use on a Mac, because it's a *nix kind of system, so all the software that I'm going to be demonstrating today you're probably going to be able to use on whatever kind of operating system that you like.

We'll use SDR Angel. SDR Angel is freeware, it's open source, you can download it and you can install it; I'm going to show you how to set it up. dump1090 is another one that I like. This is how you pick up ADS-B signals. This is not the same as aircraft transponder frequencies, but it's similar to it, and they call it dump1090 because you're picking up packets at 1090 MHz and you're dumping it into an interface. Virtual Radar Server is the user interface that's going to manifest everything I collect from dump1090, and we're going to demonstrate that, hopefully. I use Momentum firmware on my Flipper Zero. I used to use Xtreme, but they had some politics and Xtreme firmware is now defunct, so I use Momentum. Other people might use something else; that's fine. Everything we're doing will even work with the stock firmware, so don't worry about trying to copy what I got if you don't want to go through that pain. And for the HackRF, what I'm using is version 20231 Mayhem firmware. You can get later versions if you want to; everything that I've done, I've done with this version, and I feel like if I flash it and upgrade it, it would break everything, so for now I'm sticking with this. It doesn't mean follow my lead and downgrade everything; yes, definitely patch, use the latest firmware, but this is what works for me
now. So the first thing I want to demo is how to set up SDR Angel. I would do it live, but instead I made this recording and I'm just going to follow the recording. So when you open it you get this blank interface, but the first thing you do is you go to these icons that are up in the upper left and you pick your receiver. My receiver is an RTL-SDR. As soon as you have that manifested, you go to your add-ons. If you want to listen to regular FM broadcast, you can pick a wideband FM demodulator; if you want to listen to things in the IoT space or sub-gigahertz, you pick a narrowband FM demodulator; you want to listen to pagers, you can pick the POCSAG demodulator; you want to listen to telegraphy, you can pick a demodulator for that. It's pretty cool, you have a whole lot of different options. Next thing you do is pick a transmitter, if you have a transmitter. I'm picking the HackRF, and now that I have the HackRF I need to know, well, what am I going to transmit? In this case I'm transmitting narrowband FM, because I'm going to be transmitting in the 400 MHz space, so that's what I'm picking. So I went from a blank screen to this really pretty cool-looking thing. It took me, I'm not going to lie, probably a good month and a half to learn how to use this program, because it is not intuitive. There are more intuitive applications out there for software-defined radio, but this one I like because I can have a receiver and a transmitter at the same time, and a lot of the stuff we're going to do is going to require that.

And so this is the finished product, this is what it's going to look like, and if you can follow my mouse up here, you're going to see what the frequencies look like, you're going to see the histogram down here, you're going to see something called a waterfall. It's going to be a bunch of blue color that's going to be coming down, and then you'll see some red, some orange, some yellow, maybe some green. The brighter and hotter the color, the higher the amplitude of the frequency that you're seeing, or the power of the frequency. And so if you record that stuff, and this is something that we used to do: we used to send an SDR out on a plane into the middle of nowhere where we thought the adversaries were operating. We would set it up and we would have it run, and we would have it record something exactly like this, playing with the waterfall, and then when we were finished we'd retrieve those data, and then somebody would take that waterfall that you're going to see and they would put it on, like, 50 times play speed, 100 times play speed, and they would identify those hotspots, those changes in color, and they would correlate that with the frequency, and then we'd be able to analyze the frequency to see what is going on in that space. We call that electronic preparation of the battlespace, EPB. When those data come to me, then I take a look at the frequencies and I try to check all the reporting to see who's operating or what's operating; now I'm doing intelligence preparation of the battlespace, IPB. So it all goes hand in hand, and it all starts with being able to collect radio. I am doing this so far with nothing but my Windows computer and freeware.

All right, so moving right along, the first demo is going to be me using a radio. Now, I have a picture here of a Baofeng UV-82. That's not what this is; this is a UV-9, but it's an upgraded one, similar characteristics. It's still going to be basically a radio on a chip inside of a radio housing, you know, but for a very simple demonstration we're going to start to receive signals, and I'm going to key this and you'll see what it looks like when an SDR receives a signal. So let's get started. All right, we'll leave this. I will open up SDR Angel, and you see when I open it up it's going to come up in the configuration that I had already demoed for you. It takes a second; it's a pretty sophisticated piece of software, even though it's free, which is really nice. All right, here we go. You can all see this screen, right? All right, fantastic. Now I have my RTL-SDR, it's receiving, I have it set to 433.920 MHz, so you can see the waterfall down here. You see that blue space; you can calibrate that so it can be bluer, greener, whatever you want. But now I'm going to key on that frequency that I have the SDR set to, 433.92 MHz, and there you go. It's not a clean transmission: you have the peak at the frequency that I have set, but you have a lot of spurious transmissions to either side. That's because these are not very sophisticated radios, but they still do the job. That being the case, if you have audio, then you can actually hear when someone speaks into your radio, because your SDR is going to receive it. Check, check, check. Maybe you heard that, maybe you didn't. Check, check, check, check. Okay, it is out of that speaker. All right, okay, well, if you heard it, then success: you are now able to listen to Chick-fil-A.

So that is the most basic advantage of having a software-defined radio: with a little tiny dongle that looks like this (if you're far away you won't be able to see it, and I'm ruining everything), with this little tiny thing I'm able to pick up signals everywhere in the spectrum. If I want to pick up HF, high frequency is, like, you're looking at like 50 MHz, something like maybe 30 MHz, all the way down to 12, 10 MHz. When you're using a software-defined radio to pick up signals like that, you need something called an upconverter. You're taking that signal, you're converting it up into VHF space where it's going to be human audible, so you can do something like that. You can get a downconverter if you wanted to pick up something in very high frequency like satellite or microwave transmissions, and then you can do the same thing: you downconvert it to something that would be human readable, something that the software-defined radio is able to demodulate, and it's pretty good stuff.
Yes, it is additional hardware, and that's a really good question. So you can take that hardware: an upconverter or a downconverter is similar in profile to the SDR dongle. It's about the same size, maybe they're a little bit smaller, maybe they're a little bit bigger depending on how much power you want behind it, but you do the same thing that you would, like, connecting an antenna. You know, you take an SMA cable or some kind of coaxial cable, you connect the downconverter to the SDR dongle, then you connect your antenna to the downconverter, and you're creating a radio chain. So you could do it with software too, but the hardware is a lot better, because, you know, with the software it could be finicky and you have to really know how to use it, whereas with the hardware, the software is already defined inside of that hardware; the work is already done for you. Nope, that's what we got.

Now, because it's going to interfere with the next demo, I'm going to close this down and I'm going to restart. Now, remember I mentioned ADS-B signals. Typically I would use an RTL-SDR receiver, but you can use whatever receiver. I'm using dump1090, which I already explained, and I'll demo that. Virtual Radar Server is a software that is going to give you a user interface and a map that'll show you visually, graphically, what the dump1090 data looks like. Usually I would use a dedicated 1090 MHz ADS-B antenna, which is pictured here. It was big to pack, so I didn't pack it, so instead I am using this very small sub-GHz dipole antenna, which does the job almost as well as this big old ADS-B antenna, and this can also pick up a whole lot of other cool stuff. I typically use this as a GPIO attachment with the HackRF, but it works just fine with your software-defined radio too. So this dipole is what I'm going to use to pick up these signals. So let's see what we can pick up. Because of the amount of material that is between us and the sky, this may be a complete failure, or may not, but we're going to try it out.

All right, this is dump1090. If I reposition the antenna, I start picking up some signals. If you look in the column that says "alt," that's altitude. I'm picking up something that's grounded but is still putting out some signal, and I'm picking up something that's at 4675 ft. You're picking up lat/long for location, speed, heading, all kinds of cool stuff. That's all great and everything, but instead let's see it on a map, and because this is a super professional talk, I have to hold the antenna up. Now, if I were picking up anything and Virtual Radar Server were picking it up too, then I would see it here, and I can zoom in on it, and this is what we got so far. We have these two aircraft. One of these is American Airlines, it's a Boeing 737; you can see the altitude, you can see the speed, you could even see its flight plan: Phoenix, Las Vegas, and Phoenix and back again. Let's pick this one. What does it look like? It's a Southwest flight, another 737. It's not transmitting a call sign, it's not giving a route, but that's okay, you can probably guess where it's going to go. Typically things go to either McCarran or the various Air Force bases that are around here, like Nellis, for instance. But it's not a very good demo, because I don't have a lot of dense collection, because of the antenna and because of the structure I have here. 1090 MHz is a really high frequency and it's going to get soaked up by nearly anything that this place is made of, specifically all the non-conducting stuff; it's going to soak up your RF. The conducting stuff is probably going to take it and retransmit it. If I were to hook up a coaxial cable to any of, like, the I-beams in here, then maybe I'd even use those and turn those into an antenna. I'm not going to do that, remember, 40 minutes, but you can do stuff like that.

And so that's a demonstration of what ADS-B can do: free, open source. I still spent just maybe 60 bucks on the RTL-SDR and that antenna. This is the kind of stuff that people use to generate worldwide intelligence. All over the globe there are people that collect this stuff, they put it on a server, and you can go and you can view it from anywhere in the world. Hugely good intelligence-gathering source, so it's another way that you can use passive radio collection for intelligence. Let's get rid of this, let's get the show back on the road. This is a demo of what I took with a little bit more ideal conditions. You can see a lot more stuff; there are things that are flying around that are, like, coming in northbound, eastbound, whatever. If you have more computing power and you have the proper antenna, you can see the movements of these aircraft almost in real time, which is nice, but using the antenna that I had, I can only see it updating every few seconds. But there you go, that's what ADS-B looks like, and since we were able to do a live demo, I'm not going to show you the entire video, I'm not going to subject you to that, but we can move on. And like I said, you can use other people's stuff for this. So I use an SDR to pick up my radio signals.
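Added here as an example, not from the talk and not dump1090's own code: a minimal encoder and decoder for the 112-bit DF17 extended squitter frames that dump1090 pulls off 1090 MHz, showing the parity check that throws away corrupted receptions (the kind a building full of RF-absorbing material produces), the 25 ft altitude code behind the "alt" column, and the callsign field. The parity polynomial and field layouts are the Mode S standard ones; the ICAO address, altitude, callsign and CPR position bits are constructed sample values, and position itself is not decoded.

```python
# Added example, not from the talk or from dump1090: a minimal encoder/decoder for
# the 112-bit DF17 extended squitter. ICAO address, altitude, callsign and CPR bits
# below are constructed sample values.

GENERATOR = 0xFFF409   # Mode S CRC-24 polynomial, leading x^24 term implied
CALLSIGN_CHARS = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"


def mode_s_crc(msg_hex: str) -> int:
    """24-bit remainder of the whole message (data + parity field) divided by the
    generator over GF(2). An intact frame yields 0; a corrupted one does not."""
    bits = int(msg_hex, 16)
    for shift in range(len(msg_hex) * 4 - 1, 23, -1):      # MSB down to bit 24
        if bits >> shift & 1:
            bits ^= (GENERATOR | 1 << 24) << (shift - 24)
    return bits & 0xFFFFFF


def build_df17(icao_hex: str, me_hex: str, ca: int = 5) -> str:
    """DF=17 | CA | 24-bit ICAO | 56-bit ME, then the 24-bit parity (PI) appended."""
    body = f"{(17 << 3 | ca):02X}{icao_hex.upper()}{me_hex.upper()}"   # 88 bits
    parity = mode_s_crc(body + "000000")    # remainder of the body padded with 24 zero bits
    return body + f"{parity:06X}"


def encode_altitude_me(alt_ft: int, lat_cpr: int = 0, lon_cpr: int = 0, tc: int = 11) -> str:
    """ME of an airborne position message (TC 9-18) with a 25 ft (Q=1) altitude code.
    Surveillance status, single-antenna, T and F bits stay 0; CPR bits pass through."""
    n = (alt_ft + 1000) // 25                         # 11-bit altitude count
    alt12 = (n >> 4) << 5 | 1 << 4 | (n & 0xF)        # Q bit inserted as bit 8 of the 12
    me = tc << 51 | alt12 << 36 | lat_cpr << 17 | lon_cpr
    return f"{me:014X}"


def decode_altitude_ft(me_hex: str) -> int:
    me = int(me_hex, 16)
    alt12 = me >> 36 & 0xFFF
    if not alt12 >> 4 & 1:
        raise ValueError("Q=0 (100 ft Gillham code) is not handled in this example")
    n = (alt12 >> 5) << 4 | (alt12 & 0xF)             # drop the Q bit again
    return n * 25 - 1000


def encode_ident_me(callsign: str, category: int = 3, tc: int = 4) -> str:
    """ME of an identification message (TC 1-4): 8 six-bit characters, space = 32."""
    me = tc << 51 | category << 48
    for i, ch in enumerate(callsign.upper().ljust(8)[:8]):
        me |= CALLSIGN_CHARS.index("_" if ch == " " else ch) << (42 - 6 * i)
    return f"{me:014X}"


def decode_callsign(me_hex: str) -> str:
    me = int(me_hex, 16)
    chars = (CALLSIGN_CHARS[me >> (42 - 6 * i) & 0x3F] for i in range(8))
    return "".join(chars).replace("_", " ").rstrip()


def decode_df17(msg_hex: str) -> dict:
    """Per-frame work as dump1090 does it: reject on parity, then split the fields."""
    if len(msg_hex) != 28:
        raise ValueError("expected 28 hex characters (112 bits)")
    if mode_s_crc(msg_hex) != 0:
        raise ValueError("parity check failed: corrupted reception or not a DF17 frame")
    first = int(msg_hex[:2], 16)
    df, ca = first >> 3, first & 0b111
    if df != 17:
        raise ValueError(f"DF{df} is not an ADS-B extended squitter")
    me_hex = msg_hex[8:22]
    tc = int(me_hex[:2], 16) >> 3
    out = {"df": df, "ca": ca, "icao": msg_hex[2:8], "tc": tc}
    if 1 <= tc <= 4:
        out["callsign"] = decode_callsign(me_hex)
    elif 9 <= tc <= 18:
        out["altitude_ft"] = decode_altitude_ft(me_hex)
    return out


def corrupt_bit(msg_hex: str, bit: int) -> str:
    """Flip one bit, as a noisy reception through a building would."""
    return f"{(int(msg_hex, 16) ^ (1 << bit)):028X}"


if __name__ == "__main__":
    pos = build_df17("40621D", encode_altitude_me(38000, lat_cpr=0x1234F, lon_cpr=0x0ABCD))
    ident = build_df17("40621D", encode_ident_me("SWA1234"))
    print(pos, decode_df17(pos))
    print(ident, decode_df17(ident))
    print("damaged frame parity:", mode_s_crc(corrupt_bit(pos, 50)))   # non-zero, rejected
```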
Well, you can go to shortwave radio receiver maps and you can pick up shortwave from receivers all over the world. Same thing with WebSDR: people that have these things set up and they have all the collected data go to a server, you can go to their site and you could listen all over the world. You want to know what's going on in Radio Free Cuba? There's a website for that; somebody is collecting, probably in Miami, maybe Key West. You want to know what's going on in Ukraine? There are people all over Moldova that are collecting the same stuff. ADS-B Exchange is a good one too. You want to track Grandma's flight when she's coming to visit, you can go to ADS-B Exchange and you can see the flight as it's going along its flight path. That's how good the coverage is for the continental United States. So, you know, way better than having to go to the Delta app or something like that, at least in my opinion. But other than using other people's stuff, let's get into some real groovy things.

So, sub-gigahertz. This basically means everything that is from a gigahertz down. When you start getting into broadcast FM, around 108 MHz down to maybe 75 MHz, that's no longer technically sub-gigahertz; now you're getting into broadcast FM, and then you get into HF. Sub-gigahertz would be your IoT stuff: your garage door openers, your key fobs, your SCADA systems, things like that, between 315 and 433 MHz in the United States, 95 MHz for LoRaWAN and different IAC networks. That's what you're talking about with sub-gigahertz. It's everywhere. If you do a frequency analysis of your house, you'll start picking stuff up and be like, what is this? It could be anything. It could be the tire pressure sensor monitors on your car, it could be various remote controls, it could be some smart device you didn't even know you had that's generating signals to something else. It could be anything. It's scary. It could be your neighbor's alarm system, and you're picking up those packets. Don't get any ideas, but if you do get ideas, it's a lot of fun. So, that being said, be careful with this stuff. I'm going to demonstrate a few things where, if we're doing it in this condition at this power, it's not really going to make too much of a difference, but if you start increasing power and you're targeting things you're not supposed to target, they will come get you. Maybe the FCC is not going to come get you specifically, but there are people all around that do stuff like fox hunts; if you interfere with their signals or you break their stuff and you transmit a signal continuously, they will triangulate you.
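As an added example, not from the talk, here is how the hotspot hunt over a recorded waterfall (the EPB workflow described earlier, or the frequency analysis of your house just mentioned) can be automated: each bin's occupancy over time separates short bursts, the signature of a fob, sensor or remote, from a carrier that never drops, the signature of a jammer or stuck transmitter that a fox hunt homes in on. The same logic applies to the jamming demo later in the talk. The frames, bin spacing and 433.92 MHz centre are constructed sample values; the method assumes most of the scanned band is quiet most of the time.

```python
# Added example, not from the talk: classify what a sub-GHz waterfall is showing
# from per-frame power readings. Frames, bin spacing and centre frequency are
# constructed sample values; only the classification logic is the point.
import random
from statistics import median

CENTER_HZ = 433_920_000      # the channel used in the talk's demos
BIN_HZ = 25_000              # constructed bin spacing of the sample waterfall


def make_sample_frames(n_frames=40, n_bins=9, seed=1):
    """Constructed waterfall: noise around -95 dB, a carrier that never drops in the
    centre bin, two three-frame bursts in bin 6 and a single one-frame burst in bin 2."""
    rng = random.Random(seed)
    frames = []
    for t in range(n_frames):
        frame = [-95.0 + rng.uniform(-2.0, 2.0) for _ in range(n_bins)]
        frame[4] = -60.0                                   # continuous carrier on 433.92 MHz
        if t in (5, 6, 7, 20, 21, 22):
            frame[6] = -65.0                               # remote-like: keyed twice, briefly
        if t == 12:
            frame[2] = -70.0                               # one-shot beacon, e.g. a sensor
        frames.append(frame)
    return frames


def noise_floor_db(frames):
    """Median of every sample in the capture. Robust as long as most of the band is
    quiet most of the time, which is the assumption this example makes."""
    return median(p for frame in frames for p in frame)


def occupancy(frames, bin_idx, floor_db, margin_db=10.0):
    """Fraction of frames in which the bin is above floor+margin, and how many
    separate bursts (rising edges) that activity consists of."""
    hot = [frame[bin_idx] > floor_db + margin_db for frame in frames]
    bursts = sum(1 for i, h in enumerate(hot) if h and (i == 0 or not hot[i - 1]))
    return sum(hot) / len(hot), bursts


def classify(frames, bin_idx, floor_db, continuous_threshold=0.9):
    """'quiet', 'bursty' (fob, sensor, remote) or 'continuous carrier' (jammer,
    stuck transmitter, or a legitimate always-on emitter worth identifying)."""
    occ, bursts = occupancy(frames, bin_idx, floor_db)
    if occ == 0:
        kind = "quiet"
    elif occ >= continuous_threshold:
        kind = "continuous carrier"
    else:
        kind = "bursty"
    return kind, occ, bursts


def scan_report(frames, center_hz=CENTER_HZ, bin_hz=BIN_HZ):
    """Map each non-quiet bin's centre frequency in MHz to (kind, occupancy, bursts)."""
    floor = noise_floor_db(frames)
    n_bins = len(frames[0])
    report = {}
    for b in range(n_bins):
        kind, occ, bursts = classify(frames, b, floor)
        if kind != "quiet":
            freq_mhz = round((center_hz + (b - n_bins // 2) * bin_hz) / 1e6, 3)
            report[freq_mhz] = (kind, occ, bursts)
    return report


if __name__ == "__main__":
    for freq, (kind, occ, bursts) in sorted(scan_report(make_sample_frames()).items()):
        print(f"{freq:.3f} MHz: {kind:18s} occupancy={occ:.2f} bursts={bursts}")
```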
They will find you, they will report you, and it may not be the FCC. If you're interfering with government, federal- or state-level equipment, it may be the FBI, so just be careful when you're dealing with these things.

Let's talk about signal analysis. There's a way that you do this. If you pick up a key fob or a remote control, anything that's supposed to have some kind of capability to transmit, it'll have an FCC ID. You can look this up on the FCC's website. When you look up that ID you'll find the operating frequency, you'll find a whole bunch of different engineering and technical information about it. You can do a lot of this stuff yourself if the FCC ID isn't giving you what you need: you can use some equipment like what I showed you to demodulate a signal and you could figure it out. Well, what is this? Is this digital mobile radio? Is this a satellite signal? Is this encrypted, or is it just, you know, encoded into something? Is it video, is it audio, is it Morse code? Demodulation is a crapshoot, but eventually you learn to look at that waterfall and you can identify what the signal is just by what it looks like visually. Sometimes it's a lot simpler than that: you look at something, it's a big fat red and yellow bit inside of your waterfall, you go and you point to it and you start hearing people talking. Okay, I know what that is, it's audio. You know, sometimes it is that simple; other times it could be some weird protocol that no one's ever heard of that's proprietary, and then you've got your work cut out for you.

I decided to start with these alarms. They're available on Amazon, they're very cheap. I bought a bunch of them because I like to install them on cabinets or doors or whatever if I'm traveling somewhere and I'm going to be away but I want to have some kind of, like, an audio deterrent for robbers. I'll put this on a door, like a hotel door, whatever. If the magnets of this unit get more than a centimeter apart, it'll be loud. It'll be as loud as this. I had this inside of a Pelican case; if I took it out it would be so loud that everybody would hear it. It's a pretty good deterrent, I like it. I got this and I'm like, you know what, let's play with it, let's try to figure out what's going on. It has no encryption, it's got no rolling codes, it's nothing. I can play around with this and I can do all kinds of really neat demos. Right now, as soon as I opened it up, all I found was what I expected to find from something that is mass-produced and drop-shipped: no FCC ID, nothing. I had nothing to go on, so I had to go and I had to manually get a spectrum analyzer, something like this, and I had to keep on pushing this button, keep on pushing it, keep on pushing it, and keep on looking at my waterfall to see when the heat map was going to change. And so I eventually did that, and I used a Flipper Zero to do it.

So now we're going to demo a signal replay. Signal replays are pretty good. Normally I would do this live; I still actually might do this live, I don't know. But essentially what you're doing is: this is qFlipper. qFlipper is a graphic user interface that you can use for your Flipper Zero. I'm using the stock Sub-GHz, or actually in this case it's Momentum, but it's the same as the stock. You can go to Read RAW, and if you program in the frequencies correctly, you can play that frequency and you can record it. So that's what I'm doing over here. Now I'm going to stop it there, because now you know what the basics are, but I would rather demo it for you because I think that's way better. So here we go. This is me, live, going at the start, going into Sub-GHz, and now I'm going to read a raw signal. This is that signal; this is going to be the unlock code for that alarm. Everybody hears that. I'm going to read it, and there it goes. There you go, there it is, picking it up. I'm going to move it a little bit closer, it's picking it up even better. I'm going to move it far away, and it's picking it up about the same. But that's basically it. Now I'm replaying it. Flipper Zero was able to record it, no sweat, and then replay it. That's how much no encryption and no encoding this thing has, so it's a whole lot of fun to play with.

Now, moving right along, some of you are probably already thinking this, but if you can record a signal and play it back, then can you possibly DoS a signal like that? And the answer is yes. I'll let
your mind run wild with the tactical implications of something like this, but while it's running wild, we're going to do a demo. So I'm going to go back to SDR Angel, I'm going to turn it on. Now, I'm going to use my HackRF, the Flipper Zero and SDR Angel, and my target device is going to be this same alarm. So as soon as I get this started, I'm going to play the RTL-SDR here. Sometimes it's got to be refreshed, so I'm going to do that. All right, refresh. All right, here you go, play that signal. It resets to 435, that's why you didn't see anything; let's get that back, 433.92. There it is. God, that's an ugly signal, but anyway. Now I'm going to generate that same signal with my HackRF. I'm going to show you just how little power it takes to disable an alarm like this. Why would you want to disable an alarm like this? I don't know, I'm not going to say it, don't make me say it. There you go. Now you see the signal. You see that it's a little bit off; that's because radio is not an exact science, but we're still going to work with it anyway. Now I am generating that signal, so if I play this, the signal is not strong enough to interfere, so you still hear it. But what if I amplified it a little bit? That's not working either. What if I gave it a little bit more horsepower? Uh-oh, let's dial that down just a little bit. You can still see the signal from the key fob, or the alarm fob, but it's just not reaching the unit. Dumb it down a little more, a little more, there we go. So we kind of found our power threshold. I can sit here and, like, have you guys give me wild guesses on how this could be useful to an adversary. You know, let's say that I wanted to disable transmission capabilities for key fobs for a parking lot for a US embassy somewhere, or maybe the US does that to a foreign adversary's embassy; maybe there's critical infrastructure somewhere that we want to disable; maybe there's a communications network we want to disable. This is jamming, this is denial of service, and this is how we do it. I was just able to disable an alarm. It took a little bit of work, but I did it. Not every alarm is that unsophisticated, but with the right know-how you can do the same exact thing. All right, let's stop these, because somebody somewhere is having trouble with their pacemaker and I don't want any of that shade on me.

So I'm going to demonstrate this now with a car. Modern cars, maybe not, because some of them use frequency hopping, but old cars, most definitely. So this is me doing the same exact thing, and I'm disabling the capability of me being able to unlock this Tacoma. So you see the lights are going and you see the waterfall is registering; you can see the signal over there. Now, as soon as I turn that signal up, so I generate the DoS signal from the HackRF, and then you can see that I'm turning up the power just a little bit, and now I'm pushing the button and you see no lights, nothing. Nothing is happening. I just DoS'd the car, I DoS'd that key fob. Really unsophisticated kind of attack, but it's something that you can do in somebody's driveway to mess with them. Yeah, ha ha, funny. Don't do it to a cop, don't do it to the local sheriff. Ask me how I know. But yeah, that's basically it.

So now that we've seen what a Flipper Zero, what an RTL-SDR can do, what a HackRF can do, there are a lot more possibilities. If I wanted to have wideband spectrum analysis because I was doing some EPB or I was doing some IPB, I can get something like a tinySA Ultra, which gives me a much wider field, a much wider waterfall than any of this software would be able to do. Then I would be able to, like, take from, say, 300 MHz up to 800 MHz and just look at that and see where the spikes are, and then I'd be able to drill down. If I want to do direction finding, there's an SDR for that. The KrakenSDR has, depending on the model, anywhere between five and six different antenna ports, and if you position these antennas all along a line and you receive a signal, then you can basically direction-find (via, you know, for your eyes it'd be parallax, but via antennas it's triangulation) where the signal source is coming from. Professionals use this to find signals. It's right there, you can buy one. If I wanted to simulate a cell phone station somewhere, who would want to do that? I can use a bladeRF. You can go to GitHub and you can get the software; it's as easy as that, takes a couple hundred dollars. If I wanted to spoof GPS signals, let's say that Grandma's plane finally landed, she rented a car, now she's driving to your house. Let's say you're not happy about that. You can set up a LimeSDR or a HackRF on the side of the highway with the right software and the right amount of power, spoof GPS to make Grandma think she's in Thailand, and you've just bought yourself another hour. So, what I consider Wi-Fi to be is one of those
cool software defined radio targets that everyone overlooks because there are much better things you can do to mess with Wi-Fi but what I have on the desk over here you can definitely mess with Wi-Fi who here has ever messed with Wi-Fi with a flipper zero oh a few people okay this is what we're going to do with a flipper zero that has a Wi-Fi Dev board and I I couldn't live demo this because then I'd interfere with the facilities WI Wi-Fi but you can set this up with a gpio board that contains you know the right kind of software to demodulate 2.4 GHz you can set up your own little test router and if you have a mobile phone
that you can use to be the victim then you can do your own deauthentication attack this is how I did that in video form with a flipper zero you go to your gpio settings and you go to your uh esp32 board I'm using Wi-Fi Marauder so I'm picking that then the first thing you do is you scan for the access points you collect all those access points you stop the collection then the next thing you want to do is go and list which access points you collected give it a couple of seconds you'll soak up however many happen to be in your area so here I found one that I want to mess with I'm going down to list AP and which
one is oh it's a trap that looks good that's selection number one so maybe I'll pick that one so I go back and I select my AP I am selecting number one then I hit save and then I go back so now I have my target access point next thing that I want to do is send de off packets but before you can send a doo packet you have to start collecting those packets or you'll send Deo and you're just not collecting anything if you're not collecting anything then a dooth packet it's not going to give you um any of the encrypted credentials that you're looking the crack so first you have to go to sniff and then I go to
sniff raw this this allows me to get everything not just a Deo packet because it's a little bit finicky if you try to go a little bit too specific now that I'm sniffing I send my do off packets stop the do off and now that I'm collecting I'm getting the de off packets and then if the endpoints on this router have a setting to reconnect to the access point then as soon as I de off it then it's going to want to come back when it comes back I can collect my four-way handshake now I've done that there's my file so I'm going to take my file I'm going to download it onto my desktop and then bam I can do whatever I
want with it I can analyze it with wire shark I can possibly open up Cali Linux and do whatever I want with it but this is what it looks like right here this is this is what I did this is what I did with this flipper zero that the airport just kind of let me through with so it's pretty badass I like it so what can you do with something like that well now that you have that packet you can analyze it to see if you got those four-way handshakes they're called EA pole packets so extensible Authentication Protocol over Lan these packets are what's going to contain your encrypted password and whenever you're trying to crack Wi-Fi this is what
you're looking for I would crack it I would say that's beyond our scope but I feel like we have a few minutes to do that so let's do it so again couldn't do it live but this is just me demonstrating how to do it on Linux this is how I'm using that um that peap file that I just got I am going to use all the stock stuff that you would find on Cali I'm going to use a modified Rock you. text file that has all these passwords on it we're going to do the crack you're going to see it happen and while it's happening um I could explain some other cool things you can do with
SDR actually I'll explain one other cool thing you can do with SDR with the right kind of antenna and in this casee it would be like a helix antenna you could pick up satellite signals I was able to pick up the International Space Station while they were sending down recorded video and with ar with an rtlsdr and an antenna that looked kind of like a double helix I picked up that signal and I was able to use the right kind of software to demodulate it and then I got that full motion video and I was able to show it to a group of high school kids they were like wow this is awesome I was
afraid that they were going to say if you can do that what else can you do because then they would come to this talk they would see all this other crap you don't want high schoolers running around with a hack RF it's it's just not advised you know and here we cracked the password there it is so it's a trap is veritos one now I got to go change my password on everything so that's it we did a little bit of passive capture using a radio we did a little bit of active capture for offense you know and that's you know listening into Chick-fil-A or recording signals and replaying it because Electronics equals intelligence in my book we did some active emission
for defense in this case you are looking at um jamming signals that might be offensive in in nature like say you have an adversary team that's moving in you jam their radio their comms are down if they depend on their radio they don't know how to use hand signals they're done you got the upper hand and we use some active emission for offense which is cracking a password so just really simple things that we can do with commercial off-the-shelf stuff and we ran the gamut of what a military team would need if they on the ground so this is my question slide now I'm going to make it big I dare you guys to do a QR code scan
I dare you. Questions?

So you mentioned picking up the ISS with the SDR. There are instructions, you can build a V dipole with coat hangers, and it's not great, but it works, if someone's on a budget.

Yeah, no, that's a really good thing. I've built antennas out of Christmas lights, out of coat hangers, whatever. If it's metal and it resonates and it's cut to the right size, the answer is yes, you definitely can do that. The thing about satellites is that if you're on the ground you can see what an antenna is doing, you can see how it's facing. This is a vertically polarized antenna, this would be a horizontally polarized antenna. For you to get the maximum gain when you're receiving or sending, you want to match the polarization. Satellites are too far away to see where their antennas are pointing, so if you do use a coat hanger you still want to try to make it a spiral or a helix, so when you're pointing it at whatever is transmitting you have a whole bunch of different parts of your antenna that are going to, at some point, match the polarization of the antenna of the satellite. That's why you'd want to use a helix. Other questions? Yes, sir.

What's the cost on the spectrum analyzer, and do you have a recommendation for a model?

I lost my hearing in the war, can you repeat that a little louder? Hang on, so sorry about that.

No, no worries. Do you have a recommendation for the spectrum analyzer, and what's the cost on that?

Okay, so my recommendation, if you're serious, is the tinySA Ultra, and that's something that I had on the "nice to have" slide. You're looking at maybe between $150 and $180 to buy one. It's really small, it's a small screen, which sucks, but if you have good eyesight or if you're able to use a magnifying glass you can see some good detail. But that's okay, because all you're looking for is where a spike is, and then you can zoom in on that and you can demodulate from there, or you can at least see what the signal looks like, you can see the frequency, and then you can get more sophisticated equipment to pick up that frequency. That's what I would recommend, if for nothing else than the tinySA Ultra is able to collect on an extremely wide band, so you can collect on anything from 10 kHz up to 1 GHz. You'll see a ton of things, but you can do that. If you're less serious about it, a Flipper Zero has a frequency analyzer and a spectrum analyzer that can do the same thing. If you're even less serious, this RTL-SDR, and I can unplug it now, my demos are over, this RTL-SDR with any antenna, the antennas that come with it, which are just telescoping aerial antennas like rabbit ears or something like this, and the right kind of software, whether it's SDR#, or GNU Radio, or SDRangel like I was using, you can do the same exact thing. You can read those frequencies, it's just a matter of what kind of nice-to-haves you want. But going from most expensive to least expensive: tinySA Ultra, Flipper Zero and things like that, and then RTL-SDR. Does that answer your question? Cool. Yes, sir.

Thank you, great presentation. I had a question regarding the Wi-Fi attack. Two questions: one is, how do you detect it, and I assume it might be logs, but then the second is, how do you defend against it? Are there any options to defend?

So yeah, unfortunately radio is inherently indefensible. It's not like a wired network, you know, there's no firewall for over-the-air signals. So the way that I would detect it, if I had a Flipper Zero with a GPIO board like an ESP32 chip, it would just be doing how I demoed it: I would go to AP Scan and I would just scan all the access points, and then from there, because a Flipper Zero's screen is so little, I would take that and I would dump that file, because it's going to record a sniff file, I would dump that onto my desktop and then I would open it up with Wireshark or some other packet analyzer, and that's what I would look for. If I didn't have a Flipper and I had something like a HackRF, if I were using the right antenna, like an Alfa card or something, then I can use a HackRF, I can use an Alfa card, and I could record that way. If I had just a laptop and an Alfa card, then I can use something like Kismet, or even just aircrack-ng, that's sweet, and I can detect APs that way. There's so many different ways to do it; it really just depends on what kind of antenna you're using, because radio is finicky like that. I can't use a sub-GHz antenna for something that's over 1 GHz, it won't pick it up the right way. But those are the methods that I would use.

For defense, your best defense is to make sure that your security is on point. The way that I was able to collect packets and deauth them and then get the EAPOL packets and then crack the password was because the security on that was WPA2 and the password was weak. If you're using WPA2, make sure that your passcode, your passphrase, your password is long, it's complicated, not something I'd find in a dictionary, and it's something that you'd be able to remember, because if someone keeps on forgetting the password they're going to browbeat you into making it simple, you know. Don't listen to Grandma, listen to the security. Another good one is WPA3. If you don't use WPA3 on your access points, use it now. WPA3, that security protocol, that standard, transmits four-way handshakes that contain encrypted passwords as a completely encrypted packet, so Wireshark or whatever wouldn't be able to see that it's an EAPOL packet; I would know which packets to try to decrypt. That's the cool thing about that. There are attacks that would downgrade that, like the Dragonblood attack, and it's basically just like an evil twin attack, you know, where you pretend to be the same access point and you make people log on to you, and then suddenly you're using WPA2 when you start capturing everything. Look it up, it's a really cool technique. But from what I was doing, without doing anything more special, WPA3 would defeat that, and a long, complicated, unique, not-in-a-dictionary password would defeat that too. Other questions? All right, nothing seen. Thank you so much, you guys, I really appreciate it.
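Editor's note, added after the transcript: the following is a worked example written for this page, not code from the talk, from Wi-Fi Marauder or from aircrack-ng. It does offline what the speaker does by eye in Wireshark, and answers the Q&A detection question in code: it walks raw 802.11 frames, counts deauthentication frames per BSSID to flag a deauth flood, and classifies pairwise EAPOL-Key frames into four-way handshake messages 1 to 4 to decide whether enough of the handshake was captured to attempt an offline dictionary crack (message 2 for the client's SNonce and MIC, plus message 1 or 3 for the AP's ANonce). The sample frames are constructed inline rather than read from a real pcap; the code assumes plain 802.11 frames with no radiotap header and no trailing FCS, and the flood threshold of 10 frames is an arbitrary assumption.

```python
import struct
from collections import Counter, defaultdict

# Constructed sample addresses (not from any real capture).
AP = bytes.fromhex("020000000001")   # BSSID of the target access point
STA = bytes.fromhex("020000000002")  # the client being deauthenticated

LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header, EtherType 0x888E (EAPOL)

# EAPOL-Key "Key Information" values for the four pairwise handshake messages
# (descriptor version 2, Pairwise bit set; see IEEE 802.11 12.7.2 for the bit layout).
KEY_INFO_M1 = 0x008A  # Key ACK
KEY_INFO_M2 = 0x010A  # Key MIC
KEY_INFO_M3 = 0x13CA  # Install, Key ACK, Key MIC, Secure, Encrypted Key Data
KEY_INFO_M4 = 0x030A  # Key MIC, Secure


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def mgmt_deauth(dst, src, bssid, reason=7):
    """Build an 802.11 deauthentication frame (type 0 management, subtype 12)."""
    fc = struct.pack("<H", 0x00C0)
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + struct.pack("<H", reason)


def eapol_key(key_info, replay):
    """Build an EAPOL-Key frame (RSN descriptor) with zeroed nonce, IV and MIC and no key data."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay) + bytes(32 + 16 + 8 + 8 + 16) + b"\x00\x00"
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL version 2, type 3 = Key


def data_frame(to_ds, a1, a2, a3, payload):
    """Build a non-QoS 802.11 data frame carrying an LLC/SNAP-encapsulated EAPOL payload."""
    fc = struct.pack("<H", 0x0008 | (0x0100 if to_ds else 0x0200))
    return fc + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + LLC_SNAP_EAPOL + payload


def build_sample_capture():
    """Constructed capture: a deauth flood spoofing the AP, then the client's reconnect handshake."""
    frames = [mgmt_deauth(STA, AP, AP) for _ in range(12)]
    frames.append(data_frame(False, STA, AP, AP, eapol_key(KEY_INFO_M1, 1)))  # AP -> STA
    frames.append(data_frame(True, AP, STA, AP, eapol_key(KEY_INFO_M2, 1)))   # STA -> AP
    frames.append(data_frame(False, STA, AP, AP, eapol_key(KEY_INFO_M3, 2)))  # AP -> STA
    frames.append(data_frame(True, AP, STA, AP, eapol_key(KEY_INFO_M4, 2)))   # STA -> AP
    return frames


def parse_frame(buf):
    """Describe a frame as a deauth or a pairwise EAPOL-Key message; None for anything else."""
    if len(buf) < 24:
        return None
    fc, = struct.unpack_from("<H", buf, 0)
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = buf[4:10], buf[10:16], buf[16:22]
    if ftype == 0 and subtype == 12:
        return {"kind": "deauth", "bssid": mac(a3), "src": mac(a2), "dst": mac(a1)}
    if ftype != 2 or (to_ds and from_ds):
        return None  # not a data frame, or a WDS frame we do not handle
    hdr = 24 + (2 if subtype & 0x8 else 0)  # QoS data subtypes carry a 2-byte QoS Control field
    bssid = a1 if to_ds else a2 if from_ds else a3
    sta = a2 if to_ds else a1 if from_ds else None
    if sta is None or buf[hdr:hdr + 8] != LLC_SNAP_EAPOL or buf[hdr + 9] != 3:
        return None
    key_info, = struct.unpack_from(">H", buf, hdr + 13)
    pairwise, install = key_info & 0x0008, key_info & 0x0040
    ack, mic, secure = key_info & 0x0080, key_info & 0x0100, key_info & 0x0200
    if not pairwise:
        return None  # group key handshake, no use for recovering the PSK
    if ack and not mic:
        msg = 1
    elif ack and mic and install:
        msg = 3
    elif mic and not ack and not secure:
        msg = 2
    elif mic and not ack and secure:
        msg = 4
    else:
        return None
    return {"kind": "eapol", "bssid": mac(bssid), "sta": mac(sta), "msg": msg}


def analyze(frames, deauth_threshold=10):
    """Flag deauth floods per BSSID and report which handshake messages each (BSSID, STA) pair yielded."""
    deauths, handshakes = Counter(), defaultdict(set)
    for buf in frames:
        f = parse_frame(buf)
        if f is None:
            continue
        if f["kind"] == "deauth":
            deauths[f["bssid"]] += 1
        else:
            handshakes[(f["bssid"], f["sta"])].add(f["msg"])
    report = {"deauth_floods": {b: n for b, n in deauths.items() if n >= deauth_threshold}, "handshakes": {}}
    for key, msgs in handshakes.items():
        # Offline cracking needs the SNonce and MIC from M2 plus the ANonce from M1 or M3.
        report["handshakes"][key] = {"messages": sorted(msgs), "crackable": 2 in msgs and bool(msgs & {1, 3})}
    return report


if __name__ == "__main__":
    result = analyze(build_sample_capture())
    print("deauth floods:", result["deauth_floods"])
    for (bssid, sta), info in result["handshakes"].items():
        print(f"{bssid} <-> {sta}: messages {info['messages']}, crackable={info['crackable']}")
```

To run this against a real capture, strip the pcap and radiotap framing first (for example by iterating a pcap with a library of your choice) and feed the bare 802.11 frames to `analyze`; a production detector would also rate the deauth count over a time window rather than over the whole file, since a dozen deauths spread across a day is normal roaming while a dozen in one second is an attack.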