
Fun. Hello, everybody, and thank you so much for showing up today. My name is Lev Malusian and I've recently been employed as a staff training lead at Project Empower, but that's already too much about me; let's get to what you're looking at. In case you haven't figured it out yet, today I'm going to be discussing microcontrollers, deauthenticators, and this crazy new thing you probably haven't heard about yet: artificial intelligence. This presentation will go in depth into Wi-Fi deauthenticators, following my project of actually making one, as seen right here, and how AI tied into this project.

So let's get started with what a deauther even is in the first place. Well, to understand what a deauther is, we need to first understand how it is that routers communicate, and to do so they use what are called data packets, which there's a great picture of right below, right there, which transport these frames, such as the deauthentication frame as the payload right there, which is simply a request to disconnect. Deauthenticators exploit this frame by spoofing an IP address and sending packets containing deauthentication frames, which in turn repeatedly ask to disconnect from the router while pretending to be the device that's connected to the router, which means that basically this disconnects all the devices that are connected to a router. Because of this, from the user's standpoint it looks like their internet connection just suddenly stopped working, as it tends to do. So why is this beneficial to hackers? Simply disconnecting a user might seem like just a harmless prank to play, but this can be exploited much further, as discussed later.

First though, why not check out how it works? So right here is the deauther. Let me switch over to my camera. Oh, I didn't switch my camera, so let me switch the camera. There we go. And right here is the deauther, and we can see that I can scan all the networks around, which shouldn't take longer than a couple of seconds. There we go, so I overestimated the speed, but here it is and it is all done, and now we can select a network. So let's go to APs and go to my network, and then go back and go to Attack. Now we can launch the deauthentication attack, but this isn't going to work because my router supports both 5G and 2.4 GHz while this only runs on 2.4 GHz. But let's stop that attack anyway and go back to, you know, the rest of the presentation.

So now you might be asking, if you were there and you saw the actual thing go off: wait a minute, isn't that just a dumb Wi-Fi jammer? Wi-Fi jammers are still cool, you know; I mean, look at how sick that one right there looks, and so does mine. Jokes aside though, the difference between the deauther and a simple jammer conveniently makes one legal, or at least legal-ish, and the other illegal, and that difference is that Wi-Fi jammers indiscriminately create noise across a range of frequencies, blocking all communication within their radius. This lack of selectivity can lead to serious consequences, like, for example, preventing emergency calls, making them illegal in many places, yes, including the United States. But besides that, jammers also look awesome, like I just said; I mean, look at that, it's like a forest of jamming. But once again, so does this. Wi-Fi deauthers, however, are more precise in their approach: they allow you to target a specific network or even a single device by, once again, spoofing that device's or router's MAC address, or physical address, and then sending out the deauthentication frames from that device, but not really. But there is still an obvious catch: while owning a deauthenticator might be legal, its use is restricted, and you should only use it on networks and devices you own, and also always with caution. And of course, here's your little quick obligatory warning that unauthorized use is not only unethical but also illegal.

Moving on though, why would hackers deauthenticate? Well, while it may seem trivial at first, there are indeed a multitude of reasons for hackers to launch a deauthentication attack, and one example could be creating evil twin access points, or networks that appear as if they're the same one that you were on. Another great example is a WPA pass-cracking attack, which utilizes the handshake occurring when the user is reconnecting, as well as many different exploits that can be used through Wifiphisher, its logo seen up here. And not only hackers have utilized deauthenticator attacks; in fact, several hotels had actually gotten themselves into legal trouble with the FCC for using Wi-Fi deauthenticators in order to force users off of their free network and pay for their premium Wi-Fi. Hilton and Marriott, I'm sorry, that's something I thought there. But anyway, let's check out one of these reasons, which is WPA pass cracking.

But before we dive deep into WPA pass cracking, let's set the stage with a bit of background. In the vast realm of wireless security, WPA stands as a standard, so it's essential to understand its roots and variations, and as a side note, by WPA I do mean its entire nomenclature. So let's start out with WPA1, usually just referred to as WPA, which stands for Wi-Fi Protected Access. WPA was a badly needed standard patch rolled out to shield networks worldwide from the vulnerabilities of its predecessor WEP, and there were a lot of those vulnerabilities. While there are newer iterations like WPA2 and WPA3, each with their own set of cryptographic enhancements, they all do share a common DNA, if you will, and of course they all have their own Achilles' heels, especially when it comes to pass cracking, though the methods may vary slightly. But for our deep dive today we're going old school, focusing on the classic, the original, plain old WPA. This protocol, despite its age, still finds its place in many networks, and between you and me, our home router used just that until very recently. But anyway, now that we know that our discussion is still indeed relevant, strap in and let's get cracking. And yes, the pun was very much intended.

WPA password cracking typically starts by capturing a four-way handshake between a user and an access point, and just to quickly clarify for those that don't know, this handshake is simply the process of a user connecting to an access point or a network. And while this can be achieved by patiently waiting for a user to connect, there is a more fun approach to this: deauthenticating all users from the network with, oh, I don't know, maybe a barely working, shoddily soldered deauther you made in three days, which is held together with a literal hair tie. And now that you have a bunch of users reconnecting, initiating the handshake, see where this is headed? Once the handshake is in play, CLI tools like airodump-ng, or even more sophisticated packet analyzers like Wireshark, for example, come into the picture. These tools allow us to capture the handshake, which is then saved as a .cap file. Oh, and a quick fun fact: the .cap extension actually stands for capture packet. But here's where the magic happens: the actual cracking process involves generating a series of PMKs, or pairwise master keys, which are derived from a combination of a passphrase and the SSID, or the network's name. So using a wordlist, we can generate a bunch of these potential PMKs and then compare them against the captured handshake, and when a match is found, voilà, we've identified the passphrase. It's kind of like brute forcing, but with the added advantage that you don't need to be in the router's proximity, or even online, really. To exemplify why this would be used, say you have a crappy laptop with Wireshark and you managed to snag one of those PMKs from a router but don't have the ability to crack the hash locally. From here on, you can simply send it to a hash-cracking rig somewhere else, which is a machine specifically built to, well, crack hashes, and after a bit of cracking you'll get your password.

But this is starting to get incredibly wordy, so let me just recap this as a quick order of events. The user provides a passphrase to connect to the network, and then the passphrase and the SSID of the network are hashed together using a hashing function, in this case PBKDF2, which is unimportant, but this hashing function then hashes the passphrase and SSID combination 4096 times to produce a 256-bit PMK. This means that if we hash together the correct password and SSID, or network name, then we'll get an identical PMK to the one that was captured in the .cap file, and we can see this right here with the input of pass123 and OnePlus, which is my router name, having the output of this PMK. So from then on we can use a wordlist to make a bunch of these PMKs, as seen here at the bottom, with pass1 and OnePlus resulting in this key, pass2 and OnePlus resulting in that one, and so on and so on, until we get to the combination of pass123 and OnePlus, which would result in an identical key. However, there is a catch: this process can be time consuming, and it could take anywhere from a few minutes to several hours, all depending on, you know, the complexity of the passphrase, the size of the wordlist and your hardware. While it would be an easy way to lengthen my presentation time, I don't think it would be the most riveting spectacle for this esteemed audience, so let's get moving on with something else that's also fun: Wifiphisher.

Wifiphisher is a vast, streamlined framework of many, many, many different tools and techniques which deserve a presentation of their own, so I will try to narrow it down only to the tools that are directly applicable here, which are its phishing elements. Not only is Wifiphisher capable of creating evil twin access points, as discussed earlier, but it also has some built-in fake captive portals for these twin access points, with some generic excuses such as Wi-Fi logins, OAuth logins, etc. And in case you aren't familiar with captive portals, these are the web pages that are brought up when you connect to, say, Starbucks Wi-Fi, and then it asks you for your name, last name, email, postal code, social security number, you know, the normal stuff. But all we need to know about these captive portals, really, is that in our case they're simply asking for a password to the Wi-Fi again, and once this user inputs the password into the captive portal, it's game over: it gets redirected back to you and they keep surfing the web like nothing even happened. You can now use the same password, and in turn you've successfully completed an evil twin access point attack. Enjoy your access to the premium Wi-Fi. Oh, and no, please don't attack networks you don't own. But again, there's so much more to Wifiphisher, and this is just a really specific use case of it, and I highly recommend you take some time to look into it yourself if you are interested. And as a side note, thank you so much to Wikipedia for this incredible graphic demonstrating an evil twin access point attack, and let me just zoom in so you can all truly enjoy it. Just look at how beautiful that is: the jagged lines, the straight arrow, I mean, it's just, it's so beautiful, and the questionable-looking router.

But moving on to the elephant in the room, AI, and the development of, well, this. The process to create this ESP-based deauther was of course long and convoluted, given I had almost no experience with both... no, I had plenty of experience with both microcontrollers and deauthentication attacks, I was a professional in the field. But I will admit that AI such as ChatGPT greatly helped with this, and I don't think I could have done this project with... no, I could have done it without it, definitely, for sure. But, you know, the great thing with it is that it is perfect for asking those simple but niche questions, as well as cryptic errors that you just can't find on Stack Overflow. For example, earlier in the flashing process I received cryptic output which, funnily enough, expressed my thoughts quite accurately, with the output of question, pipe, question, exclamation point, question, question, and so on, and this would have most likely taken me hours to figure out pre-GPT, but with ChatGPT it instantly suggested that the improper baud rate may be the issue. And for those that are curious, baud rate is just the rate that information is being sent from the deauther back to my computer, or just any microcontroller, really. And again, it is important, though, to consider what the downsides of these language learning models are, which conveniently brings us to utilizing AI: the bad.

If you've ever worked in any form of customer relations, be it through tech support or even working for someone like a manager, you'll come to know that the last person to know what they want is in fact the customer, and during this project I was that customer. A good example of this could be the countless frustrating hours I spent with some kind of watchdog error which caused a single-board computer to restart every few seconds. This error was, stupidly enough, due to the fact that I was persistent that my board was a generic ESP8266 and not a NodeMCU board. So, note to anybody that, you know, has one of these and is going to try the same thing: it's a NodeMCU board, save yourself the time. This unfortunate lapse in judgment caused me and poor ChatGPT to spend a solid day trying to get around this without the watchdog, when in reality the problem was that the code was just getting compiled for a different board and I didn't need to do that.

But moving on to utilizing AI: the ugly. Although AI can be utilized to an extent in any field, it is important to consider its limitations. One of the biggest things to consider is how language learning models such as ChatGPT can't truly comprehend things and are catered towards simply coming up with plausible-sounding answers based on data scraped off of the web and exemplifying that data. Although this is greatly improved on in more modern models such as GPT-3.5 and 4, it does still show its prevalence, especially so if you've ever worked with the more outdated models through their API, or if you ask it if 450 is 90% of 500. However, the biggest issue with AI is its lack of privacy. While for small personal projects like this one it might not be the biggest issue, upscaling this to a company's cyber security rules could lead to some very interesting issues, as demonstrated in the Android ChatGPT data leak, where confidential source code was provided to ChatGPT three separate times in the span of one month, and when consulted about their AI retraining data to further train itself, they answered stating: your conversations may be reviewed by our AI trainers to improve our systems. So, you know, don't use it for confidential data, especially if your company has introduced one of these many new tools to avoid this, as seen right here. But you might have noticed that now we're moving on to... okay, so I didn't say any of this, I'm just going to restart this slide.

Defending against them: does AI come into play? You might have noticed that I had to use my phone hotspot for this exploit because I could limit it to 2.4 GHz, so you might be inclined to just get a 5 GHz router, right? Well, a Wi-Fi upgrade is always nice, but with all things tech, of course it can't be that simple, and it isn't. My deauther is only limited to 2.4 GHz due to the Wi-Fi chip it uses, and at this point there are several deauther softwares that can run natively on any computer, at least assuming the existence of a wireless adapter capable of monitor mode as well as packet injection, which, as a side note, isn't typical on an ordinary network card, but you can still find it on Amazon. And here comes the AI: some of the ways AI and machine learning algorithms could defend against deauth attacks are through pattern seeking and analyzing normal packet behavior of devices in order to single out rogue devices or fake access points with device profiling. Again, though, it's not even guaranteed if or how this AI IDPS, or artificial intelligence intrusion detection and prevention system, would even work, which brings us to the much simpler application of AI and ChatGPT, which is simply asking it how to update your router to the 802.11w standard, which protects against deauth attacks by using protected management frames, which encrypt all frames sent to and from the router, and this greatly defends against frame spoofing, such as the deauthentication frame spoofing, which is exactly what this uses, and in turn defends against that.

So, you know, the end, or at least for now. Thank you so much to everybody here today for letting me blab along to you. Oh, I can't see, I don't got any notes for this. So if anybody has any questions, please feel free to ask absolutely anything and I will try my best to answer, and if not, ChatGPT will. Any questions can go to skeptic septic1 gmail.com, and any and all questions at all, whether that be about the project or the process of making the project or the PowerPoint, you know, the presentation, any questions at all are welcome.

And if you are curious, I do have a short little quiz afterwards, and let's start off with: what does WPA stand for? If you want to go through it, just feel free to pause, because the answer is Wi-Fi Protected Access. Moving on to: which type of attack involves creating a network that appears as if it's the same one you were on? And the answer to this one is evil twin access point attack. And then: what does PMK stand for? The answer to this one is pairwise master key. And now for a bonus question: what does .cap mean? The answer to this one is capture packet.

As a legal disclaimer, anybody that receives the ESP8266, it's, uh, you know, just normal standard stuff, such as: side effects of using the ESP8266s may include, but are not limited to, seizure, death, rapid combustion, spontaneous human combustion, unspontaneous human combustion, the normal stuff. Uh, point is, I'm not liable for that.

Moving on, as one last thing, I just wanted to thank Project Empower, and if you did, well, somehow manage to enjoy listening to me speak about this stuff and have a kid or maybe a relative that you want to get into the field, there's a great opportunity to do so: boot them off towards Project Empower at Charlotte, which is an awesome volunteer group aiming to address the digital divide through coding classes for youth in grades three to eight at Charlotte at no cost, and the coolest part is that all the teachers there are fellow tech-aspiring teenagers in grades 9 through 12, just like yours truly. And if you would like to support them in any way, please reach out at projectempowerclt gmail.com, because they are in need of many basic supplies, as listed in the Amazon wishlist to the right, since most of their kids do come from underprivileged backgrounds. Thank you so much, and give yourselves a round of applause. Once again, I just want to say thank you very much to each and every one of you here, and I really do hope you learned something new from this; I know I did. And if there is anyone among you that would like to follow me on LinkedIn, seeing as I'm just such a popular figure in the cyber security world, this QR code right here will take you there. Thank you so much.
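As an added example (not the speaker's code) of the PMK recap in the talk: the WPA-Personal derivation, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, 32 bytes, and the wordlist comparison in the talk's simplified model, which assumes a reference PMK is at hand. The wordlist is constructed and the reference value is the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"); a real capture holds no PMK, so real tools verify candidates through the derived PTK and handshake MIC, which is not implemented here.

```python
import hashlib
import hmac
from typing import Iterable, Optional

PBKDF2_ROUNDS = 4096   # iteration count fixed by the 802.11 standard
PMK_LEN = 32           # 256-bit pairwise master key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).

    The SSID is the salt, so the same passphrase yields a different PMK on
    every network name; any precomputed table is only valid for one SSID.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN
    )


def find_passphrase(reference_pmk: bytes, ssid: str,
                    wordlist: Iterable[str]) -> Optional[str]:
    """The talk's simplified model: derive one PMK per candidate and compare it
    with the reference PMK. Returns the matching candidate or None."""
    for candidate in wordlist:
        if hmac.compare_digest(derive_pmk(candidate, ssid), reference_pmk):
            return candidate
    return None


# Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
IEEE_TEST_VECTOR_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
)

# Constructed wordlist (an assumption), standing in for the file-based list the talk mentions.
SAMPLE_WORDLIST = ["pass1", "pass2", "letmein", "password", "pass123"]


if __name__ == "__main__":
    hit = find_passphrase(IEEE_TEST_VECTOR_PMK, "IEEE", SAMPLE_WORDLIST)
    print("recovered passphrase:", hit)
    # Same passphrase, different SSID: the PMK changes because the SSID is the salt.
    print("SSID acts as salt:", derive_pmk("password", "IEEE") != derive_pmk("password", "OtherNet"))
```

Every candidate costs 4096 HMAC-SHA1 rounds, which is why the talk's "minutes to hours" depends on wordlist size and hardware, and why a long passphrase that is not in any wordlist is the user-side defence.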
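As an added example (not from the talk) of the "analyzing normal packet behavior" defence the speaker mentions: a sliding-window detector that flags a transmitter address sending deauthentication frames far faster than any real access point does, which is the rate signature a deauther leaves on the air. The frame records are constructed (time, frame subtype, transmitter, receiver), not a real capture, and the window and threshold are assumed values to be tuned per network.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

DEAUTH = 0x0C   # 802.11 management frame subtype 12: deauthentication
BEACON = 0x08   # subtype 8: beacon, normal AP chatter the detector ignores
BROADCAST = "ff:ff:ff:ff:ff:ff"

Frame = Tuple[float, int, str, str]   # (time_s, subtype, transmitter, receiver)

# Constructed sample, not a real capture: one beacon, one ordinary deauth,
# then a burst of 40 broadcast deauths in 0.4 s carrying the AP's address.
AP = "aa:bb:cc:00:00:01"
SAMPLE_FRAMES: List[Frame] = [
    (0.0, BEACON, AP, BROADCAST),
    (0.5, DEAUTH, AP, "de:ad:be:ef:00:01"),
] + [(5.0 + i * 0.01, DEAUTH, AP, BROADCAST) for i in range(40)]


def detect_deauth_flood(frames: List[Frame], window_s: float = 1.0,
                        threshold: int = 20) -> List[Tuple[float, str, int, bool]]:
    """Flag a transmitter whose deauth count inside a sliding window reaches
    the threshold. Returns (time, transmitter, count, saw_broadcast), one alert
    per transmitter; broadcast deauths are noted because a legitimate AP rarely
    kicks every client at once."""
    recent: Dict[str, Deque[Tuple[float, bool]]] = defaultdict(deque)
    alerts: List[Tuple[float, str, int, bool]] = []
    already: Set[str] = set()
    for t, subtype, tx, rx in sorted(frames, key=lambda f: f[0]):
        if subtype != DEAUTH:
            continue
        q = recent[tx]
        q.append((t, rx == BROADCAST))
        while q and t - q[0][0] > window_s:   # drop frames outside the window
            q.popleft()
        if len(q) >= threshold and tx not in already:
            alerts.append((t, tx, len(q), any(b for _, b in q)))
            already.add(tx)
    return alerts


if __name__ == "__main__":
    for t, tx, n, bcast in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"t={t:.2f}s deauth flood from {tx}: {n} frames in window, broadcast={bcast}")
```

Enabling 802.11w protected management frames, the fix the talk points to, makes spoofed deauths fail verification; a rate detector like this is for the networks and clients that cannot use it yet.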