
Long Range WiFi Magic by Alex Farrant

BSides Cheltenham · 2022 · 22:38 · Published 2022-07

Right, hello all. I'm Alex Farrant. I'll be giving you a talk about radio stuff for a change, a bit by myself. I've worked in radio for over 20 years. Started out in electronic warfare in the forces, then became a security researcher with these characters in the corner over at Context, and then in the last few years have been doing my own company over in Barnwood. We do propagation modelling, which is very niche, and you'll be pleased to know there's only a very small amount of that in this presentation. This presentation is not a sales pitch for my company; it's about the theory behind Wi-Fi and how it's used in the context of penetration testing, or how it's not used, more to the point.

So the title: Long Range Wi-Fi Magic. Magic is a word I used to hear banded around by pen testers when they would try to articulate how radio works; they just say it's magic. It's interesting because it is complicated, it is hard, and what I want to do is try and boil that down into something that's applicable, something that's practical, rather than just lots and lots of theory that makes people switch off.

Okay, this is my opinion, trigger warning, of a typical Wi-Fi assessment as performed by a pen testing firm. It's always premises, key point. It's easy to scope: guest network, corporate network, copy, paste. Light touch on layer one. By layer 1 I mean the physical aspects of frequencies, power, coverage, modulation; that will get a very light mention in the report. Most of the report will be higher up the stack: it will be talking about your RADIUS, about your rubbish pre-shared key, about the rubbish guest network. There's always issues on the guest network. They always get implemented with the best of intention. I can see some people giggling already. They always get implemented with the best of intentions: let's have a guest network for our guests, good idea. There's churn in the company, people move on, new people. Let's have a Grafana dashboard so we can see our guests logging on, and before you know it your guest network's no longer segmented; it's just your corporate network under a different name. So the Wi-Fi tests normally bear fruit, I think it's fair to say. There's normally issues and they're normally the same issues. But I'm not aware of many people doing these tests from beyond the premises, doing it from another premises, doing it across the road, simulating a hostile actor targeting that business in the same way that Walmart was targeted with a long-range Wi-Fi hack years ago. Don't know if any of you remember this one. It's a long-range hack on Walmart and it was delivered from the car park. Walmart car parks in the States are vast, and so it's delivered with a directional antenna over some time. It wasn't done in half an hour; it was delivered in stages over many weeks, and it was delivered from an extreme distance.

Okay, the legal bit. This is just a 20-minute presentation so I'm just going to skirt over this. Right, US power limits in the UK. I've seen this a few times with pen testers who say, "Oh, I've got this great gadget off Amazon, it's really powerful." Okay, just because it's on Amazon doesn't mean it's fit for use in the UK. The limit in the UK is 20 dBm, which is 100 milliwatts. If you're in America, 30 dBm, so one watt. Okay, that's 10 times more powerful. So if you're using US equipment with US power limits in the UK you're actually in breach of Ofcom regulations, because this is a different ITU region. They're not going to come after you; they only come after people when there's a lot of complaints, as happened in a valley in Wales a couple of months ago. There was an old lady with a TV and it was malfunctioning, and it was killing everybody's Wi-Fi in this valley. Enough complaints reaches a threshold, Ofcom start sending vans out, but their resources are very limited.

Anyway, saving a pcap. A lot of people are guilty of this. Everybody likes Wireshark; I love Wireshark. Running a pcap, yes. Running a pcap and saving it whilst in monitor mode, as Google did years ago with Street View: they got sued, they paid millions for doing that, and that's interception. That's saving off other people's information, saving off the content, so you don't do that. That's bad. There's a little asterisk: unless you're doing this in a controlled environment or have a warrant. Okay, most of you don't. A controlled environment, and that's doing it in a box. So you get a big Ramsey box, costs a couple of thousand pounds, and you can do what the hell you like inside that box. Okay, recording baseband with an SDR. So by baseband we mean just opening up the SDR and just recording everything, even if the signal is encrypted. So if you tune this over to LTE 800 and record it all, even if you think, "Oh, that's encrypted," that's interception, because you might be able to decrypt that at a later date in the future. So you don't do that. It'll also fill up your disk, because baseband's massive.

But it's not all bad. I want people to be empowered to know what is good, what they can do, because this isn't about beating people with a stick, it's about education. So scanning the ISM bands, which are designed for innovation, they're designed for people to work in at low cost without a licence: that's good. Testing a network's security with permission, obviously, same as a wired network: yep. And applying antenna theory to use a network at long range, hence the subject of this talk: that's very good. You don't need to use 30 dBm of power; you can use low power. You just apply theory to stay within the law but also access that network from a very, very long way away.

Okay, I don't know how well you can see those pictures there, but this is a comparison of what's possible versus what's practical. Some chaps up a mountain here with a giant parabolic dish, and they're working a Wi-Fi link over 300 kilometres. Now that's an incredible headline, it's great for publicity, but it's not at all practical. You require a lot of equipment, a lot of expertise, but more importantly you require a mountain, because 300 kilometres, you think of the Earth's curvature, 300 kilometres, that's several hundred metres of gain in height. You need a mountain in order to achieve that line of sight. So in one respect it's impressive and in another it's actually not that impressive. What's more practical is a cantenna. So that picture there is just a tin can plugged into a sort of 20 pound Alfa card, and that gives you 12 dBi of gain. 12 dBi of gain will get you a long way. So cantennas were all the rage years ago. You can still buy them now. I recommend you make one, because it's a really good exercise in recycling but also antenna theory, because you will be using antenna theory in order to make that cantenna good. You can't just shove an Alfa card into an antenna and hope it's going to be good; you have to put it in at exactly the right distance in order to achieve the optimal wavelength. But with a good antenna you can get a couple of kilometres.

Right, this question is why I have a business: how far? Okay, how far will my signal go? It's a "how long is a piece of string" question. It varies not just by the hardware, it varies not just by the environment, varies by the time of day, varies by the season. Okay, some of it is obvious, so height, obstructions, local noise. Some not so obvious: windows. Windows is a big topic. I often get lots of emails about windows and glass and coatings in my inbox. Windows and glass have become incredibly complicated in the last few years. Glass is much more efficient, has many more layers than it used to. The net result is that for a Wi-Fi signal or a 5G signal, going through a glass window is much more complicated now. If you hit it perpendicular, straight on, you will sail through the glass with a cost of a couple of decibels. For higher wavelength signals it could be quite significant; it could be up to 10 decibels. If you hit the glass at an angle you bounce straight off. That's how screen protectors work, so you can't see the screen from an angle, but you stand in front of the screen, you can see the screen clearly, and with Wi-Fi it's just the same. So that picture's quite nice, found that on Google. It's an office building in London. Those people working at night are utterly oblivious as to how exposed they are, and it's just the same with your Wi-Fi networks, because each one of these offices will have Wi-Fi networks and they will be radiating, and if it's an office building they will be going for a long, long way.

So how far can you get? Well, using the power limits in the EU at least, 20 dBm, about 300 metres with a monopole antenna. But, and it is a big but, it all depends. It all depends on the environment. If you're in Venezuela and you're in the jungle and there's no man-made noise you'll probably get much further. If you're on a mountain, 300 kilometres. But with a Yagi antenna or a parabolic, which you can buy commercially from stores, because long-range Wi-Fi links is a big, big industry now, you can go and buy these antennas, you can pick them up on eBay or anywhere from under 50 quid, you can get many, many kilometres on the ISM band.

There's a tool I recommend here, free tool, Pasternack. It's a Friis calculator, so it's a little path loss calculator. Allows you to punch in your figures and it will give you a distance, and so you can start with a distance and say what would my signal strength be at that distance, or you could start with a signal strength and work backwards, say how far is that distance.

Field test here. We went up Crickley Hill. So if you don't know Crickley Hill, it's just to the back here, overlooks Cheltenham and Gloucester, it's a lovely view, and because it overlooks, you're able to get a magnificent range with an antenna onto local Wi-Fi networks. So we had an 18 dBi Yagi, so quite big, about a metre long. It was the one that was on the opening slide, and we popped it on a mast with a very cheap adapter, because I don't want to demonstrate great range with expensive equipment, because that's an own goal. So saying we achieved 10 kilometres but I had to spend a thousand pounds, that's not very clever. But if I could spend under 100 quid and get a couple of kilometres, that is much more attractive, and it's a much more common risk that you're going to have an attacker with that sort of budget who's able to target a network from such a distance that you wouldn't even see them doing it.

So what did we get? Well, that's Shurdington down there. We looked up a couple of the APs that we were seeing. We had a signal strength, an AP over two kilometres, of minus 65 dBm. So if you've ever used Wi-Fi scanners in your home, you know, just to look at signal strength, you'll appreciate that's not bad, that's pretty good. So that means if we can get that signal strength for that distance, extrapolate that, which I'll show you in a minute, we can go much, much, much further. What else did we see? Dash cams, buses. We've got Wi-Fi in Audis. Audi drivers don't know how to change their SSIDs, or maybe they don't want to because they're proud of owning an Audi, but we can see Audis and BMWs and those APs, and that's quite interesting because you could actually track those SSIDs on WiGLE all the way home.

Okay, calibration and modelling. So I said we could extrapolate that. So we've got some numbers. We've been up on the hill and we've got some numbers, and we drove back down the hill and looked at the data, the metadata. So we feed the BSSIDs into WiGLE's network detail API. There's different ways you can use WiGLE, very old tool but still cool. The network detail gives you the latitude and longitude and the last time it was seen. So if we're getting a location in Shurdington and it was current as of a few months ago, you know, that's good enough for me. If it was a few years ago, not so confident, but a few months ago, that gives me some confidence that that's legit. We then run the haversine formula, which if you don't know is just getting the distance between two pairs of coordinates, and then we feed that distance into a path loss model to come up with the error. So that error allows us to effectively work out what we're observing, the empirical measurement, versus what the pure measurement should be at that distance, and come up with a delta. So that delta, that error, we can then put that into modelling and model that, and model everything else, and the answer is that. So you were able to do a large point-to-multipoint using free software like SPLAT! or Radio Mobile, and you can do a large point-to-point using those parameters that you measured and see what was the effective range of your capability, of your antenna. Now this antenna is a cheap antenna, but it's on a big hill. That's Shurdington there, two kilometres. That's a railway line, five kilometres. Could have gone further, could have got a better antenna, could have done more. However, bigger is not always better in radio. Sometimes you want to dial it down.

Gloucester, Cheltenham: loads and loads and loads of wireless access points, loads of noise. So this area in the middle, with the exception of Shurdington, is fairly rural and so it's fairly quiet, so I did pick that deliberately. But in a city you have to reduce your expectations. So you have to dial it back and go, well, actually there's lots of noise here, the noise floor is much, much higher. What can we do to overcome this? So there's a couple of strategies for dealing with noise, and if you have a little list, a little toolbox of strategies for dealing with noise, then you can achieve much better signal-to-noise ratio, and if you get a better SNR you get a better range.

So the first one is just move. Really simple: just move, just go somewhere else. Try somewhere else, try a few different locations, because you might find that you are experiencing lots of noise over here because everybody's chatting, but over here it's much quieter and you can do much more.

Aim off. You don't always have to aim at the target with an antenna; it's not a laser. Okay, a radio wave has a big Fresnel zone, it's a big cone. You can actually aim off. So if you're getting lots of interfering noise over here but your target's there, you might want to just aim off, just to the side of it, and then you're catching it on the edge of the Fresnel zone, so you're still picking up the signal but you've moved away from the noise. So you reduce the noise but you're still picking up your target.

Use obstacles as a shield. So obstacles will impede you when you're trying to work a network at range, but you can also use them to your advantage. If you've got a city off to the left and it's causing a lot of noise, there's a lot of power bleeding over from that urban area, you might find that there's a large hill or a wall that you can actually get next to, and you can actually point your antenna and use it as a shield to effectively block all that noise, so that you're not getting interfered with.

And be patient. Noise in a city follows a rhythm; it's not constant. So it might be quiet at night, just an idea, when all the Audis and the BMWs are not zipping around with their access points.

Okay, right, operating from cars. A bit of a trigger warning, there might be a Tesla joke. Let's see, a few in the car. Okay, two cars here. Any guesses which one is best for collecting Wi-Fi? Anyone? Why? Yep, okay, yep. One of these is a high-tech SIGINT platform and the other is a Tesla. Okay, right, a campervan is better on several counts. First of all, it's big and you've got room to work. Second, you've got privacy with the curtains. But third, it's an old campervan with old glass and it's straight glass, so you could have your nice big antenna right up against that glass or the curtain, and it's not suffering any reflection off this nice streamlined windscreen, and it's also suffering minimal attenuation. What else do you think a Tesla or any modern car has inside its windscreen that's going to cause a problem with radio? Heating elements, thank you. So everyone likes to defrost their windscreen in the morning. If you've got a modern car, that's actually a problem for signals, especially 5G, as I found the other week field testing in Wiltshire. We were barely picking up the signal when the antenna was on the dashboard. We took it off the dashboard and put it up on the roof and we gained about 20 decibels, so that's enormous, and this is the effect of not just a 5G signal but also a windscreen with a heating element in. Thank you. So watch out for the windscreens, avoid complex glass, get an old campervan, kill the Bluetooth, obviously, Bluetooth's in the ISM band and it's not going to help you, and kill the engine, because that generates electrical noise as well.

Okay, just finish up here with a couple of references. These are some free tools. First one is a nice little tool that makes these really cool Fresnel zones. So this is handy if you want to pick your Airbnb. So I recommend you pick an Airbnb if you want to really work in comfort and have some AC power for a prolonged, enduring period. So you've got your target office, go on Airbnb, find an Airbnb that's overlooking that office and then use this tool to see what you can expect, and that will show you in Google Earth, with Google's awesome 3D buildings, if you're clipping any buildings on the way to your target. SPLAT! is a free propagation simulation tool. Use that with some UK LiDAR and you get something that's very powerful and very accurate. It'll show you all the trees and the buildings and the clutter. And I think I said there's going to be a free tool with this talk. There's a little tool here which enhances airodump output. If you've used airodump, part of the Aircrack suite, you can export to log CSV, which is just a nice CSV format. Normally it's used for wardriving, so the latitude and longitude would be your location as you've been driving around, but what this script does is it turns that on its head and it basically looks up the BSSIDs in WiGLE and then uses the latitude and longitude of the SSID and then puts in another column with the distance. So you can see I'm hitting BSSIDs at two kilometres, three kilometres, and this can be quite handy if you're on a hill and you're swinging an antenna around and you just want to see how far you're actually getting based on the data that you're collecting. Okay, I think we're good for time. Any questions? Yes.

So the question there was pcaps in monitor mode, and what happens if we want to run our own pcap on our own network. Well, the answer is, as I just touched on, it's your network. So if it's your network and your NIC is on that channel and you're associated with that network, that's fine. It's when you're not associated with the network and you are just scanning in promiscuous mode and you're moving up and down the spectrum and you're hoovering up your neighbour's packets as well. So there is a risk, because you're on that channel and other people will be on that channel. Let's say it's Wi-Fi channel one, 2412 megs, that you might be picking up your neighbour's channels if they're on channel one, and so you will have to set a filter, a capture filter in Wireshark, not a display filter, a capture filter, for your network only. Okay, any more questions?

Good question. It depends on how long you're gonna be there. So my best advice actually would be to not be in the campervan. Set the kit up remote. Put up a Raspberry Pi as a remote head with an LTE dongle and then go down the beach and drink the beer. Okay, well, if there's no more questions... sorry, more? Oh, very good. Nearly over time, but yes, it does. In the summer when trees are in leaf then they do block signals, especially 5G, as a lot of 5G MVNOs are finding out right now the hard way. Thank you, everybody.
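The calibration step the talk describes (haversine distance from the coordinates a WiGLE lookup returns, free-space path loss at that distance, the measured-versus-predicted delta, then extrapolating how far the same setup would reach) is worked through below as an added Python example; it is not the speaker's script and not from the talk. The 2 km / -65 dBm / 18 dBi figures are the talk's; the observer and AP coordinates are constructed, and the AP transmit power (20 dBm), AP antenna gain (2 dBi) and receiver sensitivity (-90 dBm) are assumptions.

```python
import math

C_M_PER_S = 299_792_458.0      # speed of light
EARTH_RADIUS_M = 6_371_000.0   # mean Earth radius used by the haversine formula
CH6_HZ = 2.437e9               # 2.4 GHz channel 6 centre frequency


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two (lat, lon) pairs given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def fspl_db(distance_m, freq_hz):
    """Free-space path loss (Friis) in dB: the 'pure' loss the measurement is compared against."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C_M_PER_S)


def predicted_rssi_dbm(distance_m, freq_hz, tx_dbm, tx_gain_dbi, rx_gain_dbi):
    """Link budget: transmit power plus both antenna gains minus free-space loss."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_hz)


def calibration_delta_db(measured_dbm, distance_m, freq_hz, tx_dbm, tx_gain_dbi, rx_gain_dbi):
    """Measured minus predicted. Negative means the real path loses more than free space."""
    return measured_dbm - predicted_rssi_dbm(distance_m, freq_hz, tx_dbm, tx_gain_dbi, rx_gain_dbi)


def max_range_m(sensitivity_dbm, delta_db, freq_hz, tx_dbm, tx_gain_dbi, rx_gain_dbi):
    """Distance at which the delta-corrected prediction drops to the receiver's sensitivity."""
    loss_budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi + delta_db - sensitivity_dbm
    # Invert fspl_db: d = c / (4 * pi * f) * 10 ** (loss / 20)
    return C_M_PER_S / (4 * math.pi * freq_hz) * 10 ** (loss_budget_db / 20)


if __name__ == "__main__":
    # Constructed sample: a hilltop observer and an AP position as a WiGLE
    # network-detail lookup might report it. Made-up coordinates, not survey data.
    observer = (51.8580, -2.1010)
    ap = (51.8730, -2.0880)
    d = haversine_m(*observer, *ap)
    # Assumptions: AP at the UK limit of 20 dBm with a 2 dBi antenna, the 18 dBi Yagi
    # from the talk on the receive side, and a -90 dBm receiver sensitivity.
    delta = calibration_delta_db(-65.0, d, CH6_HZ, 20.0, 2.0, 18.0)
    reach = max_range_m(-90.0, delta, CH6_HZ, 20.0, 2.0, 18.0)
    print(f"distance {d / 1000:.2f} km, calibration delta {delta:+.1f} dB, "
          f"modelled reach {reach / 1000:.1f} km (line of sight assumed)")
```

The extrapolated reach only holds with line of sight and the same noise floor; feed the delta into a terrain-aware model such as SPLAT! or Radio Mobile, as the talk does, before trusting it.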