
Intro for new WCTFers. It's not important who we are; what's important is what we try to provide for you: a safe, happy, fun-filled environment for doing Wi-Fi Capture the Flag, SDR Capture the Flag, and just general radio Capture All the Flags sort of stuff. The purpose of our talk is more or less... who's played in the Wireless Capture the Flag before? Damn you, Dan. So, oh, there you are. All right, spiral suitcase. Yeah. So we have new folks involved with us who were previously individuals who played way too frequently and won way too frequently. So the bell curve has now shifted back out of their poisoning of the gate curve of all CTF challenges. So it should be fun again, I guess.
But that aside, for those who haven't played: who plans on coming out to Defcon this year? All righty. Who's going to go to the Wireless Village at Defcon this year? Even better, this is what I wanted to see. Who's going to play in the CTF? All right. Good news for those who didn't raise their hands: we have a new scoreboard system, so it's easier to register and submit points, with instantaneous feedback. We have a variety of challenges. We've got the Wi-Fi and the SDR stuff, but we've bolted on even crazier SDR things. So we also have passive RFID, some Zigbee stuff; you name it, it's probably going to be there. So please come by, please enter. It's fairly easy now at this point to throw some points on the board.
And one of the new things about the scoring system is that it's not just maintaining your points and your score for Defcon. You'll be able to track your progress over the remainder of the cons that we're at, because we'll start holding onto that historical information so that you can see how well you're doing and eventually become an MVP for your own team. So I'll get off the soapbox for a minute and give Zero a chance. I'll get back on the soapbox. This is great. I gotta stand a little closer. This thing is on. I'm short. There we go. Okay. How many of you are familiar with the talks that we normally present at the Wireless Village at Defcon?
We do this stuff because we want to share what we find fun with everybody. We do this because we love it, and we do this because we want more people to love it as much as we do and have fun. And this year, not only are we doing all the track talks here at BSides, we've got a whole series of workshops at the Wireless Village, just to get as much bang for your buck as possible. So come hang out; we've got a bunch of hands-on stuff. And the goal is really education. And that's why we're giving an entire talk on how to win our contest, because we just want you to play and have fun and learn things that you've never done before.
I know that I haven't won all of these challenges myself. So, God forbid everything's actually working, I'll be playing and see if I can beat you all just for the fun of it. The news is probably not based on the previous competition, but we'll find out together. Your Mac sucks. It already doesn't work. Good God. Okay. So, the reason why we do the Wireless Capture the Flag: RF technology has really, really, really been exploding over the last couple of years. It's used for so many things. It's so cheap. China. There's just stuff everywhere, and we've found that a lot of people don't understand a lot of this technology, and they're not even looking for a lot of this technology. So many companies are like, "Oh, we don't use Wi-Fi, it's fine, we're totally secure."
When every device they have has a Wi-Fi chip in it, so everybody's walking around with two or three Wi-Fi radios, but they don't do Wi-Fi there. And that's just Wi-Fi. Now let's think about all the other radios that are in the building: the wireless headsets, the mics planted by, you know, some competitor, even the bloody laser mic pointed in the window. I mean, we all know that this stuff exists, and we all call ourselves pen testers, a lot of us call ourselves pen testers, and nobody even looks for this stuff. So we decided that we wanted to be James Bond, so we started working on this stuff: how to use it, how to detect it, how to mess with it, and we're just having a good old time. So it used to be special and expensive; now it's twenty freaking dollars.
There's a bunch of vendors that'll sell you an RTL-SDR if you don't have one, or if you need a couple extra. HackRF and some BladeRF should probably both be for sale. Buy some toys, start cheap. Trust me, start cheap. And have some fun with us. And your clicker... my clicker does not work on your Mac. It hates you. Legal issues. I kind of tried to put a little bit of a stop to this BS in the last talk. We're not lawyers. I will happily tell you things that I know. It really boils down to "don't be a dick." Seriously, quit trying to find loopholes in the laws. Just stop, because somebody's going to decide you were wrong, and the fines are way more than you want to pay. How many of you stayed in a Holiday Inn Express last night? It doesn't matter. All it takes is one person on the other side of the fence to think that you did something wrong, and your life changes.
Yeah, so in all seriousness, the FCC has lawful intercept guidelines on their website. It's really, really simple. You're allowed to listen to stuff, not use it for business gain, not really allowed to share it with anybody else, with the exclusion of anything provided by the telcos, which you're not allowed to listen to at all. So yes, it's great, somebody's got gr-gsm on YouTube. Downloading it and compiling it is a violation of the law as far as I am concerned. You're welcome to consult your own lawyers on that; I've talked to quite a few. And in addition to being a little bit poorer, I still don't use gr-gsm. So there's that. Wiretap, dual-party consent. Keep in mind when you're listening to other people's phone calls and doing something stupid like recording them, or other people's Wi-Fi packets: depending on how far you go into the packet, you may be violating wiretap law. So, for instance, in this lovely Ninth Circuit that we're in right now, Wi-Fi is not actually radio.
So you're not allowed to monitor Wi-Fi, because while you're allowed to monitor radio, Wi-Fi's not radio. Feel free to write the Supreme Court justice who decided that and kick him for me. So how do we do this? We divided our game up a couple of years back. There was not really much of an SDR scene, so it was all Wi-Fi, and now we're almost at a dead-even split on Wi-Fi versus non-Wi-Fi or SDR-related stuff. So, you know, there are crypto challenges where we are breaking keys, there's looking for certain hashes, and general communication interception, like, "well, there's this network and there's a bunch of data being spewed out. I wonder if any of it's interesting." I guarantee it is, because I don't bother putting data on networks if the anticipation isn't for you to intercept it. I might also be torrenting something at the time, but that's neither here nor there. SDR flags?
Yeah, I primarily focus around protocol identification and reversal, pulling out the bit streams of those communications. Then you take a look at the files that you just pulled out, and you can go into a rabbit hole on the files as well. I go so far into it that I've actually now started putting in the word "stop" so that people don't continue to go along with them, because they are pretty in-depth. For some of the challenges, you don't need a ham radio license; all you gotta do is receive. For some of the other ones you do need to have a ham radio license, because you need to transmit. An example of that: we have a Wi-Fi Fox and Hound, we have a Software-Defined Radio Fox and Hound, and then on top of that we also have something that I call the Software-Defined Radio Duck Hunt, where there is a transceiver roaming around the area emitting the sound of a duck quacking.
You have to find wherever the duck is and transmit the word "bang" using FSK. I give the instructions on how to do this on the website. If the duck successfully decodes the word "bang", it responds back with a hash. That hash is your duck that you submit for flags. Well, I use a mismatched radio system for it, so you have to make sure that you are very directional in your shot at the duck. In other words, you put a choke on your shotgun. If you shoot too frequently, or it detects the word "bang" incorrectly, or anything along those lines, the duck flies away and you hear the Nintendo dog laugh at you. And it hides for maybe between a minute and five minutes somewhere random within the area, to give the duck the opportunity to keep wandering away. In order to play, you have to show us your ham radio operator's license, and then we register you as an official hunter. Then, on top of that, you can also poach.
However, do not shoot; you can collect the duck after it's been shot and submit the flags before the legitimate hunter does. So this can turn into a bit of a goofy little team effort. The last challenge that we're debuting right now is Software-Defined Radio Russian Roulette. Which involves... who has dogs? No? Yeah? All right. Who has really horribly trained dogs? Who has dog shock collars? Not for the dogs, but for, you know, personal talk. You laugh, but we've been testing it all night. I still can't feel my left leg. Exactly. So the object of this game: it uses FSK. It will either beep, vibrate, shock, or flash. I am randomly transmitting each of these signals. If you wish to play, receive the signals, try to guess which one is which, strap it to your calf, and if it does one of those four things, you win.
Depending on which one it does, you might really win. The shock is painful; it has a setting between zero and a hundred. When you buy the kit it comes with two collars. I think I broke the other one because I put it on my foot and set it to a hundred and kicked so hard that I think it broke, so I only have one. Next year, we'll probably make the game kind of a shootout. In other words, you have to shock the opponent's collar before they shock yours. So it's kind of a rush to... anyways, we're coming up with kind of crazy, painful, fun ways to learn these things. So feel free to come by and learn something new, with force.
You guys crowded around the door: we've actually got some spots right up front if you want to come on in and sit down. Not a lot of chairs; yeah, there are still some chairs left too. So just make yourselves at home. We don't bite, but we may spit. We don't bite, but we do have the dog collar with us. So, recon, number one. I've always been a really big passive analysis fan, so know your wireless environment. Look around, see what's going on. That's absolutely first and foremost. One of the things I've always been surprised by is that nobody just sits down and starts logging everything. Like, I expected the first year for a team to show up with a giant NAS or a shared hard drive or something, and just be logging to it all the time.
But no, people take it one challenge at a time; they're not capturing packets ninety percent of the time, and it's like, "well, yeah, that's a good strategy for losing." Seriously, know what's going on at all times; be monitoring at all times. I know that PCI says if you go to a place once a quarter for five minutes, it's totally secure, but there are a lot of other minutes in there that you should really be monitoring, and we absolutely abuse that fact. Hint: seriously, monitor. Wi-Fi is good with Kismet. I definitely recommend Kismet over anything else, because it just plain does a better job capturing and decoding. Airodump-ng is great for when you're trying to do cracking; it's got a bunch of stats in there for you that are really helpful, but Kismet really does a much better job of taking multiple cards, storing all the packets, that kind of stuff.
On the SDR side, there's a program called Freqwatch, which uses a modified version of rtl_power, or you can just use rtl_power. It requires a little bit of massaging to get it to work, but it's not too much of an effort; the easiest one, though, is just gqrx. Know your wireless neighborhood, your radio neighborhood. You need to create and establish a baseline; in other words, go somewhere outside of where we're transmitting in order to get a lay of the land as to what's there. That way, when you come in, you can easily identify which signals we're transmitting from the ones that we're not. The major difference in what I'm doing this year from previous conferences is that I was fairly aggressive in my repetition of transmissions. So when it would finish sending one message, it would pause for thirty seconds and start all over again.
Not this year: they're going to be a little bit more sparse, and some of them may require you to trigger them, kind of like port knocking. So it's all folded around the theme that we have this year for the village, which we'll get to a little bit later. But you really, really, really need to understand who and what is talking to you, so that you don't get lost or distracted by an actual legitimate signal. Yay, break stuff. As we were saying, knowing your environment is really key. Knowing your tools is really key. We've got websites that are up year-round that we update, because we go to a dozen-plus conferences every year. SDR.ninja has guides; they're written by him. They include how to do a whole bunch of really random different things with SDR.
I would imagine that one hundred percent of them are exactly related to how you play the Wireless Capture the Flag game, because they pretty much eat up, I think, almost all of Russ's free time. So he's got nothing else to write about except for what we do. So we've got this stuff on the websites, we've got homework for you; you can look it up, you can play these games at home, you can practice, you can learn, and you can score points. The game is set up so that a newbie can get points. You shouldn't need that much magical experience to do this, but practice means you're going to get a lot more points, and you'll do it faster.
So come in, learn with us the challenges you don't know, and rock out and beat up the challenges that you do know. Use it as an opportunity not just to play the game but as an opportunity to learn something, because that's the whole point for us. We always say full offense, full defense is in effect. That includes social engineering. That means come up and talk to us. Last year we had several contestants come up to us and ask us if they could have a key. We gave almost all of them a key. Some of them were good points, some of them were negative points. It really depends on how you asked us. But the point is, if you don't ask for help, you're not going to get help. We have people come up and say, "I've been trying to attack this challenge for hours. Could you just check if it's even working?" Yes.
What happens if we check if it's working? We're going to go through all the steps to break the challenge for you. Maybe if you were to be observing it, capturing on that frequency, social engineering us, stealing the flag that we just earned you... Just saying, this is a full game: offense, defense, learning. Come by, abuse us. It's fun for everybody. I would also mention that speed is of the essence when scoring the points. Some of the flags are static, so it's a hundred points; it's always a hundred points. Other flags decay based upon time, so if you score them now versus waiting five minutes, you've lost points. We got really, really tired of traditional capture the flags, where people did BS like never submitting a flag until the last three minutes so that nobody was really trying very hard, and stupid stuff like puzzles that have no real-world application.
So all of this is real-world stuff. This is stuff that we bought at, like, Home Depot and hacked on, or some past systems for toll roads, or things like that that we just came across. So I mean, this is real-world stuff, and real-world consequences. The guy who breaks in first definitely is going to get more information than the guy who breaks in second, just like you're going to get more points for doing it quickly than you are for doing it slowly. So we really want to encourage this to not be a game. We want this to be as realistic as humanly possible, and that's the way we plan things out. So it's definitely important to do your damage and take your points home. Platform selection. Internet access, I would have to say, is a must unless you are some kind of a savant. Even the guys who I would say are nearly savants have to look this stuff up. It's really critical.
Internet access: we offer it in the village. Defcon offers it if you've got a load of stones. Or you just plug your USB wire into your phone and tether. Whatever you need to do to feel safe about it, do that, because seriously, the internet's going to be a big help. Laptop: almost everybody does it on a laptop. I have seen, like, one dude bring a desktop, and hey, that's great, you know. I mean, if you really want to get that WPA challenge out of the way with your eight GPUs, that's fine. But a lot of times walking around doing Duck Hunt with a desktop just doesn't work very well. So laptops, tablets... we've had a guy take second place using nothing but his tablet. So I don't know if that's saying all of you suck or what, but seriously, equipment selection is really key. A high-end processor for SDR stuff is definitely a benefit to you.
I can tell you that the faster I make my FFT move, the more likely I am to see useful things, versus making it go really slowly on an old piece of junk. At least 16 gigs of RAM, or more. You don't need this; you can run on two or four or things like that. But especially when you start talking about people that are picking, like, a Mac, or they're doing something with VMs or something like that, having that extra RAM is a major benefit to you. So when you start getting really competitive for the prizes, this is more of the direction that you're going to want to work towards. This is close to the gold standard.
Yeah, hard drive space for lots of captures. Again, we do out-briefs, and every year we've made fun of people for not bringing a NAS, and so far that hasn't caused anybody to change their mind about doing that. But, like, a shared team hard drive, lots of dumps. Dumps. Seriously, log, log everything. Why wouldn't you? Yeah, screen space: decent screen resolution definitely makes a huge difference. I can tell you hacking on my N900 versus my Phone Pad 3 is a world of difference. One is a tiny little cell phone; the other one's an 8-inch tablet. And then, good God, the laptop just makes life so easy. External radios, antennas: yes, it's got a Wi-Fi card built in, and it mostly sucks. Seriously, get a couple of different Wi-Fi cards, radios, SDRs. We'll go into specifics. External connectors are your friend.
External antenna connectors are great. Power supplies: enough outlets, enough power. What most of us do is we say, "okay, my kit requires three outlets." Go to Best Buy, buy the thing that turns one outlet into three. Throw that in the bag next to all the power bricks. It's really funny to see Russ messing with us. Yeah, that was kind of weak. It was there, but now you stink. It's really important to have enough power. We've actually seen people compete and just not be able to plug in all of their stuff. So, like, we're providing power to a point, but if you need six outlets, your ass better plan for that. It's kind of key. Powered USB hubs. Anybody ever shut down a computer by draining too much power off the USB bus? I'm not the only one. Excellent. Yeah, you can totally do that.
Powered USB hubs are a good thing. They're not just for charging your cell phone anymore. Operating systems. We are heavily skewed towards Pentoo. Can't imagine why. Because I am a self-centered asshole and it's my distro. That said, if anything's wrong with it, he doesn't care. That said, if we're heavily skewed towards Pentoo, and I'm the developer of Pentoo, and I work on the Wireless Capture the Flag, odds are reasonable that most of what you need happens to be in there. We also highly recommend the GNU Radio Live CD. Those guys put out a lot of stuff; they actually include some things that I am unwilling to include in Pentoo for various legal reasons, but they're happy to include them, so we recommend using it sometimes. You can use Windows. Amazingly.
Why am I able to still stand here and nobody throws anything? This clearly is a Shmoocon, and I am disappointed in all of you. Whatever. And then at the bottom of the list we threw Kali in there. Software tools. I'm going to advise that you can either grab Pentoo or you can go and install all this stuff on your own. Yeah. Download Pentoo, or install all this stuff on your own. There may or may not be a release of Pentoo tonight. I may be a glutton for punishment, like I have electric dog shock collars. But he was wearing one last night. Just saying, while I held the remote. Software tools. Here's stuff; this is all on our website.
So, those of you that are constantly trying to take pictures of my slides: it's actually already on the website, like five different versions of this, and I'll have these ones up tonight. Again, this is for your benefit. We want you to play our game and win it. So, several websites. Ah, so, several different websites. We've got WCTF.us, the Wireless Capture the Flag website; then we own SDR.ninja and wirelessvillage.ninja. So we've got lots of websites, but those are the three main ones. They each focus on a major theme of their own. And they all link to each other, and they all cross off each other. So if you're looking for the Wi-Fi stuff, you'll find all of it on WCTF.us. If you're looking for the SDR hints, SDR.ninja. If you're looking to find out where the village is going to be, where we do our talks and our challenges, that's the Wireless Village website.
Those of you in the back, there are still some seats up front. Russ and I both showered this morning, separately. So you're welcome to join us if you want. We don't smell or anything. But there's a lot of spitting. So these are the general pieces of software that we outlined that we recommend for use. This is not an exhaustive list, but it's definitely a really good start. A bunch of Wi-Fi tools, a bunch of SDR tools. SDR is much less of a one-trick pony than Wi-Fi. You can get really dangerous with Wi-Fi using just airodump and Kismet. SDR, pretty much, is a lot of purpose-built tools. Almost all of them plug into GNU Radio. So you could do it pretty much just with GNU Radio and dragging little flow blocks back and forth if you're a masochist, but there are also some really great tools to help you out, so I highly recommend them.
In addition to that, hardware tools. This is key: having the right hardware is really important. We design this game so that you can compete with about forty bucks' worth of hardware and get maybe seventy-five percent of the available points. Seventy-five percent of the available points is more than anybody has ever scored in our game. Don't correct me, Red Baron, I'll be upset. Seventy-five percent is more than anybody has ever scored in our game. We want people to win with forty dollars' worth of hardware. There are challenges where three thousand dollars' worth of hardware might significantly benefit you, but you could get points using just forty dollars' worth of hardware, which would be a simple TP-Link Wi-Fi card and an RTL-SDR. Okay. This is if you want to get crazy; we've got all kinds of fun stuff.
Different spectrum analyzers: the MetaGeek stuff, the Signal Hound, even the HackRF, which is, like, my most favorite device to use as a spectrum analyzer. You can say it's the most expensive spectrum analyzer, but it's almost always the cheapest one. But we have a variety of the SDR tools that are specified based upon the different SDR radios. So there's an SDR challenge built such that you need to have a HackRF to do it. There's an SDR challenge built such that you need to have a USRP to do it. Then there's another one where you need to have a BladeRF to do it. So it kind of showcases the difference between those different tools that are out there. So part of this is for your own learning, and when you decide to bite the bullet and buy one of those slightly more expensive things, life will be peachy. Yes, sir.
Yeah, no, we do have Bluetooth challenges, and the Ubertooth... if you... Dominic Spill is... I recommend you saw that, because it's not going to work with anything else. So the gentleman who works for Great Scott Gadgets in the background is telling us that we should add to our software slide the software that works with the hardware we're recommending. But in actuality, if you were to download Pentoo, the suggested distro, Kismet works with Ubertooth; we've already got all that installed for you. Just throwing it out there that the slides are complete, although not exhaustive. Yeah, having the Ubertooth utils is nice. There are not a lot of challenges that are Bluetooth-related, but that will definitely help you. Again, the right tools for the right job. If you're doing Bluetooth work, it's pretty exclusively Ubertooth. Not going to really have anything else for that.
It's, like, a Class 1 Bluetooth adapter, Ubertooth, that's all of it. There aren't really any other tools out there unless you've got, like, ten grand or something. Don't you even talk about gr-bluetooth. Yes, as long as you use GNU Radio from 2011, so it'll probably work great with Kali. Anyway, we've got a couple of different things recommended: different Zigbee radios, KillerBee. They've got some new hardware out that's actually good for Zigbee. The Rosewill RNX-N600UBE is the dual-band card that I had been recommending up until about a month ago. Now I'm recommending the Alfa AWUS051NH version 2. That's because that device just edges it out a little bit in performance, and it's easier to find, because they keep changing the Rosewill chipset on me, making things a lot harder.
The TP-Link WN722N is, like, a thirteen, maybe twelve dollar (depending on the Amazon day) Wi-Fi adapter that is absolutely phenomenal. It's got fantastic performance; we keep like ten or fifteen of them in the village to run the challenges. That's what we use, and when they burn themselves out we throw them in the garbage and grab the next one from the stack. Because they're thirteen dollars. When we first started doing Wi-Fi, my first access point was three hundred, my first client was a hundred, and for several years that was it. Like, if you wanted a good Wi-Fi card it was two hundred plus dollars. And now really good Wi-Fi cards are thirteen bucks, so just buy ten and call it a day. I think we've bought Micro Center out like three times now on the way to Defcon. So, yeah. GPS systems: sometimes it's nice to know where the hell you are, what's going on, making pretty pictures.
Timing and location are important sometimes. Timing and location are important. Mobile devices: Nokia N900s, Phone Pads, I think Kali's got something that they talk about. It's really nice to have mobile devices. As I said, we had a guy come in second using just his Android tablet, because he didn't want to bring his computer to Defcon and he didn't know he was going to play in the game. And he's like, "oh, this is all I've got, can I play on it?" Like, if you can figure out how to submit keys, bro, you can play on that; we don't care. So he installed GPG on there and started playing and actually did a bang-up job. So I mean, you don't need an amazing amount of hardware; you can play with whatever, and sometimes having small stuff is really convenient. They were playing Fox and Hound last year with a girl with an N900 in her pocket and an antenna in her bra, and she would just walk around looking around, just seeing what's going on.
You know, she's just following people around, sticking her chest out, which was absolutely hilarious. But it worked; she found the box eventually. First one. First one to find the box. Yes. USB hubs, USB power, USB Ethernet. As I said, we try to keep these games realistic; sometimes having Ethernet helps. I think every year one of the earlier questions we get is, "do you mind if I plug into your switch?" The answer is no; I'll save you time on that. No, you can't plug into the switch. However, you gotta ask, right? I mean, if you don't ask, the answer is no, and if you just do it without asking, that's still social engineering, right? If I don't stop you.
Headphones: we'll have the chat about headphones in a second. We'll talk about headphones as well as antennas. Helpful radios. These are some pretty pictures. Radios are good; lots of radios is better. There are a lot of different ones. If you go to the website WCTF.us, you'll see this list there. And on SDR.ninja, I hyperlink directly to various Amazon pages and other web stores for antennas, accoutrements of glory, and other tools and capabilities that you may want to consider to go from novice to crazy level. Anyone know what year it is? It's 2015. Anybody know when the grey Alfa card that everybody's so fond of came out? The AWUS036H. I'll give you a hint: it's been, like, almost ten years. The thing's like seven, eight years old now.
In 2015 we have this cool thing called 802.11ac. Like, it's really funny; people don't come with equipment from this year. They say, "oh yeah, I don't need that to crack WEP, I've got this 802.11g card, it's totally fine." Yes, yes, you keep playing like that. We literally had a challenge at one of the conferences that was: connect to the AC access point at AC speed and look at the splash page to get points, and we had exactly zero people get those points. Okay? When I say this game is easy to play, I mean you could have gotten those points on the cell phone that was in your pocket, but these people are playing it on laptops that were a couple of years old, and they were plugging in even older Wi-Fi cards, and they just couldn't figure out why it doesn't work.
They're like, "it's unencrypted, what's the trick? Is there MAC filtering?" No. No. Could you maybe look at the response frame that rejects you? "It says that I don't support the right mode." Really, that's funny. Huh. Speak of the devil. And the guy will be, like, texting his girlfriend on his S5 that has an AC card in it, and then put it back in his pocket and go back to his ten-year-old Wi-Fi card that's got no prayer, right? Having the right equipment is really key. Again, you can play this with thirteen bucks, but sometimes even your cell phone is an amazing accessory to you. Headphones, headphones, headphones. Please. You will be thrown out on your ass if you don't have headphones and you're playing one of the SDR challenges. Yes, and also be aware that different headphones have different levels of clarity for hearing certain types of signals. They may be whispering at you.
The ham radio protocols. Would you say they whisper a lot? Anyway, what you will also end up finding out: yeah, the earbuds for the most part are going to be fine. However, wearing those earbuds for eight, ten, twelve hours at length will start making your ears want to reject your face hole. So anyways, I don't think that made much sense. Anyways, to make a really simple analogy: you can get a hundred dollar set of Beats headphones that are going to blow the bass way out of proportion on the signal, or you can buy, like, a twenty dollar pair of reference headphones that are going to give you the signal correctly and be comfortable enough that you can wear them most of the day.
And pay attention to those other types of fancier headphones, because a lot of them come with extra electronics that will re-process and re-sample the audio and essentially lie to you. So it's like a really elaborate game of whisper down the lane. They'll filter out certain things that you just won't hear, because, you know, why would you want to hear that? You're not, anyways. Who needs static, right? Who needs static. Something to carry it all in. Backpack; we're very partial to Pelican cases. If you happen to have a large vehicle that's well suited to it, you know, whatever it is, definitely figure out how to carry your gear around. Whether it's the antenna in the bra or whatever works best for you. I find the antenna in the bra is very uncomfortable, but, you know, different strokes.
And in years past we've had people come try to find where we live in order to sit outside our houses in order to try to catch us experimenting and configuring and testing. So that vehicle was not exactly a total half-truth. Yeah, it's very good to not slow down while the pizza guy is at the door, just saying. It may be not the best time to drive by. Antennas, antennas, antennas, antennas. Lots of antennas, definitely lots of antennas. I'm a big fan of antennas. Two relevant polarizations, that would be horizontal and vertical. Just like last night. Geez, alright, three basic radiation patterns. That would be omni-directional. Omni-directional does not mean omni-directional. It means omni-directional on the horizontal plane. Gain is not an active thing when you're talking about antennas, it's a passive thing.
So what it's actually doing is it's re-shaping the signal and sending it in a more focused direction. In the case of omni-directional antennas, it's talking about omni-directional on the horizontal plane at the cost of losing the vertical plane. So if you've got a nine-dBi antenna on floor two of your house and you go down to floor one right below it and try to use a non-Wi-Fi access point, the answer is not an eighteen-dBi antenna. More gain, more better, right? No. Seriously, learn what radiation patterns look like. This is an important fact. Imagine taking a donut and squishing it. That's effectively what you're doing when you're messing with the gain settings of a horizontally polarized omni-directional antenna. There are such things as antennas that are both horizontal and vertical omni-directional; then you start going into some fun little designs like a helix antenna design and some fun other things like that, but they're not going to be relevant for the challenges.
But they can be fun to make or bring. I think Shmoocon two years ago I made people try to intercept a weather satellite as a part of one of the challenges, and for that you did need to make a QFH antenna, and the GPS was important because you need to know where you were and when you were in order to receive and intercept it. But who knows, maybe that's here, maybe it's not. Just saying. Omni-directional, then there's semi-directional, which is a little more towards your classic directional where it's going to be nothing to the sides, nothing to the back, more towards the forward, but like a hundred and twenty degrees or something like that. Then you get down to the highly directional, the sixty or so or less degree directionals, where they're really going to push a lot of power towards it. One of my favorite talks, and thank God we've been recording talks recently so you all can get the benefit of it. Simon J, who's now one of our team members, gave a how-to-fox-hunt talk, and one of the things he talked about in the video is learn your equipment.
This antenna I'm holding is supposed to point this way, but it actually gets better signal that way. So you will literally be going in the exact opposite direction of the signal if you don't test your stuff. We did a fox hunt at Derbycon as part of our training class last year and there were people running these antennas and they didn't realize that the top lobe—that would be, it's supposed to go this way but it's actually going that way—the top lobe was more powerful than the front lobe on that specific setup for these people. And because they had never used the antenna before, they had no idea. So the guy actually tried to lock-pick his way into the revolving restaurant on the top of the building that was closed, because when he held it up like this he got the best signal. But it was pointed back to the room where we had this stuff stashed. He literally didn't know which direction to aim his antenna. Because he didn't test. Because he didn't test.
Test your equipment, know your equipment. It's like the back of your hand. You should know everything. That's new. It's really important that you go over this stuff, practice, test, and understand your equipment, because if you have no idea what you're doing, you'll have no idea what you're doing. There's a joke there somewhere. Omni-directional, you've got your ever-popular Smith chart. Very simple charts. Semi-directional is going to be pushing the majority in a direction, but there's always a back lobe or a side lobe or something like that. Having these charts for your antennas is amazingly helpful. You can see in this case that the back lobe at a certain point is just as strong as the front lobe, so literally it could be dead in front of you or dead behind you, you have no idea. And the side lobes on this specific one are pretty impressive. And I will quickly add on this.
It's important to purchase antennas most of the time because you end up getting these charts, because they're tested by the FCC; they also have these charts available so you kind of get a better idea as to what you're purchasing versus one that you made yourself. Who here has access to an RF anechoic chamber? All right. So with that in mind, don't make your own antennas unless you can make your own charts and understand exactly what the spectral propagation out of that sucker is across different bands of frequencies. Or you can test, but every ounce counts. Kind of knowing what—what's happening is far better than just guessing and being completely wrong. Highly directional, we actually have people come to Defcon with stuff like this every single year and it's whole areas. We think it's funny as hell. Don't do it. Yeah, I mean seriously, don't buy your antenna a seat on the airplane just to bring it out here; you're not going to need that kind of equipment. Not for us anyway. But hey, good on you. We've had people like with satellite dishes and stuff. It's fun, good for them.
Target selection—look for hotspots. Determining what the limits are that you are working within. Look for things that are within your target set. We're very good about telling you what you are attacking. We will list MAC addresses, often we'll list modes, we'll list most of the frequencies or very close to the frequencies of the things that we're operating on. For instance, we're not violating the law. I know that's a shocker, right? We're at Defcon, we're not violating the law. All our amateur radio tickets, and then there's those unlicensed frequencies. If you're scanning in DOD space, you're probably playing a different game. I mean, there's a lot of military around here, you could totally do that, and if you're bored that's great, but seriously, we give you a target set for a reason; look for stuff within the target set.
Transmitters vary in size, shape, form; some are bigger. Some are bigger, some are smaller, but they're all equally powerful, so it's not the size that counts. Sometimes it is. Yeah, something like that. But sometimes they're hidden, sometimes they're not, so don't take something at face value for what it looks like, because it may not be that. So you really need to—it could be a hidden access point, it could be a hidden radio transmitter, it could be a bug, it could be any one of those sort of things that's just hidden inside of people's sight. Things that we're not doing this year that we did in several previous years: we actually planted a bug on our own table throughout I think three different conferences.
And all it was doing was capturing everything we said and transmitting it over narrow FM, and as far as we know nobody actually got the points on that one. No. Like, we just left a bug listening to us work the whole time. They were giving out pass—like keys and answers—and passphrases, "is this working, let me SSH into this system?", like the whole kingdom. Inside information to blackmail us with, and no, and nobody—I mean, we had lots of conversations that would have been very helpful with social engineering, and no. I mean, check for things, seriously, come up and look at what's on the bloody table. Seriously. Last year we had three days of conference; two of those days, when we got there in the morning, we caught people in the room scoping out our gear on the table. I am not advocating breaking into the room, but the room was unlocked and they walked in and they looked at everything, they took pictures, they had serial numbers, MAC addresses and, you know, just saying. Recon's good, recon's good.
Putting it all together. Right tools for the right job; again, this is as close to a real-world simulation as we can possibly make it, and we try to make it even more so every time we do it. This is not a game where you are testing your puzzle-solving skills, although some of us definitely degenerate into that if you go far enough into his meta-challenges. I think one he explained at Shmoocon for twenty minutes had like six different meta-challenges, like so you crack this and then you look at the metadata from that and then that's another key and then that leads you to this and then you can use that to decode the—maybe you can hopscotch around. You can get crazy with that stuff, but the vast majority of it is fairly straightforward, like find this security camera transmitting picture and then put it on a loop so you can break into the bank. It's fun, but it can go further than that. Sometimes.
Sometimes. So know your tools, know the limitations of what you're using, find the right stuff. SDR and GNU Radio, it's really definitely what we talk about the most, because that's what people are trying to learn the most, because if you can't crack a WEP key by this point, go back to YouTube. So on to the SDR side of the fence. Although, having listened to, or read rather, a lot of the messages in IRC and on various user forums trying to figure out what the signal is and all that sort of stuff, there's one website that you can go to that is called the Signal Identification Guide or the Sigint Wiki. So as you're looking at these things from a waterfall perspective in gqrx or GNU Radio Companion or any other available tool out there, there's a lot of people who have done a lot of homework on protocol demodulation and identification for you.
So the first thing that you're going to notice with SDR stuff is that you're going to probably use the best computer that you have available to you—your brain. And then that's connected to your ears and you're going to be listening to the signal. And AFSK, OOK and all that sort of stuff sound very different from each other. All the various ham radio protocols, if you listen to them enough you can immediately start identifying them faster than if you were to write a piece of code and start trying to demodulate everything on the go. So this website's awesome; it's basically like the YouTube preview pane except it's all signals. It'll show you the waterfall and let you listen to everything, and seriously, that's why nobody has software that does this, because they're all terrible compared to you. Just looking at it, listening to it, they'll either look the same and sound completely different or sound the same and look completely different. This is the best website we're giving you a hint for. Yes.
So write that down. They have the waterfalls, they have audio samples, they have descriptions of it, and since it was kind of a real-world, crowd-sourced signal identification, there's other information about like where the people were, what frequency they were on and all kind of geospatial sort of stuff that's unimportant for the CTF. However, what is important is the waterfall and the audio sampling and what the signal type is. The other things that you need to be aware of, so you're going to probably be, hopefully in the future, practicing some of the stuff at home. And if you don't have a ham radio license, definitely get that as a priority. But in addition to that, there's going to be some things that you're going to need to be aware about in your home lab so that you don't start sending random email messages regarding "what's the signal?" and everyone telling you it's Wi-Fi and it's not Wi-Fi, and being insistent that it's not Wi-Fi when it is Wi-Fi.
When you ask someone what something is and about ten people tell you what it is and you still are defiant about it, don't do that. Anyways, otherwise you wouldn't be asking, right? But we'll cover some problems regarding common issues and SDR labs that you're going to be encountering. A little quick speech about lightning, because you may want to set some of these antennas up outside. Starting with antennas. When you buy those RTLs, they're not—the antennas that come with them are not that great, and they're not that great for a lot of really good reasons. One of those really frequent reasons is because the conductor of the antenna is not actually connected together well. It may have been soldered together at one point, but due to vibration or anything else it flexes and just disconnects. So in short—wait, that—that could be a pun.
Dad joked myself again. Well, that's what you actually have going on inside that thing. So what I highly recommend is ditch those antennas, go on Amazon, get an MCX-to-SMA adapter pigtail, they're super cheap, get a lot of them, and then that way you can actually start connecting up real antennas or better antennas that have SMA connectors. This goes with the "know your equipment" and "test your equipment" stuff. Test your antennas, take your antennas apart, see what's different between your antennas. If you have a bad antenna, it happens. I think the original lot of HackRFs, the ANT500s they were sold with had like a five percent failure rate. It was just they were shorting on the inside and you just had to slip open the cover to fix it and then close it back up.
But so many people were like "man this piece of junk doesn't work at all" and it's like "could you put a paperclip in there?" "yeah, okay" "wow this thing's amazing." Like okay if the paperclip is a better antenna, maybe fix the short. Yeah, like if the room is constantly off when you turn on and off the light switch, it might be the lightbulbs, or it could be the switch. But what's an easier troubleshooting method than replacing the electrical system? Change the bulb. All righty. Next one. Lightning wants to be your friend. Don't be lightning's friend. So when you start dealing with radio systems and antenna systems, nothing will save your life in your house and your possessions better than a really good electrical grounding system.
This is a photograph of an Ethernet connector off of a radio system that I manage; it's a packetized Ethernet radio system, and the grounding system that was built for it was engineered wonderfully. The radio survived a hundred percent; it came from the radio through a five-foot patch cable into a lightning arrestor, which also survived. That five-foot cable, this is one of the connectors from it. I'd rather replace a five-foot cable than a ton of extra Ethernet through walls and floors and ceilings and a radio or a lightning arrestor. So in all the various ham radio study guides they talk about making sure that you have good lightning arrestors, really good solid equipment for that. If you don't have an electrical background, hire an electrician to do it for you.
My house has been struck multiple times. All of my radios have survived, there have been no fires, I've replaced grounding every once in a while. I'd rather do that. And my neighbor had to replace his electrical panel in his house, regrettably. I helped him with that. But lightning will want to be your friend. So as that bolt comes down, it's going to induce a lot of extra current and random stuff all over the place. So the best thing that you can do, if you're going to start putting these antennas up, is make sure that you are hypersensitive towards spurs and high voltages in random places and random equipment. I've seen it touch random stuff. So don't let it control; guide it, and you should be fine and safe.
Just a quick interlude for those of you who aren't staring at your watches, it is 16:53. This is the last talk in this track and I don't actually have to turn this room back over the hotel for like an hour. And since this is our track we're just going to keep talking until we're done. So you're all welcome to join us or you're all welcome to run to the next talk that you were planning on before we rudely ran over as long as we felt like it. So we're going to keep talking but I just wanted you to know that there is a time if you were desperate for the next talk. No hard feelings.
All righty. The next thing along with lightning: static is a problem. If you put your antennas up outside, as wind blows against those antennas they will generate a static charge. ESD is just as bad to your radio as lightning is bad to your radio. I've had RTLs on the tabletop, and as the MCX connector rubs inside that bulkhead connector, it generates or passes off a small static shock that causes the radio to reboot. You'll actually see in Linux udev that it actually resets itself as if I unplugged it and plugged it back in. So be sensitive to the existence of ESD. Very sensitive. Because a lot of these RTLs do not have ESD protection. There are no diodes between the antenna and the rest of the radio system. We could literally do a "how to not design a radio" talk using just screenshots of RTL hardware.
So what would happen in this particular case is, as a shock or a charge gets delivered through the system, it fries your radio and then it can also potentially be passed across your USB bus, which you don't want. So don't forget to check to make sure that you can easily just pop open your RTL and see if it has an ESD diode in it or not. Actually, that was Department of Redundancy Department, electrostatic shock diode protection. Anyways. So be cautious about that. There's some other things that will drive you nuts if you're new to this sort of thing. You'll see random spikes all over the damn spectrum. Sometimes these things are clock sources. These could be clock sources from your equipment, from a harmonic off of the power that's powering your equipment; could be from your laptop, it could be from someone else's laptop.
I saw something that was so narrowband on FM and it was kind of coming in and coming out. It turned out to be a guy's pacemaker. My personal favorite example of this is when developing the Ubertooth, before, when developing GR Bluetooth, they were first practicing sniffing Bluetooth stuff, one of the developers spent like more than a week sniffing his CPU clock, because he was trying to sniff 2.4 gigahertz Bluetooth and he was using a 2.4 gigahertz laptop. So it would literally be a really easy mistake to make. You can ask him about it over beer if you want, he's right over there and he's got a funny accent, but these things are—he's right though. I mean, one of the first things you're trying to do when you get a radio is like take the antenna off, tune through the entire frequency set; if you get anything, that's a noise source, a birdie, something wrong with the radio, it's generating stuff internally and you should be ignoring that. And if that's not the first thing you do with your radio, then you probably should read these handy guides here.
Exactly. So they're from the government and they're here to help. So you have the Mitigation of Radio Noise from External Sources at Radio Receiving Sites. That's hyphenated. And then you also have the Naval RFI Handbook. And in these two guide books they talk about a lot of different topics, but the two most important ones—sorry, the one most important one that I have two examples of is called barrier, feed and ground principles. BFG, we've all played video games that reference that moniker. But in this particular case, what is wrong about the power adapter on the power supply of that computer? It's a plastic bulkhead connector connected to a metal case. So in other words, any noise coming across those wires is not being properly passed off into the ground bus. So you would want to make sure that the connector for that is a metal box connector.
This was an example from the Naval book regarding this spur signal that was happening at a SCADA system, and they were tracking it for weeks and they couldn't figure out what it was. It turned out that it was coming from that plug on the power supply. Another example is this grounding rod connector head. They have—who has done outside antenna feed work before? All right. What is the first rule of thumb about metals when connecting them together for long-term permanent connections? You do not want to have dissimilar metals. What do you think happened with that connector there? It's got some nice oxidized connection points on it. They used dissimilar metals and then they goofed around it, so it trapped water in it as well. This was a ground bus for a cell phone tower site that was constantly out of balance, and that was the cause.
They couldn't figure it out for whatever reason, but that—well, they couldn't figure out what the problem was for a long time; the FCC showed up and actually did some measurements for it, and this is also in that guide book. So you need to really pay attention to all these subtle little nuances when you're setting this stuff up at home. Clocks. So talking about clocks again, the RTLs have some of the worst clocks that are out there, but they're usable enough. So one of the main things that you'll want to do when you plug it in is establish your offset. When it says it's a hundred megahertz, it's not a hundred megahertz. It's got an offset or a drift anywhere between one hertz to, I've seen it as bad as maybe a hundred and forty kilohertz.
So one of the best things that you can do is find some of these well-known transmitter sites that are all over a particular country of choice, where in the United States, NOAA, Oceanic—they've set up transmitters all across the US that are very, very specifically tuned on very, very specific frequencies. And what you would do is you would take your RTL, find their frequency, center it up and then figure out what your offset is based upon what they say it is, because theirs is a hundred percent accurate and your RTL is awful. Yes, and as you also use it longer, that clock is going to start to drift more. So your signal is going to move up and down the spectrum just a little bit. So if you're going to be watching for a longer period of time, be aware that a hundred megahertz isn't going to be a hundred megahertz clean for a while longer; it'll start drifting.
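The offset calibration just described, worked through as an added example (not code from the talk or from any of the speakers' tooling): centre a known carrier such as a NOAA weather channel, derive the dongle's clock error in ppm from where that carrier actually shows up, then see how the same error scales with tuned frequency and how it drifts as the crystal warms. The sign convention, the helper names and the sample readings are this example's own and constructed; check the sign your own SDR tool expects for its ppm argument.

```python
"""Estimate an RTL-SDR clock offset from a known reference carrier and track its drift."""
from __future__ import annotations

from typing import Iterable

# NOAA Weather Radio broadcasts on these fixed channels (Hz); any of them makes a
# usable reference if one is receivable where you are.
NOAA_WX_CHANNELS_HZ = (162_400_000, 162_425_000, 162_450_000, 162_475_000,
                       162_500_000, 162_525_000, 162_550_000)

# Beyond this, the "reference" is more likely a birdie or the wrong station than a
# real crystal error, so refuse to calibrate against it (threshold is an assumption).
MAX_PLAUSIBLE_PPM = 1_500.0


def estimate_ppm(reference_hz: float, observed_hz: float,
                 max_ppm: float = MAX_PLAUSIBLE_PPM) -> float:
    """Clock error in ppm from where a known carrier shows up on the uncorrected display.

    Convention used throughout this example (tools differ; check yours): a positive
    value means the dongle actually tunes HIGHER than requested, so a carrier of known
    frequency appears LOWER than its true frequency on the display.
    """
    if reference_hz <= 0:
        raise ValueError("reference frequency must be positive")
    ppm = (reference_hz - observed_hz) / reference_hz * 1e6
    if abs(ppm) > max_ppm:
        raise ValueError(f"{ppm:.1f} ppm is implausible; check the reference carrier")
    return ppm


def expected_error_hz(target_hz: float, ppm: float) -> float:
    """How far a signal at target_hz lands from centre if the offset is not corrected.

    The error scales with frequency: a crystal that is a few kHz off on VHF is tens
    of kHz off at 1 GHz, which is why "a hundred megahertz is not a hundred megahertz".
    """
    return target_hz * ppm / 1e6


def corrected_request_hz(target_hz: float, ppm: float) -> float:
    """Frequency to ask the dongle for so that target_hz ends up exactly at centre."""
    return target_hz / (1.0 + ppm / 1e6)


def ppm_over_time(reference_hz: float,
                  observations: Iterable[tuple[float, float]]) -> list[tuple[float, float]]:
    """Turn (seconds, observed_hz) readings of one carrier into (seconds, ppm) readings."""
    return [(t, estimate_ppm(reference_hz, f)) for t, f in observations]


def drift_ppm(series: list[tuple[float, float]]) -> float:
    """Spread of the offset over a session; a warm-up drift of several ppm is normal."""
    values = [p for _, p in series]
    return max(values) - min(values) if values else 0.0


if __name__ == "__main__":
    ref = NOAA_WX_CHANNELS_HZ[-1]  # 162.550 MHz
    # Constructed readings: where the carrier appeared at 0, 5 and 10 minutes after
    # plugging the dongle in, while the crystal warms up (50, 55 and 58 ppm).
    readings = [(0.0, 162_541_872.5), (300.0, 162_541_059.75), (600.0, 162_540_572.1)]
    series = ppm_over_time(ref, readings)
    for t, p in series:
        print(f"t={t:5.0f}s  offset={p:6.1f} ppm")
    print(f"drift over session: {drift_ppm(series):.1f} ppm")
    ppm_now = series[-1][1]
    for target in (100_000_000, 433_920_000, 1_090_000_000):
        err = expected_error_hz(target, ppm_now)
        req = corrected_request_hz(target, ppm_now)
        print(f"{target / 1e6:9.3f} MHz: uncorrected error {err / 1e3:6.2f} kHz, "
              f"request {req / 1e6:.6f} MHz to land on it")
```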
You need to choke out your signal sources or your noise sources on your power lines and your USB bus. And one of the neat things that you can do is a unified PPM clock source, because when you do that you can do some really cool, crazy modifications to your RTLs. So if you were to replace the crystal that's on this piece of awfulness, ten-dollar-ish, bought-in-bulk RTL adapter, and you replace their clock source with a unified clock source, you can have more fun at a lower price. This clearly is my life. Question. Yes, there are tools that are out there that will continually help you establish what your offset is. Absolutely. And black shirt question. No? Okay. All righty. So this is one of the goofy things that you can do. The price point for achieving this is you just better buy a HackRF. But it is possible. But seriously, buy a HackRF. Now in regards to temperature management and the effects of signal noise and clock drift, there's options of being able to dunk the whole thing in oil. Sometimes it works better, sometimes it doesn't. I've seen other people make aluminum housings, passive cooling; every ounce counts in some degree or another.
You will eventually probably end up with a stronger signal or a worse signal depending on what you got. If you go with the option of dunking it in oil, yeah, you can use vegetable oil. Yeah, it'll go rancid eventually. If you do go with the option of vegetable oil, make sure your pets don't eat it, otherwise you get two problems. And mineral oil, you want to be careful about the ones that have vitamins, because they will corrode the connectors and cause other electrical issues. So that is the bulk of the summary for what we have for everyone. Every conference that we're at we're bringing out new challenges; we're constantly bolting on, changing things up, precisely between—for each major discipline, we can have as many as twenty-five challenges for that major discipline, and we have probably about four different disciplines at a particular point. So at the major conferences obviously there's many more challenges.
Currently right now the majority of the challenges live between 30 megahertz to 6 gigahertz, but they do go lower, so be aware of that as well; so there's equipment for up converters and down converters that is also equally important. Questions, queries, posers. The meaning of life is 42. Yes. Question on, you mentioned having different challenges for the different SDR platforms to showcase the particular tool. What kind of differences do you see between the HackRF, the BladeRF, USRP? All righty. So what are the major differences, or how are we doing the showcases for the different SDR major platforms like BladeRF, HackRF and USRP? Is that a good paraphrase? Okay. So on SDR.ninja, I break down the major differences. Sometimes those differences are based upon sample size or sample rate. Sometimes it's half duplex versus full duplex. So for instance, the BladeRF is a full duplex platform. One of the challenges may include the need or exercising of a full duplex communication in real time, so you're receiving as you're transmitting at the same time.
But it doesn't cover the same frequency space that, say, the HackRF does. So the HackRF may be operating in frequency bands that the BladeRF can't touch. The USRP has all these really kind of goofy bolt-on card adapters and all that sort of stuff. Some of them are pretty unique, so you would have to have the USRP platform to begin with. That's kind of like the broad-stroke answer without saying exactly what the challenges are. If you see any of our de-briefings, we kind of cover exactly how some of those things are built. To give you a hint, some of the challenges may be submitted to us by friends, and we might match those with, say, the guys that make HackRF, the guys that make BladeRF, the guys that make USRP. They might speak for us every year, so like if they give me something, all I have to do is run this script; sometimes it just gets run and it's a lot of fun, because what we did last year was we actually took the challenge from the BladeRF guy and that person won a HackRF, and we took the challenge from the HackRF guys and that person won a BladeRF, because if you need a BladeRF to win this challenge, why am I going to give you another BladeRF? So we actually took something that they did and then mixed up their customers and gave them something else. Any other questions, queries, posers? No? 42. Yes.
When you announce the challenges, like do you say this is a HackRF challenge, so that everyone with a HackRF needs to be looking at a particular frequency? No, we do not. So the question is, do we categorize that Challenge A is a HackRF challenge, Challenge B is a BladeRF challenge? No, we do not announce what tool you need to use to attack that challenge. But you will figure it out fairly quickly if you just don't either see it or interact with it incorrectly. The challenge—we have an in-brief and it lists the challenges and roughly what you have to accomplish. Knowing your equipment definitely helps, but we're not going to give you an equipment list for each challenge, because some of these things are really, really easy and some of them I want you to know your own equipment. So it definitely will say silly things like you need to decode something on 5.8 gigahertz, and that pretty much leaves you with the Wi-Fi or a HackRF, so figure it out. Yeah, so I will say, you know, last year the HackRF challenge was Foxagon on just under 6 gigahertz, and that was mean. It was really mean. I think only three people attacked it and one guy got it. And then the BladeRF challenge was full duplex AFSK, which is also equally mean and still possible, because for the packet rate for it you needed to have at least a 16 megahertz cycle on it as opposed to some other ones. So you had to capture it very quickly, because it was farting it out really quickly; otherwise what you would see as one pulse was actually two or three. Any others? Okey-dokey, we'll see you at Defcon.