Home

Published

- 8 min read

Visualizing WiFi for Intel

Offensive Security RedTeam Pentesting Cybersecurity
img of Visualizing WiFi for Intel

A horrible year is finally ending. Even without resources or support, we upped our toolkit to create actionable Intelligence. Enjoy your potato gratin, after consuming our article.

Capturing data

Not much to explain, airwaves are still free, everyone can send them, everyone can receive them.

Here’s 2 scripts to make things more automatic:

Where’s the rest? Not finished yet. It is on our roadmap though, if not too many things go wrong, the BlackViz code will become FOSS. Give us a couple more month.

Visualisation

We added mongodb as well as a new section in our BlackViz DB - visualising WiFi networks, using BSSIDs, ESSIDs, beacons, power level and time data along with Vis.js or D3.js gives you unique insights on connections.

For example, we could easily identify, which customer of the nearby tram WiFi was possibly hacked, has fallen for an evil twin network, now advertising these “tram Wifi and a typo” beacons. The fool’s cap of the 21st.

Clustering

Using data clustering, we’re able to tell that a neutral name like Our Wifi is most likely a Hotel - without any of the data saying literally “this is a Hotel Wifi” - but rather the unique combination of clients, their beacons like “Deutsche Bahn” and “Pool Lobby” etc. will allow this conclusion with high certainty.

This is a modified screenshot, data text blurred, controls are not final:

  • Rectangles: Stations - like a router or public network
  • Circles: Clients - like a smartphone
  • Triangles: Beacons - a formerly connected station

Size of stations and clients is based on signal strength.

Right now we can request data from the DB based on a day-of-month scale, we started to add more frontend controls, like time-of-day. On the backend we already prepared functions to combine devices based on ESSID or first 3 to 6 octets of the BSSID / mac address, which works pretty well and gives a much cleaner output. Devices of the same brand and model often share the first couple octets, and randomization functions sometimes randomize only the second half. This is meant as non-paranoid mode where we assume, no evil clones exist. Over a year ago, we also started to work on a similarity algorithm to be able to combine devices after full randomization, based on other properties like beacons, that may still vary between versions (e.g. the same device might have 1-2 new beacons). We currently have no priority on the cross-randomization tracking though, but rather focus on a clean output. We also added sorting by signal strength and by features of devices, trying to bring more interesting devices (e.g. those with many beacons or other datapoints) to the front, as we need to limit the number of clients, or otherwise some stations would have 50.000 nodes.

This kind of presentation allows an experienced analyst to get a good overview of complex networks with thousands of devices in less than a minute, identifying connections and other details, which would be impossible in purely list-style / log-like output.

Interestingly enough, switching between different methods of filtering and combining, will bring out different features of the network and the relationships.

Update: Our BigData Visualisation Plattform “BlackViz” is taking shape quickly.

Privacy

What we can’t take credit for, is the fact that most cars today not only advertise their own WiFi network, but many doing so including make and model (and “Christian’s iPhone” connected to it), some including their license plate.

We have to wonder, when someone will realize, what kind of idea they had there.

There’s still a layer of anonymity, we’re not interested in finding personal data behind these networks, but rather use them to refine our tools and analysation techniques. As we said on our homepage: We don’t need to hack or touch a target’s website, instead using experience, proven methods like diamond models or mind maps and relationships between anonymous data points, we’re able to “solve” many cases just like that.

Once you’ve done it yourself, you know it.

That this works has been shown by other Cybersecurity analysts on other data decades ago, and it shows again, how dangerous fully anonymized data can be.

Update: [Voice of Morgan Freeman] Guess we should make it more clear. We can see the red light phases of the nearby crossing in this kind of data. This data can solve crimes, which is worrying - cause pro level blackhat hackers and other larger-scale ops take precautions against such public data collection. So the kind of crimes it probably could solve are small-time, shoplifting, hit and run accidents, breaking and entering. It makes us wonder: Are we the first, or rather, the only ones, who tried this? It took us couple of weeks - while not in best form - to build this and collect the data, no pro level equipment, no money, no experts involved. Just a single station inside our office. Consider 10 stations spread over town. We probably will put it away at some point, continue with other projects, maybe dust it off again, when we truly get Redteam jobs. We definitely will.

Science - sort of

Analysing data in the way demonstrated is a rather scientific approach that some may find boring, we spend years however also on the Blueteam side analysing such data. No hacking needed and definitely not boring. The latest Kali Special Edition releases, which include tools like Elastic out of the box now, give us confidence that we were on the right track all these years.

This is our definition of Intelligence - creating actionable data, while respecting modern privacy.

Before we forget…

https://www.aliexpress.us/item/3256806047285410.html

The surveillance proto state has blessed us again with upgrades, fresh from Shenzen.
“Rd-03D 24G Multi-Target Human Motion Trajectory Localization and Tracking Radar Module On-Board PCB Antenna”

For around $5 (or 9€, but much cheaper if you buy more than 1000 pieces) you can now use the fun Arduino IDE to radar-track multiple people at the same time, their location, speed and trajectory. All in the cute formfactor of an ESP board. Cause tracking people with 8k cameras, biometrics and AI wasn’t good enough. Only a side note for those who wanted to know, what's next.

Should we mention the fact, that China just succesfully tested, they could shoot down only about 40% of their mass drone fleet with conventional weapons?

Multi-Target Human Tracking Radar Module

Multi-Target Human Tracking Radar Module Installation Diagram

We didn’t do it.

Personally: Happy New Year

Keep your hopes up, that those earning +10k a month will come to realize, the rest of us have been squeezed beyond the point, where we could save on hot showers and butter.

The Euro and the Dollar have lost about half of their value in the last 3 decades, while prices doubled, then again, then again - and the industry did their tricks as usual: box content was slowly reduced to half or less. Please subscribe for a smaller dose of your fake cigarettes and cheap gin. We haven’t yet started to look past the borders of our town and our small lifes.

Yes, it’s like 1984 - except that we did it, not the state. Because make capital…sm great for Musk.

I don’t wanna keep writing to be honest. This is insane. Guess we personally are still the lucky ones, let’s see for how long. My health has deteriorated a little bit and all I can see is growing hate - while hardly looking outside the window. Lately two random people on the phone asked me to kill myself. Yes, literally.

The attacks on me, that started around the time I closed my freelance business (CoVid), never stopped. They became worse - and sadly, they became normal. People making fun of my health issues, openly, in writing. Companies discriminating openly, while laughing. None of them is able to express, what’s their actual issue with me. Is it the hacking? Are you afraid of me? It’s beyond my understanding, primitive and even legally it has left the realm of “questionable”, what they do.

Whenever I asked, groups of grown men, to tell it to my face, in person - they cowarded away. Yes, you are cowards. And you’re a shame, 5000 years of human rights and equality, moral standards and love, passed you by. May it keep on passing you by.

At the same time, I cannot stop wondering, what everyone takes so seriously, or why. I’ve been in bad situations most of my life, but always tried to take things with a sense of humor. You can express pain or disagreement and expect to be taken seriously, but apart from that: does everyone really take things (and I still don’t know which things) for that important? Who are we to you? And who are you exactly? Why does any of this matter to anyone but us? Why is any dialog impossible? Like, you’re the Queen of the Pancake Islands and we’re ready for boarding? I can assure you, we’re not ready for boarding. Nobody is ready for boarding.* I hardly get out of bed, can’t walk properly anymore and… I better stop here while I can.

*(yeah well, the 2 million troups and their drone fleets, hacker armies and 6th gen fighter jets, but… NOT US!)

So it seems, slightly overqualified, disabled people with a tendency to tell the truth, should not get a job, besides all efforts. I’ve reinvented myself 12 times in the last couple of years, worked myself half-dead and continued to work more the next day, for no money most of the time, but they rather kept those on the job, that followed the orders to make my life hell.

Just, because… I guess?

“Hell to the liars - this is to you and me” - London Grammar