Intro for new WCTFers

Reason behind the WCTF

• Use of RF technology has exploded
• RF used to require special and expensive equipment
• Safe Environment
• $20 gets most signals of interest
Legal issues to be aware of
• IANAL, neither are you
• Consult your local laws (fcc.gov)
• Restrictions for telco services (pagers and cell)
• Wiretap/Dual Party Consent
How we do this
• WiFi Flags
– Crypto
– Keys
– Hashes
– Communication interception
• SDR Flags
– Protocol reversal
– Demodulate files
– Rx/Tx
Recon
• Know your wireless neighborhood
• WiFi
– Kismet
– Airodump-ng
• SDR
– Freqwatch
– gqrx
Exploitation
• Do your homework on the tools
• Practice in a safe environment
• Score the points!
Platform Selection
Internet access
• A device with USB tether
Laptop (PC or MAC)
• Multi core processor (high end for SDR)
• 16 GB ram or more (especially for VMs)
• Hard drive space for all the things
• Screen with space for multiple terminals
External Radios/antennas
• Internal radios generally do not give the optimal capability
• Built in antennas rarely give flexibility needed
Power-Supply
• Enough outlets to power all of your gear
• Possibly powered USB hubs
Operating Systems

Pentoo
GNU Radio Live
Windows
Kali
Software Tools

Aircrack-ng
Kismet-ng
Airodump-ng
Wireshark
TCPDump
Nmap
PGP/GPG
inssider
Reaver
Pyrit
OCLHashcat
Wifite
Fern-wifi-cracker
Hardware Tools
Metageek Wispy DBx
Signal Hound BB60(x)
GSG HackRF
Nuand BladeRF
Any RTL-SDR
GSG Ubertooth
zigbee radios
Rosewill RNX-N600UBE
Alfa AWUS036NHA
Alfa AWUS051NH v2
Ubiquiti SR-71
Airpcap Nx
TP-Link WN722N
Globalsat BU-353 GPS
Helpful Radios
Alfa radios (ABGN)
Rokland N3 (BGN)
Rosewill N600 UBE (ABGN)
SR-71 (ABG)
AirPcapNx (ABGN)
WiSpy DBX (2.4 and 5Ghz)
TP-Link TL-WN722N (BGN)
Ubertooth One (many uses)
HackRF One (SDR)
RTL-SDR (SDR)
Nuand BladeRF
EnGenius EUB 1200AC (ABGNAC)
Signal Hound B60
Headphones

• There are thousands of headphones
• Headphones are a very personal decision
• They range in price and quality
• Find a pair that are comfortable and clear
• Avoid ones with bass boost or other signal processing
• Reference type headphones tend to be cheap and well suited
Something to carry it in
• Pack
• Pelican case
• Vehicle (MRAP)
Antennas for WCTF
• Two relevant polarization types
– Horizontal
– Vertical
• Three basic radiation patterns
– Omni-Directional
• Most common type
• Radiates “equally” in all directions (horizontal)
– Semi-directional
• Radiates stronger signal in certain directions
– Highly-Directional
• Radiates a much stronger signal in one direction
Omni Directional

• Radiates equally in all directions on the horizontal plane
Semi-Directional

• Radiates stronger signal in multiple directions
Highly Directional

• Radiates strong signal in a single direction
Target Selection
• Look for “hot spots”
• Determine what the limits are that you are working within
• Look for beacons that are within your target set
Transmitters to be found
Putting it together

• In WCTF as in the real world: Right Tools for the Right Job
• Know your tools and limitations
• SDRs and GNURadio provide easy access to much of RF and rapid construction of custom tools!
• Now to put it into practice…
What am I seeing/hearing?

http://www.sigidwiki.com/wiki/Signal_Identification_Guide
Common problems in SDR labs

• Antennas
• Lightning
• Static
• Noise
• Clocks and Drift
Static protection is a must!

• The cheaper RTL’s do NOT have static protection
• Wind generates static
• Rubbing things… generates static
Noise Reduction Must Reads
• The Mitigation of Radio Noise from External Sources at Radio Receiving Sites
  http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA468464
• Naval RFI Handbook
  http://www.arrl.org/files/file/Technology/RFI%20Main%20Page/Naval_RFI_Handbook.pdf
BFG
Clocks

• The cheaper SDR’s have a lot of noise in them
• Choke them out and isolate noise sources
• Use a unified PPM if you use more than one for IQ
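The “unified PPM” point above, worked through as an added example that is not from the slides: each dongle captures the same carrier whose true frequency you know, you measure where that carrier actually landed in the capture, turn the offset into a per-dongle ppm figure, and derive the tune command that puts a target frequency at the same place on every dongle. It is pure Python on a constructed IQ capture with a first-order correction; the reference frequency, target frequency and dongle names are placeholders, and the sign convention of whichever tool you hand the ppm figure to should be checked against its documentation.

```python
import cmath
import math

SAMPLE_RATE = 48000   # constructed narrow capture; a real dongle would run at e.g. 2.4 MS/s
N = 256               # DFT length: one bin = 48000 / 256 = 187.5 Hz

def constructed_iq(offset_hz, n=N, fs=SAMPLE_RATE):
    """Constructed IQ capture: a clean carrier that the dongle's clock error
    has landed offset_hz away from where the dongle thinks it is tuned."""
    return [cmath.exp(2j * math.pi * offset_hz * k / fs) for k in range(n)]

def peak_offset_hz(iq, fs=SAMPLE_RATE):
    """Plain DFT (no numpy) over the capture; return the frequency of the
    strongest bin as a signed offset in -fs/2 .. fs/2."""
    n = len(iq)
    best_bin, best_mag = 0, -1.0
    for b in range(n):
        acc = sum(x * cmath.exp(-2j * math.pi * b * k / n) for k, x in enumerate(iq))
        if abs(acc) > best_mag:
            best_bin, best_mag = b, abs(acc)
    if best_bin > n // 2:
        best_bin -= n              # upper half of the DFT is negative frequency
    return best_bin * fs / n

def ppm_error(reference_hz, measured_offset_hz):
    """Clock error in parts per million, from a carrier known to sit at
    reference_hz that shows up measured_offset_hz away from the center."""
    return measured_offset_hz / reference_hz * 1e6

def corrected_tune(target_hz, ppm):
    """Frequency to command so that target_hz lands at 0 Hz offset on a
    dongle with this ppm error (first-order correction)."""
    return target_hz * (1 + ppm / 1e6)

def unify_dongles(reference_hz, captures, target_hz):
    """Per-dongle ppm from each dongle's capture of the same reference carrier,
    plus the per-dongle tune command that lines target_hz up on all of them."""
    result = {}
    for name, iq in captures.items():
        ppm = ppm_error(reference_hz, peak_offset_hz(iq))
        result[name] = (round(ppm, 2), corrected_tune(target_hz, ppm))
    return result
```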
A bit of fun - Hardware Mods

Multichannel Receivers
http://yo3iiu.ro/blog/?p=1450
Wireless Capture the Flag
WCTF
• Always new changes
• Typically between 12-25 challenges for different disciplines
• Challenges are all RF 30MHz – 5.9GHz
Challenges
Let’s get started

Welcome to WCTF! This is your first challenge. Use the municipal Wi-Fi to confirm you can connect, then submit the flag to confirm you can use the scoring engine for +10 points.
Budget Your Time

• Challenges do not have to be solved in order
• Difficulty range easy-insane
• Pay attention to details
• Don’t dwell on the problem
• Ask questions
• Learn things
• HAVE FUN
The talk…

Time to talk about the challenges

Welcome to Voltronville

Zarkon Industries has the strongest wireless network in the galaxy. Attempts to hack this are futile. Seek life elsewhere. +500
It’s getting serious

The dark underbelly of Zarkon's network has lots of delicious flags for your benefit, if you happen to ever gain access. Some are easy, some are insane puzzles that you could lose a day in. Budget your time wisely! Points vary: +20-50 each
Coffee time!

Grab a cup at Lotor’s!

Pizza!
Swag

Don’t forget to grab a souvenir at the gift shop!
Voltronville Bank

Banking hours are limited, but even the CEO visits this vault. Know the key and learn all his secrets, just hurry! (points vary!)
Residential Area

Not all residents of Voltronville use the municipal Wi-Fi; some are still so hopelessly broken. +300

Residential Area

Sometimes people connect. Sometimes they don't. +150
Fox & Hound

• Fox & Hound: first team to capture gets 750pts!
• SSID: Allura_the_Fox
• MAC: D2:E4:0B:F6:66:B8

Fox & Hound

• Fox & Hound: first team to capture gets 750pts!
• SSID: Lamina_the_Fox
• MAC: D2:E4:0B:F9:E2:F5
Hide & Seek!

• Hide and Seek! These flags decay over time starting at +1000 so hurry!!!
• SSID: Voltronville_Hotel_1

Hide & Seek

• Hide and Seek! These flags decay over time starting at +1000, so hurry!!!!
• SSID: Voltronville_Hotel_2
Convention Center

The local HAM Radio club is having a HAM Fest; find and capture their error prone signals. 50 to 100 points that can decay

Movie Theatre

The local movie theatre is branching into digital movie broadcasts! Find their management system. 50 to 250 points that can decay

Convention Center

There is an amateur radio SSTV broadcast; 75 points decaying
Who

There are spies amongst us; find their transmissions, decode, demodulate, decrypt and analyze. 250 to 500 points decaying.

Water Control Plant

The water station has misconfigured their SCADA controller. Find it and explore. 100 points decaying.
SDR Fox

Frequency: 192 MHz

Duck Hunt

Frequency: 172.75 MHz

Details: http://sdr.ninja/training-events/sdr-dunk-hunt/

How to shoot (the loop that runs on the Pi):
#!/bin/sh
# Loop forever: encode "bang" with minimodem at 1200 baud into bang.wav,
# then transmit sentence.wav with pifm on 80.0 MHz at 48000 samples/s,
# and wait 4 seconds before the next shot.
while true ; do
    echo "bang" | minimodem --tx -f -8 1200 -f /home/pi/bang.wav && \
    /home/pi/pifm /home/pi/sentence.wav 80.0 48000
    sleep 4
done
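The “bang” above goes out through minimodem at 1200 baud. As an added example that is not from the slides or from minimodem itself, the Python below reproduces that framing and modulation and then demodulates it, which is the kind of work the “demodulate files” flags ask for. It assumes minimodem’s defaults (48 kHz audio, the “1200” baudmode meaning Bell 202 with mark 1200 Hz and space 2200 Hz, 8N1 async framing), works on a constructed sample buffer, and the demodulator assumes the samples are bit-aligned, so there is no clock recovery; all function names are my own.

```python
import math

SAMPLE_RATE, BAUD = 48000, 1200     # minimodem defaults: 48 kHz audio, "1200" = Bell 202
MARK_HZ, SPACE_HZ = 1200, 2200      # Bell 202 tones for a 1 (mark) and a 0 (space)
SPB = SAMPLE_RATE // BAUD           # 40 samples per bit

def frame_bits(text):
    """8N1 async framing: idle mark, then per byte a 0 start bit,
    eight data bits LSB first and a 1 stop bit, then idle mark again."""
    bits = [1] * 8
    for byte in text.encode():
        bits += [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    return bits + [1] * 8

def afsk_modulate(bits):
    """Continuous-phase AFSK: one running phase, advanced at the mark or
    space rate for each bit period, so tone switches do not click."""
    samples, phase = [], 0.0
    for bit in bits:
        step = 2 * math.pi * (MARK_HZ if bit else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SPB):
            samples.append(math.sin(phase))
            phase += step
    return samples

def tone_energy(chunk, freq):
    """Non-coherent detector: correlate against sin and cos at freq and
    sum the squares, so the tone's unknown starting phase drops out."""
    w = 2 * math.pi * freq / SAMPLE_RATE
    i = sum(s * math.cos(w * n) for n, s in enumerate(chunk))
    q = sum(s * math.sin(w * n) for n, s in enumerate(chunk))
    return i * i + q * q

def afsk_demodulate(samples):
    """Decide mark/space per bit period (bit-aligned capture, no clock recovery), then strip 8N1 framing."""
    bits = []
    for start in range(0, len(samples) - SPB + 1, SPB):
        chunk = samples[start:start + SPB]
        bits.append(int(tone_energy(chunk, MARK_HZ) > tone_energy(chunk, SPACE_HZ)))
    out, i = bytearray(), 0
    while i < len(bits):
        if bits[i]:                # idle mark: keep scanning for a start bit
            i += 1
            continue
        data = bits[i + 1:i + 9]
        if len(data) < 8:          # truncated frame at the end of the capture
            break
        out.append(sum(b << k for k, b in enumerate(data)))
        i += 10                    # start bit + 8 data bits + stop bit
    return out.decode(errors="replace")
```

Against a real off-air capture you would still need bit-clock recovery and a band-pass filter ahead of the tone detector; this block shows only the framing and the tone decision.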
Duck Pond

• Find the duck
• Shoot at the duck
• Receive the MD5 Flag
• Submit for points
SDR Roulette

• Receive the transmissions
• Analyze them
• Strap the toy to your leg
• Transmit to win
  – Beep, Shock, Flash or Vibrate
