Wednesday, August 7, 2013

Making a Wi-Fi contest

Druid asked me to design a Wi-Fi contest for the LOL Bitcoin party at Defcon21; as far as I know no-one ended up finishing it.  I'm not sure if that was due to lack of interest or obtuseness of the challenge.

For hardware, I used a cheap-as-dirt Rosewill 125N as the multi-SSID AP, and a Raspberry Pi on a powered USB hub and a hand full of random wireless cards as the clients providing interaction with the AP.

The ultimate goal was to log into a WPA2-PSK network with a complex passphrase, designed to be non-trivial to brute force (and likely impossible given the duration of the challenge, 2 days).

The passphrase was comprised of 3 overlapping parts.  Each piece overlapped with the others to provide alignment hints.

Part one of the passphrase was the MAC address of a client probing for somewhat obvious networks - hints about other components of the challenge, etc.  Converting the MAC address to ASCII got you the first piece.  Additional hints were in the SSIDs probed for - "Part one is right in front of you".

Part two of the passphrase was the WEP key of an encrypted network.  A client routinely joined the WEP network and pinged, to force an ARP exchange.  Standard WEP cracking (aircrack-ng) would disclose the key.

The third and final part of the passphrase was concealed by a WPA-PEAP client.  The client was deliberately misconfigured to not validate certificates.  By bringing up a WPA2-EAP network for the client looking for "ARE YOU MY MOMMY?", with a radius server configured to accept any login, the client would join, arp for an IP address, and then send a UDP frame containing the final component of the WPA2 passphrase.

The probing client hinted towards this network by probing for SSIDs like "there's a lost client" "he's very trusting" "can you give him a home"

With all 3 components of the passphrase, joining the network would cause a client to ARP for a specific IP address again, then send another UDP frame with the target email address.

Originally the plans were much more evil - requiring a SDR of some sort and hunting across multiple frequencies given.  I hope at least people had fun!


  1. Are you planning to do this again next year? Sounds like fun, I'd love to give it a shot.

  2. I don't know - If I'm going to defcon again maybe I can try to do something similar in the wifi village