
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
It’s a Pwnagotchi Party!
Join the IT Audit Labs crew to talk about Pwnagotchis! We will review how a Pwnagotchi collects keys/WPA/WPA2 information from 4-way Wi-Fi handshakes, and how to crack those keys/how the key exchange functions. It’s a Pwnagotchi party!
You're listening to the Audit presented by IT Audit Labs.
Mandi Rae:Hello and welcome to the Audit. We are here for a Pwnagotchi party, and joining me today is Eric Brown, Kyle Rosendahl and our guest Jayden Truffler. Hi everybody.
Eric Brown:Hey Mandy.
Mandi Rae:Hello. Well, thanks for joining the IT Audit Labs gang, Jayden. We're excited to talk about Pwnagotchis. Kyle, do you want to take us through our agenda?
Kyle Rosendahl:Yeah, absolutely. So today we're just doing a quick episode on these little gadgets. They're called Pwnagotchis. I'll show it to the camera, but for those not watching, they're built on a Raspberry Pi Zero, which is a tiny little microcomputer. It's like, I don't know, an inch and a half by three and a half inches, maybe an inch thick, and you can put a little screen on them or not, and they're just little cheap gadgets. I think you can throw them together for 50 bucks, and they're made for kind of Wi-Fi research and for cracking Wi-Fi passwords. So they're kind of fun. A lot of people in the DEF CON community and in kind of the hacking community in general all have one. They can connect to each other, talk together, and we're just kind of going over how they work, how they crack passwords, how they collect the information that you need to crack a Wi-Fi password, and then kind of the types of fun that you can have with them. So that's kind of our agenda for the day.
Eric Brown:I feel like these e-ink screens, or even the Pwnagotchi itself, would come in nicely for a DEF CON badge.
Kyle Rosendahl:That would. Yeah, they've always done like the LCD screens, but I bet an e-ink one would be pretty cool. Anyway, Pwnagotchi is a combination of two different words. We were talking about this before we started recording. Pwn, I don't know, we talked about maybe it came from World of Warcraft, but somewhere in the online world it's essentially just, you know, gamerspeak or hackerspeak.
Kyle Rosendahl:Now, to like, totally own something, right, you pwn it, you own it. Slang on the internet, that kind of evolved into a real word. And then Tamagotchi right, the cute little guys on the digital pets from the 1990s. You can still buy them today. I think they're making new ones. Stick those two words together and it's a Tamagotchi again.
Kyle Rosendahl:For people not watching, the little ink screens on the front have a little cute face on them, and the idea is that these guys like to eat Wi-Fi signals. They like to eat Wi-Fi keys, and the whole point is that they'll collect the information necessary, use that for their food and then give you something to crack so you can try and figure out what that Wi-Fi password is. There's a little bit of AI going on in the background. We'll talk about that. They're super easy to set up, they're super easy to use once you get them going, and it's just kind of easy fun to figure out: how does a Wi-Fi authentication protocol work? What can you do to get in the middle of it, crack it, you know, take over an access point that you might not be supposed to, and it gives you a reason to get out, walk around your neighborhood and see what's out there.
Mandi Rae:Did you guys have Tamagotchis?
Kyle Rosendahl:I have two Tamagotchis at my house as of Christmas this year.
Mandi Rae:I love it. Really, I think one of the funnest aspects of this is what you guys name your Pwnagotchis. Have we gotten into what the names of your little guys are that you shared with us?
Kyle Rosendahl:We haven't. I named mine Skajigachi after a tattoo that I got.
Mandi Rae:How about you Jaden?
Jayden Truffler:Mine is Gloria. I don't really have a reason for her name, I think it just came to me.
Mandi Rae:Every time I hear it, I think of the song and I want to sing it to your Pwnagotchi. And Eric, I think you have a unique name.
Eric Brown:I do. Mine is Pwn McPwnface, from the Boaty McBoatface.
Kyle Rosendahl:So getting into kind of why it matters, right. Again, it's for fun, it's to just do things with, to learn about Wi-Fi, to crack passwords, to learn. But from an educational standpoint for users and for people who create Wi-Fi, it can expose that, again, something that we like to preach in security is that the defaults are dangerous. On the screen here, again, if you're not watching and you're just listening, I've got a whole set of different wireless router photos of the backs of those routers, by like the barcodes and the MAC address and the serial address. Pretty much every router you get from Comcast or CenturyLink or Spectrum or whoever you go to for your internet connection, they have that router login page on there. They have the default username and they have that default password. There's a lot of people out there who snap a photo of the back of their router and they don't change it. They just plug it in once to their device, they forget it and then they never use it again until a guest comes over. They go get the router, get the photo and they bring it out and share it with them.
Kyle Rosendahl:Hackers know that these things are generated in a certain way. I put a link on this. We'll share these slides in the show notes afterwards. But RedSquirrel7, out on GitHub, he's a GitHub user that makes some cracking, hacking tools, things like that. He figured out kind of the structure by which Netgear was creating their default passwords. So he wrote a Python script out there that takes, I think it's essentially like adjective verb number, and so he made the biggest list of adjectives, the biggest list of nouns, I think it was adjective noun number, and then numbers, and then he just makes combinations of those while it does the cracking, and it's got a pretty high success rate of getting into these Netgears.
Kyle Rosendahl:So again, if you've got a Pwnagotchi and you're collecting Wi-Fi signals and Wi-Fi keys, the first good place to start is with a tool like that, where the password is created using some sort of method that's guessable or knowable. That's going to give you the highest rate of actually getting into access points. If you're not doing something illegal, it doesn't really get you anywhere. But if you're trying to get into a business or you're doing something illegal or you're trying to break into a network that you're not supposed to be in, right, leaving those default credentials in place makes it possible for someone to just grab it with a little $50 tool, crack it using just freeware out on the internet and get inside. So, again, easily guessable or known password combinations, you can kind of expose that security flaw with one of these.
Kyle Rosendahl:So in talking about that Wi-Fi security, right, there's a few different protocols that are used, and have been used historically, to authenticate with an access point. When I say an access point, I'm talking about a router, or I mean a wireless access point that's tied to some sort of central switch. Most people's homes, as you're looking at those, are just going to have your modem and your router, or a device that's both in one. Before you get on the internet and before you're able to get an IP address and actually connect to the internet, you need to authenticate to that router, right, and most people think of that as being a username or maybe just a password to authenticate to it. But there's actually a lot of pieces that go on in the background that can be exploited by something like a Pwnagotchi or other tools that exist out there, and the way by which devices authenticate with those wireless access points or with the routers determines, you know, how secure that password is as you input it. So, WEP was kind of the first wireless authentication standard that existed.
Kyle Rosendahl:It used an RC4 stream cipher to encrypt those keys. It used that due to US export laws and not being able to export anything of cryptographic importance. I think that was back in a 1980s or 1990s US code, so you couldn't send any materials that explained or did cryptographic processes. So in order to reach markets overseas, they put an intentionally weak cipher on them so that they could export them and make money. In 2001, a whole group of hackers used just default freeware that they got. It's called Aircrack-ng, and they could crack any WEP key in minutes. So this is known to be a bad security protocol. If you see it, know that basically anyone can get in within minutes without the keys or anything. Most people don't have it, most of it's not enabled. But I think if you watch the Dennis Pelton episode about Wi-Fi security, he talks about WEP, and people have done scans on Shodan and there's still plenty of WEP sitting out there in the world. So it's not totally gone, but it's definitely not secure.
Kyle Rosendahl:Pwnagotchis look at WPA and WPA2. These use a four-way handshake to authenticate with the wireless access point between the client and the access point. That can be exploited by something like a Pwnagotchi or someone who's able to sniff that traffic over the wire. Basically, the only difference between WPA and WPA2 is the use of AES-128. So WPA2 uses an encryption method called AES-128. It's a fairly solid encryption standard. It just kind of improves upon WPA, and then WPA3, we can talk about that more, uses a totally different authentication protocol. These Pwnagotchis are not able to mess with WPA3. There's some methods out there that deal with trying to crack WPA3, but in essence it's much more secure. Nothing's really sent plain text with that protocol, so it's much more secure. So, looking at WPA and WPA2 handshakes, this is essentially the meat of what the Pwnagotchis are doing when they are trying to essentially brute force the key to get onto the access point. Again, this is a pretty slide-heavy presentation, so if you're not watching I'd suggest going out, checking out the show notes, grabbing the slide, and I think it's six, but it shows just a basic framework of how WPA, WPA2 four-way handshakes work and what the Pwnagotchi is looking for and able to crack that key. So I'm going to use my mouse here to kind of point things out.
Kyle Rosendahl:When a device is trying to connect to an access point or a wireless router or anything like that, there's four different messages that go back and forth between the two devices, called that four-way handshake, and each message that gets sent back and forth in these little tiny blocks of data contains a different amount of data that's important to authenticate with one another. So, essentially, what they're trying to build up to is called the pairwise master key, this PMK, and that PMK is, once it's crafted and correct, the access point knows what it's supposed to look like. And if they have the correct PMK, pairwise master key, then the device is able to then, you know, be a part of the network. So, essentially, whenever an access point and a device are trying to communicate, that device reaches out and says hey, you know, access point, I want to connect to you. So that access point is going to start out by sending one message back using just a known public key, and it's going to send that. And it sends an ANonce, and an ANonce is essentially just the access point nonce, a nonce being just a randomly generated string of digits, and then it sends it via unicast, right. So it sends that over to the device, and once the device receives that, it's going to generate a pairwise transit key, right, and that pairwise transit key includes the supplicant, or the device, nonce, sent via unicast. And then it adds the message integrity check to the end of that thing.
Kyle Rosendahl:So as far as a Pwnagotchi is concerned, these first two steps are all it needs to see to begin cracking the pairwise master key that's eventually generated. Because in essence, that PTK includes the SNonce and the MIC. Message one includes the ANonce, and when you're creating a final PMK, the PMK is basically the ANonce, the SNonce, the two MAC addresses of the access point and the device, and then that's all stuck together with that message integrity check. So message one, it receives that ANonce. Message two, you receive the SNonce. You have those two pieces. You get the two MAC addresses of the devices.
Kyle Rosendahl:The only thing you need to solve for is that PMK, and just a little bit of basic algebra says, you know, whenever the message integrity check for that PTK returns true, from this being in place, the PMK, ANonce, SNonce and the MAC addresses, then you know you're good. So since you have all the pieces to make the PMK or guess the PMK, all you need to do is then crack the PMK. So that's where the brute forcing comes in place. Then, essentially, what you're doing when you're cracking is you're just putting in random values for the PMK, or educated guesses as the PMK, combining them with the A, the S, the MAC and seeing if they then match that message integrity check. Once you get a match, you know that you've gotten the correct password for that PMK. Does that make sense, or does anyone have any questions on that?
Mandi Rae:There's a lot of algebra.
Kyle Rosendahl:Yeah, it's a lot, and I'm trying to explain it in a way that you know, our listeners can get an idea for it.
Mandi Rae:You're doing a great job. It's a bad word problem.
Kyle Rosendahl:It is, and I wish there were better ways to describe you know I could have come up with some goofy analogy for all of these pieces, but if you listen to it, you go. Look at the slide. I think it'll make a little more sense.
Eric Brown:Mandy was smiling like she had walked into a Calc 3 class when she was expecting, like an English lit.
Mandi Rae:Totally. You got to unicast and I was like, okay, I'm lost here, but I do think your visual and being able to see it is imperative to understanding. So definitely check out the IT Audit Labs website and/or watch the YouTube.
Kyle Rosendahl:So the Pwnagotchis come into play, right. Again, if we're looking at the slides, the access point is sitting out there. It's communicating with a cellular device, right? Let's just say, here, we've got an iPhone, you've got it connected to your Wi-Fi channel. Everything is good. When you authenticate for the first time, that WPA, WPA2 four-way handshake takes place and then you basically stay authenticated. Now the only difference is most of our cell phones, most iPhones, most Androids, most every device that you can connect to the Wi-Fi, you can choose to save that password in the memory and say, you know, I've authenticated once, keep my session valid. You know, if I drop the Wi-Fi when I go to work, when I come home, I don't want to have to retype my password back in, right. So it's not saving a plain text password, but it's saving that authenticated data and saying oh yeah, you've got the correct PMK, you've got all these pieces. So when you come back within range, yeah, just automatically reconnect, that's totally fine, no problem there. Essentially, what the Pwnagotchi is doing here is it's sitting in the middle listening for a device sending that signal to an access point and just kind of scooping up that information while it's in flight. So it's looking for the first two halves, two parts of that four-way handshake. You know, message one, message two, to get the nonces, the message integrity check, and then it's trying to guess that PMK.
Kyle Rosendahl:The Pwnagotchi also has a little piece of software built into it called BetterCap, and BetterCap can be used as kind of an attack framework to do deauthentication attacks. This is where these guys get into the gray legal area, because what they can do is, if they're sitting on a network long enough, or they see a network long enough and nobody's authenticating to it, they can say hey, you know who's authenticated to you. I'm going to send a flood of deauth packets to the access point, which in turn disconnects all devices from the access point and then forces them to re-authenticate. Then it can sit there and sniff those authentication handshakes and try and grab more information, if all that makes sense. The last kind of fun piece about these Pwnagotchis is that they also have a little bit of AI kind of built into the background. The AI on these, it's nothing super fancy, it's a pretty quick little method. But since different Wi-Fi environments are different, right, if you're at a hotel, there's a lot more access points, there's a lot more people connecting, there might be a lot more kind of varied authentication times and you'll see a lot more authentications without de-authenticating anybody.
Kyle Rosendahl:The Pwnagotchi is sitting there and, as it's collecting handshakes and as it's de-authenticating people from access points, what it's also trying to do is it's trying to figure out how long do I sit there and try to deauthenticate. How long do I sit here and wait for handshakes to appear? You know, how long do I search for new access points? And so it's taking those variables and, using what they call A2C, or an advanced actor critic model, it essentially tries to balance out the length of time for which it sits there and scans for access points, deauthenticates people and grabs handshakes to try and bring back the most valid sets of information that then you can take forward to crack. So the longer you have it online in a certain environment, theoretically the better it's going to be at collecting more handshakes faster and in a more kind of constructive manner, rather than sitting there trying to deauthenticate someone.
Kyle Rosendahl:For 30 minutes? Doesn't work, you know, it's going to stop doing that and try something different, and its return value is basically just on, you know, if you got more handshakes doing this, keep doing that. You know, if you got fewer handshakes trying something different, go back to what you were doing before. So there's a whole write-up on pwnagotchi.ai about how the model actually functions, but in essence it'll just kind of tune itself to whatever environment you happen to be in after, you know, being on for longer and longer. And then finally you've figured out how do the handshakes work, how do we de-auth people from access points? What are we trying to collect?
Kyle Rosendahl:Once you have that, the Pwnagotchi keeps a little tally in the bottom left corner that says how many things have you pwned, meaning how many handshakes have you collected that have enough information in them for you to start brute forcing? That's where you can start brute forcing some of these passwords and connect them back to those access points. So there's a few ways to take these. It'll dump those handshakes into a PCAP file on the local device and you can pull those off, and then it's up to you to choose how you want to crack those and decide whether you want to, you know, try and brute force the passwords for the access points that you saw. Again, if you're doing some sort of pen test or red team assessment and you're trying to get into a business, you definitely want to take those two handshake files and try and get the, you know, wireless password for the corporate wireless. That's a pretty big target. So a few ways you can do it.
Kyle Rosendahl:Hashcat has a converter. It's out on GitHub. I think it's actually part of the Hashcat installation if you get all the Hashcat utils off the Hashcat website. So I think you can get it on GitHub or off the Hashcat utilities, and it essentially takes any PCAP file that has enough of that information and it'll create a Hashcat hash for version 22000. So as you're doing your Hashcat with your GPUs, you can crack those PCAP files as Hashcat files and speed it up with GPU processing. So if you have a lot, it's a good way to do it.
Kyle Rosendahl:Another method, if you don't want to screw around with Hashcat and converting and GPUs and all of that tuning stuff, Aircrack-ng also can do PCAPs natively. You don't have to convert them to anything. The only downside is I think it runs only on CPU. If I'm correct, it'll crack WEP, WPA and WPA2 files. So you can just sit there, feed it a word list. If you want to do the combinator attack for the Netgear routers, you can throw whatever you want at it and it'll, one by one, try and crack that pairwise master key to get you your Wi-Fi password and get on.
Eric Brown:Question for you when it's doing the deauths, is it doing it on every channel at the same time or does it hop between channels?
Kyle Rosendahl:For the most part it's just flooding the access point with the deauth packets. So basically all channels, it depends on your Pwnagotchi. So like the Pi Zeros, these little guys, they only have 2.4 gigahertz. So if someone's connected on five, it's not going to deauth or even see those connections. If you get like a five gigahertz antenna to plug into this, you can get that five gigahertz channel and then it'll do it on that as well. There's a tiny bit more setup to do. Or if you build it on a bigger Pi board that has both channels, then you can do that as well. But basically it's just dumping everyone off the Wi-Fi.
Jayden Truffler:So it goes by access point.
Kyle Rosendahl:So if you're in an environment where there's eight access points for one Wi-Fi signal, it's only gonna hit one of those and the client's connected to that. So if you're in some sort of mesh network, it's only doing like one MAC address at a time. Oh, I see.
Eric Brown:That makes sense. Yeah, well, like in Wi-Fi 2.4, there's 11 channels, I believe, so it would go channel by channel to get all 11.
Mandi Rae:Before we dig into these resources anybody, have fun Ponegachi stories. I'm living vicariously through you guys.
Eric Brown:Jayden wants to say something.
Jayden Truffler:I'll touch a little bit on my story. So we went to DEF CON two years ago and I was working with Kyle to set up my Pwnagotchi, and I was very, very excited to get going with it. I think we set him up like a week before we left, so I had mine going all the time, but might have brought it to the airport, might have kept it in my backpack and might have gotten, I think, 500-ish handshakes in that time.
Mandi Rae:That's a pretty amazing coming out party for Gloria.
Jayden Truffler:Gloria was. She was having a good time. She was busy that first weekend.
Kyle Rosendahl:I feel because you flew into DEF CON like overnight on the red-eye flight, I feel like we all met up the next morning and you're like, yeah, I've already got 550 handshakes. How did you get so many Like four hours of sleep?
Jayden Truffler:Nope, we just kept going.
Eric Brown:Is that the same year, Kyle, that you were cloning the hotel room keys?
Kyle Rosendahl:No, that was the year after.
Mandi Rae:There's always fun DEF CON shenanigans.
Kyle Rosendahl:There is and another fun thing that you can do with them and I've never gotten the chance to do it with just a random person.
Kyle Rosendahl:But the Pwnagotchis actually have an encrypted message thing built into them, so it's called the PwnGrid. So if you opt into it in your config files, you can see other little Pwnagotchis that live nearby, and if they're active and they're within range, they can actually communicate, and so you can actually send peer-to-peer encrypted messages from one Pwnagotchi to another by using just an open API. So if you're sitting there on your computer and you see, oh, this guy's got his Pwnagotchi on nearby, there's Pwn McPwnface, I could just pull up my API, go to a web address of my Pwnagotchi, say, send message to this guy. I could send an encrypted message directly from Pwnagotchi to Pwnagotchi, fully encrypted. So there's goofy little things on them that you can do that I've never done with anybody else, but I know at DEF CON every year, I think, they have a Pwnagotchi party where people put them together, they raffle off, you know, sets, and some people go all out and put like LEDs and shiny stuff on them and make them all fancy.
Jayden Truffler:Yeah, we'll have to try that out next.
Eric Brown:Jayden shared her fun Pwnagotchi story. Do you have a fun Pwnagotchi story, Kyle?
Kyle Rosendahl:I don't know if I have a fun one like that. For the most part, you know, it's interesting to use them as kind of tools for crafting word lists, right.
Kyle Rosendahl:So if you're just sniffing the wire and you're not de-authenticating people, they're not technically doing anything illegal, right. You can just scoop that stuff up as it's in transit, and if you're not using the information you gather to break into somebody's Wi-Fi, there's no malicious interaction with that person's network, so you're not breaching anybody's networks.
Kyle Rosendahl:But one thing that I've found them very useful for is just collecting stuff, practicing cracking hashes, and then you get some really interesting context for how people create their passwords. So I've been able to use it to, you know, make better crafted word lists and things to try and crack other stuff. Because I think one of the things that you find, especially if you're in kind of the red team side of things and you work on creating word lists, or if you work on cracking passwords or even AD password cracking, people think they're kind of creative with how they build their passwords, but a lot of times they're very similar and they're very not unique. So finding ways that people do their Wi-Fi passwords, you know, kind of gives us a better idea on how to craft passwords more effectively in the future. So building those kind of crafted word lists is something that, you know, I think they're super handy to do. So not nearly as exciting as Jayden's story, but a fun use for him.
Mandi Rae:Eric, do you have any stories of your Pwn McPwnface up to no good?
Eric Brown:No, I don't. I've just carried it around the office from place to place and gotten a couple handshakes, but nothing like Jayden's story.
Kyle Rosendahl:Before we go too off topic, right, I think one of the things I didn't cover too much is common defenses, right, against these types of attacks. So, for those people using WPA, WPA2 to protect their networks, you know, one thing that you can do to protect against something like this is to use a secure password that's not easily guessable. If you want to be super secure, make sure that you're not remembering your password with any device, so that if it gets disconnected it's not automatically resupplying that password to the access point. Doing those two things with WPA, WPA2 makes it much more difficult to breach. But then, kind of the last piece, and I can try to jump to add some resources up to WPA3.
Kyle Rosendahl:And talking about that handshake, you could implement WPA3. It's not super widespread at this point in time, just because, as it comes to WPA3 and WPA2 compatibility, essentially both the device and the access point have to be compliant with one another, and if one of them is using WPA3 and the other one doesn't support WPA3, it's going to default back to WPA2 if that's enabled. And if you don't have WPA2 enabled, then it won't get on the Wi-Fi. So there's a compliance issue there between having a device and the access point both compliant with the same authentication standards, and then making sure that, you know, you have widespread availability as well as a secure system. Essentially, I could have looked it up, but WPA3 uses like a simultaneous key exchange, and then it uses like a Diffie-Hellman key exchange as well, with an elliptic curve. But essentially what that means in non-super technical nerd speak is that both the access point and the client are creating a private and a public key invisibly from one another, similar to how, like, PGP encryption works for email. The only thing that the other side sees is that public key as they encrypt their messages, and then they're using the other side's public key to decrypt the messages and make sure they match the privates on the back end. That stops this four-way handshake attack from working, because there's no kind of plain text data that's getting sent in between that works for the authentication protocol.
Kyle Rosendahl:Now there are some researchers who've tried to crack, what do they call it? They don't call it AES. There's SEO, maybe, the way in which these things occur at the same time, simultaneous encryption something. SEO, I think, is what they named it. But some people have shown some security vulnerabilities. But it's still way more secure than WPA, WPA2. So if you can do WPA3, obviously do that. Otherwise, strong passwords and not saving your password.
Mandi Rae:Those are really good insights into how to protect you against other people with Pwnagotchis. Let's dig into our listeners who are kind of jealous right now and want to take this next week to make their own. Is the first resource you have Build a Pwnagotchi?
Kyle Rosendahl:It is, yeah. So pwnagotchi.ai is the website for the Pwnagotchi. It basically has all your instructions. It gives you a shopping list of what items you need to buy, as well as links to the recommended hardware, and then just basic installation and configuration instructions on there. So it's pretty straightforward. Takes a little bit of technical knowledge, but they do a really good job of kind of spelling it out step by step. So as long as you read carefully and just kind of choose the most easy stuff to put together, I'd say you could get it done in an afternoon.
Mandi Rae:I was reading as you were scrolling down here, someone saying it's cute AF, and I agree they are so stinking cute.
Jayden Truffler:I like how they make different faces when they make a handshake, so you can hear. It's like he's wearing glasses. Mine looks like it's scared. But, yeah, they make different faces when they make new connections or when they're around another Pwnagotchi.
Mandi Rae:What other resources do we have?
Kyle Rosendahl:Yeah, the other resources. I don't know if we have to get into learning about BetterCap, that framework that the Pwnagotchi uses to do deauthentications. I've got an explanation of the BetterCap attack and how it does that. And then again GPU and CPU cracking, just some resources there for Hashcat usages, and then that Aircrack-ng website. So if you're interested, obviously check out the slides, check out the pwnagotchi.ai website, and if you want to learn more about the attacks, I've got some good resources there as well. Anything with IPv6 and how that might relate to this at all?
Kyle Rosendahl:Kyle, yeah, I mean IPv6, it's post-authentication with the wireless access point, so probably not a ton to do with these access point attacks, but IPv6 is, I mean, we skip IPv5. IPv4 is a 32-bit address. IPv6 is a 128-bit address. 128? Yeah, because IPv5 would have been 64. So, yeah, it's a 128-bit address and essentially will expand, you know, how many addresses can exist out on the internet. IPv6 is going to be theoretically more secure from that standpoint, but I don't know. I think it'll be the standard someday. I'm not sure when that day is going to be, hopefully when WPA3 is fully standard. What are your thoughts on IPv6?
Eric Brown:I was at CES last week, and CES, if you haven't been, it's huge. It takes up multiple floors of multiple casinos and convention centers, and I was on one of the floors, I don't remember which one, but I was walking along and there was a sad little table off to the side, where these companies like LG, for example, have spent millions on their booth. It's hundreds of feet long and tall and wide and has all sorts of new technology in it. So I was just walking all around seeing all these new technology things, and I see this sad little table off to the side, and there's a poster on it for IPv6, and it was the Wireless Foundation or whoever is advocating for IPv6. And they had a couple of stickers on the table and everything.
Eric Brown:And I stopped and chatted with them and asked them how people's reaction was to IPv6. And they said most people said that while they understood the need for IPv6, they weren't looking forward to implementing it or hoped to be retired by the time it was implemented, just because it's changing the paradigm of how networks connect and talk to each other, with all addresses essentially being public. So from an information security perspective, that does change quite a lot around how you set up your networks. So not that it would be better or worse, just different. So it was cool to see them there, and I'm glad that they're advocating for it. But I've heard the same thing when I've talked to others about how much IPv6 they've put in their networks. I know when we go into client sites we don't see it a whole lot. Obviously it's already out there in some of the public space with Comcast and other ISPs. Your modem or your gateway will have an IPv6 address, and your cell phone has an IPv6 address. But we don't see it a lot in corporate networks yet.
Kyle Rosendahl:And I know from like an analyst perspective, and maybe Jayden can speak to this too, the one thing that doesn't exist for IPv6 very well right now is like a standard lookup table. So it doesn't apply to, you know, access point security. But when we see an IPv6 address come in as part of like an attack, or as part of a, you know, threat framework, or inside a piece of malware or something like that, there isn't necessarily like a public database right now that's super accessible, where we can do like a reverse IPv6 lookup and say, you know, this address belongs to, you know, this group of Facebook data centers and here's the administrator for it. You know, you can put in 111, you name it, for your 32-bit address and basically find who owns it. IPv6, there just isn't like a good curated database right now, so it feels more anonymous and weird. But I can see why people would not want to do the work to get it implemented. That makes perfect sense.
Jayden Truffler:Yeah, I agree, Kyle. There's just not a lot of info out there on analyzing these IP addresses, the IPv6 ones, but I'm sure over time, once people start migrating in that direction, they'll become more available.
Mandi Rae:And I've heard a lot of acronyms today. So CES, I want to try to guess. Is that the Consumer Electronics Show?
Eric Brown:It is. Yes, it's held once a year in Vegas, usually, I think, the first convention of the year, so it's usually the first or second week of January, which is a great time to be in Vegas. Quite the opposite of DEF CON, where it's like 120 degrees in Vegas. It was a nice, comfortable 40 to 50 degrees during CES, and this year there were, I think I saw, 160,000 people. They said that were there this year. In past years I think it's approached 200,000.
Mandi Rae:Can you state the tech you want to brag that you got to see?
Eric Brown:Let's see. I was impressed with a couple of things. One of them is a 3D monitor. So where in the past, in order to see something in 3D, we've had to put on the glasses, right, like you're going to the movies?
Eric Brown:This year there were a couple of companies that had monitors that had cameras built into them, and if you stood a certain distance away from the monitor, like three or four feet, it would capture where you were looking. So the built-in cameras would recognize your eyes, and from that point on it would track where your eyes were looking. So if you moved a couple of feet to the left or right, it would track your eyes, and the way the frame refresh rate was built, it was showing essentially two stereo images, and what it looked like when you were standing in the right field of view was an actual 3D image in that monitor. So that was pretty cool, and if you were behind somebody that was looking at it you could kind of see that it was 3D. But when you were right in front of that monitor it really looked 3D, which was pretty cool.
Eric Brown:And then I saw some other technology where there's a company that had a camera off to the side of the keyboard that was paired with a pen, and that pen then was moving in 3D space so you could manipulate the 3D objects on the screen with the pen. I don't know a lot of practical uses for it yet, but maybe in doing some engineering or bioscience you might want to manipulate models in three-dimensional space on a computer screen. It seems like it'll be pretty cool, and I would think in the next three years we're going to see that mainstream, like we saw the curved monitors, and I think before that, wasn't it like around 2010 you could go to Best Buy and get a 3D TV, but you had to wear the glasses? So that was cool. There's a lot in robotics around home automation and yard automation, with robotic vacuum machines and things like that. We've seen those for a while.
Mandi Rae:A few different companies had lawnmower machines. I was going to say my neighbor has one where it's like DJ Roomba but for your grass, and I thought that was crazy. So you're seeing more of that in the marketplace? Yes, there's one company.
Eric Brown:There's one company, maybe it's called Yardbird. They have essentially the engine piece, and then there are three different attachments at this time: one is the lawnmower, another one is a leaf blower, and then another one was a snowblower. So it essentially would go out, and if you had the snowblower attachment on there, it's just going to continue to clear the driveway or the sidewalk throughout the snowstorm, because it could only do maybe six inches at once, but the thought was you would just have it continually running.
Mandi Rae:Unless you lived in Minnesota with a good snowstorm.
Eric Brown:Yeah, so there were some pretty cool things. I don't know that I would go every year. I might go every five years or every ten years, just because I don't think the stuff is going to turn over. There's not going to be anything next year that probably wasn't there this year. Maybe there'll be one or two things that came out, but it's the slow progression of tech. Lots of electric vehicles; electric boats were a thing, electric hydrofoils. Not a lot of drones this year, it didn't seem. There was a dental device, I think it was a company out of Korea. It looks like a Waterpik, but just the handle part, and you could scan your teeth with it. It had a laser on the end. You could scan your teeth with it and it would measure the depth of any cavities that you had, and then over a certain number they say you should go to your dentist. So it would kind of measure. The scale was between 1 and 99. So I thought that was interesting, and they were selling that on the spot for $200.
Mandi Rae:Crazy. People are going to be triaging their own dental care needs now from home.
Eric Brown:That's frontier medicine yeah.
Mandi Rae:So you see what you see there and predict how soon in the future it will be readily available for us to buy on the market.
Eric Brown:Yes, and a lot of companies there were trying to get their products picked up by a distributor or a manufacturer, so it could be a company of like 10 people. Like a low-key Shark Tank.
Eric Brown:Exactly. Bloodless, or sorry, yeah, I guess bloodless, you could say, where you didn't have to prick your skin to test your glucose levels, so it was using a laser to get that information. So there was a laser lance where it burned, I think they said, at like a thousand degrees, something like that. But it would actually prick your skin with the laser, but you wouldn't feel it because it was such a small hole, and then you could put that on a piece of paper and stick it in the machine to get the glucose reading. I thought that was interesting.
Mandi Rae:That's really cool, as we strive to look for cures for things such as diabetes. Hopefully technology can advance so it's not so uncomfortable to be able to manage your health. That's really cool.
Eric Brown:And the last one I guess I could talk about was in that home medical device space. There is a company, and I don't remember the name of the company, but they had these almost tongue-depressor-size sticks, and the idea is you put that stick in a urine stream and then take a picture with their app. So you take a picture with your camera, with your phone camera.
Jayden Truffler:You're starting to sound dirty. Okay, keep going.
Mandi Rae:Pee on a stick. Take a picture of it.
Eric Brown:And then it would tell you what was going on with you and all of your maladies associated with what it could pick up, so glucose or other vitamin deficiencies, anything that could be, I guess, essentially detected that way. So I thought that was kind of interesting.
Mandi Rae:Kind of brings new thoughts to using a stick and urine to find things. Notoriously it would be, am I pregnant? And now we're finding out, oh, I'm vitamin D deficient. It's pretty cool how they're evolving on things.
Kyle Rosendahl:It's just about gender equality with peeing on sticks.
Eric Brown:I think there were a couple of other things that were there, but we could talk about those in an After Dark episode. Okay, yeah, that sounds good. Well, thank you for sharing with us.
Mandi Rae:That's so interesting, to talk more about the Consumer Electronics Show. Pivoting back to Pwnagotchis, anything else, team, before we wrap up for today?
Eric Brown:Not for me, other than that we've got both Kyle and Jayden on with us here, and we may have to have them come back for a future episode, because right now there's a little contest going on between Kyle and Jayden, where Jayden's got a project that she's working on, essentially replacing the physical security, the door badges and the door locks, for a company. And Jayden's got some pretty cool tech there, and she did a pretty cool design on that security, and Kyle thinks that he can bypass Jayden's security. So this could be a pretty good future episode.
Kyle Rosendahl:Good luck, Kyle. I tried to put a case of High Noon on the line and she didn't respond, so I think she's afraid.
Mandi Rae:I think a case of High Noon is exactly what the bet needs to be, and I'm going to ask our loyal listeners to stay tuned, because we will revisit once Jayden has her security structure in place and see if Kyle was able to penetrate it. This is going to be interesting. Competition's on, man. Well, thank you to Jayden for joining the podcast team here on this episode of the Audit, and many thanks to you, Eric and Kyle, for bringing this valuable insight. As our listeners know, you can stream the Audit anywhere that you stream podcasts. If you want to check out the presentation material and get to see the video, please check us out on YouTube or our website, itauditlabs.com. Hope everybody has a great rest of your day. Talk to you guys later. Bye, bye.
Eric Brown:A well-designed framework will reduce organizational risk and improve overall security posture. Contact IT Audit Labs and have us lead your team in outlining a strategic approach to remediate organizational risk.