Every company uses wireless networks in some way, and asking for the WiFi password, simply expecting a wireless network to be present, is the new normal. We are constantly surrounded by dozens of devices blasting out wireless packets that are not only full of interesting information but also unencrypted.
The WiFi attack vector was identified a long time ago, and the famous WiFi Pineapple devices make it possible to exploit issues with the 802.11 WiFi standard even without strong wireless expertise. To make things worse, access point logs are rarely centralized, and even if they are, they don't contain the information that would let you spot an attack early.
This talk explains important parts of the 802.11 standard, how it can be exploited, and how to collect wireless frames using my Open Source tool "nzyme". Nzyme collects important 802.11 frames and sends them into the Open Source log management tool Graylog. We will demo a Graylog instance filled with 802.11 frames and show IDS and DFIR use-cases like spotting rogue access points or certain attack patterns.
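To make the rogue access point use-case concrete, here is an added example that is not code from the talk or from the nzyme project. It hand-builds a few 802.11 beacon frames (constructed sample data, not a capture), parses the management header, fixed parameters and the SSID information element, and flags any BSSID that advertises a corporate SSID without being on an allowlist. The SSID name and BSSIDs in the allowlist are assumed values; the frame layout follows the 802.11 beacon format.

```python
import struct

# Constructed allowlist: corporate SSID -> authorized BSSIDs (assumed values).
AUTHORIZED = {
    "corp-wifi": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
}

MGMT_HEADER_LEN = 24   # FC(2) + Duration(2) + Addr1/2/3(18) + SeqCtl(2)
BEACON_FIXED_LEN = 12  # Timestamp(8) + Beacon Interval(2) + Capability(2)
IE_SSID = 0            # Information element ID for the SSID


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid, ssid):
    """Construct a minimal beacon frame (sample data for this example only)."""
    fc = b"\x80\x00"                 # version 0, type 0 (management), subtype 8 (beacon)
    duration = b"\x00\x00"
    addr1 = b"\xff" * 6              # beacons are sent to the broadcast address
    addr2 = addr3 = mac_to_bytes(bssid)  # transmitter and BSSID are the AP itself
    seq_ctl = b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval (TU), capability
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    return fc + duration + addr1 + addr2 + addr3 + seq_ctl + fixed + ssid_ie


def parse_beacon(frame):
    """Return {'bssid', 'ssid', 'interval'} for a beacon, or None for anything else."""
    if len(frame) < MGMT_HEADER_LEN + BEACON_FIXED_LEN:
        return None
    fc0 = frame[0]
    frame_type = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if frame_type != 0 or subtype != 8:
        return None                   # not a management/beacon frame
    bssid = bytes_to_mac(frame[16:22])
    body = frame[MGMT_HEADER_LEN:]
    _timestamp, interval, _cap = struct.unpack_from("<QHH", body, 0)
    ies = body[BEACON_FIXED_LEN:]
    ssid = None
    i = 0
    while i + 2 <= len(ies):          # walk the tagged parameters (ID, length, data)
        eid, elen = ies[i], ies[i + 1]
        data = ies[i + 2:i + 2 + elen]
        if len(data) < elen:
            break                     # truncated IE: stop rather than misparse
        if eid == IE_SSID:
            ssid = data.decode("utf-8", "replace")
        i += 2 + elen
    return {"bssid": bssid, "ssid": ssid, "interval": interval}


def find_rogue_aps(frames, authorized):
    """List (ssid, bssid) pairs that advertise a protected SSID from an unknown BSSID."""
    rogue = []
    seen = set()
    for frame in frames:
        beacon = parse_beacon(frame)
        if beacon is None or beacon["ssid"] not in authorized:
            continue                  # ignore non-beacons and SSIDs we don't own
        key = (beacon["ssid"], beacon["bssid"])
        if beacon["bssid"] not in authorized[beacon["ssid"]] and key not in seen:
            seen.add(key)
            rogue.append(key)
    return rogue


# Constructed sample frames: two legitimate APs, one unknown BSSID cloning the
# corporate SSID, and one unrelated network.
SAMPLE_FRAMES = [
    build_beacon("00:11:22:33:44:55", "corp-wifi"),
    build_beacon("00:11:22:33:44:66", "corp-wifi"),
    build_beacon("de:ad:be:ef:00:01", "corp-wifi"),
    build_beacon("aa:bb:cc:dd:ee:ff", "coffee-shop"),
]

if __name__ == "__main__":
    for ssid, bssid in find_rogue_aps(SAMPLE_FRAMES, AUTHORIZED):
        print(f"rogue AP: SSID {ssid!r} advertised by unknown BSSID {bssid}")
```

The same comparison is what a log pipeline does once beacon frames are indexed with their SSID and BSSID fields: a search for the corporate SSID grouped by BSSID surfaces any transmitter that is not in the known inventory.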
[DerbyCon team: I am not intending to focus this too much on Graylog. I want to avoid making this a vendor talk and will clearly mention that you can also send the data into Splunk or an Elastic Stack if you want to, but will show Graylog because that's the tool I'm obviously most familiar with. I will focus on 802.11 and how to use the data. Not what tool the data is in. Used my graylog.com email address because I check that one regularly :)]
Lennart has a software engineering and architecture background and started the Open Source Graylog project in 2009. @_lennart