Getting Started With Tracking Hackers With HoneyBadger

Hello and welcome. My name is John Strand, and in this video, we’re going to talk a little bit about HoneyBadger. Now, in a number of other videos and a number of other things whenever you’re talking about attribution or cyber deception, you can focus on creating documents or elements that’ll beacon back and many times you can collect the IP address that’s making the beacon. That’s okay, but IP address geolocation isn’t all that hot, but we can do better, and we have a specific tool that was created by our very own Bradley at Black Hills Information Security building on the work of Tim Tomes, or lanmaster53. Hopefully, these two will be merged in the very near future called HoneyBadger.

Now, if we jump right in, HoneyBadger is on the ADHD installation and, once again, if you want ADHD, you can go to You can go to our free tools, check out our projects and you’ll see ADHD there. This is, of course, the distribution that I use for Wild West Hackin’ Fest classes and also at Black Hat, so check it out. All of the instructions once you get ADHD set up are on the desktop in a file called ADHD Usage. Once you have opened up that document, you would select Attribution, and then you would select HoneyBadger.

Now, once you’re in the HoneyBadger instructions, it goes into a lot of detail about how to set up HoneyBadger, how to configure HoneyBadger. One of the big gotchas is you do need a Google API Key in order to make the map function work in HoneyBadger. Let’s talk a little bit about what this actually does. Well, what it’s doing is a wireless site survey. Here I have a USB wireless adapter that I got off the Hak5 shop. Great stuff over there. With this USB wireless adapter, I can do a survey of all of the wireless networks. Now, you don’t need a USB wireless adapter for HoneyBadger to work. That’s not quite what I’m saying, but your computer system has the ability to see all of the wireless networks around it.

This is something you see every time you open up your phone looking for a wireless hotspot or your computer. That’s because these access points are beaconing out about 10 times per second, announcing their BSSID and their ESSID. The BSSID is the MAC address, the media access control address for the access point. The ESSID is the actual access point name. What HoneyBadger does is causes the attacker’s computer system to do a wireless site survey, give us those SSIDs, BSSIDs, and ESSIDs, and then it queries Google’s API for geolocation and Google responds back.

Let’s actually take a look at the interface of HoneyBadger and some of the things that you would see there. First, whenever you’re setting up HoneyBadger, you would set up targets. Now, the idea of a target is so that you can set up different campaigns that are identifiable from each other. I have demo, I have class, I have demo, I have Class, I have Spearfish, and they have different guids. This is important because if I set multiple different HoneyBadger elements, I want to be able to differentiate from them. I can put in an Excel spreadsheet, I can put it on a website, I can put it in a variety of different places and that distinction is important.

Also on this slide, you can generate a raw macro. Whenever I click the macro button, it actually takes me to the macro that you’d put into an Excel spreadsheet or, if you’re really desperate, a Word document. I tend not to use this technology much in Word documents because everybody knows not to run any macros that show up in Word documents. What this does is a PowerShell command where it does a wireless site survey of all of the different wireless networks that are around. That’s the macro.

We also have the capability of kicking out VB.NET code. With the VB.NET code, we can actually convert this to a standalone executable with something like vbc and Mono. This is all in the class and it’s also in the instructions, but basically you would install Mono, start the Mono shell as an administrator. I can actually show you what that looks like here. I can basically go down to the start button and type “Mono”. Then, when it says the Mono command prompt, I right-click and run it as administrator. Then, I would use vbc to actually convert that code, the macro.vb into an executable and actually convert it down to an executable. Then, when you run it, it’ll do the geolocation.

Now, that executable gives us tremendous flexibility to move it into a wide variety of different other formats. We can convert it and merge it with other executables like VPNs, things of that nature, and then we can get some really good geolocation on an attacker. Now, once I’m in ADHD, I want to show you what the maps look like and give you an idea of the accuracy.

If I click the map tab, these are all of the times that I’ve actually fired it off, and I’ll go over here to Las Vegas, the last time I ran this class at Black Hat. I went too far, a land where I cannot return from. Let’s see, I’m in Tuba City, so Grand Canyon National Park, Flagstaff, let’s go back down into my little arrow. Here we go. Let’s zoom into Las Vegas and on top of the Mandalay Bay and give you an idea of just how accurate this thing can be whenever you fire it up.

Now, this is the executable. The macro, if you put it inside of an Excel spreadsheet, would be also really, really hyper-accurate, but it really depends on a number of things. If they actually are on a wireless network, you can pull that up. Here you can see that it’s the Mandalay Bay, and if I switch it over to satellite, you’re going to see right exactly where we were in the conference center the last time I actually fired this off. That’s kind of cool.

HoneyBadger is designed for extreme levels of attribution. This is using macros or VB code to actually do that. Now, with that in mind, also remember you’re just getting the attacker’s system to give the wireless networks that are around it. If I click on the log and I scroll all the way down to the bottom of the logs here, you can see what it looks like whenever you’re actually querying that data. It actually pulls all of the wireless access points.

Here you can see Black Hat and then the BSSIDs, and then it submits that data to Google. Now, when Google receives that data through the API that Google uses on your phone all of the time, Google will respond back with the latitude here, it’ll respond back with the longitude here, and it’ll also give you the overall accuracy in meters. Sometimes it’s around a hundred meters, sometimes you get lucky and it’s down to 20 meters. This is extreme levels of attribution.

Now, is there a question as to the legalities of this?

Well, if you look at what we’re doing, the attacker would have to break into your environment, steal something, and then it would trigger. That’s kind of dubious they’d actually press charges in that situation.

Further, we’re using the same API that your phone is using hundreds of times per minute every single day. With that in mind, it becomes a little bit easier for us to use these technologies as defenders.

I hope you enjoyed this video. Be sure to check out more videos. Be sure to check out the class at Wild West Hackin’ Fest in San Diego and in Deadwood, and I hope to see you on Wednesdays with Enterprise Security Weekly with Paul, Matt, and myself. Take care and I’ll see you in another video.

Want to level up your skills and learn more straight from John himself?
You can check out his classes below!

SOC Core Skills

Active Defense & Cyber Deception

Getting Started in Security with BHIS and MITRE ATT&CK

Introduction to Pentesting

Available live/virtual and on-demand