
BlueWyvern

Detecting Jasager Attack

12 posts in this topic

Hey guys,

I think I read somewhere that it is possible to detect if you are currently the victim of the "Wifi Pineapple", but have had no luck in finding out what exactly that information was.

I have been playing around with C# and writing tech tools, or at least trying to come up with ideas of tools to write to make my job just a smidge easier.

I currently only have 1 written and it removes those annoying stuck print jobs, and fixes printer dependencies for those annoying Lexmark printers.

So this post is twofold: first, does anyone know how to detect the pineapple, and second, if anyone has an idea for a tech tool for me to attempt to write, I'd love some suggestions! Also, if it is allowed and people want them, I will post them here.


Nothing special, just adding "Jasager" to your wireless profiles and making it the default. This way, if you are connected to "Jasager" at Starbucks, you are wrong!


The Jasager responds to all SSID probes. So adding "Jasager" to your saved profiles will not really work. I still don't understand why people set static SSIDs with the Jasager.

The only way to detect this type of attack would be to know the MAC addresses of the routers you are supposed to talk to and check them on connect for verification. Or in Linux you can use airodump-ng to find out and determine rogues.

Another way would be to have a wireless auditing system in place. Like for companies who want to protect their wireless network and be able to audit it. A company, AirMagnet, does a service like that. I have a few of their sensors I was trying to re-purpose, but they were used for monitoring all wireless activity for unwanted activities.


The Jasager responds to all SSID probes. So adding "Jasager" to your saved profiles will not really work. I still don't understand why people set static SSIDs with the Jasager.

The point is to set a preferred network that shouldn't exist. Then if you do connect to it you know it is an evil twin and not a safe network.

If you really wanted to remove the need to look at your network SSID every time you connect, then you could create a program/script that runs after you have connected and either sets up a configuration on your interface that won't work or pops up a warning message that lets you know that you are not on a safe network.


Ah, yeah I guess that would work if there were no other APs around. Keep in mind if you try to connect to "Starbucks" AP and the Jasager/Pineapple is closer, it will connect to the strongest signal. In that scenario being the Jasager/Pineapple.


Ah, yeah I guess that would work if there were no other APs around. Keep in mind if you try to connect to "Starbucks" AP and the Jasager/Pineapple is closer, it will connect to the strongest signal. In that scenario being the Jasager/Pineapple.

That is why you need to make the Jasager network the highest priority as then your machine will send out probes for Jasager and the real AP won't respond to that as it is only looking for probes for its network, but the pineapple will respond to it as it responds to everything. Of course it may be possible for someone to specifically set Jasager to only respond to one or two networks, which would be harder to detect but it would also limit the traffic that it manages to collect.


Jasager attacks are great, 'cause it's really hard to detect when someone is using Jasager.

I think that in some ep there was a tool which was made to protect Windows users from Jasager, or was it ARP spoofing? Can't remember. Anyway, that tool checked the real AP's MAC and then popped up if that AP's MAC address had changed. It just doesn't work if you connect directly to Jasager.


That is why you need to make the Jasager network the highest priority as then your machine will send out probes for Jasager and the real AP won't respond to that as it is only looking for probes for its network, but the pineapple will respond to it as it responds to everything. Of course it may be possible for someone to specifically set Jasager to only respond to one or two networks, which would be harder to detect but it would also limit the traffic that it manages to collect.

It depends on if your computer probes out for it or not. It might not depending on OS, hardware, signal strength.

Do a field test and let us know? I don't have the spare time :P


Jasager attacks are great, 'cause it's really hard to detect when someone is using Jasager.

I think that in some ep there was a tool which was made to protect Windows users from Jasager, or was it ARP spoofing? Can't remember. Anyway, that tool checked the real AP's MAC and then popped up if that AP's MAC address had changed. It just doesn't work if you connect directly to Jasager.

I think that tool is to detect ARP spoofing for MITM if my memory serves me correctly. It watches if your gateway MAC is changed or changed since you connected. That is a way the ARP spoof MITM attack can be detected.


It depends on if your computer probes out for it or not. It might not depending on OS, hardware, signal strength.

Do a field test and let us know? I don't have the spare time :P

I know that Linux on my netbook (DebianEeePC) is set up so that it looks for a network of pineapple as the highest priority and that it probes for the networks. I have also got it set up so that if it connects to a network called pineapple it breaks my interface's IP details so that I won't be able to send and receive packets. Which is a fairly good way to stop it. I don't know if Windows can be set up in a similar way, so it would be interesting to hear from anyone who has.


I know that Linux on my netbook (DebianEeePC) is set up so that it looks for a network of pineapple as the highest priority and that it probes for the networks. I have also got it set up so that if it connects to a network called pineapple it breaks my interface's IP details so that I won't be able to send and receive packets. Which is a fairly good way to stop it. I don't know if Windows can be set up in a similar way, so it would be interesting to hear from anyone who has.

I do something similar on Linux, but I have a shell script execute and disable wifi altogether, followed by blocking everything in iptables with ufw.

As for the Windows tool, I believe you guys are thinking of Irongeek's DecaffeinatID, which warns you of MITM attacks and rogue APs.

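The post-connect check discussed in this thread (a canary SSID that should never exist, plus a list of known AP MACs), sketched as a shell script. This is an added example, not code from any poster; the SSIDs, MAC addresses and sample `iw` output are constructed, and the interface name is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example: post-connect check (canary SSID + known-BSSID list).
# Every SSID, MAC and the sample output below is a constructed placeholder.

CANARY_SSIDS="Jasager
pineapple"                      # names that should never exist for real

# Known-good networks, one "SSID|BSSID" per line, MACs in lower case.
KNOWN_APS="HomeNet|00:11:22:33:44:55
OfficeNet|66:77:88:99:aa:bb"

# Constructed sample of `iw dev wlan0 link` output while associated.
SAMPLE_LINK="Connected to 00:11:22:33:44:55 (on wlan0)
	SSID: HomeNet
	freq: 2437"

# Read `iw dev <if> link` output on stdin; print "SSID|BSSID" (nothing if not connected).
parse_link() {
    awk '/^Connected to /  { bssid = tolower($3) }
         /^[ \t]*SSID: /   { sub(/^[ \t]*SSID: /, ""); ssid = $0 }
         END               { if (bssid != "") print ssid "|" bssid }'
}

# Print one verdict: canary, known, bssid-mismatch or unknown.
classify() {
    ssid=$1; bssid=$2; result=unknown
    if printf '%s\n' "$CANARY_SSIDS" | grep -Fxq -- "$ssid"; then
        echo canary; return 0
    fi
    while IFS='|' read -r k_ssid k_bssid; do
        [ "$k_ssid" = "$ssid" ] || continue
        if [ "$k_bssid" = "$bssid" ]; then result=known; break; fi
        result=bssid-mismatch    # SSID is on our list, but this MAC is not
    done <<EOF
$KNOWN_APS
EOF
    echo "$result"
}

# With an interface argument: check the live association, drop the link if bad.
if [ -n "${1:-}" ]; then
    link=$(iw dev "$1" link | parse_link)
    verdict=$(classify "${link%|*}" "${link##*|}")
    echo "$1: $verdict"
    case $verdict in canary|bssid-mismatch) ip link set dev "$1" down ;; esac
fi
```

A matching BSSID is only a weak signal, since a MAC address can be cloned; the canary check is the part that catches an AP answering every probe.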
