General Information on the Mark4:
The Mark IV is a new hardware platform based on a beginning-of-life chipset. It runs the recently released Jasager suite which is under heavy development and will continue to be backwards compatible with the MK3. Obvious hardware differences will prevent some features from being available on older hardware but all compatible features will be available on the Mk3 firmware for the foreseeable future.
The Mark IV is based on a customized AP from ALFA. As far as I know we're the first to integrate this board and as of writing it has not yet come to the consumer market. It contains the Atheros AR9331 SoC, two Ethernet ports, 802.11 b/g/n and USB. The clockspeed is a little over double that of the AP51 -- 180 to 400 MHz MIPS. We expect the dual Ethernet to allow us to implement "The Interceptor" aka "Network Monkey" (layer-2 bridge capture / rebroadcast). USB adds potential for a second WiFi radio (imagine an ALFA AWUS036H backpack), storage, GPS and 3G/4G. Also it's black, which adds 50 hacker points.
The MK4 hardware, for now, features 8MB ROM / 32 MB RAM -- which is expandable via USB. The processor architecture changed from Atheros AR23 to AR72, so cross-compiling everything has been required. That said we're well on our way to a stable build and adding features is the primary goal now.
Power Specs of MarkIV:
Power: AC adapter accepts 100-240V ~50/60 Hz 0.5A (UK/EU adaptable)
Output: DC 12V 1A
Plug: Barrel 5.5mm OD 2.1mm ID center positive
Observed requirements: Using a USB power pack providing 5V we have observed 1A draw at idle with no WiFi, 1.7A draw with WiFi enabled and 3.5A-5.5A draw with USB 3G/4G modems. Some modems may require a powered hub for reliable continuous operation with 5V supply.
Teeny Tiny USB Stick sold by Hak5 for use on the MarkIV: http://hakshop.mysho...-cruzer-fit-4gb
3G Dongles supported out of the box:
# ZTE MF591 (T-Mobile)
# Novatel MC760 (Virgin)
# Novatel MC760 (Ting)
According to Darren the following list is also supported but untested: http://www.draisberg...e_reference.txt
How TOs Relating to the Mark4:
How To Add a Not-out-of-the-box-supported USB Cellular dongle:
In the web interface click the 3G page then look at the connection script. You'll find it runs lsusb and pipes the output to awk to find product and vendor ID pairs. This is followed by a switch case. You'll notice that if the PID/VID equal that of, say, the Ting modem it'll use uci to set network config options, then usb_modeswitch to "eject" the cdrom, then rmmod and insmod to add the modem to the system (usually they come up as /dev/ttyUSB0). Finally some iptables mojo is done for routing and the rest is done automatically by pppd.
To add a new modem, copy and paste one of the switch cases and replace VID/PID with your values, adjust the modeswitch command, rmmod, insmod, and you should be good to go. For CDMA there isn't really any uci network config stuff to change, the defaults should work. For GSM you'll need to specify the apn and depending on your modem you may also have to specify a pin. I haven't run into this personally, I think it's just for locked devices.
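The script structure described above, sketched as an added example (not the Pineapple's actual connection script): it pulls VID:PID pairs out of lsusb output with awk and dispatches on them in a case statement, printing the commands rather than running them. The 1234:abcd pair, the wan2 section name, the APN value and the -K eject method are assumptions; substitute what your modem needs.

```sh
#!/bin/sh
# Added example: dry-run sketch of the detection logic described above.
# It prints the setup commands instead of executing them.

# Extract "vid:pid" pairs from lsusb output on stdin (field 6 of each line).
usb_ids() {
    awk '$5 == "ID" { print tolower($6) }'
}

# Print the setup commands for one modem, or fail if the ID is unknown.
# 1234:abcd is a placeholder pair; wan2 is an assumed uci section name.
modem_plan() {
    case "$1" in
        1234:abcd)
            vid=${1%%:*}; pid=${1##*:}
            echo "uci set network.wan2.proto=3g"
            echo "uci set network.wan2.service=umts"
            echo "uci set network.wan2.device=/dev/ttyUSB0"
            echo "uci set network.wan2.apn=APN_PLACEHOLDER"   # GSM only
            echo "usb_modeswitch -v $vid -p $pid -K"          # eject the CD-ROM
            echo "rmmod usbserial"
            echo "insmod usbserial vendor=0x$vid product=0x$pid"
            ;;
        *)
            return 1 ;;
    esac
}

# Walk every attached device and emit the plan for the first known modem.
plan_from_lsusb() {
    for id in $(usb_ids); do
        if modem_plan "$id"; then return 0; fi
    done
    echo "no supported modem found" >&2
    return 1
}

# Constructed sample of lsusb output (not captured from a real device).
SAMPLE='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 1234:ABCD Example Modem (constructed)'
```

Run `printf '%s\n' "$SAMPLE" | plan_from_lsusb` to see the plan for the sample, or pipe real `lsusb` output in once your own case branch is added.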
Shmoocon-only reset button issue:
If you picked up a MK4 from Shmoocon please do not use the factory reset function on the Advanced page. I discovered a flaw in the firmware that will make the pineapple very unhappy.
The factory reset button executes the commands rm /etc/config/* and cp /etc/config/backup/* /etc/config/
Problem is, the MK4 from Shmoocon doesn't contain a /etc/config/backup directory filled with original configs.
Here's a quick hotfix for the problem.
From the advanced page paste the following into the bottom text field and click "Execute Commands"
cp /etc/config/* /etc/config/backup/
As always, MK3 or 4, if you're having problems with your Pineapple that you can't fix yourself please contact firstname.lastname@example.org and we'll take care of you.
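A guarded form of the reset sequence, as an added example (not the firmware's own code): it refuses to delete anything unless the backup directory exists and holds at least one file. The function name and the directory argument are assumptions, so it can be tried on a scratch directory first.

```sh
#!/bin/sh
# Added example: factory reset that checks for backups before deleting.
# safe_factory_reset is a hypothetical name; the directory defaults to
# /etc/config and can be overridden for testing.

safe_factory_reset() {
    config_dir=${1:-/etc/config}
    backup_dir=$config_dir/backup

    # The flaw: "rm /etc/config/*" ran even when there was nothing to restore.
    if [ ! -d "$backup_dir" ]; then
        echo "refusing reset: $backup_dir does not exist" >&2
        return 1
    fi

    # Require at least one regular file in the backup directory.
    found=0
    for f in "$backup_dir"/*; do
        if [ -f "$f" ]; then found=1; break; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "refusing reset: $backup_dir is empty" >&2
        return 1
    fi

    # Remove only regular files so the backup directory itself survives,
    # then restore the originals.
    for f in "$config_dir"/*; do
        if [ -f "$f" ]; then rm -f "$f"; fi
    done
    cp "$backup_dir"/* "$config_dir"/
}
```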
Adding Packages to the Pineapple:
opkg is the package manager for OpenWrt. Example command:
opkg install ettercap-ng --dest usb
Fixing internet bridge from pineapple to victims (No Internet for Pwnt targets)
Issue /etc/init.d/firewall disable; /etc/init.d/firewall stop from the Execute Commands text area at the bottom of the advanced page.
You can also add the command to rc.local to run the command at bootup.
How to make a USB thumbdrive recognizable and usable for the pineapple (EXT4):
Download BT5R1 and burn the .iso to a CD. I use deepburner in windows to accomplish this.
Put it in and boot it up and startx after logging in (uname/pass=root/toor)
Once you're in the GUI open a terminal and type:
apt-get install gparted
Then, after it's installed, plug in your thumbdrive and type:
That will launch the creamy gui of gparted. From the top right dropdown menu select your thumb drive from the list and click the big center box that contains the drive size information. Then click "Delete" button on the top near the left. Then click the "New" button on the top far left. Select Primary and EXT4 from the drop downs. Click OK or whatever and then click "Apply" (the big green checkmark). Enjoy!
Make sure you select your usb thumb drive!!
You have been warned.
How to capture packets to the USB drive you just formatted with tcpdump:
Get an EXT4 formatted usb stick (see my other post on how to accomplish this).
Plug it into pineapple and fire it up with ICS and karma on and everything
SSH into pineapple
lsusb and make sure your stick is there - you can also verify with a little df -h
cd /usb to get into that dir
opkg install --dest usb tcpdump
That will install tcpdump onto your usb stick (which is fine, as the only time you'll be running it is when you have the storage capacity to handle the bigass cap files).
Then whilst still in the /usb dir run this:
tcpdump -i eth0 -w test.pcap -n net 172.16.42.0/24
That will capture any packets where the source or destination network is in the pineappley range, thereby grabbing all your karma'd victims' packets. It will display IP addresses and port numbers.
There's a million and one ways to use tcpdump, this is just one basic example. Google for best results per your particular situation (size, how long you want to be capping, what info you're looking for, etc).
Here's a quick flashing guide for the MK4 via serial:
Connect a USB TTL Serial console cable to the pin headers next to the USB port. Set your com program (hyperterminal, minicom, screen, gcom) to use these settings:
115200, 8, N, 1, no hardware flow control, no software flow control
Connect ethernet between the PC and the Pineapple's WAN/LAN port. Set a static IP on the PC of 192.168.2.11 / 255.255.255.0
ifconfig eth0 192.168.2.11 netmask 255.255.255.0 up
Configure a TFTP server (Windows: http://tftpd32.jounin.net/ Linux: http://code.google.com/p/tftpgui/)
Download the factory firmware from http://wifipineapple...tory/kernel.bin and http://wifipineapple...tory/rootfs.bin
wget http://wifipineapple...ory/kernel.bin; wget http://wifipineapple...tory/rootfs.bin
Move the two bin files into your tftproot directory
Power on the pineapple. In your com program you will see:
U-Boot 1.1.4 (Sep 29 2011 - 16:39:41)
AP121-8MB (ar9331) U-boot
DRAM: 32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 248k for U-Boot at: 81fc0000
Reserving 192k for malloc() at: 81f90000
Reserving 44 Bytes for Board Info at: 81f8ffd4
Reserving 36 Bytes for Global Data at: 81f8ffb0
Reserving 128k for boot params() at: 81f6ffb0
Stack Pointer at: 81f6ff98
Now running in RAM - U-Boot at: 81fc0000
id read 0x100000ff
flash size 8388608, sector count = 128
Flash: 8 MB
Fetching MAC Address from 0x81feb688
Fetching MAC Address from 0x81feb688
: cfg1 0x5 cfg2 0x7114
: cfg1 0xf cfg2 0x7214
ATHRS26: resetting s26
ATHRS26: s26 reset done
Please choose the operation:
1: Entr boot command line interface.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
Press 1 to enter the U-Boot CLI
At the ar7240> prompt issue these commands:
setenv bootargs "board=ALFA console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd"
tftp 0x80600000 kernel.bin
erase 0x9f650000 +0x190000
cp.b 0x80600000 0x9f650000 d695a
tftp 0x80600000 rootfs.bin
erase 0x9f050000 +0x600000
cp.b 0x80600000 0x9f050000 23d004
Once OpenWRT finishes booting press ENTER to activate the console. Issue passwd and set a root password. Next start the ssh service: /etc/init.d/dropbear start
Move the Ethernet cable from the WAN/LAN port to the PoE LAN port.
From the PC ping 192.168.2.1 to verify a connection. From here you'll need to SCP over the latest MK4 update from http://wifipineapple.com/mk4/firmware
SCP the latest firmware .bin file to the Pineapple's /tmp/ directory (windows: http://winscp.net/eng/index.php linux: you already have scp)
scp firmware.bin root@192.168.2.1:/tmp/
Once the firmware has been copied to the pineapple's /tmp/ directory you're ready to update the factory firmware to the latest version of the Jasager suite. On the pineapple issue:
sysupgrade -n -v /tmp/firmware.bin
The upgrade process takes 2-3 minutes. When complete the Pineapple will reboot and all will be happy again in the land of the pineapple. Continue with normal usage (ie: change your PC's ethernet interface back to DHCP or static it to 172.16.42.42)
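A pre-flight check for the U-Boot steps above, added here as an example (not part of the original guide): cp.b takes its byte count in hex, so that count has to match the image tftp actually loaded and fit inside the region just erased. Function names are hypothetical, and it assumes the counts in the guide (d695a, 23d004) are the lengths of the factory images.

```sh
#!/bin/sh
# Added example: derive the cp.b length from an image file and check that
# it fits in the flash region erased for it. Function names are hypothetical.

# Print a file's size in bytes as lowercase hex (the cp.b count argument).
hex_size() {
    printf '%x\n' "$(($(wc -c < "$1")))"
}

# fits_region FILE ERASE_LEN_HEX: succeed only if FILE is non-empty and
# no larger than the erased region.
fits_region() {
    size=$(($(wc -c < "$1")))
    limit=$(($2))
    [ "$size" -gt 0 ] && [ "$size" -le "$limit" ]
}

# Print the U-Boot commands for one image, or fail before anything is erased.
# Args: FILE FLASH_ADDR ERASE_LEN_HEX (0x80600000 is the RAM buffer used above)
flash_plan() {
    if ! fits_region "$1" "$3"; then
        echo "$1: empty or larger than $3, do not flash" >&2
        return 1
    fi
    echo "tftp 0x80600000 $(basename "$1")"
    echo "erase $2 +$3"
    echo "cp.b 0x80600000 $2 $(hex_size "$1")"
}

# Usage with the regions from the guide:
#   flash_plan kernel.bin 0x9f650000 0x190000
#   flash_plan rootfs.bin 0x9f050000 0x600000
```

If the printed cp.b count differs from the one in the guide, the downloaded image is not the same size as the one the guide was written for; use the printed value rather than copying a short or oversized count into flash.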
Projects on the collective to do list and issues that need attending:
Network Pineapple Monkey - Seb has acknowledged it's on his list and will become higher priority after 1.0.1 firmware is released. See this thread:
Adding Alfa AWUS036H to the Mark4: Darren commented: "...adding a 2nd WiFi Adapter, say with an AWUS036H, seems as likely as adding 3G -- so tethering is on the table." Official current status on getting it to work is unknown. During my trials, the Mark4 recognizes the realtek rtl8187 but does not assign it as a wlan adapter. OpenWrt should have support for it through kmod-rtl8187.
Combining storage and 3G connectivity in one card: "Two birds, one stone". Many 3G usb cards have microSD slots. Novatel U760 is a prime example. Darren and hfam both have these cards and seem to be working on it.
Ngrep is gone now
URLsnarf is missing from the UI page, but is also accessible via SSH. Darren's comment on the matter: "We're working on a revised web UI for sniffing which should bring together the power of urlsnarf, ngrep and *ettercap" Swoot!
Reaver is not present on Shmoocon version but will be via firmware update 1.0.1.
Reaver has not yet been proven to work - a proper how to guide is needed. Issue lies with mon.wlan0 - what is it used for? Can we remove it and add a proper mon0? Do we need to? Will it affect Karma as I suspect? (I'm going to try my hand at it today!)
Further 3G Dongle research - Darren's hints for us regarding 3G dongles: "Usually it's just a matter of "ejecting" the USB CD-ROM so that the modem reveals itself, at which point a bunch of uci network commands set the config, pppd does its thing with chat and comgt." - Need to clarify ejecting the usb cd-rom...
Add support for encrypting USB drives using EncryptingFS or perhaps even truecrypt?
Enable airdrop-ng support by installing python and other dependencies to usb drive
Edited by telot, 05 March 2012 - 07:37 PM.