
Issues with Karma in Mark IV


catohagen


Hi,

I bought the Pineapple Mark IV Pro a few weeks ago, and just wanted to bug-report/confirm what a few others have posted about Karma not working properly.

I've reflashed 3.0.0 and 2.8.1 probably 4-5 times each and find that Karma behaves the same whatever I do on both firmware versions: clients aren't automatically connecting to saved open APs.

I have an Android phone and a few tablets, and the kids have Android phones; every device has multiple 'free WiFi' networks picked up from cafés and public places.

I see from the Karma log after a reset that it gets probes for 20-25 access points stored in the phones and tablets around the house, so I assumed that if I disabled my home router or rebooted it, some devices should connect to the Pineapple, but none do. But if I have WiFi enabled on a device that is not connected to any SSID, and I *create* a new one on that device, it connects instantly.

So on my HTC One I deleted my home AP from the list and added a new open WiFi access point named 'LOLNET' to connect to --> instant connect to LOLNET.

And on an Apple iPad: deleted my home AP from the list, not connected to any AP, created a new 'LOL' network --> connected.

I can enable my home WiFi after this, go to the store and use mobile data there, drive home and see that the phone is connected to LOLNET, even when my real home WiFi is enabled.

Tried the same with multiple phones, and only like this does Karma work, even though all the phones and tablets have several (and also the same) open APs saved in their lists; either Karma doesn't create those SSIDs or the phone never sees any of the previously saved open APs from devices around the house.

I basically have a very cool $114.99 device here that doesn't work.


Yes, it works for APs you create on the device, but not for other real non-Karma APs that have already been connected to and saved on the device.

Reading the wiki and watching the Hak5 shows, the Pineapple should create fake APs from devices' probes for open APs and let those devices connect to the newly created fake AP. If users need to create imaginary SSIDs the whole concept goes away, as my grandmother or any other noob has no idea how to create SSIDs that aren't visible in their list. If grandmother or a noob comes for a visit with their phones with saved free APs from random cafés or airports, the Pineapple and Karma should listen, get those SSIDs from the probes, fake those APs and get the devices to connect?

Edited by catohagen

After googling and reading more about the issue, several people have the same issue, so one can assume that WiFi security has been upgraded or changed in the last few years, and the WiFi Pineapple and Karma only worked flawlessly a few years ago (or on old devices still in use today).

In the threads linked below, in several places it's a confirmed bug and the 2.8.1 release should have fixed this.

https://forums.hak5.org/index.php?/topic/30113-clients-not-probingconnecting-to-karma-in-mk4-with-fw-281/?hl=karma

https://forums.hak5.org/index.php?/topic/29973-karma-issues-with-android-fw-281-or-300/?hl=karma

https://forums.hak5.org/index.php?/topic/29055-convert-probes-to-fake-networks/?hl=karma

Anyway, the same results and karma.logs I have here have been discussed and reported before, and no solution nor fix has been given.


Found a tiny difference: looking at /data/misc/wifi/wpa_supplicant.conf on my phone, I see this:

network={
    ssid="dd-wrt_G"
    psk="not_a_password"
    key_mgmt=WPA-PSK
    priority=95
}

network={
    ssid="Stavanger TAXI"
    key_mgmt=NONE
}

network={
    ssid="NORLED_kundenett"
    key_mgmt=NONE
}

network={
    ssid="LOLNET"
    scan_ssid=1
    key_mgmt=NONE
}

There are 2 open APs here I've been connected to before, "NORLED_kundenett" and "Stavanger TAXI"; while I see these probes in karma.log, it never connects.

Notice the extra line in the "LOLNET" SSID that I created/added on the phone: it has 'scan_ssid=1', and Karma sees this and fakes the SSID instantly, while the other open SSIDs don't have this 'scan_ssid=1' line.

If I change the Pineapple SSID to "NORLED_kundenett", the phone connects instantly.

I edited /data/misc/wifi/wpa_supplicant.conf on my Android phone and added 'scan_ssid=1' to my already saved open SSIDs, and Karma picked up and faked all the open SSIDs. All those open APs had full bars. (This was on my HTC One with Android 4.)

So Karma works as long as the devices send out the right probes, but the changes in how WiFi operates on new devices prevent Karma from working properly.

KARMA: ENABLED
KARMA: Probe Request from 1c:b0:94:xx:xx:xx for SSID 'Norled_kundenett'
KARMA: Probe Request from 1c:b0:94:xx:xx:xx for SSID 'Stavanger TAXI'
KARMA: Probe Request from 1c:b0:94:xx:xx:xx for SSID 'LOLNET'
KARMA: Probe Request from 1c:b0:94:xx:xx:xx for SSID 'Far_East_Verksgata_Guest_5G'
KARMA: Checking SSID for start of association, pass through Norled_kundenett
KARMA: Successful association of 1c:b0:94:xx:xx:xx
KARMA: Checking SSID for start of association, pass through Stavanger TAXI
KARMA: Successful association of 1c:b0:94:xx:xx:xx

Station 1c:b0:94:xx:xx:xx (on wlan0)
ip address: 172.16.42.206
host name: htc-one-x
Karma SSID: 'Norled_kundenett'
inactive time: 520 ms
rx bytes: 16600
rx packets: 129
tx bytes: 16384
tx packets: 82
tx retries: 2
tx failed: 0
signal: -73 dBm
signal avg: -72 dBm
tx bitrate: 72.2 MBit/s MCS 7 short GI
rx bitrate: 19.5 MBit/s MCS 2
authorized: yes
authenticated: yes
preamble: short
WMM/WME: yes
MFP: no
TDLS peer: no

Edited by catohagen
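The post above finds the difference in the saved-network file by eye. The script below is an added example (not code from the post or from the Pineapple project) that does the same audit over a wpa_supplicant.conf: it splits the file into network blocks, separates open networks (key_mgmt=NONE) that carry scan_ssid=1 from those that do not, and can produce the edited copy the poster made by hand. The sample config is constructed from the excerpt above; the regex assumes no block value contains a literal '}'.

```python
import re

# Constructed sample, modelled on the /data/misc/wifi/wpa_supplicant.conf
# excerpt in the post above (the psk is a placeholder, as in the post).
SAMPLE_CONF = """\
ctrl_interface=/data/misc/wifi/wpa_supplicant
update_config=1

network={
    ssid="dd-wrt_G"
    psk="not_a_password"
    key_mgmt=WPA-PSK
    priority=95
}

network={
    ssid="Stavanger TAXI"
    key_mgmt=NONE
}

network={
    ssid="NORLED_kundenett"
    key_mgmt=NONE
}

network={
    ssid="LOLNET"
    scan_ssid=1
    key_mgmt=NONE
}
"""

# One network={...} block. Non-greedy, so it assumes no value inside a block
# contains a literal '}'.
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(conf_text):
    """Return one dict per network={...} block, keyed by option name.
    Surrounding double quotes are stripped from values."""
    networks = []
    for body in BLOCK_RE.findall(conf_text):
        entry = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def is_open(net):
    # key_mgmt=NONE is an open (or WEP) network. When the option is absent,
    # wpa_supplicant's default is WPA-PSK WPA-EAP, i.e. not open.
    return net.get("key_mgmt", "WPA-PSK").upper() == "NONE"


def classify(conf_text):
    """Split saved networks into the three cases the thread distinguishes:
    open_directed : open, scan_ssid=1 (supplicant sends SSID-specific probe
                    requests; the LOLNET case that Karma answered)
    open_passive  : open, no scan_ssid (Karma logged probes, no association)
    secured       : PSK/EAP, which an open Karma AP cannot satisfy anyway
    """
    buckets = {"open_directed": [], "open_passive": [], "secured": []}
    for net in parse_networks(conf_text):
        ssid = net.get("ssid", "")
        if not is_open(net):
            buckets["secured"].append(ssid)
        elif net.get("scan_ssid") == "1":
            buckets["open_directed"].append(ssid)
        else:
            buckets["open_passive"].append(ssid)
    return buckets


def with_scan_ssid(conf_text):
    """Return a copy of the config with scan_ssid=1 added to every open
    network block that lacks it: the manual edit described in the post.
    Secured blocks and blocks that already carry it are left untouched,
    so the function is idempotent."""
    def patch(match):
        body = match.group(1)
        net = parse_networks(match.group(0))[0]
        if not is_open(net) or net.get("scan_ssid") == "1":
            return match.group(0)
        return "network={" + body.rstrip() + "\n    scan_ssid=1\n}"
    return BLOCK_RE.sub(patch, conf_text)


def report(conf_text):
    """Human-readable summary, one line per bucket."""
    buckets = classify(conf_text)
    return ["%-14s %s" % (name + ":", ", ".join(ssids) or "(none)")
            for name, ssids in buckets.items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
    print("--- after adding scan_ssid=1 to open networks ---")
    print("\n".join(report(with_scan_ssid(SAMPLE_CONF))))
```

Run it against a copy of the file pulled from a device you are authorised to assess; the "open_passive" bucket is the set of saved open networks the post reports Karma logging probes for without any association, and the "open_directed" bucket is the set it reports being faked instantly.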

Can you remove that line from your APs and post the Karma output again with the same probe requests? I want to see what is different.


@newbi3

I rebooted the Pineapple and loaded up the UI after boot:

KARMA: ENABLED
KARMA: Probe Request from 1c:b0:94:xx:xx:xx for SSID 'dd-wrt_vap'
KARMA: Probe Request from 1c:b0:94:xx:xx:xx for SSID 'dlink'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'leneogbaari'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'AIRPORT'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'WAGNERTRANSPORT 4'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'Sofitel-premium'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'Norwegian Internet Access'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'omg'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'Flybussen'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'GIGABYTE'
KARMA: Probe Request from 1c:b0:94:xx:xx:xx for SSID 'Norled_kundenett'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'Coop-Guest'
KARMA: Probe Request from 1c:b0:94:xx:xx:xx for SSID 'Stavanger TAXI'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'FERIEPARK'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'SAFE'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'Forsand'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'D35Broadband'

There are probe requests for WPA password-protected APs and for open APs, without 'scan_ssid=1' on the open ones; none of these open APs show up on the devices as fake.

As soon as I edit and add 'scan_ssid=1' to the wpa_supplicant.conf file for any open networks saved there, then disable and enable WiFi, I get all of these open networks with full WiFi bars.

And I only see these probe requests once. If I reboot a device or turn WiFi on/off on a device, one would assume new probes would be sent after the phone reboots or WiFi is toggled, but Karma doesn't show new probes when the phone is done rebooting. Rebooting the Pineapple several times will get those probes to show up each time.

Edited by catohagen
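The karma.log excerpts in this thread are read by hand to spot which stations probed and which ones actually associated. As an added example (not code from the post or from the Pineapple firmware), the script below parses that log format: it collects the SSIDs each station probed for, pairs each "pass through <ssid>" line with the "Successful association" line that follows it, and lists the stations that probed but never associated together with the SSIDs they asked for. That per-station list is also what the "manual method" described later in the thread picks a Pineapple SSID from. The sample log is constructed in the same format as the excerpts above, with MACs masked the same way; the pairing rule assumes, as in the posted log, that the pass-through line immediately precedes its association line.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the karma.log excerpts posted above
# (MACs masked the same way as in the thread).
SAMPLE_LOG = """\
KARMA: ENABLED
KARMA: Probe Request from 1c:b0:94:xx:xx:xx for SSID 'dd-wrt_vap'
KARMA: Probe Request from 1c:b0:94:xx:xx:xx for SSID 'Norled_kundenett'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'AIRPORT'
KARMA: Probe Request from 20:02:af:xx:xx:xx for SSID 'Coop-Guest'
KARMA: Probe Request from 1c:b0:94:xx:xx:xx for SSID 'Stavanger TAXI'
KARMA: Probe Request from 1c:b0:94:xx:xx:xx for SSID 'Norled_kundenett'
KARMA: Probe Request from 1c:b0:94:xx:xx:xx for SSID 'LOLNET'
KARMA: Checking SSID for start of association, pass through LOLNET
KARMA: Successful association of 1c:b0:94:xx:xx:xx
"""

PROBE_RE = re.compile(r"KARMA: Probe Request from (\S+) for SSID '(.*)'$")
PASS_RE = re.compile(r"KARMA: Checking SSID for start of association, pass through (.*)$")
ASSOC_RE = re.compile(r"KARMA: Successful association of (\S+)$")


def parse_karma_log(text):
    """Return (probes, assoc). probes maps station MAC -> SSIDs probed for, in
    first-seen order without duplicates; assoc maps MAC -> set of SSIDs the
    station went on to associate with. Assumes, as in the posted log, that a
    'pass through <ssid>' line immediately precedes its 'Successful association'."""
    probes = defaultdict(list)
    assoc = defaultdict(set)
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROBE_RE.match(line)
        if m:
            mac, ssid = m.groups()
            if ssid not in probes[mac]:
                probes[mac].append(ssid)
            continue
        m = PASS_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = ASSOC_RE.match(line)
        if m and pending is not None:
            assoc[m.group(1)].add(pending)
            pending = None
    return probes, assoc


def stations_without_association(text):
    """Stations that probed but never associated: the 'probes seen, no connect'
    symptom the thread is about."""
    probes, assoc = parse_karma_log(text)
    return sorted(mac for mac in probes if not assoc.get(mac))


def candidate_ssids(text, mac):
    """SSIDs a station probed for but did not associate with: the list to pick
    a manual Pineapple SSID from when Karma alone does not get the client."""
    probes, assoc = parse_karma_log(text)
    return [s for s in probes.get(mac, []) if s not in assoc.get(mac, set())]


def summary(text):
    """One line per station: how many SSIDs it probed for and what it joined."""
    probes, assoc = parse_karma_log(text)
    lines = []
    for mac in sorted(probes):
        got = ", ".join(sorted(assoc.get(mac, ()))) or "none"
        lines.append("%s probed %d SSID(s), associated: %s" % (mac, len(probes[mac]), got))
    return lines


if __name__ == "__main__":
    print("\n".join(summary(SAMPLE_LOG)))
    for mac in stations_without_association(SAMPLE_LOG):
        print(mac, "candidates:", candidate_ssids(SAMPLE_LOG, mac))
```

Feed it the real karma.log from the Pineapple (for example over scp) instead of SAMPLE_LOG; because the post notes that probes only show up once per Pineapple boot, accumulate logs across reboots before drawing conclusions about a station.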

Hello, I am having the same problems. I am getting the probe request from my device, but that is all; it is not attempting to connect. I am using 2.8.1. I have created one open network SSID called starbucks without any authentication, and also set the SSID on Karma to Starbucks (which we shouldn't have to do), and it still didn't connect. Any ideas?


There isn't any solution to this unless Karma/Jasager is updated (if it's even possible) to take account of how 2012-13 devices scan for or connect to a saved open WiFi access point. I sense the lack of response to threads bringing up this issue (there have been several, just like this one, with no solution) speaks for itself about the low possibility that this can or will be fixed.

The WiFi Pineapple is a pretty cool device and all that, but the write-up in the Hak5 Shop about how easily and simply Jasager/Karma worked in 2008 to own the network isn't quite as true anymore, as none of my 6-7 different phones/tablets/iPads/iPhones at home connected to anything unless tampered with. At a workplace nearby with 30 employees and god knows how many different phone brands/operating systems, I got 50-60 probe requests but not a single connect, and at this workplace there is no WiFi available, so people's phones were on mobile data and should have been looking for known WiFis.

I wish I'd read about/looked this up before buying my Pineapple, as basically I'm left with a basic router with 'MITM' tools on it, but what I really wanted was the Jasager/Karma functionality.

I hope future potential buyers could get a heads-up from the Hak5 shop about Jasager/Karma and how it may not say 'Hey, I'm your network!' to phones/tablets sold in the last 2 years, as WiFi probing has clearly changed since 2008 and become more secure.

I would very much like to have the Pineapple/Jasager fixed so it works as it should, and would help to test/debug any new firmware or solutions, but looking at threads posted nearly 2 years ago with few helpful replies on the subject tells me this is difficult to find a solution for.

At least, I would not have bought it if I'd known the main selling point of the device may not work as advertised.

Edited by catohagen

Just a follow-up.

Yesterday I fired up my old Sony Ericsson X10i from 2010, with Android 2.3.3 (2.3.3 was released in early 2011), and Jasager/Karma worked instantly, faking a stored open SSID from the phone and letting the phone connect to it before my home screen was up; when boot was finished it was already connected to WiFi with the blue WiFi icon in the notification bar (the SSID was an open 'wireless'). WiFi Pineapple working as intended, working as advertised.

Wanted to try to get ICS on it, so I rooted the X10i, unlocked the bootloader, installed a custom recovery and installed CyanogenMod 10 (based on Android 4.1.2, released mid-2012).

Created a portable hotspot (an open SSID) with my Nexus 7 tablet, connected the newly upgraded X10i to the Nexus 7 tablet, then killed the hotspot. The X10i should in theory send probe requests that Jasager/Karma should pick up and make its fake SSID from, but the X10i didn't see any WiFi network; rebooted a few times and still no open APs.

EDIT: Seems I spoke too soon about Android 4.1.2. I saw today, when I moved the Pineapple to another outlet, that once it had loaded up Karma had faked the open SSID I created on the Nexus 7, so indeed Jasager/Karma works with 4.1.2 devices.

Edited by catohagen

Seems the fucks given here by developers are totally minimal :)


I assure you we give at least one fuck.

But no, in all seriousness, we are looking into it and working on a solution. There is no need to be negative about this - devices update and we follow. That's how this game works.

To expand on this, KARMA still works just as advertised. It will respond to any probe requests sent out by the devices. As I said - we are working on it.

If you want to know why we have been a bit... unresponsive in the past few weeks, take a look at http://wifipineapple.com/ or http://wifipineapple.com/?blog.

Stay tuned.

Sebkinne


@sebkinne

Not trying to be negative; sorry and apologies if anyone got that impression.

I've also edited my post (#13), as the Android 4.1.2 device did connect today to Jasager/Karma with the SSID I created yesterday on the Nexus 7 tablet. I moved the Pineapple as I needed the outlet, and when the Pineapple was plugged in and up, it picked it up and created the correct SSID.


I have the same problem and more problems, but who cares...

The problem is not the developers (they do good work, but I think they need MORE time to SOLVE the problems and then create new things) or the people; the problem is the "company processes" and the MEANING of the words.

They say that the Pineapple is a PROJECT, and that solves all my problems: a project means that all these problems are accepted (I work on projects myself, but we never SELL a project that does not work properly)...

BUT WE, the customers... WE SEE the Pineapple as a PRODUCT... and when we give THE money we want to get something THAT WORKS and does everything the site says, without SPENDING many, many hours trying to find out what is going wrong (not to fix it; that is another project for us)... OK so far? I hope so.

BUT, yes, there is always that BUT that destroys the "dream".

If it is a PROJECT, that means you STOP one and CREATE a new one (Mark IV, Mark V... Mark XXXXIIIIIXXX). WHY? For the money? Maybe... BUT that way you show us that you WORK ON A PROJECT LIKE A PRODUCT!!! And that is a PROBLEM, guys... a huge problem.

In the end you still have some stupid romantic people who thought they could buy a WORKING thing; you have given other guys HUGE problems to solve with hundreds of lost hours, BUT with the good side that they learn "something"...

So I wish you would LEARN WHAT YOU SELL to people... and please, someone tell me where in the SHOP it says that this is a PROJECT and not a product...

My opinion? PLEASE, guys, write that you DON'T know if the product WORKS, write that IF you want to use all the apps YOU NEED a USB disk, AND THAT MEANS you need power, and, and, and... and please STOP saying "negative" all the time. Why can't we be negative? We spend a lot of money and we get a stupid box that can't work unless you rewrite part of the code... what is that? Positive??? OK, I am positively negative-ish!!! OK?

Good luck with your new PROduct, oops, sorry... proJECT...

A very, very, very disappointed customer


Crepsidro, you know that is just a rumour said by one person.

As sebkinne has said elsewhere, the WiFi Pineapple project is a cat-and-mouse game. This could very well be something to do with a mobile device, like an Android device, not the Pineapple.


It seems to me that people are expecting a "hack-in-a-box" product. With security and pentesting, that is never the case. What "we" as white/gray hat hackers do is point out flaws in the way things are done. It seems that Apple and Android have caught on to the type of issues that are pointed out with the current way Karma works. Now we figure out how to exploit the new way they are doing things.

If you don't understand this, you are in the wrong field or have purchased the pineapple for the wrong reason.


> It seems to me that people are expecting a "hack-in-a-box" product. With security and pentesting, that is never the case. What "we" as white/gray hat hackers do is point out flaws in the way things are done. It seems that Apple and Android have caught on to the type of issues that are pointed out with the current way Karma works. Now we figure out how to exploit the new way they are doing things.
>
> If you don't understand this, you are in the wrong field or have purchased the pineapple for the wrong reason.

The purpose of this thread was not to bash the project; it was just to point out issues with Karma (the main selling point of the device), having seen 4-5 similar threads in here with little or no response.

I know Karma works per se: it creates SSIDs based on probes. It's just that devices these days don't send out the kind of probes Karma picks up anymore. Karma worked much better in 2011, so I feel the descriptions of the WiFi Pineapple in the Hak5 Shop are a little misleading.

Whether a hobby 'hacker' understands the cat/mouse game around WiFi security and how Karma works or not is one thing, but the text written in the Hak5 shop about how Karma works will convince pretty much anyone.

I bought the Pineapple to support this cool project, as I had already installed the Pineapple firmware on the tiny TL-WR703N router, but if I'd known what I know now, and how you laid out the current state, I wouldn't have paid 129 USD for something that doesn't work today (but worked 3 years ago).

I have no interest in MITM attacks anywhere, but the Pineapple is a cool project, and I've been configuring and flashing dd-wrt/openwrt/tomato onto routers for over 10 years, so it's a hobby of mine :)

I figured I could give all my friends and guests WiFi access with the Pineapple, as their phones would just connect, and it would be cool to show them how they are connected to the WiFi of a hotel they visited some time ago in another country.

But no devices connected... but we know why now...

Edited by catohagen

I use a manual method to get people to connect: I look through my Karma probe list and manually change the network name from the Pineapple's interface. This lends itself to being a more direct attack, targeted towards the device(s) you are authorised to be assessing. Leaving Karma on will yield a few auto-connects, but devices update and become more secure, which is both a good and a bad thing depending on your stance.

I don't know what money goes where, but I would take a good guess that a lot of money goes back into the Hak5 episodes/recording equipment, and I can't imagine any of the Pineapple development team get as much profit as they deserve. Alongside any day jobs they must be very busy people, and I am grateful for their contribution to this project; personally I wouldn't know where to start with building OpenWrt, creating a very intuitive PHP interface and patching software packages.


> It seems to me that people are expecting a "hack-in-a-box" product. With security and pentesting, that is never the case. What "we" as white/gray hat hackers do is point out flaws in the way things are done. It seems that Apple and Android have caught on to the type of issues that are pointed out with the current way Karma works. Now we figure out how to exploit the new way they are doing things.
>
> If you don't understand this, you are in the wrong field or have purchased the pineapple for the wrong reason.

??

Products already exist that provide this functionality... Not to mention that Kali supports ARM now, so you can turn lots of stuff into a hack-in-a-box. When current exploits are patched, then Kali, Metasploit, hardware etc. are updated. Tada, v2.


> I assure you we give at least one fuck.
>
> But no, in all seriousness, we are looking into it and working on a solution. There is no need to be negative about this - devices update and we follow. That's how this game works.
>
> To expand on this, KARMA still works just as advertised. It will respond to any probe requests sent out by the devices. As I said - we are working on it.
>
> If you want to know why we have been a bit... unresponsive in the past few weeks, take a look at http://wifipineapple.com/ or http://wifipineapple.com/?blog.
>
> Stay tuned.
>
> Sebkinne

I guess the real question then is, will this fix be retroactive, or will we need to purchase v5?


This topic is now closed to further replies.