
Questions about Client mode Mac / Windows


Skull


Heh. Wow, that escalated quickly. Every OS has its pros and cons. I was an Apple certified hardware and OS tech for years. I gave up on them a couple years after they went Intel. Jobs started getting too big for his britches, thinking he knew better than everybody else. I still support Macs, but I won't spend another dollar on their hardware.


winter_soldier, thanks for the script. I won't try it as it works it seems otherwise. I saw that thread, but the first post mentioned other issues and I thought it was not related to mine.

barry99705, at least they didn't completely hijack the thread...

audibleblink,

Nano:

IP: 192.168.2.2 (or anything up to 192.168.2.253)

Gateway: 192.168.2.1

OS X :

IP: NOT 192.168.2.1. Anything but that.

Gateway: Empty - or you will lose your internet connection.

Just for kicks.

~confuded


Something just popped into my head:

It's been mentioned before that once someone is connected to a fake AP, that client can access the IPs on the network providing the internet connection. For example: If my home network is 10.0.1.0/24 and I share my internet connection to the pineapple, the client that was captured at 172.16.42.XXX can ping something at 10.0.1.10. Bad Luck Brian if you happen to trap someone that knows what a pineapple is and knows how to use it better than you. This can be remedied with an IPTables rule saying that anything originating from the 172 network and destined for the 10 network be dropped. (or by not sharing your home internet when trying to pwn your neighbors =P)

I'm wondering if this is something that Apple disables by default.

@confunded - can you ping a device on your network from a trapped client with ICS enabled on the 192.168.2.0/24 network?
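The isolation rule described in the post above, written out as an added example that is not part of the original thread or of the Pineapple firmware: it builds the DROP rule for the two subnets named in the post and audits a saved `iptables -S FORWARD` listing for rule ordering. The function names are illustrative, and applying the rule through the plain `FORWARD` chain is an assumption about the device's firewall layout.

```shell
#!/bin/sh
# Added example (not from the thread): keep AP clients off the upstream LAN.
# Subnets are the ones named in the post; function names are illustrative.
CLIENT_NET="172.16.42.0/24"   # clients of the access point
UPSTREAM_NET="10.0.1.0/24"    # network that supplies the internet uplink

# Shape check only (a.b.c.d/len); octet ranges are left to iptables.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the rule in the syntax `iptables -S` uses, without applying it.
drop_rule() {
    valid_cidr "$1" && valid_cidr "$2" || return 1
    printf '%s\n' "-A FORWARD -s $1 -d $2 -j DROP"
}

# Apply idempotently (needs root): -C checks for the rule, -I 1 puts it first
# so that no earlier ACCEPT rule can match the packet before the DROP does.
apply_rule() {
    valid_cidr "$1" && valid_cidr "$2" || return 1
    iptables -C FORWARD -s "$1" -d "$2" -j DROP 2>/dev/null ||
        iptables -I FORWARD 1 -s "$1" -d "$2" -j DROP
}

# Audit `iptables -S FORWARD` output read from stdin.
# Returns 0 = isolated, 1 = rule missing, 2 = rule present but an earlier
# ACCEPT (other than the usual RELATED,ESTABLISHED one) may shadow it.
audit_forward() {
    want=$(drop_rule "$1" "$2") || return 1
    awk -v want="$want" '
        $0 == want { hit = 1; exit }
        / -j ACCEPT$/ && !/RELATED,ESTABLISHED/ { shadowed = 1 }
        END { if (!hit) exit 1; if (shadowed) exit 2; exit 0 }
    '
}
```

After `apply_rule "$CLIENT_NET" "$UPSTREAM_NET"` as root, piping `iptables -S FORWARD` into `audit_forward` confirms the rule is present and not placed behind a broader ACCEPT.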


audibleblink, no I can't ping my Mac nor can I see it using Fing (network tool for android). What I could see, and is a huge derp, is my pineapple! I can even log in from my victim! Fing reports ports 22, 53 and 80 open (ssh, dns and http). This is a big problem. I really don't want my targets knowing that they are being pwned...

My thread was moved here. Maybe it is appropriate to rename the thread as it has to do more with ICS for Mac than for Client mode...

Here is my /etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'
        option dns '8.8.8.8, 8.8.4.4'

config interface 'usb'
        option ifname 'usb0'
        option proto 'dhcp'
        option dns '8.8.8.8, 8.8.4.4'

config interface 'wan'
        option proto 'dhcp'
        option dns '8.8.8.8, 8.8.4.4'

And here is the output from ifconfig:

br-lan    Link encap:Ethernet  HWaddr 00:C0:CA:8D:A6:55  
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9394 errors:0 dropped:64 overruns:0 frame:0
          TX packets:5959 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1818930 (1.7 MiB)  TX bytes:2447761 (2.3 MiB)

eth0      Link encap:Ethernet  HWaddr 00:C0:CA:8D:A6:55  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5732 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8048 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1646855 (1.5 MiB)  TX bytes:2289132 (2.1 MiB)
          Interrupt:4 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:42 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3442 (3.3 KiB)  TX bytes:3442 (3.3 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:C0:CA:8D:8F:E3  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6540 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4011 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:571506 (558.1 KiB)  TX bytes:648241 (633.0 KiB)

wlan1mon  Link encap:UNSPEC  HWaddr 00-C0-CA-8D-C0-6D-00-44-00-00-00-00-00-00-00-00  
          UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI  MTU:1500  Metric:1
          RX packets:69413 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10567832 (10.0 MiB)  TX bytes:0 (0.0 B)

~confuded

P.S. How can I make the code quotes collapsible as not to clutter the thread?


audibleblink, hmm. Can't apache, or whatever is running the web server, be configured to only listen to certain networks? Same for ssh? Then the victims can be segmented into their own network maybe not in the tethering network. Although if a victim decides to change his NIC to an address in the 192.168.2.1/24 pool, it probably can still reach everything. Is there a way to segment that whole victim or tethered network off? It's a bit of a flaw having victims on your tethered network...

~confuded

EDIT (as not to double post):

I found Sebastian Kinne at DefCon 23 here (41m, 46s) speaking and saying that it is currently a problem, that you as the pineapple user and your victims are on the same network, so you are vulnerable to arp poisoning too. SSL is also off by default (they mentioned this problem and that there is a wiki for it).

So I guess it isn't so simple.

Darren Kitchen, if you are reading this - do you have any information on this point? Why can't we have 2 networks, one for victims and one for the pineapple user? They are on different NICs after all (in case of using the USB NIC).


For all future visitors looking for ICS on a Mac, regardless of version, here's a long-winded thing - https://forums.hak5.org/index.php?/topic/37483-ics-on-a-mac-a-future-resilient-howto/

Most concise methodology to sort the Mac OSx ICS problem I have ever read. IceFloor, various settings, this that the other thing, I slaughtered a couple of chickens and visited my local VooDoo priestess. STILL NO DICE!

Kali 2.0 on Oracle VMbox gets it done for me. But since I've read this......I just might have to try it again. Trix are for kids...right?

Thanks for the moment of clarity!


  • 4 weeks later...
  • 3 weeks later...
This message is for anyone to answer (if they can) but it is primarily focused to the Nano peeps... Could you give us MAC guys some love and assist us in getting the Nano setup on our MACS.. There are a lot of ppl out there that use MACS with VM's on them.. I am one of them.. can't get the nano to the 'net through the VM or the OS X... We all paid some good money for this product, we would like to be able to use it on our laptops.. I spent 3K on a MAC so I wouldn't have to buy a crappy windows lappy... Darren, if you could help us out with this, I would appreciate it....


Is it too late to return your crappy Mac? After all it's Apple's fault why ICS is not working :p and now that more and more ransomware and viruses are coming to Mac no more excuses. Everybody already using Windows for superior video editing. Macbooks have been going downhill...


I use a rMPB with Kali under Fusion.

The easiest way is to connect the nano after Kali is running and tell vmWare to connect the device to Kali and not the OSX. Then you can just run the wp6 script and everything works pretty well.

I've also done it by connecting to the Mac, turning off assigning IP to that interface in MacOS then mapping that NIC to a virtual switch in vmWare, but that's considerably more complicated.


  • 1 month later...

Can anybody help explain how client mode is intended to work with an additional usb wifi dongle? My trouble is that when using it no clients can connect via PineAP, in fact they don't even seem to exist. Running a recon scan shows only my phone connected with Management AP, and the hotspot I'm connected to providing it internet.

Here's the process and issues:

-I connected my WiFi dongle, it becomes wlan2, which I've connected to another AP to provide internet to the NANO.

-Connect via Management AP, able to control the NANO, great!

-Make sure everything in PineAP is running.

-Check for internet connectivity, it works, great.

-Attempt to connect with another client device (phone, laptop, etc) and it just doesn't exist or broadcast anything.

-Check Networking, and there's a bunch of stuff listed in DNS that wasn't there earlier (two 192.* entries for wlan2 and the default route for brlan)

Should there be a specific route configuration when using client mode? What are the correct routes for Networking to enable internet sharing and use PineAP with the NANO's built in adapters (wlan0, wlan01, wlan1) as it normally would?

It appears something is configured incorrectly, as it works flawlessly without using the additional adapter and just running through a host computer sharing internet. Am I missing something?

Any help would be appreciated!


  • 4 weeks later...

Hello everyone,

Today I received my pineapple NANO and I am extremely happy.

But there is something I can't get to work.

How do I setup client mode on a wifi network that has a landing page that you need to accept?

Is there a way to let the pineapple accept this page?

Greeting,

Crackananases
