My Impressions and questions on Nano

[PoSHMagiC0de]

Most of the products Hak5 have I can simulate with my laptop or my couple of Raspberry Pis but once I understand how they work, I like to buy the Hak5 product version because of simplicity in a package and to support them.  They do great work.  Also it is cool having a device that does things naturally to offload that to while your PC does the other stuff.

I bought the Rubber Ducky a year ago.  I loved it.  Still do.

I bought the BashBunny a few months ago, love that even more.  I even got a project going on with it called the BBTPS to be able to manage multiple payloads from a single switch that is working out great so far.

I have been messing with mana-toolkit and even fruitywifi.  I decided to get the Nano Tactical Elite because of that.  I love the Nano now too.  I had a couple of bumps but I got by them pretty quickly.

I have a couple of questions.

I notice this thing gets hot.  Really hot.  Has anyone had one of these burn up?  My BashBunny gets warm too and even had a member warp the casing of one leaving it in for a very long time but he also had it near a vent on his pc and stuff.  Mine got warm too but because of the location I think it gets cooling if I have it in for a bit. (normally I don't).  The Nano I had out in open air in a cool room and after while it was extremely hot.  Just want to know what to be aware of as a precaution.

Next question.  I like the Nano for the actual intercepting and the Pine functions but rather offload the MitM stuff to my laptop.  I have been seeing articles, even one on here pointing to someone using iptables with the Nano to route traffic to their PC's Burp or Bettercap.  I like Bettercap's interface and abilities and tried to replicate this but having issues.  Might be my iptable stuff.  I see nat tables to route port 80 to 8080.  I do not know if they are doing the iptables on the nano or the PC.  I looked through the iptables on the nano but man there are a lot.  I assume the Pineapple is just forwarding stuff to the PC directly so I should be able to apply these rules to the PC after I use the wp6.sh script to ics.  Didn't work as expected.

So, question I have is what table rules and on what device will forward my http and https traffic so I can capture it in Bettercap.  I know it naturally listens on 8080.  I also want to capture https traffic but I figure you do not forward 443 to 8080 or to bettercaps https proxy for ssl stripping (unless I plan on doing a regular proxy in which case the victims will need my bettercap cert) but will need to forward the dns udp 53 to port 5300 for sslstrip to work right.  Is that udp protocol?  When I netstat my PC while bettercap is running I see a port 5300 from ruby using tcp listening but the udp 5300 at the bottom is just there using process dhclient so do not know if I am doing the DNS proxy nat table right too.  Yeah, I am a little weak on my iptabling.  I can get by but when it begins to get fancy, I begin to go cross eyed.  Took me forever to get a reverse VPN gateway and some test reverse SSH tunnels in my test lab, all with my issues with iptables.  Open ports and allowing specific things and modes with iptables, no issue.  using tables to forward between multiple machines/devices...yeah, I begin to fall apart.

Any assistance can be repaid with my personal help on your BashBunny project if you own one.  I believe every good turn deserves another.  

 

Last questions.  I assume 1 wlan is used for pineap while the other is used for sniffing, injecting and other stuff on the side.  Which wlan is used to serve the management AP I see out there?  Well, not last question.  With this question, does this mean the extra usb wifi that comes with the tactical elite is used to maybe have the pineapple run independent?  Like you use the extra plugged in wlan adapter to maybe connect to a router to provide internet without having to be connected to your phone or PC to ICS? 

Thanks in advance folks.

 

[Just_a_User]

Not going to attempt the iptable stuff as im far worse than you at iptables :)

But the below bit

2 hours ago, PoSHMagiC0de said:

Last questions.  I assume 1 wlan is used for pineap while the other is used for sniffing, injecting and other stuff on the side.  Which wlan is used to serve the management AP I see out there?  Well, not last question.  With this question, does this mean the extra usb wifi that comes with the tactical elite is used to maybe have the pineapple run independent?  Like you use the extra plugged in wlan adapter to maybe connect to a router to provide internet without having to be connected to your phone or PC to ICS? 

From what I understand (but maybe wrong) wlan1 is for pineap/injection stuff, wlan0 is your listening radio and management is wlan0-1. The USB 3rd radio I guess is used most frequently for client mode to an AP or mobile hotspot while not limiting the pineapple functionality that you would if you were to use wlan1 in client mode.

As an afterthought, with my tetra I often connect to the UI via the ethernet/lan port so disable management wlan0-1 and on occasion I have found that recon sometimes works better or rather seems more sensitive. Maybe just me or chance but if connecting via the wlan2 3rd radio on a nano might be worth a try to see.

Edited June 17, 2017 by Just_a_User

[b0N3z]

5 hours ago, PoSHMagiC0de said:

I notice this thing gets hot.  Really hot.  Has anyone had one of these burn up?  My BashBunny gets warm too and even had a member warp the casing of one leaving it in for a very long time but he also had it near a vent on his pc and stuff.  Mine got warm too but because of the location I think it gets cooling if I have it in for a bit. (normally I don't).  The Nano I had out in open air in a cool room and after while it was extremely hot.  Just want to know what to be aware of as a precaution.

 

 

Mine does also and I have had it in a blazing hot car collecting ssid for a couple hrs and it was in a case.  I do not suggest this at all, I could barely handle the nano when i took it out of the case, but it still works. So what I did was took the case apart and opened up the premade vents on the case a little more to help disipate the heat faster, also put some RPi heatsinks on some of the chips.

Edited June 17, 2017 by b0N3z

[PoSHMagiC0de]

Thanks for all the responses.  May have to look into the cooling idea.  I think I may use that extra nic for my raspberry pi as a low power solution as I figured out the bettercap thing.  The solution came from another solution to use Burp to capture the traffic from the pineapple.

http://hackedexistence.com/project/wifi-pineapple/wifi-pineapple-mk5-with-burp-proxy.html

Judging by the script, he must be using one of the tetras so ignore his changes.  The bottom part is what I did after I ran the wp6.sh script.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Cool thing about this is it doesn't break ICS.  I made a bash script in the same directory I keep the wp6 script and run it when I want to use Bettercap to mitm clients on the Nano.

Parameters i use with bettercap are:

bettercap -I eth1 --no-spoofing --no-discovery --gateway 192.168.1.1 --proxy -P POST

The gateway ip is the ip of the gateway I am sharing internet through.  eth1 is the interface the Nano is on.

I was shocked when I saw requests.  Even sslstripping was working.

 

I didn't know it was going to work but I tried it anyway and did start seeing DNS requests.

iptables -t nat -A PREROUTING -p tcp --destination-port 53 -j REDIRECT --to-port 5300

Of course you can redirect 443 to bettercap's https listening port but unless you have its cert on the victim, they will get cert warnings as in any https proxying.  Possibility with this is to use some a BashBunny with some of its payloads to add your cert while they are not looking at a public place using a public wifi and get their MAC.  Then you can go back and target them with pineapple to try and get them to connect to you.

[Speed09]

Hi,

How did you managed to get bettercap running on your WPNano ? I thought the CPU was not enough powerfull to run it...

[Just_a_User]

34 minutes ago, Speed09 said:

Hi,

How did you managed to get bettercap running on your WPNano ? I thought the CPU was not enough powerfull to run it...

The WPNano traffic is being routed through his laptop which is running Bettercap. Its not on the WPnano itself.

[PoSHMagiC0de]

3 hours ago, Just_a_User said:

The WPNano traffic is being routed through his laptop which is running Bettercap. Its not on the WPnano itself.

Exactly. +1

Idea is to use another device to do some of the heavier lifting of the pineapple so it can do its core function, wifi attacks.  Possibility?  Use the Raspberry pi as the mitm machine to handle all the captures, stripping, proxying, whatever. :-)

 

Hey @Sebkinne

New idea for a Pineapple Excalibur. Raspberry pis come as RAM like boards that are lower profile you can integrate into your projects but you have to build the interface board.  They like to sell them in bulk and was put out by request from folks wanting smaller profile, more integrate-able units in real world applications.  Maybe use one as the auxiliary machine with some external storage to do extra functions.  All in one unit that can do it all.  Need a wifi "Rat in the Box"?  You have it.  Need to have a unit running hidden in your pack that is automatically getting clients and mitm them with cutomizable stripping, proxying working on an auxiliary platform put there just for that so the pineapple part can focus on what it needs to do?  There you go.  This one will definitely need active cooling though.  :-P

Control can still be done through module packs and a web config that controls the iptable rules of the pi.  Module packs have access to these rules through a service to prevent modules from colliding (so to speak) like burp and bettercap both mitm at the same time may not work out so good.  Though burp being graphical it may not run anyway hehehe.  You get the point.  In essence, if someone is fancy about it they may have a module that installs something on the pineapple and something on the auxiliary pi to do some sort of combo attack. (If someone does, I demand it has a cheesy factor and include the sound clip of Killer Instincts "Ultimate Combo" sound when it is successful.)

[RazerBlade]

Thats where the idea of Pineapple core comes in. Using a bashbunny to run for instance bettercap. But a easy to use interface to route the traffic to a computer to do the mitm would be highly appreciated. 

 

[b0N3z]

There are a couple tutorials written up that explain how to route traffic from the pineapple to PC to run things like bettercap

 

 

[PoSHMagiC0de]

Yeah, I read through a few but they seemed dated.  One wanted to change iptables inside the pineapple.  The one that I was able to adapter was the link I posted above about using OSX, pineapple and burp.  His seemed to be geared toward a Tetra but his nat tables were sound so used them and they work. So, the above can work as a template for after you run the wp6.sh script.  It also doesn't seem to break the existing ICS if nothing is listening on the newly natted port.  So, just changing the protocol, source port and destination port for the service you desire to the listening port you want may do it.  I only have done it with http and stripping https traffic so far though through bettercap.

[b0N3z]

The one that changes the up of the pineapple can be done by default but you have to change the NAT ip on your machine to get the pineapple to have Internet access otherwise everything else is the same 

[lild4d]

Now that the tetra was on TV maybe they'll start focusing on fixing the firmware now since more people will start to buy it like crazy 

[M@s0n]

On 6/18/2017 at 2:13 AM, PoSHMagiC0de said:

Thanks for all the responses.  May have to look into the cooling idea.  I think I may use that extra nic for my raspberry pi as a low power solution as I figured out the bettercap thing.  The solution came from another solution to use Burp to capture the traffic from the pineapple.

http://hackedexistence.com/project/wifi-pineapple/wifi-pineapple-mk5-with-burp-proxy.html

Judging by the script, he must be using one of the tetras so ignore his changes.  The bottom part is what I did after I ran the wp6.sh script.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Cool thing about this is it doesn't break ICS.  I made a bash script in the same directory I keep the wp6 script and run it when I want to use Bettercap to mitm clients on the Nano.

Parameters i use with bettercap are:

bettercap -I eth1 --no-spoofing --no-discovery --gateway 192.168.1.1 --proxy -P POST

The gateway ip is the ip of the gateway I am sharing internet through.  eth1 is the interface the Nano is on.

I was shocked when I saw requests.  Even sslstripping was working.

 

I didn't know it was going to work but I tried it anyway and did start seeing DNS requests.

iptables -t nat -A PREROUTING -p tcp --destination-port 53 -j REDIRECT --to-port 5300

Of course you can redirect 443 to bettercap's https listening port but unless you have its cert on the victim, they will get cert warnings as in any https proxying.  Possibility with this is to use some a BashBunny with some of its payloads to add your cert while they are not looking at a public place using a public wifi and get their MAC.  Then you can go back and target them with pineapple to try and get them to connect to you.

Awesome! Thanks so much for the reply on my thread. This is exactly what I was looking for.