Jump to content


Photo
- - - - -

Detecting Jasager Attack


  • Please log in to reply
11 replies to this topic

#1 BlueWyvern

BlueWyvern

    Hak5 Zombie

  • Active Members
  • PipPipPipPipPip
  • 175 posts

Posted 13 January 2011 - 07:31 PM

Hey guys,

I think I read some where that it is possible to detect if you are currently the victim of the "Wifi Pineapple", but have had no luck in finding out what exactly that information was.

I have been playing around with C# and writing tech tools, or at least trying to come up with ideas of tools to write to make my job just a smidge easier.
I currently only have 1 written and it removes those annoying stuck print jobs, and fixes printer dependencies for those annoying lexmark printers.

so This post is two fold, first anyone know how to detect the pineapple, and second if anyone has an idea for a tech tool for me to attempt to write I'd love some suggestions! Also if it is allowed and people want them I will post them here.

#2 lopez1364

lopez1364

    Hak5 Pirate

  • Active Members
  • PipPipPipPipPipPip
  • 258 posts
  • Gender:Male
  • Location:Katy, TX

Posted 13 January 2011 - 11:59 PM

Nothing special just adding "Jasager" to your wireless profiles and make it the default. This way if you are connected to "Jasager" at starbucks you are wrong!
"Everybody can make something complicated,
what's hard is to make something simple."








Visit My BLOG

#3 Mr-Protocol

Mr-Protocol

    Hak.5 Packet Ninja

  • Administrators
  • PipPipPipPipPipPipPipPipPipPipPipPip
  • 3,449 posts
  • Gender:Male

Posted 14 January 2011 - 05:41 AM

The jasager responds to all SSID probes. So adding "Jasager" to your saved profiles will not work really. I still dont understand why people set static SSIDs with the Jasager.

The only way to detect this type of attack would be to know the mac addresses of the routers you are supposed to talk to and check them on connect for verification. Or in linux you can use airodump-ng to find out and determine rogues.

Another way would be to have a wireless auditing system in place. Like for companies who want to protect their wireless network and be able to audit it. A company AirMagnet does a service like that. I have a few of their sensors I was trying to re-purpose but they were used for monitoring all wireless activity for unwanted activities.

Mr-Protocol @ irc.hak5.org #hak5
Mr-Protocol @ chat.freenode.org #hak5
 
https://wifipineapple.com/
 
Im just watching a bad dream I never wake up from. -Spike Spiegel
DerbyCon


#4 Jason Cooper

Jason Cooper

    Hak5 Pirate

  • Active Members
  • PipPipPipPipPipPip
  • 461 posts
  • Gender:Male
  • Location:Great Britain
  • Interests:Cards,
    Computers,
    Cryptography,
    Hacking,
    Lock Picking,
    Programming,
    And many more

Posted 14 January 2011 - 07:02 AM

The jasager responds to all SSID probes. So adding "Jasager" to your saved profiles will not work really. I still dont understand why people set static SSIDs with the Jasager.


The point is to set a preferred network that shouldn't exist. Then if you do connect to it you know it is an evil twin and not a safe network.

If you really wanted to remove the need to look at your network ssid every time you connect then you could create a program/script that runs after you have connected and either setup an configuration on your interface that won't work or pops up a warning message that lets you know that you are not on a safe network.

Edited by Jason Cooper, 14 January 2011 - 07:23 AM.


#5 Mr-Protocol

Mr-Protocol

    Hak.5 Packet Ninja

  • Administrators
  • PipPipPipPipPipPipPipPipPipPipPipPip
  • 3,449 posts
  • Gender:Male

Posted 14 January 2011 - 08:46 AM

Ah, yeah I guess that would work if there were no other APs around. Keep in mind if you try to connect to "Starbucks" AP and the Jasager/Pineapple is closer, it will connect to the strongest signal. In that scenario being the Jasager/Pineapple.

Mr-Protocol @ irc.hak5.org #hak5
Mr-Protocol @ chat.freenode.org #hak5
 
https://wifipineapple.com/
 
Im just watching a bad dream I never wake up from. -Spike Spiegel
DerbyCon


#6 Jason Cooper

Jason Cooper

    Hak5 Pirate

  • Active Members
  • PipPipPipPipPipPip
  • 461 posts
  • Gender:Male
  • Location:Great Britain
  • Interests:Cards,
    Computers,
    Cryptography,
    Hacking,
    Lock Picking,
    Programming,
    And many more

Posted 14 January 2011 - 08:57 AM

Ah, yeah I guess that would work if there were no other APs around. Keep in mind if you try to connect to "Starbucks" AP and the Jasager/Pineapple is closer, it will connect to the strongest signal. In that scenario being the Jasager/Pineapple.


That is why you need to make the Jasager network the highest priority as then your machine will send out probes for Jasager and the real AP won't respond to that as it is only looking for probes for its network, but the pineapple will respond to it as it responds to everything. Of course it may be possible for someone to specifically set Jasager to only respond to one or two networks, which would be harder to detect but it would also limit the traffic that it manages to collect.

#7 Jamo

Jamo

    Hak5 Pirate

  • Active Members
  • PipPipPipPipPipPip
  • 358 posts
  • Gender:Male
  • Location:Finland

Posted 14 January 2011 - 09:06 AM

Jasager attacks are great, cause its really hard to detect when someone is using jasager.

I think that in some ep was a tool, which was made to protect windows user for jasager, or was it artspoofing. Can't remember. Anyway that tool checked Real APs MAC and then pops up if that APs mac address has changed. It just doesnt work if you connect directly to jasager.

#8 Mr-Protocol

Mr-Protocol

    Hak.5 Packet Ninja

  • Administrators
  • PipPipPipPipPipPipPipPipPipPipPipPip
  • 3,449 posts
  • Gender:Male

Posted 14 January 2011 - 11:14 AM

That is why you need to make the Jasager network the highest priority as then your machine will send out probes for Jasager and the real AP won't respond to that as it is only looking for probes for its network, but the pineapple will respond to it as it responds to everything. Of course it may be possible for someone to specifically set Jasager to only respond to one or two networks, which would be harder to detect but it would also limit the traffic that it manages to collect.

It depends on if your computer probes out for it or not. It might not depending on OS, hardware, signal strength.

Do a field test and let us know? I don't have the spare time :P

Mr-Protocol @ irc.hak5.org #hak5
Mr-Protocol @ chat.freenode.org #hak5
 
https://wifipineapple.com/
 
Im just watching a bad dream I never wake up from. -Spike Spiegel
DerbyCon


#9 Mr-Protocol

Mr-Protocol

    Hak.5 Packet Ninja

  • Administrators
  • PipPipPipPipPipPipPipPipPipPipPipPip
  • 3,449 posts
  • Gender:Male

Posted 14 January 2011 - 11:16 AM

Jasager attacks are great, cause its really hard to detect when someone is using jasager.

I think that in some ep was a tool, which was made to protect windows user for jasager, or was it artspoofing. Can't remember. Anyway that tool checked Real APs MAC and then pops up if that APs mac address has changed. It just doesnt work if you connect directly to jasager.

I think that tool is to detect ARP spoofing for MITM if my memory serves me correctly. It watches if your gateway MAC is changed or changed since you connected. That is a way the ARP spoof MITM attack can be detected.

Edited by Mr-Protocol, 14 January 2011 - 11:17 AM.

Mr-Protocol @ irc.hak5.org #hak5
Mr-Protocol @ chat.freenode.org #hak5
 
https://wifipineapple.com/
 
Im just watching a bad dream I never wake up from. -Spike Spiegel
DerbyCon


#10 Jason Cooper

Jason Cooper

    Hak5 Pirate

  • Active Members
  • PipPipPipPipPipPip
  • 461 posts
  • Gender:Male
  • Location:Great Britain
  • Interests:Cards,
    Computers,
    Cryptography,
    Hacking,
    Lock Picking,
    Programming,
    And many more

Posted 14 January 2011 - 11:39 AM

It depends on if your computer probes out for it or not. It might not depending on OS, hardware, signal strength.

Do a field test and let us know? I don't have the spare time :P


I know that linux on my netbook (DebianEeePC) is set up so that it looks for a network of pineapple as the highest priority and that it probes for the networks. I have also got it set up so that if it connects a network called pineapple it breaks my interfaces IP details so that I won't be able to send and receive packets. Which is a fairly good way to stop it. I don't know if windows can be set up in a similar way so it would be interesting to hear from anyone who has.

#11 x942

x942

    Hak5 Ninja

  • Active Members
  • PipPipPipPipPipPipPip
  • 571 posts
  • Gender:Male
  • Location:Canada

Posted 14 January 2011 - 02:13 PM

I know that linux on my netbook (DebianEeePC) is set up so that it looks for a network of pineapple as the highest priority and that it probes for the networks. I have also got it set up so that if it connects a network called pineapple it breaks my interfaces IP details so that I won't be able to send and receive packets. Which is a fairly good way to stop it. I don't know if windows can be set up in a similar way so it would be interesting to hear from anyone who has.


I do something similar on Linux but I have a shell script execute and disable wifi all together followed by blocking everything in ip tables with ufw.

As for the windows tool I believe you guys are thinking of irongeeks decafinateID which earns you of MITM attacks and rouge APs

#12 x942

x942

    Hak5 Ninja

  • Active Members
  • PipPipPipPipPipPipPip
  • 571 posts
  • Gender:Male
  • Location:Canada

Posted 14 January 2011 - 02:14 PM

I know that linux on my netbook (DebianEeePC) is set up so that it looks for a network of pineapple as the highest priority and that it probes for the networks. I have also got it set up so that if it connects a network called pineapple it breaks my interfaces IP details so that I won't be able to send and receive packets. Which is a fairly good way to stop it. I don't know if windows can be set up in a similar way so it would be interesting to hear from anyone who has.


I do something similar on Linux but I have a shell script execute and disable wifi all together followed by blocking everything in ip tables with ufw.

As for the windows tool I believe you guys are thinking of irongeeks decafinateID which earns you of MITM attacks and rouge APs




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users