
Darren Kitchen

Root Admin

Everything posted by Darren Kitchen

  1. I don't understand why yours would be different. Disabling the firewall should do the trick. Have you SSH'd in and tried turning it off manually? We'll have a firmware update by Monday including a fix for this as well as a few new features (OTA updates, macchanger, sniffer page). What does the output of "cat /etc/config/dhcp" and "route" look like?
  2. I'm evaluating a bunch of USB console cables and once I find one I'm happy with we'll have it cheap in the HakShop. "Wish I had it at launch" is something I'm getting used to saying.
  3. Here's a quick flashing guide for the MK4 via serial:

     Connect a USB TTL Serial console cable to the pin headers next to the USB port. Set your com program (hyperterminal, minicom, screen, gcom) to use these settings: 115200, 8, N, 1, no hardware flow control, no software flow control.

         minicom -s

     Connect ethernet between the PC and the Pineapple's WAN/LAN port. Set a static IP on the PC of 192.168.2.11 / 255.255.255.0:

         ifconfig eth0 192.168.2.11 netmask 255.255.255.0 up

     Configure a TFTP server (Windows: http://tftpd32.jounin.net/ Linux: http://code.google.com/p/tftpgui/). Download the factory firmware from http://wifipineapple.com/mk4/factory/kernel.bin and http://wifipineapple.com/mk4/factory/rootfs.bin:

         wget http://wifipineapple.com/mk4/factory/kernel.bin; wget http://wifipineapple.com/mk4/factory/rootfs.bin

     Move the two bin files into your tftproot directory. Power on the pineapple. In your com program you will see:

         U-Boot 1.1.4 (Sep 29 2011 - 16:39:41)
         AP121-8MB (ar9331) U-boot
         DRAM: 32 MB
         Top of RAM usable for U-Boot at: 82000000
         Reserving 248k for U-Boot at: 81fc0000
         Reserving 192k for malloc() at: 81f90000
         Reserving 44 Bytes for Board Info at: 81f8ffd4
         Reserving 36 Bytes for Global Data at: 81f8ffb0
         Reserving 128k for boot params() at: 81f6ffb0
         Stack Pointer at: 81f6ff98
         Now running in RAM - U-Boot at: 81fc0000
         id read 0x100000ff
         flash size 8388608, sector count = 128
         Flash: 8 MB
         In: serial
         Out: serial
         Err: serial
         Net: ag7240_enet_initialize...
         Fetching MAC Address from 0x81feb688
         Fetching MAC Address from 0x81feb688
         : cfg1 0x5 cfg2 0x7114
         eth0: 00:c0:ca:5f:6b:5d
         eth0 up
         : cfg1 0xf cfg2 0x7214
         eth1: 00:c0:ca:5f:6b:5e
         athrs26_reg_init_lan
         ATHRS26: resetting s26
         ATHRS26: s26 reset done
         eth1 up
         eth0, eth1
         Please choose the operation:
         1: Entr boot command line interface.
         2: Load system code then write to Flash via TFTP.
         3: Boot system code via Flash (default).

     Press 1 to enter the U-Boot CLI. At the ar7240> prompt issue these commands:

         setenv bootargs "board=ALFA console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd"
         saveenv
         tftp 0x80600000 kernel.bin
         erase 0x9f650000 +0x190000
         cp.b 0x80600000 0x9f650000 d695a
         tftp 0x80600000 rootfs.bin
         erase 0x9f050000 +0x600000
         cp.b 0x80600000 0x9f050000 23d004
         bootm 0x9f650000

     Once OpenWRT finishes booting press ENTER to activate the console. Issue passwd and set a root password. Next start the ssh service:

         /etc/init.d/dropbear start

     Move the Ethernet cable from the WAN/LAN port to the PoE LAN port. From the PC ping 192.168.2.1 to verify a connection. From here you'll need to SCP over the latest MK4 update from http://wifipineapple.com/mk4/firmware. SCP the latest firmware .bin file to the Pineapple's /tmp/ directory (windows: http://winscp.net/eng/index.php linux: you already have scp):

         scp firmware.bin root@192.168.2.1:/tmp/

     Once the firmware has been copied to the pineapple's /tmp/ directory you're ready to update the factory firmware to the latest version of the Jasager suite. On the pineapple issue:

         sysupgrade -n -v /tmp/firmware.bin

     The upgrade process takes 2-3 minutes. When complete the Pineapple will reboot and all will be happy again in the land of the pineapple. Continue with normal usage (ie: change your PC's ethernet interface back to DHCP or static it to 172.16.42.42).
  4. That cable looks like it'll do the trick. We have some on the way to the hakshop with right-angle plugs so they'll fit in pelican cases more snugly. As long as it has a 5.5mm outer diameter and 2.1mm inner with center positive you're all good.
  5. Firmware over the weekend. Still toying with the best way to implement ettercap. You can try it yourself. SSH in and:

         opkg update
         opkg install ettercap-ng   # Package might also just be called "ettercap"

     You might also want to run "df -h" to see if you have enough room on /, otherwise format a USB drive in EXT4, plug it in (shouldn't have to reboot) and you'll notice all that room available in /usb (run df -h to verify). Installing packages to usb is done by adding --dest usb in the opkg command, as defined in /etc/opkg.conf.
  6. I had "awe yea" face on until I got to your last two sentences. Then I bust out laughing. Cheers!
  7. Yeah, really sorry about that. It should have worked right out of the box. Well, it does if you try 3G first. *Grumble* We'll have a 1.0.1 out soon with macchanger, sniffer page, this fix and a few other odds and ends probably over the weekend or Monday. Stay tuned.
  8. Yep, http://forums.hak5.org/index.php?showtopic=25668 URLSnarf log is no longer on status page - that's for clients only. A sniffer page is coming -- it'll be a painless update very soon. Will wrap up the code this weekend. Until then you can cat the log from advanced or ssh in. Sorry - had to put my foot down and call it 1.0 at some point else we'd never have released it. Could code features for these things until the cows come home. Closed.
  9. ngrep is still on there but not in the web UI. We're working on a revised web UI for sniffing which should bring together the power of urlsnarf, ngrep and *ettercap* :) Very excited about that last one. You can still use ngrep, urlsnarf from the command line for now. Reaver is included, just SSH in and type reaver. Yep - I'm very happy with the thermal properties of the mk4. I ran one the other night with a battery pack in a pelican case at an RSA party for over 4 hours with over 100 clients associated and it wasn't even warm. I hadn't even drilled vent holes in the case yet! Even I'm amazed. Reaver wasn't on the shmoocon edition - it was too new then. We'll have a firmware update out for the shmoo folks in a hot sec. Hang tight.
  10. I tested amperage the other day in various configurations all using a 5V USB battery pack. Mind you the mk4 will take anywhere between 5V and 12V. If you feed it 5V the A draw will be higher than if you provide 12V -- it's a balance. 5V batteries are easier to come by since USB is so ubiquitous so that's what I'm going with. Except for my monster 24-hour pineapple using a 12V marine battery. We'll talk about that one later. Here are my initial power draw findings:

      Without WiFi - 5V 1A
      With WiFi - 5V 1.7A
      With WiFi & 3G (GSM) - 3.4 - 4.8 A

      We could have a whole separate thread about batteries, and I'm sure we will, but suffice it to say I've been testing at least a dozen and will have the best performance / value in the shop asap. Any USB battery pack should power it and with a 5000mAh pack the other day I was able to run for over 4 hours with over 100 clients associated. Posted a screenshot to G+ -- it was insane! Thanks RSA :) The kit will be in the shop soon as a separate add-on. We have a bunch of cool accessories coming. It'll be out very shortly. Just need to nail down a few things. Hang tight and thanks for the patience.
  11. Just read the OP. Reserving this spot. Pulling a pineapple off the factory line and testing. Standby.

      Edit: Just read the rest of the comments. This is weird. In all of my tests I've been using the mk3.sh (now renamed to mk4.sh) on linux and tethering has always worked. First thought: Go to the advanced page in the web UI and in the text area at the bottom type "/etc/init.d/firewall stop" then click Execute Commands. Ok, grabbing a pineapple and looking for a Windows 7 machine now...

      Edit 2: Issue /etc/init.d/firewall disable; /etc/init.d/firewall stop from the Execute Commands text area at the bottom of the advanced page. Ok I grabbed a pineapple off the shelf, powered it, connected the spiffy little retractable ethernet cable between the pineapple's PoE LAN port and my laptop, booted Ubuntu (My Windows install is on a HDD collecting dust), connected to the WiFi on wlan0 and ran mk4.sh. It pinged 172.16.42.1 no problem. I browsed to http://172.16.42.1/pineapple, logged in, enabled karma. Went to the advanced page and verified that 172.16.42.42 is the default gateway. Entered 8.8.8.8 in the ping box and got replies, so it's online. Entered example.com in the ping box and also got replies, so DNS is working. Entered cat /etc/config/network; cat /etc/conf/dhcp in the execute commands box and everything looked great. Then I put my phone in airplane mode (so it's off the 3G network), enabled wifi, added an SSID called "is_ics_working" and instantly it connected. Tried to pull up example.com in my browser, no dice. Remembered this happening with 3G tethering and how the 3G tether scripts disable the firewall. Of course my testing didn't reveal this bug because I tested 3G first, then tethering... Went to the Advanced page, issued /etc/init.d/firewall disable; /etc/init.d/firewall off using the "Execute Commands" box and refreshed example.com on my phone. It worked. We'll squash this for good in the update coming out shortly.

      In the meantime run that command, or better yet add it to rc.local -- that's the startup script and you can edit it directly from the Jobs page. Man, I can't believe I missed that one. Ugh. Reminds me of trying to host a Quake 3 server at a LAN party on a Windows XP box with the firewall up. *sigh*
  12. This is my biggest fear with the MK4, and one of the reasons we've taken away the ability to directly edit /etc/config/network from the web UI. 99% of the time the device isn't bricked but simply not on the network. With the previous models this wasn't as big a deal since the bootloader, redboot, would listen for a few seconds at boot for a network connection. From there you could reflash easily - just an Ethernet cable and a few commands. With the MK4 we're using the U-Boot bootloader, which is only accessible via serial. Specifically you'll need a 3.3V USB Serial TTL adapter. I'll post a how-to here shortly and sticky it. There's a cleanup script that runs every 5 minutes on the 1.0 firmware which periodically cleans log files, frees up RAM. I was actually considering putting in a line that would replace the /etc/config/network file with a backup if eth0, eth1 or br-lan didn't show up with an IP. Looking at it now it should most definitely be in the 1.0.1 update.
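The config watchdog described in that post, as an added example (not the Pineapple's own cleanup script). It assumes busybox-style ifconfig output, takes the config and backup paths as parameters (the .bak path is a placeholder), and restores only when none of eth0, eth1 or br-lan has an IPv4 address, so it can be exercised on constructed input without touching a real box.

```shell
#!/bin/sh
# Added example, not the Pineapple's cleanup script: decide whether
# /etc/config/network should be restored from a backup because none of
# eth0, eth1 or br-lan came up with an IPv4 address.

# Constructed busybox-style ifconfig output: a healthy device, and one
# whose interfaces are up but never received an address.
IFCONFIG_OK='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:172.16.42.1  Bcast:172.16.42.255  Mask:255.255.255.0
br-lan    Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:172.16.42.1  Bcast:172.16.42.255  Mask:255.255.255.0'
IFCONFIG_BAD='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
br-lan    Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# has_ip TEXT IFACE... : return 0 if any named interface has an
# "inet addr:" line in the ifconfig text, 1 otherwise.
has_ip() {
    text=$1; shift
    for ifname in "$@"; do
        # Header lines start in column 0 and name the interface; detail
        # lines are indented, so remember the current interface and look
        # for an address line while inside the wanted block.
        if printf '%s\n' "$text" | awk -v want="$ifname" '
            /^[^ ]/ { cur = $1 }
            cur == want && /inet addr:/ { found = 1 }
            END { exit found ? 0 : 1 }'; then
            return 0
        fi
    done
    return 1
}

# restore_if_down TEXT CONFIG BACKUP : copy BACKUP over CONFIG when no
# interface has an address. Echoes "ok" or "restored" so callers can log it.
restore_if_down() {
    text=$1; config=$2; backup=$3
    if has_ip "$text" eth0 eth1 br-lan; then
        echo "ok"
        return 0
    fi
    cp "$backup" "$config" && echo "restored"
}

# On a real device (paths assumed, backup path is a placeholder):
# restore_if_down "$(ifconfig)" /etc/config/network /etc/config/network.bak
```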
  13. I appreciate the concern and welcome a transparent discussion on pineapple economics, though you should understand first off that the sales do not only fund Hak5. As far as the roles are concerned Telot is on the right track. Robin patches the drivers bringing Karma to life, improving it greatly with every build. Seb packages the firmware, works on features & updates. Since rewriting the UI for the MK3 I've been figuring out manufacturing, dreaming up, discussing and implementing new features, writing documentation, marketing and soon to be holding workshops, doing presentations. Snubs fills orders, handles exchanges when someone bricks one, brings the HakShop to cons. Paul makes us all look good on camera. Mubix & Mr-Protocol provide valuable testing, feedback & community support. Finally Kerby doesn't see what the fuss is about - thinks it should be the WiFi Tuna fish. Hak5 always has and always will embrace DIY. Since the first fon based MK1 to where we are now, the project has remained open source and we encourage DIY. In fact, the MK4 lends itself to being the most moddable pentesting dropbox or wifi attack platform ever conceived. I can't wait to share with you some of the awesomely inconspicuous enclosures I've been working on for the SXSW panel. As for the hardware, it is starting to make its way into other distributors. The product is so new and Hak5 is the first to market and first to integrate it as a product because we've been working directly with Alfa on the board for the last 10 months. You can bet your bottom dollar though the firmware, soon to be released with the next round of feature updates, will run on one of these regardless of who you buy it from. Same with the Fon's MK1, the Open-Mesh's MK2 and the Alfa's MK3. You can rest assured knowing that feature requests will always be welcomed, DIY will always be supported and updates will continue to come as Robin, Seb & I put even more polish on this project.

      None of us are doing this for free and you're not pestering us asking for X, Y or Z. This has been the case since the beginning of the project. What we're selling is our hard work, and giving it away for free to boot. I can at least say for myself I've spent hundreds of hours developing this and have a huge sense of pride for the project. I'm sure Robin & Seb do as well -- it's really come a long way and it's all of our profit to share. When we first developed the Jasager / Pineapple with Robin back in '08 the project wasn't for sale. It wasn't until a year later with the community knocking down our door for an off-the-shelf unit that we finally started building 'em bespoke - at 160 bucks mind you o.O. We said on the sales page, here's the firmware, go buy this, solder this, flash that, or we'll do it for you and you'll be funding future hacking developments from us. This has held true to this day (except it's nearly half the price now). We probably wouldn't have the MK4 at this price, based on this awesome new hardware, if it wasn't for the support we got from the community with the previous iterations. So thank you for getting us where we are today. This is truly the best community around. I absolutely 100% agree that part of the learning fun is DIY. I can't even begin to tell you how much I've learned developing it. Seriously, I didn't know a bootloader from busybox years ago. We'll actually have DIY kits in the HakShop as part of the third phase of deployment. Right now we're in the first where there's small quantities and we're primarily focused on serving the forum community. Trust me, this thing has so much modding potential and I think you'll agree when we really get the ball rolling that it's not DIY vs HakShop -- they'll go hand in hand. As for forums, they'll always be free and the pineapple will continue to fund future hardware developments, the devs & the show. +1 on all your comments. Free love.
  14. Perhaps, I'm working on it. The device shows up as /dev/sg0 and /dev/sg1 at first. Ejecting one of those (the "type 5" or CD-ROM one) will reveal the modem, typically at /dev/ttyUSB0 Exactly. I love the idea of using the MC760 as both a modem and storage. In fact all of the USB Mobile Broadband Modems I've encountered have MicroSD slots. I presume this is so that ISPs can load their crapware dialers. One note on the MC760, if you're looking for one and you fancy the Ting.com service they're currently sponsoring Hak5 and offering viewers $50 off a device. Seeing that the Ting.com Novatel MC760 is $45 you can get one free. Their data plans are a pay-as-you-go and pay-for-what-you-use model, so like 100MB is $3 and it goes up from there at about 2 cents a meg. Sorry if that sounds much like an ad, they are a sponsor, though I actually wrote the Ting support for this modem before I found that out. Rev3 was pretty stoked to hear I'm a fan of the service. It's just cheap enough to not even think about for a constant SSH session. The $50 off URL is http://ting.com/hak5 Possibly. We will for sure have some sort of storage option in the near future. Development focus was primarily on getting essential features up, running and solid like 3G, Karma, SSH, and to pretty it all up. Now that we've hit the 1.0 milestone I'm focusing on accessories. Batteries, cases, storage, modems, "hidden in plain sight enclosures". We'll more than likely have a tar of goodies to be loaded on an EXT4 formatted drive, USB or MicroSD -- either as an upgrade pack or through a module system that's in the works. Imagine a "jasager app store" (except it's all free). Huge shouts to Robin Wood and Sebkinne!!
  15. Basically first step is to find the equivalent of iw station dump for nearby clients, then it's just a matter of checking with Jasager to make sure we don't deauth any of his clients and a simple loop with aireplay-ng.
  16. In the web interface click the 3G page then look at the connection script. You'll find it runs lsusb and pipes the output to awk to find product and vendor ID pairs. This is followed by a switch case. You'll notice that if the PID/VID equal that of, say, the Ting modem it'll use uci to set network config options, then usbmodeswitch to "eject" the cdrom, then rmmod and insmod to add the modem to the system, usually they come up as /dev/ttyUSB0. Finally some iptables mojo is done for routing and the rest is done automatically by pppd. To add a new modem, copy and paste one of the switch cases and replace VID/PID with your values, adjust the modeswitch command, rmmod, insmod, and you should be good to go. For CDMA there isn't really any uci network config stuff to change, the defaults should work. For GSM you'll need to specify the apn and depending on your modem you may also have to specify a pin. I haven't run into this personally, I think it's just for locked devices. OK, that's all from memory. I'm out on my phone now but I'll post the script when I get back to a computer.
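The detection step that post describes (lsusb piped to awk, then a switch case on VID:PID), as an added example that is not the Pineapple's 3g.sh. It is written as a dry run that reports the per-modem plan instead of running uci, usb_modeswitch or insmod, and every modem VID:PID in it is a constructed placeholder, so it runs anywhere.

```shell
#!/bin/sh
# Added example, not the Pineapple's 3g.sh: lsusb -> awk -> case on VID:PID,
# reporting what each recognised modem would need rather than doing it.
# The abcd:* IDs are CONSTRUCTED placeholders, not real modem IDs.

# Constructed lsusb-style output: a root hub, a fake GSM dongle still in
# CD-ROM mode, and an unrelated flash drive.
SAMPLE_LSUSB='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID abcd:0001 Placeholder GSM dongle (constructed)
Bus 001 Device 003: ID abcd:0099 Placeholder flash drive (constructed)'

# usb_ids TEXT : print every VID:PID pair found in lsusb-style text,
# one per line (the "lsusb | awk" step from the post).
usb_ids() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "ID") print $(i + 1) }'
}

# modem_plan VID:PID : one "switch case" per supported modem, as in the
# post. Prints the setup plan and returns 0 for a known ID, 1 otherwise.
# A new modem is added by copying a case and changing the ID and steps.
modem_plan() {
    case "$1" in
        abcd:0001)  # constructed GSM placeholder: needs an APN, maybe a PIN
            echo "gsm: uci set apn (and pin if locked); usb_modeswitch eject; rmmod+insmod driver; pppd on /dev/ttyUSB0" ;;
        abcd:0002)  # constructed CDMA placeholder: default network config works
            echo "cdma: usb_modeswitch eject; rmmod+insmod driver; pppd on /dev/ttyUSB0" ;;
        *)
            return 1 ;;
    esac
}

# detect_modem TEXT : scan the device list and report "<vid:pid> <plan>"
# for the first supported modem; return 1 when none is plugged in.
detect_modem() {
    for id in $(usb_ids "$1"); do
        if plan=$(modem_plan "$id"); then
            echo "$id $plan"
            return 0
        fi
    done
    return 1
}

# Stand-alone use on the constructed sample (on a real box: "$(lsusb)"):
# detect_modem "$SAMPLE_LSUSB"
```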
  17. Trying to get away from the pc completely. Channel hopping isn't a problem, der neinsager won't be configured as an AP. Wash is a good lead but would rather not have to write something. This must be possible with Kismet, sed, awk, cut, grep, bash, if, echo and at. I mean, those guys rock! ;-)
  18. Here's a brain dump from my Neinsager research. I've only just started the project a few hours ago but for this I figured I'd crowd source and such. With the MK4 I'm adding a feature called "Tango Mode" which basically allows you to take a MK3 or MK4 and turn it into a backpack using a short Ethernet cable from the MK4 Master's LAN port to the MK3/MK4's LAN port. After exchanging SSH key pairs the master pineapple running Jasager can now control the slave pineapple running Neinsager. This should run the same on an AR2315 based MK3 or an AR9331 based MK4. I have the aircrack-ng suite up and running, though I'm getting unpredictable results with airodump-ng. That's not really an issue as I wasn't looking for something that interactive anyway. What I'm currently looking for is a simple way to list nearby *client* BSSIDs. iw wlan0 scan will give me a listing of access points from which I can grep out SSID, but to my knowing not clients. I'm thinking perhaps kismet can, for which there is an openwrt package so I'll investigate that next. The reason for this is that I would like to write a script which will find nearby BSSIDs in order to feed aireplay-ng for deauth'ing. Obviously I'll implement white and black listing so you don't kill all the clients your Jasager pineapple already has. If you're saying to yourself, "Darren, this already exists, it's called airdrop-ng and you covered it on Hak5 years ago" -- you're right. Unfortunately the airdrop-ng script is Python, which has about a 4MB footprint. Sure the MK4 could handle that with USB storage, but not the MK3 -- and there's a bunch of fons/open-meshes/ap51's that could be put to great use as a Neinsager backpack. The other consideration is that Airdrop-ng requires the old version of lorcon as well as pylorcon, and if you've ever tried to get these running you know it might not even be worth attempting to cross-compile for the AR2315.
I dunno, maybe I'm wrong, but I feel like this could easily be re-written as a bash script. Ok, looking forward to collaborative development. Thoughts?
  19. Here's the header of the 3g.sh I've pretty much learned the trick of supporting most GSM and CDMA modems. Both sdparm and usb_modeswitch are included. Usually it's just a matter of "ejecting" the USB CD-ROM so that the modem reveals itself, at which point a bunch of uci network commands set the config, pppd does its thing with chat and comgt. So basically any modem that's supported by usb_modeswitch should work. Here's a reference list of about 200 or so dongles: http://www.draisberghof.de/usb_modeswitch/device_reference.txt Also lemme just say it's freaking robust -- stays alive no matter what. Spent weeks on 3G and keep alive scripts alone and let me tell you it was such a good feeling the first time I got the pineapple completely self contained.
  20. The first dibs is the same as the production release -- we're just giving you, um, first dibs at getting one because we know there's a lot of demand and production hasn't fully ramped up yet. We'll be on top of that by mid March. By that time we should also be offering a kit. The kit is an optional add-on you'll be able to get then. Or roll your own. Basically looking to offer a rechargeable lithium ion battery pack, hak5 branded storage already formatted as ext4, partitioned and configured with a bunch of tools, as well as a case - most likely from Pelican (they rock), high gain directional pancake antenna, an assortment of RP-SMA & usb-type-m cables and anything else that'll make this more leet. Still working on it so suggestions welcome.
  21. Internet Connection Sharing through the wp3.sh script has not changed. Ok, I lied, I changed the filename to wp4.sh, hehe. I can't believe I completely forgot about macchanger. Stupid simple to add this feature -- I'll see that it's in 1.0.1. For now you can simply go to the advanced page and from the execute commands text field enter: That'll do the trick. I'll add it to the config page in the next version. As far as cheap 3G/4G dongles are concerned, how does free sound? Full disclosure: they're a sponsor, but Ting.com recently launched as an MVNO on the Sprint network and they're offering Hak5 fans $50 off their devices when you visit www.ting.com/hak5 . I was using Ting before they sponsored and actually added built-in support for their service using the Novatel u760 modem -- which is $45 on their site so essentially it's free. Data rates are about 2 cents a meg but I'm not sure on Canada support. I know they're based in Toronto.
  22. Yes, these orders are shipping Monday. I was recently asked about SSLStrip. No, it doesn't come pre-installed due to space requirements, however it can be installed on a USB drive. That's one of the things we're working on adding as part of a kit down the road. Personally I like to simply have the device start Karma, 3G & SSH Tunnel to my VPS on boot then run all of the sniffing tools and such there. Will post some tutorials soon.
  23. Good call, thanks I'll update that. Also stay tuned for a ducky firmware with linux support. Just beta tested a new build, we're close to release.
  24. I took your suggestion and we're doing a first dibs for you guys & a nice little discount to show our thanks to the community. Come mid-March we should have production ramped up enough to put these guys on the homepage but until then here's your opportunity. http://www.hakshop.com/products/markiv-first-dibs Mad props go out to Digininja and Sebkinne and you guys. Together we've put together something I'm so truly proud of. I'm working on enclosure and battery mods now and will have some even more awesome stuff to show after my panel at SXSW. Prepare to be pwned Austin! PS: please don't post this link on the homepage of reddit or anything :)

      Screenies: (a lot of this is being backported to the MK3)

      - New consolidated status screen with way more robust javascript updater.
      - Detailed reports of connected clients. This grabs info from iw, arp, dhcp and combines it into one for an at-a-glance "who am I pwning".
      - Cron jobs and auto-start 3G. It "just works", every time and resets if the connection is broken. Three modems on the supported list now with more to follow. I've learned a lot about GSM and CDMA so adding modems shouldn't be too tricky once we have the right modeswitch codes.
      - SSH. Use it for a reverse tunnel, a relay, however you wish. AutoSSH is on there to maintain a persistent connection with failsafe cron jobs to auto-reconnect. All done with key pair exchanges for security.
      - Scripts like cleanup to free memory, cleanup logs. SSH and 3G reconnect, plus a user.sh for whatever you like, all within the web UI.
      - Firmware update from web interface. Choose your upgrade.bin, hit upgrade, wait 2 minutes for the install and reboot. Just like that. Soon we're adding OTA updates :)
  25. Sorry just read the whole thread, not trying to step on your resale. Just an FYI though the mk4 complements the mk3, not replaces. They can be used in tandem. :-)