telot

Everything posted by telot

  1. Many thanks audibleblink! It was absolutely an extra whitespace in the command in /etc/config/autossh. Boom! Connects right away upon boot up. Thank you so much for your assistance! telot
  2. Bruce...Wayne...I've been watching too much batman. Shit. telot
  3. Haha at least he's not so easily social engineered. Take solace in that? Or maybe take it to the next level and social engineer the shit out of him? "Wayne, this is Bruce from Corporate, I'm going to need you to comply with Mr. Sud0nick's requests immediately. He's on a time sensitive project and needs access ASAP! CHOP CHOP WAYNE!". I'm kidding of course, but hopefully the idea of it will cheer you up a bit? If nothing else, there's always pineapples to hack around with :) telot
  4. I know the devs are all hard at work, slamming red bulls, missing sleep and Getting Shit Done. The next time you take a break and come up for air, I'd love your thoughts on this addition to the UI. Field Notes. I'm oftentimes reaching for scratch paper to write down my various MACs (of my phone, my tablet, etc), so that I know which of the MACs I'm scanning are me and which are potential targets. Being able to copy/paste these MACs directly into a "Notes" section would be huge. Also recording general info like "Target last seen at 12:30", "AP Scan of north building completed at 14:20", "Seeing more probes around 8:00am" etc. Having the Notes section persist through reboots would be key (storing the content in a simple flat file should be sufficient). At first I was thinking something like: But then I was thinking, having the notes be available across all pages would be pretty dang nice too. Perhaps having it live in the menu bar would be best? What do you guys think? telot
  5. Let's all join hands and summon the almighty WHISTLE MASTER! Ohhmmmm Ohmmmm Ohmmmmm Seriously WM, I'd throw you $10 of btc for this :) Who else is down to throw down? telot
  6. Great stuff Havenbreaker! I can see a module that allows for these kind of "themes" to be selectable from a dropdown. Select your theme and off you go! telot
  7. Yep it's there - but most unfortunately there's no connection to my vps.

     root@Pineapple:~# ps | grep ssh
      1441 root      3292 S    /usr/sbin/sshd -D
      1544 root       788 S    /usr/sbin/autossh -M 20000 -i /etc/dropbear/id_rsa -N -T -R 2223:localhost:22 -R 1471:localhost:1471 telot@telots.vps -p 2024
      1547 root      3268 S    /usr/bin/ssh -L 20000:127.0.0.1:20000 -R 20000:127.0.0.1:20001 -i /etc/dropbear/id_rsa -N -T -R 2223:localhost:22 -R 1471:localhost:1471 -p 2024 telot@telots.vps
      1739 root      5868 S    sshd: root@pts/0
      1747 root      1376 S    grep ssh

     Yet there's nothing in netstat on the vps:

     telot@telots.vps:~$ netstat -l
     Active Internet connections (only servers)
     Proto Recv-Q Send-Q Local Address           Foreign Address         State
     tcp        0      0 *:20001                 *:*                     LISTEN
     tcp        0      0 *:2024                  *:*                     LISTEN
     tcp        0      0 *:2222                  *:*                     LISTEN
     tcp        0      0 *:48371                 *:*                     LISTEN
     tcp        0      0 *:19999                 *:*                     LISTEN
     tcp6       0      0 [::]:2024               [::]:*                  LISTEN
     raw6       0      0 tropic.urts.i:ipv6-icmp [::]:*                  7
     Active UNIX domain sockets (only servers)
     Proto RefCnt Flags       Type       State         I-Node    Path
     unix  2      [ ACC ]     STREAM     LISTENING     483440100 /dev/log
     unix  2      [ ACC ]     STREAM     LISTENING     483439704 @/com/ubuntu/upstart

     (note: my vps is on port 2024. The NANO forwards port 2223 (NOT 2222 as default - my lan turtle already uses that one)

     Now after I run /etc/init.d/reload manually:

     root@Pineapple:~# ps | grep ssh
      1441 root      3292 S    /usr/sbin/sshd -D
      1739 root      5880 S    sshd: root@pts/0
      1768 root       788 S    /usr/sbin/autossh -M 20000 -i /etc/dropbear/id_rsa -N -T -R 2223:localhost:22 -R 1471:localhost:1471 telot@telots.vps -p 2024
      1769 root      3268 S    /usr/bin/ssh -L 20000:127.0.0.1:20000 -R 20000:127.0.0.1:20001 -i /etc/dropbear/id_rsa -N -T -R 2223:localhost:22 -R 1471:localhost:1471 -p 2024 telot@telots.vps
      1773 root      1376 S    grep ssh

     and netstat -l:

     telot@telots.vps:~$ netstat -l
     Active Internet connections (only servers)
     Proto Recv-Q Send-Q Local Address           Foreign Address         State
     tcp        0      0 *:20001                 *:*                     LISTEN
     tcp        0      0 *:2024                  *:*                     LISTEN
     tcp        0      0 *:2222                  *:*                     LISTEN
     tcp        0      0 *:2223                  *:*                     LISTEN
     tcp        0      0 *:48371                 *:*                     LISTEN
     tcp        0      0 *:1471                  *:*                     LISTEN
     tcp        0      0 *:19999                 *:*                     LISTEN
     tcp        0      0 *:20000                 *:*                     LISTEN
     tcp6       0      0 [::]:2024               [::]:*                  LISTEN
     raw6       0      0 tropic.urts.i:ipv6-icmp [::]:*                  7
     Active UNIX domain sockets (only servers)
     Proto RefCnt Flags       Type       State         I-Node    Path
     unix  2      [ ACC ]     STREAM     LISTENING     483440100 /dev/log
     unix  2      [ ACC ]     STREAM     LISTENING     483439704 @/com/ubuntu/upstart

     Bizarre eh? telot
  8. Thanks for the clarification on the LEDs foxtrot - looks like your digging turned out some other cool stuff (green LED? pretty sweet)! And thanks for the pointers on the autossh service audibleblink. I configured it in /etc/config/autossh, and

     /etc/init.d/autossh enable
     /etc/init.d/autossh start

     works - creates the tunnel for both ssh and gui just fine. However, when I try and add it to /etc/rc.local, it won't connect on boot up. I've tried

     /etc/init.d/autossh start

     and

     /etc/init.d/autossh enable
     /etc/init.d/autossh start

     and

     /etc/init.d/autossh reload

     And none of them seem to link up to my vps upon boot up. Any ideas where I can put this so it will connect without me having to ssh in and run the commands manually? Many thanks! telot
  9. Sorry - to clear up: There's no lan-turtle - merely the functionality of the lan turtle is brought to the NANO with this hack. Being able to drop this on a network, get a shell AND have pineapple powers at your disposal. Sorry for the confusion :S
     1. LED on the NANO
     2. That could be! I will check into it
     3. I'll read up more on autossh. I suspect perhaps it's trying to execute the command before udhcpc is done receiving its address from the router, and therefore fails?
     Thanks Foxtrot telot
  10. Hey all - I got my Lan Turtle + Wifi Pineapple NANO remix finally (mostly) working. Goal of the project was to incorporate lan turtley goodness into the NANO so I could drop it on a target network and have it have full access to the LAN, ssh relay to my vps (including gui), and do up the PineAP badassness. Here's how I did it:

      Power up NANO with USB wall wart. Connect to NANO over wifi from computer. Connect usb to ethernet adapter to NANO and the network.

      ifconfig eth1 up
      udhcpc -i eth1
      ping www.google.com

      If you're getting ping responses, you've just confirmed all is working well. Make a backup of your network config:

      cp /etc/config/network /root/network.bkup

      Then edit the network config file:

      nano /etc/config/network

      To make it so that your PineAP will use eth1 for internet access (instead of relying on a PC / eth0), change the following:

      config interface 'lan'
          option ifname 'eth1'
          option type 'bridge'
          option proto 'dhcp'
          option dns '8.8.8.8, 8.8.4.4'

      Then edit the rc.local so your eth1 adapter comes up on boot up and grabs a dhcp address and creates a tunnel for ssh and the GUI:

      nano /etc/rc.local

      add in the following above the line:

      ifconfig eth1 up
      udhcpc -i eth1
      autossh -M 20000 -R 2223:localhost:22 -R 1471:localhost:1471 example.com

      Then you can ssh into your vps and type:

      ssh -p 2223 root@localhost

      for ssh access and go to example.com:1471 for GUI access.

      SOME ISSUES: **I'm having some issues with this build and I'd love your input.**
      1. The LED blinks constantly. No idea why.
      2. The "reboot" command via ssh no longer reboots it
      3. Sometimes for some reason the autossh doesn't work on boot up. I'm thinking the /etc/config/network modifications aren't ideal - something's up with that and I'll continue to play with it.

      Other than that, it works! Drop that Pineapple flavored turtle soup on a network and walk away! Hope you enjoyed telot
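One way to check the VPS side of the tunnel from posts 7 and 10, as an added example that is not telot's code: it parses netstat -l output (the sample below is constructed to mirror the before/after runs in post 7, trimmed) and reports whether the 2223, 1471 and 20000 forwards opened by the autossh command in post 10 are actually listening. The port labels in EXPECTED_PORTS are my own.

```python
import re

# Ports the autossh command from the posts should open on the VPS:
# -R 2223:localhost:22 (ssh back into the NANO), -R 1471:localhost:1471
# (the web GUI) and the -M 20000 monitor channel. The labels are assumed.
EXPECTED_PORTS = {"ssh tunnel": 2223, "gui tunnel": 1471, "autossh monitor": 20000}

# One `netstat -l` row in LISTEN state, e.g. "tcp 0 0 *:2223 *:* LISTEN"
# or the IPv6 form "tcp6 0 0 [::]:2024 [::]:* LISTEN".
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN$")


def listening_ports(netstat_output):
    """Return the set of numeric TCP ports in LISTEN state.

    Rows whose port netstat resolved to a service name (e.g. ":ssh") are
    skipped; run `netstat -ln` to keep every port numeric.
    """
    ports = set()
    for line in netstat_output.splitlines():
        match = LISTEN_RE.match(line.strip())
        if match:
            ports.add(int(match.group(3)))
    return ports


def tunnel_status(netstat_output, expected=None):
    """Map each expected tunnel name to True if its port is listening."""
    expected = EXPECTED_PORTS if expected is None else expected
    ports = listening_ports(netstat_output)
    return {name: port in ports for name, port in expected.items()}


def tunnels_up(netstat_output, expected=None):
    """True only when every expected forward is listening on the VPS."""
    return all(tunnel_status(netstat_output, expected).values())


# Constructed samples mirroring the before/after runs in post 7 (trimmed).
BEFORE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:20001                 *:*                     LISTEN
tcp        0      0 *:2024                  *:*                     LISTEN
tcp        0      0 *:2222                  *:*                     LISTEN
tcp6       0      0 [::]:2024               [::]:*                  LISTEN
"""

AFTER = BEFORE + """\
tcp        0      0 *:2223                  *:*                     LISTEN
tcp        0      0 *:1471                  *:*                     LISTEN
tcp        0      0 *:20000                 *:*                     LISTEN
"""

if __name__ == "__main__":
    for label, output in (("before reload", BEFORE), ("after reload", AFTER)):
        print(label, tunnel_status(output), "all up:", tunnels_up(output))
```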
  11. Thanks audibleblink! Appending your code to /pineapple/css/main.css worked like a charm. Good stuff! telot
  12. haha I changed the logo.png to a cisco logo for extra fun :) telot
  13. Herp derp. Was right in /pineapple/index.html line 78. Couldn't be easier. EDIT: Thanks audibleblink! I'll change that too! telot
  14. I noticed the same thing as well IMcPwn. I was going to dig into the html a bit and see if I can't change the logo and "WIFI Pineapple" text to be a bit more...inconspicuous. Not that a layperson would have any idea, but if they googled WIFI Pineapple you'd be busted immediately. I'd prefer it to be a bit more subtle, along the lines of "Router Login Page" or something similar. I'll let you know if I find the location of that field if you're interested in changing it yourself. telot
  15. Great writeup cooper! Thanks for being so verbose with your goals, thought process, hardware and software troubleshooting - everything! Was a good read :D Keep up the great work! telot
  16. Hey guys - quick q regarding the Reset Button. In the specs, you list configurable reset button. How is this best accessed? I poked around /etc and /pineapple, but nothing's jumping out at me. I'm playing with making a NANO-Turtle to drop nano-sized shells on a network with the use of a USB to ethernet adapter. I haven't worked out the bridging yet (separate post begging for help coming soon, I'm sure), but I have my /etc/rc.local that will bring up the eth1 interface and grab dhcp. It'd be really cool to have the option of using my NANO in its normal fashion most of the time (connecting it direct to laptop) but having the option of going "turtle mode" by attaching the ethernet adapter, powering the nano from a wall-wart, and just pushing the reset button and walking away. Thoughts? Ideas? telot
  17. Seconded! Mind throwing it up on github? telot
  18. /forgive Sebkinne You've got a lot on your mind, I'm sure of it :) telot
  19. > So if I want to get access to computers on the network I could use the meterpreter session and launch attacks to the computers from the turtle and get a new meterpreter into the new computer and work from there?

      Yep!

      > Can the Turtle which is connected to the network also visit network folders/disks? Let's say there is a computer/Server sharing files and it's accessible by anyone on the network. Can the Turtle access these network folders if they are open for the network the Turtle is connected to and transfer these files to the SSH server for example?

      Haven't tested this myself, but I don't see why not. You'd mount the remote directories to a folder on the turtle and then cp -r any files you want from there to your sshfs folder. Check here for more info: http://wiki.openwrt.org/doc/howto/cifs.client

      Hope this helps you out Torkast. What kind of physical testing and assessment do you do? I've always wanted to learn more about that stuff. Good luck friend! telot
  20. You're 100% correct. For the most part this margin of error (~10 meters) is perfectly acceptable. I've thought about going with directional antennas, but talking with some of the other vendors, they have the best luck with omnis. There's a ton of "gotchas" doing this kind of "origin/destination measurements" as it's called. You have to be aware of diversion routes (people take an exit off the freeway and never return), filter out outliers (target stops for a cup of coffee - the travel time now jumps from 2 mins to 25 mins), figure out if you want to take the first reading of the mac address as the timestamp of record, the last, or the median timestamp. If there's signalized intersections (stoplights) this is particularly relevant. Also if there's a frontage road running parallel to the freeway you run into even more issues! The hardware/device stuff is pretty easy (like I said, a 1 day hack with the resources from the community/hak5) - the server side stuff is my company's "special sauce" that we've honed over the years to tackle all these other issues - and we still run into edge cases where it breaks down. As my cofounder is fond of saying, if it was easy, everyone would be doing it :D If this stuff interests you, the guys over at Acyclica were the first ITS-specialized wifi-detector manufacturer. They're the ones who sell them for $2-5k. I've heard good reports of their product from agencies doing permanent installs with them. The other player in the market is traficcast.com. They started with bluetooth, but have since broadened their horizons to include wifi with their latest detectors. They recently bought out a good friend of mine's company - he's now their head of global sales. If you want a hookup for a wifi/bt job, send me a PM and I'll give either of them a shout on your behalf. Cheers :) telot
  21. haha Boo51799, you're a peach you know that? You've taken your first step to a wider world of, but the time has come to do some reading and learning. Plaintext passwords will be picked up by tcpdump, which can be installed at the command line with:

      opkg update
      opkg install tcpdump

      Encrypted passwords, not so much. SSLStrip was deprecated with HSTS. You can search these forums for TONS of information about this, or consult your local search engine (might I recommend duckduckgo.com). Read up on tcpdump and pcap files and wireshark for more information. Good luck newfriend! telot
  22. Hells yeah Darren! Many thanks! I'll be checking this out this weekend! Well I'm glad you enjoyed :) Sorry if this de-railed the thread a bit (this is so NOT about pen testing lol). You're correct in saying that $1k would be very decent markup, but I'm trying to shake up this industry by pushing the perception of value to the software stack (the performance reports, event alerts, message board logic to save lives, statistics, etc). With the smart phone supply chain in full swing, hardware is so so so cheap. Software is freaking expensive to make man (try hiring a 5 year experience software dev for less than $125k/yr. And I'm in the midwest!). So while charging for the sensor would be profitable, it's a strategic decision to throw them out there for "free" and use them as another data point. If demand spiked and they started taking off, I would of course change my tune however :) Moral of the story is the pineapple is extremely versatile hardware that can do amazing things. I just hate to read posts about "SSLStrip is dead = pineapple is dead. What's even the point since everyone is on a smartphone now and apps roll their own crypto". It's like, grow an imagination folks! These radios are purpose built for monitor mode and accomplish the goal extremely well! There's so much you can do with just that, let alone all the other amazing features. If you want to read more about technology in work zones, civil engineering stuff, and the smart phone supply chain you can head over to https://blog.slndrtech.com to read more :) telot
  23. I did the whole "pineapple in a birdhouse" method...though I didn't have the benefit of having Seb's C code (which he apparently lost! I forgive you Seb, because you're too beautiful to be mad at. But DK, if you have a copy laying around somewhere, please share!). Here's a long explainer, so indulge if you want.

      TL;DR version: I record the macs from beacon frames and know where two pineapples are. From there I can determine travel time and avg speed of vehicles.

      Some background if you care: I work in the ITS industry (Intelligent Transportation Systems - think of the big pole mounted cameras you see on the freeway and the red/yellow/green traffic data you see on google maps - a lot of that is from state-deployed permanent inductive loop sensors in the roads). I take ITS and bring it into road construction work zones. So we do travel times, queue warning systems, and traffic control performance monitoring for Departments of Transportation in order to make work zones safer for motorists and workers. One of the metrics agencies most often want to see is a mobility rating (trip reliability, Buffer Time Index, 95th percentile weighted by volume averages...in case there's any civil engineers in the audience). One way of establishing a historical record of travel times is to have a sensor that can detect some kind of RF unique identifier from a vehicle at a known (via GPS) location and another sensor down the road a mile or more that can detect the same unique ID. If you know the time a mac address passed sensor 1 and the time it passed sensor 2 and you know the distance (again, via GPS or mile post markers) you can determine the average speed and travel time.

      A bunch of companies track this stuff using bluetooth, but you can only get a unique identifier from devices in DISCOVER mode. Think old-ass blackberries and shitty TomToms, etc. Those are very popular, but as a lifelong friend of the hacking community, I've dug into their internals and they are all smoke and mirrors. WIFI detectors hit the scene a couple years ago (recording mac addresses from probe requests, basically what the Jasager portion of the pineapple says "YES!" to) and they work a lot better due to so many more targets. Targets = you with your wifi left on on your smart phone driving by. This industry is quite a small niche, so it's a very low-volume sales model. They sell their sensors for ~2-5K to make up for the low volume, even though it's basically an atheros chip inside with some storage and a cell modem (~$180-250 actual cost of hardware).

      My company does the software side of things (reporting, data crunching, posting messages to portable message boards) so I frankly don't give two fucks about the plight of the low-volume/high margin hardware folks. I use my trusty MarkVs in little NEMA boxes with off the shelf cellular routers and a small solar/12V battery setup. I do a custom tcpdump to pcap on a sshfs to a VPS, then use Vivek's pcap to XML converter (which only runs on windows...WTF Vivek!?!) that I learned about from you Darren. My software pulls in the XML like we do so many other XML feeds and it goes to the database for number crunching. Easy mode. It's not a central "core" offering of my company, but it's a nice value add. And you'll be happy to know that I (unlike all the other vendors) salt and hash the mac addresses in memory before they hit disk or the net so your privacy is (at least somewhat) protected. I also only transmit it via ssh like I mentioned - others send them in plaintext over the web. I bet I could do better on this front and I sincerely would like to, but it was a 1 day hack to throw it all together. So yeah, I sure am sad the MarkV is EOL - because it was so ideal for this use case...but such is life.

      I have a lead on some old Alfa AP121U's (markIV hardware) I might use instead if another project calls for this type of data, we'll see. If you guys want specifics and code I'll provide it, because I love this community and all that I've learned from the pineapple with the help of all the regulars here on this forum. So please feel free to send me a PM if you want to know more. Cheers :) telot
  24. Can you provide a bit more info? Which adapter are you using for internet connection? Can you provide an ifconfig output before and after you plug in the NANO and let it boot? Also, what do you mean by "cannot use the wp6.sh script"? I suspect the latter answer will be most valuable... telot