
telot

Dedicated Members
  • Posts: 803
  • Days Won: 12

Posts posted by telot

  1. I would like this project to pump out a new model and be revived, but ideally it all comes down to time. People nowadays are becoming more and more busy, and these projects are done as a side project for fun.

    I may be sounding like a broken record here, but the Raspberry Pi could be hacked to work for this. You'd need a USB-to-WiFi and a USB-to-Ethernet adapter, but then you're set. It'd be waaaaaay more powerful than the Fon+, as its 700MHz ARM and 256MB of RAM smoke the pants off any puny Fon. Plus with the expandable SD storage, or even a USB HDD, you've got a butt ton of storage available. Not to mention you could hack PoE for it... Hmmm... it's looking more and more likely that I'm going to be buying 5 or more of these Pis when they finally come out.

    telot

  2. The USB cable can be as long as you want. I was referring to the external mounted antenna (the link I posted above) wire that leads in to your Alfa. It's the Alfa that is receiving the WiFi signal, not your computer, so the cable can be as long as USB cables can be (anyone know how long that is?).

    telot

  3. I joined the Hak5 community in the last few months, and have never noticed much activity down here in the Interceptor forums. What's the deal? Did it not really work all that well? Too many hack-arounds needed to get it going properly (too complex)? Or has the Pineapple taken everyone's attention away from it? The concept sure seems sound. I'm sourcing a Fon+ right now to give it a try myself, just wondering why it's so dead around here...

    telot

  4. Well thanks again for making me understand and learn something new. I notice that they have different dBi on them. Would you recommend the higher the better? Plus, are there any cons to going higher?

    No cons whatsoever! The higher the better. 12dBi should be plenty. If you go with one of the external mounts, just keep in mind the signal degrades over the length of the line, so use high quality wire and keep it as short as possible.

    telot

  5. If it truly is just a straight wire with no coils on either end (top or bottom loaded) then it is a simple quarter or half wave monopole. So for a custom job, make your own out of a 30mm (1/4 wave) or 60mm (1/2 wave) piece of solid copper wire soldered to the central contact of an SMA connector. I've just seen that Wikipedia has a decent article: http://en.wikipedia.org/wiki/Monopole_antenna

    As it's so low power, impedance matching, which is the hard part in designing antennae, is less of an issue.

    Manouche is exactly right. Antenna design is a world unto itself - the company I work for spent tens of thousands of dollars engineering a single antenna solution for one of its products. It's insane. To save your sanity, take the copper wire out of your black plastic antenna and use that :) Be very careful not to hurt it (don't bend it or cut it, for God's sake!) when removing it from the plastic. And please post build pics of your finished product! I'd love to see it!

    telot

  6. Rofl! Lovin' the hate! I was a bit harsh, and perhaps a bit selfish too. Fine then, I hereby volunteer to be the devs' filter, to keep them doing what they're doing (making the Mark3 better and better with new firmware releases), and at the same time satiate the need for help with these juicy lil pineapples we are all gobbling up like hotcakes (sold out again in the HakShop!? Grats to Hak5!).

    So let's get to your problem. What exactly are you trying to do, Tank? What information are you seeking that would normally be supplied in a user manual that can't be found on the forums or the quickstart guide? Though I'm far from an expert, I've used the Mark3 extensively for the last month, changed every setting on the thing, and reflashed the firmware on it a dozen times. Hopefully I can answer your questions.

    telot

  7. I'm a far cry from an electrical engineer, but I do work with 12V systems (solar/batts) on a daily basis. We wire 6V batteries in series to get 12V. For an example of the concept, see this picture:

    http://www.otherpower.com/images/series_wiring_diag.jpg

    I'm wondering if I can do this same thing with USB power. I run my WiFi Pineapple, which requires 5V, from a hacked USB cable no problem. Here's my deal: I have a 9-30V cellular router at my disposal that I'd like to use with my WiFi Pineapple in a mobile setup, completely contained with no power supply needed other than from the laptop. I have two USB ports available on the laptop - can I wire two hacked USB cables in series to produce 10V reliably and without hurting the laptop? I'm 95% sure it'll be fine, but I just don't want to fry 2 out of the 3 USB ports... any EEs or CEs out there that can assure me I'll be just fine? Thanks very much!

    telot

  8. I've found that offering to do tech support for friends/family will automatically put you at the top of the list for when they wish to get rid of any computers. The VM thing is great, if you've got the RAM to rock it - but it's totally unnecessary and not really optimal for a pentest lab, imho. To *truly* simulate a pentesting environment, you want the attacker on separate hardware. Of course it's not totally necessary, but it makes life a lot easier to be running exploits on "bare metal" (did I use that phrase right? lol). In your situation, I would put BackTrack on a live disk, run it on your main machine and load XP on your crap machine as your victim. Problem solved!

    telot

  9. Jeebus... am I wrong in thinking that the Jasager is a tool for IT/pentesting professionals? I've never thought of it as a noob-friendly "plug and play and pwn all your friends" sort of device... It requires an intimate knowledge of 802.11 and a good working knowledge of networking principles. The thing is a work in progress, hacked together by Robin Wood/Seb et al, not a polished final product from a "real" company. I think demanding a user guide is asking too much, and in fact hurts the project, as it takes the devs away from coding the next firmware in order to write a how-to guide... especially when you've already been given everything you need to know! After you've read most of this forum and the wifipineapple.com wiki, feel free to ask questions on here if you don't understand something. Reflash the firmware and at least TRY it, don't be all "zomg I haz no manual, I'm lost". Sorry to sound mean, but dude, I want my next firmware with the DeAuth fix! Haha

    TL;DR Nut up and read the forums

    telot

  10. Thank you very much for helping me understand all this stuff. Thanks @Vodmya for the link. I was able to find one I think is good, but I would need your advice to make sure I'm getting a good one. From reading your post I think I am, based on how many GHz it has. If you could look at it and see if it's good. I plan on war driving later on down the road, but for now I'm working at home understanding all this and seeing how my neighborhood has their networks hahahah

    Here's what I think might be good.

    http://www.data-alliance.net/-strse-531/Antenna-12dbi-Alfa-RP-dsh-SMA/Detail.bok

    or what about this one.

    http://www.amazon.com/10-dBi-2-4GHz-WIFI-Antenna/dp/B000SEQGT2/ref=pd_rhf_se_p_t_2

    Both are excellent choices when on a budget (I am as well). When you're ready to upgrade to the big leagues, and don't mind your car getting some funny looks, I know a guy who has one of these mounted outside his car for even better reception: http://www.google.com/products/catalog?q=12+dbi+gain+omni&hl=en&rlz=1C1CHFX_enUS436US436&prmd=imvns&um=1&ie=UTF-8&tbm=shop&cid=14723059388463375015&sa=X&ei=DjTzTuGqGcPg0QGM49CsAg&ved=0CGwQ8wIwAA

    Good luck on your drive!

    telot

  11. The biggest thing with antennas is to match up the MHz/GHz to what you're doing with them. 2.4GHz is b/g WiFi and is probably what you're looking for.

    With any RF signal, the most important aspects in regards to range are transmit power and receive sensitivity. I'm assuming you're trying to sniff some packets on an open WiFi hotspot, so Tx (transmit) power is out of your control. The Rx (receive) sensitivity is measured in dBm - every 6 dBm doubles your range in an open environment, every 12 dBm doubles your range in indoor/urban environments. There are two main types of antennas - omnidirectional and Yagi. Omnis are great for war driving, as they work 360 degrees around the antenna - so driving down a street, you'll pick up WiFi hotspots on both sides of the road. Think of Yagi antennas as a focused beam, not unlike a laser. They shoot out in whatever direction you point them very well, and do very poorly for omnidirectional stuff. The other big thing to consider is crap in the way. What I mean by this is, the higher the frequency (2.4GHz is the frequency of most WiFi and is quite high - 5GHz WiFi is worse), the more the signal is going to be degraded by studs, sheetrock, concrete, metal, doors, any physical barrier really. So removing as many obstacles in your way as possible will greatly help your cause. Hope this helps!

    telot
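The "6 dB doubles range in the open, 12 dB doubles it indoors" rule of thumb in the post above falls out of the log-distance path-loss model: received power drops by 10*n*log10(d) dB, so doubling d costs 10*n*log10(2) dB, which is 6.02 dB with free-space exponent n = 2 and 12.04 dB with the n = 4 that cluttered indoor/urban space roughly follows. The Python below is an added example (it is not code from this thread or from any Alfa/Hak5 product) that carries that model through a link budget: the path-loss exponents, the 1 m reference distance and the sample transmitter/receiver figures in the test are assumed textbook values, not anything the post states.

```python
"""Range scaling from antenna gain under a log-distance path-loss model.

Added example, not from the forum thread. Models the rule of thumb that
doubling the usable range costs 10*n*log10(2) dB of link margin: ~6 dB in
free space (n = 2) and ~12 dB in cluttered indoor/urban space (n = 4).
"""
import math

# Assumed textbook path-loss exponents (not values given in the post).
FREE_SPACE_EXPONENT = 2.0
INDOOR_URBAN_EXPONENT = 4.0


def db_per_distance_doubling(exponent):
    """dB of extra link margin needed to double the usable range."""
    return 10.0 * exponent * math.log10(2.0)


def range_multiplier(extra_gain_db, exponent):
    """Factor by which range grows when the link gains extra_gain_db of margin.

    From 10*n*log10(d2/d1) = G  =>  d2/d1 = 10**(G / (10*n)).
    """
    return 10.0 ** (extra_gain_db / (10.0 * exponent))


def free_space_path_loss_db(distance_m, freq_mhz):
    """Free-space path loss (Friis): 20log10(d_km) + 20log10(f_MHz) + 32.44."""
    return (20.0 * math.log10(distance_m / 1000.0)
            + 20.0 * math.log10(freq_mhz) + 32.44)


def max_range_m(tx_power_dbm, tx_gain_dbi, rx_gain_dbi, rx_sensitivity_dbm,
                freq_mhz, exponent=FREE_SPACE_EXPONENT, reference_m=1.0):
    """Largest distance at which received power still meets the sensitivity floor.

    Free-space loss is applied out to reference_m; beyond it the loss grows
    with the chosen log-distance exponent.  Returns 0.0 if the link does not
    even close at the reference distance.
    """
    budget_db = tx_power_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    remaining_db = budget_db - free_space_path_loss_db(reference_m, freq_mhz)
    if remaining_db <= 0:
        return 0.0
    return reference_m * 10.0 ** (remaining_db / (10.0 * exponent))


if __name__ == "__main__":
    for n in (FREE_SPACE_EXPONENT, INDOOR_URBAN_EXPONENT):
        print(f"n={n}: {db_per_distance_doubling(n):.2f} dB per doubling of range")
    # Assumed sample link: 20 dBm radio, 2 dBi stock antenna vs 12 dBi upgrade,
    # -90 dBm receive sensitivity, channel 6 (2437 MHz).
    for gain in (2, 12):
        print(f"rx antenna {gain} dBi, free space: "
              f"{max_range_m(20, 2, gain, -90, 2437):.0f} m; indoor: "
              f"{max_range_m(20, 2, gain, -90, 2437, INDOOR_URBAN_EXPONENT):.0f} m")
```

Swapping a 2 dBi antenna for a 12 dBi one adds 10 dB to the budget, which the model turns into about 3.2x the free-space range but only about 1.8x indoors; this is also why the post's advice to keep the coax short matters, since every dB lost in the cable comes straight off that budget.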

  12. I too am in your boat, Grant. The thing I've found most useful is setting up a proper pen testing environment. You don't need enterprise level servers to learn this stuff. I did it on the super cheap even. Get a couple of spare computers from friends/family (nothing fancy - a P4 with 1 or 2 GB of RAM is plenty) and NAT them off from your real network (just in case...) with an old router such as a WRT54G with OpenWRT, and just try some stuff out. I built my own Ethernet tap (similar to the LAN Star in the HakShop) for 5 bucks. One of the laptops I got happened to be able to be put into monitor mode, and now I'm sniffing Ethernet and wireless simultaneously. I'm DeAuthing my family at will. I'm working on making an automated Jasager box with a Raspberry Pi (25 dollar computer - raspberrypi.org) right now. Not to mention ARP poisoning your parents is FREE!

    I'd stay away from pentesting your school, at least until you're out. Schools hate hackers, trust me.

    Man, the world is your oyster if you've got the time and are able to teach yourself. Luckily you're in high school still, with college in front of you - you've got nothing but time. Use it well, as in the blink of an eye you'll be working 40-60 hours a week with a house that needs constant maintenance and a wife you've got to keep happy. I'm lucky to get 2 or 3 hours to myself a week in my penshop playing around with this stuff. Most importantly though, document your progress - share the knowledge and how you gained it. Open a blog, grab a pic, post on these forums, hell, start a freakin' internet TV show. The community always needs more extroverted hackers that are wanting to learn and willing to teach.

    telot

  13. I figured out my issue. I am running Windows 7 and had to run the flash program as administrator. That did the trick.

    I've found the flashing process to be quite tricky - you have to time the power-on EXACTLY right, it seems. I was doing it for 10+ minutes before it finally took.

  14. I work with K-band radar on a daily basis. The way we test these is with tuning forks. Doppler radar works by sending out sine waves and waiting for them to bounce back to it. The forks mimic the sine waves bouncing off a moving metal object like a car. The forks I have at my disposal (hundreds of them...) are for 33.3mph and 40.3mph. We use them to ensure the accuracy of the radars. If you want a cheap solution, get one of these tuning forks attached to the hood of your car and rig up something to hit it with, such as a long metal pole. I'm kidding, of course.

    The trouble with the K-bands, and why the cops don't use them much anymore, is the fact that they will trigger off any moving object - such as rain, brush or trees blowing in the wind, snow, etc... There have been a number of court cases where people dispute the radar's ability to distinguish cars from rain/trees... The trouble with that is rain falls at roughly 9mph - not 100+! But a tree snapping back into place after being blown a certain direction by a powerful wind could move pretty quick...

    More than you ever wanted to know about radars I'm sure...

    telot

  15. Do they have fully assembled Raspberry Pis available? I only see the unfinished PCB boards. I have a few stealth pineapples, but adding an RPi would be awesome!

    Not yet, itsm0ld, but they are expecting to ship the fully populated PCBs (they don't come with cases... at least yet) by the end of the year. I read on the forums that the first run of 100 or so (I could be off on that number... can't remember) might be auctioned off with a limit of 1 per customer, to help support their charity. The next run of 10,000 will be the standard $25/$35 price :) I'm crossing my fingers to have them in hand by the end of January '12.

    telot

  16. Is it possible to get airdrop-ng on the Pineapple as well, then? Otherwise, I would need the original HW setup in the first post of this thread (A), and airdrop-ng off the ALFA USB.

    Here's the deal as I understand it, Diggler - at the current time, you can't deauth as you want to using the Pineapple. The *best* way to do it with the current firmware is to have an Alfa USB attached to your computer to do the deauths, in addition to the Pineapple running, which will then offer up karma'd APs to the kicked-off victims. However, this all could change with Seb's mysterious new firmware - Seb, do you have an ETA on delivery of your new firmware? You rock, man, can't wait to see what you have in store for us... maybe a little preview/changelog? :)

    Hope this helps

    telot

  17. Great, Seb! How exactly will it be implemented? Target the access point and nothing specific (-a but no -c)? Will it airmon-ng stop mon.wlan0 beforehand, so you can bring monitor mode on wlan0 back up with a user-inputted channel? Or is there a workaround where you can avoid this step?

    wcs: Ha! Glad you enjoyed... I try to make my long-winded 'wall of text' posts at least mildly entertaining :)

    telot

  18. This is right up my alley. I too want the "deauth everything around me, then karma everyone to me and allow for remote GUI/terminal access by me" process via scripting - but I want it done automatically at boot-up. What I'm looking for is the perfect Svartkast/dropbox (see http://www.irongeek.com/i.php?page=videos/derbycon1/adrian-crenshaw-building-a-svartkast-cheap-hardware-to-leave-behind-on-someone-elses-network for terminology and the basic premise).

    My noob brain encounters this problem: if you iwconfig a stock Pineapple, you'll see mon.wlan0 - this is locked on channel 11 by default, thereby removing your ability to deauth people on any channel but 11 without bringing down this interface (airmon-ng stop mon.wlan0). So if you want to do the whole "deauth everyone around me", at boot-up you'd have to either stop mon.wlan0 (no idea what this actually does / haven't figured it out yet) every time, or somehow prevent it from starting at boot-up, then start airmon-ng on wlan0, do an airodump-ng that pipes all the BSSIDs and channels in range into your startup script, then airmon-ng stop mon0, restart it on those channels and deauth the BSSIDs one channel/BSSID at a time. After everyone's deauth'd, you then bring mon.wlan0 back up (assuming Jasager somehow needs it) and start up karma. Then begin tcpdump/wireshark capturing for later consumption via scp.

    I plan to accomplish this with a Raspberry Pi (raspberrypi.org) but need to first confront the major issue of: by the time it deauths any and all APs around it, won't people have rejoined their network? The deauth tests I've run against my crappy Netgear router work only if I deauth with an external (not on the Pineapple) monitor-mode-enabled WiFi adapter. When I deauth with the Pineapple, it takes too long for the Pineapple to get mon.wlan0 back up and running - my test laptop has already reconnected to my crap Netgear. More tests with different routers need to be done for my results to be conclusive, and I need to find out what mon.wlan0 is all about... but the idea of a small box I can drop anywhere that houses a credit-card-sized computer and a Pineapple that in total costs $70 is too amazing to pass up.

  19. Anything with a CPU that's Pentium 4 or newer and a gig+ of RAM will make a very overpowered, awesome router/fileserver. I use a 5 year old Athlon dual core with 2GB RAM to run Untangle and it works great. Kind of a kilowatt-hour drain, but the feature set and customizability are amazing. DIY wireless routers are tricky - getting the right chipset can be a pain, as even the same model number by the same manufacturer can have different chipsets thrown in there at the drop of a hat, it seems. Unless you can confirm the chipset for a WiFi card you're looking to buy (or built-in adapter on your mobo) before purchase, I'd go with something USB external that runs Linux that you know plays nice (see the Alfa AP51 for a great b/g option that can also double as a WiFi Pineapple). I'd imagine you'd have to bridge your LAN NIC (NOT WAN) to your wireless NIC (e.g. wlan0 in master mode) with iptables. I've never tried to incorporate wireless into my DIY router - anyone who's done this care to chime in?

    telot

  20. Yes, this is similar to the previous thread on DeAuth via the web interface not working, started by hfam. This is different, though. Basically the issue with my DeAuth (and I assume others'), is that it is coded incorrectly in /www/pineapple/deauth.php. Also, the current implementation of the airmon-ng start script doesn't allow for different channels to be selected, as mon.wlan0 is already up on channel 11. So even if the deauth.php script worked, it'd still only deauth those on channel 11. Let's delve into the guts and figure this out, shall we?

    Using WiFi Analyzer on my Android, or airodump-ng via my Realtek Alfa, I get the BSSID of the target router I want to deauth. In this case, it's a spare router I have lying around to test with. I activate airmon-ng via the web interface on the Mark3, then I put in the BSSID of 00:12:01:68:70:40. I tell it to deauth 30 times, as I want this lil bastard dead. I have a spare laptop and my phone connected via WiFi to this router to ensure the deauths work. Note that I have Karma and all other features off prior to turning on airmon. Here is the output on the WiFi Pineapple Mark3:

    Deauth Host: 00:C0:CA:32:AF:AF

    Deauth Target: 00:12:01:68:70:40

    Deauth Times: 30

    Executing: aireplay-ng -0 30 -a 00:C0:CA:32:AF:AF -c 00:12:01:68:70:40 --ignore-negative-one mon0

    00:01:46 Waiting for beacon frame (BSSID: 00:C0:CA:32:AF:AF) on channel 11

    00:01:56 No such BSSID available.

    Please specify an ESSID (-e).

    Alrighty. The number next to Deauth Host is one digit off from what is the printed MAC address on the back of my Pineapple... I didn't change it above manually or anything, that's what it outputs. Why it puts this number into the -a slot, I have no idea. The deauth.php script is pulling this number from ifconfig wlan0 and piping it into grep and filtering for HWaddr, as seen here:

    $bssid = exec("ifconfig wlan0 | grep HWaddr | awk {'print $5'}");

    The MAC printed on the back of my Pineapple is 00:C0:CA:32:AF:AE... But more importantly, why is it thinking I want to specify a target on my own network instead of another router that has tender, juicy potential Pineapple victims?

    The only thing I can think of is that this is a liability thing... which seems odd, as the whole concept of a WiFi Pineapple is completely against the law if ever used outside of pen testing.

    So, the deauth.php is broken, at least in the way (I think!) we all would want to use it.

    For it to work as we all want it to, you'd have to first set the channel when activating airmon-ng (i.e. airmon-ng start wlan0 1...1 being the channel of the router I want to deauth). I know, I know, the --ignore-negative-one is supposed to eliminate that need, but it doesn't on this device. How do I know this? Well!

    Let's try leaving the router as is, with airmon-ng running via the web interface and no other services (karma, ngrep, etc.) running. I ssh into him (yes, the Pineapple's a guy) and try to correct the problematic deauth.php by correcting the command:

    root@Pineapple:~# aireplay-ng -0 30 -a 00:12:01:68:70:40 --ignore-negative-one mon0

    00:12:54 Waiting for beacon frame (BSSID: 00:12:01:68:70:40) on channel 11

    00:13:04 No such BSSID available.

    Please specify an ESSID (-e).

    It appears to be stuck on channel 11... which in Minnesota is a shitty-ass NBC channel - NOT the channel we want to be on. With or without --ignore-negative-one, the results are the same. Please specify ESSID with -e... which does nothing either. As seen below:

    root@Pineapple:~# aireplay-ng -0 30 -a 00:12:01:68:70:40 -e "TestWIFI" --ignore-negative-one mon0

    00:19:59 Waiting for beacon frame (BSSID: 00:12:01:68:70:40) on channel 11

    00:20:09 No such BSSID available.

    Now let's try and correct the problem by manually issuing the correct commands. I turn off airmon-ng via the web interface, as we'll need the mon0 to be on the correct channel (1 in this case).

    First I find with iwconfig:

    root@Pineapple:~# iwconfig

    lo no wireless extensions.

    eth0 no wireless extensions.

    br-lan no wireless extensions.

    wlan0 IEEE 802.11bg Mode:Master Frequency:2.462 GHz Tx-Power=27 dBm

    RTS thr:off Fragment thr:off

    Power Management:off

    mon.wlan0 IEEE 802.11bg Mode:Monitor Frequency:2.462 GHz Tx-Power=27 dBm

    RTS thr:off Fragment thr:off

    Power Management:on

    mon1 IEEE 802.11bg Mode:Monitor Frequency:2.462 GHz Tx-Power=27 dBm

    RTS thr:off Fragment thr:off

    Power Management:on

    Hmm... airmon-ng is deactivated on the web interface, yet there is still an airmon-ng created mon1... and how'd it get to be mon1?! It seems the airmon-ng stop script may have some problems as well... I'm abandoning the web interface for now, we can correct airmonstop.sh later... OK - power cycle this Pineapple and let's start from scratch... CONSOLE STYLE BITCHES. Screw Epic Mealtime! This is Epic Haktime!

    OK, now I'm power cycled. I ssh into my little bundle of joy and iwconfig shows what's expected:

    root@Pineapple:~# iwconfig

    lo no wireless extensions.

    eth0 no wireless extensions.

    br-lan no wireless extensions.

    wlan0 IEEE 802.11bg Mode:Master Frequency:2.462 GHz Tx-Power=27 dBm

    RTS thr:off Fragment thr:off

    Power Management:off

    mon.wlan0 IEEE 802.11bg Mode:Monitor Frequency:2.462 GHz Tx-Power=27 dBm

    RTS thr:off Fragment thr:off

    Power Management:on

    Now what is that mon.wlan0 all about? I have no bloody idea... but spoiler alert: if you leave it up, aireplay-ng -0 doesn't work. Here's what happens:

    root@Pineapple:~# airmon-ng start wlan0 1

    Interface Chipset Driver

    wlan0 Unknown ar231x-wmac - [phy0]

    (monitor mode enabled on mon0)

    mon.wlan0 Unknown ar231x-wmac - [phy0]

    IEEE Unknown Unknown (MONITOR MODE NOT SUPPORTED)

    802.11bg Unknown Unknown (MONITOR MODE NOT SUPPORTED)

    Mode:Monitor Unknown Unknown (MONITOR MODE NOT SUPPORTED)

    Frequency:2.462 Unknown Unknown (MONITOR MODE NOT SUPPORTED)

    GHz Unknown Unknown (MONITOR MODE NOT SUPPORTED)

    Tx-Power=27 Unknown Unknown (MONITOR MODE NOT SUPPORTED)

    dBm Unknown Unknown (MONITOR MODE NOT SUPPORTED)

    HA! It's trying to put GHz into monitor mode! I don't think anyone has drivers for that. Despite this oddness, let's try an aireplay-ng -0 anyway. We won't use Frequency:2.462 for an interface though (lol), we'll use regular old mon0 as the deauth.php does... here's what happens:

    root@Pineapple:~# aireplay-ng -0 30 -a 00:12:01:68:70:40 mon0

    00:02:25 Waiting for beacon frame (BSSID: 00:12:01:68:70:40) on channel 11

    00:02:35 No such BSSID available.

    Please specify an ESSID (-e).

    It's still on channel 11!! DAMN U NBC! Again, adding the -e TestWIfi still does nothing. It seems we have to take down mon.wlan0 for this to work - for some reason unbeknownst to this noob. Which, when done on the Pineapple, means that when you do finally get them deauth'd, you'll have to scramble to get things back running. Again, I have no idea what mon.wlan0 is or does... so I just power cycle the Pineapple after I deauth the right way.

    In order to get it to work properly, we airmon-ng stop mon.wlan0, airmon-ng stop mon0, then start it up again with a handy 1 (i.e. airmon-ng start wlan0 1) and Bob's your uncle's dog, it works beautifully! Instant deauth to my phone and spare laptop, brought to you by our favorite little router, the WiFi Pineapple.

    root@Pineapple:~# aireplay-ng -0 30 -a 00:12:01:68:70:40 mon0

    00:21:53 Waiting for beacon frame (BSSID: 00:12:01:68:70:40) on channel 1

    NB: this attack is more effective when targeting

    a connected wireless client (-c <client's mac>).

    00:21:54 Sending DeAuth to broadcast -- BSSID: [00:12:01:68:70:40]

    00:21:54 Sending DeAuth to broadcast -- BSSID: [00:12:01:68:70:40]

    00:21:55 Sending DeAuth to broadcast -- BSSID: [00:12:01:68:70:40]

    00:21:55 Sending DeAuth to broadcast -- BSSID: [00:12:01:68:70:40]

    00:21:56 Sending DeAuth to broadcast -- BSSID: [00:12:01:68:70:40]

    00:21:56 Sending DeAuth to broadcast -- BSSID: [00:12:01:68:70:40]

    Insta-awesomeness. Yes, -c is useful, but for the purposes of deauth'ing people around you in order for them to connect to your Pineapple, it's not really ideal.

    Here's my proposal: we add an additional input box on the web interface, one called "BSSID of Target Router", which would go after the -a option. The other (optional) box could be "Specify target currently connected to Target Router" or something similar - this would go after the -c option. In addition, we should also have an optional box next to the airmon-ng Start buttons that allows you to input a channel number. Which means it will also have to stop mon.wlan0 before airmon-ng starts wlan0 on our chosen channel. I'm extremely poor at coding, but I will begin this effort as soon as possible - but if one of you gurus (Darren?) cares to step up and pwn this thing, I'm sure we'd all be very appreciative.

    I love this little device - all the creators of Jasager and the HakShop's WiFi Pineapple deserve massive praise for its usefulness. None of the bugs outlined here affect the Pineapple's ability to pwn noobs who willy-nilly connect to any old open WiFi. It does its job great. Now let's get together and stamp out the bugs the little extra features have and get this thing tuned up!

    telot
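The diagnosis that runs through posts 18 and 20 is a unit mismatch: iwconfig reports a frequency (2.462 GHz on wlan0, mon.wlan0 and mon1), aireplay-ng reports a channel (11), and the two are the same number expressed two ways, so a monitor interface parked on 2.462 GHz is exactly the "stuck on channel 11" symptom. The Python below is an added example, not code from this thread, the Pineapple firmware or aircrack-ng, that parses iwconfig output into per-interface mode and channel, which is the inventory check you would run before trusting any claim about what a box's radios are doing. The sample input is reconstructed from the iwconfig output quoted in post 20, laid out the way iwconfig actually prints it (continuation lines indented); the channel arithmetic uses the standard 802.11 channel plan; `live_iwconfig` is an assumed convenience wrapper that only applies on a Linux host with wireless-tools installed.

```python
"""Parse iwconfig output and report mode and 802.11 channel per interface.

Added example, not from the forum thread or the Pineapple firmware.  It only
reads text: iwconfig prints frequencies, aireplay-ng talks in channels, and a
monitor interface sitting at 2.462 GHz is channel 11 whatever -c or -e say.
"""
import re
import subprocess

# Constructed sample: the iwconfig output quoted in post 20 in iwconfig's real
# layout (interface name at column 0, continuation lines indented).
SAMPLE_IWCONFIG = """\
lo        no wireless extensions.

eth0      no wireless extensions.

br-lan    no wireless extensions.

wlan0     IEEE 802.11bg  Mode:Master  Frequency:2.462 GHz  Tx-Power=27 dBm
          RTS thr:off   Fragment thr:off
          Power Management:off

mon.wlan0  IEEE 802.11bg  Mode:Monitor  Frequency:2.462 GHz  Tx-Power=27 dBm
          RTS thr:off   Fragment thr:off
          Power Management:on

mon1      IEEE 802.11bg  Mode:Monitor  Frequency:2.462 GHz  Tx-Power=27 dBm
          RTS thr:off   Fragment thr:off
          Power Management:on
"""


def ghz_to_channel(ghz):
    """Map a 2.4 GHz or 5 GHz centre frequency to its 802.11 channel number."""
    mhz = round(ghz * 1000)
    if mhz == 2484:
        return 14                      # channel 14 is 12 MHz above 13, not 5
    if 2412 <= mhz <= 2472 and (mhz - 2412) % 5 == 0:
        return (mhz - 2412) // 5 + 1   # channels 1-13: 2412 MHz + 5 MHz steps
    if 5000 < mhz < 6000 and mhz % 5 == 0:
        return (mhz - 5000) // 5       # 5 GHz band: channel = (f - 5000) / 5
    return None                        # not a centre frequency we recognise


def parse_iwconfig(text):
    """Return {ifname: {"mode": str, "freq_ghz": float, "channel": int}}.

    A record starts at column 0; its continuation lines are indented.
    Interfaces reporting "no wireless extensions" are skipped.
    """
    interfaces = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            name, _, rest = line.partition(" ")
            if "no wireless extensions" in rest:
                current = None
                continue
            current = interfaces[name] = {"mode": None, "freq_ghz": None,
                                          "channel": None}
            line = rest
        if current is None:
            continue
        mode = re.search(r"Mode:(\S+)", line)
        if mode:
            current["mode"] = mode.group(1)
        freq = re.search(r"Frequency:([\d.]+) GHz", line)
        if freq:
            current["freq_ghz"] = float(freq.group(1))
            current["channel"] = ghz_to_channel(current["freq_ghz"])
    return interfaces


def monitor_interfaces(interfaces):
    """Names of interfaces in monitor mode, with the channel each is parked on."""
    return {n: i["channel"] for n, i in interfaces.items()
            if i["mode"] == "Monitor"}


def live_iwconfig():
    """Assumed wrapper: parse the real iwconfig on a Linux host that has it."""
    out = subprocess.run(["iwconfig"], capture_output=True, text=True).stdout
    return parse_iwconfig(out)


if __name__ == "__main__":
    parsed = parse_iwconfig(SAMPLE_IWCONFIG)
    for name, info in parsed.items():
        print(f"{name:10} mode={info['mode']:8} "
              f"freq={info['freq_ghz']} GHz  channel={info['channel']}")
    print("monitor-mode interfaces:", monitor_interfaces(parsed))
```

Run against the sample it reports wlan0 as Master and both mon.wlan0 and mon1 as Monitor, all on channel 11, which is the state the web interface's airmon-ng stop button left behind in post 20; on a live box, a monitor interface that survives a "stop" and still shows up here is the thing to look for before assuming the channel argument took effect.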

  21. What are you guys' plans with the PCBs? Just curious - my thought is, since I'm already building a case out of Lexan for my Raspberry Pi, and I plan to use my RPi to run Wireshark for the Pineapple, why not combine the two PCBs together into one case?

    FYI to those not in the know, Raspberrypi.org is a UK charity set up to provide low cost computers for educational purposes. They also sell them for $25-$35. For a measly 35 bucks you get a 700MHz ARM proc, 256MB of RAM, 3 USB, Ethernet port, HDMI out, SD card, etc. etc. etc. - amazing bargain and perfect for hacks. Enjoy!
