Vulture
Active Members
Posts: 83
Days Won: 4
Everything posted by Vulture

  1. The intent is not to need a PC/laptop for the field work. The script captures the necessary information to perform offsite cracking of the IVs and handshake. You likely aren't going to crack a handshake in the field anyway. Think of it almost as war-harvesting, in a sense.
  2. Go to the stickied post titled "Mk4 Firmware" (if you have an MK4) and reflash that; that will ensure you restore everything to defaults. You can also download /www/ from GitHub, but I do not know if the repository is current for 1.1.1.
  3. I completely agree with the last part on outputting to the file; however, this script is meant to integrate with Site Survey in the next few versions. Essentially it is primed to display this log in Site Survey so the user never needs to go into a bash session :) Wifite, in my opinion, at least version 68, does a pretty bang-up job on IVs gathering and handshake acquiring. For WPA handshakes the script deauths the AP, then adds each client to its deauth list and continues to deauth a client every 3 seconds. There are still issues with the script I am working out and will post them, but this wasn't really meant to be a clean code job, just a get-it-working-without-issues job. B) I would encourage anyone out there who wants to enhance this, or publish a script of their own, to do so. It will only assist further with Site Survey down the road.
  4. I know most of the programming communities have recommended regex over a "find" style command. I am not sure if it really makes a big difference here since most of the reads are done in a polling style with seconds between them. I noticed after I posted that there was a much newer version on the Google Code site that looks coded much cleaner; however, I just wanted functionality and thought I would share. I know this script works well on both WEP and WPA (without reaver) attacks and was easily producing 50,000 IVs in about 5 minutes. Handshakes are also captured quite quickly without much user interaction, and running a single instance has never locked my pineapple. Let me know if you notice any difference using regex, but I usually see loads around 2.0 when both this script and Site Survey's capture are running.
  5. With the recent update to Site Survey the pineapple is now morphing into an AP-based attack platform instead of just focusing on clients (KARMA). I believe the flagship of projects that highlights AP-based attacks is Aircrack-ng; once you have become knowledgeable with the ins and outs, a Python script named Wifite automates much of the process. I have taken the Wifite r68 version and modified it slightly for the pineapple.

     What this script does: Any capture you are making via Site Survey can have this script run against it. It will execute a series of attacks based on the type of AP, WEP/WPA. WPA attacks will attempt to deauth, then capture a quality handshake, then strip the excess capture data out of the resulting file. WEP attacks follow a multiple-stage attack that is better covered on the Wifite support page. Both methods will hide your MAC.

     What this script does not do: This script does not crack WEP or WPA captures; it simply produces the capture files for offsite processing. Using any attack method is very taxing on the pineapple and tends to lock it up in my experience.

     Prerequisites: Pineapple IV 1.1.1, USB drive. Installed modules: OPKG, Site Survey. OPKG packages to USB: pyrit, sslstrip (this will also ensure you have all Python libraries).

     1) Download the script: http://www.2shared.com/file/zusD0Q7S/wifite.html
     2) Download the http://scapy.net/ 2.0 file and unzip it, then transfer it to your USB drive on your pineapple.
     3) Through an SSH terminal execute "python setup.py install" in the directory you transferred the scapy directory into.
     4) Open the web interface for the pineapple and go to the Site Survey module; make sure captures are installed to USB, if not this won't work.
     5) Execute the script via "python wifite.py --file {CAPTURE FILE NAME} --ivs {#}", see notes below.

     {CAPTURE FILE NAME} - Name of the capture file in /usb/captures; this will be something like capture_####.cap, you only need the capture_#### part, NOT THE EXTENSION. Directory is assumed to be /usb/captures/.
     {#} - The number of IVs to capture before stopping; only applicable for WEP APs.

     -Vulture
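The "capture a quality handshake, then strip the excess capture data out of the resulting file" step in the post above, as an added example: this is not code from the post or from Wifite. It assumes a pcap of raw 802.11 frames without a radiotap header (linktype 105), classifies EAPOL-Key frames as handshake messages 1 to 4 from the RSN Key Information bits (WPA2 semantics are assumed), treats a capture as usable for offline cracking when it contains message 2 together with message 1 or 3 (an assumed criterion; cracking tools differ in what they accept), and writes a stripped pcap that keeps only beacons and EAPOL frames. The frames, SSID and MAC addresses are constructed for the example.

```python
"""Triage a WPA handshake capture for offline cracking: classify EAPOL-Key frames as
handshake messages 1-4, decide whether the capture is usable, and strip everything but
beacons and EAPOL frames. Added example; not from the post or from Wifite."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_IEEE802_11 = 105                              # raw 802.11 frames, no radiotap header
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP header with EtherType 0x888E
KI_ACK, KI_MIC, KI_SECURE = 0x0080, 0x0100, 0x0200   # EAPOL-Key "Key Information" bits


def pcap_records(data):
    """Yield (timestamp, frame) from an in-memory little-endian pcap of 802.11 frames."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected a pcap of raw 802.11 frames (linktype 105)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def build_pcap(frames):
    """Wrap raw 802.11 frames in a pcap container, one second apart."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def eapol_key_message(frame):
    """Return 1..4 for a 4-way-handshake EAPOL-Key frame, else None (WPA2 bit semantics assumed)."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x03 != 2:  # only data frames carry EAPOL
        return None
    hdr = 24
    if frame[1] & 0x03 == 0x03:                          # To-DS and From-DS: 4th address present
        hdr += 6
    if frame[0] & 0x80:                                  # QoS data subtype: 2-byte QoS Control
        hdr += 2
    if frame[1] & 0x80:                                  # Order bit: 4-byte HT Control
        hdr += 4
    body = frame[hdr:]
    if not body.startswith(LLC_SNAP_EAPOL):
        return None
    eapol = body[8:]  # version(1) type(1) length(2) descriptor(1) key_info(2) ...
    if len(eapol) < 7 or eapol[1] != 3 or eapol[4] not in (2, 254):  # type 3 = Key; RSN/WPA descriptor
        return None
    key_info = struct.unpack(">H", eapol[5:7])[0]
    ack, mic, secure = key_info & KI_ACK, key_info & KI_MIC, key_info & KI_SECURE
    if ack and not mic:
        return 1                                         # AP -> STA, carries the ANonce
    if mic and not ack:
        return 4 if secure else 2                        # STA -> AP; M2 carries SNonce and MIC
    if ack and mic:
        return 3                                         # AP -> STA, ANonce again plus encrypted GTK
    return None


def summarize_and_strip(pcap_bytes):
    """Return ({message: count}, usable_for_cracking, stripped_pcap_bytes)."""
    seen, kept = {}, []
    for ts, frame in pcap_records(pcap_bytes):
        msg = eapol_key_message(frame)
        if msg is not None:
            seen[msg] = seen.get(msg, 0) + 1
        if msg is not None or frame[:1] == b"\x80":      # keep beacons too: they carry the SSID
            kept.append((ts, frame))
    # Assumed criterion: cracking needs the ANonce (M1 or M3) and the SNonce + MIC in M2.
    usable = 2 in seen and (1 in seen or 3 in seen)
    out = bytearray(pcap_bytes[:24])
    for ts, frame in kept:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return seen, usable, bytes(out)


def _data_frame(addr1, addr2, addr3, payload, flags):
    return struct.pack("<BBH6s6s6sH", 0x08, flags, 0, addr1, addr2, addr3, 0) + payload


def _eapol_key(key_info):
    # descriptor(1) key_info(2) key_len(2) replay(8) nonce(32) iv(16) rsc(8) id(8) mic(16) data_len(2)
    body = struct.pack(">BHH", 2, key_info, 16) + bytes(88) + struct.pack(">H", 0)
    return LLC_SNAP_EAPOL + struct.pack(">BBH", 2, 3, len(body)) + body


def sample_frames():
    """Constructed capture with made-up MACs: beacon, M1, M2, a plain data frame, M3, M4."""
    ap, sta, bcast = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
    beacon = struct.pack("<BBH6s6s6sH", 0x80, 0, 0, bcast, ap, ap, 0) + bytes(12) + b"\x00\x04hak5"
    plain = _data_frame(ap, sta, ap, b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + bytes(20), 0x01)  # IPv4
    return [beacon,
            _data_frame(sta, ap, ap, _eapol_key(0x008A), 0x02),  # M1: Ack                 (From-DS)
            _data_frame(ap, sta, ap, _eapol_key(0x010A), 0x01),  # M2: MIC                 (To-DS)
            plain,
            _data_frame(sta, ap, ap, _eapol_key(0x13CA), 0x02),  # M3: Ack, MIC, Install, Secure, EncKeyData
            _data_frame(ap, sta, ap, _eapol_key(0x030A), 0x01)]  # M4: MIC, Secure


if __name__ == "__main__":
    seen, usable, stripped = summarize_and_strip(build_pcap(sample_frames()))
    print("messages:", seen, "usable:", usable, "frames kept:", len(list(pcap_records(stripped))))
```

For a real file, pass the bytes of a capture to summarize_and_strip and write the third return value out as the stripped .cap. Captures taken with tcpdump or tshark on a monitor interface usually carry a radiotap header (linktype 127), which this parser deliberately rejects rather than misparse; a QoS data frame, a 4-address frame and an HT Control field are handled by the header-length adjustments in eapol_key_message.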
  6. Another great addition to Site Survey! Our little pineapples are growing up. Great job WM!
  7. Doesn't Reddit use SSL? You will require sslstrip running, which will function in the next release as stated by Seb.
  8. You can deauth clients using the Site Survey module; however, if you are trying to deauth clients and run Karma you are out of luck until we get USB wifi support. You can also use the SSH terminal to run any air attacks.
  9. thestudent, if you click refresh clients do you see any results?
  10. I already have a pineapple from the Hak5 shop but was looking to do some additional development and need a spare. I already have the Alfa serial cable, so my question is: is the Mark IV built on the AP51 board or the newer http://www.data-alliance.net/-strse-640/Alfa-Hornet-dsh-UB-Atheros-AR9331/Detail.bok board? It looks to be the newer board.
  11. thestudent, when you are flashing via the web UI are you entering the MD5 hash from the downloads page for 1.1.1? I know the first time I flashed I didn't know why it wasn't taking until I realized the MD5 hash field is required, not optional.
  12. What do the lights look like? Have you tried holding the reset button for 8 seconds? Search the forum for "reset pineapple"; I am sure there is a bunch here. Never had to do it myself.
  13. While I usually wouldn't contradict what an Admin, especially Mr-Protocol, is saying, I would think that using the hash from the download page would be the best method. If you were to MD5 hash the file on your local machine it would only be checking the file consistency between the pineapple and your PC. Using the hash from the downloads page ensures there is no corruption between the server and the PC as well. I believe Mr-Protocol is saying do not JUST use the MD5 hash on the downloads site; you can also verify it on your PC side prior to risking the upload if the pineapple lets it pass. Entering the hash in the space provided below the upload ensures that the file you are uploading is in fact the file that the original poster uploaded. When dealing with firmware like this, even an extra bit on the header or footer of the file would mean a bricked router.
  14. What exactly do you want to change? Are you trying to make it more secure? Create tunnels? Sorry, I haven't watched the episode yet, so I am not certain of the details covered.
  15. WM, not sure if anyone else is running into this, but I found that you must "chmod u+x /www/pineapples/modules/nmap/nmap.sh" in order for it to execute. Once the permissions are set, you don't need to ever set them again. You may want to add this into your init section to set the permissions on the file. Using it now; so far I really love the saved scans. Wondering if you would consider adding naming functionality for the scans?
  16. Do you have the MC760 directly connected, or is there a USB hub you have connected? I found mine was very difficult to work with prior to using the powered hub.
  17. This should allow you to plug into an existing LAN and share the internet connection with wireless clients. Use the WAN port for this, as the LAN/POE port is designated for the BackTrack bridge. From my tests the DHCP client is enabled on eth1, which is why this script will work. This is intended to execute any time the ifup flag is done on eth1.

     -------------BEGIN SCRIPT---------------
     #!/bin/sh
     # Runs when eth1 (WAN port, DHCP client) comes up: NAT wireless clients out through the upstream LAN.
     IP=$(/sbin/ifconfig eth1 | grep 'inet addr:' | cut -d: -f2 | awk '{print $1}')
     NET=${IP%.*}.0/24   # the upstream LAN, assumed to be a /24
     echo 1 > /proc/sys/net/ipv4/ip_forward
     # Replies first, so answers from upstream LAN hosts (gateway, DNS) are not caught by the DROP below
     iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
     # Wireless clients may open new connections out through eth1
     iptables -A FORWARD -i wlan0 -o eth1 -m state --state NEW -j ACCEPT
     # Upstream LAN hosts may not open connections in to the wireless clients
     iptables -A FORWARD -i eth1 -o wlan0 -s "$NET" -j DROP
     # Masquerade only what leaves via eth1
     iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
     -------------END SCRIPT---------------
  18. I will check my logs when I get home, but that looks like a good connection right up until the alarm is thrown; I have not seen that before. Which network are you on, T-Mobile? Also try booting your device and letting it settle for 5 min, then plug your MC760 in and execute /www/pineapple/3g/3g.sh manually. I have issues with the MC760 working properly if booted with the device plugged in. This is a known issue to the ROM developer and will be addressed after some of the more immediate items.
  19. Just an update: the MC760 with micro-SD is working amazingly now that I have it 1) plugged into a powered USB port and 2) applied the latest GitHub patches, which will be in the next firmware release but are detailed in this post. If you do not use a powered USB hub, the connection will drop anywhere from 5 min to 30 min, quicker if there are more read/write events to the SD card.
  20. I don't believe it will make sense to build into Karma unless we can get multi-WLAN support, since wlan0/mon.wlan0 must be bound to channel 11 to handle the incoming clients.
  21. Sebkinne, that is amazing news. If you wouldn't mind, after you release the details, explain why it didn't work; WM and I have been working on this with no progress or understanding of why it does not seem to function, and I found little on other sites detailing the issue.
  22. I doubt the kernel drivers are available on the pineapple, and they would have to be added. However, the pineapple runs a 2.x kernel and the opkg kernel modules are for 3.x. What does the log file state when you plug the Bluetooth dongle in? Also, just out of curiosity, why? Are you going to be using a battery source? You would be better off using a laptop and bridging to your phone or another wireless network. Just a lot of devices here for something not to work properly, and a lot of power drain.
  23. WM, got another idea I will try tonight and will update you on the progress. I believe we are very close and it may actually be the build of ettercap we are using.
  24. Whistle Master, what is your opinion on adding auto-refresh to clients and possibly an auto-deauth with a whitelist? If we can get the AWUS036H USB wifi adapter working we could be running Karma on the primary adapter and auto-deauthing via the secondary adapter. Once I have everything documented on this I am going to send the kernel module request to Seb. Since the Hak Shop sells this adapter I think there is a pretty good chance we can get it added.
  25. Damn, Go Whistle Master, do you sleep?