dustbyter

Active Members
  • Posts: 360
  • Days Won: 7
Everything posted by dustbyter

  1. Stanly, just keep in mind that sometimes the question has to be pretty specific, because just asking how I can do a MITM is vague. Once you have your pineapple deployed and people connect to your network, well, you have MITM'ed them. You own the network, thus you can then perform any activity you wish. The infusions are tools that can be used now that you are in the middle. Also, remember the OSI Model and layers. If your testing scope includes compromising an SSL connection, well, this is a MITM at a different layer in the OSI model than just the attack you are performing on the network itself. Hope this helps, but specifically if your goal is to get your testing devices to connect to your device, then this can be accomplished using the techniques that bytedeez talked about.
  2. Hey WM, I was able to reproduce the following today as well. The rule was removed, but it wasn't. Let me explain below....

     1. I dumped my info from iptables prior to starting sslstrip infusion. Everything looks ok.

        root@Pineapple:~# iptables -t nat --line-numbers -n -L
        Chain PREROUTING (policy ACCEPT)
        num  target                 prot opt source           destination
        1    delegate_prerouting    all  --  0.0.0.0/0        0.0.0.0/0

        Chain INPUT (policy ACCEPT)
        num  target                 prot opt source           destination

        Chain OUTPUT (policy ACCEPT)
        num  target                 prot opt source           destination

        Chain POSTROUTING (policy ACCEPT)
        num  target                 prot opt source           destination
        1    MASQUERADE             all  --  172.16.42.0/24   0.0.0.0/0
        2    delegate_postrouting   all  --  0.0.0.0/0        0.0.0.0/0

        Chain delegate_postrouting (1 references)
        num  target                 prot opt source           destination
        1    postrouting_rule       all  --  0.0.0.0/0        0.0.0.0/0    /* user chain for postrouting */
        2    zone_lan_postrouting   all  --  0.0.0.0/0        0.0.0.0/0
        3    zone_wan_postrouting   all  --  0.0.0.0/0        0.0.0.0/0
        4    zone_usb_postrouting   all  --  0.0.0.0/0        0.0.0.0/0
        5    zone_wan2_postrouting  all  --  0.0.0.0/0        0.0.0.0/0

        Chain delegate_prerouting (1 references)
        num  target                 prot opt source           destination
        1    prerouting_rule        all  --  0.0.0.0/0        0.0.0.0/0    /* user chain for prerouting */
        2    zone_lan_prerouting    all  --  0.0.0.0/0        0.0.0.0/0
        3    zone_wan_prerouting    all  --  0.0.0.0/0        0.0.0.0/0
        4    zone_usb_prerouting    all  --  0.0.0.0/0        0.0.0.0/0
        5    zone_wan2_prerouting   all  --  0.0.0.0/0        0.0.0.0/0

        Chain postrouting_lan_rule (1 references)
        num  target                 prot opt source           destination

        Chain postrouting_rule (1 references)
        num  target                 prot opt source           destination

        Chain postrouting_usb_rule (1 references)
        num  target                 prot opt source           destination

        Chain postrouting_wan2_rule (1 references)
        num  target                 prot opt source           destination

        Chain postrouting_wan_rule (1 references)
        num  target                 prot opt source           destination

        Chain prerouting_lan_rule (1 references)
        num  target                 prot opt source           destination

        Chain prerouting_rule (1 references)
        num  target                 prot opt source           destination

        Chain prerouting_usb_rule (1 references)
        num  target                 prot opt source           destination

        Chain prerouting_wan2_rule (1 references)
        num  target                 prot opt source           destination

        Chain prerouting_wan_rule (1 references)
        num  target                 prot opt source           destination

        Chain zone_lan_postrouting (1 references)
        num  target                 prot opt source           destination
        1    postrouting_lan_rule   all  --  0.0.0.0/0        0.0.0.0/0    /* user chain for postrouting */

        Chain zone_lan_prerouting (1 references)
        num  target                 prot opt source           destination
        1    prerouting_lan_rule    all  --  0.0.0.0/0        0.0.0.0/0    /* user chain for prerouting */

        Chain zone_usb_postrouting (1 references)
        num  target                 prot opt source           destination
        1    postrouting_usb_rule   all  --  0.0.0.0/0        0.0.0.0/0    /* user chain for postrouting */
        2    MASQUERADE             all  --  0.0.0.0/0        0.0.0.0/0

        Chain zone_usb_prerouting (1 references)
        num  target                 prot opt source           destination
        1    prerouting_usb_rule    all  --  0.0.0.0/0        0.0.0.0/0    /* user chain for prerouting */

        Chain zone_wan2_postrouting (1 references)
        num  target                 prot opt source           destination
        1    postrouting_wan2_rule  all  --  0.0.0.0/0        0.0.0.0/0    /* user chain for postrouting */
        2    MASQUERADE             all  --  0.0.0.0/0        0.0.0.0/0

        Chain zone_wan2_prerouting (1 references)
        num  target                 prot opt source           destination
        1    prerouting_wan2_rule   all  --  0.0.0.0/0        0.0.0.0/0    /* user chain for prerouting */

        Chain zone_wan_postrouting (1 references)
        num  target                 prot opt source           destination
        1    postrouting_wan_rule   all  --  0.0.0.0/0        0.0.0.0/0    /* user chain for postrouting */
        2    MASQUERADE             all  --  0.0.0.0/0        0.0.0.0/0

        Chain zone_wan_prerouting (1 references)
        num  target                 prot opt source           destination
        1    prerouting_wan_rule    all  --  0.0.0.0/0        0.0.0.0/0    /* user chain for prerouting */

     2. I start sslstrip and then check the iptables again. We can see the redirect added by sslstrip.

        root@Pineapple:~# iptables -t nat --line-numbers -n -L | grep 80
        2    REDIRECT   tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:80 redir ports 10000

     3. I clicked stop through the infusion; it should have removed all redirects of tcp port 80 to 10000. But it has not. Instead the number has just changed to 1 from 2.

        root@Pineapple:~# iptables -t nat --line-numbers -n -L | grep 80
        1    REDIRECT   tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:80 redir ports 10000

     4. I had to run in command line "root@Pineapple:~# iptables -t nat -D PREROUTING 1" to remove the record.

     Hope this helps for you to figure out the issue.
  3. You currently can't set up two ports to be forwarded through the interface. You can either open a port on the wan side or set up another autossh port forward using command line.
  4. Sweet! Glad to see the .NET framework going open source!
  5. newbi3 - what changes were made to the infusion?
  6. Did you try to return to default factory flash using the instructions here? https://wifipineapple.com/?flashing
  7. Nice work! No longer have to SSH in and vi the changes! ;) What is Optimus?
  8. I tried mine the other day again to make sure it works and it does! Comcast can't control what occurs on those pages as they are hosted on your own device. Let me know what info you guys need if you require any details.
  9. Yes, if you launch the command prompt console to execute your commands, this will come up on the screen. You can always try to use the keyboard commands and move it down on the screen so that it is out of the view.
  10. I've seen many of these types of tools for routers in Europe, where they can derive a key based on the router model or information broadcast by the router.
  11. Hey newbi3, I'll have to start up that pineapple. I'll try to get it to you in the next day or so. You just need the nodogsplash.conf file, because there is the actual splash screen that goes in the nodogsplash install directory and then the site you get redirected after in the /www/x/ directory.
  12. I experimented a bit with this and was able to get it to work. Didn't have to really change much. I did have some settings updated in the nodogsplash conf also. I would have to check on what they were exactly. The only issue I really saw was that on the initial screen that said click here to connect... the image being loaded did not display correctly.
  13. manlyhak, I haven't checked Facebook and others, but my guess is that they are now using HSTS to set the HTTP Strict Transport Security; this tells the browser to ensure that all the links to it are over HTTPS. I think SSL-SPLIT was created to alleviate some of this, but it would have a warning popup on the browser because of the invalid certificate. Regarding SSLSTRIP, I think at Defcon SensePost modified it to work with HSTS. We will have to see what those changes are and when they will be available on the pineapple's version of sslstrip.
  14. I was looking for a PDF of the presentation itself. Not interested so much in the video as I was there in person.
  15. Do you have the link for the one that was posted?
  16. Hey Darren, Any chance to have the presentation from Defcon wifi village posted online? Thanks!
  17. Had the battery pack plugged in for 3 days. It doesn't look to be fully charging. The lights that are on are: Red, Green, Green. The 3rd Green LED is dark.
  18. Missed this presentation while at Defcon, but reading through the presentation, slide 25 seems to be describing the PineAP functionality... rebroadcasting the probed requests.
  19. I think looking into the modified sslstrip may be a good start.
  20. This would not be something that can be done easily. It would require modifying the firmware for how the phone responds when hooked up to a pc. It has been done as a research project I believe by a university.
  21. Thanks guys! I have it in, I think it takes more than 10 hours to charge. I'll check back on it tonight! I ended up finding some information about the battery in the MK5 manual I had. http://wifipineapple.com/mk5/booklet.pdf
  22. Got a hold of a 6800 juice. Trying to figure out if the battery is good or not. When I got it, it was about 75% full. Used it for several hours and am now trying to charge it. The switch is "on" and it is plugged in to charge. Is the LED on the side with the on/off switch always RED? Should it change color when charging? Hoping a manual exists for this battery.
  23. That is odd that the device did this...definitely good to add to the wiki for debugging steps.