shutin (Active Members)
Posts: 78
Days Won: 2
Everything posted by shutin

  1. I'm not an expert but I think I can help you guys out a little... There's basically 3 types of networks. Open, WEP, and WPA/WPA2. With open networks, you can sniff the traffic easily, without ever authenticating. You'll want to make sure you are locked onto a particular SSID's channel or you'll miss data when you are hopping. You do that with "airmon-ng start wlan0 6" or whatever channel you want. 1, 6, and 11 are the main ones. 6 is the default for most routers. One thing you need to consider is that most networks these days are running N, which means you aren't going to get all the data being transmitted. This is why packet (not "package") captures can seem to suck and not contain anything useful these days. They are running on some channel way outside of 1-11. Capturing shit in linux on N networks is still a pain in the ass and not easy to do. I've spoken to the author of kismet and he just kinda shrugs about it. I asked him what card I should buy to capture N traffic and he just says "I donno man, N support in linux is spotty". He is what I consider a guru on these sorts of things so if he can't recommend a card I donno who can. Next, "iwconfig" isn't going to connect you to a WPA network. It's for WEP. With WEP, you can capture encrypted traffic and later decode it if you get the key (Which is totally trivial, takes about 10 minutes and is a little fun). Or, of course, you can just join the network and sniff the traffic if you already have the key. The thing about WEP is that all the traffic is encoded with the same shitty key. Unlike WPA. Now, please correct me if I'm wrong here but from what I've read WPA/WPA2 uses a different encryption scheme for each client, even though the key is the same, so you can't just decode the traffic if you have the key. To properly capture ALL the traffic flowing through a WPA network, you'd need to join it and then start ARP poisoning so you can MITM the whole lot and pretend to be the router.
Otherwise you'll just be capturing frames going to yourself and some broadcast bullshit you don't care much about. Sure, you'll see announcements for some services and whatever but you aren't going to be grabbing passwords unless you are running something to arpspoof. Woo that was long but I hope it cleared up some stuff for you guys. Hopefully I am not talking out of my ass here. I could be wrong but I have read quite a bit on this subject. Please correct me if I am wrong. Have fun.
  2. I installed the beta and things seem to be running smoothly but I haven't really tried anything :) I set up my network in NetworkManager but I never got the additional link to "get an ip" or whatever it was. I did before (when I was getting the error). Now after I hit save and commit nothing at all happens. I realize this isn't the best place to share these issues, I should submit a bug report but I'm waiting to get a little more meat to it. I agree, the script sounds sick. Those of us without aircard modems or androids need something to connect to on the fly. My dream script would: a) search for any open wifi with a signal above X dbm and connect. It would verify it actually connects, pulls an IP and can possibly do a speed test to check connectivity. b) if no open networks are available, starts brute forcing local WPA networks by trying passwords 1) ssid name 2) "password" 3) a provided list in a text file c) if that doesn't work fires up reaver and attempts to check for WPS mode and cracking PINs d) if no WPS, starts deauthing and grabbing WPA handshakes e) simply run airodump collecting packets for later analysis or f) connect to local android phone wifi hotspot Pretty decent failover plan, right? Can't wait to see the script! It's funny, the more obstacles I face getting this thing working, the more determined I am to see it through. So many other things are taking a backseat to just getting a nice little pocket router I can carry around and collect data with. TIP: for anyone trying to install the beta without an ICS setup, remember, you can always just connect to the open network ("pineapple xx:Xx") your pineapple sets up and upload the .bin file via the web interface if you have the .bin on your laptop. I know that sounds kind of obvious to most people but this thread is about my personal journey trying to get this thing working and I want to document every step!
  3. Oh really? The Network Manager part? I signed up for the beta test program but felt like I should understand things a little better first before I tried testing. I think I will take a chance and go for the install now. Good to hear! thanks!
  4. That is one badass way to do it!
  4. For me, in Kali, I could connect to my AP using wireless, then run wp4.sh (Without having connected the pineapple) and get no errors. As soon as I plug the pineapple in, it takes over as my gateway and I lose all connectivity through wifi. If I try connecting wifi and the pineapple and running wp4, it errors out at the end with IOCTRL No route to host errors. I can't win. I will read the post you guys referenced though and see if there's anything I'm missing.
  6. telot, thank you very much for your long reply to my uber long post. I can't wait to try some of the tips out. It's especially important that now I know running urlsnarf + others may not work. Unfortunately I had a terrible night last night with my pineapple. I tried for hours but I couldn't get anything working, especially NetworkManager. It would detect my alfa but never fully connect to my AP. It would authenticate but then deauth itself (reason code 3(?)). I then tried a series of factory resets where I would start from scratch, install only sslstrip or a single similar infusion and give that a go, without even using karma. Nothing would capture. In the end, I had sslstrip somehow delete itself from the usb drive! I'm a bit burned out on fighting with the thing for now, I'm going to wait a few days to build my interest level back up and in the meantime play around with my Ubertooth. :) As I figure things out I do plan on updating this post with things I discover when I hopefully get it working.
  7. Thanks kpoeticg, I was going crazy trying to figure out why Kali 1.0.2 wasn't working as my ICS laptop! I went back to windows 7 and bam it works fine. This is probably the first time I had to say "Well it doesn't work in linux". I know you say Kali works but it sure isn't for me! It's running NetworkManager. There has to be a work around, I mean, what distro were they using when they developed the wp4.sh script??
  8. Hi all, I've been trying to get the pineapple running on my own but there's a lot of things that I could not find on the boards here. Hopefully some of you guys could answer a few of my questions or direct me to resources where I can find the info. I'm a big supporter of OpenWRT but there isn't a nice solid manual for the dang system. There are bits and pieces on the wiki but many things seem to be only known by those with advanced linux networking knowledge or experience compiling the system themselves. I realize these are a lot of questions but I don't expect them all to be answered. I'm trying for a shotgun approach here.
My setup: MkIV running 2.8.0 firmware. I connect the pineapple to a laptop running either linux or win7 ICS. I have a Mac but I'm reluctant to change either the pineapple or my Mac's built in sharing config files in order to change to the needed IP range. (Mac is set up to only share using the 192.168.2.x range, so the pineapple's 172.42.42.x doesn't work). I then connect my laptop to my home router via wifi so the pineapple can have a passthrough to the internet. I install all my infusions to USB because I don't want to run out of space and I want the logs to stick around.
My desired config: Get rid of the intermediary laptop and have the pineapple connect to some preset APs or any open AP in range. Possibly connect using a cheap usb aircard. Obviously I'd need a wifi card + usb hub for the former. To capture all traffic flowing through the pineapple, preferably in a semi-formatted report rather than just a .pcap file I need to parse out.
My motivation: To have a solid understanding of these tools so that I can protect myself and be aware of how exactly they "look" when being run. I'm a programmer by trade, security is my hobby and passion. I'd like to be able to demonstrate some of these things to my bosses, who do not take security as seriously as I do. But I don't want to look like a dumbass when I do it either.
LOGGING
This is a big topic for me. WHERE ARE THE LOGS?! :) I want to ssh in and tail -f a bunch of stuff.
1) Where can I find the same information that is displayed on the Status screen of the pineapple's homepage? Specifically I want to see the karma probe request details and "who is connected" status. I'm guessing that the latter is in /var/dhcp.leases? What does the * mean after the client in those?
2) But just because a client connected doesn't mean they still ARE connected. Is there a way to see an active display of who is connected and sending data? Would something like tcptrack work?
3) Is there a way to see client disconnects and tell if they did a hard disconnect (like "oh crap, this is the wrong ap! disconnect!") or they simply went out of range?
4) Infusion logs. Most important to me are the sslstrip, tcpdump, and urlsnarf logs. It's not totally clear where these are. On one hand, you have /pineapple/logs which contains a urlsnarf.log but for me it's always empty. Is this the place where non-usb installed infusions are supposed to keep their logs? Because we also have /usb/infusions/urlsnarf/log, which for me has some files, one empty and one that successfully captured traffic once.
INFUSIONS
This is where I really need some help. I am very thankful for the community provided infusions but they aren't exactly self-explanatory. Are you only supposed to run one at a time or what? I typically run tcpdump, urlsnarf and sslstrip at the same time. This might not be a good idea (since tcpdump should capture EVERYTHING, right?) but sslstrip might be providing a better, more verbose capture than tcpdump and tcpdump is unnecessary if I'm running that. Let's start with tcpdump. I'll enable it (tcpdump -i eth0 -vv) but I never see any output on the screen. I have managed to capture a couple logs once, but nothing ever showed on the screen. It also seems to just stop working without being told to.
Is eth0 the interface I want to be running it on since my path to the internet goes through a cat5 cable to my laptop? Seems like it. If I was connecting to the internet using another usb dongle, it would make sense to capture wlan0 then. SSLstrip. This is the infusion I'm most interested in because I want to see (in a controlled environment!) just which sites that I use are vulnerable to this attack. I want to see how it appears. So far it's just been a lot of... timeouts. Finding the password that I entered isn't very easy, being embedded in a query string that is embedded in a ton of output text. Does anyone have any configuration tips they can share?
SYSTEM ISSUES
* Timestamps! I have a big problem with my logs all starting at 1970 so it's very tough to tell which one is which. Does the pineapple not have ntp set up or am I missing a setting somewhere for getting a correct system time on boot?
* Memory. The status infusion shows my Used memory at 96% and my swap at 98% free. Is this normal? (I did set up a swap partition on my usb drive)
* MAC Address - For some reason, my pineapple has a MAC of an Alfa card! Is this intentional or bad luck on my part? How can I set a new random mac for my pineapple on boot or preferably, in a config file somewhere? I'm familiar with using macchanger, but I'd rather this process happened automatically. I know there must be a config file somewhere holding this weird alfa MAC.
* Switching from a flash drive plugged in to the pineapple to a usb hub plugged in with the flash drive, and a wifi dongle... Will this work or does the order of things plugged in mess with what the mount script is looking for?
* Default channel. Where do I change this from 11 to something better?
NETWORKING
* Tethering with an android. Is USB tethering possible or does the proprietary-ness of androids' method not work? I haven't seen anything posted about this. I assume you could always do wifi tether, but I don't want the wifi signals fighting with each other.
* SSH to the pineapple from my local network. Of course I can SSH from the laptop doing the ICS, but I would really like to SSH from a different computer on my LAN. I'm guessing that the fact the pineapple is on a different subnet causes this to fail. How is the autossh supposed to work then? Is it expected that this is going out to a computer on the internet itself somewhere, not a LAN address? I suppose the only workaround is to connect to the pineapple's wifi AP and ssh there.
RANDOM TIPS
Does anyone have any tips for usage they can share? One thing I was thinking of the other night is it would be nice to read some actual stories about how people use the pineapple in production. You always hear about the hardware setup and maybe "I have metasploit serving up false logins for the company intranet" but you never hear about the results or issues that were discovered during the process. I'd love to read about that sort of thing.
Finally... KARMA
It's my understanding that KARMA only works for open APs because you can't fake having the correct WPA key. Why then is it trying to impersonate my WPA2 router and seemingly working (since leases are being handed out)? Thank you very much in advance for any help you can provide! I want to contribute and sign on to be a beta tester for the new firmware but I feel like I need to get a better grasp of things before I can provide any real help.
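As an added example for the "who is still connected" and "logs all start at 1970" questions in the post above (this is editor-supplied code, not shutin's, and not from the WiFi Pineapple or OpenWrt projects), here is a small POSIX shell script that reads a dnsmasq-style dhcp.leases file, reports leases that have not yet expired, treats a `*` hostname as "unknown", and flags records whose timestamp predates any plausible clock setting. It assumes the dnsmasq layout `<expiry-epoch> <mac> <ip> <hostname> <client-id>` with absolute expiry times; dnsmasq builds compiled with HAVE_BROKEN_RTC store the lease length in that first field instead, so confirm which layout the device writes before trusting the expiry arithmetic. The lease lines inside the script are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the post above, nor from the WiFi Pineapple or OpenWrt
# projects): answer "who still holds a DHCP lease?" from a dnsmasq-style leases
# file, and flag records written while the clock was still at the 1970 epoch.
#
# Assumed record format (dnsmasq): <expiry-epoch> <mac> <ip> <hostname> <client-id>
# where "*" stands in for an unknown hostname or client-id. Builds made with
# HAVE_BROKEN_RTC store the lease *length* in the first field instead; check
# that before trusting the expiry arithmetic below.

# Constructed sample leases (made up for this example; not captured data).
SAMPLE_LEASES='1372700000 00:11:22:33:44:55 192.168.42.100 android-phone 01:00:11:22:33:44:55
1372600000 66:77:88:99:aa:bb 192.168.42.101 laptop *
1372710000 cc:dd:ee:ff:00:11 192.168.42.102 * *
3600 aa:aa:aa:aa:aa:aa 192.168.42.103 tablet *'

LEASES_FILE="${TMPDIR:-/tmp}/sample_dhcp.leases.$$"
printf '%s\n' "$SAMPLE_LEASES" > "$LEASES_FILE"

# A timestamp below 1e9 seconds (before Sept 2001) means the clock was never set.
EPOCH_SANE_MIN=1000000000

# clock_sane <epoch-seconds>: true when the value looks like a real date.
clock_sane() {
    [ "$1" -gt "$EPOCH_SANE_MIN" ]
}

# active_leases <file> <now-epoch>: print "ip mac hostname" for unexpired leases.
# Records with a pre-NTP timestamp are skipped; they carry no usable expiry.
active_leases() {
    awk -v now="$2" -v min="$EPOCH_SANE_MIN" '
        $1 + 0 >= min && $1 + 0 > now + 0 {
            host = ($4 == "*") ? "(no hostname)" : $4
            print $3, $2, host
        }' "$1"
}

# count_active <file> <now-epoch>: number of unexpired leases.
count_active() {
    active_leases "$1" "$2" | wc -l | tr -d ' '
}

# stale_clock_records <file>: records whose timestamp predates a set clock.
stale_clock_records() {
    awk -v min="$EPOCH_SANE_MIN" '$1 + 0 < min { print $3, $2, "timestamp=" $1 }' "$1"
}

# count_stale <file>: number of records written while the clock was unset.
count_stale() {
    stale_clock_records "$1" | wc -l | tr -d ' '
}

# Usage when run directly: pin "now" to a fixed instant so the output is stable.
NOW=1372650000
echo "Leases still active at $NOW:"
active_leases "$LEASES_FILE" "$NOW"
echo "Records written before the clock was set:"
stale_clock_records "$LEASES_FILE"
```

Two caveats worth keeping in mind: an unexpired lease only says a client was handed an address, not that it is still associated, so for live state you still need the AP's own station list; and if the file is showing lease lengths rather than expiry times, every record will look "stale" to this script, which is itself a quick way to notice which layout you are dealing with.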
  9. Which services exactly did you disable? If you turned off anything necessary like boot_wait there could be a serious problem. It sounds like you need to focus on getting into failsafe mode instead of holding out any hope you will get into the pineapple's interface again. I've never heard of failsafe mode not working unless you did something like unplug during a flash. I'm not all that familiar with the failsafe mode procedure for this model, but usually it goes something like, power on the device. Wait for some light to come on, hold down a button, some LED starts flashing. Then you can telnet in (hopefully you didn't disable the telnet service!). You say you were switching around power supplies. That seems like a red flag to me too. Perhaps you gave it too much juice and fried it? Your problem could also be a bad cable (happened to me more than once!) or power supply, so try swapping those out with identical units. Just trying to help..
  10. Jesus Christ. After hours of trying I discovered the solution. Turn your pineapple on, hold down reset for A MERE FIVE SECONDS TOPS. None of this 10 second crap. You should see the LEDs turn off and back on and then check your wifi to see a default pineapple broadcasting. I can't believe I was holding the damn reset button for 10 seconds and that was what kept making it fail. I was ready to buy another one.
  11. So I forgot my root password after changing it from the default. How can I get back to the factory defaults? I've tried: 1) holding down reset for 10 seconds, then ssh'ing in. default password does not work 2) holding reset for 10 seconds, waiting 5 minutes, sshing in, default password does not work. 3) holding reset for 10 seconds while powering on, etc, etc Does the reset button do ANYTHING? Am I stuck having to buy a UART cable and go through all the clean flash steps in order to get this thing back to stock? Is there a way to boot into failsafe mode (it is openwrt after all) and flash an image? firmware 2.8.0 able to ssh, load web interface (with login prompt, etc) Thanks for any help.
  12. Well I now realize that people were simply looking for additional functionality to utilize in the pineapple. I thought they were just trying to use it to run airodump-ng and thought "Well jeez that's kinda a waste of all the added features present in the device!"
  13. This kind of brings up an interesting point though. Let's say I am at home experimenting with my pineapple. I set it up so Karma is disabled and it's just got an open wifi point. My moocher neighbors connect to it hoping for free internet access. Isn't connecting to an AP that you don't have permission to access a legally grey area? More so than me simply monitoring the activity that flows through that AP? Do I need to set up MAC filtering to only permit my personal devices to connect? Mind you, I am not planning on running phishing pages or DNS spoofing. But I still feel that whatever flows through my personal AP I have a right to monitor. I'm sure these laws vary from state to state.. I'm in CA.
  14. Well.. I wrote a script using these basic techniques and it exported just fine since my user was an admin. I think the vast majority of people on windows are single users running with admin so it's actually pretty rare to find someone smart enough to add a local regular user. My problem was I couldn't get wmic to find the DUCKY label and output to my sd card. I will try this script and see if it does the magic.
  15. Guess I spoke too soon. I just found some payloads. Doh. The other day there was nothing, I swear!
  16. Really excited to see this. Does it require admin rights?
  17. I just got my ducky a week ago and dear lord it isn't easy to find any payloads! I mean I've searched for a simple downloader type script and come up empty. There's nothing in the FAQ. The barrier to entry on this thing is kind of steep. I would love to see any one of MadKat's ideas brought to these forums. Antivirus disabler? ok, post it! password cracker that works "95% of the time", ok, let's see it! If I could just get some brief samples of code to work with I know I could come up with something. So to respond to the poll, yes, obviously we'd all like to see a password stealer. Who wouldn't?
  18. How about a plastic shopping bag. They are cheap, waterproof and no one notices a discarded shopping bag except hippies.
  19. You got it all mixed up. Why the f are you trying to airodump on a pineapple? You could just do that on your laptop with the built in wifi card. You are making it too complicated. The pineapple is for MITM'ing people, not using as a super complicated passive sniffer.
  20. Please don't use your $100 pineapple as a $25 alfa dongle. If you want to sniff networks, get a nice linux compatible wifi dongle like an alfa and sniff using airodump-ng or kismet or whatever. Lock the channel to the network's channel to maximize packet capture. The pineapple is precision-engineered for MITM. It acts as the path between the client and the internet. That way you are guaranteed to capture EVERYTHING that passes between the two, not just lucky grabs from the air. Sniffing open networks is a grab bag of broken crap. You are wasting the capability of the pineapple if you use it that way.
  21. Totally. That is how I'd figure things out. I mean, if you are connecting to an open wifi point and even moderately interested in computer security, you'd probably go to www.wimi.com (what is my ip.com) and then reverse scan the AP just to see what else is open. Then boom, you have the person's external, paid-for IP which you could submit to abuse-* and get them busted. How could you avoid this as the pineappler? Have the pineapple VPN'd to china where they don't care? Is there a cheaper option?
  22. Adding the 1741 to the end solved all my problems, sounds like it solved OP's too...
  23. Personally I think the Ubertooth is sexy naked. Plus you can see the LEDs which is useful for determining what state it is in. I'd prefer a clear plexiglass case.