ScottHelme
Posts posted by ScottHelme
-
You're combining two problems of which only 1 got harder because of this. I am indeed assuming that the transmission by which a phone seeks its AP contains all known APs to that device. I think it's fair to assume then that the list of APs identifies a device as uniquely as its MAC would.
The issue of directionality of the transmission to triangulate, a hot topic in the Hacks & Mods section, is separate and, given the assumptions mentioned first, unchanged.
The phone doesn't transmit the entire list in one go though. Each SSID is probed for using its own probe request. If you're searching for 10 SSIDs, you send out 10, separate, probe requests. Each of these probe requests would contain a unique MAC address, so how would you know they all came from the same device? If 2 devices are sat next to each other and send a set of probes, without some prior knowledge or some serious work, you can't identify the devices uniquely. This also becomes more difficult as more devices are present.
When I say tracking I'm not talking about triangulation. It is still just as possible to triangulate a broadcast, it's just a lot harder to tie each broadcast together as you no longer have the unique identifier present in each frame, the MAC address.
-
Not easy (or foolproof) by any means, but I guess you could do statistical analysis based on SSID names, timing, signal strength, etc so even if MAC address is random per probe you can work out to a reasonable probability over time which devices are around. I guess a single device is going to constantly probe for same SSIDs repeatedly - so over time if you can infer certain things.
For general wifi tracking though, like that one on the streets of London (http://www.theregister.co.uk/2013/08/12/spy_bins_scrapped_from_london_streets/), do you think anything like that would be possible? With such a mass of devices coming through, even with half of them being iOS, the amount of data being pumped out would make it near impossible, surely?
The signal strength could be useful, but from experience, it's not nearly accurate enough to pin down a device in a dynamic environment like that. All it takes is one small shift of an object like a bus to completely alter signal strength for a huge swathe of devices.
I guess time is the biggest factor here, but you generally don't have very prolonged periods where the devices you want to track are in range.
-
I'm assuming that only you will have your home router in the set. The remainder will identify your device from the others in your household.
I'm sorry, I'm not sure I follow. With a random MAC address per probe, how would you know where any probe request came from, or even how many devices were sending the probes that you see? Are we talking about just general device identification here?
-
Your MAC address was a perfect unique identifier. The next best thing is the list of APs you're broadcasting for. That's likely to be unique for at least your household which ought to be sufficient for most purposes.
With a randomised MAC address per probe, how would you know that any given set of SSIDs came from a specific client though?
-
I can't see how the changes will affect the current operation of the Pineapple, things like Karma will still work just fine. The AP responds to the probe using the supplied (spoofed) MAC and then the client connects with its own genuine MAC. The changes are intended to have no effect on the normal operation of WiFi.
-
But I will still have to capture all the associated traffic?
-
Use airodump-ng. It's already on the pineapple.
Thanks for the reply. I did think about airodump, but can it be configured to just record the MAC addresses of devices and not any packet data?
-
I'm looking for a way to record MAC addresses that the Pineapple can see and wondering what the easiest/best approach would be.
I notice that Karma normally logs the MAC of a device when enabled, but I don't want to have any effect on devices. I put it in white list mode and left the list empty and it doesn't seem that it logs the beacons.
I assume it's possible to get kismet on there, though after a brief search, not much turned up.
Is there anything someone can point me to in the way of a guide or some information on how best to achieve this?
Cheers.
-
If you're so angry just toss it out and write it off as an unfortunate loss. Next time, don't throw the box away.
You could also try asking for help on the forums and providing details on your issues. I've had a cursory search around and I can't seem to find any thread asking for help.
Have you tried a factory reset? Have you upgraded to the latest firmware? What steps have you tried so far to resolve your problems?
I'm sure there's plenty of people here willing to help if you provide some details.
Scott.
P.S. You can also try some of the WiFi Pineapple threads on my blog if you need some help getting setup and started.
-
On my PC at the moment.
-
Yeah at the minute. There may be a better way of doing what I want to do, so please do tell me if there is!
Normally for decrypting SSL traffic I'd just point it at Fiddler but the device I'm looking at right now doesn't have proxy settings. The setup:
<PC > -- LAN --- < Pineapple > --- WiFi ---- < Target Device >
I just want to route any and all WiFi traffic from the Pineapple through the proxy. So far I've tried various configs but I either lose connectivity on the target device, or, it can still browse the web and the proxy sees nothing...
-
Hey guys,
I'm trying to get Fiddler or Burp Suite in front of an embedded device that isn't proxy aware. I have it connected to the WiFi on the MkV and I would like to push all the traffic to port 8080 on my PC which is connected to the LAN port of the pineapple.
I've found a few tutorials and guides on Google, one specifically related to the Mk4 actually, but I've not had any luck. The device has internet connectivity when connected to the pineapple wifi network, I'd just like to push all traffic through 8080.
Any hints or tips?
Cheers,
Scott.
-
I've been working towards this myself but had to put it aside for other projects. I will try and pick it up again this weekend and see where I get.
-
Hey guys,
Thought I'd share my latest blog about hacking the router provided to me by my new ISP. To say the security is shocking would be a bit of an understatement. Feedback greatly welcome!
https://scotthelme.co.uk/ee-brightbox-router-hacked/
Regards,
Scott.
-
Hello,
Thank you all for your answers.
@Scott: your articles were very useful by the way. Thanks.
Guys, shortly, what is Karma exactly (excuse my beginner question)?
Thanks,
Elias
Thanks, I'm glad they helped.
A basic explanation of Karma: A wifi device walks around shouting out for networks it remembers to try and find them, these are called beacon frames. Normally your device says "Hey, is Starbuck's Wifi here?" and the AP will say "No, I'm Costa Coffee Wifi". What Karma does is respond with "Yes, of course, I'm Starbuck's Wifi, please connect to me" and off your device goes connecting to the access point.
-
Karma can't spoof WPA/WPA2 protected networks, only open networks.
If you wish to test Karma, simply test it without ICS and you can try to get your devices to connect without exposing anything like your internet connection.
If you wish to test other features of the pineapple, disable Karma and put a password on the AP.
This way you can test Karma in isolation without exposing any of your network and you can also test other features in a secure fashion. After that just combine them and take it out in the wild.
Scott.
-
The person asking about VPNs is advertising a VPN service in his sig... *suspicious face*
-
To my knowledge the LAN interface has a statically assigned IP address and will not obtain an address from a DHCP server.
-
You can find a link to my blog in my signature, there are a few tutorials on there that should get you going. If you have any questions, feel free to ask :-)
Scott.
-
Just caught this on my RSS. I hate how it doesn't give the full thing on Feedly. Anyway, great post. I always like how simple yet informational they are :)
Thanks for the feedback! I've been working hard on the posts to make them nice and clear. I will take a look at Feedly, I've not heard of it, and see if there is anything I can do for compatibility.
Scott.
-
Hey guys,
I've just covered HTTP Strict Transport Security (HSTS) and how it helps to improve web security. Any feedback on the blog or input anyone has would be much welcomed. Check it out here: http://scotthel.me/hsts
Scott.
-
The warning icon means that the network is not secure and is an open network. You simply need to create a password for your WiFi network and it will no longer show the warning icon.
-
You will have to provide a lot more info than that.
What device is this on? What are you connected to? Does the network have Internet access? Is this even anything to do with a Pineapple?!?! We have no idea :-)
Please help us to help you and provide enough information for someone to actually troubleshoot your issue.
Scott.
-
When I run
opkg list-upgradable
I get no output. Does anyone have the same issue? I was wondering if I could somehow combine the list of upgradable packages with the upgrade command and just magic them all up to date in one go. Any tips? Too optimistic?
Scott.
-
iOS 8 Update (in WiFi Pineapple Mark V)
Yeah, it will always have to use the real MAC when connecting, otherwise there would be all sorts of issues. The MAC address in each probe though, which is generally what's used to track you, can be anything and it doesn't really matter.
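As an added illustration of the point made in this thread (not code from the forum or from the Pineapple project), a small Python audit over constructed probe-request records: it shows what an observer can tie together by source MAC when the address is fixed, and which addresses carry the locally-administered bit that randomised MACs are expected to set. The record format is a constructed simplification (timestamp, source MAC, probed SSID), not airodump-ng's own CSV layout.

```python
"""Audit probe-request records to see what per-probe MAC randomisation
(the iOS 8 change discussed above) takes away from a passive observer.
Added example; the log format is constructed, not airodump-ng's CSV."""
from collections import defaultdict

# Constructed sample: one phone with a fixed MAC probing three SSIDs,
# then the same three SSIDs probed from a fresh random MAC each time.
SAMPLE_LOG = """\
1409000001 08:00:27:13:37:01 HomeNet
1409000002 08:00:27:13:37:01 Starbucks WiFi
1409000003 08:00:27:13:37:01 OfficeGuest
1409000004 da:1f:90:3c:aa:01 HomeNet
1409000005 7e:55:02:c1:08:9f Starbucks WiFi
1409000006 c2:9b:e1:40:77:3d OfficeGuest
"""


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet set means locally administered,
    the marking a randomised (non-burned-in) address is expected to carry."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_probes(text: str):
    """Yield (timestamp, mac, ssid) tuples; the SSID may contain spaces."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, ssid = line.split(" ", 2)
        yield int(ts), mac.lower(), ssid


def ssids_per_mac(text: str) -> dict:
    """Group probed SSIDs by source MAC: the free linkage an observer gets
    when the MAC is fixed and loses when it changes with every probe."""
    groups = defaultdict(set)
    for _, mac, ssid in parse_probes(text):
        groups[mac].add(ssid)
    return dict(groups)


def leaky_macs(text: str, min_ssids: int = 2) -> list:
    """Globally unique MACs seen probing for several SSIDs: devices whose
    probes can be tied both to each other and to a hardware address."""
    return sorted(mac for mac, ssids in ssids_per_mac(text).items()
                  if not is_locally_administered(mac) and len(ssids) >= min_ssids)


def randomised_probe_count(text: str) -> int:
    """How many probes in the log came from a locally-administered MAC."""
    return sum(is_locally_administered(mac) for _, mac, _ in parse_probes(text))
```

On the constructed sample the fixed-MAC device is the only one that can be linked to a full SSID list; the three randomised probes each stand alone.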