wolfdale

Hi guys,I hope someone can clarify this for me or point out if I'm wrong I've made a packet capture to understand this better. This is what I'm seeing with a client pc running windows 8.1 and a router (SSID: dd-wrt) and the pineapple with Pineap enabled: 1)Client sends a probe request with SSID=broadcast 2)Access point responds with a probe response with the SSID (dd-wrt in the example) 3)The Client sends a probe request for the specific SSID it saw from the probe response (dd-wrt in the example) 4)The pineapple sees the SSID dd-wrt and saves it with the harvester and then probes it out. The problem is that this way I don't know whats on the PNL (preferred network list) of the client, i only know he's probing for dd-wrt but that only because the real dd-wrt is around... If the real dd-wrt doesn't respond (number 2 on my list) with the ssid the client doesn't send any probe for that network directly. In fact during this test I had an open network saved on the client pc but even when I deauth the client he just probes for broadcast UNTIL the real network appears and responds back with the SSID. In attachment my capture with the various steps marked. TLDR; is this normal behaviour? :P

Ops, sorry for the late reply. Apparently my configurations don't work with 2.0.4 (I was testing with 2.0.2). I solved it by adding the option masq 1 for the lan zone. You have to edit /etc/config firewall and add masquerading: config zone option name lan option network 'lan' option input ACCEPT option output ACCEPT option forward ACCEPT option masq '1' You also have to add forwarding from wifi to wan (append it in /etc/config firewall) config forwarding option src wifi option dest wan This works again for me. If you have any problem post your issue here, I'll check this thread more often, I promise :P

I edited my main post with the steps I did to get my setup working. Hope it helps.

Good idea! You could also use one Alfa awus036nh from the hackshop to get that fast wifi connection, and save yourself one pineapple for another deployment. At the moment i'm using a dd-wrt router in client mode to supply internet via ethernet cable to the pineapple, as I found out it was faster than client-mode with the pineapple alone (of course :P)

Some more Google foo solved my problem ! I followed this guide http://wiki.openwrt.org/doc/recipes/routedap but if anyone needs some help I can help you now.

Hi guys, i'm struggling with this for the past few days. I want to supply internet to the wifi pineapple via an ethernet cord connected to my router. I'm using dhcp on my router with the standard addresses 192.168.0.X. Darren in one thread recommended setting proto dhcp for the lan interface on the pineapple. The bad news is that i'm no longer man in the middle with the pineapple, because the main router is now providing addresses and acting as DHCP server. I've no idea if this is possible, but I want to use the pineapple dhcp for the wireless interface (wlan0) and use the router dhcp for the ethernet interface to provide internet. I've tried looking at openwrt documentation, but I need help on this one. If anyone is doing something like this already, maybe can help me shed some light on this matter. Thanks in advance ! Edit should have posted the guide earlier, sorry here it is: So here is how I did it. First you have to unbridge wireless and ethernet interfaces. This is because the wireless interface (the one on wlan0, with the access point) must have its own DHCP server to be able to sniff packets, otherwise the DHCP server on the main router will do all the work and you won't be Man in the middle (which is what we want!) Edit /etc/config/wireless and modify only the config regarding radio0, only the line "option network lan" has to be changed. config wifi-iface option device radio0 option network wifi option mode ap option ssid Pineapple5_08B7 option encryption none Now to create that network you have to edit /etc/config/network add: config interface wifi option proto static option ipaddr 172.16.42.1 option netmask 255.255.255.0 and modify 'lan' interface as follows: config interface lan option ifname eth0 option proto dhcp This means that eth0 will get dhcp from the main router, but the wifi will use the usual pineapple static IP. Now to add DHCP to our wifi edit /etc/config/dhcp and add config 'dhcp' 'wifi' option 'interface' 'wifi' option 'start' '100' option 'limit' '150' option 'leasetime' '12h' to the file. Now the most important part, the firewall ! Edit /etc/config/firewall add: To allow traffic from the wireless interface to flow to the main router. config zone option name wifi list network 'wifi' option input ACCEPT option output ACCEPT option forward ACCEPT Now this part is not on the guide, but I did some research. I did not want clients on the pineapple to be able to access my main LAN. So I added the following rule: config rule option src wifi option dest lan option dest_ip 192.168.2.0/24 option target REJECT Now all traffic except ping is not allowed to my LAN (as you can see i'm using the following IP for the main router, 192.168.2.0, change it accordingly to the IP you are using). To block PING also you have to block ICMP traffic. I have not tested it, but this should work config rule option src wifi option dest lan option proto icmp option icmp_type echo-request option target REJECT

Hi there, version 1.4.0 may have broken compatibility with this infusion. It's not injecting anymore for me. I'm trying with the simple pop-up: <script>alert("It worked!!");</script> Edit: sorry for the late edit, I was able to make it work by launching manually sslstrip instead of using the tile.

Thanks for the script. I actually haven't had much time this weekend but i'm pretty sure it's sslstrip that kills it. It works just fine with ettercap+urlsnarf+karma. I'll look into it in a few days.

Little update on the topic. I know it's probably not neeed but I added a little RAM heatsink on the chip, and now it's not even warm to the touch! Now it looks really cool :D http://it.tinypic.com/r/dcgbyo/5

I'm running sslstrip and karma, nothing else enabled, and I'm providing internet with the RTL8187 in client mode to my router. I just logged in now, and it says 30 min uptime. Yesterday It did the same the 2-3 times i've checked it. Anyone else has had any problem related to stability and sslstrip? Is it too CPU intensive for the pineapple? P.s. where does the pineapple save system logs? Maybe it can shed some light :P

I'm also having the same problem. Urlsnarf works alone, but as soon as i start sslstrip it stop logging the url's i visit.

Ssltrip now works perfectly, but doesn't let me log in. It justs harvest the passwords and doesn't do the authentication. Can we specificy also the -k parameter in sslstrip (kill session) in any way? So if a user has a session open with the site it closes it and asks for username and password again.

Yeah i specified dBm. I used to do these same steps on my alfa I get can't find dhclient. I even did a reset of the pineapple today, and still nothing. I'm on firmware version 1.0.1, maybe thats the cause? Thanks thats a bit reassuring :)

I followed your steps but "iwconfig wlan1 txpower 20dBm" doesn't do anything (txpower stays at 27). It works on your pineapple?

Yeah, I made sure they were :)

Got it working. ifconfig wlan1 down iw reg set IT ifconfig wlan1 up Since Italy allows only 20 dbm transmit power, when the interface comes back up its at 20 dbm. I'll test temps now. Edit: temps are 5 degrees cooler (45) but wash doesn't seem to work correctly with the new regulatory domain.. airodump works fine though. Maybe Seb or Darren want to hop in and tell us what they think about these temps :)

Yep, still nothing.

It shipped with txpower set at 27 dbm. I never messed with it :P My alfa with RTL8187L does get warm also, so maybe its just a hot chip. Not working :/

Didn't touch the txpower. I'll check right now how high it is set by default. Edit: ouch 27 dbm. I tried lowering it but iwconfig wlan1 txpower 20 isn't working :/

I was using reaver today for about an hour and the pineapple had a burn smell to it. I measured temperatures (with the case off) with my IR thermometer and the heat seems to come from the RTL8187 chipset (about 50 degrees celsius) and I couldn't keep my finger on it for more than 2 seconds... I then measured idle temps (i gave ifconfig wlan1 down command) and it was 40 degrees. Measurements were taken with the case off so the temperatures would get higher with the case. Whats the operational temperature of the chip? Should i be concerned ( plastic burn smell..) about the temperatures? Thanks in advance.

The switch must be on the ON position for it to charge!

Finally got the bypass_uac working (although not in memory). Had to recompile it to avoid AV. This is fine by me for now. Metasploit was insisting to upload his unencrypted payload for the reverse shell when i was using bypass_uac module. Used yours and obviously everything went fine and dandy. I'm an happy man :D

I've got another question, is there a way to execute in memory bypass_uac as well?

I have a very specific target which uses python 64 bit, so i wanted a python script that could work with python 2.7.5 64 bit. I have never used ctypes library so i have no idea where to start. Don't worry too much about it you have helped me enough already :P I'll study more the matter when I have sometime free from Uni.

It works GREAT, both on windows 7 32 and 64 bit. Should work on w8 too right? I'll try it later. Now, i need to include this into a python script which will be ran with python 64 bit version on windows 7. In this case it doesn't work. It works only if 32 bit version of python is installed. I printed the exception, its a memory access violation. Obviously the cause is this function here def run_sc(shellcode): I'm poking around looking for a solution, any input will be appreciated :) If i may add a suggestion : now that the reverse shell is stable (damn if it is stable :P), you could add the .exe to startup with windows, instead of adding a schtask. Alot of notepad.exe are gonna look suspicious. Now testing the payload in windows 8. I'll let you know. Edit: payload working fine on windows 8.