[Got PineAP(not pineapple) questions? Let me answer them!]

Hi guys,I hope someone can clarify this for me or point out if I'm wrong

I've made a packet capture to understand this better. This is what I'm seeing with a client pc running windows 8.1 and a router (SSID: dd-wrt) and the pineapple with Pineap enabled:

1)Client sends a probe request with SSID=broadcast

2)Access point responds with a probe response with the SSID (dd-wrt in the example)

3)The Client sends a probe request for the specific SSID it saw from the probe response (dd-wrt in the example)

4)The pineapple sees the SSID dd-wrt and saves it with the harvester and then probes it out.

The problem is that this way I don't know whats on the PNL (preferred network list) of the client, i only know he's probing for dd-wrt but that only because the real dd-wrt is around...

If the real dd-wrt doesn't respond (number 2 on my list) with the ssid the client doesn't send any probe for that network directly.

In fact during this test I had an open network saved on the client pc but even when I deauth the client he just probes for broadcast UNTIL the real network appears and responds back with the SSID.

In attachment my capture with the various steps marked.

TLDR; is this normal behaviour? :P

[Using Eth0 connected to a router (with dhcp) to supply internet]

Ops, sorry for the late reply. Apparently my configurations don't work with 2.0.4 (I was testing with 2.0.2).

I solved it by adding the option masq 1 for the lan zone.

You have to edit /etc/config firewall and add masquerading:

config zone
        option name             lan
        option network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT
        option masq '1'

You also have to add forwarding from wifi to wan (append it in /etc/config firewall)

config forwarding
        option src wifi
        option dest wan

This works again for me. If you have any problem post your issue here, I'll check this thread more often, I promise :P

[Using Eth0 connected to a router (with dhcp) to supply internet]

I edited my main post with the steps I did to get my setup working. Hope it helps.

[Using Eth0 connected to a router (with dhcp) to supply internet]

Good idea! You could also use one Alfa awus036nh from the hackshop to get that fast wifi connection, and save yourself one pineapple for another deployment.

At the moment i'm using a dd-wrt router in client mode to supply internet via ethernet cable to the pineapple, as I found out it was faster than client-mode with the pineapple alone (of course :P)

[Using Eth0 connected to a router (with dhcp) to supply internet]

Some more Google foo solved my problem ! I followed this guide

http://wiki.openwrt.org/doc/recipes/routedap

but if anyone needs some help I can help you now.

[Using Eth0 connected to a router (with dhcp) to supply internet]

Hi guys, i'm struggling with this for the past few days. I want to supply internet to the wifi pineapple via an ethernet cord connected to my router. I'm using dhcp on my router with the standard addresses 192.168.0.X. Darren in one thread recommended setting proto dhcp for the lan interface on the pineapple. The bad news is that i'm no longer man in the middle with the pineapple, because the main router is now providing addresses and acting as DHCP server.

I've no idea if this is possible, but I want to use the pineapple dhcp for the wireless interface (wlan0) and use the router dhcp for the ethernet interface to provide internet.

I've tried looking at openwrt documentation, but I need help on this one.

If anyone is doing something like this already, maybe can help me shed some light on this matter.

Thanks in advance !

Edit should have posted the guide earlier, sorry here it is:

So here is how I did it. First you have to unbridge wireless and ethernet interfaces. This is because the wireless interface (the one on wlan0, with the access point) must have its own DHCP server to be able to sniff packets, otherwise the DHCP server on the main router will do all the work and you won't be Man in the middle (which is what we want!)

Edit /etc/config/wireless and modify only the config regarding radio0, only the line "option network lan" has to be changed.

config wifi-iface
    option device   radio0
    option network  wifi
    option mode     ap
    option ssid     Pineapple5_08B7
    option encryption none

Now to create that network you have to edit /etc/config/network

add:

config interface wifi
    option proto static
    option ipaddr 172.16.42.1
    option netmask 255.255.255.0

and modify 'lan' interface as follows:

config interface lan
    option ifname    eth0
    option proto    dhcp

This means that eth0 will get dhcp from the main router, but the wifi will use the usual pineapple static IP.

Now to add DHCP to our wifi edit /etc/config/dhcp and add

config 'dhcp' 'wifi'
     option 'interface' 'wifi'
     option 'start' '100'
     option 'limit' '150'
     option 'leasetime' '12h'

to the file.

Now the most important part, the firewall ! Edit /etc/config/firewall

add:

To allow traffic from the wireless interface to flow to the main router.

config zone
     option name wifi
     list network 'wifi'
     option input ACCEPT
     option output ACCEPT
     option forward ACCEPT

Now this part is not on the guide, but I did some research. I did not want clients on the pineapple to be able to access my main LAN. So I added the following rule:

config rule
    option src wifi
    option dest lan
    option dest_ip 192.168.2.0/24
    option target REJECT

Now all traffic except ping is not allowed to my LAN (as you can see i'm using the following IP for the main router, 192.168.2.0, change it accordingly to the IP you are using). To block PING also you have to block ICMP traffic.

I have not tested it, but this should work

config rule 
     option src wifi
     option dest lan
     option proto icmp
     option icmp_type echo-request
     option target REJECT

[[Support] strip-n-inject]

Hi there, version 1.4.0 may have broken compatibility with this infusion. It's not injecting anymore for me. I'm trying with the simple pop-up:

<script>alert("It worked!!");</script>

Edit: sorry for the late edit, I was able to make it work by launching manually sslstrip instead of using the tile.

[Pineapple crashing 2-3 times a day]

Thanks for the script. I actually haven't had much time this weekend but i'm pretty sure it's sslstrip that kills it. It works just fine with ettercap+urlsnarf+karma.

I'll look into it in a few days.

[Pineapple RTL8187 temperatures]

Little update on the topic. I know it's probably not neeed but I added a little RAM heatsink on the chip, and now it's not even warm to the touch!

Now it looks really cool :D

http://it.tinypic.com/r/dcgbyo/5

[Pineapple crashing 2-3 times a day]

I'm running sslstrip and karma, nothing else enabled, and I'm providing internet with the RTL8187 in client mode to my router.

I just logged in now, and it says 30 min uptime. Yesterday It did the same the 2-3 times i've checked it.

Anyone else has had any problem related to stability and sslstrip? Is it too CPU intensive for the pineapple?

P.s. where does the pineapple save system logs? Maybe it can shed some light :P

[[Support] urlsnarf]

I'm also having the same problem. Urlsnarf works alone, but as soon as i start sslstrip it stop logging the url's i visit.

[[Release] 1.0.4 - Codename: Stablesaurus]

Ssltrip now works perfectly, but doesn't let me log in. It justs harvest the passwords and doesn't do the authentication.

Can we specificy also the -k parameter in sslstrip (kill session) in any way? So if a user has a session open with the site it closes it and asks for username and password again.

[Pineapple RTL8187 temperatures]

Question are you using

iwconfig wlan1 txpower 20

or

iwconfig wlan1 txpower 20dBm

the dBm part is important...

Yeah i specified dBm. I used to do these same steps on my alfa

Yes, those are the exact steps that I take on my Mk V, and I never have any issues. Not sure why you're having a problem. Make sure wlan1 isn't associated with any access points.

ifconfig wlan1 down
dhclient -r wlan1 

Then complete the steps I gave you above.

I get can't find dhclient. I even did a reset of the pineapple today, and still nothing. I'm on firmware version 1.0.1, maybe thats the cause?

Yes, the rtl does get very hot. But it's rated fine for even higher temperatures, so nothing to worry about.

Thanks thats a bit reassuring :)

[Pineapple RTL8187 temperatures]

I followed your steps but "iwconfig wlan1 txpower 20dBm" doesn't do anything (txpower stays at 27). It works on your pineapple?

[Pineapple RTL8187 temperatures]

Yeah, I made sure they were :)

[Pineapple RTL8187 temperatures]

Got it working.

ifconfig wlan1 down

iw reg set IT

ifconfig wlan1 up

Since Italy allows only 20 dbm transmit power, when the interface comes back up its at 20 dbm. I'll test temps now.

Edit: temps are 5 degrees cooler (45) but wash doesn't seem to work correctly with the new regulatory domain.. airodump works fine though.

Maybe Seb or Darren want to hop in and tell us what they think about these temps :)

[Pineapple RTL8187 temperatures]

Yep, still nothing.

[Pineapple RTL8187 temperatures]

It shipped with txpower set at 27 dbm. I never messed with it :P My alfa with RTL8187L does get warm also, so maybe its just a hot chip.

Try

iwconfig wlan1 txpower 20dBm

Not working :/

[Pineapple RTL8187 temperatures]

Didn't touch the txpower. I'll check right now how high it is set by default.

Edit: ouch 27 dbm. I tried lowering it but iwconfig wlan1 txpower 20 isn't working :/

[Pineapple RTL8187 temperatures]

I was using reaver today for about an hour and the pineapple had a burn smell to it. I measured temperatures (with the case off) with my IR thermometer and the heat seems to come from the RTL8187 chipset (about 50 degrees celsius) and I couldn't keep my finger on it for more than 2 seconds... I then measured idle temps (i gave ifconfig wlan1 down command) and it was 40 degrees. Measurements were taken with the case off so the temperatures would get higher with the case.

Whats the operational temperature of the chip? Should i be concerned ( plastic burn smell..) about the temperatures?

Thanks in advance.

[Pineapple Battery Dead?]

The switch must be on the ON position for it to charge!

[[Script] JasagerPwn 2.0 - Reborn]

Finally got the bypass_uac working (although not in memory). Had to recompile it to avoid AV. This is fine by me for now.

Metasploit was insisting to upload his unencrypted payload for the reverse shell when i was using bypass_uac module. Used yours and obviously everything went fine and dandy.

I'm an happy man :D

[[Script] JasagerPwn 2.0 - Reborn]

I've got another question, is there a way to execute in memory bypass_uac as well?

[[Script] JasagerPwn 2.0 - Reborn]

I have a very specific target which uses python 64 bit, so i wanted a python script that could work with python 2.7.5 64 bit.

I have never used ctypes library so i have no idea where to start.

Don't worry too much about it you have helped me enough already :P I'll study more the matter when I have sometime free from Uni.

[[Script] JasagerPwn 2.0 - Reborn]

It works GREAT, both on windows 7 32 and 64 bit. Should work on w8 too right? I'll try it later.

Now, i need to include this into a python script which will be ran with python 64 bit version on windows 7. In this case it doesn't work. It works only if 32 bit version of python is installed. I printed the exception, its a memory access violation.

Obviously the cause is this function here

def run_sc(shellcode):

I'm poking around looking for a solution, any input will be appreciated :)

If i may add a suggestion : now that the reverse shell is stable (damn if it is stable :P), you could add the .exe to startup with windows, instead of adding a schtask. Alot of notepad.exe are gonna look suspicious.

Now testing the payload in windows 8. I'll let you know.

Edit: payload working fine on windows 8.