Jump to content
Hak5 Forums


Active Members
  • Content Count

  • Joined

  • Last visited

  • Days Won


About Skinny

  • Rank
    Hak5 Fan ++

Contact Methods

  • Website URL

Profile Information

  • Gender
  • Location
    Huntsville, AL

Recent Profile Visitors

913 profile views
  1. I'm not sure I follow what you mean by daisy chaining a second non-PoE switch. The laptop isn't taking any power from the PoE switch, but it is most definitely causing an imbalance on the line. The connection from switch to phone it extremely fragile in this case. If I disturb the line at all by plugging into the Tx or Rx side of the passive tap, the phone momentarily drops off the network. When stability returns to the line and the phone recovers, the capturing laptop has problems and will not see the traffic or will only see it sporadically. The new design places some blocking capacitors on the tapped conductors in an effort to keep any inadvertent DC draw occurring due to the presence of the laptop. So far this solution has worked.There are a few more cases I'd like to test to make sure the solution is as robust as I hope. To replicate the problem I'm seeing, try to capture traffic using the Throwing Star LAN tap with a gigabit VoIP phone connected to a gigabit PoE switch.
  2. Solved it! Had to build out the tap circuit a little more to take care of the PoE power. I think the phone and switch was having a bit of a loading issue with the capture laptop being on the line. I'll be conducting some stability tests to make sure this solution sticks.
  3. Has anyone used a passive network tap (i.e. throwing star tap or diy) to capture traffic while connected to a gigabit PoE switch? I'm targeting a VoIP phone and am getting spotty results. Here are the details: Phone: Grandstream GXP2130 Switch: Netgear GS108PE Tap: Similar schematic to the throwing star tap The phone boots just fine using PoE with the tap in line and negotiates a stable 10/100 Mbps connection as expected. When plugging into the receive side of the tap, the phone drops the network connection momentarily but recovers. It's inconsistent but sometimes I can capture a small amount of traffic in Wireshark. On the transmit side, I get absolutely nothing. If I disconnect the phone from the PoE ports and plug it into the regular gigabit ports, I have more success. Both transmit and receive can be captured, but the phone has be powered from a normal wall power outlet for this to occur. I'm curious if anyone else has had the same experience? I would really like to be able to capture traffic while the phone is plugged into the PoE port. Also, if you have a PoE switch that is not gigabit, do you have similar issues? Thanks for any help at all! -Skinny
  4. Skinny

    Just a Few Questions

    Thanks @Sebkinne! I saw in the video there was a label that said "Rat" box. Any plans to support catching custom payloads/beacons/callbacks in future versions?
  5. Skinny

    Just a Few Questions

    @m40295 Thanks for the help. Any idea is there is a recovery mechanism if the C2 server crashes?
  6. Skinny

    Just a Few Questions

    Hi Guys, Great job on putting together another interesting product. I've just finished watching the recorded livestream and have not tested the software yet, but I do have some questions before I walk into a meeting tomorrow where this platform is bound to be discussed. Can you adjust how often the devices callback to the C2 server? If not, how often does this transaction occur? I noticed that http and https is a supported callback protocol when Darren was setting up the server in the video. Is there also support for DNS? I thought I might have heard Seb mention it. What happens if the C2 server crashes? Must all the devices be reloaded with a new config file or is there a recovery mechanism? Asking for those cases where it may or may not be possible to re-enter the target location? If I'm thinking about everything above in an erroneous fashion, please forgive my ignorance. Thanks for any help you can provide.
  7. Skinny

    SSIDs not going to the Pool

    @Merlintime & @Sebkinne thanks for the help. I was unaware that the defaults had changed. My applications are so niche and none of them entail me trying to filter. After I read both of your posts, I had to read the wiki Filters paragraph 3 times to wrap my head around how they work. Maybe I've been living in Alabama too long ?? If I'm reading this correctly, when just collecting SSIDs to the pool, I want to use Deny in Client Filtering because this filter only denies interaction with the clients listed. If no clients are listed, then I can interact with any client, thus allowing me to collect SSIDs. Conversely, if I place the filter in Allow, I can only interact with those clients listed. If no clients are listeds, I can interact with no clients. With SSID filtering, when in Deny mode, clients are denied interaction with those SSIDs listed in the filter, however if no SSIDs are listed then clients can interact with any SSID in the pineapple pool. In Allow mode, clients can only interact with those SSIDs listed in the filter. If no SSIDs are listed, then no interactions can occur. Thanks again for pointing me in the right direction guys.
  8. Skinny

    SSIDs not going to the Pool

    @Just_a_User I do have Log PineAP Events checked. @Sebkinne Hi Seb! The filters are set to the default mode. Allow for Client Filtering and Deny for SSID filtering. I was under the impression that these only really mattered when trying to get someone to associate to the Pineapple, not when just collecting SSIDs.
  9. Skinny

    SSIDs not going to the Pool

    @Just_a_User I did as you suggested and performed a firmware recovery on the Pineapple. Then I upgraded to 2.3.2. It still would not put SSIDs in the pool. Just to make sure it was not a hardware issue, I unpacked a second Nano that was still in the box and updated to the latest firmware. Still there is was no SSID capture. I finally did another firmware recovery but this time did not upgrade to 2.3.2. I left it at 2.0.2. The Pineapple is acting like its old self again with no problems. All I can conclude is that something is not right with 2.3.2. Your thoughts?
  10. Hi Everyone, I recently upgraded my firmware to 2.3.2 and ran some tests using PineAP. I checked every box except Allow Associations and enabled the daemon. I did some typical device checks and found that my Pineapple was not capturing SSIDs to the pool. I know that many devices don't share their PNL easily, so I spun up the laptop with Wireshark, put the Pineapple on a battery, and went for a drive. Although there were many SSIDs being revealed through devices' probe requests, the Pineapple did not capture a single one to its pool. Has anyone else had a similar issue? Any help would be greatly appreciated. Thanks!
  11. Skinny

    [BETA RELEASE] HTML Duck Encoder

    Fantastic! This encoder just saved me a ton of time. I had a massive script and the java encoder was taking forever. This worked so much better.
  12. Skinny

    Clients React to the WiFi Pineapple

    It's been a slow month for devices but here is the latest update: Nook Color (BNRV200) Apple iPhone 5s (ME305LL/A) The Nook's behavior was unexpected. After associating with the Pineapple, it sent a deauthentication packet to kick itself off the Pineapple after not finding a way to reach a particular Barnes & Noble website. It couldn't find the website because I normally use the Pineapple in a manner that doesn't not let the client have an outside connection. You can find the updated spreadsheet here: https://docs.google.com/spreadsheets/d/1VO0VSm6n79BndK2KMqmokSVlPaOMQQAH0vkEyQRZIxY/edit?usp=sharing
  13. Be careful in your assumptions. Not every bad actor cares about the encrypted traffic. Some of them do not care for banking information, the latest Facebook update, or the last email received. The information and capabilities that the Pineapple can provide can be leveraged to devastating effect in malicious hands. Not all sites of interest have SSL encryption. Someone's browsing habits can help establish a pattern of life. Not to mention can be fantastic fodder for blackmail. If an attacker gets a room in a hotel next to a the room of a prominent politician and said politician happens to have a certain taste in sexually deviant websites, associating his or her MAC address with salacious photos can cripple a career. If you give this presentation to an audience, ask them if they would approve of their significant other knowing their browsing history for the past 2 weeks. In addition, a MAC address associated with an individual's name makes for a great tracking mechanism. Retail stores have toyed with targeted advertising to your phone based on the MAC address that walks in to an establishment. With a handful of pineapples, I could keep track of when you leave home, when you arrive at work, when you arrive at the gym, or when you visit your mistress. If I set them up correctly and place them well enough, I might be able to get your phone to associate through the pineapple before you arrive at any of these places thus following your browsing habits at these places. Another interesting fact is that you can use the Pineapple to force newer phones to give up the SSIDs they've associated with (older phones would do this automatically). If you tell me you've never been to "X" establishment / city / country and the Pineapple makes your phone spit out SSIDs from a particular region or area, you're busted. The great thing is I can do this without letting you connect to the Pineapple at all. I use the Pineapple on a daily basis and depend on people walking out the door and not shutting off WiFi before they leave their house. For my specific application, I just want the device to talk. I don't care what the client device sends, as long as it stays connected and makes packets. The Pineapple enables this activity. If I can achieve this, I win. Know that there are many edge cases. 95% of the Pineapple's use falls neatly into the infosec / pentest arena it was meant for, but there are plenty of other esoteric ways of leveraging this device that can have serious consequences for a victim. Good luck with your presentation.
  14. Skinny

    Clients React to the WiFi Pineapple

    Three more models to update the list: LG G Watch R Apple iPhone 5s Apple iWatch The LG G Watch R has a fairly interesting past. When initial consumers bought the product, it didn't have WiFi. An update enabled the capability later. Some people are still unaware of the capability. The device I came across had never been connected to an access point before, so the Pineapple had nothing to entice it with. The iWatch was interesting because it deauthenticated from the Pineapple after being connected for about 30 seconds. By deauthenticated I mean it actually sent a deauthentication packet to the Pineapple. I've seen this on a number of iOS 10 devices. It appears that in order to keep it connected, you must make sure the Pineapple is providing an Internet connection. After the device can reach out over the Internet, it has no problem remaining connected. https://docs.google.com/spreadsheets/d/1VO0VSm6n79BndK2KMqmokSVlPaOMQQAH0vkEyQRZIxY/edit?usp=sharing
  15. Skinny

    Clients React to the WiFi Pineapple

    The following models have been added to the list. Apple iPod 4th Generation LG G4 Samsung Galaxy S7 In addition, I've added the OUI for each device. I'm not giving the full address for reasons of privacy. I'm including the OUI because sometimes you might want to know what device you're chasing. The OUI will certainly tell you the manufacturer, but specific matching OUIs can let you know the model as well. For instance, an OUI may tell you that a device is an Apple from a simple Internet search, but I've been able to look back over my own records to tell that a specific OUI belongs not only to Apple but that it belongs to iWatches. Once again, here's the link: https://docs.google.com/spreadsheets/d/1VO0VSm6n79BndK2KMqmokSVlPaOMQQAH0vkEyQRZIxY/edit?usp=sharing