
Skinny

Active Members
  • Posts: 150
  • Joined
  • Last visited
  • Days Won: 17

3 Followers

Contact Methods

  • Website URL
    http://skinnyrd.com

Profile Information

  • Gender
    Male
  • Location
    Huntsville, AL

Recent Profile Visitors

3,774 profile views

Skinny's Achievements

  1. I'm not sure I follow what you mean by daisy chaining a second non-PoE switch. The laptop isn't taking any power from the PoE switch, but it is most definitely causing an imbalance on the line. The connection from switch to phone is extremely fragile in this case. If I disturb the line at all by plugging into the Tx or Rx side of the passive tap, the phone momentarily drops off the network. When stability returns to the line and the phone recovers, the capturing laptop has problems and will not see the traffic or will only see it sporadically. The new design places some blocking capacitors on the tapped conductors in an effort to keep any inadvertent DC draw from occurring due to the presence of the laptop. So far this solution has worked. There are a few more cases I'd like to test to make sure the solution is as robust as I hope. To replicate the problem I'm seeing, try to capture traffic using the Throwing Star LAN tap with a gigabit VoIP phone connected to a gigabit PoE switch.
  2. Solved it! Had to build out the tap circuit a little more to take care of the PoE power. I think the phone and switch was having a bit of a loading issue with the capture laptop being on the line. I'll be conducting some stability tests to make sure this solution sticks.
  3. Has anyone used a passive network tap (i.e. Throwing Star tap or DIY) to capture traffic while connected to a gigabit PoE switch? I'm targeting a VoIP phone and am getting spotty results. Here are the details: Phone: Grandstream GXP2130. Switch: Netgear GS108PE. Tap: similar schematic to the Throwing Star tap. The phone boots just fine using PoE with the tap in line and negotiates a stable 10/100 Mbps connection as expected. When plugging into the receive side of the tap, the phone drops the network connection momentarily but recovers. It's inconsistent, but sometimes I can capture a small amount of traffic in Wireshark. On the transmit side, I get absolutely nothing. If I disconnect the phone from the PoE ports and plug it into the regular gigabit ports, I have more success. Both transmit and receive can be captured, but the phone has to be powered from a normal wall power outlet for this to occur. I'm curious if anyone else has had the same experience? I would really like to be able to capture traffic while the phone is plugged into the PoE port. Also, if you have a PoE switch that is not gigabit, do you have similar issues? Thanks for any help at all! -Skinny
  4. Fantastic! This encoder just saved me a ton of time. I had a massive script and the java encoder was taking forever. This worked so much better.
  5. It's been a slow month for devices but here is the latest update: Nook Color (BNRV200), Apple iPhone 5s (ME305LL/A). The Nook's behavior was unexpected. After associating with the Pineapple, it sent a deauthentication packet to kick itself off the Pineapple after not finding a way to reach a particular Barnes & Noble website. It couldn't find the website because I normally use the Pineapple in a manner that doesn't let the client have an outside connection. You can find the updated spreadsheet here: https://docs.google.com/spreadsheets/d/1VO0VSm6n79BndK2KMqmokSVlPaOMQQAH0vkEyQRZIxY/edit?usp=sharing
  6. Hi Guys, A friend of mine just started a physical security business and his first line of products are lockpicks. Each pick is made of spring steel and is hand polished. He's even got a set where the handles are hand wrapped in paracord. He's been putting a lot of hard work into these things. If you're interested you can see his stuff at http://darkmetalfabrication.com/ If you'd just like to tell him they look cool, check him out on twitter: @darkmetalfab
  7. Be careful in your assumptions. Not every bad actor cares about the encrypted traffic. Some of them do not care for banking information, the latest Facebook update, or the last email received. The information and capabilities that the Pineapple can provide can be leveraged to devastating effect in malicious hands. Not all sites of interest have SSL encryption. Someone's browsing habits can help establish a pattern of life. Not to mention they can be fantastic fodder for blackmail. If an attacker gets a room in a hotel next to the room of a prominent politician and said politician happens to have a certain taste in sexually deviant websites, associating his or her MAC address with salacious photos can cripple a career. If you give this presentation to an audience, ask them if they would approve of their significant other knowing their browsing history for the past 2 weeks. In addition, a MAC address associated with an individual's name makes for a great tracking mechanism. Retail stores have toyed with targeted advertising to your phone based on the MAC address that walks into an establishment. With a handful of Pineapples, I could keep track of when you leave home, when you arrive at work, when you arrive at the gym, or when you visit your mistress. If I set them up correctly and place them well enough, I might be able to get your phone to associate through the Pineapple before you arrive at any of these places, thus following your browsing habits at these places. Another interesting fact is that you can use the Pineapple to force newer phones to give up the SSIDs they've associated with (older phones would do this automatically). If you tell me you've never been to "X" establishment / city / country and the Pineapple makes your phone spit out SSIDs from a particular region or area, you're busted. The great thing is I can do this without letting you connect to the Pineapple at all.
I use the Pineapple on a daily basis and depend on people walking out the door and not shutting off WiFi before they leave their house. For my specific application, I just want the device to talk. I don't care what the client device sends, as long as it stays connected and makes packets. The Pineapple enables this activity. If I can achieve this, I win. Know that there are many edge cases. 95% of the Pineapple's use falls neatly into the infosec / pentest arena it was meant for, but there are plenty of other esoteric ways of leveraging this device that can have serious consequences for a victim. Good luck with your presentation.
  8. Three more models to update the list: LG G Watch R, Apple iPhone 5s, Apple iWatch. The LG G Watch R has a fairly interesting past. When initial consumers bought the product, it didn't have WiFi. An update enabled the capability later. Some people are still unaware of the capability. The device I came across had never been connected to an access point before, so the Pineapple had nothing to entice it with. The iWatch was interesting because it deauthenticated from the Pineapple after being connected for about 30 seconds. By deauthenticated I mean it actually sent a deauthentication packet to the Pineapple. I've seen this on a number of iOS 10 devices. It appears that in order to keep it connected, you must make sure the Pineapple is providing an Internet connection. After the device can reach out over the Internet, it has no problem remaining connected. https://docs.google.com/spreadsheets/d/1VO0VSm6n79BndK2KMqmokSVlPaOMQQAH0vkEyQRZIxY/edit?usp=sharing
  9. The following models have been added to the list: Apple iPod 4th Generation, LG G4, Samsung Galaxy S7. In addition, I've added the OUI for each device. I'm not giving the full address for reasons of privacy. I'm including the OUI because sometimes you might want to know what device you're chasing. The OUI will certainly tell you the manufacturer, but specific matching OUIs can let you know the model as well. For instance, an OUI may tell you that a device is an Apple from a simple Internet search, but I've been able to look back over my own records to tell that a specific OUI belongs not only to Apple but that it belongs to iWatches. Once again, here's the link: https://docs.google.com/spreadsheets/d/1VO0VSm6n79BndK2KMqmokSVlPaOMQQAH0vkEyQRZIxY/edit?usp=sharing
  10. Had an interesting time today with an LG cellphone. Perhaps some of you are familiar with this phenomenon but it was new to me. The owner of the LG had disabled WiFi on the phone but had his location services (GPS positioning) set to high. The location service overrode his WiFi settings and began sending out probe request broadcast packets to help with its location efforts. When you checked the WiFi settings, they clearly showed the service was off. We solved this mystery with Wireshark. As soon as he put his location service on a less aggressive setting or completely off, the probe requests stopped. So, if you don't want your MAC address to be broadcast, be sure to tone down the positioning system on your mobile device.
  11. Thanks. I've updated the spreadsheet with a new device, an Asus Zenphone. I'll be adding new devices as they come across my path and I'll try to make sure to post a list on this thread on a monthly or bi-weekly basis.
  12. I run into quite a few WiFi clients throughout the week and each one reacts differently to the Pineapple's strategies of ensnaring clients. I've started to record these differences by characterizing the mobile device and the options needed for the Pineapple to be successful. The fruition of those efforts can be found here: http://skinnyrd.com/clients-react-to-the-wifi-pineapple/ This article explains my process and results. However, if you just want to see the results, they are here: https://docs.google.com/spreadsheets/d/1VO0VSm6n79BndK2KMqmokSVlPaOMQQAH0vkEyQRZIxY/edit?usp=sharing This document will continually be updated with mobile devices, so check back occasionally to get updates. My most recent update to the document, iPhone 6s, didn't make the article.
  13. Just a follow up on this. It turns out that the device in question had a profile pushed to it that made it aware of the WPA2 encrypted AP, but that push never gave the device any credentials to authenticate with the AP. So as far as the device knew, it thought that SSID was genuinely an open access point to begin with. Once I gave the device the opportunity to connect with the same SSID, it grabbed it right away. After looking at the packet capture, this explanation totally lines up with what I was seeing. The device never attempted the four-way handshake. It went straight into open authentication. The Moral of the Story: If your company controls mobile devices from a cloud-based system and they push preferred network lists to the mobile devices with the name of secure APs, they also need to give those phones the credentials for those APs for mutual, secure authentication. Otherwise the device may assume the APs on the list are open and will fall for a tricky Pineapple.
  14. I plan on taking a capture as I have a small window of opportunity with the device, however sadly I can't reveal what the device is. Which also means I can't give out the pcap, but I will let everyone know in general terms what is happening in the packet capture. Sorry, but its the best I can do in this situation.
  15. I had a unique experience today targeting a mobile device. The Pineapple was set up with all the options running on PineAP. The mobile device beaconed out an SSID that happened to be the SSID of an AP that has WPA2 encryption. The Pineapple then very dutifully captured the SSID and replayed it. To my utter surprise the mobile device connected to the Pineapple. This unique association was verified with 2 other pieces of equipment to make sure we were seeing things correctly. In general, this doesn't happen; at least, this is the first time I've seen it happen. The WPA2 4-way handshake process is there to ensure that both the client and the AP mutually recognize each other. The process is just as much to show the client that the AP is the correct AP as it is for the AP to find out if the client is a legitimate client. I've heard @Darren Kitchen and @Sebkinne say on several videos that WiFi can be implemented differently from vendor to vendor; it was just interesting to see that in action today. Just know that some devices will respond positively to the Pineapple even if the SSID you are spoofing normally uses WPA2. It's always worth a shot. You might get lucky.
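Posts 13 and 15 above both come down to the same thing: a client saw its known WPA2 SSID advertised by an open AP (the Pineapple) and joined it without a four-way handshake. The defensive counterpart is the check a wireless IDS makes on the air: a beacon or probe response carrying a protected SSID must set the privacy bit in its capability field and carry an RSN information element; one that does not is an open evil twin. The following is an added example, not code from Skinny's posts or from the Pineapple/PineAP project. It parses raw 802.11 beacon and probe-response frames (no radiotap header) in pure Python, builds its own constructed sample frames, and flags the mismatch. The SSID names, BSSIDs and the `KNOWN_PROTECTED` set are assumptions for the demo.

```python
import struct
from typing import Dict, List, Optional, Tuple

# 802.11 management subtypes whose body is timestamp + interval + capability + IEs
BEACON, PROBE_RESP = 8, 5
TAG_SSID, TAG_RSN = 0, 48
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010   # capability-info bits 0 and 4

# Assumed list of SSIDs that the enterprise pushes as WPA2 networks (hypothetical).
KNOWN_PROTECTED = {"CorpWiFi"}


def parse_mgmt(frame: bytes) -> Dict:
    """Parse one beacon / probe response: BSSID, SSID, privacy bit, RSN presence."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon/probe-response header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (BEACON, PROBE_RESP):
        raise ValueError("not a beacon or probe response")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])          # addr3
    capab = struct.unpack_from("<H", frame, 34)[0]              # after timestamp(8)+interval(2)
    ies: Dict[int, bytes] = {}
    off = 36
    while off < len(frame):                                     # walk tagged parameters
        if off + 2 > len(frame):
            raise ValueError("truncated IE header")
        tag, ln = frame[off], frame[off + 1]
        body = frame[off + 2: off + 2 + ln]
        if len(body) != ln:
            raise ValueError(f"IE {tag} claims {ln} bytes, only {len(body)} present")
        ies.setdefault(tag, body)                               # keep the first occurrence
        off += 2 + ln
    ssid = ies.get(TAG_SSID, b"").decode("utf-8", "replace")
    return {"bssid": bssid, "ssid": ssid,
            "privacy": bool(capab & CAP_PRIVACY), "rsn": TAG_RSN in ies}


def check_protected(parsed: Dict, protected: set) -> Optional[str]:
    """Return None when consistent, otherwise why this AP is an open impostor."""
    if parsed["ssid"] not in protected:
        return None
    if not parsed["privacy"]:
        return "privacy bit clear: protected SSID advertised as open"
    if not parsed["rsn"]:
        return "no RSN IE: protected SSID offers no WPA2 suites"
    return None


def scan(frames: List[bytes], protected: set) -> List[Tuple[str, str, str]]:
    """Run the check over a batch of frames; returns (bssid, ssid, reason) for hits."""
    hits = []
    for f in frames:
        p = parse_mgmt(f)
        reason = check_protected(p, protected)
        if reason:
            hits.append((p["bssid"], p["ssid"], reason))
    return hits


def build_beacon(bssid: bytes, ssid: str, wpa2: bool, probe_resp: bool = False) -> bytes:
    """Construct a minimal beacon (or probe response) for testing; not a real capture."""
    fc = 0x0050 if probe_resp else 0x0080                        # subtype 5 or 8, type 0
    hdr = struct.pack("<HH", fc, 0) + b"\xff" * 6 + bssid + bssid + struct.pack("<H", 0)
    cap = CAP_ESS | (CAP_PRIVACY if wpa2 else 0)
    body = struct.pack("<QHH", 0, 100, cap)                      # timestamp, interval, capability
    body += bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    if wpa2:                                                     # RSN: CCMP group/pairwise, PSK AKM
        rsn = (struct.pack("<H", 1) + b"\x00\x0f\xac\x04"
               + struct.pack("<H", 1) + b"\x00\x0f\xac\x04"
               + struct.pack("<H", 1) + b"\x00\x0f\xac\x02"
               + struct.pack("<H", 0))
        body += bytes([TAG_RSN, len(rsn)]) + rsn
    return hdr + body


# Constructed sample traffic (hypothetical BSSIDs): the real CorpWiFi AP, an open
# "CorpWiFi" twin such as PineAP would replay, and a genuinely open cafe network.
SAMPLE_FRAMES = [
    build_beacon(b"\x00\x11\x22\x33\x44\x55", "CorpWiFi", wpa2=True),
    build_beacon(b"\x02\xde\xad\xbe\xef\x01", "CorpWiFi", wpa2=False, probe_resp=True),
    build_beacon(b"\x00\xaa\xbb\xcc\xdd\xee", "CoffeeShop", wpa2=False),
]

if __name__ == "__main__":
    for bssid, ssid, why in scan(SAMPLE_FRAMES, KNOWN_PROTECTED):
        print(f"ALERT {bssid} ssid={ssid!r}: {why}")
```

Fed a live capture, `scan` would take the 802.11 payload after the radiotap header. The order of the two tests in `check_protected` matters for a Pineapple-style twin: it usually clears the privacy bit and omits the RSN IE at the same time, but a sloppier spoof that copies the capability field while dropping the IE is caught by the second test. The flip side, for the MDM case in post 13, is the client: a device whose pushed profile names `CorpWiFi` without credentials will happily accept the second frame above, so the alert is the only warning the defender gets.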