Skinny

Active Members
  • Posts: 150
  • Days Won: 17

Posts posted by Skinny

  1. The antennas that are on it are pretty decent quality, however if you are looking for something different, be sure to buy antennas that have an RP-SMA Male connector.

    I'm not sure but the current antennas look like they have anywhere from a 3 to 5dBi gain. If you want something more, you could go with something like this:

    https://www.digikey.com/en/products/detail/rf-solutions/ANT-2WHIP9-SMARP/9555705

    For more gain than that, you would probably want to have some sort of active antenna setup, or go with a directional antenna.

  2. I'm with @Darren Kitchen on this one. Things work. I got what I paid for. It's hard to buy 3 good wifi dongles for the price of this 3 radio device. I sell hardware from time to time and I honestly don't know how they turn a profit. As far as modules, if I want a module, I'll either write it or pay someone to do it. 

    The platform is good agnostic hardware. My use cases are highly niche and change from week to week. The Pineapple has not forced me into a corner by being over bent towards a particular type of pentest. For the price, I cannot match the capability.

    • Upvote 1
  3. 15 hours ago, Murderfalcon said:

    I think I have it figured out but will need to test it. The "real" AP the clients were originally connected to in my test environment was WPA2. It seems that it won't connect to an open AP of the same name. From other posts in this forum it seems that may be why the clients aren't connecting to the pineapple after deauth.

    That seems to be what I'm reading here...at the very least I'm not the only one having issues...

    @Murderfalcon I'm not sure if this is your specific problem, but it might be related.

    Each client has a PNL (Preferred Network List). This list is built when a client connects to an access point. It's how your phone knows to connect to a network automatically. If that access point was WPA2 encrypted when the client originally connected to it, then the client will expect that WPA2 encryption to still be in place.

    WPA2 is a mutual authentication. The AP expects the client to have the correct credentials, but the client also expects the AP to have the same. If the client tries to authenticate to the AP and the AP does not respond correctly (i.e. its authentication has been changed to Open), then the client will see that AP as not being the AP it originally connected to. 

    The Pineapple is not able to attract clients using an SSID of an AP that uses WPA2 for this reason. It's not really a problem with the Pineapple, it's just because of the way WiFi works.

    To remediate the issue, clear the PNL list from the client device then reconnect to that AP when it is open. Also, know that attracting mobile devices to the Pineapple has its own set of hurdles depending on the manufacturer. Make sure the mobile client device doesn't go into sleep mode as many devices disconnect from APs in order to save power.


  4. It's good to be back messing with the Pineapple again after being away from it for so long.

    I'm just starting to kick the tires on the Mark VII and was curious if there is a way to pull the PineAP activity log? In the Tetra and Nano, if I recall correctly, there was a download button or you could pull the info from /tmp/pineap.log. 

    Speaking of downloading logs, I like the json format you can pull down in the recon portion. To the devs, thanks for putting that in. Also, really like the new, slick GUI overall.

    Thanks for any help you guys can provide.

  5. IT'S FIXED!!! This took a stupid amount of time to figure out for such a simple workaround. Before heading down the path outlined below, be absolutely certain there is not some other issue keeping the Crab from connecting to C2.

    Problem:

    After initially connecting to C2 and running perfectly over WiFi, subsequent attempts to connect to the same AP using the same Screen Crab prove fruitless and do not work. This is due to wlan0 on the Screencrab not being up when C2 is invoked at boot.

    Solution:

    1. Take the case off of the screen crab.
    2. Connect to the screen crab's headers (see above) using a TTL-232R-3V3 USB to TTL serial cable. You will need two male to female extension wires to make this possible with the cable specified.
    3. (I'm using Windows) Use Putty to connect to the crab. Baud rate is 115200.
    4. With a microSD card fully configured and inserted into the Crab, power on the crab. If you setup everything correctly, you will see the boot sequence scrolling past in the putty window.
    5. After about 22 seconds, the boot sequence will cease. Press Enter to get a prompt: 
      root@kylin32:/ #
    6. Remount the system folder to allow editing of the crab framework file. 
      mount -o remount,rw '/system'
    7. Edit the crab file using vi. 
      busybox vi /system/bin/crab
    8. If you are unfamiliar with vi, like I was, press "i" to edit the file.
    9. Cursor down to the enable_wifi function and edit it to appear as follows:
      enable_wifi () {
        blink 2 1 cyan led_off
        sync
        wpa_supplicant -iwlan0 -Dnl80211 -c/data/misc/wifi/wpa_supplicant.conf
        svc wifi enable
        sleep 2
        if ifconfig wlan0 | grep inet; then
          echo WiFi connected
        else
          ifconfig wlan0 down
          sleep 4
        fi
      }

      The "ifconfig wlan0 down" part will, strangely enough, turn on the wlan0 interface if it hasn't come on yet. This is the primary problem with my screen crabs not connecting.

    10. After you are finished editing, press Escape, then type :w and press Enter. This will save the file.

    11. Type :q! and press Enter. This will exit you out of vi.

    12. Press the button on the side of the Crab to disengage the microSD card and then shut the Crab.

    13. Restart the Crab. 

    If your network setup isn't too complicated, you can expect the Crab to reconnect about 10 to 15 seconds after the crab LED lights Blue.

    --------------------

    Remaining Problems:

    The crab seems to have an issue when changing from one wireless AP to another. The first time you connect to a new AP (and have taken care to put new settings in the config.txt file and have downloaded a new device.config), the crab will remain connected to the old AP if it is still within range. After rolling power once or twice, it will finally connect to its intended AP. I think this could be fixed by playing around with the crab framework a little more.

    --------------------

    Upgrade Thoughts:

    Once I find the C2 mechanism, I would like for the screen crab to reinvoke C2 if it ever loses connection. Right now if the crab loses connection to the AP (for instance the AP gets powered down for a minute or two), it will not reacquire the AP and re-invoke C2. 

    • Like 2
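    An added example, not part of the post or the Screen Crab firmware: a bounded retry around the same "ifconfig wlan0 down" workaround, so the check in step 9 loops a few times instead of giving up after one try. It assumes BusyBox ifconfig and grep as found on the Crab; wait_for_wlan0, wlan0_has_ip and the attempts/delay parameters are my own names.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the crab framework's own code).
# Loops the observed workaround until wlan0 reports an address, so that
# whatever starts C2 afterwards only runs once the interface is really up.

# Return 0 when BusyBox ifconfig shows an IPv4 address on wlan0.
# 'inet addr' (not just 'inet') avoids matching a link-local inet6 line.
wlan0_has_ip() {
    ifconfig wlan0 2>/dev/null | grep -q 'inet addr'
}

# wait_for_wlan0 ATTEMPTS DELAY
# Retry the workaround up to ATTEMPTS times, sleeping DELAY seconds between
# tries. Returns 0 once wlan0 has an address, 1 when every try failed.
wait_for_wlan0() {
    attempts=$1
    delay=$2
    n=0
    while [ "$n" -lt "$attempts" ]; do
        if wlan0_has_ip; then
            echo "WiFi connected after $n retries"
            return 0
        fi
        # Counter-intuitive but observed on this firmware: 'down' is what
        # kicks the interface into associating.
        ifconfig wlan0 down
        sleep "$delay"
        n=$((n + 1))
    done
    echo "wlan0 never got an address after $attempts tries" >&2
    return 1
}
```

    Dropping wait_for_wlan0 in place of the if/else in enable_wifi (e.g. wait_for_wlan0 5 4) keeps the same 4-second cadence as the post's version, with a bounded number of retries.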
  6. I changed some things today and it seemed to be working for a while. Jumping back into this project a few days ago, I screwed up the c2 setup. When I started c2, for hostname I put the hostname of the computer and not the IP address of the computer. If you look at the last post: 

    POST:	 C2 POST ERROR: java.net.UnknownHostException: Unable to resolve host Chippunk: No address associated with hostname|

    This got me thinking as to why it would give me that error. After correcting the mistake, it worked great on two different networks.

    After putting the case back together and restarting the crab, I was back to square one. It is once again refusing to connect even with the correct c2 setup. 

    I did learn a few additional things today. There is a way to edit files. You can not natively just type vi, vim, or nano and edit things, but you can invoke busybox. If you type the following, you'll get an editor.

    busybox vi

    Also, at boot, there are some lines that are killing bluetooth. I suspect it's part of the radio chip because many wifi chips come with bluetooth already embedded.

    Lastly, the crab is booting using an android system. There is an init program that loads a ton of init files in the main directory. With the ability to edit, you could probably play with the boot sequence and move over your own scripts on the SD card. 

  7. For anyone interested, once connected to the serial port, there is a bash file in /system/bin called crab. It has loads of function in there you can play around with like changing LED colors, wifi functions, and other helpful things. To run the function type:

    source crab

    After that just type the name of the function you want to run. To find out the functions just cat out the file.

    cat /system/bin/crab

    Looking through logs a little more today, I see the problem that is occurring:

    C2Run:	 C2 Thread starting|
    C2Device:	 C2 STARTUP SYNC|
    Util:	 exec [cat /proc/uptime | busybox awk {print ;} 2>/dev/null]|
    Util:	 C2DeviceUpdateexit value: 0|
    Util:	 C2DeviceUpdateshell output : 40.80|
    Util:	 exec [cat /sys/class/net/wlan0/statistics/rx_bytes]|
    Util:	 C2DeviceUpdateexit value: 0|
    Util:	 C2DeviceUpdateshell output : 0|
    Util:	 exec [cat /sys/class/net/wlan0/statistics/tx_bytes]|
    Util:	 C2DeviceUpdateexit value: 0|
    Util:	 C2DeviceUpdateshell output : 0|
    Util:	 exec [ifconfig wlan0 | grep inet addr | cut -d: -f2 | busybox awk {print ;}]|
    Util:	 C2DeviceUpdateexit value: 0|
    Util:	 C2DeviceUpdateshell output : |
    C2Run:	 C2 error error getting updated ip|
    C2Device:	 SEND C2 UPTIME|
    C2Device:	 SEND C2 MINIMAL|
    C2Device:	 SEND C2 NOTIFICATIONS|
    POST:	 C2 POST ERROR: java.net.UnknownHostException: Unable to resolve host Chippunk: No address associated with hostname|
    C2Run:	 C2 error startup sync post failed|
    C2Run:	 C2 RETRYING STARTUP SYNC|

    The "error getting updated ip" towards the bottom is a result of the Screen Crab not connecting to the AP that is available. Once the C2 instance is invoked, it doesn't seem to try again. After the boot sequence, I can force a connection to the AP by typing "ip link set wlan0 down" but by then, the C2 steps have already passed. I know it's legitimately connected to the AP because I can ping the c2 server from the crab. At the moment I'm looking for a way to invoke the c2 instance after I manually get the crab to connect to the AP.

  8. @trunner It doesn't seem to make a difference whether it's plugged into battery or into a wall outlet through a transformer, the result is the same.

    @phrogg After it booted, I just pressed Enter and the prompt popped up. I'm using Windows with Putty. The prompt I get is pasted below after the last few lines of the boot sequence.

    [   22.793488] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:system_app:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
    [   22.930341] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:realtek:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
    
    root@kylin32:/ #
    root@kylin32:/ #


  9. I am curious if anyone has gotten the Inject Raw Frames feature at the bottom of the PineAP page to work. I have tried several different frame types and attempted to receive the transmission from several different boxes (Mint Linux running on a VM and Pentoo running on my laptop). I have PineAP running with no other options on and a fresh firmware load.

    I am attempting to send an RTS frame. I copied the hex from Wireshark as it appears below.

    000012002e48000000308f09c000e7010000b400a20084fcac5ac95f3c37866ef748

    The Inject Raw Frame module then said to take out the radio header information, which I did.

    b400a20084fcac5ac95f3c37866ef748

    The frame breaks out as follows:

    b4 = Type/Subtype
    a200 = Duration
    84fcacffffff = Recv MAC address
    3c3786ffffff = Transmitting MAC Address

    Every time I click Inject Frame, I see nothing on either receiving unit. I see plenty of traffic, just not these frames. I have these receiving hosts set to the same channel and they are both in promiscuous mode.

    If anyone can pick out what I'm doing wrong, I'd love to know, or If you have an example that has worked for you, I'd love to see that as well. Thanks for your help.
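    As an added example (not code from the post or from Hak5), a POSIX shell script that strips the radiotap header Wireshark exported and decodes the RTS fields, using the capture hex quoted above as its sample input. It uses only sh, cut and sed so it also runs on a Pineapple or BusyBox shell; the function names are my own.

```shell
#!/bin/sh
# Added example: decode the Wireshark hex from the post. Constructed sample
# input = the capture quoted above (radiotap header + bare RTS frame).
CAPTURE_HEX=000012002e48000000308f09c000e7010000b400a20084fcac5ac95f3c37866ef748

# hexbyte HEX N: byte N (0-based) of HEX as a decimal number.
hexbyte() {
    start=$(( $2 * 2 + 1 ))
    byte=$(printf '%s' "$1" | cut -c"$start"-$(( start + 1 )))
    echo $(( 0x$byte ))
}

# le16 HEX N: little-endian u16 at byte offset N.
le16() {
    lo=$(hexbyte "$1" "$2")
    hi=$(hexbyte "$1" $(( $2 + 1 )))
    echo $(( hi * 256 + lo ))
}

# Radiotap header starts: version (1 byte), pad (1 byte), total length (u16 LE).
radiotap_len() { le16 "$1" 2; }

# Everything after the radiotap header is the raw 802.11 frame to inject.
strip_radiotap() {
    printf '%s' "$1" | cut -c$(( $(radiotap_len "$1") * 2 + 1 ))-
}

# Frame Control byte: bits 2-3 = type (1 = Control), bits 4-7 = subtype (11 = RTS).
frame_type()    { fc=$(hexbyte "$1" 0); echo $(( (fc >> 2) & 3 )); }
frame_subtype() { fc=$(hexbyte "$1" 0); echo $(( (fc >> 4) & 15 )); }

# Duration/ID field: NAV reservation in microseconds for an RTS.
duration_us() { le16 "$1" 2; }

# mac_at FRAME N: the 6-byte address at byte offset N as aa:bb:cc:dd:ee:ff.
mac_at() {
    start=$(( $2 * 2 + 1 ))
    printf '%s' "$1" | cut -c"$start"-$(( start + 11 )) | sed -e 's/../&:/g' -e 's/:$//'
}

is_rts() {
    [ "$(frame_type "$1")" -eq 1 ] && [ "$(frame_subtype "$1")" -eq 11 ]
}

# Print the fields the way the post breaks them out. A bare RTS is 16 bytes;
# 20 bytes would mean a trailing FCS that must also be dropped before injection.
describe_rts() {
    frame=$(strip_radiotap "$1")
    is_rts "$frame" || { echo "not an RTS frame" >&2; return 1; }
    echo "frame bytes     : $(( ${#frame} / 2 ))"
    echo "duration        : $(duration_us "$frame") us"
    echo "RA (receiver)   : $(mac_at "$frame" 4)"
    echo "TA (transmitter): $(mac_at "$frame" 10)"
}

describe_rts "$CAPTURE_HEX"
```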

  10. I've finally got it working! But it's an unusable solution for the field. I opened it up and used the serial connection header to connect to check the wireless interface. I fully connected the device with the microSD card inserted and plugged through an HDMI connection.

    The results of looking at the network interfaces were as follows after a full boot:

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN qlen 1000
        link/ether 00:10:20:30:40:50 brd ff:ff:ff:ff:ff:ff
    3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN
        link/gre 0.0.0.0 brd 0.0.0.0
    4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN qlen 1000
        link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
        link/ether 74:ee:2a:a9:16:9e brd ff:ff:ff:ff:ff:ff
    6: p2p0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
        link/ether 76:ee:2a:a9:16:9e brd ff:ff:ff:ff:ff:ff

    wlan0 wasn't coming up. Right now the microSD card in the crab has a config file that is only programmed to setup the wireless capability. The device.config file is present as well.

    The strange thing is that if you run 'ip link set wlan0 up,' nothing happens, but if you run 'ip link set wlan0 down', the interface springs to life and connects to the AP. Unfortunately, whatever script that was supposed to trigger the c2 functionality had already passed.

    So I rebooted the device and waited until this spot where the booting process slows down:

    [   20.840703] audit: auditd disappeared
    [   21.304272] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:system_app:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
    [   21.424438] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:realtek:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service

    At this point I typed in 'ip link set wlan0 down' quite quickly. A couple seconds later, cloudc2 picked up the callback and all was well.  So it works, but only on my lab bench top as it is impractical to have the device open in the field for installation.

    I don't know much about OpenWRT right now, but I suspect some kind of boot file needs to be re-written. The unfortunate thing is I can't seem to get vi, vim, or nano to run in order to edit anything yet and I'm about to run out of time to work on this for a while. Hopefully someone can look into this oddity and beat me to fixing it.

  11. The battle continues. I now have 3 screen crabs that all have the same issue. After running them for the 1st time, they never seem to connect consistently again. I have tried many different avenues to get consistent behavior, but the fact remains that the screen crab does not connect to the AP. I've tried 2 separate APs with similar results. Here is what is happening over the air.

    (image: screencrab2-scaled.jpg)

    The screen crab will send out a Wildcard probe request, the AP will respond, and that's about all that happens. After that, the crab just starts sending out probe requests again. This sequence repeats all throughout the packet capture.

  12. Meanwhile, I'm still having trouble with the WiFi radio. I now have 3 screen crabs in my possession. I grabbed a brand new one and placed an SD card inside of it with a config file, containing just the WIFI SSID and password, and the device.config file from c2. The screen crab worked great. It connected to the AP and called back to C2 perfectly. After letting it grab a few screenshots over the course of several minutes, I pressed the button and let the light go green. I removed the microSD letting the light go red. I disconnected power from the crab.

    Next, I placed the microSD back into the screen crab and connected power. The crab came on, the light went blue, but it never connected to the AP and therefore never connected to c2. I cycled power again, but still no connection.

    I then repeated everything above with another mint condition screen crab. It did the exact same thing. Now I have 3 screen crabs that are in the same situation. Just by cycling power after the first run, it will not reconnect to the AP. 

    Unfortunately, I can't find a reliable setup or course of action to get consistent behavior. 

  13. On 5/18/2020 at 7:00 PM, Th4ntis said:

    I'm having some issues getting mine to connect to my WiFi it seems. I put a blank MicroSD card in so it generates the config.txt, edited it to add my WiFi SSID and Password with quotes as @Skinny suggested.

    Instead of editing it, erase everything in the file except for the WiFi SSID and Password. The only reason I say this is because of the line under #3 on the screen crab instructional page: https://docs.hak5.org/hc/en-us/articles/360033503594-Configuring-Screen-Crab-for-Cloud-C2

    See if it makes a difference.

    Also, after you change it, let it fully reboot, press the button, let the LED turn green, unplug power, and then boot it again. I've found that sometimes it takes 2 boots before things start working. I'm not sure why. 

  14. @zenn1999 Mine also gets very warm. It started out working two days ago when I set it up for another infrastructure, and then stopped working yesterday. I went into the office and grabbed two more. I'll test them Monday to see if they are having the same problem and get back to you.

  15. Here's what I did: 


    The problem is that it doesn't work all the time, but it's worth a try. I'm beginning to think it might be a hardware issue, but I'm not sure. I'm about to get my hands on another unit to see if it behaves differently.

  16. 22 hours ago, Foxtrot said:

    You can try with --force-depends for kernel modules. We do the same thing on the Pineapple automatically.

    Thanks for the response. I gave it a shot and it looked promising but still failed out at the end.

    Configuring kmod-libphy.
    Configuring kmod-mii.
    Configuring kmod-usb-net.
    Configuring kmod-usb-net-asix-ax88179.
    Collected errors:
     * satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-usb-net-asix-ax88179:
     *      kernel (= 4.14.176-1-342af9e4f67b3447c53216ab8e3b12a1)

    I was trying to install a driver for an Ethernet adapter I was working with. Looks like it was going well for the dependencies but then failed to actually load what I wanted.

    <<<UPDATE>>>

    Strangely, I rebooted the Owl and went back in to try the process again. This time it says there was a successful installation:

    opkg install kmod-usb-net-asix-ax88179 --force-depends
    Package kmod-usb-net-asix-ax88179 (4.14.176-1) installed in root is up to date.

    Now I just need to figure out how to bring up an Ethernet interface as it appears that does not happen automatically. Looks like it's not as simple as ifconfig eth0 up.
