
Posts posted by Skinny

  1. Hi venu413,

    There is an option to download the list in PineAP. Navigate to the PineAP module. Scroll down to the SSID Pool portion. Next to the SSID Pool title is a drop-down arrow. Click the arrow. Select Download SSID Pool.

    If you are looking to interface it with an app, then you might want to SSH in and look in the /etc/pineapple/ directory. There you will find a file called ssid_file. It contains the list.

  2. I had no idea that the Apples rolled that way. I have the new 6s; my MAC is always the same via the Nano GUI, but that's when I'm usually on it. When you say a user can manually change the settings, which settings are you referring to?

    I can't speak to newer Apple devices, but just as an example my old iPod has a setting that says "Ask to Join Networks". With this enabled, even if everything is in my favor per my previous post, the user has to take a specific action to join the Nano. If they are at work and all of a sudden their phone asks them if they want to connect to the McDonalds access point, I doubt my day will be successful.

  3. Hmmm...unless the client is spoofing, then the MAC address should be the one hard coded to the system.

    Not so with Apple. Newer Apple devices roll their MAC address every minute or so if they are not associated with an AP. It makes it a bit more difficult to track a phone based on just its MAC address. When it associates, its true MAC is revealed.

    This is not the hardest part about getting an unassociated Apple to connect with the pineapple. When most of these devices are in idle/sleep mode, they beacon out using these random MAC addresses; however, they never beacon out any SSIDs for which they are searching. So you need to have the SSID it wants already in your PineAP pool or make sure to have Beacon Response activated in PineAP.

    In addition, if you do have the correct SSID in the pool, it will not connect to the pineapple or any AP until it awakes from sleep mode. In fact, it's been my experience that you will get no response whatsoever from the device until it is awakened.

    Finally, everything I've said so far goes out the window if the user manually changes the settings, making it less or more secure. I am sometimes happily surprised when I'm able to grab a newer Apple product. I suspect it's because the user played with the settings or awakened the device at some point during my activities.
  4. I modified it a little bit, is this more like what you wanted to do?

    $ cat pineap.log | cut -c34- | sort | uniq | cut -c20- | sort | uniq -c | sort -r -n

    Great job fugu! I checked out the results from both this morning, and this one-liner has the exact functionality of the Python script.

    The Python script produces two files. The first is just like you've made here. It shows the rankings. The second is the same as the first, but it eliminates the ranking and just has the list of SSIDs. This second file is what gets put in /etc/pineapple/ for the PineAP pool. I believe you're just one cut command from having that file as well.

    Thanks for posting this. I've learned a few things about formatting output from you. Seeing your one line of commands made me feel like an idiot after building a script in python for 6 hours. If you don't mind, I might contact you later in regards to some ubertooth-rx output I've been trying to shape.

    Have a great day and thanks again!

  5. One technique that might not be looked upon kindly is to wait until you are in the lead, then jam the whole 2.4GHz band, bringing everything to its knees. You can get jammers from China, turn on a couple of microwave ovens, or just buy several really cheap RF video transmitters that operate in the 2.4GHz band.

    This probably isn't helpful. I'm sorry. Sometimes I just like to watch the world burn. :grin:

  6. I'm not sure how to do that in python, but in bash you can do

    $ cat pineap.log | cut -c34- | sort | uniq -c | sort -n -r | head -100
    If you just want the SSIDs you can do

    $ cat pineap.log | cut -c53- | sort | uniq -c | sort -n -r | head -100

    Nice work! I like the approach. There is a minor hitch for me with the second command, but it just depends on what kind of list you're trying to build. For the SSID cat command, all the SSIDs are counted in the file regardless of how many times a single MAC address may have beaconed it out. The Python code above will not count an SSID as having a higher rank if that SSID has been beaconed for by the same MAC address over and over.

    For instance, in one of my pineap.log files there is an SSID called FiOS-4Z7UY. With the above cat command this SSID ranks second overall with a count of 19, but when you manually look through the log file you only see 2 MAC addresses beaconing for that SSID over and over. By repeatedly beaconing the SSID, the ranking for that SSID becomes artificially inflated. The Python script, on the other hand, puts the SSID much further down the list with a count of 2. The count is 2 because only two unique MAC addresses beaconed for it. What I need out of an SSID pool is for that list to be filled with SSIDs with a high count from multiple devices, to have the highest likelihood of grabbing the attention of a random, unassociated client. That's why the script is written in this manner.

  7. Whistle Master,

    As far as a dream module using the script above, being able to take the produced SSID file, trim it to a specific number of top SSIDs, and then manage those produced files would be helpful. With a way to manage the files, you could load or withdraw specific, high ranking SSID pools depending on what geographic location you find yourself in.

    A simpler module would just be a button that you click. With one click it would take a look at the pineap.log file, run it through the script above, and allow the user to download the resulting file for editing.

    I'm a bit of an idiot when it comes to coding and have never used the languages required to write a module. I'm stepping through the video Darren and Seb made but I think it's going to take a few iterations and time I don't have. If you decide to pursue this as a project, let me know if there is a way I can assist and I'll help where I can.

  8. Hi Guys,

    I've been working on a Python script to help organize the pineapple's SSID pool. Most of the work I do with the pineapple has to do with attracting unassociated clients. As such, it's sometimes undesirable to have an extremely large SSID pool. For instance, if I'm trying to grab a client and it's looking for an SSID that's 2250 on the list, but the pineapple is rolling through SSIDs at number 5 on the list, I might miss my opportunity.

    To help combat this, I generally use an SSID list that is smaller in number, but the SSIDs on that list are SSIDs that many people use (Ex: attwifi, panera, CableWifi). Up until now I've just been looking at multiple lists trying to pick out ones I think clients will be broadcasting.

    The script makes use of the pineapple's pineap.log file. You can find this file by going to the Logging system module and clicking the Download button after you've used PineAP to log some probe requests. You can also find it on the pineapple in the /tmp/ directory. This file starts anew after each restart.

    If you place pineap.log in the same directory as the script and run the script, the script will:

    - harvest all of the SSIDs and the MAC addresses that probed for them

    - eliminate all duplicate requests

    - assign each SSID a rank based on the number of times a unique device requested that SSID

    - sort the SSID with the highest rank to the top with each successive rank behind

    - write the results to two files. The first file, SSIDlist.log, has just SSIDs listed in their appropriate rank order. The second file, finalRanking.log, has the same but each SSID has its rank next to it.

    What I then do is edit SSIDlist.log, erase all but the top 100 SSIDs, rename the file to ssid_file, and place it in the pineapple's /etc/pineapple/ directory. (More on that here: https://forums.hak5.org/index.php?/topic/38060-ssid-pool-management/?p=275753) Now my standard pool of SSIDs are the top 100 SSIDs used in my part of the world.

    Just to give you an example of how I'm using this on the ground. Yesterday I took my pineapple to a large target area. I needed to know what SSIDs would most likely ensnare the devices and the employees' personal devices on that campus. I spent over an hour walking the grounds and ended up with over 450 SSIDs. Using this script, I'll cut that 450 down to 100 or even 50 to increase the speed and efficiency of grabbing a client.

    The example files that are with the script are from me driving around Tampa yesterday with the pineapple in the back of my car. Just for the record, war driving is a terrible way to collect probe requests for an area. You're better off walking.

    You might be asking, why isn't this a module? First, I've never used JavaScript or PHP. I'm attempting to learn, but I'm not even close. So if anyone finds this helpful enough and wants to make it a module, be my guest.

    Finally, I'd like to make a suggestion. If you use this script for a particular area and you don't mind sharing, I would like to make a repository of Top 100's on regions all over the world. I have webspace at skinnyrd.com and can post them all there in an organized fashion. The more distinct the region, like neighborhoods or industrial parks in cities vs entire metro areas, the better. If you live in a small town, that's welcome too. If you'd really rather not share, no big deal.

    If you have any questions just let me know. Have a great day!

    SSIDsort.zip

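A worked version of the ranking this post describes, which also covers the point made in the reply further up about a single chatty device inflating a plain cut | sort | uniq -c count. This is an added example, not the SSIDsort script attached here or any Hak5 code; the probe line layout, the sample log contents and the function names are all constructed assumptions.

```python
# Added example (not the SSIDsort script from the post): rank probed SSIDs by
# the number of distinct client MACs that asked for each one. The log line
# layout below is a constructed assumption; real pineap.log lines may differ,
# so the parser keys on the MAC address rather than on fixed column offsets.
import re
from collections import Counter, defaultdict

# Constructed sample log. One chatty client probes FiOS-4Z7UY three times in a
# row, which inflates a naive per-line count; only two distinct devices ask.
SAMPLE_LOG = """\
2016-03-27 08:01:10 Probe Request from 00:11:22:33:44:55 for SSID 'attwifi'
2016-03-27 08:01:11 Probe Request from 00:11:22:33:44:55 for SSID 'FiOS-4Z7UY'
2016-03-27 08:01:12 Probe Request from 00:11:22:33:44:55 for SSID 'FiOS-4Z7UY'
2016-03-27 08:01:13 Probe Request from 00:11:22:33:44:55 for SSID 'FiOS-4Z7UY'
2016-03-27 08:01:20 Probe Request from 66:77:88:99:AA:BB for SSID 'FiOS-4Z7UY'
2016-03-27 08:01:21 Probe Request from 66:77:88:99:aa:bb for SSID 'FiOS-4Z7UY'
2016-03-27 08:01:22 Probe Request from 66:77:88:99:aa:bb for SSID 'attwifi'
2016-03-27 08:02:01 Probe Request from de:ad:be:ef:00:01 for SSID 'attwifi'
2016-03-27 08:02:02 Probe Request from de:ad:be:ef:00:01 for SSID 'panera'
2016-03-27 08:02:30 Probe Request from ca:fe:00:00:00:02 for SSID 'panera'
2016-03-27 08:02:31 Probe Request from ca:fe:00:00:00:02 for SSID 'CableWifi'
2016-03-27 08:02:40 Probe Request from 00:11:22:33:44:55 for SSID ''
"""

MAC_SSID_RE = re.compile(
    r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}) for SSID '([^']*)'")

def parse_probes(log_text):
    """Yield (mac, ssid) pairs; MACs lower-cased so AA:BB and aa:bb match."""
    for line in log_text.splitlines():
        m = MAC_SSID_RE.search(line)
        if m and m.group(2):  # skip broadcast probes (empty SSID)
            yield m.group(1).lower(), m.group(2)

def naive_counts(log_text):
    """What cut | sort | uniq -c measures: one count per log line."""
    return Counter(ssid for _, ssid in parse_probes(log_text))

def unique_device_counts(log_text):
    """Count each (MAC, SSID) pair once, so the count is distinct devices."""
    seen = defaultdict(set)
    for mac, ssid in parse_probes(log_text):
        seen[ssid].add(mac)
    return Counter({ssid: len(macs) for ssid, macs in seen.items()})

def rank_ssids(log_text, top_n=None):
    """[(ssid, devices)] highest first; ties broken by name for stability."""
    ranked = sorted(unique_device_counts(log_text).items(),
                    key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top_n] if top_n else ranked

def render_pool_files(ranked):
    """Text for SSIDlist.log (SSIDs only) and finalRanking.log (count + SSID)."""
    ssid_list = "".join(f"{ssid}\n" for ssid, _ in ranked)
    final_ranking = "".join(f"{n} {ssid}\n" for ssid, n in ranked)
    return ssid_list, final_ranking
```

On the sample, naive_counts puts FiOS-4Z7UY on top with 5 while rank_ssids gives it 2, behind attwifi; write the first string from render_pool_files(rank_ssids(open("pineap.log").read(), 100)) to ssid_file for the pool.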
  9. Thanks for the response. I'm doing this in my company so it's possible the AP is stronger, but my phone/tab/iPhone is within a couple of feet of the nano. Let me ask you this, so I don't keep wasting time: 'should' they be connecting automatically even if the real AP is password protected/encrypted WPA? When I attempted to connect to the pineapple manually I get a message about it being unsecure. Could that obstacle be the reason it doesn't connect automatically on the deauth?

    The short answer is that it depends on the phone and the settings of that device. For a longer answer, read on.

    Some devices will always ask you about an unsecure connection if their settings are configured to ask.

    The fact that a device is not automatically connecting to a pineapple could be for a myriad of reasons. For instance, if the phone has never seen any of the access points the pineapple is offering, then the phone will likely not connect automatically. One advantage with using the Nano is that PineAP can persuade wireless devices to give up the SSIDs that device is searching for but there are times when even this can be problematic.

    In the case of an iOS device, many will not connect if they go into sleep mode even if they are broadcasting wireless packets. Once someone wakes the phone, it will then connect but only if it's seen the broadcasted SSID before and only if the device's settings are configured to allow the automatic connection.

    If a device is already connected to an AP, then you have to fight the other AP for the device's attention. Sometimes you lose that battle.

    Because there are so many different wireless devices, all with different settings, it's hard to say what your particular issue is. Only by reviewing your device's settings and knowing how it operates when associated and unassociated to an access point will you gain full understanding into the matter.

    This may sound elementary and you may have already tried this, but I would suggest this course of action:

    1. Associate your devices to your company's AP

    2. Ensure that your company's AP is in PineAP's SSID list

    3. Get far away from your place of employment (and preferably anyone else) bringing your devices and the pineapple.

    4. Turn on the pineapple running PineAP fully weaponized and power on all your devices to see if they connect automatically or if they ask for user input.

    It might even be a good idea to turn on all your devices first, allow the screens to go idle (dark), and then power on the pineapple. This way you will know if you can get them to connect even if they are "sleeping".

    I have hooked devices that usually beat me 90% of the time and have struggled to connect instruments that should have been trivial. Your mileage may vary.
  10. This is a bug I have fixed and will release an update for very soon with lots of other improvements.

    Best Regards,

    Sebkinne

    Seb,

    You might already know about this, but after some further experiments, it seems there is a more nuanced issue. When the recon scan is set to 'AP & Client', it will only show results if an AP is nearby. If an AP is not detected, then any results of unassociated clients are not reported.

    Since I am in a stark WiFi environment, I powered up two client devices and just allowed them to probe. When a recon scan was executed looking for AP & Clients over a 5 minute window, no results were returned. Next, I plugged in an AP and re-ran the scan over a 5 minute period. The scan reported the AP and the two unassociated clients.

    I've repeated this experiment several times and get the same results each time. Firmware 1.0.5 does not have the same issue.

    Just wanted to make you aware if it wasn't something already being examined.

    Thanks again for all your hard work!

  11. Hi Guys,

    I was just playing around with two different Nanos and noticed something odd. Recon mode has two separate responses if it cannot find WiFi in an area. With both units I separately attached each with a Y-adapter cable to a laptop running Ubuntu. The only difference is that one had the 1.0.5 firmware and the second had 1.0.6 firmware.

    When the 1.0.5 firmware unit completes a recon scan, it operates as one would expect. After the progress bar has reached 100% or is finished, the screen returns "No scan results" and the Scan Settings return to normal.

    When the 1.0.6 firmware unit's recon scan runs and there is nothing in the area to find, it tends to hang at 100% indefinitely. If there is a WiFi signal in the area it operates just as the 1.0.5 firmware does.

    As a matter of setup, both Nanos were given a reset so that modules and other screw-ups I might have caused would not manipulate the results.

    So I'm curious if anyone else out there can reproduce my results. I know for a few of you finding a place with no WiFi might be difficult but I'm curious if this is a thing or if something else is causing the difference between both of these units.

    Thanks!

    Skinny

  12. Miracle of miracles, something fixed itself. Recon is working again. From the time of my last post, here is everything I did. I don't know what fixed it.

    1. After a factory reset, I restarted the nano and recon was still not working. It would hang at 100%. I tried directly connected with a laptop and through wireless management.

    2. I took the Nano apart to smell and see if any component had fried. Everything looked good. (As a side note the board says "MKV nono Rev8")

    3. I booted the board without the case and without the memory card. Recon still did not work through the wireless management. Shut the Nano down and left it for several hours.

    4. Replaced the memory card and rebooted this time with my android phone tethered to the Nano.

    5. Checked for a firmware upgrade (there wasn't one).

    6. Noticed that when I selected Modules from the menu, none of my modules were present. I clicked manage modules. They were all listed. Went to the dashboard. Looked at the menu again and then all my modules appeared under the Modules heading.

    7. Ran Recon and everything worked.

    I have tried to think about the last action I took before Recon stopped working. I think I had just tried to install the dependencies for the tcpdump module. After I installed them, I got an error when I tried to turn tcpdump on. It was late so I left it alone. I have no idea if this would affect Recon. If anyone else is still having this problem, I'd love to hear how you got it in that state and if you found a solution. Good luck!

  13. It looks as though my Nano just lapsed into the very same condition. Just today recon will start, register 100%, and then freeze indefinitely. I've reset the Nano to factory default to no avail. When I get home I will try to reload the firmware. Also, I took some current measurements in different states before it started behaving in this manner. I'll check those numbers vs what it draws now to see if it's potentially a hardware issue.

    Judging from past posts this seems to be a recurring problem. If I see a solution or a cause, I'll report back.

  14. Hi mdbill,

    What you want to do is possible but it will take an investment. Ubiquiti is a company that makes some pretty good gear when it comes to these types of applications. I once was able to extend a network connection through 1/2 a mile of thick forest. I used their AirMax product line. If I remember correctly, we purchased a radio for each end and a directional antenna for each. That was several years ago and they appear to have even better stuff now.

    https://www.ubnt.com/products/

    Assuming that you do the research or hire someone to put together a solution for you, you'll have two challenges using this equipment. The first is elevation. If there is any roll in the earth between your house and office, you'll need to elevate your directional antennas on both sides. Putting it on the roof of both places might be enough but it will depend on the geography over the five miles. The second challenge will be those trees. You'll need to get out a compass or something similar and make sure you have both antennas pointing towards each other without the luxury of having eyes on target. Also, if the forest is thick and wide enough, it could easily kill your signal.

    If you decide to go this route, be sure to keep your receipt and make sure the distributor has a decent return policy. :smile:

  15. The reason I was asking so many power related questions is because if the Tetra doesn't get enough power it will freeze or reboot under certain conditions. I was thinking the Nano might exhibit the same behavior. With the USB charger you are using, you have over 10W to work with. When I have my Android phone tethered to the Nano while running PineAP and Recon mode, I'm only starting to approach 5W. In order for power to be your problem, that USB range extender would have to have a USB hub at the end with multiple devices attached. It also looks like a lot of your power is coming from wall plugs. That's all I could think of, but it looks like that's not your problem. Good luck!

  16. Ok, I'm an idiot. It's never a good idea to do your setup in a lab with Aruba wireless gear with the IDS turned on.

    Yeah, the Aruba stuff was doing its job and shooting down connections to anything on the network that was not one of its APs. Disable/whitelist the pineapples and things are working fine.

    I think I owe Seb and Darren a drink for this one.

    RenderMan,

    I was curious about your Aruba system. When does the system step in to disassociate the client? Does it only perform this action when the pineapple is trying to be part of the Aruba network, or will it try to disassociate any client/AP relationship within range of the sensor?

    Thanks!
