Everything posted by esa

  1. Strange behaviour; it works for me when Allow Associations is turned off. Can I check whether NetworkingPlus -> "Hide Client AP" is disabled? Anyway, with Allow Associations turned on, you will need to use Filter module -> SSID filter -> Allow Mode to achieve a minimal visual cue. Otherwise your targeted device will see that previously associated SSIDs are available in the Wi-Fi list.
  2. You might want to look into femtocells: https://www.weboost.com/news/blog/cell-phone-signal-booster-or-femtocell/ https://www.digitaltrends.com/mobile/femtocell-verizon-hack/
  3. There is a help section under the Pineapple Nano GUI. On the topic of creating a fake AP to minimise visual cues, I am not certain if PineAP can accomplish that. If I am not mistaken, PineAP/Karma will respond to any Wi-Fi probe request with a valid SSID. Thus devices with Wi-Fi turned on should be able to see that all previously connected SSIDs are available. You could try this module for precise creation of a fake AP: https://github.com/esa101/NetworkingPlus. Under the PineAP module, turn off "Allow Associations", and keep PineAP Daemon: Disabled. Do reply with your results.
  4. If I get the issue right, in your case using the web interface (GUI) results in frequent shutdowns of the Nano? Some options: 1) Verify that there is enough power for the Nano. Try different ways to power your device and see if that improves the stability. 2) Reset to factory default ==> you have tried that but it didn't work out. 3) Recover the firmware to the original, then perform the firmware upgrade. Another piece of advice: treat the OS as fragile. For each module that you install, ensure that the key features of the Nano still work before installing another module. Do use the shutdown button if possible.
  5. So you SSHed into the WiFi Pineapple, ran ifconfig and did not find any adapter matching wlan1 or wlan1mon? Can you post a screenshot of the results of ifconfig, iwconfig and iwlist?
  6. Try to deauth for a longer duration. This will act as a DDOS and force the device to search for alternatives. My advice is to use console mode to do it. The WiFi Pineapple's wlan0 is your default AP; you should use wlan1 to perform the deauth. After you SSH into the WiFi Pineapple: run command (1) to check whether wlan1 or wlan1mon exists. If wlan1 exists, run (2), else run (3). Command (2) merely enables monitor mode for wlan1; it also renames it to wlan1mon. Command (3) merely dumps out whatever wlan1mon can receive over WiFi, so you should see some APs etc. Next run (4) to perform the deauth. You will need to configure the command according to which MAC you are going to deauth. Use aireplay-ng -h to list the help. Parameters -a and -c might be wrong, do verify.
     1) ifconfig
     2) airmon-ng start wlan1
     3) airodump-ng wlan1mon
     4) aireplay-ng -0 0 -a xxxxxx -c xxxxx wlan1mon
     https://www.aircrack-ng.org/doku.php?id=deauthentication
  7. I do face occasional issues when using the GUI, and they usually can be solved either by a power reset or a factory reset. Sometimes the Recon scan will hang at 100%; other times PineAP will not work as intended. Generally, SSHing into the device will offer a more reliable experience. Furthermore, with console mode you are able to debug what exactly is wrong. Also, when you are facing too many issues it could be that the firmware wasn't updated properly, thus a firmware recovery might come in handy.
  8. https://vidlox.tv/003o08meqxds Looks safe to watch. Perform your own scan at VirusTotal or scanurl. http://www.urlvoid.com/scan/vidlox.tv/ https://www.virustotal.com/en/url/17e7e97152632ac94790fc58cec48efd52aa304c519c6411a69aba5e2c526c0b/analysis/1494506372/ https://scanurl.net/u/vidlox-tv-003o08meqxds
  9. Added SSID tracking. You could just use this module: https://github.com/esa101/ReconPlus-nano/tree/version3.0
  10. It is not a complete solution, but it should work on a portion of your targets. Yes, the SSID probe request is based on previously connected SSIDs and it works even when the real AP is not nearby. You should get an iPhone and a cheap Android phone to experiment with. Do share your script if you have it.
  11. The MAC address should change to a spoofed one as soon as it is disconnected from the real Wi-Fi network. On the timing of the change, it seems randomised; there is no fixed interval that I observed. More info: there are also some articles which suggest that iOS MAC randomization could be defeated, but the catch is that you need to know his real MAC to begin with. https://arxiv.org/pdf/1703.02874v1.pdf
  12. Btw, are the 2 x 7dBi panel antennas worth it? Thinking of an upgrade too. How effective are they for you?
  13. I am using a default Nano setup. 1) Interference caused by the external environment at the time of the scan is beyond our control. http://packetworks.net/blog/common-causes-of-wifi-interference 3) On iOS, the TX probe changes very frequently, within minutes (no exact value). The only time it reveals its actual MAC is when it is connected to an AP. 4) Once again I do not have the stats, but you should expect to see this behaviour on most modern phones. Try it on a Nexus or an iPhone. Another thing I forgot to mention: I am also not certain if phones TX at consistent power. Too many factors.
  14. Please experiment; maybe you have better luck than me. My conclusion is that relying on WiFi probes from the client device is not reliable and does not work for all cases. Some challenges would be: 1) interference in the signal, resulting in fluctuating signal strength; 2) WiFi probe timing differs between devices and OSes, and the target might be long gone before his/her device TXs again; 3) iOS MAC address randomisation, and some Android OSes/phones; 4) power saving mode, which turns off WiFi TX when the screen is off; 5) we are assuming the WiFi module is turned on.
  15. #!/usr/bin/python
     from __future__ import print_function
     import os
     import time
     import datetime
     import argparse
     import netaddr
     import sys
     import logging
     from scapy.all import *
     from pprint import pprint
     from logging.handlers import RotatingFileHandler
     from collections import OrderedDict

     NAME = 'probemon'
     DESCRIPTION = "a command line tool for logging 802.11 probe request frames"
     DEBUG = False
     # "mac<tab>ssid" -> (rssi, last seen, channel); the table is redrawn on every probe
     myDict = {}


     def get_channel(packet):
         # walk the tagged parameters and return the DS Parameter Set (ID 3)
         # channel if present, instead of assuming it is always the third element
         elt = packet.getlayer(Dot11Elt)
         while elt is not None:
             if elt.ID == 3 and len(elt.info) >= 1:
                 return ord(elt.info[0:1])
             elt = elt.payload.getlayer(Dot11Elt)
         return None


     def get_rssi(packet):
         # newer scapy decodes the RadioTap header and exposes dBm_AntSignal;
         # older versions leave the header tail in notdecoded, where the signal
         # byte sits at the offset below (driver/version dependent)
         rssi = getattr(packet, 'dBm_AntSignal', None)
         if rssi is not None:
             return rssi
         raw = getattr(packet, 'notdecoded', b'')
         if len(raw) >= 2:
             return -(256 - ord(raw[-2:-1]))
         return None


     def packet_callback(packet):
         if not packet.haslayer(Dot11):
             return
         # we are looking for management frames with a probe request subtype
         # if neither match we are done here
         if packet.type != 0 or packet.subtype != 0x04:
             return
         # list of output fields
         fields = []
         # append the mac address itself
         fields.append(packet.addr2)
         # parse mac address and look up the organization from the vendor octets
         #if mac_info:
         #    try:
         #        parsed_mac = netaddr.EUI(packet.addr2)
         #        fields.append(parsed_mac.oui.registration().org)
         #    except netaddr.core.NotRegisteredError, e:
         #        fields.append('UNKNOWN')
         # include the SSID in the probe frame
         #if ssid:
         fields.append(packet.info)
         delimiter = '\t'
         textkey = delimiter.join(fields)
         #if rssi:
         rssi_val = get_rssi(packet)
         fields.append(str(rssi_val))
         # determine preferred time format
         log_time = str(int(time.time()))
         #if time_fmt == 'iso':
         log_time = datetime.datetime.now().isoformat()
         fields.append(log_time)
         # logger.info(delimiter.join(fields))
         clear = lambda: os.system('tput reset')
         clear()
         myDict[textkey] = (rssi_val,
                            datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S'),
                            get_channel(packet))
         mySortedDict = OrderedDict(sorted(myDict.items(), key=lambda t: t[0]))
         for i in mySortedDict:
             print(myDict[i][0], myDict[i][1], myDict[i][2], i)
         #sys.stdout.write('%s\n' % textkey)
         #sys.stdout.flush()


     def main():
         global DEBUG
         parser = argparse.ArgumentParser(description=DESCRIPTION)
         parser.add_argument('-i', '--interface', help="capture interface")
         parser.add_argument('-t', '--time', default='iso', help="output time format (unix, iso)")
         parser.add_argument('-o', '--output', default='probemon.log', help="logging output location")
         # type=int so values given on the command line are not passed to the handler as strings
         parser.add_argument('-b', '--max-bytes', type=int, default=5000000, help="maximum log size in bytes before rotating")
         parser.add_argument('-c', '--max-backups', type=int, default=99999, help="maximum number of log files to keep")
         parser.add_argument('-d', '--delimiter', default='\t', help="output field delimiter")
         parser.add_argument('-f', '--mac-info', action='store_true', help="include MAC address manufacturer")
         parser.add_argument('-s', '--ssid', action='store_true', help="include probe SSID in output")
         parser.add_argument('-r', '--rssi', action='store_true', help="include rssi in output")
         parser.add_argument('-D', '--debug', action='store_true', help="enable debug output")
         parser.add_argument('-l', '--log', action='store_true', help="enable scrolling live view of the logfile")
         args = parser.parse_args()
         if not args.interface:
             print("error: capture interface not given, try --help")
             sys.exit(-1)
         DEBUG = args.debug
         # setup our rotating logger
         logger = logging.getLogger(NAME)
         logger.setLevel(logging.INFO)
         handler = RotatingFileHandler(args.output, maxBytes=args.max_bytes, backupCount=args.max_backups)
         logger.addHandler(handler)
         if args.log:
             logger.addHandler(logging.StreamHandler(sys.stdout))
         #while True:
         #    for channel in range(1, 14, 1):
         #        os.system("iwconfig " + args.interface + " channel " + str(channel))
         #        print "[+] Sniffing on channel " + str(channel)
         sniff(iface=args.interface, prn=packet_callback, store=0)


     if __name__ == '__main__':
         main()

     might be useful.
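Added example, not esa's code and not part of the probemon script above: a parser for the tab-separated fields that script assembles (MAC, SSID, RSSI, timestamp), grouping probes per client, flagging locally administered (randomized) addresses and measuring RSSI spread, which puts numbers on the randomization and signal-fluctuation caveats raised in posts 11 and 14. The log lines are constructed and the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the field order the probemon script builds:
# MAC, probed SSID (empty for a broadcast probe), RSSI in dBm, ISO timestamp.
SAMPLE_LOG = (
    "a4:5e:60:11:22:33\tHomeNet\t-61\t2017-05-11T10:00:01\n"
    "da:a1:19:0b:7c:01\t\t-70\t2017-05-11T10:00:02\n"
    "da:a1:19:0b:7c:01\tCafeWifi\t-52\t2017-05-11T10:00:02\n"
    "a4:5e:60:11:22:33\tWorkLAN\t-59\t2017-05-11T10:00:05\n"
    "2e:11:22:33:44:55\t\t-80\t2017-05-11T10:00:09\n"
    "not a probemon line\n"
)
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def is_locally_administered(mac):
    # Bit 0x02 of the first octet marks a locally administered address;
    # randomized client MACs (e.g. iOS while unassociated) are minted with it set.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def parse_probe_log(text):
    """Parse tab-separated probemon lines (mac, ssid, rssi, time); skip malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not MAC_RE.match(parts[0].lower()):
            continue
        mac, ssid, rssi, ts = parts
        records.append({"mac": mac.lower(), "ssid": ssid, "rssi": int(rssi),
                        "time": datetime.fromisoformat(ts)})
    return records

def summarize(records):
    """Per client MAC: probe count, directed SSIDs, RSSI spread, randomized flag."""
    per_mac = defaultdict(lambda: {"probes": 0, "ssids": set(), "rssi": []})
    for r in records:
        entry = per_mac[r["mac"]]
        entry["probes"] += 1
        entry["rssi"].append(r["rssi"])
        if r["ssid"]:  # directed probe reveals a previously joined network
            entry["ssids"].add(r["ssid"])
    for mac, entry in per_mac.items():
        entry["randomized"] = is_locally_administered(mac)
        entry["rssi_spread"] = max(entry["rssi"]) - min(entry["rssi"])
    return dict(per_mac)

def randomized_share(summary):
    """(randomized MACs, total MACs) seen in the capture."""
    return sum(e["randomized"] for e in summary.values()), len(summary)
```

A high randomized share means most client addresses in the capture cannot be tied to a device across sessions, and a large RSSI spread for one MAC within seconds shows why signal strength alone is a poor proximity cue.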
  16. Thanks, this is definitely a better way to differentiate between the Nano and Tetra. Updated to use this code instead. https://github.com/esa101/NetworkingPlus
  17. Experimental version which should work on both a Nano and a Tetra. Once again, without a Tetra to test with, I will need the community to help test this out. If this "combined" module doesn't work, the easier solution would be to create separate NetworkingPlus modules for the Nano and Tetra. https://github.com/esa101/NetworkingPlus/tree/version-1.5 Technique used to differentiate between a Nano and a Tetra: by observing the diff results, it seems that the Nano uses "wan" whereas the Tetra uses "wwan". My guess is that the Tetra's firewall rules should have the wwan interface configured. So basically I check if /etc/config/firewall contains any info related to wwan; if it exists then this must be a Tetra, else it must be a Nano.
  18. Just a minor change between the base Recon module code on the Tetra and Nano. Thus I believe this should work for Tetra users. As I do not have a Tetra, I gotta rely on those who have it to help try it. https://github.com/esa101/ReconPlus-Tetra I have also updated the first post to include separate links to modules for the Nano and Tetra.
  19. Thanks for helping to upload this and also helping to diff the network module in the other thread.
  20. Hi, I just assumed the Tetra and Nano share the same module. As I do not have a Tetra, is it possible to upload the Tetra's default Networking module? I will do a code comparison and would likely be able to "fix" it if the changes are not too significant.
  21. Hi, I just assumed the Tetra and Nano share the same module. As I do not have a Tetra, is it possible to upload the Tetra's default Recon module? I will do a code comparison and would likely be able to "fix" it if the changes are not too significant.
  22. https://github.com/esa101/NetworkingPlus/blob/version-1.4 Updated the module to set the maximum number of clients that can connect to our AP. This is a very useful feature when you are creating a popular SSID to spoof. PineAP cannot support too many clients connecting to it; when there are a lot of clients using PineAP, the internet service becomes unusable. Please share your experience on the maximum number of clients that could be connected to your spoofed AP without making the internet unusable. Further info on my findings that could help: on the number of clients that can be supported, I couldn't find an official answer, but 8 could be the magic max number. From https://wifipineapple.com/pages/nano, we know that the Nano is using the Atheros AR9331 + Atheros AR9271 chipsets. By default wlan0 is responsible for creating the spoofed AP. Running "ethtool -i wlan0" on the Nano, we can tell that wlan0 is the one using the AR9331. From https://wikidevi.com/wiki/Atheros_AR9331 we know that the TP-Link WR741ND also uses the Atheros AR9331 chipset. From a 2-year-old discussion on http://forum.tp-link.com/showthread.php?75905-TL-WR741ND-max-wireless-users, someone suggested the magic number 8. You might wonder whether it would help to use wlan1 to create the spoofed AP? From https://wikidevi.com/wiki/Atheros_AR9271 we know that the TP-LINK TL-WN722N is also using the Atheros AR9271 chipset. From https://wikidevi.com/wiki/TP-LINK_TL-WN722N: "This device supports a maximum of 2 simultaneous AP and 7 clients". So the performance will be roughly similar.
  23. Try wget http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/base/Packages.gz and report your observations.
  24. Thanks, will give Sublime Text a try after my JetBrains trial expires this weekend.
  25. Yet another minor update. This time I enabled a greater variety of WPA/WPA2 (TKIP or CCMP or both) networks that can be created. https://github.com/esa101/NetworkingPlus/tree/version-1.3 On what TKIP or CCMP is, please read the article I linked below. https://www.acrylicwifi.com/en/blog/about-wpa-psk-tkip-ccmp-wi-fi-security-information/ So why not just a generic WPA/WPA2 network? Earlier on I mentioned that this mod is to make my life easier when performing Evil Twin against clients on WPA2/WPA protected APs. For Evil Twin to work, you will need to create an AP with the same SSID and encryption type (MAC address spoofing is not necessary).