Posts posted by yonomas

  1. Is it possible to get a step-by-step guide about the installation and how to use it?


     

    15 minutes ago, Zylla said:

    You are correct. This is only done over a terminal.
    I do have plans to make a Module, to make it more user-friendly. But I do not have an ETA on when that will be done.

    I will keep this thread updated if any changes occur. 

     

     

  2. 51 minutes ago, Zylla said:

    Update:

    Patches added to hostapd. (Remove rfkill message, etc.)
    Python files are now added to install-file. (Need to add --force-overwrite argument when installing)
    SSLstrip2 works!
    Startup script updated. Now it works like on Kali Linux.

    More changes are in development as we speak!  This was just a small patch.

     

    A-W-E-S-O-M-E!!!!

     

  3. 36 minutes ago, bored369 said:

    A. You'll need to be careful doing this and make sure you post disclaimers that they may be involved in demonstrations and to turn off their wifi if they don't want to participate as well as announcing it prior to starting the presentation and then again when you are about to start/show off the demonstration.  Remember what you are showing them (even for educational purposes) is very illegal in most jurisdictions.

    B. Search for the MANA attack on the forum, someone has been working on implementing that on the pineapple and seems to be getting good results.

    C. I think the points he brings up are actually more important than what you are going for in terms of shock value, a good presentation gives listeners a point of view they may have never thought of before and the fact that their devices could be used to track them plays well into the surveillance state of the world today imo.

    D. I might would focus on the fact it's not just using public wifi that is the problem and that having their wifi on when they are not using it in general is the largest concern. I've had several demonstrations where I said "hey could "yourName iphone" check your wireless and let me know what you are connected to?" Then when they realize pulling their phone out of their pocket which they haven't touched during the talk but yet they've been compromised and by name even their face says it all at that point.

     
     

    You are right, the company that manages these talks is in charge of the disclaimers, but I'll double check with them. Thanks for the advice.

    I was thinking of capturing the email addresses of Facebook/Twitter/Instagram accounts, putting them in a file and running a script to search for the public profile image of those accounts and show them on the screen at the end of the presentation.

    But so far there is no way to get something like that from the phone apps or the browser (btw no one uses the browser for Facebook/Twitter/Instagram).

    I saw the post about MANA, but it is kind of complicated to make it work right now. Is there any module from the Pineapple able to gather more relevant info than just the MAC address or device ID?
     

     

  4. 11 hours ago, Skinny said:

    Be careful in your assumptions. Not every bad actor cares about the encrypted traffic. Some of them do not care for banking information, the latest Facebook update, or the last email received. The information and capabilities that the Pineapple can provide can be leveraged to devastating effect in malicious hands.

    Not all sites of interest have SSL encryption. Someone's browsing habits can help establish a pattern of life. Not to mention can be fantastic fodder for blackmail. If an attacker gets a room in a hotel next to the room of a prominent politician and said politician happens to have a certain taste in sexually deviant websites, associating his or her MAC address with salacious photos can cripple a career. If you give this presentation to an audience, ask them if they would approve of their significant other knowing their browsing history for the past 2 weeks.

    In addition, a MAC address associated with an individual's name makes for a great tracking mechanism. Retail stores have toyed with targeted advertising to your phone based on the MAC address that walks in to an establishment. With a handful of pineapples, I could keep track of when you leave home, when you arrive at work, when you arrive at the gym, or when you visit your mistress. If I set them up correctly and place them well enough, I might be able to get your phone to associate through the pineapple before you arrive at any of these places thus following your browsing habits at these places.

    Another interesting fact is that you can use the Pineapple to force newer phones to give up the SSIDs they've associated with (older phones would do this automatically). If you tell me you've never been to "X" establishment / city / country and the Pineapple makes your phone spit out SSIDs from a particular region or area, you're busted. The great thing is I can do this without letting you connect to the Pineapple at all.

    I use the Pineapple on a daily basis and depend on people walking out the door and not shutting off WiFi before they leave their house. For my specific application, I just want the device to talk. I don't care what the client device sends, as long as it stays connected and makes packets. The Pineapple enables this activity. If I can achieve this, I win.

    Know that there are many edge cases. 95% of the Pineapple's use falls neatly into the infosec / pentest arena it was meant for, but there are plenty of other esoteric ways of leveraging this device that can have serious consequences for a victim.

    Good luck with your presentation.

     

    Thanks for the suggestion. Those are interesting ideas; however, the presentation is about 30 to 40 mins, and what you mentioned will take a lot more than that.
    I just need something simple but meaningful for them, and with MAC address only.... it won't work

    I can explain for hours about how dangerous it could be, but it's much more effective if I show them something like

    "Hey guys, these are the emails/text/Facebook id etc etc that I captured while YOU were here"

    You get the idea?

  5. 2 minutes ago, Zylla said:

    I've been pretty occupied the last month, both with work and private life. That's why I haven't gotten that much work done on this.
    My idea was to use two install files. One for the Nano, and one for the Tetra.
    Then I need to work on launching Mana quite easily. Perhaps a pineapple module that gives the user easy access.
    And also a launch-script, that lets you choose between separate attacks. (NAT/no-upstream/etc). (Like the wp6.sh script, with options)
    I'm open to suggestions! :)

    I hope to get some work done on this project this week, maybe even tomorrow.
    Shouldn't take more than a few hours of testing and writing some lines of code.

    I also hope that the out-dated python libraries get updated soon, so we can run sslstrip+ without all the hassle I had to go through to get it working.
    That would also make the one-click install part a lot easier. But I digress... :)

     

    I wish I could help you, but I'm still learning the basics of Python. If there is something I can do, please let me know.

  6. 31 minutes ago, Zylla said:

    Rather wait till I get up a one-click install type of install.

    Just remember to install to the SD card when using the nano. The install is quite big, and the nano has limited internal storage.

    This is the tool that might help with my presentation in a few weeks,
    but I have no experience installing these things. How much time until we get a one-click install type of install?

  7. I was planning to do a presentation about
    The Hidden Dangers of Public Wi-Fi

    So I bought the nano and set everything up so I can prove the point


    BUT

    Unless you come up with something practical,  it was just a waste of time and money.

    - Browsers alert about issues with SSLstrip, so… no credentials from any social media website or email sites

    - No data from phone apps, since most of them use SSL. And nobody uses the browser to use Facebook from the phone


    Besides getting the MAC address, what other information can you get from the clients connected to the nano? Using what module?

    Something practical, something that makes the user aware that joining unknown wifi routers could be dangerous…. Just providing the MAC address is worthless for the regular user; they just don't care

    BTW, 99% of the time the clients don't have internet. I reset the nano 10000 times, changed to a different USB wlan, etc etc

     

  8. Sun Oct 23 23:28:04 2016 daemon.notice netifd: Network device 'wlan2' link is up
    Sun Oct 23 23:28:04 2016 daemon.notice netifd: Interface 'wan' has link connectivity
    Sun Oct 23 23:28:04 2016 daemon.notice netifd: Interface 'wan' is setting up now
    Sun Oct 23 23:28:04 2016 kern.info kernel: [  119.320000] wlan2: associated
    Sun Oct 23 23:28:04 2016 daemon.notice netifd: wan (2512): udhcpc (v1.23.2) started
    Sun Oct 23 23:28:05 2016 daemon.notice netifd: wan (2512): Sending discover...
    Sun Oct 23 23:28:08 2016 daemon.notice netifd: wan (2512): Sending discover...
    Sun Oct 23 23:28:11 2016 daemon.notice netifd: wan (2512): Sending discover...
    Sun Oct 23 23:28:12 2016 daemon.notice netifd: Network device 'wlan2' link is down
    Sun Oct 23 23:28:12 2016 kern.info kernel: [  127.380000] wlan2: deauthenticated from 00:26:68:be:5b:20 (Reason: 15=4WAY_HANDSHAKE_TIMEOUT)
    Sun Oct 23 23:28:12 2016 daemon.notice netifd: Interface 'wan' has link connectivity loss
    Sun Oct 23 23:28:13 2016 daemon.notice netifd: wan (2512): Received SIGTERM

     

    WHAT IS THAT????

  9. I can access 172.16.42.1:1471 when I connect to the nano using the nano's access point, and I get internet through it (sometimes)

    Sometimes.... I can connect to the admin page, as long as I'm on the same wifi network (nano and PC sharing the same wifi router),
    but only sometimes, the first minute after turning on the nano. After that, there is no way to access the admin page if I'm not connected to the nano's access point.




    My questions

     

    Where do I set to have internet  (logged as root) using the nano access point?  But not affected by sslsplit or any other module

    Where do I set to be able to connect to nano when we share the same wifi router? Without using the nano's access point?
     

     

  10. I mean

    Not getting stuck while scanning wifi networks. 
    With clients not losing connectivity all the time
    SD Card reads all the time
    Broadcast SSID Pool all the time not just a few minutes

    Or is it just me?? I already reset, formatted, rebooted many times, checked all the instructions; I'm pretty sure it is not a user problem

    I wish I had read the posts on this forum before I bought the nano elite. It seems like many users have the same problem; so far it is just an expensive brick.


     
