Jump to content

Mark3 Bug: Why Deauth Doesn't Work And How To Fix It


telot
 Share

Recommended Posts

Yes, this is similar to the previous thread on DeAuth via web interface not working started by hfam. This is different though. Basically the issue with my DeAuth (and I assume others), is that it is coded incorrectly in /www/pineapple/deauth.php. Also, the current implentation of airmon-ng start script doesn’t allow for different channels to be selected, as mon.wlan0 is already up on channel 11. So even if the deauth.php script worked, it’d still only deauth those on channel 11. Lets delve into the guts and figure this out shall we?

Using wifi analyzer on my android, or airodunp-ng via my realtek alfa, I get the BSSID of the target router I want to deauth. In this case, its a spare router I have lying around to test with. I activate airmon-ng via the web interface on the mark3, then I put in the BSSID of 00:12:01:68:70:40. I tell it to deauth 30 times, as I want this lil bastard dead. I have a spare laptop and my phone connected via wifi to this router to ensure the deauths work. Note that I have Karma and all other features off prior to turning on airmon. Here is the output on the Wifi Pineapple Mark3:

Deauth Host: 00:C0:CA:32:AF:AF

Deauth Target: 00:12:01:68:70:40

Deauth Times: 30

Executing: aireplay-ng -0 30 -a 00:C0:CA:32:AF:AF -c 00:12:01:68:70:40 --ignore-negative-one mon0

00:01:46 Waiting for beacon frame (BSSID: 00:C0:CA:32:AF:AF) on channel 11

00:01:56 No such BSSID available.

Please specify an ESSID (-e).

Alrighty. The number next to Deauth Host is one digit off from what is the printed mac address on the back of my Pineapple...I didn't change it above manually or anything, thats what it outputs. Why it puts this number into the -a slot, I have no idea. The deauth.php script is pulling this number from ifconfig wlan0 and piping it into grep and filting for HWaddr, as seen here:

$bssid = exec("ifconfig wlan0 | grep HWaddr | awk {'print $5'}");

The MAC printed on the back of my Pineapple is 00:C0:CA:32:AF:AE...But more importantly, why it is thinking I want to specify a target on my own network instead of another router that has tender juicy potential pineapple victims?

The only thing I can think of it that this is a liability thing...which seems odd as the whole concept of a wifi pineapple is completely against the law if ever used outside of pen testing.

So, the deauth.php is broken, at least in the way (I think!) we all would want to use it.

For it to work as we all want it to, you'd have to first set the channel when activating airmon-ng (i.e. airmon-ng start wlan0 1...1 being the channel of the router I want to deauth). I know, I know, the --ignore-negative-one is supposed to eliminate that need, but it doesn't on this device. How do I know this? Well!

Lets try leaving the router as is (with airmon-ng running via the web interface without any other services (karma, ngrep, etc) running. I ssh into him (yes, the pineapples a guy) and try to correct the problematic deauth.php by correcting the command:

root@Pineapple:~# aireplay-ng -0 30 -a 00:12:01:68:70:40 --ignore-negative-one mon0

00:12:54 Waiting for beacon frame (BSSID: 00:12:01:68:70:40) on channel 11

00:13:04 No such BSSID available.

Please specify an ESSID (-e).

It appears to be stuck on channel 11...which in Minnesota is a shitty ass NBC channel - NOT the channel we want to be on. With or without --ignore-negative-one - the results are the same. Please specify ESSID with -e...which does nothing either. As seen below:

root@Pineapple:~# aireplay-ng -0 30 -a 00:12:01:68:70:40 -e "TestWIFI" --ignore-negative-one mon0

00:19:59 Waiting for beacon frame (BSSID: 00:12:01:68:70:40) on channel 11

00:20:09 No such BSSID available.

Now lets try and correct the problem by manually issuing the correct commands. I turn off airmon-ng via the web interface, as we'll need the mon0 to be on the correct channel (1 in this case).

First I find with iwconfig:

root@Pineapple:~# iwconfig

lo no wireless extensions.

eth0 no wireless extensions.

br-lan no wireless extensions.

wlan0 IEEE 802.11bg Mode:Master Frequency:2.462 GHz Tx-Power=27 dBm

RTS thr:off Fragment thr:off

Power Management:off

mon.wlan0 IEEE 802.11bg Mode:Monitor Frequency:2.462 GHz Tx-Power=27 dBm

RTS thr:off Fragment thr:off

Power Management:on

mon1 IEEE 802.11bg Mode:Monitor Frequency:2.462 GHz Tx-Power=27 dBm

RTS thr:off Fragment thr:off

Power Management:on

Hmm...airmon-ng is deactivated on the web interface, yet there is still an airmon-ng created mon1...and how'd it get to be mon1?! It seems airmon-ng stop script may have some problems as well...I'm abandoning the web interface for now, we can correct airmonstop.sh later...Ok - power cycle this pineapple and lets start from scratch...CONSOLE STYLE BITCHES. Screw Epic Mealtime! This is Epic Haktime!

Ok, now I'm power cycled. I ssh into my little bundle of joy and iwconfig shows whats expected:

root@Pineapple:~# iwconfig

lo no wireless extensions.

eth0 no wireless extensions.

br-lan no wireless extensions.

wlan0 IEEE 802.11bg Mode:Master Frequency:2.462 GHz Tx-Power=27 dBm

RTS thr:off Fragment thr:off

Power Management:off

mon.wlan0 IEEE 802.11bg Mode:Monitor Frequency:2.462 GHz Tx-Power=27 dBm

RTS thr:off Fragment thr:off

Power Management:on

Now what is that mon.wlan0 all about? I have no bloody idea...but spoiler alert: if you leave it up, aireplay-ng -0 doesn't work. Heres what happens:

root@Pineapple:~# airmon-ng start wlan0 1

Interface Chipset Driver

wlan0 Unknown ar231x-wmac - [phy0]

(monitor mode enabled on mon0)

mon.wlan0 Unknown ar231x-wmac - [phy0]

IEEE Unknown Unknown (MONITOR MODE NOT SUPPORTED)

802.11bg Unknown Unknown (MONITOR MODE NOT SUPPORTED)

Mode:Monitor Unknown Unknown (MONITOR MODE NOT SUPPORTED)

Frequency:2.462 Unknown Unknown (MONITOR MODE NOT SUPPORTED)

GHz Unknown Unknown (MONITOR MODE NOT SUPPORTED)

Tx-Power=27 Unknown Unknown (MONITOR MODE NOT SUPPORTED)

dBm Unknown Unknown (MONITOR MODE NOT SUPPORTED)

HA! Its trying to put GHz into monitor mode! I don't think anyone has drivers for that. Despite this oddness, lets try an aireplay-ng -0 anyways. We won't use Frequency:2.462 for an interface though (lol), we'll use regular old mon0 as does the deauth.php...heres what happens:

root@Pineapple:~# aireplay-ng -0 30 -a 00:12:01:68:70:40 mon0

00:02:25 Waiting for beacon frame (BSSID: 00:12:01:68:70:40) on channel 11

00:02:35 No such BSSID available.

Please specify an ESSID (-e).

Its still on channel 11!! DAMN U NBC! Again, adding the -e TestWIfi still does nothing. It seems we have to takedown mon.wlan0 for this to work - for some reason unbeknownst to this noob. Which, when done on the pineapple, means that when you do finally get them deauth'd, you'll have to scramble to get things back running. Again, I have no idea what mon.wlan0 is or does...so I just power cylce the pineapple after I deauth the right way.

In order to get it to work properly, we airmon-ng stop mon.wlan0, airmon-ng stop mon0, then start it up again with a handy 1 (i.e. airmon-ng start wlan0 1) and bobs your uncle's dog, it works beautifully! Instant deauth to my phone and spare laptop, brought to you by our favorite little router, the wifi pineapple.

root@Pineapple:~# aireplay-ng -0 30 -a 00:12:01:68:70:40 mon0

00:21:53 Waiting for beacon frame (BSSID: 00:12:01:68:70:40) on channel 1

NB: this attack is more effective when targeting

a connected wireless client (-c <client's mac>).

00:21:54 Sending DeAuth to broadcast -- BSSID: [00:12:01:68:70:40]

00:21:54 Sending DeAuth to broadcast -- BSSID: [00:12:01:68:70:40]

00:21:55 Sending DeAuth to broadcast -- BSSID: [00:12:01:68:70:40]

00:21:55 Sending DeAuth to broadcast -- BSSID: [00:12:01:68:70:40]

00:21:56 Sending DeAuth to broadcast -- BSSID: [00:12:01:68:70:40]

00:21:56 Sending DeAuth to broadcast -- BSSID: [00:12:01:68:70:40]

Insta awesomeness. Yes, -c is useful, but for the purposes of deauth'ing people around you in order for them to connect to your pineapple, its not really ideal.

Heres my proposal: We add an additional input box on the web interface, have one called "BSSID of Target Router" which would go after the -a command. The other (optional) box could have "Specify target currently connected to Target Router" or something simliar - this would go after the -c command. In addition, we should also have an optional box next to the airmon-ng Start buttons that allows you to input a channel number. Which means that will also have to stop mon.wlan0 before airmon-ng starting the wlan0 on our chosen channel. I'm extremely poor at coding, but I will begin this effort as soon as possible - but if one of you gurus (Darren?) care to step up and pwn this thing, I'm sure we'd all be very appreciative.

I love this little device - all the creators of Jaseger and the hakshop's wifi pineapple deserve massive praise for its usefullness. None of the bugs outlined here effect the Pineapple from pwning noobs who willy-nilly connect to any old open wifi. It does its job great. Now lets get together and stamp out the bugs the little extra features have and get this thing tuned up!

telot

Link to comment
Share on other sites

Great Seb! How exactly will it be implemented? Target the access point and nothing specific (-a but no -c)? Will it airmon-ng stop mon.wlan0 before hand, so you can bring monitor mode on wlan0 back up with a user-inputed channel? Or is there a workaround where you can avoid this step?

wcs: Ha! Glad you enjoyed...I try to make my long winded 'wall of text' posts at least mildly entertaining :)

telot

Link to comment
Share on other sites

Telot, awesome post...

Unless we are interested in being laser focused (/me queues the sharks with freakin' laser beams attached to their heads) with aireplay, why not add airdrop-ng to the WEB-GUI so we can just use our death stars tractor beam and bring in everything thats around...

Snippet of code from Darren:

touch deauth.conf

nano deauth.conf

a/00:00:00:00:00:00|any <-- mac of our AP51 AP

d/any|any

airdrop-ng -i mon0 -t cap-01.csv -r deauth.conf

My question still remains, from another thread, how can the pineapple keep providing internet to existing clients that you are p0wning, if you start deauthing from the web-gui and the pineapples wireless adapter? Isn't a better solution, so that timing and preventing exisiting clients from being disconnected, to use an ALFA USB and a tool running on our laptop?

Unless the answer to my question, is that you can have clients connect plus do mass deauth all from the pineapple without interruptions then I think it's best to have a 2nd wireless adapter for deauthing,

Great Seb! How exactly will it be implemented? Target the access point and nothing specific (-a but no -c)? Will it airmon-ng stop mon.wlan0 before hand, so you can bring monitor mode on wlan0 back up with a user-inputed channel? Or is there a workaround where you can avoid this step?

wcs: Ha! Glad you enjoyed...I try to make my long winded 'wall of text' posts at least mildly entertaining :)

telot

Edited by diggler
Link to comment
Share on other sites

  • 3 weeks later...

Telot, awesome post...

Unless we are interested in being laser focused (/me queues the sharks with freakin' laser beams attached to their heads) with aireplay, why not add airdrop-ng to the WEB-GUI so we can just use our death stars tractor beam and bring in everything thats around...

Snippet of code from Darren:

touch deauth.conf

nano deauth.conf

a/00:00:00:00:00:00|any <-- mac of our AP51 AP

d/any|any

airdrop-ng -i mon0 -t cap-01.csv -r deauth.conf

My question still remains, from another thread, how can the pineapple keep providing internet to existing clients that you are p0wning, if you start deauthing from the web-gui and the pineapples wireless adapter? Isn't a better solution, so that timing and preventing exisiting clients from being disconnected, to use an ALFA USB and a tool running on our laptop?

Unless the answer to my question, is that you can have clients connect plus do mass deauth all from the pineapple without interruptions then I think it's best to have a 2nd wireless adapter for deauthing,

I'm trying to find that out right now Diggler! I've been hoping Seb or someone would chime in with a definitive answer, but we'll/I'll just have to test it out ourselves! First things first is what function mon.wlan0 is performing to the Jasegar portion of the pineapple - and can you use that already-in-monitor-mode adapter to airodump and deauth all while still serving up karma to your victims...I'll report back here with my findings.

telot

Link to comment
Share on other sites

I said it a couple of times.

It works simultaneously, but deauth webui is broken.

I am just waiting for something special and will then release v2. 0.

Best,

Sebkinne

Woo! Can you elaborate on the relationship between wlan1 in master mode and mon.wlan0 in monitor mode in regards to karma? Is the mon.wlan0 what scans for probe requests and tells the wlan0 (master) what to reply back with? In order to deauth, do I need to airmon-ng start wlan0, thereby creating a second monitor mode adapter (mon1)?

Waiting for something special hmm? Like a kiss from a prince? MMMmwwwaa! There ya go Seb, now how bout that release! All kidding aside, what kind of problems are you running into? Anything we could help with? I'm so curious as to your relationship with the Mark3 - do you get a portion of profits from the hakshop? Did you and Darren work together on the mark3, his ideas and your coding? Like I mentioned once before, if you set up a "Donate" button, I would happily throw some cash your way for all the hard work in making my favorite embedded system even better. Thanks Seb

telot

Link to comment
Share on other sites

Waiting for something special hmm? Like a kiss from a prince? MMMmwwwaa! There ya go Seb, now how bout that release! All kidding aside, what kind of problems are you running into? Anything we could help with? I'm so curious as to your relationship with the Mark3 - do you get a portion of profits from the hakshop? Did you and Darren work together on the mark3, his ideas and your coding? Like I mentioned once before, if you set up a "Donate" button, I would happily throw some cash your way for all the hard work in making my favorite embedded system even better. Thanks Seb

telot

Not exactly a kiss, but something nice. I'll try to hurry up but I am just a bit busy.

I am not really running into any problems, it is just something I need to wait for / get around to do.

My relationship to the MK3 is that I had built the original firmware with the patched hostapd (Thanks to Digininja for Karma) which Darren then used to create the original MK3 firmware.

Now, I am working with Darren and Digininja on the pineapple.

No, I do not get any profits and I am happy to continue doing this work without donations.

The only thing I might accept is if someone wants a firmware for a board which is not supported to contact me and potentially donate that board or beta test the firmware bearing the risks of bricking.

For now just stay tuned for the next release ;)

Happy new year!

Seb

Link to comment
Share on other sites

Seb...you' rock mann

Agreed!

Thanks for sharing with us Seb!

telot

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...