Neinsager Backpack


Darren Kitchen

Here's a brain dump from my Neinsager research. I've only just started the project a few hours ago but for this I figured I'd crowd source and such.

With the MK4 I'm adding a feature called "Tango Mode" which basically allows you to take a MK3 or MK4 and turn it into a backpack using a short Ethernet cable from the MK4 Master's LAN port to the MK3/MK4's LAN port. After exchanging SSH key pairs the master pineapple running Jasager can now control the slave pineapple running Neinsager.

This should run the same on an AR2315 based MK3 or an AR9331 based MK4.

I have the aircrack-ng suite up and running, though I'm getting unpredictable results with airodump-ng. That's not really an issue as I wasn't looking for something that interactive anyway. What I'm currently looking for is a simple way to list nearby *client* BSSIDs. iw wlan0 scan will give me a listing of access points from which I can grep out SSIDs, but to my knowledge not clients.

I'm thinking perhaps kismet can, for which there is an openwrt package so I'll investigate that next.

The reason for this is that I would like to write a script which will find nearby BSSIDs in order to feed aireplay-ng for deauth'ing. Obviously I'll implement white and black listing so you don't kill all the clients your Jasager pineapple already has.

If you're saying to yourself, "Darren, this already exists, it's called airdrop-ng and you covered it on Hak5 years ago" -- you're right. Unfortunately the airdrop-ng script is Python, which has about a 4MB footprint. Sure the MK4 could handle that with USB storage, but not the MK3 -- and there's a bunch of fons/open-meshes/ap51's that could be put to great use as a Neinsager backpack.

The other consideration is that Airdrop-ng requires the old version of lorcon as well as pylorcon, and if you've ever tried to get these running you know it might not even be worth attempting to cross-compile for the AR2315. I dunno, maybe I'm wrong, but I feel like this could easily be re-written as a bash script.

Ok, looking forward to collaborative development. Thoughts?


When I was playing with airodump-ng for the mark3 I could not get it to scan channels that were out of the range that the pineapple ssid was set to; even to deauth I had to set the mon.wlan0 to what channel the bssid was on.

Maybe if you disable the wlan0 from acting as an access point? Or maybe you're way more on top and I'm being a noob.


Trying to get away from the pc completely. Channel hopping isn't a problem, der neinsager won't be configured as an AP. Wash is a good lead but would rather not have to write something. This must be possible with Kismet, sed, awk, cut, grep, bash, if, echo and at. I mean, those guys rock! ;-)


I played with a script a while ago that changes the pineapple's (mk3) channel and does an airodump-ng mon0 --channel 1 --write CH1capfile. I'll look around for it. Once grep'd out, you could have a whole new list on the status page of nearby APs that people might be connected to and a list of potential targets.

That way you're seeing your competition (legit APs), seeing your "customers" (targets), and which customers are being stubborn at coming over to your place of business... which is selling fresh pineapples, right? :) That way you can do some digging (market research, if you want to continue the metaphor...) and find out why they're not attached to you. It would give you a fuller picture of what's happening in the air all around you and the tools to alter it in real time.

Hope this helps and FYI, if you need someone to beta test... :)

telot


iwlist will only get you the ESSIDs and not the clients. I wrote a similar script about a year ago and used kismet to do it. I take the Kismet XML log and parse it to pull out the clients and APs.

A problem you will have is that the log file is only written out periodically. I was running it on a Fon originally, so had very limited storage and set the log file to write out every few minutes. The shorter the period, the more frequently you can use it, but the less data it will have.

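As an added example (not Robin's script or anything else from this thread), here is the log-parsing step done with only sh and awk, the toolset Darren lists above: it pulls each AP's BSSID and channel plus the MACs of the clients associated to it out of a Kismet newcore .netxml log, and a second function drops any MAC that is on your own known-device list. The element names (wireless-network, BSSID, channel, wireless-client, client-mac) are assumed from the Kismet netxml format, and the XML itself is a constructed sample.

```shell
#!/bin/sh
# Constructed sample in Kismet newcore .netxml layout (element names assumed).
SAMPLE_XML='<detection-run>
<wireless-network number="1" type="infrastructure">
<SSID><essid cloaked="false">CoffeeShop</essid></SSID>
<BSSID>00:11:22:33:44:55</BSSID>
<channel>6</channel>
<wireless-client number="1" type="established">
<client-mac>aa:bb:cc:00:00:01</client-mac>
</wireless-client>
<wireless-client number="2" type="established">
<client-mac>AA:BB:CC:00:00:02</client-mac>
</wireless-client>
</wireless-network>
<wireless-network number="2" type="infrastructure">
<SSID><essid cloaked="false">Pineapple</essid></SSID>
<BSSID>00:C0:CA:00:00:99</BSSID>
<channel>11</channel>
<wireless-client number="1" type="established">
<client-mac>AA:BB:CC:00:00:03</client-mac>
</wireless-client>
</wireless-network>
</detection-run>'

# Emit one "BSSID CHANNEL CLIENT-MAC" line per associated client.
# awk remembers the last BSSID/channel seen, so each client is tied to its AP.
kismet_clients() {
    printf '%s\n' "$1" | awk '
        /<BSSID>/      { sub(/.*<BSSID>/, "");      sub(/<\/BSSID>.*/, "");      bssid = toupper($0) }
        /<channel>/    { sub(/.*<channel>/, "");    sub(/<\/channel>.*/, "");    chan = $0 }
        /<client-mac>/ { sub(/.*<client-mac>/, ""); sub(/<\/client-mac>.*/, ""); print bssid, chan, toupper($0) }'
}

# Same list minus MACs on a known-device list (one MAC per line, any case),
# e.g. the clients already associated to your own AP.
kismet_clients_excluding() {
    kismet_clients "$1" | awk -v known="$2" '
        BEGIN { n = split(known, k, "\n"); for (i = 1; i <= n; i++) if (k[i] != "") skip[toupper(k[i])] = 1 }
        !($3 in skip)'
}

kismet_clients "$SAMPLE_XML"
kismet_clients_excluding "$SAMPLE_XML" "aa:bb:cc:00:00:03"
```

On a real box, replace SAMPLE_XML with "$(cat /path/to/Kismet-*.netxml)" and the known list with "$(cat known_macs.txt)".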

I myself wouldn't want a deauth running for too long or too frequently; how about running kismet for a minute, then running aireplay-ng on the parsed-out xml file?

Or maybe keep kismet running full time and after every minute parse out the relevant data to a different file, then clear out the kismet xml file.

Then when deauthing, loop through all the MACs while checking them against the pineapple's connected MACs.

Thank you Robin for your work(s) :)


Renderman has a script on his site, whenever it comes back up, that was for running kismet drone on wrt54g's. It would make it so the access point would hop channels. I'll post it up here as soon as I find it. I'm sure I have it somewhere....

Found it on beakmyn's site.

root@OpenWrt:~# vi /etc/init.d/S70JW_scan

#!/bin/sh
# Hop the Broadcom radio (wl utility) through all eleven 2.4 GHz channels so a
# Kismet drone on the router sees every channel: the non-overlapping 1/6/11
# first, then the rest, one second on each, looping forever.
while : ; do
 wl channel 1 ; sleep 1
 wl channel 6 ; sleep 1
 wl channel 11 ; sleep 1
 wl channel 2 ; sleep 1
 wl channel 7 ; sleep 1
 wl channel 3 ; sleep 1
 wl channel 8 ; sleep 1
 wl channel 4 ; sleep 1
 wl channel 9 ; sleep 1
 wl channel 5 ; sleep 1
 wl channel 10 ; sleep 1
done

Edited by barry99705

Is it not possible for the MK4 to share the WiFi device on the MK3 such that the MK4 is the one controlling the WiFi on the MK3?

I remember reading something about everything in linux being treated as a file.

Alternatively, set up some form of fileshare between the MK4 and MK3 :) that should dodge the limitations in the MK3.

Also I'm not quite sure I understand what you mean by "backpack" :(


"Naysayers"? Why the name? I'm curious.

Concept looks great but assume for a second that you hooked up another wireless interface via the USB on mk4... Why not use that as the radio to do the same thing?

Jasager says yes to everything to lure them in, Neinsager says no to all connections to kick users off other APs.

The two devices would be connected via ethernet, the MK4 has two wired NICs so one is connected between the two devices.


I have been playing with similar ideas in an attempt to make a simple wifi toolkit based in Python and bash (mostly the first one).

For what I was doing, subprocess in Python worked for executing programs and popping their output into other modules (like running airodump, ID'ing client MACs, then piping the info into aireplay-ng, etc).

This tutorial helped a lot. It's mostly about Python but explains modules used to accomplish some of the same concepts in bash.

http://jimmyg.org/blog/2009/working-with-python-subprocess.html


Been busy with prep for SXSW but will get back to this as soon as that's over. This is kind of a pet project and I'd like to see it blossom. Though the more I research the more I realize with kmod-rtl8187 an alfa awus036h could do the trick over usb, which is a less expensive (both money and battery) option that may work.


  • 4 weeks later...

Darren, is this still coming soon?

I like the idea of using another mark 4 because I could use that as a deauther/reaver/another thing like this, but right now the mark 4 is not set up to connect to another mark 4, plus a way to control the second from the first is needed, maybe a UI implementation?

The idea of using the awus036h is great as well, and it would be awesome to get it in the next release.

Also, alfa has an updated awus036nh, the awus036nhA.

It uses an atheros ar9271 chipset, and I thought maybe it could be used as the karma interface, seeing that it has the potential for more power output. Just a thought.

Keep up the great work, thanks again.

Edited by petertfm

  • 1 month later...

Yes, it is on my agenda. I have time freeing up in the next few weeks and will make this a priority. Might need some beta testers. Stay tuned :)

Sounds awesome :)

If you need help/programmers with bash/python scripting and piping, send me a message. I am particularly good with piping ;D. Unfortunately I only have one pineapple MK4, so I won't be able to test the whole thing... yet...

Edited by SilverExploit