Darren Kitchen Posted February 26, 2012

Here's a brain dump from my Neinsager research. I only started the project a few hours ago, but for this I figured I'd crowdsource and such.

With the MK4 I'm adding a feature called "Tango Mode", which basically allows you to take a MK3 or MK4 and turn it into a backpack using a short Ethernet cable from the MK4 Master's LAN port to the MK3/MK4's LAN port. After exchanging SSH key pairs, the master pineapple running Jasager can control the slave pineapple running Neinsager. This should run the same on an AR2315-based MK3 or an AR9331-based MK4.

I have the aircrack-ng suite up and running, though I'm getting unpredictable results with airodump-ng. That's not really an issue, as I wasn't looking for something that interactive anyway. What I'm currently looking for is a simple way to list nearby *client* BSSIDs. "iw wlan0 scan" will give me a listing of access points from which I can grep out SSIDs, but to my knowledge not clients. I'm thinking perhaps Kismet can, for which there is an OpenWrt package, so I'll investigate that next.

The reason for this is that I would like to write a script which will find nearby BSSIDs in order to feed aireplay-ng for deauthing. Obviously I'll implement white- and blacklisting so you don't kill all the clients your Jasager pineapple already has.

If you're saying to yourself, "Darren, this already exists, it's called airdrop-ng and you covered it on Hak5 years ago" -- you're right. Unfortunately the airdrop-ng script is Python, which has about a 4MB footprint. Sure, the MK4 could handle that with USB storage, but not the MK3 -- and there are a bunch of Fons/Open-Meshes/AP51s that could be put to great use as a Neinsager backpack. The other consideration is that airdrop-ng requires the old version of lorcon as well as pylorcon, and if you've ever tried to get these running you know it might not even be worth attempting to cross-compile for the AR2315.

I dunno, maybe I'm wrong, but I feel like this could easily be re-written as a bash script. OK, looking forward to collaborative development. Thoughts?
PineDominator Posted February 26, 2012

When I was playing with airodump-ng for the Mark 3, I could not get it to scan channels that were out of the range the pineapple SSID was set to. Even to deauth, I had to set mon.wlan0 to whatever channel the BSSID was on. Maybe if you disable wlan0 from acting as an access point? Or maybe you're way more on top of it and I'm being a noob.
diggler Posted February 26, 2012 (edited)

.

Edited February 26, 2012 by diggler
Darren Kitchen (Author) Posted February 26, 2012

Trying to get away from the PC completely. Channel hopping isn't a problem; der Neinsager won't be configured as an AP. Wash is a good lead, but I would rather not have to write something. This must be possible with Kismet, sed, awk, cut, grep, bash, if, echo and at. I mean, those guys rock! ;-)
hfam Posted February 26, 2012

This is AWESOME!!! Ok, ok... I just grabbed another MK4, there's no damn WAY I'm gonna miss out on Neinsager from the git go!! Sehr gut, Herr Kitchen!!! Danke schön!! ;)
PineDominator Posted February 26, 2012

I am not that great with bash/grep/piping the data to another program, but I'm not sure if tcpdump could be given some thought?

    tcpdump -i mon0 --ADD OPTIONS HERE TO FURTHER PIN IT TO CLIENTS AND APs
telot Posted February 26, 2012

I played with a script a while ago that changes the pineapple's (MK3) channel and does an "airodump-ng mon0 --channel 1 --write CH1capfile". I'll look around for it. Once grepped out, you could have a whole new list on the status page of nearby APs that people might be connected to and a list of potential targets. That way you're seeing your competition (legit APs), seeing your "customers" (targets), and which customers are being stubborn about coming over to your place of business... which is selling fresh pineapples, right? :) That way you can do some digging (market research, if you want to continue the metaphor...) and find out why they're not attached to you. It would give you a fuller picture of what's happening in the air all around you and the tools to alter it in real time. Hope this helps, and FYI, if you need someone to beta test... :)

telot
Darren Kitchen (Author) Posted February 26, 2012

Basically the first step is to find the equivalent of "iw station dump" for nearby clients. Then it's just a matter of checking with Jasager to make sure we don't deauth any of his clients, and a simple loop with aireplay-ng.
digininja Posted February 26, 2012

iwlist will only get you the ESSIDs and not the clients. I wrote a similar script about a year ago and used Kismet to do it. I take the Kismet XML log and parse it to pull out the clients and APs. A problem you will have is that the log file is only written out periodically. I was running it on a Fon originally, so I had very limited storage and set the log file to write out every few minutes. The shorter the period, the more frequently you can use it, but the less data it will have.
PineDominator Posted February 27, 2012

> iwlist will only get you the ESSIDs and not the clients. I wrote a similar script about a year ago and used Kismet to do it. I take the Kismet XML log and parse it to pull out the clients and APs. A problem you will have is that the log file is only written out periodically. I was running it on a Fon originally, so I had very limited storage and set the log file to write out every few minutes. The shorter the period, the more frequently you can use it, but the less data it will have.

I myself wouldn't want a deauth running for too long or too frequently. How about running Kismet for a minute, then running aireplay-ng on the parsed-out XML file? Or maybe keep Kismet running full time, and after every minute parse out the relevant data to a different file, then clear out the Kismet XML file. Then, when deauthing, loop through all the MACs while checking them against the pineapple's connected MACs. Thank you Robin for your work(s) :)
barry99705 Posted February 28, 2012 (edited)

Renderman has a script on his site, whenever it comes back up, that was for running a Kismet drone on WRT54Gs. It would make it so the access point would hop channels. I'll post it up here as soon as I find it. I'm sure I have it somewhere.... Found it on beakmyn's site.

    root@OpenWrt:~# vi /etc/init.d/S70JW_scan
    #!/bin/sh
    # Channel hopper for a Broadcom (wl) radio acting as a Kismet drone.
    # Cycles through channels 1-11 forever, dwelling one second on each,
    # in the non-adjacent order 1,6,11,2,7,3,8,4,9,5,10 so that consecutive
    # hops never land on overlapping channels.
    while : ; do
        for ch in 1 6 11 2 7 3 8 4 9 5 10 ; do
            wl channel "$ch"
            sleep 1
        done
    done

Edited February 28, 2012 by barry99705
Dioxin Posted February 28, 2012

Is it not possible for the MK4 to share the WiFi device on the MK3, such that the MK4 is the one controlling the WiFi on the MK3? I remember reading something about everything in Linux being treated as a file. Alternatively, set up some form of file share between the MK4 and MK3 :) That should dodge the limitations in the MK3. Also, I'm not quite sure I understand what you mean by "backpack" :(
barry99705 Posted February 28, 2012

> Also, I'm not quite sure I understand what you mean by "backpack" :(

Think of it as a router sandwich. ;) They are directly connected by an Ethernet cable, and the MkIV is running the show.
barry99705 Posted February 28, 2012

> "Naysayers"? Why the name, I'm curious? Concept looks great, but assume for a second that you hooked up another wireless interface via the USB on the MK4... Why not use that as the radio to do the same thing?

You're reading it wrong. It's Neinsager, or roughly translated "No Man".
digininja Posted February 28, 2012

> "Naysayers"? Why the name, I'm curious? Concept looks great, but assume for a second that you hooked up another wireless interface via the USB on the MK4... Why not use that as the radio to do the same thing?

Jasager says yes to everything to lure them in; Neinsager says no to all connections to kick users off other APs. The two devices would be connected via Ethernet: the MK4 has two wired NICs, so one is connected between the two devices.
bobbyb1980 Posted February 29, 2012

I have been playing with similar ideas in an attempt to make a simple WiFi toolkit based in Python and bash (first one). For what I was doing, subprocess in Python worked for executing programs and popping their output into other modules (like running airodump, IDing client MACs, then piping info into aireplay-ng, etc). This tutorial helped a lot. It's mostly about Python, but it explains modules used to accomplish some of the same concepts in bash.

http://jimmyg.org/blog/2009/working-with-python-subprocess.html
Whistle Master Posted March 7, 2012

Any news, Darren, regarding this lovely feature :) ?
Sebkinne Posted March 7, 2012

Whistle Master,

The feature is in the works and should be included in the next major upgrade.

Best,
Sebkinne
Darren Kitchen (Author) Posted March 7, 2012

Been busy with prep for SXSW, but I will get back to this as soon as that's over. This is kind of a pet project and I'd like to see it blossom. Though the more I research, the more I realize that with kmod-rtl8187 an Alfa AWUS036H could do the trick over USB, which is a less expensive (both money and battery) option that may work.
PineDominator Posted April 2, 2012 (edited)

> Been busy with prep for SXSW, but I will get back to this as soon as that's over. This is kind of a pet project and I'd like to see it blossom. Though the more I research, the more I realize that with kmod-rtl8187 an Alfa AWUS036H could do the trick over USB, which is a less expensive (both money and battery) option that may work.

Darren, is this still coming soon? I like the idea of using another Mark 4, because I could use that as a deauther/Reaver/another thing like this, but right now the Mark 4 is not set up to connect to another Mark 4, plus a way to control the second from the first is needed, maybe a UI implementation? The idea of using the AWUS036H is great as well, and it would be awesome to get it in the next release. Also, Alfa has an updated AWUS036NH, the AWUS036NHA. It uses an Atheros AR9271 chipset, and I thought maybe it could be used as the Karma interface, seeing that it has the potential for more power output. Just a thought. Keep up the great work, thanks again.

Edited April 2, 2012 by petertfm
gamephreaker Posted May 9, 2012

Do you mean the next major update after 2.0.0? I can't wait to try Tango Mode / Neinsager Backpack. It would be kinda cool if we could use either the MkIII or the Alfa, whatever the user chooses. I strongly look forward to seeing this.
Darren Kitchen (Author) Posted May 9, 2012

Yes, it is on my agenda. I have time freeing up in the next few weeks and will make this a priority. Might need some beta testers. Stay tuned :)
SilverExploit Posted May 9, 2012 (edited)

> Yes, it is on my agenda. I have time freeing up in the next few weeks and will make this a priority. Might need some beta testers. Stay tuned :)

Sounds awesome :) If you need help/programmers with bash/Python scripting and piping, send me a message. I am particularly good with piping ;D. Unfortunately I only have one Pineapple MK4, so I won't be able to test the whole thing... yet...

Edited May 9, 2012 by SilverExploit
barry99705 Posted May 9, 2012

I can beta. I've got one MK4 and two MK3s.
PineDominator Posted May 9, 2012 (edited)

+1

2 Hornet-UB MK4
1 AP51 MK3
1 OpenMesh MK3
and a few Alfa WiFi cards

Edited May 9, 2012 by petertfm