Jonathan Frias, posted April 6, 2012

I haven't seen anything about this yet, but I just wanted to know if there is anything that'll capture the wifi network credentials. Are they encrypted? We're already the man-in-the-middle, so would this be difficult?
Mr-Protocol, posted April 6, 2012

They are encrypted/hashed/salted.
niggizito, posted April 6, 2012

> I haven't seen anything about this yet, but I just wanted to know if there is anything that'll capture the wifi network credentials. Are they encrypted? We're already the man-in-the-middle, so would this be difficult?

Hi Jonathan,

If you're asking about capturing the shared passphrases used to authenticate users against an AP (WEP, WPA, etc.) then I don't think it's possible at all. Since you can "impersonate" those SSIDs, it really doesn't matter what encryption/authentication that SSID is using, because you're actually saying: Yes, I'm that SSID! So people will connect to you automatically.

Hope I answered your question. Cheers!
Mr-Protocol, posted April 6, 2012

If their OS decides to "fall back" to an open, non-encrypted connection, that is true. But it is rare for an OS nowadays to do so. They would need an open, non-encrypted network saved to their device, and then it would connect to the pineapple if set to auto-connect. You cannot impersonate a secure network due to how the handshaking works and how the password is validated in the handshaking process.
Vulture, posted April 6, 2012

This shouldn't be too difficult though. Basically aircrack provides this capability for WEP networks and the ability to capture the handshakes of WPA/WPA2 networks. What I would see is a module for capturing IVs (WEP) and handshakes (WPA) then sending them to a remote host for processing. You then have Reaver, which exploits a vulnerability in WPS for WPA/WPA2 networks, which is very effective, just time consuming. You should read over the documentation for aircrack and reaver to get a full understanding of what they are doing. Reaver, from my understanding, is installed on the Pineapple but does not function yet. I cannot confirm the working status but I know it is installed.
Mr-Protocol, posted April 6, 2012

> This shouldn't be too difficult though. Basically aircrack provides this capability for WEP networks and the ability to capture the handshakes of WPA/WPA2 networks. What I would see is a module for capturing IVs (WEP) and handshakes (WPA) then sending them to a remote host for processing. You then have Reaver, which exploits a vulnerability in WPS for WPA/WPA2 networks, which is very effective, just time consuming. You should read over the documentation for aircrack and reaver to get a full understanding of what they are doing. Reaver, from my understanding, is installed on the Pineapple but does not function yet. I cannot confirm the working status but I know it is installed.

I think reaver is ssh/cli only currently. No fancy GUI for it yet.
niggizito, posted April 6, 2012 (edited)

> If their OS decides to "fall back" to an open, non-encrypted connection, that is true. But it is rare for an OS nowadays to do so. They would need an open, non-encrypted network saved to their device, and then it would connect to the pineapple if set to auto-connect. You cannot impersonate a secure network due to how the handshaking works and how the password is validated in the handshaking process.

Hmmm, I was at the Motorola AirDefense demo showing how easy it was to "impersonate" ANY wireless network. The guy was using one of the first versions of the Fonera router/AP. I found myself connected to our 802.1x network SSID (WPA2 Enterprise/AES) at that very place.

Edited April 6, 2012 by niggizito
Mr-Protocol, posted April 6, 2012

The Fonera, or any pineapple/jasager for that matter, cannot emulate WPA/WEP/encryption without knowing the actual password, and even then I'm not sure Jasager has an option for it.
digininja, posted April 6, 2012

> Hmmm, I was at the Motorola AirDefense demo showing how easy it was to "impersonate" ANY wireless network. The guy was using one of the first versions of the Fonera router/AP. I found myself connected to our 802.1x network SSID (WPA2 Enterprise/AES) at that very place.

The closest you could get would be to use FreeRADIUS-WPE http://www.willhackforsushi.com/FreeRADIUS_WPE.html which runs a RADIUS server that automatically accepts any authentication offered to it. You may be technically authenticated but you won't actually be able to send any traffic, as the server won't know the actual credentials so won't be able to encrypt/decrypt the traffic.
RebelCork, posted April 6, 2012

I have been thinking of one Social Engineering hack using the pineapple to gain the user creds of wifi networks. My "theoretical" hack is:

Here, where I live, the cable company offers really cheap TV/internet packages, and I live in a student area of my town, so almost every wifi SSID is a variation of "***123456" with the cable company's name as part of the SSID. I have created a fake landing page with their logo and a simple "Enter your wireless password in this field" type box. Then, using mdk3/aireplay-ng, I deauth all clients on the network I want the password for; hopefully the computer connects to the pineapple, as I am now the available signal. Using the phishing scripts, I would be able to get passwords of other users.

Social Engineering 101 with a little pineapple as garnish.
Jonathan Frias (author), posted April 8, 2012

Interesting.. Thanks guys! :)
niggizito, posted April 9, 2012

> The closest you could get would be to use FreeRADIUS-WPE http://www.willhackforsushi.com/FreeRADIUS_WPE.html which runs a RADIUS server that automatically accepts any authentication offered to it. You may be technically authenticated but you won't actually be able to send any traffic, as the server won't know the actual credentials so won't be able to encrypt/decrypt the traffic.

Hmm, yes, I found myself connected to our enterprise SSID. But I was so astonished that I didn't check the possibility to browse. So I can't say anything. And I do remember the guy showed us the FreeRADIUS patch from Josh Wright.

Well, I thought that the Mark IV exploits management packets. Looks like I was wrong... or maybe partially :-)

Anyway, good discussion.
digininja, posted April 9, 2012

The 'exploit' we use is that clients probe for us (management packets) and tell us what they are looking for, and we just say yes, we are here, in the probe responses (also management packets). As we don't know any credentials, we can reply to requests for encrypted networks of any kind, so the association phase completes successfully, but then when the authentication starts things fail, as we don't know the keys so can't understand what the other side is saying.

If you had a really fast machine, and a client who was sticking around, then you could potentially collect credentials using Josh's app and crack them, then feed them back into the server so you could talk to the client. Possible, but not on a pineapple.
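To make concrete why association can complete while the WPA2-PSK 4-way handshake then fails, here is an added Python example (not from the thread or the Pineapple project) that derives the keys exactly as a client and a genuine AP would and checks the message 2 MIC; the MAC addresses, nonces and EAPOL frame body are constructed placeholders.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-384 over the sorted MAC addresses and nonces; the first 16 bytes of the
    # 48-byte PTK are the KCK, the key that authenticates the EAPOL-Key messages.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):  # three SHA-1 outputs give 60 bytes, truncated to 48
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    # WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def ap_accepts_msg2(client_passphrase: str, ap_passphrase: str, ssid: str) -> bool:
    """Simulate message 2 of the 4-way handshake. The client computes the MIC
    with the KCK derived from its saved passphrase; the AP recomputes it with
    the KCK derived from the passphrase it knows. Only a match lets the
    handshake continue, which is why an AP answering for an SSID without the
    PSK gets association but never a usable, encrypted session."""
    aa = bytes.fromhex("001122aabbcc")   # constructed AP MAC
    spa = bytes.fromhex("66778899ddee")  # constructed client MAC
    anonce = bytes(range(32))            # constructed nonces (real ones are random)
    snonce = bytes(range(32, 64))
    # Constructed EAPOL-Key message 2 body with the 16-byte MIC field zeroed.
    frame = b"\x02\x03\x00\x75\x02\x01\x0a" + bytes(16) + snonce + bytes(16) + bytes(24)
    client_kck = ptk_from_pmk(pmk_from_passphrase(client_passphrase, ssid), aa, spa, anonce, snonce)[:16]
    ap_kck = ptk_from_pmk(pmk_from_passphrase(ap_passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(client_kck, frame), eapol_mic(ap_kck, frame))


if __name__ == "__main__":
    print("genuine AP:", ap_accepts_msg2("correct horse battery", "correct horse battery", "HomeNet"))
    print("rogue AP  :", ap_accepts_msg2("correct horse battery", "wrong-guess", "HomeNet"))
```

The PMK derivation can be checked against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), and the same KCK mismatch is what a WIDS sees as a client that associates to a BSSID and then never completes the handshake.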
barry99705, posted April 9, 2012

> The 'exploit' we use is that clients probe for us (management packets) and tell us what they are looking for, and we just say yes, we are here, in the probe responses (also management packets). As we don't know any credentials, we can reply to requests for encrypted networks of any kind, so the association phase completes successfully, but then when the authentication starts things fail, as we don't know the keys so can't understand what the other side is saying.
>
> If you had a really fast machine, and a client who was sticking around, then you could potentially collect credentials using Josh's app and crack them, then feed them back into the server so you could talk to the client. Possible, but not on a pineapple.

I don't think anyone has a machine that fast!
digininja, posted April 9, 2012

It depends on how strong the password is and how long you have. If someone is on a flight and leaves their wifi on then you could have a few hours; that is plenty of time to crack it.
niggizito, posted April 9, 2012

> It depends on how strong the password is and how long you have. If someone is on a flight and leaves their wifi on then you could have a few hours; that is plenty of time to crack it.

Very good clarification! Thx a bunch!