Vulture (Author), posted April 24, 2012:

With the recent update to Site Survey the pineapple is now morphing into an AP based attack platform instead of just focusing on clients (KARMA). I believe the flagship of projects that highlights AP based attacks is Aircrack-ng; once you have become knowledgeable with the ins and outs, a python script named Wifite automates much of the process. I have taken the Wifite r68 version and modified it slightly for the pineapple.

What this script does: Any capture you are making via Site Survey can have this script run against it. It will execute a series of attacks based on the type of AP, WEP/WPA. WPA attacks will attempt to deauth then capture a quality handshake, then strip the excess capture data out of the resulting file. WEP attacks follow a multiple stage attack that is better covered on the Wifite support page. Both methods will hide your MAC.

What this script does not do: This script does not crack WEP or WPA captures, it simply produces the capture files for offsite processing. Using any attack method is very taxing on the pineapple and tends to lock it up in my experience.

Prerequisites:
- Pineapple IV 1.1.1
- USB Drive
- Installed Modules: OPKG, Site Survey
- OPKG Packages to USB: pyrit, sslstrip (This will also ensure you have all python libraries)

1) Download the script: http://www.2shared.com/file/zusD0Q7S/wifite.html
2) Download the http://scapy.net/ 2.0 file and unzip, then transfer to your USB drive on your pineapple
3) Through an SSH terminal execute "python setup.py install" in the directory you transferred the scapy directory into.
4) Open the web interface for the pineapple and go to the Site Survey module; make sure captures are installed to USB, if not this won't work.
5) Execute the script via "python wifite.py --file {CAPTURE FILE NAME} --ivs {#}", see notes below:
   - {CAPTURE FILE NAME} - Name of the capture file in /usb/captures; this will be something like capture_####.cap, you only need the capture_#### part, NOT THE EXTENSION. Directory is assumed to be /usb/captures/
   - {#} - The number of IVS to capture before stopping, only applicable for WEP APs

-Vulture
bobbyb1980, posted April 24, 2012:

I've been doing a lot of stuff similar to this lately. Sitwon was nice enough to give me some advice in a thread I made in the application forums. It appears that this script is heavily reliant on "find" which I have been advised not to use. I rewrote one of the functions to use regex which will allow much more versatility when parsing info. I'll have to time it to verify but I think it's faster also.

```python
import re
import subprocess

TARGETS = []  # MAC addresses found so far

# six pairs of hex digits separated by ':' or '-'
searchmac_string = r'([a-fA-F0-9]{2}[:\-]){5}[a-fA-F0-9]{2}'
searchmac = re.compile(searchmac_string)  # compile once, not once per line

def getmac(cmd):
    """cmd is the argv list of whatever command you want to run."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE)  # executes the process
    vis = proc.communicate()[0]  # waits for it and collects all of its stdout
    readable = vis.decode('utf-8', 'replace').split('\n')  # list of output lines
    for x in readable:  # iterates through the lines
        a = searchmac.search(x)  # first MAC on this line, if any
        if a:  # if the pattern is found, print it for humans and keep the text
            print(x[a.start():a.end()])
            TARGETS.append(a.group(0))
```
Vulture (Author), posted April 24, 2012:

> I've been doing a lot of stuff similar to this lately. Sitwon was nice enough to give me some advice in a thread I made in the application forums. It appears that this script is heavily reliant on "find" which I have been advised not to use. I rewrote one of the functions to use regex which will allow much more versatility when parsing info. I'll have to time it to verify but I think it's faster also.
>
> ```python
> import re
> import subprocess
>
> TARGETS = []  # MAC addresses found so far
>
> # six pairs of hex digits separated by ':' or '-'
> searchmac_string = r'([a-fA-F0-9]{2}[:\-]){5}[a-fA-F0-9]{2}'
> searchmac = re.compile(searchmac_string)  # compile once, not once per line
>
> def getmac(cmd):
>     """cmd is the argv list of whatever command you want to run."""
>     proc = subprocess.Popen(cmd, stdout=subprocess.PIPE)  # executes the process
>     vis = proc.communicate()[0]  # waits for it and collects all of its stdout
>     readable = vis.decode('utf-8', 'replace').split('\n')  # list of output lines
>     for x in readable:  # iterates through the lines
>         a = searchmac.search(x)  # first MAC on this line, if any
>         if a:  # if the pattern is found, print it for humans and keep the text
>             print(x[a.start():a.end()])
>             TARGETS.append(a.group(0))
> ```

I know most of the programming communities have recommended regex over a "find" style command. I am not sure if it really makes a big difference here since most of the reads are done in a polling style with seconds between them. I noticed after I posted that there was a much newer version on the google code site that looks coded much cleaner, however I just wanted functionality and thought I would share. I know this script works well on both WEP and WPA (without reaver) attacks and was easily producing 50000 IVS in about 5 minutes. Handshakes are also captured quite quickly without much user interaction and running a single instance has never locked my pineapple. Let me know if you notice any difference using regex but I usually see loads around 2.0 when both this script and Site Survey's capture is running.
bobbyb1980, posted April 24, 2012:

First off, I'm still a n00b when it comes to python, well computers in general, so don't mark what I say in stone. To my knowledge, regex is going to be faster because it uses C libraries or is somehow based on C. From what I have read C is always going to run a little faster than Python as it's already compiled (ie - the apache server w/java applet attack is going to be smoother than the python server w/java applet attack as apache is written in C). Regex is also a lot more versatile. Find is only going to match characters where regex is going to match character patterns.

I haven't messed with wifite-ng in a few weeks, but from what I remember, it had a little difficulty capturing WPA handshakes because it only sent 3 deauth packets one time then just waited. Perhaps the probability of a successful WPA handshake capture might increase if deauths are sent every minute or more than one time.

Another issue that this script has is that it's writing the output of airodump-ng to a file. While this isn't an 'incorrect' way of doing it, there are other ways you can pipe stdout so that you don't have to write to a file (which should also be faster) and it's more of a linuxy way of coding the function. If you look in the thread I made in the applications and coding forum Sitwon gives an explanation of how to code this.
PineDominator, posted April 24, 2012:

> Another issue that this script has is that it's writing the output of airodump-ng to a file. While this isn't an 'incorrect' way of doing it, there are other ways you can pipe stdout so that you don't have to write to a file (which should also be faster) and it's more of a linuxy way of coding the function. If you look in the thread I made in the applications and coding forum Sitwon gives an explanation of how to code this.

The pineapple only has 32MB of RAM; keeping the captured data in RAM would overload what's left over quickly.
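The two posts above raise three points that belong together: a regex matches a MAC address *pattern* where str.find only matches a fixed substring, a child process's stdout can be consumed through a pipe instead of being written to a file, and on a 32MB device that consumption should happen one line at a time rather than by buffering everything. The block below is an added example, written for this thread and not taken from wifite, Site Survey or any poster's code. The scanner-style table lines are constructed sample input, `run_and_stream()` and the child command that prints them are hypothetical stand-ins for a real tool, and the MAC regex is my own.

```python
import io
import re
import subprocess
import sys

# A MAC address: six pairs of hex digits separated by ':' or '-'. The lookarounds
# refuse matches that are part of a longer hex run (e.g. a seven-pair string),
# which is exactly the kind of pattern check str.find cannot express.
MAC_RE = re.compile(
    r'(?<![0-9A-Fa-f])(?<![0-9A-Fa-f][:-])'
    r'(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}'
    r'(?![:-]?[0-9A-Fa-f])'
)

# Constructed sample: lines in the style of a wireless scanner table (not a real capture).
SAMPLE_LINES = [
    " BSSID              PWR  Beacons  CH  ENC   ESSID",
    " 00:11:22:33:44:55  -42       10   6  WPA2  ExampleNet",
    " AA-BB-CC-DD-EE-FF  -70        3  11  WEP   Legacy",
    " station 00:11:22:33:44:55 client 66:77:88:99:AA:BB",
    "deadbeefcafe is not a MAC; 00:11:22:33:44:55:66 has seven pairs",
]


def normalize(mac):
    """Canonical form so 'aa-bb-..' and 'AA:BB:..' count as the same address."""
    return mac.upper().replace('-', ':')


def macs_in_line(line):
    """Every MAC address in one line of text, normalized, in order of appearance."""
    return [normalize(m) for m in MAC_RE.findall(line)]


def find_style(line, needle):
    """The str.find approach: only answers whether a fixed substring occurs."""
    return line.find(needle) != -1


def stream_macs(byte_stream):
    """Consume a byte stream line by line and return the unique MACs seen.

    Only the current line and the list of results are held in memory, so this
    works the same on a 32MB device as on a laptop and never touches disk.
    """
    seen = []
    for raw in byte_stream:
        for mac in macs_in_line(raw.decode('utf-8', 'replace')):
            if mac not in seen:
                seen.append(mac)
    return seen


def sample_command():
    """Hypothetical child process: a Python one-liner that prints SAMPLE_LINES,
    standing in for whatever scanner you would really run."""
    text = ''.join(line + '\n' for line in SAMPLE_LINES)
    return [sys.executable, '-c', 'import sys; sys.stdout.write(%r)' % text]


def run_and_stream(cmd):
    """Spawn cmd and feed its stdout pipe straight into stream_macs()."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE)
    try:
        return stream_macs(proc.stdout)
    finally:
        proc.stdout.close()
        proc.wait()


if __name__ == '__main__':
    # Offline demonstration over the constructed lines, then the same through a pipe.
    as_bytes = io.BytesIO(''.join(l + '\n' for l in SAMPLE_LINES).encode())
    print(stream_macs(as_bytes))
    print(run_and_stream(sample_command()))
    # str.find happily accepts the seven-pair string; the regex does not.
    print(find_style("00:11:22:33:44:55:66", "00:11:22:33:44:55"), macs_in_line("00:11:22:33:44:55:66"))
```

`stream_macs()` deliberately takes any iterable of byte lines, so the same code is exercised by an in-memory `BytesIO` in tests and by `proc.stdout` in the field; nothing is written to a file at any point.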
Vulture (Author), posted April 24, 2012:

> First off, I'm still a n00b when it comes to python, well computers in general, so don't mark what I say in stone. To my knowledge, regex is going to be faster because it uses C libraries or is somehow based on C. From what I have read C is always going to run a little faster than Python as it's already compiled (ie - the apache server w/java applet attack is going to be smoother than the python server w/java applet attack as apache is written in C). Regex is also a lot more versatile. Find is only going to match characters where regex is going to match character patterns.
>
> I haven't messed with wifite-ng in a few weeks, but from what I remember, it had a little difficulty capturing WPA handshakes because it only sent 3 deauth packets one time then just waited. Perhaps the probability of a successful WPA handshake capture might increase if deauths are sent every minute or more than one time.
>
> Another issue that this script has is that it's writing the output of airodump-ng to a file. While this isn't an 'incorrect' way of doing it, there are other ways you can pipe stdout so that you don't have to write to a file (which should also be faster) and it's more of a linuxy way of coding the function. If you look in the thread I made in the applications and coding forum Sitwon gives an explanation of how to code this.

I completely agree with the last part on outputting to the file, however this script is meant to integrate with Site Survey in the next few versions. Essentially it is primed to display this log in Site Survey so the user never needs to go into a bash session :) Wifite in my opinion, at least version 68, does a pretty bang up job on IVS gathering and handshake acquiring. For WPA handshakes the script deauths the AP, then adds each client to its deauth list and continues to deauth a client every 3 seconds.

There are still issues with the script I am working out and will post them, but this wasn't really meant to be a clean code job, just a get it working without issues job. B) I would encourage anyone out there that wants to enhance this, or publish a script of their own, to do so. It will only assist further with Site Survey down the road.
E1337Recon, posted April 25, 2012:

I've looked through the script a bit but I'm still quite confused. How exactly do we work this with Site Survey? I ran the script from an SSH session and it just made a bunch of monitors (mon0-mon9) and then I had to force-quit the session. So either it's a configuration mistake on my part (most likely) or I simply don't know how to utilize this script correctly.
PineDominator, posted April 25, 2012:

Vulture, so this script does not find WEP keys or crack WPA keys. It's just preparing the captured packets from Site Survey? Why not run this on the computer before you run the full crack? I think I am missing something.
Vulture (Author), posted April 25, 2012:

> Vulture, so this script does not find WEP keys or crack WPA keys. It's just preparing the captured packets from Site Survey? Why not run this on the computer before you run the full crack? I think I am missing something.

The intent is not to need a PC/laptop for the field work. The script captures the necessary information to perform offsite cracking of the IVS and handshake. You likely aren't going to crack a handshake in the field anyways. Think of it almost as war-harvesting in a sense.
Vulture (Author), posted April 25, 2012:

> I've looked through the script a bit but I'm still quite confused. How exactly do we work this with Site Survey? I ran the script from an SSH session and it just made a bunch of monitors (mon0-mon9) and then I had to force-quit the session. So either it's a configuration mistake on my part (most likely) or I simply don't know how to utilize this script correctly.

You probably are not running any current captures with Site Survey; the script is bound to mon0, which is assumed when you are using Site Survey. However, mon.wan0 is the default if you have not down/up'd the adapters. If you have, it is very odd because there are no calls to airmon-ng in the script. It does not work directly with Site Survey right now; it requires you to start the capture via Site Survey, then using the terminal execute the script against the captured file.
E1337Recon, posted April 25, 2012:

Oh alright, I get it now. The only thing now is how do I change Site Survey to write to /usb/captures? I looked and I can't seem to find anything about that.
Whistle Master, posted April 25, 2012:

> Oh alright, I get it now. The only thing now is how do I change Site Survey to write to /usb/captures? I looked and I can't seem to find anything about that.

For the moment you can't with v1.3.6 of Site Survey. I sent v1.4 to Seb. Just wait for it and you will have everything ready to use ;)
Whistle Master, posted April 25, 2012:

Latest version 1.4 of Site Survey is out ;)
Whistle Master, posted April 25, 2012:

v1.5 is on the way with a new feature: execution of custom scripts on the selected AP and captured file ;)
shadowmmm, posted April 25, 2012:

Thx WM
Darren Kitchen, posted April 29, 2012:

+1 WM & Vulture! A tutorial is in order :)
GermanMeat, posted May 15, 2014:

Did a tutorial ever come of this? I never saw one. Cheers

Edited May 15, 2014 by WilsonB
Allucard, posted December 3, 2014:

Can you revive the link for the wifite.py again???
newbi3, posted December 3, 2014:

> Can you revive the link for the wifite.py again???

It's faster to google it than wait for a response, but here is the wifite github: https://github.com/derv82/wifite
Fallen Archangel, posted February 26, 2015:

Any chance of this being revived? I know it hasn't been updated lately, but I'd really like to see this on the MK5. I don't know much python, but I'd try learning it again to help if needed.
Vulture (Author), posted April 20, 2015:

Yes, I will look into this over the next few days; I just got a Mark V to play with, so I should be able to transition this into the Mark V infusion.
scorpionsting6x3, posted April 23, 2015:

Thanks for keeping up with this thread Vulture. I would like to see wifite on the pineapple MK V as well.