Autoconnect To Pineapple

[C0NFUS3D]

I'm having problems getting devices to "secretly connect" to the pineapple that are probing for a remembered WPA secured network that is in the area. These devices connect to the actual AP, not the pineapple. Is there anything I can do here to get these devices to connect to the pineapple instead??

[telot]

The pineapple only attracts OPEN probe requests - no wpa/wep/radius will be responded to.

telot

[C0NFUS3D]

is there any hope in changing this, so it would answer all requests?

not that I'm necessarily looking for specific instructions, but is this possible to do?

[PineDominator]

if you look in the karma log in /tmp you will see that these wpa/wep requested ssids are happening but fail to fully connect, if there network is not close enough they can continue to ask the pineapple for said networks and fail

Edited August 17, 2012 by petertfm

[Malachai]

I think that's why you have the usb connected with the wordlist to try to crack it ... I remember darren talking about doing this in one of the shows. Having a good word list so you would be able to see if you could get in using the pineapple... That would be a good project to work on.

[digininja]

Short answer, no, nothing you can do.

The reason is that the device doesn't have the keys for either WEP or WPA so can't complete the authentication phase of the connection so the clients won't connect.

If you were able to get the keys for the encryption then you could create a fake access point but at that point you wouldn't need Karma as you could just set up a normal AP with the known keys.

[BrianWGray]

I've been searching for threads that might lead to others that have already configured their Pineapples to accept WPA2-Enterprise connections. I haven't had much success to this point.

My Intention is to configure the Pineapple to authenticate WPA2-Enterprise to War Radius (Freeradius-wpe) over an SSH tunnel. I have had great success with miss-configured corporate phones and workstations accepting false certificates or users blindly accepting a new certificate in the supplicant using standard access points or hostap. I would love to see if it is reasonable to build a package like Joshua Wright's freeradius-wpe (http://www.willhackforsushi.com/?s=freeradius) on the Pineapple which would make the configuration even more useful.

Are there any existing threads that I'm not finding on this or a similar subject?

[korang]

I thought that if you probed for SSID "myhomerouter", Karma would answer, non-dependent of security settings.

[PineDominator]

I thought that if you probed for SSID "myhomerouter", Karma would answer, non-dependent of security settings.

karma does answer, you can see in the latest firmware 2.6.1 that the log now shows all prob responses. but when the client is doing it's encryption thing right after it associats thats where it falls apart, pineapple cant do a thing because it does not know the key, regardles if its wep or wpa.

Very rarely a client will drop to no encryption.

Edited September 1, 2012 by petertfm

[Scale]

Maybe off topic:

My pineapple succesfully impersonated a WEP AP. It even displayed as security type WEP in windows.

[mondrianaire]

Maybe off topic:

My pineapple succesfully impersonated a WEP AP. It even displayed as security type WEP in windows.

Are you sure about this? Verified with IP settings?

[Scale]

Are you sure about this? Verified with IP settings?

I didn't verify IP settings, but no ethernet cable was connected and i could still browse the web interface.

[Sebkinne]

Are you sure about this? Verified with IP settings?

You know, had I not seen this happen myself I would be skeptical too.

Some clients will just swallow it.

[mondrianaire]

That seems crazy to me. Scale - Do you know what the client was running? Any special wifi management software on it?

This whole thing has brought up an idea. I understand that karma responds to probe requests and that the authentication fails on (client) saved networks that are not open. This causes the client to not be able to associate with the pineapple. I also understand that because of the nature of WPA's 4 way handshake it is impossible to spoof authentication because the PSK is never actually exchanged. My question is this though, wouldn't it (theoretically) be possible to, if you know the PSK of a victim AP, set up the pineapple with identical encryption & PSK and then karma would work for that probe.

I understand that this would only work for a single encryption schema at a time (a single AP), but if you are trying to target a single victim, instead of the general 'wander until you find victims', this seems to be the best way. Deauthing a target would then cause them to connect to your pineapple regardless of the security of the target network.

Is this (theoretically) possible? Or is there something that prevents it within 802.11x that I am missing/do not understand?