C0NFUS3D, posted August 17, 2012:
I'm having problems getting devices to "secretly connect" to the pineapple that are probing for a remembered WPA-secured network that is in the area. These devices connect to the actual AP, not the pineapple. Is there anything I can do here to get these devices to connect to the pineapple instead?

telot, posted August 17, 2012:
The pineapple only attracts OPEN probe requests - no WPA/WEP/RADIUS will be responded to.
telot

C0NFUS3D (thread author), posted August 17, 2012:
Is there any hope in changing this, so it would answer all requests? Not that I'm necessarily looking for specific instructions, but is this possible to do?

PineDominator, posted August 17, 2012 (edited August 17, 2012 by petertfm):
If you look in the karma log in /tmp you will see that these WPA/WEP requested SSIDs are happening but fail to fully connect. If their network is not close enough, they can continue to ask the pineapple for said networks and fail.

Malachai, posted August 17, 2012:
I think that's why you have the USB connected with the wordlist to try to crack it ... I remember Darren talking about doing this in one of the shows. Having a good word list so you would be able to see if you could get in using the pineapple... That would be a good project to work on.

digininja, posted August 17, 2012:
Short answer, no, nothing you can do.
The reason is that the device doesn't have the keys for either WEP or WPA so can't complete the authentication phase of the connection so the clients won't connect. If you were able to get the keys for the encryption then you could create a fake access point but at that point you wouldn't need Karma as you could just set up a normal AP with the known keys.

BrianWGray, posted August 31, 2012:
I've been searching for threads that might lead to others that have already configured their Pineapples to accept WPA2-Enterprise connections. I haven't had much success to this point.
My intention is to configure the Pineapple to authenticate WPA2-Enterprise to War Radius (Freeradius-wpe) over an SSH tunnel. I have had great success with misconfigured corporate phones and workstations accepting false certificates or users blindly accepting a new certificate in the supplicant using standard access points or hostap.
I would love to see if it is reasonable to build a package like Joshua Wright's freeradius-wpe (http://www.willhackforsushi.com/?s=freeradius) on the Pineapple which would make the configuration even more useful.
Are there any existing threads that I'm not finding on this or a similar subject?

korang, posted September 1, 2012:
I thought that if you probed for SSID "myhomerouter", Karma would answer, non-dependent of security settings.

PineDominator, posted September 1, 2012 (edited September 1, 2012 by petertfm):
> I thought that if you probed for SSID "myhomerouter", Karma would answer, non-dependent of security settings.
Karma does answer; you can see in the latest firmware 2.6.1 that the log now shows all probe responses. But when the client is doing its encryption thing right after it associates, that's where it falls apart. The pineapple can't do a thing because it does not know the key, regardless if it's WEP or WPA. Very rarely a client will drop to no encryption.

Scale, posted September 1, 2012:
Maybe off topic: My pineapple successfully impersonated a WEP AP. It even displayed as security type WEP in Windows.

mondrianaire, posted September 1, 2012:
> Maybe off topic: My pineapple successfully impersonated a WEP AP. It even displayed as security type WEP in Windows.
Are you sure about this? Verified with IP settings?

Scale, posted September 1, 2012:
> Are you sure about this? Verified with IP settings?
I didn't verify IP settings, but no Ethernet cable was connected and I could still browse the web interface.

Sebkinne, posted September 1, 2012:
> Are you sure about this? Verified with IP settings?
You know, had I not seen this happen myself I would be skeptical too. Some clients will just swallow it.

mondrianaire, posted September 1, 2012:
That seems crazy to me. Scale - Do you know what the client was running? Any special wifi management software on it?
This whole thing has brought up an idea. I understand that karma responds to probe requests and that the authentication fails on (client) saved networks that are not open. This causes the client to not be able to associate with the pineapple. I also understand that because of the nature of WPA's 4-way handshake it is impossible to spoof authentication because the PSK is never actually exchanged.
My question is this though: wouldn't it (theoretically) be possible to, if you know the PSK of a victim AP, set up the pineapple with identical encryption & PSK and then karma would work for that probe? I understand that this would only work for a single encryption schema at a time (a single AP), but if you are trying to target a single victim, instead of the general 'wander until you find victims', this seems to be the best way. Deauthing a target would then cause them to connect to your pineapple regardless of the security of the target network.
Is this (theoretically) possible? Or is there something that prevents it within 802.11x that I am missing/do not understand?

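Added example (not part of any post in this thread): the points made above by digininja and PineDominator, that a client will not finish connecting to an AP that lacks the key, and by mondrianaire, that the PSK itself is never sent, both follow from the WPA2-PSK key derivation. The Python sketch below uses constructed MAC addresses, nonces and a stand-in for EAPOL-Key message 3; the function names are illustrative, and the SSID is the one korang mentions.

```python
import hashlib
import hmac

def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk(pmk_: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-384 (CCMP): mix PMK, both MAC addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk_, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(3))
    return b"".join(blocks)[:48]

def mic(ptk_: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC (key descriptor v2): HMAC-SHA1 under KCK = PTK[0:16]."""
    return hmac.new(ptk_[:16], frame, hashlib.sha1).digest()[:16]

# Constructed sample values (not captured traffic).
SSID = "myhomerouter"
AA = bytes.fromhex("02aabbccdd01")      # AP MAC address
SPA = bytes.fromhex("02aabbccdd02")     # client MAC address
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
MSG3 = b"constructed stand-in for EAPOL-Key message 3 with MIC field zeroed"

def client_accepts_msg3(client_passphrase: str, ap_passphrase: str) -> bool:
    """True if the MIC the AP puts on message 3 verifies under the client's KCK."""
    client_ptk = ptk(pmk(client_passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    ap_ptk = ptk(pmk(ap_passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    # Only values derived from the passphrase cross the air, never the passphrase.
    return hmac.compare_digest(mic(ap_ptk, MSG3), mic(client_ptk, MSG3))

if __name__ == "__main__":
    saved = "constructed-client-passphrase"
    print("AP holding the same passphrase:", client_accepts_msg3(saved, saved))
    print("AP without the passphrase:", client_accepts_msg3(saved, "some-other-guess"))
```

The client checks the message 3 MIC before installing keys, so an AP that only answers the probe has nothing valid to send at that step.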