
Hi Guys,

I should receive my pineapple tomorrow and I've been reading the entire forum, wiki, and manual, but besides some similarity with WM and Digininja's interceptor project, I think this one is a bit different.

I want to put CoovaChilli or ChilliSpot on the pineapple; since it's already supported on OpenWrt, I assume it should be an easy task... unless some of you already tried and can share your success? I know how to configure it and install it on CentOS and Ubuntu, but the limited resources on the pineapple may bring some challenges.

I also want to put tinyproxy and privoxy on it in order to inject content into passing traffic. I have limited experience with those and I'm currently getting it to work on CentOS, but that's just for a proof of concept; my main goal is the captive portal.

I consider myself experienced with captive portals and I want to see how deep down the hole I can go on such a limited device.

The goal of this experiment is to simulate the following scenario that I think is happening in a hotel where I manage the network...

- Hacker powers on his pineapple in Jasager + NAT mode

- Hacker copies the splash page and stores it on the pineapple web server for future use

- Client roams close to the hacker and autojoins the pineapple

- Client is presented the legit splash page to enter his credentials

- Client authorises the pineapple, not his device (because of NAT), to use internet on the network

- Hacker has free internet now, but it doesn't stop there, although it could in theory... that's where I want to dig deeper

- Hacker turns on his own captive portal and redirects the splash to the pineapple web server where a copy of the legit splash page is stored.

- Another client roams close to the hacker and autojoins.

- Client 2 enters his credentials and the pineapple captive portal is set to accept any.

- On top of that the hacker inserts a key logger in client 1 and 2's traffic while they were in range and you know...

- Client gets online, but his credentials were not used and can be resold to client 3 under the table at a discount by the hacker (maybe)

- Clients 1 and 2 roam away from the hacker and can't connect as the legit captive portal says already connected (then I get complaints)

- Client 3 is satisfied, he bought the credentials at a discount and can roam until client 2 complains and the credentials get reset.

As you can see, that makes a lot of unhappy clients; they think my network sucks. Most complaints of similar incidents were reported by iPhone users so far. That doesn't happen all the time; it's been 6 months since the last time one of the hotel networks I manage was hacked seriously, and we are very serious about security. I can tell on the map where he is spoofing but don't have enough proof to perform a physical body inspection; hopefully he's leaving this weekend. We are using Meraki APs and a custom CentOS Layer 3/7 gateway/firewall/captive portal with IDS.

By documenting and proving that this is possible, I will be able to reach out to my client and explain the situation regarding sporadically unsatisfied users, as well as putting in place a contingency plan to make my public network a safe place.

Tell me what you think; any suggestions or comments are welcome. Maybe a captive portal and captive frame module could emerge from that.


If we focus on steps 1 to 5 of the scenario then it's just a matter of detecting and blocking NAT'ed traffic on the LAN, which to my understanding requires NAC and/or Layer 3 switches and APs. This would prevent the hacker from being able to obtain internet access with someone else's login behind the hacker's NAT (this can also be done with dd-wrt and such...)

But as soon as he proceeds to step 6+, turning on his own captive portal with an identical splash page to the legit one, he doesn't even need to be connected to my network to trick users into revealing their credentials. (Steps 1 to 5 and the rest can be viewed as 2 different and independent issues, but more persuasive when combined.) The second issue can also be realized without a captive portal, just with DNS spoofing (still less convincing as the client will not gain access after authenticating)...

So what I can see from my network is:

- there is a yes man (heard by my AP when he says yes I'm 'myssidname')

- there is NAT'ed traffic (I can see the TTL) but I do not have the ability to stop it without stopping other legit clients too, and TTL can be spoofed anyway

- I can see credential collisions in the RADIUS log; I could allow 2 connections, which would satisfy the hacker and the legitimate user, everybody could be happy, but what if he isn't there just for free wifi...

What I'm doing about it:

- Trying to make a module to expose this issue if there is any interest in that, and learn about it

- Front desk staff now ask iStuff users to disable autologin when we sell them access - silly but true

- Move toward RADIUS/WPA Enterprise so I can have an encrypted public network with guest access and a different WPA2 passphrase for every guest :D

All that because of a fruity little device ;) Next week the guy will have moved on, but that really got me tinkering.

EDIT - only steps 1 to 5 have been observed, the rest is hypothetical...

Edited by madhak
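The two signals madhak lists above, credential collisions in the RADIUS log and TTL values that betray a NAT hop, can be checked mechanically from the hotspot side. The following Python is an added example written for this thread, not code from any of the posts or from the Pineapple project. The RADIUS accounting line format, the flow records and the "one below 64/128/255" heuristic are constructed assumptions, and, as the post already notes, the TTL check is only a hint because a NAT device can rewrite TTL.

```python
"""Defender-side checks for two signals visible from the hotspot side:
credential collisions in RADIUS accounting (one username active from more
than one client MAC at once) and IP TTL values that suggest a NAT router
sitting between a client and the access point. All records below are
constructed for illustration, not taken from a real RADIUS or packet log."""

from collections import defaultdict

# Constructed RADIUS accounting events. Assumed line format:
#   <timestamp> <Acct-Status-Type> <User-Name> <Calling-Station-Id>
SAMPLE_ACCT_LOG = """\
2012-05-10T09:00:01 Start guest1234 00:11:22:33:44:55
2012-05-10T09:05:12 Start guest5678 66:77:88:99:aa:bb
2012-05-10T09:07:40 Start guest1234 de:ad:be:ef:00:01
2012-05-10T09:30:00 Stop guest5678 66:77:88:99:aa:bb
2012-05-10T09:31:15 Start guest5678 66:77:88:99:aa:bb
2012-05-10T10:00:00 Stop guest1234 00:11:22:33:44:55
"""

# Initial TTLs commonly set by operating systems (64: Linux/macOS/iOS,
# 128: Windows, 255: some network gear). A client directly on the wireless
# LAN reaches the gateway with its initial TTL intact; a client behind a NAT
# router arrives one hop lower. This is a hint only: a NAT box can rewrite TTL.
COMMON_INITIAL_TTLS = (64, 128, 255)

# Constructed flow summaries: (client MAC seen by the AP, source IP, IP TTL).
SAMPLE_FLOWS = [
    ("00:11:22:33:44:55", "10.0.0.12", 64),
    ("de:ad:be:ef:00:01", "10.0.0.77", 63),
    ("de:ad:be:ef:00:01", "10.0.0.77", 127),
    ("66:77:88:99:aa:bb", "10.0.0.34", 128),
]


def credential_collisions(log_text):
    """Return {username: sorted list of MACs} for every username that was
    active from two or more distinct MACs at the same time. Events are
    replayed in order: Start adds a MAC to the user's active set, Stop
    removes it, and a Start from a second MAC while another is still
    active is a collision. A user reconnecting after a Stop is not."""
    active = defaultdict(set)
    collisions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, status, user, mac = line.split()
        mac = mac.lower()
        if status == "Start":
            active[user].add(mac)
            if len(active[user]) > 1:
                collisions[user] = sorted(active[user])
        elif status == "Stop":
            active[user].discard(mac)
    return collisions


def ttl_anomalies(flows):
    """Return {mac: [reason, ...]} for client MACs whose traffic either shows
    a TTL one below a common initial value (one NAT hop) or several distinct
    TTLs (several different hosts sharing one MAC, i.e. a router)."""
    ttls_by_mac = defaultdict(set)
    for mac, _ip, ttl in flows:
        ttls_by_mac[mac.lower()].add(ttl)
    suspects = {}
    for mac, ttls in ttls_by_mac.items():
        reasons = []
        if any(t + 1 in COMMON_INITIAL_TTLS for t in ttls):
            reasons.append("TTL one below a common initial value")
        if len(ttls) > 1:
            reasons.append("multiple TTLs behind one MAC")
        if reasons:
            suspects[mac] = reasons
    return suspects


def correlate(log_text, flows):
    """MACs that both took part in a credential collision and show a TTL
    anomaly: the strongest case for a NAT device reusing someone's login."""
    colliding = {m for macs in credential_collisions(log_text).values() for m in macs}
    return colliding & set(ttl_anomalies(flows))


if __name__ == "__main__":
    for user, macs in credential_collisions(SAMPLE_ACCT_LOG).items():
        print(f"collision: {user} active from {', '.join(macs)}")
    for mac, reasons in ttl_anomalies(SAMPLE_FLOWS).items():
        print(f"ttl anomaly: {mac}: {'; '.join(reasons)}")
    print("correlated:", sorted(correlate(SAMPLE_ACCT_LOG, SAMPLE_FLOWS)))
```

On the sample data, guest1234 collides (two MACs active at once) while guest5678 does not (it stopped before reconnecting), and only the MAC that also shows a NAT-like TTL pattern survives the correlation. Either signal alone produces false positives on a busy guest network; the combination is what is worth raising an alert on, and the post's own remedy, per-guest WPA2 Enterprise credentials, removes the shared-login problem at the root.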

[...]

I also want to put tinyproxy and privoxy on it in order to inject content into passing traffic. I have limited experience with those and I'm currently getting it to work on CentOS, but that's just for a proof of concept; my main goal is the captive portal.

[...]

For this point, digininja and I have been working on the subject :)

At the moment, there is the mitm module which could help you, and the work-in-progress keylogger module, based on digininja's proxy.


Do you have any spare access points, so that you can turn your Meraki's AirMarshal mode on to continuous scan? If not, do you have AirMarshal on opportunistic scan? I haven't yet tested my new Meraki (I got the free one) with the pineapple to see if it's detected, but that might be one way to bust the culprit.

telot


@Telot yes I've tried AirMarshal; it does detect it, but because it is not spoofing my SSID I can't deauth it. There are a few hundred other SSIDs; we normally ban those that have the word "hotspot", which gets rid of people buying 1 internet and sharing it with, say, 5 friends... but for the pineapple, the malicious user could have spoofed another SSID that I do not manage and been white-listed...

Guys, please correct me if I'm wrong, although I'm going to be able to test this myself in a few hours (pineapple arrived in town, delivery scheduled for the end of the day :)) but the pineapple doesn't broadcast being such and such, it simply answers when someone asks, right? So there is no point trying to deauth it? It is clearly documented that it does not advertise but just answers yes...

@WM and Digininja, I'll have a look at the MITM module; also my idea about the logger actually came from reading your post about it ;) but the attacker could inject other less malicious traffic like ads from his own affiliate program... For my side, I'm looking at using the proxy I mentioned in the OP to add a persistent information and tool bar on top of my hotspot traffic (the legit use for it)...

So do you use a proxy for content injection or did you manage to do something with ebtables? I know ebtables is commonly used to redirect traffic to the l7-filter and perform traffic shaping, but I didn't know it can inject content? Maybe I got it wrong; I read digininja's blog last night and my head was about to explode (TMI man! very nice blog), need to reread it with a fresh mind after my coffee.

Thanks for your comments, I really appreciate that you took the time to look at this...

Edited by madhak

Because the Pineapple bridges the wifi and wired connections, iptables can't get access to the traffic directly. I used ebtables to intercept it and get it far enough up the stack so iptables can kick in and modify it.

Glad you like the blog.
