
Sniffing open networks



Hi all,

As I understand the WiFi protocols after reading about them, I should be able to capture more or less all traffic on an open or WEP/WPA-protected network if I have the key.

I have tried doing that with my version 2.8.0 WiFi Pineapple MK IV. What I have tried is running:

killall hostapd
ifconfig wlan0 down
ifconfig wlan0 up
iwconfig wlan0 essid OPEN_NETWORK_SSID
airmon-ng start wlan0
tcpdump -i mon0

This gives me some packages, but a lot of packet loss, and it doesn't seem that I get the right packages.

I know it's probably a rookie question, or some basic understanding that is missing, but I can't seem to find the answer by googling it.

Could you please shed some light on this for me?

THANKS!


I am able to get that to work:

iwconfig wlan0 key 'xxxxx' mode managed essid 'nameofap' ap 11:11:11:11:11:11 channel 1

For instance. Take down the interface before the above command, bring it up afterwards, then let airodump-ng go: airodump-ng -w /usb/filename wlan0

When you connect to an encrypted AP you are going to need to get the four-way handshake for decrypting it afterwards. It will be encrypted in your pcap file. Use Wireshark on your Android/PC/etc. and google Wireshark decryption for explicit instructions. There is good documentation for it. One tip: enable the wifi bar so you don't have to search the options interface every time.

On capturing traffic: I am experimenting with this myself. I am finding with a basic 5 dB or 10 dB omnidirectional antenna the results are "meh". My theory is that this is because the APs have much more txpower than the clients (gaming systems, computers, wifi phones, etc.).

I am a little lost as to why everyone doesn't just use the system in monitor mode, why even have jasager/karma, but the results I have heard from karma are excellent (for instance, in malls; see the Ars Technica article on mobile bugs, a good article pimping the pineapple from Dan Kuykendall of NTO Objectives) versus the results I see from monitor mode, which are "meh".

Theoretically, you should be able to get enough bad traffic, if it is not SSL encrypted, if you keep it on open networks for a while to say "this network should not be open".

In practice, I am finding that not to be the case, myself, but I am a noob at this. (I am an ancient and professional sec guy, just have not worked with wifi much before.)


Please don't use your $100 pineapple as a $25 alfa dongle.

If you want to sniff networks, get a nice Linux-compatible wifi dongle like an Alfa and sniff using airodump-ng or kismet or whatever. Lock the channel to the network's channel to maximize packet capture.

The pineapple is precision-engineered for MITM. It acts as the path between the client and the internet. That way you are guaranteed to capture EVERYTHING that passes between the two, not just lucky grabs from the air.

Sniffing open networks is a grab bag of broken crap. You are wasting the capability of the pineapple if you use it that way.



The pineapple can do much more than just jasager/karma.

But can't the pineapple be used to do the MITM and be connected to BackTrack to do the rest, or no?

The pineapple clearly can do much more than just jasager (modified karma).

You can do every wifi pen test you need to do from it, and much more than that.

It has a far smaller form factor than your laptop, and will perform a lot better than your android phone with a usb dongle or modified wifi driver.

Karma/Jasager is one thing you can do with it very well. But you can also run Karma on your phone. Or take ten seconds to download and run DSploit, if you can't figure out hacked-up wifi drivers or getting BackTrack on there.

You should know that karma/jasager is detectable. You do not even need to spoof legacy SSIDs to it. You can just look at your wifi device and see that all of your legacy SSIDs are on the network.

Gee whiz, my work AP is here in the neighborhood? How did that happen?

That is, though, a useful test system.

I have, as well, had the pineapple running for a good ten hours on a single battery that is very small.

It has some cool UI features, though you should secure that.

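A defender-side check for the tell described in the post above: one radio (one BSSID) advertising every network name that clients probe for. This is an added example, not code from the thread or from the Pineapple project; the frames are constructed inline in the standard 802.11 management-frame layout, and the max_ssids threshold is an assumption to tune per site.

```python
"""Flag a Karma/Jasager-style AP from 802.11 beacons and probe responses.

Karma answers whatever SSID a client probes for, so a single BSSID ends up
advertising many unrelated network names.  Frames are constructed inline in
the standard management-frame layout; none come from a real capture.
"""
import struct
from collections import defaultdict

BEACON, PROBE_RESP = 0x80, 0x50   # frame-control subtypes (low byte of FC)

def build_frame(subtype: int, bssid: bytes, ssid: str, channel: int) -> bytes:
    """24-byte MAC header, 12 bytes of fixed parameters, then the SSID (tag 0)
    and DS Parameter Set (tag 3) information elements."""
    hdr = struct.pack("<HH6s6s6sH", subtype, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0401)   # timestamp, interval, caps
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()
    ds_ie = bytes([3, 1, channel])
    return hdr + fixed + ssid_ie + ds_ie

def parse_frame(frame: bytes):
    """Return (bssid, ssid) for a beacon or probe response, else None."""
    if len(frame) < 36:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc & 0x00FC) not in (BEACON, PROBE_RESP):   # type/subtype bits only
        return None
    bssid, pos, ssid = frame[16:22], 36, ""
    while pos + 2 <= len(frame):                     # walk tagged elements
        tag, length = frame[pos], frame[pos + 1]
        if tag == 0:
            ssid = frame[pos + 2:pos + 2 + length].decode(errors="replace")
        pos += 2 + length
    return bssid, ssid

def karma_suspects(frames, max_ssids: int = 3) -> dict:
    """Group advertised SSIDs by BSSID; report radios advertising more than
    max_ssids distinct names (threshold is an assumption, tune to the site)."""
    seen = defaultdict(set)
    for f in frames:
        parsed = parse_frame(f)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    return {b.hex(":"): sorted(s) for b, s in seen.items() if len(s) > max_ssids}

if __name__ == "__main__":
    rogue, honest = b"\x02\x11\x11\x11\x11\x11", b"\x02\x22\x22\x22\x22\x22"
    frames = [build_frame(PROBE_RESP, rogue, s, 6)
              for s in ("corp-wifi", "home-router", "airport-free", "coffee-shop")]
    frames.append(build_frame(BEACON, honest, "home-router", 1))
    print(karma_suspects(frames))   # only the rogue BSSID is reported
```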


I'm interested in this too, I can't seem to find any place on the internet with a proper description of how to do it.

As I see it there are two ways of doing it.

The first one is just to use airodump to dump packages on the specified channel and/or BSSID. I've used this and it works okay. I think I miss a lot of packages this way, but I also get some useful output.

The other method is associating with the wlan first, as you do it. Maybe with some other commands, but I haven't even tried that direction yet.

Does anyone know what the best and most robust way of doing it is?


I'm not expert but I think I can help you guys out a little...

There's basically 3 types of networks. Open, WEP, and WPA/WPA2. With open networks, you can sniff the traffic easily, without ever authenticating. You'll want to make sure you are locked onto a particular SSID's channel or you'll miss data when you are hopping. You do that with "airmon-ng start wlan0 6" or whatever channel you want. 1, 6, and 11 are the main ones. 6 is the default for most routers. One thing you need to consider is that most networks these days are running N, which means you aren't going to get all the data being transmitted. This is why packet (not "package") captures can seem to suck and not contain anything useful these days. They are running on some channel way outside of 1-11. Capturing shit in Linux on N networks is still a pain in the ass and not easy to do. I've spoken to the author of kismet and he just kinda shrugs about it. I asked him what card I should buy to capture N traffic and he just says "I donno man, N support in linux is spotty". He is what I consider a guru on these sorts of things so if he can't recommend a card I donno who can.

Next, "iwconfig" isn't going to connect you to a WPA network. It's for WEP. With WEP, you can capture encrypted traffic and later decode it if you get the key (which is totally trivial, takes about 10 minutes and is a little fun). Or, of course, you can just join the network and sniff the traffic if you already have the key. The thing about WEP is that all the traffic is encoded with the same shitty key.

Unlike WPA. Now, please correct me if I'm wrong here, but from what I've read WPA/WPA2 uses a different encryption scheme for each client, even though the key is the same, so you can't just decode the traffic if you have the key. To properly capture ALL the traffic flowing through a WPA network, you'd need to join it and then start ARP poisoning so you can MITM the whole lot and pretend to be the router. Otherwise you'll just be capturing frames going to yourself and some broadcast bullshit you don't care much about. Sure, you'll see announcements for some services and whatever, but you aren't going to be grabbing passwords unless you are running something to arpspoof.

Woo, that was long, but I hope it cleared up some stuff for you guys. Hopefully I am not talking out of my ass here. I could be wrong, but I have read quite a bit on this subject. Please correct me if I am wrong. Have fun.

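The key derivation behind the "different key per client" point in the post above, as an added example that is not from the thread: it follows the published 802.11i steps (PBKDF2 for the PMK, PRF-512 for the PTK), so one passphrase plus each station's handshake nonces gives that station its own temporal key. The AP/station MACs and nonces in the demo are constructed sample values.

```python
"""Why a shared WPA/WPA2 passphrase still yields a different key per client.

802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes);
PTK = PRF-512(PMK, "Pairwise key expansion",
              min(MACs) || max(MACs) || min(nonces) || max(nonces)).
The nonces are the ANonce/SNonce from the four-way handshake, which is why
that handshake must be in the capture before any per-client decryption.
"""
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: identical for every station on the network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for
    i = 0, 1, ... concatenated and truncated to nbytes."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Pairwise Transient Key for one station (CCMP: KCK | KEK | TK, 48 bytes)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

def per_client_tks(passphrase: str, ssid: str, ap_mac: bytes, sessions) -> dict:
    """Map station MAC -> hex temporal key; sessions are (sta_mac, anonce, snonce)."""
    pmk = derive_pmk(passphrase, ssid)
    return {sta.hex(":"): derive_ptk(pmk, ap_mac, sta, a, s)["tk"].hex()
            for sta, a, s in sessions}

if __name__ == "__main__":
    # constructed sample MACs and nonces; real ones come from the handshake frames
    ap = bytes.fromhex("001122334455")
    sessions = [(bytes.fromhex("0a0000000001"), bytes(range(32)), bytes(32)),
                (bytes.fromhex("0a0000000002"), bytes(range(32)), bytes(range(32, 64)))]
    for sta, tk in per_client_tks("password", "IEEE", ap, sessions).items():
        print(sta, tk)   # two different TKs from one passphrase
```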

Thanks, I've found several tutorials about WEP and WPA, but not for the simple task of just getting everything on an open network.

I didn't know you could lock down the channel already at the airmon command; I did it with the --channel parameter for airodump.

Regarding WEP and WPA, I'm pretty sure you can decrypt both using Wireshark:

http://wiki.wireshark.org/HowToDecrypt802.11

It's interesting about N, I didn't know it used other frequencies. Btw, is the Pineapple's internal chipset N by spec?

You would think that the NHA, which is spec'ed N, in theory should be able to capture N data.

