
Convert probes to fake networks


ZeteMkaa


Hi all,

Bought my first Pineapple about 1 year ago and it has been the love of my life. I’ve had so many epic times playing with the device. Just so much fun to see how far the abilities would stretch and impress everybody around me. They all loved the Pineapple.


But lately I’ve seen some changes in the functions of the Pineapple. In the old days I would plant the Pineapple and see the magic happen. Wireless networks popping up everywhere and people were stunned by the abilities. Nowadays I have to hope that the Pineapple is functioning well when I demo it at a client.


The story that the Pineapple is responding to every probe and that the networks are being spoofed based on these probes is kind of gone. The behaviour of the Pineapple/Karma isn’t what it used to be: it only spoofs networks that are entered in the device manually, and not, as it is supposed to, networks that devices connected to in the past. And lately people aren’t entering their networks by hand; they just associate to networks and the settings are being saved on the device.

I’ve tested this behaviour on WinXP, Win7, Android and iPhone but they are all experiencing the same problems. Now my real question: are there changes made to the way these devices send out probes? Is it possible that Karma isn’t responding well to these changes? Are there any other options why the behaviour has changed?

I hope that some of the developers of Pineapple could give some insights on these problems. Thanks for your time :)



// ZeteMKaa



Link to comment
Share on other sites

Not really sure what you're asking. Does the pineapple still respond to probe requests? Yes of course. Mine is sitting next to me right now and, when I turn on my laptop (OSX), boom, there's Toronto Pearson Airport wifi. Let me assure you, I'm far far far away from the Toronto airport right now. So yes, the pineapple still responds to probe requests.

I think you asked if devices are sending them out differently - the answer is no. But what OS's do after they send out probe requests does differ and can change (after all, it's software). So like Windows 7 handles probe responses and insecure wifi much better than XP. I'm trying to remember the nuances right now, it might be that 7 will connect to a secure wifi with lower signal strength if it's in range, whereas XP would just connect to the strongest signal no matter what? Something like that, anyways different OS's do absolutely handle probe requests (when they send them out) and probe responses (how they handle it when AP's "say yes"). That said, I don't think there have been any major changes to how any OS's do their probing or handle responses, so that's probably not the issue here.

More likely, you had some good luck when you turned it on before, now you don't. I've noticed that good luck getting karma'd victims directly correlates with how target rich the environment is. In order to convince any of us otherwise, you'll have to do some scientific-like testing. Turn on the pineapple and let it boot up with karma autoenabled. Turn on an XP machine with an open SSID saved. Does it connect? How long does it take? Do this with 7, OSX, Ubuntu, Android, etc. Having a catalog of the behavior of different OS's could be really cool now that I think about it... Anyways, just saying that your pineapple "isn't what it used to be" doesn't give us much to go on by way of troubleshooting.

telot

Link to comment
Share on other sites

I have to say I really don't get what the OP is driving at either. A client connected via Android, XP, W7, when deauthed from the AP, will connect to the Pineapple transparently. If a client in a non-associated state is booted up or its WiFi switched on in the vicinity of a Pineapple running Karma, it will connect to the Pineapple via the first saved public open auth SSID in its PNL, provided the signal strength of the Pineapple is sufficient.

Link to comment
Share on other sites

  • 3 weeks later...

I think I understand what he means, and here's a sample.

KARMA: Probe Request from 18:34:51:ee:86:b0 for SSID 'wertyu'
KARMA: Checking SSID for start of association, pass through wertyu
KARMA: Successful association of 18:34:51:ee:86:b0
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'SWISSsus'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'HG520b'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'DIGI WIFI 2.4 Web Login'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'gateway'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'Papasam'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'Timisoara'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'SIMONA-PC_Network'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'hahahahaha'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'ramona PC'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'Ginko Caffe'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'Hotel North Star Continental'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'Mezzo'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'wireless_11g'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'Toroc49'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'Chinezesc'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'Caffe Corso'
KARMA: Probe Request from 00:23:54:48:ac:6a for SSID 'antenaa'
KARMA: Probe Request from 7c:11:be:31:0e:80 for SSID 'Stelica'

The list is longer, but I've stripped it down. So here's the thing:

The only network with which the Pineapple associated was "wertyu". This network was made by me by going to my iPhone and using "Other Network". In that case, it picks it up and says "yes, I am that network" and it connects us.

However, the other probes sent are avoided, as you can see, they don't associate. It's the same with my laptop when I disconnect from my wifi. But once I use "Connect to Hidden Network" it picks me up again.

So the only associations that are done are those done "manually" by specifying a network on the victim device.

Am I doing something wrong? Do I have to add each device that sends probes to my whitelist, in order to associate with them? Or what is the reason they are just avoided, but when I type a fictive network on my phone it works without problems?

Link to comment
Share on other sites
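Added example, not part of the original thread: a small Python parser for the KARMA log format quoted in the post above, which groups directed probes by client MAC and lists the clients that probed but never associated. The function names are hypothetical, and the sample input is a constructed subset of the lines from that post.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the KARMA log lines quoted in the post above.
SAMPLE_LOG = """\
KARMA: Probe Request from 18:34:51:ee:86:b0 for SSID 'wertyu'
KARMA: Checking SSID for start of association, pass through wertyu
KARMA: Successful association of 18:34:51:ee:86:b0
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'SWISSsus'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'HG520b'
KARMA: Probe Request from 18:e7:f4:f4:5d:c8 for SSID 'Ginko Caffe'
KARMA: Probe Request from 00:23:54:48:ac:6a for SSID 'antenaa'
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
PROBE_RE = re.compile(rf"^KARMA: Probe Request from {MAC} for SSID '(?P<ssid>.*)'$", re.I)
ASSOC_RE = re.compile(rf"^KARMA: Successful association of {MAC}$", re.I)

def summarize(log_text):
    """Return {mac: {"ssids": [...], "associated": bool}} in first-seen order."""
    clients = OrderedDict()
    for line in log_text.splitlines():
        line = line.strip()
        m = PROBE_RE.match(line)
        if m:
            entry = clients.setdefault(m["mac"].lower(), {"ssids": [], "associated": False})
            # The greedy match keeps SSIDs containing spaces or quotes whole.
            if m["ssid"] not in entry["ssids"]:
                entry["ssids"].append(m["ssid"])
            continue
        m = ASSOC_RE.match(line)
        if m:
            entry = clients.setdefault(m["mac"].lower(), {"ssids": [], "associated": False})
            entry["associated"] = True
    return clients

def probed_but_never_associated(clients):
    """MACs that sent directed probes yet never completed an association."""
    return [mac for mac, c in clients.items() if c["ssids"] and not c["associated"]]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for mac, c in result.items():
        state = "associated" if c["associated"] else "no association"
        print(f"{mac}  {state:15}  {len(c['ssids'])} SSID(s): {', '.join(c['ssids'])}")
    print("never associated:", probed_but_never_associated(result))
```

Run against a full log, the per-client SSID list also shows how much of a device's saved-network list its directed probes disclose to anyone listening.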

I'm pretty sure the wifi pineapple will only spoof the SSID names of known associated open networks. I don't think karma will spoof a network with the SSID of an encrypted one. What I do if I need to spoof an encrypted network is I just change the SSID of the pineapple to the one of the network I'm trying to spoof. I could be wrong though, I got mine last week.

Link to comment
Share on other sites

I know exactly what Zetemkaa is trying to say here. Clients are not auto connecting to karma. I am having a similar experience. In one of the demonstrations on the show, Darren shows the list of all the SSID's that the pineapple is spoofing. On my windows 7 laptop, and my ipad, and my blackberry, and my android, this does not happen, even though there are many unsecured networks in the config of each of these devices, they will not autoconnect to karma. HOWEVER if I go to the "connect to a hidden network" dialog box and type in gfxufcrx- basically anything. It will send out a probe request and the karma will scoop it up and say yes. So I am wondering, are my devices not sending active probes? Or is my config file wrong?

Config is

enble_karma=1
interface=wlan0
driver=nl80211
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
SSID=RaspAP
hw_mode=g
channel=11
beacon_int=100
auth_algs=3
wmm_enabled=1

Sorry for the long post. But I wanted to make everything clear as mud

Link to comment
Share on other sites

I'm glad that there are more people who have this problem, now I hope we can fix it together. :)

The postings above describe the problem perfectly. Manual association yes, auto association no.

And I think that is the real Pineapple magic: make people connect to networks they have been on before, not what they manually entered.

I hope that one of the developers can shine some light on this issue.

Link to comment
Share on other sites

I think this is a 2.8.0 bug. Or are there people on 2.8.0 that don't have this problem?

Do me a favor and downgrade (and keep downgrading if you are sure this is firmware related). Then report back in which firmware version this bug was introduced.

I know there is a slight issue with channel hopping / monitor mode in 2.8.0 but we will get that fixed asap.

Link to comment
Share on other sites

Yes, same issue here. I got my pineapple 1 month ago with the 2.7.0 firmware and now I remember that all my devices connected automatically... then I updated to the 2.8.0 and now I have that issue. I will try to downgrade my firmware tonight just to make sure... but I think that's it guys...

Link to comment
Share on other sites

Hi guys, I just downgraded to 2.7.7 and now the device can connect automatically to the pineapple, but only if the pineapple was previously saved on the networks list. But for me it's already an improvement, since with the 2.8.0 my device didn't connect even if the pineapple was in the wireless list. Now I have to wait for you to test it and get some conclusion...

Link to comment
Share on other sites

Hey guys,

I've downgraded from 2.8.0 to 2.6.0 and done some testing:

1. Karma vs. Win7 - very well - On my win7 I used to connect to 4 different secured wifi networks from which I'm far away now. When win7 turned on all 4 were there as pineapple, unsecured, no autoconnect, but it could be set and next restart I was autoconnected to pineapple.

2. Karma vs. Fedora - very good as well - Every open wifi I used to be connected was there as pineapple. No secured networks, but I'm not sure if I ever connected to any secured network from this fedora, so I can't tell.

3. Karma vs. Ubuntu - weak - Maybe on the 5th try I managed to get karma on 1 or 2 networks I used to be connected to, out of really a lot of networks I was ever connected to from this wlan. Not sure what's the case.

4. Karma vs. Android 4.0.4 on HTC Desire X - very weak - I got karma only when I added network manually (like I wrote ssid sth like "sdfsdfasad") and it connected to pineapple.

5. Karma vs. Backtrack 5 - very weak - practically the same as Android.

So guys this was my testing with 2.6.0. Not sure how it will behave on 2.8.0, maybe tomorrow I'll give it a try. Basically I think this is the right behavior for how karma works. If you have some idea why it works better/worse vs. some systems, please share with us. Also if you've done some testing as well, go on, tell us!

Thanks

Link to comment
Share on other sites

Hi guys, I was thinking to myself now and... I don't get it...

If the pineapple doesn't auto-connect to the devices this is no minor issue, it's a huge issue. What's the meaning of this little black box if it doesn't auto-connect?

I'm a little mad with this because I got the pineapple last month and I'm no expert hacker, just an apprentice trying to put this to work... so my question is, if the bad boys (real hackers) can't give a correct answer to this, who can?

Really, I was happy to put my device to auto-connect with pineapple, but "wait a second, if I saved pineapple as my network before, it's supposed to auto-connect", no need to be a genius to get it. Suddenly there appear so many guys with the same issue? I've been trying this for 4 weeks, many guys here gave me tips and "how to", I did an upgrade, downgrade, reflash, used WinSCP, PuTTY, had my wifi cable connector break inside the MK4, had problems with v 2.7 because the LEDs don't work so well, everything happened to me, but that's good, I've learned so many things with all the issues and obstacles, but now it's done! Now I want to put this to work and see some results...

I think we (lamers at least) need real help from HAK5 here, Darren please throw the buoy!!! (I'm a little tired with this lol)

Sorry for this outflow guys but I really need it...

Link to comment
Share on other sites

I recently procured my first pineapple MK4, immediately upgraded to 2.8.0, and I have been experiencing the same behavior. I had a Fon router with jasager back when this project first began, and remember it working much better. Currently, I do get people connecting, but not nearly what should be, it is very hit and miss, I'd say maybe 30% successfully associate, and I've been testing in pretty crowded areas for the most part. I'll try downgrading, because I've got unlimited time on my hands this week :)

Link to comment
Share on other sites

I am seeing the same issues. I have been running the 2.8.0 FW for the past week and no one ever connects. I see tons of access points on the status screen of the Pineapple, however nothing happens. I had around 80 APs last night after an antenna upgrade and I have never had one client connect automatically. I have even had every one of my devices connect to the Pineapple then reconnect to my Netgear. Deauthed them all and they still refuse to connect to the Pineapple.

-Tp

Link to comment
Share on other sites

I've downgraded to 2.7.5 .. still the same.

2.7.0 .. still the same.

I'm going lower :) hopefully this won't break any functionality that is present in 2.8.0

//EDIT:

I think I broke mine :(

I was downgrading to 2.6.0 and without any errors or anything it just stopped, but my router detected it as connected, so I waited for about 15 minutes to finish in case it was working, after which I restarted it. Now I can't access the web interface or ping it, even though my router detects it as connected.

I even tried to hold the reset button for 1, 5, 10 and 15 seconds and it's still not working :(

Guess I'll have to flash it via serial to fix it, but it will take about 1 month to get a serial cable from USA.. hopefully until then the 2.8.0 will be stable :)

Edited by Nerdonite
Link to comment
Share on other sites

Hi all,

I was initially under the impression that Karma will respond to all probes but would only support connections for open/insecure networks. On a given device there might be any number of networks that it searches for but it will only connect to the Pineapple when it tries an open network without any security.

Am I incorrect in this impression?

Based on what you're saying in this thread, I am incorrect and the devices should connect regardless. If that's the case, then I too am seeing the same behaviour.

Cheers.

OJ

Link to comment
Share on other sites
