
Convert probes to fake networks



I went out on a field trip today to test a Tablet app I'm building. While I was at it, I took the pineapple with me in the travel case with the USB battery to see what might happen. I didn't have tethering enabled, nor was I packet-capturing, I was only interested in probes and successful connections.

After a couple of hours wandering around the beach, with a brief interlude at a coffee shop, I took a look at what I had.

To summarize: over 550 probe requests. 20 successful associations across 11 unique devices.

So while I was able to get connections coming in, the ratio was quite low. I obviously don't know which of the networks in the probes list were encrypted/protected and which weren't.

Not sure if these stats are useful, but I thought I'd share them anyway.




My laptop sends out more than 5 probes alone so the probes don't say much. It's because my laptop has a bunch of networks saved that are wpa/wpa2 protected and only like 2 that are open. So it tries to connect to the wpa2 networks but only connects to the open one. Which is what the pineapple is supposed to do.


Thanks for the heads up guys, and thanks for the info on the firmware Seb. Let's see if we can't get to the bottom of this. While it's true that vendors' WiFi implementations will change over the years to combat a Karma attack, the WiFi Pineapple is far from useless. I'd say with the growth we've seen in development on the MK4 and the features we've implemented from the brainstorm list, we're only scratching the surface.

Windows 7 now requires the user to opt in to an auto-connect checkbox on open networks, though it's interesting to see the results in action:


I was doing tests in the studio yesterday with the latest Win7, iOS and Android and a WiFi Pineapple 2.7.0 - but today I decided to go on a little field trip to get a sense of real world results.

Now mind you the results will be heavily skewed for iOS, which of the mobile OSes is actually the most resilient to our current MK4 version of Karma. As you can see from this photo:


Also mind you this test was done while driving around Cupertino, so not exactly ideal. I have a feeling the results would be totally skewed another way had I gone to Mountain View -- ya know?

Overall Probe Requests: 1661
Overall Associations: 199
Unique Probe Requests by MAC: 881
Unique Associations by MAC: 161
Unique Probe Requests by OUI: 854
Unique Associations by OUI: 153

I was really surprised how many OUIs there are, but then again most manufacturers have multiple OUIs - so let's turn to the Wireshark OUI database.

Probe Request Manufacturer Identified: 	570 (of 854)
Based on Wireshark database without variants (i.e. Apple, Apple Inc)
	Apple: 		328	58%
	Samsung: 	53	9%
	Intel: 		47	8%
	Motorola: 	26	5%
	HTC: 		15	3%
	Hon Hai: 	13	2%
	LG: 		8	1%
	Murata: 	7	1%
	Z-COM: 		7	1%
	ASUS: 		6	1%
	HP: 		5	<1%
	SparkLAN: 	5	<1%
	Liteon: 	5	<1%
	Ruckus: 	4	<1%
	Rim: 		3	<1%
	Universal: 	3	<1%
	Private: 	3	<1%
	AzureWave: 	3	<1%
	CANON: 		3	<1%
	LEXMARK: 	2	<1%
	D-Link: 	2	<1%
	Huawei: 	2	<1%
	Palm: 		2	<1%
	Gemtek: 	1	<1%
	GIGA-BYTE: 	1	<1%
	Nokia: 		1	<1%
	Nintendo: 	1	<1%
	Silex: 		1	<1%
	Tenda: 		1	<1%
	zte: 		1	<1%
	TP-Link: 	1	<1%
	Phoebe: 	1	<1%

Unfortunately only 66% of OUIs were identified by manufacturer, but it still paints a general picture. Here are the results from associations:

Association Manufacturer Identified:	78 (of 153)
Based on Wireshark database without variants (i.e. Apple, Apple Inc)
	Apple:		38	48%
	Samsung:	8	10%
	Motorola:	7	9%
	Intel:		5	6%
	HTC:		3	4%
	LG:		3	4%
	Z-COM:		2	3%
	Universal:	2	3%
	CANON:		2	3%
	D-Link:		1	1%
	Murata:		1	1%
	Rim:		1	1%
	Nokia:		1	1%
	Nintendo:	1	1%

As you can see Cupertino has a heavy Apple bias. Wonder why? ;)

With these two data sets we can analyze the connection rate by manufacturer, though keep in mind this Cupertino field trip isn't an accurate real world scenario to come up with any empirical results. But just for fun:

Association Rate by Manufacturer:
	Manufacturer	Probes	Associations	Rate
	Apple		328	38		12%
	Samsung		53	8		15%
	Motorola	26	7		27%
	Intel		47	5		10%
	HTC		15	3		20%
	LG		8	3		38%
	Z-COM		7	2		29%
	Universal	3	2		67%
	CANON		3	2		67%
	D-Link		2	1		50%
	Murata		7	1		14%
	Rim		3	1		33%
	Nokia		1	1		100%
	Nintendo	1	1		100% WOOHOO! VIDEO GAMES!!!

So what can I gather from this study, this thread, and our continued testing and development?

1. We need better tools for analysis - perhaps a module? This was a serious pain in the ass to compile and the sed, awk, cut, grep and copy/paste wasn't fun. Would be nice to have a baseline for us all to measure.

2. Manufacturers will continue to improve the security of their WiFi implementations, that's just a fact of this cat and mouse game that is hacking.

3. Since inception the WiFi Pineapple has proven a highly capable platform, and really it has only been in the last year of development that this platform has started to mature... and we've only scratched the surface. There are a lot of Karma features that could be implemented to keep up with the ever changing landscape - so this is just an opportunity to innovate.

So let's all get more data (seriously need a standardized way to gather, report, analyze) and brainstorm. MK4 Karma is currently extremely passive, though a lot can be done to make it more aggressive. I've been playing with a few modules currently available like Occupineapple (Beacon) and Jammer (DeAuth) that can help encourage clients.


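The post above tallies probes and associations by hand with sed/awk/cut/grep and asks for a standard way to do it. The script below is an added example (not code from the thread or from the WiFi Pineapple project) of the core of such a tool: it parses a client event log, maps each MAC's OUI to a vendor through a Wireshark-style manuf table, and reports unique probing MACs, unique associating MACs and the resulting association rate per vendor, which is the table Darren built by hand. The log line format, the `SAMPLE_LOG` lines and the three-entry `OUI_TABLE` are constructed for illustration; a real run would read the Pineapple's own log and the full Wireshark `manuf` file instead.

```python
"""Summarise Karma-style probe/association logs by manufacturer OUI.

Added example, not from the original thread or the WiFi Pineapple project.
The log format and the tiny OUI table below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log (hypothetical format: time, event, client MAC, SSID).
SAMPLE_LOG = """\
12:01:03 PROBE  a4:c3:61:10:22:33 ssid=CoffeeShop
12:01:04 PROBE  a4:c3:61:10:22:33 ssid=HomeWiFi
12:01:05 ASSOC  a4:c3:61:10:22:33 ssid=CoffeeShop
12:01:07 PROBE  8c:77:12:aa:bb:cc ssid=attwifi
12:01:09 PROBE  00:1e:64:01:02:03 ssid=linksys
12:01:10 ASSOC  00:1e:64:01:02:03 ssid=linksys
12:01:12 PROBE  a4:c3:61:44:55:66 ssid=xfinitywifi
12:01:15 PROBE  02:00:00:00:00:01 ssid=hidden
"""

# Constructed subset of a Wireshark-style manuf table: OUI prefix -> vendor.
# Variants such as "Apple" / "Apple Inc" are already collapsed here.
OUI_TABLE = {
    "A4:C3:61": "Apple",
    "8C:77:12": "Samsung",
    "00:1E:64": "Intel",
}

LINE_RE = re.compile(
    r"^\S+\s+(?P<event>PROBE|ASSOC)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+ssid=(?P<ssid>\S*)",
    re.IGNORECASE,
)


def oui_of(mac):
    """First three octets of a MAC, normalised to the manuf-file spelling."""
    return mac.upper()[:8]


def is_locally_administered(mac):
    """True if the U/L bit (bit 1 of the first octet) is set.

    Such addresses are randomised or software-assigned and will never resolve
    against a vendor table, so they are counted separately instead of as
    'Unknown'."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def parse_log(text):
    """Return a list of (event, mac, ssid) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["event"].upper(), m["mac"].lower(), m["ssid"]))
    return events


def vendor_stats(events, oui_table=OUI_TABLE):
    """Per-vendor count of unique probing MACs, unique associating MACs and
    association rate. Counting unique MACs rather than raw probe frames avoids
    the inflation from one client probing for every saved network."""
    probes = defaultdict(set)
    assocs = defaultdict(set)
    for event, mac, _ssid in events:
        if is_locally_administered(mac):
            vendor = "Locally administered"
        else:
            vendor = oui_table.get(oui_of(mac), "Unknown")
        (probes if event == "PROBE" else assocs)[vendor].add(mac)
    stats = {}
    for vendor in set(probes) | set(assocs):
        p, a = len(probes[vendor]), len(assocs[vendor])
        stats[vendor] = {"probes": p, "associations": a,
                         "rate": (a / p if p else None)}
    return stats


def main():
    stats = vendor_stats(parse_log(SAMPLE_LOG))
    print(f"{'Vendor':<22}{'Probes':>8}{'Assoc':>8}{'Rate':>8}")
    for vendor, s in sorted(stats.items(), key=lambda kv: -kv[1]["probes"]):
        rate = "-" if s["rate"] is None else f"{s['rate']:.0%}"
        print(f"{vendor:<22}{s['probes']:>8}{s['associations']:>8}{rate:>8}")


if __name__ == "__main__":
    main()
```

Two caveats for anyone turning this into a module: the rate is only meaningful per unique client MAC, not per probe frame, since a single laptop with many saved networks emits one probe per SSID (as the second reply in this thread notes); and clients using locally administered (randomised) MACs will inflate the unidentified share, which is why the script buckets them separately rather than folding them into "Unknown".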

Hi Darren,

First of all thanks for the great tool and all the information about it. I had been hearing about it for a long time in your shows but only last week had the chance to try it. I think it's a great way of learning a ton about wireless security so I'm planning to dig deeper. I wanted to build it on my own to get more involved and bought a Hornet board and an AP121U. Followed the instructions and flashed the Hornet with the latest firmware. (Also thanks for the openness of everything that made it possible)

As I am a complete noob to this I didn't know what to expect, and now I understand all those probe requests should have been responded to and clients should have associated with the network they were probing for (hence the name yes-man).

There are talks about a bug in the driver. What I'm confused about is: Is this passiveness you mentioned caused by this bug or implementation changes from the manufacturers or both?

Also, I was wondering if it would be of any help if I flashed my devices to an older firmware and compared the outcome? If it helps to identify when the bug was first introduced, please tell me which version you need tested.

Thanks again for everything (to your team as well of course).

