TwistedPacket Posted April 23, 2013

Let's suppose you've connected to an open network at the coffee shop. In that case you should get the victim to connect to you automatically I have never seen that work at all. Tested it 100 different ways.

-Tp

khaotic57 Posted April 23, 2013

http://forums.hak5.org/index.php?/topic/25160-problem-with-laptops-connecting-automatically-to-pineapple-please-help/?p=193138

TheColonial Posted April 24, 2013

I went out on a field trip today to test a Tablet app I'm building. While I was at it, I took the pineapple with me in the travel case with the USB battery to see what might happen. I didn't have tethering enabled, nor was I packet-capturing, I was only interested in probes and successful connections.

After a couple of hours wandering around the beach, with a brief interlude at a coffee shop, I took a look at what I had. To summarize: over 550 probe requests. 20 successful associations across 11 unique devices.

So while I was able to get connections coming in, the ratio was quite low. I obviously don't know which of the networks in the probes list were encrypted/protected and which weren't.

Not sure if these stats are useful, but I thought I'd share them anyway.

Cheers.

OJ

WallE Posted April 24, 2013

Oh well, 20 out of 550 probe requests. Not even 5%... That means this feature is totally broken and useless. And isn't it the main feature of the pineapple?

Lordx18 Posted April 24, 2013

My laptop sends out more than 5 probes alone so the probes don't say much. It's because my laptop has a bunch of networks saved that are WPA/WPA2 protected and only like 2 that are open. So it tries to connect to the WPA2 networks but only connects to the open one. Which is what the pineapple is supposed to do.

Darren Kitchen Posted April 27, 2013

Thanks for the heads up guys, and thanks for the info on the firmware Seb. Let's see if we can't get to the bottom of this.

While it's true that vendors' WiFi implementations will change over the years to combat a Karma attack, the WiFi Pineapple is far from useless. I'd say with the growth we've seen in development on the MK4 and the features we've implemented from the brainstorm list, we're only scratching the surface.

Windows 7 now requires the user to opt in to an auto-connect checkbox on open networks, though it's interesting to see the results in action:

I was doing tests in the studio yesterday with the latest Win7, iOS and Android and a WiFi Pineapple 2.7.0 - but today I decided to go on a little field trip to get a sense of real world results. Now mind you the results will be heavily skewed for iOS, which of the mobile OS's is actually the most resilient to our current MK4 version of Karma. As you can see from this photo:

Also mind you this test was done while driving around Cupertino, so not exactly ideal. I have a feeling the results would be totally skewed another way had I gone to Mountain View -- ya know?

Overall Probe Requests: 1661
Overall Associations: 199
Unique Probe Requests by MAC: 881
Unique Associations by MAC: 161
Unique Probe Request by OUI: 854
Unique Association by OUI: 153

I was really surprised how many OUIs there are, but then again most manufacturers have multiple OUIs - so let's turn to the Wireshark OUI database.

Probe Request Manufacturer Identified: 570 (of 854)
Based on Wireshark database without variants (ie: Apple, Apple Inc)

Apple: 328 58%
Samsung: 53 9%
Intel: 47 8%
Motorola: 26 5%
HTC: 15 3%
Hon Hai: 13 2%
LG: 8 1%
Murata: 7 1%
Z-COM: 7 1%
ASUS: 6 1%
HP: 5 <1%
SparkLAN: 5 <1%
Liteon: 5 <1%
Ruckus: 4 <1%
Rim: 3 <1%
Universal: 3 <1%
Private: 3 <1%
AzureWave: 3 <1%
CANON: 3 <1%
LEXMARK: 2 <1%
D-Link: 2 <1%
Huawei: 2 <1%
Palm: 2 <1%
Gemtek: 1 <1%
GIGA-BYTE: 1 <1%
Nokia: 1 <1%
Nintendo: 1 <1%
Silex: 1 <1%
Tenda: 1 <1%
BARNES&NOBLE: 1 <1%
zte: 1 <1%
TP-Link: 1 <1%
Phoebe: 1 <1%

Unfortunately only 66% of OUIs were identified by manufacturer, but it still paints a general picture. Here are the results from associations:

Association Manufacturer Identified: 78 (of 153)
Based on Wireshark database without variants (ie: Apple, Apple Inc)

Apple: 38 48%
Samsung: 8 10%
Motorola: 7 9%
Intel: 5 6%
HTC: 3 4%
LG: 3 4%
Z-COM: 2 3%
Universal: 2 3%
CANON: 2 3%
D-Link: 1 1%
Murata: 1 1%
Rim: 1 1%
Nokia: 1 1%
Nintendo: 1 1%

As you can see Cupertino has a heavy Apple bias. Wonder why? ;)

With these two data sets we can analyze the connection rate by manufacturer, though keep in mind this Cupertino field trip isn't an accurate real world scenario to come up with any empirical results. But just for fun:

Association Rate by Manufacturer:

Manufacturer   Probes   Associations   Rate
--------------------------------------------
Apple          328      38             12%
Samsung        53       8              15%
Motorola       26       7              27%
Intel          47       5              10%
HTC            15       3              20%
LG             8        3              38%
Z-COM          7        2              29%
Universal      3        2              67%
CANON          3        2              67%
D-Link         2        1              50%
Murata         7        1              14%
Rim            3        1              33%
Nokia          1        1              100%
Nintendo       1        1              100%

WOOHOO! VIDEO GAMES!!!

So what can I gather from this study, this thread, and our continued testing and development?

1. We need better tools for analysis - perhaps a module? This was a serious pain in the ass to compile and the sed, awk, cut, grep and copy/paste wasn't fun. Would be nice to have a baseline for us all to measure.

2. Manufacturers will continue to improve the security of their WiFi implementations, that's just a fact of this cat and mouse game that is hacking.

3. Since inception the WiFi Pineapple has proven a highly capable platform, and really it has only been in the last year of development that this platform has started to mature... and we've only scratched the surface. There are a lot of Karma features that could be implemented to keep up with the ever changing landscape - so this is just an opportunity to innovate.

So let's all get more data (seriously need a standardized way to gather, report, analyze) and brainstorm. MK4 Karma is currently extremely passive, though a lot can be done to make it more aggressive. I've been playing with a few modules currently available like Occupineapple (Beacon) and Jammer (DeAuth) that can help encourage clients.

Thoughts?

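The tally compiled by hand in the post above, as an added example (not code from this thread or from the WiFi Pineapple project): it counts probes, associations, unique MACs and OUIs, and a per-vendor association rate over unique MACs. The log line shapes, the OUI table and the sample log are constructed assumptions.

```python
import re
from collections import Counter

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
# Assumed log line shapes; adjust to what your capture tool actually writes.
PROBE_RE = re.compile(r"Probe Request from " + MAC, re.I)
ASSOC_RE = re.compile(r"Successful association of " + MAC, re.I)
# Constructed OUI table with placeholder vendors (not real assignments).
OUI_VENDOR = {"a4:00:01": "VendorA", "a4:00:02": "VendorB"}

# Constructed sample log.
SAMPLE_LOG = """\
KARMA: Probe Request from a4:00:01:00:00:01 for SSID 'home'
KARMA: Probe Request from a4:00:01:00:00:01 for SSID 'cafe'
KARMA: Successful association of a4:00:01:00:00:01
KARMA: Probe Request from a4:00:01:00:00:02 for SSID 'office'
KARMA: Probe Request from a4:00:02:00:00:01 for SSID 'cafe'
KARMA: Successful association of a4:00:02:00:00:01
KARMA: Probe Request from a4:00:03:00:00:01 for SSID 'hotel'
KARMA: Probe Request from 02:11:22:33:44:55 for SSID 'cafe'
"""

def vendor_of(mac, table):
    # Locally administered addresses (0x02 bit of first octet) carry no vendor OUI.
    if int(mac[:2], 16) & 0x02:
        return "locally-administered"
    return table.get(mac[:8], "unknown")

def summarize(lines, table=OUI_VENDOR):
    probes, assocs = [], []
    for line in lines:
        for regex, bucket in ((PROBE_RE, probes), (ASSOC_RE, assocs)):
            m = regex.search(line)
            if m:
                bucket.append(m.group(1).lower())
    probe_macs, assoc_macs = set(probes), set(assocs)
    seen = Counter(vendor_of(m, table) for m in probe_macs)
    joined = Counter(vendor_of(m, table) for m in assoc_macs)
    return {
        "probes": len(probes), "associations": len(assocs),
        "unique_probe_macs": len(probe_macs), "unique_assoc_macs": len(assoc_macs),
        "unique_probe_ouis": len({m[:8] for m in probe_macs}),
        # vendor -> (devices probing, devices associated, rate in percent)
        "by_vendor": {v: (n, joined[v], round(100 * joined[v] / n))
                      for v, n in seen.items()},
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Counting per unique MAC rather than per probe keeps one chatty device with many saved networks from dominating the rate.
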
Johnnie Posted April 27, 2013

Hi Darren,

First of all thanks for the great tool and all the information about it. I had been hearing about it for a long time in your shows but only last week had the chance to try it. I think it's a great way of learning a ton about wireless security so I'm planning to dig deeper.

I wanted to build it on my own to get more involved and bought a Hornet board and an AP121U. Followed the instructions and flashed the Hornet with the latest firmware. (Also thanks for the openness of everything that made it possible)

As I am a complete noob to this I didn't know what to expect and now I understand all those probe requests should have been responded to and clients should have associated with the network they were probing for (hence the name yes-man)

There are talks about a bug in the driver. What I'm confused about is: Is this passiveness you mentioned caused by this bug or implementation changes from the manufacturers or both?

Also, I was wondering if it would be of any help if I flashed my devices to an older firmware and compared the outcome? If it helps to identify when the bug was first introduced please tell me which version you need tested.

Thanks again for everything (to your team as well of course).