TheColonial, posted April 22, 2013

Hi everyone, I was wondering if the Pineapple has a feature which allows emulation of WEP/WPA/WPA2 networks in any way? I have a few APs at home with various configurations that I use for testing. They have a mixture of configurations. The one thing that is common is that I know the keys for all of them. What I was wondering was, if I know the keys for the networks, can I configure Karma to use those keys with the appropriate security settings, so that it actually emulates the access point including its security? As a crass "off the top of my head" example, it'd be great to have a configuration which allows me to do this:

[network "Wep AP"]
security=WEP
key=foo

[network "Home Network"]
security=WPA2
key=bar

Or something like that (pick your format -- JSON, XML, whatever). Is this kind of thing possible? If it's not currently a feature, what kind of effort would be required to allow this to happen? Thanks for your time.

OJ
barry99705, posted April 23, 2013

It's been answered a couple times before, but no, it can't do that. You'd have to know the password for it to work.
Darren Kitchen, posted April 23, 2013

In its current form, no. Could this be added? Maybe. It's something we've kicked around. The driver *can* emulate a *few* SSIDs in addition to the standard pineapple+mac (or whatever you change it to), so in theory.....maybe.
Sebkinne, posted April 23, 2013

If we know the key, we can technically make it happen.
no42, posted April 23, 2013 (edited April 23, 2013 by midnitesnake)

Look for Lorcon. I think it's actually included in Metasploit these days! (Though Metasploit does not appear to work on the Pineapple, it may be possible to natively compile Lorcon.)
Anton, posted April 23, 2013

Which key? The WPA passphrase? This is interesting! Keep up the good work guys! Maybe one day, once someone manages to blow a hole in the side of WPA like they did with WEP, our Pineapple could have auto-crack and emulation of WPA networks built in XD
demonjester, posted April 23, 2013 (edited April 23, 2013 by demonjester)

What about this? Someone tries to connect, we put in our own key, but can we record the password they will try to send to the router for authentication? IDK, just throwing that out there.
Sebkinne, posted April 23, 2013

> What about this? Someone tries to connect, we put in our own key, but can we record the password they will try to send to the router for authentication? IDK, just throwing that out there.

No, we can't collect the key like that - at least not in plain text.
Mr-Protocol, posted April 23, 2013

> What about this? Someone tries to connect, we put in our own key, but can we record the password they will try to send to the router for authentication? IDK, just throwing that out there.

You need the full 4-way handshake, which you will not get unless your AP is configured with the key the client is connecting with. Even then the key is encrypted. In other words, you would have the key already to evil twin.
demonjester, posted April 23, 2013

> You need the full 4-way handshake, which you will not get unless your AP is configured with the key the client is connecting with. Even then the key is encrypted. In other words, you would have the key already to evil twin.

I had a feeling the 4-way handshake would be in play.
TheColonial (author), posted April 24, 2013

> It's been answered a couple times before, but no, it can't do that. You'd have to know the password for it to work.

Yes, I'm well aware of that. The very basis of the question was founded on the assumption that I knew the passwords.
TheColonial (author), posted April 24, 2013

> In its current form, no. Could this be added? Maybe. It's something we've kicked around. The driver *can* emulate a *few* SSIDs in addition to the standard pineapple+mac (or whatever you change it to), so in theory.....maybe.

Would you see this as a drastic increase in complexity? What kind of issues would you be facing in attempting to implement this? If it's able to pick the detail from a predetermined configuration, would the complexity be that high? Cheers!
Anton, posted July 12, 2013

I think this is a very interesting point. There must be something in that probe request that can be pulled out / decrypted to emulate a secure WPA / WPA2 network. At the end of the day we are halfway there, in the sense that we can already spoof non-password-protected networks. The question would be, what is different about the probe request when it's asking "are you my wifi"? Or does a password-protected probe request not even ask "are you my wifi"? Maybe the WPA password-protected router shouts to the laptop "hey, I got what ya need". Dunno, it's all a bit confusing for me; would love to learn more about it. Are there any white papers or anything like that out there? Maybe even a detailed overview of how probe requests actually work? I am a total noob when it comes to wireless radio electricity and all that malarkey; I just follow tuts and feel good about being able to complete them lol. Tell us more Darren & Seb < presuming Seb is a Jaeger guy. I get confused, too many names.
Darren Kitchen, posted July 12, 2013

> I think this is a very interesting point. There must be something in that probe request that can be pulled out / decrypted to emulate a secure WPA / WPA2 network. At the end of the day we are halfway there, in the sense that we can already spoof non-password-protected networks. The question would be, what is different about the probe request when it's asking "are you my wifi"? Or does a password-protected probe request not even ask "are you my wifi"? Maybe the WPA password-protected router shouts to the laptop "hey, I got what ya need". Dunno, it's all a bit confusing for me; would love to learn more about it. Are there any white papers or anything like that out there? Maybe even a detailed overview of how probe requests actually work?

Here's a good overview of how the authentication process works:
https://en.wikipedia.org/wiki/IEEE_802.11i-2004#The_Four-Way_Handshake

I also advise watching these:
http://www.securitytube.net/video/1905
http://www.securitytube.net/video/2562

Cheers,
Darren
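As an added illustration of what Anton is asking about (this example is not from the thread or from Hak5): the thing that differs between an open and a protected network's beacons and probe responses is the RSN information element (element ID 48), which advertises the cipher suites and the key-management method (PSK or 802.1X). The passphrase itself appears in neither the beacon nor the probe exchange; a client compares the advertised suites against its saved profile and only then starts the 4-way handshake, where possession of the key is proven by a MIC rather than by sending the key. The parser below decodes that element from the tagged-parameter part of a frame body. The two frame bodies are constructed samples, and the fixed fields that precede the elements in a real frame (timestamp, beacon interval, capability info with its Privacy bit) are omitted; WEP and WPA1, which are signalled by that Privacy bit and a vendor-specific element 221 rather than by an RSN element, are not parsed here.

```python
import struct

# Suite selectors under the IEEE OUI 00-0F-AC (IEEE 802.11-2012, clause 8.4.2.27).
IEEE_OUI = b"\x00\x0f\xac"
CIPHER_SUITES = {0: "group-only", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128",
                 5: "WEP-104", 8: "GCMP-128"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}

EID_SSID = 0
EID_RSN = 48


def iter_ies(body):
    """Yield (element_id, payload) pairs from the tagged-parameter part of a
    beacon or probe response. A truncated element is rejected instead of being
    read past the end: this data arrives over the air from untrusted senders."""
    off = 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("dangling element header")
        eid, length = body[off], body[off + 1]
        off += 2
        if off + length > len(body):
            raise ValueError("element %d overruns frame body" % eid)
        yield eid, body[off:off + length]
        off += length


def _suite(sel, table):
    """Map a 4-byte suite selector (3-byte OUI + 1-byte type) to a name."""
    if len(sel) != 4:
        raise ValueError("short suite selector")
    if sel[:3] != IEEE_OUI:
        return "vendor-%s-%d" % (sel[:3].hex(), sel[3])
    return table.get(sel[3], "reserved-%d" % sel[3])


def _suite_list(payload, off, table, limit):
    """Read a little-endian count followed by that many 4-byte selectors."""
    if off + 2 > len(payload):
        raise ValueError("missing suite count")
    (count,) = struct.unpack_from("<H", payload, off)
    off += 2
    if count > limit or off + 4 * count > len(payload):
        raise ValueError("implausible suite count %d" % count)
    names = [_suite(payload[off + 4 * i:off + 4 * i + 4], table) for i in range(count)]
    return names, off + 4 * count


def parse_rsn(payload):
    """Decode an RSN element body: version, group cipher, pairwise ciphers,
    AKM suites and, when present, the RSN capabilities field. Trailing fields
    are optional in the standard, so defaults are applied when they are absent."""
    if len(payload) < 2:
        raise ValueError("RSN element too short")
    (version,) = struct.unpack_from("<H", payload, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group, pairwise, akm, caps = "CCMP-128", ["CCMP-128"], ["802.1X"], None
    off = 2
    if off + 4 <= len(payload):
        group = _suite(payload[off:off + 4], CIPHER_SUITES)
        off += 4
        if off < len(payload):
            pairwise, off = _suite_list(payload, off, CIPHER_SUITES, 8)
        if off < len(payload):
            akm, off = _suite_list(payload, off, AKM_SUITES, 8)
        if off + 2 <= len(payload):
            (caps,) = struct.unpack_from("<H", payload, off)
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akm, "capabilities": caps}


def describe_network(body):
    """Summarise what a beacon/probe response advertises about a BSS.
    Note what is absent: no key material of any kind is carried here."""
    ssid, rsn = None, None
    for eid, payload in iter_ies(body):
        if eid == EID_SSID:
            ssid = payload.decode("utf-8", "replace")
        elif eid == EID_RSN:
            rsn = parse_rsn(payload)
    if rsn is None:
        security = "no RSN element (open, or WEP/WPA1 signalled by Privacy bit / element 221)"
    else:
        security = "RSN: akm=%s pairwise=%s group=%s" % (
            "/".join(rsn["akm"]), "/".join(rsn["pairwise"]), rsn["group"])
    return {"ssid": ssid, "rsn": rsn, "security": security}


# Constructed sample frame bodies (tagged parameters only). The RSN element is
# the common WPA2-PSK/CCMP pattern: version 1, group CCMP, one pairwise suite
# CCMP, one AKM suite PSK, capabilities 0.
RATES_IE = bytes.fromhex("0108" "82848b960c121824")
RSN_WPA2_PSK = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
PROTECTED_BEACON = bytes([EID_SSID, 12]) + b"Home Network" + RATES_IE + RSN_WPA2_PSK
OPEN_BEACON = bytes([EID_SSID, 11]) + b"Coffee Shop" + RATES_IE

if __name__ == "__main__":
    for body in (PROTECTED_BEACON, OPEN_BEACON):
        info = describe_network(body)
        print("%-14s %s" % (info["ssid"], info["security"]))
```

The same element is what wpa_supplicant and hostapd negotiate on, so a network profile that says "WPA2-PSK/CCMP" is nothing more than a saved expectation of this advertisement plus the secret that the advertisement never contains.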
Anton, posted July 12, 2013

Thanks Darren. PS sorry for Twitter-spamming you; my Chrome has been acting a little flaky today since the big 28 update thing. Thanks again.

- Anton
inTheDMZ, posted July 14, 2013

> Hi everyone, I was wondering if the Pineapple has a feature which allows emulation of WEP/WPA/WPA2 networks in any way? I have a few APs at home with various configurations that I use for testing. They have a mixture of configurations. The one thing that is common is that I know the keys for all of them. What I was wondering was, if I know the keys for the networks, can I configure Karma to use those keys with the appropriate security settings, so that it actually emulates the access point including its security? [...] Is this kind of thing possible? If it's not currently a feature, what kind of effort would be required to allow this to happen? Thanks for your time.
>
> OJ

Personally I'd rather pass this off to another router, like one of the cheap TP-Link WR703Ns: install OpenWrt and you can emulate the security settings for a known network. If you are close to the original access point then the client could roam seamlessly into your evil twin access point without even knowing.
RebelCork, posted July 15, 2013

How about a spot of phishing/social engineering. Let's say your target hotspot is 'BigISPxxxx' - it's the way they name it here in Ireland. Set up Karma & an MDK3 card. Design a nice simple webpage with your target ISP logo, two little textboxes and a message along the lines of "We here at BigISP are upgrading your router. Please enter your username and password (or just the WPA2 key, hey, enter it twice for security :) ). The update process will take approximately 90 seconds, after which you will need to power cycle your router." Bingo - WPA2 key in hand and the target will connect back to his network none the wiser. Turn off MDK3 and Karma - victim seamlessly connects to their own network none the wiser.
Anton, posted July 16, 2013

Hey RebelCork, Tiocfaidh ár lá!

Does MDK3 actually knock the network off to the point where it is no longer visible in a wifi scan? I know how it works to the point where it de-auths the clients etc., but from what I remember using it with the Pineapple anyway, the network would still be available during a wifi scan and therefore could still be connected to / would still be the preferred connection over your identical honeypot. Would be interested to learn more about this; ain't played with my Pineapple in a while, might be time to whip it out again.

- Anton
RebelCork, posted July 16, 2013

It does AFAIK, but my idea above really is a thought experiment; it just needs a POC. How many people will actually search for their own hotspot? End users will automatically think 'Hey, this is supposed to just work, right?' My above example is only meant to be there 60 seconds tops, quick and dirty.