Jump to content

Recommended Posts

Hi everyone,

I was wondering if the Pineapple has a feature which allows emulation of WEP/WPA/WPA2 networks in any way?

I have a few APs at home with various configurations that I use for testing. They have a mixture of configurations. The one thing that is common is that I know the keys for all of them. What I was wondering was, if I know the keys for the networks, can I configure Karma to use those keys with the appropriate security settings, so that it actually emulates the access point including its security?

As a crass "off the top of my head" example, it'd be great to have a configuration which allows me to do this:

[network "Wep AP"]
security=WEP
key=foo

[network "Home Network"]
security=WPA2
key=bar

Or something like that (pick your format -- JSON, XML, whatever).

It this kind of thing possible? If it's not currently a feature, what kind of effort would be required to allow this to happen?

Thanks for your time.

OJ

Link to post
Share on other sites

Look for Lorcon.

Think it's actually included in Metasploit these days! (Though Metasploit does not appear to work on the pineapple), it may be possible to natively compile Lorcon.

Edited by midnitesnake
Link to post
Share on other sites

Which key? the WPA pass phrase? this is interesting! keep up the good work guys! maybe one day, once someone manages the blow a whole in the side of WPA, like they did with WEP our pineapple could have auto crack and emulating of WPA networks built in XD

Link to post
Share on other sites

What about this? Someone tried to connect we put our own key but can we record the password they will try to send to the router to try for authentication? IDK just throwing that out there.

No, we can't collect the key like that - at least not in plain-text.

Link to post
Share on other sites

What about this? Someone tried to connect we put our own key but can we record the password they will try to send to the router to try for authentication? IDK just throwing that out there.

You need the full 4-way handshake which you will not get unless your AP is configured with the key the client is connecting with. Even then the key is encrypted. In other words, you would have the key already to evil twin.

Link to post
Share on other sites

You need the full 4-way handshake which you will not get unless your AP is configured with the key the client is connecting with. Even then the key is encrypted. In other words, you would have the key already to evil twin.

I had a feeling 4way handshake would be in play.

Link to post
Share on other sites

In its current form, no. Could this be added? Maybe. It's something we've kicked around. The driver *can* emulate a *few* SSIDs in addition to the standard pineapple+mac (or whatever you change it to), so in theory.....maybe.

Would you see this as a drastic increase in complexity? What kind of issues would you be facing in attempting to implement this? If it's able to pick the detail from a predetermined configuration, would the complexity be that high?

Cheers!

Link to post
Share on other sites
  • 2 months later...

I think this is a very interesting point, There must be something in that probe request that can be pulled out / decrypted to emulate a secure wpa / wpa2 network. At the end of the day we are halfway there in the sense we can already spoof non password protected networks. The question would be, what is different about the probe request when its asking, are you my wifi. Or does a password protected probe request not even ask "are you my wifi" maybe the wpa password protected router shouts to the laptop "hey i got what ya need". Duno its all a bit confusing for me would love to learn more about it. Are their any white papers or anything like that out their. Maybe even a detailed overview of how probe requests actually work? i am a total noob when it comes to wireless radio electricity and all that malarkey i just follow tuts and feel good about being about to complete them lol. Tell us more Darren & Seb < presuming seb is a jaeger guy. I get confused to many names.

Link to post
Share on other sites

I think this is a very interesting point, There must be something in that probe request that can be pulled out / decrypted to emulate a secure wpa / wpa2 network. At the end of the day we are halfway there in the sense we can already spoof non password protected networks. The question would be, what is different about the probe request when its asking, are you my wifi. Or does a password protected probe request not even ask "are you my wifi" maybe the wpa password protected router shouts to the laptop "hey i got what ya need". Duno its all a bit confusing for me would love to learn more about it. Are their any white papers or anything like that out their. Maybe even a detailed overview of how probe requests actually work? i am a total noob when it comes to wireless radio electricity and all that malarkey i just follow tuts and feel good about being about to complete them lol. Tell us more Darren & Seb < presuming seb is a jaeger guy. I get confused to many names.

Here's a good overview of how the authentication process works:

https://en.wikipedia.org/wiki/IEEE_802.11i-2004#The_Four-Way_Handshake

I also advise watching these:

http://www.securitytube.net/video/1905

http://www.securitytube.net/video/2562

Cheers,

Darren

Link to post
Share on other sites

Thank's Darren, ps sorry for twitter spamming you my chrome has been acting a little flaky today since the big 28 update thing.

Thanks Again.

- Anton.

Link to post
Share on other sites

Hi everyone,

I was wondering if the Pineapple has a feature which allows emulation of WEP/WPA/WPA2 networks in any way?

I have a few APs at home with various configurations that I use for testing. They have a mixture of configurations. The one thing that is common is that I know the keys for all of them. What I was wondering was, if I know the keys for the networks, can I configure Karma to use those keys with the appropriate security settings, so that it actually emulates the access point including its security?

As a crass "off the top of my head" example, it'd be great to have a configuration which allows me to do this:

[network "Wep AP"]
security=WEP
key=foo

[network "Home Network"]
security=WPA2
key=bar

Or something like that (pick your format -- JSON, XML, whatever).

It this kind of thing possible? If it's not currently a feature, what kind of effort would be required to allow this to happen?

Thanks for your time.

OJ

personally I'd rather pass this off to another router, like one of the cheap tp-Link WR703N's, install Openwrt and you can emulate the security settings for a known network, if you are close to the original access point then client could roam seamlessly into your evil twin access point without even knowing

Link to post
Share on other sites

How about a spot of phishing/social engineering.

Let's say your target hotspot is 'BigISPxxxx' - it's the way they name it here in Ireland. Set up karma & a MDK3 card.

Design a nice simple webpage with your target ISP logo, two little textboxes and a message along the lines of

"We here at BigISP are upgrading your router.

Please enter in your username and password

(or just WPA2 key, hey enter it twice for security :) )

The update process will take approximately 90 seconds, after which, you will need to power cycle your router."

Bingo - WPA2 key in hand and the target will connect back to his network none the wiser.

Turn off MDK3 and karma - victim seamlessly connects to their own network none the wiser.

Link to post
Share on other sites

Hey Rebel Cork, Tiocfaidh ár lá! Does MDK3 actually knock the network off to the point where it is no longer visible in a wifi scan? I know how it works to the point where it de-auths the clients etc's but from what i remember using it with the pineapple any way was that the network would still be available during a wifi scan and there for could still be connected to / would still be the proffered connection to you're identical honey pot. Would be integrated to learn more about this, aint played with my pineapple in a while, might be time to whip it out again.

- Anton

Link to post
Share on other sites

It does AFAIK, but my idea above really is a thought experiment, it just needs a POC.

How many people will actually search their own hotspot?

End users will automatically think 'Hey, this is supposed to just work, right?'

My above example is only meant to be there 60 seconds tops, quick and dirty

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...