Posted

Hello all,

I'm giving a presentation about social engineering over a couple of weeks and I planned a little pineapple demo.

Almost everyone there will have a smartphone with wifi and a remembered open network.

My demo consists of running Karma to catch the clients, but then what? RandomRoll page, tcpdump to show what's being sent, etc. This is where I'm asking you all for advice. (Mind that I don't have internet availability at the presentation location.)

My goal is to create awareness among the attendees: not to blindly trust, and their smartphone in particular.

I'm curious about your ideas :D

Posted

Well, if you don't have internet, your best bet would surely be RandomRolls. Perhaps do some tests beforehand with Androids and iPhones, as I recall one of the rolls (could be Rick?) doesn't work very well on iPhone - no sound.

If you're trying to have an impact on these people, it would be ideal to bring a 3G/4G dongle with you. I mean, Rick Rolling someone does prove to the educated person the power of the Pineapple, but to laymen, it's just a party trick. To really drive your point about security, showing them their TCP traffic is a powerful message. Filter out POSTs in Wireshark, run sslstrip and create a wall of sheep; that's the stuff that turns heads. If you really want to freak them out, show them the injection stuff (evil Java, keylogger) that's being worked on.

Good luck WatskeBart - let us know how you do!

telot
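To make the "wall of sheep" idea above concrete, here is a small added example (not code from the thread or from the Pineapple project). It takes the raw text of HTTP requests, as tcpdump -A or a pcap extraction would show them, keeps only form POSTs, and lists host, path and form fields. Fields whose names look like credentials are masked, so the projector shows that the data leaked without exposing anyone's actual password. The sample requests are constructed for the example, and the field-name list and masking rule are my own assumptions. It only works on plaintext HTTP, which is exactly why the post pairs the wall of sheep with sslstrip.

```python
"""Minimal 'wall of sheep' extractor for plaintext HTTP POSTs (added example)."""
from urllib.parse import parse_qsl

# Assumption: field names containing any of these are treated as secrets.
SENSITIVE = ("pass", "pwd", "token", "secret")

# Constructed sample payloads, not real captures. Each string is one TCP
# payload as tcpdump -A would print it (CRLF line endings preserved).
SAMPLE_REQUESTS = [
    "POST /login HTTP/1.1\r\n"
    "Host: forum.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "username=alice&password=hunter2&rem=1",
    "GET /index.html HTTP/1.1\r\nHost: news.example\r\n\r\n",
    "POST /api HTTP/1.1\r\nHost: api.example\r\n"
    "Content-Type: application/json\r\n\r\n{\"k\": 1}",
]


def mask(value):
    """Keep first and last character so the audience sees a value was there."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def parse_request(raw):
    """Split one HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def sheep_entry(raw):
    """Return a display record for a form POST, or None for anything else."""
    method, path, headers, body = parse_request(raw)
    if method != "POST":
        return None
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    fields = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        secret = any(s in name.lower() for s in SENSITIVE)
        fields[name] = mask(value) if secret else value
    return {"host": headers.get("host", "?"), "path": path, "fields": fields}


def wall_of_sheep(requests):
    """Collect the records worth putting on the projector."""
    return [e for e in (sheep_entry(r) for r in requests) if e is not None]


if __name__ == "__main__":
    for entry in wall_of_sheep(SAMPLE_REQUESTS):
        pairs = ", ".join(f"{k}={v}" for k, v in entry["fields"].items())
        print(f"{entry['host']}{entry['path']}: {pairs}")
```

Feed it the reassembled TCP payloads from your capture (for a live demo, tcpdump -A on the Pineapple's wireless interface piped through a small reader is enough) and it prints one line per login form. Only the constructed /login request survives the filter; the GET and the JSON POST are dropped, and the password shows as h*****2.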

Posted (edited)

randomroll, or urlsnarf are what I usually demo.

Edit: randomroll will work on Android and iPhone (already tested :) ). Can't remember sound working on the iPhone, but sound definitely worked on Android.

Edited by midnitesnake

Posted

Thanks for your input :)

I was thinking about a RandomRoll page, but I want to make sure it also works on iPhones (I don't have one). I could use my own phone as a 3G gateway, but I have bad 3G reception at my location.

Are there RRoll pages that do have sound on an iPhone?

Posted

It's too bad that a Rubber Ducky is too expensive to ship, so as a backup demo I'm thinking about using my Teensy 2.0++ :D

A Rubber Ducky would be nicer because it will relate more to social engineering, but Karma looks more awesome IMHO because it will affect the attendees directly.

Posted

Have you created a script of your conversation/presentation to the audience? I would ensure you have a way to display the contents of a laptop from a projector. The laptop can be running whatever OS, but ensure you can access the Pineapple's control page. Introduce yourself with the Pineapple control page minimized and have a PowerPoint slide presentation up on the screen. Tell them who you are and that the point of the presentation is going to be about "computer security". At this point the Pineapple should have been running for several minutes with Karma going and ideally giving them normal internet (if not, oh well, it'll work regardless; if you want to get fancy at that point you could have a simple landing page that doesn't phish but announces your name and presentation details).

Kill the presentation for a minute (or better yet use the WPS button script program) to turn on the Random Roll module. Then ask your audience to help you out by getting out their phones and tablets and computers and ask all of them to Google something for you... make it "WiFi Pineapple" just for fun. At this point all hell should be breaking loose as people get Rolled. Ask people to raise their hand if they are seeing whatever Roll you've chosen. You've now set the hook for those people... you have their attention no matter what you say from that point on.

Now to get the other folks... Bring up the control page and show the active Karma log with the list of Access Point names devices have responded with. Explain as you scroll through the list that if an audience member sees a home Access Point (or one they recognize they've been to) in the list they should raise their hand. You should now have more people hooked. Even if they didn't see a Roll page they know their device responded to the Pineapple. Proceed to tell them all about the nasty things you can do with that. Give them different scenarios that build upon each other or a core concept of how the Pineapple works.
Don't forget to channel your inner Steve Jobs and make a show of it... At least that's how I'd do it.
