Whole bunch of questions about Mark IV and proper operation


shutin

Hi all,

I've been trying to get the pineapple running on my own but there's a lot of things that I could not find on the boards here. Hopefully some of you guys could answer a few of my questions or direct me to resources where I can find the info. I'm a big supporter of OpenWRT but there isn't a nice solid manual for the dang system. There are bits and pieces on the wiki but many things seem to be only known by those with advanced linux networking knowledge or experience compiling the system themselves. I realize these are a lot of questions but I don't expect them all to be answered. I'm trying for a shotgun approach here.

My setup: MkIV running 2.8.0 firmware. I connect the pineapple to a laptop running either linux or win7 ICS. I have a Mac but I'm reluctant to change either the pineapple or my Mac's built in sharing config files in order to change to the needed IP range. (Mac is set up to only share using the 192.168.2.x range, so the pineapple's 172.42.42.x doesn't work). I then connect my laptop to my home router via wifi so the pineapple can have a passthrough to the internet. I install all my infusions to USB because I don't want to run out of space and I want the logs to stick around.

My desired config: Get rid of the intermediary laptop and have the pineapple connect to some preset APs or any open AP in range. Possibly connect using a cheap usb aircard. Obviously I'd need a wifi card + usb hub for the former. To capture all traffic flowing through the pineapple, preferably in a semi-formatted report rather than just a .pcap file I need to parse out.

My motivation: To have a solid understanding of these tools so that I can protect myself and be aware of how exactly they "look" when being run. I'm a programmer by trade, security is my hobby and passion. I'd like to be able to demonstrate some of these things to my bosses, who do not take security as seriously as I do. But I don't want to look like a dumbass when I do it either.

LOGGING

This is a big topic for me. WHERE ARE THE LOGS?! :) I want to ssh in and tail -f a bunch of stuff.

1) Where can I find the same information that is displayed on the Status screen of the pineapple's homepage? Specifically I want to see the karma probe request details and "who is connected" status. I'm guessing that the latter is in /var/dhcp.leases ? What does the * mean after the client in those?

2) But just because a client connected doesn't mean they still ARE connected. Is there a way to see an active display of who is connected and sending data? Would something like tcptrack work?

3) Is there a way to see client disconnects and tell if they did a hard disconnect (like "oh crap, this is the wrong AP! disconnect!") or they simply went out of range?

4) infusion logs. Most important to me are the sslstrip, tcpdump, and urlsnarf logs. It's not totally clear where these are. On one hand, you have /pineapple/logs which contains a urlsnarf.log but for me it's always empty. Is this the place where non-usb installed infusions are supposed to keep their logs? Because we also have /usb/infusions/urlsnarf/log, which for me has some files, one empty and one that successfully captured traffic once.

INFUSIONS

This is where I really need some help. I am very thankful for the community-provided infusions but they aren't exactly self-explanatory. Are you only supposed to run one at a time or what? I typically run tcpdump, urlsnarf and sslstrip at the same time. This might not be a good idea (since tcpdump should capture EVERYTHING, right?) but sslstrip might be providing a better, more verbose capture than tcpdump and tcpdump is unnecessary if I'm running that.

Let's start with tcpdump. I'll enable it (tcpdump -i eth0 -vv) but I never see any output in the screen. I have managed to capture a couple logs once, but nothing ever showed in the screen. It also seems to just stop working without being told to. Is eth0 the interface I want to be running it on since my path to the internet goes through a cat5 cable to my laptop? Seems like it. If I was connecting to the internet using another usb dongle, it would make sense to capture wlan0 then.

SSLstrip. This is the infusion I'm most interested in because I want to see (in a controlled environment!) just which sites that I use are vulnerable to this attack. I want to see how it appears. So far it's just been a lot of... timeouts. Finding the password that I entered isn't very easy, being embedded in a query string that is embedded in a ton of output text. Does anyone have any configuration tips they can share?

SYSTEM ISSUES

* Timestamps! I have a big problem with my logs all starting at 1970 so it's very tough to tell which one is which. Does the pineapple not have ntp set up or am I missing a setting somewhere for getting a correct system time on boot?

* Memory. The status infusion shows my Used memory at 96% and my swap at 98% free. Is this normal? (I did set up a swap partition on my usb drive)

* MAC Address - For some reason, my pineapple has a MAC of an Alfa card! Is this intentional or bad luck on my part? How can I set a new random MAC for my pineapple on boot or preferably, in a config file somewhere? I'm familiar with using macchanger, but I'd rather this process happened automatically. I know there must be a config file somewhere holding this weird Alfa MAC.

* Switching from a flash drive plugged in to the pineapple to a usb hub plugged in with the flash drive, and a wifi dongle.. Will this work or does the order of things plugged in mess with what the mount script is looking for?

* Default channel. Where do I change this from 11 to something better?

NETWORKING

* Tethering with an Android. Is USB tethering possible or does the proprietary-ness of Android's method not work? I haven't seen anything posted about this. I assume you could always do wifi tether, but I don't want the wifi signals fighting with each other.

* SSH to the pineapple from my local network. Of course I can SSH from the laptop doing the ICS, but I would really like to SSH from a different computer on my LAN. I'm guessing that the fact the pineapple is on a different subnet causes this to fail. How is the autossh supposed to work then? Is it expected that this is going out to a computer on the internet itself somewhere, not a LAN address? I suppose the only workaround is to connect to the pineapple's wifi AP and ssh there.

RANDOM TIPS

Does anyone have any tips for usage they can share? One thing I was thinking of the other night is it would be nice to read some actual stories about how people use the pineapple in production. You always hear about the hardware setup and maybe "I have metasploit serving up false logins for the company intranet" but you never hear about the results or issues that were discovered during the process. I'd love to read about that sort of thing.

Finally...

KARMA

It's my understanding that KARMA only works for open APs because you can't fake having the correct WPA key. Why then is it trying to impersonate my WPA2 router and seemingly working (since leases are being handed out)?

Thank you very much in advance for any help you can provide! I want to contribute and sign on to be a beta tester for the new firmware but I feel like I need to get a better grasp of things before I can provide any real help.


Holy hannah. Monster post came to clobber us all haha! First and foremost welcome to the community! It's always great to have another programmer-by-trade member among our ranks. I'll just start at the top and do my best, and I'm sure others will comment in and add stuff too.

My desired config: Get rid of the intermediary laptop and have the pineapple connect to some preset APs or any open AP in range. Possibly connect using a cheap usb aircard. Obviously I'd need a wifi card + usb hub for the former. To capture all traffic flowing through the pineapple, preferably in a semi-formatted report rather than just a .pcap file I need to parse out.

This is all totally possible, but not "off the shelf". Removing the laptop/ICS out of the equation can be done via the network manager module or scripts quite easily. Foxtrot is working on a module that will automate this kind of thing, but right now if you want ICS through wifi or 3G, you'll have to script it yourself (and hopefully share with us!) or do it manually each time. Remember that to use most aircards and external wifi modules (e.g. Alfa's) you'll need a POWERED usb hub. As for the semi-formatted report, I have a very poorly formatted report emailed to me automatically from my pineapple (and by very poorly, I mean it's just a list of the logs).

1) Where can I find the same information that is displayed on the Status screen of the pineapples homepage? Specifically I want to see the karma probe request details and "who is connected" status. I'm guessing that the latter is in /var/dhcp.leases ? What does the * mean after the client in those?
cat /tmp/dhcp.leases; echo '\n'; cat /proc/net/arp; echo '\n'; grep KARMA /tmp/karma.log | grep -v -e enabled | grep -v -e malloc | grep -v -e CTRL_IFACE | grep -v -e KARMA_STATE | grep -v -e Request >> /usb/emailreport.log
Above you'll see a snippet of how I see "who is connected". This snippet is taken directly from the pineapple index.php and put in my emaillog.sh. I'd guess you can find similar bash-fu for the probe request details in the source of index.php. Not sure on the star.
2) But just because a client connected doesn't mean they still ARE connected. Is there a way to see an active display of who is connected and sending data? Would something like tcptrack work?

Maybe cat'ing the arp table?

3) Is there a way to see client disconnects and tell if they did a hard disconnect (like "oh crap, this is the wrong AP! disconnect!") or they simply went out of range?

A disconnect frame is a disconnect frame. You might be able to hack something together to see if you received a disconnect frame from a client who is no longer connected or not, but currently it is not possible.

4) infusion logs. Most important to me are the sslstrip, tcpdump, and urlsnarf logs. It's not totally clear where these are. On one hand, you have /pineapple/logs which contains a urlsnarf.log but for me it's always empty. Is this the place where non-usb installed infusions are supposed to keep their logs? Because we also have /usb/infusions/urlsnarf/log, which for me has some files, one empty and one that successfully captured traffic once.

Not sure on this one. I use sslstrip and tcpdump via ssh and/or scripts only. I'm sure someone else knows though!

INFUSIONS

This is where I really need some help. I am very thankful for the community provider infusions but they aren't exactly self-explanatory. Are you only supposed to run one at a time or what? I typically run tcpdump, urlsnarf and sslstrip at the same time.

I don't ever run urlsnarf and tcpdump at the same time, and I think it might not work (both are redirecting port 80 I believe?). I always run tcpdump and sslstrip at the same time though.

This might not be a good idea (since tcpdump should capture EVERYTHING, right?) but sslstrip might be providing a better, more verbose capture than tcpdump and tcpdump is uncessary if I'm running that.

You need to read up on your tools. sslstrip is by no means a packet capturing tool - it's a pure man in the middle sslstripper. It will only output stripped ssl info. tcpdump is what you want for the full picture of what's going on, and sslstrip to remove their ability to hide from that "full picture". Both must be used in conjunction.

Your next questions about sslstrip and tcpdump, please see my posts/wiki pages on it. If you still have questions, by all means ask them.
For timestamps, google or search the forums. The answer is, yes you can correct the date on your pineapple (I've just forgotten how lol).
Memory: I'm not sure about the infusion, but what all do you have running when you take those readings? With sslstrip and tcpdump running, I'm at 1088 free on a "free -m" check.
Mac Address: That's because it is made by Alfa. Run macchanger as part of your scripts.
Order of usb things plugged in at bootup doesn't matter as far as I know. I recall a post about this though...something about an external Alfa becoming wlan0 instead of the internal? I may be imagining things though. Search the forums.
Default Channel: We here at the Wifi Pineapple Community take things to 11. That's why it's at 11.
You can tether with Android via usb. Search forums.
Ssh on lan: Connect your local lan to the lan port and have at it. Autossh is totally different, but also may be applicable for you. It's for reverse-ssh tunneling awesomeness. The pineapple connects to a server (vps or whatever) and you dial into that server to access the pineapple. See hak5's series on ssh for a full (and amazing) explanation. Autossh is just a keep alive for that ssh connection.
I'm exhausted. I'll continue editing this post, but man, you really went all out! I applaud your enthusiasm! I'm sure all my efforts here will be rewarded when you whip up some sick new module right? Haha, again, welcome to the community shutin!
telot
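The "who is connected" question (1 and 2 above) comes down to joining the DHCP lease file with the kernel ARP table, which is what telot's one-liner does. The script below is an added example, not telot's emaillog.sh or anything shipped with the Pineapple: it reads both tables from constructed sample copies (the real paths on the device are /tmp/dhcp.leases and /proc/net/arp, as quoted above) and reports each leased client as ACTIVE, STALE or ABSENT depending on its ARP state, which also answers the "*" question: dnsmasq writes "*" for a lease field it has no value for (hostname or client-id).

```shell
#!/bin/sh
# Cross-reference DHCP leases with the ARP table to see which leased
# clients are still actually present on the AP's LAN. On the device the
# real files are /tmp/dhcp.leases and /proc/net/arp; the copies below
# are constructed sample data so the script runs offline. MACs and IPs
# are made up.

# dnsmasq lease format: <expiry-epoch> <mac> <ip> <hostname> <client-id>
# A field is written as "*" when dnsmasq has no value for it.
LEASES=$(mktemp)
cat > "$LEASES" <<'EOF'
1360000000 aa:bb:cc:dd:ee:01 172.16.42.101 alice-laptop 01:aa:bb:cc:dd:ee:01
1360000000 aa:bb:cc:dd:ee:02 172.16.42.102 * *
1360000000 aa:bb:cc:dd:ee:03 172.16.42.103 bob-phone *
EOF

# /proc/net/arp columns: IP address, HW type, Flags, HW address, Mask, Device
# Flags 0x2 = ATF_COM (complete entry: the neighbour answered recently);
# 0x0 = incomplete/failed entry.
ARP=$(mktemp)
cat > "$ARP" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
172.16.42.101    0x1         0x2         aa:bb:cc:dd:ee:01     *        wlan0
172.16.42.103    0x1         0x0         aa:bb:cc:dd:ee:03     *        wlan0
172.16.42.1      0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
EOF

# who_is_connected <leases-file> <arp-file>
# Prints one line per lease: ip mac hostname state, where state is
# ACTIVE (complete ARP entry), STALE (ARP entry present but incomplete)
# or ABSENT (leased but not in the ARP table at all).
who_is_connected() {
    awk '
        FNR == NR {                       # first file: the lease table
            mac[$3] = $2
            host[$3] = ($4 == "*") ? "(no hostname)" : $4
            order[++n] = $3
            next
        }
        FNR > 1 { flags[$1] = $3 }        # second file: ARP, skip header
        END {
            for (i = 1; i <= n; i++) {
                ip = order[i]
                if (!(ip in flags))          st = "ABSENT"
                else if (flags[ip] == "0x2") st = "ACTIVE"
                else                         st = "STALE"
                print ip, mac[ip], host[ip], st
            }
        }' "$1" "$2"
}

# active_count <leases-file> <arp-file>: leases that have a live ARP entry
active_count() {
    who_is_connected "$1" "$2" | grep -c ' ACTIVE$'
}

who_is_connected "$LEASES" "$ARP"
```

Point the two arguments at the real files on the Pineapple to get a live view; a client that has left the AP drops to STALE and then ABSENT as the kernel ages its ARP entry out.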

telot, thank you very much for your long reply to my uber long post. I can't wait to try some of the tips out. It's especially important that now I know running urlsnarf + others may not work.

Unfortunately I had a terrible night last night with my pineapple. I tried for hours but I couldn't get anything working, especially NetworkManager. It would detect my Alfa but never fully connect to my AP. It would authenticate but then deauth itself (reason code 3(?)). I then tried a series of factory resets where I would start from scratch, install only sslstrip or a single similar infusion and give that a go, without even using karma. Nothing would capture. In the end, I had sslstrip somehow delete itself from the usb drive! I'm a bit burned out on fighting with the thing for now, I'm going to wait a few days to build my interest level back up and in the meantime play around with my Ubertooth. :) As I figure things out I do plan on updating this post with things I discover when I hopefully get it working.


telot, thank you very much for your long reply to my uber long post. I can't wait to try some of the tips out. It's especially important that now I know running urlsnarf + others may not work.

Unfortunately I had a terrible night last night with my pineapple. I tried for hours but I couldn't get anything working, especially NetworkManager. It would detect my Alfa but never fully connect to my AP. It would authenticate but then deauth itself (reason code 3(?)). I then tried a series of factory resets where I would start from scratch, install only sslstrip or a single similar infusion and give that a go, without even using karma. Nothing would capture. In the end, I had sslstrip somehow delete itself from the usb drive! I'm a bit burned out on fighting with the thing for now, I'm going to wait a few days to build my interest level back up and in the meantime play around with my Ubertooth. :) As I figure things out I do plan on updating this post with things I discover when I hopefully get it working.

The issue you are facing is due to a bug in the firmware. We are currently testing a fix in our beta program if you're interested. It has been confirmed working.

Best regards,

Sebkinne


I am really interested in getting rid of the laptop too.

My desired config: Get rid of the intermediary laptop and have the pineapple connect to some preset APs or any open AP in range. Possibly connect using a cheap usb aircard. Obviously I'd need a wifi card + usb hub for the former. To capture all traffic flowing through the pineapple, preferably in a semi-formatted report rather than just a .pcap file I need to parse out.

I really just need help with setting up my Alfa adapter so that I am able to connect to an AP and use Karma. I have my adapter connected and it is broadcasting as openwrt.

I would really appreciate any help with doing this!


The issue you are facing is due to a bug in the firmware. We are currently testing a fix in our beta program if you're interested. It has been confirmed working.

Best regards,

Sebkinne

Oh really? The Network Manager part? I signed up for the beta test program but felt like I should understand things a little better first before I tried testing. I think I will take a chance and go for the install now. Good to hear! thanks!


My desired config: Get rid of the intermediary laptop and have the pineapple connect to some preset APs or any open AP in range.

I am currently working on just this! I have a script mostly complete and an infusion is in the works. It connects to the strongest open wifi when you press the wps button! Also I can confirm that 2.8.1 beta 2 fixes the deauth reason 3 error.


I am currently working on just this! I have a script mostly complete and an infusion is in the works. It connects to the strongest open wifi when you press the wps button! Also I can confirm that 2.8.1 beta 2 fixes the deauth reason 3 error.

I installed the beta and things seem to be running smoothly but I haven't really tried anything :) I set up my network in NetworkManager but I never got the additional link to "get an ip" or whatever it was. I did before (when I was getting the error). Now after I hit save and commit nothing at all happens. I realize this isn't the best place to share these issues, I should submit a bug report but I'm waiting to get a little more meat to it.

I agree, the script sounds sick. Those of us without aircard modems or Androids need something to connect to on the fly. My dream script would:

a) search for any open wifi with a signal above X dbm and connect. It would verify it actually connects, pulls an IP and can possibly do a speed test to check connectivity.

b) if no open networks are available, starts brute forcing local WPA networks by trying passwords 1) ssid name 2) "password" 3) a provided list in a text file

c) if that doesn't work fires up reaver and attempts to check for WPS mode and cracking PINS

d) if no WPS, starts deauthing and grabbing WPA handshakes

e) simply run airodump collecting packets for later analysis

or

f) connect to local android phone wifi hotspot

Pretty decent failover plan, right? Can't wait to see the script!


It's funny, the more obstacles I face getting this thing working, the more determined I am to see it through. So many other things are taking a backseat to just getting a nice little pocket router I can carry around and collect data with.

TIP: for anyone trying to install the beta without a ICS setup, remember, you can always just connect to the open network ("pineapple xx:Xx") your pineapple sets up and upload the .bin file via the web interface if you have the .bin on your laptop. I know that sounds kind of obvious to most people but this thread is about my personal journey trying to get this thing working and I want to document every step!


In network manager, make sure you set lan to wan and access point to client.

I am almost ready to release my script, just a few more details to work out. My plan is to have support for encrypted access points in the future, but it may not make it into the initial release. I will be making a thread detailing the features and future plans.

I don't currently have plans to automate attacks although, Foxtrot is working on an infusion called automator which will do just that!


In network manager, make sure you set lan to wan and access point to client.

I am almost ready to release my script, just a few more details to work out. My plan is to have support for encrypted access points in the future, but it may not make it into the initial release. I will be making a thread detailing the features and future plans.

I don't currently have plans to automate attacks although, Foxtrot is working on an infusion called automator which will do just that!

I didn't have it set to WAN, but I went and tried changing it and still, I don't get a "get an ip" link next to radio1 :(

I should probably move these problems to the Network Manager infusion page and try to get some help there.


I'm not getting the dhcp request link on radio 0 in network manager. I haven't had a problem with radio 1. But once you set up the interface in network manager you can manually request an IP address by executing "udhcpc -i wlan1" for radio 1 or "udhcpc -i wlan0" for radio 0. Hope this helps
