
[Discussion] Mark V Infusions


Oli


So, I'm a little confused about the concept of infusions...

  • There are four infusion developers and over 75% of infusions are written by one contributor - whistlemaster.
  • All infusions seem to be pretty central to the core concept of a "WiFi Pineapple" pentest platform. None of the infusions are so bespoke (or so large in size) that most people wouldn't feasibly be able to find a use for them.
  • The MKV hardware doesn't have the same storage limitations as the previous hardware generations (now with a 2GB SD card out of the box).
  • Hak5 (whilst awesome!) is not Apple or Microsoft with the need for "App Stores". They don't have to support a plethora of users and purposes.
  • All infusions are (essentially) wrappers around relatively basic Linux commands.
  • 'Infusions' are limited in terms of functionality due to the API that they must conform to.
  • Overhead and developer cycles are currently going into providing the 'infusion' infrastructure and bandwidth w.r.t. hosting on the wifiepinapple.com site.
  • "Real" pentesters would typically just use the command line where an entire infusion could be replicated in just a few lines of code.
  • If I was a 'script kiddie' I would be really mad! Say what!!!! The traditional main selling point of the pineapple (Karma) is broken and the successor is vapourware!!!! What is the USP of the pineapple? And I can't client mode connect to my access point!

As per https://forums.hak5....munity-project/ why isn't the web interface open and why aren't people contributing to the core product? I would rather just pull head revs from (e.g.) github and have the latest functionality than deal with the infusion/bar paradigm?

I have some ideas (that I genuinely think would enhance the product) which I would like to code up and share but I am struggling to work out why to conform with the current paradigms rather than spawn a completely different web interface project that includes all existing infusions functionality as "first class citizens"... If we are not careful the MKV landscape will become fragmented like the USB Rubber Ducky.

I'd understand if the core web interface was full featured and robust, but I am a software engineer / web developer and (from experience) the core web interface is ignoring many "best practice" principles (robust code, error handling, input validation, cross-browser compatibility, support for browsers without JavaScript, asynchronous jQuery approach, proper test scripts, etc.).

I apologize if I sound negative - I'm not - Hak5 are doing an amazing job with the limited budget/size and the hardware has great potential, but I'm struggling to understand why they are not fully embracing community involvement?

Why aren't we enhancing the pineapple together and for the benefit of Hak5 and the wider community? The software is free and the money is spent in support of the show and on the hardware rather than the software... If we all enhance the software together then it is a win-win situation for everybody - we all get an awesome experience out-of-the-box and Hak5 has the de facto pentest hardware that it sells, advertises and markets - after all, the hardware is unparalleled in terms of features/price/potential.

There is so much 'low hanging fruit' that we are failing to take advantage of.

Seriously, $99 is an amazing price point. The hardware is really something to be proud of. But, as an IT professional I feel that the USP is currently lacking. I believe that the infusion community has the answer.

Am I missing something?

Edited by Oli

I'll try and reason with some of the bullet points that I can do.

So, I'm a little confused about the concept of infusions...

  • There are four infusion developers and over 75% of infusions are written by one contributor - whistlemaster.
  • All infusions seem to be pretty central to the core concept of a "WiFi Pineapple" pentest platform. None of the infusions are so bespoke (or so large in size) that most people wouldn't feasibly be able to find a use for them.
  • The MKV hardware doesn't have the same storage limitations as the previous hardware generations (now with a 2GB SD card out of the box).
  • Hak5 (whilst awesome!) is not Apple or Microsoft with the need for "App Stores". They don't have to support a plethora of users and purposes.
  • All infusions are (essentially) wrappers around relatively basic Linux commands.
  • 'Infusions' are limited in terms of functionality due to the API that they must conform to.
  • Overhead and developer cycles are currently going into providing the 'infusion' infrastructure and bandwidth w.r.t. hosting on the wifiepinapple.com site.
  • "Real" pentesters would typically just use the command line where an entire infusion could be replicated in just a few lines of code.
  • If I was a 'script kiddie' I would be really mad! Say what!!!! The traditional main selling point of the pineapple (Karma) is broken and the successor is vapourware!!!! What is the USP of the pineapple? And I can't client mode connect to my access point
  • We (as in the community) encourage more people to develop more infusions all the time, the reason you see the most infusions developed by Whistle Master is because he made the same infusions with some different text and commands, that's all.
  • You mean like RandomRoll? Or am I missing something here?
  • This again should help encourage more people to make awesome infusions! I know that I am in the middle of incorporating a graphical Dip Switch 'assigner' to my System Control module, and that 'Notepad' is now usable because you can save text to internal storage if need be.
  • Well, they kind of do. The WiFi Pineapple is used by Pro pentesters and Educational Institutes and learners and hackers (by real definition.) and hobbyists and, well you get the idea. The Infusion Bar enables these many types of users to have the ability to use the WiFi Pineapple in different contexts.
  • Some people like the Web UI more than the CLI...
  • Didn't get that one.
  • I don't think anyone ever is in the position to define a 'real' pentester. People have different methods of doing things, I may have mine, and you may have yours, but we might be on the same job. I think you are getting pentesting mixed up with hacker movies.

and the best one for last I see..

  • Karma is NOT broken. If you are expecting Karma to work for every device that will ever be made, you are an idiot. The reason most people are not getting desired results is because of the way Android has realised this vulnerability and made a move to fix it. As has been said many times before now, it's a game, they patch it, we break it, they patch it, we break it, and again and again and again.

-Foxtrot

Edited by Foxtrot

As has been said many times before now, it's a game, they patch it, we break it, they patch it, we break it, and again and again and again.

Gotta love the security industry


Foxtrot, your infusions sound really useful but they illustrate my point:

All MK V hardware is the same - why do I need your infusion to further configure something so basic to the platform as the DIP switches (the same goes for infusions for LEDs, the radios, etc)? Why do I need your notepad infusion? The bigger picture is that it would be hugely advantageous for the entire community if the MK V supported editing of plain text files on the filesystem. This way you can have notepad functionality but also the ability to edit, say, the config files. These are basic things that everybody needs and should be core and not an infusion.

I think that the best use-case for infusions is for things that are so bespoke that only a few people would need them. Things so core should be rolled into the mainline.

I really like the ability to execute arbitrary shell commands from the UI. It has some quick win enhancements that could be easily coded (say remembering previous command, stderr support with colorizing, etc). I could make an infusion for the community but would it not be better to be able to pull the code, make the enhancements and then submit a pull request?

I didn't make myself clear w.r.t. Karma and 'real' pentesters so please don't insult me. The point I was trying to make is that the historical selling point of the pineapple was Karma - this was the focus of the pineapple site until recently and heavily promoted in the Hak5 videos. If I had bought the pineapple for this purpose then I would be disappointed as it is 'broken' due to the landscape changing. The pineapple offers so much more and the real value-add propositions of the platform as a honeypot/dropbox are not being fully exploited by the UI. As it stands there is so much 'friction' that it is easier to just ssh in than to use the web interface which is a shame.


It is ok to disagree but don't be disagreeable.

The pineapple was made to accommodate everyone that is interested in learning. From Noob/Skiddy to pro, set the pineapple up how you want and let others do the same. If you don't like how it is, then make your own custom version of the software and submit it here to be voted on.

Simple.

:D

Edited by mreidiv

All infusions are (essentially) wrappers around relatively basic Linux commands.
'Infusions' are limited in terms of functionality due to the API that they must conform to.

No. A lot of them are but they do not have to be. Think of an infusion as a webapp.

Kinda, you can use a mix of php, shell scripts, python, perl, ruby and maybe even a few others although all infusions have to be approved before they are released such that you can't create say "The porn infusion" or "Step by step clicky guide to own old apache installs".


Computerchris, I totally understand and you hit it right on the head. That's why I create my own infusions for my own pentesting that I know would not likely get approved. Not to mention that most, if not all, infusions that I create really only apply to specific pentests and likely in a use once scenario. All the pineapples are great for this though I still love running Rickrolls at parties. :)


We (as in the community) encourage more people to develop more infusions all the time, the reason you see the most infusions developed by Whistle Master is because he made the same infusions with some different text and commands, that's all.

Well, it's a bit simplistic... My infusions are a bit more than just simple UI to commands: Site Survey or WiFi Manager just to mention some of them ;)
