Patriot, posted October 30, 2013 (edited)

PROBLEM

Smart system administrators can set up their IPS/IDS to detect, block and/or alert them at the presence of a pineapple within the area, simply by setting up a rule to alert them when a pineapple MAC address pops up anywhere on their network.

WORKAROUND

I have written a very clunky script that changes the hostname and MAC address automatically on boot, but it's somewhat buggy at the moment and doesn't work every time.

SOLUTION

There are people here that are much smarter than myself and can do a much better job at writing scripts. Can someone here help the community out and write a simple script/infusion for the pineapple that automatically changes the hostname and MAC address (macchanger) at every boot of the pineapple? Much appreciated.
chriswhat, posted October 31, 2013

Umm... here's a script.

    #!/bin/sh
    ifconfig wlan0 down
    ifconfig wlan1 down
    macchanger -A wlan0
    macchanger -A wlan1
    ifconfig wlan0 up
    ifconfig wlan1 up
Patriot (author), posted October 31, 2013

^ That's very similar to the script I am using, but that only gives it a random MAC address. We still have to:
- randomize the hostname
- execute both the macchanger and hostname changer scripts at startup of the pineapple

In other words, an ideal script would randomize both the MAC address and hostname at startup of the pineapple, so when it's booted up it's random every single time.
soap, posted October 31, 2013

I actually thought about this today when I was playing with various tools and I saw in my dhclient list on my router my pentesting Linux box and the pineapple.
chriswhat, posted October 31, 2013

> ^ That's very similar to the script I am using, but that only gives it a random MAC address. We still have to:
> - randomize the hostname
> - execute both the macchanger and hostname changer scripts at startup of the pineapple
> In other words, an ideal script would randomize both the MAC address and hostname at startup of the pineapple, so when it's booted up it's random every single time.

Instead of using a script, why not use your DIP switches to execute the MAC changer commands?

To make sure I understand... you want to change your hostname from Pineapple to something random? Depending on the type of hostname you want, you may need a dictionary file that contains the list of hostnames.
anode, posted October 31, 2013

> Instead of using a script, why not use your DIP switches to execute the MAC changer commands?
> To make sure I understand... you want to change your hostname from Pineapple to something random? Depending on the type of hostname you want, you may need a dictionary file that contains the list of hostnames.

Wouldn't a DIP switch use a script anyway? A random MAC at boot saves that limited DIP switch for other uses, I'd think.
chriswhat, posted November 1, 2013

Anode,

Well, the DIPs have to be used for something... so why not use them to change the MACs? Also, macchanger doesn't need to be issued by a script. You could always write your own infusion that executes on boot.
cillian, posted November 1, 2013 (edited)

Hey Anode,

The following will do the job [although chriswhat's DIP switch/infusion suggestion is interesting, must play around with those sometime soon]. This comes from a similar script I use in Kali with a few mods.

Create /etc/init.d/randhostnamemac:

    #!/bin/bash
    ### BEGIN INIT INFO
    # Provides:          randhostnamemac
    # Randomises hostname and MAC
    # placed in /etc/init.d.
    ### END INIT INFO

    # create hosts.old if not there (keeps the original hosts file, re-appended every boot)
    if [ ! -e /etc/hosts.old ]; then
        cp /etc/hosts /etc/hosts.old
    fi

    # assign the variable newhn a random value: 8 letters drawn from A-Z and a-z
    newhn=$(tr -dc 'A-Za-z' < /dev/urandom | head -c8)

    # update hostname and hosts with new value
    echo "$newhn" > /etc/hostname
    echo "127.0.1.1 $newhn" > /etc/hosts
    cat /etc/hosts.old >> /etc/hosts

    # update uci (OpenWrt config) and the running kernel hostname
    uci set system.@system[0].hostname="$newhn"
    uci commit system
    echo "$(uci get system.@system[0].hostname)" > /proc/sys/kernel/hostname

    # randomise MAC for wlan0 and wlan1
    ifconfig wlan0 down
    ifconfig wlan1 down
    macchanger -A wlan0
    macchanger -A wlan1
    ifconfig wlan0 up
    ifconfig wlan1 up
    exit 0

Then simply set it up to run on boot (the symlink must point at the file created above):

    chmod +x /etc/init.d/randhostnamemac
    ln -s /etc/init.d/randhostnamemac /etc/rc.d/S27randhostnamemac

S27 will put it running after the network starts at S20. Tested on a MK5 and seems fine.
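The detection side of this thread, as an added example (not code posted by anyone here): the opening post describes an IDS rule that alerts when a known Pineapple MAC prefix shows up on the network, and the script above produces hostnames of eight uniformly random mixed-case letters. The code below scans dnsmasq-style DHCP lease lines and flags three signals: a watchlisted OUI, a locally-administered MAC, and a random-looking hostname. The 00:11:22 watchlist prefix and the sample lease lines are constructed placeholders, not real Pineapple values; swap in the prefixes your own inventory cares about.

```python
"""Scan DHCP lease entries for signs of a rogue or MAC-randomised device.

Added example for this thread; not code posted by anyone in it.  The
watchlist prefix 00:11:22 and the lease lines are constructed placeholders.
"""
import re

# Constructed watchlist of OUIs (first three octets) to alert on.
WATCHLIST_OUIS = {"00:11:22"}  # placeholder prefix, not a real assignment

# dnsmasq /tmp/dhcp.leases line: <expiry> <mac> <ip> <hostname> <client-id>
LEASE_RE = re.compile(
    r"^(?P<expiry>\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\S+)\s+(?P<hostname>\S+)\s+(?P<clientid>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample leases (not captured from any real network).
SAMPLE_LEASES = """\
1383264000 00:11:22:aa:bb:cc 192.168.1.20 qXvTkLmP 01:00:11:22:aa:bb:cc
1383264060 00:aa:bb:12:34:56 192.168.1.21 Workstation 01:00:aa:bb:12:34:56
1383264120 02:de:ad:be:ef:01 192.168.1.22 * 01:02:de:ad:be:ef:01
1383264180 00:cc:dd:01:02:03 192.168.1.23 android-3f2a 01:00:cc:dd:01:02:03
"""


def parse_lease(line):
    """Return the lease fields as a dict, or None for a malformed line."""
    match = LEASE_RE.match(line.strip())
    if not match:
        return None
    lease = match.groupdict()
    lease["mac"] = lease["mac"].lower()
    return lease


def oui(mac):
    """First three octets of a colon-separated MAC, e.g. '00:11:22'."""
    return mac[:8]


def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set.  Random MACs built
    without a vendor prefix usually carry it; macchanger -A (as used in this
    thread) picks a real vendor prefix, so this signal alone is not enough."""
    return int(mac[:2], 16) & 0x02 != 0


def looks_random(hostname, min_len=8):
    """Heuristic for hostnames made of uniformly random letters: all alphabetic,
    frequent case flips between neighbouring letters, and few vowels.
    Ordinary names ('Workstation', 'android-3f2a') fail at least one test."""
    name = hostname.split(".")[0]
    if name == "*" or len(name) < min_len or not name.isalpha():
        return False
    case_flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    vowel_ratio = sum(ch in "aeiouAEIOU" for ch in name) / len(name)
    return case_flips >= 3 and vowel_ratio < 0.3


def classify(line):
    """Evaluate one lease line; returns None for unparsable input."""
    lease = parse_lease(line)
    if lease is None:
        return None
    reasons = []
    if oui(lease["mac"]) in WATCHLIST_OUIS:
        reasons.append("watchlisted OUI")
    if is_locally_administered(lease["mac"]):
        reasons.append("locally administered MAC")
    if looks_random(lease["hostname"]):
        reasons.append("random-looking hostname")
    return {"mac": lease["mac"], "ip": lease["ip"],
            "hostname": lease["hostname"], "reasons": reasons}


def scan_leases(text):
    """Return only the entries that triggered at least one reason."""
    results = (classify(line) for line in text.splitlines())
    return [r for r in results if r and r["reasons"]]


if __name__ == "__main__":
    for hit in scan_leases(SAMPLE_LEASES):
        print(f"{hit['ip']:<15} {hit['mac']}  {hit['hostname']:<14} "
              f"{', '.join(hit['reasons'])}")
```

On the constructed sample, the first lease trips both the OUI watchlist and the hostname heuristic, the third trips only the locally-administered bit, and the two ordinary hosts are left alone. The hostname heuristic is deliberately narrow (it targets the all-letters, mixed-case pattern the script above emits); a device that picks names from a dictionary, as chriswhat suggests, would need a different signal.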
newbi3, posted November 1, 2013

Why is a script needed? Just put it in the /etc/rc.local file.
jjd, posted November 1, 2013

Anyone get this working? I've tried, but when I use macchanger in a DIP switch it does not bring up the pineapple SSID after.
chriswhat, posted November 1, 2013

> Anyone get this working? I've tried, but when I use macchanger in a DIP switch it does not bring up the pineapple SSID after.

Same issue since performing a factory reset. After enabling wlan0 with ifconfig wlan0 up, it reflects that it's up but it doesn't broadcast. I have to use the network tile to enable it.
thesugarat, posted November 1, 2013

cillian,

After running that script does the Mk5 set up br-lan correctly? And does it still set the management port to whatever is called out in the Configuration tab? I can't think of any infusion that would be impacted by doing this. And it's a great idea overall for obfuscation.
cillian, posted November 1, 2013 (edited)

Hi thesugarat, no problems with anything network-related that I have noticed; never had any issues doing it this way on other Linux-based systems.

Hi newbi3, having it in a separate script fits in my troubleshooting process; hadn't thought about rc.local if I'm honest. :) I like having blocks that do a certain thing so I can disable them if I think they're causing trouble; this way it's a one-liner to disable rather than an edit of a larger file. In other systems I would tend to have quite a few custom scripts run at boot and require them to process in a certain order to function properly, I suppose that's the habit part.

On that note chriswhat, what's the command/s being run from the DIP switch? Is it something like

    ifconfig wlan0 down; ifconfig wlan1 down; macchanger -A wlan0; macchanger -A wlan1; ifconfig wlan0 up; ifconfig wlan1 up

I can't seem to find where they run in the boot order, though I must admit I haven't looked very hard, so maybe that's the issue. From the samples I've seen they seem to be executed quite late in the boot process. Why not associate a script with a DIP switch? I have not played with the DIP switches, but would that not ensure a graceful interface reset with changes? It also means you can add ts lines to write out to a file and see what's happening... [sorry, will have to try it myself later as work calls]
no42, posted November 1, 2013

Identification vectors:
- MAC address identification
- Default Pineapple_XXXX SSID identification

Solution:
- use the macchanger package (scripted using a DIP switch or /etc/rc.local)
- change the default SSID (under "Configuration")

Why I don't bother with the hostname... they would have to be connected to one of the pineapple's interfaces; at this point they've connected to an AP they're not really authorised to connect to? If they are connecting, surely they already think it's a rogue AP. Simple.
Some Guy, posted November 1, 2013 (edited)

> Why I don't bother with the hostname... they would have to be connected to one of the pineapple's interfaces; at this point they've connected to an AP they're not really authorised to connect to?

Um... no. Anyone can listen to unencrypted traffic that's in the air. An IPS could conceivably watch unencrypted traffic in the air for signs of a Pineapple. No need to connect - just watch others who are connected.

And, of course, you do realize that the Pineapple can be used as more than just an AP? If you use client mode, then its hostname will show up at the DHCP server you get a lease from, as well as to anyone who listens in on that.
bionicrocky, posted November 1, 2013 (edited)

I work for a company that makes WIPS and have competitors' gear around too. I will test these scripts to see how well they do at evasion!
no42, posted November 1, 2013

> Um... no. Anyone can listen to unencrypted traffic that's in the air. An IPS could conceivably watch unencrypted traffic in the air for signs of a Pineapple. No need to connect - just watch others who are connected.
> And, of course, you do realize that the Pineapple can be used as more than just an AP? If you use client mode, then its hostname will show up at the DHCP server you get a lease from, as well as to anyone who listens in on that.

Guess it all depends on your TEST system. Remember the Disclaimer!
Some Guy, posted November 2, 2013 (edited)

> Guess it all depends on your TEST system. Remember the Disclaimer!

We are discussing ways to avoid a third party sniffing the air to detect that I have a Pineapple. Why would the behaviour of the third party's IPS system "depend" on whether or not I'm using my Pineapple responsibly? My detectability remains the same regardless of my intentions. I could be doing nothing but giving out free Internet from a 4G dongle, but an IPS could still sniff the air and see that I have a Pineapple, even without connecting to it.
jjd, posted November 2, 2013

> On that note chriswhat, what's the command/s being run from the DIP switch? Is it something like
>     ifconfig wlan0 down; ifconfig wlan1 down; macchanger -A wlan0; macchanger -A wlan1; ifconfig wlan0 up; ifconfig wlan1 up
> I can't seem to find where they run in the boot order, though I must admit I haven't looked very hard, so maybe that's the issue. From the samples I've seen they seem to be executed quite late in the boot process. Why not associate a script with a DIP switch? I have not played with the DIP switches, but would that not ensure a graceful interface reset with changes? It also means you can add ts lines to write out to a file and see what's happening... [sorry, will have to try it myself later as work calls]

I am running a script from my DIP switch:

    ifconfig wlan0 down
    ifconfig wlan1 down
    macchanger -A wlan0
    macchanger -A wlan1
    ifconfig wlan0 up
    ifconfig wlan1 up

I am guessing the issue is that DIP switches run very late in the boot order though, and that's the problem with using DIP switches to change your MAC if you are not connecting with ethernet.
Sebkinne, posted November 2, 2013

> I am running a script from my DIP switch:
>     ifconfig wlan0 down
>     ifconfig wlan1 down
>     macchanger -A wlan0
>     macchanger -A wlan1
>     ifconfig wlan0 up
>     ifconfig wlan1 up
> I am guessing the issue is that DIP switches run very late in the boot order though, and that's the problem with using DIP switches to change your MAC if you are not connecting with ethernet.

You will need to execute the wifi command so that the changed MAC actually holds.
jjd, posted November 2, 2013

> You will need to execute the wifi command so that the changed MAC actually holds.

Thanks Seb, any chance you can tell me how that should look?
Sebkinne, posted November 2, 2013

> Thanks Seb, any chance you can tell me how that should look?

    ifconfig wlan0 down
    ifconfig wlan1 down
    macchanger -A wlan0
    macchanger -A wlan1
    wifi

That should do it.
jjd, posted November 2, 2013

>     ifconfig wlan0 down
>     ifconfig wlan1 down
>     macchanger -A wlan0
>     macchanger -A wlan1
>     wifi
> That should do it.

So I put that in a script for a DIP switch and the pineapple SSID now comes back up, but when I look at WiFi Manager both radios have their stock MACs :-S
Guest, posted November 3, 2013 (edited by tone)

> So I put that in a script for a DIP switch and the pineapple SSID now comes back up, but when I look at WiFi Manager both radios have their stock MACs :-S

Yup. This was an issue with the previous pineapple, and apparently it's a "bug". If this "bug" is fixed that would enable people to run the pineapple completely anonymously; we can't have that :P
tom564, posted November 5, 2013

Has anyone come up with a working solution yet?