Detection of the pineapple in the wild & evasion methods


Patriot

PROBLEM

Smart system administrators can set up their IPS/IDS to detect, block and/or alert them to the presence of a Pineapple within the area by simply setting up a rule to alert them when a Pineapple MAC address pops up anywhere on their network.

WORKAROUND

I have written a very clunky script that changes the hostname and MAC address automatically on boot, but it's somewhat buggy at the moment and doesn't work every time.

SOLUTION

There are people here that are much smarter than myself and can do a much better job at writing scripts. Can someone here help the community out and write a simple script/infusion for the Pineapple that automatically changes the hostname and MAC address (macchanger) at every boot of the Pineapple? Much appreciated.

Edited by Patriot

Umm... here's a script.

#!/bin/sh
ifconfig wlan0 down
ifconfig wlan1 down
macchanger -A wlan0
macchanger -A wlan1
ifconfig wlan0 up
ifconfig wlan1 up


^ That's very similar to the script I am using, but that only gives it a random MAC address.

We still have to:

- randomize the hostname

- execute both macchanger and hostname changer scripts at startup of the pineapple

In other words an ideal script would randomize both the mac address and hostname at startup of the pineapple so when it's booted up it's random every single time.


Instead of using a script, why not use your DIP switches to execute the MAC changer commands?

To make sure I understand... you want to change your hostname from Pineapple to something random? Depending on the type of hostname you want, you may need a dictionary file that contains the list of hostnames.


Wouldn't a DIP switch use a script anyway? A random MAC at boot saves that limited DIP switch for other uses, I'd think.


Anode,

Well, the DIPs have to be used for something... so why not use them to change the MACs?

Also, macchanger doesn't need to be issued by a script.

You could always write your own infusion that executes on boot.


Hey Anode,

The following will do the job [although chriswhat's DIP switch/infusion suggestion is interesting, must play around with those sometime soon].

This comes from a similar script I use in kali with a few mods.

create /etc/init.d/randhostnamemac

#!/bin/sh
### BEGIN INIT INFO
# Provides: randhostnamemac
# Randomises hostname and MAC
# placed in /etc/init.d.
### END INIT INFO

# keep a pristine copy of /etc/hosts the first time this runs
# (-e rather than the bash-only -a so it also works under busybox sh)
if [ ! -e /etc/hosts.old ]; then
    cp /etc/hosts /etc/hosts.old
fi

# assign the variable newhn a random 8-letter value
newhn=$(tr -dc 'A-Za-z' < /dev/urandom | head -c 8)

# update hostname and hosts with the new value
echo "$newhn" > /etc/hostname
echo "127.0.1.1 $newhn" > /etc/hosts
cat /etc/hosts.old >> /etc/hosts

# update uci so the web UI and the rest of OpenWrt see the same name
uci set system.@system[0].hostname="$newhn"
uci commit system
uci get system.@system[0].hostname > /proc/sys/kernel/hostname

# randomise MAC for wlan0 and wlan1 (interfaces must be down to change them)
ifconfig wlan0 down
ifconfig wlan1 down
macchanger -A wlan0
macchanger -A wlan1
ifconfig wlan0 up
ifconfig wlan1 up

exit 0

Then simply set it up to run on boot

chmod +x /etc/init.d/randhostnamemac
ln -s /etc/init.d/randhostnamemac /etc/rc.d/S27randhostnamemac

S27 will put it running after the network starts at S20.
Tested on a MK5 and seems fine.
Edited by cillian

Anyone get this working? I've tried, but when I use macchanger in a DIP switch it does not bring up the Pineapple SSID afterwards.

Same issue since performing factory reset. After enabling wlan0 with ifconfig wlan0 up, it reflects that it's up but it doesn't broadcast. I have to use the network tile to enable it.


cillian,

After running that script does the Mk5 setup br-lan correctly? And does it still set the management port to whatever is called out in the Configuration Tab? I can't think of any infusion that would be impacted by doing this. And it's a great idea overall for obfuscation.


Hi thesugarat,

No problems with anything network-related that I have noticed; never had any issues doing it this way on other Linux-based systems.

Hi newbi3, having it in a separate script fits in my troubleshooting process; hadn't thought about rc.local, if I'm honest. :)

I like having blocks that do a certain thing so I can disable them if I think they're causing trouble; this way it's a one-liner to disable rather than an edit of a larger file.

In other systems I would tend to have quite a few custom scripts run at boot and require them to process in a certain order to function properly, I suppose that's the habit part.

On that note chriswhat, what's the command(s) being run from the DIP switch? Is it something like

ifconfig wlan0 down; ifconfig wlan1 down; macchanger -A wlan0; macchanger -A wlan1; ifconfig wlan0 up; ifconfig wlan1 up

I can't seem to find where they run in the boot order, though I must admit I haven't looked very hard, so maybe that's the issue. From the samples I've seen they seem to be executed quite late in the boot process.

Why not associate a script with a dip switch, I have not played with the dip switches but would that not ensure a graceful interface reset with changes? It also means you can add ts lines to write out to a file and see what's happening...

[sorry will have to try it myself later as work calls]

Edited by cillian

  1. MAC Address Identification
  2. Default Pineapple_XXXX SSID Identification

Solution:

  1. use the macchanger package (scripted using 'DIP switch' or /etc/rc.local)
  2. Change the default SSID (under "Configuration")

Why I don't bother with the hostname... they would have to be connected to one of the Pineapple's interfaces; at this point they've connected to an AP they're not really authorised to connect to? If they are connecting, surely they already think it's a rogue AP.

Simple.


Um... no. Anyone can listen to unencrypted traffic that's in the air. An IPS could conceivably watch unencrypted traffic in the air for signs of a Pineapple. No need to connect - just watch others who are connected.

And, of course, you do realize that the Pineapple can be used as more than just an AP? If you use client mode, then its hostname will show up at the DHCP server you get a lease from. As well as to anyone who listens in on that.

Edited by Some Guy
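The two posts above describe what a defender's rule actually keys on: the MAC prefix and the default Pineapple_XXXX SSID from the problem/solution list, plus the stock hostname that lands in DHCP whenever the device is in client mode. The following is an added example of that detection logic, not code from the thread or from Hak5, run over constructed dnsmasq-style DHCP log lines and a constructed SSID list (the log format and all sample values are made up for this example). The OUI watchlist is an operator input; the example does not assume any specific vendor prefix.

```shell
#!/bin/sh
# Added example (not from the thread): the defender's side. Flags DHCP clients
# announcing the stock "Pineapple" hostname, SSIDs in the default
# Pineapple_XXXX form, and DHCP clients whose MAC prefix is on an
# operator-supplied watchlist. Sample data below is constructed.

# Constructed dnsmasq-style lease log (DHCPACK <ip> <mac> <hostname>).
SAMPLE_DHCP_LOG='Jun  3 10:01:12 gw dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.23 aa:bb:cc:dd:ee:01 laptop-kate
Jun  3 10:02:40 gw dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.24 aa:bb:cc:dd:ee:02 Pineapple
Jun  3 10:03:05 gw dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.25 aa:bb:cc:dd:ee:03 android-7f3'

# Constructed list of SSIDs seen by a wireless sensor, one per line.
SAMPLE_SSIDS='CorpWiFi
Pineapple_1A2B
Guest
pineapple_zz99'

# Print "<mac> <hostname>" for every DHCPACK whose hostname matches the watch
# pattern (case-insensitive; default is the stock name). Reads stdin.
# Lines without a hostname are skipped because the MAC check fails.
flag_dhcp_hostnames() {  # usage: flag_dhcp_hostnames [awk-regex] < log
    pat=$1
    [ -n "$pat" ] || pat='^pineapple$'
    awk -v pat="$pat" '
        /DHCPACK\(/ && $(NF-1) ~ /^..:..:..:..:..:..$/ && tolower($NF) ~ pat {
            print $(NF-1), $NF
        }'
}

# Print SSIDs in the default Pineapple_XXXX form (four hex digits). Reads stdin.
flag_default_ssids() {
    grep -E '^Pineapple_[0-9A-Fa-f]{4}$'
}

# Print the MAC of every DHCPACK whose first three octets are on the
# space-separated watchlist ("aa:bb:cc 11:22:33"). Reads stdin.
flag_oui() {  # usage: flag_oui "<oui> <oui> ..." < log
    awk -v list="$1" '
        BEGIN { n = split(tolower(list), w, " ") }
        /DHCPACK\(/ {
            mac = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^..:..:..:..:..:..$/) mac = tolower($i)
            for (i = 1; i <= n; i++) if (mac != "" && index(mac, w[i]) == 1) print mac
        }'
}

# Total number of hostname + SSID findings in the sample data.
count_findings() {
    a=$(printf '%s\n' "$SAMPLE_DHCP_LOG" | flag_dhcp_hostnames | wc -l)
    b=$(printf '%s\n' "$SAMPLE_SSIDS" | flag_default_ssids | wc -l)
    echo $((a + b))
}
```

On the sample data the hostname rule fires once (the "Pineapple" lease) and the SSID rule once (Pineapple_1A2B; the lowercase, non-hex "pineapple_zz99" is left alone), which is exactly why randomising only the MAC, as the first scripts in this thread do, still leaves two signals for an IPS to catch.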

Guess it all depends on your TEST system.

Remember the Disclaimer!


We are discussing ways to avoid a third-party sniffing the air to detect that I have a Pineapple. Why would the behaviour of the third-party's IPS system "depend" on whether or not I'm using my Pineapple responsibly? My detectability remains the same regardless of my intentions.

I could be doing nothing but giving out free Internet from a 4G dongle, but an IPS could still sniff the air and see that I have a Pineapple, even without connecting to it.

Edited by Some Guy

I am running a script from my dip switch:

ifconfig wlan0 down
ifconfig wlan1 down
macchanger -A wlan0
macchanger -A wlan1
ifconfig wlan0 up
ifconfig wlan1 up

I am guessing the issue is that DIP switches run very late in the boot order, though, and that's the problem with using DIP switches to change your MAC if you are not connecting with Ethernet.


You will need to execute the wifi command so that the changed MAC actually holds.


ifconfig wlan0 down
ifconfig wlan1 down
macchanger -A wlan0
macchanger -A wlan1
wifi
That should do it.

So I put that in a script for a dip switch and the pineapple ssid now comes back up but when I look at wifi manager both radios have their stock macs :-S


Yup. This was an issue with the previous Pineapple, and apparently it's a "bug".

If this "bug" is fixed that would enable people to run the Pineapple completely anonymously, we can't have that :P

Edited by tone
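The behaviour described in the last few posts (the SSID only comes back after `wifi`, and then both radios show their stock MACs again) is what you get when the address is changed on the live interface and the wireless configuration is then reloaded from uci, which knows nothing about the change. The following is an added example, not code from the thread or from Hak5, that takes cillian's init-script approach but writes the random addresses into the uci wireless config so that the `wifi` reload applies them instead of reverting them. It assumes a POSIX/busybox sh with `uci`, `od` and `/dev/urandom`, and that the firmware's wifi-iface sections honour `option macaddr` as stock OpenWrt does; the section indexes 0 and 1 for wlan0/wlan1 are a guess and must be checked with `uci show wireless` on your own device. Unlike `macchanger -A`, which still picks a real vendor prefix, this generates locally administered addresses with no OUI at all.

```shell
#!/bin/sh
# Added example, not code from the thread or from Hak5. Randomises the hostname
# and both wireless MACs on an OpenWrt-style device and, instead of editing a
# live interface (which a later `wifi` reload undoes), persists the addresses
# in the uci wireless config so the reload applies them.
# Assumptions: POSIX/busybox sh, uci, od, /dev/urandom, and wifi-iface
# sections that honour `option macaddr`. Section indexes 0 and 1 for
# wlan0/wlan1 are a guess; verify with `uci show wireless`.

# Random unicast, locally administered MAC: bit 0 of the first octet cleared
# (unicast), bit 1 set (locally administered). No vendor OUI is used, so an
# OUI-based IDS rule has nothing to match.
gen_mac() {
    hex=$(head -c 6 /dev/urandom | od -An -tx1 | tr -d ' \n')
    first=$(printf '%s' "$hex" | cut -c1-2)
    first=$(printf '%02x' $(( (0x$first & 0xfe) | 0x02 )))
    rest=$(printf '%s' "$hex" | cut -c3-12 | sed 's/\(..\)/:\1/g')
    printf '%s%s\n' "$first" "$rest"
}

# Sanity check used before committing: well-formed, unicast, locally
# administered. Returns non-zero for a burned-in vendor address or a
# multicast address.
is_local_unicast_mac() {
    printf '%s' "$1" | grep -Eqi '^[0-9a-f]{2}(:[0-9a-f]{2}){5}$' || return 1
    first=$(printf '%s' "$1" | cut -c1-2)
    [ $(( 0x$first & 0x03 )) -eq 2 ]
}

# Random lowercase hostname (default 8 letters) so the stock name never shows
# up in DHCP requests or on the LAN.
gen_hostname() {
    LC_ALL=C tr -dc 'a-z' < /dev/urandom | head -c "${1:-8}"
    echo
}

# Persist a MAC for one wifi-iface section. Set it on the wifi-iface, not the
# wifi-device: older OpenWrt uses the wifi-device macaddr to identify the radio.
set_wifi_mac() {  # usage: set_wifi_mac <wifi-iface index> <mac>
    is_local_unicast_mac "$2" || return 1
    uci set "wireless.@wifi-iface[$1].macaddr=$2"
}

set_hostname() {  # usage: set_hostname <name>
    uci set "system.@system[0].hostname=$1"
    uci commit system
    echo "$1" > /proc/sys/kernel/hostname
}

randomise_all() {
    set_hostname "$(gen_hostname)"
    set_wifi_mac 0 "$(gen_mac)" || return 1
    set_wifi_mac 1 "$(gen_mac)" || return 1
    uci commit wireless
    wifi   # reload wireless; the addresses now come from config, not a live edit
}

# OpenWrt runs /etc/rc.d/S* scripts with "boot" (or "start") as the first
# argument, so the real work only happens at boot, not when the file is
# sourced for testing.
case "$1" in
    boot|start) randomise_all ;;
esac
```

Install it the same way as cillian's script (`chmod +x`, then an `S`-prefixed symlink in `/etc/rc.d/`). One caveat worth knowing before relying on this: a locally administered address is itself a weak signal, since some wireless monitoring treats "no vendor OUI" as "randomised client", so it removes the Pineapple fingerprint without making the device invisible.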
