altjx (thread author), posted December 18, 2013 (edited December 18, 2013 by altjx):
Still learning more about the Pineapple and loving this device so far. I'm also still learning quite a bit about assessing wireless networks too, and I hope this isn't the wrong place to post my question. To my knowledge, Karma on the WiFi Pineapple doesn't bring up a rogue AP as long as the probe request is for a wireless network that uses encryption, correct? That being said, I ran across an article that referred to bringing up a rogue AP and making someone connect to his instead of their original one. The confusing part for me is that the victim's original wireless AP is encrypted with WEP, so how does bumping him off his force him to connect to their rogue AP, despite the signal being stronger? Is it possible to bring up a rogue AP with encryption (and trick clients into connecting to it), but just not supported by Karma? I thought the reason Karma didn't bring up rogue APs that use encryption was because clients wouldn't connect to it. Here's an excerpt from the article:
> Note that we once again used his BSSID in the aireplay-ng command. If our signal is stronger than his own AP, he will automatically reconnect to our evil twin.
JesseIZ, posted December 18, 2013:
> Still learning more about the Pineapple and loving this device so far. I'm also still learning quite a bit about assessing wireless networks too, and I hope this isn't the wrong place to post my question. To my knowledge, Karma on the WiFi Pineapple doesn't bring up a rogue AP as long as the probe request is for a wireless network that uses encryption, correct? That being said, I ran across an article that referred to bringing up a rogue AP and making someone connect to his instead of their original one. The confusing part for me is that the victim's original wireless AP is encrypted with WEP, so how does bumping him off his force him to connect to their rogue AP, despite the signal being stronger? Is it possible to bring up a rogue AP with encryption (and trick clients into connecting to it), but just not supported by Karma? I thought the reason Karma didn't bring up rogue APs that use encryption was because clients wouldn't connect to it. Here's an excerpt from the article:
Rogue AP with encryption doesn't work right now (maybe later) because the BSSID has to be changed, and with open networks only the SSID has to be changed, if I am correct. - jesse
altjx (thread author), posted December 18, 2013:
> Rogue AP with encryption doesn't work right now (maybe later) because the BSSID has to be changed, and with open networks only the SSID has to be changed, if I am correct. - jesse
Is this referring to just Karma? Or bringing up a rogue AP in general? Also, in the probe request, the BSSID of the networks the client is reaching for shows, correct?
Foxtrot, posted December 18, 2013:
Karma will not work on encrypted APs because it has no way of acquiring the handshake for the real AP... This has been answered at least twice now :P
altjx (thread author), posted December 18, 2013:
> Karma will not work on encrypted APs because it has no way of acquiring the handshake for the real AP... This has been answered at least twice now :P
Thanks. So I'm guessing airbase should work for something like this since Karma doesn't, right?
Foxtrot, posted December 18, 2013:
I'm not quite grasping what you mean, sorry. Can you elaborate please :)
overwraith, posted December 18, 2013:
What if you used alternate methods to gain the target's WiFi password? Would this be unfeasible then?
tom564, posted December 18, 2013:
> Thanks. So I'm guessing airbase should work for something like this since Karma doesn't, right?
If you have the key I believe it may be possible.
altjx (thread author), posted December 18, 2013:
> I'm not quite grasping what you mean, sorry. Can you elaborate please :)
Well, so Karma will not bring up a rogue AP using encryption because of what you stated. What about this other article that referred to bringing up a rogue AP using WEP, deauthing the victim and having the victim connect to his rogue WEP-enabled AP? I guess I'm trying to figure out if this is a limitation with Karma itself, or if this just can't happen in general. Sorry for any confusion.
Foxtrot, posted December 18, 2013:
If you did have the password beforehand, then I think it would be capable of adding _all_ of the key's information to a file, and supplying that to Karma.
Foxtrot, posted December 18, 2013 (edited December 18, 2013 by Foxtrot):
> Well, so Karma will not bring up a rogue AP using encryption because of what you stated. What about this other article that referred to bringing up a rogue AP using WEP, deauthing the victim and having the victim connect to his rogue WEP-enabled AP? I guess I'm trying to figure out if this is a limitation with Karma itself, or if this just can't happen in general. Sorry for any confusion.
Currently, Karma only works on open APs. Having a WEP-enabled Evil AP would defeat the whole purpose of Karma at the moment.
altjx (thread author), posted December 18, 2013:
So to clarify, you can bring up a rogue AP and have others seamlessly connect to it (by deauthing them, etc.) while using encryption -- just not using Karma. Correct?
Foxtrot, posted December 18, 2013:
Well, theoretically speaking (as I haven't tried), if it's possible to clone the real AP by having the same MAC, SSID, BSSID and whatnot. Possibly.
altjx (thread author), posted December 18, 2013:
> Well, theoretically speaking (as I haven't tried), if it's possible to clone the real AP by having the same MAC, SSID, BSSID and whatnot. Possibly.
Gotcha. Thanks man! Think I have all the answers I needed then. :) Much appreciated.
Boosted240, posted December 18, 2013:
> So to clarify, you can bring up a rogue AP and have others seamlessly connect to it (by deauthing them, etc.) while using encryption -- just not using Karma. Correct?
I have done this with Kali and the Pineapple. With the Pineapple using wlan0 to "clone" the network, and wlan1 for internet connection/access. wlan2 can then be used for deauth. I honestly don't really do much with Karma. Example: at a friend's house, living room. Cloned his network, and connected with wlan1. Within about 20 minutes, most of his devices were running through the Pineapple, with no deauth needed. (Guessing because his router is in the basement.)
altjx (thread author), posted December 18, 2013 (edited December 18, 2013 by altjx):
> I have done this with Kali and the Pineapple. With the Pineapple using wlan0 to "clone" the network, and wlan1 for internet connection/access. wlan2 can then be used for deauth. I honestly don't really do much with Karma. Example: at a friend's house, living room. Cloned his network, and connected with wlan1. Within about 20 minutes, most of his devices were running through the Pineapple, with no deauth needed. (Guessing because his router is in the basement.)
Very interesting. This is exactly what I'm trying to figure out how to do. I highly doubt it, but you wouldn't happen to have posted a guide on your process doing this, would you? What encryption did he use? He DID have to enter in a key right when connected to yours?
Boosted240, posted December 18, 2013:
> What encryption did he use? He DID have to enter in a key right when connected to yours?
No, it's all automatic. It's the exact same way it works if you have two routers at home, or at work, the mall, Starbucks, etc., with several APs. Your device will connect to the strongest signal. Example: I have two routers at home. Both set up exactly the same. Someone who doesn't know any better only sees one network, and the device will choose the best AP. I set up the Pineapple exactly the same as well; I then have three APs. At the "coffee shop" you clone the network exactly, and the guy beside you will connect to the Pineapple, as it's sitting right next to him. I know there are a lot more variables at play, but this is the basic idea. I've included a screenshot of my company WiFi, and you can see all the APs that are set up exactly the same to cover a large area. Theoretically, any of these *could* be a Pineapple. https://www.dropbox.com/s/xg7k3yllmefgvjb/Screenshot_2013-12-18-17-49-01.png
altjx (thread author), posted December 18, 2013:
> No, it's all automatic. It's the exact same way it works if you have two routers at home, or at work, the mall, Starbucks, etc., with several APs. Your device will connect to the strongest signal. Example: I have two routers at home. Both set up exactly the same. Someone who doesn't know any better only sees one network, and the device will choose the best AP. I set up the Pineapple exactly the same as well; I then have three APs. At the "coffee shop" you clone the network exactly, and the guy beside you will connect to the Pineapple, as it's sitting right next to him. I know there are a lot more variables at play, but this is the basic idea. I've included a screenshot of my company WiFi, and you can see all the APs that are set up exactly the same to cover a large area. Theoretically, any of these *could* be a Pineapple. https://www.dropbox.com/s/xg7k3yllmefgvjb/Screenshot_2013-12-18-17-49-01.png
Gotcha, so despite his network using a different key, it still connects to yours, and your AP accepts whatever he gives it, it sounds like. I'm in the process now of giving this a shot on the Pineapple. For some reason, I can't connect to any of the APs I create with airbase-ng. >_<
Boosted240, posted December 18, 2013 (edited December 18, 2013 by Boosted240):
> Gotcha, so despite his network using a different key, it still connects to yours, and your AP accepts whatever he gives it, it sounds like.
No, the security and key have to match exactly for this to work. If "his" network is WPA2 with "suckithard" as the key, then that's how your Pineapple needs to be set up.
barry99705, posted December 18, 2013:
> Hmm, so technically you can't bring up a rogue AP, disconnect him from his, and have him connect to yours unless you have his key, which would be obtained only after a successful cracking attempt, eh? Well I guess that just ruined my whole plan. Thought I could somehow clone a network, deauth systems from that network and have them connect to mine. But if I don't have the key they use, then I'm pretty much screwed in that case, eh?
Correct, if it's not the same key, it's not the same network.
Boosted240, posted December 18, 2013:
> Hmm, so technically you can't bring up a rogue AP, disconnect him from his, and have him connect to yours unless you have his key, which would be obtained only after a successful cracking attempt, eh? Well I guess that just ruined my whole plan. Thought I could somehow clone a network, deauth systems from that network and have them connect to mine. But if I don't have the key they use, then I'm pretty much screwed in that case, eh?
Uhhhh, pretty much yeah. Unless you know of another network they have on their devices that's open or you DO have the key for. Then you can set that up, and lure them onto the Pineapple with better signal, deauth, etc. (This is sorta how Karma works with open networks.) Example: you know all of these devices have been on an open WiFi at one point, such as "attwifi", so you set that up.
overwraith, posted December 19, 2013:
So I suppose the next question is what kinds of techniques are open to a penetration tester to find out this information. I am new to the Pineapple community, so I am still learning. I am guessing that WEP cracking tools would be used to crack WEP (I don't know of any), and WPA would be cracked by a Reaver-type attack, whether it be 'bully' or Reaver itself.
Boosted240, posted December 19, 2013:
> So I suppose the next question is what kinds of techniques are open to a penetration tester to find out this information. I am new to the Pineapple community, so I am still learning. I am guessing that WEP cracking tools would be used to crack WEP (I don't know of any), and WPA would be cracked by a Reaver-type attack, whether it be 'bully' or Reaver itself.
I haven't done too much WiFi cracking with the Pineapple, but Reaver and Bully do work (both are very slow for me), and I can't seem to get Wash to work. For WEP you can use aircrack-ng, which also works. For me, it's still faster and easier to use Kali (on a laptop or Raspberry Pi); then you have tools like wifite, fern, reaver, bully, wash, dictionary attacks, etc. It looks like the Site Survey infusion has "capture" built in; I'm guessing that's for getting the 4-way handshake, so then you can use something like hashcat to brute-force.
altjx (thread author), posted December 19, 2013 (edited December 19, 2013 by altjx):
The problem that I struggled with during my hours of research is that many articles failed to mention that Evil Twin requires you to not only have the same ESSID and MAC, but also the same WEP/WPA/WPA2 key that clients use to connect to the legitimate APs. Unless I'm still wrong on this? Isn't this one of the most important steps in creating an evil twin that uses encryption?
Boosted240, posted December 19, 2013:
> The problem that I struggled with during my hours of research is that many articles failed to mention that Evil Twin requires you to not only have the same ESSID and MAC, but also the same WEP/WPA/WPA2 key that clients use to connect to the legitimate APs. Unless I'm still wrong on this? Isn't this one of the most important steps in creating an evil twin that uses encryption?
You're not wrong. Just like @barry99705 said, "if it's not the same key, it's not the same network." In my experience the MAC isn't as important. Again, two routers in my house, each one with different MACs, but my devices will go between the two seamlessly. I'm sure in a more complex situation, cloning the MAC would be necessary. What is it exactly that you're trying to do?
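The thread's conclusion, from the defender's side: a legitimate WLAN is many BSSIDs sharing one SSID and one security configuration, so a lookalike AP stands out either because it advertises a different security setting (the open twin Karma-style setups rely on) or because it is a BSSID the inventory has never seen. The following beacon audit is an added example written for this page, not code from the Pineapple or from anyone in the thread; the BSSIDs, SSIDs and beacon observations are constructed, and the inventory format and severity labels are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str  # e.g. "OPEN", "WEP", "WPA2-PSK-CCMP" (constructed labels)
    channel: int
    rssi: int      # dBm as seen by the monitoring sensor

# Constructed inventory: BSSIDs that legitimately serve each SSID.
KNOWN_APS = {
    "corp-wifi": {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"},
    "guest":     {"00:11:22:33:44:10"},
}

# Constructed beacon observations from one monitor-mode capture.
OBSERVED = [
    Beacon("corp-wifi", "00:11:22:33:44:01", "WPA2-PSK-CCMP", 1, -62),
    Beacon("corp-wifi", "00:11:22:33:44:02", "WPA2-PSK-CCMP", 6, -70),
    Beacon("corp-wifi", "00:11:22:33:44:03", "WPA2-PSK-CCMP", 11, -74),
    Beacon("corp-wifi", "aa:bb:cc:dd:ee:01", "OPEN", 6, -35),           # open lookalike
    Beacon("corp-wifi", "aa:bb:cc:dd:ee:02", "WPA2-PSK-CCMP", 1, -30),  # unknown BSSID, same security
    Beacon("guest",     "00:11:22:33:44:10", "OPEN", 1, -65),
]

def audit_beacons(beacons, known_aps):
    """Return (severity, bssid, ssid, reason) for every suspicious beacon."""
    by_ssid = defaultdict(list)
    for b in beacons:
        by_ssid[b.ssid].append(b)
    findings = []
    for ssid, seen in by_ssid.items():
        known = known_aps.get(ssid, set())
        # Baseline security is what the inventoried APs advertise; an SSID that
        # is not inventoried falls back to the most common advertised setting.
        trusted = [b.security for b in seen if b.bssid in known] or [b.security for b in seen]
        baseline = max(set(trusted), key=trusted.count)
        for b in seen:
            if b.security != baseline:   # "not the same key" cannot be the same network
                findings.append(("HIGH", b.bssid, ssid,
                                 f"advertises {b.security}, baseline is {baseline}"))
            elif known and b.bssid not in known:  # matching security, but never inventoried
                findings.append(("MEDIUM", b.bssid, ssid,
                                 f"unknown BSSID on ch {b.channel} at {b.rssi} dBm, verify on site"))
    return findings

if __name__ == "__main__":
    for finding in audit_beacons(OBSERVED, KNOWN_APS):
        print(*finding)
```

A MEDIUM finding is only a lead: a new corporate AP and a clone that has the real key look identical over the air, so it has to be resolved by checking the inventory or physically locating the transmitter.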