Rogue AP


altjx

Still learning more about the pineapple and loving this device so far. I'm also still learning quite a bit about assessing wireless networks too, and I hope this isn't the wrong place to post my question.

To my knowledge, Karma on the wifi pineapple doesn't bring up a rogue AP as long as the probe request is for a wireless network that uses encryption, correct?

That being said, I ran across an article that referred to bringing up a rogue AP and making someone connect to his instead of their original one. The confusing part for me is that the victim's original wireless AP is encrypted with WEP, so how does bumping him off his force him to connect to their rogue AP, despite the signal being stronger? Is it possible to bring up a rogue AP with encryption (and trick clients into connecting to it), but just not supported by Karma? I thought the reason Karma didn't bring up rogue APs that use encryption was because clients wouldn't connect to it.

Here's an excerpt from the article:

Note that we once again used his BSSID in the aireplay-ng command. If our signal is stronger than his own AP, he will automatically reconnect to our evil twin

Edited by altjx

Rogue AP with encryption doesn't work right now (maybe later) because the BSSID has to be changed, and with open networks only the SSID has to be changed, if I am correct.

- jesse


Is this referring to just Karma? Or bringing up a rogue AP in general?

Also, in the probe request, the BSSID of the networks the client is reaching for shows, correct?


Karma will not work on encrypted APs because it has no way of acquiring the handshake for the real AP...

This has been answered at least twice now :P

Thanks. So I'm guessing airbase should work for something like this since Karma doesn't right?

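What a probe request actually carries, and why a Karma-style open reply is ignored by a client whose saved profile is WPA2 while a twin that advertises the same SSID and the same security type wins on signal strength: this is an added example, not code from this thread, the Pineapple or Karma. It builds simplified 802.11 management frames inline with constructed MAC addresses (aa:bb:cc:dd:ee:ff and so on), so nothing here is captured traffic, and the client-selection rule is a model of typical supplicant behaviour rather than any particular driver.

```python
"""
Toy model of probe requests, probe responses and the client-side match that
decides which BSS a station will join. Frames are constructed inline, not
captured, and reduced to the 802.11 management header plus the tagged
parameters that matter here (IE 0 = SSID, IE 48 = RSN).
"""
import struct

WILDCARD = b"\xff" * 6
IE_SSID, IE_RSN = 0, 48

def _tagged(ssid, rsn):
    body = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    if rsn:
        # Minimal RSN IE: version 1, group CCMP, pairwise CCMP, AKM PSK, capabilities 0
        rsn_body = (b"\x01\x00" b"\x00\x0f\xac\x04" b"\x01\x00" b"\x00\x0f\xac\x04"
                    b"\x01\x00" b"\x00\x0f\xac\x02" b"\x00\x00")
        body += bytes([IE_RSN, len(rsn_body)]) + rsn_body
    return body

def build_probe_request(sta, ssid):
    """Directed probe request: addr1 and the BSSID field are the wildcard
    address; the only thing that names the network is the SSID IE."""
    hdr = b"\x40\x00" + b"\x00\x00" + WILDCARD + sta + WILDCARD + b"\x00\x00"
    return hdr + _tagged(ssid, rsn=False)

def build_probe_response(bssid, sta, ssid, rsn):
    hdr = b"\x50\x00" + b"\x00\x00" + sta + bssid + bssid + b"\x00\x00"
    capab = b"\x11\x00" if rsn else b"\x01\x00"      # ESS, plus privacy bit when encrypted
    fixed = b"\x00" * 8 + b"\x64\x00" + capab        # timestamp, beacon interval, capability
    return hdr + fixed + _tagged(ssid, rsn)

def parse_frame(frame):
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<2sH6s6s6sH", frame[:24])
    subtype = (fc[0] >> 4) & 0xF                     # 4 = probe request, 5 = probe response
    body = frame[24:] if subtype == 4 else frame[36:]  # responses carry 12 fixed bytes first
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"subtype": subtype, "sta": a2 if subtype == 4 else a1, "bssid": a3,
            "ssid": ies.get(IE_SSID, b"").decode("utf-8", "replace"),
            "rsn": IE_RSN in ies}

def karma_respond(probe_req, rogue_bssid):
    """Karma-style responder: answer any directed probe with an *open* BSS of
    that SSID. Without the network's PSK it cannot offer anything else."""
    req = parse_frame(probe_req)
    if req["subtype"] != 4 or not req["ssid"]:
        return None
    return build_probe_response(rogue_bssid, req["sta"], req["ssid"], rsn=False)

def choose_bss(profiles, candidates):
    """profiles: {ssid: "open" | "wpa2"}; candidates: [(probe_response, rssi_dbm)].
    A station only considers a BSS whose SSID and security type match a saved
    profile, then takes the strongest signal among those. Returns (bssid, rssi)."""
    best = None
    for frame, rssi in candidates:
        resp = parse_frame(frame)
        if resp["subtype"] != 5:
            continue
        want = profiles.get(resp["ssid"])
        if want is None or (want == "wpa2") != resp["rsn"]:
            continue
        if best is None or rssi > best[1]:
            best = (resp["bssid"], rssi)
    return best

def demo():
    # Constructed addresses; nothing here is a real device.
    sta, real_ap, rogue = (bytes.fromhex(h) for h in ("aabbccddeeff", "001122334455", "66778899aabb"))
    profiles = {"HomeNet": "wpa2", "attwifi": "open"}
    req = build_probe_request(sta, "HomeNet")
    karma_open = karma_respond(req, rogue)                           # open "HomeNet"
    real = build_probe_response(real_ap, sta, "HomeNet", rsn=True)
    twin = build_probe_response(rogue, sta, "HomeNet", rsn=True)     # WPA2 clone, same SSID
    hotspot = karma_respond(build_probe_request(sta, "attwifi"), rogue)
    return {
        "probe_bssid_is_wildcard": parse_frame(req)["bssid"] == WILDCARD,
        "karma_vs_real": choose_bss(profiles, [(real, -70), (karma_open, -30)]),
        "twin_vs_real": choose_bss(profiles, [(real, -70), (twin, -30)]),
        "open_profile": choose_bss(profiles, [(hotspot, -55)]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two things fall out of the model. The probe request names the network by SSID only (its BSSID field is the wildcard address), so a responder learns the SSID but nothing about the key. And the open "HomeNet" that Karma answers with loses to the real WPA2 AP even at a far stronger signal, while the WPA2 twin wins on signal; winning the selection only gets a station to association, and with WPA2 the 4-way handshake that follows still needs the same passphrase.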

I'm not quite grasping what you mean, sorry. Can you elaborate please :)

Well, so Karma will not bring up a rogue AP using encryption because of what you stated. What about this other article that referred to bringing up a rogue AP using WEP, deauthing the victim and having the victim connect to his rogue WEP-enabled AP?

I guess I'm trying to figure out if this is a limitation with Karma itself, or if this just can't happen in general. Sorry for any confusion.


Currently, Karma only works on open APs. Having a WEP enabled Evil AP would defeat the whole purpose of Karma at the moment.

Edited by Foxtrot

So to clarify, you can bring up a rogue AP and have others seamlessly connect to it (by deauthing them, etc) while using encryption -- just not using Karma. Correct?

I have done this with Kali and the Pineapple. With the Pineapple using wlan0 to "clone" the network, and wlan1 for internet connection/access. Wlan2 can then be used for deauth. I honestly don't really do much with Karma.

Example. At a friend's house, living room. Cloned his network, and connected with wlan1. Within about 20 minutes, most of his devices were running through the Pineapple, with no deauth needed. (guessing because his router is in the basement)


Very interesting. This is exactly what I'm trying to figure out how to do. I highly doubt it, but you wouldn't happen to have posted a guide on your process doing this would you?

What encryption did he use? He DID have to enter in a key right when connected to yours?

Edited by altjx

No, it's all automatic. It's the exact same way it works if you have two routers at home, or at work, the mall, Starbucks, etc, with several APs. Your device will connect to the strongest signal.

Example, I have two routers at home. Both setup exactly the same. Someone who doesn't know any better only sees one network, and the device will choose the best AP. I setup the Pineapple exactly the same as well, I then have three APs.

At the "coffee shop" you clone the network exactly, the guy beside you will connect to the Pineapple, as it's sitting right next to him.

I know there are a lot more variables at play, but this is the basic idea.

I've included a screen shot of my company wifi, and you can see all the APs that are setup exactly the same to cover a large area. Theoretically, any of these *could* be a Pineapple.

https://www.dropbox.com/s/xg7k3yllmefgvjb/Screenshot_2013-12-18-17-49-01.png


Gotcha, so despite his network using a different key, it still connects to yours, and your AP accepts whatever he gives it it sounds like.

I'm in the process now of giving this a shot on the pineapple. For some reason, I can't connect to any of the APs I create with airbase-ng. >_<


No, the security and key have to match exactly for this to work.

If "his" network is WPA2 with "suckithard" as the key, then that's how your Pineapple needs to be setup.

Edited by Boosted240

Hmm, so technically you can't bring up a rogue AP, disconnect him from his, and have him connect to yours unless you have his key, which would be obtained only after a successful cracking attempt eh? Well I guess that just ruined my whole plan.

Thought I could somehow clone a network, deauth systems from that network and have them connect to mine. But if I don't have the key they use, then I'm pretty much screwed in that case eh?

Correct, if it's not the same key, it's not the same network.

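The handshake behind "if it's not the same key, it's not the same network", as an added example that is not part of this thread or of the Pineapple: the WPA2-Personal key derivation as specified in IEEE 802.11, with constructed addresses, fixed stand-in nonces and a simplified EAPOL-Key body. The PMK test vector (passphrase `password`, SSID `IEEE`) is the one published in the standard's annex; `HomeNet` and the passphrases are made up.

```python
"""
Why an evil twin needs the real PSK: a minimal model of the WPA2-Personal
4-way handshake. Derivations follow IEEE 802.11:
  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
  PTK = PRF-512(PMK, "Pairwise key expansion",
                min(AA,SPA) | max(AA,SPA) | min(ANonce,SNonce) | max(ANonce,SNonce))
  KCK = PTK[0:16]; MIC (AKM PSK, SHA-1) = HMAC-SHA1(KCK, EAPOL-Key frame with MIC zeroed)[:16]
Addresses, nonces and the EAPOL-Key body below are constructed stand-ins.
"""
import hashlib
import hmac

def pmk_from_passphrase(passphrase, ssid):
    """The PMK is bound to both the passphrase and the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf512(key, label, data):
    out = b""
    for i in range(4):                      # 4 x 160 bits covers 512 bits
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck, eapol_key_frame):
    return hmac.new(kck, eapol_key_frame, hashlib.sha1).digest()[:16]

def build_msg2(snonce):
    """Simplified EAPOL-Key body for message 2: descriptor type, key info,
    key length, replay counter, SNonce, zeroed MIC field, key-data length."""
    return (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 8
            + snonce + b"\x00" * 16 + b"\x00\x00")

AA = bytes.fromhex("001122334455")      # constructed AP (authenticator) address
SPA = bytes.fromhex("aabbccddeeff")     # constructed station (supplicant) address
ANONCE = bytes(range(32))               # fixed stand-ins for the random nonces
SNONCE = bytes(range(32, 64))

def ap_accepts_msg2(ap_passphrase, client_passphrase, ssid):
    """True iff the AP's MIC check on handshake message 2 passes, i.e. both
    sides derived the same PTK. The AP never sees the client's passphrase;
    it only sees the SNonce and a MIC keyed by the client's KCK."""
    client_ptk = derive_ptk(pmk_from_passphrase(client_passphrase, ssid), AA, SPA, ANONCE, SNONCE)
    msg2 = build_msg2(SNONCE)
    mic_from_client = eapol_mic(client_ptk[:16], msg2)
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_passphrase, ssid), AA, SPA, ANONCE, SNONCE)
    return hmac.compare_digest(eapol_mic(ap_ptk[:16], msg2), mic_from_client)

if __name__ == "__main__":
    print("Annex test vector PMK:", pmk_from_passphrase("password", "IEEE").hex())
    print("same passphrase on both sides:", ap_accepts_msg2("correct horse", "correct horse", "HomeNet"))
    print("evil twin with a guessed passphrase:", ap_accepts_msg2("wrong-guess1", "correct horse", "HomeNet"))
    print("same passphrase, different SSID, same PMK?",
          pmk_from_passphrase("correct horse", "HomeNet") == pmk_from_passphrase("correct horse", "HomeNet5"))
```

A rogue AP is free to skip its own check on message 2, but that buys nothing: message 3 carries a MIC the client verifies with its own KCK, and the group key in it is wrapped with the KEK, so a twin with the wrong passphrase never gets a usable session. What the twin does obtain is message 2 itself, a MIC keyed by the client's PMK, which is exactly the material an offline dictionary attack on the passphrase works against. Note also that the PMK depends on the SSID, so cloning the SSID exactly is part of matching the key. WEP has no such handshake: a client will associate with a WEP twin under open-system authentication regardless of key, but frames encrypted under a different key are unreadable to both sides, so the connection still goes nowhere.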

Uhhhh, pretty much yeah. Unless you know of another network they have on their devices that's open or you DO have the key for. Then you can set that up, and lure them onto the Pineapple with better signal, deauth, etc. (this is sorta how Karma works with open networks)

Example, you know all of these devices have been on an open wifi at one point, such as "attwifi" So you set that up.


So I suppose the next question is what kinds of techniques are open to a penetration tester to finding out this information. I am new to the pineapple community, so I am still learning. I am guessing that WEP cracking tools would be used to crack WEP, I don't know of any, and WPA would be cracked by reaver type attack, whether it be 'bully' or the reaver it's self.


I haven't done too much wifi cracking with the Pineapple, but Reaver and Bully do work (both are very slow for me) and I can't seem to get Wash to work. For WEP you can use aircrack-ng, which also works. For me, it's still faster and easier to use Kali (on a laptop or Raspberry Pi); then you have tools like wifite, fern, reaver, bully, wash, dictionary attacks, etc.

It looks like the Site Survey infusion has "capture" built in, I'm guessing that's for getting the 4-way handshake, so then you can use something like hashcat to bruteforce.


The problem that I struggled with during my hours of research is that many articles failed to mention that Evil Twin requires you to not only have the same ESSID and MAC, but also the same WEP/WPA/WPA2 key that clients use to connect to the legitimate APs. Unless I'm still wrong on this?

Isn't this one of the most important steps in creating an evil twin that uses encryption?

Edited by altjx

You're not wrong. Just like @barry99705 said, "if it's not the same key, it's not the same network"

In my experience the MAC isn't as important. Again, two routers in my house, each one with different MACs, but my devices will go between the two seamlessly. I'm sure in a more complex situation, cloning the MAC would be necessary.

What is it exactly that you're trying to do?
