Jump to content

Karma fixed yet?


Recommended Posts

I've been holding off buying the pineapple cause back when they were introducing it they said it wasn't working just curious to know if karma is working now cause its kinda useless if devices won't auto connect to the pineapple.

Link to comment
Share on other sites

So has anything been done to correct that yet? It's been months since i looked into the pineapple last time i heard anything was back when it was introduced last year.

Link to comment
Share on other sites

It's not an issue with Karma, so there's nothing to fix. Karma exploits a weakness in how some WiFi-enabled devices probe for networks to connect to. It appears that some manufacturers have since improved their probe implementation and that's what we want, a continuous improvement over current technologies.

Link to comment
Share on other sites

Darren post back in October sums it up well:

Posted by Darren Kitchen on 24 October 2013 - 10:38 AM

Karma is one piece of the puzzle, and it's true some vendors have adapted. Taking a step back and looking at the greater picture however, Karma is only a single component of a much larger concept: Hot-Spot Honey-Pot. Since the introduction of the WiFi Pineapple this has been a primary goal - to capture clients for man-in-the-middle attacks, as well as more recently as a pen-test pivot box.

Karma in its current form is highly effective against a majority of devices. Right now this is done by taking advantage of a trust relationship in only one of the thirteen 802.11 management frames - probes.

Now while 802.11 is a standard, the way in which it's implemented is not - it varies by vendor. Most recently two high profile vendors have changed the way they implement the spec: Google relying less heavily on probes while Apple relying more so. In the case of the former also keep in mind Android is its own hot mess with various vendors implementing the OS in different forms (I'm looking at you Sammy).

What does this mean for the WiFi Pineapple and the wireless hot-spot honey-pot? Quite simply, we adapt. In the game of cat-and-mouse that is hacking, tools and techniques evolve as the ever changing landscape shifts. Build a better mouse, build a better mousetrap.

The core concept of Karma in its current form relies on a rather limited approach to client harvesting. With the next version, or the next tool in our honey-pot arsenal, we'll implement additional approaches as appropriate and as the bare metal as our disposal allows.

We already have some interesting new attacks in testing that have proven quite successful as well as more on the drawing board for later, when it's time to respond again. Once everything is stable and to our liking we'll roll out an update that improves the overall effectiveness of the platform.

It appears they have been experimenting with new attacks back in October. Hopefully some turned out to work well and we will see them rolled into future updates.

Link to comment
Share on other sites

So i missunderstood the whole problem i guess i didn't realize it had to do with the the other devices.

Should be interesting to see what the next step does now days not many people have out dated devices most of the people get their phones replaced just about ever couple months.

I mainly see people down here using Mac Book Pro computers just it just means for now it will require a little more to get victims to connect to the honey pot then rather then having them auto connect to it.

Link to comment
Share on other sites


Darren said "Google relying less heavily on probes while Apple relying more so." That part about Apple is important... it means that Apple devices are now more vulnerable to Karma than ever! And Karma is not the only reason to own a pineapple. yabasoya is correct. You can simply go "fishing" by naming your Pineapple's AP to something like Free WiFi. Or Starbucks WiFi or whatever and let people choose to connect. With the right captive portal (nodog splash) and dnsspoof with some phishing pages it is well worth your time. Even just using sslstrip would be useful. Or have fun and RandomRoll people. Personally I like the Pineapple Surprise page as I'm more about educating folks than "hacking" them.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...