
Hey all!

I have a D-Link antenna ANT24-1400 14 dB 2.4 GHz and an adapter to SMA. Which radio on the Pineapple, wlan0 or wlan1, should I put it on to get the most out of PineAP?

Or could you explain what the different antennas do (how they work together)?

// Masler77

Edited by masler77


Wlan0 pulls in the clients. This is the radio that clients connect to.

Wlan1 does beacon responses, beacons, deauth and the likes.

The idea is that wlan1 helps wlan0 be more effective.

So to answer your question, which one should you boost? Probably wlan0, as if wlan0 is out of range for a client, it cannot connect. Wlan1 is already a little more powerful, so I'd go with wlan0. But it depends on your scenario.

Best Regards,

Sebkinne


Can you explain what Beacon Response is for and what its purpose is? I never understood that from the stream you guys did that day. I'm sure when you guys get the guide and documents out it might shed better light on this feature. I get that Dogma basically broadcasts the SSIDs you set under SSID Management, but I'm confused about what Beacon Response is and its purpose.



Sure thing!

The WiFi landscape has changed, and not everything is vulnerable to just karma anymore. To fix some of this, we send targeted beacons to the devices probing for a network. Say a device is probing for its corporate network. Karma will respond as it usually does, but this time PineAP will also respond and send a few (more than a few actually) beacons to the device. When the device checks if the AP is actually sending out active beacons, it sees these and stays connected.

The beacon responder is basically something which increases the effectiveness of karma.

Best Regards,

Sebkinne


Yes! I haz a questions.

I must have missed the part where everyone discussed this new tile. Perhaps you might be able to link me to that?

Or, if you can, summarize the new tile & features here. I know what Karma does, but the new PineAP tab has these Source & Target boxes. What goes here, and how is this tied to Karma?

There is also this Dogma, which only has an option to turn on/off in the little tile, no tab. I gather it's to assist Karma in connecting to devices?

Last one. What's the Auto Harvest? Does this just run a script that uses Dogma, PineAP & Karma all at once, with no input from, say, me?

Appreciate you edumucations.


koolkarnt, I am still playing with PineAP myself, but I think I can answer some of your questions. I have not played with the Source/Target section yet. Dogma seems to actually broadcast the APs listed in the PineAP SSID Management section, and Auto Harvest will automatically add SSIDs that devices are currently looking for to the SSID Management section.

I have a simple question that I'm too lazy to search for myself. Where is the file for the SSID Management stored? My list became quite long during testing, and I would like to copy it to another file before deleting all of the collected APs. When I enable Dogma, the list is so large that it takes several minutes for "most" of the names to be viewed by any device. I've even seen a device or two that quit trying altogether after 10-20 APs populated.



I'll elaborate on what jmelody said to help answer your question. The source and target fields are part of Dogma.

What does Dogma do? Dogma allows you to focus your KARMA attack towards a specific device. It also allows you to specify a list of access points to broadcast.

Source field - This is where you specify your access point's MAC address. You can enter your Pineapple's MAC address (default) or a spoofed MAC address.

Target field - This is where you specify the MAC address of your target. You can leave it blank (default) to target all devices or you can enter a specific device's MAC address to only target that device.

SSID Management - This is where you can specify a list of access points that you'd like to broadcast. These access points will be broadcast to your target(s) when Dogma is enabled. You can manually add access points to the list or you can add them from the Reconnaissance scan results (by clicking the access point name).

Here's an example scenario:

Let's say that there are 10 devices sending out probe requests in search of familiar access points but you only want to target one of those devices. After enabling PineAP and Dogma, you can enter the MAC address of the device that you want to target in the "Target" field. When the target device is searching for a wireless access point, it will see the list of access points stored in the SSID Management area. The access points from the SSID Management area will not be broadcast to the remaining 9 devices or any other devices that come within range. If you don't specify a target, the access points from the SSID Management area will be broadcast to everyone within range.

NOTE: You can use Reconnaissance to discover the MAC addresses of devices.



Life is like a giant puzzle and everyday you work to add another piece to the inevitable masterpiece.

For what it's worth, every time I read a post from you or watch a video of yours, I feel like another piece of this massive puzzle has been placed.

Thanks for your writeups, your examples, your scenarios, and your simplified breakdown of how, where, when, what, and why things do what they do.

Forever Grateful,

Urieal.


Just think of the wireless DDoS to a device from a consultant who has been traveling and using hundreds of APs a year, and who stumbles upon a PineAP that suddenly lights it up with beacons and management frames for every AP it has ever connected to. I was demonstrating the Pineapple with just Karma a few months ago, before our auditors conducted a wireless pentest. You should have seen their faces when their laptops and phones connected within seconds; let's just say they will never look at hotel wireless the same again. Dogma looks like it might also conserve your Pineapple and the airwaves a bit, as it will focus on just the target device or device type.




I'm glad that I was able to help you out. The puzzle will never be complete. Each piece of the puzzle is a puzzle in itself... and the puzzle as a whole never stops expanding and evolving. Not to sound too philosophical. This is just one of the many reasons I enjoy security. There are too many challenges to face alone and, therefore, it never gets old or boring.



I could be wrong but I believe you have to have ff:ff:ff:ff:ff:ff in the target field to target all devices.



Yes, ff:ff:ff:ff:ff:ff is used to target all devices. If you leave the target field blank, it will automatically populate with ff:ff:ff:ff:ff:ff.

Here's some bogus math:

Default = Blank

Blank = ff:ff:ff:ff:ff:ff

ff:ff:ff:ff:ff:ff = Target all devices

Target all devices = Default

Therefore, Blank = Target all devices


A few quick questions...

Does Karma need to be started/running before running PineAP, Dogma, etc.? Is there a startup order for all of these modules?

Do both wlan0 and wlan1 need to be manually enabled before running Karma, PineAP, etc.? What state should both radios be in before starting the Karma/PineAP modules?

I'm not sure if I have got this right?
Karma: Sends out probe responses to everyone? (And works like an AP for this?)
PineAP: Works like an AP. It sends out beacons from an SSID list.
Dogma: Does targeted beacon responses or broadcast responses depending on settings? (Which is the PineAP tab in the PineAP infusion?)
Harvester: Collects all probed SSIDs and puts them in a list for PineAP to broadcast.
Wlan0 is used for clients to connect to. (Are both Karma and PineAP using this interface at the same time?)
Wlan1 is used by Dogma and other tools.

Tools like urlsnarf and sslstrip and such should run on wlan0?
Please correct me if I am wrong.


To use any features of PineAP, you must first start that. PineAP is independent of karma running or not.

Dogma can also be run without karma being turned on.

Beacon responder and Harvester however do require karma to be turned on.

What are the command line arguments for PineAP?

Currently, there isn't an easy way to manage PineAP over the command line for the end user. That is going to change in the next feature firmware release.


You are mostly correct.

PineAP however does not work like an AP. It is a suite of tools.

Dogma is responsible for sending out the beacons in your SSID list (targeted or to broadcast).

Beacon Response will follow up any probe request with a number of beacons.

Harvester collects all SSIDs which can then be used for Dogma.

Tools like urlsnarf or ssl_strip should be run on the bridge interface ("br-lan") and not wlan0.

Best Regards,

Sebkinne
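The behaviour laid out in this post and in the earlier Dogma breakdown (Beacon Response following probe requests, Dogma replaying a whole SSID Management list from one source MAC, targeting a single client MAC with ff:ff:ff:ff:ff:ff meaning everyone) is what a defender would look for in a monitor-mode capture. The following is an added example, not code from this thread, Hak5 or the Pineapple; it runs over constructed frame records and assumes that a targeted beacon carries the target's MAC as its destination, as the thread's description implies.

```python
# Added example (not Hak5/WiFi Pineapple code): a heuristic detector for the
# PineAP behaviours this thread describes, run over constructed management-frame
# records as a monitor-mode capture would yield after parsing.
# Assumption: a Dogma "targeted" beacon carries the target's MAC as destination,
# as the thread implies; ff:ff:ff:ff:ff:ff is broadcast (blank target = broadcast).
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample: (seconds, frame type, source MAC, destination MAC, SSID)
SAMPLE_FRAMES = [
    (0.00, "beacon",    "00:11:22:33:44:55", BROADCAST,           "HomeNet"),
    (0.20, "probe_req", "aa:bb:cc:dd:ee:01", BROADCAST,           "CorpWiFi"),
    (0.22, "beacon",    "02:13:37:00:00:01", "aa:bb:cc:dd:ee:01", "CorpWiFi"),
    (0.23, "beacon",    "02:13:37:00:00:01", "aa:bb:cc:dd:ee:01", "CorpWiFi"),
    (0.50, "probe_req", "aa:bb:cc:dd:ee:02", BROADCAST,           "Hotel_Guest"),
    (0.52, "beacon",    "02:13:37:00:00:01", BROADCAST,           "Hotel_Guest"),
    (1.00, "beacon",    "02:13:37:00:00:01", BROADCAST,           "CoffeeShop"),
    (1.10, "beacon",    "02:13:37:00:00:01", BROADCAST,           "Airport-Free"),
]


def normalize_target(field):
    """The thread's rule for the Dogma target field: blank means ff:ff:ff:ff:ff:ff."""
    field = (field or "").strip().lower()
    return field or BROADCAST


def analyze(frames, ssid_threshold=3, response_window=0.5):
    """Flag sources showing any of: many distinct SSIDs beaconed from one MAC
    (Dogma replaying an SSID list); beacons for an SSID first seen right after a
    client probed for it (Beacon Response / Karma); beacons addressed to a single
    client rather than broadcast (targeted Dogma).  Returns {src: finding dict}."""
    ssids = defaultdict(set)     # src -> SSIDs it beaconed
    first_beacon = {}            # (src, ssid) -> time of first beacon
    probes = []                  # (time, client, ssid)
    targeted = defaultdict(set)  # src -> client MACs it singled out
    for t, kind, src, dst, ssid in frames:
        if kind == "probe_req":
            probes.append((t, src, ssid))
        elif kind == "beacon":
            ssids[src].add(ssid)
            first_beacon.setdefault((src, ssid), t)
            if normalize_target(dst) != BROADCAST:
                targeted[src].add(dst)
    echoes = defaultdict(set)    # src -> SSIDs it started beaconing after a probe
    for t_probe, _client, ssid in probes:
        for (src, s), t_beacon in first_beacon.items():
            if s == ssid and t_probe <= t_beacon <= t_probe + response_window:
                echoes[src].add(ssid)
    findings = {}
    for src in set(ssids) | set(echoes) | set(targeted):
        if len(ssids[src]) >= ssid_threshold or echoes[src] or targeted[src]:
            findings[src] = {"ssids": set(ssids[src]),
                             "probe_echoes": set(echoes[src]),
                             "targeted": set(targeted[src])}
    return findings


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_FRAMES).items():
        print(src, sorted(f["ssids"]), sorted(f["probe_echoes"]), sorted(f["targeted"]))
```

On the constructed sample only the second source is flagged: it beacons four unrelated SSIDs, two of them appearing right after a client probed for them, and it addresses beacons to one client directly.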



Thank you for the response.

However, I am still a bit confused.

You can turn on and off the PineAP, which you say is a suite of tools. What tools are those, and how does it affect the other ones like Dogma and Beacon Response?

Can you not run urlsnarf and sslstrip on a wlan interface? I mean if I use wlan1 in client mode to connect to a network and wlan0 as the "AP" interface.

Or should I always leave wlan0 and wlan1 active for the PineAP and Karma tools and have a wlan2 in client mode?

Regards


Choose Reconnaissance from the Drop down menu in top left.

Enable scan of AP and Clients.

********

No clients show up. Yes, I have three APs showing up and I have clients attached to all of them.

As an aside, how do we access all the additional functionality reconnaissance offers that I've read about but can't seem to find?


So I have been at least trying to test everything on my MKV. It's been bumpy so far. Anyway, I tried PineAP once and had the problem where I couldn't get it to start. I would just click on enable and my web interface would freeze up for 5-8 secs and then become responsive again, but PineAP would stay disabled. I found that each time I do this it makes a new mon interface on wlan1. So after a few tries I have mon0, mon1, mon2. So it seemed like it was doing something but not starting. I killed off all the mon interfaces and found a fix here, which was basically to go into my Network big tile -> Advanced -> Reset Wireless Config. And I got PineAP to work well, and it's great once you get it started.

So after that I was messing around with ettercap, and ettercap just kept refusing to start on any interface, even br-lan. Many reboots later I still could not get it to start. I had the same issue with urlsnarf, only it would start and run for like 3-5 sec (there was actual output in the textbox) then stop itself (this was on br-lan). So I went to change my SSID settings in the Network tile, and every time I saved them it would say wireless restarting, but nothing would happen. I thought this was strange, so I tried to change MAC addresses, and that too was acting like it all went OK, but there was ultimately no change to my MAC address. I tried pressing Reset Wireless Config and that reset it all. Then ettercap started working properly, but I had to use urlsnarf over SSH. Now I wanted to change my SSID off of the default Pineapple SSID for my AP........ doesn't change. Now none of the settings would change in the Network tile. I tried literally everything I could think of, hostapd.conf etc., and nothing would change my SSID for my AP.

At this point I decided to flash it.

Fresh flash. I change my SSID successfully, get ettercap running successfully, and I still have to use urlsnarf over SSH; there seem to be issues with that infusion. Anyway, everything works great. I closed it all down and rebooted. Now when it boots back up, my MAC addresses are still spoofed and my SSID is still the same I set it to. I try to start PineAP up again, but I am having the same issue as mentioned above and it just won't start. So I went to change my MAC addresses back..... nothing happens. Press the Reset WiFi Config button....... asks me to restart WiFi etc....... nothing happens. I try to change my SSID....... nothing happens. I can SSH in and change my MAC addresses manually, but when I click the Reset WiFi Config button... it sets them back to the spoofed ones. So pretty much nothing in the Network tile is working, or at least working properly. I have rebooted several times and tried pretty much everything, including changing settings manually over SSH. Nothing is doing what it is supposed to or keeping any changes. PineAP still won't start.

I am about to reflash.

Hopefully there is some sort of useful information here, or anyone can point out something I missed or something to try. I seem to be replicating this same weirdness with the Network tile somehow.

Anyway, let me know what you guys think.

P.S. Forgot to mention that in the Log tile, I can't see anything. When I click between the syslog, dmesg and custom tabs, they flash for a split second then disappear again behind what looks like the main web interface with a nav bar at the top but no tiles. It's just black, but it's contained under the tabs and in the big tile like a JFrame or canvas.

Edited by mel0n

Haven't read/watched too much about PineAP but decided to turn on the pineapple and upgrade its firmware. One thing I'm noticing though is that, earlier today, I was able to connect to the APs that I have in the SSID Management page. However, I can't now for some reason -- I just get a "Can't connect" error on my laptop and mobile device. I'm guessing there's something small that I'm missing.

Any help with this would be greatly appreciated.

Edited by altjx

Couple Questions:

  • How do I go about auto-starting all PineAP modules, or what would the dip switch command line look like to do the same?
  • In the previous version I was able to specify a passcode which prevented associations under Karma. How can I prevent associations with this current version? All I want to do is collect probes/beacons and re-broadcast them for demonstration purposes.

I'm curious to know if Seb has any plans to include the harvesting of both BSSIDs and corresponding ESSIDs in order to be able to automatically spoof both together for a given target AP/APs.

I think this would be a useful countermeasure against client devices that check for matching sets of E/BSSIDs before association to the APs in their PNL. Although this isn't yet a common feature in most devices, I think this will become more of an issue in the future as more and more vendors play catch the mouse (or is that cat? Depending on your stance).

Also,

In the case of using multiple MKVs in multiple locations on an engagement, the ability to remotely connect to a central file storage or database containing all harvested data would be very useful. Has this been thought of already anywhere else in the community?

Peace,

3mrgnc3.
