Sebkinne
Hi everyone,

I'm trying to create a rogue AP with the PineAP feature to get the most out of my WiFi Pineapple.

After typing a source MAC (a spoofed MAC) and a target MAC (my tablet's) in the PineAP Configuration infusion, I click on "Start Now" and my WiFi Pineapple seems to not work properly: the red LED goes off, and sometimes the green LED remains the only one on... Access to the Pineapple is lost and I need to turn it off and on again.

Am I missing some important steps?

Any help will be very welcome

Try without spoofing the MAC. Another thing you can try is changing the MAC after you start PineAP.


I am trying to find a video tutorial on PineAP. I found just a couple of them, which are ok but not entirely what I am looking for.

I seem to remember I found a very good one here on the forum a few days ago, but I can't find it anywhere now.

Any suggestions on where PineAP demo tutorials can be found?

Thank you

stefano


I have one question regarding PineAP and Harvester.

I want to only use Harvester to passively collect network names from clients probing near me.

I have wlan0 ticked on, wlan1 ticked off.

I turned PineAP tick on and then Harvester tick on. (MD5 Karma, Beacon Response, Dogma are ticked off )

The problem I have is I am not seeing any SSIDs being entered in SSID Management.

Am I doing something wrong?

I have latest firmware.


Hi all.

I have been reading and reading this forum and I'm still a bit confused.

Is it or is it not possible to spoof a WPA AP, DDoS the original AP and make a client connect to the rogue AP?

Would really appreciate an answer..

Best regards

Sure, you can spoof WPA SSIDs all day long. The clients won't connect though. Most client software is smart enough to not connect if the configuration is different from what they know. I run into this all the time at work even when I know the password: setting up a replacement access point when the old one goes tits up, and setting the encryption to TKIP when the old one was AES. The clients won't connect because the encryption scheme is different from what they have saved.

So once again, you can't spoof an encrypted SSID with an unencrypted one.


+1 to this. @notchener, you can however get the victim to connect to a fake AP that has been created by the PineAP, and that is only if the device you are trying to get onto your fake AP has a stored unencrypted profile on the device. So you basically DDoS the client from the encrypted AP; then the device the client is connected to will move onto the next probe that's in its list, and if there is a non-secured AP in the list it should connect to the fake AP created by the PineAP. Does this make sense?

Think of it this way: two profiles on your mobile phone, (1) HOME WIFI SECURED and (2) FREE WIFI IN TOWN. When you are at home your mobile is connected to your home WiFi with a password; as soon as you go out of range of the AP you are unable to connect. If you go into your local shopping center and you have connected to profile (2) before, your mobile will auto connect to that AP. This is how you would achieve getting the secured client onto the unsecured AP: you just keep deauthing until it gives up and connects to the next one in the list. As far as the client device is concerned, when you are stopping its access to the secured AP it just thinks it is out of range, then moves on.

To test this yourself: create a WiFi profile on your phone with no encryption and connect to it, then connect back to your home WiFi. Start the PineAP suite, then turn off your home router and watch your phone disconnect from your home network and connect to the unencrypted WiFi profile you have just created.

Edited by MadDog86

Thank you both for very informative info.

So if I understand this correctly, in terms of real security issues there isn't much to worry about regarding evil twin type attacks, since open APs are 99.99% dead, at least in the country where I live.

Getting a bunch of smartphones to connect to your AP in a crowded place isn't what shady individuals are mostly looking for.

Of course you can use a rogue AP to do other things, but that's not what we are talking about here.


I assume that same goes for this EAP attack as well?

http://securitysynapse.blogspot.se/2014/03/wireless-pentesting-on-cheap-kali-WPAEntPartII.html

With all this in mind I really don't understand what the fuss is all about in terms of corporate rogue AP security.


:-)


I still see a crapton of open access points, not necessarily in businesses, but at coffee shops and fast food places. Most people have to eat, so you just get them to connect to your fake ap there. Once they're connected, you attack their wireless device, maybe you can pull the stored wifi credentials from their machine, now you have access to the corp wifi. Just throwing that out there. I also still see wep encrypted networks all the time. Mostly at manufacturing places. They have hardware/software that only runs on old ass operating systems that can only do wep. They figure some encryption is better than no encryption, so they use wep.


That is certainly a way to approach this, for sure.

But still, in my view as it is now, evil twin attacks are getting kind of outdated more and more...

cheers

I see that as a good thing. MS08-067 is (almost entirely) a thing of the past, but it's still the best demo vulnerability of all time (IMHO). In IS, you discover the vulnerabilities and demonstrate the exploits so that we can have a safer world. It's amazing that so many devices' default settings are still so insecure. We have to go after that.

Anyway, we hope that security improves and in fact, we see that it does. So many things that the pineapple exploited trivially just a few years ago are mostly cleaned up. So hooray for our side! It's still a great tool and can and will be useful for many more (as of yet unknown) attacks in the future. So hooray for the pineapple!


When I started war driving back in 01 or 02, most access points were open. A few had WEP enabled. Most folks just had the AP hide the SSID and they thought they were secure. There were also the ones that did MAC authentication. Then aircrack-ng made it stupid simple to crack a WEP key. I even did it once on a Sharp Zaurus PDA. So WPA came out, and that worked well for a couple of years, then coWPAtty came out and made it crackable in hours to a couple of days. So they made WPA2, which so far is working pretty well. Then the vendors decided it was too hard for grandma to type in a password so they made WPS. That turned out to be a bad idea, so it's slowly going away.

Exploits come and go. The nice thing about the pineapple is it's really just a small computer with a couple decent WiFi radios. We just have to adapt to what's available to exploit.


Is PineAP supposed to (or able to) use the Karma SSID/Client Black/White lists when harvesting SSIDs?

I'm using my WiFi Pineapple at work and have it connected to my work's WiFi connection. I don't want PineAP to harvest and then spoof the work's WiFi SSID.

Is there any way to prevent this? I've put the SSID in the Karma Black List and it still appears in the PineAP SSID Management window.

Edited by lunokhod

I have a question.... In Recon Mode, if I select "AP & Clients," the red light (client mode radio) turns off after 15 seconds. If I select "AP Only," I don't lose client mode. I use ssh (autossh) to port forward the pineapple services through a "relay server" to connect remotely, so losing the radio while scanning kind of messes things up.

Is this expected behavior? If so, why? Is the only workaround to use a third radio?


Ok, I have got an issue I need help with. I have set up my new Pineapple, updated it, launched PineAP, and can see probe requests from several devices on my network. I then go to Recon mode and deauth them from the network, but this doesn't seem to switch them to the rogue network.

How do I knock one of the devices off my network and switch it to the fake rogue AP?

Thanks in advance


Hi guys, I hope someone can clarify this for me or point out if I'm wrong.

I've made a packet capture to understand this better. This is what I'm seeing with a client pc running windows 8.1 and a router (SSID: dd-wrt) and the pineapple with Pineap enabled:

1) Client sends a probe request with SSID=broadcast

2) Access point responds with a probe response with the SSID (dd-wrt in the example)

3) The client sends a probe request for the specific SSID it saw from the probe response (dd-wrt in the example)

4) The Pineapple sees the SSID dd-wrt, saves it with the Harvester and then probes it out.

The problem is that this way I don't know what's on the PNL (preferred network list) of the client; I only know it's probing for dd-wrt, but only because the real dd-wrt is around...

If the real dd-wrt doesn't respond (number 2 on my list) with the SSID, the client doesn't send any probe for that network directly.

In fact, during this test I had an open network saved on the client PC, but even when I deauth the client it just probes for broadcast UNTIL the real network appears and responds back with the SSID.

Attached is my capture with the various steps marked.

TLDR; is this normal behaviour? :P

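To make the capture sequence above concrete, here is a small 802.11 management-frame parser (added here as an illustration; it is not code from the post or from the PineAP project). It builds the three frames of the sequence from constructed MAC addresses, classifies each as a broadcast probe request, a directed probe request or a probe response, and shows that a harvester which only learns SSIDs from directed probe requests learns "dd-wrt" only after the real AP has answered, which is exactly the observation the poster made.

```python
import struct

# Constructed sample addresses (not from the original post).
BCAST = b"\xff" * 6
CLIENT = bytes.fromhex("020000000001")   # constructed client MAC
AP = bytes.fromhex("02000000aa01")       # constructed MAC of the "dd-wrt" AP

def mgmt_frame(subtype, dst, src, bssid, body):
    """802.11 header: frame control, duration, addr1-3, sequence control, then body."""
    fc = struct.pack("<H", subtype << 4)  # type 0 = management, subtype in bits 4-7
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

def ssid_tag(ssid):
    return b"\x00" + bytes([len(ssid)]) + ssid.encode()   # tag 0 = SSID

def probe_req(ssid):
    # An empty SSID tag is the "broadcast" (wildcard) probe the client sends first.
    return mgmt_frame(4, BCAST, CLIENT, BCAST, ssid_tag(ssid) + b"\x01\x01\x82")

def probe_resp(ssid):
    # Fixed fields: timestamp (8), beacon interval (2), capability (2) with privacy bit set.
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0431)
    return mgmt_frame(5, CLIENT, AP, AP, fixed + ssid_tag(ssid))

def parse(frame):
    """Return (kind, source MAC, ssid) for probe requests/responses, else None."""
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (4, 5):
        return None
    src = frame[10:16].hex(":")
    tags = frame[24:] if subtype == 4 else frame[24 + 12:]  # skip fixed fields in a response
    ssid, i = None, 0
    while i + 2 <= len(tags):
        tid, tlen = tags[i], tags[i + 1]
        if tid == 0:
            ssid = tags[i + 2:i + 2 + tlen].decode(errors="replace")
            break
        i += 2 + tlen
    if subtype == 5:
        return "probe_resp", src, ssid
    return ("probe_req_directed" if ssid else "probe_req_broadcast"), src, ssid

def harvest(frames):
    """SSIDs a passive harvester learns: only names a client asks for in a directed probe."""
    learned = []
    for f in frames:
        p = parse(f)
        if p and p[0] == "probe_req_directed" and p[2] not in learned:
            learned.append(p[2])
    return learned

# The three observable steps of the poster's capture, constructed here.
CAPTURE = [probe_req(""), probe_resp("dd-wrt"), probe_req("dd-wrt")]
```

Feeding only the first frame to `harvest` yields nothing, while the full sequence yields `["dd-wrt"]`, so a saved network the client never names in a directed probe stays invisible to this kind of harvesting.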

Hi,

I just received my MarkV and I'm playing around with PineAP. The way I have it set up is that I have wlan0, wlan1 and wlan2 on, where wlan2 provides the MarkV with internet access.

Now when I turn on Karma and PineAP with all the options, everything works as far as collecting SSIDs etc. The only thing is that the clients can't connect to the SSIDs; for example, my phone can see all the SSIDs being broadcast but can't connect to any of them.

Am I missing something?


How do you allow clients who access a PineAP access point to get internet access? I have PineAP running and it is putting up a lot of APs, but when I test them out I cannot connect to them because they do not have internet access.

I have attached a USB WiFi adapter and it (wlan2) is set in client mode. The laptop I am accessing the MkV with (using eth0) has internet access via the wlan2 connection, but I want to be able to allow the clients to get that access in order to do MiTM. I have wlan2 connected to my personal router.

What am I missing? I am guessing a lot but if someone could guide me in the right direction I would appreciate it.

Thanks,


I have a few questions. I tried searching, so if I touch on something already covered a link would be welcomed.

I have PineAP set to auto harvest SSIDs, associations and probe requests. Surprisingly, that data alone can be very revealing.

1) How can I ensure that every single association, SSID and probe request gets saved into the log file? I thought they automatically did, but it seems my Pineapple only recorded a few lines during a one hour trip.

2) How can I record GPS data and associate it with the MAC and SSID probe data collected?

Background: I live in Fairfax, VA and it's well known they abuse the Stingray technology. Plus, with as many people as we have around here, the data is juicy to say the least. I just realized last night that whenever I get a red alert from my IMSI catcher in a specific area there are two SSIDs being broadcast that indicate police are actively scanning with a Stingray. How can I start collecting GPS data along with the associations and probe requests?

1) I've been running AIMSICD on my phone to let me know when I'm in a Stingray attack area. I do this out of protest against that technology. The problem with this app is that it doesn't geotag where the event happens very well.

2) In the last few weeks I've also been taking my Pineapple out with me near where I got a red alert on a Stingray, and when I checked PineAP's logs I saw in that location two SSIDs, "Stingray-2020" and "ffx_NARC_UNIT1". SSIDs can be very revealing, but I still can't believe they name their WiFi after a covert unit. What idiots!

3) I want to start collecting GPS data along with the IMSI catcher detector info.


Hello,

I have the following question.

If I start client mode on wlan1 and connect to my home AP or mobile phone AP to get internet on my WiFi Pineapple, and after that I try to start the PineAP Daemon, wlan1 turns off and I lose my client mode. I get the same problem if I have already started the PineAP Daemon with Karma and all options and now try to start client mode on wlan1: I lose all PineAP Daemon hotspots.

Can you tell me where the problem is? I already tried to find something in this forum and another one, but I failed.


PineAP is using both wlan0 and wlan1 when active; you will need to connect another wireless card (wlan2) or connect your Pineapple through Ethernet if you want to provide internet to the Pineapple while using PineAP.


According to the latest firmware, 2.3.0, it is not required to use wlan2 for Internet.

Wlan1 can be used for providing Internet access while running PineAP. (https://forums.hak5.org/index.php?/topic/35117-release-23x-codename-logasaurus/)

Under Network using wlan1 scan and connect to your SSID.

Start PineAP and Karma.

I have had some times where the red light (wlan1) goes out after starting PineAP. The blue light is for wlan0. Both blue and red lights should be on.

Reboot with PineAP and Karma autostarting if your red light goes out. Wlan1 should automatically connect to your SSID as previously selected.

I do not get an Internet IP on the Network tile when I select "Show". Not sure why this is but it is connected to the Internet.

If you ssh to your MKV, see if you can ping 8.8.8.8.

If you're successful then you have Internet.

Another tile that doesn't appear to work correctly in this setting is pineapple bar. Also unknown why.
