Open Access Point vs. Secure Access Point


pabo2uk

I've seen a couple of entries with this very subject. I have a question also, but didn't want to jump in mid-conversation on the other topics.

Although this seems like a great addition of having a secure AP on the Pineapple, but, what advantage (if any) does this serve? If a client connects to the Open AP and a client connects to the Secure AP, are they not connecting to the same AP!? I am very interested in the addition of the Secure AP, but am missing the point of what service this provides?

The only thing I can think of is that if I have my own client, say a laptop, connected to the Pineapple using the Secure method, no one can sniff/hack my traffic. (maybe if they had a Pineapple)!!

Thanks

by default, the ethernet, the open SSID and the secure SSID are all bridged, so they all end up in the same subnet and can communicate with one another. I can connect one machine to the secure SSID and one to the open SSID and ping/browse shares/etc on the machines connected to the secure wireless network from the open network.

I have built a new network named MNG and moved my secure interface/SSID to it (also reconfigured dhcp to serve both networks, and reconfigured the firewall to allow the new MNG traffic to flow). I'm going to try to set up some firewall rules to restrict traffic from the open network to the management network, then I'm going to see if I can get ssh/httpd/etc configured to only bind to the IP address on the secure network.... I'm sure it's going to break all kinds of stuff, though. but, I'll have a routed and filtered management network that won't let people connect from the open network to my secure machines.


We noticed a lot of people manage their WiFi Pineapples over WiFi rather than Ethernet. It is quite convenient, however open WiFi is usually a bad idea (irony anyone?). To facilitate secure management of your WiFi Pineapple over WiFi, we've included a WPA2 interface by default. You're welcome to turn it off from /etc/config/wireless if you wish.


the actual WPA2 wifi network is secure. however, the issue is that eth0, wifi0 (open wireless network) and wifi0-1 (secure wireless network) are all part of the bridge group br-lan. they all have layer 2 connectivity, they all receive ip addresses in the 172.16.42.0/24 subnet when they connect, and clients in all three networks can freely communicate with each other, since packet filtering and firewalling happen at layer 3.

so, if you allow communication freely between clients connected via the secure wireless network, the open wireless network and through the ethernet adapter via the bridge br-lan, then you are still at risk of attacks, port scans, connection attempts and whatever nasty malware on clients connected through your secure wlan and ethernet interface by clients in your open wireless network. the security risk is worse than normal, since you might want to entice people to connect at times, and then there's the always on by default open network with full access to your machines via the bridge and the only security on it is a hidden ssid with a predictable range of the default SSID (Pineapple5_$VAR). oh, the open wifi also gets to communicate through client mode connections, too.

try it yourself, connect to the open network with one machine, connect to the secure network with another, then try communicating to the secure network. ping/portscan/remote desktop/whatever.

I think you are missing the point of the secure AP. It is for configuration. Not to browse the internet through your Pineapple while conducting attacks. Obviously, since the interfaces are bridged other machines can ping/port scan/etc across them. By configuring your Pineapple through the secure AP your data is encrypted so if anyone in the area is using Wireshark and capturing your packets they won't be able to see the username and password, or any other data, that is intended for your Pineapple.


My summary about it..

I'm not a ninja wifi user and perhaps it's not totally TRUE but I've been reading some articles about wireless security. Especially WPA-AES-PSK

To redirect the subject about the Pineapple & her-self security ->

"Offensive (open access point)"

  • WLAN0
  • No security inside (no WPA, no WPA2, no AES, no TKIP etc...) -> this network is not encrypted (if you are not under HTTPS), so you can sniff packets easily (turn on Wireshark, tcpdump etc..)
  • It's working like a charm with the Karma method (auto connect on unsecured access point) (the basic sense!)
  • Pineapple Management is listening under 1471 and everybody can go here (you (read next under line) & clients) (you need your unix credits to connect & manage) so don't connect with your admin password!
  • Like sud0nick said you shouldn't (mark admin) navigate (on www) on this open access point because all clients with Wireshark CAN sniff your web-surfing... (hacker hacked? sad story..)

"Management (secured access point) "

  • WLAN0-1
  • Built-in security WPA2 -> This network is "fully" encrypted (TKIP - AES) and it's almost impossible to sniff data frames. Why almost? Because in Wireshark you can decrypt by applying the passphrase: Edit -> Preferences -> Protocol -> IEEE 802.11 -> "Enable Decryption" checkbox. Then click on Edit in the "Decryption Keys" section & add your PSK by clicking "New". You have to select Key-type as "wpa-pwd" when you enter the PSK in plaintext.
  • Password (Passphrase) on this network means "No KARMA | NO CLIENTS" here. Just you the admin. And you are the only person to know the passphrase.
  • Pineapple Management is listening under 1471 and everybody only the admin can go here (passphrase)
Edited by Armaal
I don't think it really matters if your machine is connected and surfing the net or connected and configuring the device, your machine is still vulnerable for no reason if all you're really trying to do is connect via ssh and http.

---------

edit: no, you're right. don't really see myself connected long enough for it to really matter.

Edited by TitaniumRat
If an attacker wants to capture your configuration session traffic they can't now just passively sniff the channel nearby if you use WPA2.

BUT!

If they are first connected to the open AP on the pineapple and start sniffing all traffic on the subnet, and then YOU login to the management interface you could get pwned!

Solutions to this could be...

⭐ Set up SSL on the management interface to make it https. (My personal choice)

⭐ Use SSH with CLI terminal for configuration

⭐ Use SSH and tunnel the http management interface through it

⭐ Configure segmented subnets for each AP type

⭐ Use reverse SSH to a VPS via a mobile modem then tunnel the http/https interface through the intertubes so that when you remote into the VPS with your laptop/fondleslab you get the pretty Web interface (this is my personal favourite but I haven't got it set up right now coz I'm too busy (ahem lazy))

Merry Christmas.


  • 7 months later...

Is it possible to create two subnets, one for wlan0 and one for wlan0-1 specifically?

Ideally, I would like to have clients connected to wlan0 through PineAP / Karma and secure users connected to wlan0-1 to be separated in some way, such that they cannot ping each other without some sort of temporary bridge.

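The separate management network described earlier in the thread, and the two-subnet split asked about in the last post, could look like this in stock OpenWrt UCI syntax. This is an added sketch, not part of the thread and not the Pineapple's shipped configuration; the network and zone name mng, the 172.16.43.0/24 subnet, the radio0 device name, the existing lan network/zone and the SSID and key placeholders are all assumptions.

```uci
# Added sketch in stock OpenWrt UCI syntax, not the Pineapple's shipped config.
# Assumed: network/zone name 'mng', subnet 172.16.43.0/24, device 'radio0',
# an existing firewall zone 'lan' for br-lan. SSID and key are placeholders.

# /etc/config/wireless: bridged layout described in the thread, for contrast:
#   open AP:  option network 'lan', option encryption 'none'
#   WPA2 AP:  option network 'lan', option encryption 'psk2'   (same br-lan)
# Segmented: the WPA2 AP moves to its own network.
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option network 'mng'
	option ssid 'EXAMPLE-MGMT'
	option encryption 'psk2+ccmp'
	option key 'REPLACE-WITH-LONG-PASSPHRASE'

# /etc/config/network: routed, unbridged management interface
config interface 'mng'
	option proto 'static'
	option ipaddr '172.16.43.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp: leases for the management subnet
config dhcp 'mng'
	option interface 'mng'
	option start '100'
	option limit '20'

# /etc/config/firewall: separate zone; no 'config forwarding' to or from 'lan'
config zone
	option name 'mng'
	option network 'mng'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Refuse SSH (22) and the web UI (1471) when reached from the bridged side
config rule
	option src 'lan'
	option proto 'tcp'
	option dest_port '22'
	option target 'REJECT'

config rule
	option src 'lan'
	option proto 'tcp'
	option dest_port '1471'
	option target 'REJECT'
```

Because eth0 is also in br-lan, the two reject rules block wired management as well, so keep a session open on the new SSID while testing. Pineapple services that assume the default single-bridge layout may need adjusting afterwards.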
