raptcha Posted February 10, 2015

Hi All

I recently purchased a Pineapple to use in some upcoming red team assessments and have spent the day setting up and exploring. I have ICS working with OS X and the latest firmware, but I'm a little confused about a few things. It's probably best I start by explaining what exactly I would like to do!

Aim: to demonstrate to clients that they shouldn't enable wifi on devices, as it's easy to impersonate a legitimate access point and start intercepting even SSL traffic.

I believe to impersonate a legitimate access point I would use PineAP + Karma + Harvester.

Question 1: Is the above correct, and if so, will the client devices not complain that the AP they are connecting to is unprotected instead of WPA2?

Assuming they are now connected to my AP...

Question 2: How can I understand who is connected? I see a client count in the web interface top right corner but don't see how I can find out any more info.

Also, I have found that after installing and enabling SSLStrip, I am not getting any output at all. It seems to be started but not stripping anything.

Question 3: Why, after turning on SSLStrip and visiting an https page on my laptop connected to the fake AP, am I not being stripped and nothing is showing in the logs?

I think I once read about an infusion that would actually show you a list of the access points and the clients connected to each of these access points. I can't seem to find this again; the closest I have found is Site Survey.

Question 4: How can I find a list of which clients are connected to which APs?

Finally, I notice that there is also a WLAN 1, which isn't started.

Question 5: What is that typically used for? ICS without using the ethernet cable?

Thanks in advance
Mike
sud0nick Posted February 10, 2015

> Question 1: Is the above correct, and if so, will the client devices not complain that the AP they are connecting to is unprotected instead of WPA2?

Yes, use PineAP. Some devices will complain. When testing this on my home network my computers would come up with a message saying the last time it was connected to the AP it was secure and now it isn't. You may not find this in all devices, so it's still worth a shot.

> Assuming they are now connected to my AP...
> Question 2: How can I understand who is connected? I see a client count in the web interface top right corner but don't see how I can find out any more info.

You can use the Connected Clients infusion. I've used it but it doesn't refresh well. A lot of times I'll have a client off the Pineapple for over an hour, I'll manually refresh the interface, and it still tells me the client is connected. It gives you their IP, MAC address, and hostname though.

> Also, I have found that after installing and enabling SSLStrip, I am not getting any output at all. It seems to be started but not stripping anything.
> Question 3: Why, after turning on SSLStrip and visiting an https page on my laptop connected to the fake AP, am I not being stripped and nothing is showing in the logs?

HSTS is your enemy and the reason why you aren't able to successfully strip the SSL data. Almost all modern browsers support HSTS.

> I think I once read about an infusion that would actually show you a list of the access points and the clients connected to each of these access points. I can't seem to find this again; the closest I have found is Site Survey.
> Question 4: How can I find a list of which clients are connected to which APs?

You may be thinking of the built-in scanner on the Pineapple. Go to the top left in the interface and click Infusions. You should see Recon Mode there. You can scan for both APs and clients.

> Finally, I notice that there is also a WLAN 1, which isn't started.
> Question 5: What is that typically used for? ICS without using the ethernet cable?

Wlan1 is used to connect to another AP in client mode. This way you can provide internet access to all the users that connect to your Pineapple. You will be a man-in-the-middle without needing to share the internet connection from your Mac.
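The HSTS behaviour sud0nick points to, as an added example (not code from this thread or from the Pineapple project): a small parser that evaluates a Strict-Transport-Security header the way RFC 6797 specifies and reports whether a browser that has cached it would refuse the plain-HTTP downgrade that sslstrip depends on. Header values and hostnames are constructed samples.

```python
"""HSTS policy check: does a cached Strict-Transport-Security header make a
browser refuse the plain-HTTP downgrade that sslstrip depends on?
Added example, not code from the Hak5 thread or the Pineapple project."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    max_age: int              # seconds the browser remembers the policy
    include_subdomains: bool  # policy also covers every subdomain of the host
    preload: bool             # site asks to be shipped in browser preload lists


def parse_hsts(header: str | None) -> HstsPolicy | None:
    """Parse an HSTS header value per RFC 6797; None means no usable policy."""
    if header is None:
        return None
    max_age, subs, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None   # duplicate or malformed max-age: browsers ignore the header
            max_age = int(value)
        elif name == "includesubdomains":
            subs = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None           # max-age is mandatory
    return HstsPolicy(max_age, subs, preload)


def downgrade_blocked(header: str | None, policy_host: str, target_host: str) -> bool:
    """True if a browser that cached `header` from an HTTPS visit to
    `policy_host` would refuse plain http:// for `target_host`, so an
    sslstrip-style https-to-http rewrite never produces a request it can see."""
    policy = parse_hsts(header)
    if policy is None or policy.max_age == 0:   # max-age=0 tells the browser to forget the policy
        return False
    policy_host, target_host = policy_host.lower(), target_host.lower()
    if target_host == policy_host:
        return True
    return policy.include_subdomains and target_host.endswith("." + policy_host)
```

A browser only enforces the policy after it has received the header over HTTPS at least once (or if the site ships in its preload list), which is why a fresh browser profile visiting a site for the first time behaves differently from one that has been there before. The constructed cases in the test show the three outcomes a site operator should care about: full coverage with includeSubDomains, a sibling host left uncovered without it, and a max-age of 0 that switches the protection off.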
raptcha Posted February 10, 2015 (Author)

Wow, those are some really useful answers, thank you sud0nick.

Question 3: I understand that only Internet Explorer doesn't support HSTS, so will give this a shot.

Question 5: Is there a short guide I can read to set this up? Or a few simple pointers would be helpful.
sud0nick Posted February 10, 2015

> Question 3: I understand that only Internet Explorer doesn't support HSTS, so will give this a shot.

I don't know about that. I would research it first because I think all modern browsers support HSTS, but I could be wrong.

> Question 5: Is there a short guide I can read to set this up? Or a few simple pointers would be helpful.

Just go to the Network infusion. Click on the Client Mode tab and connect to an AP. It's just like setting up a computer on an AP.
raptcha Posted February 10, 2015 (Author)

Assuming that all browsers now support HSTS, what would be an alternative? How about DNS spoofing to a fake login page, would that work? I only want to educate them, so I don't really want to actually spy on them.
sud0nick Posted February 10, 2015

DNSSpoof won't help you in stripping SSL data. You can look into this project: sslstrip-hsts. I haven't tried it, nor have I seen an implementation of it on the Pineapple, but it may work for you. DNSSpoof can definitely help you in your pentest, just don't expect to strip SSL data with it. If the company uses a captive portal you can look into my infusion Portal Auth for cloning and authenticating the Pineapple with it, and Evil Portal II to display the captive portal yourself. It's one extra step to trick the users into thinking they are on the actual access point.
raptcha Posted February 10, 2015 (Author)

Thanks, I hope this is made as an add-on soon. I have set up my Pineapple's Wlan1 in client mode and connected fine. However, as soon as I enable PineAP (on Wlan0), Wlan1 disconnects and won't reconnect. Is this a common problem?
sud0nick Posted February 10, 2015

Sorry, I thought I mentioned this earlier (and I did, just in a different thread). PineAP uses Wlan1 for monitoring. You will need to use another network card as a client (wlan2, wlan3...).
raptcha Posted February 10, 2015 (Author)

Oh, so when using PineAP with Karma etc., I need to use ICS via the ethernet? Also, I have a USB wifi adapter, and I notice that there is a USB port on my device; does this mean I can use this for an extra wlan I can use in client mode?
sud0nick Posted February 10, 2015

Yes. Either one of those options is fine. My recommendation is to use the USB device (wlan2) so your Pineapple isn't relying on your MacBook.
johnjdoe Posted February 11, 2015

> Yes. Either one of those options is fine. My recommendation is to use the USB device (wlan2) so your Pineapple isn't relying on your MacBook.

I thought this too, but as I told/asked in https://forums.hak5.org/index.php?/topic/33488-got-pineapnot-pineapple-questions-let-me-answer-them/page-5#entry256968 , it seems that there's a problem or even a bug: when I connect an external USB WIFI (which I bought at Hak5 with my Pineapple) it appears in the GUI as WLAN2. I enable WLAN0, WLAN1 and WLAN2 and put WLAN2 in client mode. After connecting it, WLAN1 and WLAN2 are disabled and the client connection is established with WLAN0! Do you perhaps have other (more promising) experiences with an external wlan2?
sud0nick Posted February 11, 2015

Those are some weird problems. I always use a USB antenna. I've got wlan0 as the AP, wlan1 is off unless I'm using PineAP, and wlan2 is my client. I use this configuration every day and haven't had any problems.