Preventing Client Association

[Betab051]

***WARNING I HAVE HAD TOO MANY CUPS OF COFFEE TODAY IF THIS DOESN'T MAKE SENSE TELL ME****

For a university project, I am attempting to harvest the various AP Beacon frames given off by devices. I set up my Pineapple last night so that when it boots up it starts PineAP, Harvester, and the secure Wi-Fi Ap. I tested it last night, and due to my router having something really wrong with it (Randomly the 5gh and 2.4gh radios will just stop transmitting, which requires me to reboot my router) I checked to make sure that ONLY my cell or my laptop is able to connect to it.

Well this morning I am in class, logged into the pineapple and there were ten clients connected to it.... Insert expletives here. I shut it down, and started looking around on how to prevent other devices from connecting to it. In the past the configuration where all my pineapple does was look and not respond worked, now that's not the case. I can't figure out what changed between now and a month and a half ago.

Anyone have an idea on what settings I should use to prevent devices from associating with the pineapple?

Before you ask, why are doing this on a university campus? IF I can get the data I would like I will post it here.

[DataHead]

Does the user infusion "connected clients" ( I think it's called ), have options to prevent clients from connecting? if I remember correctly, it does.

[DataHead]

If all else fails, check out http://wiki.openwrt.org/doc/uci/wireless

Specifically the options, macfilter and maclist

[Betab051]

Does the user infusion "connected clients" ( I think it's called ), have options to prevent clients from connecting? if I remember correctly, it does.

It does but its a blacklist. It would need the ability to whitelist one client and then blacklist any other client.

[Sebkinne]

You can use Karma MAC / SSID filters (works like usual MAC filtering) to accomplish this.

Best Regards,

Sebkinne

[telot]

So you're just trying to log the beacon frames you sniff? Seb, were you able to find that C program you wrote for the pineapple birdhouse project? I know you lost it...but it sure would help the cause :) Not just betab051, but also for me :D

I too am doing this, but for totally different reasons. My pineapple is at work, so I'll have to give you clues just from my notes...I will try to correct these with an edit tomorrow. For the meantime, this should get you going.

First off, TURN OFF all pineAP, karma, harvester, all that stuff. Turn it all off. That is why clients are connecting to you (duh..sorry, but thats what all those things are meant to do!). Reboot to make sure (I do it for superstition I guess).

Then just ssh in and airmon-ng start wlan1

After that its a simple tcpdump away!

tcpdump -i wlan1mon -e -s 256 type mgt subtype probe-resp or subtype probe-req -w /sd/probes.pcap

NOTE: because I'm not at my pineapple, this may be incorrect. Will fix tomorrow with an edit.

That will use the monitor mode of wlan1 to mostly just capture probe requests to the pcap. This saves a TON of space on your SD, as long as you're only interested in getting the probes. Then you can use Vivek's pcap2xml from the latest Pineapple Birdhouse episode (securitytube.net) to presto-chango it into a sql database for easy analysis. Thanks be to Darren for the SQL-fu

SELECT DISTINCT addr FROM MACHeaders WHERE type = 0 AND subtype = 4

Easy mode.

So betab051, now that I've hopefully helped you out, tell us about your project?

telot

[Betab051]

I got PineAP to work, by only leaving PineAP on and that's it. BUT I am running into power problems amongst other problems.

When I started this project I looked to my Raspberry Pi 2 to harvest all the SSIDs, although I could not get it to work. After research today, I figured out that I can in fact use a Raspberry Pi to just capture packets and how to do it, thanks to your comment about using tcpdump. I didn't make the connection in my head that wireshark is the graphical version of tcpdump. The problem is most of the how to's are not up to date so I am guessing/ leaning on my prior knowledge of linux to figure it out. Like right now I am trying to write a bash script that on boot the raspberry pi will check for the right wifi card, if its not there wait for it to come on, place the card into monitor mode, then run TcpDump and change the file name to the date.

Essentially I am trying to pull all the SSID requests devices make throughout the day and display it in a more digestible way. I haven't really sat down and started thinking about what i want to pull out from the data.

[telot]

Sorry, I didn't get a chance to check my pineapple for the exact script. I'll try again tomorrow :S

Should be easy enough to script on the pi. Let me know if you run into any issues!

telot

[barry99705]

MrProtocol did this at this year's Derbycon with his pineapple. He was running pineap with harvester.

https://github.com/Mr-Protocol/DerbyCon_WarWalking

[Betab051]

Sorry, I didn't get a chance to check my pineapple for the exact script. I'll try again tomorrow :S

Should be easy enough to script on the pi. Let me know if you run into any issues!

I ended up using your Tcpdump settings and wow, i mean wow it worked. I am still working on a way to have the pi just boot up and start doing the tcp dump, after checking if the wifi card is connected and if its monitor mode. Yay bash .....not going to lie I am lost when it comes to bash so I am still working on that part.

I got the same amount of data but now I need to filter it down.....Ill post the project when I am done and what I ended up doing to get it to work.

Again thank you all who posted/Answered.