Pentester - what are your thoughts?


dre2007

Recommended Posts

Hello everyone

I recently purchased the Pineapple Nano because I think it can be good for a pentester.
In August 2015 I became CEH certified, and I did a lot of research into what a good pentester would be.

However, just as with everything else, a community always has other interesting thoughts, so for this reason I am reaching out to you.

My question to you all is, what is your ultimate goal with the pineapple?

Is it hacking wifi, deassociating wifi clients, etc.?

I am really curious about your goals and interests.

Please post your interests, thanks :)


As a pentester for a financial organization, I have used the Pineapple to prove how susceptible our own internal devices were to a simple MITM attack. This helped us get changes made at the desktop level in order to help prevent this. It also showed our network engineers that we could set up "rogue" access points in the environment. We now have measures in place to detect these "rogue" access points and send de-auths against them when detected.

It can also come in handy to see what devices are calling out to so you can replicate this SSID and perform MITM type attacks.

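The post above describes two things a blue team wants after a Pineapple demo: a way to spot a rogue AP that reuses the corporate SSID, and a way to spot the corporate BSSIDs being broadcast under some other name. The following is an added example written for this page, not Korang's tooling or anything from Hak5; the allowlist, the CSV-style beacon records and the RSSI threshold are all constructed assumptions. It classifies each observed beacon against an allowlist of authorized BSSIDs per SSID and returns only the findings a responder would act on.

```python
"""Rogue / evil-twin AP detection over a constructed beacon log.

Added example (not from the original thread). The allowlist, the sample
records and the -65 dBm "nearby" threshold are hypothetical and would be
replaced by a real site survey and a real capture.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical allowlist: which BSSIDs may legitimately beacon each corporate SSID.
AUTHORIZED_BSSIDS: dict[str, set[str]] = {
    "CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "CorpGuest": {"aa:bb:cc:00:00:03"},
}

# Constructed sample, one beacon observation per line: bssid, ssid, channel, rssi(dBm).
SAMPLE_LOG = """\
# bssid, ssid, channel, rssi   (constructed sample, not a real capture)
aa:bb:cc:00:00:01, CorpWiFi, 6, -48
aa:bb:cc:00:00:02, CorpWiFi, 11, -70
de:ad:be:ef:00:01, CorpWiFi, 1, -42
aa:bb:cc:00:00:03, CorpGuest, 6, -55
aa:bb:cc:00:00:03, Free Airport WiFi, 6, -60
02:13:37:aa:bb:cc, linksys, 6, -88
02:13:37:aa:bb:cd, xfinitywifi, 1, -50
""".splitlines()


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    rssi: int  # dBm, as reported by the capturing radio


def parse_beacons(lines: list[str]) -> list[Beacon]:
    """Parse comma-separated beacon records, skipping blanks and '#' comments."""
    beacons: list[Beacon] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, rssi = (f.strip() for f in line.split(","))
        beacons.append(Beacon(bssid.lower(), ssid, int(channel), int(rssi)))
    return beacons


def classify(beacon: Beacon, authorized: dict[str, set[str]], near_dbm: int = -65) -> str:
    """Label one beacon relative to the allowlist.

    evil_twin      - one of our SSIDs broadcast by a BSSID we do not own
    bssid_spoof    - one of our BSSIDs broadcasting a foreign SSID
    unknown_nearby - neither, but strong enough to be inside the building
    unknown_distant- neither, and weak enough to ignore (a neighbour)
    """
    allowed = authorized.get(beacon.ssid)
    if allowed is not None:
        return "authorized" if beacon.bssid in allowed else "evil_twin"
    if any(beacon.bssid in bssids for bssids in authorized.values()):
        return "bssid_spoof"
    return "unknown_nearby" if beacon.rssi >= near_dbm else "unknown_distant"


def find_rogues(lines: list[str],
                authorized: dict[str, set[str]] = AUTHORIZED_BSSIDS) -> list[tuple[str, str, str]]:
    """Return sorted (bssid, ssid, verdict) for every actionable observation.

    Authorized and distant unknown beacons are dropped; repeated sightings of the
    same (bssid, ssid) pair are collapsed to the strongest one.
    """
    strongest: dict[tuple[str, str], tuple[Beacon, str]] = {}
    for b in parse_beacons(lines):
        verdict = classify(b, authorized)
        if verdict in ("authorized", "unknown_distant"):
            continue
        key = (b.bssid, b.ssid)
        if key not in strongest or b.rssi > strongest[key][0].rssi:
            strongest[key] = (b, verdict)
    return sorted((b.bssid, b.ssid, v) for b, v in strongest.values())


if __name__ == "__main__":
    for bssid, ssid, verdict in find_rogues(SAMPLE_LOG):
        print(f"{verdict:15} {bssid}  {ssid!r}")
```

Two practical notes. An evil twin can also clone an authorized BSSID exactly, which this allowlist check cannot see; for that you need a second signal such as channel, RSSI from several fixed sensors, or beacon timing, so treat this as the first filter rather than the whole detector. And the de-auth containment mentioned above should be scoped to devices on your own premises: transmitting deauthentication frames against other people's networks is a regulatory problem in many jurisdictions, not just a technical one.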

Hi Korang,

Your answer is simple but very interesting.

I am often overthinking the use of a Pineapple, but you made a valid point about proving the MITM attack in organizations. I think I will set up a case like this :)

If anyone else has some good experience please share :)


I use mine mostly for wardriving/walking/biking. (I'm just a first-year student who's only taken Programming I, Hardware, OSes, and Networking I. My chances of getting a real job that would make use of a Pineapple are pretty slim for now.)

Sure, I could use my phone, but I also want to have a battery that lasts more than an hour.

Edited by Fallen Archangel

I use it to play pranks on my wife, friends, and guests to my house. Rick rolling, etc.

Inside my house, the airwaves belong to ME!

Kidding aside, I've used the Pineapples for calculating historical travel times of vehicles on major interstates for road construction projects. It's not pen testing related, but it works like a charm and is much better than paying $2-5k+ for purpose-built hardware to do the exact same thing. I built up two Pineapples that do this in about a day's time and saved my company thousands of dollars. Nice bonus for telot that year, thanks to the Pineapple.

telot

Edited by telot

I've used the pineapples for calculating historical travel times of vehicles on major interstates for road construction projects

If there is nothing barring you from releasing the information to the public I would love to see a thread on how you did this. It sounds really interesting.


I did the whole "Pineapple in a birdhouse" method...though I didn't have the benefit of having Seb's C code (which he apparently lost! I forgive you Seb, because you're too beautiful to be mad at. But DK, if you have a copy lying around somewhere, please share!). Here's a long explainer, so indulge if you want. TL;DR version: I record the MACs from beacon frames and know where two Pineapples are. From there I can determine travel time and average speed of vehicles.

Some background if you care: I work in the ITS industry (Intelligent Transportation Systems - think of the big pole-mounted cameras you see on the freeway and the red/yellow/green traffic data you see on Google Maps - a lot of that is from state-deployed permanent inductive loop sensors in the roads). I take ITS and bring it into road construction work zones. So we do travel times, queue warning systems, and traffic control performance monitoring for Departments of Transportation in order to make work zones safer for motorists and workers. One of the metrics agencies most often want to see is a mobility rating (trip reliability, Buffer Time Index, 95th percentile weighted by volume averages...in case there are any civil engineers in the audience).

One way of establishing a historical record of travel times is to have a sensor that can detect some kind of RF unique identifier from a vehicle at a known (via GPS) location and another sensor down the road a mile or more that can detect the same unique ID. If you know the time a MAC address passed sensor 1 and the time it passed sensor 2, and you know the distance (again, via GPS or mile post markers), you can determine the average speed and travel time. A bunch of companies track this stuff using Bluetooth, but you can only get a unique identifier from devices in DISCOVER mode. Think old-ass BlackBerrys and shitty TomToms, etc. Those are very popular, but as a lifelong friend of the hacking community, I've dug into their internals and they are all smoke and mirrors. WiFi detectors hit the scene a couple of years ago (recording MAC addresses from probe requests, basically what the Jasager portion of the Pineapple says "YES!" to) and they work a lot better due to so many more targets. Targets = you with your wifi left on on your smartphone driving by. This industry is quite a small niche, so it's a very low-volume sales model. They sell their sensors for ~2-5K to make up for the low volume, even though it's basically an Atheros chip inside with some storage and a cell modem (~$180-250 actual cost of hardware).

My company does the software side of things (reporting, data crunching, posting messages to portable message boards), so I frankly don't give two fucks about the plight of the low-volume/high-margin hardware folks. I use my trusty Mark Vs in little NEMA boxes with off-the-shelf cellular routers and a small solar/12V battery setup. I do a custom tcpdump to pcap on an sshfs to a VPS, then use Vivek's pcap to XML converter (which only runs on Windows...WTF Vivek!?!) that I learned about from you, Darren. My software pulls in the XML like we do so many other XML feeds and it goes to the database for number crunching. Easy mode.

It's not a central "core" offering of my company, but it's a nice value add. And you'll be happy to know that I (unlike all the other vendors), salt and hash the mac addresses in memory before they hit disk or the net so your privacy is (at least somewhat) protected. I also only transmit it via ssh like I mentioned - others send them in plaintext over the web. I bet I could do better on this front and I sincerely would like to, but it was a 1 day hack to throw it all together.

So yeah, I sure am sad the Mark V is EOL - because it was so ideal for this use case...but such is life. I have a lead on some old Alfa AP121Us (Mark IV hardware) I might use instead if another project calls for this type of data; we'll see. If you guys want specifics and code I'll provide it, because I love this community and all that I've learned from the Pineapple with the help of all the regulars here on this forum. So please feel free to send me a PM if you want to know more. Cheers :)

telot

  • Upvote 5

Telot -

I'm in love with your birdhouse. Thanks for reminding me of this! Going to have to revisit that now that we have even smaller hardware :)

Here's the "experiment8021104" app.

https://drive.google.com/file/d/0B1kHHuoTR841cENJUEZJYXQwNE42bkpRa3YwLWVWQm9JSFI0/view?usp=sharing

It'll install on the nano the usual way. It only takes one parameter -- a monitor interface. By default that'll be wlan1mon on the nano.

Outputs two columns -- unix epoch timestamp and MAC. Pipe it to whatever. Works extremely well.


They sell their sensors for ~2-5K to make up for the low volume, even though its basically an atheros chip inside with some storage and a cell modem (~$180-250 actual cost of hardware).

My company does the software side of things (reporting, data crunching, posting messages to portable message boards) so I frankly don't give two fucks about the plight of the low-volume/high margin hardware folks.

telot

That's awesome and really interesting to read - ever thought of making some money on the side? $1k boxes still give you an amazing markup and undercut the vendors. Guess it depends on whether you can be bothered with the hassle of supporting it once it's out there in the hands of consumers.


Telot -

I'm in love with your birdhouse. Thanks for reminding me of this! Going to have to revisit that now that we have even smaller hardware :)

Here's the "experiment8021104" app.

https://drive.google.com/file/d/0B1kHHuoTR841cENJUEZJYXQwNE42bkpRa3YwLWVWQm9JSFI0/view?usp=sharing

It'll install on the nano the usual way. It only takes one parameter -- a monitor interface. By default that'll be wlan1mon on the nano.

Outputs two columns -- unix epoch timestamp and MAC. Pipe it to whatever. Works extremely well.

Hells yeah Darren! Many thanks! I'll be checking this out this weekend!

That's awesome and really interesting to read - ever thought of making some money on the side? $1k boxes still give you an amazing markup and undercut the vendors. Guess it depends on whether you can be bothered with the hassle of supporting it once it's out there in the hands of consumers.

Well, I'm glad you enjoyed :) Sorry if this derailed the thread a bit (this is so NOT about pen testing lol). You're correct in saying that $1k would be a very decent markup, but I'm trying to shake up this industry by pushing the perception of value to the software stack (the performance reports, event alerts, message board logic to save lives, statistics, etc.). With the smartphone supply chain in full swing, hardware is so so so cheap. Software is freaking expensive to make, man (try hiring a software dev with 5 years' experience for less than $125k/yr. And I'm in the Midwest!). So while charging for the sensor would be profitable, it's a strategic decision to throw them out there for "free" and use them as another data point. If demand spiked and they started taking off, I would of course change my tune, however :)

Moral of the story is the Pineapple is extremely versatile hardware that can do amazing things. I just hate to read posts like "SSLStrip is dead = Pineapple is dead. What's even the point, since everyone is on a smartphone now and apps roll their own crypto". It's like, grow an imagination, folks! These radios are purpose-built for monitor mode and accomplish the goal extremely well! There's so much you can do with just that, let alone all the other amazing features.

If you want to read more about technology in work zones, civil engineering stuff, and the smart phone supply chain you can head over to https://blog.slndrtech.com to read more :)

telot

Edited by telot
  • Upvote 1

Telot, that is really cool. I can see how you would get an idea of, maybe, miles between the two Pineapples but if you needed something more precise were you worried about the accuracy? For example, the range of the Pineapple would spread over more than a few meters and you can't know where within that range the phone was when the beacon was sent so you could definitely have an idea of the distance +/- a few meters but you couldn't know a precise distance. Is this statement correct?


Telot, that is really cool. I can see how you would get an idea of, maybe, miles between the two Pineapples but if you needed something more precise were you worried about the accuracy? For example, the range of the Pineapple would spread over more than a few meters and you can't know where within that range the phone was when the beacon was sent so you could definitely have an idea of the distance +/- a few meters but you couldn't know a precise distance. Is this statement correct?

You're 100% correct. For the most part this margin of error (~10 meters) is perfectly acceptable. I've thought about going with directional antennas, but talking with some of the other vendors, they have the best luck with omnis. There are a ton of "gotchas" doing this kind of "origin/destination measurement", as it's called. You have to be aware of diversion routes (people take an exit off the freeway and never return), filter out outliers (target stops for a cup of coffee - the travel time now jumps from 2 mins to 25 mins), figure out if you want to take the first reading of the MAC address as the timestamp of record, the last, or the median timestamp. If there are signalized intersections (stoplights) this is particularly relevant. Also, if there's a frontage road running parallel to the freeway you run into even more issues! The hardware/device stuff is pretty easy (like I said, a 1-day hack with the resources from the community/Hak5) - the server-side stuff is my company's "special sauce" that we've honed over the years to tackle all these other issues - and we still run into edge cases where it breaks down. As my cofounder is fond of saying, if it was easy, everyone would be doing it :D

If this stuff interests you, the guys over at Acyclica were the first ITS-specialized wifi-detector manufacturer. They're the ones who sell them for $2-5k. I've heard good reports of their product from agencies doing permanent installs with them. The other player in the market is traficcast.com. They started with Bluetooth, but have since broadened their horizons to include wifi with their latest detectors. They recently bought out a good friend of mine's company - he's now their head of global sales. If you want a hookup for a wifi/BT job, send me a PM and I'll give either of them a shout on your behalf. Cheers :)

telot

Edited by telot
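Telot's two posts above lay out the whole pipeline: a sensor at each end logs (timestamp, MAC) pairs, MACs are salted and hashed before they touch disk, a device seen at both sensors yields a travel time and an average speed over the known distance, and then you have to pick a timestamp-of-record policy (first, last or median sighting), drop diversions (seen at A, never at B) and drop outliers (the coffee stop). The following is an added example written for this page to make that concrete; it is not telot's code, not his company's "special sauce", and not Darren's app. It assumes two-column "epoch MAC" input in the shape Darren describes his app emitting, a hypothetical HMAC salt, constructed sightings for a 2.0 mile segment, and plausibility bounds of 5-100 mph for the outlier filter.

```python
"""Two-sensor wifi travel-time matching with pseudonymized MACs.

Added example (not from the original thread). Input lines are "epoch mac",
the format Darren's app is described as producing. SALT, the sightings and
the 2.0 mile sensor spacing are all constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import math
import statistics
from collections import defaultdict

# Hypothetical per-deployment secret; rotate it and never ship it with the data.
SALT = b"rotate-me-per-deployment"

# Constructed sightings. Sensor A is upstream, sensor B is 2.0 miles downstream.
# Devices: 01 normal (3 and 2 sightings), 02 normal, 03 stopped for coffee (outlier),
# 04 took an exit (diversion, never reaches B), 05 only ever seen at B, 06 normal.
SENSOR_A = """\
1000 02:00:00:00:00:01
1001 02:00:00:00:00:01
1003 02:00:00:00:00:01
1010 02:00:00:00:00:02
1020 02:00:00:00:00:03
1030 02:00:00:00:00:04
1040 02:00:00:00:00:06
""".splitlines()
SENSOR_B = """\
1100 02:00:00:00:00:05
1120 02:00:00:00:00:01
1122 02:00:00:00:00:01
1154 02:00:00:00:00:02
1200 02:00:00:00:00:06
2520 02:00:00:00:00:03
""".splitlines()


def pseudonymize(mac: str, salt: bytes = SALT) -> str:
    """Keyed hash of the normalized MAC. Only this value is stored or sent."""
    digest = hmac.new(salt, mac.strip().lower().encode(), hashlib.sha256).hexdigest()
    return digest[:16]


def parse_sensor(lines: list[str]) -> dict[str, list[float]]:
    """Group sighting timestamps by pseudonym; the raw MAC is discarded here."""
    sightings: dict[str, list[float]] = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # malformed line; skip rather than crash the sensor
        ts, mac = parts
        sightings[pseudonymize(mac)].append(float(ts))
    return sightings


def timestamp_of_record(times: list[float], policy: str = "median") -> float:
    """Collapse repeated sightings of one device at one sensor to a single time."""
    times = sorted(times)
    if policy == "first":
        return times[0]
    if policy == "last":
        return times[-1]
    if policy == "median":
        return float(statistics.median(times))
    raise ValueError(f"unknown policy {policy!r}")


def match_travel_times(sensor_a: dict[str, list[float]], sensor_b: dict[str, list[float]],
                       distance_miles: float, policy: str = "median",
                       min_mph: float = 5.0, max_mph: float = 100.0) -> list[tuple[str, float, float]]:
    """Return (pseudonym, travel_seconds, avg_mph) for devices seen at both sensors.

    Diversions (no sighting at B), wrong-direction trips (B before A) and
    implausible speeds (stopped for coffee, or a spurious match) are dropped.
    """
    results = []
    for pid, times_a in sensor_a.items():
        times_b = sensor_b.get(pid)
        if not times_b:
            continue  # diversion: left the freeway between the sensors
        travel_s = timestamp_of_record(times_b, policy) - timestamp_of_record(times_a, policy)
        if travel_s <= 0:
            continue  # travelling the other way, or sensor clocks are skewed
        mph = distance_miles / (travel_s / 3600.0)
        if not (min_mph <= mph <= max_mph):
            continue  # outlier filter
        results.append((pid, travel_s, mph))
    return results


def summarize(results: list[tuple[str, float, float]]) -> dict[str, float]:
    """Mean and 95th-percentile (nearest-rank) travel time, plus Buffer Time Index:
    (p95 - mean) / mean, i.e. the extra margin a traveller must budget to be on time."""
    travel = sorted(r[1] for r in results)
    mean = statistics.fmean(travel)
    p95 = travel[max(0, math.ceil(0.95 * len(travel)) - 1)]
    return {"n": len(travel), "mean_travel_s": mean, "p95_travel_s": p95,
            "buffer_time_index": (p95 - mean) / mean}


if __name__ == "__main__":
    matched = match_travel_times(parse_sensor(SENSOR_A), parse_sensor(SENSOR_B), 2.0)
    for pid, secs, mph in matched:
        print(f"{pid}  {secs:6.0f} s  {mph:5.1f} mph")
    print(summarize(matched))
```

The keyed hash is the one design point worth dwelling on. A plain salted hash of a 48-bit MAC is cheap to brute-force if the salt leaks, since the OUI prefix cuts the search space further; keeping the salt as an HMAC key that lives only on the sensor, and rotating it per deployment, means the server-side dataset cannot be joined back to real devices even by the operator. The first/last/median switch is there because, as the post says, which one is right depends on whether there is a stoplight or a frontage road next to the sensor.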

/forgive Sebkinne

You've got a lot on your mind, I'm sure of it :)

telot

