Jump to content
Ruck

Cybersecurity / Pentest demonstration with the NANO

Recommended Posts

As mentioned in my (first) other topic I am quite new in using the NANO, using Linux and other pentesting tooling/stuff.

Currently my manager has also asked me (since I told I bought the fruit) to give a demonstration on our next customer meeting (a meeting for financial controllers of our clients) regarding Cybersecurity.

I am limited to a timebox presentation of 15 minutes, but can setup the wifi nano about 90 minutes in advance during other presentations and the walk in.

I am not allowed from a legal perspective to break, steal or entering mobile devices, so I am thinking what would be a great demonstration for this purpose to create awareness, but without crossing privacy and legal.

1) I was thinking to set up an unprotected/free AP with the similar name of the locations AP or with the name of the Event and see who will log on to it.

2) same as 1, but with WPA2 key, provided at entrance of the meeting

3) Only recon scanning and log probes to see where attendees have been (so profiling the attendees in general)

3a) In this case is there a method to spot probes for open SSID's of devices, without having them connecting to the PineAP? So far I haven't found this yet. This would indicate devices vulnerable for the PineAP daemon right? WPA/2 protected SSID are not vulnerable to this, since the probe is with authentication, so the SSID Pool will only send the rogue SSID, but the device will not connect to it?

4) For option 1 and 2, what are nice tools/scans to perform on connected AP's to find information on the attendees which can be shared publicly...

I know these are a lot of questions to ask for a newbie, but if you don't ask....

Any advice on where to start/learn are welcome....

Share this post


Link to post
Share on other sites

As mentioned in my (first) other topic I am quite new in using the NANO, using Linux and other pentesting tooling/stuff.

Currently my manager has also asked me (since I told I bought the fruit) to give a demonstration on our next customer meeting (a meeting for financial controllers of our clients) regarding Cybersecurity.

I am limited to a timebox presentation of 15 minutes, but can setup the wifi nano about 90 minutes in advance during other presentations and the walk in.

I am not allowed from a legal perspective to break, steal or entering mobile devices, so I am thinking what would be a great demonstration for this purpose to create awareness, but without crossing privacy and legal.

1) I was thinking to set up an unprotected/free AP with the similar name of the locations AP or with the name of the Event and see who will log on to it.

2) same as 1, but with WPA2 key, provided at entrance of the meeting

3) Only recon scanning and log probes to see where attendees have been (so profiling the attendees in general)

3a) In this case is there a method to spot probes for open SSID's of devices, without having them connecting to the PineAP? So far I haven't found this yet. This would indicate devices vulnerable for the PineAP daemon right? WPA/2 protected SSID are not vulnerable to this, since the probe is with authentication, so the SSID Pool will only send the rogue SSID, but the device will not connect to it?

4) For option 1 and 2, what are nice tools/scans to perform on connected AP's to find information on the attendees which can be shared publicly...

I know these are a lot of questions to ask for a newbie, but if you don't ask....

Any advice on where to start/learn are welcome....

Nice ideas but why not use PineAP and allow association? That will show them what really can be done and that they don't actively have to "choose" the right network SSID :P And that it can happen to them anywhere.. At the office premises, at the restaurant, at the pub, at the train etc.

They should always pay attention to networks they are connecting to and don't allow their devices to automatically connect to known wireless networks etc..

Just my 2 cents.

/crashie

Share this post


Link to post
Share on other sites

If you've got time to prepare whilst other presentations are on, why not run a recon as close to the clients as you can get, and try to identify their devices. Then you can log probes that their devices are making, and set up PineAP with some of their SSIDs, and omit any other probes - that way you keep it targeted to the client and show them that they can be singled out pretty easily. Might be worth finding out if there are any legal issues with this before you embark

Share this post


Link to post
Share on other sites

You could use the get module to show how you can get information from a browser of a device and profile it.

If you enable get and navigate to it using the url 172.16.42.1, the module is just pulling information about the devices browser.

It should fit your criteria of not stealing information or breaking into the device, as you can show how this can be linked with DNSSpoof to route users to the get module, where you can profile the devices and further attack them later.

But really, it depends on what your trying to accomplish with the demo.. show what can occur once one is connected, or how you can get users to connect.

Share this post


Link to post
Share on other sites

Thanks for your response so far, you have already helped me in my thinking proces with the Nano.

What I try to accomplish with the demo is a very low/basis awareness and provide a demostration of possible attack vectors.

The crowd consists of financial controllers (so non-techies), which have heard of cybersecurity, hackers and all that scary stuff. The first part of the meeting will go into regulatory requirements, the need of information security policy (company wide, organisational, procedural and technical). The second part we would like to demonstrate some very (unskillfull) attack vectors, to entertain the crowd, make them aware of how easy attack vectors can be (since I am not a hacker, but with very easy to use tools already can perform basic attacks).

So I want my WifiPineapple demonstration to get the crowds attention as much as possible, so providing as much personal information as possible, but without crossing the line of privacy and legal.

Based on your response I think I would go for a setup like:

Wifipineapple attached to the presenter laptop (for internetconnection), but stealthy placed ofcourse

Activate PineAP with all but broadcasting SSID Pool (since this is more stealthy, right?)

Hopefully some crowd members will have open SSID's and will connect (due to beacon response?!)

This way I can show/tell the crowd:

1) Look I have found all these SSID's (eg McDonalds, Home, hotspots) so I can track/profile you by MAC address (and maybe mention: luckily these are not open SSID's and will not connect directly)

2) Look I have created X association with the PineAP, so I could monitor your networktraffic

The last remark about get and DNSSpoof already goes beyond my current knowledge and skills, but thanks for the direction (I am going to look into this ;))

Another thing I am thinking is to set up my own AP with a weak password (eg Password123456 since it is considered strong with most password restrictions), connect with a device, capture and crack the handshake with Wifite.

Thanks for your support, I quite like the activity of this forum!

Any thought are still welcome ofcourse

Share this post


Link to post
Share on other sites

Nice ideas but why not use PineAP and allow association? That will show them what really can be done and that they don't actively have to "choose" the right network SSID :P And that it can happen to them anywhere.. At the office premises, at the restaurant, at the pub, at the train etc.

They should always pay attention to networks they are connecting to and don't allow their devices to automatically connect to known wireless networks etc..

Just my 2 cents.

/crashie

Ahh, no. Don't do this, unless you really like talking to lawyers, and orange is your color.

As mentioned in my (first) other topic I am quite new in using the NANO, using Linux and other pentesting tooling/stuff.

Currently my manager has also asked me (since I told I bought the fruit) to give a demonstration on our next customer meeting (a meeting for financial controllers of our clients) regarding Cybersecurity.

I am limited to a timebox presentation of 15 minutes, but can setup the wifi nano about 90 minutes in advance during other presentations and the walk in.

I am not allowed from a legal perspective to break, steal or entering mobile devices, so I am thinking what would be a great demonstration for this purpose to create awareness, but without crossing privacy and legal.

1) I was thinking to set up an unprotected/free AP with the similar name of the locations AP or with the name of the Event and see who will log on to it.

2) same as 1, but with WPA2 key, provided at entrance of the meeting

3) Only recon scanning and log probes to see where attendees have been (so profiling the attendees in general)

3a) In this case is there a method to spot probes for open SSID's of devices, without having them connecting to the PineAP? So far I haven't found this yet. This would indicate devices vulnerable for the PineAP daemon right? WPA/2 protected SSID are not vulnerable to this, since the probe is with authentication, so the SSID Pool will only send the rogue SSID, but the device will not connect to it?

4) For option 1 and 2, what are nice tools/scans to perform on connected AP's to find information on the attendees which can be shared publicly...

I know these are a lot of questions to ask for a newbie, but if you don't ask....

Any advice on where to start/learn are welcome....

Since you're new to this stuff, tell you boss "NO!" Tell him you need to figure out the pineapple, and how it works before showing off. Just ask anybody that has done a hardware/software demo at any convention, the demo gods are very unforgiving. Even the pros have bad days. Watching a newb fumble around on stage is just awful to watch. Know your limits, stretch your limits, just not in front of the folks that sign the paychecks.

Edited by barry99705
  • Upvote 2

Share this post


Link to post
Share on other sites

I have another (newb :S) question.

I am currently experimenting with the (basic) possibilities of the Wifi for my demonstration. (Barry for your critical response, but I feel confident enough to be able to pull this one off. I am experienced in giving presentations in the setting and I know I am the one-eyed in the land of the blind). I won't go into sniffing and/or tampering, so probably only SSID recon and connecting my iDevice for demonstration.

Nevertheless I am wondering about the following:

When I start the PineApp for logging probes, associations and capturing SSID to pools, I am able to see SSID and MAC's around the Pineapple.

Now I have my iphone 6 and worklaptop Lenovo T-??? nearby and I know they remember (closed) Wifinetworks (eg. my work and home WLAN).

When I do a recon I can see their association with my work SSID, but I do not find any other probes from these devices in the logging (eg. probing my home WLAN)?

Any suggestions about this?

Share this post


Link to post
Share on other sites

How about make a video of the demo to use just in case your live stuff does south on you. It would be good practice and you will have something to show if things don't work out in the live demo.

  • Upvote 1

Share this post


Link to post
Share on other sites

Recording is indeed a good idea for back-up, thanks for the suggestion.

Try removing your work wifi from them.

I tried 'forgetting' my work network from my iDevices (ipad and iphone) and log probes again.

Still I cannot find my iDevices probing for my home network 'SSID: Home'.

Also I have set up the PineAP to add SSID to the pool at my office. The pineapple only find/records 5 SSID's, which I find scarely low since there are about 5 employees with mobile devices in a 5 meter proximity and 30+ in a 10 meter proximity.

I would expect a lot more probes for a lot more SSID's from 10+ devices (laptops, phones, tables) in the vincinity, correct?

Any thoughts?

Edited by Ruck

Share this post


Link to post
Share on other sites

I have attached my Wifi Pineapple today again at the office and done a recon:


I find 7 with SSID associated clients and 30 non associated clients.



With PineAP running enabled for 1 hour, including all options accept broadcasting SSID pool and only 'find' 3 SSID's.



This seems quite low regarding the amount of clients!



Any help would be appreciated.....


Share this post


Link to post
Share on other sites

....I do not find any other probes from these devices in the logging (eg. probing my home WLAN)?

Any suggestions about this?

I know a lot of devices will stop probing for other networks if they are already connected to one.

Share this post


Link to post
Share on other sites

I know a lot of devices will stop probing for other networks if they are already connected to one.

That doesn't explain the numbers/stats I see:

I see two networks in reach: WORK and WORK-mobile (fictive names). 15 clients are associated with WORK-mobile. But I also see 36 unassociated clients.

Which means the 36 are not connected to a wireless network right?

After running the PineAP for 1 hour straight I find a merely 13 SSID's.

The fact I am finding SSID's suggests that the Pineapple is working, but the devices are not probing?

One of the devices is my own iphone, which isn't connected to any wireless network and should auto-connect to my HOME wifi. So I would at least expect one probe for HOME (after an hour?!).

Am I thinking in the wrong direction?

Share this post


Link to post
Share on other sites

Am I thinking in the wrong direction?

A few things I've noticed from testing are:

Phones seem to probe far more than laptops/desktops

Phones seem to probe when they are actually using mobile data and not on wifi (like really using it, not just background data or a webpage or two)

Laptops seem to probe when they first start up, from there it's hit or miss unless you open up panel to try to connect to a wifi or force a fresh scan

For the unassociated clients, it seems more like the pineapple is not able to get enough data from the device either due to distance or lack of communication during the recon scanning time period.

Note that all of this is just my very little understanding of any of the actual underlying technology or details. It's just what I've noticed while I've been playing around with my Pineapple in different situations and areas.

Share this post


Link to post
Share on other sites

When I got my first Pineapple (the Mark V) I was chosen to give a presentation at a local conference for developers and other non-infosec types. As part of my presentation I had the Pineapple running during the presentation prior to mine capturing and logging probes. Just showing a list of AP probes will get the audiences attention as they will see their home AP names, various businesses they visit etc. In my presentation I wanted to show the audience the way that the Pineapple was capable of capturing their devices connection and how I could MiTM their information. To ensure there were no legal ramifications I put a simple sign on the door that warned potential attendees that their wireless connection may be modified and if they did not want to participate to please turn off WiFi on all of your devices. This gave everyone warning, then to further cover my @$$ DNS redirect was on and there was no internet connection, doing this along with the "RandomRoll" infusion allowed me to ask everyone in the audience with WiFi turned on to pull out their devices and attempt to navigate to Google. Since I had chosen the dancing banana GIF it was very successful as more than a hundred devices all started playing Peanut Butter Jelly Time (it was classic). This covered me legally (at least at the conference) I also showed the audience my deleting any AP or other info that was captured.

The presentation went over REALLY well and I have given the same or similar talk at local OWASP, ISACA, and other local meeting and conferences.

  • Upvote 1

Share this post


Link to post
Share on other sites

I have a question regarding the RandomRoll you used:

- When I try this with my iphone it only trolls using http sites, no https sites, is that expected behavior? If so, what causes this?

Other questions I have:

- Is it possible to log probes indicating wheter or not these are probes for open or closed networks?

- Is it possible to log disassociation of devices (when I check logging after a day of Pineappling, I see several associations, but cannot say how long they have been associated and whether or not I could have used modules for sniffing or other 'fun' stuff?

Share this post


Link to post
Share on other sites

I have a question regarding the RandomRoll you used:

- When I try this with my iphone it only trolls using http sites, no https sites, is that expected behavior? If so, what causes this?

Other questions I have:

- Is it possible to log probes indicating wheter or not these are probes for open or closed networks?

- Is it possible to log disassociation of devices (when I check logging after a day of Pineappling, I see several associations, but cannot say how long they have been associated and whether or not I could have used modules for sniffing or other 'fun' stuff?

Correct, because the https sites are looking for that ssl cert that says they're legit. When they don't get it, the browser says screw you and won't load anything.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...