Jump to content

New to the Nano? New to Kali/Linux/CLI? New to pentesting/sec auditing/openwrt? I am, so here are some links

Recommended Posts

I'm creating this thread for myself and others that are newish to the Pineapple, Openwrt, CLI and linux. Please apply salt as this will probably be an ongoing thread. I tend to jump the gun with garishly heavy hands, often accompanied with moith feet. 

I come from a background of outsourcing, photography and color correction. None of which speak Linux or networking and nary a command line. (I did create a batch file once that deletes massive Lightroom catalogs in minutes; doesn't count though). I learn quickly but it's been slightly more than hairy.

here are some of the Linux tools that the nano can utilize. The links go to the tool via kali.org tool page.

  1. PineAP - PineAP is a highly effective rogue access point suite for the WiFi Pineapple.
  2. Nmap - Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing.
  3. p0f - P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way
  4. responder - This tool is first an LLMNR and NBT-NS responder, it will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix.
  5. SSLsplit - SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections.
  6. SSLstrip - sslstrip is a tool that transparently hijacks HTTP traffic on a network, watch for HTTPS links and redirects, and then map those links into look-alike HTTP links or homograph-similar HTTPS links. | Not in the module list but will be soon (https://forums.hak5.org/index.php?/topic/37077-sslstrip/)
  7. Aircrack-ng - Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured.
  8. wifite - To attack multiple WEP, WPA, and WPS encrypted networks in a row.
  9. BeEF - Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors | Not a module but possible to use for the landing page. I just installed it and will play with it some. Not really sure of the extent of it's abilities..
  10. PixieWPS - Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some APs (pixie dust attack). | Not available yet, but will be ported over soon.

This is all I know of so far. For more information about your modules, check out the Nano/tetra modules thread here. I'll try to keep this updated if my focus stays focused. There are a ton of great videos in these forums so use the search and as always, Keep Practe.

Edited by Spoonish
Updated my intent with this thread.
  • Like 1
  • Upvote 2
Link to post
Share on other sites

thanks for sharing, im sure this will help lots of people, as long as your focus is focused :tongue:

how would someone go about installing / using these when on the Pineapple, without a module? any pointers in that regard would probably be helpful.

Link to post
Share on other sites

Curious to know if they plan to add in https://github.com/aanarchyy/bullyit's supposed to work with devices that run OpenWRT I've had a little luck with it over normal reaver I still feel wps is kinda dead I mean people are making stuff for wps but still nothing for wep?

Link to post
Share on other sites

For those that are unaware or aware of something along these lines:

7 wireless modes for your nifty NIC (Network Interface Controller/wifi card/dongle)

1. Monitor - captures packets without having to associate with an AP or ad-hoc network
2. Master - Access Point or Base Station
3. Managed - devices connected to an access point. Infrastructure Mode, clients
4. Ad-hoc (peer-to-peer) - devices connect to one another without AP
5. Mesh (ad-hoc cloud) - nodes can communicate with at least one common connection
6. Repeater - repeats rge signal and extends the range of a single AP
7. Promiscuous - can use on wired and wireless. gives all frames to CPU instead of just ones needed
  • Upvote 1
Link to post
Share on other sites

While bouncing between NMAP target specifications and this awesome writeup on TCPdump by Daniel Miessler I came across this site offering some examples for tcmpdump. That last one is nice for me as I work well when I can deconstruct something to learn about it's innards.

Also Daniel Miessler has some great study guides.

Some recent pages that I've bookmarked and will rummage through in the early AM

TCPdump Documentations

ngrep(8) - Linux man page

Kismet Wireless Documentation (I believe that Kismet is installed along with the Module SiteSurvey)
  • Upvote 1
Link to post
Share on other sites
  • 2 weeks later...

Here is a list of TCP and UDP ports from Wikipedia, some of which some people might have forgotten about in case they need to sniff them out; ie

17 TCP UDP Quote Of The Day

oh yes, I'm never losing sight of my strength, my rock, quotes of the day.

Also some information on IP tables for the uninformed like me.

IP Tables Tutorial by Oskar Andreasson

Here's a look at the table 'o contents:

Table of Contents About the author How to read Prerequisites Conventions used in this document 1. Introduction 1.1. Why this document was written 1.2. How it was written 1.3. Terms used in this document 2. Preparations 2.1. Where to get iptables 2.2. Kernel setup 2.3. User-land setup 2.3.1. Compiling the user-land applications 2.3.2. Installation on Red Hat 7.1 3. Traversing of tables and chains 3.1. General 3.2. mangle table 3.3. nat table 3.4. Filter table 4. The state machine 4.1. Introduction 4.2. The conntrack entries 4.3. User-land states 4.4. TCP connections 4.5. UDP connections 4.6. ICMP connections 4.7. Default connections 4.8. Complex protocols and connection tracking 5. Saving and restoring large rule-sets 5.1. Speed considerations 5.2. Drawbacks with restore 5.3. iptables-save 5.4. iptables-restore 6. How a rule is built 6.1. Basics 6.2. Tables 6.3. Commands 6.4. Matches 6.4.1. Generic matches 6.4.2. Implicit matches 6.4.3. Explicit matches 6.4.4. Unclean match 6.5. Targets/Jumps 6.5.1. ACCEPT target 6.5.2. DNAT target 6.5.3. DROP target 6.5.4. LOG target 6.5.5. MARK target 6.5.6. MASQUERADE target 6.5.7. MIRROR target 6.5.8. QUEUE target 6.5.9. REDIRECT target 6.5.10. REJECT target 6.5.11. RETURN target 6.5.12. SNAT target 6.5.13. TOS target 6.5.14. TTL target 6.5.15. ULOG target 7. rc.firewall file 7.1. example rc.firewall 7.2. explanation of rc.firewall 7.2.1. Configuration options 7.2.2. Initial loading of extra modules 7.2.3. proc set up 7.2.4. Displacement of rules to different chains 7.2.5. Setting up default policies 7.2.6. Setting up user specified chains in the filter table 7.2.7. INPUT chain 7.2.8. FORWARD chain 7.2.9. OUTPUT chain 7.2.10. PREROUTING chain of the nat table 7.2.11. Starting SNAT and the POSTROUTING chain 8. Example scripts 8.1. rc.firewall.txt script structure 8.1.1. The structure 8.2. rc.firewall.txt 8.3. rc.DMZ.firewall.txt 8.4. rc.DHCP.firewall.txt 8.5. rc.UTIN.firewall.txt 8.6. rc.test-iptables.txt 8.7. rc.flush-iptables.txt 8.8. Limit-match.txt 8.9. Pid-owner.txt 8.10. Sid-owner.txt 8.11. Ttl-inc.txt 8.12. Iptables-save ruleset A. Detailed explanations of special commands A.1. Listing your active rule-set A.2. Updating and flushing your tables B. Common problems and questions B.1. Problems loading modules B.2. State NEW packets but no SYN bit set B.3. SYN/ACK and NEW packets B.4. Internet Service Providers who use assigned IP addresses B.5. Letting DHCP requests through iptables B.6. mIRC DCC problems C. ICMP types D. Other resources and links E. Acknowledgments F. History G. GNU Free Documentation License 0. PREAMBLE 1. APPLICABILITY AND DEFINITIONS 2. VERBATIM COPYING 3. COPYING IN QUANTITY 4. MODIFICATIONS 5. COMBINING DOCUMENTS 6. COLLECTIONS OF DOCUMENTS 7. AGGREGATION WITH INDEPENDENT WORKS 8. TRANSLATION 9. TERMINATION 10. FUTURE REVISIONS OF THIS LICENSE How to use this License for your documents H. GNU General Public License 0. Preamble 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 2. How to Apply These Terms to Your New Programs I. Example scripts code-base I.1. Example rc.firewall script I.2. Example rc.DMZ.firewall script I.3. Example rc.UTIN.firewall script I.4. Example rc.DHCP.firewall script I.5. Example rc.flush-iptables script I.6. Example rc.test-iptables script

Link to post
Share on other sites
  • 1 year later...

Good thread with pineapple mark6 powering info. Darren comments a few times with pertinent information like barrel specs needed for the tetra( needs to be 5.5mm OD / 2.1mm ID, center positive.)


Link to post
Share on other sites

Openwrt guide by Matt Ventura




Matt Ventura's blog


I’ve attempted to write a complete OpenWRT setup tutorial, since many out there lack certain parts. This will cover the basics and the more advanced things you can do with OpenWRT. Read more for the tutorial.

I will be adding more to this later, so stay tuned. You can also subscribe to my RSS feed or follow me on Twitter (@mattventura.)

First, this assumes that you already have OpenWRT installed. If you don’t have it installed, you find the proper firmware file from openwrt.org, log into your router, and use the “firmware update” page to install the new firmware. Also, some of the advanced things assume that you have a Linksys WRT54G series router. It also assumes you have some computer skills.

Also, this was written using 7.09, then editied with another person who uses 8.09, so some of this may be outdated, but should be mostly relevant.

If you have already done any of these steps, just skip it.

First of all, OpenWRT has a web interface, a telnet interface, and an ssh interface. This tutorial covers the telnet/ssh interface, since if you installed OpenWRT, you apparently already know how to use a web interface.

The OpenWRT web interface isn’t quite self explanatory, and knowing how to use a CLI is an extremely useful skill. If you don’t figure out the web interface, just follow our CLI instructions.

The initial password doesn’t exist, so please, change your password by going to System > Admin Password.

First, you need to connect to the router. By default, on 8.09 wireless should be enabled, but it will be disabled for earlier versions. So if you don’t see a wifi network called “OpenWrt,” grab an Ethernet cable and connect to your router. Open up a command line and run ‘telnet’. You will get in without a password if you have not set one. You should really set one by running ‘passwd’ on the router and typing a password, if you don’t set one, by default, outside attackers can’t hit either the router’s Web UI (for 8.09+) or SSH. Now, close your telnet session and make sure you have an SSH client. For windows, you can use PuTTY, available at http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe. Log into the router ( using username ‘root’ and the password you set in the telnet session or in the web interface. You should now be logged in. Now, if you know how to use a unix text editor (vi is the only one that comes standard on OpenWRT, see the ‘installing software’ section if you don’t like vi) you can use one. If you don’t, I recommend downloading WinSCP (available at http://winscp.net/download/winscp419.exe), which will let you browse and edit files and folders with a commander-style GUI, and will make many parts of this much easier if you aren’t familiar with traditional Unix text editors since it has a built in text editor. WinSCP connects to your router through SSH, so just connect to with username ‘root’ and the password you set. You will see your computer’s files on the left and the router’s files on the right. You can change it from commander-style to explorer style if you are more comfortable

First Step: Configure Wifi

Start by opening the file /etc/config/wireless. If you need to enable wifi, you should see something about deleting a line to enable wifi. Just delete the line it says you should delete. Now, you can change the SSID by editing the ‘option ssid’ line. To get encryption, change the bottom part of the file to follow this example:

config wifi-iface
option device wl0
option network lan
option mode ap
option ssid openwrt
option encryption wep
option key abcd12345678901234567890ef

The ‘key’ setting should be a 10 or 26 digit hexadecimal number (only 0-9 and a-f). Be sure to include the ‘option encryption wep’ line. You can reboot to apply the changes (use the ‘reboot’ command) or run ‘/etc/init.d/network restart’. If you want to use WPA, you can use the ‘nas’ package or wpa_supplicant if you are more proficient.

Step 2: Change DNS servers (optional)

Right now, your OpenWRT router is using your ISP’s DNS servers, which probably aren’t the best out there. This step is optional, but can speed up web browsing by a significant amount, depending on how bad your ISP’s DNS servers are. First, edit /etc/dnsmasq.conf and find the ‘resolv-file’ line. Change that line to ‘resolv-file=/etc/resolv.conf’. Now, exit your editor and run ‘rm /etc/resolv.conf’. Now, run ‘touch /etc/resolv.conf’ which will recreate the file. Edit the file again, and put this in it:


See Appendix A for other DNS servers you can use.

Reboot to apply the changes and check for an increase in speed. If you can connect to your network, but a web browser says that the server cannot be found, your ISP may block outside DNS queries. Simply revert to your ISP’s servers by running ‘rm /etc/resolv.conf’ and then ‘ln -s /tmp/resolv.conf.auto /etc/resolv.conf’, or if you know them, simply replace and with your ISP’s servers. Then proceed to call your ISP and complain about the fact that you can’t use other DNS servers. Threaten to cancel your service, because that is very effective.

Step 3: Change your IP and/or Expand your subnet (optional)

You can use the entire 192.168/16 RFC1918 range if you have more than 254 devices on your network. Do not do this step if you have another NAT router somewhere in your network that you cannot configure, as it often causes problems. This will also mess with devices such as the Vonage V-Portal, which will need to be reconfigured in order to be able to make calls. Simply reconfigure it’s LAN IP to be in a different private subnet.

If you still want to use as the router’s IP, edit the file /etc/config/network and local the ‘LAN configuration’ section. Find the ‘option netmask’ line in the LAN configuration section. Change this from to Now you can have 65534 devices on your network instead of only 254. You will need to reconfigure DHCP to get that many DHCP clients though.

The other RFC1918 ranges are 10/8 and 176.16/12 (

Your basic OpenWRT setup is now complete. Now for the fun stuff.

Older versions of OpenWRT use the ipkg package management, whereas never versions use okpg. Opkg is used the same way as ipkg, so if you see an ipkg command, and you have okpg, simply replace the i with an o.

The three most useful commands are ipkg update, which will update your package list, ipkg list, which will list all of the available packages and can be used with grep to locate specific packages, and ipkg install to install a package. You should run ipkg update before installing anything. If ipkg update gives you error 404s, try looking in /etc/ipkg.conf to see if your sources are correct. Mine are:

src release http://downloads.openwrt.org/kamikaze/7.09/brcm-2.4/packages
src packages http://downloads.openwrt.org/kamikaze/7.09/packages/mipsel

Replace 7.09 with your version. It will tell you the version when you log in. If you don’t want to log in again, run ‘cat /etc/banner’.

For example, to install ‘nano’, run ‘ipkg install nano’.

Now for more fun.


If you look at your router’s front panel, you’ll undoubtedly see lots of lights. You may also have a button or two–try pressing the Cisco logo on the front. ‘cd’ into /proc/diag/led. Now run ‘ls’ to see what you have for programmable leds. A WRT54G > hardware v3 (the hardware version is on the bottom of the device) or a WRT54GL will have dmz, power, wlan, and will have a orange and a white LED behind the SES button (the Cisco logo). You can input ‘1’ to turn the LED on or ‘0’ to turn the LED off. Try it with the ses_white LED. Don’t try to program the wlan LED, as it blinks when there is wifi traffic, so it won’t stay on or off for long. Also, don’t try to program the power LED, as that is already used for special purposes. So you can use dmz (a small green LED) if you have it, or the two SES LEDS. They can both be on at the same time, producing a mostly white color, but it is generally better to only have the orange or white on at any time if you are using it for indication.


If you have a front-panel button, you can use it to run a script, for example, to toggle Wifi on or off. First, go to /etc/hotplug.d (cd /etc/hotplug.d) and make a directory called ‘button’ (mkdir button). Now, make a file in that folder for your script. It should look like this:

if [ "$BUTTON" = "ses" ] ; then
if [ "$ACTION" = "pressed" ] ; then
#Your stuff goes here.
#It will be run when the SES button is pressed.

Now, make the file executable (chmod a+x ), You can google around for example scripts. The most common is a wifi on-off toggle, which can be done with:

WIFI_RADIOSTATUS=$(uci show wireless.wl0.disabled | cut -d = -f 2)
uci set wireless.wl0.disabled=0
echo 1 > /proc/diag/led/ses_white ;;
uci set wireless.wl0.disabled=1
echo 0 > /proc/diag/led/ses_white

(script from OpenWrt wiki)

First of all, let me say that port forwarding ONLY affects incoming connections. Here is a quick workaround: let’s say your site is mysite.com and incoming connections should be forwarded to Add ‘ mysite.com’ to /etc/hosts. Now when mysite.com is looked up, they will be sent directly to the server.

Now for the actual forwarding. Edit the file /etc/firewall.user and you can add and delete firewall rules. A forwarding rule looks like this

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 555 -j DNAT --to
iptables -A forwarding_rule -i $WAN -p tcp --dport 555 -d -j ACCEPT

555 is the TCP port to be forwarded, is the address to forward it to. To forward all ports not handled already:

iptables -t nat -A prerouting_rule -i $WAN --jump DNAT --to
iptables -A forwarding_rule -i $WAN -d --jump ACCEPT

Where is the address to forward to. All traffic not already handled by other rules will be caught by this one. Make sure it is the last forwarding rule in /etc/firewall.user.

To drop all outgoing traffic to a specific port:

iptables -A input_rule -p tcp --dport 666 -j DROP

This example will drop all traffic to TCP. To make the router answer ssh connections, even from the internet (which should only be done with a strong password):

iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
iptables -A input_wan -p tcp --dport 22 -j ACCEPT

After adding or removing firewall rules, run /etc/init.d/firewall restart to apply the new rules.

Now, if you want to be able to access it through a traditional hostname, see part two of this tutorial.

Set the Hostname

To set the hostname of the router, edit /etc/config/hostname.
You should reboot your router after this, using the aforementioned ‘reboot’ command.

See What’s Connected

Here is a shell script that will read your DHCP lease table and check for associated wifi clients and give you a summary of all of them. Be sure to have the wl package installed.


for macaddr in `cat /tmp/dhcp.leases|awk ‘{print $2}’`; do
entry=`cat /tmp/dhcp.leases | grep $macaddr|cut -f 2-5 -d ‘ ‘;`
if wl assoclist | grep `echo “$entry” | awk ‘{x=toupper($1);print x}’|awk ‘{print $1}’` > /dev/null; then
mac=`echo “$entry” | awk ‘{print $1}’`
strength=`wl rssi $mac`; else
entry=$entry” “”Wifi: “$strength
echo “$entry”

There are a few things you may have heard of that people told you could be done in OpenWRT. The most common is increasing transmit power. This doesn’t actually increase range. It only makes it seem like it increases range. The best way to increase range is to buy a better antenna, buy better wifi cards for your computers that connect via wifi or build a parabolic reflector that will focus the radio signal broadcast by your router to whichever direction you choose.

Someone may have also told you to overclock your router. This is an easy way to brick it, requiring a JTAG cable to de-brick it. There are only a couple safe clock values (depending on your model), the others will leave you with a brick or a dead CPU (due to overheating.)

Normal DNS servers

You should use at least 2 DNS servers in /etc/resolv.conf. Here is a list of standards-compliant caching DNS servers that return NXDOMAINs for non-existent domains. These are fast and reliable.

Level3 DNS Servers:



OKS has a public, caching, standards-compliant DNS server:

Abnormal DNS servers (guides)

Comcast and Other ISPs

Comcast recently introduced the Comcast Guide, which is where if a domain doesn’t exist, you will be redirected to a guide that will run a search. In order to use Comcast’s DNS servers without the Comcast Guide, you have to provide your modem’s MAC address, account number and other crap that is not fun to provide. For this reason and others (speed, vulnerabilities), we recommend not using Comcast’s DNS servers, or the servers of any other ISP that does this.


OpenDNS, a San Fransico based company offers the OpenDNS Guide which is easily turned off via a settings dashboard. Settings are set per IP or IP block. OpenDNS offers several other services such as domain blocking, category blocking and even exceptions to the OpenDNS Guide (e.g, VPN reasons) in which case a regular NXDOMAIN will be returned for a nonexistent domain. For example, Boeing employees could add boeing.com as a VPN exception to allow access to in-VPN stuff such as Exchange, Mainframes, file shares, TotalAccess and Software Express.

The OpenDNS name servers are


Fixing Bogus NXDOMAIN queries

In the case that you must use your ISP’s DNS servers, or you find that they are sufficiently fast, but they return web pages when you browse to a nonexistent page, you can use dnsmasq.conf to block the bogus page. (Please make sure that it is not software on your computer causing this.)

In /etc/dnsmasq.conf, add a line like this:
Replace with the IP that is being returned for nonexistent domains. To find this, just run ‘nslookup fhdsahfahdsucnmcnch.com’ or something of the likes. Restart dnsmasq. (/etc/init.d/dnsmasq restart)



Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...