venu413 Posted June 1, 2016

I had checked "Allow Associations" in PineAP mode. Both Client Filtering and SSID Filtering are enabled. When I started a scan through Recon, I am not able to see my phone's MAC address in the scan (my phone is not connected to any SSID; WiFi is on). I am assuming it should show the MAC address of my phone, because when my phone tries to connect to an already known SSID (from the saved SSID list in my phone), Allow Associations should be able to spoof the same SSID, capture the MAC address and show it under Unassociated Clients as my phone tries to connect. Does Allow Associations work in the same way? If it does not, is it possible to do it in any other way?
Skinny Posted June 1, 2016

Allow Associations does allow phones to automatically connect to the Pineapple, but there are many things at play. In order to see your phone beaconing for an SSID, it is not necessary to have Allow Associations activated. Your phone will send out beacons as long as WiFi is enabled. A phone will generally send out a beacon every 30 seconds to 4 minutes. When running Recon mode to find a phone, make sure to use a time interval that will guarantee a capture of the beacon.

Secondly, if you have an iPhone, the MAC address that is beaconed out may not be the MAC address of the device. Newer Apple products randomly roll their MAC addresses for security purposes. If this type of phone is unassociated, then you will rarely see the true MAC.

Also, if just using Recon mode to find devices in an area, filtering doesn't really matter. Filtering only matters when targeting a specific MAC or SSID to allow or disallow a device. If you are just sniffing for unassociated clients, don't worry about it.

Just a note about Allow Associations: Allow Associations allows a device to connect to your Pineapple's open AP. In the Networking module, that AP is named something. As soon as you Allow Associations, any device can connect using that AP's real name. When you fully enable PineAP, you then have the ability to push out SSIDs (multiple AP names) that are a part of the pool you collected or manually inputted. When trying to get a device to latch onto the Pineapple, you'll want to be beaconing out some attractive SSIDs as well as having Allow Associations on.

When everything is turned on in the PineAP module, then things can get interesting. Your phone could beacon out its MAC address and the SSIDs it is looking for. The Pineapple will collect those SSIDs or trick the phone into giving them up. The Pineapple will then store those SSIDs in the pool. The next time your phone beacons, the Pineapple will replay those SSIDs in the pool in order to tempt your phone into automatically connecting. At that point the phone is no longer unassociated.
Captain Posted June 2, 2016

21 minutes ago, Skinny said:

Allow Associations does allow phones to automatically connect to the Pineapple, but there are many things at play. In order to see your phone beaconing for an SSID, it is not necessary to have Allow Associations activated. Your phone will send out beacons as long as WiFi is enabled. A phone will generally send out a beacon every 30 seconds to 4 minutes. When running Recon mode to find a phone, make sure to use a time interval that will guarantee a capture of the beacon. Secondly, if you have an iPhone, the MAC address that is beaconed out may not be the MAC address of the device. Newer Apple products randomly roll their MAC addresses for security purposes. If this type of phone is unassociated, then you will rarely see the true MAC. Also, if just using Recon mode to find devices in an area, filtering doesn't really matter. Filtering only matters when targeting a specific MAC or SSID to allow or disallow a device. If you are just sniffing for unassociated clients, don't worry about it. Just a note about Allow Associations: Allow Associations allows a device to connect to your Pineapple's open AP. In the Networking module, that AP is named something. As soon as you Allow Associations, any device can connect using that AP's real name. When you fully enable PineAP, you then have the ability to push out SSIDs (multiple AP names) that are a part of the pool you collected or manually inputted. When trying to get a device to latch onto the Pineapple, you'll want to be beaconing out some attractive SSIDs as well as having Allow Associations on. When everything is turned on in the PineAP module, then things can get interesting. Your phone could beacon out its MAC address and the SSIDs it is looking for. The Pineapple will collect those SSIDs or trick the phone into giving them up. The Pineapple will then store those SSIDs in the pool. The next time your phone beacons, the Pineapple will replay those SSIDs in the pool in order to tempt your phone into automatically connecting. At that point the phone is no longer unassociated.

This is a great write-up. This is exactly what I have discovered with my testing. Phones sometimes beacon very slowly (part of battery conservation efforts), so you want to ensure you're running Recon for a long period. Allow Associations may not show an SSID if the PineAP daemon is off AND your open SSID is set to hidden.
Captain Posted June 2, 2016

Another thing I just thought of (don't ask me why I was thinking about this . . .): is your phone broadcasting on the 5GHz range? The NANO only has 2.4GHz radios. I ran into this one late at night thinking I was crazy . . . I'm only half crazy. Switch over to the Tetra if you want the full PineAP experience on the 5GHz range.
venu413 Posted June 2, 2016 (Author)

3 hours ago, Captain said:

Another thing I just thought of (don't ask me why I was thinking about this . . .): is your phone broadcasting on the 5GHz range? The NANO only has 2.4GHz radios. I ran into this one late at night thinking I was crazy . . . I'm only half crazy. Switch over to the Tetra if you want the full PineAP experience on the 5GHz range.

I am using a Tetra right now.
venu413 Posted June 2, 2016 (Author)

17 hours ago, Skinny said:

Allow Associations does allow phones to automatically connect to the Pineapple, but there are many things at play. In order to see your phone beaconing for an SSID, it is not necessary to have Allow Associations activated. Your phone will send out beacons as long as WiFi is enabled. A phone will generally send out a beacon every 30 seconds to 4 minutes. When running Recon mode to find a phone, make sure to use a time interval that will guarantee a capture of the beacon. Secondly, if you have an iPhone, the MAC address that is beaconed out may not be the MAC address of the device. Newer Apple products randomly roll their MAC addresses for security purposes. If this type of phone is unassociated, then you will rarely see the true MAC. Also, if just using Recon mode to find devices in an area, filtering doesn't really matter. Filtering only matters when targeting a specific MAC or SSID to allow or disallow a device. If you are just sniffing for unassociated clients, don't worry about it. Just a note about Allow Associations: Allow Associations allows a device to connect to your Pineapple's open AP. In the Networking module, that AP is named something. As soon as you Allow Associations, any device can connect using that AP's real name. When you fully enable PineAP, you then have the ability to push out SSIDs (multiple AP names) that are a part of the pool you collected or manually inputted. When trying to get a device to latch onto the Pineapple, you'll want to be beaconing out some attractive SSIDs as well as having Allow Associations on. When everything is turned on in the PineAP module, then things can get interesting. Your phone could beacon out its MAC address and the SSIDs it is looking for. The Pineapple will collect those SSIDs or trick the phone into giving them up. The Pineapple will then store those SSIDs in the pool. The next time your phone beacons, the Pineapple will replay those SSIDs in the pool in order to tempt your phone into automatically connecting. At that point the phone is no longer unassociated.

Thanks for the detailed description. I am using an iPhone with the latest version of the OS. I am trying different ways to retrieve my real MAC when my phone is not connected to any AP. When everything is turned on in the PineAP module, I am not able to see the SSIDs which are in my preferred network list when I run Recon mode, but I am able to see a few SSIDs (they might be the nearby access points). So I manually entered the SSID which is in my preferred network list into the SSID pool. In this scenario, when my phone tries to connect to the mock SSID, it should show up with its real MAC, and the Pineapple should then show the real MAC when I run Recon mode. But still I am not able to see my real MAC address. Please let me know why this scenario fails, and any other possible ways to retrieve my phone's real MAC address when it is not connected to any AP.
Captain Posted June 2, 2016

On your phone try going to: Settings -> General -> About. I believe your MACs will be listed there. These may roll randomly, but it's a start.
venu413 Posted June 2, 2016 (Author)

25 minutes ago, Captain said:

On your phone try going to: Settings -> General -> About. I believe your MACs will be listed there. These may roll randomly, but it's a start.

Yes, I can see my real MAC from my phone, but I am trying to retrieve that through the Pineapple.
Captain Posted June 2, 2016

I fired up a few devices along with my NANO to test it out. Very curious. My iPad (4th generation) shows as an unassociated client and is showing the "correct" MAC address (i.e. the unassociated MAC matches the MAC found in Settings). My iPhone 6 Plus, however, shows a different MAC address than what is listed in the Settings. I am guessing there was a change to the chip that allows for MAC rolling, or maybe even some type of virtualized MAC system. At first glance it would appear that you likely can't pull the MAC just from scanning on these newer devices.
venu413 Posted June 2, 2016 (Author)

26 minutes ago, Captain said:

I fired up a few devices along with my NANO to test it out. Very curious. My iPad (4th generation) shows as an unassociated client and is showing the "correct" MAC address (i.e. the unassociated MAC matches the MAC found in Settings). My iPhone 6 Plus, however, shows a different MAC address than what is listed in the Settings. I am guessing there was a change to the chip that allows for MAC rolling, or maybe even some type of virtualized MAC system. At first glance it would appear that you likely can't pull the MAC just from scanning on these newer devices.

Yeah, I am using an iPhone 6s, and even I am not able to see my real MAC. But if we are allowing the associations, then it should try to connect to the mock SSID and then it should show up with the real one. During my testing I found that whenever a phone tries to connect it will show up with the real one, but when it searches for the AP it uses the random one. I need to figure out a way such that I can see the real MAC when my phone is not associated to any AP. Also, are you able to see all the mock SSIDs from the Pineapple's pool list on your phone? Yesterday I was able to see that, but today I am not able to see the mock SSIDs on my phone. No idea which settings I have to change. Could you please let me know if you have any clue on that?
Captain Posted June 2, 2016

2 minutes ago, venu413 said:

Yeah, I am using an iPhone 6s, and even I am not able to see my real MAC. But if we are allowing the associations, then it should try to connect to the mock SSID and then it should show up with the real one. During my testing I found that whenever a phone tries to connect it will show up with the real one, but when it searches for the AP it uses the random one. I need to figure out a way such that I can see the real MAC when my phone is not associated to any AP. Also, are you able to see all the mock SSIDs from the Pineapple's pool list on your phone? Yesterday I was able to see that, but today I am not able to see the mock SSIDs on my phone. No idea which settings I have to change. Could you please let me know if you have any clue on that?

I'll run a couple of scenarios through my lab and let you know what I find out.
venu413 Posted June 2, 2016 (Author)

7 minutes ago, Captain said:

I'll run a couple of scenarios through my lab and let you know what I find out.

Thanks a lot.
Skinny Posted June 3, 2016

5 hours ago, venu413 said:

Yeah, I am using an iPhone 6s, and even I am not able to see my real MAC. But if we are allowing the associations, then it should try to connect to the mock SSID and then it should show up with the real one. During my testing I found that whenever a phone tries to connect it will show up with the real one, but when it searches for the AP it uses the random one. I need to figure out a way such that I can see the real MAC when my phone is not associated to any AP. Also, are you able to see all the mock SSIDs from the Pineapple's pool list on your phone? Yesterday I was able to see that, but today I am not able to see the mock SSIDs on my phone. No idea which settings I have to change. Could you please let me know if you have any clue on that?

When it comes to seeing the real MAC address of an unassociated, modern Apple device, it's really difficult. Every now and then I come across an Apple device that will beacon out its true MAC for one rare beacon, then it will return to rolling its address. In those rare cases it often beacons out a few SSIDs at the same time. I suspect this might be an attempted association with the Pineapple. The problem is that if you're in a rich WiFi environment, it's hard to ferret out the MAC you are looking for from all of the other beacons in the environment.

You might be wondering how to determine when a true MAC displays itself. If the MAC address is AA:BB:CC:12:34:56, AA:BB:CC denotes the manufacturer of the device. When the Apple device is rolling, I've never seen it roll in such a way as to randomly display an Apple MAC address. It always resolves to nothing or to another manufacturer. When the true MAC appears, it always resolves to Apple. You can check those first 6 MAC digits here: http://aruljohn.com/mac.pl

The only way I've found to collect the true MAC is to have the device associate with the Pineapple. Once the device is associated, it always uses its true MAC. You can get that MAC from the client list or from the Logging module. Never forget the Logging module. If you set up PineAP to log probes and associations, Logging will keep track of all the MAC addresses that are probing and the SSIDs they are probing for.

As for why you might not be seeing the SSID list: sometimes when you do a great deal of adjustments to the Pineapple in a single session, things can get muddled. You will tell it to beacon out SSIDs, but it won't. If you find the Pineapple performing this way, simply give it a reboot. It happened to me not 15 minutes ago. After a quick restart, my phone was once again overloaded with APs to choose from.
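The manufacturer check Skinny describes, as an added example that is not part of the thread or of the Pineapple's own code: it takes probe-log style lines (constructed here; the format, the `probing for` wording and the vendor table are assumptions, not PineAP's real log format) and separates vendor-assigned addresses from rolled ones. It goes one step beyond the OUI lookup by also testing the IEEE 802 locally administered bit (bit 1 of the first octet), which randomised addresses set and burned-in addresses leave clear.

```python
"""Classify MAC addresses seen in probe requests as randomised or vendor-assigned.
Added example for the thread above; the log format and vendor table are invented."""
import re
from typing import Dict, List

# Constructed sample in the shape of a probe log. Addresses and SSIDs are made up
# for this example; none belongs to a real device.
SAMPLE_PROBES = [
    "dc:ad:be:ef:00:01 probing for 'CoffeeShop_Free'",
    "02:1a:2b:3c:4d:5e probing for 'Home-Net'",
    "00:11:22:12:34:56 probing for 'Home-Net'",
    "00:11:22:12:34:56 probing for 'Work-Guest'",
    "7e:00:11:22:33:44 probing for 'CoffeeShop_Free'",
    "48:00:00:aa:bb:cc probing for ''",          # broadcast probe, no SSID named
]

# Placeholder OUI table with constructed vendor names. A real check uses the IEEE
# registry or a lookup service such as the one linked in the thread.
OUI_TABLE: Dict[str, str] = {"00:11:22": "VendorA", "dc:ad:be": "VendorB"}

PROBE_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5}) probing for '([^']*)'$", re.I)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.
    Vendor-assigned addresses have it clear; randomised probe-request addresses
    set it, so a rolled MAC does not resolve to a registered vendor OUI."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def classify_mac(mac: str, oui_table: Dict[str, str] = OUI_TABLE) -> str:
    """Return 'randomised', 'vendor:<name>' or 'unknown-oui' for one address."""
    mac = mac.lower()
    if is_locally_administered(mac):
        return "randomised"
    vendor = oui_table.get(mac[:8])          # first three octets are the OUI
    return f"vendor:{vendor}" if vendor else "unknown-oui"


def summarise_probes(lines: List[str]) -> Dict[str, dict]:
    """Group probed SSIDs per MAC and tag each MAC with its classification."""
    summary: Dict[str, dict] = {}
    for line in lines:
        match = PROBE_RE.match(line.strip())
        if not match:
            continue                         # not a probe record, skip it
        mac, ssid = match.group(1).lower(), match.group(2)
        entry = summary.setdefault(mac, {"class": classify_mac(mac), "ssids": []})
        if ssid not in entry["ssids"]:
            entry["ssids"].append(ssid)
    return summary


def likely_true_macs(lines: List[str]) -> List[str]:
    """Addresses that are neither locally administered nor unknown: the only
    candidates for a burned-in MAC, which is what the thread is trying to spot."""
    summary = summarise_probes(lines)
    return sorted(m for m, e in summary.items() if e["class"].startswith("vendor:"))


if __name__ == "__main__":
    for mac, entry in summarise_probes(SAMPLE_PROBES).items():
        print(f"{mac}  {entry['class']:16}  {entry['ssids']}")
    print("likely true MACs:", likely_true_macs(SAMPLE_PROBES))
```

In a busy environment most probing addresses will land in the `randomised` bucket, which is the noise Skinny warns about; the short `vendor:` list is where a device's real address, when it does appear, would show up.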
venu413 Posted June 3, 2016 (Author)

14 hours ago, Skinny said:

When it comes to seeing the real MAC address of an unassociated, modern Apple device, it's really difficult. Every now and then I come across an Apple device that will beacon out its true MAC for one rare beacon, then it will return to rolling its address. In those rare cases it often beacons out a few SSIDs at the same time. I suspect this might be an attempted association with the Pineapple. The problem is that if you're in a rich WiFi environment, it's hard to ferret out the MAC you are looking for from all of the other beacons in the environment. You might be wondering how to determine when a true MAC displays itself. If the MAC address is AA:BB:CC:12:34:56, AA:BB:CC denotes the manufacturer of the device. When the Apple device is rolling, I've never seen it roll in such a way as to randomly display an Apple MAC address. It always resolves to nothing or to another manufacturer. When the true MAC appears, it always resolves to Apple. You can check those first 6 MAC digits here: http://aruljohn.com/mac.pl The only way I've found to collect the true MAC is to have the device associate with the Pineapple. Once the device is associated, it always uses its true MAC. You can get that MAC from the client list or from the Logging module. Never forget the Logging module. If you set up PineAP to log probes and associations, Logging will keep track of all the MAC addresses that are probing and the SSIDs they are probing for. As for why you might not be seeing the SSID list: sometimes when you do a great deal of adjustments to the Pineapple in a single session, things can get muddled. You will tell it to beacon out SSIDs, but it won't. If you find the Pineapple performing this way, simply give it a reboot. It happened to me not 15 minutes ago. After a quick restart, my phone was once again overloaded with APs to choose from.

Thanks for your time and great writing.

To obtain the original MAC, I am following the steps below. Please let me know where my understanding is wrong, or if any part of the process cannot be fulfilled through the Pineapple.

Let's say my iPhone is not connected to any AP. When the Pineapple is turned on, as my phone searches for the APs in its preferred network list, does the Pineapple take all the SSIDs in my preferred network list (PNL) and save them to the SSID pool list? If it is able to take all the SSIDs, or at least one from my PNL, then it will start working as a mock AP with the same name as the AP name in the PNL. Once the Pineapple starts working as a mock AP with the same name as in my phone's PNL, then my phone will try to connect to that mock AP. Even if it does not connect, as it sees the same AP in its PNL it will use its own MAC. (Showing the original MAC is true in this case, because I had tested the same scenario with an Alfa network adapter by giving the same AP name in a virtual WiFi and checked the network through Wireshark; I can see my original MAC.) I am wondering why it is not happening through the Pineapple. Through the Alfa network adapter I can make only one mock AP, but through the Pineapple we can make as many as we need.
Skinny Posted June 3, 2016

So there are a few things that are different in a modern Apple device when associating. Most new Apple devices will not probe using the names of the SSIDs in the PNL. Instead they will send out a probe request that demands the APs in the area send a response. Once the APs respond, the device then knows if there are any available networks that match its PNL. Apple is not the only company doing this. Because of this behavior it is often a good idea to have a list of region-based APs already in your Pineapple that have a high likelihood of attracting devices.

Now let's assume the Pineapple already has an SSID in its list that matches the device's PNL. Although I don't think you're having any of these issues, look out for these. Some phones have a setting that requires the user to manually accept any association, even to a known AP. Also, some Apple devices will not associate with an AP when idle (the screen is blacked out and locked). I have an iPod that will not associate with any AP when it's idle, even though it will continue to push out probe requests. As soon as the screen is unlocked, then it will auto-connect. I've noticed some Samsung phones with similar functionality.

One other piece that could be a problem is APs that have WPA2 activated. If there is an SSID in both the device's PNL and the Pineapple SSID broadcast list, and the device has it marked in the PNL as a WPA2 encrypted AP, then the Pineapple will likely fail at attracting that device. WPA2 requires a 4-way handshake where both participants (AP and device) must prove their legitimacy to each other. The phone will realize that the AP is not legitimate and the association will likely fail.

You mentioned that "even if it does not connect, as it sees the same AP in its PNL it will use its own MAC." I don't doubt this is the case, although I've never tested it as you have. I think the problem is that the Pineapple is set up to show you the MAC addresses of things that are genuinely connected to itself or probing for something else. If the device does not connect to the Pineapple but uses its real MAC address in the attempt, there might not be a good way to pick up on that attempt via the GUI. The Logging module just shows probe requests and successful associations. An attempted association is neither of those. There might be a way to see it in Recon mode, but I doubt it. I suspect, but am not sure, that Recon mode is just using probe requests and other packet types to enumerate the clients in an area.
venu413 Posted June 6, 2016 (Author)

On 6/2/2016 at 3:36 PM, Captain said:

I'll run a couple of scenarios through my lab and let you know what I find out.

Did you get a chance to look into this? Your feedback would be so helpful.
Captain Posted June 8, 2016

On June 6, 2016 at 3:02 PM, venu413 said:

Did you get a chance to look into this? Your feedback would be so helpful.

It seems that newer Apple devices act in the same way as mentioned above. It's only after making a connection to an AP that I am able to see the MAC. However, they don't always match what is displayed in the Settings.