MANA Attack, for the Pineapple.


Zylla

16 hours ago, Zylla said:

If you plan on attacking ONLY a specific SSID, you also have to edit hostapd-mana.conf to enable the SSID filtering, because it's disabled by default.
Let's say I only want to attack my own network. Then I open hostapd-mana.conf and edit this line (just remove the # sign at the beginning to enable it):


#mana_ssid_filter_file=/etc/mana-toolkit/hostapd.ssid_filter

Afterwards I open up /etc/mana-toolkit/hostapd.ssid_filter and add the names of the networks I plan to attack, one per line.
So hostapd.ssid_filter might end up looking like this:


Zylla
Zylla-5GHz
MyCorporateWifi

 

You are a hero, and I must have been way too tired, thank you :) I spent days setting up the mana toolkit, running into I think almost every single error on this forum, so I guess I ran out of focus. I used the hostapd.ssid_filter file, but I added a MAC address, not an SSID, because I was working with MAC addresses all day. Anyway, thanks for the quick response.


In reply to display-names (1 minute ago):

*single


In reply to display-names (4 hours ago):

Totally understandable. No worries, I'm here for support.
My goal is to make this as easy as possible to use.


First, thank you Zylla for all your work on porting mana to the Pineapples :smile:! However, I cannot get it to work and was hoping you could help.

Here is what I did so far:

  • I am running the latest firmware 2.2.0
  • I am facing the SD card bug, so I am using an SD card reader on the USB port
  • I did not use a USB hub to connect both the SD card reader and additional radio yet
  • I am using your /etc/profile to fix the missing $PATH
  • I installed the mana-toolkit using your INSTALL.sh
  • I installed the dependencies using install-mana-depends

However, here is the output of launch-mana:

root@Pineapple:~# launch-mana 
Mana Toolkit - Pineapple Edition!

Device seems to be: ONLINE.
RTNETLINK answers: File exists
Configuration file: /sd/etc/mana-toolkit/hostapd-mana.conf
Using interface wlan1 with hwaddr 00:c0:ca:90:b1:29 and ssid "MANA"
wlan1: interface state UNINITIALIZED->ENABLED
wlan1: AP-ENABLED 
RTNETLINK answers: Invalid argument

hostapd-mana  is running with pid: 5194

DHCP Server  is running with pid: 5219

Exiting! (Error code: 5)
SSLstrip+ was not launched correctly.

Mana Toolkit  has been shutdown.

I checked the launch-mana script and tried to launch SSLStrip+ manually for debugging purposes:

root@Pineapple:~# python /sd/usr/share/mana-toolkit/sslstrip-hsts/sslstrip2/sslstrip.py -l 10000 -a -w /sd/tmp/sslstrip.log
Could not find platform independent libraries <prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
ImportError: No module named site

So it seems that the INSTALL.sh script broke python as I have the same error whatever I am trying to run with python:

root@Pineapple:~# python -c 'print "Hello Python?"'
Could not find platform independent libraries <prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
ImportError: No module named site

Taking a look at your INSTALL.sh, I noticed the following lines that might cause the issue.

rm -r /usr/lib/python2.7
mkdir -p /sd/usr/lib/python2.7
ln -s /sd/usr/lib/python2.7 /usr/lib/python2.7

Shouldn't we copy /usr/lib/python2.7 into /sd/usr/lib/python2.7 before creating the symlink? I will try the whole process again doing so and keep you updated. However, I would highly appreciate your help on this if you have any idea how to solve this issue :smile:


In reply to openkiwi (5 minutes ago):

Shit. Thanks for reminding me about this.
I've been debugging everything on my Tetra, so I forgot that the INSTALL script actually wipes out your python dir on the Nano! (The older one then copied over and used my python lib.)

I'll fix it right away.


I've updated the install script, let me know if there are any errors. I don't have time at the moment to test on my Nano before in a couple of hours.
You should maybe reset the Nano first, to default settings.


In reply to Zylla (19 minutes ago):

Wow, huge thanks for the ultra fast response :grin:! It works fine now, I am able to launch-mana without any more issues.

I am only starting with the mana-toolkit so it is possible that my following question is not relevant: is it possible to use the original run-mana scripts? I find nothing inside the /sd/usr/share/mana-toolkit/run-mana/ directory. From the official mana-toolkit repo:

start-nat-full.sh - Will fire up MANA in NAT mode (you'll need an upstream link) with all the MitM bells and whistles.
start-nat-simple.sh - Will fire up MANA in NAT mode, but without any of the firelamb, sslstrip, sslsplit etc.
start-noupstream.sh - Will start MANA in a "fake Internet" mode. Useful for places where people leave their wifi on, but there is no upstream Internet. Also contains the captive portal.
start-noupstream-eap.sh - Will start MANA with the EAP attack and noupstream mode.

 


In reply to openkiwi (50 minutes ago):

No problem. Glad it works.
Well. Yes, maybe, and no. You would definitely need to tweak some of them.
For example the ones trying to launch the Metasploit Console (msfconsole), as that doesn't even exist on the Pineapples.
But getting EAP captures is totally possible with some tweaking. Even cracking them on the Pineapples is possible thanks to asleap. However, it's insanely slow.
So if you want it fast, I would recommend cracking captured hashes on a desktop.

I highly recommend you test the scripts, and customize them to your needs. :)


In reply to Zylla (6 hours ago):

I found the same error in the dependencies.sh script of the ManaToolkit module:

...
if [ -d /sd ]; then
        # sym-linking is only needed on the pineapple NANO.
        rm -r /usr/lib/python2.7
        mkdir -p /sd/usr/lib/python2.7
        ln -s /sd/usr/lib/python2.7 /usr/lib/python2.7
fi
...

It also breaks the python environment if you don't remove this snippet before running it :grin:.

 

In reply to Zylla (5 hours ago):

Well thanks, I started digging into the mana toolkit and completely agree with what you just said. I guess I still have a little bit of work since I am mostly interested in the EAP captures :grin:.

On another topic, the microSD controller bug feels completely insane to me... Can you use the NANO for real workloads while having this issue? I am not even talking about using the mana toolkit but standard PineAP workloads here.

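The snippet quoted above, and the identical one openkiwi found in INSTALL.sh earlier in the thread, run rm -r on /usr/lib/python2.7 before anything has been copied to the SD card, which is exactly why python could no longer import its site module. The following is an added example and is not Zylla's script or openkiwi's fix: a POSIX sh helper that copies the directory to the SD card first, verifies the copy, and only then swaps in the symlink, and that refuses to do anything destructive if it is re-run or if the SD card is not there. The function name and its two-argument form (directory, SD mount point) are my own; on a NANO the call would be migrate_to_sd /usr/lib/python2.7 /sd.

```shell
#!/bin/sh
# Added example, not from the mana-toolkit INSTALL.sh or dependencies.sh:
# relocate a directory to the SD card and leave a symlink in its place
# WITHOUT deleting the only copy first. Usage on a Pineapple NANO:
#   migrate_to_sd /usr/lib/python2.7 /sd
set -eu

# migrate_to_sd <dir> <sd_root>
# Ends with <dir> -> <sd_root><dir> as a symlink and the contents intact.
# Returns 0 on success (or if already migrated), 1 on any refusal.
migrate_to_sd() {
    src="$1"                 # directory to relocate, e.g. /usr/lib/python2.7
    sd_root="$2"             # SD card mount point, e.g. /sd
    dest="${sd_root}${src}"  # e.g. /sd/usr/lib/python2.7

    # Re-run after a successful migration: nothing to do.
    if [ -L "$src" ]; then
        if [ "$(readlink "$src")" = "$dest" ]; then
            return 0
        fi
        echo "refusing: $src already points at $(readlink "$src")" >&2
        return 1
    fi
    [ -d "$src" ]     || { echo "refusing: $src is not a directory" >&2; return 1; }
    [ -d "$sd_root" ] || { echo "refusing: $sd_root is not mounted" >&2; return 1; }
    # A leftover from an earlier (broken) run: never merge blindly over it.
    [ ! -e "$dest" ]  || { echo "refusing: $dest already exists" >&2; return 1; }

    # 1. Copy first, preserving modes, owners and symlinks.
    mkdir -p "$(dirname "$dest")"
    cp -a "$src" "$dest"

    # 2. Verify the copy before touching the original: same number of entries.
    n_src=$(find "$src" | wc -l | tr -d ' ')
    n_dest=$(find "$dest" | wc -l | tr -d ' ')
    if [ "$n_src" -ne "$n_dest" ]; then
        echo "refusing: copy incomplete ($n_dest of $n_src entries), $src untouched" >&2
        rm -rf "$dest"
        return 1
    fi

    # 3. Only now replace the original with the symlink.
    rm -rf "$src"
    ln -s "$dest" "$src"
}
```

The ordering is the whole point: the original script did steps 3 and then nothing, so a failed or skipped copy left the device with no python standard library at all. Because the function bails out early when the target is already a symlink to the right place, it can be called from an install script that users run more than once.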

In reply to openkiwi (18 hours ago):

Wow, thanks. I completely forgot about that script also messing with the python dirs. Should be fixed now!

About the SD-card bug, I actually first noticed it when I was trying to run wifite on my Nano.
It would often crash when reading/writing to the SD card. So it's not just limited to my toolkit, but everything... :S
It's just that this crash, and re-naming of the device, happens so "fast" that some stuff doesn't notice it happening. But the kernel would most surely notice it.
And I think it's a shame, to be honest, that this bug hasn't been taken more seriously, considering how many people it's affecting, and some people aren't even aware of it.
I've reported everything I've found regarding it to the bug-report site.

Some people on the Raspberry Pi with the same kernel version, 3.18.x, were having the exact same issue, where they suspected it came from too little power to the device in question.
So, I'm wondering if the SD card is receiving enough juice. If not, then it HAS to be a kernel issue. And I would love to see a jump from 3.18.x to 4.x.
I haven't tried installing the 4.x kernel on my devices, even though I've compiled them. But I'm so tempted, just to see if it would fix the problem.


In reply to Zylla (18 minutes ago):

No worries :smile:! I worked on this all day and fixed a few other things here and there. I now have the nat-simple, nat-full and eaponly attacks implemented. Just so that you know, I forked both your hostapd-mana and ManaToolkit repos to keep track of my modifications. All changes are only local on my laptop for the moment but I will keep you updated once it is online. Maybe you will be interested to have a look at the multiple attack scripts.

Again, thanks a lot for the heavy lifting work!


In reply to openkiwi (19 hours ago):

I'd be super happy if people forked it. I know a lot can be done with this, and I have a lot of ideas in my head, especially regarding the Pineapple module.
Imagine a slimmer version of the IPK (I uploaded one to GitHub btw) which only contains hostapd-mana. And then a module using it in conjunction with the other tools we have for the Pineapple, like the EvilPortal stuff, and EAP attacks. That's what I really hope to create.
Because all of the SSL stuff is insanely demanding on the Pineapples. Just having one client connected takes up a lot of resources!

It'd be awesome to see a module working together with your laptop. Let's say the module routes traffic to your laptop, which then launches Bettercap on the laptop to take care of the SSL stuff. That would be really cool to see. And it's totally feasible.


@Zylla I know how to whitelist SSIDs for the ManaToolkit, which by the way I just installed for the first time in a while to see how progress has been going, and the install was very quick on the Tetra and has been working very well!! Great work. Is there a way to blacklist SSIDs, kinda like whitelisting?


In reply to b0N3z (3 hours ago):

If mana_ssid_filter_file is enabled in the config it will only operate in a "whitelist" mode. But having a blacklist mode is not a dumb idea.
I'll take a look into the source, to see if this is something I can add myself. If not, I'll be suggesting it to Singe, the creator of hostapd-mana.

EDIT: Just brought this up with Singe @ Sensepost (the creator of the hostapd-mana patches). And he actually already has plans for this, but has some other more critical fixes that need to be looked into, as he's heading to defcon soon. He gave me some advice if I was to do the work. So I'll be taking a deep dive into the source tonight, and hopefully I can manage to create this blacklist mode, and send a PR to Sensepost.


In reply to Zylla (2 hours ago):

That's awesome. You're the man @Zylla, can't wait to see what the future brings!!!


@Zylla, do you think it is feasible to compile a more recent version of OpenSSL to package with the ManaToolkit? I have an EAP attack working, but only on devices that do not require TLS 1.2. Unfortunately, the last version of Windows 10 requires TLSv1.2 and won't perform the challenge-response to the rogue AP. I confirmed this is the issue by removing this requirement on a test device (one registry edit), but I don't have any idea how I could solve this on the Pineapple side :unsure:


In reply to openkiwi (7/30/2018, 3:29 PM):

Intriguing! If you could elaborate on this a bit, I would love to hear it.
You want me to compile hostapd-mana with a more recent version of OpenSSL? I reckon you mean 1.1.0?
Also, you confirmed it by removing exactly what? TLS 1.2? Did you forcefully downgrade the Windows client TLS version?
I'm just trying to see if I got everything correctly.

I'll see if I can get a version compiled in a couple of minutes after writing this, this piqued my interest.


In reply to openkiwi (7/30/2018, 3:29 PM):

Ok. As you requested I've compiled hostapd-mana for the Pineapples, with openssl-1.1.0h.
There are a few other dependencies as well that you will need to install, not only the hostapd-mana IPK.
So, to make this easier for you I've created a directory within my "favourite tools" repo for OpenWrt. (You need to install them all.)
Link: https://github.com/adde88/openwrt-useful-tools/tree/master/MANA/TESTING

I haven't tested this myself. But I would love for you to elaborate on what you are attempting to do. PM me if you don't want it public, and I'll do my best to help you.


@Zylla can the ManaToolkit be started via shell command? I have only installed the module, just looking to make a button script to turn off PineAP and turn on mana.


In reply to b0N3z (32 minutes ago):

Sure!

After completing installation, Mana Toolkit can be started by typing launch-mana and killed by typing kill-mana.

launch-mana also supports an argument: an interface, capable of AP/master mode, which is not in use.
So you can launch it by issuing launch-mana wlan4
If no argument is provided wlan1 will be used, as it's normally inactive, if not in monitor mode.

EDIT:
If you start Mana Toolkit like this, it will be the same as pressing start in the module.
So, if you browse to the module while it's active, or afterwards, you can watch the live output, and read the log-files.

Output from hostapd-mana will be displayed in the terminal while in a "daemonized mode" (so you can do other stuff at the same time), and it will log output as well.


Looks like I have 3 Pineapples with bad USB power issues.

The 12v cord works so now I can try this.

When launching Mana it will go after all clients in range.

Is it designed to use Pineapple filters?
1. Run recon and set filters on MACs you want to target

2. Run mana on just those MACs?

Or will it go after everything and everyone it can?


In reply to Jehu4u (4 minutes ago):

The MAC filters, and other "crucial settings", are specified within /etc/mana-toolkit/hostapd-mana.conf,
which you can edit within the module.
It's not connected in any way with Recon or PineAP, as of yet.
The default config will attack anything and anyone in range.
BUT it's running in "blacklist" mode, so you can add MACs you want to avoid to /etc/mana-toolkit/hostapd.deny

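Three posts in this thread describe hostapd-mana's access-control files: Zylla's post near the top (uncomment mana_ssid_filter_file in hostapd-mana.conf and list SSIDs one per line in hostapd.ssid_filter), his later note that this file is whitelist-only, and the reply just above about avoiding specific clients with the MAC blacklist in hostapd.deny. The following is an added example, not part of the toolkit or the module: a set of POSIX sh helpers that edits those files, refuses the mix-up display-names ran into (a MAC address dropped into the SSID filter), and checks before launch-mana that a populated whitelist is actually enabled, since a commented-out directive silently means "attack everything in range". The file paths are the thread's; the function names, the validation rules and the pre-launch check are mine. The thread does not say how hostapd.deny is referenced from the config; stock hostapd does that with deny_mac_file and macaddr_acl=0, which I assume here without having checked the Pineapple build.

```shell
#!/bin/sh
# Added example (not part of mana-toolkit): maintain hostapd-mana's two
# access-control lists.
#   hostapd.ssid_filter  whitelist of SSIDs, honoured only while
#                        mana_ssid_filter_file=... is uncommented in hostapd-mana.conf
#   hostapd.deny         blacklist of client MACs (assumed to be wired into the
#                        conf via hostapd's deny_mac_file with macaddr_acl=0)
# Real paths on the Pineapple: /etc/mana-toolkit/hostapd-mana.conf,
# /etc/mana-toolkit/hostapd.ssid_filter and /etc/mana-toolkit/hostapd.deny.
set -eu

# enable_ssid_filter <hostapd-mana.conf> <ssid-filter-path>
# Uncomments (or appends) the mana_ssid_filter_file line. Safe to re-run.
# Writes via a temp file so it works with both busybox and BSD sed.
enable_ssid_filter() {
    conf="$1"; filter="$2"
    if grep -q '^[# ]*mana_ssid_filter_file=' "$conf"; then
        sed "s|^[# ]*mana_ssid_filter_file=.*|mana_ssid_filter_file=$filter|" "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    else
        printf 'mana_ssid_filter_file=%s\n' "$filter" >> "$conf"
    fi
}

# is_mac <string>: true for aa:bb:cc:dd:ee:ff in either case.
is_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# add_ssid <ssid-filter-path> <ssid>: whitelist an SSID, once.
# Refuses MAC addresses (they belong in hostapd.deny) and impossible lengths.
add_ssid() {
    f="$1"; ssid="$2"
    if is_mac "$ssid"; then
        echo "refusing: '$ssid' is a MAC address, not an SSID (use deny_mac)" >&2
        return 1
    fi
    len=$(printf '%s' "$ssid" | wc -c | tr -d ' ')
    if [ "$len" -lt 1 ] || [ "$len" -gt 32 ]; then
        echo "refusing: an SSID is 1-32 bytes, got $len" >&2
        return 1
    fi
    touch "$f"
    grep -qxF -- "$ssid" "$f" || printf '%s\n' "$ssid" >> "$f"
}

# deny_mac <deny-path> <mac>: blacklist a client MAC, lower-cased, once.
deny_mac() {
    f="$1"; mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if ! is_mac "$mac"; then
        echo "refusing: '$2' is not a MAC address" >&2
        return 1
    fi
    touch "$f"
    grep -qxF -- "$mac" "$f" || printf '%s\n' "$mac" >> "$f"
}

# check_filters <hostapd-mana.conf> <ssid-filter-path>
# Catches the silent failure mode: a populated whitelist that hostapd-mana
# ignores because the directive is still commented out, so every network in
# range gets attacked. Returns 1 in that case, 0 otherwise.
check_filters() {
    conf="$1"; f="$2"
    if [ -s "$f" ] && ! grep -q '^mana_ssid_filter_file=' "$conf"; then
        echo "warning: $f has entries but mana_ssid_filter_file is disabled in $conf" >&2
        return 1
    fi
    return 0
}
```

Typical use before a scoped engagement: enable_ssid_filter on the conf, add_ssid for each in-scope network, deny_mac for any client that must not be touched, then check_filters as the last step of whatever wrapper calls launch-mana, refusing to start if it returns non-zero. The SSID file is matched exactly, line by line, so the helpers do exact-line de-duplication rather than substring checks.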
