yonomas

wifi pineapple - practical uses to get clients info

I was planning to do a presentation about The Hidden Dangers of Public Wi-Fi.

So I bought the Nano and set everything up so I can prove the point.

BUT

Unless you come up with something practical, it was just a waste of time and money.

- Browsers alert about issues with SSLstrip, so… no credentials from any social media website or email sites

- No data from phone apps, since most of them use SSL. And nobody uses the browser to use Facebook from the phone

Besides getting the MAC address, what other information can you get from the clients connected to the Nano? Using what module?

Something practical, something that makes the user aware that joining unknown Wi-Fi routers could be dangerous…. Just providing the MAC address is worthless for the regular user; they just don't care.

BTW, 99% of the time the clients don't have internet. I reset the Nano 10000 times, changed to a different USB WLAN, etc. etc.

 


Be careful in your assumptions. Not every bad actor cares about the encrypted traffic. Some of them do not care for banking information, the latest Facebook update, or the last email received. The information and capabilities that the Pineapple can provide can be leveraged to devastating effect in malicious hands.

Not all sites of interest have SSL encryption. Someone's browsing habits can help establish a pattern of life. Not to mention, they can be fantastic fodder for blackmail. If an attacker gets a room in a hotel next to the room of a prominent politician and said politician happens to have a certain taste in sexually deviant websites, associating his or her MAC address with salacious photos can cripple a career. If you give this presentation to an audience, ask them if they would approve of their significant other knowing their browsing history for the past 2 weeks.

In addition, a MAC address associated with an individual's name makes for a great tracking mechanism. Retail stores have toyed with targeted advertising to your phone based on the MAC address that walks into an establishment. With a handful of Pineapples, I could keep track of when you leave home, when you arrive at work, when you arrive at the gym, or when you visit your mistress. If I set them up correctly and place them well enough, I might be able to get your phone to associate through the Pineapple before you arrive at any of these places, thus following your browsing habits at these places.

Another interesting fact is that you can use the Pineapple to force newer phones to give up the SSIDs they've associated with (older phones would do this automatically). If you tell me you've never been to "X" establishment / city / country and the Pineapple makes your phone spit out SSIDs from a particular region or area, you're busted. The great thing is I can do this without letting you connect to the Pineapple at all.

I use the Pineapple on a daily basis and depend on people walking out the door and not shutting off WiFi before they leave their house. For my specific application, I just want the device to talk. I don't care what the client device sends, as long as it stays connected and makes packets. The Pineapple enables this activity. If I can achieve this, I win.

Know that there are many edge cases. 95% of the Pineapple's use falls neatly into the infosec / pentest arena it was meant for, but there are plenty of other esoteric ways of leveraging this device that can have serious consequences for a victim.

Good luck with your presentation.

11 hours ago, Skinny said:

> Be careful in your assumptions. Not every bad actor cares about the encrypted traffic. Some of them do not care for banking information, the latest Facebook update, or the last email received. The information and capabilities that the Pineapple can provide can be leveraged to devastating effect in malicious hands.
>
> Not all sites of interest have SSL encryption. Someone's browsing habits can help establish a pattern of life. Not to mention, they can be fantastic fodder for blackmail. If an attacker gets a room in a hotel next to the room of a prominent politician and said politician happens to have a certain taste in sexually deviant websites, associating his or her MAC address with salacious photos can cripple a career. If you give this presentation to an audience, ask them if they would approve of their significant other knowing their browsing history for the past 2 weeks.
>
> In addition, a MAC address associated with an individual's name makes for a great tracking mechanism. Retail stores have toyed with targeted advertising to your phone based on the MAC address that walks into an establishment. With a handful of Pineapples, I could keep track of when you leave home, when you arrive at work, when you arrive at the gym, or when you visit your mistress. If I set them up correctly and place them well enough, I might be able to get your phone to associate through the Pineapple before you arrive at any of these places, thus following your browsing habits at these places.
>
> Another interesting fact is that you can use the Pineapple to force newer phones to give up the SSIDs they've associated with (older phones would do this automatically). If you tell me you've never been to "X" establishment / city / country and the Pineapple makes your phone spit out SSIDs from a particular region or area, you're busted. The great thing is I can do this without letting you connect to the Pineapple at all.
>
> I use the Pineapple on a daily basis and depend on people walking out the door and not shutting off WiFi before they leave their house. For my specific application, I just want the device to talk. I don't care what the client device sends, as long as it stays connected and makes packets. The Pineapple enables this activity. If I can achieve this, I win.
>
> Know that there are many edge cases. 95% of the Pineapple's use falls neatly into the infosec / pentest arena it was meant for, but there are plenty of other esoteric ways of leveraging this device that can have serious consequences for a victim.
>
> Good luck with your presentation.

Thanks for the suggestion; those are interesting ideas. However, the presentation is about 30 to 40 mins, and what you mentioned will take a lot more than that.
I just need something simple but meaningful for them, and with MAC address only.... it won't work

I can explain for hours about how dangerous it could be, but it's much more effective if I show them something like

"Hey guys, these are the emails/text/Facebook ID etc. etc. that I captured while YOU were here"

You get the idea?

2 minutes ago, yonomas said:

> Thanks for the suggestion; those are interesting ideas. However, the presentation is about 30 to 40 mins, and what you mentioned will take a lot more than that.
> I just need something simple but meaningful for them, and with MAC address only.... it won't work
>
> I can explain for hours about how dangerous it could be, but it's much more effective if I show them something like
>
> "Hey guys, these are the emails/text/Facebook ID etc. etc. that I captured while YOU were here"
>
> You get the idea?

A. You'll need to be careful doing this and make sure you post disclaimers that they may be involved in demonstrations and to turn off their wifi if they don't want to participate, as well as announcing it prior to starting the presentation and then again when you are about to start/show off the demonstration. Remember, what you are showing them (even for educational purposes) is very illegal in most jurisdictions.

B. Search for the MANA attack on the forum; someone has been working on implementing that on the Pineapple and seems to be getting good results.

C. I think the points he brings up are actually more important than what you are going for in terms of shock value. A good presentation gives listeners a point of view they may have never thought of before, and the fact that their devices could be used to track them plays well into the surveillance state of the world today, imo.

D. I might focus on the fact that it's not just using public wifi that is the problem, and that having their wifi on when they are not using it in general is the largest concern. I've had several demonstrations where I said "hey, could "yourName iphone" check your wireless and let me know what you are connected to?" Then when they realize, pulling their phone out of their pocket, which they haven't touched during the talk, that they've been compromised, and by name even, their face says it all at that point.

36 minutes ago, bored369 said:

> A. You'll need to be careful doing this and make sure you post disclaimers that they may be involved in demonstrations and to turn off their wifi if they don't want to participate, as well as announcing it prior to starting the presentation and then again when you are about to start/show off the demonstration. Remember, what you are showing them (even for educational purposes) is very illegal in most jurisdictions.
>
> B. Search for the MANA attack on the forum; someone has been working on implementing that on the Pineapple and seems to be getting good results.
>
> C. I think the points he brings up are actually more important than what you are going for in terms of shock value. A good presentation gives listeners a point of view they may have never thought of before, and the fact that their devices could be used to track them plays well into the surveillance state of the world today, imo.
>
> D. I might focus on the fact that it's not just using public wifi that is the problem, and that having their wifi on when they are not using it in general is the largest concern. I've had several demonstrations where I said "hey, could "yourName iphone" check your wireless and let me know what you are connected to?" Then when they realize, pulling their phone out of their pocket, which they haven't touched during the talk, that they've been compromised, and by name even, their face says it all at that point.

You are right, the company that manages these talks is in charge of the disclaimers, but I'll double check with them. Thanks for the advice.

I was thinking of capturing the email addresses of Facebook/Twitter/Instagram accounts, putting them in a file, and running a script to search for the public profile images of those accounts and show them on the screen at the end of the presentation.

But so far there is no way to get something like that from the phone apps or the browser (btw, no one uses the browser for Facebook/Twitter/Instagram).

I saw the post about MANA, but it is kinda complicated to make it work right now. Is there any module for the Pineapple able to gather more relevant info than just the MAC address or device ID?
 

 


It's a Catch-22: If hacking were easy, more things would be secure.

It's why WEP has been replaced by WPA2, even further replacing default router open SSIDs with randomized SSIDs w/ randomized WPA2 passphrases. It's why HTTP was replaced with HTTPS, and even further, sites that implemented HSTS and/or apps with secured communications built in. It's why keyfobs have implemented rolling codes and time-based tokens. Etc., etc...

All of those are good things and, as penetration testers, what we want to see from the industry when vulnerabilities are discovered and exploited.

You want to do things that have already largely been addressed and secured (at least more so than before). The real current danger that people don't think about is the metadata trails they are leaving and posting publicly. Just having data going through the Pineapple, you are able to link a device to certain activity and, if you know your target, able to connect them to things they may want to keep under the radar or private. DNS queries are all still open and available to review (which is why you would want to encourage VPN usage on public wifi or questionable security APs). This states where you are going and what you are doing, and surprisingly provides a lot of data on your interests and habits. There's also still a lot of things that don't go over encrypted channels, and the fact that a large majority still use the same passwords for all of their logins can have devastating effects.

I didn't even have to show my uncle that I could do anything, just tell him about the possibilities that could be done, and he goes on to tell my mom that I may be reading his emails right now. But the point was that I made him aware of the dangers he never thought of, and at least now he thinks about security more than just haphazardly connecting and focusing on what he wants to do. He now turns his wifi off if he's not using it on his phone (even at home), he will use mobile data even if there is an available wifi nearby, and he uses different passwords for different sites. Awareness is what you really are going for, and any way you can make more people understand that their security needs to be in their own hands and minds is a win over trusting others to take care of it for them.

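What the DNS point in the post above looks like at the byte level, as an added example that is not part of the original thread: a plain DNS query is built and then decoded from raw bytes alone, the way any access point on the path could read it, even when the site itself is HTTPS-only. The hostnames and the `SAMPLE` list are constructed for illustration.

```python
from __future__ import annotations
import struct

def build_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Build a plain DNS A query in RFC 1035 wire format."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name, following compression pointers; return (name, next offset)."""
    labels, resume, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            hops += 1
            if hops > 16:                     # malformed packets can loop forever
                raise ValueError("pointer loop")
            if resume is None:
                resume = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), resume if resume is not None else offset
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length

def visible_questions(msg: bytes) -> list[str]:
    """Hostnames any on-path device can read from an unencrypted DNS message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    names, offset = [], 12
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        offset += 4                           # skip QTYPE and QCLASS
        names.append(name)
    return names

# Constructed sample: lookups a phone might make before any HTTPS session starts.
SAMPLE = [build_query(h) for h in ("bank.example", "jobs.example")]
if __name__ == "__main__":
    for packet in SAMPLE:
        print(visible_questions(packet))
```

When the same lookups travel inside a VPN tunnel, as the post recommends for public Wi-Fi, they no longer appear in this readable form on the local network.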

I need something visual. Even if I show them I got their bank account number, it won't get the same impact as "I hack your Facebook account".

So my goal so far is access to their public photo profile in social media. Is that possible? From the app, any social media app, FB/TW/Inst etc. etc.

2 hours ago, yonomas said:

> I need something visual. Even if I show them I got their bank account number, it won't get the same impact as "I hack your Facebook account".
>
> So my goal so far is access to their public photo profile in social media. Is that possible? From the app, any social media app, FB/TW/Inst etc. etc.

Probably not.

Most "My $OnlinePhotoBackup account got hacked and now my photos of me banging $SomeRandomNeighbor got released to the public!!!!" stories aren't from $OnlinePhotoBackup's bad security. Most of them are from users being stupid with passwords. They're using the same password for their My Little Pony meme creator web login as their iAccount or Google account. So like Skinny said, it's not just secure sites you need to be worried about. 99% of the time, you're not going to spoof an HTTPS site and get away with it. There's still a few out there, but most are switching to HSTS, so that's going away really fast. Hopefully within a couple years all internet traffic will be through HTTPS. Our job is to make it so we no longer have a job, or at least less of a job.


I like the suggestion above.  Routing them to a page you've created instead of where they wanted to go.  Great point.

 

You could also illustrate poor WPA2 passwords by using the pineapple to capture a handshake and using aircrack to break the captured hash.


One cannot buy something like the Pineapple and expect all methods to work like day one. Security flaws are meant to be patched.

For a brief demonstration, you can configure an AP with weak security just to show a scenario.

There are plenty of methods to gain access with a Pineapple. The easy ones like pixie are not going to beat an advanced method in terms of overall effectiveness. If you want to talk about the real threats, they are probably at least 50% or more a social engineering technique that would give up info from anyone that is a victim of their bias blind spots.

So if you want a good cyber security presentation, incorporate the social hacking. That part is not going to change anytime soon.

Advanced wireless password cracking may not even be needed to gain access. It's a facepalm situation if you're drilling the backdoor of the vault when the side patio door is open.

The side patio door is always going to be an easier access, especially if the target believes the front of the vault is strong enough.
