samd12 Posted July 16, 2017

I am in IT for a school and have a question about the functionality of a Pineapple. If there is a forgotten password when on a Chromebook or phone to access a Google account or some other app, but the password is saved so you just hit enter on the app, can the Pineapple intercept the traffic to get the info? This is not really my forte; maintaining a large network of many devices can get crazy. Also, we have kids putting up hotspots to bypass our network and get out without going through the filter server. Can I grab that information to try to mitigate that from happening? Thx, hopefully not too much of a noob question, but like I said this is not really my thing. Thx

samd12 (Author) Posted July 16, 2017

Also what if the kids use hidden SSIDs on their hotspots?

Lord_KamOS Posted July 16, 2017

> 40 minutes ago, samd12 said:
> I am in IT for a school

I doubt that.

> 40 minutes ago, samd12 said:
> intercept the traffic to get the info

The Pineapple is literally made for intercepting traffic, so yes, it can perform a MITM attack, but the traffic you are talking about is encrypted and I doubt anything on the Pineapple can decrypt it, so no, you can't steal their creds that way.

> 40 minutes ago, samd12 said:
> can I grab that information to try to mitigate that from happening

Yes, you can grab the information and "track down" the AP, or deauth people from it, but (or tell them) the best thing to do here is to put restrictions on the computer (or just let them use the internet freely).

> 25 minutes ago, samd12 said:
> Also what if the kids use hidden ssids on their hotspots?

You can't hide radio waves; you will still be able to see the BSSID (MAC of the AP).

Edited July 16, 2017 by Lord_KamOS

samd12 (Author) Posted July 16, 2017

> 14 minutes ago, Lord_KamOS said:
> I doubt that.

Oooook.... I get that

> The pineapple is literally made for intercepting traffic, so yes it can perform MITM attack, but the traffic you are talking about is encrypted and i doubt anything on the pineapple can decrypt it, so no you cant steal their creds that way.

Not looking to steal creds. If they are using our network, which is paid for by public dollars, I have the right and the authority to do what is needed to protect it and filter it. Actually, by law, since all equipment is paid for by public dollars it must be filtered at some level; by law, not even a choice.

> Yes you can grab the information and "track down" the AP, or deauth people from it, but (or tell them) The best thing to do here is to put restrictions on the computer,(or just let them use the internet freely)

Can't do. It is my job to keep them filtered. I am just an IT guy who does not specialize in this stuff, and being in a public school we don't have the funds or resources to do half of what we do. When the kids are bypassing things and it disrupts instruction they look to me to find a solution, that's all. When you have a bunch of teenagers (MS is worse than HS) that want to do something and you have limited resources, you do what you can. We just had another local district where the kids were able to get a key logger onto media center machines and got into the SIS system. They are unable to do that because we have things locked down, but we are moving more towards Chromebooks away from PCs and my experience comes from dealing in AD to lock down things. I am still learning the Chromebooks and dealing with the nightmare iPads, which suck when it comes to network accountability.

> You cant hide radio waves, you will still be able to see the BSSID (MAC of the AP)

Thanks, I do appreciate the feedback.

I am not embarrassed to say that this kind of stuff is not my thing, but I am being led down that road whether I like it or not. I do very much thank you for any information that will help. I get how people that are not in the know are "looked down" upon in forums like this, but any feedback is welcome.

Lord_KamOS Posted July 16, 2017

> 1 hour ago, samd12 said:
> I have the right and the authority to do what is needed to protect it and filter it

I do not see how intercepting passwords helps you filter and protect the network, but ok.

> 1 hour ago, samd12 said:
> I do appreciate the feedback.

No problem.

barry99705 Posted July 16, 2017

It's not that we're looking down on newbs, but at times the questions asked are kind of suspect. You don't need their account info to filter the internet, that's done at the firewall. The Pineapple won't help you track down rogue access points. You use a laptop and Kismet to do that. Having worked at a K-12 school district, I feel your pain. The best way to find your way past a network filter is to ask a middle schooler. They can get through damn near anything...

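Two points from the replies above (a hidden SSID still exposes its BSSID, and unauthorized APs are found by surveying with a laptop) can be combined into a simple inventory check. This is an added example, not part of the original thread and not Kismet's code or export format; the CSV field names, BSSIDs, SSID and room names are all constructed assumptions.

```python
import csv
import io

# Assumed inventory of the school's own access points (constructed values).
AUTHORIZED_BSSIDS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}
SCHOOL_SSIDS = {"School-WiFi"}

# Constructed walk-survey readings: location, BSSID, SSID, RSSI in dBm.
# An empty SSID is a hidden network; its beacons still carry the BSSID.
SAMPLE = """location,bssid,ssid,rssi
Room 101,02:00:00:AA:00:01,School-WiFi,-48
Room 101,02-00-00-BB-00-09,,-71
Room 204,02:00:00:bb:00:09,,-52
Room 204,02:00:00:CC:00:07,School-WiFi,-60
Library,02:00:00:cc:00:07,School-WiFi,-44
Library,02:00:00:aa:00:02,School-WiFi,-55
"""

def normalize(bssid):
    """Lower-case and colon-separate a MAC so allowlist lookups match."""
    return bssid.strip().lower().replace("-", ":")

def find_unauthorized(readings_csv, authorized=AUTHORIZED_BSSIDS):
    """Return {bssid: info} for every BSSID that is not in the inventory."""
    found = {}
    for row in csv.DictReader(io.StringIO(readings_csv)):
        bssid = normalize(row["bssid"])
        if bssid in authorized:
            continue
        rssi = int(row["rssi"])
        ssid = row["ssid"].strip()
        info = found.setdefault(bssid, {
            "ssid": ssid, "hidden": ssid == "",
            # An unknown BSSID advertising the school's SSID is a look-alike AP.
            "spoofs_school_ssid": ssid in SCHOOL_SSIDS,
            "best_rssi": rssi, "nearest": row["location"],
        })
        # RSSI is negative dBm: closer to zero means a stronger signal,
        # so the strongest reading marks the survey point nearest the device.
        if rssi > info["best_rssi"]:
            info["best_rssi"], info["nearest"] = rssi, row["location"]
    return found

if __name__ == "__main__":
    for bssid, info in sorted(find_unauthorized(SAMPLE).items()):
        print(bssid, info)
```
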
Dave-ee Jones Posted July 16, 2017

You can't really block a 3G/4G hotspot connection. Sounds like you have your solution soon anyway - Chromebooks. I'm pretty sure you can completely lock down Chromebooks to only a select few websites. Not 100% sure, but Chromebooks can get so locked down I just steer clear of them. They are completely managed by a cloud and I find I can't do anything with them except use Microsoft Word... I hate 'em; however, they are useful for your situation. It means you can lock down the internet even if the MS peeps use their phone to bypass the WiFi.

Also, when you say the MS peeps use their phone's hotspot to bypass the WiFi filter, do you mean they hotspot YOUR connection or hotspot a 3G/4G connection (in which they would be using their own data from a phone plan)? If they are using your connection you need to filter all requests at the router, not at the APs. Remember, they may connect to the APs but it still has to go through the router to get to the internet, so set up your router to block those websites, not the APs, as they can set up a fake AP to bypass this.

samd12 (Author) Posted July 17, 2017

> 2 hours ago, barry99705 said:
> It's not that we're looking down on newbs, but at times the questions asked are kind of suspect. You don't need their account info to filter the internet, that's done at the firewall. The pineapple won't help you track down rogue access points. You use a laptop and kismet to do that. Having worked at a K-12 school district, I feel your pain. The best way to find your way past a network filter is to ask a middle schooler. They can get through damn near anything...

We have a filter; the kids are putting up hotspots and they attach to that. Would love to have a way to track them down. I will take a look at Kismet. It is funny how MS is worse than HS. I guess the HS kids have better things to do. lol

samd12 (Author) Posted July 17, 2017

> 43 minutes ago, Dave-ee Jones said:
> You can't really block a 3G/4G hotspot connection. Sounds like you have your solution soon anyway - Chromebooks. I'm pretty sure you can completely lock down Chromebooks to only a select few websites. Not 100% sure but Chromebooks can get so locked down I just steer clear of them. They are completely managed by a cloud and I find I can't do anything with them except use Microsoft Word..I hate 'em, however, they are useful for your situation. It means you can lock down the internet even if the MS peeps use their phone to bypass the WiFi. Also, when you say the MS peeps use their phone's hotspot to bypass the WiFi filter do you mean they hotspot YOUR connection or hotspot a 3G/4G connection (in which they would be using their own data from a phone plan)? If they are using your connection you need to filter all requests at the router, not at the APs. Remember, they may connect to the APs but it still has to go through the router to get to the internet, so setup your router to block those websites, not the APs, as they can setup a fake AP to bypass this.

You can't lock them down that far, it becomes counterproductive. The people who come across my network get a default filter if the filter does not know who they are. When they broadcast their SSID, friends attach to it. I want to somehow get a grasp on that.

Dave-ee Jones Posted July 17, 2017

> 37 minutes ago, samd12 said:
> You can't lock them down that far, it becomes counter productive. The people who come across my network get a default filter if the filter does not know who they are. When they broadcast their ssid friends attach to it. I want to somehow get a grasp on that.

Okay, so when you say they set up a hotspot you mean they turn their phone into an AP that acts as a bridge of your network? Meaning it basically relays your WiFi from the phone? That's called a rogue/fake AP. One of the strongest ways to infiltrate a network's security, but as I said, block it from the router, applying the filter to all underneath that based on the IP they get. If it's an unknown IP, give 'em a hard filter. You could maybe slow the internet down for those APs?

PoSHMagiC0de Posted July 17, 2017

Google is very secured against MITM with stripping. Your only way of getting that info, and it will be a session cookie, not the password, would be to HTTPS proxy and accept the bad cert to install the root from your MITM proxy and HTTPS proxy to get it.

If hotspots mean a student's hotspot on their cellular network they are using with their own devices, you cannot tamper with them directly. I think that is illegal since you are messing with a service not owned by you.

If they are using your machines to access the hotspot, then filter like someone else mentioned and lock down from adding access points to your machines. A bit of HD encryption will keep them from using boot disks to modify the contents of the disk to gain admin rights too.

barry99705 Posted July 17, 2017

> 5 hours ago, PoSHMagiC0de said:
> Google i very secured against mitm with stripping. Your only way of getting that info, and it will be a session cookie not the password, would be to https proxy and accept the bad cert to install the root from your mitm proxy and https proxy to get it. If hotspots mean a student's hotspot on their cellular network they are using with their own devices, you cannot tamper with them directly. I think that is illegal since you are messing with a service not owned by you. If they are using your machines to access the hotspot then filter like someone else mentioned and lock down from adding access points to your machines. A bit of hd encryption will keep them from using bootdisks to modify to the contents of the disk to gain admin rights too.

Bingo! If it's their own device's network, you can't legally do a thing to them. Let them eat up their parents' data. If they're using school Chromebooks, then you can still put restrictions on them. Our district would do the detention, suspension, complete removal of school tech access, for any computer hackery.

Chromebooks didn't exist at the time, but we did have a test program going. Every middle school student was issued a MacBook. We had a few thousand MacBooks floating around, and for the most part it worked pretty well. One of the guys programmed up a phone home program that would check in with one of our public facing servers. If the laptop's MAC address was on a file, it would return as much network info as it could. It helped there were only two places you could get a Mac worked on in town, so theft wasn't really a big deal. We'd usually get them back within a couple of months. It helped the next "big" town was an 8 hour drive away.

Edited July 17, 2017 by barry99705