Struthian Posted December 6, 2017

In order to get better acquainted with my Tetra, I have been trying to hack my own computers. Things are different than what I expected. I have two SSIDs. As it happens, one is for 2.5 GHz and the other is 5 GHz. I have a variety of different wireless devices, but I focused on one, which is a laptop running Windows 10 with only 2.5 GHz client capability. Naturally it is securely connected to the 2.5 GHz AP.

More or less following the WiFi Pineappling book, I did recon. I initially added the two SSIDs to the "Profiling filters" and also to the Filters "SSID Allow mode". I also added all the clients to the "Client Allow mode". (I live in a 33-unit wood-frame condo. Restricting my trial engagement really is important, as Recon turned up most of the households in the condo complex - kudos for that.)

I then experimented with Deauth on the client I was focused on. This did not affect the normal connection. However, in the first run of these trials, the 5 GHz AP SSID showed up on the AP list of the laptop as "Open" rather than secured. As it properly was not an SSID to see on a laptop that was not a 5 GHz client, this looked weird.

A curious thing happened during these experiments: my Motorola cell phone would not connect to the 5 GHz access point as it previously did. This continued even when the Pineapple was shut down. I probably ran Deauth on the access point at some time too. I also did connect to the fake SSID, and the Pineapple duly noted the client.

After fiddling around with this setup, I removed the 5 GHz access point from the Allow lists. I also restarted the access points and the Pineapple. I restarted the test laptop too. I then repeated the "Deauth". Again, the laptop was not affected, but an SSID with the same name as the proper one showed up on the list of possible connections for the laptop. It was augmented on the laptop with a 2 after its normal name, and the list showed it as not secured.

The laptop then showed up in the client list. Two identical SSIDs showed up in reports. One was the correct one and the other was the spoof one going to the Pineapple. I have to say, if someone else was penetrating my laptop with this, I would not have been fooled. I might not have even noticed they were trying.

My questions are:

1) Is there a way to spoof a target client into thinking the Pineapple is a secured access point, working with the credentials for the real one that it's spoofing?

2) Is there a way to make sure the spoof SSID is the same name on the client as the real one was (or similar), instead of choosing another SSID (in this case the 5 GHz one) as the spoof one - this even if exploiting multiple SSIDs?

3) How come my laptop didn't just automatically connect to the spoofed SSID? (Possibly that it didn't match the real one for security?) Is there a way that I can set up my experiments to be "more vulnerable"?

Google sign-in realized that something was amiss and signed me out. So there were things that would indicate to an attentive user of the client that something was amiss. Are there better practices for spoofing that might not be detected?

I should add, I'm having fun with this product. I just want to use it as effectively and knowledgeably as possible. Any explanations for my observations or hints for a better result with the same setup would be really great.
PixL Posted December 7, 2017

1. Search these forums for the NetworkingPlus module; with known PSK credentials you can spoof a secured SSID.

2. I generally run PineAP with the SSID hidden so as not to draw attention to myself. The PineAP KARMA setup will respond to beacon requests saying it is the right SSID for anything!

3. Your laptop will prefer the secure SSID and the one with the best signal. If, however, you connect once to the Pineapple, it will then reconnect more often, as it will be expecting an unsecured network. You can also use the mdk3 command from SSH to more effectively deauth, but please do your reading first or you could illegally deauth all your neighbours!
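The behaviour PixL describes in point 2 (a KARMA-style responder answering probes for any name it has learned) is what makes the allow lists in the first post matter in a dense building. Below is an added example, not code from this thread or from Hak5, that parses a raw 802.11 probe request and decides, in the spirit of the Pineapple's "SSID Allow" and "Client Allow" filters, which SSIDs to beacon back. The frame layout is the standard management header without a radiotap header (an assumption about the capture format), and every MAC address, SSID and the `build_probe_request`, `parse_probe_request`, `karma_response` and `run_demo` names are placeholders constructed for this file, not real networks or Pineapple internals.

```python
# Added example, not from the thread or from Hak5: a bare-bones 802.11
# probe-request parser and a KARMA-style "should I answer this probe?"
# decision that enforces an SSID allow list and a client allow list.
# All frames below are constructed here, not captured off the air.

MGMT_HDR_LEN = 24           # FC(2) Dur(2) Addr1(6) Addr2(6) Addr3(6) Seq(2)
TYPE_MGMT = 0
SUBTYPE_PROBE_REQ = 4
TAG_SSID = 0
TAG_RATES = 1


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(src: bytes, ssid: str) -> bytes:
    """Build a minimal probe request (assumed layout, no radiotap header)."""
    fc = bytes([(SUBTYPE_PROBE_REQ << 4) | (TYPE_MGMT << 2), 0x00])
    bcast = b"\xff" * 6
    ssid_b = ssid.encode("utf-8")
    body = bytes([TAG_SSID, len(ssid_b)]) + ssid_b
    body += bytes([TAG_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps
    return fc + b"\x00\x00" + bcast + src + bcast + b"\x00\x00" + body


def parse_probe_request(frame: bytes):
    """Return (src_mac, ssid) for a well-formed probe request, else None.
    ssid == "" is a wildcard (broadcast) probe asking for any network."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != TYPE_MGMT or (fc >> 4) & 0xF != SUBTYPE_PROBE_REQ:
        return None
    src = mac_str(frame[10:16])          # Addr2 is the transmitter
    body = frame[MGMT_HDR_LEN:]
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:         # truncated IE: stop, do not guess
            break
        if tag == TAG_SSID:
            return src, value.decode("utf-8", errors="replace")
        i += 2 + length
    return None                          # no intact SSID IE: treat as malformed


def karma_response(frame, ssid_allow, client_allow, ssid_pool):
    """SSIDs to beacon in reply to this frame after filtering; [] means stay silent."""
    parsed = parse_probe_request(frame)
    if parsed is None:
        return []
    src, ssid = parsed
    if src not in {m.lower() for m in client_allow}:
        return []                        # not an engaged client: never answer
    if ssid:                             # directed probe for one name
        return [ssid] if ssid in ssid_allow else []
    # wildcard probe: an unrestricted responder would offer every learned
    # name; the allow list trims it to the engagement's own networks
    return [s for s in ssid_pool if s in ssid_allow]


# Constructed sample data (placeholder MACs and SSIDs, not real networks)
LAB_LAPTOP = bytes.fromhex("02aabbccdd01")
NEIGHBOR = bytes.fromhex("02aabbccdd99")
CLIENT_ALLOW = ["02:AA:BB:CC:DD:01"]
SSID_ALLOW = ["LabNet-2G"]
SSID_POOL = ["LabNet-2G", "LabNet-5G", "CoffeeShop"]   # names the responder has learned

SAMPLE_FRAMES = {
    "directed_allowed": build_probe_request(LAB_LAPTOP, "LabNet-2G"),
    "directed_5g": build_probe_request(LAB_LAPTOP, "LabNet-5G"),
    "wildcard_allowed": build_probe_request(LAB_LAPTOP, ""),
    "neighbor": build_probe_request(NEIGHBOR, "CoffeeShop"),
    "beacon": bytes([0x80, 0x00]) + b"\x00" * 22 + bytes([0, 5]) + b"LabNe",
    "truncated": build_probe_request(LAB_LAPTOP, "LabNet-2G")[:27],
}


def run_demo():
    return {name: karma_response(f, SSID_ALLOW, CLIENT_ALLOW, SSID_POOL)
            for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, answer in run_demo().items():
        print(f"{name:18} -> {answer or 'silent'}")
```

The wildcard case is the one worth staring at: a client that sends a broadcast probe gets offered every name in the pool unless the SSID allow list trims it, which is one plausible route by which a 5 GHz-only network name can surface, as an open network, on a 2.4 GHz-only laptop that never asked for it. The neighbor, beacon and truncated cases all stay silent, which is the behaviour you want before touching deauth in a 33-unit building.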
Struthian (Author) Posted December 8, 2017

Thank you PixL. That's helpful. I did reading first, hopefully enough. No torches and pitchforks yet. I live in a very dense neighborhood of mostly wood-frame homes, so it's a collateral-damage-rich environment for sure. aaannnd, my work area is about 40' above the ground. You made me think of one factor in all this: the Pineapple, experimental targets, and AP are within a foot or two of one another. Yes, I have PineAP with the SSID hidden, which I think is the default. I'll look into NetworkingPlus; that sounds like just the thing. Since I wrote what I did before, I've made a bit of progress but I'm not there yet. I'm having a lot of fun with this stuff.