
I found a Pineapple in landlord's utility closet


trex5000


Hi guys,

Need some newbie help here. I spotted a Pineapple Tetra in the utility room at the apartment my girlfriend is renting. The owner of the house has always kept that room locked, but last time I was there, I glanced inside while he was fixing the water heater and saw an odd-looking unmarked black box with four antennas. After Googling images, it has led me here, to this forum, to me making this post.

I'm an engineer, but not the networking kind so my knowledge is pretty limited. From browsing around this forum, sounds like you can do some pretty nefarious things with it. Without confronting the landlord and making blind accusations, how can I find out what he's using it for?


55 minutes ago, trex5000 said:

Without confronting the landlord and making blind accusations, how can I find out what he's using it for?

Not really, there are tools that may give you some general idea of basic pineapple activity and even try to defend against some of it. But even using those tools his box could be used for passive monitoring (usually legal) or it could not even be that device but a neighbor's that the software detects. It may also not be a wifi pineapple but something looking very similar.

I would ask him outright, maybe even ask to see it. Then he knows you're aware and should either reassure you or palm you off giving you further clues about his intentions.

Edited by Just_a_User

Sounds like you say nefarious. Watch what you connect to for sure!!! If you monitor what you do should be ok.


21 minutes ago, trex5000 said:

If I were able to get my hands on it, is there a way to take an image of it? I tried going to the default IP address of the Tetra, but it doesn't return anything.

You have a web UI or ssh both protected by password, maybe via serial but I don't recall if that's password protected or not. Even then there is no total system imaging tool that I'm aware of. A lot of it is run in ram /tmp/ so is lost on a reboot.

Also I would want to be 100% sure it is a pineapple before attempting B&E on your landlord's utility room.

The main attack would be spoofing open wifi networks. So use your own WPA2 wifi (or use a vpn) and remove all open networks from your devices' known networks and you should be good. It's not 100% protection but better than none.

 


15 hours ago, trex5000 said:

unmarked black box with four antennas

I'm curious as to what images were shown. What did you search initially? Because when I searched "unmarked black wifi router with four antennas", nothing relating to the Tetra or nano pops up.

  • Like 1

If the device is broadcasting, you can try to capture its MAC address and then cross reference it with those that pineapples use. That should get you to confirm it is really a pineapple and not another device. 

 

I've seen other devices black with 4 antennas that are not pineapples.


Surely the easiest and quickest way for someone not very technical to see if this is a problem requiring more investigation or not would be for them to stand outside the closet and see what WiFi networks are present in the area?

A telltale sign this might be a live pineapple would be a very strong open network (possibly hidden) and quite likely a second very strong signal secured network (probably hidden). Windows 10 laptops show the presence of hidden networks reasonably easily.

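The survey suggested in the post above can be triaged with a short script. This is an added example, not part of the original thread: it assumes the scan was saved in the colon-separated form printed by `nmcli -t -f SSID,BSSID,SIGNAL,SECURITY device wifi list`, and the signal threshold, function names and sample lines are constructed for illustration.

```python
# Added example; sample lines are constructed, not captured from a real survey.
STRONG = 80  # assumed cut-off on nmcli's 0-100 signal scale

def split_terse(line):
    """Split one terse line on ':' while honouring backslash escapes."""
    fields, cur, chars = [], [], iter(line.rstrip("\n"))
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))   # escaped character, taken literally
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def parse_scan(text):
    """Return one dict per well-formed SSID:BSSID:SIGNAL:SECURITY line."""
    aps = []
    for line in text.splitlines():
        f = split_terse(line)
        if len(f) != 4 or not f[2].isdigit():
            continue                      # skip malformed lines
        ssid, bssid, signal, sec = f
        aps.append({"ssid": "" if ssid == "--" else ssid, "bssid": bssid.upper(),
                    "signal": int(signal), "open": sec in ("", "--")})
    return aps

def findings(aps, known_bssids=()):
    """Flag strong open networks and strong hidden secured ones you do not recognise."""
    known = {b.upper() for b in known_bssids}
    out = []
    for ap in aps:
        if ap["signal"] < STRONG or ap["bssid"] in known:
            continue
        if ap["open"]:
            out.append(("strong-open", ap["bssid"], ap["ssid"] or "<hidden>"))
        elif not ap["ssid"]:
            out.append(("strong-hidden-secured", ap["bssid"], "<hidden>"))
    return out

SAMPLE = "\n".join([                      # constructed survey
    r"HomeNet:AA\:BB\:CC\:00\:00\:01:92:WPA2",
    r"Free WiFi:02\:00\:00\:00\:00\:10:95:",
    r":02\:00\:00\:00\:00\:11:94:WPA2",
    r"Cafe\: Guest:AA\:BB\:CC\:00\:00\:02:40:",
])
if __name__ == "__main__": print(findings(parse_scan(SAMPLE)))
```

Passing the BSSIDs of access points you own as `known_bssids` keeps them out of the result; a hit is only a prompt for a closer look, since a neighbour's hidden network produces the same pattern.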

On 8/29/2018 at 9:33 AM, ThatchersHeritage said:

Surely the easiest and quickest way for someone not very technical to see if this is a problem requiring more investigation or not would be for them to stand outside the closet and see what WiFi networks are present in the area?

A telltale sign this might be a live pineapple would be a very strong open network (possibly hidden) and quite likely a second very strong signal secured network (probably hidden). Windows 10 laptops show the presence of hidden networks reasonably easily.

Agreed (although I personally wouldn't stand outside the closet, just anywhere within 1-20m or so with a WiFi analyser to check channels and signal strengths).

Edited by Dave-ee Jones

5 hours ago, ThatchersHeritage said:

Surely the easiest and quickest way for someone not very technical to see if this is a problem requiring more investigation or not would be for them to stand outside the closet and see what WiFi networks are present in the area?

A telltale sign this might be a live pineapple would be a very strong open network (possibly hidden) and quite likely a second very strong signal secured network (probably hidden). Windows 10 laptops show the presence of hidden networks reasonably easily.

Although it's worth a shot, it could easily be that the landlord is using remote access to the tetra from his own home (quite likely if he does not live on site), PineAP might not be running 24/7 and there are other attacks that can be made without using PineAP. The open network may not be hidden, the management network may be disabled. He may be using wlan0 for something else altogether.

Maybe he just uses it to monitor for MAC while reviewing security camera footage to see who is entering/leaving building. Maybe you have had packages being stolen from the lobby and he thinks he is trying to track down the culprit or rule out tenants. Maybe he's using this to know when he can enter your apartment illegally and obtain your wifi SSID, password and disable your router's wifi and make an EVIL twin on his tetra...

If it 100% is a tetra as OP is going by a glance at a black box with 4 antenna...

I would still confront him and watch his face/reaction.

Edited by Just_a_User
  • Upvote 1

20 hours ago, Just_a_User said:

Although it's worth a shot, it could easily be that the landlord is using remote access to the tetra from his own home

Could do that without a Tetra (TeamViewer, for example, which is free). Hardware-wise, could be anything.

20 hours ago, Just_a_User said:

Maybe he just uses it to monitor for MAC while reviewing security camera footage to see who is entering/leaving building.

Most modern routers can track MACs for you anyway. And a lot of phones automatically scramble the MAC whenever they connect to a new SSID, so its usefulness is meh.

20 hours ago, Just_a_User said:

Maybe he's using this to know when he can enter your apartment illegally and obtain your wifi SSID, password and disable your router's wifi and make an EVIL twin on his tetra...

Not sure what you mean about this one..it's not really viable.

20 hours ago, Just_a_User said:

If it 100% is a tetra as OP is going by a glance at a black box with 4 antenna...

Yep. Yep. Yep. Very true. Although, what legit routers are black with 4 antennas..Maybe old D-Links? Even if it wasn't a PineAP could be a modified RPi which could be worse.

20 hours ago, Just_a_User said:

I would still confront him and watch his face/reaction.

Yee...eh...no...nah. A possibility. I prefer not to deliberately aggravate people when possible..


13 hours ago, Dave-ee Jones said:

I prefer not to deliberately aggravate people when possible..

Really? lolol

I'm not going to go through the above. My answer is viable and has valid points. Your highlights and comments amuse me some.

I'm out of this thread, the OP has more than enough info and advice to go on.

Edited by Just_a_User

A different way to look at this, call the device X.

Is X the main AP for the building? Easy way to tell, look for an alternative AP, if there is, turn it off and see if you still get wifi. If X is the main AP, then bad things could be happening.

If X isn't the main AP, try connecting to an open network that doesn't exist, if you can, then something is running that shouldn't. If you can't, then it is unlikely X is spoofing APs.

If X isn't the main AP and isn't spoofing things, is it on the network? Turn off all other devices, except the main AP, and then do a network scan. See what is left, if there is a Linux box with 22 and maybe 80 or 1471 open then browse to it and see what you get. If it isn't on the network then it could just be doing passive things and there is nothing you can do to detect that.

With whatever normal access you have, try connecting to a HTTPS site you've never connected to before which doesn't do HTTPS preloading (google it all), my site would be one. If you get a valid certificate then it is unlikely that there are any odd SSL man-in-the-middle attacks going on.

Try a traceroute to the main AP and to external sites, see if you get an unexpected additional hop before the AP or directly after it.

If the room it is in has a door going to the floor, pick up a cheap ring and roll it under the door then call the landlord and ask him to come and open the door so you can retrieve it, while doing it, get a proper look at the device.

My guess would be that it isn't a Pineapple and that nothing odd is going on as that is the most usual way things work out.

  • Like 2
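The network-scan step in the post above (look for a box with 22 and maybe 80 or 1471 open) can be done on your own LAN with the Python standard library. This is an added example, not part of the original thread; the function names and the timeout and worker defaults are assumptions chosen for illustration.

```python
# Added example: find hosts on your own LAN that answer on the ports named above.
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

PORTS = (22, 80, 1471)  # ports named in the post above

def open_ports(host, ports=PORTS, timeout=0.5):
    """Return the subset of ports that accept a TCP connection on host."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            pass  # closed, filtered or unreachable
    return found

def matches_profile(ports_open, ssh=22, web=(80, 1471)):
    """SSH plus at least one of the web ports, as described in the post."""
    return ssh in ports_open and any(p in ports_open for p in web)

def sweep(cidr, ports=PORTS, timeout=0.5, workers=64):
    """Probe every host address in cidr; return {ip: [open ports]} for responders."""
    hosts = [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: open_ports(h, ports, timeout), hosts)
    return {h: p for h, p in zip(hosts, results) if p}

if __name__ == "__main__":
    import sys
    # Pass your own network, e.g. the /24 your router hands out.
    for ip, ports in sweep(sys.argv[1]).items():
        tag = "matches 22 + 80/1471" if matches_profile(ports) else ""
        print(ip, ports, tag)
```

A match only narrows the list: many ordinary Linux devices expose SSH and a web UI, so browse to the host as the post says before drawing conclusions.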

12 hours ago, PixL said:

...confirm the MAC for the blackbox..

If he's a genius he'll change the MAC to look like a router that we showed pics of above, to trick knowledgeable people, but not other geniuses.

Like me.

Joking, of course.

But I'm not wrong.

Edited by Dave-ee Jones
