
Not receiving ICMP requests


Zajt


Hey!

I am running "tcpdump -w output.pcap -i wlan1" on my WiFi Pineapple, then "ping -s 1000 8.8.8.8" from my phone which is connected to the same WiFi as wlan1 is from the Pineapple dashboard. But I don't see any ICMP requests with large size in Wireshark.
Before I run the tcpdump command on the WiFi Pineapple after ssh:ing into it, I set it to promiscuous mode with "ifconfig wlan1 promisc"

This is the output of "ifconfig wlan1"

wlan1     Link encap:Ethernet  HWaddr 00:C0:CA:A5:C9:59  
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 

Anyone know why I don't see any ICMP requests after opening output.pcap in Wireshark?

 

Thanks in advance!

Link to comment

On 1/25/2019 at 11:36 AM, Just_a_User said:

dump from the br-lan interface and see what you get

But br-lan is USB for ethernet to host, so if we ping there we will see it, but this will only work if we ping from the host computer. We wanna ping from other devices, like my phone connected to the same WiFi and then receive it and see the requests in Wireshark after we have run tcpdump. Is this possible? 

Link to comment

20 hours ago, Zajt said:

But br-lan is USB for ethernet to host, so if we ping there we will see it, but this will only work if we ping from the host computer. We wanna ping from other devices, like my phone connected to the same WiFi and then receive it and see the requests in Wireshark after we have run tcpdump. Is this possible? 

Did you try it?

I just had a quick play with tcpdump on my tetra. Using tcpdump capturing br-lan I was seeing pings from a phone on the open wifi of the pineapple. I don't have a second device easily to hand at the moment so can't test between two wifi devices.

But when doing that I do see pings from my test phone (172.16.42.224) going to 172.16.42.1 (tetra), 172.16.42.42 (my laptop as gateway) and to 8.8.8.8 (google). All can be captured to file for reviewing later on Wireshark.

Another option (and my preference where possible) is to run Wireshark on the pineapple's gateway device at 172.16.42.42 and capture all packets live and filter out what you like.

 

 

Link to comment

1 hour ago, Just_a_User said:

Did you try it?

I just had a quick play with tcpdump on my tetra. Using tcpdump capturing br-lan I was seeing pings from a phone on the open wifi of the pineapple. I don't have a second device easily to hand at the moment so can't test between two wifi devices.

But when doing that I do see pings from my test phone (172.16.42.224) going to 172.16.42.1 (tetra), 172.16.42.42 (my laptop as gateway) and to 8.8.8.8 (google). All can be captured to file for reviewing later on Wireshark.

Another option (and my preference where possible) is to run Wireshark on the pineapple's gateway device at 172.16.42.42 and capture all packets live and filter out what you like.

 

 


We tried with br-lan now, so first we set br-lan to be in promisc mode. Then we run: tcpdump -w output.pcap -i br-lan, and then on the WiFi Pineapple we are connected to our WiFi hotspot. Then I connect to the same hotspot from my phone, then send ping requests from a terminal app on my phone. But we do not see these ICMP requests in the pcap. It seems like there are only packets from the host (the computer where we ssh into the Pineapple and run the tcpdump command)

Link to comment

5 minutes ago, Zajt said:

We tried with br-lan now, so first we set br-lan to be in promisc mode. Then we run: tcpdump -w output.pcap -i br-lan, and then on the WiFi Pineapple we are connected to our WiFi hotspot. Then I connect to the same hotspot from my phone, then send ping requests from a terminal app on my phone. But we do not see these ICMP requests in the pcap. It seems like there are only packets from the host (the computer where we ssh into the Pineapple and run the tcpdump command)

OK, now I think I understand what you are attempting to do. My previous posts were on the basis of the pineapple being the AP, but, if I understand you correctly, you're using the pineapple as a client on the target AP and want to use the pineapple to sniff the target AP traffic?

 

Link to comment

Just now, Just_a_User said:

OK, now I think I understand what you are attempting to do. My previous posts were on the basis of the pineapple being the AP, but, if I understand you correctly, you're using the pineapple as a client on the target AP and want to use the pineapple to sniff the target AP traffic?

 

Yes exactly!

Link to comment

6 minutes ago, Zajt said:

Yes exactly!

I have not tried a pineapple like this myself. I would imagine some ARP magic may be required...

It may be more useful, if you have the AP password, to use Wireshark to decrypt the captured wireless traffic. https://wiki.wireshark.org/HowToDecrypt802.11 But even then some clients may not be heard by your interface so it's not guaranteed to get all traffic on the AP network.

 

Link to comment

7 minutes ago, Just_a_User said:

I have not tried a pineapple like this myself. I would imagine some ARP magic may be required...

It may be more useful, if you have the AP password, to use Wireshark to decrypt the captured wireless traffic. https://wiki.wireshark.org/HowToDecrypt802.11 But even then some clients may not be heard by your interface so it's not guaranteed to get all traffic on the AP network.

 

Why could it not be heard? Is it because they are on different WiFi channels?

Link to comment

3 hours ago, Zajt said:

Why could it not be heard? Is it because they are on different WiFi channels?

From what I understand (I am often wrong) not all APs are built the same. Some can direct the RF beam in a much more focused way to reach long range clients. Therefore, although you may be sniffing the same channel, you may not be able to see all of the traffic. I think it depends on other clients' range, interference, antenna gains, TX power etc.

e.g. - Say you are 50m away from AP, and another client is also 50m away from AP but is 100m away from you. What you might capture is the AP talking to the other client but not the client's responses.

Link to comment

Update: We tried the setup where the pineapple is acting as "target AP" and running monitor mode on our laptop while generating traffic on a mobile phone, connected to the pineapple AP, and the pineapple being connected to another phone's hotspot. With this setup we could see the ICMP requests and responses both in an open hotspot and WPA2 configuration.

 

However, the problem arises when we let the mobile device be the target AP and set the Pineapple in monitor mode. Then we are not able to see almost any data at all, at least not originating from the mobile device running ping on 8.8.8.8

Link to comment

1 hour ago, Zajt said:

However, the problem arises when we let the mobile device be the target AP and set the Pineapple in monitor mode. Then we are not able to see almost any data at all, at least not originating from the mobile device running ping on 8.8.8.8

As per our conversation on discord,  I ran this setup and got ICMP packets.

Phone 1 as Wifi hotspot, OPEN channel 11 @2.4ghz

Phone 2 as client on phone 1's hotspot running pings to 1.1.1.1

TETRA using wlan1 in monitor mode locked to channel 11 running TCP dump with filter to pcap.

tcpdump -i wlan1mon -v 'icmp' -w pingtest.pcap

Once collected, I copy file over to pc running wireshark

ZKjrQND.png

This should also work with WPA2 if decrypting with wireshark by entering the key.

Link to comment
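One way to check a capture such as output.pcap or pingtest.pcap offline for the large echo requests this thread is looking for, and to see from the file's link type whether it was taken in managed or monitor mode. This is an added example, not code from any poster; the function names are hypothetical, the sample capture is constructed, and only classic pcap files with Ethernet framing are decoded.

```python
import struct
LINKTYPES = {1: "ethernet", 105: "ieee802_11", 127: "ieee802_11_radiotap"}

def read_pcap(data):
    """Return (linktype, [frames]) from a classic (microsecond) pcap file."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return linktype, frames

def icmp_echo_summary(data, min_payload=1000):
    """Count ICMP echo requests/replies; flag requests with a large payload."""
    linktype, frames = read_pcap(data)
    out = {"linktype": LINKTYPES.get(linktype, str(linktype)), "frames": len(frames),
           "requests": 0, "replies": 0, "large_requests": 0}
    for f in frames:
        # Only Ethernet/IPv4/ICMP is decoded; 802.11 or radiotap frames are skipped.
        if linktype != 1 or len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 1:
            continue
        ihl = (f[14] & 0x0F) * 4                      # IPv4 header length
        if len(f) < 14 + ihl + 8:
            continue
        payload = struct.unpack(">H", f[16:18])[0] - ihl - 8
        icmp_type = f[14 + ihl]
        if icmp_type == 8:                            # echo request
            out["requests"] += 1
            out["large_requests"] += int(payload >= min_payload)
        elif icmp_type == 0:                          # echo reply
            out["replies"] += 1
    return out

def _frame(proto, icmp_type, payload_len):
    """Constructed Ethernet/IPv4 frame (checksums left at zero, not validated)."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 0, 0, 64, proto, 0,
                     bytes([172, 16, 42, 224]), bytes([8, 8, 8, 8]))
    return eth + ip + bytes([icmp_type]) + bytes(7 + payload_len)

def sample_pcap(linktype=1):
    """Constructed capture: 1000-byte ping, its reply, a 56-byte ping, one UDP."""
    frames = [_frame(1, 8, 1000), _frame(1, 0, 1000), _frame(1, 8, 56), _frame(17, 0, 20)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

On a real file, pass `open("output.pcap", "rb").read()` to `icmp_echo_summary`; a link type other than `ethernet` means the frames carry 802.11 headers and need a dissector such as Wireshark.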

@Sebkinne @Foxtrot

The above test works for me on my tetra, but the exact same test on a nano does not. The nano is capturing some packets but not ICMP (possibly others, I only tested ICMP); this seems repeatable with @Zajt also.

Can you also repeat it? And is this normal due to hardware differences or should they both be acting the same? After spending some time on this I'm really interested in what's going on. Any suggestions very welcome.

 

Link to comment

@Foxtrot it seems I was wrong (no surprise I guess :)), pings do show up but are delayed at first. I see ICMP packets on my nano after about 20-40 pings, inconsistently. Once they start showing up I can stop pings on the test device, then when starting pinging again they start showing immediately. Sorry for wasting any time. I will try to get OP sorted, cheers.

Link to comment

Archived

This topic is now archived and is closed to further replies.
