Jen Henennsen Posted July 1, 2021 Posted July 1, 2021 A toy. Oversold and under-engineered. A Useless POS. Underpowered SoC. Unstable, buggy UI. If you are an actual pentester auditing wifi networks you will pull your hair out trying to find a way to make this thing do what is is advertised to do. Why you should not buy the new WiFi Pineapple Mark VII | by Carlos Cilleruelo | InfoSec Write-ups (infosecwriteups.com) Kali - Free Bettercap - Free The computer you already own - paid for MediaTEK Dual band adapter - $40 Cost to build your own - $40
chrizree Posted July 1, 2021 Posted July 1, 2021 It seems as if you have made a wise decision, the Mk7 isn't your cup of tea.
Jen Henennsen Posted July 5, 2021 Author Posted July 5, 2021 On 7/1/2021 at 4:48 PM, chrizree said: It seems as if you have made a wise decision, the Mk7 isn't your cup of tea. never mind. this thing is a useless POS. There is nothing that I can use this for other than parlor tricks and pranks. Maybe some poor kid from the third world can use it learn how to be a hacker and do all the hacking.
chrizree Posted July 5, 2021 Posted July 5, 2021 Just so that you don't feel alone in all of this; you're not the only one with 30+ years of experience around here.
Irukandji Posted July 5, 2021 Posted July 5, 2021 Oof. I was probably 2 years old when you started. I'm 32 now.
Jen Henennsen Posted July 5, 2021 Author Posted July 5, 2021 4 hours ago, chrizree said: Just so that you don't feel alone in all of this; you're not the only one with 30+ years of experience around here. Interesting how you never address any of the points that I've made. Y'all bros must have been really high when you invented this. And that Darren, wow! he's a real secret agent traveling the world on his 'engagements'
Jen Henennsen Posted July 5, 2021 Author Posted July 5, 2021 7 hours ago, Jtyle6 said: Oof. I was probably 2 years old when you started. I'm 32 now. Please look at Documentation page. I have read every effing bit of the 'documentation'. And I watched that BS 'workflow' video by Mr. Kitchens. That is a demo of clicking on things in a browser. None of that meets even the most rudimentary standards for documentation. That is the minimum amount of text that could be phoned in by someone who has never actually written tech docs.
terraformer Posted July 7, 2021 Posted July 7, 2021 I share the impression of the OP. The WiFi Pineapple exposes little to no technical information about what its doing. What channels are being monitored? What the dwell time for each channel? What does the "capture wpa handshake" button actually do? Does it simply camp on the associated channel of the network and wait for handshake data for that particular SSID or does it cover all networks for that given channel? When deauthing, how many frames are sent? What reject code is being used? The WiFi pineapple software gives you answers. Its a device for people who have no clue what 802.11 is and how it works imo.
DeusExMachina Posted July 7, 2021 Posted July 7, 2021 2 minutes ago, terraformer said: I share the impression of the OP. The WiFi Pineapple exposes little to no technical information about what its doing. What channels are being monitored? What the dwell time for each channel? What does the "capture wpa handshake" button actually do? Does it simply camp on the associated channel of the network and wait for handshake data for that particular SSID or does it cover all networks for that given channel? When deauthing, how many frames are sent? What reject code is being used? The WiFi pineapple software gives you answers. Its a device for people who have no clue what 802.11 is and how it works imo. I have searched high and low for anything in the trade press that pentesters, red-teamers, or any other infosec professionals actually use this in the field to conduct wifi pentests or audits - nothing. Maybe my Google Fu is weak and someone will show how us how they use it to discover and exploit vulnerabilities. Maybe they will demonstrate their workflow. Maybe the pros over at Hak5 will put together a demo of real-world use. I'm not holding my breath - and, at this point, I don't really care any more. Additionally, there is no capability to find and exploit vulns against WPA3 like KRAK and Dragonblood. This appears - at least from the demo-ware videos - to be marketed toward the youngs who want to do the haxing. Many of the settings and features don't work consistently - or appear to at all, in some cases. The SoC CPU is way underpowered for all that this thing is trying to do - it's basically a cheap router that can be bought in lots of 1000 from China for ~$5-10. Not a serious tool. CommView for Windows, Bettercap, and the Kali suite are tried and true are what we have used and will continue to use. Our two devices have been set on a shelf. The only thing we have really successfully executed is to prank our 4th of July party host that her business wifi had followed her home and we could connect to her wifi captive portal that we duplicated, replete with styling and logo. She was discomfited that this could be done, but in the end we all had a good laugh.
terraformer Posted July 7, 2021 Posted July 7, 2021 17 minutes ago, DeusExMachina said: I have searched high and low for anything in the trade press that pentesters, red-teamers, or any other infosec professionals actually use this in the field to conduct wifi pentests or audits - nothing. Maybe my Google Fu is weak and someone will show how us how they use it to discover and exploit vulnerabilities. Maybe they will demonstrate their workflow. Maybe the pros over at Hak5 will put together a demo of real-world use. I'm not holding my breath - and, at this point, I don't really care any more. Additionally, there is no capability to find and exploit vulns against WPA3 like KRAK and Dragonblood. This appears - at least from the demo-ware videos - to be marketed toward the youngs who want to do the haxing. Many of the settings and features don't work consistently - or appear to at all, in some cases. The SoC CPU is way underpowered for all that this thing is trying to do - it's basically a cheap router that can be bought in lots of 1000 from China for ~$5-10. Not a serious tool. CommView for Windows, Bettercap, and the Kali suite are tried and true are what we have used and will continue to use. Our two devices have been set on a shelf. The only thing we have really successfully executed is to prank our 4th of July party host that her business wifi had followed her home and we could connect to her wifi captive portal that we duplicated, replete with styling and logo. She was discomfited that this could be done, but in the end we all had a good laugh. Nobody uses it for pen tests because it doesn’t really have any pen testing features. I don’t really understand what the intended audience is to be honest. There is zero technical documentation available and all we have are very simple video demos. The web interface abstracts away any technical aspect of 802.11 related operations. Kismet is an open source tool that is miles better in terms of passive collection and the tools you mentioned work well for active stuff.
DeusExMachina Posted July 7, 2021 Posted July 7, 2021 1 minute ago, terraformer said: Nobody uses it for pen tests because it doesn’t really have any pen testing features. I don’t really understand what the intended audience is to be honest. There is zero technical documentation available and all we have are very simple video demos. The web interface abstracts away any technical aspect of 802.11 related operations. Kismet is an open source tool that is miles better in terms of passive collection and the tools you mentioned work well for active stuff. I know the open source fans don't want to hear this, but CommView for Windows is the gold standard - at least for us. You can set the number of deauth packets, the interval in ms, target the specific AP or connected devices or broadcast. Grab the handshake and export in a number of formats. Bettercap has a browser-based UI, but you don't really need it because it does such a good job of rendering well-formatted rows and columns in the terminal. And the docs are first rate. :: bettercap
DeusExMachina Posted July 7, 2021 Posted July 7, 2021 Here is some excellent Bettercap exploits Media Tweets by DroidKali (@jiyilide) / Twitter
chrizree Posted July 8, 2021 Posted July 8, 2021 I find it interesting when a user creates multiple online identities to impersonate a "crowd of united opinions"...
Irukandji Posted July 8, 2021 Posted July 8, 2021 1 hour ago, chrizree said: I find it interesting when a user creates multiple online identities to impersonate a "crowd of united opinions"... We'll I'm not one of them.
DeusExMachina Posted July 8, 2021 Posted July 8, 2021 4 hours ago, chrizree said: I find it interesting when a user creates multiple online identities to impersonate a "crowd of united opinions"... No, I forgot my password and I didn't get the reset email or however the process is supposed to work, so I just made a new account. Just the two accounts, not a 'crowd'. Nothing nefarious going on here. It's all me. And I stand behind every word. Let me just lay it all out, them I'm done. So here it is: this is a toy for skiddies. Period. I bought a bill of goods. It is not a serious tool. The pitchman. Mr. Kitchen, made a demo of clicking on things in a browser and I bought it. I gave him the benefit of the doubt. And if you want to get downright effing legal about it, in my opinion, Mr. Kitchen made materially and demonstrably false representations as to the capabilities of this product. Statements that I would consider deceptive. Actually, my partner tried to talk me out of it. He saw through this for what it is. I guess it appealed to my inner skiddie. I honestly cannot find a way to use this as a productivity tool (which is why I thought it would be useful). Campaigns? Ha! As to you... what I find interesting is that you have not addressed any of the points I've ever made. You've posted over 500 times, but you've never provided any advice or suggestions for how to integrate this into the testing workflow. If I'm going to go in the field and take clients' money, and make sure that I am giving them the best picture of their security posture vis a vis their wireless network, this tool is just plain is useless. Having said that, if anyone can demonstrate how professionals in the field use this to pentest wireless networks (and Hak5 can address its deficiencies honestly), I'm all ears and I'll stand corrected. What is the roadmap for WiFi 6 and WPA3? Why use a SoC that has half the power of a Raspberry Pi? Why would you build something that doesn't have dual-band on board?. Those questions are, of course, rhetorical: because $$. I remember being a hardware hacker back in the day. In 1987 I built a breadboarded 6502 CPU computer with 8K ROM and 8K RAM, 7400 TTL logic, 2 16 segment LED displays. The keyboard was a standard 88 key with all the keys plucked off except for A-F, 0-9 and the Enter key (maybe a couple others, I can't remember). And I programmed it in hex. I got a passing grade for that. But that was then. I have to earn a living, now. Out.
Foxtrot Posted July 8, 2021 Posted July 8, 2021 I'm really sorry to hear that you're not impressed with your Pineapple. It's obvious to me that you've made your mind up already about how much you dislike the device, but I don't think creating multiple accounts on the forums to hate-post is the right way to share your opinion, and is overall not very genuine. That being said, we're always striving to improve the feature-set and reliability even further with each upgrade (as I hope is apparent by looking at the changelog). Even though there aren't exact descriptions of why you're not happy (I see other vague posts about instability), we appreciate the feedback and use it to make the product better each release.
DeusExMachina Posted July 8, 2021 Posted July 8, 2021 1 minute ago, Foxtrot said: I'm really sorry to hear that you're not impressed with your Pineapple. It's obvious to me that you've made your mind up already about how much you dislike the device, but I don't think creating multiple accounts on the forums to hate-post is the right way to share your opinion, and is overall not very genuine. That being said, we're always striving to improve the feature-set and reliability even further with each upgrade (as I hope is apparent by looking at the changelog). Even though there aren't exact descriptions of why you're not happy (I see other vague posts about instability), we appreciate the feedback and use it to make the product better each release. I explained what happened and owned the accounts. I did not create them to hate-post. I came to reply to others that it is probably a waste of time to mess about with this thing, and to warn off others who might be inclined to purchase based on, as I have said, materially and demonstrably false representations of the product's capabilities. Representations made by Mr. Kitchens in his videos. These are statements that, as a reasonable person, I took to be honest and true. I did not consider them to be complete sales hyperbole. Let's get real, pal, I've been around the block when it comes to developing and supporting software, so I'm fairly certain that you know as well as anyone that this product comes nowhere close to delivering as advertised (just go back and actually READ the forum posts from your paying customers). And not to put too fine a point on it... but when you say things that can be demonstrated to be untrue (the demonstrably false part), and then you take money over the phone or internet, well, there is a legal term for that. Mr. Kitchen, in advertising this product, and speaking about it in such a way as to to influence someone to make a decision to purchase (the materially false part), is walking a fine line. Or perhaps not too fine a line. That gray area would be for the law to decide. But not to worry, I won't complain to the FTC. The fact remains: it DOES NOT work as advertised, and you all know it. As I told Chriz Ree, I'm done here. This one's on me. I got suckered by a fast-talking (and I DO mean fast) pitch man. This device has no practical use for professional red-teamers or pentesters. This is too bad, because you all might just have the resources and talent to develop something useful, even awesome. But you have to decide: do you want to make videos of guys running around playing secret agent, or do you want to be a real tech firm that ships quality, useful products. BTW: In this day of CI/CD, why are we waiting for updates that take months...? It's not like you're building nuclear power plant control software. It's a glorified, underpowered router, for Christ's sake. You should be knocking out these bugs and pushing daily. And to you, Mr. Foxtrot, I say, out and good day, Sir.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.