general questions about WiFi hacking and rogue access point (pineAP)

[Don Joe]

Hello all,

I actually have solid knowledge about networks and WiFi, which is why I don't understand one basic thing about the Pineapp. The following is an example using an encrypted WiFi network.

ESSID: example-net
BSSID: 00:11:22:33:44:55
Enc/Cipher: WPA2/CCMP/TKIP

A mobile device (AA:BB:CC:DD:EE:FF) is connected to this network, the credentials are stored in the smartphone and "automatically connect" is enabled as usual. Of course I can get this client (=mobile device) to disconnect using DEAUTH packets, but it will automatically reconnect with its known ESSID shortly after.

Now with a Pineapple if I now fake this "example-net" under pineAP configuration with all the appropriate MAC/ESSID filters set, then my fake access point exists and sends the directed packets to the client (= mobile device) but the fake network is an OPEN so unencrypted network. Thus if the mobile device is disconnected from the real AP -no matter if manually or by deauth packets- then it will not connect to the fake open unencrypted example-net, but to the encrypted example-net.

The mobile device user will see two networks in his smart phone under "Available WiFi Networks" and they are "Example-Net (with encryption)" and "Example-Net (open, unencrypted)". His smartphone will always automatically connect to the encrypted, stored network "example-net WPA2/CCMP" unless he manually clicks on the "example-net open/unencrypted", which he obviously would never do because that would be stupid.

So how the heck is the client supposed to be persuaded to connect to the fake AP, how is that supposed to work?

The only thing I can think of would be: you would need to know the credentials of the encrypted real "example-net" to create an imitated fake AP with the same data. This fake AP would in turn have to be stronger from the signal so that the client would automatically choose it as the preferred connection path. If this were the case, then nothing could be achieved with the pineAP and the alleged WiFi attack. So why all the effort?

And out of curiosity I would have been interested: where do you set an encrypted fake wifi network on the pineapple? Under PineAp you can't enter passphrases and encryption ciphers. And under "Networking" I can't find any options other than "Management AP" and "Open AP".

Can someone please enlighten me about this simple basic problem? thanks to all in advance.

[Don Joe]

noone ??

[digininja]

You don't try to go for encrypted APs you go for unencrypted ones, most people have connected to at least one unencrypted AP in the past which is now stored in their favourites list.

Think the free one at McDonalds or the hotel they stayed at.

There was a bug at one point with a very small number of supplicants where they would happily downgrade to cleartext if the AP they expected to be encrypted wasn't, but doubt there are many of those around any more.

[Don Joe]

that makes sense. So the pineapple is only tailored for "OPEN/unenecrypted" WiFi networks and pretty much useless for everything else. Despite of other attacks like WPS or simple site surveys etc.

thanks for your reply.

[digininja]

The pineapple can do all sorts of other things, the bit you are focused on is getting someone to connect to your rogue AP. Checkout all the available modules.

Site Survey is built in.