
[RELEASE][BETA] WiFi Pineapple Mark 7 2.0.0 Beta Firmware


Foxtrot


Hello all!

This 2.0.0 Beta release offers new features, bug fixes and general improvements to all aspects of the WiFi Pineapple experience. As always, the feedback provided by members of the community has been invaluable, and continues to be used internally to build out new additions and improvements.

We hope that you enjoy the new changes, and invite you to join us on Discord and here on the forums.


To get the Beta update, simply switch to the Beta Update Channel and check for new updates. You will then be prompted with a choice to upgrade.

To see some sneak peeks of the firmware before upgrading, check the second reply to this thread.

Release Notes:

  • This update changes the LED trigger to be more active on wlan0 activity. We're currently trialing this change. It may appear that your WiFi Pineapple is still booting, but is actually already booted fully and is now showing wlan0 activity. 
  • Since Beta 2, wireless interfaces are not destroyed by PineAP starting, instead, they are disabled and mirrored in monitor mode with the new monitor_vif tool. This prevents interface name confusion when a new wireless card is inserted into the WiFi Pineapple, while wlan1 is already in monitor mode.

Beta 2 Change Log:

  • In addition to Beta 1:
  • General
    • Include OpenWRT 21.02 community feeds and Hak5 2.0.0 feeds
  • Setup
    • Correctly load EULA and Terms of Service even when network state changes
  • UI
    • Display interface base names (wlanX) instead of multiple instances of the same interface (wlanX, wlanXmon) for recon
  • PineAPd
    • Log zero-length IE tags properly
    • Use new monitor_vif script to bring up interfaces in monitor mode while retaining original VIFs for system consistency
    • Fix several possible deadlock situations in logging
  • Recon
    • Show relative times for detected networks even when the Pineapple system time is not set correctly, by comparing time offsets with the browser.
    • Increase overall performance and stability of Recon backend
    • Use consistent interface naming for MK7AC module adapters (wlan3)

Beta 1 Change Log:

Welcome to the 2.0.0 Beta! This firmware contains significant bug fixes and feature releases
for the WiFi Pineapple Mark VII.

  • General
    • Updated to OpenWRT 21.02.1
    • Updated from kernel 4.14.180 to 5.4.154
    • Updated the Python Pineapple API
    • Updated HostAPd
    • Updated the OUI database
    • General UI stability improvements
  • Dashboard
    • Fix an issue where the MK7AC wizard would not close when clicking the 'Configure' button
  • Setup
    • Improved the dynamic layout of the Setup wizard
  • Campaigns
    • Fixed a silent error when no reports are available
  • PineAP
    • Fixed numerous crashes
    • Improved handling for Handshakes
    • Changed the default location for Log and Recon databases to /root/
    • Added a README to the default handshakes location (/root/handshakes)
    • Improved the bring-up time for the Management, Open, and Evil WPA Access Points
    • Management Access Point no longer requires the password to change the SSID and Hidden/Disabled toggles
    • Evil WPA Access Point now has the "Confirm Password" field auto populated
  • Recon
    • Add detection for WPA3 Access Points
    • Add detection for newer 802.11 authentication suites
    • Add a new tagged parameter view for Access Points
      • View the tagged parameters and their hexadecimal values for a given Access Point.
    • Add a column for MFP (Management Frame Protection) state
    • Simplified the Security column
    • Add a security summary dialog for Access Points
    • Fixed a rare error where the Recon database couldn't be opened
    • Performance improvements when fetching Recon data
    • Implement an Auto Handshake Capture mode
      • When enabled, WPA Handshakes will be captured whenever they are seen, regardless of whether a handshake capture is running
    • Overhauled the Handshakes View
      • Handshake listings now show the Client MAC, and also show the messages that were captured
    • Improved handling of deauthentication attacks
    • Improved the dynamic layout of the Recon page
    • Fixed an issue where some channels in the Channel Distribution chart would have a grey colour
    • Improved the Channel Distribution chart axis ticks
    • Add an icon to table rows to further distinguish Clients from their associated Access Point
    • A spinner is now shown when a deauthentication attack has been started
    • Show an informative message for Access Points or Clients with MFP enabled when trying to perform deauthentication attacks against them
    • Show the associated SSID for a selected Client in its sidebar
    • Show the OUI vendor name for the selected Client in its sidebar
  • Logging
    • Fixed an issue where the wrong database would be accessed if the Logging location was changed
  • Settings
    • Network keys are now redacted from a generated debug log

 

We will be paying close attention to the thread and the Discord channel (#wifi-pineapple) for the duration of the Beta, so please share any feedback or reports in those places, thanks!

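The Handshakes View entries in the changelog above (Client MAC per handshake, the EAPOL messages that were captured, and Auto Handshake Capture) come down to classifying each EAPOL-Key frame as M1 to M4 of the 4-way handshake and tracking them per AP/client pair. The following is an added example of that bookkeeping, not Hak5's or the firmware's code: it assumes the BSSID, client MAC and EAPOL-Key body (the bytes after the 4-byte 802.1X header) have already been pulled out of each captured data frame, and the sample frames are constructed with zeroed nonces and MICs.

```python
"""Track which 4-way handshake messages (M1..M4) and beacons have been seen
for each AP/client pair, the bookkeeping behind a "messages captured" column.
Added illustration, not Hak5 or WiFi Pineapple firmware code. It assumes
BSSID, client MAC and the EAPOL-Key body (the bytes after the 4-byte 802.1X
header) were already pulled out of each captured data frame. The sample
frames below are constructed, with zeroed nonces and MICs."""
import struct
from collections import defaultdict

# Key Information bits (IEEE 802.11 EAPOL-Key frame, big-endian field).
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9
REPLAY_OFF, KEYDATA_LEN_OFF = 5, 93   # body offsets with a 16-byte Key MIC

def eapol_message(body):
    """Return 1..4 for a 4-way handshake message, None for anything else."""
    if len(body) < KEYDATA_LEN_OFF + 2 or body[0] not in (2, 254):
        return None                      # not an RSN/WPA descriptor, or truncated
    key_info = struct.unpack_from(">H", body, 1)[0]
    if not key_info & KI_PAIRWISE:
        return None                      # group key handshake, not the 4-way
    key_data_len = struct.unpack_from(">H", body, KEYDATA_LEN_OFF)[0]
    if key_info & KI_ACK:                # AP -> client
        return 3 if key_info & KI_MIC else 1
    # client -> AP: WPA1 leaves Secure clear in M4, but M4 carries no key data
    return 4 if key_info & KI_SECURE or key_data_len == 0 else 2

class HandshakeTracker:
    """Per (BSSID, client) record of captured messages and replay counters."""
    def __init__(self):
        self.essid = {}                  # bssid -> SSID from a captured beacon
        self.seen = defaultdict(dict)    # (bssid, client) -> {msg_no: replay}

    def beacon(self, bssid, ssid):
        self.essid[bssid] = ssid

    def eapol(self, bssid, client, body):
        msg = eapol_message(body)
        if msg is not None:
            self.seen[(bssid, client)][msg] = struct.unpack_from(">Q", body, REPLAY_OFF)[0]
        return msg

    def status(self, bssid, client):
        seen = self.seen.get((bssid, client), {})
        # Crackable: the client's M2 (SNonce + MIC) plus the ANonce from the M1
        # of the same exchange (equal replay counter) or its M3 (counter + 1),
        # and the SSID from a beacon, since the PSK is derived from it.
        pair = ((1 in seen and 2 in seen and seen[1] == seen[2]) or
                (2 in seen and 3 in seen and seen[3] == seen[2] + 1))
        return {"messages": sorted(seen), "beacon": bssid in self.essid,
                "usable": pair and bssid in self.essid}

# Constructed EAPOL-Key bodies: descriptor(1) key_info(2) key_len(2) replay(8)
# nonce(32) iv(16) rsc(8) id(8) mic(16) key_data_len(2) key_data.
def key_frame(key_info, replay, key_data=b"", descriptor=2):
    return (bytes((descriptor,)) + struct.pack(">HHQ", key_info, 16, replay)
            + bytes(32 + 16 + 8 + 8 + 16) + struct.pack(">H", len(key_data)) + key_data)

M1 = key_frame(KI_PAIRWISE | KI_ACK, 1)
M2 = key_frame(KI_PAIRWISE | KI_MIC, 1, key_data=b"\x30\x14" + bytes(20))  # RSN IE
M3 = key_frame(KI_PAIRWISE | KI_ACK | KI_MIC | KI_INSTALL | KI_SECURE, 2, bytes(56))
M4 = key_frame(KI_PAIRWISE | KI_MIC | KI_SECURE, 2)

def demo():
    """Two clients on one AP: a full M1+M2 capture and a late-joined M3+M4."""
    ap, sta1, sta2 = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "12:34:56:78:9a:bc"
    t = HandshakeTracker()
    t.eapol(ap, sta1, M1)
    t.eapol(ap, sta1, M2)
    no_beacon = t.status(ap, sta1)["usable"]     # ANonce+SNonce but no SSID yet
    t.beacon(ap, "HomeNet")
    t.eapol(ap, sta2, M3)
    t.eapol(ap, sta2, M4)
    return no_beacon, t.status(ap, sta1), t.status(ap, sta2)
```

The replay-counter check is what separates a listing that merely shows messages from a usable capture: M3 and M4 alone, or an M1 from one exchange paired with the M2 of a later one, will both appear in a handshake list yet cannot be cracked, and without a beacon the SSID needed for PSK derivation is missing as well.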

Improved Handshake Handling & Auto Handshake Capture

With this release, vast improvements have been made both internal to the system and external to the user to make capturing of handshakes more efficient, reliable and generally easier. On the user facing side, this begins with a redesigned Handshakes tab in Recon, which now shows you which specific EAPOL messages and Beacons have been captured, as well as the Client MAC for a given Handshake.


As well as this change and improved behind-the-scenes handling, a new mode toggle for Recon has been added to capture Handshakes whenever they are seen in the air while channel hopping. This is in contrast to the "Capture WPA Handshakes" button that appears when you select an Access Point.

The "Capture WPA Handshakes" button has been kept, however, for targeted captures of Access Points on specific channels.


 

Improved Security Parsing

With this release, there have also been improvements to the security parsing of Recon results, which now detects WPA3 SAE, OWE and Enterprise networks. There is also a new dialog detailing an Access Point's security, down to the detected cipher suites and authentication schemes.


In addition to the parsing of the new security suites, detection has been added for Suite B, SHA256/SHA384 and more. You can now also view the Management Frame Protection (802.11w) state of a discovered Access Point.


(You may turn the MFP column on by clicking the Settings wheel and sliding the "Show MFP" toggle on).

Tagged Parameters

As the WiFi-savvy among you may know, 802.11 Management Frames can contain a variety of Tagged Parameters that carry information such as the SSID, Channel, and more. In this release, you can now view each tag for a given Access Point and its associated data.


These new dialogs can be accessed by clicking on any AP in Recon and using the new buttons on the side bar, under the "More Details" banner.

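The security summary and the tagged parameter view described above come from the same place: walking the tag/length/data elements in a beacon and decoding element 48 (the RSN information element) into cipher suites, AKM suites and the MFP bits of the RSN Capabilities field. The following is an added example of that decoding, not Hak5's or the firmware's code. The suite selector numbers are the IEEE 802.11 values (00-0F-AC:8 is SAE, :18 is OWE, :12 is Suite B 192-bit); the three beacon bodies are constructed, not captured, and WPA1 vendor-specific elements (tag 221) are reported but not decoded.

```python
"""Decode 802.11 beacon tagged parameters and summarise the RSN element
(tag 48): cipher suites, AKM suites and 802.11w / MFP state.
Added illustration, not Hak5 or WiFi Pineapple firmware code. The beacon
bodies at the bottom are constructed by hand. Beacon body layout (after the
24-byte MAC header): timestamp(8) | interval(2) | capability(2) | tagged
parameters, each being tag id(1) | length(1) | data(length)."""
import struct

RSN_OUI = b"\x00\x0f\xac"                      # IEEE 802.11 suite-selector OUI
TAG_SSID, TAG_DS_PARAMS, TAG_RSN = 0, 3, 48
CAP_PRIVACY = 0x0010                           # capability info bit 4
RSN_CAP_MFPR, RSN_CAP_MFPC = 0x0040, 0x0080    # RSN Capabilities bits 6 and 7
CIPHERS = {0: "group", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256",
           11: "BIP-GMAC-128", 12: "BIP-GMAC-256", 13: "BIP-CMAC-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 11: "SuiteB-SHA256",
        12: "SuiteB-192-SHA384", 13: "FT-802.1X-SHA384", 18: "OWE"}

def parse_tags(body):
    """[(tag_id, data), ...]. Zero-length elements are kept (a hidden SSID is
    tag 0, length 0); an element whose length runs past the end of the frame
    is dropped and parsing stops, so a malformed beacon cannot over-read."""
    tags, pos = [], 12
    while pos + 2 <= len(body):
        tag_id, length = body[pos], body[pos + 1]
        if pos + 2 + length > len(body):
            break
        tags.append((tag_id, bytes(body[pos + 2:pos + 2 + length])))
        pos += 2 + length
    return tags

def _suite(sel, table):
    """Name a 4-byte suite selector; unknown OUIs are reported, not dropped."""
    if sel[:3] != RSN_OUI:
        return "vendor-%s:%d" % (sel[:3].hex(), sel[3])
    return table.get(sel[3], "reserved-%d" % sel[3])

def _suite_list(data, pos, table):
    """Read a little-endian count followed by that many 4-byte selectors."""
    if pos + 2 > len(data):
        return [], pos
    n, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
    names = [_suite(data[pos + 4 * i:pos + 4 * i + 4], table)
             for i in range(n) if pos + 4 * i + 4 <= len(data)]
    return names, pos + 4 * n

def parse_rsn(data):
    """Decode an RSN IE. Everything after the version field is optional, so
    the standard's defaults (CCMP-128, 802.1X, no MFP) apply when absent."""
    if len(data) < 2:
        return None
    group = _suite(data[2:6], CIPHERS) if len(data) >= 6 else "CCMP-128"
    pairwise, pos = _suite_list(data, 6, CIPHERS)
    akm, pos = _suite_list(data, pos, AKMS)
    caps = struct.unpack_from("<H", data, pos)[0] if pos + 2 <= len(data) else 0
    return {"group": group, "pairwise": pairwise or ["CCMP-128"],
            "akm": akm or ["802.1X"], "mfp_capable": bool(caps & RSN_CAP_MFPC),
            "mfp_required": bool(caps & RSN_CAP_MFPR)}

def classify(rsn, privacy):
    """Map the AKM list to the label a Recon Security column would show."""
    if rsn is None:
        return "WEP or WPA1 (vendor IE, not decoded here)" if privacy else "Open"
    akm = set(rsn["akm"])
    sae, psk = akm & {"SAE", "FT-SAE"}, akm & {"PSK", "FT-PSK", "PSK-SHA256"}
    if "OWE" in akm:
        return "OWE (Enhanced Open)"
    if "SuiteB-192-SHA384" in akm:
        return "WPA3-Enterprise 192-bit"
    if sae:
        return "WPA2/WPA3 transition" if psk else "WPA3-Personal"
    return "WPA2-Personal" if psk else "WPA2-Enterprise"

def summarize(body):
    """Security summary for one beacon body, as the AP sidebar would show."""
    caps = struct.unpack_from("<H", body, 10)[0]
    first = {}
    for tag_id, data in parse_tags(body):
        first.setdefault(tag_id, data)           # duplicate tag ids: keep first
    rsn = parse_rsn(first[TAG_RSN]) if TAG_RSN in first else None
    mfp = "n/a" if rsn is None else ("required" if rsn["mfp_required"] else
                                     "capable" if rsn["mfp_capable"] else "disabled")
    return {"ssid": first.get(TAG_SSID, b"").decode("utf-8", "replace") or "<hidden>",
            "channel": first[TAG_DS_PARAMS][0] if first.get(TAG_DS_PARAMS) else None,
            "security": classify(rsn, bool(caps & CAP_PRIVACY)),
            "pairwise": rsn["pairwise"] if rsn else [],
            "akm": rsn["akm"] if rsn else [], "mfp": mfp,
            "tags": [tag_id for tag_id, _ in parse_tags(body)]}

# Constructed sample beacons (not captured traffic).
def _tag(tag_id, data):
    return bytes((tag_id, len(data))) + data

def _rsn(group, pairwise, akms, caps):
    sel = lambda n: RSN_OUI + bytes((n,))        # noqa: E731 (sample builder)
    return (struct.pack("<H", 1) + sel(group)
            + struct.pack("<H", len(pairwise)) + b"".join(map(sel, pairwise))
            + struct.pack("<H", len(akms)) + b"".join(map(sel, akms)) + struct.pack("<H", caps))

def _beacon(caps, *tags):
    return bytes(8) + struct.pack("<HH", 100, caps) + b"".join(tags)

BEACON_TRANSITION = _beacon(0x0011, _tag(TAG_SSID, b"HomeNet"), _tag(TAG_DS_PARAMS, b"\x06"),
                            _tag(TAG_RSN, _rsn(4, [4], [8, 2], RSN_CAP_MFPC)))   # SAE + PSK
BEACON_OWE = _beacon(0x0011, _tag(TAG_SSID, b""), _tag(TAG_DS_PARAMS, b"\x24"),  # hidden, ch 36
                     _tag(TAG_RSN, _rsn(4, [4], [18], RSN_CAP_MFPC | RSN_CAP_MFPR)))
BEACON_OPEN = _beacon(0x0001, _tag(TAG_SSID, b"CoffeeShop"), _tag(TAG_DS_PARAMS, b"\x01"))
```

The MFP column comes from the last two flags: a network advertising MFPR (as the OWE sample does) protects deauthentication and disassociation frames under 802.11w, which is why Recon warns before a deauth attack against such an AP or its clients. A hidden SSID arrives as a zero-length tag 0, one common instance of the zero-length IE tags the Beta 2 notes mention, so a tag walker must accept length 0 without treating it as the end of the element list.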

A few observations after a very brief session with the new firmware. 3 packages will not install: MACinfo, MDK4, and Locate. Scanning both bands with the Hak5 5G module seems to be very sporadic; sometimes I get the expected results, most of the time I do not get any 5G APs or only get a partial listing. I had to increase the scanning time to 5 minutes, up from 2, to get results that made sense more often. I keep getting logged out at random; this happens frequently. Though I did not try for very long, I was not able to capture any handshakes. This is possibly not an issue as I only spent about 5 minutes trying, and the AP I was deauthing (I own it) was showing fairly low signal and may have been too far away for reliable results.

 

I will do some more testing tomorrow. I have reinstalled the firmware and had the same results before and after.


some more observations from this morning's testing

Will not capture handshakes while connected to an AP for uplink

 

Will not capture handshakes unless actively scanning

 

Starting a scan sometimes provides old results, e.g. I removed the 5 GHz module, rebooted the device, started a scan, and was given results showing 5G access points. This should not be possible using only the 3 internal radios, which are 2.4 GHz only.

 

Reconfirming wlan1 for the recon interface then starting a new scan seems to have cleared the incorrect AP results. Stopping then restarting the scan causes the incorrect results to return.


The handshake capture seems to be very unreliable in this version; I had to put the pineapple into a very controlled environment to capture a handshake. I had to position the pineapple between the client and AP and manually disconnect then reconnect the client to capture a handshake. I cleared the capture then tried deauthing the same client in the same configuration and was not able to get the client to drop or to capture a handshake. It is as if it is not actually deauthing. I will try again shortly with a device that has Wireshark on it to see if it is actually transmitting the deauth frames.


Some more additional testing. I am able to confirm it is broadcasting deauth frames; however, it seems to send numerous frames, 25+ for each client, which seems excessive. I was able to take Kali and capture a handshake using wifite in passive mode; however, the pineapple was not able to capture it sitting beside the laptop. I have reinstalled 1.1.1 on the same hardware and was able to deauth and capture the handshake from the same AP. This is a remote AP that I set up at the edge of my property to test with.


Mmm, normal handshakes seem no problem with 2.0.0 for me, but it might take a while. I also discovered that when you log out and back in, stuff is visible all of a sudden, so give that a try!

Anyway, here is a video of version 1.1.1 which does capture but where it didn't show me data (see around 2:50) because my connection dropped:

 


9 hours ago, Sgt.Foose said:

Mmm, normal handshakes seem no problem with 2.0.0 for me, but it might take a while. I also discovered that when you log out and back in, stuff is visible all of a sudden, so give that a try!

Anyway, here is a video of version 1.1.1 which does capture but where it didn't show me data (see around 2:50) because my connection dropped:

 

I've let it run for hours with handshake capture on only to get one or 2. I've also actively deauthed clients with no success. I plan to mess with it some more this weekend; however, I have run it beside one of my other pineapples and the difference in capture performance is daylight and dark.


6 hours ago, jholbrookftl said:

I've let it run for hours with handshake capture on only to get one or 2. I've also actively deauthed clients with no success. I plan to mess with it some more this weekend; however, I have run it beside one of my other pineapples and the difference in capture performance is daylight and dark.

Yeah, it's not like you're going to catch like 15 handshakes in one hour or so. I have like 5 usable handshakes after one night. I think the reason is that not every wifi has clients connected, and if they do, they might simply be out of range for your Pineapple to man-in-the-middle. Even if you do capture a lot (which my Kali machine does sometimes), you will most likely not be able to crack them. For instance, a 12 character password with lowercase, capitals, digits and special characters would take 600 years to crack, even with a fast GPU using Hashcat for Windows. It's better to trick them using an Evil Portal, I guess.

 

 


26 minutes ago, Sgt.Foose said:

Yeah, it's not like you're going to catch like 15 handshakes in one hour or so. I have like 5 usable handshakes after one night. I think the reason is that not every wifi has clients connected, and if they do, they might simply be out of range for your Pineapple to man-in-the-middle. Even if you do capture a lot (which my Kali machine does sometimes), you will most likely not be able to crack them. For instance, a 12 character password with lowercase, capitals, digits and special characters would take 600 years to crack, even with a fast GPU using Hashcat for Windows. It's better to trick them using an Evil Portal, I guess.

 

 

I should, when I am actively deauthing clients in a controlled test. Whether I can crack them or not is irrelevant to the discussion at hand. I have multiple pineapples; I have the beta on one of them and the latest release on another, and place them close together. I run the same series of tests on each one, and the beta has almost no handshake captures where the release has numerous. You are also talking about using them passively; I am talking about using them actively. I am not simply putting it out there and waiting, I am performing a simulated active attack rather than a passive one.


If there is someone who can help me with the new beta (already posted), I would be grateful. I'm facing the same issues as mentioned above:

  • Quote

    The handshake capture seems to be very unreliable in this version

    Confirm - it's very difficult for me as well

  • Quote

    Will not capture handshakes unless actively scanning

    Correct, I was able to capture handshakes once in 8 hours of work with the MK7, and only when scan was set to continuous

  • Quote

    Starting scan sometimes provides old results

    True, steps to reproduce are something like:

    • turn on continuous scan

    • capture handshakes from victim's AP

    • turn off scan

    • turn off capturing

    • turn on scan again

 

 

 


On 3/25/2022 at 8:33 AM, unamed said:

Need to mention that Evil Portals downloaded from GitHub don't work either, neither with PineAP (Advanced) Settings nor with the Open Access Point. Have you faced the same issue?

I have not tried, share the link to the ones you are using and I'll try on my device, though I have to admit I do not use these typically and will have to mess around with it to figure it out.


13 minutes ago, jholbrookftl said:

well, I would love to help test, however, I cannot get the pineapple to download the dependencies.

Run opkg update in the console and see if you can ping example.com. I just reinstalled my Pineapple with the 2.0.0 Beta and it worked. Be aware 2.0.0 still has an issue with the EP. Version 1.0.2 works 100% (check my videos).


Archived

This topic is now archived and is closed to further replies.
