Pineapple Mark 7 (MKVII) Impossible to force clients to connect to cloned / mimic access point

[unamed]

Hello! Can't find anything related with my question, some sources says that it's not possible to connect client to cloned AP from protected WIFI, some sources says it's possible when all necessary credentials ect are provided.

Need to get final answer whether is possible or not. I will try to describe an issue as good as possible.

Preconditions: controlled environment

• Pineapple Mark VII
• version 1.1.1
• Some router with WPA/2 encryption - acts as a victim's WIFI with SSID (eg): WiFi_Audit
• Some phone 
• Evil Portal module is installed and WEB SERVER in already turned ON with some evil portal (eg. FB)

FIRST ISSUE: Steps to reproduce:

• I'm doing a recon
  • recon finds WiFi_Audit with 1 client connected
  • I'm clicking on that network and picking option: Add SSID to PineAP Pool
• I'm going to PineAP bookmark -> PineAP Settings
  • Choosing Active / Advanced option - most options are ON without Capture SSIDs to Pool - I don't need other SSID's
  • thus trying to clone the victim's SSID
    • SSID is cloned, it's visible in the WiFi networks
  • I'm Deauthenticate Client 
    • I'm trying to make client connect to my fake'd / cloned SSID 
• ISSUE
  • Victim is not reconnecting to fake / cloned SSID
    • For testing purposes I'm disconnecting router / turning it off (we can assume, that victim is in the room where there is worse signal strength to original router)
      • Victim is still not reconnecting to fake / cloned SSID
      • Victim have to click on this SSID and then Evil Portal appears
  • In this attack it is a stroke of luck that the victim does not realize that he has to manually connect to "it's" network, which is not secured
• QUESTION
  • Should victim connects automatically to this cloned SSID, eg. victim is checking some website, then suddenly is reconnected and evil portal pop-ups?
  • If it should connect automatically, why it doesn't work?

 

SECOND ISSUE: Steps to reproduce:

• I'm doing a recon
  • recon finds WiFi_Audit with 1 client connected
  • I'm clicking on that network and picking option: Capture WPA Handshakes
  • Capturing handshake is successful and I'm also successfully cracking password with hashcat
  • I'm clicking on that network again and picking option: Clone WPA/2 AP
• Clone WiFi_Audit? pop-up appears
  • One thing I have to fill in is cracked password - I'm writing it in
  • Since Recon shows Security I'm choosing correct Encryption
  • Clicking Clone
    • SSID is cloned, it's visible in the WiFi networks
  • I'm Deauthenticate Client 
    • I'm trying to make client connect to my fake'd / cloned SSID 
• ISSUE
  • Victim is not reconnecting to fake / cloned SSID
    • For testing purposes I'm disconnecting router / turning it off (we can assume, that victim is in the room where there is worse signal strength to original router)
      • Victim is connecting and reconnecting again and again - nothing else
• QUESTION
  • Should victim connects automatically to this cloned SSID, eg. victim is checking some website, then suddenly is reconnected and evil portal pop-ups?
  • If it should connect automatically, why it doesn't work?

 

What I can admit, that capturing handshakes and Open Access Point options works. But since there are also other options why they are not working? Am I doing something wrong?

There is lack of information in the internet, and lack of any (proper) tutorials about MK7 - can you provide some really good source of knowledge how to use all of these functions?

[Darren Kitchen]

I would begin by looking at your filter configuration and make sure the target is not being blocked. 

I also recommend updating to the latest version 2.0.0 from the beta channel as many features have been greatly improved with regards to handshake captures and AP cloning. 

You may also consider attempting this with a few different client devices, as each vendor implements the spec differently so results will vary from device to device. 

[unamed]

12 hours ago, Darren Kitchen said:

I would begin by looking at your filter configuration and make sure the target is not being blocked. 

Forgot to mention - my filters are both on deny and I don't have any MAC / SSID's added.

@Darren Kitchen You didn't say anything if it is / is not possible 🙂

Maybe you can provide some devices I can specifically check? I would like to make a presentation in the company, and need some clue. I was checking that attacks with iPhone XS Max but also I have access to some old devices. For me iOS is a must since I'm working on macOS and it's easy to show phone screen on the Macbook screen.

Would see some nice video tutorial how to proceed with it - what to do step by step, as nice as you did it on factory reset.

12 hours ago, Darren Kitchen said:

I also recommend updating to the latest version 2.0.0

I will try but hopefully it wont broke MK7 since:

Quote

Beta and Nightly releases may be unstable and come AS-IS with NO WARRANTY.

 

[unamed]

I don't know what happened, but since last conversation, MK7 just stopped normally and gracefully capturing handshakes. To make it easier, I've connect to poorly secured router with old mobile with iOS and... MK7 does not even see it. Once it see it, it's not capturing handshakes.

I've updated Pineapple to 2.0.0 beta but had the same.

Issues:

• I was trying in different ways to capture handshake and in 8hr of working with it I was able with a dose of luck capture handshake just once (!)
• when performing "Capture WPA handshakes" from Recon, PineAP, Advanced settings becomes set up (with Enable PineAP on) - not sure if this is ok
• I can't revert MK7 back to 1.1.1. stable version...
• Open Access Point is still visible even though hidden option is on
• factory reset doesn't work - I had 3 times time out...

 

[dark_pyrro]

Reverting back to 1.1.1 shouldn't be a problem at all. What issues are you experiencing regarding that?

 

[unamed]

Steps to reproduce:

1. Settings -> Advanced -> Alternative Updates -> Setting up Stable Channel 
2. Settings -> Software Update -> Checking updates -> Updating to 1.1.1

I'm getting information The page will automatically refresh when the update is complete with loading spinner. Surprisingly pineapple does not lose connection.

After 10 minutes waiting, loading spinner is still visible.

Is it ok to make faktory reset with these steps?

[unamed]

Need to mention that Evil Portals downloaded from Github doesn't work as well neither with PineAP (Advanced) Settings nor with Open Access Point.

[jholbrookftl]

On 3/19/2022 at 6:37 PM, Darren Kitchen said:

I would begin by looking at your filter configuration and make sure the target is not being blocked. 

I also recommend updating to the latest version 2.0.0 from the beta channel as many features have been greatly improved with regards to handshake captures and AP cloning. 

You may also consider attempting this with a few different client devices, as each vendor implements the spec differently so results will vary from device to device. 

Hello Darren, you might want to take a look at the feedback thread for the 2.x beta. At least 2 of us are having incredible difficulty capturing handshakes with the beta.

[jholbrookftl]

On 3/25/2022 at 5:41 AM, unamed said:

Steps to reproduce:

1. Settings -> Advanced -> Alternative Updates -> Setting up Stable Channel 
2. Settings -> Software Update -> Checking updates -> Updating to 1.1.1

I'm getting information The page will automatically refresh when the update is complete with loading spinner. Surprisingly pineapple does not lose connection.

After 10 minutes waiting, loading spinner is still visible.

Is it ok to make faktory reset with these steps?

I too can confirm that the downgrade from within the update section of beta 2.x did not work for me. I had to use the downloaded firmware and manually downgrade through SSH as my results were exactly the same as unamed. My pineapple would never downgrade to 1.1.1, I left it running overnight (not specifically on purpose) and it never finished.

[unamed]

On 3/25/2022 at 10:41 AM, unamed said:

Is it ok to make faktory reset with these steps?

I didn't get answer on that, but I know already that I was able to revert to 1.1.1 by going with these steps (above) but instead of recovery version, I've uploaded 1.1.1 version.

[dark_pyrro]

That (the linked page) is how I do it. Make a factory reset using the recovery image, then upgrade to the latest stable (1.1.1) which should be a part of the setup process that the user is greeted with on first setup after recovery.

[SKiZZ]

On 3/25/2022 at 7:32 AM, unamed said:

Need to mention that Evil Portals downloaded from Github doesn't work as well neither with PineAP (Advanced) Settings nor with Open Access Point.

I believe in the Discord it was mentioned all evil portals will need rewritten for 2.0

[dark_pyrro]

I don't think so. They work for me on the beta, at least the ones provided by Kleo (that is often referred to here in the forums and on Discord). It's some misconfiguration of nginx that results in SSL issues. If configuring nginx to use another config file, the portals work. It's of course possible to change the config file that nginx defaults to, but it's easier to change what config file nginx is using. My guess is that this has nothing to do with the Pineapple beta or the portals. It's because of what OpenWrt have chosen as default config in the upstream package of nginx. See this post and see if it solves things, it does for me at least.