Jump to content

Evil WPA Access Point...


olympus_mons
 Share

Recommended Posts

Hi all,

I am getting very confused with terminology.

When I click PineAP > Access Points, I see three options, they are as follows...

- Management Access Point

- Open Access Point

- Evil WPA Access Point

I have kind of got the Evil Portal module working but I am wondering what the Evil WPA Access Point is for.

The Open Access Point is used with the Evil Portal module but what is the Evil WPA Access Point used for?

Also, what is the purpose of the Management Access Point? I thought this was for managing the Pineapple but I notice management can be done via the Open Access Point.

I am really struggling and the book that came with the Pineapple really does not help.

Thanks in advance,

Link to comment
Share on other sites

The Evil WPA AP is used to try to capture handshakes from STA/clients that are making connect attempts to that AP/ESSID. You won't get the psk/password for the true AP, but you might be able to obtain handshakes that can be used later on to try to crack it and get the plain text psk for that network.

One way of "demoing" it

- Set up an AP using (for example) WPA2-PSK CCMP
- Connect a STA/client to that AP (only set up this specific AP on that device just to make the test/demo a bit easier)
- Do a recon scan using the Pineapple (if you don't want to add the information needed to the Evil AP manually)
- Click on the AP in the recon scan results
- Click "Clone WPA/2 AP" (disable the Evil AP at this point)
- Shutdown the "true" AP
- Enable the Evil AP on the Pineapple (that now should be set up to emulate the "true" AP)
- Try to connect to the Evil AP using the same device that previously was connected to the "true" AP
- See if any handshakes are captured on the Pineapple
- Download the capture files to some PC with Hashcat and/or aircrack-ng (running Kali Linux for example)
- Since you know the psk for this test/demo setup, try to crack it using hashcat (or aircrack-ng) and a wordlist containing the psk in order to verify that the captured handshake is valid

Link to comment
Share on other sites

Many thanks for this, I will give this a go 👍

Sure I saw a video somewhere that showed the pineapple catching the encrypted WPA key and then comparing that captured WPA key to the WPA key manually entered into a captive portal by the user, then if the encrypted WPA keys matched, the user would be redirected back to the actual AP. Or am I talking rubbish?

Link to comment
Share on other sites

Not sure what you refer to when saying "WPA key". If you mean the handshake, it should not be possible to reuse/replay. You need to get hold of the actual psk. But if you can do that in some way, then it's possible to verify if anything obtained from social engineered users is the actual passphrase.

Regarding the management AP, this should be possible to control more in detail with the upcoming 2.0.0 firmware. It's still in beta and the feature to control access to the management interface is experimental.

  • Thanks 1
Link to comment
Share on other sites

12 hours ago, olympus_mons said:

Many thanks for this, I will give this a go 👍

Sure I saw a video somewhere that showed the pineapple catching the encrypted WPA key and then comparing that captured WPA key to the WPA key manually entered into a captive portal by the user, then if the encrypted WPA keys matched, the user would be redirected back to the actual AP. Or am I talking rubbish?

I recently did a video on the Enterprise option in case your interested. I was waiting for a better Beta to do a video on Evil WPA in combination with the Evil Portal. This video will be uploaded within a week.

 

 

Link to comment
Share on other sites

  • 2 weeks later...
On 3/31/2022 at 10:35 PM, dark_pyrro said:

Not sure what you refer to when saying "WPA key". If you mean the handshake, it should not be possible to reuse/replay. You need to get hold of the actual psk. But if you can do that in some way, then it's possible to verify if anything obtained from social engineered users is the actual passphrase.

Regarding the management AP, this should be possible to control more in detail with the upcoming 2.0.0 firmware. It's still in beta and the feature to control access to the management interface is experimental.

apologies for the delayed response and for the poor use of terminology, when I say WPA key I mean the pre shared key users use to connect to the AP.

I am sure I watched a video showing the Pineapple blocking access to the legitimate AP until the user entered the proper / actual pre shared key. The way in which the Pineapple knew the pre shared key being entered was the proper / actual pre shared key was by comparing the pre shared key captured in the handshake with the pre shared key entered by the user. The Pineapple compared the two encrypted values meaning the captured pre shared key still needed to be cracked with aircrack or hashcat etc.

Does this sound familiar?

I think airgeddon can do this, its an Evil Twin AP as opposed to an Evil Portal. I am just not sure how useful and Evil Portal will be during a pentest, however, I feel an Evil AP / Rogue AP will be very useful...

Edited by olympus_mons
more detail added
Link to comment
Share on other sites

Every tool has its purpose. In any way, you have to refer to that video to be able to see it all in its context and get the full picture of the methodology used. I have seen a lot of videos over the years about the Pineapple, but can't recall anything that is similar to what you are describing. That doesn't mean it's not out there though, I may have missed watching some or just don't remember. The only thing that vaguely rings a bell is that Kody did some video (Null Byte), but that didn't involve a Pineapple as I remember it off the top of my head.

  • Thanks 1
Link to comment
Share on other sites

2 hours ago, dark_pyrro said:

Every tool has its purpose. In any way, you have to refer to that video to be able to see it all in its context and get the full picture of the methodology used. I have seen a lot of videos over the years about the Pineapple, but can't recall anything that is similar to what you are describing. That doesn't mean it's not out there though, I may have missed watching some or just don't remember. The only thing that vaguely rings a bell is that Kody did some video (Null Byte), but that didn't involve a Pineapple as I remember it off the top of my head.

which video are you referring to please? I do not have the enterprise pineapple, I just have the normal mark 7, will the content of the video still apply?

Link to comment
Share on other sites

No one else, except Hak5, have access to the Pineapple Enterprise since it's not released to market yet.

I haven't got any link to a specific video. I just seem to remember that I've seen something that is similar to what you describe, although it's not exactly the same since what you are trying to describe shouldn't work without additional actions.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...