
Remote Access to Pineapple unit itself


Anteros


That doesn't say anything specific about what chipset it is (other than from that Windows driver numbering, and some imagination, could link it to being a RTL8153 based adapter). There is a Corechip SR9900 though (not SR990) that is a 10/100 adapter and seems to be based on RTL 8152. What is the output of the lsusb command when you have the adapter plugged in to the Pineapple?


Posted (edited)
31 minutes ago, dark_pyrro said:

That doesn't say anything specific about what chipset it is (other than from that Windows driver numbering, and some imagination, could link it to being a RTL8153 based adapter). There is a Corechip SR9900 though (not SR990) that is a 10/100 adapter and seems to be based on RTL 8152. What is the output of the lsusb command when you have the adapter plugged in to the Pineapple?

RTL8153 chipset.

 


Edited by Anteros

Posted (edited)

Yeah, the wifi management portal came back, so I guess it's a bit flaky.

"lsusb -v" yields verbose info...

Bus 001 Device 006 is the USB->Ethernet adapter:

 

Quote

Bus 001 Device 006: ID 0bda:8153 Realtek USB 10/100/1000 LAN
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.10
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x0bda 
  idProduct          0x8153 
  bcdDevice           30.00
  iManufacturer           1 Realtek
  iProduct                2 USB 10/100/1000 LAN
  iSerial                 6 000001
  bNumConfigurations      2
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0027
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              350mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 
      bInterfaceSubClass    255 
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0002  1x 2 bytes
        bInterval               8
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0050
    bNumInterfaces          2
    bConfigurationValue     2
    iConfiguration          0 
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              350mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 
      bInterfaceSubClass      6 
      bInterfaceProtocol      0 
      iInterface              5 CDC Communications Control
      CDC Header:
        bcdCDC               1.10
      CDC Union:
        bMasterInterface        0
        bSlaveInterface         1 
      CDC Ethernet:
        iMacAddress                      3 00E04C6836A2
        bmEthernetStatistics    0x00000000
        wMaxSegmentSize               1514
        wNumberMCFilters            0x0000
        bNumberPowerFilters              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0010  1x 16 bytes
        bInterval               8
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass        10 
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              0 
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       1
      bNumEndpoints           2
      bInterfaceClass        10 
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              4 Ethernet Data
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
Binary Object Store Descriptor:
  bLength                 5
  bDescriptorType        15
  wTotalLength       0x000c
  bNumDeviceCaps          1
  USB 2.0 Extension Device Capability:
    bLength                 7
    bDescriptorType        16
    bDevCapabilityType      2
    bmAttributes   0x00000006
      BESL Link Power Management (LPM) Supported
can't get debug descriptor: Resource temporarily unavailable
Device Status:     0x0000
  (Bus Powered)

 

Edited by Anteros
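Added example, not part of the original posts: a short Python parser for the `lsusb -v` output above that extracts the vendor:product ID and labels each configuration's interfaces by USB class code, showing that this adapter exposes a vendor-specific configuration and a standard CDC Ethernet one. The function names and the trimmed sample are assumptions made for the example.

```python
import re

# Excerpt trimmed from the `lsusb -v` output in the post above (same values, fewer fields).
SAMPLE = """\
Bus 001 Device 006: ID 0bda:8153 Realtek USB 10/100/1000 LAN
  Configuration Descriptor:
    bConfigurationValue     1
    Interface Descriptor:
      bInterfaceClass       255
      bInterfaceSubClass    255
  Configuration Descriptor:
    bConfigurationValue     2
    Interface Descriptor:
      bInterfaceClass         2
      bInterfaceSubClass      6
      CDC Ethernet:
        iMacAddress                      3 00E04C6836A2
    Interface Descriptor:
      bInterfaceClass        10
      bInterfaceSubClass      0
"""

def classify(cls, sub):
    """Map USB-IF interface class/subclass codes to a short label."""
    if cls == 0xFF:
        return "vendor-specific"
    if cls == 0x02 and sub == 0x06:
        return "CDC-ECM control"
    if cls == 0x0A:
        return "CDC data"
    return "other"

def parse_lsusb(text):
    """Collect the device ID, CDC MAC string and per-configuration interfaces."""
    dev = {"id": None, "mac": None, "configs": {}}
    cfg = iface = None
    for line in text.splitlines():
        m = re.match(r"Bus \d+ Device \d+: ID ([0-9a-f]{4}:[0-9a-f]{4})", line)
        if m:
            dev["id"] = m.group(1)
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        key, val = parts[0], parts[1]
        if key == "bConfigurationValue":
            cfg = dev["configs"].setdefault(int(val), [])
            iface = None
        elif key == "bInterfaceClass" and cfg is not None:
            iface = {"class": int(val), "sub": None}
            cfg.append(iface)
        elif key == "bInterfaceSubClass" and iface is not None:
            iface["sub"] = int(val)
        elif key == "iMacAddress" and len(parts) >= 3:
            dev["mac"] = parts[2]
    return dev

def summarize(dev):
    """Return {configuration number: sorted interface labels}."""
    return {n: sorted({classify(i["class"], i["sub"]) for i in ifaces})
            for n, ifaces in dev["configs"].items()}

if __name__ == "__main__":
    dev = parse_lsusb(SAMPLE)
    print(dev["id"], dev["mac"], summarize(dev))
```
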

39 minutes ago, dark_pyrro said:

If it's RTL8153 based, it should be possible to connect the Pineapple as a client to a network using that adapter.

As stated here: https://docs.hak5.org/wifi-pineapple/faq/establishing-an-internet-connection/configuring-a-usb-ethernet-adapter

So it looks like it should just be "on" when plugged in. I have the ethernet adaptor with a USB-A -> USB-C adapter going into the USB-A socket of the pineapple, and with an ethernet cable plugged into a switch, and the router, but this is on the 192.168.1.* internal LAN, not using a 172.16.24.* address as seems to be required by the Pineapple. The ethernet lights come on, but no wired connection seems to be available.


The Pineapple will obtain an address from the network to which you connect the Pineapple (using the Type A port and a USB Ethernet adapter), just like it does when you connect it to a wireless network as a client using the wlan2 interface of the Pineapple. If you haven't got any DHCP daemon running on the network, you need to set a static IP address for the USB adapter that is within the IP range of the network to which the Pineapple is connected.


2 hours ago, dark_pyrro said:

The Pineapple will obtain an address from the network to which you connect the Pineapple (using the Type A port and a USB Ethernet adapter), just like it does when you connect it to a wireless network as a client using the wlan2 interface of the Pineapple. If you haven't got any DHCP daemon running on the network, you need to set a static IP address for the USB adapter that is within the IP range of the network to which the Pineapple is connected.

The wired connection does connect, but as with the wifi, it's a bit flaky, as if the unit itself or the GUI at least, seizes up, and eventually comes back. Doesn't seem to be the connection, although I found that by moving antennae I could see the management SSID. I have an ESSID running, but it doesn't seem to work properly - doesn't forward to the portal, or even connect usually.


21 minutes ago, dark_pyrro said:

What AP? The open one? When saying "portal", are you referring to the evil portal module?

The portal means the fake portal that is activated in the evil portal module.

On laptop, it went to msftconnect, then to msn rather than the portal; on smartphone once only it displayed a page with "evil portal" and information about the phone on it. Since then, I haven't been able to connect to it successfully. 


26 minutes ago, dark_pyrro said:

So, this isn't on the "not working" list any longer. Good to know, to not need to spend time on things that work...

Correct, but, it gets a DHCP address, and when inside the box you can see it seeming to come and go, and then I lost connection and haven't been able to reconnect via ethernet since, and even after a couple of reboots. I made connection with wifi once, then connection lost again, and it's right next to the laptop. Not sure how helpful moving antennae is. The laptop is a new-ish one.


1 hour ago, Anteros said:

it displayed a page with "evil portal" and information about the phone on it

From that input, I assume you have made some portal yourself, not downloaded any pre-made portals (such as the Kleo ones). If the Evil Portal module is started with an activated portal, the module should force the connected client to the portal page since it shouldn't be able to go anywhere else based on iptables rules that are added when the Evil Portal is enabled/running. If the connected client hasn't been added (the IP), the selected portal should be presented to the client if connected to the correct AP.

1 hour ago, Anteros said:

I made connection with wifi once, then connection lost again, and it's right next to the laptop.

Don't position a wireless client too close to an AP. It won't do things better, rather the opposite in most cases.


On 8/27/2024 at 3:01 PM, dark_pyrro said:

From that input, I assume you have made some portal yourself, not downloaded any pre-made portals (such as the Kleo ones). If the Evil Portal module is started with an activated portal, the module should force the connected client to the portal page since it shouldn't be able to go anywhere else based on iptables rules that are added when the Evil Portal is enabled/running. If the connected client hasn't been added (the IP), the selected portal should be presented to the client if connected to the correct AP.

Don't position a wireless client too close to an AP. It won't do things better, rather the opposite in most cases.

No the portals are from a couple of github sources, including the kleo ones.

I am now in a hotel in a different country completely, and I have the pineapple with me... I still can only connect via USB. 

I moved the pineapple across the room, but unable to log in. Both the laptop and the pineapple seem to be retaining AP info from the previous country.

I will keep adjusting things methodically until I get reliable access. I brought the same usb-ethernet adapter to try that out when I find a wired socket I can use.


2 hours ago, Anteros said:

the pineapple seem to be retaining AP info from the previous country

Not exactly sure what you mean when saying that, but if you see the APs in the air that are the same as the ones you had in your previous location, then it sounds like you are capturing ESSIDs to pool and actively broadcasting that pool wherever the Pineapple is located (since it seems highly unlikely that the same APs/ESSIDs would be active in two different locations in two different countries even). If so, I'd suggest turning off ESSID pool broadcasting/impersonation until you get the other issues sorted. The Pineapple isn't a "turn on everything" device. It should ideally be focused on one (1) task at a time based on the engagement at hand.


Posted (edited)
On 8/29/2024 at 10:53 AM, dark_pyrro said:

Not exactly sure what you mean when saying that, but if you see the APs in the air that are the same as the ones you had in your previous location, then it sounds like you are capturing ESSIDs to pool and actively broadcasting that pool wherever the Pineapple is located (since it seems highly unlikely that the same APs/ESSIDs would be active in two different locations in two different countries even). If so, I'd suggest turning off ESSID pool broadcasting/impersonation until you get the other issues sorted. The Pineapple isn't a "turn on everything" device. It should ideally be focused on one (1) task at a time based on the engagement at hand.

Yes it was that.

Another lingering problem is that with the Pineapple powered on, I can see the WiFi management SSID with an android phone, but I can't see it with the laptop.

The unit is without the 5G add on at the moment, so it's only 2.4GHz, and I would expect the laptop to be more likely to see it, and have no trouble logging in.

After a few minutes I could finally see the management code.

I am now in yet another geographical location, that is isolated from most signals. The impersonation is turned off. I still see SSIDs from the previous two countries.

 

Then it appears, and I can't get in.


but I bet I can via the USB cable direct to a laptop... so what is that all about? it seems to be very difficult to connect to the pineapple by wifi and impossible to get internet into it via wired connection.

 

Alright, there was some impersonation of captured SSIDs on, so I've turned that off, with the pineapple connected via USB. 

Just combing through it turning anything off that looks like it might be an issue, before trying to log in again via WiFi.

 

Update...

I think I solved the problem... it's that the management wifi SSID has to be added to the filter allow page... at least that seems to be most likely of all the things I changed... I did a scan, and added it from there.

not sure about the wired ethernet connection yet, but I have no suitable access for that now (or usually), so less of a priority.

Edited by Anteros

On 8/30/2024 at 3:15 PM, Anteros said:

Update...

I think I solved the problem... it's that the management wifi SSID has to be added to the filter allow page... at least that seems to be most likely of all the things I changed... I did a scan, and added it from there.

That's crazy.


15 minutes ago, DramaKing said:

That's crazy.

It's what happened... what's supposed to happen? I could log into it before a couple of times, very flaky, lost access soon after, and nothing since... then I did a scan, saw my own management SSID and added it to the allow filter, and bang, I can get in every time, like flicking a switch... [shrug]

The implication at the moment is that if I want to put the pineapple somewhere, and remote into it, I should probably have it plugged into a small computer like a NUC or Pi, and maybe have a router connected too, like a triangle of devices, and plug into the wall in a building, or if outside, with maybe a tiny UPS or battery or an adapter to connect to a car power source like for USB phone chargers, all in a small pelicase (with some glands for antennas and cables) perhaps, then it should be quite robust, in terms of having more than one way into it.

Edited by Anteros

If you have an Open AP, and you set MAC address allow list filtering... is the MAC address of the device you connect with, visible through the ISP gateway at some point?

I found that randomised MAC addresses just don't get through, even when you list them, I assume it just generates a new one each time, so you would need a stable spoofed MAC if you wanted to not have to put the real MAC on the allow list.


2 hours ago, Anteros said:

If you have an Open AP, and you set MAC address allow list filtering... is the MAC address of the device you connect with, visible through the ISP gateway at some point?

I found that randomised MAC addresses just don't get through, even when you list them, I assume it just generates a new one each time, so you would need a stable spoofed MAC if you wanted to not have to put the real MAC on the allow list.

If you're using allow list filtering, you need to disable randomized MAC addresses. Routers strip out Layer 2 headers and re-encapsulate each packet in a new frame with new source and destination MAC addresses. Are you worried that your device's MAC address would be visible on the Internet if not randomized?
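Added example, not part of the original posts: a Python check that audits a MAC allow list for entries with the locally administered bit set (the bit that randomised/private addresses set), since such an entry only matches until the client generates a new address. All addresses and function names below are constructed for the example.

```python
import re

# Constructed sample data: one stable (universally administered) address,
# one randomised-style (locally administered) address on the allow list.
ALLOW = ["00:00:5E:00:53:10", "DA:A1:19:00:00:01"]
OBSERVED = [
    "00-00-5e-00-53-10",   # stable client, listed
    "DA:A1:19:00:00:01",   # randomised client, matches only while it keeps this address
    "9E:11:22:33:44:55",   # a different randomised address, not listed
    "00:00:5E:00:53:99",   # stable client that was never listed
]

def normalize(mac):
    """Return a MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def audit_allow_list(allow_list, observed):
    """Return (unstable allow-list entries, [(observed MAC, verdict), ...])."""
    allowed = {normalize(m) for m in allow_list}
    unstable = sorted(m for m in allowed if is_locally_administered(m))
    report = []
    for mac in observed:
        n = normalize(mac)
        if n in allowed:
            verdict = "allowed"
        elif is_locally_administered(n):
            verdict = "blocked (randomised address, not on list)"
        else:
            verdict = "blocked (not on list)"
        report.append((mac, verdict))
    return unstable, report

if __name__ == "__main__":
    unstable, report = audit_allow_list(ALLOW, OBSERVED)
    print("allow-list entries that will stop matching after re-randomisation:", unstable)
    for mac, verdict in report:
        print(f"{mac}  {verdict}")
```
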


31 minutes ago, DramaKing said:

If you're using allow list filtering, you need to disable randomized MAC addresses. Routers strip out Layer 2 headers and re-encapsulate each packet in a new frame with new source and destination MAC addresses. Are you worried that your device's MAC address would be visible on the Internet if not randomized?

Not the internet. The question is really...

"if you connect the pineapple to someone else's switch that is connected to someone else's internet, and set the OpenAP to allow only a fixed range of MAC addresses, can those MAC addresses be seen by the someone else (whose internet connection it is) as they connect to the internet, in the same way that the pineapple (and other tools) can scan around and see the MAC addresses and other bits of device information for devices using the internet connection?"

The reason for using MAC randomisation is to mitigate against this, and if you can't do it with the pineapple, using it like a wifi dongle, then that is useful to know.

If it were possible to spoof your MAC all the way through, and get access to the internet in that way, then that's also useful to know.


52 minutes ago, Anteros said:

Not the internet. The question is really...

"if you connect the pineapple to someone else's switch that is connected to someone else's internet, and set the OpenAP to allow only a fixed range of MAC addresses, can those MAC addresses be seen by the someone else (whose internet connection it is) as they connect to the internet, in the same way that the pineapple (and other tools) can scan around and see the MAC addresses and other bits of device information for devices using the internet connection?"

The reason for using MAC randomisation is to mitigate against this, and if you can't do it with the pineapple, using it like a wifi dongle, then that is useful to know.

If it were possible to spoof your MAC all the way through, and get access to the internet in that way, then that's also useful to know.

I'm going to say no, and the reason for that is that the WiFi Pineapple is not a simple range extender or repeater. It's a router. The Open AP uses a separate subnet, much different from a USB dongle. The only MAC address that will come from the Pineapple on the client's LAN is the Pineapple's client address. In fact, the 802.11 only allows for one MAC address per session. I actually don't know how a range extender relays frames from clients without using its own MAC address.


I think the pineapple might be visible in some way, if it's not broadcasting its MAC address or loads of collected SSIDs, it might show up as a spike in traffic.

Is there a way to:

a. make the Pineapple behave like a USB WiFi dongle

b. change the MAC address that is broadcast by the Open AP? It looks like you could just enter another one in the BSSID field, so if you found a device you wanted to mimic, in case of MAC whitelisting, you can enter a MAC of another device.

 
