top of page
Writer's pictureDiv0 Blog Editor

WiFi Pineapple — First Impression

Here is the review of the WiFi pineapple. Because there are simply too many awesome avenues to explore on the WiFi Pineapple I will touch on just 3 items.

First look at the WiFi Pineapple

  • Built on the Atheros AR9331 SoC running at 400 MHz (2x speed of previous models)

  • 802.11 b/g/n 150 Mbps wireless

  • 2x Ethernet, one with PoE (Power-Over-Ethernet)

  • USB 2.0 for expanded storage, WiFi Interfaces and Mobile Broadband

  • Fast Linux Kernel 3.2-based Jasager firmware (built on OpenWRT).

The 3 "Features" covered in this post are:

  1. Karma

  2. Tethering with Android Cellphone

  3. SSL Strip

Powering it up

The 1st thing you have to do is to connect the Pineapple to a power source. There are 5 supported types of source. You can hook this up to a wall AC adapter socket, USB to PC, PPoE, solar panels or you could (simply) hook this up via a USB rechargeable battery pack. Yes, essentially this WiFi pineapple is meant to be mobile. Making yourself a moving target.

It can be done using a battery pack. For the connector, I used a 2.5 inch Ext HDD Twin Head USB connector.


Note: This setup is called a "Back feed" and it is not recommended, so please don't try this at home. You are supposed to use a USB to DC 5.5mm barrel connector available at the HakShop but I recommend you save the money and solder one yourself ...

It takes only about half a minute for the thing to load, after which you should be able to find a network named "pineapple".

Phone Home

After connecting to the unsecured pineapple network. You are given the option to connect to it via SSH or using a web browser.

This is how it looks like in the web browser after navigating to http://172.16.42.1/pineapple.

Or if you prefer to SSH, you can ssh root@172.16.42.1.

Karma

With "Karma" enabled, a wireless access point (AP) is created and responds to all probe requests from wireless client. So if a probe request for SSID "LOLnetwork" is sent, the WiFi Pineapple AP will respond with "Yes, I am LOLNetwork" and the client will link up with the malicious WiFi Pineapple.

Karma is already installed on your WiFi Pineapple. It is right at the home page. Simply click "enable" to get started.

You will know Karma is running when you see this bunny.

Karma In Action

On my Android phone, I created a probe request by creating a random network called "lolnetwork".

As soon as the connection setup was done, I found myself being connected to the network already (No questions asked).

Sounds interesting? But it has limitations in the real world.


I found that the client must probe for an unsecured wireless network before an automatic connection takes place. Meaning if the client/victim probes for "LOLnetwork" with a WEP passphrase, an automatic connection will not be made. What will happen is that the victim will see an unsecured WiFi network named "LOLnetwork". Hopefully, upon seeing the familiar network and ignoring that it is an unsecured network, he/she connects to it anyway. Sometimes it helps by naming your SSID something meaningful like "Starbucks", even if the victim does not fall into the first trap, he/she might fall into the Starbucks trap.

Disclaimer: I have not tried this out in real life, this is only a theory.

Tethering with Android Cellphone

The most important part of making your WiFi trap like the real deal is to make sure it has Internet Connection. There are many ways to do this. You can do it via Ethernet to PC, WiFi to PC, Android USB Tethering, Mobile Broadband and WiFi relay. However, I will only be doing an Android USB Tethering demo. Why? Because I find this the most practical and convenient configuration.

Connect your Android phone to your WiFi Pineapple and enable Tethering.

After doing so, return to your WiFi Pineapple web interface. You should see something like this indicating that a USB device is connected.

Note: I have removed my MAC address and IP address where the red boxes were supposed to be.


After this is done, you will need to forward the packets from clients to and from the USB. You will need to use iptables for this.

Because the rules are not persistent, and I hate to type the same commands over and over again. I have written a script to do this. Simply via a script when you are in SSH.

#!/bin/bash
iptables -t nat -A POSTROUTING -s 172.16.42.0/24 -o usb0 -j MASQUERADE
iptables -A FORWARD -s 172.16.42.0/24 -o usb0 -j ACCEPT
iptables -A FORWARD -d 172.16.42.0/24 -m state --state ESTABLISHED,RELATED -i usb0 -j ACCEPT

Note: To use iptables you will need root access, hence you will need to SSH into the WiFi Pineapple via root@172.16.42.1


After this is done, your clients/victims should be able to access the Internet once he/she is connected to your WiFi Pineapple.

SSLStrip

SSLStrip is a module in the Wifi Pineapple. You can simply navigate to "Pineapple Bar" to install this module.

SSLStrip is a tool to hijack HTTP traffic, watch for HTTPS links and redirects, then map those links into either lookalike HTTP links or homograph-similar HTTPS links on a network. It is a tool that is not just available on WiFi Pineapple. You can run it on your computer too.

Get SSL Strip by Moxie Marlinspike: https://github.com/moxie0/sslstrip

"SSL Strip is based around a man-in-the-middle attack, where the system for redirecting people from the insecure to the secure version of a web page is abused. By acting as a man-in-the-middle, the attacker can compromise any information sent between the user and the supposedly secure webpage."

In short, it strips off the HTTPS allowing you to monitor usernames and passwords in plaintext.

The important thing you need to know about installing SSL Strip on your WiFi Pineapple is that you need an external storage. A USB thumb drive should do the trick.

Erm, wait ... my USB slot is already taken up by my Android device, how do I connect another USB thumb drive?

The solution lies in a USB Hub.

But before you plug the USB thumb drive in, make sure you format your thumb drive into an Ext4 format. A FAT32 format does not work with WiFi Pineapple. Just follow the set of instructions given in the Handbook or visit: http://forums.hak5.org/index.php?/topic/25882-how-to-enable-usb-mass-storage-with-swap-partition/

Installing SSL Strip

Installing the SSL Strip module is really simple. I shall not dwell too much on installing it, instead visit the link below. Dan Harper's tutorial: http://hakinthebox.blogspot.sg/2012/06/you-just-cant-trust-wireless-covertly.html

After installing, you should see a page like this from your "http://172.16.42.1/pineapple" control panel webpage. Click on enable and you are ready to go!

Time to Strip

Assuming that you have already installed SSLStrip on your Pineapple device (following the instructions above), it is time for a test drive. Allow a volunteered victim to connect to your fake network and allow him/her to use your Internet connection to check their Facebook, emails, etc.

Dropbox It works!

Do you notice that the HTTPS is no longer there?

Meanwhile on the attacker's machine. Username and Password Revealed!

Yahoo! It works!

Again, do you notice that the HTTPS is no longer there?

Meanwhile on the attacker's machine. Username and Password Revealed!

Gmail It may not work

If you realise, I am using a Chrome Browser for this demo. If I type "gmail.com" into my browser's URL, the browser will force a HTTPS connection. Since, SSL Strip is enabled and does not allow a HTTPS connection to go through. The browser simply will return a blank page.

But if I am using a Firefox browser:

It goes through and the HTTPS is no longer there! Again, the username and password reveal.

Countermeasures

To prevent yourself from being a victim, make sure you always "force" an SSL tunnel especially when you are logging in. Not having the "HTTPS" in your URL means that you are leaving your data transmission in plaintext (very dangerous). I would recommend the use of a VPN especially if you are using a foreign/unsecured/untrusted network. Although a VPN would render such an attack useless, I would still advise WiFi users to stick to networks that they can trust and avoid all unsecured Wireless Networks altogether. Prevention is still better than a cure.


Besides, once you are in an attacker's network you are subjected to a whole range of exploits. Think of it as being ambushed on your enemy's home ground.

This is what happens when you use a VPN with SSL Strip:

The HTTPS will still show up and no password will be revealed on the attacker's machine/WiFi pineapple. However, I realised that I could not maintain a steady connection on a network with SSL Strip with a VPN running. I found myself getting disconnected from the network after a while.

For those who intend to use the WiFi Pineapple for malicious intent. Allow me to do a revision on the Computer Misuse Act.

Computer Misuse Act

Unauthorised access to computer material

3. — (1) Subject to subsection (2), any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both.

(2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both.

(3) For the purposes of this section, it is immaterial that the act in question is not directed at — (a) any particular program or data; (b) a program or data of any kind; or (c) a program or data held in any particular computer.

Unauthorised use or interception of computer service

6. — (1) Subject to subsection (2), any person who knowingly —

(a) secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service;

(b) intercepts or causes to be intercepted without authority, directly or indirectly, any function of a computer by means of an electro-magnetic, acoustic, mechanical or other device; or

(c) uses or causes to be used, directly or indirectly, the computer or any other device for the purpose of committing an offence under paragraph (a) or (b),shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.

(2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both.

(3) For the purposes of this section, it is immaterial that the unauthorised access or interception is not directed at — (a) any particular program or data; (b) a program or data of any kind; or (c) a program or data held in any particular computer.

Conclusion

The WiFi Pineapple is really an awesome tool for WiFi enthusiasts. I would definitely recommend this to anyone who wants to play around with 802.11 security. There is much to explore in this tool and it is relatively inexpensive. You just have to make sure that you do not use it for malicious stuff. The only problem experienced so far is that it hangs/freezes from time to time. Do not expect this "toy" to be as reliable as your enterprise router. To prevent the WiFi Pineapple from overheating, I recommend it placed in a shaded and well-ventilated location.

Until next time, Hack Responsibly.

 

Shared by Andre Ng, First Mate of Div0.

271 views0 comments

Comments


Post: Blog2_Post
bottom of page