Division Zero (Div0). Copyright © 2011-2018

All rights reserved.

WiFi Pineapple - First Impression

19 Aug 2012

Alright, here is the review of the WiFi Pineapple. Because there are simply too many awesome avenues to explore on the WiFi Pineapple I will touch on just three items (sorry folks!). But before I jump into the three topics, here are some pics and the specs of the WiFi Pineapple.

First look at the WiFi Pineapple
  • Built on the Atheros AR9331 SoC running at 400 MHz (2x speed of previous models)

  • 802.11 b/g/n 150 Mbps wireless

  • 2x Ethernet, one with PoE (Power-Over-Ethernet)

  • USB 2.0 for expanded storage, WiFi Interfaces and Mobile Broadband

  • Fast Linux Kernel 3.2-based Jasager firmware (built on OpenWRT).

Yes, it is built on OpenWRT. More information here: https://openwrt.org/

Where can I buy le Pineapple?  - http://hakshop.myshopify.com/products/wifi-pineapple

 

The 3 "Features" covered in this post are:

  1. Karma

  2. Tethering with Android Cellphone

  3. SSL Strip

 

Powering it up

The first thing you have to do is connect the Pineapple to a power source. Five kinds of source are supported: a wall AC adapter, USB from a PC, PoE, a solar panel, or (simplest of all) a rechargeable USB battery pack. Yes, the WiFi Pineapple is meant to be mobile, making you a moving target.

It can be done with a battery pack. For the connector, I used a 2.5-inch external HDD twin-head USB cable.

Note: This setup is called a "back feed" and it is not recommended, so please don't try this at home. You are supposed to use the USB-to-DC 5.5 mm barrel connector available from the HakShop, but I recommend you save the money and solder one yourself ...

Sorry guys, it does not support nuclear power yet. The good news is that it takes only about half a minute to boot, after which you should be able to find a wireless network named "pineapple".

Phone Home

After connecting to the unsecured "pineapple" network, you can manage the device either over SSH or from a web browser.

This is how it looks in a web browser after navigating to http://172.16.42.1/pineapple.

Or, if you prefer SSH, log in with ssh root@172.16.42.1

Karma

Learn more about Karma here: https://www.offensive-security.com/metasploit-unleashed/karmetasploit/

 

With Karma enabled, the Pineapple's access point answers every directed probe request it hears. So if a client sends a probe request for the SSID "LOLnetwork", the Pineapple replies "Yes, I am LOLnetwork" and the client associates with the malicious access point. Phones and laptops probe for every network they remember, which is what gives Karma its leverage.

Karma is already installed on your WiFi Pineapple; it is right on the home page. Simply click "enable" to get started.

You will know Karma is running when you see this bunny.

Moving back to the Victim - My Android Phone

First I create a probe request by adding a random network called "lolnetwork" on the phone.

As soon as the setup was done, I found the phone already connected to the network (no questions asked).

Sounds interesting? But it has limitations in the real world.


After trying it out, I found that the client must probe for an unsecured (open) wireless network before an automatic connection takes place. That is, if the client/victim probes for "LOLnetwork" as a WEP-protected network, no automatic connection is made; the victim instead sees an unsecured WiFi network named "LOLnetwork". Hopefully, upon seeing the familiar name and ignoring that it is now unsecured, he or she connects to it anyway. It also helps to name your own SSID something meaningful like "Starbucks": even if the victim does not fall into the first trap, he or she might fall into the Starbucks trap.

Disclaimer: I have not tried this out in real life, this is only a theory.
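The probe request / probe response exchange that Karma abuses, as an added example that is not part of the original post or of the Pineapple firmware. It hand-builds 802.11 management frames, answers any directed probe with a probe response that claims the requested SSID as an open network, and includes a deliberately simplified client rule (an assumption, not a real supplicant) for why a WEP/WPA profile is not auto-joined. The MAC addresses and channel are made up; nothing is transmitted.

```python
"""Toy model of what Karma does with 802.11 probe requests (added example).
Frames are built by hand and never sent; MACs and channel are constructed."""
import struct

MGMT, PROBE_REQ, PROBE_RESP = 0, 4, 5
BROADCAST = b"\xff" * 6
IE_SSID, IE_RATES, IE_DS = 0, 1, 3
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010
RATES_1_2_5_11 = bytes([0x82, 0x84, 0x8B, 0x96])


def _fc(subtype):
    """Frame control: protocol version 0, type in bits 2-3, subtype in bits 4-7."""
    return struct.pack("<H", (MGMT << 2) | (subtype << 4))


def _ie(eid, payload):
    """Tagged parameter: element id, length, value."""
    return bytes([eid, len(payload)]) + payload


def build_probe_request(ssid, client_mac):
    """Directed probe request as a client sends it for a remembered network
    (constructed sample; the SSID inside is what Karma keys on)."""
    hdr = _fc(PROBE_REQ) + b"\x00\x00" + BROADCAST + client_mac + BROADCAST + b"\x00\x00"
    return hdr + _ie(IE_SSID, ssid.encode()) + _ie(IE_RATES, RATES_1_2_5_11)


def _parse_ies(buf):
    ies, off = {}, 0
    while off + 2 <= len(buf):
        eid, ln = buf[off], buf[off + 1]
        ies[eid] = buf[off + 2: off + 2 + ln]
        off += 2 + ln
    return ies


def parse_mgmt(frame):
    """(subtype, transmitter MAC, body) of a management frame, else None."""
    if len(frame) < 24:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != MGMT:
        return None
    return (fc >> 4) & 0xF, frame[10:16], frame[24:]


def karma_respond(frame, bssid, channel=6):
    """What Karma does: answer any directed probe with 'yes, I am <ssid>'.
    A wildcard probe (empty SSID) gets nothing; there is no name to claim."""
    parsed = parse_mgmt(frame)
    if parsed is None or parsed[0] != PROBE_REQ:
        return None
    _, client, body = parsed
    ssid = _parse_ies(body).get(IE_SSID, b"")
    if not ssid:
        return None
    hdr = _fc(PROBE_RESP) + b"\x00\x00" + client + bssid + bssid + b"\x00\x00"
    # timestamp, beacon interval, capabilities: ESS set, Privacy clear = open network
    fixed = struct.pack("<QHH", 0, 100, CAP_ESS)
    return hdr + fixed + _ie(IE_SSID, ssid) + _ie(IE_RATES, RATES_1_2_5_11) + _ie(IE_DS, bytes([channel]))


def advertised(frame):
    """(ssid, privacy_bit_set) from a probe response, else None."""
    parsed = parse_mgmt(frame)
    if parsed is None or parsed[0] != PROBE_RESP:
        return None
    body = parsed[2]
    (caps,) = struct.unpack_from("<H", body, 10)
    return _parse_ies(body[12:]).get(IE_SSID, b"").decode(), bool(caps & CAP_PRIVACY)


def client_autojoins(profile_is_open, response):
    """Simplified model (assumption) of what the post observed: the client
    auto-joins only when the saved profile's security matches what is
    advertised, so a WEP/WPA profile is not fooled by an open network of
    the same name. Real supplicants compare more than this one bit."""
    adv = advertised(response)
    return adv is not None and profile_is_open and not adv[1]
```

The `client_autojoins` rule is the whole limitation in one line: Karma can only ever advertise an open network, so the saved profile has to be open for the join to happen silently.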

 

Tethering with Android Cellphone

The most important part of making your WiFi trap look like the real deal is giving it an Internet connection. There are many ways to do this: Ethernet to a PC, WiFi to a PC, Android USB tethering, mobile broadband, or a WiFi relay. I will only demonstrate Android USB tethering, because I find it the most practical and convenient configuration.

Connect your Android phone to the WiFi Pineapple's USB port and enable USB tethering on the phone (I am so glad I did not buy an iPhone).

After doing so, return to the WiFi Pineapple web interface. You should see something like this, indicating that a USB device is connected.


Note: I have removed my MAC address and IP address where the red boxes are supposed to be.

After this is done you need to get your clients' packets out through the USB interface and the replies back in. That takes iptables: enable IP forwarding and masquerade (NAT) the wireless clients' traffic onto the tethering interface.

Because the rules are not persistent and I hate typing the same commands over and over again, I have written a script to do this. Simply run the script when you are in SSH.

Note: To use iptables you need root access, so you will need to SSH into the WiFi Pineapple as root@172.16.42.1.

After this is done, your clients (victims) should be able to access the Internet once connected to your WiFi Pineapple.
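The forwarding and NAT setup described above, as an added example; this is not the post's own script. The interface names are assumptions (wlan0 for the Pineapple's access point, usb0 for the phone's tethering interface; check with ifconfig), and it assumes Python is present on the Pineapple, which is the case once the SSLstrip module and its dependencies are installed to USB storage. The usb0 interface still needs an address from the phone; this only handles forwarding.

```python
"""Push wireless clients' traffic out through a USB-tethered Android phone.
Added example, not the post's own script.  Interface names are assumptions
(wlan0 = the Pineapple's access point, usb0 = the phone's tethering
interface).  Run as root on the Pineapple:
    python tether.py wlan0 usb0 [--dry-run]
"""
import subprocess
import sys


def nat_rules(lan_if, wan_if):
    """(table, chain, rule) triples, in the order they should exist."""
    return [
        # Rewrite clients' source addresses to the phone-side address on the way out.
        ("nat", "POSTROUTING", ["-o", wan_if, "-j", "MASQUERADE"]),
        # Let anything from the AP side go out to the phone ...
        ("filter", "FORWARD", ["-i", lan_if, "-o", wan_if, "-j", "ACCEPT"]),
        # ... and only replies to those connections come back in.
        ("filter", "FORWARD", ["-i", wan_if, "-o", lan_if,
                               "-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"]),
    ]


def plan(lan_if, wan_if):
    """Ordered argv list.  Every rule is deleted before it is appended, so
    re-running the script (the rules do not survive a reboot) never stacks
    duplicate rules; -D works on any iptables, unlike the newer -C check."""
    cmds = [["sysctl", "-w", "net.ipv4.ip_forward=1"]]
    for table, chain, rule in nat_rules(lan_if, wan_if):
        base = ["iptables", "-t", table]
        cmds.append(base + ["-D", chain] + rule)
        cmds.append(base + ["-A", chain] + rule)
    return cmds


def apply_plan(cmds, run=subprocess.call):
    """Execute the plan.  A failing -D just means the rule was not there yet;
    any other failure aborts so a half-configured box is not left behind.
    Returns the number of commands executed."""
    done = 0
    for argv in cmds:
        rc = run(argv)
        if rc != 0 and "-D" not in argv:
            raise RuntimeError("command failed (rc=%d): %s" % (rc, " ".join(argv)))
        done += 1
    return done


def _echo(argv):
    """Dry-run stand-in for subprocess.call: print instead of executing."""
    print(" ".join(argv))
    return 0


if __name__ == "__main__":
    dry = "--dry-run" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    lan = args[0] if len(args) > 0 else "wlan0"
    wan = args[1] if len(args) > 1 else "usb0"
    apply_plan(plan(lan, wan), run=_echo if dry else subprocess.call)
```

The delete-then-append dance is what makes the script safe to run after every reboot; without it, each run leaves one more copy of each rule in the chain.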

 

SSL Strip

Here comes the interesting part: stealing passwords with SSLstrip.
Yes! SSLstrip is an official module for the WiFi Pineapple; simply navigate to the "Pineapple Bar" to download it.

SSLstrip is a tool that transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, and maps those links into either look-alike HTTP links or homograph-similar HTTPS links. It only ever sees traffic that starts out as plain HTTP (it is fed by an iptables redirect of the clients' port-80 traffic); a connection the browser opens straight to port 443 never passes through it. It is not only available on the WiFi Pineapple; you can run it on your computer too.

 

Get SSL Strip by Moxie Marlinspike: http://www.thoughtcrime.org/software/sslstrip/

"SSL Strip is based around a man-in-the-middle attack, where the system for redirecting people from the insecure to the secure version of a web page is abused. By acting as a man-in-the-middle, the attacker can compromise any information sent between the user and the supposedly secure webpage."  

- Description taken from: http://www.sindark.com/2009/02/21/the-ssl-strip-exploit/

 

In short, it strips off the HTTPS so you can watch the username and password go by in clear text.

Further Reading

You can download the MITM tool here: http://www.thoughtcrime.org/software/sslstrip/
But I believe the people at Hak5 can explain it further in this YouTube video: HAK5 SSL Strip

Before you Install SSL Strip

The important thing to know about installing SSLstrip on your WiFi Pineapple is that you need external storage. A USB thumb drive like the one below will do the trick.

Erm, wait ... my USB slot is already taken by my Android device, so how do I connect a USB thumb drive as well?

The solution lies in a USB Hub. See Below.

Formatting to Ext4

Before you plug it in, make sure the thumb drive is formatted as ext4. FAT32 does not work with the WiFi Pineapple: the packages need a proper Linux filesystem (permissions, symlinks and a swap partition). Just follow the instructions in the handbook or visit: http://forums.hak5.org/index.php?/topic/25882-how-to-enable-usb-mass-storage-with-swap-partition/

Installing SSL Strip

Installing the SSLstrip module is really simple. I shall not dwell on installing it; instead, visit the link below.

The author, Dan Harper, has done a decent tutorial here: http://hakinthebox.blogspot.sg/2012/06/you-just-cant-trust-wireless-covertly.html

After installing, you should see a page like this in your "http://172.16.42.1/pineapple" control panel. Simply click "enable" and you are ready to go!

Time to strip

Assuming you have already installed SSLstrip on your Pineapple (following the instructions above), it is time for a test drive. Let a volunteer victim connect to your fake network and use your Internet connection to check Facebook, email, etc.

Dropbox - It works!

Do you notice that the HTTPS is no longer there?

Meanwhile on the attacker's machine: username and password revealed!

Yahoo! - It works!

Again, do you notice that the HTTPS is no longer there?

Meanwhile on the attacker's machine: username and password revealed!

Gmail - It may not work

If you look closely, I am using the Chrome browser for this demo. If I type "gmail.com" into the address bar, Chrome goes straight to HTTPS: it ships with Google's own domains on its built-in HSTS list, so it never sends the plain-HTTP request that SSLstrip needs in order to get in the middle. With SSLstrip enabled, the browser in my setup simply returned a blank page.

BUT if I am using a Firefox browser, like the one here on my BackTrack 4, that older Firefox has no HSTS knowledge of the site and happily starts with plain HTTP.

It goes through and the HTTPS is no longer there! Again, the username and password get stolen. See below.
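The downgrade described in the SSLstrip section above and the Chrome-versus-Firefox difference in the Gmail test, as one added example that is not SSLstrip's own code. It models the proxy's two rewrites (HTTPS redirects and links become HTTP, while the proxy itself talks HTTPS to the site) and a browser whose only relevant state is whether it knows the site requires HTTPS. The site, hostname, responses and credentials are all constructed; nothing touches the network.

```python
"""Model of the downgrade SSLstrip performs, and of the HSTS behaviour that
stops it.  Added example, not SSLstrip's own code.  The site, hostname,
responses and credentials are constructed; nothing touches the network."""
import re
from urllib.parse import urlsplit

HOST = "mail.example.com"      # constructed victim site
# (scheme, path) -> (status, headers, body) as the origin server answers.
ORIGIN = {
    ("http", "/"):       ("302 Found", {"Location": "https://%s/login" % HOST}, ""),
    ("https", "/"):      ("302 Found", {"Location": "https://%s/login" % HOST}, ""),
    ("https", "/login"): ("200 OK", {"Strict-Transport-Security": "max-age=31536000"},
                          '<form action="https://%s/auth" method="post">' % HOST),
    ("https", "/auth"):  ("200 OK", {}, "welcome"),
}


class StripProxy:
    """Where the Pineapple's port-80 redirect delivers the victim's HTTP."""

    def __init__(self):
        self.stripped = set()   # paths the victim was told are plain HTTP
        self.captured = []      # form posts seen in the clear

    def _downgrade(self, url):
        self.stripped.add(urlsplit(url).path or "/")
        return "http://" + url[len("https://"):]

    def handle(self, path):
        # Speak HTTPS to the origin for anything already stripped, so the
        # site sees a normal secure client while the victim sees plain HTTP.
        scheme = "https" if path in self.stripped else "http"
        status, headers, body = ORIGIN[(scheme, path)]
        headers = dict(headers)
        headers.pop("Strict-Transport-Security", None)   # never let the policy reach the victim
        if headers.get("Location", "").startswith("https://"):
            headers["Location"] = self._downgrade(headers["Location"])
        body = re.sub(r"https://[^\s\"'<>]+", lambda m: self._downgrade(m.group(0)), body)
        return status, headers, body

    def post(self, path, form):
        self.captured.append((path, dict(form)))      # the credentials, in clear text
        return ORIGIN[("https", path)]


class Browser:
    """Only the part that matters here: whether it will ever talk plain HTTP to HOST."""

    def __init__(self, preloaded_hsts=()):
        self.hsts = set(preloaded_hsts)

    def observe(self, headers, over_tls):
        if over_tls and "Strict-Transport-Security" in headers:   # ignored over plain HTTP
            self.hsts.add(HOST)

    def first_scheme(self):
        return "https" if HOST in self.hsts else "http"


def login_through_mitm(browser, proxy, form):
    """Type the bare hostname, follow redirects, submit the login form.
    Returns what the attacker captured, or None."""
    scheme, path = browser.first_scheme(), "/"
    for _ in range(10):                                  # redirects are bounded
        if scheme == "https":
            status, headers, body = ORIGIN[("https", path)]   # port 443 bypasses the proxy
            browser.observe(headers, over_tls=True)
        else:
            status, headers, body = proxy.handle(path)
            browser.observe(headers, over_tls=False)
        if status.startswith("302"):
            u = urlsplit(headers["Location"])
            scheme, path = u.scheme, u.path
            continue
        m = re.search(r'action="(https?)://[^/"]+(/[^"]*)"', body)
        if m is None:
            return None
        scheme, path = m.group(1), m.group(2)
        if scheme == "https":
            return None              # form posted over TLS; the proxy never sees it
        proxy.post(path, form)
        return proxy.captured[-1]
    return None
```

The same model also shows the weak spot of header-only HSTS: a browser that has never reached the site over a trusted connection has nothing to remember, which is why the first visit from an untrusted network is the one that gets stripped.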

Countermeasures

To avoid being a victim, make sure you always "force" an SSL tunnel, especially when logging in. Not having "HTTPS" in your URL means your data is travelling in clear text (very dangerous). Sites that send HSTS, and browsers that remember it, refuse to start in plain HTTP at all, which is exactly what the Gmail test above showed. I would recommend using a VPN, especially on a foreign / unsecured / untrusted network. Although a VPN renders this attack useless, I would still advise WiFi users to stick to networks they can trust and avoid unsecured wireless networks altogether. Prevention is still better than cure.

Besides, once you are on an attacker's network you are exposed to a whole range of exploits. Think of it as being ambushed on your enemy's home ground.

 

This is what happens when you use a VPN with SSLstrip running.

The HTTPS is still there and no password shows up on the attacker's machine/WiFi Pineapple, because everything the browser sends is already inside the encrypted tunnel by the time it reaches the Pineapple's port-80 redirect. However, I realised that I could not maintain a steady connection on a network running SSLstrip with a VPN up; I found myself getting disconnected from the network after a while.

 

For those who are thinking of using the WiFi Pineapple with malicious intent, allow me to do a quick revision of the Computer Misuse Act.

Computer Misuse Act 
(Source: http://statutes.agc.gov.sg)
 
Unauthorised access to computer material

3. —(1) Subject to subsection (2), any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both.

 

(2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both.

 

(3) For the purposes of this section, it is immaterial that the act in question is not directed at —
(a) any particular program or data;
(b) a program or data of any kind; or
(c) a program or data held in any particular computer.

 

Unauthorised use or interception of computer service

6. —(1)  Subject to subsection (2), any person who knowingly —

(a) secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service;

(b) intercepts or causes to be intercepted without authority, directly or indirectly, any function of a computer by means of an electro-magnetic, acoustic, mechanical or other device; or

(c) uses or causes to be used, directly or indirectly, the computer or any other device for the purpose of committing an offence under paragraph (a) or (b), shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.

 

(2)  If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both.

 

(3)  For the purposes of this section, it is immaterial that the unauthorised access or interception is not directed at —
(a) any particular program or data;
(b) a program or data of any kind; or
(c) a program or data held in any particular computer.

 
Conclusion 

The WiFi Pineapple is really an awesome tool for WiFi enthusiasts. I would definitely recommend it to anyone who wants to play around with 802.11 security. There is much to explore in this tool and it is relatively inexpensive. You just have to make sure you are not using it for malicious stuff. The only problem experienced so far is that it hangs/freezes from time to time; do not expect this "toy" to be as reliable as your enterprise router. To keep the WiFi Pineapple from overheating, I recommend placing it in a shaded and well-ventilated location.

 

Until next time, Hack Responsibly.
