WiFi Pineapple Mark V: black box for wireless interception

The information security specialist, in particular the pentester, is faced with the task of effectively solving the puzzles to find and exploit the vulnerabilities of the studied systems. An important element of any work on testing the security of the customer's infrastructure is the verification of wireless networks. Specialized tools will help to significantly improve the effectiveness of such a check, I will tell you about the fifth iteration of one of which today.

Device description

WiFi Pineapple is a product of enterprising Americans who ordered a Wi-Fi router with two wireless interfaces and one wired from the Chinese, wrote OpenWRT-based firmware for it and stuffed it with utilities for hacking / intercepting and analyzing traffic.
')
The device has 3 network interfaces (2 wireless with the ability to work in monitor mode and 1 wired), 1 USB port for a USB flash drive \ 3-4G modem \ GPS tracker and a slot for microSD cards.

Also on the device case there is a set of toggle switches, the combination of which allows launching the device with a package of preassigned commands to the selected combination of commands, which reduces the presetting time if the task is typical and regular.

Opportunities

The range of capabilities of the device is impressive, it has almost everything necessary for auditing wireless networks and intercepting traffic.

The main feature among other important tools is the forced connection to the router of wireless clients: a bunch of utilities Karma and PineAP . It acts as follows:



All wireless devices that are not currently connected to the WiFi network are actively trying to do this by sending inquiries in search of familiar access points to which they previously connected (open the list of networks on your smartphone - surely it is quite long). Karma responds to these requests, pretending to be the access point the client is looking for. This applies only to requests for open networks that are not protected by WEP / WPA / WPA2 encryption, but as a rule, almost everyone on the list has at least one public hotspot to which he has ever connected in a cafe or other public place. At the moment, Karma's performance has decreased, as new devices and OS versions tend to protect users from this vulnerability and PineAP, which operates on the opposite principle, does not wait for the request, instead bombards the client with connection requests using the SSID list. which can be maintained both manually and collected by the utility Autoharvest. The combination of these two methods gives a very high probability of hooking the wireless client to the access point.



The second king of our “pineapple” is SSLStrip , which despite the gradual loss of relevance is still the most important tool for data interception. This MITM module detects the client's attempt to connect via an HTTPS protocol and imposes an HTTP connection on it, in turn establishing an HTTPS connection to the destination. Inattentive client noticing nothing enters their credentials and they immediately go to the log.



WiFi Pineapple is built according to the modular principle - only the basic elements are initially installed in it, and the remaining components can be downloaded directly from the developers' site from the developers site. Among them are such wonderful tools as ethercap, tcpdump, nmap, the deauth tool for silencing other access points (forcibly sending disconnect commands to clients of other people's access points), dnsspoof, urlsnarf, reaver \ bully hacking tools for choosing, and other useful tools . I want to note that it will not be possible to start everything at once - the piece of iron is rather weak and many services cannot be maintained at the same time, leaving for reboot.



The device is controlled via the web interface, although it is also possible remotely via SSH (for remote access to the system installed at the target point, a reverse SSH tunnel is automatically set up when turned on). The web interface is generally good, but it works imperfectly and sometimes too fast and active work with it leads to a device reboot, since all the necessary services can be set to autostart. All components can be updated directly from the interface, new firmware is also installed on the fly.

Contents of delivery

I got into the hands of the Elite version, which, in addition to the router itself, includes a shockproof waterproof case and a 15000 mAh battery, which in total gives an all-weather outdoor system with an autonomy of 12 hours of continuous operation, also comes with a quick setup booklet, charger device, antenna extensions for carrying out the horns for the case body and patch cord.

Primary setup

No matter how simple the setting in the booklet and the numerous how-that looked, we cannot do without a file processing.

a) Mobile Internet

If we make a mobile complex, then we cannot do without autonomous Internet access, that is, we need USB-modem, but out of the box the device is very bad friends with them and as it is, I simply did not work with my Huawei E3372 (Megaphone M150-2) . The modem had to be unlocked, flashed into a HILINK firmware and an extended web interface (it turns it into a standalone USB router, seen by the system as an Eth1 interface and not requiring any additional configuration on the host). Detailed instructions can be found on w3bsit3-dns.com in the topic dedicated to this modem. The funny thing is that after unlocking and flashing the speed of access to the Internet has grown an incredible 3 times, approaching 50 megabits per second. Thus, after all the witchcraft with the modem, we get another Eth1 network interface in the depths of our “pineapple”, through which we allow traffic by changing the / etc / config / network and / etc / config / dhcp parameters. It is important not to forget to turn off the DHCP server on the web-interface of the modem itself (in my case it lived at 192.168.8.1), otherwise all clients will go directly to the Internet, bypassing all your traps.

b) AutoSSH remote access

We also need remote access to the device to control and read logs without waiting for the device to return. To do this, you will have to raise OpenSSH server with Gateway Forwarding enabled, and then everything depends on luck. For example, in my case, the SSH server did not work on the standard port, so connecting to it using the pineapple interface failed, I had to do everything manually.
The order is as follows:

• 1. From the “pineapple” web interface, generate the public key
• 2. Go to “pineapple” via ssh and go with it via ssh to our ssh server with a password, this action will add our server to known_hosts
• 3. from “pineapple” via scp send authorized_keys to our server.
• 4. Through the web interface, run autossh on "pineapple"
• 5. We try to connect from the server to localhost -p <reverse port set on pineapple>

If everything is done correctly, we will get a permanent console access to our device.

c) Logs

The modules can be installed both in the internal memory of the device and on the SD card, however, some modules may not behave properly when installed on a card, for example, the dearly loved SSLStrip. The internal memory of the device is very small, and the modules with intercepted logs are stored in their folders. Therefore, we need to make some folder (for example, banal, logs) in the root of the SD card (/ sd /) and link it to the module logs folder in / pineapple / components / infusions / sslstrip / include / logs

findings

WiFi Pineapple Mark V has proven to be a useful tool in the Pentester’s household to help find the entry point in situations where it seems that the client’s infrastructure is flawless and the staff are extremely responsible and technically savvy. The device is not without flaws - a weak 400MHz processor can hardly cope with the tasks assigned to the device and often goes into reboot when trying to use several modules at once, on the other hand, by understanding its limits, you can distribute tasks in such a way as to optimally use the “pineapple” without work.

The technology of capturing Karma and PineAP wireless clients is not perfect, no one promises that your device will immediately connect to the “pineapple” being within its range, but the likelihood of such an outcome for devices on all popular OS types is extremely high. SSLStrip is gradually dying off, there’s little use to it when capturing mobile device traffic, because most applications are authorized using the OAuth 2.0 method and there’s not much use from intercepted tokens as from pure passwords. However, popular social networking messengers still transmit data in clear text, and access to services via browsers is still done using a login / password combination, which makes the tool still effective in intercepting data.



And do not forget about other features of the "pineapple", such as hacking WPS, DNS substitution and withdrawal of clients on fake pages, the capture of cookies and much more. The device is uniquely interesting and worth the money, and for those who fear hooligans with such devices, I advise you to clean your list of known wireless networks from open networks and not sit down on questionable access points.