WiFi Pineapple: The Hot-Spot HoneyPot
Darren Kitchen, © June, 2012, Hak5, LLC

[Cover blurb not recoverable from the scan; legible fragments: "A year after debuting the open source ... plastic pineapple cup with a battery ... advanced wireless penetration testing".]

Contents

Disclaimer
Features at a Glance
Pineapple Core
  Getting to know your WiFi Pineapple: Hardware, Web Interface, Karma, Modules, Management
The Story of Alice, Bob and Chuck
Connectivity
  Ethernet to PC, WiFi to PC, Tethering to Android, Mobile Broadband, WiFi Relay, Standalone
Power Considerations
  AC Adapter, USB to PC, Rechargeable Battery Packs, Power-over-Ethernet, Solar
Connecting For The First Time
  Ethernet Tethering with Windows, Ethernet Tethering with Linux
Web Interface Overview
  Status, Configuration, Advanced, USB, Jobs, 3G, SSH, Scripts, Logs, Upgrade, Resources
Management via SSH
  Logging in, Public Key Authentication, Metasploit and Meterpreter
Expansion
  Firmware, Modules, Accessories
Support
Credits
Appendix
  Specifications, Default settings

Disclaimer
The WiFi Pineapple is a wireless penetration testing tool for use in authorized security audits where permitted. Check laws and obtain permission before using. Hak5, LLC. and affiliates claim no responsibility for unauthorized use or damages. Please hack responsibly.

Features at a Glance
+ Stealth Man-in-the-Middle Access Point
+ Mobile Broadband Modems and Android Tethering
+ Manage from afar with persistent SSH tunnels
+ Relay or Deauth attack with auxiliary WiFi radio
+ Web-based management simplifies MITM attacks
+ Easily concealed and battery powered
+ Expandable with community modules

Pineapple Core
Most wireless devices, including laptops, tablets and smartphones, have network software that automatically connects to access points they remember.
This convenient feature is what gets you online without effort when you turn on your computer at home, the office, coffee shops or airports you frequent. Simply put, when your computer turns on, the wireless radio sends out probe requests. These requests say "is such-and-such wireless network around?" The WiFi Pineapple Mark IV, powered by Jasager -- German for "The Yes Man" -- replies to these requests to say "sure, I'm such-and-such wireless access point -- let's get you online!"

[Figure on the original page; not recoverable from the scan.]

Getting to know your WiFi Pineapple

Hardware
+ Atheros AR9331 SoC at 400 MHz
+ 802.11 b/g/n 150 Mbps wireless
+ 2x Ethernet, one PoE (Power-over-Ethernet) capable
+ USB 2.0 for expanded storage, WiFi interfaces and Mobile Broadband
+ Fast Linux kernel 3.2-based Jasager firmware (built on OpenWRT)

Web Interface
The WiFi Pineapple is a versatile wireless attack platform developed by and for penetration testers. With an emphasis on ease of use and low cost to deploy, the WiFi Pineapple is capable of auditing various 802.11 wireless-enabled devices such as notebook computers, tablets and smartphones. Built on the latest OpenWRT Linux distribution and engineered for optimum use of embedded hardware, the WiFi Pineapple provides a fast and effective platform for wireless security audits.

Karma
At its core the WiFi Pineapple is capable of appearing to nearby wireless devices, or "targets", as any remembered open wireless access point. To this end the WiFi Pineapple sports a highly customized wireless driver implementing a "Karma" attack, listening for and responding to 802.11 Probe Request frames with spoofed responses.

Modules
Once a target has been acquired by the WiFi Pineapple, a host of built-in popular open source man-in-the-middle tools can be employed for monitoring purposes. In addition to the built-in tools, the WiFi Pineapple can be extended with several community-built modules.
The modules, installed from the Web Interface, offer many enhancements such as deauthentication attacks, site surveys, monitoring and logging.

Management
Simplicity is the key to using the WiFi Pineapple, and as such the Web User Interface has been modeled after consumer wireless routers -- with a bit of old-school hacker BBS charm for good measure. While most functions can be performed through the shell via SSH, the web interface provides toggleable services, reporting functions, logging and monitoring straight to your browser.

The Story of Alice, Bob and Chuck
The WiFi Pineapple is a versatile wireless auditing tool that can be used in various configurations. This document serves as a guide to setting up the WiFi Pineapple in the most common of these -- as a simple Man-in-the-Middle access point. The nature of this configuration can be illustrated as follows:

Alright, now imagine you're Chuck, a penetration tester at Bob Co., sitting in the Bob Co. cafeteria (where excellent sandwiches are served). Busy office workers are eating, socializing and using the Internet from their laptops, smartphones and tablets. Alice is sitting at the table across from you, having a salad and pulling a tablet from her purse. She intends to connect to the Bob Co. wireless network and surf kitten videos on her lunch hour.

The tablet, waking up, transmits WiFi Probe Requests looking for preferred networks. Since Alice has connected to the Bob Co. wireless network from her tablet in the past, it remembers the network name (SSID) and looks for it periodically in this fashion. If the Bob Co. network is within range it will receive a Probe Response to its Probe Request. The Probe Response provides Alice's tablet with the information it needs to associate with the Bob Co. network.
Since this process happens automatically for every network Alice frequently connects to, both on her tablet and laptop, she is never bothered with choosing a network when getting online at the office, home, cafes or even on airplanes!

Chuck (that's you!) has a WiFi Pineapple Mark IV in his bag. With Karma enabled the WiFi Pineapple is constantly listening for Probe Requests. When it hears the Probe Request for the Bob Co. network from Alice's tablet it responds with an appropriately crafted Probe Response. This informs Alice's tablet that the WiFi Pineapple is in fact the Bob Co. wireless network. Of course this is a lie, and one that Alice's tablet will believe. This simple yet effective lie is responsible for the WiFi Pineapple's code name "Jasager" -- German for "The Yes Sayer" or "The Yes Man".

It should be understood that when Alice's tablet transmits the Probe Request for the Bob Co. network, both the Karma-enabled WiFi Pineapple and the real Bob Co. network will respond. In this situation Chuck's WiFi Pineapple will likely win the race due to proximity. Moreover, if Alice is at a cafe miles from the Bob Co. headquarters the same Probe Request can be expected, and there the WiFi Pineapple will most definitely win.

Once Alice's tablet receives the Probe Response from Chuck's WiFi Pineapple they begin the process of associating, and within moments her tablet has obtained an IP address from the WiFi Pineapple's DHCP server. The WiFi Pineapple's DHCP server provides Alice's tablet with not only an IP address, but the DNS and routing information necessary to get her online.

Depending on the configuration of the WiFi Pineapple, Alice's tablet will use one of two common default gateways to get online. If Chuck has the WiFi Pineapple tethered to his Internet-connected laptop via Ethernet, the default gateway used by Alice's tablet will be 172.16.42.42 (the IP address of Chuck's laptop).
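The Probe Request / Probe Response race described above is also what gives a Karma access point away on the air: a real access point answers probes only for its own network, while a Karma device answers whatever SSID a client asks for. The following Python is an added example, not code from this guide or the Pineapple firmware, that runs that check over a constructed probe log (the MAC addresses, SSIDs and the record layout are made up for illustration).

```python
"""Spot a Karma-style "yes man" access point in captured probe traffic.

Added example; not part of the WiFi Pineapple guide or firmware. Instead of
a live capture it uses a constructed list of (frame kind, sender MAC, SSID)
records, which is all a sniffer needs to log for this check.
"""
from collections import defaultdict

# Constructed sample. The MAC addresses and SSIDs are made up.
SAMPLE_FRAMES = [
    ("probe_req",  "aa:aa:aa:00:00:01", "Bob Co"),
    ("probe_resp", "00:11:22:33:44:55", "Bob Co"),       # the real Bob Co AP
    ("probe_resp", "de:ad:be:ef:00:01", "Bob Co"),       # also answered by a second BSSID
    ("probe_req",  "aa:aa:aa:00:00:02", "Home-WiFi"),
    ("probe_resp", "de:ad:be:ef:00:01", "Home-WiFi"),
    ("probe_req",  "aa:aa:aa:00:00:03", "Airport Free"),
    ("probe_resp", "de:ad:be:ef:00:01", "Airport Free"),
    ("probe_req",  "aa:aa:aa:00:00:01", "CoffeeShop"),
    ("probe_resp", "de:ad:be:ef:00:01", "CoffeeShop"),
    ("probe_resp", "66:77:88:99:aa:bb", "GuestNet"),     # ordinary AP with two SSIDs
    ("probe_resp", "66:77:88:99:aa:bb", "GuestNet-5G"),
]


def karma_suspects(frames, threshold=3):
    """Return {bssid: {"ssids": [...], "echoed": n}} for every BSSID that
    answers at least `threshold` distinct SSIDs.

    "echoed" counts how many of those SSIDs a client had probed for earlier
    in the log; a high echoed count is the Karma signature (the AP repeats
    back what it was asked for). An enterprise AP that serves many SSIDs
    from one BSSID can trip the threshold too, so treat hits as leads to
    confirm, not verdicts.
    """
    requested = set()                 # SSIDs seen in directed probe requests
    answered = defaultdict(set)       # bssid -> SSIDs it has claimed
    echoed = defaultdict(int)         # bssid -> claimed SSIDs that were probed first
    for kind, mac, ssid in frames:
        if kind == "probe_req":
            if ssid:                  # broadcast probes carry an empty SSID; ignore
                requested.add(ssid)
        elif kind == "probe_resp":
            if ssid in answered[mac]:
                continue              # count each (bssid, ssid) pair once
            answered[mac].add(ssid)
            if ssid in requested:
                echoed[mac] += 1
    return {bssid: {"ssids": sorted(ssids), "echoed": echoed[bssid]}
            for bssid, ssids in answered.items() if len(ssids) >= threshold}


def conflicting_ssids(frames):
    """SSIDs claimed by more than one BSSID, i.e. a legitimate AP and an
    impostor racing to answer the same probe, as in the Bob Co story."""
    by_ssid = defaultdict(set)
    for kind, mac, ssid in frames:
        if kind == "probe_resp":
            by_ssid[ssid].add(mac)
    return {ssid: sorted(macs) for ssid, macs in by_ssid.items() if len(macs) > 1}


if __name__ == "__main__":
    for bssid, info in karma_suspects(SAMPLE_FRAMES).items():
        print(f"suspect {bssid}: claims {len(info['ssids'])} SSIDs, "
              f"{info['echoed']} of them echoed from client probes")
    for ssid, bssids in conflicting_ssids(SAMPLE_FRAMES).items():
        print(f"SSID {ssid!r} is claimed by {bssids}")
```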
Chuck can tether the WiFi Pineapple to his laptop via an Ethernet cable simply by using the "mk4.sh" script in Linux, or by enabling Internet Connection Sharing in Windows 7. Details on this later in the guide.

If Chuck has the WiFi Pineapple "dialed up" to the Internet via a pre-configured USB mobile broadband modem (a new feature of the Mark IV), the default gateway used by Alice's tablet will be 172.16.42.1 (the IP address of the Pineapple).

Now that Chuck's Internet-enabled WiFi Pineapple has made friends with Alice's tablet, she is free to browse the web and he is free to eavesdrop and even change the web she sees. Using some of the built-in Man-in-the-Middle tools, Chuck is able to watch what web sites Alice visits (urlsnarf). Since Chuck is particularly mischievous he prefers to change what servers Alice connects to when looking up a web site (dnsspoof) -- thus replacing would-be kitten videos with ones of puppies. Oh the horrors!

With additional modules run from USB mass storage (available from WiFiPineapple.com) Chuck is even capable of saving Alice's browsing session to disk for later analysis (tcpdump), intercepting secure communications (sslstrip), or injecting malicious code into websites (ettercap-ng).

Alternatively, if Chuck chooses not to provide Internet access at all, the default gateway will be 172.16.42.1 and the WiFi Pineapple will still be an effective wireless auditing tool. By enabling dnsspoof Chuck is able to redirect Alice's browsing session from legitimate websites to the WiFi Pineapple's built-in web server, which may host a number of phishing sites or malware.

Since Chuck can't stay at the Bob Co. cafeteria all day (no matter how delicious the sandwiches are) he might consider leaving his WiFi Pineapple on site. The WiFi Pineapple can be concealed in a case with a battery pack (available at HakShop.com) or even hidden in plain sight using the building's existing power infrastructure.
See the WiFi Pineapple forums for inspiration on creative enclosure mods, such as magnetic electrical outlets, uninterruptible power supplies or outdoor utility housings.

In this case Chuck is able to remotely manage the WiFi Pineapple in a few ways. If no Internet access is being provided, Chuck must be within range of the WiFi Pineapple's wireless network in order to connect via the management SSID "pineapple" (configurable). If Internet access is provided, Chuck can configure a persistent SSH tunnel. Configuration and help on setting this up is available from the WiFi Pineapple's web interface.

With an SSH or VPN tunnel enabled, Internet traffic from the WiFi Pineapple-connected client routes through the tunnel endpoint -- typically a Virtual Private Server. From this VPS Chuck may also extend the Man-in-the-Middle attack with additional tools.

Connectivity
The WiFi Pineapple is essentially a wireless access point and as such may provide clients with networking services such as Internet access. Typically the WiFi Pineapple will operate in one of these modes:

[Diagram of the connection modes; legible labels in the scan: "Android Tether", "Ethernet to PC".]

Ethernet to PC
With an Ethernet cable connected to the WiFi Pineapple's PoE/LAN port, Internet access can be shared. This is usually done with a notebook computer connected to a nearby, legitimate, wireless access point -- though any form of Internet access, be it Ethernet or Mobile Broadband based, can be shared. A simple tethering script is available for Linux hosts, while Windows users can follow the steps to enable Internet Connection Sharing detailed in the Connecting For The First Time section.

[Terminal screenshot of the Linux tethering script; legible line: "[sudo] password for darren".]

WiFi to PC
Much like tethering via Ethernet, WiFi can be used as an invisible cable -- it makes no difference to the WiFi Pineapple.
This gives the user wireless freedom and mobility while still providing the WiFi Pineapple with Internet access, as long as the devices are within range. With the connection script it's just a matter of choosing the right interfaces.

Android USB Tethering
Since Android version 2.2 (Froyo) three methods for tethering have been supported: Bluetooth, portable WiFi hotspot and USB cable. The latter can be used with the WiFi Pineapple to provide Internet access to clients.

Depending on the model of Android device and carrier this feature may be enabled and may incur a usage fee. Check with your carrier and service plan before proceeding. Typically unlocked and rooted devices bypass additional carrier-imposed tethering fees. CyanogenMod is just one example of a ROM that supports tethering via USB. Some applications in the Google Play Store offer USB tethering capabilities for non-rooted devices. PDANet is one such example. Unfortunately these applications typically require a proprietary application to be installed on the Windows or Mac host computer and cannot be used in conjunction with the WiFi Pineapple.

[Screenshot: Android "Tethering and portable hotspot" settings, listing USB tethering, Portable Wi-Fi hotspot, Configure portable Wi-Fi hotspot and Bluetooth tethering.]

If your Android device supports USB tethering it can be used to provide Internet access to the WiFi Pineapple, sharing either the Android's WiFi or its Mobile Broadband connection. To enable it, connect a USB cable between the Android device and the WiFi Pineapple. With the WiFi Pineapple powered on and a USB cable connected between both devices, tethering is now possible. On Android 2.3 (Gingerbread) and later devices the USB tethering option is found in the settings menu -- typically under Settings > Wireless and networks > Tethering and portable hotspot > USB tethering.
In this configuration the WiFi Pineapple will obtain a new interface, usb0, and routing will be automatically adjusted to use the Android device as its default gateway. No configuration is necessary on the WiFi Pineapple. To discontinue use of Android USB tethering, either disconnect the USB cable or disable tethering on the Android device. The WiFi Pineapple will automatically disable the usb0 interface and reset the routing configuration to defaults.

Mobile Broadband
The WiFi Pineapple provides out-of-the-box support for a select few 3G and 4G USB mobile broadband modems. The 3G connection script can be found from the 3G tab at the top of the Pineapple Control Center web interface and is updated with new modem support at WiFiPineapple.com. The usb_modeswitch and sdparm utilities have been included to support most modems. Please check the WiFi Pineapple forums and wiki for additional information on these devices.

WiFi Relay
Since firmware version 2.3.0 the WiFi Pineapple has supported a limited number of USB WiFi adapters, most notably the Atheros chipset-based ALFA AWUS036NHA. This USB WiFi adapter can be used in conjunction with the WiFi Pineapple as a second wireless radio, enabling "Client Mode" or WiFi Relay and providing Internet access to clients from a nearby access point. While the WiFi Pineapple's built-in wireless radio (wlan0) is being used in Master Mode (access point), the USB wireless radio (wlan1) can be used in Managed Mode (client) to connect to a nearby base station.

At the time of writing no web interface module has been written to simplify the connection process; however the iwconfig and wpa_supplicant utilities are provided for those familiar with the terminal. Users are advised to check wifipineapple.com for module updates.

Standalone
Being a Linux-powered embedded device, the WiFi Pineapple can operate in a "standalone" mode, providing clients with web services hosted internally.
Using the built-in DNS spoofing tools, a common technique is to redirect specific web addresses to the internal web server. These pages may offer seemingly identical landing pages for phishing attacks, remote exploit code, social engineering attacks or even a Rick Astley "Never Gonna Give You Up" video.

Power Considerations
Using a USB battery pack providing 5V we have observed a 1 amp draw at idle without WiFi, a 1.5 amp draw with WiFi enabled and a 3-5 amp draw with a mobile broadband modem. Some modems may require a powered hub for reliable continuous operation from a 5V supply. While far from conclusive, anecdotal evidence suggests that CDMA modems draw more current than their GSM counterparts.

AC Adapter
The provided power adapter supplies a DC output of 12V at 1A. Requiring an AC input of 100-240V at 50/60Hz, the adapter can be easily adapted for foreign use.

USB to PC
The WiFi Pineapple is capable of operating from a USB power supply, such as from a notebook computer or rechargeable battery pack. A USB to DC barrel cable is available from hakshop.com. The DC barrel is 5.5mm OD, 2.1mm ID, center positive. Back-feeding power from the USB port is not recommended.

Rechargeable Battery Packs
With the USB to DC barrel cable a rechargeable battery pack (such as the Pineapple Juice packs from hakshop.com) can be used to power the WiFi Pineapple. Battery packs with 1-2 amp output (often touted as "iPad chargers") are preferred. On average the WiFi Pineapple will consume between 1000-2000 milliamps per hour.

Power-over-Ethernet
The WiFi Pineapple Mark IV sports PoE capabilities via the PoE/LAN port, perfect for long-term installations. A PoE injector is available from hakshop.com.

Solar
Our tests have shown that a WiFi Pineapple can be successfully deployed and remotely managed nearly indefinitely using a 5 watt solar panel, a 12V lead acid battery of sufficient capacity and a capable 12V controller.
Specific plans and kits may be referenced from wifipineapple.com.

Connecting For The First Time
The most basic connection scenario involves an Ethernet cable directly connected between the WiFi Pineapple and a PC. Setup for Linux and Windows is provided.

Linux Ethernet Tethering
We've made using the WiFi Pineapple Mark IV with Linux tethering very simple. By default the WiFi Pineapple has an IP address of 172.16.42.1 and will assign clients IP addresses in the range of 172.16.42.100-150 via DHCP. Its default gateway is either 172.16.42.42 (when tethered to a PC) or 172.16.42.1 (when using a USB modem), depending on usage. This means that when tethered the WiFi Pineapple is looking for an Internet connection from the device with the IP address 172.16.42.42.

A simple quick-connect script is provided at http://wifipineapple.com/wp4.sh. Downloading and running the script will walk you through the process of setting up the Ethernet interface and configuring IP forwarding for Internet Connection Sharing.

Power the WiFi Pineapple on and directly connect it to the host PC via an Ethernet cable using the PoE/LAN port. Download and run the quick-connect script. Example:

    wget wifipineapple.com/wp4.sh; chmod +x wp4.sh; sudo ./wp4.sh

[Terminal screenshot of wp4.sh running; legible lines include the prompt "Interface between PC and Internet [wlan0]: eth0" and the closing "Browse to http://172.16.42.1/pineapple -- Happy Hacking!"]

The connection wizard will ask a few networking questions. For most users the "Interface between PC and Pineapple" and "Interface between PC and Internet" questions are the most important, as the others will usually work out of the box without configuration. Once these questions are answered the wizard will configure iptables and the WiFi Pineapple will be ready to use.
Access the WiFi Pineapple web interface by pointing your web browser to http://172.16.42.1/pineapple and authenticating with the username "root" and default password "pineapplesareyummy".

The wp4.sh quick-connect script:

    #!/bin/bash
    # wp4.sh - tether a WiFi Pineapple Mark IV to a Linux host and share the host's Internet connection
    echo -n "Pineapple Netmask [255.255.255.0]: "; read pineapplenetmask
    if [[ $pineapplenetmask == '' ]]; then pineapplenetmask=255.255.255.0; fi   # default netmask for a /24 network
    echo -n "Pineapple Network [172.16.42.0/24]: "; read pineapplenet
    if [[ $pineapplenet == '' ]]; then pineapplenet=172.16.42.0/24; fi           # Pineapple network, default 172.16.42.0/24
    echo -n "Interface between PC and Pineapple [eth0]: "; read pineapplelan
    if [[ $pineapplelan == '' ]]; then pineapplelan=eth0; fi                      # interface of the Ethernet cable directly connected to the Pineapple
    echo -n "Interface between PC and Internet [wlan0]: "; read pineapplewan
    if [[ $pineapplewan == '' ]]; then pineapplewan=wlan0; fi                     # i.e. wlan0 for WiFi, ppp0 for 3G modem/dialup, eth0 for LAN
    temppineapplegw=$(netstat -nr | awk 'BEGIN {while ($3!="0.0.0.0") getline; print $2}')   # current default gateway, usually correct
    echo -n "Internet Gateway [$temppineapplegw]: "; read pineapplegw
    if [[ $pineapplegw == '' ]]; then pineapplegw=$temppineapplegw; fi
    echo -n "IP Address of Host PC [172.16.42.42]: "; read pineapplehostip
    if [[ $pineapplehostip == '' ]]; then pineapplehostip=172.16.42.42; fi        # IP address of the host computer
    echo -n "IP Address of Pineapple [172.16.42.1]: "; read pineappleip
    if [[ $pineappleip == '' ]]; then pineappleip=172.16.42.1; fi                 # thanks Douglas Adams

    # Bring up the Pineapple-facing interface, enable IP forwarding and clear the iptables chains and rules
    ifconfig $pineapplelan $pineapplehostip netmask $pineapplenetmask up
    echo '1' > /proc/sys/net/ipv4/ip_forward
    iptables -X
    iptables -F

    # Set up IP forwarding: new connections from the Pineapple network arrive on the
    # Pineapple-facing interface and leave through the Internet-facing one
    iptables -A FORWARD -i $pineapplelan -o $pineapplewan -s $pineapplenet -m state --state NEW -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A POSTROUTING -t nat -j MASQUERADE

    # Replace the default route with the new default gateway
    route del default
    route add default gw $pineapplegw $pineapplewan
    echo ""
    echo "Browse to http://$pineappleip/pineapple -- Happy Hacking!"

Windows Ethernet Tethering
While there is currently no quick-connect script for Windows 7, it is fairly simple and straightforward to set up. First we must understand that by default the WiFi Pineapple has an IP address of 172.16.42.1 and, like a regular WiFi router, assigns clients IP addresses in the range of 172.16.42.50-250. When tethering to a PC via Ethernet or wireless the WiFi Pineapple will use a default gateway IP address of 172.16.42.42. So if the Windows 7 host's Pineapple-facing adapter is configured with a static IP address of 172.16.42.42 and the Internet-facing adapter (for example from another WiFi network or a USB 3G/4G mobile broadband modem) is configured for Internet Connection Sharing, clients connecting to the WiFi Pineapple will get online through the Windows 7 host's Internet connection.

[Screenshot: Windows Network Connections showing an "Internet Facing Adapter" and a "Pineapple Facing Adapter" with the right-click menu open.]

Begin by powering on the WiFi Pineapple and directly connecting an Ethernet cable between it and the host Windows 7 PC. Then click Start, type View Network Connections and press Enter.
Right-click the Internet-facing adapter and click Properties. From the Sharing tab check the box labeled "Allow other network users to connect through this computer's Internet connection", then click OK.

Next right-click the Pineapple-facing adapter and click Properties.

[Screenshot: Network Connections context menu for the Pineapple Facing Adapter.]

Select "Internet Protocol Version 4 (TCP/IPv4)" and click Properties.

[Screenshot: Internet Protocol Version 4 (TCP/IPv4) Properties dialog.]

Check "Use the following IP address" and specify 172.16.42.42 for the IP address and 255.255.255.0 for the subnet mask. Leave the default gateway blank. Next check "Use the following DNS server addresses" and specify 8.8.8.8 as the preferred DNS server. Click OK, then Close.

The Pineapple-facing and Internet-facing adapters have been configured and Internet Connection Sharing has been enabled. Finally open your web browser and navigate to http://172.16.42.1/pineapple, logging in with the username "root". The default password is "pineapplesareyummy". The Internet connection can be verified using the ping or traceroute tools found in the Advanced menu.
Web Interface Overview
Focused on ease of use and accessible from any web browser, the WiFi Pineapple's web interface makes launching Man-in-the-Middle attacks as simple as setting up your typical home wireless router. Here we will briefly overview the key components of the WiFi Pineapple web interface.

Note: The web interface is constantly improving as the firmware evolves, and while components and layouts may change, the core functionality remains the same.

Status
From this screen services, such as DNS Spoof, can be toggled off and on. Services include:

Wireless - toggle the wireless
MK4 Karma - toggle the Karma driver
Autostart - when enabled the MK4 Karma service will start on bootup
Cron Jobs - toggle the task scheduler
URL Snarf - toggle the urlsnarf utility for watching HTTP traffic
DNS Spoof - toggle the dnsspoof utility for DNS poisoning
3G bootup - when enabled the 3G service will start on bootup
3G redial - when enabled, keeps the mobile broadband connection up by redialing
SSH - status display and manual toggle of the reverse SSH connection
Stealth - when enabled ICMP (ping) requests will be ignored

Clients
A dynamically updating log of connected clients, their IP addresses, hostnames and "karma'ed" base station (the access point the client believes it is connected to) is shown. The log, which updates at 10 second intervals, can be paused or resumed. Associations are shown in reverse chronological order (latest on top).

Clicking Generate Detailed Report will provide insight on each connected client, such as duration of connection, last seen, bytes transmitted and received, as well as the client's IP address, hostname and Karma SSID. This report is very CPU intensive and may take a moment to run under heavy load; please be patient.

The Interfaces menu provides IP information for the LAN, WAN and USB 3G modem interfaces as well as a link to reveal the WiFi Pineapple's public IP address. Clicking this link creates a connection to wifipineapple.com.
By default no page on the web interface will make connections out to the Internet without user interaction.

Configuration
Basic configuration changes are made from this menu, including:

Change Karma SSID
Which management SSID to broadcast in addition to spoofed SSIDs. By default the SSID is "pineapple". Checking the Persistent box will make the change stay after a reboot.

SSID Black and White Listing
This toggleable setting is used to define safe and unsafe devices and networks. By default the WiFi Pineapple is configured in SSID Blacklist mode. SSIDs added to the Blacklist will not be spoofed. To add an SSID, for instance a nearby network which you do not wish to pose as, enter the SSID name and click Add to List. To remove it, repeat the process clicking Remove from List. Conversely, by whitelisting an SSID the WiFi Pineapple will only pose as the defined access point.

Client Blacklisting
Similar to the above SSID blacklisting, Media Access Control (MAC) addresses added to this list will not be served by the WiFi Pineapple. This is useful if you have nearby equipment of your own which should not be attacked.

Reset and WPS Button
By default the reset button, located at the bottom of the unit, is enabled. When pressed and held for 10 seconds the WiFi Pineapple will return to a factory default state, resetting network configuration, SSID and root password. The WPS button, located atop the unit, can be configured to run commands when held for 2-4 seconds. The script provided is executed when such action occurs. This can be useful for automating attacks or toggling services. A more robust button configuration module is available in the Pineapple Bar.

DNS Spoof Config
The spoofhost specifies a new destination IP address for source domains. With the DNS Spoofing service enabled, this list will be used to forward IP traffic destined to the defined domains.
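The spoofhost list format is spelled out next; as an added example (not the Pineapple's dnsspoof code, and assuming, as a hosts-file style lookup does, that the first matching line wins), here is a Python parser for that format, with a matcher that shows which rule a given query name would hit and a review check for over-broad rules such as the "*.com" case.

```python
"""Parse a WiFi Pineapple style spoofhost list and resolve query names
against it.

Added example; not the Pineapple's own dnsspoof implementation. Rule format,
as the guide describes it: one rule per line, destination IP address, a
space, then the domain, with '*' as a wildcard. Comment lines ('#') and
blank lines are an assumption of this example. First matching rule wins
(assumed, mirroring a hosts-file lookup).
"""
import fnmatch
import ipaddress

# Constructed sample list; the domains are placeholders.
SAMPLE_SPOOFHOSTS = """\
# redirect the example domains to the Pineapple's own web server

172.16.42.1 *.example.com
172.16.42.1 example.com
10.0.0.5 *.com
not-an-ip bad.example.org
"""


def parse_spoofhosts(text):
    """Return (rules, errors): rules is a list of (ip, pattern) in file
    order; malformed lines are collected in errors rather than raised."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            errors.append((lineno, "expected '<ip> <domain>'"))
            continue
        ip, pattern = parts
        try:
            ipaddress.ip_address(ip)          # rejects anything that is not an IPv4/IPv6 literal
        except ValueError:
            errors.append((lineno, f"invalid IP address {ip!r}"))
            continue
        rules.append((ip, pattern.lower()))   # DNS names are case-insensitive
    return rules, errors


def spoofed_answer(qname, rules):
    """Return (ip, pattern) of the first rule matching the query name, or
    None when the query would be passed through untouched."""
    name = qname.lower().rstrip(".")          # tolerate a trailing dot (FQDN form)
    for ip, pattern in rules:
        if fnmatch.fnmatchcase(name, pattern):
            return ip, pattern
    return None


def overbroad_rules(rules):
    """Heuristic: wildcard patterns with fewer than two dots ('*', '*.com')
    redirect a whole TLD or everything, which is what the guide's
    '172.16.42.1 *.com' example does; worth reviewing before enabling the
    service on a network other people use."""
    return [pattern for _, pattern in rules if "*" in pattern and pattern.count(".") < 2]


if __name__ == "__main__":
    rules, errors = parse_spoofhosts(SAMPLE_SPOOFHOSTS)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    for q in ("www.example.com", "example.com", "corp.example.net", "other.com."):
        print(f"{q:20} -> {spoofed_answer(q, rules)}")
    print("over-broad:", overbroad_rules(rules))
```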
Hosts should be provided one per line in the form of destination IP address, followed by a space, then the spoofed domain. The asterisk (*) wildcard can be used. For example the spoofhost "172.16.42.1 *.com" will answer any DNS query for a host ending in ".com" with the IP address 172.16.42.1 (the WiFi Pineapple's default). This feature is most useful for phishing and web exploitation.

Landing Page
When a host is spoofed and the WiFi Pineapple's IP address (172.16.42.1) is provided as the destination, the client will load index.php from the WiFi Pineapple's internal web server. This page can host a variety of phishing attacks or web exploits. Advanced users can find the web assets in /www/.

CSS Editor
This section is provided for the purpose of skinning. Perhaps the default green-on-black hacker theme isn't doing it for you. A more corporate blue-on-white might be less conspicuous in certain scenarios. Maybe you'd like rainbow kittens dancing across the screen. If so, this section is for you. Additional skins can be found at wifipineapple.com.

Advanced
The Advanced page reveals the kernel IP routing table as well as a few troubleshooting tools and a password change function. A form for updating the routing information is provided for advanced configuration, though in normal circumstances it should not be necessary. Ping and traceroute forms are provided for troubleshooting -- mainly to test Internet connectivity. The Execute Commands form will do just that -- execute each command, line by line, with the default shell interpreter, BusyBox. Bash is also included at /bin/bash. Once executed, the results will be displayed atop the Advanced page.

[Screenshot of the Advanced page; legible buttons: Clear Pineapple Cache, Factory Reset, Reboot.]

USB
The USB page displays currently connected devices with the output of the "lsusb" command, as well as a form to update the /etc/config/fstab file. This configuration script is responsible for managing the file systems table.
By default the fstab is configured to mount the first partition of EXT4-formatted USB drives as /usb.

The SanDisk Cruzer Fit series offers ample storage with a low-profile design and low power needs. This model has been thoroughly tested with the WiFi Pineapple and is available at HakShop.com.

Setting up a Two-Partition EXT4-Formatted USB Drive
Formatting a USB drive for use with the WiFi Pineapple is achieved most simply with a Linux computer or a GParted live distribution. By formatting with two partitions, the second partition can be used as swap space. Here is an example using Ubuntu and a 4GB SanDisk Cruzer Fit.

With the USB drive inserted, open Disk Utility and unmount any existing partitions on the USB drive.

[Screenshot: Disk Utility showing the USB drive before partitioning.]

Create your first partition using the Create Partition button and make the partition take 80% of the available space. The unused space will be used for your swap partition. Make sure to uncheck the box regarding taking ownership and select EXT4 as the filesystem.

Repeat the previous step using the last available space, unchecking the ownership box and selecting EXT4 as the filesystem. Name the partitions whatever you like. Your drive should look like the image below. Remove the USB drive from your Linux box.

[Screenshot: Disk Utility showing the finished two-partition layout.]

Configure the WiFi Pineapple to use the swap partition by browsing to the USB page and changing the default "option enabled 0" beneath "config swap" to read "option enabled 1". Click Update Fstab. With the USB drive plugged into the WiFi Pineapple, browse to the Advanced page and issue the command "mkswap /dev/sda2" using the Execute Commands form. Finally reboot the WiFi Pineapple and verify the disk space and memory from the Resources page. Modules can now be installed to the USB drive, as well as packages from the opkgmanager module.
For manual installation use the "--dest usb" option when issuing the opkg command. For example: "opkg install --dest usb nmap". This destination is configured in /etc/opkg.conf. The USB drive will be mounted at /usb/.

Jobs

The Jobs menu provides access to the Cron Table (crontab). Using the Jobs menu a task can be scheduled to occur on a regular basis. Coupled with the User Script, custom actions can be set for automation and remote management.

Mobile Broadband

The 3G/4G Mobile Broadband menu provides configuration scripts for USB modem setup. If enabled, this script executes on boot. It can also be executed from the 3G menu. Mobile Broadband requires a compatible USB 3G / 4G modem. Compatible modems are listed at the top of the script, and additional support and modem script updates can be found at wifipineapple.com. When connected, a usb0 entry will be displayed in the Interfaces list and the public IP address can be revealed from the Status page.

Under the Hood: The connection is two phase. First the modem must be activated, then the network configuration sets parameters used by pppd and chat. Since most 3G / 4G modems identify as CD-ROM or USB Storage devices, an activation script, typically using usb_modeswitch or sdparm, is executed. Activation forces the USB device to reveal its modem component. The modem component is configured as a USB Serial device, typically /dev/ttyUSB0, which is addressed by the network configuration. Network Configuration specifies the interface as WAN2. GSM and CDMA protocols are supported. ifconfig typically shows the interface as 3g-wan2. The pppd is responsible for making the point-to-point connection with the USB Serial device. Its configuration is in /etc/ppp/options. Comgt is responsible for talking to the modem. EVDO and 3G (GSM) modem commands are specified in /etc/chatscripts/. For the most part neither of these files needs modification.
Support outside of the listed modems is experimental, though help can be found on the Jasager forums and at wifipineapple.com. Most USB modems share similar configuration.

Additionally a 3G-KeepAlive script is available, which periodically checks for Internet connectivity and re-establishes it if necessary. This is done by attempting to send three pings to 8.8.8.8. If none are successful, "ifup wan" is executed, redialing the modem.

SSH

The SSH menu provides a front-end to the autossh program, as well as public key and known hosts configurations. Typically this is used to automate and maintain reverse SSH connections. This may be ideal for remote management.

Example Reverse SSH Connection to a Relay Server:

Begin by configuring the OpenSSH service on your relay server. This may be a dedicated or Virtual Private Server, or even a simple shell depending on permissions. For best results ensure that the following options are set to yes in the sshd configuration file -- typically located at /etc/ssh/sshd_config: AllowTcpForwarding, GatewayPorts, RSAAuthentication, PubkeyAuthentication.

From the WiFi Pineapple generate an RSA key pair. This can be done by clicking the "Generate" button below Public Key on the SSH menu. The key pair files will be stored in /etc/dropbear/. The Private Key is named id_rsa and the Public Key is id_rsa.pub. Once generated, the Public Key is displayed on the SSH menu.

Now the Public Key needs to be copied to the remote server. Copy the Public Key to the clipboard - everything from (and including) "ssh-rsa" to "root@Pineapple". Connect via SSH to your remote server and append the copied Public Key to the authorized_keys file (typically located in ~/.ssh/).

From the WiFi Pineapple, add the remote server's key fingerprint to the ~/.ssh/known_hosts file. This can be achieved most simply by first connecting via SSH to the WiFi Pineapple, then from it connecting via SSH to the remote server.
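A check for the relay-server step above, as an added example that is not part of the booklet: it reports the effective value of the four sshd_config options, taking into account that sshd honours only the first uncommented occurrence of a keyword. The sample sshd_config is constructed, and the defaults applied when a keyword is absent are assumed from OpenSSH of that era.

```shell
#!/bin/sh
# Added example, not from the Hak5 booklet: audit a relay server's
# sshd_config for the four options the text asks to be "yes". sshd honours
# the FIRST uncommented occurrence of a keyword, so a commented
# "#GatewayPorts no" only documents the default, while a later uncommented
# line cannot override an earlier one. Defaults used when a keyword is
# absent are assumed from OpenSSH of that era (RSAAuthentication has since
# been removed from OpenSSH). Match blocks are not handled.

# Constructed sample: GatewayPorts is set, AllowTcpForwarding is set wrong
# (the first occurrence wins), RSAAuthentication is absent (default applies).
SAMPLE_SSHD_CONFIG='# sshd_config (constructed sample)
Port 22
#GatewayPorts no
PubkeyAuthentication yes
#AllowTcpForwarding yes
GatewayPorts yes
AllowTcpForwarding no
AllowTcpForwarding yes
'

# sshd_option FILE KEYWORD DEFAULT: print the effective value, i.e. the
# value on the first non-comment line whose keyword matches
# (keywords are case-insensitive), or DEFAULT if none matches.
sshd_option() {
    file=$1 key=$2 default=$3
    val=$(awk -v k="$key" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# check_relay_config FILE: print "OK" or "FIX" per option and return 1 if
# any option is not "yes".
check_relay_config() {
    file=$1
    status=0
    for pair in AllowTcpForwarding:yes GatewayPorts:no \
                RSAAuthentication:yes PubkeyAuthentication:yes; do
        key=${pair%%:*}
        val=$(sshd_option "$file" "$key" "${pair#*:}")
        if [ "$val" = "yes" ]; then
            printf 'OK  %s %s\n' "$key" "$val"
        else
            printf 'FIX %s %s\n' "$key" "$val"
            status=1
        fi
    done
    return $status
}
```

Run check_relay_config /etc/ssh/sshd_config on the relay server; every "FIX" line is an option to change before restarting sshd.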
On first connection the remote server's Public Key fingerprint will be displayed. Press Y to add it to the known_hosts file.

With the key pair generated in /etc/dropbear/, the Public Key copied to the remote server's authorized_keys file, and the remote server's Public Key fingerprint added to known_hosts, you are now ready to initiate an autossh connection. Autossh is an SSH front-end which monitors the connection and reconnects if necessary. Additionally an autossh keepalive script is provided to maintain autossh in case anything fails.

With SSH on boot and SSH Persist enabled the WiFi Pineapple will make a reverse SSH connection to the specified host. Modify the SSH connection command to specify your user and remote host. The "-R 4255:localhost:22" specifies remote port forwarding. This means connecting via SSH to the Relay Server's port 4255 will map locally to 22, which is the port of the WiFi Pineapple's reverse connection. Example: ssh root@relayserver -p 4255. If the relay server does not support remote port forwarding you may also achieve a connection by first connecting via SSH to the relay server, then issuing "ssh root@localhost -p 4255".

Video Tutorial

SSH is explained in great detail on Hak5 videos 1108-1119. In particular episode 1112 walks through the above configuration step-by-step. See http://www.hak5.org for episode listings.

Scripts

From here some of the scripts which maintain the WiFi Pineapple can be edited, including:

+ rc.local - Execute on boot. Be sure to read the comments!
+ cleanup.sh - Maintains log files and memory
+ ssh-keepalive.sh - Maintains SSH, reconnects if necessary
+ 3g-keepalive.sh - Maintains Mobile Broadband, redialing if necessary
+ user.sh - provided for customization

Logs

For the convenience of troubleshooting the System Log can be seen here in reverse chronological order.

Upgrade

The Upgrade menu provides a simple way to update the firmware of your WiFi Pineapple.
Clicking Check for Upgrade will initiate a connection to wifipineapple.com. If a new version is available, details including MD5 hash and download link will be provided.

To upgrade the firmware begin by disabling unnecessary services. This means SSH, 3G and Karma on boot. Shut the WiFi Pineapple down, then boot it back up by powering it via AC adapter (battery-powered upgrades are not supported). Next connect via Ethernet (WiFi upgrades are not supported) and navigate to the Upgrade page.

Verify that at least 2000 K of memory is free. A memory listing is displayed at the bottom of the Upgrade page. Click Check for Upgrade and download the upgrade.bin. If the file is not named upgrade.bin please rename it to be so. Copy the MD5 hash into the MD5 text area, click Choose File, select the upgrade.bin and click Upgrade. The upgrade.bin will be uploaded to the WiFi Pineapple and the system will be upgraded. Do not click back, forward, stop or refresh in your browser. The WiFi Pineapple will reboot as soon as the upgrade is complete and this page will automatically refresh to display the latest firmware version. This process typically takes 5-10 minutes. Do not unplug the power during this process!

Post Upgrade SSH Advice

Be advised that once upgraded the WiFi Pineapple's public key fingerprint will have changed. This means that when SSH'ing into the WiFi Pineapple a warning may be displayed. Removing the old entry from the ~/.ssh/known_hosts file will remove the warning and offer the ability to add the new fingerprint.

[Screenshot: OpenSSH "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" message for 172.16.42.1 after the upgrade, then the new host key being accepted on reconnection]
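The two checks around the upgrade procedure above, as an added example that is not part of the booklet: verifying the downloaded upgrade.bin against the MD5 hash shown on the Upgrade page before uploading it, and removing the stale 172.16.42.1 entry from known_hosts afterwards. The expected hash is a parameter (the page's real hash is not reproduced here), and the known_hosts contents used in testing are constructed.

```shell
#!/bin/sh
# Added example, not from the Hak5 booklet: the two checks an operator
# runs around the firmware upgrade described above. Before uploading,
# confirm the image is named upgrade.bin and that its MD5 matches the hash
# published on the Upgrade page; afterwards, drop the stale host key for
# 172.16.42.1 from known_hosts so the new fingerprint can be accepted.
# EXPECTED_MD5 is whatever the Upgrade page shows (placeholder here).

# verify_upgrade FILE EXPECTED_MD5: return 0 only if FILE is named
# upgrade.bin and its MD5 equals EXPECTED_MD5 (hex, case-insensitive).
verify_upgrade() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(basename "$file")" = "upgrade.bin" ] || return 1
    actual=$(md5sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# has_host_key KNOWN_HOSTS HOST: return 0 if a plain-text entry for HOST
# exists (the first field is a comma-separated host list).
has_host_key() {
    awk -v h="$2" '
        /^[ \t]*(#|$)/ { next }
        { n = split($1, hosts, ",")
          for (i = 1; i <= n; i++) if (hosts[i] == h) found = 1 }
        END { exit !found }
    ' "$1"
}

# forget_host_key KNOWN_HOSTS HOST: remove every plain-text entry whose
# host list contains HOST, keeping comments, blank lines and other hosts.
# Hashed "|1|..." entries cannot be matched this way; use
# "ssh-keygen -R HOST" for those.
forget_host_key() {
    kh=$1
    tmp="$kh.tmp"
    awk -v h="$2" '
        /^[ \t]*(#|$)/ { print; next }
        { n = split($1, hosts, ",")
          for (i = 1; i <= n; i++) if (hosts[i] == h) next
          print }
    ' "$kh" > "$tmp" && mv "$tmp" "$kh"
}
```

After forget_host_key ~/.ssh/known_hosts 172.16.42.1 the next ssh root@172.16.42.1 prompts for the new fingerprint instead of refusing the connection.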
Resources

The Resources page displays free memory, disk usage, connected USB devices and a process list. From here you may free memory by dropping caches. This is an experimental feature and under most circumstances should not be necessary. This procedure is in fact automated by the cleanup script if necessary.

Management from SSH

The WiFi Pineapple, being an embedded Linux machine, can be easily managed via SSH.

SSH with Public Keys

If necessary generate key pairs on the host by issuing ssh-keygen. Copy the SSH public key to the WiFi Pineapple: ssh-copy-id root@172.16.42.1. This will copy your public key to the ~/.ssh/authorized_keys file on the WiFi Pineapple. Since the WiFi Pineapple uses the Dropbear SSH daemon instead of the more common OpenSSHD, the /root/.ssh/authorized_keys file must be moved to /etc/dropbear. See the process below:

[Screenshot: terminal session moving /root/.ssh/authorized_keys into /etc/dropbear/]

Metasploit and Meterpreter

Meterpreter for the WiFi Pineapple provides an interface to the popular penetration testing platform Metasploit. At time of writing PHP Meterpreter support has been verified and support is being added in an upcoming upgrade. Until then check the WiFi Pineapple modules for a GUI front-end. Simply generating a PHP Meterpreter from Metasploit, copying over the PHP file and executing it on the WiFi Pineapple will provide the expected results.

[Screenshot: Metasploit console with a PHP Meterpreter session on the WiFi Pineapple]
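The authorized_keys move for Dropbear described under "SSH with Public Keys", as an added example that is not part of the booklet: it carries the key ssh-copy-id left in /root/.ssh/authorized_keys over to /etc/dropbear/authorized_keys without duplicating keys already there and with the permissions Dropbear requires. Both paths are parameters so the function can be exercised on a temporary directory; the key material in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the Hak5 booklet: move the key that ssh-copy-id
# wrote to /root/.ssh/authorized_keys into the file Dropbear actually
# reads, /etc/dropbear/authorized_keys. Keys already present there are not
# duplicated, and the permissions Dropbear insists on are applied
# (directory 0700, file 0600; a group- or world-writable file is ignored
# by Dropbear). Paths are parameters so the function can be exercised on
# a temporary directory; on the device they would be the two paths above.

# migrate_authorized_keys SRC DSTDIR: append each key line of SRC whose key
# material (field 2) is not already in DSTDIR/authorized_keys, fix
# permissions, then remove SRC. Returns 1 if SRC does not exist.
migrate_authorized_keys() {
    src=$1 dstdir=$2
    dst="$dstdir/authorized_keys"
    [ -f "$src" ] || return 1
    mkdir -p "$dstdir" && chmod 700 "$dstdir"
    touch "$dst"
    # First pass reads the existing file; second pass prints new keys only.
    # Matching on FILENAME (not NR==FNR) stays correct when dst is empty.
    awk -v dst="$dst" '
        FILENAME == dst { if (NF >= 2) seen[$2] = 1; next }
        NF >= 2 && $1 !~ /^#/ && !seen[$2] { print; seen[$2] = 1 }
    ' "$dst" "$src" >> "$dst"
    chmod 600 "$dst"
    rm -f "$src"
}

# count_keys FILE: number of key lines (type and key material present).
count_keys() {
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}
```

On the device: migrate_authorized_keys /root/.ssh/authorized_keys /etc/dropbear, after which key-based logins as root work without a password prompt.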
Expansion

Since its inception in 2008, the WiFi Pineapple project has been expanded by the community with firmware development, scripts, modules, accessories and even mods.

Firmware

Official firmware is posted at wifipineapple.com and can be found from the Upgrade page in the WiFi Pineapple web interface.

Modules

The Pineapple Bar is a repository of community developed modules which add functionality to the WiFi Pineapple. Some highlighted scripts include:

+ ddns - Dynamic DNS
+ button - advanced button configuration
+ nmap - Zenmap-like web front-end to nmap
+ opkgmanager - opkg package manager for easy software installation
+ tcpdump - capture pcap files using this powerful packet analyzer
+ monitor - monitor bandwidth usage by interface, great for 3G
+ sitesurvey - graphical view of nearby access points and clients
+ sslstrip - front-end to the powerful sslstrip tool
+ jammer - configurable mass deauth attack for use with USB WiFi radio
+ blacklister - graphical black/white list for MAC addresses and SSIDs

[Screenshots: Site Survey and Status module pages]

Accessories

WiFi Pineapple accessories, including cases and outdoor housings, USB storage, rechargeable battery packs, power-over-ethernet or power-over-usb adapters, additional WiFi radios and a variety of antennas can be found at HakShop.com.

Support

Community

Software updates, related segments from the Hak5 show, articles from the Hak5 blog, and the WiFi Pineapple / Jasager forums are linked from the WiFiPineapple.com site.
Concerns regarding orders can be addressed to shop@hak5.org.

[Screenshot: the WiFi Pineapple forums at forums.hak5.org]

When posting questions to the WiFi Pineapple forum, please provide:

+ WiFi Pineapple Hardware Version (ex: Mark III, Mark IV, etc.)
+ WiFi Pineapple Software Version (ex: 2.3.0, 2.3.1, etc.)
+ OS used to connect (ex: Windows 7, Ubuntu 12.04)
+ Network layout of how your setup is connected
+ Services and modules running when the issue happened
+ Ping results from computer to pineapple
+ Is the problem repeatable (Yes/No)
+ Steps taken which created the problem
+ Error messages and log file information
+ Anything else that was attempted to 'fix' the problem

Credits

Our amazing community - wifipineapple.com
Open source software is distributed under the GNU General Public License.

Appendix

Specifications

Dimensions: 90mm x 60mm
Chipset: Atheros AR9331
Wireless: 802.11 b/g/n
Interface: 2x 10/100 Ethernet, 1x USB 2.0, I-PEX with RP-SMA pigtail
Power: AC Adapter accepts 100-240V ~ 50/60Hz 0.5A (UK/EU adaptable). Output: DC 12V 1A. Plug: Barrel 5.5mm OD 2.1mm ID center positive

Default Settings

Username: root
Password: pineapplesareyummy
SSID: Pineapple
IP Address: 172.16.42.1

Bricking

The WiFi Pineapple Mark IV uses the U-Boot bootloader. Similar to the BIOS on a desktop PC, this special piece of code is executed first and is responsible for loading the operating system. Unless you are specifically in the bootloader (accessible only via serial), or overwriting memory locations by some other means, you are very unlikely to "brick" the unit.
Under normal circumstances the WiFi Pineapple will be accessible from the WiFi SSID "Pineapple" (configurable) and the Ethernet (PoE LAN) interface at 172.16.42.1. We strongly advise you not to change network configurations (accessible only manually via SSH in /etc/config) unless you possess advanced networking knowledge. In the event that network access to the WiFi Pineapple is unachievable, a separate recovery process can be found at WiFiPineapple.com. This involves special hardware (a 3.3v Serial TTL adapter), Ethernet cable, COM software and TFTP. If you are unable to follow the recovery flashing guide at WiFiPineapple.com you are advised to contact shop@hak5.org for further assistance.

Training, Support, Custom Integrations

Need live training for your organization? One-on-one support? Interested in a custom integration? Please visit wifipineapple.com/contact

WiFi Pineapple
The Hot-Spot Honeypot Pen-Testing Platform

Since 2008 the WiFi Pineapple has been a favorite amongst hackers, penetration testers and security enthusiasts. With a talented community of developers this open-source wireless auditing tool brings ease-of-use to man-in-the-middle. Now in its fourth hardware version the WiFi Pineapple boasts unmatched performance, simplicity and value. This booklet outlines basic usage of the WiFi Pineapple including: Connectivity, Power Considerations, Windows and Linux setup, Inside the Web Interface, SSH Management, Meterpreter, Expansion Modules and more.
