
INSTRUCTIONAL MATERIAL’S OVERVIEW

This user's manual provides instructions on how to conduct a penetration test on the Wireless Local Area Network (WLAN) of the College of Engineering and Architecture Department. The manual guides users on the devices required for the pen-testing, including a wireless network adapter, a laptop with the appropriate tools and software, and a wireless access point, and on how to set them up for pen-testing. The manual also includes step-by-step procedures for the reconnaissance and infiltration phases of the pen-testing.

Reconnaissance involves scanning the WLAN to identify active hosts, open ports, and other information that can be used to gain access to the network. Infiltration involves attempting to gain access to the network using various methods such as exploiting vulnerabilities or guessing passwords.

MODULE LEARNING OBJECTIVES

When users have completed this guidebook, they should be able to:

1. Set up all the devices used in pen-testing.
2. Understand what the devices are capable of.
3. Utilize these devices in the Reconnaissance and Infiltration phases of Penetration Testing.
4. Perform a pen-test within a network.

TABLE OF CONTENTS
Page
USER’s MANUAL OVERVIEW ......................................................................... 186
MODULE LEARNING OBJECTIVES ................................................................ 186
TABLE OF CONTENTS ...................................................................................... 187
LIST OF TABLES ................................................................................................ 191
LIST OF FIGURES .............................................................................................. 191
LEARNING CONTENTS..................................................................................... 197
Introduction to the Alfa AWUS036NHA USB Wi-Fi Adapter
Overview of the Product ................................................................................ 198
Features .................................................................................................... 198
LED Status ............................................................................................... 198
Installation Guide .......................................................................................... 199
Hardware Installation ............................................................................... 199
Software Installation ................................................................................ 199
Reconnaissance Phase Using Alfa AWUS036NHA USB Wi-Fi Adapter
Step-by-Step Procedure of the Reconnaissance Phase ................................ 203
Summary of the Scanned Result in Monitor Mode ..................................... 209
Introduction to the Wi-Fi Pineapple Mark VII + AC Tactical
Connecting and powering the Wi-Fi Pineapple ........................................... 210
Connect the Wi-Fi Antenna .................................................................... 210
Connecting via PC or Laptop .................................................................. 211
Powering from External Adapters .......................................................... 211
Setting-up the Wi-Fi Pineapple ..................................................................... 213
Getting the latest firmware via Over-The-Air .............................................. 214
User Interface Overview of the Wi-Fi Pineapple
Logging In ..................................................................................................... 223
Navigating the User Interface ....................................................................... 225
Notifications .................................................................................................. 226
Informational Messages ................................................................................ 227
Web Terminal ............................................................................................... 227
Sidebar .......................................................................................................... 228
Campaigns ..................................................................................................... 228
Manage .................................................................................................... 228
Review .................................................................................................... 229
PineAP .......................................................................................................... 229
PineAP Settings ...................................................................................... 230
Open SSID .............................................................................................. 231

Evil WPA ................................................................................................ 232
Evil Enterprise ........................................................................................ 233
Impersonation ......................................................................................... 234
Clients ..................................................................................................... 235
Filtering ................................................................................................... 235
Reconnaissance ............................................................................................. 236
Scanning .................................................................................................. 236
Security Information ............................................................................... 238
Handshakes ................................................................................................... 239
Automatic Handshake Capture ............................................................... 239
Direct Handshake Capture ...................................................................... 239
Wi-Fi Pineapple Modules ............................................................................. 240
Installed Modules .................................................................................... 240
Available Modules .................................................................................. 241
Packages .................................................................................................. 242
General Setting ........................................................................................ 242
Networking ............................................................................................. 243
Management Network ............................................................................. 243
LED Configuration ................................................................................. 244
Advanced Settings .................................................................................. 245
Help ......................................................................................................... 246
Introduction of the Wi-Fi Pineapple Recon to Gain Access
Reconnaissance in Computer Engineering Department ............................... 248
Scanning .................................................................................................. 248
Capturing Handshakes ............................................................................ 251
Deauthenticating Clients ......................................................................... 251
Downloading the Captured Handshakes ................................................. 252
Reconnaissance in Mechanical Engineering Department ............................. 253
Scanning .................................................................................................. 253
Capturing Handshakes ............................................................................ 255
Deauthenticating Clients ......................................................................... 255
Downloading the Captured Handshakes ................................................. 256
Reconnaissance in Architecture Department ................................................ 257
Scanning .................................................................................................. 257
Capturing Handshakes ............................................................................ 258
Deauthenticating Clients ......................................................................... 258
Downloading the Captured Handshakes ................................................. 259
Reconnaissance in Civil Engineering Department ....................................... 260
Scanning .................................................................................................. 260
Capturing Handshakes ............................................................................ 261

Reconnaissance in Electrical Engineering Department ................................ 262
Scanning .................................................................................................. 262
Capturing Handshakes ............................................................................ 262
Deauthenticating Clients ......................................................................... 263
Capture Handshakes in College of Engineering and Architecture ............... 264
Fake Access Point Attack
Fake Access Point Attack using Clone WPA/2 ............................................ 264
Configuration of the Fake Access Point ....................................................... 265
Fake Access Point Attack Using Evil WPA ................................................. 266
Manually Entered Configuration of the Fake Access Point .......................... 266
Saving the Configuration .............................................................................. 267
Captured Handshake of the Fake Access Point ............................................ 268
Beacon Flooding
MDK4 Module .............................................................................................. 270
Setting Attack Mode ..................................................................................... 270
Setting Attack Options................................................................................... 271
Output of the Beacon Flooding Attack.......................................................... 271
Client’s POV in Beacon Flooding................................................................. 272
Credential Harvester
Wi-Fi Pineapple’s Module............................................................................. 273
Getting the Available Modules ..................................................................... 274
Installation of Evil Portal Module.................................................................. 275
User Interface of Evil Portal ......................................................................... 275
User Interface of FileZilla.............................................................................. 276
Site Manager in FileZilla............................................................................... 276
Managing the FTP files in Site Manager....................................................... 277
Configuring the FTP Connections ................................................................ 278
Connected to the Remote Server.................................................................... 278
Local Machine and the Remote Server in FileZilla ...................................... 279
Files in the Local Machine............................................................................. 279
Fake Webpages File....................................................................................... 280
Transferring Files from Local Machine to Remote Server............................ 280
Loading of the portals in Portal Library ....................................................... 281
Starting the Web Server................................................................................. 283
Activating a Portal in Portal Library.............................................................. 283
Start the Execution of the Fake Webpage...................................................... 284
Client’s POV in Credential Harvester............................................................ 284
Captured Credentials of the Client................................................................. 286
HTTP Traffic Analysis
HTTPeek Module........................................................................................... 288

Enabling the Sniffer....................................................................................... 288
Start the Capturing of HTTP Traffic.............................................................. 289
Client’s POV when Visiting Unsecured Sites............................................... 289
Captured Credentials of the Client................................................................. 291

Deauthentication and Disassociation
MDK4 Module............................................................................... 293
Choosing the Attack Mode............................................................................ 294
Starting the Attack......................................................................................... 295
Devices that are Disconnected to the Network.............................................. 295
Dictionary Attack
Download the Hashcat-6.2.6 ......................................................................... 296
Accessing of the properties of the Hashcat-6.2.6 ......................................... 297
Command used for the cracking of password using Hashcat ....................... 298
Cracked password of the Network of Computer Engineering Department ........... 298
Brute Force Attack
Command used for the cracking of password using Brute Force ................. 299
Progress of cracking using Brute Force Attack ............................................ 300

BIBLIOGRAPHY .................................................................................................... 301

LIST OF TABLES
Table #
1 LED Status of the Wi-Fi Adapter ...................................................198
2 Scanned Result in Monitor Mode ....................................................209

LIST OF FIGURES
Figure #
1 Alfa AWUS036NHA USB Wi-Fi Adapter.......................................197
2 Update the Device UB91C ...............................................................199
3 Update Drivers..................................................................................200
4 Properties of UB91C.........................................................................200
5 Update Drivers for UB91C...............................................................201
6 Optional Updates...............................................................................201
7 Network Adapters.............................................................................202
8 Plug the Alfa AWUS036NHA into the USB port of Laptop............203
9 Terminal Window in Kali Linux.......................................................203
10 Checking the Wireless Configuration of the Device .......................204
11 Monitoring mode .............................................................................204
12 Checking if the device is in monitoring mode .................................205
13 Scanning process .............................................................................205
14 Monitoring the network of Computer Engineering .........................206
15 Computer Engineering’s network being scanned in monitor mode ............206
16 Monitoring the network of Architecture ..........................................206
17 Architecture Department’s network being scanned in monitor mode ..........207
18 Monitoring the network of Civil Engineering .................................207
19 Civil Engineering’s network being scanned in monitor mode ................207
20 Monitoring the network of Electrical Engineering ..........................207
21 Electrical Engineering’s network being scanned in monitor mode ...........208
22 Monitoring the network of Mechanical Engineering .......................208
23 Mechanical Engineering’s network being scanned in monitor mode ..........208
24 Connecting the Antennas of the Wi-Fi Pineapple............................210

25 Connecting via PC or Laptop...........................................................211
26 Powering from External Adapters ...................................................212
27 Connecting to the SSID of the Access Point....................................213
28 Accessing the Graphical User Interface (GUI) of Wi-Fi Pineapple............214
29 Setting-up the Wi-Fi Pineapple over Wi-Fi......................................214
30 Entering the Access Point’s Credential............................................215
31 Connecting to a Wi-Fi Network.......................................................215
32 Downloading and Verifying Firmware.............................................215
33 Updating Firmware .........................................................................216
34 Welcome Page of the Wi-Fi Pineapple.............................................217
35 Verifying your Device......................................................................218
36 Latest Version of the Wi-Fi Pineapple Firmware.............................218
37 General Setup....................................................................................219
38 Networking Setup ......................................................................220
39 Client Filter Setup.............................................................................220
40 SSID Filter Setup .........................................................................221
41 User Interface Theme ......................................................................221
42 Term of Services & License Agreement .........................................222
43 Completing the Setup.......................................................................223
44 Connecting to the Management SSID..............................................223
45 Accessing the Web Interface............................................................224
46 Login Page of the Wi-Fi Pineapple..................................................224
47 Ways on how to connect to the Internet...........................................225
48 Dashboard.........................................................................................226
49 Wi-Fi Pineapple’s Title Bar..............................................................226
50 Notifications .................................................................................226
51 Informational Messages....................................................................227
52 Web Shell ........................................................................................227
53 Sidebar ............................................................................................228
54 Managing the Campaigns.................................................................229
55 Campaign Reports............................................................................229
56 PineAP Settings .........................................................................231
57 Configuration of the Open Access Point..........................................232
58 Evil WPA Configuration..................................................................233
59 Enterprise Certificate Generation.....................................................233
60 SSID Impersonation Pool.................................................................234
61 Connected Clients .........................................................................235
62 Client and SSID Filter......................................................................236
63 Wireless Reconnaissance..................................................................237

64 How to Highlight Active Devices.....................................................237
65 Details of the Scanned Access Point................................................238
66 Security Information of a Network...................................................238
67 Handshake Collection Card..............................................................239
68 Capturing Handshake from a Network.............................................240
69 List of Installed Modules..................................................................241
70 Available Modules............................................................................241
71 Package Settings...............................................................................242
72 Configuration of the General Setting of the Wi-Fi Pineapple...........243
73 Network Configuration.....................................................................243
74 Wi-Fi Management Network Configuration....................................244
75 LED Configuration...........................................................................245
76 Advanced Settings............................................................................245
77 Help Tab...........................................................................................246
78 Reconnaissance Page .......................................................................248
79 Amount of Time in Scanning Process..............................................249
80 Scanning the Networks of Pangasinan State University...................249
81 Scanned Network of Computer Engineering....................................250
82 Expanding the Computer Engineering’s Network............................250
83 Computer Engineering’s Network and its Connected Clients..........250
84 Start the Handshake Capture in Computer Engineering’s Network ..............251
85 Selecting a target client in Computer Engineering’s Network and Deauthenticate it........252
86 Notification of the Captured Handshake in Computer Engineering’s Network....252
87 Download the Captured Handshakes in Computer Engineering’s Network........252
88 Stop the Handshake Capture in Computer Engineering’s Network...............253
89 Scanned Network of Mechanical Engineering.................................254
90 Expanding the Mechanical Engineering’s Network.........................254
91 Mechanical Engineering’s Network and its Connected Clients.......254
92 Start the Handshake Capture in Mechanical Engineering’s Network ............255
93 Selecting a target client in Mechanical Engineering’s Network and Deauthenticate it........256
94 Notification of the Captured Handshake in Mechanical Engineering’s Network....256
95 Download the Captured Handshakes in Mechanical Engineering’s Network.......256
96 Stop the Handshake Capture in Mechanical Engineering’s Network.............257
97 Scanned Network of Architecture....................................................257
98 Start the Handshake Capture in Architecture’s Network ................258
99 Selecting a target client in Architecture’s Network and Deauthenticate it........259
100 Notification of the Captured Handshake in Architecture’s Network...........259
101 Download the Captured Handshakes in Architecture’s Network.................260
102 Stop the Handshake Capture in Architecture’s Network..................260
103 Scanned Network of Civil Engineering............................................261
104 Start the Handshake Capture in Civil Engineering’s Network ........261
105 Scanned Network of Electrical Engineering.....................................262
106 Start the Handshake Capture in Electrical Engineering’s Network ...........263
107 Selecting a target client in Electrical Engineering’s Network and Deauthenticate it........263
108 Captured Handshakes in College of Engineering and Architecture ............264
109 Fake Access Point Attack Using Clone WPA/2 AP.........................265
110 Configuration of the Fake Access Point...........................................265
111 Fake Access Point Attack using Evil WPA......................................266
112 Manually Entered Configuration of the Fake Access Point.............266
113 Saving the Configuration..................................................................267
114 Notification of Captured Handshake of the Fake Access Point ...............268
115 Handshakes Captured ......................................................................268
116 Module Page of the Wi-Fi Pineapple................................................269
117 Home Page of the MDK4 Module....................................................270
118 Setting Attack Mode to the Input and Output Interface...................270
119 Setting Attack Options for Beacon Flooding....................................271
120 Output of the Beacon Flooding Attack.............................................271
121 Result of the Beacon Flooding Attack in Client/s Point of View.............272
122 Wi-Fi’s Pineapple Module................................................................273
123 Get Available Modules ....................................................................274
124 Install the Module Evil Portal ..........................................................274

125 Evil Portal being Installed................................................................275
126 User Interface of Evil Portal ............................................................275
127 User Interface of FileZilla ...............................................................276
128 Site Manager in FileZilla .................................................................276
129 Managing the FTP files in Site Manager .........................................277
130 Configuring the FTP Connections....................................................278
131 Successfully Connected to the Remote Server.................................278
132 Local Machine and the Remote Server.............................................279
133 Files in the Local Machine...............................................................279
134 Fake Webpages File..........................................................................280
135 Transferring the files from the Local Machine to the Remote Server........280
136 Files that are being transferred to the Remote Server.......................281
137 Loading of the portals in the Portal Library ....................................281
138 All the portals containing the Fake Webpages.................................282
139 Starting the Web Server of the Evil Portal.......................................283
140 Activate the PSU-Login Portal.........................................................283
141 Start the Execution of the Fake Webpage.........................................284
142 Client Connecting to the Open Network of Wi-Fi Pineapple...........284
143 Fake Webpage...................................................................................285
144 Log-in Credentials of the Client.......................................................285
145 Notification of the Captured Handshakes in Credential Harvester...........286
146 Viewing the Captured Credential of the Client ...............................286
147 Module Page of the Wi-Fi Pineapple................................................288
148 Enabling the Sniffer in HTTPeek ....................................................288
149 Start the Capturing of HTTP Traffic ...............................................289
150 Client is Connecting to the Open Network.......................................289
151 Unsecured Website that the Client Visited.......................................290
152 URL’s of the Website being Captured by the HTTPeek..................290
153 Unsecured Site having a Login Credential.......................................291
154 Captured Credential that Appears in Post Data................................291
155 Wi-Fi Pineapple’s Module................................................................293
156 MDK4 Interface................................................................................293
157 Choosing the Attack Mode and the Input/Output Interface..............294
158 Entering the Necessary Data for the Chosen Attack........................294
159 Starting the Attack............................................................................295
160 Devices that are being disconnected from the network....................295
161 Download the hashcat-6.2.6.............................................................296
162 Copying the hashcat-6.2.6 folder location........................................297

163 Command used for the cracking of password using hashcat....................298
164 Cracked password of the CpEDept network.....................................298
165 Command used for the cracking of password using brute force................299
166 Progress of cracking using brute force attack...................................300

LEARNING CONTENTS

SETTING UP AND USING THE ALFA AWUS036NHA USB WI-FI ADAPTER FOR RECONNAISSANCE

ALFA AWUS036NHA USB WI-FI ADAPTER

There are many tools, and each one is designed to perform a particular test; nevertheless, there is no tool that can test for everything (Kevin B., 2018) [1]. In this research study on penetration testing for the Wireless Local Area Network, the Alfa AWUS036NHA USB Wi-Fi adapter was selected for reconnaissance. The Alfa AWUS036NHA USB Wi-Fi adapter is one of the best things you can use with Kali Linux for wireless pen testing (it is very popular among Kali Linux users). It differs from most of its predecessors in that it supports all six wireless modes, which matters for monitor mode. With it you can capture a valid WPA2-PSK hash, the WPA 4-way handshake and a hidden SSID, generate ARP frames for a WEP replay attack, perform man-in-the-middle (MITM) attacks, and more (Cyberpunk, 2018) [2].

197
Figure 1. Alfa AWUSO36NHA USB Wi-Fi Adapter

OVERVIEW OF THE PRODUCT

The adapter is designed to provide high-speed and unrivaled wireless performance for your PC. The AWUS036NHA’s auto-sensing capability allows a high packet transfer rate of up to 150Mbps for maximum throughput. It can also interoperate with other wireless (802.11b/g) products. The adapter supports WEP, WPA and WPA2 encryption to prevent outside intrusion and protect your personal information from being exposed.

FEATURES

• IEEE 802.11n, IEEE802.11g, IEEE802.11b standards
• Supports WPA/WPA2 data security, IEEE802.1x authentication, TKIP/AES encryption, WEP encryption
• Makes use of IEEE 802.11n wireless technology to provide a wireless data rate of up to 150Mbps
• Provides USB interface
• Easy to configure and provides monitoring information

LED STATUS

The table below shows the LED indications of the Wi-Fi adapter.

Table 1. LED Status of Alfa AWUS036NHA USB Wi-Fi Adapter

INSTALLATION GUIDE

HARDWARE INSTALLATION

Connect the adapter and your computer through the USB cable included in the package. The LED will light up when the adapter is installed successfully and the PC is on. Make sure that the device is connected to the virtual machine, specifically to the Kali Linux one. If the blue light is blinking, the device is connected properly to the computer. Install the AWUS036NHA or Tube-UNA into an open USB port on your laptop/desktop computer. In most cases, it is simply plug-and-play in Windows 8/10. If the adapter is not recognized by the Windows Device Manager, follow the next steps to install the driver.

SOFTWARE INSTALLATION

Step 1: After you plug in the wireless adapter, go to Device Manager. Right-click on the device “UB91C” and select “Update driver” from the menu.

Figure 2. Update the device UB91C

Step 2: Select “Search automatically for drivers” to search your computer for the available driver and install it on your device.

Figure 3. Update Drivers for UB91C

Step 3: Right-click on your selected driver, click Properties, go to the General tab, and click “Update driver”.

Figure 4. Properties of UB91C

Step 4: If Windows was unable to install your UB91C, click “Search for updated drivers on Windows Update.”

Figure 5. Update Drivers for UB91C

Step 5: Choose “Driver Updates” and then select “Download and Install.”

Figure 6. Optional updates

Note: Make sure the computer has Internet access through its internal wired/wireless network adapter, and select “Driver updates” in the “Update Drivers” menu. Wait a few seconds; Windows will install the driver for the AWUS036NHA or Tube-UNA.

Step 6: After successful installation, the AWUS036NHA or Tube-UNA will be installed as “AR9271 Wireless Network Adapter” and categorized under “Network Adapters” in the Windows Device Manager.

Figure 7. Network Adapters

DOCUMENTATION

This documentation is for the Wi-Fi Pineapple Mark VII 2.x series firmware (User’s Guide AWUS036NHA, n.d.)[3].

STEP-BY-STEP PROCEDURE OF THE RECONNAISSANCE PHASE USING THE ALFA AWUS036NHA USB WI-FI ADAPTER

Step 1: Plug the Alfa AWUS036NHA USB Wi-Fi Adapter into an available USB port on your laptop or computer.

Figure 8. Plug the Alfa AWUS036NHA into the USB port of Laptop

Step 2: Open a terminal window in Kali Linux by pressing "Ctrl+Alt+T" or searching for "Terminal" in the applications menu.

Figure 9. Terminal Window in Kali Linux

Step 3: Enter the command “iwconfig” to ensure that the adapter is recognized by the system. The output of this command should show the Alfa adapter as a recognized wireless interface, typically named "wlan0."

Figure 10. Checking the Wireless configuration of the device

Note: If it doesn't appear, you may need to install additional drivers for the adapter.

Step 4: Next, type the command “airmon-ng start wlan0” to put the wireless network interface into monitor mode.

Figure 11. Monitoring mode

Note: If you are not the root user, you need to prefix the command with “sudo”.

Step 5: To check whether it is in monitor mode, the researchers ran the command “iwconfig” again.

Figure 12. Checking if it is in the monitoring mode

Step 6: Once the wireless interface is listed as “wlan0mon”, it is in monitor mode. You can then start monitoring nearby networks by typing “airodump-ng wlan0mon”. A list of nearby wireless networks will appear, with information including MAC address, channel, signal strength, and encryption.

Figure 13. Scanning process

To show the clients connected to a specific network, use the command “airodump-ng wlan0mon -d [BSSID]”. The “-d” option (short for “--bssid”) restricts the capture to the access point whose BSSID is given; replace [BSSID] with the BSSID of the network that you want to monitor.

Step 7: The network of the Department of Computer Engineering has a BSSID of “58:D9:D5:52:96:B8”. Figure 14 shows the command for monitoring the network of Computer Engineering.

Figure 14. Monitoring the network of Computer Engineering

Figure 15 shows the captured data of the Computer Engineering Department.

Figure 15. Computer Engineering’s network being scanned in monitor mode

Step 8: The network of the Department of Architecture has a BSSID of “00:24:01:E8:12:6A”. Figure 16 shows the command for monitoring the network of the Architecture Department.

Figure 16. Monitoring the network of Architecture

Figure 17 shows the captured data of the Architecture Department.

Figure 17. Architecture’s network being scanned in monitor mode

Step 9: The network of the Department of Civil Engineering has a BSSID of “84:16:F9:CB:69:01”. Figure 18 shows the command for monitoring the network of Civil Engineering.

Figure 18. Monitoring the network of Civil Engineering

Figure 19 shows the captured data of the Civil Engineering Department.

Figure 19. Civil Engineering’s network being scanned in monitor mode

Step 10: The network of the Department of Electrical Engineering has a BSSID of “0C:F4:D5:3F:DC:78”. Figure 20 shows the command for monitoring the network of Electrical Engineering.

Figure 20. Monitoring the network of Electrical Engineering

Figure 21 shows the captured data of the Electrical Engineering Department, whose network is “PSUWifi.”

Figure 21. Electrical Engineering’s network being scanned in monitor mode

Step 11: The network of the Department of Mechanical Engineering has a BSSID of “0C:F4:D5:3F:D9:38”. Figure 22 shows the command for monitoring the network of Mechanical Engineering.

Figure 22. Monitoring the network of Mechanical Engineering

Figure 23 shows the captured data of the Mechanical Engineering Department, whose network is “PSUWifi2.”

Figure 23. Mechanical Engineering’s network being scanned in monitor mode

SUMMARY OF THE SCANNED RESULT IN MONITOR MODE

The table below summarizes the result of scanning in monitor mode during the reconnaissance phase, covering the departments of the College of Engineering and Architecture. The data gathered shows the WLAN security protocol, the SSID (also known as the network name), the MAC address, the authentication, the equipment or router used by each WLAN, and its location.

| | Architecture Department | Civil Engineering | Computer Engineering | Electrical Engineering | Mechanical Engineering |
|---|---|---|---|---|---|
| WLAN Security Protocol | WPA2 | WPA2 | WPA2 | WPA2 | WPA2 |
| SSID | Archi Department | CE Department | CpEDept | PSUWi-Fi | PSUWi-Fi2 |
| MAC Address | 00:24:01:E8:12:6A | 84:16:F9:CB:69:01 | 58:D9:D5:52:96:B8 | 0C:F4:D5:3F:DC:78 | 0C:F4:D5:3F:D9:38 |
| Authentication | PSK | PSK | PSK | PSK | PSK |
| Equipment | D-Link DIR 655 | TP-Link Archer A7 | Tenda F3 | TP-Link EAP110 | TP-Link EAP110 |
| Location | Inside the Architecture Department faculty room, at the northeast corner of the room. | Inside the Civil Engineering Department faculty room beside the girls' rest room, at the northeast corner of the said room. | Inside the Computer Engineering Department faculty room beside the chemistry laboratory, at the northwest corner of the said room. | Attached to the wall in front of ENG’G2-102, ground floor of Engineering Building 2. | Attached to the wall in front of ENG’G2-108, ground floor of Engineering Building 2. |

Table 2. Scanned Result in Monitor Mode
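
As an added example that is not part of the original manual, the Python script below builds the summary of Table 2 from the CSV file that airodump-ng writes when it is started with "-w <prefix>" (the <prefix>-01.csv file), instead of copying the values off the screen capture. The CSV text embedded in the script is constructed to mimic that layout: it uses the five BSSIDs, SSIDs, privacy and authentication values of Table 2, while the channels, timestamps, signal levels and client stations are made-up sample data; the function names are the example's own. Beyond the table columns, it counts the stations associated with each access point, flags any access point still advertising open, WEP or WPA1-only privacy, and lists the saved network names that unassociated devices leak in their probe requests, which is what a defender reviewing the scan would want to see.

```python
"""Summarise an airodump-ng CSV capture into the fields of Table 2.

Added example; not code from the manual.  SAMPLE_AIRODUMP_CSV is a CONSTRUCTED
text in the layout airodump-ng writes to <prefix>-01.csv: an access-point
section, one blank line, then a station section.  The BSSIDs, SSIDs, privacy
and authentication values are those of Table 2; every other value is made up.
"""
import csv
import io

SAMPLE_AIRODUMP_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:24:01:E8:12:6A, 2023-03-20 09:12:01, 2023-03-20 09:15:44,  6, 300, WPA2, CCMP, PSK, -61,  120,  0,   0.  0.  0.  0,  16, Archi Department,
84:16:F9:CB:69:01, 2023-03-20 09:12:02, 2023-03-20 09:15:44,  1, 300, WPA2, CCMP, PSK, -70,   98,  0,   0.  0.  0.  0,  13, CE Department,
58:D9:D5:52:96:B8, 2023-03-20 09:12:02, 2023-03-20 09:15:43, 11, 150, WPA2, CCMP, PSK, -55,  140,  0,   0.  0.  0.  0,   7, CpEDept,
0C:F4:D5:3F:DC:78, 2023-03-20 09:12:03, 2023-03-20 09:15:44,  6, 300, WPA2, CCMP, PSK, -66,  110,  0,   0.  0.  0.  0,   8, PSUWi-Fi,
0C:F4:D5:3F:D9:38, 2023-03-20 09:12:03, 2023-03-20 09:15:42,  6, 300, WPA2, CCMP, PSK, -72,   90,  0,   0.  0.  0.  0,   9, PSUWi-Fi2,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:00:00:01, 2023-03-20 09:12:10, 2023-03-20 09:15:40, -40,  250, 58:D9:D5:52:96:B8, CpEDept
AA:BB:CC:00:00:02, 2023-03-20 09:12:15, 2023-03-20 09:15:41, -52,   30, 58:D9:D5:52:96:B8,
AA:BB:CC:00:00:03, 2023-03-20 09:13:00, 2023-03-20 09:15:30, -48,   12, (not associated), PSUWi-Fi,CpEDept
"""

# Privacy values that give no real confidentiality on a campus WLAN.
WEAK_PRIVACY = {"OPN", "WEP", "WPA"}


def parse_airodump_csv(text):
    """Return ({bssid: ap}, [station]) from airodump-ng CSV text.

    The two sections are separated by a blank line.  The station section's last
    column, "Probed ESSIDs", is itself comma separated, so a station row may be
    longer than its header; everything from column 6 onward is a probed name.
    """
    ap_part, _, station_part = text.partition("\n\n")
    aps = {}
    for row in csv.reader(io.StringIO(ap_part), skipinitialspace=True):
        if len(row) < 14 or row[0] == "BSSID":
            continue  # header or malformed line
        aps[row[0]] = {
            "bssid": row[0],
            "channel": int(row[3]),
            "privacy": row[5].strip(),
            "cipher": row[6].strip(),
            "auth": row[7].strip(),
            "power": int(row[8]),
            "essid": row[13].strip(),
        }
    stations = []
    for row in csv.reader(io.StringIO(station_part), skipinitialspace=True):
        if len(row) < 6 or row[0] == "Station MAC":
            continue
        stations.append({
            "mac": row[0],
            "bssid": row[5].strip(),  # "(not associated)" for probing-only stations
            "probed": [p.strip() for p in row[6:] if p.strip()],
        })
    return aps, stations


def summarize(aps, stations):
    """One row per access point in Table 2's terms, plus its associated-client count."""
    clients = {}
    for st in stations:
        clients[st["bssid"]] = clients.get(st["bssid"], 0) + 1
    return [
        {
            "ssid": ap["essid"],
            "mac": ap["bssid"],
            "security": ap["privacy"],
            "authentication": ap["auth"],
            "channel": ap["channel"],
            "clients": clients.get(ap["bssid"], 0),
        }
        for ap in sorted(aps.values(), key=lambda a: a["essid"])
    ]


def weak_networks(aps):
    """BSSIDs whose advertised privacy is open, WEP or WPA1-only (should be empty)."""
    return sorted(b for b, ap in aps.items() if ap["privacy"] in WEAK_PRIVACY)


def probed_ssids(stations):
    """Network names leaked in probe requests by stations that are not associated."""
    names = set()
    for st in stations:
        if st["bssid"] == "(not associated)":
            names.update(st["probed"])
    return names


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_AIRODUMP_CSV)
    for row in summarize(aps, stations):
        print("{ssid:18} {mac}  ch{channel:<3} {security}/{authentication}  clients={clients}".format(**row))
    print("weak:", weak_networks(aps) or "none")
    print("probed by unassociated stations:", sorted(probed_ssids(stations)))
```

To use it on a real scan, replace SAMPLE_AIRODUMP_CSV with the contents of the <prefix>-01.csv file; the probed-ESSID list is the same information the Wi-Fi Pineapple later collects into its SSID pool, so an empty list from the department's own devices is the desired result.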

INTRODUCTION: WI-FI PINEAPPLE MARK VII + AC TACTICAL

The Wi-Fi Pineapple Mark VII is a wireless penetration testing tool that is designed to help security professionals simulate attacks against Wi-Fi networks. It allows them to identify vulnerabilities in wireless networks and test the effectiveness of their security measures. The "AC Tactical" version of the Wi-Fi Pineapple Mark VII refers to a model that includes upgraded hardware specifications, including support for the 802.11ac Wi-Fi standard, which offers faster data transfer speeds than previous standards. This makes it an even more powerful tool for analyzing and exploiting vulnerabilities in Wi-Fi networks. The basic functions of the Wi-Fi Pineapple Mark VII include creating a rogue access point, packet capturing and monitoring, man-in-the-middle attacks, and exploiting vulnerabilities.

CONNECTING AND POWERING THE WI-FI PINEAPPLE

Step 1: Connect the Wi-Fi antennas. Before turning on your Wi-Fi Pineapple, make sure the antennas are connected.

Figure 24. Connecting the antennas

Note: When transmitting without an antenna connected, any radio, including the radios inside the Wi-Fi Pineapple, may be damaged.

Step 2: Connecting via PC or Laptop

The Wi-Fi Pineapple Mark VII is built to be powered from a wide range of today's computer systems, either directly or through a USB-C to USB-A adapter. The wired USB connection is advised for setup since the Wi-Fi Pineapple will show up as an Ethernet adapter.

Figure 25. Connecting via PC or Laptop

Step 3: Powering from external adapters

Use the provided power supply to turn the Wi-Fi Pineapple on. It can be supplied with electricity from an external power adapter while taking into account the following:

• The power adapter should have a minimum 2-amp rating.
• Some USB-C PD power adapters might not function due to difficulties with USB-C power delivery. We advise trying a non-USB-C PD adapter if your chosen power adapter fails to power the Wi-Fi Pineapple (no LEDs light up).

Figure 26. Powering from External Adapters

Note: Power Considerations

Not all power adapters can deliver their stated power consistently. If your Wi-Fi Pineapple starts up and runs for a short while but then loses power, it is possible that your USB power adapter is unable to supply the necessary power continuously and is shutting down on its own. If this occurs, it is advised to try a different brand or a higher-capacity power adapter.

Step 4: After you plug it in, your Wi-Fi Pineapple will start to boot up. Check the device's LEDs to determine whether it is powering on. The lights should start blinking while the device is initializing. Once the device has finished setting up, the LEDs will stop flashing and remain on. If the Wi-Fi Pineapple is linked to a monitor or other display device, the startup process should also be visible on the screen.

SETTING-UP THE WI-FI PINEAPPLE

After the Wi-Fi Pineapple has fully booted up, you need to connect to the SSID of the AP, which is Pineapple_XXXX, where 'XXXX' is the last 4 characters of the device's MAC address. Connect to this network as you would normally from your computer or phone.

Figure 27. Connecting to the SSID of Access Point

Once you are connected, you can access the Wi-Fi Pineapple Stager at http://172.16.42.1:1471.

Figure 28. Accessing the GUI of Wi-Fi Pineapple

Note: Take note of the port in the URL! The Wi-Fi Pineapple uses port 1471 instead of the default HTTP port, so you will need to include it in the URL when you connect!

GETTING THE LATEST FIRMWARE VIA OVER-THE-AIR

To begin, make sure you're close to the Wi-Fi Pineapple. This may be done by pressing the reset button in one of the ways shown in the image below.

Figure 29. Setting up the Wi-Fi Pineapple over Wi-Fi

Connect to an Access Point that you have credentials for. This will connect the Wi-Fi Pineapple to the internet and automatically download the latest firmware. This access point might be a traditional Wi-Fi network or your phone's hotspot network.

Figure 30. Entering the AP’s credential

Figure 31. Connecting to a Wi-Fi Network

After you have connected to your Wi-Fi network, it will immediately download and verify the latest firmware from Hak5.

Figure 32. Downloading & Verifying Firmware

The firmware will be downloaded and flashed to your Wi-Fi Pineapple immediately after a successful connection is set up. You will be able to access the Wi-Fi Pineapple at http://172.16.42.1:1471 after the update is finished.

Wait for flashing to complete.

It can take 10 to 15 minutes to flash and boot for the first time. As the Wi-Fi Pineapple installs and verifies the latest firmware, kindly be patient.

Figure 33. Updating Firmware

After the installation of the firmware, you'll be greeted with the welcome page of the Wi-Fi Pineapple Mark VII. Then, click “Begin Setup”.

Figure 34. Welcome page of Wi-Fi Pineapple

Next, you need to verify your device. You may want to choose the wired setup method if you want to connect your device directly to the Wi-Fi Pineapple using an Ethernet cable. On the other hand, if you choose the wireless setup method, you will need to connect your device to the Wi-Fi network created by the Wi-Fi Pineapple. Regardless of which setup method you choose, it is important to verify your device to ensure that only authorized devices are allowed to connect to your network and to prevent potential security threats.

Figure 35. Verifying your Device

After that, you will be taken to the welcome page of the Wi-Fi Pineapple version 2.1.3 firmware. Then, click Continue.

Figure 36. Latest version of the Wi-Fi Pineapple Firmware

For the General Setup, you need to set the root password of your Wi-Fi Pineapple. It will be used to manage the device via the Web Interface and SSH. For the Timezone, choose (GMT+8) Beijing, Perth, Singapore, Hong Kong because it is the standard time used in our country.

Figure 37. General Setup

For the Networking Setup, you need to set up both the Management AP and the Open AP, because they are useful in different types of security testing scenarios. Management AP mode is used to create a secure wireless network that requires users to provide a username and password to connect. Open AP mode, on the other hand, is used to create an unsecured wireless network that anyone can connect to.

Figure 38. Networking Setup

For the Client Filter Setup, select Deny List. This allows more flexibility and freedom in managing the network, as it ensures that unwanted or potentially harmful devices are prevented from connecting.

Figure 39. Client Filter Setup

The same goes for the SSID Filter setup: choose the deny list. This will help to block specific SSIDs from being broadcast. It allows more control over the network and can reduce the risk of unauthorized access to the network.

Figure 40. SSID Filter Setup

For the User Interface theme, select a theme that suits your preference. You can choose whether you want a light or dark theme.

Figure 41. User Interface Theme

Next is the Terms of Service & License Agreement; you need to accept both the Terms of Service and the License Agreement. By accepting these agreements you consent to abide by the terms and conditions stated by the provider of the product or service. By ensuring that everyone is aware of their rights and duties when using the product or service, this serves to safeguard both you and the supplier. Then, click Finish.

Figure 42. Terms of Services & License Agreement

At last, you’ll be greeted with the “Setup Complete” page. You can now access the management interface of the Wi-Fi Pineapple. Users may access and modify a variety of functions and settings here, including networking, wireless access points, security settings, and more. The precise name of the web interface may change based on the firmware version or user customization that is selected.

Figure 43. Completing the Setup

USER INTERFACE OVERVIEW OF THE WI-FI PINEAPPLE

LOGGING IN

First, you must connect to the Management SSID configured during the Networking Setup.

Figure 44. Connecting to the Management SSID

Once you are connected, you can access the Wi-Fi Pineapple Stager at http://172.16.42.1:1471.

Figure 45. Accessing the Web Interface of the Wi-Fi Pineapple

Once redirected to the web-based user interface, you'll be greeted with the login page of the Wi-Fi Pineapple. The default username is root, while the password is the one you set during setup.

Figure 46. Login Page of the Wi-Fi Pineapple

There are 3 ways to connect the device to the internet: wirelessly, via internet connection sharing, or through a USB Ethernet adapter. If you do not want to connect, click Close; if you do, click Network Settings to configure it.

Figure 47. Ways to connect to the Internet

NAVIGATING THE USER INTERFACE

Once logged in, you will see the Dashboard, which serves as the home page for the Wi-Fi Pineapple administrative UI and provides easy access to details about the system and its services. The Wi-Fi Pineapple UI Dashboard gives a fast overview of the condition of several of the device's parts.

Figure 48. Dashboard

The website's title bar, which also includes links to read notifications, view informational messages, and access the web terminal, is located at the top of the page. It also displays the firmware version that is currently in use. Additional, less frequently used settings can be found in the context menu (three dots).

Figure 49. Wi-Fi Pineapple title bar

NOTIFICATIONS

The system or modules can send notifications to users to alert them to status changes or other messages. One of five notification levels (Information, Warning, Error, Success, or Unknown) can be applied to them. The title bar briefly displays a preview of the messages. To see all messages, click the notification icon.

Figure 50. Wi-Fi Pineapple notifications

INFORMATIONAL MESSAGES

Informational messages display possible Wi-Fi Pineapple setting errors and provide alternative solutions.

Figure 51. Informational Messages

WEB TERMINAL

On the Wi-Fi Pineapple, the Web Terminal provides a fully functional Bash shell without the need for SSH. It allows you to manage the device entirely, run tools, install packages, and perform all other operations you would expect from a Linux machine.

Figure 52. The Wi-Fi Pineapple web shell

SIDEBAR

The Sidebar is located on the left side of the page. It has quick links to system modules, and downloadable modules can be added to it for quick access. By choosing the Show More button at the bottom, you may expand the sidebar and see the full names.

Figure 53. Sidebar

CAMPAIGNS

Campaigns provide automatic configuration and report generation to streamline an engagement.

MANAGE

The names, creation dates, and types of the generated campaigns are given in a table along with their current status. Your campaigns may be edited or deleted by selecting the "..." menu button once you have toggled them on or off using the Enable/Disable button.

Figure 54. Managing the Campaigns

REVIEW

You may download and remove the reports that your campaigns have produced from the Reports tab.

Figure 55. Campaign Reports

PINEAP

The Wi-Fi Pineapple's filtering, client management, and rogue access point management are all handled by PineAP.

PINEAP CAPABILITIES

Some of the Wi-Fi Pineapple's essential features are made possible by PineAP:

• Control access with Filters – Limit your engagement by configuring access by filters. Limit to specific clients or SSIDs, or exclude specific clients or SSIDs.
• Impersonate APs – Explicitly advertise lists of access points to instigate clients into connecting to previously saved networks.
• Open AP – Serve a basic, unencrypted Open access point, or automatically impersonate any Open access point requested by a client.
• Evil WPA – Serve a new WPA network, or copy an existing WPA network. Capture partial handshakes to crack the WPA keys of unknown networks.
• Evil Enterprise – Serve a WPA-Enterprise network with optional key exchange degradation. Coupled with automatic authorization of all accounts, identify misconfigured enterprise clients and capture credentials.

PINEAP SETTINGS

PineAP offers three basic operation modes:

1. Passive – Collect information about nearby access points, and add them to the list of potential APs to advertise. Accept connections to the Open, WPA, and Enterprise SSIDs (if enabled). Do not advertise other access points, and do not answer for other SSIDs.
2. Active – Collect information about nearby access points. Actively advertise all SSIDs from the Impersonated AP Pool (if enabled). Respond to all client requests for any network which is permitted by the filters.
3. Advanced – All PineAP features can be individually configured; mix and match the features you need.

Figure 56. PineAP Settings

OPEN SSID

In addition to responding to requests for any SSID that meets the filter requirements, the Wi-Fi Pineapple may advertise a single Open SSID; the Open AP option creates an unsecured wireless network that is accessible to all connections. You have previously assigned this one in the networking configuration.

Figure 57. Wi-Fi Pineapple Open AP Configuration

Note: Any device with the network saved will still discover your Open SSID even if you switch it from visible to hidden, since it will continue to probe for the name. If collection is enabled, don't be surprised if your network appears in the SSID pool, because hidden network SSIDs can still be found when a client connects.

EVIL WPA

A WPA (or WPA2) PSK network is impersonated by the Evil WPA access point. When the PSK is unknown, it may also be used to gather incomplete handshakes for use with outside cracking tools.

Figure 58. Evil WPA Configuration

Note: Make sure to accept your Evil WPA SSID in your filter settings, or your clients will be unable to connect.

EVIL ENTERPRISE

You may configure a WPA-EAP Enterprise rogue access point using the Enterprise tab. Fill out the form to generate the EAP configuration and certificates first. Enterprise, or EAP, Wi-Fi authentication is commonly used on business networks with per-user network logins. It is secured by an SSL certificate, which must first be generated.

Figure 59. Enterprise certificate generation

IMPERSONATION

The Wi-Fi Pineapple has an "Impersonation" capability that allows it to resemble other Wi-Fi networks in order to mislead neighboring devices into joining it. A "man-in-the-middle" attack occurs when an attacker intercepts communication between two parties in order to steal information or execute other destructive acts. The Wi-Fi Pineapple may use the SSID Impersonation Pool to promote extra SSIDs when "Impersonate All Networks" is turned on. Make sure "Impersonate All Networks" is activated and that your filter settings permit connections to SSIDs from the impersonation pool!

Figure 60. SSID Impersonation Pool

The Wi-Fi Pineapple may automatically compile SSIDs from client probe requests and recon scan results, or SSIDs may be added manually.

CLIENTS

The Clients page provides connected clients and former clients as separate views. From the Connected Clients view you may check details about each connected client, including its MAC address, IP address, and the SSID it is linked to, as well as the option to remove it from the network.

Figure 61. Connected Clients

FILTERING

• You can customize what devices can connect to your Wi-Fi Pineapple using the Filtering page. Combining two filters, the Client Filter and the SSID Filter, each of which has two modes (Allow or Deny), will enable you to do this.
• By selecting which devices may connect, the Client Filter allows you to restrict the range of engagement. Only particular devices may be allowed, or any device that isn't expressly on the denied list.
• You can choose the fake networks for which the Wi-Fi Pineapple will allow associations using the SSID Filter. Only SSIDs that are expressly listed may be associated, or any SSID not specifically listed.

Figure 62. Client and SSID Filter

RECONNAISSANCE

The Wi-Fi Pineapple includes an add-on called Recon for Wi-Fi landscape scanning.

SCANNING

On the main Recon page, you can obtain a quick summary of the current wireless environment, including a list of detected APs, all associated clients, and all discovered clients. In the Access Points or Clients cards, click the mobile card button next to the table symbol to switch to a mobile-friendly view.

Figure 63. Wireless Recon

Note: You can change Recon settings, such as scan location and displayed table columns, by selecting the Settings gear icon on the right side of the Settings card.

Active Access Points and Clients can be highlighted automatically to make them simpler to discover; click the gear icon to access the Recon Settings and enable "Highlight Active Devices." Choose an activity time and a highlight color that makes you happy!

Figure 64. Highlighted active devices

When you click on an AP or Client in the list, a side menu will appear on the right. From here, you may pick device-specific features, such as collecting handshakes or cloning, or adding MAC addresses to the Filters.

Figure 65. Access Point Details

SECURITY INFORMATION

The security information panel provides a simplified overview of the network's security settings.

Figure 66. Example of security information

HANDSHAKES

Collecting and using WPA handshakes.

AUTOMATIC HANDSHAKE CAPTURE

When a client joins or reconnects to a network, handshakes are a standard component of Wi-Fi communication. The Wi-Fi Pineapple can effortlessly and automatically capture handshakes that are detected during a recon scan. The Recon panel has the option to activate automatic handshake capturing.

Figure 67. Handshake collection card

DIRECT HANDSHAKE CAPTURE

By selecting the network, then choosing "Capture Handshakes" from the menu, a particular network may be selected for handshake capture:

• The Wi-Fi Pineapple stays on the same channel as the target device during directed handshake capture, waiting for handshake packets. The likelihood of catching a whole handshake improves while you stay on the target channel.
• You can improve your chances of capturing a handshake by utilizing the "Deauthenticate All Clients" option or by deauthenticating a single client.

Figure 68. Capturing handshake from a network

WI-FI PINEAPPLE MODULES

Wi-Fi Pineapple Modules enable the interface to be expanded with new features created by the community or to provide front ends for command-line utilities. There is also a large library of packages available.

INSTALLED MODULES

The Wi-Fi Pineapple community often contributes modules, which extend the capabilities of the Wi-Fi Pineapple UI. Modules typically give existing tools a graphical user interface.

Note: Check the Packages section to see if there is a command-line alternative if you can't locate a module for the utility you want.

Figure 69. A list of installed modules

MODULES

To check for updates to installed modules or to see a list of available modules that you haven't installed, go to the Modules tab. The name, description, version, size, and creator of each module may be found here. Click the Install/Update button to install or update modules.

Figure 70. Available Modules

PACKAGES

You may browse a range of Wi-Fi Pineapple drivers and utilities under the Packages area. These packages frequently include a command-line tool that may be used over SSH or the Web Terminal.

Figure 71. Package Settings

WI-FI PINEAPPLE SETTINGS

You may configure the password, timezone, and button script from the main Settings page. The currently mounted file systems and attached USB devices are displayed on the second row of cards. You may update the UI theme, check for software updates, and set up the device for Hak5 Cloud C2 on the bottom row.

Figure 72. Configuring the General Setting of the Wi-Fi Pineapple

NETWORKING

The Networking tab displays simple-to-use cards for setting up a client connection to another Access Point, choosing the interface to be used for Recon, listing the present interfaces, and displaying the routing table.

Figure 73. Network Configuration

• Client Mode

Utilizing client mode networking is the most popular way to connect the Wi-Fi Pineapple to the Internet. In the same way as a laptop or smartphone would, the Wi-Fi Pineapple is then able to join an existing Wi-Fi network as a regular client.

• Recon Interfaces

The Wi-Fi Pineapple uses the recon interface to look for Wi-Fi networks and clients as well as to deauth networks and clients. The built-in 2.4GHz Wi-Fi radio, wlan1, serves as the recon interface by default.

MANAGEMENT NETWORK

The Management Network may be reconfigured using the Wi-Fi settings panel.

Figure 74. Wi-Fi Management Network configuration

LED CONFIGURATION

The Wi-Fi Pineapple Mark VII LED can be configured independently for Red, Green, and Blue.

Each color can be assigned a function:

• Default Off - The LED remains off.
• Default On - The LED is always on.
• Heartbeat - The LED pulses regularly. The speed of the heartbeat is tied to the overall system load: the higher the CPU load of the Pineapple, the faster the LED will pulse.
• Network device - Packets seen on a network device will cause the LED to blink.

Figure 75. LED Configuration

ADVANCED SETTINGS

Changing the current update channel, for choosing to use beta firmware versions, is available under the Advanced page. You may also access experimental features from here, like Censorship (which obscures private data in the user interface) and Cartography (2D or 3D map of Recon data).

Figure 76. Advanced Settings

HELP

There are three sub-pages under the Help tab: Help & Information, Diagnostics, and Licenses. Links to further sites like this one and Hak5 community resources may be found on the Help & Information page. Using the Diagnostics page, you may create a handy diagnostics file that can be used to assist in troubleshooting any problems you might be having with your Wi-Fi Pineapple.

Figure 77. Help Tab

DOCUMENTATION

This documentation is for the Wi-Fi Pineapple Mark VII 2.x series firmware (Wi-Fi Pineapple Mark VII, 2022)[4].

INTRODUCTION IN RECONNAISSANCE

In today's world, technology has become a fundamental part of our lives. With the

increasing complexity of devices and their features, it's crucial to have proper

documentation that guides users on how to use all of the device's capabilities. Proper

documentation ensures that users can utilize the full potential of the device, reducing the

need for support requests and improving customer satisfaction by giving users the

necessary tools to troubleshoot problems on their own. All of the Wi-Fi Pineapple's

capabilities will be listed in this module. It also includes all of the step-by-step process

for doing it.

RECONNAISSANCE: WI-FI PINEAPPLE RECON TO GAIN ACCESS

Reconnaissance is the first phase of an attack, in which the attacker gathers information about the target network: the SSID (the name of the network), the BSSID (the MAC address of the access point), the clients connected to the network and their MAC addresses, the type of router in use and the types of devices used by the clients. Reconnaissance also reveals the network's security protocol and two settings that matter for the attacks in this manual. The first is MFP, or Management Frame Protection (802.11w), which authenticates management frames so that clients discard forged deauthentication frames; the deauthentication attacks described below only work where MFP is disabled. The second is WPS, or Wi-Fi Protected Setup, a router feature developed to make connecting a computer or other device to a secured wireless network simpler. Finally, the scan records the signal strength of each network and the time of the recon. To do this, follow the step-by-step instructions shown in the figures below.

Here are the general steps to use the Recon page:

A. Scanning

B. Capturing Handshakes

C. Deauthenticating Networks and/or Clients

D. Downloading the Captured Handshakes

Note: All of the aforementioned tasks will be carried out to the College of Engineering

and Architecture which encompasses Computer Engineering, Mechanical Engineering,

Architecture, Civil Engineering, and Electrical Engineering.
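Every field the Recon page reports is read out of the beacon frames that access points broadcast. The following Python script, added here as an illustration and not part of the Wi-Fi Pineapple or of the original manual, parses a raw 802.11 beacon into the SSID, BSSID, channel, security suite, MFP setting and WPS presence that Recon displays. The beacon it parses is constructed inside the script (made-up BSSID, the manual's SSID "CpEDept", no radiotap header), so it runs offline; to use it on real data, feed it the management frames from the PCAP downloaded in the handshake steps after stripping the radiotap header.

```python
"""Recover the Recon-page fields (SSID, BSSID, channel, security suite, MFP,
WPS) from a raw 802.11 beacon frame.

Added example for this manual; it is not Wi-Fi Pineapple code. The beacon
below is constructed in build_sample_beacon() (no radiotap header, made-up
BSSID) so the script runs offline.
"""
import struct

RSN_CIPHERS = {2: "TKIP", 4: "CCMP", 8: "GCMP", 9: "GCMP-256"}
RSN_AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}
OUI_IEEE = b"\x00\x0f\xac"   # suite selectors in the RSN IE
OUI_MS = b"\x00\x50\xf2"     # Microsoft OUI; vendor IE type 0x04 is WPS


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(body):
    """Yield (element_id, value) from the tagged-parameter block."""
    i = 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        yield eid, body[i + 2:i + 2 + ln]
        i += 2 + ln


def parse_rsn(v):
    """Decode an RSN IE (ID 48): ciphers, AKMs and the two MFP capability bits."""
    version, = struct.unpack_from("<H", v, 0)
    if version != 1:
        return None
    group = RSN_CIPHERS.get(v[5], "vendor") if v[2:5] == OUI_IEEE else "vendor"
    off = 6
    pcount, = struct.unpack_from("<H", v, off)
    off += 2
    pairwise = [RSN_CIPHERS.get(v[off + 4 * k + 3], "?") for k in range(pcount)]
    off += 4 * pcount
    acount, = struct.unpack_from("<H", v, off)
    off += 2
    akms = [RSN_AKMS.get(v[off + 4 * k + 3], "?") for k in range(acount)]
    off += 4 * acount
    caps = struct.unpack_from("<H", v, off)[0] if off + 2 <= len(v) else 0
    # RSN capabilities: bit 6 = MFP required (MFPR), bit 7 = MFP capable (MFPC)
    mfp = "required" if caps & 0x40 else ("capable" if caps & 0x80 else "disabled")
    return {"group": group, "pairwise": pairwise, "akm": akms, "mfp": mfp}


def parse_beacon(frame):
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xf != 8:    # type 0 (mgmt), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    # 24-byte header: fc, duration, addr1 (DA), addr2 (SA), addr3 (BSSID), seq ctl
    cap, = struct.unpack_from("<H", frame, 34)           # after timestamp(8) + interval(2)
    info = {"bssid": mac_str(frame[16:22]), "ssid": None, "channel": None,
            "security": "WEP" if cap & 0x0010 else "open", "mfp": "n/a", "wps": False}
    for eid, val in parse_ies(frame[36:]):
        if eid == 0:
            info["ssid"] = val.decode("utf-8", "replace")
        elif eid == 3 and val:
            info["channel"] = val[0]
        elif eid == 48:
            rsn = parse_rsn(val)
            if rsn:
                label = "WPA3" if "SAE" in rsn["akm"] else "WPA2"
                info["security"] = f"{label}-{'/'.join(rsn['akm'])} ({'/'.join(rsn['pairwise'])})"
                info["mfp"] = rsn["mfp"]
        elif eid == 221 and val[:4] == OUI_MS + b"\x04":
            info["wps"] = True
    return info


def ie(eid, val):
    return bytes([eid, len(val)]) + val


def build_sample_beacon(ssid, bssid, channel, mfp_capable=True, wps=True):
    """Constructed WPA2-PSK/CCMP beacon used as test input; not a real capture."""
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, ESS+privacy caps
    rsn = (struct.pack("<H", 1) + OUI_IEEE + b"\x04"                # group: CCMP
           + struct.pack("<H", 1) + OUI_IEEE + b"\x04"              # pairwise: CCMP
           + struct.pack("<H", 1) + OUI_IEEE + b"\x02"              # AKM: PSK
           + struct.pack("<H", 0x0080 if mfp_capable else 0))       # RSN capabilities
    body = ie(0, ssid.encode()) + ie(3, bytes([channel])) + ie(48, rsn)
    if wps:
        body += ie(221, OUI_MS + b"\x04" + b"\x10\x4a\x00\x01\x10")  # WPS Version attribute
    return hdr + fixed + body


if __name__ == "__main__":
    frame = build_sample_beacon("CpEDept", bytes.fromhex("0211223344ff"), 6)
    for k, v in parse_beacon(frame).items():
        print(f"{k:>8}: {v}")
```

An "mfp: disabled" result means the deauthentication steps below will work against that network; "wps: True" means the router also exposes the WPS attack surface, which this manual does not exercise.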

RECONNAISSANCE IN COMPUTER ENGINEERING DEPARTMENT

Step 1: Please see the User Interface Overview of the Wi-Fi Pineapple to know how to

Log-in. See Figure 44 to connect to the Management SSID. See Figure 45 to access the

Web Interface of the Wi-Fi Pineapple. And see Figure 46 to Log-In to the Wi-Fi

Pineapple.

SCANNING

Step 2. On the left side bar, go to the “Recon” tab.

Figure 78. Reconnaissance Page

Step 3: The "Scan" button is at the bottom of the Wireless Landscape panel. Before scanning, choose how long the Wi-Fi Pineapple should spend scanning the networks in the vicinity.

Figure 79. Choosing the amount of time in scanning process

Step 4: Click the "Scan" button to begin scanning.

Figure 80. Start to Scan the Networks in PSU

Step 5: Many networks are visible at PSU, so the Wi-Fi Pineapple needs time to find your specific target. The target is the Computer Engineering network, SSID "CpEDept". Type the target's SSID in the search box to filter the results.

Figure 81. Scanned Network of Computer Engineering

Step 6: Expand the network of the Computer Engineering Department by clicking the

“+” sign before the SSID.

Figure 82. Expanding the network of Computer Engineering Department

Step 7: All clients connected to the Computer Engineering Department's network are then listed.

Figure 83. Computer Engineering Department’s network and its scanned clients

CAPTURING HANDSHAKES

Step 8: After selecting the Department of Computer Engineering's SSID, you will be

presented with a list of available actions. Choose "Capture WPA Handshakes" and then

click "Start Capture" to start recording the handshakes.

Figure 84. Start the Handshake Capture

DEAUTHENTICATING CLIENT/S:

Step 9: Choose one client on the target network and deauthenticate it: navigate to the intended client, select it, and choose "Deauthenticate client". The client is disconnected and reconnects automatically; the 4-way handshake it performs when reconnecting is what the capture started in Step 8 records.

1. Selecting the target client

2. Deauthenticate the selected client

Figure 85. Selecting a target client and deauthenticate it

DOWNLOADING THE HANDSHAKES:

Step 10: The captured handshakes will show up on notifications.

Figure 86. Notification of the Captured handshakes

Step 11: To download the captured handshakes, go to the "Handshakes" tab and click the download arrow. The capture is offered in PCAP format and in hashcat's 22000 format, which is the file used for cracking later in this manual.

Figure 87. Download the handshakes in PCAP and Hashcat's 22000 format

Step 12: After you download the handshakes in Computer Engineering Department, you

can now stop the capturing of the handshakes.

Figure 88. Stop the Handshakes Capture

RECONNAISSANCE IN MECHANICAL ENGINEERING DEPARTMENT

SCANNING

Step 1: Many networks are visible at PSU, so the Wi-Fi Pineapple needs time to find your specific target. The Mechanical Engineering Department has no network of its own; it uses the PSU WLAN with SSID "PSUWi-Fi2". Type the target's SSID in the search box to filter the results.

Figure 89. Scanned network of Mechanical Engineering

Step 2: Expand the network of the Mechanical Engineering Department by clicking the

“+” sign before the SSID.

Figure 90. Expanding the PSUWi-Fi2 network

Step 3: All clients connected to the PSUWi-Fi2 network used by the Mechanical Engineering Department are then listed.

Figure 91. PSUWi-Fi2 network and its scanned clients

CAPTURING HANDSHAKES

Step 4: After selecting the Mechanical Engineering Department's SSID, you will be presented with a list of available actions. Choose "Capture WPA Handshakes" and then click "Start Capture" to start recording the handshakes.

Figure 92. Start the Handshake Capture of Mechanical Engineering’s network

DEAUTHENTICATING CLIENT/S

Step 5: Choose one client on your target network and deauthenticate it. To do this,

navigate to your intended client and select it. Choose "deauthenticate client" to perform

deauthentication.

1. Selecting the target client

2. Deauthenticate the selected client

Figure 93. Selecting a target client and deauthenticate it

DOWNLOADING THE HANDSHAKES

Step 6: The captured handshakes will show up on notifications.

Figure 94. Notification of the Captured handshakes

Step 7: To download the captured handshakes, go to the “handshakes” tab. Click the

arrow down to download the file in PCAP format.

Figure 95. Download the Handshakes in PCAP and Hashcat’s 22000 format

Step 8: After you download the handshakes in PSUWi-Fi2, you can now stop the

capturing of the handshakes.

Figure 96. Stop the Handshakes Capture

RECONNAISSANCE IN ARCHITECTURE DEPARTMENT

SCANNING

Step 1: Many networks are visible at PSU, so the Wi-Fi Pineapple needs time to find your specific target. The target is the Architecture network, SSID "Archi Department". Type the target's SSID in the search box to filter the results, then expand the Architecture Department's network by clicking the "+" sign before the SSID. All clients connected to it are then listed.

Figure 97. Scanned network of Architecture

CAPTURING HANDSHAKES

Step 2: After selecting the Architecture Department's SSID, you will be presented with a list of available actions. Choose "Capture WPA Handshakes" and then click "Start Capture" to start recording the handshakes.

Figure 98. Start the Handshake Capture in Architecture’s Network

DEAUTHENTICATING CLIENT/S

Step 3: Choose one client on your target network and deauthenticate it. To do this,

navigate to your intended client and select it. Choose "deauthenticate client" to perform

deauthentication.

1. Selecting the target client

2. Deauthenticate the selected client

Figure 99. Select a target client and deauthenticate it

DOWNLOADING THE HANDSHAKES

Step 4: The captured handshakes will show up on notifications.

Figure 100. Notification of the Captured handshakes

Step 5: To download the captured handshakes, go to the “handshakes” tab. Click the

arrow down to download the file in PCAP format.

Figure 101. Download the Handshakes in PCAP and Hashcat’s 22000 format

Step 6: After you download the handshakes in Architecture Department, you can now

stop the capturing of the handshakes.

Figure 102. Stop the Handshakes Capture

RECONNAISSANCE IN CIVIL ENGINEERING NETWORK

SCANNING

Step 1: Many networks are visible at PSU, so the Wi-Fi Pineapple needs time to find your specific target. The target is the Civil Engineering network, SSID "CE Department 5G". Type the target's SSID in the search box to filter the results, then expand the Civil Engineering Department's network by clicking the "+" sign before the SSID. All clients connected to it are then listed.

Figure 103. Scanned network of Civil Engineering

CAPTURING HANDSHAKES

Step 2: After selecting the Civil Engineering Department's SSID, you will be presented with a list of available actions. Choose "Capture WPA Handshakes" and then click "Start Capture" to start recording the handshakes.

Figure 104. Start the Handshake Capture

RECONNAISSANCE IN ELECTRICAL ENGINEERING NETWORK

SCANNING

Step 1: Many networks are visible at PSU, so the Wi-Fi Pineapple needs time to find your specific target. The Electrical Engineering Department has no network of its own; it uses the PSU WLAN with SSID "PSUWi-Fi". Type the target's SSID in the search box to filter the results, then expand the network by clicking the "+" sign before the SSID. All clients connected to it are then listed.

Figure 105. Scanned network of Electrical Engineering

CAPTURING HANDSHAKES

Step 2: After selecting the Electrical Engineering Department's SSID, you will be presented with a list of available actions. Choose "Capture WPA Handshakes" and then click "Start Capture" to start recording the handshakes.

Figure 106. Start Handshake Capture

DEAUTHENTICATING CLIENT/S

Step 3: Choose one client on the target network and deauthenticate it: navigate to the intended client, select it, and from the actions offered choose "Deauthenticate client".

1. Selecting the target client

2. Deauthenticate the selected client

Figure 107. Selecting a target client and deauthenticate it

Figure 108 shows all the handshakes captured across the College of Engineering and Architecture (CEA).

Figure 108. Captured Handshakes in CEA Dept.

FAKE ACCESS POINT ATTACK

This attack can also be launched from the Recon page of the Wi-Fi Pineapple. In a fake access point attack the attacker sets up a rogue Wi-Fi access point in the hope that users connect to it instead of the legitimate one. Here the fake access point is configured with the same SSID and BSSID as the target network but with an arbitrary password. A client that tries to join the clone fails the WPA handshake, because the password it has stored does not match the clone's; the first two handshake messages, which the Pineapple records when Capture Handshakes is enabled, are nevertheless sufficient for offline cracking. In the researchers' tests the clients could not connect to the legitimate network while the attack was enabled. To do this, follow the step-by-step instructions shown in the figures below.

Step 1: Click on the target network, then click "Clone WPA/2 AP" as shown in Figure 109. You are redirected to the configuration page of the fake access point, which automatically copies the SSID and the BSSID of the target network.

Figure 109. Fake Access Point Attack Using Clone WPA/2 AP

Step 2: Enter an arbitrary password of the right form for the network's encryption type (for WPA/WPA2-PSK, at least eight characters). It does not need to be the real one.

Figure 110. Configuration of the Fake Access Point

Step 3: To start the attack, enable "Capture Handshakes" and then click "Clone".

Note: There is one more way to do the Fake Access Point attack. To do this, follow the

step-by-step instructions as shown in the figures below.

Step 3.1: Go to the "PineAP" module of the Wi-Fi Pineapple, located just above the Recon module in the sidebar. You are redirected to the PineAP page.

Figure 111. Fake Access Point Attack Using Evil WPA


Step 3.2: Click "Evil WPA" in the upper navigation bar of the PineAP page. You are redirected to the configuration of the fake access point.

Figure 112. Manually Entered Configuration of the Fake Access Point

Step 3.3: Manually enter the SSID, the BSSID and an arbitrary password, and select the encryption type. Tick "Enable" and "Capture Handshakes", then save the configuration. This takes more work than Clone WPA/2 AP because the SSID and the BSSID have to be typed by hand.

Figure 113. Saving the Configuration

Step 4: Now deauthenticate the client or clients, following the steps under Deauthentication Attack (the capture is already running, so skip the handshake-capture step). The clients are disconnected from the network; see the Target Client's POV under Deauthentication Attack.

Step 5: When a client tries to reconnect, it attempts the handshake against the clone, and the attacker is notified that a handshake was captured, as shown in Figure 114.

Figure 114. Notification of Captured Handshake of the Fake Access Point

Step 6: To view the handshake, go to the Recon tab and then to the Handshakes tab.

Figure 115. Handshakes Captured

BEACON FLOODING

Beacon flooding is an attack in which the attacker transmits a large number of forged beacon frames advertising networks that do not exist. Clients see many phantom networks in their Wi-Fi list and cannot connect to any of them, and at high rates the frames also congest the channel. The MDK4 module broadcasts these networks as either open or secured, with random SSIDs or with one SSID of the attacker's choosing. See the Appendix for the full installation of the MDK4 module. To do this attack, follow the step-by-step instructions shown in the figures below.

Step 1: Click "Modules" in the left navigation panel of the Wi-Fi Pineapple and look for the "MDK4" module, shown in Figure 116. The MDK4 module interface (Figure 117) then appears.

Figure 116. Module Page of the Wi-Fi Pineapple

Figure 117. Home page of the MDK4 Module

Step 2: Click "Attack Mode" and select "Beacon Flooding". Select "wlan3mon" for both the input and the output interface, as shown in Figure 118.

Note: A Recon scan must keep running for the whole duration of this attack, because scanning is what keeps the input and output interfaces in monitor mode (wlan3mon).

Figure 118. Setting Attack Mode to the Input and Output Interfaces

Step 3: Under "Attack Options" the attacker can specify the SSID that the fake networks will advertise, as shown in Figure 119; alternatively MDK4 can generate random SSIDs.

Note: This attack accepts only one attack option at a time.

Figure 119. Setting Attack Options for Beacon Flooding


Step 4: Start the attack. The output is shown in Figure 120.

Figure 120. Output of the Beacon Flooding Attack

CLIENT’S POV

Figure 121. Result of the Beacon Flooding Attack in Client/s POV

Multiple fake networks appear in the client's Wi-Fi connection list: in this run three networks, two of them secured and one open. The list refreshes every five seconds, as shown in Figure 121, while the same SSID keeps being broadcast. Because these networks do not exist, clients cannot connect to them.

CREDENTIAL HARVESTER

A credential harvester is designed to collect personal data, including usernames and passwords. It tricks people into entering their login credentials or other sensitive information on a fake website or login page that looks like a legitimate one. Once the user submits the form, the harvester captures the data for the attacker. The stolen data can then be used for financial fraud, identity theft and unauthorized access to online accounts. Here are the step-by-step instructions for harvesting credentials with the Wi-Fi Pineapple's Evil Portal module.

Step 1: Go to the Wi-Fi Pineapple Modules located at the sidebar.

Figure 122. Wi-Fi Pineapple’s Module

Step 2: Click the modules tab, to view all the Wi-Fi Pineapple available tools. Then, click

“Get Available Modules” to load all the tools that are available.

Figure 123. Get Available Modules

Step 3: Find the module “Evil Portal” and click “Install.” A notification will appear if the

installation is complete. Click “Done”.

Figure 124. Install the Module Evil Portal

Step 4: Go to the Installed tab, which lists all installed modules. Find the "Evil Portal" module you just installed and click it to open.

Figure 125. Evil Portal being Installed

Step 5: This is the user interface of Evil Portal. The Portal Library is empty at this point because no portals are built in; they have to be uploaded.

Figure 126. User Interface of Evil Poral

Step 6: The researchers used FileZilla to upload the portals containing their fake webpages to the Portal Library of Evil Portal. FileZilla is a free, open-source FTP/SFTP client for transferring files between a local computer and a remote server.

Figure 127. User Interface of FileZilla

Step 7: In the upper left side of the page, go to File tab and select Site Manager.

Figure 128. Site Manager in FileZilla

Step 8: The Site Manager stores your connection profiles. Here you can add, edit and delete connections and set options such as the protocol (FTP or SFTP), the port number, the username and password, and more.

Figure 129. Managing the FTP files in the Site Manager

Step 9: On the left side of the Site Manager, create a new site under the "My Sites" folder by clicking the "New Site" button. Then, on the right side under the "General" tab, configure the following:

Protocol: SFTP - SSH File Transfer Protocol (from the drop-down list)

Host: 172.16.42.1 (the IP address of the Wi-Fi Pineapple)

Port: 22

Logon Type: Normal

User: root

Password: Pineapple123 (the password you configured during set-up)

Then click the "Connect" button. On the first connection FileZilla asks you to confirm the Pineapple's SSH host key.

Figure 130. Configuring the FTP connections in Site Manager

Step 10: At the homepage of the FileZilla, you can now see that it is successfully

connected to the Remote Server.

Figure 131. Successfully Connected to the Remote Server

Step 11: On the left-hand panel, it displays your local site or your own computer that you

are using to connect to a remote server. On the right-hand panel, it displays the files and

folders on the remote server that you are connected to.

Figure 132. Local Machine and the Remote Server

Step 12: Go to your Desktop and click the folder "portals".

Figure 133. Files in the Local Machine

Step 13: The folder “portals” contains all the fake webpages that the researchers created.

Figure 134. Fake Webpages File

Step 14: Transfer all the files from the folder “portals” in your Local Machine to the

remote server by dragging and dropping them from the left-hand panel to the right-hand

panel.

Figure 135. Transferring the Files from the Local Machine to the Remote Server

Step 15: Now all the files are transferred to the remote server.

Figure 136. Files that being transferred to the Remote Server

Step 16: Go back to Evil Portal on the Wi-Fi Pineapple; the Portal Library reloads.

Figure 137. Loading of the portals in the Portal Library

Step 17: The uploaded portals now appear in the Portal Library.

Figure 138. All the portals containing the Fake Webpages

Step 18: Start the Web Server so you can activate any portal that are in the library.

Figure 139. Starting the Web Server of the Evil Portal

Step 19: Scroll a little bit and you will see the Library Portal. Then, find and activate the

“PSU-Login” portal.

Figure 140. Activate the PSU-Login Portal

Note: You cannot activate a portal if you do not start the Web Server.

Step 20: After you activate the portal, click the “Start” button to execute the attack.

Figure 141. Start the execution of the Fake Webpage

CLIENT’S POV

After clicking the Start button, consider the target's point of view. The target has to be connected to the Wi-Fi Pineapple's open network.

Figure 142. Client connecting to the Open Network of Wi-Fi Pineapple

Once connected, the client is redirected to a webpage that asks for an email address, a phone number and a password.

Figure 143. Fake Webpage

As the researchers mentioned earlier, all the free Wi-Fi networks at PSU require this kind of sign-up before a user can access the internet, so the page looks normal. Little does the target know that the open network he/she is connected to is a malicious access point. Figure 144 shows the target entering his/her credentials into the fake webpage.

Figure 144. Log-in Credentials of the Client (form fields shown: Email address: pyekamoana@gmail.com; Phone number: 09123456789; Password: ************)

ATTACKER’S POV

When the target clicks the sign-up button, everything entered in the webpage is captured by Evil Portal, the credential harvester. To see it, go back to Evil Portal on the Wi-Fi Pineapple. Figure 145 shows the notification the attacker receives once the target has submitted his/her credentials.

Figure 145. Notification of the Captured Credentials in the Credential Harvester

Step 21: To see the captured credentials, click “view log.”

Figure 146. Viewing the Captured Credential of the Client

HTTP TRAFFIC ANALYSIS

HTTPeek is a module for the Wi-Fi Pineapple that passively sniffs HTTP traffic between clients and servers. Because clients reach the internet through the Pineapple's access point, the Pineapple sits in a man-in-the-middle position and HTTPeek can observe every HTTP request and response crossing its network interface. One practical application is identifying weaknesses in web applications: the contents of requests and responses, including cookies, headers and form data, can be examined for sensitive information sent in the clear. If a user visits a site that does not use HTTPS, HTTPeek records and displays the traffic between the browser and the server in plain text; traffic to HTTPS sites is encrypted and cannot be read this way. Here are the step-by-step instructions for capturing credentials this way with the Wi-Fi Pineapple.

Step 1: Click "Modules" in the left navigation panel of the Wi-Fi Pineapple. Look for the "HTTPeek" module and open it, as shown in Figure 147.

Figure 147. Module page of the Wi-Fi Pineapple

Step 2: The HTTPeek interface appears. Click the "Enable" button to enable the sniffer. With the sniffer enabled, an attacker can collect sensitive information such as usernames, passwords and session cookies sent over unencrypted HTTP connections.

Figure 148. Enabling the Sniffer in HTTPeek

Step 3: Click the "Start" button to begin capturing HTTP traffic; it is displayed in real time.

Figure 149. Start the capturing of HTTP traffic

CLIENT’S POV

The client has to be connected to the Wi-Fi Pineapple's open network.

Note: The open network should have an SSID that is familiar to the target.

Figure 150. The client is connecting to the open network

Suppose the client is connected to the open wireless network and visits an unsecured (plain HTTP) site. In this scenario the client went to http://shippingchina.com/, an example of such a site.

Figure 151. Unsecured Website that the Client Visited


ATTACKER'S POV

The attacker captures the unsecured URLs, cookies, POST data and images from the target.

Figure 152. URLs of the Website being Captured by the HTTPeek

CLIENT'S POV

The attacker can also obtain login credentials if the target carelessly logs in on an unsecured site.

Figure 153. Unsecured site having a login credentials

ATTACKER'S POV

Credentials entered by the target appear under Post Data.

Figure 154. Captured credentials that appears in Post Data
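To make concrete what HTTPeek's URLs, Cookies and Post Data panels contain, here is a small Python parser, added as an example and not HTTPeek's own code, that pulls the same three things out of a raw plaintext HTTP request and flags field names that look like credentials. The request bytes are constructed in the script (made-up host example.test, made-up username and password), so it runs offline.

```python
"""What a passive HTTP sniffer such as HTTPeek can read from a plaintext
request: the URL, the cookies and the POST form fields.

Added example for this manual; not HTTPeek code. The request bytes in SAMPLE
are constructed (made-up host and credentials). Over HTTPS the same bytes are
TLS ciphertext and none of this parsing is possible.
"""
from urllib.parse import parse_qs

SENSITIVE = ("pass", "pwd", "token", "secret", "sess")


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request (TCP payload) into URL, cookies and POST fields."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for c in headers.get("cookie", "").split(";"):
        if "=" in c:
            k, v = c.strip().split("=", 1)
            cookies[k] = v
    post = {}
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        length = int(headers.get("content-length", len(body)))
        post = {k: v[0] for k, v in parse_qs(body[:length].decode("latin-1")).items()}
    return {"method": method, "url": f"http://{headers.get('host', '')}{path}",
            "cookies": cookies, "post": post}


def find_exposed_secrets(rec):
    """POST fields and cookies whose names suggest credentials sent in the clear."""
    hits = [f"post:{k}" for k in rec["post"] if any(s in k.lower() for s in SENSITIVE)]
    hits += [f"cookie:{k}" for k in rec["cookies"] if any(s in k.lower() for s in SENSITIVE)]
    return hits


# Constructed sample: a login form submitted over plain HTTP
SAMPLE = (b"POST /login HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"Cookie: PHPSESSID=abc123; theme=dark\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 36\r\n\r\n"
          b"username=student&password=Summer2023")

if __name__ == "__main__":
    rec = parse_http_request(SAMPLE)
    print(rec["url"], rec["cookies"], rec["post"])
    print("exposed:", find_exposed_secrets(rec))
```

The session cookie is as valuable to an attacker as the password: replaying it gives access without knowing the credentials, which is why the check above treats cookie names like PHPSESSID as secrets too.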
DEAUTHENTICATION AND DISASSOCIATION

Deauthentication is an attack in which the attacker sends forged deauthentication frames, apparently from the access point, to a wireless client, causing it to drop its connection to the access point. Disassociation is similar, but the forged frame only ends the client's association while leaving it authenticated, so the client has to re-associate rather than start the connection over. Neither frame is authenticated unless the network uses Management Frame Protection, which is why Recon reports whether MFP is enabled. MDK4 is a Wi-Fi penetration-testing tool with a mode that sends deauthentication and disassociation frames to the clients of an access point. A common scenario is the attacker running mdk4 on the Wi-Fi Pineapple against the legitimate access point so that all connected devices lose connectivity to the network. See the Appendix for the full installation of the mdk4 module. To do this attack, follow the step-by-step instructions shown in the figures below.

Step 1: Click "Modules" in the left navigation panel of the Wi-Fi Pineapple and look for the "mdk4" module, shown in Figure 155.

Figure 155. Wi-Fi Pineapple’s Module

Step 2: Click the “mdk4” module and you will see its interface.

Figure 156. MDk4 Interface

Step 3: Choose “deauthentication and disassociation” as the attack mode. Select

“wlan3mon” on both input and output interface.

Figure 157. Choosing the attack mode and the input/output interface

Note: Reconnaissance should be turned on while doing this attack.

Step 4: Enter the data required by the chosen attack. Attack Options #1 and #2 each take a list of client or network MAC addresses: the clients or networks to leave unaffected (#1) and the targets (#2), corresponding to mdk4's whitelist and blacklist. These lists are files saved under the Cabinet module; see Appendix # for the configuration of the Cabinet module. Attack Option #4 is the channel of the target network; see Appendix # for how to find the channel of the target network.

Figure 158. Entering the Necessary Data for the Chosen Attack

Step 5: Start the attack. Clients will not be able to connect to the network until the attack stops.

Figure 159. Starting the attack

Step 6: Figure 160 shows the devices being disconnected from the network.

Figure 160. Devices that are being disconnected from the network
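The following Python script, added here as an example and not code from mdk4 or the Wi-Fi Pineapple, shows what the frames in this attack look like on the wire and how a wireless intrusion detection system recognises the attack: it builds deauthentication and disassociation frames spoofed from the access point's address, parses them back (subtype, reason code and the Protected Frame bit that 802.11w/MFP sets), and counts unprotected frames per BSSID to flag a flood. The MAC addresses and the sample burst are constructed.

```python
"""Build and recognise 802.11 deauthentication and disassociation frames, and
flag the burst pattern an mdk4 deauthentication run produces.

Added example for this manual; not mdk4 or Wi-Fi Pineapple code. MAC
addresses and the sample frame list are constructed; a real detector would
read frames from a monitor-mode capture.
"""
import struct
from collections import Counter

SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
REASON = {1: "unspecified", 7: "class 3 frame from non-associated STA", 8: "STA leaving"}


def mgmt_frame(subtype, dst, src, bssid, reason, seq=0):
    # Frame control: type 0 (management) in bits 2-3, subtype in bits 4-7, no flags.
    # The body of a deauth/disassoc frame is just the 2-byte reason code.
    return (struct.pack("<HH", subtype << 4, 0) + dst + src + bssid
            + struct.pack("<H", seq << 4) + struct.pack("<H", reason))


def deauth(client, bssid, reason=7):
    """Forged frame from the AP's address telling the client it is deauthenticated."""
    return mgmt_frame(SUBTYPE_DEAUTH, client, bssid, bssid, reason)


def disassoc(client, bssid, reason=8):
    """Same, but only drops the association; the client stays authenticated."""
    return mgmt_frame(SUBTYPE_DISASSOC, client, bssid, bssid, reason)


def parse(frame):
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xf
    if ftype != 0 or subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    # Protected Frame bit (0x4000): set when 802.11w/MFP protects the frame. Its body is
    # then encrypted, and a forged, unprotected copy is discarded by the client.
    protected = bool(fc & 0x4000)
    reason = None if protected else struct.unpack_from("<H", frame, 24)[0]
    return {"kind": "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc",
            "dst": frame[4:10].hex(":"), "src": frame[10:16].hex(":"),
            "bssid": frame[16:22].hex(":"), "reason": reason,
            "reason_text": REASON.get(reason, "other"), "protected": protected}


def detect_flood(frames, threshold=20):
    """BSSIDs with more unprotected deauth/disassoc frames than threshold in this window.
    Normal roaming yields a handful per minute; mdk4 sends them continuously."""
    counts = Counter()
    for f in frames:
        p = parse(f)
        if p and not p["protected"]:
            counts[p["bssid"]] += 1
    return sorted(b for b, n in counts.items() if n > threshold)


if __name__ == "__main__":
    ap, sta = bytes.fromhex("0211223344ff"), bytes.fromhex("02aabbccdd01")
    burst = [deauth(sta, ap) for _ in range(50)]
    print(parse(burst[0]))
    print("flooded BSSIDs:", detect_flood(burst))
```

Reason code 7 ("class 3 frame received from nonassociated STA") is the value deauthentication tools commonly send because any client accepts it; on a network with MFP enabled the same frame, lacking the Protected Frame bit and a valid MIC, is simply ignored.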

DICTIONARY ATTACK

A dictionary attack tries to recover a password by testing each word in a pre-existing dictionary or a generated wordlist. It relies on the fact that many people choose common words, phrases or predictable patterns, so an attacker who tries a large number of likely candidates often finds the right one. Dictionary attacks are popular because they can be fully automated and test many candidates quickly with little effort from the attacker. The researchers used hashcat, a widely used password-recovery tool that runs brute-force and dictionary attacks against password hashes, using GPU acceleration where available. Note that this attack was carried out without the Wi-Fi Pineapple; it only needs the handshake files downloaded earlier.

Step 1: Download hashcat 6.2.6 from https://hashcat.net/hashcat/.

Figure 161. Download the hashcat-6.2.6
Step 2: Open the folder where you saved hashcat. To run it from the command prompt you need the folder's path: open the properties of the hashcat-6.2.6 folder and copy its location.

Figure 162. Copying the hashcat-6.2.6 folder location

With the folder location copied, the attacker opens a command prompt in that folder and starts cracking. The researchers used the Computer Engineering Department's handshake, "CpEDept.22000", captured during the deauthentication attack, and the rockyou.txt wordlist, a common password list used in hash cracking.

Step 3: The attacker initiates the cracking with the command "hashcat -m 22000 CpEDept.22000 rockyou.txt", shown in Figure 163. Mode 22000 is hashcat's WPA-PBKDF2-PMKID+EAPOL format, which is the .22000 file downloaded from the Pineapple; with no -a option hashcat defaults to a straight dictionary attack.

Figure 163. Command used for the cracking of Password using hashcat

Step 4: Figure 164 shows the result of the cracked password of the network of Computer

Engineering Department.

Figure 164. Cracked Password of the CpEDept network

BRUTE FORCE ATTACK

A brute force attack tries to recover a password or encryption key by trial and error, testing every possible combination until the correct one is found. Such attacks are usually automated by software that can try thousands or even millions of candidates per second, depending on the hash algorithm and the processing power of the attacker's computer. They can succeed, but they are time-consuming and resource-intensive, and for a deliberately slow algorithm such as WPA2's PBKDF2 the keyspace quickly becomes impractical.

This time the researchers used the Architecture Department's handshake. The command is

"hashcat -m 22000 -a 3 ArchiDepartment.22000 ?a?a?a?a?a?d?d?d@#$_^*"

shown in Figure 165. Hashcat's -a 3 is a mask attack: each ?a position is tried with all 95 printable ASCII characters, each ?d with the ten digits, and characters not preceded by ? (here @#$_^*) are fixed literals. The mask therefore describes fourteen-character candidates, 95^5 × 10^3 ≈ 7.7 × 10^12 of them.

Figure 165. Command used for the cracking of Password using Brute Force

Figure 166 shows hashcat's estimated time to exhaust this mask: about 50 years on an ASUS X407U with an Intel Core i3 7th Gen processor and 8 GB of RAM. WPA2-PSK is deliberately slow to evaluate (4096 PBKDF2 iterations per candidate), which is why a CPU-only attack against even this modest keyspace is impractical, and why the dictionary attack above succeeds only when the passphrase is in the wordlist.

Figure 166. Progress of Cracking using Brute Force Attack
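What hashcat does with the .22000 file in the dictionary attack above, and how large the keyspace of the mask in the brute-force command is, can be reproduced directly. The following Python script is an added example serving both sections; it is not hashcat's code and not part of this manual's original procedure. It derives the PMK from a candidate passphrase with PBKDF2, expands it to the PTK with the 802.11 PRF, recomputes the MIC of EAPOL message 2 and compares it with the captured one, which is the check hashcat -m 22000 performs for every candidate. The handshake is constructed inside the script (made-up MACs and nonces, passphrase "password123"; the SSID "CpEDept" is the manual's), so the run is self-contained, and mask_keyspace() counts the candidates described by ?a?a?a?a?a?d?d?d@#$_^*.

```python
"""What hashcat -m 22000 does with a downloaded handshake: derive the PMK
from a candidate passphrase, expand it to the PTK, and compare the EAPOL MIC.
Also the keyspace of a -a 3 mask such as the one used above.

Added example for this manual; not hashcat or Wi-Fi Pineapple code. The
handshake is constructed in build_sample_handshake() (made-up MACs, nonces
and passphrase); "CpEDept" is the SSID from the manual.
"""
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase, ssid):
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    # IEEE 802.11 PRF-512 with the "Pairwise key expansion" label
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return out[:64]


def eapol_mic(kck, eapol_with_mic_zeroed):
    # WPA2 (key descriptor version 2): HMAC-SHA1 over the EAPOL frame, truncated to 16 bytes
    return hmac.new(kck, eapol_with_mic_zeroed, hashlib.sha1).digest()[:16]


def check_candidate(passphrase, hs):
    """True if this passphrase reproduces the MIC the client sent in message 2."""
    pmk = pmk_from_passphrase(passphrase, hs["ssid"])
    kck = ptk_from_pmk(pmk, hs["ap"], hs["sta"], hs["anonce"], hs["snonce"])[:16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"])


def dictionary_attack(hs, wordlist):
    return next((w for w in wordlist if check_candidate(w, hs)), None)


def to_hashcat_22000(hs, message_pair=0):
    # One line of the .22000 file: WPA*02*MIC*MAC_AP*MAC_STA*ESSID(hex)*ANONCE*EAPOL(hex)*MESSAGEPAIR
    # (hcxtools format; message_pair 0 = M1/M2 pair with the MIC taken from M2)
    return "*".join(["WPA", "02", hs["mic"].hex(), hs["ap"].hex(), hs["sta"].hex(),
                     hs["ssid"].encode().hex(), hs["anonce"].hex(), hs["eapol"].hex(),
                     f"{message_pair:02x}"])


def mask_keyspace(mask):
    """Candidates described by a hashcat -a 3 mask; non-? characters are literals."""
    sizes = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in sizes:
            total *= sizes[mask[i + 1]]
            i += 2
        else:                       # literal character ("??" is a literal '?')
            i += 2 if mask[i:i + 2] == "??" else 1
    return total


def build_sample_handshake(true_passphrase, ssid="CpEDept"):
    """Constructed M2 capture: we compute the MIC with the true passphrase ourselves."""
    ap, sta = bytes.fromhex("0211223344ff"), bytes.fromhex("02aabbccdd01")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    # EAPOL-Key descriptor: type 2 (RSN), key info 0x010a (v2, pairwise, MIC), key length,
    # replay counter, SNonce, IV, RSC, ID, MIC (zeroed), key data length (0 here)
    desc = (struct.pack(">BHHQ", 2, 0x010a, 16, 1) + snonce + bytes(16) + bytes(8)
            + bytes(8) + bytes(16) + struct.pack(">H", 0))
    eapol = struct.pack(">BBH", 1, 3, len(desc)) + desc     # version 1, type 3 (EAPOL-Key)
    hs = {"ssid": ssid, "ap": ap, "sta": sta, "anonce": anonce, "snonce": snonce, "eapol": eapol}
    kck = ptk_from_pmk(pmk_from_passphrase(true_passphrase, ssid), ap, sta, anonce, snonce)[:16]
    hs["mic"] = eapol_mic(kck, eapol)
    return hs


if __name__ == "__main__":
    hs = build_sample_handshake("password123")
    print(to_hashcat_22000(hs))
    print("cracked:", dictionary_attack(hs, ["123456", "qwerty", "password123"]))
    print("mask candidates:", mask_keyspace("?a?a?a?a?a?d?d?d@#$_^*"))
```

The cost per candidate is dominated by the 4096-iteration PBKDF2; at the few thousand evaluations per second a laptop CPU manages, 7.7 × 10^12 candidates take decades, consistent with the roughly 50 years hashcat estimated in Figure 166. A GPU typically raises the rate by two orders of magnitude, which still leaves an unconstrained mask attack on WPA2-PSK impractical, so the dictionary attack works only because the passphrase was in the list.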

BIBLIOGRAPHY

[1] Beaver, K. M. (2018). Hacking. John Wiley & Sons, Inc.

[2] CYBERPUNK. (2018, November 27). Alfa AWUS036NHA USB Wireless Adapter. Retrieved December 23, 2022, from https://www.cyberpunk.rs/alfa-awus036nha-usb-wireless-adapter

[3] User's Guide AWUS036NHA 150Mbps Wireless High Gain USB Adapter. (n.d.). https://files.alfa.com.tw/%5B1%5D%20WiFi%20USB%20adapter/AWUS036NHA/QIG/UG-AWUS036NHA.pdf

[4] WiFi Pineapple Mark VII - WiFi Pineapple Mark VII. (2022). Hak5.org. https://docs.hak5.org/wifi-pineapple/
