🔴
Hacking
  • 1. Hacking Infrastructure
    • Infra Planification
      • Infrastructure Diagram & Requirements
    • Infra Configuration
      • Attack Server
      • C2 Server
      • Redirector
      • Payload Server
      • Phishing Server
  • 2. Reconnaissance and Information Gathering
    • OSINT (Open-Source Intelligence)
      • Enviroment
      • Android Virtualization
      • Web Browsers
      • Sock Puppets (Covert Accounts)
      • All-purpose Advanced Tools
      • Search Engines
      • People Search Engines
      • Websites & Domains
      • IP Addresses
      • Users & Emails
      • Social Media
      • Documents
      • Images
      • Videos & Lives
      • Metadata
      • Telephone Numbers
      • Online Maps
      • Virtual Currencies
      • Leaks, Breaches, Logs and Ransomware
      • Government & Business Records
    • Port, Version, Vuln Scanning
      • Nmap
      • Shodan
      • Network Mapping
      • Researching Potential Vulnerabilities
      • Dark Web Scanning
  • 3. Social Engeniering
    • Phising
      • Recycling Domains
      • Header Manipulation
      • Email Creation and Delivery
      • Email Spoofing & Warning Disabling
      • Site Building
      • Evilginx
      • Payload Hosting Obfuscation
      • Diverting the Analysts
      • VBA Macros & RTI
      • HTML Smuggling & HTA Files
      • JS Files
      • Other File Types
    • SMS Spoofing
      • SMSpubli
    • Social Engineering Toolkit (SET)
      • SET Installation
  • 4. Exploitation
    • Password Cracking
      • SetUp
      • Wordlist Building
      • Tools
    • Payloads - File Transfer - Coding - MalDev - ExploitDev
      • Payload Triggering
        • Shell File Transfer
        • PS Execution - Donwload Craddles
      • Normal Shells
        • Reverse Shells vs Bind Shells
        • Direct Reverse Shell Commands
        • Interactive Shell
        • Normal Reverse Shell Tools
        • PHP Webshells
        • ASPX Webshells
        • Kraken Webshell
        • Python Webshells
      • Coding Basics
        • Bash
        • Python
        • C
        • C++
        • C#
        • x86-64 (Intel) Assembly - NASM & MASM
      • Windows MalDev
        • MDLC & Tools
        • Architecture, Memory Management, APIs & Processes
        • PEs & DLLs
        • Malware Binary Signing & Metadata Modification
        • Payload Placement
        • Payload Execution Control
        • Payload Encryption & Obfuscation
        • Malware Optimization: Entropy Reduction & Compile Settings
        • Local Payload Execution
        • Process Enum, Injection & Hollowing
        • Payload Staging
        • Thread Hijacking
        • APC Injection
        • Callback Code Execution
        • Mapping Injection
        • Function Stomping Injection
        • PPID Spoofing
        • Process Argument Spoofing
        • API Hooking
        • String Hashing
        • IAT Hiding, Obfuscation & Camouflage
        • Anti-Debugging
        • Anti-Virtualization
        • Syscalls
        • NTDLL Refreshing
      • Windows ExploitDev
        • Tools
        • x86 Vanilla Stack BOF
      • Linux ExploitDev
        • BOF GNU/Linux 32-bit
    • Active Directory
      • Host and Domain Recon
        • SMB (139,445) Enum
        • RPC (135, 1024-5000) Enum
        • LDAP (389,636,3268,3269) Enum
        • PowerView
        • Other tools / Commands
        • BloodHound
      • Attacks and procedures
        • Password Spraying
        • User Impersonation
        • Lateral Movement
        • Kerberos (88)
        • Certificate Services (AD CS)
        • ACLs/ACEs
        • Group Policy
        • MS SQL Servers
        • LAPS (Local Administrator Password Solution)
        • Microsoft Configuration Manager
        • Domain Dominance
        • Forest & Domain Trusts
        • MiTM & Relaying Attack
    • Cloud
      • Azure
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation
        • Lateral Movement
        • Persistence
        • Data Exfiltration
      • AWS
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation
        • Lateral Movement
        • Post-Exp & Persistence
        • Data Exfiltration
      • Google Cloud
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation & Lateral Movement
        • Credential Access
        • Data Exfiltration
    • Web
      • Fingerprinting
      • Automated Scanners
      • Proxies
        • WAFs & Attack Obfuscation
        • HTTP Request Smuggling
      • CMS's: Content Management Systems
      • Authentication
        • Authentication vulnerabilities
        • OAuth 2.0 Authentication Vulnerabilities
        • Access Control
      • Files
        • File Upload
      • Reflected Values
        • Command Injection
        • HTML & XSS Injection
        • SSRF: Server-Side Request Forgery
        • SSTI: Server-Side Template Injection
        • CRLF Injection
        • CSV Injection
        • Openredirect
        • Prototype Pollution
        • ShellShock Attack
      • Search functionalities
        • LFI - RFI - Path traversal
        • SQL Injection
        • NoSQL injection
        • LDAP Injection
        • XPath Injection
      • Forms, WebSockets and PostMsgs
        • CSRF: Croos-Site Request Forgery
        • WebSocket Attacks
      • HTTP Headers
        • Clickjacking
        • CORS
        • Host Header Injection
      • Structured objects - Specific functionalities
        • XML External Entity (XXE) Injection
        • Deserialization Attacks
        • Padding Oracle Attack
      • Whitebox
        • Source Code Recovery, Analysis & Debugging
        • Python PoC Building
        • File Upload
        • SQL Injection
        • JavaScript Injection
        • SSTI (Server-Side Template Injection)
        • PHP Type Juggling
        • Prototype Pollution
        • Password Reset Attacks
    • Network Services
      • FTP 21
      • SSH 22
      • DNS 53,5353
      • FINGER 79
      • POP3 110,995
      • SNMP 161,162,10161,10162
      • MYSQL 3306
      • VNC 5800,5801,5900,5901
      • Ansible
      • Artifactory (8081)
      • Citrix
    • Wireless Pentesting
      • Wireless Reconnaissance
      • Wifite
      • RogueAP
      • WiFi Pineapple Mark VII
    • Camera Pentesting
      • Identifying Unsecured Web Cams
      • Default Passwords
      • Cameraradar
    • SCADA/ICS
      • Reconnaissance
      • Metasploit Modbus
      • modbus-cli
    • Mobile Pentesting
      • Enviroment SetUp
      • Android Pentest
      • iOS Pentest
  • 5. Privesc and Post-explotation
    • Linux Privilege Escalation
      • Manual Testing Elevation of privileges
      • Enumeration Commands
      • Enumeration Scripts
      • Looting for passwords & Interesting Information
      • Writable Files
      • SUDO
      • SSH Key
      • Scheduled tasks
      • SUID
      • Capbilities
      • NFS Root Squashing (Network File Sharing)
      • Shared Library
      • Docker Breakeout
      • Hijack TMUX session
      • Wildcard
      • Kernel Exploits
    • Linux Post-Explotation
      • SSH Backdoor
      • Manual Backdoors
      • Pillaging/Data Harvesting
    • Windows Privilege Escalation
      • Enumeration Scripts
      • Manual Enumeration
      • Metasploit tools
      • Processes Enumeration and Tasks
      • Incorrect permissions in services
      • Unquoted Service Paths
      • Insecure GUI Apps
      • Autorun
      • AlwaysInstallElevated
      • $PATH Interception
      • Looting for passwords
      • Runas
      • Impersonation Privileges
      • From local administrator to NT SYSTEM
      • Common Vulnerabilities and Exposure (CVE)
      • Kernel Exploitation
      • Named Pipes
      • Vulnerable Drivers
      • Abusing Shadow Copies
    • Windows Post-Explotation
      • Credential Theft
      • RDP Hijacking
      • Session Spying
      • WDigest
      • User backdoor
      • Manual Backdoors
      • SharPersist
      • WMI Event Subscriptions Persistance
      • Hunting for COM Hijacks
      • Mail Harvesting
    • Data Exfiltration
  • 6. Evasion Techniques
    • Linux - Evasion Techniques
    • Windows - Evasion Techniques
      • Detection Mechanisms & Evasion Techniques
      • Microsoft Defender Antivirus
      • AMSI & UAC Bypasses
      • AppLocker and Powershell CLM
      • PowerShell Script Block Logging
      • MDE (Microsoft Defender for Endpoint)
      • Altered scripts & Automations
      • Command Reimplementation C#/C
      • EDR Killing
  • 7. Tunneling
    • Port Forwarding
      • SSH Port Forwarding
      • Chisel Port Forwarding
      • Metasploit SSH Port Forwarding
    • Pivoting
      • Linux Tools & Methedology
      • Windows Tools
      • SSH Pivoting
    • C2 (Command and Control)
      • Cobalt Strike
        • Set Up and Team Server
        • Listeners
        • Payloads
        • Attacks
        • Beacon Commands
        • Session Passing
        • Maleable Profiles
        • Artifact Kit
        • Resource Kit
        • Behavioural Detections
        • Aggressor Scripts
        • Beacon Object Files (BOFs)
        • NTLM Relaying Methodology w/ Cobalt
      • Metasploit
        • Schema Cheat Sheet
        • Staged vs Non-Staged Payloads
        • Metasploit Options
        • Start MSF DB (Kali)
        • Listeners
        • Meterpreter Commands
        • Pivoting
        • Meterpreter Pass a Shell
        • Msfvenom Payloads
        • Meterpreter Pillaging/Data Harvesting
      • Havoc
        • Set Up and Team Server
        • Listeners
        • Payloads
        • Deamon Commands
      • Empire
      • Custom C2s
        • HTTP mini C2
  • 8. Profesional Reports
    • LaTeX
      • Tools
      • Variable Config
      • Template definition & PDF Preview
      • Commands
      • Pentest Report Template
    • Documentation Tools
      • Note-Taking
      • Advanced Text Editors
      • Appendix
      • Quality and Diversity of Sources
      • Document Sanitization
    • Report Anatomy
      • OSINT Report Anatomy
Powered by GitBook
On this page
  • Campaigns
  • Attacks
  • PineAP
  • Open SSID
  • Evil WPA AP
  • Evil Enterprise
  • DNS Spoofing
  • MDK4 Toolkit
  • PMKID Attack
  • Techniques
  • Control access with Filters
  • Recon
  • Sniffing
  • Handshakes
  1. 4. Exploitation
  2. Wireless Pentesting

WiFi Pineapple Mark VII

Set up:

https://docs.hak5.org/wifi-pineapple/setup

Access via web:

http://172.16.42.1:1471/

Campaigns

Automatically perform the following type of campaigns:

- Reconnaissance - Monitor Only

Passively monitor client device and access point activity within a defined region of the WiFi environment.

- Client Device Assessment - Passive

Identify client devices susceptible to basic rogue access points or evil twin attacks. Uses a passive PineAP mode to mimic access points only upon direct request. Depending on filter configuration, client devices may be allowed to associate with the WiFi Pineapple.

- Client Device Assessment - Active

Identify client devices susceptible to advanced rogue access points or evil twin attacks. Uses an active PineAP mode to broadcast an SSID pool, mimicking all access points listed. New access points may be dynamically added to the pool. Depending on filter configuration, client devices may be allowed to associate with the WiFi Pineapple.

Attacks

PineAP

When you desing a campaign, you are telling PineAP how to behave.

Advanced options:

  • Impersonate APs: Explicitly advertise lists of access points to instigate clients into connecting to previously saved networks.

Open SSID

Serve a basic, unencrypted Open access point, or automatically impersonate any Open access point requested by a client.

- Basic Open Access Point

The basic Open access point can be configured as visible or hidden; a hidden access point does not advertise its SSID, but clients which have saved the SSID will still be able to identify it, and some tools may still reveal the SSID.

- Multiple Open Access Points

When "Impersonate All Networks" is enabled, the WiFi Pineapple will answer for all SSIDs which are permitted by the filter configuration!

Filters can be used to tune the responses for your engagement, by either allowing all SSIDs in the filter list, or denying all SSIDs not in the filter list.

- Evil Portal Module

Set up an open AP with a login portal to perform phishing attacks, choose the desired template or upload a custom one.

To set up a custom capative portal, load Google template (https://github.com/kleo/evilportals/tree/master/portals) and use "save web page" extension to save the target page to simulate, then adapt it to the php google template to grab credentials and load it changing index within the pineapple GUI and not loading a new whole folder.

Evil WPA AP

The Evil WPA access point is used to impersonate a WPA (or WPA2) PSK network. It can also be used to collect partial handshakes for use with external cracking tools when the PSK is not known.

Be sure to allow your Evil WPA SSID in your filter configuration, or clients will not be able to connect!

These half-handshakes can be leveraged by hashcat to attack the original passphrase.

Evil Enterprise

Serve a WPA-Enterprise network with optional key exchange degradation. Coupled with automatic authorization of all accounts, identify misconfigured enterprise clients and capture credentials.

It is protected by a SSL certificate, which must be created first.

Properly configured WiFi Enterprise clients will reject unknown certificates, however many devices do not offer proper configuration and may either blindly accept new certificates, or prompt the user to accept the certificate.

There are three authentication types:

- Any

Clients connecting with EAP-GTC will connect as normal and the user login saved, while clients connecting with EAP-MSCHAPv2 will receive an error, but the MSCHAPv2 hash challenge will be captured and logged.

- MSCHAPv2

Most common authentication method for enterprise clients. A MSCHAPv2 client uses a hashed authentication method which does not disclose the password.

A MSCHAPv2 client will not be able to fully connect to the WiFi Pineapple access point, but the challenge hash will be captured and logged.

- GTC

Clients using GTC will disclose the full username and password, and will connect to the WiFi Pineapple as normal. The username and password will be logged.

DNS Spoofing

Once we have clients connected to our malicious AP, we can spoof DNS to redirect victims to our malicious site with the DNSspoff (https://github.com/90N45-d3v/DNSspoof-Pineapple-MK7-Module#preview) module.

MDK4 Toolkit

https://github.com/hak5/pineapple-modules/tree/master/mdk4

PMKID Attack

opkg install ca-bundle ca-certificates

opkg update

opkg install hcxdumptool

hcxdumptool -i wlan1mon -o pmkids-capture.pcapng --enable_status=1

hcxpcapngtool -o pmkids-capture.txt pmkids-capture.pcapng

Techniques

Control access with Filters

Limit your engagement by configuring access by filters. Limit to specific clients or SSIDs, or exclude specific clients or SSIDs.

Recon

- Main recon page

On the main Recon page, click on scan to start scanning.

You can search for Access Points or Clients by SSID, BSSID, or MAC address.

You can expand all clients automatically by going to the Recon Settings via the gear icon, and choosing "Expand all client lists"

Active Access Points and Clients can be automatically highlighted to make finding them easier by clicking on Recon Settings > Highlight Active Devices.

By clicking on an AP or Client in the list, a side menu will slide out, from where you can select options specific to the type of device you selected, such as capturing handshakes or cloning, or adding MAC addresses to the Filters.

- Tagged parameters

Tagged parameters are included in the beacon packets which advertise a WiFi network, and contain information about the encryption, channel selection, surrounding traffic, and more.

- Security Information

Simplified explanation of the security options employed by the network.

Sniffing

Once we have clients connected to our malicious AP, we can sniff their network activity.

- tcpdump Module

Once we have clients conected to our malicious AP, click on clients tab, identify in which interface is the client target listening, then click on the tcpdump tab and start listening in that interface. (br-lan most of the times)

- HTTPeek Module

HTTPeek displays all images, urls, cookies, and post data sent in plaintext by clients connected to the Wifi Pineapple.

Handshakes

We can click on the Automatic Handshake Capture button or target a specific network for handshake capture by selecting the network, then selecting "Capture Handshakes" from the menu.

The Handshakes tab shows any captured handshakes. Handshakes are captured in PCAP and Hashcat's 22000 format.

Handshakes that list Recon Capture as the source show that they were captured during a Recon scan or a Recon handshake capture.

Handshakes captured from the Evil WPA AP show as Evil WPA/2 Twin.

PreviousRogueAPNextCamera Pentesting

Last updated 5 months ago