Field notes on wireless and network offense: WiFi Pineapple tradecraft, DNS spoofing, and RF peripheral hijacking. Migrated over from an old blog I ran under a previous handle.
Everything here is written for authorized penetration testing and security research: networks and devices you own, or that you have explicit written permission to test. Don't be a jackass with it.
๐ก What is the WiFi Pineapple?
๐กWiFi PineappleReconโโโ Beginnerยท 3 min read
TL;DR
A Hak5 device that exploits how devices auto-trust known WiFi networks, using an Evil Twin technique to impersonate them. It's a legit pentest tool that's also dual-use, so intent is everything.
The WiFi Pineapple is a compact, versatile device that has become synonymous with wireless network auditing and penetration testing. Developed by Hak5, the Pineapple simplifies complex tasks related to WiFi security, making it a valuable tool for ethical hackers and security professionals. However, its capabilities have also sparked ethical debates due to its potential misuse.
What Is the WiFi Pineapple?
The WiFi Pineapple is essentially a portable, Linux-powered router equipped with advanced tools for network monitoring, reconnaissance, and exploitation. Unlike standard routers, it comes preloaded with software that allows users to simulate attack scenarios, test wireless network resilience, and analyze vulnerabilities.
How Does It Work?
At its core, the WiFi Pineapple exploits inherent vulnerabilities in wireless communication. Many devices automatically connect to known WiFi networks without verifying their authenticity, a behavior based on "probe requests." The Pineapple can impersonate legitimate networks using a technique known as the Evil Twin Attack, tricking devices into connecting to it instead.
Who Uses the WiFi Pineapple?
๐งโ๐ป
Ethical Hackers
Assess and improve wireless network security.
๐ฌ
Security Researchers
Understand and mitigate WiFi vulnerabilities.
๐ข
IT Professionals
Test company networks for weak spots.
While it is a powerful tool for good, its misuse for malicious purposes like eavesdropping and data theft is a growing concern.
Why Is It Controversial?
The WiFi Pineapple's accessibility and ease of use make it appealing to both professionals and bad actors. This dual-use nature highlights the ethical responsibility tied to its use. When wielded responsibly, it aids in bolstering cybersecurity defenses. When misused, it can compromise privacy and data security.
Conclusion
The WiFi Pineapple is a groundbreaking tool that showcases the balance between advancing technology and ethical responsibility. Whether it's a security professional's ally or a potential threat lies in the intent of the user. With proper regulation and ethical application, the Pineapple has the potential to strengthen wireless security in an increasingly connected world.
๐ฃ Using Evil Portal with the WiFi Pineapple
๐ฃWiFi PineapplePhishingโโโ Intermediateยท 5 min read
TL;DR
Evil Portal turns the Pineapple into a rogue AP that redirects victims to fake login pages to harvest credentials. Setup is a git clone plus a template pick. It needs explicit authorization, since this is illegal without it.
Phishing is one of the most effective and widely used methods for cyber attacks. Among the tools used for phishing, the WiFi Pineapple stands out as a versatile and powerful device designed specifically for security testing and penetration testing. This article explores how the WiFi Pineapple can be utilized in phishing attacks and discusses its key features.
The WiFi Pineapple is capable of executing Man-in-the-Middle (MITM) attacks, one of which is phishing. By impersonating legitimate Wi-Fi networks, the WiFi Pineapple tricks unsuspecting users into connecting to a rogue access point. Once connected, attackers can inject malicious content or steal sensitive data such as login credentials.
How Phishing Works with the WiFi Pineapple
Phishing with the WiFi Pineapple is straightforward. The device acts as a rogue access point, broadcasting fake Wi-Fi networks that appear legitimate.
1
Rogue Access Point Creation
The attacker sets up the WiFi Pineapple to broadcast a fake Wi-Fi network. The SSID can be chosen to resemble a public hotspot or a home network, making it more likely that victims will connect.
2
Client Connection
When a victim connects to the rogue network, the WiFi Pineapple automatically intercepts the connection, providing internet access through its own network.
3
Phishing Pages
Once the victim is connected, the attacker can inject phishing pages into the victim's browser that mimic legitimate login portals.
4
Data Harvesting
The WiFi Pineapple can capture usernames, passwords, and other data users enter into these fraudulent pages.
Key Features for Phishing
๐ถ
Rogue AP Attack
Impersonate legitimate access points to intercept unsuspecting victims.
Causes devices to auto-connect to the Pineapple without user interaction.
๐
Recon Mode
Identifies nearby Wi-Fi networks and connected devices for precise targeting.
๐ฏ
Honeypot Detection
Simulates a honeypot to observe attacker behavior for defensive testing.
Evil Portal Installation and Setup
Once you've fully set up your WiFi Pineapple, follow these steps to configure Evil Portal:
SSH into your WiFi Pineapple:
you@laptop
ssh root@172.16.42.1 # Enter the password set during setup
Install Git (if not already installed):
root@172.16.42.1
opkg update && opkg install git
Clone the Evil Portals template repository into the /root directory:
root@172.16.42.1
git clone https://github.com/kleo/evilportals.git
Navigate to the portals directory to view available portal templates:
root@172.16.42.1
cd evilportals/portals/
Then, from the WiFi Pineapple's web UI, open the Evil Portal module, click Install, activate Evil Portal on Boot, and select a pre-configured phishing template, or build your own.
Legal and Ethical Considerations
Using the WiFi Pineapple for phishing without explicit permission is illegal. Phishing attacks violate privacy laws and can result in severe legal consequences. Always use these techniques for ethical hacking purposes, such as penetration testing with the consent of the target organization.
Conclusion
Phishing with the WiFi Pineapple is an effective technique for testing the security of Wi-Fi networks. By setting up rogue access points and injecting malicious content, attackers can harvest sensitive data from unsuspecting users. However, it is critical to follow ethical hacking practices and obtain explicit permission before using these techniques in a live environment.
๐ WiFi Pineapple: Capturing WiFi Handshakes
๐WiFi PineappleWPA/WPA2โโโ Intermediateยท 5 min read
TL;DR
Deauth a client on a network you're authorized to test, capture the handshake when it reconnects, then crack it offline with Hashcat or John the Ripper.
One of the most common tasks in wireless penetration testing is capturing WiFi handshakes. This is a critical step for cracking WiFi passwords and evaluating the strength of the encryption protocols protecting a network. The WiFi Pineapple mk7 is an incredibly effective tool that simplifies this process.
What is a WiFi Handshake?
A WiFi handshake occurs when a device connects to a WiFi network, and the access point authenticates the device using encryption protocols like WPA2 or WPA3. Capturing this handshake is crucial because it contains information about the network and encrypted credentials that can later be cracked. By capturing a handshake, penetration testers can attempt to crack the WiFi password offline, using techniques like brute-forcing or dictionary attacks.
Why Use WiFi Pineapple to Capture Handshakes?
The WiFi Pineapple is an all-in-one device designed to simplify penetration testing tasks. When capturing handshakes, it's essential to have a tool that can easily perform a deauthentication attack on nearby devices to force them to reconnect to the network, thereby generating a new handshake. The WiFi Pineapple makes this process straightforward, with features that allow targeted attacks while monitoring the WiFi environment.
Step-by-Step Guide
1
Set Up Your WiFi Pineapple
Ensure it's connected to your computer or network. Kali Linux, Parrot Security OS, or any pentest environment works fine via SSH or the web interface.
2
Select the Target Network
Use Recon Mode to scan nearby wireless networks and identify the network you want to target.
3
Enable Deauthentication Attack
Force clients to disconnect and reconnect using the Deauth Attack feature. Sending deauthentication packets causes them to drop and re-establish their connection, generating a new handshake.
4
Capture the Handshake
Once deauthentication succeeds, the client reconnects and the Pineapple captures the handshake.
5
Save the Handshake File
The captured handshake is saved as a .cap or .hccapx file containing the network's encrypted credentials, ready to pass through a password-cracking tool like Hashcat or John the Ripper.
Key Features
๐
Recon Mode
Scans all nearby WiFi networks and devices to help identify the target.
โก
Deauthentication Attack
Sends deauth packets to disconnect clients and trigger the handshake process.
๐ฆ
Packet Capture
Automatically captures and stores the handshake in a readable format.
๐
Automatic Capture
Captures handshakes automatically once conditions are met.
Cracking the Handshake
If the handshake is in .cap format, convert it to .hccapx for Hashcat (e.g. with cap2hccapx), then run a dictionary or brute-force attack:
you@laptop
hashcat -m 2500 -a 0 handshake.hccapx wordlist.txt
If it cracks, you have the WiFi password. If not, try a different wordlist or approach.
Start Pineapple Handshake Capture
Navigate to the Recon tab under the WiFi Pineapple web UI. After a few seconds you should start to see Access Points populate your list, along with your Clients List. Select your controlled target network, one you clearly have permission to test, and once clients populate against it, click Capture WPA Handshakes. This deauthenticates all clients connected to that access point, and once a client reconnects, the handshake pcap is captured and stored for cracking later.
๐ฅ
Clients List
Clients connected to various access points: MAC address, vendor, time seen, and the BSSID they're associated with.
๐ก
Access Points List
Nearby access points: MAC address, vendor, clients connected, WPS protocol, and signal strength.
Ethical Considerations
WiFi Pineapple is an incredibly powerful tool, and with great power comes great responsibility. Only use it for legitimate purposes: testing networks you own, or that you have explicit permission to test. Unauthorized access to WiFi networks is illegal and punishable under laws in many regions. Always ensure you have written consent before conducting any penetration test on a third-party network.
Conclusion
Capturing WiFi handshakes with the WiFi Pineapple is a crucial skill for penetration testers and security professionals. By leveraging its features, you can enhance your penetration testing skills, gain deeper insights into WiFi security, and contribute to making the digital world a safer place. Stay ethical, stay curious, and keep hacking.
๐ DNS Spoofing: Redirecting Traffic with /etc/hosts and dnsmasq
๐DNSRed Teamโโโ Beginnerยท 4 min read
TL;DR
Add a line to /etc/hosts pointing a target domain at your phishing server's IP, restart dnsmasq, and you're done. No remote DNS control needed, since it works purely at the local resolution layer.
DNS spoofing (or DNS cache poisoning) is a potent technique often used in penetration testing to intercept network traffic by redirecting DNS queries. This method allows attackers to manipulate the Domain Name System (DNS) by tricking machines into resolving domain names to incorrect IP addresses.
In this guide, we'll explore how to redirect traffic from a target domain to another machine, such as one running a phishing server, using the /etc/hosts file and dnsmasq. This is an essential tactic for red teaming and penetration testing, helping security professionals understand how attackers might exploit DNS vulnerabilities.
What is DNS Spoofing?
DNS spoofing involves manipulating DNS queries to resolve domain names to malicious IP addresses. This can lead to a variety of attacks, such as phishing, man-in-the-middle (MITM), or malware distribution. In this specific method, we redirect a domain to a different IP address (the phishing server's IP) by modifying the local machine's DNS resolution.
Why Use /etc/hosts for DNS Spoofing?
The /etc/hosts file is a simple configuration file on Unix-like systems used to map domain names to IP addresses. This file takes precedence over DNS queries, allowing you to specify custom IP addresses for specific domains. That's useful in environments where DNS is not centrally managed, or where an attacker has control over the local machine's DNS settings.
Prerequisites
๐ฏ
Target Machine
Somewhere you can modify /etc/hosts: your own machine, or a test target.
๐ฅ๏ธ
Phishing Server
Set up on another machine, listening on a specific IP.
๐งฉ
dnsmasq
Installed and running to handle DNS queries locally.
Step 1: Set Up the Phishing Server
Before proceeding, have a phishing server running. Tools like the Social Engineering Toolkit (SET) or Evilginx2 can set up a server that mimics a login page for a specific site. Make sure it's accessible on a known IP address.
Step 2: Modify the /etc/hosts File
Open the /etc/hosts file on your WiFi Pineapple:
root@pineapple
nano /etc/hosts
Add a line redirecting the target domain to your phishing server's IP. For example, if the phishing server is at 192.168.1.100 and the target domain is memes.com:
/etc/hosts
192.168.1.100 memes.com
Save and exit (CTRL + X, Y, ENTER). The device will now resolve memes.com to your phishing server's IP.
Step 3: Restart dnsmasq
dnsmasq is a lightweight DNS forwarder/DHCP server used to cache and route DNS requests locally. Restart it so the change takes effect:
The request should land on your phishing server. You can also confirm resolution directly:
you@laptop
nslookup memes.com
Key Features of This Approach
๐
Local DNS Resolution
Overriding /etc/hosts redirects traffic for specific domains to any IP, locally.
๐พ
dnsmasq Caching
Restarting it refreshes the local DNS cache so changes apply immediately.
๐
No Root DNS Needed
Doesn't require control over a remote DNS server, which makes it effective for local redirection.
Ethical Considerations
DNS spoofing can be a powerful tool in penetration testing and security research, but use it responsibly: always have explicit permission before performing any penetration testing or DNS spoofing on networks or systems you do not own, and educate users about the dangers of phishing and the importance of DNS security.
Conclusion
DNS spoofing via /etc/hosts and dnsmasq is a simple yet effective way to hijack DNS queries and redirect traffic to a phishing server or malicious IP. It's incredibly useful for penetration testers and red teams, but it must always be performed ethically and with consent. Stay ethical, stay vigilant, and keep learning.
๐ฑ๏ธ Hijacking Wireless Devices: MouseJack
๐ฑ๏ธRadioCVE-2016-10761โโโ Advancedยท 3 min read
TL;DR
Many wireless keyboards and mice use unencrypted, unauthenticated proprietary RF protocols. A USB radio dongle can inject keystrokes into them silently, with no victim interaction needed.
MouseJack is a security vulnerability that allows attackers to intercept and manipulate wireless communications between keyboards, mice, and their USB receivers. This flaw, affecting several popular manufacturers, exposes users to risks such as unauthorized keystroke injection and data exfiltration.
What is MouseJack?
MouseJack was discovered by Bastille Networks, revealing weaknesses in the implementation of wireless communication protocols for certain peripherals. Unlike Bluetooth devices that typically use robust encryption, many wireless keyboards and mice rely on proprietary protocols with inadequate security measures.
Attackers exploiting MouseJack can use a USB radio dongle and a few lines of code to:
Inject malicious keystrokes into the target's computer.
Bypass encryption due to unprotected data transmissions.
Take control of the connected system.
How It Works
MouseJack leverages vulnerabilities in the 2.4GHz wireless spectrum, a frequency range widely used by wireless peripherals:
1
Scanning for Devices
Identifying wireless keyboards and mice operating on vulnerable protocols within range.
2
Packet Injection
Using a USB radio dongle to inject unauthorized packets into the communication stream.
3
Keystroke Injection
Simulating legitimate device behavior to send keystrokes and execute commands.
4
Lack of Authentication
Many affected devices don't authenticate their receivers, letting attackers hijack the link seamlessly.
Affected Devices
MouseJack impacts peripherals from several major manufacturers, including but not limited to Logitech, Dell, HP, and Microsoft. These are devices that often prioritize ease of use over robust security, leaving gaps in encryption and authentication.
Demonstration
A typical MouseJack attack: the attacker connects a USB radio dongle to a laptop, uses an open-source tool such as the MouseJack suite to scan for active wireless devices, and once a target is identified, injects a sequence of keystrokes to open a terminal and download malware. The attack is quick, silent, and requires no interaction from the victim.
Mitigation Strategies
๐ ๏ธ
Firmware Updates
Manufacturers should release patches to address protocol weaknesses.
๐
Encryption
Implement end-to-end encryption for all wireless communications.
๐ค
Authentication
Require pairing verification between devices and receivers.
๐
Firmware Check
Users should regularly update device firmware.
โฌ๏ธ
Upgrade Devices
Use peripherals with modern security standards, like Bluetooth with AES.
๐
Disable Receivers
Unplug wireless receivers when not in use to minimize exposure.
Conclusion
MouseJack underscores the importance of security in wireless technologies. While these peripherals offer convenience, they can introduce significant risks if not properly secured. Both manufacturers and users must take proactive steps to mitigate these vulnerabilities and ensure safer wireless communication.