Wireless Hacking with the Wifi Pineapple ๐Ÿ

Wifi penetration testing was always something I wanted to pick up. I recently got my hands on the hardware for it thanks to a mentor of mine, which enabled me to perform a range of wireless attacks in my home lab environment! If you're interested in setting up your own Wifi Pineapple, check out my in-depth guide over on my repo site!


Capturing Wireless Handshake

Recon

Like every other penetration test, this starts with recon too! The first step to the attack would be to identify our "target". In this case, I will be attacking my own network.

Scanning

  • Access the Recon tab
  • Set up the scan settings and run the scan
  • Let the scan run


Targeting

Once the scan has run for a short while, multiple targets start showing up (as seen below). These are all the networks within range of the Wifi 🍍.

Target Network

Here's my network, which I'm going to be attacking! (shown below)

It's evident that one client is currently authenticated with the network. The MAC address of the client is shown right below the router's MAC.

Attacking

Now that we have our target and have verified that clients are connected to it, we can conduct a deauth attack on the network and listen for handshakes destined for it. Deauthenticating clients from a network forces them to reconnect to it. While the reconnection is happening, we are able to sniff and capture the handshake, which we can then use to crack :)

Launching Attack

Hit the dropdown on the security tab

Hit Start Capture

Hit Deauth

Successful capture of the handshake

At this point, we have obtained a capture of the handshake which can then be used to crack the Pre-Shared Key (PSK) of the network with a trusty wordlist.

Live Attack (On client)

This is what the client sees while the attack is underway. Most of the time we wouldn't even notice this happening when we're out and about, going through our regular day.

Mobile

Desktop

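Seen from the defender's side, the deauth burst above is noisy on the air even though the client barely notices it. The following is an added example, not code from the post or from the Pineapple: it parses constructed 802.11 management frames (using the AP and client MACs shown in the post as sample values) and flags any BSSID that sends an unusual number of deauth/disassoc frames in one capture window.

```python
import struct
from collections import Counter

# 802.11 frame-control first byte: subtype (bits 4-7), type (bits 2-3), version (bits 0-1).
# Management frames (type 0): subtype 12 = deauthentication, subtype 10 = disassociation.
FC_DEAUTH = 0xC0
FC_DISASSOC = 0xA0
FC_BEACON = 0x80  # subtype 8; used below only as a frame the detector must ignore

def build_mgmt_frame(fc0, da, sa, bssid, reason):
    """Constructed frame builder for the sample window (not a real capture):
    24-byte management header (FC, duration, addr1=DA, addr2=SA, addr3=BSSID,
    sequence control) followed by a 2-byte little-endian reason code."""
    header = bytes([fc0, 0x00]) + b"\x00\x00"
    header += bytes.fromhex(da.replace(":", "")) + bytes.fromhex(sa.replace(":", ""))
    header += bytes.fromhex(bssid.replace(":", "")) + b"\x00\x00"
    return header + struct.pack("<H", reason)

def parse_deauth_like(frame):
    """Return the fields of a deauth/disassoc frame, or None for any other frame."""
    if len(frame) < 26 or frame[0] not in (FC_DEAUTH, FC_DISASSOC):
        return None
    return {
        "subtype": "deauth" if frame[0] == FC_DEAUTH else "disassoc",
        "da": frame[4:10].hex(":"),
        "sa": frame[10:16].hex(":"),
        "bssid": frame[16:22].hex(":"),
        "reason": struct.unpack_from("<H", frame, 24)[0],
    }

def detect_deauth_flood(frames, threshold=5):
    """Count deauth/disassoc frames per BSSID and report those at or above the
    threshold. A legitimate AP rarely sends more than one or two in a short window."""
    counts = Counter()
    for frame in frames:
        parsed = parse_deauth_like(frame)
        if parsed is not None:
            counts[parsed["bssid"]] += 1
    return {bssid: n for bssid, n in counts.items() if n >= threshold}

# Constructed sample window using the AP and client MACs from the post: eight spoofed
# deauths "from" the AP to the client (reason 7), one broadcast deauth, and one beacon.
AP, CLIENT, BCAST = "e4:6f:13:fa:ad:e0", "c6:ad:f2:62:67:9d", "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [build_mgmt_frame(FC_DEAUTH, CLIENT, AP, AP, 7) for _ in range(8)]
SAMPLE_FRAMES.append(build_mgmt_frame(FC_DEAUTH, BCAST, AP, AP, 7))
SAMPLE_FRAMES.append(build_mgmt_frame(FC_BEACON, BCAST, AP, AP, 0))

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE_FRAMES))  # {'e4:6f:13:fa:ad:e0': 9}
```

The same parser can be pointed at frames read from a monitor-mode pcap; the threshold should be tuned to how often your own APs legitimately deauthenticate clients.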


Cracking WPA2 Handshake

This section covers how to crack WPA2 handshakes captured with the attack vector shown above.

Cracking

We need to convert the captured .pcap file into .hccapx format before we can start cracking with it. A tool named cap2hccapx does this for us; however, we first need to download and compile it on our Unix system.

Compiling cap2hccapx

Downloading Source

wget raw.githubusercontent.com/hashcat/hashcat-u..

Compiling Tool

gcc -o cap2hccapx cap2hccapx.c

Testing Tool

./cap2hccapx

Converting

Now that we have the tool compiled and ready to go, we can convert the file and prep it for cracking!

cap2hccapx E4-6F-13-FA-AD-E0_partial.pcap capture.hccapx

Cracking with .hccapx

I'll be using Hashcat for the cracking on my host machine. Here's a post where I explain why cracking on the host machine is better 😊!

.\hashcat.exe -m 2500 .\hashes\capture.hccapx .\wordlists\rockyou.txt --force

e46f13faade0:c6adf262679d:Nee2.4:tinkerbell

tinkerbell is the PSK of the network in question.

We were successfully able to crack the handshake and retrieve the password to the lab network!


Modules

This section contains information about community modules that can be used on top of the PineAP attack.

Background

The WiFi Pineapple was created with modularity in mind. The WiFi Pineapple supports community-developed modules in addition to the system modules supplied with the WiFi Pineapple, such as Recon, Clients, and PineAP. The WiFi Pineapple API is used by several community-developed modules to expand functionality. This API can be used by anybody to build modules for the WiFi Pineapple.

Modules

Let's take a look at some of the community-made modules in this section!

We'll assume we already got our target to connect to our rogue network beforehand.


TcpDump

This module is pretty self-explanatory. It dumps all network traffic generated by our clients. It comes in very handy when we want to inspect a client's traffic for insecure protocols and possibly sniff out passwords or files that were transferred.

Demo

Hit Start and the capture will be running.

Once done, hit Stop and download the capture for analysis.

Analysis

We can simply open the capture up with Wireshark and proceed with our analysis.


DWall

DWall is similar to TCPdump, but it focuses on the web! DWall displays plaintext HTTP URLs, cookies, POST data, and images from browsing clients. It has the same limitation as TCPdump: we will only be able to see insecure (unencrypted) traffic!

Demo

Hit Start Listening to start capturing web traffic from clients.

As the clients browse insecure sites, their data is relayed to us on this page (as shown below).

Client View

Wifi 🍍 View


DNSMasq Spoof

This module forges replies to arbitrary DNS queries using DNSMasq.

Demo

Hit Start to run the spoofer.

Add a custom host entry to redirect hosts.

I'll be adding a fake entry for example.com, which is a real site that anyone can access on the web. The real site looks like the following:

Now that we have pointed it to a different IP address containing our "evil portal", let's see what happens to the clients connected to our rogue network.

Live DNS Attack

Here we can see one of the rogue network's clients navigating to example.com, but what it gets is totally different from the actual website. This shows that an attacker in a man-in-the-middle position can easily send false replies to your DNS queries, and this is highly likely to end up as a phishing attack.


PineAP

This section contains information on PineAP and how it can be used

Background

PineAP is a powerful, modular rogue access point suite that helps WiFi auditors collect clients by imitating Preferred Networks. Leveraging PineAP, we are able to see what SSIDs devices are trying to look for. Using that information and PineAP's features, we are able to advertise ourselves as that SSID which the device is looking for.

Example

Let's say you were authenticated to your home network named 4pfHome. Your phone will then look for that same SSID when you're outside with your Wifi on. PineAP sees this and advertises itself as 4pfHome to your device. If you connect, you become one of the Wifi 🍍's many clients, and that's not good. Let's take a look at how it's done!

Live Attack

Prior to launching the attack, the PineAP first has to be set up to listen.

PineAP Setup

Enable the following options to be able to capture and rebroadcast SSIDs.

Broadcast Attack

After letting PineAP do its thing for a while, we are able to see a couple of SSIDs in the SSID Pool.

Now, on my devices, I am able to see these SSIDs being broadcast as open (unprotected) networks (as shown below).

Now once our "target" connects to our network, we own it :) (kind of)

Client Connect back

Clients

We can see that both devices are connected to the Wifi 🍍, but under two different SSIDs. My laptop thinks it is connected to AndroidAP68A2 and my phone thinks it is connected to Linksys12765_5GHz.

The connected devices won't realize a thing, as the Wifi 🍍 is connected to the internet and acts how any other router would.

Now that we have both devices connected to our bogus network, we can use Modules (which will be covered in the next section) to perform various attacks.

This is how we can make use of PineAP to trick users to connect to us.

From my testing, I wasn't able to get the devices to connect to the endpoints automatically. Thus, this attack still depends on the user to make the final decision to connect.


That was an awesome way to get introduced to wireless hacking! I wish to explore more manual options in the near future 🔥!
