Discussion on wireless security auditing equipment WiFi Pineapple Nano series Pineap

Objective:

Previously introduced the foreign wireless security audit equipment The WiFi Pineapple nano sslsplit modules and Ettercap modules and experiments.

In the process of playing WiFi Pineapple nano device, given that the individual has only a few network cards, testing to find that the Nano can support the network card chip has: rtl8187l, RT3070, AR9271, RT5370 ..., Friends in the process of their own testing if you find that the network card is not recognized, please refer to the use of a few chips just mentioned network card.

Today we introduce a main function module of the Pineapple Nano Pineap and several other methods involved in the work of pineap with several modules.

0x01 Recon Module

Currently, there are two main types of tools for wireless scanning classes: Passive (passive) and active (active).

The principle of passive scanning is to follow the communication packets of all the wireless signals in the channel, and to obtain the information of AP and client by analyzing the contents of the packet.

Active scanning is a periodic request packet to the surrounding fire detection class (Probe request), a laptop with a wireless card after the boot network card automatically access to the operating system known AP hotspot process is an example of active scanning. Because the two principles are different, the effect of passive scanning is much better than active scanning.

Let's take a look at the specific features of the Recon module in WiFi Pineapple nano.

First, the recon module uses a passive scanning method, the scanning process will automatically set the network card to listen mode, listening to the different channels around the (client) issued a variety of packets.

Recon can scan the SSID, MAC address, encryption mode, whether the WPS function, channel and signal strength are enabled, and recon can even scan out clients that are not currently connected to any APS.

When performing a scan operation, simply follow the preset scan time (e.g. 15s, 30s, 60s ...). ), click "Scan" to start a button. If you tick "continuous", the scan will continue, that is, constantly probing around and displaying the results.

In the process of using the Recon module, the most likely problem is this situation: after clicking "Scan", "there is an error starting Recon ..." appears.

When this problem occurs, we recommend that you first check the following networking settings under the WiFi Client mode, where the interface name is "Wlan1".

Because the variable name of the default interface is "Wlan1" at the code level of the module, the error occurs if the name of the interface is not the default "Wlan1".

There are two ways to solve this problem:

First, only a piece of external network card default name is automatically wlan1;

The second is to modify the Recon module's variable name to the currently displayed interface name (for example, change to Wlan2, wlan3 ... ）。

In general, the basic functionality of the Recon module is simple and powerful.

0x02 Logging Module

The Pineap module filters the logs in logging, such as deduplication, refresh, delete, download, etc., and also supports filtering based on the SSID or MAC address feature.

System Log for Nano system

In general, WiFi Pineapple Nano logging module is relatively simple, mainly used to filter query Pineap module log.

0x03 Landing Page

Essentially, the landing page feature does not belong to a separate module, but is placed only in the configuration settings of the Pineapple Nano.

Landing page enabled can be all connected to the Pineapple Nano Client, force to navigate to a portal Web page, this web can have our custom, support HTML, JS, PHP language, etc., we will see a about Landing A simple instance usage of the page feature.

0x04 pineap Module

Next introduce our main role in this article: Pineap, mentioned pineap may have some students have not heard its name, but familiar with wireless security testing field of students must have heard karma, Basically pineap is equivalent to karma (and can only work for clients that Zenglian take open mode).

Simply put, Pineap is a fake probe response response package that responds to the surrounding client (perhaps a laptop, cell phone, pad, and so on), letting the client think that there is a wireless AP that has been successfully connected, and is used to trick the client into connecting our pineapple Nano equipment.

(Probe response corresponds to the scan request packet we mentioned above Probe request, for pineap or karma of the function of the classmate, can refer to the freebuf of other related articles)

Let's take a look at several options for pineap in the Web interface. First of all, the PINEAP function needs to click the "Switch" button in the diagram to make it "enable", and then tick the above three options "Allow associations", "Log Probes", "Log Associations", and then check the following " Beacon Response "option, then select the Beacon Response interval mode as" normal or aggressive "and save it at the last minute.

Allow associations: Enable (accept) The detection or connection request of all the surrounding clients, usually with the filters module for filtering time to use, generally we are allowed.

Log probes, log associations: One is to record the client's request log for pineapple Nano, and the other is the connection log of the client and pineapple Nano, which is recorded in the logging module, Convenient for us to inquire.

Beacon Response: When enabled, simulates a real wireless AP in response to those around the pineapple nano that makes probe request requests (in one-to-one, not broadcast mode).

Beacon Response Interval: is used to select the send rate of the Beacon Response response packet, generally normal or aggressive, it is important to note that aggressive mode consumes more CPU resources.

As shown, after clicking Save, the Pineap feature is enabled, and in a few minutes we'll be able to see which clients are around in the logging and where they've been connected to those APs.

After a while, we can see that there are two clients that we have successfully deceived and connected to.

(This can be successfully connected to our Pineapple Nano device and the surrounding client's specific equipment situation and true and false AP signal strength, this article in the experimental process also tried for a long time)

When this time, if we enable the above mentioned landing page feature spoof these clients? These clients will see this when they visit any Web page:

Even on the dashboard panel, we can see how many client browsers have visited the landing page pages we designed.

If we're doing something deeper:

Like this:

More creative page design, left to all interested students to try it yourself.

Discussion on wireless security auditing equipment WiFi Pineapple Nano series Pineap