Wifi Pineapple project uses updated hardware for man-in-the-middle attacks

We’ve seen this small, cheap, and powerful WiFi router before. But this time it’s up to no good. [Andy] used a TP-Link WR703N to build an upgraded WiFi Pineapple hacking tool.

A WiFi Pineapple is a device spawned years ago by the Hak5 team (here’s a clip showing off the device). It uses a WiFi router that will answer to any SSID request. Basically, if your computer or smartphone has an AP SSID saved and broadcasts a request to connect, the Pineapple will pretend to be that access point and start the handshake. This provides the chance to sniff all the data passing through in a classic man-in-the-middle attack.

[Andy] is recreating the device but at a rock-bottom price. He picked up this router for about $20 and added an $8 USB drive to it. The only other thing you would need is a power source and a way to hide the hardware. The code used in the Hak5 version is available for download, and that’s what he worked on after flashing OpenWrt to the device.
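The behaviour described above has a simple defensive tell: a KARMA-style AP answers probe requests for any SSID, so in a capture one BSSID shows up as "serving" many unrelated networks, while a legitimate AP answers only for the SSIDs it is configured with. The script below is an added example (not part of the article or [Andy]’s build) that flags such BSSIDs; the log format and the sample lines are constructed.

```python
"""Flag access points that answer probe requests for many unrelated SSIDs.

A KARMA-style rogue AP replies to any directed probe request, so a single
BSSID appears to own many different SSIDs within a short window.  Real APs
answer only for the SSIDs they are configured to serve (usually one).
"""
from collections import defaultdict

# Constructed sample capture summary (not real traffic), one probe
# response per line: "<time> PROBE_RESP bssid=<mac> ssid=<name>".
# SSIDs here contain no spaces, which keeps the parser simple.
SAMPLE_LOG = """\
10:00:01 PROBE_RESP bssid=aa:bb:cc:00:00:01 ssid=CoffeeShop
10:00:02 PROBE_RESP bssid=aa:bb:cc:00:00:01 ssid=CoffeeShop
10:00:03 PROBE_RESP bssid=de:ad:be:ef:00:01 ssid=HomeNet
10:00:03 PROBE_RESP bssid=de:ad:be:ef:00:01 ssid=attwifi
10:00:04 PROBE_RESP bssid=de:ad:be:ef:00:01 ssid=Starbucks
10:00:04 PROBE_RESP bssid=de:ad:be:ef:00:01 ssid=linksys
10:00:05 PROBE_RESP bssid=de:ad:be:ef:00:01 ssid=CoffeeShop
10:00:06 PROBE_RESP bssid=11:22:33:44:55:66 ssid=Guest
10:00:06 PROBE_RESP bssid=11:22:33:44:55:66 ssid=Corp
"""


def parse_probe_responses(text):
    """Yield (bssid, ssid) pairs from lines in the simple format above."""
    for line in text.splitlines():
        tokens = line.split()[2:]  # drop timestamp and frame type
        fields = dict(t.split("=", 1) for t in tokens if "=" in t)
        if "bssid" in fields and "ssid" in fields:
            yield fields["bssid"].lower(), fields["ssid"]


def ssids_per_bssid(pairs):
    """Group the distinct SSIDs each BSSID has answered for."""
    seen = defaultdict(set)
    for bssid, ssid in pairs:
        seen[bssid].add(ssid)
    return seen


def find_karma_suspects(text, threshold=3):
    """Return {bssid: sorted SSIDs} for BSSIDs answering >= threshold SSIDs."""
    seen = ssids_per_bssid(parse_probe_responses(text))
    return {b: sorted(s) for b, s in seen.items() if len(s) >= threshold}


if __name__ == "__main__":
    for bssid, ssids in find_karma_suspects(SAMPLE_LOG).items():
        print(f"suspicious AP {bssid}: answered for {len(ssids)} SSIDs: "
              + ", ".join(ssids))
```

The threshold is a tuning knob: a multi-SSID enterprise AP will legitimately answer for a few names, while a Pineapple answering every probe it hears will run far past any sensible limit within seconds.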

[Thanks Midnite]

36 thoughts on “Wifi Pineapple project uses updated hardware for man-in-the-middle attacks”

  1. Huh. I think I’m vulnerable to that attack on my phone–if I’m not paying attention, I might assume it’s connecting to the internet via 3G. I guess somebody might get me if they left one outside the window at my house, too, but not as reliably.

    Any suggestions on not being fooled?

      1. You won’t always have the SSL option (I don’t think Facebook uses it all the time, which is what the whole Firesheep cookie-stealing debacle was about). Run an SSH server at home (a RasPi running Raspbian will do), open port 23 on your router and direct it to the server.

        From your laptop connect to the server using $ssh -D8000 username@hostname
        Enter your password (or enable key based authentication).

        You now have your own personal SOCKS5 proxy server running on 127.0.0.1:8000, better than a VPN.

          1. Depending on your VPN you could also run it on TCP 443 and, in the case of OpenVPN at least, it’ll look like an HTTPS connection even to transparent http proxies. I know TCP for VPN transport is bad – but it’s better than nothing. SOCKS over SSH is also a good approach, but not every app is SOCKS enabled.

          2. The not every app SOCKS thing annoys me, I wish like a VPN it was possible to tunnel your connection through a SOCKS proxy.

      2. So HTTPS then… but even so, am I correct in assuming that one is vulnerable to this kind of attack while the SSL session is being established? (Please pardon my ignorance.)

        1. It depends on how many background services/apps start calling home as soon as they see a network connection. And if they do it cleartext. DNS queries thereof will at the very least tell the attacker what services/sites you use before your secure connection establishes.

          1. Interesting. I know there are quite a lot of background services calling home on my tablet, which is more or less purpose built for cafe internet’n.

        2. SSLStrip can deauth and force reauth, as the man in the middle. From there, the key is known by the MITM so you’re never safe unless you tunnel out or something.

    1. That’s not quite the issue in TFA. This would hijack your home AP, too, if your device sees it as the nearest router. However, I don’t see how it would work unless they know the (your) AP’s key, lest your device prompts for a new password because it can’t auth with the Pineapple…

        1. If this relies on open APs then there is no reason for it to exist, as any promiscuous WiFi adaptor is capable of capturing all traffic. As a standalone AP, it surely can hijack your encrypted (home) AP so long as it is configured with the same encryption mechanisms and key, and if the client devices aren’t tied to the MAC of the real AP they could connect to this if they see it as a closer/stronger signal.

          1. Sure, but you can do so much more when you’re the man in the middle. This isn’t just about sniffing traffic. It’s about being the internet to the client. With ssl strip you can see what’s supposed to be encrypted. Throw up a couple fake web pages and you can change the news. You can even use it to inject malicious java apps to give yourself a backdoor into the computers connecting.

            Unless you already know the encrypted network password, it can’t spoof that network. Even Windows won’t connect to a network with the same name that should be encrypted that suddenly isn’t. If you already know the password, then you’re right, you don’t need the pineapple.

          2. @Erik Johnson
            You said it yourself: “AP so long as it is configure with the same encryption mechanisms and key”

            “and key”

            If they have your key you’re already hosed. That’s kind of the whole fucking point of the key.

        2. Please correct me if I’m wrong, but AFAIK there is nothing stopping a person from doing half of the 4-way handshake, getting the client’s PTK and sending it off to a server rack to crack, and then completing the handshake.
          Which means in addition to having an encrypted network you also need a good password.

  2. To reinforce what others have said: if the wireless profiles in your device are all secured with at least WEP (note: don’t use WEP) then the Pineapple is null/void. It cannot start a handshake with any wireless device that uses a keyphrase.

    I should also note that while Hak5 did have something to do with the Pineapple, it was 99% about pimping it all over town and making it look “pretty”; the real work was done by others and it’s really just stolen software like KARMA developed by other open source groups.

      1. “Don’t use open wifi. If you have no open wifi accounts set up on your phone the pineapple won’t work. It can’t spoof encrypted networks.”

        Perhaps from you?

  3. I would use this little guy with a GPS and Kismet installed for wardriving, but couldn’t find this particular version in Poland, neither in the stores, nor at the auction sites. Only the very crippled (memory-wise) TL-WR702N is available :(

    1. You need to ebay it (or dx.com) as it’s not certified for the European or US market. Chinese re-sellers have no problem in shipping them to you, but they cannot sell them from within the country.

    2. Just get the MR3020, it’s the same hardware just with FCC/CE stickers, a button and a switch. Just burn the appropriate OpenWRT image and everything else will work the same.

  4. Now I have a security reason for turning off my WiFi on my phone outside of home. Used to be for saving battery.
