Wifi Pineapple Project Uses Updated Hardware For Man-in-the-middle Attacks

We’ve seen this small, cheap, and powerful WiFi router before. But this time it’s up to no good. [Andy] used a TP-Link WR703N to build an upgraded WiFi Pineapple hacking tool.

A WiFi Pineapple is a device spawned years ago by the Hak5 team (here’s a clip showing off the device). It uses a WiFi router that will answer any SSID probe request. Basically, if your computer or smartphone has an AP SSID saved and broadcasts a request to connect, the Pineapple will pretend to be that access point and start the handshake. This provides the chance to sniff all the data passing through in a classic man-in-the-middle attack.

[Andy] is recreating the device at a rock-bottom price. He picked up this router for about $20 and added an $8 USB drive to it. The only other things you would need are a power source and a way to hide the hardware. The code used in the Hak5 version is available for download, and that’s what he worked from after flashing OpenWrt to the device.
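The behaviour described above, one radio answering probe requests for whatever SSID a client asks about, is also what gives the attack away from the defender’s side. The following is an added example (not from the article or from Hak5) that runs two checks over a summary of captured 802.11 management frames: a BSSID that answers probes for many distinct SSIDs, and a saved SSID that is suddenly advertised as open. The frame records and the saved-profile list are constructed for the example; a real capture would be exported from a monitor-mode interface.

```python
"""Flag Karma-style rogue AP behaviour in a summary of captured 802.11 frames.
Each record is (frame_type, bssid, ssid, security). All data below is constructed."""
from collections import defaultdict

# Assumed: the client's saved Wi-Fi profiles and the security each one expects.
SAVED_PROFILES = {"HomeNet": "WPA2", "CoffeeShop": "OPEN", "attwifi": "OPEN"}

# Constructed frame summaries: (frame_type, bssid, ssid, security)
FRAMES = [
    ("probe_resp", "aa:bb:cc:00:00:01", "HomeNet", "WPA2"),
    ("beacon",     "aa:bb:cc:00:00:01", "HomeNet", "WPA2"),
    ("probe_resp", "de:ad:be:ef:00:01", "CoffeeShop", "OPEN"),
    ("probe_resp", "de:ad:be:ef:00:01", "attwifi", "OPEN"),
    ("probe_resp", "de:ad:be:ef:00:01", "HomeNet", "OPEN"),
    ("probe_resp", "de:ad:be:ef:00:01", "linksys", "OPEN"),
]

def karma_suspects(frames, min_ssids=3):
    """Return BSSIDs that sent probe responses for min_ssids or more distinct SSIDs.
    A normal AP answers only for its own SSID(s); a Karma-style AP answers for
    whatever the client probes for, so its SSID set grows with every client."""
    ssids_by_bssid = defaultdict(set)
    for ftype, bssid, ssid, _sec in frames:
        if ftype == "probe_resp":
            ssids_by_bssid[bssid].add(ssid)
    return sorted(b for b, s in ssids_by_bssid.items() if len(s) >= min_ssids)

def security_downgrades(frames, profiles):
    """Return (bssid, ssid) pairs where a saved, encrypted SSID is advertised as
    open. A client that only auto-joins encrypted profiles will refuse these,
    but seeing them at all tells you someone is impersonating your network."""
    hits = set()
    for _ftype, bssid, ssid, sec in frames:
        expected = profiles.get(ssid)
        if expected and expected != "OPEN" and sec == "OPEN":
            hits.add((bssid, ssid))
    return sorted(hits)

if __name__ == "__main__":
    print("Karma-like BSSIDs:", karma_suspects(FRAMES))
    print("Downgraded SSIDs:", security_downgrades(FRAMES, SAVED_PROFILES))
```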

[Thanks Midnite]

38 thoughts on “Wifi Pineapple Project Uses Updated Hardware For Man-in-the-middle Attacks”

  1. Huh. I think I’m vulnerable to that attack on my phone–if I’m not paying attention, I might assume it’s connecting to the internet via 3G. I guess somebody might get me if they left one outside the window at my house, too, but not as reliably.

    Any suggestions on not being fooled?

      1. You won’t always have the SSL option (I don’t think Facebook uses it all the time, which is what the whole Firesheep cookie-stealing debacle was about). Run an SSH server at home (a RasPi running Raspbian will do), open port 23 on your router and direct it to the server.

        From your laptop, connect to the server using $ ssh -D8000 username@hostname
        Enter your password (or enable key-based authentication).

        You now have your own personal SOCKS5 proxy server running on 127.0.0.1:8000, better than a VPN.

          1. Depending on your VPN you could also run it on TCP 443 and, in the case of OpenVPN at least, it’ll look like an HTTPS connection even to transparent http proxies. I know TCP for VPN transport is bad – but it’s better than nothing. SOCKS over SSH is also a good approach, but not every app is SOCKS enabled.

      2. So HTTPS then. . . but even so, am I correct in assuming that one is vulnerable to this kind of attack while the SSL session is being established? (Please pardon my ignorance.)

        1. It depends on how many background services/apps start calling home as soon as they see a network connection. And if they do it cleartext. DNS queries thereof will at the very least tell the attacker what services/sites you use before your secure connection establishes.

          1. Interesting. I know there are quite a lot of background services calling home on my tablet, which is more or less purpose built for cafe internet’n.

        2. SSLStrip can deauth and force reauth, as the man in the middle. From there, the key is known by the MITM so you’re never safe unless you tunnel out or something.

    1. It’s much simpler, really. Just make sure your phone doesn’t have any non-password-protected access points “remembered”. The WiFi Pineapple cannot fool your phone into connecting to a password-protected AP in its memory.

      This was problematic for iPhone users at one time because the factory iPhone always trusted AT&T open access points which was prime for Pineapple.

      You can connect to open APs (with caution), but I’d suggest not allowing your phone to automatically connect to them, i.e. “remembering” them.

    1. That’s not quite the issue in TFA. This would hijack your home AP, too, if your device sees it as the nearest router. However, I don’t see how it would work unless they know the (your) AP’s key, lest your device prompts for a new password because it can’t auth with the Pineapple…

        1. If this relies on open APs then there is no reason for it to exist, as any promiscuous WiFi adaptor is capable of capturing all traffic. As a standalone AP, it surely can hijack your encrypted (home) AP so long as it is configured with the same encryption mechanisms and key, and if the client devices aren’t tied to the MAC of the real AP they could connect to this if they see it as a closer/stronger signal.

          1. Sure, but you can do so much more when you’re the man in the middle. This isn’t just about sniffing traffic. It’s about being the internet to the client. With SSLstrip you can see what’s supposed to be encrypted. Throw up a couple of fake web pages and you can change the news. You can even use it to inject malicious Java apps to give yourself a backdoor into the computers connecting.

            Unless you already know the encrypted network password, it can’t spoof that network. Even Windows won’t connect to a network with the same name that should be encrypted that suddenly isn’t. If you already know the password, then you’re right, you don’t need the pineapple.

          2. @Erik Johnson
            You said it yourself: “AP so long as it is configure with the same encryption mechanisms and key”

            “and key”

            If they have your key you’re already hosed. That’s kind of the whole fucking point of the key.

        2. Please correct me if I’m wrong, but AFAIK there is nothing stopping a person from doing half of the 4-way handshake, getting the client’s PTK and sending it off to a server rack to crack, and then completing the handshake.
          Which means in addition to having an encrypted network you also need a good password.

  2. To reinforce what others have said, if the wireless profiles in your device are all secured with at least WEP (note: don’t use WEP) then the Pineapple is null/void. It cannot start a handshake with any wireless device that uses a passphrase.

    I should also note that while Hak5 did have something to do with the Pineapple, it was 99% about pimping it all over town and making it look “pretty”. The real work was done by others and it’s really just stolen software like Karma developed by other open source groups.

  3. I would use this little guy with a GPS and Kismet installed for wardriving, but couldn’t find this particular version in Poland, neither in the stores, nor at the auction sites. Only the very crippled (memory-wise) TL-WR702N is available :(

    1. You need to eBay it (or dx.com) as it’s not certified for the European or US market. Chinese re-sellers have no problem shipping them to you, but they cannot sell them from within the country.
