We’ve seen this small, cheap, and powerful WiFi router before. But this time it’s up to no good. [Andy] used a TP-Link WR703N to build an upgraded WiFi Pineapple hacking tool.
A WiFi Pineapple is a device spawned years ago by the Hak5 team (here’s a clip showing off the device). It uses a WiFi router that will answer to any SSID request. Basically, if your computer or smartphone has an AP SSID saved and broadcasts a probe request for it, the Pineapple will pretend to be that AP and start the handshake. This provides the chance to sniff all the data passing through it in a classic man-in-the-middle attack.
[Andy] is recreating the device but at a rock bottom price. He picked up this router for about $20 and added an $8 USB drive to it. The only other thing you would need is a power source and a way to hide the hardware. The code used in the Hak5 version is available for download and that’s what he worked on after flashing OpenWrt to the device.
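The behaviour described above (one AP answering probes for every SSID it hears) is also what a defender can look for. The following is an added example, not code from the post or from [Andy]’s build: it runs over a constructed list of monitored 802.11 probe responses and beacons, flags any BSSID that claims an implausible number of SSIDs, and audits a constructed set of a client’s saved profiles for the two things the comments argue about, open profiles and remembered SSIDs that some AP is advertising with different security. The frame tuple layout and the profile map are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of frames a passive monitor might record:
# (frame_type, bssid, ssid, security). Not real capture data.
FRAMES = [
    ("probe_resp", "00:11:22:33:44:55", "CoffeeShop",   "open"),
    ("probe_resp", "00:11:22:33:44:55", "HomeNet",      "open"),
    ("probe_resp", "00:11:22:33:44:55", "Airport_WiFi", "open"),
    ("probe_resp", "00:11:22:33:44:55", "OfficeGuest",  "open"),
    ("beacon",     "66:77:88:99:aa:bb", "HomeNet",      "wpa2"),
    ("beacon",     "cc:dd:ee:ff:00:11", "CoffeeShop",   "open"),
]

# Constructed sample of a client's remembered networks: ssid -> security.
SAVED_PROFILES = {"HomeNet": "wpa2", "CoffeeShop": "open"}

def karma_suspects(frames, threshold=3):
    """Return BSSIDs that answered probes for >= threshold distinct SSIDs.
    A legitimate AP answers only for the few SSIDs it really hosts; one that
    claims every name it hears is behaving like a Karma/Pineapple device."""
    seen = defaultdict(set)
    for ftype, bssid, ssid, _sec in frames:
        if ftype == "probe_resp":
            seen[bssid].add(ssid)
    return sorted(b for b, ssids in seen.items() if len(ssids) >= threshold)

def risky_profiles(saved, frames):
    """Flag saved SSIDs a client could be lured onto: open profiles (any
    impostor can satisfy them) and encrypted profiles for which some AP is
    advertising the same name with different security than expected."""
    advertised = defaultdict(set)
    for _ftype, _bssid, ssid, sec in frames:
        advertised[ssid].add(sec)
    report = {}
    for ssid, sec in saved.items():
        if sec == "open":
            report[ssid] = "open profile: forget it or disable auto-join"
        elif advertised.get(ssid, set()) - {sec}:
            report[ssid] = "security mismatch: impostor advertising this SSID"
    return report

if __name__ == "__main__":
    print("Karma suspects:", karma_suspects(FRAMES))
    for ssid, why in risky_profiles(SAVED_PROFILES, FRAMES).items():
        print(f"{ssid}: {why}")
```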
38 thoughts on “Wifi Pineapple Project Uses Updated Hardware For Man-in-the-middle Attacks”
Inb4 not a hack. On a different note pretty impressive, would be neat if he made his own image for it.
Huh. I think I’m vulnerable to that attack on my phone–if I’m not paying attention, I might assume it’s connecting to the internet via 3G. I guess somebody might get me if they left one outside the window at my house, too, but not as reliably.
Any suggestions on not being fooled?
You won't always have the SSL option (I don't think Facebook uses it all the time, which is what the whole Firesheep cookie-stealing debacle was about). Run an SSH server at home (a RasPi running Raspbian will do), open port 23 on your router and direct it to the server.
From your laptop connect to the server using $ ssh -D8000 username@hostname
Enter your password (or enable key based authentication).
You now have your own personal SOCKS5 proxy server running on 127.0.0.1:8000, better than a VPN.
This is my fallback when my home VPN is being blocked. For some reason they usually don’t block SSH so I can still circumvent filters…
Depending on your VPN you could also run it on TCP 443 and, in the case of OpenVPN at least, it'll look like an HTTPS connection even to transparent HTTP proxies. I know TCP for VPN transport is bad – but it's better than nothing. SOCKS over SSH is also a good approach, but not every app is SOCKS enabled.
The "not every app is SOCKS enabled" thing annoys me; I wish, like with a VPN, it was possible to tunnel your whole connection through a SOCKS proxy.
So HTTPS then... but even so, am I correct in assuming that one is vulnerable to this kind of attack while the SSL session is being established? (Please pardon my ignorance.)
It depends on how many background services/apps start calling home as soon as they see a network connection. And if they do it cleartext. DNS queries thereof will at the very least tell the attacker what services/sites you use before your secure connection establishes.
Interesting. I know there are quite a lot of background services calling home on my tablet, which is more or less purpose built for cafe internet’n.
SSLStrip can deauth and force reauth, as the man in the middle. From there, the key is known by the MITM so you’re never safe unless you tunnel out or something.
Yes but what about SSLstrip?
Don’t use open wifi. If you have no open wifi accounts set up on your phone the pineapple won’t work. It can’t spoof encrypted networks.
Wrong. It most certainly will spoof an encrypted network. When your computer pushes out a “feeler” asking, “XYZ network, are you there?”, the pineapple says, “hell yeah I’m right here!”. Your computer/phone gives no fuqs about the network not matching the settings you used the last time you were there.
You can read more here — http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html
It’s much simpler, really. Just make sure your phone doesn’t have any non-password-protected access points “remembered”. The WiFi Pineapple cannot fool your phone into connecting to a password-protected AP in its memory.
This was problematic for iPhone users at one time because the factory iPhone always trusted AT&T open access points which was prime for Pineapple.
You can connect to open APs (with caution), but I’d suggest not allowing your phone to automatically connect to them, i.e. “remembering” them.
Why you should never do anything sensitive on a public Wi Fi
That’s not quite the issue in TFA. This would hijack your home AP, too, if your device sees it as the nearest router. However, I don't see how it would work unless they know the (your) AP’s key, lest your device prompts for a new password because it can't auth with the Pineapple…
It can’t hijack your home ap unless it’s an open access point.
If this relies on an open AP then there is no reason for it to exist, as any promiscuous WiFi adaptor is capable of capturing all traffic. As a standalone AP, it surely can hijack your encrypted (home) AP so long as it is configured with the same encryption mechanisms and key; if the client devices aren’t tied to the MAC of the real AP, they could connect to this one if they see it as a closer/stronger signal.
Sure, but you can do so much more when you’re the man in the middle. This isn’t just about sniffing traffic. It’s about being the internet to the client. With ssl strip you can see what’s supposed to be encrypted. Throw up a couple fake web pages and you can change the news. You can even use it to inject malicious java apps to give yourself a backdoor into the computers connecting.
Unless you already know the encrypted network password, it can’t spoof that network. Even Windows won’t connect to a network with the same name that should be encrypted that suddenly isn’t. If you already know the password, then you’re right, you don’t need the pineapple.
You said it yourself: “AP so long as it is configure with the same encryption mechanisms and key”
If they have your key you’re already hosed. That’s kind of the whole fucking point of the key.
Please correct me if I’m wrong, but AFAIK there is nothing stopping a person from doing half of the 4-way handshake, getting the client's PTK and sending it off to a server rack to crack, and then completing the handshake.
Which means in addition to having an encrypted network you also need a good password.
I’m pretty sure WPA2 isn’t vulnerable to this attack.
I bought 3 of these last time this was on hackaday:
To reinforce what others have said: if the wireless profiles in your device are all secured with at least WEP (note: don’t use WEP) then the Pineapple is null/void. It cannot start a handshake with any wireless device that uses a keyphrase.
I should also note that while Hak5 did have something to do with the Pineapple, it was 99% about pimping it all over town and making it look “pretty”; the real work was done by others and it's really just stolen software like Karma, developed by other open source groups.
Wow, where did you get your really wrong information?
“Don’t use open wifi. If you have no open wifi accounts set up on your phone the pineapple won’t work. It can’t spoof encrypted networks.”
Perhaps from you?
I would use this little guy with a GPS and Kismet installed for wardriving, but couldn’t find this particular version in Poland, neither in the stores, nor at the auction sites. Only the very crippled (memory-wise) TL-WR702N is available :(
Ebay is your friend in this case…
I just ordered two from Hong Kong.
You need to ebay it (or dx.com) as it’s not certified for the European or US market. Chinese re-sellers have no problem in shipping them to you, but they cannot sell them from within the country.
Speaking of which, where do you North Americans get your WR703N?
Just get the MR3020, it’s the same hardware just with FCC/CE stickers, a button and a switch. Just burn the appropriate OpenWrt image and everything else will work the same.
TL-MR10U, similar to the TL-WR703N but with an internal 2600mAh battery!
Now I have a security reason for turning off my WiFi on my phone outside of home. Used to be for saving battery.
Seriously not as good as the actual pineapple itself… Check the hak5 forums and see why…
Could a modified battery pack work as a power source?