Hacking, Coding and Gaming | @[email protected]

After reading @TroyHunt's blog post about the (WiFi) Pineapple he's been playing with, I got a little jealous and was considering buying one of my own - $100 at HakShop - but didn't really feel like parting with the money or waiting forever for it to arrive. So I looked into how it works, what software it uses, and what alternatives there are...

In short, "airbase-ng" (one of the "aircrack-ng" tools) seems to cover most of the bases. One of the useful things it does is let you create fake access points with a name you specify - used properly this provides some great attack vectors, but it's also just fun to push your own text (or lots of it) into nearby people's wireless access point lists. You do need to put the card into monitor mode with "airmon-ng start" before using it though.

I wanted to create multiple fake access points, which at the time of writing "airbase-ng" didn't support (I don't think), so I had to run the command multiple times. Thinking I may want to do this regularly in the future, I decided to write a simple bash script to simplify the process - it just takes the name for the access point as a command line option. I noticed that my iPhone only listed one faked access point unless I specified a different MAC address for each instance of "airbase-ng" running, so I included some code to generate a faked MAC address as well (pastebin here: http://pastebin.com/XcMT37T8):

[Image: fakeap01]

Nothing overly complicated, but it makes it a bit quicker and easier to open a new console and create a new fake access point. As you can see below, each time the script is run (and told to create a fake access point with my domain as its name) it creates it with a new MAC address. My script uses MAC addresses starting with "00" because of an error I got from time to time saying the (random) MAC address couldn't be set - this way things keep working, but keep in mind these MAC addresses would look obviously suspicious to anyone checking them.

I chose to go with the "-W" option to make my faked access points "WEP encrypted" so they don't show up as adhoc networks in Windows (and also to keep people from randomly selecting them).

[Image: fakeap02]

So, after running the script, Windows successfully detects the faked access point (and it would detect any others, had I been running more):

[Image: fakeap03]

(You'll need to run a DHCP server, and probably set up some routing, to enable devices to actually connect to your fake access point(s).)

This is literally the tip of the iceberg. The real "Pineapple" power of "airbase-ng" is the "-P" option (which tells it to "respond to all probes, even when specifying ESSIDs") - check out the documentation.
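Flipping this around to the defender's side: the post notes that the generated MAC addresses "would look obviously suspicious to anyone checking them", and the "-P" option means one BSSID ends up answering for whatever ESSID a client asks about. Both leave a visible footprint in an ordinary scan. The script below is an added example (my own, not the post's pastebin script or anything from the aircrack-ng project) that runs a few of those checks over a list of (BSSID, ESSID, privacy) observations; the scan data and the `KNOWN_GOOD` allow-list are constructed for the demo, and the "locally administered" MAC bit check is a general heuristic for randomised addresses rather than something specific to airbase-ng.

```python
"""Spot the footprint of faked access points in wireless scan observations.

Added example, not from the original post. Input is a list of
(BSSID, ESSID, privacy) tuples as a scanner or beacon sniffer would
record them; the sample data and allow-list below are constructed.
"""
from collections import defaultdict

# Constructed sample scan: (BSSID, ESSID, privacy as a scanner would report it).
SAMPLE_SCAN = [
    ("f4:f2:6d:11:22:33", "HomeNet", "WPA2"),       # our real AP
    ("00:a4:7b:c1:d2:e3", "troyhunt.com", "WEP"),   # random-looking WEP AP with an odd name
    ("00:3e:91:0a:0b:0c", "troyhunt.com", "WEP"),   # same name, second BSSID
    ("02:11:22:33:44:55", "HomeNet", "OPN"),        # our ESSID, unknown BSSID, open, local bit set
    ("06:aa:bb:cc:dd:ee", "CoffeeShop", "OPN"),     # one BSSID seen under many ESSIDs...
    ("06:aa:bb:cc:dd:ee", "Airport_Free", "OPN"),
    ("06:aa:bb:cc:dd:ee", "HomeNet", "OPN"),
    ("06:aa:bb:cc:dd:ee", "Office-Guest", "OPN"),
]

# Constructed allow-list: the BSSIDs that legitimately serve the ESSIDs we own.
KNOWN_GOOD = {"HomeNet": {"f4:f2:6d:11:22:33"}}


def is_locally_administered(bssid):
    """True when bit 1 of the first octet is set (locally administered address).

    Vendor-assigned MACs have this bit clear; randomised ones frequently set it.
    """
    first_octet = int(bssid.split(":")[0], 16)
    return bool(first_octet & 0x02)


def analyse(scan, known_good=KNOWN_GOOD, probe_threshold=3):
    """Return a list of (finding, subject, detail) tuples for one scan."""
    findings = []
    by_essid = defaultdict(set)     # ESSID -> BSSIDs seen advertising it
    by_bssid = defaultdict(set)     # BSSID -> ESSIDs it was seen advertising
    privacy = {}                    # (BSSID, ESSID) -> reported privacy
    flagged_local = set()           # report each locally-administered BSSID once

    for bssid, essid, priv in scan:
        bssid = bssid.lower()
        by_essid[essid].add(bssid)
        by_bssid[bssid].add(essid)
        privacy[(bssid, essid)] = priv
        if is_locally_administered(bssid) and bssid not in flagged_local:
            flagged_local.add(bssid)
            findings.append(("locally-administered-bssid", bssid, essid))
        if essid in known_good and bssid not in known_good[essid]:
            findings.append(("unknown-bssid-for-owned-essid", bssid, essid))

    # Several BSSIDs sharing one ESSID is normal (roaming), but they should all
    # advertise the same security; a mismatch is the classic evil-twin sign.
    for essid, bssids in by_essid.items():
        privs = {privacy[(b, essid)] for b in bssids}
        if len(bssids) > 1 and len(privs) > 1:
            findings.append(("essid-privacy-mismatch", essid, sorted(privs)))

    # One BSSID advertising many unrelated ESSIDs is what an AP that answers
    # every probe request looks like from the outside.
    for bssid, essids in by_bssid.items():
        if len(essids) >= probe_threshold:
            findings.append(("bssid-advertises-many-essids", bssid, len(essids)))

    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_SCAN):
        print(*finding)
```

Two of the checks depend on context the scanner alone doesn't have: the allow-list of your own BSSIDs is what turns "another HomeNet AP" into a finding, and the probe threshold needs tuning for venues where one controller legitimately broadcasts several SSIDs. Twins that copy the real network's security settings exactly (the two "troyhunt.com" entries above, both WEP) only get caught by the allow-list, which is why keeping one is worth the bother.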

Although not as simple as using a "Pineapple", this can all be done with a basic laptop and wireless dongle - much cheaper and quicker than waiting for hardware to arrive ;) Karmetasploit uses airbase-ng and metasploit, along with some extra scripting, to make all of this much easier and more powerful. There's also PwnSTAR which seems to do a great job. All in all, not a bad alternative.