Hak5 is packed and ready for Def Con 2011! This year, Darren, Paul, and I will be in Las Vegas all weekend- from Wednesday night through Sunday- compiling a delightful Hak5 episode for you to enjoy. We hope to get some good coverage and photos, so show off your Hak5 tshirt! If you see us, make sure to stop by and say hello!

This Def Con also marks Hak5′s first on location vendor table. Make sure to stop by the vendor area and pick up some swag! We will have Wifi Pineapple V 2′s, Ubertooth One’s, Ninja Star’s, and some other odds and ends. We’ll be accepting cash and credit card.

Since the store is going to be on site at Def Con, shipments will be delayed for this week until Monday, August 8th.

DEF CON is one of the oldest continuous running hacker conventions around, and also one of the largest. DEF CON is generally in the last week of July or first week of August in Las Vegas. DEF CON 19 will be held August 4 – August 7 at the Rio Hotel & Casino in Las Vegas. Many people arrive a day early, and many stay a day later.

Shannon Morse is a co-host of Hak5 on Revision3 and she is on the audio podcast Bite Club Show. You can also find her guest hosting various other internet shows now and then. When not geeking out with work, Shannon enjoys video games, anime, manga, traveling, building computers, and spending time with family and friends. Find more info about Shannon here.

WIFI PINEAPPLE VERSION 2 ONLY. THIS WILL NOT WORK WITH THE WIFI PINEAPPLE VERSION 3.

Whether your new to Jasager or you’ve made a configuration change you wish you hadn’t, doing a fresh WiFi Pineapple install is a breeze. This guide walks you through the steps required to flash compatible WiFi Pineapple hardware with the latest version of Robin Wood’s Jasager firmware as well as default configurations and and packages.

Requirements

This guide is written for Windows users and should take about 15-20 minutes to complete. In addition to WiFi Pineapple hardware you’ll need a Telnet, SSH and SCP client (we recommend PuTTY and WinSCP) as well as an Ethernet cable and the following download:

• build-pineapple.zip MD5: C5D90DB48E511F8AEF4FDFBCA7E3CF38

Video Walkthrough

Preparing your computer

Before getting to the actual flashing bit the computer’s network interfaces must be configured. Begin by setting the Ethernet adapter with a static IP address of 192.168.1.100 and a subnet mask of 255.255.255.0. This setting can be found in Windows 7 from the Control Panel under View network status and tasks, and Change adapter settings. Right-click on the Local Area Connection and choose Properties. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

It is also a good idea to disable any other network adapters that may be present, like a wireless adapter. To do this right-click on the interface and click Disable.

Flashing the Firmware

Plug one side of an Ethernet cable into the Ethernet adapter you set with a static address in the previous step. Plug the other end of the cable into the WiFi Pineapple hardware. Make sure the WiFi Pineapple does not have power, but keep the power cable handy as we’ll need it in just a moment. Using battery power for the flashing process is not advised.

Open the Freifunk AP51 Easy Flash utility. Check the box labeled Use external file under Rootfs, click browse, and select the openwrt-atheros-root.squashfs file. Repeat this step for the section labeled Kernel choosing openwrt-atheros-vmlinux.lzma

Select the Ethernet adapter you had previously setup with a static IP address from the drop-down under Interface.

With the WiFi Pineapple power cable handy click the Go button, wait one second and plug in the power cable. The WiFi Pineapple will light up and the EasyFlash utility will report “No packet” until the device is found. Once the utility is communicating with the device it will report both the computer and WiFi Pineapple‘s IP and MAC addresses then begin flashing. This process takes about 10 minutes. Once the flash is complete the EasyFlash utility will automatically close and the WiFi Pineapple will reboot.

Initial Setup

With the WiFi Pineapple rebooting, open a command prompt (Start, Run, CMD) and issue “ping 192.168.1.1 -t”. This command will continue pinging the WiFi Pineapple. Once replies are reported stop the ping with the CTRL+C keyboard combo. The device is now ready for initial login.

Open PuTTY or your Telnet client of choice and enter the host 192.168.1.1. If using PuTTY make sure Telnet is selected, as well as the default port 23. Click Open.

When greeted with an OpenWRT splash screen type the command “passwd” and press enter. Type a password and press enter twice. When “Password for root changed by root” is reported the WiFi Pineapple is now ready for packages and configuration.

Wireless Configuration

Once again open PuTTY or your SSH client of choice. Enter the host 192.168.1.1. If using PuTTY make sure SSH is selected, as well as the default port 22. Click Open.

When greeted with a security alert, click Yes. Enter “root” for “login as” and the password you had previously configured.

From the WiFi Pineapple command line enter the following command to change the wireless configuration setting.

echo "
config wifi-device  wifi0
option type    atheros
option channel  auto
config wifi-iface
option device wifi0
option network lan
option mode ap
option ssid Pineapple
option encryption none
" > /etc/config/wireless

Leave this SSH session window open as it will be used in the next step to install packages.

Package Install

Various packages can be installed on the WiFi Pineapple. See the openwrt repository at downloads.openwrt.org/kamikaze/8.09.2/atheros/packages. The default package on the WiFi Pineapple is X-WRT, a web based management interface, and its dependency haserl.

Open WinSCP and enter the host name 192.168.1.1. Enter root as the user name and the password chosen. Select SCP from the File protocol drop-down and click Login. If presented with two group errors, click OK — they are safe to ignore.

Select the haserl and webif package files from your hard disk on the left and drag them to the area on the right. The file transfer will begin.

Back in the SSH session enter the command “ls” followed by enter. The package files previously transferred should be reported. Now install both package files with the command “opkg install *.ipk”. This process will take just a minute. Once complete a “SUCCESS!” message will be reported. At this point the WiFi Pineapple has been configured and is ready to be rebooted. Either unplug and replug and power adapter or issue the command “reboot”.

The WiFi Pineapple has now been flashed and configured with factory default settings. This guide can be followed up with this article on logging into the WiFi Pineapple for the first time.

WIFI PINEAPPLE VERSION 2 ONLY. THIS WILL NOT WORK WITH THE WIFI PINEAPPLE VERSION 3.

In this segment Darren talks about Session Hijacking and demonstrates a tool from Errata Security called Hamster and Ferret that, in conjunction with a WiFi Pineapple, an ICS’d 3G connection and Tftpd32 we’re able to “sidejack” with our little man-in-the-middle setup. Lesson learned? Be suspicious of any wifi. Check for signatures of trusted networks and tunnel your traffic.

While the tethering WiFi Pineapple and laptop 3G technique in this segment is still quite valid, Darren now prefers to use BackTrack Linux as documented here.

So you’ve built, borrowed or bought a WiFi Pineapple and you’re new to OpenWRT and Jasager. Hopefully this guide will familiarize you with the many aspects of the the WiFi Pineapple. If you have specific questions please leave a comment or email feedback@hak5.org and we’ll try to keep this page updated.

This article will guide you through connecting to the WiFi Pineapple for the first time. For more in-depth how-to’s involving command line control, modules, using the white and black listing functions, sharing Internet access and more please consult the Jasager board on the Hak5 forums and keep an eye on the WiFi Pineapple category of the Hak5.org blog for future articles on these topics.

First and foremost

The WiFi Pineapple is a customized version of OpenWRT running the latest Jasager software by Robin Wood. Since OpenWRT is a Linux based wireless networking operating system you’ll want to be familiar with basic Linux and networking fundamentals.

Tools you’ll find handy

Right out of the box most everything can be configured with just about any web browser, but you’ll likely also want a tool or two to get a shell and transfer files. If you’re using Linux or Mac you already have the ssh and scp commands at your disposal. If you’re on Windows we recommend using the PuTTY and WinSCP GUI tools or the command-line equivelent Plink.

Battery Powering the Pineapple

The WiFi Pineapple requires 5V and 2A of DC power. If you’re looking to go mobile leave the wall-wart at home. Four AA rechargeable batteries work well at powering this puppy. It’s important to get AA batteries with a high mAh rating. We recommend no less than 2400, so pick up a few meant for digital cameras for best results. If your standard alkalines aren’t doing the trick it’s probably due to a low mAh rating. Check the packaging. Of course we recommend rechargeables over the landfill populating variety.

Connecting for the first time

There are many ways to connect to and configure a WiFi Pineapple. Here are a few:

Via Ethernet

Power up and connect an Ethernet cable between your computer and the router’s. In its stock configuration the WiFi Pineapple is configured with the static IPv4 address of 192.168.1.1. It is also setup to hand out IP addresses in the 192.168.1.0/24 range via DHCP. If your machine is configured to obtain an IP address automatically you should get something like 192.168.1.100 from it momentarily.

Configuring your interface to obtain an IP address from the WiFi Pineapple’s DHCP server

In case your computer is not already setup to obtain an IP address on the Ethernet interface from a DHCP server, here are quick instructions for some common operating systems.

Windows XP

Open Network Connections from the Control Panel. Right-click on the Local Area Connection and choose Properties. From the dialog select Internet Protocol TCP/IP and click Properties. From the General tab choose Obtain an IP address automatically and Obtain DNS server address automatically. Click OK twice.

Windows 7

Click Choose Network Status and Tasks from the Control Panel. Click Change adapter settings. Right click the Local Area Connection and choose Properties. Select Internet Protocol Version 4 and click Properties. Select Obtain and IP address automatically and Obtain DNS server address automatically, then click OK twice.

Linux / Mac

Open a terminal and issue ifconfig eth0 where eth0 is the Ethernet interface connected to the WiFi Pineapple. Check the inet addr reported. If it is not a 192.168.1.x address you’ll want to manually ask for an address from the DHCP server on the pineapple. Depending on your distribution the command to do this may be “dhclient eth0″ or “dhcpcd eth0″.

Via Wireless

By default the SSID of the WiFi Pineapple is either “Pineapple” or “OpenWRT” without encryption. Connect to it as you would to any ordinary wireless access point. The pineapple will assign you an IP address via DHCP. If for some reason your Wireless interface has not been configured to obtain an address automatically please consult the above instructions substituting your wireless interface for the Ethernet interface.

Via Serial

WiFi Pineapples bought or built on Fon 2100 or Accton MR3201A hardware sport shell access through a serial interface. For information on this access method please consult these fine documents:

• Fon Serial Cable at digininja.org
• LaFonera Hardware Serial-Cable-Port on dd-wrt.com

Accessing the Jasager Interface

Once connected via Ethernet or wireless you can point your web browser at the Jasager management interface. Here you can configure the interface, karma, mac address filtering, ssid white/black listing and execute commands on connected clients.

By default the Jasager interface can be found at http://192.168.1.1:1471. It’s important to note the :1471 bit as that specifies the non-standard port number of this http interface. Any modern web browser will work, be it Firefox, Chrome, Safari, Opera or Internet Explorer. I’ve even successfully used it with the text-only browser Lynx! You’ll need to login. By default the username is root and password is “pineapplesareyummy” (sans quotes).

Status / Main Controls

The options in this section allow you to control the wireless card and karma features. The SSID list is a list of SSIDs that the interface will either accept (whitelist mode) or ignore (blacklist mode). One thing to watch out for is that changing from blacklist to whitelist mode, and vise-versa does not reset the SSID list.

Connected Clients

The list of connected clients comes from a merger of wlanconfig output, information in the log file and the ARP cache. A blank IP address may mean the client hasn’t got an IP address or hasn’t used it for a while so it has slipped from the ARP table.
The dropdown list of commands allows you to add the clients SSID to the watch list and kick the MAC address. Kicking is not blocking a MAC, just temporarily disconnecting it, most clients will attempt to reconnect within seconds of being kicked. Kicking can be useful if you blacklist a SSID and need to remove any currently associated clients. I have an idea that this list will grow with useful commands such as blocking MAC addresses and initiating things such as nmap scans. Watch out for new features in version 2.

Log

All activity is logged to /karma/log/status.log which gets dumped out to the log window.

This guide builds on the Auto-Rickroll payload for the WiFi Pineapple. Following this guide you will be able to create a self-contained WiFi Pineapple or similar OpenWRT based wireless access point serving up faux websites to capture login credentials. The purpose of this article is to point out the simplicity of a phishing attack using the dnsmasq technique of the Auto-Rickroll payload, and how you can protect yourself from similar attacks. See the mitigation section at the bottom of the article for defense advice.

Demonstration

Before beginning please follow the instructions outlined in the Auto-Rickrolling WiFi-Pineapple article. Once complete we will:

1. Install PHP and dependencies
2. Configure PHP and HTTPD
3. Testing the PHP installation
4. Write redirection and capture scripts
5. Modify a website to capture credentials

Install PHP and dependencies

The installation of PHP on OpenWRT is pretty straight forward. Considering the size limitations and power of your typically embedded device such as the WiFi Pineapple and what we’re trying to achieve I have opted for the 4x build of PHP, rather than the newer 5x. Feel free to deviate if your needs require the newer features of 5.

Begin by downloading and installing the following packages from downloads.openwrt.org: libopenssl_0.9.8i-3.2_mips.ipk, php4_4.4.7-1_mips.ipk, php4-cgi_4.4.7-1_mips.ipk and zlib_1.2.3-5_mips.ipk

Alternatively, everything required for this hack can be downloaded in this archive.

Copy the package files (*.ipk) to the WiFi Pineapple in /root/ using the scp command in Linux or an SCP utility in Windows like WinSCP or Plink.

Open a shell on the WiFi Pineapple using your ssh client of choice (on Windows I recommend PuTTY) and login as root. You should already be located in /root/ after logging in. Issue the “pwd” command to be sure, or change directory to /root/ with “cd /root/”. Verify that the packages have been copied by issuing the “ls” to list the contents of the directory. You should see the four package files listed. To install them all issue “opkg install *.ipk”

After a few moments each package should be installed. Now it is time to configure PHP and the HTTP server.

Configure PHP and HTTPD

Two changes need to be made in order for the HTTP server to recognize .php files and process them correctly.

First we’ll need to add a line to the httpd.conf file in /etc/ so either open it with your favorite text editor (vi is already installed) or simply issue the command “echo “*.php:/usr/bin/php” >> /etc/httpd.conf”. Verify that the line has been added with “cat /etc/httpd.conf”

Next we’ll need to add a line to the php.ini file in /etc/. Again open the file in an editor or add the line with “echo “cgi.force_redirect 0″ >> /etc/php.ini” and verify with “grep cgi.force_redirect /etc/php.ini”

Now restart the web server either by issuing “/etc/init.d/httpd restart” or simpy rebooting the WiFi Pineapple with the “reboot” command. It’s also safe to simply unplug the power and plug it back in.

Once the HTTPD and PHP configuration files have been modified and the server has restarted we can move on to testing the PHP installation.

Testing the PHP installation

PHP has a handy little function for testing the its installation. If you rebooted your WiFi Pineapple you’ll need to log back into a shell as root. Once situated, change directory to /www/ with the “cd /www/” command. Now we’ll need to create a test.php file so issue “touch test.php”. Next issue “<?php phpinfo(); ?>” > test.php”. Verify that the string has written to the file with the command “cat test.php”.

With the file written we can test the php install by navigating to test.php on the web server. Remember, following the instructions from the Auto-Rickrolling WiFi Pineapple article we’re able to get to the web server from any URL requested. Based on the dnsmasq.conf, there is no difference between example.com and google.com. Pointing your browser to, say, http://example.com/test.php should yield the following results:

Write redirection and capture scripts

Given that the dnsmasq.conf file will send any URL requested to the root of the web server we will need to write a small PHP script to identify the requested URL and present the user with the corresponding page. Once the user logs into the faux page we’ll use an error.php script to capture the credentials and log them in a file.

Unfortunately at the time of writing I have been unable to convince the tiny web server to process php files as indexes. The cheap workaround for now is to write a simple meta redirect index.html file that points to our redirect.php script for the actual processing. Hopefully this step can be removed in the future, but for now you’ll need to open the index.html file in /www/ using your favorite editor and replace the contents with the following:

<html> <head> <meta http-equiv="REFRESH" content="0;url=redirect.php">

Now for the fun page. Create a redirect.php file with the command “touch redirect.php” and open it with a text editor, for example “vi redirect.php”.

Note: If you’re new to vi here’s a bare-minimum introduction: There are two modes to vi, command mode and insert mode. By default you’ll be in command mode. Press “i” to enter insert mode allowing you to type into the file. Press ESC to get back to command mode. The command “:x” saves and quits. Learn more about using vi.

Here’s an example redirect.php script. Modify as you see necessary. We’ll break it down line by line.

<?php
$ref = $_SERVER['HTTP_REFERER'];

if (strpos($ref, "facebook")) { header('Location: facebook.html'); }

require('peets.html');

?>

The first line tells PHP to start processing the following lines of code.

The second sets the value of the variable “ref” as the HTTP_REFERER. This variable is obtained from “_SERVER” and basically tells us what URL the client is coming from. Since dnsmasq.conf is set to send any website to the root of our web server this could be anything.

The third line uses the srtpos function to look inside the “ref” variable that we just set and see if the word “facebook” is somewhere inside. This means that both “http://facebook.com” and “http://www.facebook.com” would return true. Note: Same goes for facebooksucks.com or any variation that contains the string “facebook”.

If the word “facebook” is found in the variable “ref” the function header will set the location of the browser to facebook.html – a file we’ll create here in a minute.

To phish multiple domains you would create additional similar if statements customized to the urls desired.

The fourth line will only be processed if the statements above aren’t found to be true. In our example we’re only looking for facebook but the list could be more extensive. The require function tells php to load up the contents of the file—in our case peets.html. This could be anything from terms of service agreement, an in-flight Internet purchase page or the old index file from our beloved Auto-Rickroll.

The fifth line closes the PHP processing.

In order to capture the data posted from our faux pages we’ll need to craft an error.php file. Without going into a line-by-line explanation, basically this file looks for two variables posted to it – name and pass – and writes them to the file bitches.txt

We’ll need to create the bitches.txt file in /www/ and change its permissions so issue both “touch /www/bitches.txt” and “chmod 777 /www/bitches.txt”

I have included a few lines to prevent tampering and add logging. The end of the file is basic html to display a faux “503 Service Unavailable” error. Again, this can be customized to your hearts content. For example, returning to the login page may convince an unwitting user that their password wasn’t accepted and give them the opportunity to try “their other password”.

Modify a website to capture credentials

The last step in this phishing attack is to actually rip and modify the pages of our faux sites. In our example so far we’ve been using facebook.com as the target, so follow this example. Using a web browser (or getting fancy with curl or wget) save the homepage of your target site. In chrome click the wrench and choose “Save page as”. Save the site as “Web page complete”. This will save not only the HTML but create a folder including the additional image and javascript components.

Open the html file in your favorite text editor and look for the following string: “form method=”post”". Set the action variable to equal “error.php”.

Now check for the string “input type=”text”" and find the username field. Change the name variable to equal “name” if it is not so already.

Finally check for the string “input type=”password”" and change the name variable to “pass”.

Your faux login page is now ready to be uploaded to the WiFi Pineapple. Using a tool such as WinSCP copy the facebook.html and accompanying facebook folder to /www/ on the device.

With these three modifications your error.php script will pickup the contents of the name and pass text fields. Test this by browsing to facebook.com while connected to your WiFi Pineapple. You should see your faux login page. Entering fake credentials should bring you to the error.php displaying a fake 503 error, and checking facebook.com/bitches.txt should display the captured information.

How not to fall victim to this attack

Obviously disk limitations on the WiFi Pineapple are going to prevent one from serving up face versions of every site on the Internet – so if you’re connected to one of these devious devices and can’t access an obscure URL, something is up. You’ll also notice that navigating to facebook.com in this example forwards you to facebook.com/facebook.html – which should be a sure sign of trouble. The most obvious part about this attack is that every domain you could possibly ping is going to report back a response from 192.168.1.1 – a huge red alert that you’re not in Kansas anymore.

Finally keep in mind that having two or three passwords isn’t enough. Every site needs its own secure and unique password. Consider using a password manager such as LastPass, 1Password or KeePass.

For further reading and advice on identifying phishing sites see antiphishing.org.

John Bebo’s Auto-Rickroll payload for the WiFi Pineapple is an excellent example of using Dnsmasq to forward targets to a hosted site. While this site could be malicious, perhaps hosing the Browser Exploitation Framework, Bebo’s payload is a safe and simple prank. Any web site a victim attempts to browse to brings them to a WiFi Pineapple hosted page containing Rick Astley ASCII Art and looping audio. It uses a similar technique employed by Captive Portals – something we’ll explore in more detail soon – except a lot more annoying.

Thanks to great documentation from Bebo and Hak5 forum member Psychosis setting up your own Auto-rickrolling WiFi Pineapple is super simple. In fact, this will work on just about any OpenWRT based wireless access point – but we’ll be focusing on the WiFi Pineapple specifically for its Jasager abilities.

This article will focus on setting up the Auto-Rickroll payload in Windows so the every handy PuTTY and WinSCP tools will be used. If you’re on Mac or Linux you already have SSH and SCP. We’ll also be taking a beginners approach, so if you’re a guru you can simply download the payload and take a look at the commands at the end of the article.

Demonstration

First begin by download this package containing all of the configuration and www files. Extract the contents to a temporary directory. You should notice index.html as well as NGGUP.mp3 and NGGUP.wav – these are the www files. You’ll also notice extension-less files dhcp, network and wireless. These are the configuration files.

Next connect your WiFi Pineapple to a computer via an Ethernet cable. In its default configuration the WiFi Pineapple has the IP address of 192.168.1.1 and will assign your computer an IP address in that range using DHCP.

To test your connection to the WiFi Pineapple open a shell and issue the ipconfig command. You should have a 192.168.1.x IP address with your default gateway set as 192.168.1.1. Depending on your configuration you may need to disconnect from any wireless or other networks you are currently connected to. Issuing ping 192.168.1.1 should result in four replies.

Now that you’re directly connected to the WiFi Pineapple open WinSCP. Enter 192.168.1.1 as the host name. Leave 22 as the port number. Enter root for the user name and your password. By default the WiFi Pineapple has a password of “pineapples are yummy”. Select SCP from File protocol and click Login. You may receive two errors regarding group lookup, which are safe to disregard.

Now that you’re logged into the WiFi Pineapple with WinSCP you can begin transferring files. In the left-pane navigate to the temporary directory to which you extracted the files in the first step. The right pane will be /root on the WiFi Pineapple by default. Select the 6 extracted files on the left and drag them to the right.

Click Copy to confirm the command and wait for the procedure to complete.

Now that the files have been copied we’re ready to put them in the appropriate places on the device.

Open PuTTY and enter 192.168.1.1 in the host name field. Port 22 should be entered by default. Click Open to connect. The first time doing this you will be asked to save the key. Click yes if prompted.

When prompted login as root. Again, the default password is “pineapplesareyummy” (sans quotes). Issuing the “ls” command will display the files we copied over in the previous step.

Move the index.html and NGGUP files to /www with the command “mv index.html NGGUP.* /www/” Issuing the “ls” command again will show that only the configuration files remain.

Before moving the configuration files to their appropriate location we’ll want to backup the existing files – just in case we ever want to go back to the default. Navigate to the config directory with the “cd /etc/config” command. Again “ls” will display all of the files in this directory.

Rename network, dhcp and wireless to network.bak, dhcp.bak and wireless.bak respectively using the mv command. For example, “mv dhcp dhcp.bak”

Now you’re ready to move the auto-rickrolling configuration files to /etc/config. Since you’re already in that directory use the command “mv ~/* .” (notice the space between * and .). This command says to move (mv) everything (*) from the home directory (~/ – in our case /root since we’re logged in as root) to the current working directory (.).

Again issuing “ls” will show that the configuration files have moved.

Next we’ll need to modify the dnsmasq config file. By default it does not exist in /etc/ so to create a new one we’ll need to issue the command “touch /etc/dnsmasq.conf”

Once the file has been created we’ll need to add one line to it. We could use a text editor such as vi but I find it easier to simply echo the line into the file. Issue “echo “address=/#/192.168.1.1” > /etc/dnsmasq.conf” (mind the quotes around address=/#/192.168.1.1). The echo command prints whatever is written within the quotes. By default it is written to the screen, but since we used a greater-than sign we specified that the output of the echo command go into the file – in our case /etc/dnsmasq.conf. Alternatively if we were echoing multiple lines into the file we would use two consecurive greater-than signs, which append to the end of a file.

To verify that the configuration has been written issue “cat /etc/dnsmasq.conf”, which will return what we wrote in the previous step, sans quotes. The /#/ part of the command is a wildcard, meaning any address your target attempts to browse to will forward to, in this case, 192.168.1.1.

Now we’ll also need to modify the /etc/init.d/jasager configuration file so that is begins karma immediately upon powering on. This is the only step specific to the WiFi Pineapple and can be considered optional. I like the idea of karma coming up on its own with this configuration – it really automates the whole attack. Since the WiFi Pineapple doesn’t need Internet access (it’s forwarding everything to an internally hosted page) it’s just a matter of plugging in the battery pack and turning it on.

We’ll need to add a block of commands to a function, so a proper text editor is in order. For this issue “vi /etc/init.d/jasager”

Cursor down to the iptables command and press “i” to insert. Now prepend a # to the command to comment it out. Next, after the tail command and before the function closes enter the following string of commands exactly as outlined here. Save and close the file by pressing the escape key followed by : (colon), x (x) and enter.

Finally our configuration changes are complete and it is time to reboot, so either pull the plug on the pineapple or issue the “reboot” command. When everything comes back up either stay connected via ethernet or connect via WiFi to the newly renamed SSID of “ricknet” (or any other Jasager-ized SSID). Browse to any website and enjoy the rickroll action.

Quick steps

#scp * to your pineapple
mv *. /etc/config
mv * /www/
touch /etc/dnsmasq.conf
echo “address=/#/192.168.1.1″ > /etc/dnsmasq.conf
vi /etc/init.d/jasager
#add to start()
wlanconfig ath0 create wlandev wifi0 wlanmode master 2>&1 > /dev/null
iwpriv ath0 karma 1
brctl addif br-lan ath0
ifconfig eth0 up
#comment out iptables command
reboot

This segment, Shannon demonstrates some protecting from Firesheep using; BlackSheep.

Shannon shows you BlackSheep, which does the exact opposite. If FireSheep is being used by someone on your network, you can be warned and block against it. BlackSheep is a Firefox add-on, just like FireSheep, that was based right off the same source code. So it reuses the same network listening back-end and that same list of sites and corresponding cookies, etc. By doing this, it ensure that the fake traffic generated by BlackSheep is what FireSheep is expecting to see. BlackSheep even will show you the IP address of the person’s computer trying to hijack your account.

Now to get it working. First, download the BlackSheep add-on. Disable FireSheep if you have it as well, so BlackSheep doesn’t detect it.

In the options menu, choose the interval you want BlackSheep to create fake traffic. It’s default is 5 minutes which works fine. Click ok and you’re done configuring. Now, if FireSheep is detected on your network, you’ll see this popup on your screen.

BlackSheep is available for Mac, Windows, and Linux. You still need WinPCap if you’re on Windows and it only works with the Firefox, and only 32-bit.

Although BlackSheep does help with FireSheep, you should still be using HTTPS for your surfing.

Download Blacksheep

This segment with Darren he demos a couple of tools for us linux folks.

Again the premise is all the same. We’ll be using command line tools to tell our victim we’re the router, and vise versa.

The tools we’ll be using are the dsniff suite and driftnet. If you don’t already have ‘em and you’re rocking Ubuntu it’s simply a matter of issuing sudo apt-get install driftnet dsniff

Before we get our attack started we’ll need to enable packet forwarding. This means we’ll allow the traffic of our targets to flow through our machine.

killall arpspoof

In this Haktip Darren shows how to detecting ARP Cache Poison Attacks in Windows and Linux using XARP

The basics of the Man in the middle attack are this:

Monkey-in-the-middle tells router he’s you.
Monkey-in-the-middle tells you he’s the router.
Monkey-in-the-middle likes mountain dew.
This is achieved using ARP packets, which are how nodes identify themselves on IP networks.

Enter XARP – an advanced ARP Spoof detection suite.

In this haktip Shannon shows us the setup and use of the cookie steeling tool Firesheep to hijack Darren’s twitter session.

Websites always make you login with a username and password, but when you’re on their page all cozy and logged in, you’re browsing insecurely on a regular old HTTP site. HTTP session hacking (called sidejacking) happens when an attacker gets the users cookie which you were transmitted when you first logged in, and they can use it to do anything you would normally do. The only way to really protect yourself from this is through SSL or HTTPS like what you see on your banking websites.

Firesheep, by Eric Butler, demonstrates how vunerable your login is. It’s a man in the middle attack firefox extension that anyone has the ability to use.

To use Firesheep, first make sure to download winpcap. Then download the browser extension and open it using firefox by dragging it into your list of extensions and add-ons. You may need to restart Firefox. Go to View–>Sidebar–>Firesheep and enable it. Now, simply click start capturing and you’ll be able to see the username and photo of anyone on your network that logs into one of the specific sites that Firesheep uses. Click on the name or photo of anyone on the list, and you are now logged in as them, with the ability to do whatever you want as them on that site. Scary huh? Luckily Twitter and Facebook have caught on to this and have enabled the ability to use HTTPS secure logins on their sites. So if you haven’t updated your settings, do it now!

Shannon shows us how to perform arp cache poisoning attacks with ease.

“We get asked a million times over if we’d demonstrate an ARP-Cache Poisoning Attack for Windows, and while we’ve covered this *WAY* back in Season 1, I figured it’s worth a refresher. Now, there are a million ways to do this in the command line with linux tools, but here in Windows we’ll be using a very simple tool called Cain & Abel. Once you’ve downloaded and installed it from www.oxid.it go ahead and fire up the sniffer by flicking the chip icon in the top left. The first time you do this you’ll be asked to select your interface. You can get back to this screen anytime by clicking Configure. I’ve selected this interface here with my IP address since it’s my wireless network card. Now I can scan the network for potential targets. Go to the sniffer tab, right-click, and select Scan Mac Addresses. I’ll stick with the default “”All hosts in my subnet”” and click OK. Now that I have a list of machines on the network I can go over the the APR tab and start the actual ARP Cache Poisoning Attack. Click the blue plus icon on the toolbar to bring up the routing dialog. Here I’ll select 10.13.37.1 on the left — that’s the router — and 10.13.37.124 on the right — that’s Darren’s machine. Click OK and the route will be loaded. Now, begin the poisoning attack by clicking the radiation icon in the top left. Immediately our poisoning attack begins. Now sit back, relax, and wait for your target to do some browsing. Once enough traffic has gone through your’ll notice Full-routing below.

So, what does all of this mean?

ARP Cache Poisoning attacks basically mean a technique used to attack a wired or wireless connection. The attacker can sniff data and send a spoofed ARP message to the LAN. So when they send that spoof message, they receive data that was intended for the router or the computer in question. It’s a man in the middle attack. Neither machine knows I exist in the middle. They just think they’re sending data like usual.