Auto-Rickrolling WiFi Pineapple
John Bebo’s Auto-Rickroll payload for the WiFi Pineapple is an excellent example of using Dnsmasq to forward targets to a hosted site. While this site could be malicious, perhaps hosting the Browser Exploitation Framework, Bebo’s payload is a safe and simple prank. Any web site a victim attempts to browse to brings them to a WiFi Pineapple hosted page containing Rick Astley ASCII art and looping audio. It uses a technique similar to the one employed by captive portals – something we’ll explore in more detail soon – except a lot more annoying.
Thanks to great documentation from Bebo and Hak5 forum member Psychosis, setting up your own Auto-rickrolling WiFi Pineapple is super simple. In fact, this will work on just about any OpenWRT based wireless access point – but we’ll be focusing on the WiFi Pineapple specifically for its Jasager abilities.
This article will focus on setting up the Auto-Rickroll payload in Windows, so the ever handy PuTTY and WinSCP tools will be used. If you’re on Mac or Linux you already have SSH and SCP. We’ll also be taking a beginner’s approach, so if you’re a guru you can simply download the payload and take a look at the commands at the end of the article.
Demonstration
First begin by downloading this package containing all of the configuration and www files. Extract the contents to a temporary directory. You should notice index.html as well as NGGUP.mp3 and NGGUP.wav – these are the www files. You’ll also notice extension-less files dhcp, network and wireless. These are the configuration files.
Next connect your WiFi Pineapple to a computer via an Ethernet cable. In its default configuration the WiFi Pineapple has the IP address of 192.168.1.1 and will assign your computer an IP address in that range using DHCP.
To test your connection to the WiFi Pineapple open a shell and issue the ipconfig command. You should have a 192.168.1.x IP address with your default gateway set as 192.168.1.1. Depending on your configuration you may need to disconnect from any wireless or other networks you are currently connected to. Issuing ping 192.168.1.1 should result in four replies.
Now that you’re directly connected to the WiFi Pineapple open WinSCP. Enter 192.168.1.1 as the host name. Leave 22 as the port number. Enter root for the user name and your password. By default the WiFi Pineapple has a password of “pineapplesareyummy”. Select SCP from File protocol and click Login. You may receive two errors regarding group lookup, which are safe to disregard.
Now that you’re logged into the WiFi Pineapple with WinSCP you can begin transferring files. In the left-pane navigate to the temporary directory to which you extracted the files in the first step. The right pane will be /root on the WiFi Pineapple by default. Select the 6 extracted files on the left and drag them to the right.
Click Copy to confirm the command and wait for the procedure to complete.
Now that the files have been copied we’re ready to put them in the appropriate places on the device.
Open PuTTY and enter 192.168.1.1 in the host name field. Port 22 should be entered by default. Click Open to connect. The first time doing this you will be asked to save the key. Click yes if prompted.
When prompted, log in as root. Again, the default password is “pineapplesareyummy” (sans quotes). Issuing the “ls” command will display the files we copied over in the previous step.
Move the index.html and NGGUP files to /www with the command “mv index.html NGGUP.* /www/”. Issuing the “ls” command again will show that only the configuration files remain.
Before moving the configuration files to their appropriate location we’ll want to backup the existing files – just in case we ever want to go back to the default. Navigate to the config directory with the “cd /etc/config” command. Again “ls” will display all of the files in this directory.
Rename network, dhcp and wireless to network.bak, dhcp.bak and wireless.bak respectively using the mv command. For example, “mv dhcp dhcp.bak”
Now you’re ready to move the auto-rickrolling configuration files to /etc/config. Since you’re already in that directory use the command “mv ~/* .” (notice the space between * and .). This command says to move (mv) everything (*) from the home directory (~/ – in our case /root since we’re logged in as root) to the current working directory (.).
Again issuing “ls” will show that the configuration files have moved.
Next we’ll need to modify the dnsmasq config file. By default it does not exist in /etc/ so to create a new one we’ll need to issue the command “touch /etc/dnsmasq.conf”
Once the file has been created we’ll need to add one line to it. We could use a text editor such as vi but I find it easier to simply echo the line into the file. Issue “echo "address=/#/192.168.1.1" > /etc/dnsmasq.conf” (mind the quotes around address=/#/192.168.1.1). The echo command prints whatever is written within the quotes. By default it is written to the screen, but since we used a greater-than sign we specified that the output of the echo command go into the file – in our case /etc/dnsmasq.conf – replacing whatever the file held. Alternatively, if we were echoing multiple lines into the file we would use two consecutive greater-than signs, which append to the end of a file.
To verify that the configuration has been written issue “cat /etc/dnsmasq.conf”, which will return what we wrote in the previous step, sans quotes. The /#/ part of the line is a wildcard that matches every domain, meaning any name your target attempts to browse to will resolve to, in this case, 192.168.1.1.
Now we’ll also need to modify the /etc/init.d/jasager configuration file so that it begins karma immediately upon powering on. This is the only step specific to the WiFi Pineapple and can be considered optional. I like the idea of karma coming up on its own with this configuration – it really automates the whole attack. Since the WiFi Pineapple doesn’t need Internet access (it’s forwarding everything to an internally hosted page) it’s just a matter of plugging in the battery pack and turning it on.
We’ll need to add a block of commands to a function, so a proper text editor is in order. For this issue “vi /etc/init.d/jasager”
Cursor down to the iptables command and press “i” to insert. Now prepend a # to the command to comment it out. Next, after the tail command and before the function closes, enter the following string of commands exactly as outlined here (they are listed under “add to start()” in the Quick steps at the end of the article). Save and close the file by pressing the escape key followed by : (colon), x and enter.
Finally our configuration changes are complete and it is time to reboot, so either pull the plug on the pineapple or issue the “reboot” command. When everything comes back up either stay connected via ethernet or connect via WiFi to the newly renamed SSID of “ricknet” (or any other Jasager-ized SSID). Browse to any website and enjoy the rickroll action.
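Seen from the client side, the address=/#/192.168.1.1 wildcard set earlier is easy to recognise: names under the reserved .invalid TLD must never resolve, so an answer for one that matches the answer for every other name marks a wildcard resolver. The script below is an added example, not part of the original article or Bebo's payload; the function names, the getent-based probe and the sample answers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: spot a resolver that answers
# every query with one address, as dnsmasq does with address=/#/192.168.1.1.

# probe NAME...: print "name address" per name, "-" when nothing resolves.
# Assumption: a Linux client that has `getent`; include one *.invalid name.
probe() {
    for name in "$@"; do
        addr=$(getent hosts "$name" | awk 'NR == 1 { print $1 }')
        echo "$name ${addr:--}"
    done
}

# verdict: read "name address" pairs on stdin and print one line:
#   WILDCARD <addr>  all names, the reserved .invalid one included, got <addr>
#   FABRICATED       a .invalid name resolved, but the answers are not uniform
#   OK               no .invalid name resolved
#   INSUFFICIENT     the input holds no .invalid probe
verdict() {
    awk '
        NF < 2 { next }
        $1 ~ /\.invalid\.?$/ { canary++; if ($2 != "-") forged++ }
        $2 == "-" { unanswered++; next }
        !($2 in seen) { seen[$2] = 1; distinct++; addr = $2 }
        END {
            if (!canary) print "INSUFFICIENT"
            else if (!forged) print "OK"
            else if (distinct == 1 && !unanswered) print "WILDCARD " addr
            else print "FABRICATED"
        }'
}

# Constructed sample: answers seen by a client behind the rickroll AP.
sample_hijacked='example.com 192.168.1.1
example.org 192.168.1.1
canary-4f2a.invalid 192.168.1.1'

# Constructed sample: an honest resolver (documentation-range addresses).
sample_clean='example.com 203.0.113.10
example.org 198.51.100.7
canary-4f2a.invalid -'

printf '%s\n' "$sample_hijacked" | verdict
printf '%s\n' "$sample_clean" | verdict
```

For a live check, pipe probe example.com example.org canary-4f2a.invalid into verdict while the client uses the resolver handed out by DHCP. As one commenter below found, a client with hard-coded DNS servers never asks the device's dnsmasq and so never sees the wildcard answer.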
Quick steps
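# scp the six extracted files to /root on your pineapple, then:
# www files first, so only dhcp, network and wireless remain in /root
mv index.html NGGUP.* /www/
# back up the stock configuration before replacing it
cd /etc/config
mv network network.bak
mv dhcp dhcp.bak
mv wireless wireless.bak
mv ~/* .
touch /etc/dnsmasq.conf
echo "address=/#/192.168.1.1" > /etc/dnsmasq.conf
vi /etc/init.d/jasager
# add to start(); the redirection order silences both stdout and stderr
wlanconfig ath0 create wlandev wifi0 wlanmode master > /dev/null 2>&1
iwpriv ath0 karma 1
brctl addif br-lan ath0
ifconfig eth0 up
# comment out the iptables command
reboot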

The zip file that was published has a corrupt wireless configuration file.
I downloaded the zip and it seems to be fine. Here’s the contents of wireless:
config interface loopback
option ifname lo
option proto static
option ipaddr 127.0.0.1
option netmask 255.0.0.0
config interface lan
option ifname eth0
option type bridge
option proto static
option ipaddr 192.168.1.1
option netmask 255.255.255.0
root@OpenWrt:/etc/config# cat wireless
config wifi-device wifi0
option type atheros
option channel 5
option mode '11bg'
option diversity '0'
option disabled '0'
# REMOVE THIS LINE TO ENABLE WIFI:
config wifi-iface
option device wifi0
option network lan
option mode ap
option ssid 'RickNet'
option encryption none
option hidden '0'
option isolate '0'
option txpower '0'
option bgscan '0'
option wds '0'
Sure?
It seems to start with the network config, then appears the:
root@OpenWrt:/etc/config# cat wireless
and continues with the wireless config
To all my fellow rickrollers: This file is wrong. You need to delete everything above root@OpenWrt:/etc/config# cat wireless, including this line. Otherwise you will kill your box and have to reflash because it won’t ever again connect to anything. :-/
I strongly recommend the HowTo by HomoHabilis linked in the comments below: http://forums.hak5.org/index.php?showtopic=20277
This works just fine for my box.
@Darren: Could you be so kind as to change the file in the download package? Would minimize the errors…
@Hak5Team: Thank you so much for your show
haha epic!
Hi, I just installed Jasager Firmware 1.0 from Digininja’s website but I don’t have the dnsmasq.options file in /etc/… Do I have to install dnsmasq or something?
And does Jasager work on the new OpenWrt Backfire 10.3?
Thanks =)
So I somehow messed up the backup of /etc/config/network; I moved it to the wrong file.
Anyone have a backup of /etc/config/network as the original pineapple should be?
Thanks
Bug noticed
if you configure your pineapple with Webif interface and then do copy the configs
it will screw up the webif
2 issue what is wrong with the config files
I cannot acquire an IP address?
Does anyone have the default webif index.html files for a noob that overwrote his :S
kthnx
doh.. i did the same, anyone have the default index.html.?? or where i can obtain one?
For those having trouble setting this up, user HomoHabilis has written a good post on the configuration. http://forums.hak5.org/index.php?showtopic=20277
Cheers,
Darren
Hi All,
I have an issue. I have reflashed my pineapple following a guide I found written by Darren. I am using the same WiFi Pineapple used in the video.
I followed the steps for auto rick rolling exactly BUT I’m not being directed to 192.168.1.1. My web browser shows the rickroll screen when I go directly to the address but will not work if I go to google.com, for example. I verified my dnsmasq.conf file and am using the dhcp, network and wireless setup provided in the package. I also checked to see if the dnsmasq service was running and yes, it was. I don’t know what I am doing wrong and would appreciate some advice.
Thank you.
Hey guys.. I got the DNS thing sorted. Kinda obvious. I had to change the network card’s DNS settings back to automatic. I had them set to Google. Windows users can change them by going to the network adaptor properties. Select Internet Protocol (TCP/IP) (Vista and 7 show TCP/IP v4) and click Properties. Then change the DNS to get automatically.
Sorry, can’t give Linux or Mac instructions at this time. I know I have to change the setting on my Linux netbook and my Mac but to be honest I don’t think I’ll be rick rolling myself..
…. hope this helps someone.
I got my rickroll pineapple all setup and everything works except for one thing. When you go to a webpage a pop up prompts for the x-wrt username and password. If I enter them in or hit cancel I get Rick but I would like for it not to show that pop up at all. From looking over the forum posts and how to’s it seems like I may need to disable x-wrt but I’m not quite sure how to do that. Has anyone else encountered this issue and found a workaround?
Thanks!
I can’t get it to work. Tried the options here. But since I have LuCI on my OpenWRT router it has Dnsmasq options built in. What should I do?
Also. A bit off topic..
I can’t get SCP to work. Both WinSCP and FileZilla (has SFTP option) give an error and I cannot connect. I just use WGET to transfer files but I would like SCP working
Oh come on.. Just log in via your phone to turn on karma.
How to restore to normal function?
(the easy way without deleting the files)
Can’t access the fon after finishing these steps. I’m plugged into the serial and I’m getting this when it starts up:
br-lan: port 2(ath0) entering learning state
br-lan: topology change detected, propagating
br-lan: port 2(ath0) entering forwarding state
ath0: unable to register device
Any ideas on what to do?
Something you could do for this to make it more annoying is to add a refresh to the header.
That way, as soon as the clip ends it restarts.
Can’t get DHCP to issue an address… and not sure where the log files are for DHCP on OpenWrt… (rickroll setup)
Thanks
While
Configured as outlined in the docs however I did use scp to transfer the files. Now I cannot get a dhcp address and my urls are not automatically being forwarded to the rickroll page. Any suggestions?
Thanks!!!!!!!!
Has anyone done this on the MarkIII? I can’t find the /etc/init.d/jasager location; it’s not there.