What you’re about to read is an expansion of an earlier article I wrote, ‘The powerful cyberweapons that can fit in your pocket.’ In this same theme, the WiFi Pineapple is a pocket-sized device that can broadcast a rogue access point. From there, the world of IEEE 802.11 is your oyster.
I remember when my Mark VII WiFi Pineapple by Hak5 first graced my mailbox last year. I was living in Dallas, within a mesh of 802.11 wireless frequencies. Inspired by WiFi hacking legends like The Fixer and Seadog, I wanted to explore the limits of wireless security in the modern age.
Ethical hackers and Red Teamers use the WiFi Pineapple to test wireless network defenses and identify potential vulnerabilities in the network. It’s a wireless security auditor’s dream piece of equipment, with a sleek, easy-to-navigate web-based user interface. As long as I could plug it into my laptop or my phone, it was perfectly sized for mobility.
After all, when I think about wireless security as yet another potential attack vector for bad actors, I want to know what I am up against. Whether using a public wireless network or sitting safely within the inner sanctum of my home, I want to be informed.
Living in a city buzzing with different frequencies, the possibilities were endless with the right tools. Therefore, armed with the WiFi Pineapple in hand and my dual-band 802.11ac wireless adapter for a more hands-on approach to wireless intrusion, I sat in my hackerspace, which consisted of a walk-in closet, and powered it on for the first time.
Man-in-the-middle attacks and legality loopholes
Yes, the hacker in me wants to start right there.
A man-in-the-middle (MitM) attack works when a malicious actor positions themselves between two communicating parties, allowing the attacker to intercept, read, and potentially modify data packets without either party knowing. The communication still reaches the intended recipient but is compromised because the attacker can access the data being exchanged.
For example, it’s child’s play for an attacker on the same LAN to run ARP spoofing: their machine answers ARP requests for the router’s IP address with its own MAC address, so every device on the network sends its router-bound traffic to the attacker’s device instead. The attacker forwards that traffic on to the real router, so nobody notices anything but a slightly slower connection.
The WiFi Pineapple excels in this area since it can be configured to broadcast a rogue access point (AP). A rogue AP is any unauthorized wireless access point attached to, or impersonating, a network. It may be planted by a bad actor to intercept and manipulate traffic, or it may be a device a well-meaning user has connected to the network without authorization; either way, it is a path around the network’s perimeter controls.
Many of our readers know that I used to be a career insider threat actor. I often used old laptops and mini PCs, secretly connecting them to my targets' routers and concealing them out of sight.
Nowadays, the Raspberry Pi fills that role. However, the Pineapple has become the ultimate network leverage for an insider threat. To an ethical hacker, its streamlined wireless security auditing and penetration testing is leverage to match the ambitions of bad actors, but for better reasons, of course.
I experimented with this on several occasions, creating a saucy SSID name (Service Set Identifier). When people looked for available wireless networks in the area, they found ‘RedLipstick’, and for whatever reason, they were compelled to use that network instead of their own. Now, they were in my domain.
There’s an interesting legal ‘loophole’ here. I was the hacker, but they were the intruders, and they had unwittingly committed the crime of Unauthorized Access by accessing my wireless network without my permission.
In the UK, this is called ‘piggybacking,’ which falls under the Computer Misuse Act 1990 or the Communications Act 2003. In the USA, it's defined as Unauthorized Access, which is covered by the Computer Fraud and Abuse Act (CFAA).
It was the perfect setup. But the good news is, I’m not a jerk in the classical sense. They were my unwitting test subjects because they had unwittingly committed the crime. As a responsible internet user, I wanted to ensure they weren’t doing anything illegal on my home network. Wink
What’s interesting is that there was another hacker in my wireless vicinity, and I knew he was probing around the airwaves, trying to find devices to break into. I used the WiFi Pineapple as a honeypot and gave the would-be intruder something to access on my network while I observed his rather interesting illicit online behaviors.
Evil Twin and Pineapple sandwich attacks
The Pineapple's ability to seamlessly execute an Evil Twin attack is unparalleled. An Evil Twin is a kind of rogue, malicious AP attack designed to imitate a legitimate AP in both configuration and appearance.
Think of it as a clone. Unsuspecting users see the familiar SSID and connect without a second thought, and client devices that remember the network will often do so automatically. This allows the attacker to intercept, monitor, and manipulate their traffic. It falls under the umbrella of a MitM attack.
Formerly, I only knew how to perform this attack using WiFi Pumpkin and Airgeddon, the latter of which comes preinstalled with Kali Linux and requires two compatible wireless adapters to pull off.
Pineapple sandwich via de-authentication exploit
Once the attacker is in this position, they can go a step further with what is commonly referred to as a ‘Pineapple Sandwich’: the rogue AP, the MitM interception, and a de-authentication attack, all running at once. The extra step matters because a victim’s wireless client will happily stay on the legitimate AP until it is forced off, and de-authentication, one of the easiest attacks to launch, does exactly that.
So in addition to broadcasting the malicious AP and intercepting network packets, the attacker sends de-authentication frames at the victim’s wireless client. These disconnect the client from the legitimate network, and when it reconnects it may land on the Evil Twin broadcasting from the WiFi Pineapple instead of the real AP.
A de-authentication attack is basically a denial-of-service attack against IEEE 802.11: the attacker sends de-authentication (or disassociation) management frames with a forged source address, claiming to come from the AP, and the victim’s client obediently drops its association. The trick works because, without Protected Management Frames (IEEE 802.11w), management frames carry no authentication at all. 802.11w is optional in WPA2 and mandatory in WPA3; where it is enabled, forged de-authentication frames are simply discarded, which is the real fix for this whole class of attack.
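To make the frame format concrete, here is an added example that is not from the original article or from Hak5: it builds raw 802.11 de-authentication frames the way an attacker’s tool would (nothing in them is authenticated), parses them back, and runs a simple flood detector of the kind a WIDS applies to a monitor-mode capture. The MAC addresses, timestamps and the detection threshold are constructed for the demo; a real deployment would feed it frames from a capture library instead.

```python
import struct
from collections import defaultdict, deque
from typing import Iterable, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_DISASSOC = 0xA   # management subtype 10
SUBTYPE_DEAUTH = 0xC     # management subtype 12


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dst: str, src: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """Build a raw 802.11 deauthentication frame (no radiotap header, no FCS).

    Frame Control: protocol version 0, type 0 (management), subtype 12.
    Without 802.11w nothing here is authenticated, so a forged src/bssid
    is accepted by the receiver as if the AP had sent it.
    """
    frame_control = bytes([(SUBTYPE_DEAUTH << 4) | (0 << 2) | 0, 0x00])
    duration = b"\x00\x00"
    seq_ctrl = struct.pack("<H", (seq & 0xFFF) << 4)   # fragment 0, 12-bit sequence number
    body = struct.pack("<H", reason)                     # reason code, little-endian
    return (frame_control + duration + mac_bytes(dst) + mac_bytes(src)
            + mac_bytes(bssid) + seq_ctrl + body)


def parse_mgmt(frame: bytes) -> Optional[dict]:
    """Return subtype/addresses of a management frame, or None for any other frame."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:            # type bits: 0 = management
        return None
    info = {
        "subtype": (fc0 >> 4) & 0xF,
        "dst": mac_str(frame[4:10]),      # Address 1
        "src": mac_str(frame[10:16]),     # Address 2
        "bssid": mac_str(frame[16:22]),   # Address 3
    }
    if info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def detect_deauth_flood(frames: Iterable[Tuple[float, bytes]],
                        window: float = 2.0, threshold: int = 5) -> List[dict]:
    """Alert once per BSSID when >= threshold deauth/disassoc frames arrive within `window` seconds."""
    recent = defaultdict(deque)   # bssid -> timestamps of its recent deauth/disassoc frames
    alerted = set()
    alerts = []
    for ts, raw in frames:
        m = parse_mgmt(raw)
        if not m or m["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[m["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and m["bssid"] not in alerted:
            alerted.add(m["bssid"])
            alerts.append({
                "bssid": m["bssid"],
                "count": len(q),
                "broadcast": m["dst"] == BROADCAST,   # floods aimed at ff:ff:.. hit every client
                "reason": m.get("reason"),
            })
    return alerts


# Constructed sample (not a real capture): one ordinary deauth from a client leaving,
# then a broadcast flood forged to look like the AP, knocking every client off.
AP = "aa:bb:cc:dd:ee:01"
CLIENT = "11:22:33:44:55:66"
SAMPLE_FRAMES = [(0.0, build_deauth(CLIENT, AP, AP, reason=3))]          # reason 3: station is leaving
SAMPLE_FRAMES += [(1.0 + i * 0.05, build_deauth(BROADCAST, AP, AP, reason=7, seq=i))
                  for i in range(20)]                                   # reason 7: the code aireplay-style tools send


def run_sample() -> List[dict]:
    return detect_deauth_flood(SAMPLE_FRAMES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The detector keys on the BSSID in Address 3, because a forged frame carries the victim AP’s address there no matter who really transmitted it; a broadcast destination plus reason code 7 arriving many times a second is the signature of a flood rather than a client genuinely leaving.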
DNS Hijacking
There is a robust variety of modules you can add to the Pineapple’s software to expand its functionality. One that piqued my interest was the ability to perform DNS spoofing and DNS Hijacking.
This is noteworthy.
Once an attacker is positioned to perform MitM through the malicious, rogue AP, every Domain Name System (DNS) query the connected target sends passes through the Pineapple, which can answer it however it likes.
With the target in this fully compromised position, the attacker can redirect the victim’s web traffic to malicious sites simply by returning addresses of their own choosing in the DNS responses. These are ripe conditions for a Captive Portal attack. For example, if a victim likes shopping on Amazon, the attacker answers the lookup for Amazon with the Pineapple’s own address and serves a phishing page masquerading as Amazon to harvest data such as credentials. Note that this only steers the victim to the attacker’s server; getting a browser to accept that server over HTTPS is a separate problem, which is where the SSL stripping discussed later comes in.
Examining your DNS cache
DNS poisoning can be persistent and difficult to detect if you’re not sure whether you’re even a victim or just experiencing ‘wonky web surfing.’
In Windows, to view the contents of your DNS cache, open Command Prompt and type: ipconfig /displaydns
On Linux and macOS there is no single built-in command that lists the cache. With systemd-resolved, which most current Linux distributions use, resolvectl statistics (the older spelling is systemd-resolve --statistics) shows only cache hit and miss counts; to dump the actual cached records, send the service SIGUSR1 with sudo systemctl kill --signal=USR1 systemd-resolved and read them from journalctl -u systemd-resolved. On macOS, sudo killall -INFO mDNSResponder makes the resolver write its cache to the system log, which you can read with log show --predicate 'process == "mDNSResponder"' --last 1m. Other resolvers (dnsmasq, unbound) keep their own caches with their own dump commands.
You can compare your cached DNS entries with fresh answers by using the terminal command nslookup, which is cross-compatible with Windows, Linux, and macOS, and you can point it at a specific resolver, for example nslookup www.example.com 1.1.1.1. Bear in mind that an attacker sitting in the middle can answer queries addressed to any resolver IP, so on a suspect network only an encrypted resolver (DoH/DoT) or a lookup from a different network gives you an answer worth trusting.
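Reading a cache dump by eye gets old fast, so here is an added example that is not from the original article: it parses the ipconfig /displaydns format and flags two patterns that a rogue AP’s DNS-spoofing module leaves behind, public hostnames answered with private or loopback addresses, and several unrelated public names collapsing onto one local address. The output below is constructed for the demo, not a real capture; the 172.16.42.x addresses mirror the Pineapple’s default management subnet, and the list of ‘local’ suffixes is an assumption you would adjust for your own network.

```python
import ipaddress
import re
from collections import defaultdict
from typing import List, Tuple

# Constructed sample of `ipconfig /displaydns` output (not a real capture).
SAMPLE_DISPLAYDNS = """
Windows IP Configuration

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 245
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 93.184.216.34

    router.lan
    ----------------------------------------
    Record Name . . . . . : router.lan
    Record Type . . . . . : 1
    Time To Live  . . . . : 60
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.168.1.1

    www.amazon.com
    ----------------------------------------
    Record Name . . . . . : www.amazon.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 5
    Section . . . . . . . : Answer
    A (Host) Record . . . : 172.16.42.1

    login.microsoftonline.com
    ----------------------------------------
    Record Name . . . . . : login.microsoftonline.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 5
    Section . . . . . . . : Answer
    A (Host) Record . . . : 172.16.42.1

    github.com
    ----------------------------------------
    Record Name . . . . . : github.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 5
    Section . . . . . . . : Answer
    A (Host) Record . . . : 172.16.42.1
"""

NAME_RE = re.compile(r"Record Name[ .]*:\s*(\S+)")
ANSWER_RE = re.compile(r"(?:A \(Host\)|AAAA) Record[ .]*:\s*(\S+)")

# Names that legitimately resolve to private space (assumption: tune for your network).
LOCAL_SUFFIXES = (".lan", ".local", ".localdomain", ".home", ".internal")


def is_local_name(name: str) -> bool:
    return name == "localhost" or name.endswith(LOCAL_SUFFIXES)


def parse_displaydns(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs from ipconfig /displaydns output."""
    entries = []
    current = None
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            current = m.group(1).rstrip(".").lower()
            continue
        m = ANSWER_RE.search(line)
        if m and current:
            entries.append((current, m.group(1)))
    return entries


def suspicious_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag cache entries consistent with a spoofing resolver on the local network."""
    findings = []
    by_ip = defaultdict(set)
    for name, text in entries:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue                      # CNAME or junk, not an address
        by_ip[ip].add(name)
        if not is_local_name(name) and (ip.is_private or ip.is_loopback or ip.is_link_local):
            findings.append((name, text, "public name answered with a private/loopback address"))
    for ip, names in by_ip.items():
        public = sorted(n for n in names if not is_local_name(n))
        if len(public) >= 2 and (ip.is_private or ip.is_loopback):
            findings.append((",".join(public), str(ip),
                             "unrelated public names collapse onto one local address"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(parse_displaydns(SAMPLE_DISPLAYDNS)):
        print(finding)
```

Shared public addresses are normal (CDNs front thousands of sites), so the collapse check deliberately fires only for private or loopback space, where a captive portal or phishing page is the usual explanation; a very low TTL on those records, as in the sample, is another tell.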
Additionally, using a Virtual Private Network (VPN) is paramount in protecting your data from being intercepted by an intruder on the local network. All those passwords and credit card numbers absolutely must go through an encrypted tunnel, so that what the Pineapple sees is ciphertext between you and the VPN server. Two caveats: make sure the VPN client routes DNS through the tunnel as well (otherwise the rogue AP still sees, and can answer, your lookups), and remember that nothing is protected in the seconds before the tunnel comes up, which is exactly when a captive portal pounces.
SSL stripping and session hijacking
I don’t want to get too deep into these, as the list of functions is exhaustive. Another attack the Pineapple can perform is SSL stripping, in which the attacker intercepts a user’s initial plain-HTTP request and keeps the victim’s side of the connection on HTTP while speaking HTTPS to the real site, so the user’s data arrives at the attacker in plain text. It only works when that first request is unencrypted: a site whose HSTS header (Strict-Transport-Security) the browser has already seen, or that is on the browser’s HSTS preload list, cannot be stripped, and browsers’ HTTPS-only modes close the gap further.
Session hijacking occurs when the Pineapple captures a victim’s session cookies. To put this into perspective: authentication cookies are stored in your browser and sent with every request to the site, so a bad actor who captures one can replay it and use the session without any foreknowledge of the victim’s login credentials. A cookie marked Secure is never sent over plain HTTP, which is why this attack and the stripping attack go together: strip the encryption first, then collect the cookies the site forgot to protect.
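Whether a given site can be stripped or its session replayed comes down to a few response headers, so here is an added example that is not from the original article: a small audit of Strict-Transport-Security and Set-Cookie headers that reports the gaps an SSL-stripping or cookie-capturing attacker would exploit. The two response header sets are constructed for the demo; the one-year minimum for max-age is the threshold the browser HSTS preload list requires, and the finding codes are this example’s own names.

```python
from typing import Dict, List

MIN_HSTS_MAX_AGE = 31536000   # one year, the minimum the HSTS preload list accepts


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.strip().lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", "-1"))
    except ValueError:
        max_age = -1
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def parse_set_cookie(value: str) -> dict:
    """Extract the cookie name and the attributes that matter for capture/replay."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {
        "name": name,
        "secure": "secure" in attrs,          # never sent over plain HTTP
        "httponly": "httponly" in attrs,      # not readable by injected script
        "samesite": attrs.get("samesite", "").lower() or None,
    }


def audit_response(headers: Dict[str, List[str]]) -> List[str]:
    """Return finding codes for the ways a response leaves a client open to stripping or hijacking."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("NO_HSTS")                      # the next http:// request can be stripped
    else:
        p = parse_hsts(hsts[0])
        if p["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append("HSTS_MAX_AGE_TOO_SHORT")
        if not p["include_subdomains"]:
            findings.append("HSTS_NO_INCLUDESUBDOMAINS")  # a stripped subdomain can still set cookies for the parent
    for raw in h.get("set-cookie", []):
        c = parse_set_cookie(raw)
        if not c["secure"]:
            findings.append(f"COOKIE_NO_SECURE:{c['name']}")    # travels in clear on a stripped connection
        if not c["httponly"]:
            findings.append(f"COOKIE_NO_HTTPONLY:{c['name']}")
        if c["samesite"] is None:
            findings.append(f"COOKIE_NO_SAMESITE:{c['name']}")
    return findings


# Constructed header sets (not captured from any real site).
HARDENED = {
    "Strict-Transport-Security": ["max-age=63072000; includeSubDomains; preload"],
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
EXPOSED = {
    "Set-Cookie": ["session=abc123; Path=/"],
}

if __name__ == "__main__":
    print("hardened:", audit_response(HARDENED))
    print("exposed: ", audit_response(EXPOSED))
```

The HSTS check says nothing about the very first visit from a fresh browser; only the preload directive (and being on the list) covers that case, which is why the audit reports a missing preload flag separately from a short max-age in the parsed result.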
How to defend against the Pineapple
Now that is the million-dollar question, but it’s also a statement. Throw your computer away and just don’t use the internet – just kidding. Use the strongest WiFi encryption your gear supports: WPA3 where possible, otherwise WPA2 with AES (never TKIP, never WEP), and use a strong passphrase that isn’t a dictionary word like ‘catlover.’
If you absolutely have to use dictionary words for fear you will forget the passphrase, build it from several unrelated words and mix in digits and special characters.
Think: you do not want a passphrase that is short, easy to guess, or likely to sit in a hacker’s wordlist of possible passwords.
Thus, if you design your passphrase around ‘CatloverMountainKeyboard’, an adequate obfuscation could look like ‘Cat!lover#Mountain$Keyboard82’. Here is why it matters: in WPA2-PSK the passphrase is run through 4,096 rounds of PBKDF2 with the SSID as the salt, and an attacker who has captured your four-way handshake can test guesses offline, at hundreds of thousands per second on a GPU rig. Against a wordlist that rate is fatal to ‘catlover’; against a long passphrase that appears in no wordlist it is hopeless, Cray mainframe or no Cray mainframe. WPA3’s SAE handshake removes the offline-guessing problem altogether, which is one more reason to prefer it.
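To show what ‘offline’ really means, here is an added example that is not from the original article: it implements the WPA/WPA2-PSK key derivation (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4,096 iterations, 32 bytes), checks it against the published IEEE 802.11 test vector, and then runs a wordlist against a PMK derived from the weak and the strong passphrase from the text. The SSID ‘RedLipstick’ and the five-word list are constructed for the demo. A real attack compares each candidate PMK against the captured handshake’s MIC rather than against a known PMK; that final comparison is cheap, so the PBKDF2 step shown here is where all the attacker’s time goes.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Test vector from IEEE 802.11 (Annex H): SSID "IEEE", passphrase "password".
IEEE_VECTOR = ("IEEE", "password",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).

    The SSID is the salt, so precomputed tables only help against common
    default SSIDs; an unusual SSID forces the attacker to start from scratch.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_guess(ssid: str, target_pmk: bytes,
                  wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Try each candidate against a captured PMK. Returns (match or None, candidates tried).

    Nothing here touches the network: once the handshake is captured the
    victim cannot rate-limit or even notice this loop.
    """
    for tried, candidate in enumerate(wordlist, 1):
        if hmac.compare_digest(derive_pmk(ssid, candidate), target_pmk):
            return candidate, tried
    return None, len(wordlist)


def guesses_per_second(ssid: str = "NETGEAR", samples: int = 20) -> float:
    """Rough single-core CPU rate; GPU crackers are several orders of magnitude faster."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(ssid, f"guess{i}")
    return samples / (time.perf_counter() - start)


# Constructed wordlist for the demo; real ones run to hundreds of millions of entries.
WORDLIST = ["password", "123456789", "qwerty123", "catlover", "letmein1"]


def demo() -> Tuple[Tuple[Optional[str], int], Tuple[Optional[str], int]]:
    ssid = "RedLipstick"
    weak = offline_guess(ssid, derive_pmk(ssid, "catlover"), WORDLIST)
    strong = offline_guess(ssid, derive_pmk(ssid, "Cat!lover#Mountain$Keyboard82"), WORDLIST)
    return weak, strong


if __name__ == "__main__":
    assert derive_pmk(IEEE_VECTOR[0], IEEE_VECTOR[1]).hex() == IEEE_VECTOR[2]
    print("weak  :", demo()[0])
    print("strong:", demo()[1])
    print(f"this CPU: ~{guesses_per_second():.0f} PBKDF2 guesses/s on one core")
```

WPA3-SAE derives the PMK from an interactive exchange (Dragonfly), so a captured WPA3 handshake gives the attacker nothing to feed into a loop like this; under WPA2, passphrase length and rarity are the only thing standing between a captured handshake and the key.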
Disable automatic WiFi connections. That way, when an attacker is running a rogue AP and has de-authenticated your wireless client from your network, you don’t automatically reconnect – to a malicious clone.
Use a VPN! I’m serious about this. If you’re on a compromised wireless network and you aren’t using a VPN to encrypt your traffic and protect your online transactions and logins, it’s only a matter of time before you learn the hard way. Your packets still pass through the WiFi Pineapple, but all it can collect is an encrypted tunnel it can neither read nor alter.
Use DNS security. Use DNS over HTTPS (DoH) or DNS over TLS (DoT) so your queries and responses are encrypted and authenticated to a resolver you chose. This stops the rogue AP from answering your lookups, with one caveat: a hostile network can block the DoH/DoT port to force a fallback, so configure the client to fail closed rather than silently drop back to plaintext DNS.
Monitor WiFi networks with a Wireless Intrusion Detection System (WIDS). A WIDS listens to the surrounding 802.11 airwaves for unauthorized devices and unusual activity, so it can detect and alert you to rogue APs, Evil Twins reusing your SSID, and de-authentication floods.
Implement MAC address filtering to restrict which devices are authorized to connect to your network. This isn’t a foolproof solution, since MAC addresses travel unencrypted in every frame and are trivially spoofed, but it raises the bar against casual intruders.
Always remember, Red Team enthusiasts: if you own the network, you can test the network. If you don’t, then get permission.
Written by Jesse McGraw
September 30, 2024 2:23 PM