Karma is one of the best features of the WiFi Pineapple thanks to Jasager. Coupled with a tool like DNSSpoof it allows you to trick clients into connecting to your rogue access point and then forge the responses to their DNS queries. With this you can launch an effective MitM attack against every connected client.

[Image: pineapple]

Introduction

Most of us would likely find a long list of WiFi networks that we have connected to in the past if we were to look in the settings of our phone, tablet or laptop. This list is maintained so that should we happen to be in close proximity to an access point again we can automatically reconnect and enjoy surfing the web with no user intervention required. You might think that your phone maintains this list and when it sees a network that it remembers it will connect to it. You'd be wrong!


The Problem

What your phone actually does is walk around shouting out "Is Costa Coffee WiFi here?!?!" or "Is Starbucks WiFi here?!?!" and so on for all the networks in your remembered list. Once it finds a network that it remembers it will connect to it and stop worrying about finding another until you're disconnected. In normal circumstances this is fine: an access point that isn't Costa Coffee simply ignores the question, because a normal access point only answers probes for the network names it actually serves. The Jasager firmware running on the Pineapple is different. The WiFi Pineapple will respond with "Of course I'm Costa Coffee, please connect to me..." and at that point your phone happily believes what it's been told and connects to the "Costa Coffee" WiFi.

At this point you're at the complete mercy of the attacker controlling the rogue access point. Every single packet of data you send or receive will pass through their hands first. What's worse is that your device could have done all of this automatically whilst still in your pocket, with no intervention from you, the user. You don't have to tell it to connect to your WiFi when you walk in the door from work, do you? Once you're connected and your email application does its regular 15-minute check and downloads all your latest emails, well, you can see how bad this could get and how quickly it could get there.


Setup

Your Pineapple will already have Karma right out of the box, and if you don't have DNSSpoof on there you can grab it from the Pineapple Bar and install it to your USB drive. See my previous blog post on Installing Infusions From The Pineapple Bar if you need help. For this attack we're going to be redirecting all web traffic that comes through the Pineapple to a local site hosted right off the USB drive. To transfer the files over to the USB drive you're going to need WinSCP and you can grab a copy right HERE. Set the protocol to SCP, input your Pineapple's IP in the Host Name field and then your username and password. Once you hit Login you will get a prompt asking you to trust the host's key. On your own Pineapple over your own cable or WiFi link that is fine to accept; for any other host you should verify the fingerprint out of band before hitting Yes. Then dismiss any error messages you might receive.

[Screenshots: scp-connect, scp-fingerprint, scp-error]


Now that your SCP connection is all set up you need to download the index.php file from HERE. Navigate to where you downloaded the file in the left pane and then, on the right, navigate to the root of your device, into the /usb folder, and create a new folder called 'surprise'. Once created, drag your index.php file into the folder to copy it over to the Pineapple.

[Screenshots: scp-copy, scp-folder]

Now that the file is in place and ready to be served to unsuspecting visitors you need to create a symbolic link (or symlink) to the file from the web directory. By default the Pineapple will serve HTTP requests from the /www folder on the device but it needs to serve them from the /usb/surprise folder where the file now resides. To do this navigate to the /www folder on the Pineapple in the right pane, right click and create a new Link.

[Screenshot: scp-new-symlink]

The link file needs to be named index.php and it needs to point to where the index.php file actually lives, /usb/surprise/index.php.

[Screenshot: scp-create-symlink]

Once you hit OK your new symlink should show up in the folder (try a right click and hit refresh if it doesn't).

[Screenshot: scp-symlink]

This now means that any request for index.php that the Pineapple serves out of /www will be answered with the index.php in your surprise folder. The main reason for doing it this way is the limited space on the Pineapple itself. By moving these files onto the USB drive you can include a lot more content like images and media without worrying about space constraints. How about some videos of Rick Astley? One caveat: the link is only as good as its target, so if the USB drive isn't mounted when a request comes in the symlink dangles and the web server will return a file-not-found error instead of your page.

The last step is to configure DNSSpoof. Click the DNSSpoof Infusion and select the Hosts tab; this is where you set which DNS requests you would like to be spoofed. For my setup I have used the * wildcard and will spoof any and all DNS requests back to the Pineapple.

[Screenshot: dnsspoof-all]

If you like you can just target specific domains to be spoofed back to the Pineapple.

[Screenshot: dnsspoof-specific-sites]

This approach would be particularly useful if you were going to target a particular site, or set of sites, and upload your own replica of them to the Pineapple to phish some specific data. When the user navigates to facebook.com and sees a convincing replica they probably aren't going to worry too much about entering their username and password. Bear in mind that DNS spoofing only gets you this far for plain HTTP: if the victim's browser goes to the site over HTTPS the Pineapple can't present a valid certificate for it, so they will see a certificate warning rather than your replica, and for a site the browser already knows as HSTS there isn't even a click-through.
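
The whole setup above, done from a shell on the Pineapple instead of WinSCP, as an added example that is not code from the original post or from Hak5. It assumes you have SSH access to the device and have already copied index.php onto it; it also assumes the Pineapple answers on 172.16.42.1 and that the DNSSpoof infusion's Hosts tab is a front end for a dnsspoof(8)-format hosts file whose path you pass in (both assumptions, not taken from the post). ROOT is a path prefix so the whole thing can be dry-run in a scratch directory; leave it empty on the device.

```shell
#!/bin/sh
# Added example (not from the original post or from Hak5): stage the landing
# page on the USB stick, symlink it into /www, and write a dnsspoof hosts file.
# Assumed: Pineapple IP 172.16.42.1; the DNSSpoof infusion reads a hosts file
# in dnsspoof(8) format at whatever path you pass to write_spoof_hosts.
# ROOT is a path prefix for dry runs (ROOT=/tmp/pineapple-test); empty on the device.

ROOT="${ROOT:-}"
PINEAPPLE_IP="${PINEAPPLE_IP:-172.16.42.1}"

stage_landing_page() {
    # $1: the index.php to serve. Copies it onto the USB stick and points
    # /www/index.php at it. The link is relative (../usb/surprise/...) so it
    # resolves both on the device and under a scratch ROOT. Fails if the link
    # would dangle (e.g. USB stick not mounted), because the web server would
    # then answer requests for index.php with a file-not-found error.
    src="$1"
    mkdir -p "$ROOT/usb/surprise" "$ROOT/www"
    cp "$src" "$ROOT/usb/surprise/index.php" || return 1
    ln -sf ../usb/surprise/index.php "$ROOT/www/index.php" || return 1
    if [ ! -e "$ROOT/www/index.php" ]; then
        echo "error: $ROOT/www/index.php is a dangling symlink" >&2
        return 1
    fi
    echo "serving $(readlink "$ROOT/www/index.php") as /index.php"
}

write_spoof_hosts() {
    # $1: hosts file to write; remaining args: hostname patterns to answer for.
    # dnsspoof(8) hosts format is "<ip> <hostname>", one name per line, with
    # wildcards allowed: '*' hijacks every lookup, '*.facebook.com' only Facebook.
    out="$1"; shift
    mkdir -p "$(dirname "$out")"
    : > "$out"
    for pattern in "$@"; do
        printf '%s\t%s\n' "$PINEAPPLE_IP" "$pattern" >> "$out"
    done
    echo "wrote $# entries to $out"
}

# Example invocation on the device (the spoofhost path is a placeholder):
#   stage_landing_page /tmp/index.php
#   write_spoof_hosts /path/to/spoofhost '*'                              # everything
#   write_spoof_hosts /path/to/spoofhost 'facebook.com' '*.facebook.com'  # targeted
```

The dangling-link check is the part worth keeping: the symlink is created whether or not the USB stick is mounted, so without it the first sign of trouble is a visitor seeing a file-not-found page instead of your landing page.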


The Attack

The only thing left to do now is to enable Karma and DNSSpoof and check it out!

[Screenshots: dnsspoof-enabled, karma-enabled]


Once you fire up Karma you should go from this:

[Screenshot: wifi-not-in-range]

To this:

[Screenshot: wifi-connected]

If we take a look at the Karma log tab you can see Karma picking up the probe request from my phone, asking whether the Coffee Shop WiFi network was in the area; Karma then responded and tricked my device into connecting to the rogue access point.

[Screenshot: karma-log]

Now that the client has connected to your rogue access point, and DNSSpoof is running to intercept all DNS requests and forge their responses, opening a browser and navigating to any website ends up with something like this.

[Screenshot: uh-oh]

Fortunately for any unsuspecting victims all this setup does is show them a friendly webpage and give them some information about what's just happened. There is obviously quite a lot of potential for this page to do a whole lot more, see my previous blogs on Session Hijacking over Coffee Shop WiFi and Code Injection by a Man In The Middle for some ideas.

As an additional note, whilst exploring the Karma functionality I found out that you can get your device to connect to it by adding a network to your device. Just as you would when connecting to a network with a cloaked SSID, you simply create a new network and select no security. If you don't have any open WiFi networks in your network list this is a great way to create one. On my Android device I simply opened the WiFi settings, hit the + button and created a new network.

[Screenshots: add-network-screen, new-network-connected]

Threat Mitigation

It's worth noting that the Pineapple can only perform this attack by impersonating an open network: networks like those regularly found in coffee shops, pubs, bars and even your local shopping centre that require no password to connect. Still, whilst that reduces the scope of the attack, there is a good chance that somewhere in your list there is an open network waiting to be exploited. The best way to protect yourself from an attack such as this is to 'forget' open networks as soon as you have finished using them; just remove them from the list so they can't be abused in the future. It's also worth knowing that the attack depends on your device asking for remembered networks by name, and later versions of Android and iOS largely stopped sending those directed probe requests except for networks saved as hidden, so a network added by hand the way described above stays exposed even on a device that has otherwise been fixed. When I first enabled Karma my phone was connecting to a network, I would forget it, and then it would connect to the next one in the list. There were coffee shops, airports, hotels, pubs, clubs, restaurants and even a couple of local businesses who provide free WiFi on their premises. It was basically rich pickings for the Pineapple!


Conclusion

Karma is an incredibly powerful tool and I think it demonstrates some quite considerable flaws in the WiFi protocol in a manner that is capable of grabbing people's attention.

Firstly, the fact that your device even broadcasts the information of networks you have previously connected to could be a leak of some private or embarrassing information. Do you really want your phone yelling out "Is Chloe's Massage Parlour here?"... Not only that but with a list of WiFi networks you have connected to someone could feasibly build up an idea of the kind of places you visit. Pubs, clubs, restaurants and coffee shops will likely all be in there and this information is being freely broadcast to anyone willing to listen to it.

Secondly, the fact that there is no verification of the access point actually being who it claims to be. If your device stored the MAC address (the BSSID) of the access point when you first connected, it could check that value against the beacons and probe responses of any access point later claiming the same name. This would prevent the Pineapple from pretending to be an access point it isn't, as it wouldn't pass the MAC verification step. There would however be a downside, as there are legitimate uses for this lack of verification. If you connect to "Starbucks WiFi" at your local branch and then travel to another branch at a different location, your phone will automatically connect to the WiFi network there because the names match. This is handy for large organisations as their customers can automatically enjoy the WiFi network at different geographic locations without having to connect every time. Unfortunately, if you created an open WiFi network called "Starbucks WiFi", anyone who had ever connected to a WiFi network at a Starbucks before would now automatically connect to your access point without doing anything. It seems that this 'feature' presents too much of a security risk for the convenience it offers, and whilst the MAC check would be fairly useless in a targeted attack (an attacker who knows the BSSID can clone it too), it would at least offer some protection to the majority of users against the indiscriminate attack described here.
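
Two checks that follow from the Karma log above and from the MAC-pinning idea just described, as an added example that is not code from the original post or from Hak5. The input is 802.11 management traffic already reduced to one "frame-type bssid ssid" line per frame; that reduction from a monitor-mode capture is assumed and not shown. SAMPLE_FRAMES and STORED_PROFILES are constructed data, with 00:13:37:a1:b2:c3 standing in for a Pineapple that answers every probe request, from a single BSSID, with whatever SSID was asked for.

```shell
#!/bin/sh
# Added example (not from the original post): two defender-side checks against
# a Karma-style rogue AP, run over constructed "frame-type bssid ssid" lines.

SAMPLE_FRAMES='probe-resp 00:13:37:a1:b2:c3 Costa Coffee
probe-resp 00:13:37:a1:b2:c3 Starbucks WiFi
probe-resp 00:13:37:a1:b2:c3 Heathrow Free WiFi
probe-resp 00:13:37:a1:b2:c3 Coffee Shop WiFi
probe-resp 9c:97:26:11:22:33 Daves WiFi
beacon 9c:97:26:11:22:33 Daves WiFi
probe-resp 30:46:9a:de:ad:01 Costa Coffee'

# What the post proposes the client should remember: SSID|BSSID pairs for
# networks joined before (constructed; "Costa Coffee" was genuinely joined
# from the AP at 30:46:9a:de:ad:01). Entries are ';'-separated.
STORED_PROFILES='Costa Coffee|30:46:9a:de:ad:01;Daves WiFi|9c:97:26:11:22:33'

karma_suspects() {
    # Prints "bssid count" for every BSSID whose probe responses carried at
    # least $1 distinct SSIDs. A real AP advertises one SSID (or a handful) per
    # BSSID; a Karma AP says yes to everything, so its count grows with every
    # different network the nearby phones ask for.
    awk -v min="$1" '
        $1 == "probe-resp" {
            ssid = $0; sub(/^[^ ]+ +[^ ]+ +/, "", ssid)   # SSIDs may contain spaces
            key = $2 SUBSEP ssid
            if (!(key in seen)) { seen[key] = 1; count[$2]++ }
        }
        END { for (b in count) if (count[b] >= min) print b, count[b] }' | sort
}

pinning_mismatches() {
    # Prints "ssid|seen-bssid|pinned-bssid" whenever a beacon or probe response
    # offers a remembered SSID from a BSSID other than the one it was first
    # joined from. This is the MAC-pinning check the conclusion describes; it
    # catches indiscriminate Karma but not an attacker who clones the BSSID too.
    awk -v stored="$1" '
        BEGIN {
            n = split(stored, entries, ";")
            for (i = 1; i <= n; i++) { split(entries[i], kv, "|"); pinned[kv[1]] = kv[2] }
        }
        $1 == "probe-resp" || $1 == "beacon" {
            ssid = $0; sub(/^[^ ]+ +[^ ]+ +/, "", ssid)
            if ((ssid in pinned) && pinned[ssid] != $2) {
                key = ssid SUBSEP $2
                if (!(key in reported)) { reported[key] = 1; print ssid "|" $2 "|" pinned[ssid] }
            }
        }'
}

echo "BSSIDs claiming 3 or more SSIDs in probe responses:"
printf '%s\n' "$SAMPLE_FRAMES" | karma_suspects 3
echo "Remembered SSIDs offered from an unexpected BSSID:"
printf '%s\n' "$SAMPLE_FRAMES" | pinning_mismatches "$STORED_PROFILES"
```

The first check is the one a wireless IDS can run without any client cooperation, since a Pineapple's single BSSID ends up attached to every SSID the surrounding phones have ever saved. The second is what the proposed client-side fix would amount to, and the comment spells out its limit: it only flags a BSSID the attacker hasn't bothered to copy.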

The main thing organisations can do about this is to not use open WiFi networks. Even a really simple password on the WiFi, stuck on a poster on the wall, changes the picture. The Pineapple can't pretend to be a WPA/WPA2 network it doesn't know the password for: the client only completes the four-way handshake if the access point proves it knows the passphrase, and that proof can't be forged without it. So the indiscriminate Karma attack, which relies on saying yes to every network name it hears, no longer works against your remembered network. Be honest about the limit, though: the poster doesn't stop a targeted attacker who has read it. Anyone who knows the passphrase can stand up their own access point with the same name and password, pass the handshake, and pick up your returning customers exactly as before. That remaining gap is only properly closed by WPA2-Enterprise, where the client checks the authentication server's certificate, or by customers forgetting the network when they leave.


Responsibility

There are obvious ways that the information in this post and the features of the Pineapple can be used for abusive and even illegal activity. The aim of disclosing this information is to make people aware of the dangers they are exposed to but are most likely unaware of. The best way we can protect ourselves from risk is to be informed and educated about the risk itself. Please use the information and tools found here responsibly.


Scott.
Short URL: https://scotthel.me/dnsspoof