
WiFi Pineapple Active Detection via a Raspberry Pi Zero

BSides SLC · 2020 · 22:52 · 561 views · Published 2020-03
About this talk
Jason Bertman details the capabilities and operation of WiFi Pineapple devices—man-in-the-middle tools used in wireless attacks—and demonstrates active detection techniques using a Raspberry Pi Zero. The talk covers hardware alternatives, the Karma and MANA attack methods, and a methodology for identifying malicious access points by detecting their characteristic responses to probe requests.
Original YouTube description:
Title: WiFi Pineapple Active Detection via a Raspberry Pi Zero
Presenter: Jason Bertman

Transcript [en]

All right, so my name is Jason Bertman and I work at Stage 2. Today I'm gonna be talking to you guys about detecting pineapples: the Raspberry Pi idea, a small piece of hardware that we built that kind of functions as a physical security token. It's more so just for research projects. So I'll kind of detail, if you haven't had experience with pineapples, exactly what pineapples are, how they function, what things they take advantage of, and how we can sort of counteract that. Most of my days I'm taking advantage of those things on the red team side, but this was more of a blue team sort of research. Hopefully you guys get something out of this. This will be a

pretty quick presentation, probably 20 to 25 minutes, so definitely feel free to leave any questions you want in the Q&A section or in the chat, but glad that we could at least put together this virtual presentation for everyone. So just to kind of begin, very quickly I'm gonna kind of go over exactly what a pineapple is and how it works, and some of the hardware alternatives for pineapples. Not everyone has access to a pineapple; some people find that the forty two hundred and twenty dollar price range is a little too steep for them, so I'll kind of go over how I approached things before Bryce decided to send me a pineapple: I'm via the GL.iNet AR150.

I'm going to do very, very quick hardware teardowns on both, just to ensure that they're using the same chipset; the attacks that the pineapple uses, the Karma and MANA attacks that are still used to this day; so how we go about detecting those things in the field; and then of course the actual hardware itself, and then we'll all just kind of bow our heads and pray to the demo gods, I mean hope that our demo works out right. So firstly, of course, what is a WiFi Pineapple? I find that most people don't have exposure to some of the internals, at least from the software perspective, of what a pineapple actually does. We'll kind of

very lightly go over those things, because this is a pretty brief presentation to fit in our 30-minute time slot here. So in short, it's essentially man-in-the-middle made easy for Wi-Fi. In some cases, especially with the Tetra and with humming solutions, you can use up to three radios without any sort of lag: you need one for monitoring, one for stations for people to connect, and one for clients, to give any of your victims that internet access to ensure that devices connect successfully and that they don't know that they're actually being attacked. In the last decade or so there have been six generations of pineapple; we're around generation six now. The current view that

you see in the bottom of the right-hand side of your screens is the current generation of software. For the people that have been around a while, you might remember this sort of green and black and red sort of hacker view that the pineapple used to be, and, you know, you felt cool using it, but it was a real pain to use. Things have definitely gotten much, much better, and the module system is actually, I wouldn't say a pleasure, but pretty easy to use. So if you are looking to utilize a pineapple for sort of your operations, I'm gonna heartily endorse it, but the modules are very easy to use, so there's definitely some cool things that you can

do that a lot of teams are doing out there. So like I said, when I started I didn't actually have access to a pineapple. I knew I wanted to build this detector, so it actually turns out that there's a pretty wide community for building the pineapple using off-the-shelf hardware that's much, much cheaper. So I kind of started my research here on Hak5's official hardware page, where they mention that it's an Atheros AR9331 chipset, which is a relatively common Atheros chipset, and especially in embedded devices their use is all over the place. But we can see here they use that system on chip, so of course we use this as our

jumping-off point: can we see where else this chip is in use? And of course I mentioned the GL.iNet AR150. Like I said, this is a pretty popular option, it's very inexpensive, and you'll see when I do a quick teardown of this that it's really just one chip; it's really not a complex system. Like I said, it's twenty-five dollars or under; sometimes you can find them used for 15. So if you're really looking for just some simple research, one of the easy ways to have built a Pineapple Nano is to simply buy one of these and flash the pineapple firmware onto it. As I mentioned, you can see on their page, the page on the right there is directly

from GL.iNet's page; they say that they use the Atheros AR9331 SoC, so as far as we know they use the same chips and we're ready to go. There's also a USB port on the back that you can put a hub into and connect all the devices you would like. That being said, it really only supports two additional devices along with the internal chip, and even then it's pretty slow, but it does work pretty well, especially for the secondary and tertiary radios. So just a very, very, like I said, very quick teardown here. It has an FCC ID on the back there; obviously, you know, it's an approved device, so we

could do the teardown that way, but it's only a single chip, so you see on the next slide here that we just decided to tear it out, just to kind of see how it worked. That chip in the center there, that little black guy, is an Atheros AR9331. It does have two Ethernet ports; the WAN and LAN were actually reversed in software. If you do end up doing this on your own, and of course these slides will be shared out to you guys, you'll notice that there are some quirks with the software. If you are to install the newest firmware there are some software changes you have to make, and I go through how to build firmware

just a little bit here. You also need power and reset buttons set up, so those are also included on the GL.iNet, which has made things very, very useful. So these are the internal chip photographs. You can see here the right side is the FCC ID for the Pineapple Nano, and you can see, you probably can't read it there, but it is in there, as I promised: an Atheros AR9331. You see the same chip on the left. So as far as we know, at least the key wireless hardware is compatible, and everything else we'll sort of figure out as we go. The good thing to note here is

that the GL.iNet AR150 comes with OpenWrt preloaded, which is a huge help to us researchers, because OpenWrt is open source and, you know, we can build basically anything on top of it. To that end, the link in the center there for GitHub, the OpenWrt CC from the Domino team: they have a repo specifically for the GL.iNet AR150 that builds an OpenWrt image directly for it. I mean, if you want to do this yourself, you can go directly to the Hak5 firmware page, take the latest firmware, extract it with firmware-mod-kit, and then essentially just copy those files into the OpenWrt CC /files directory, update, install, make menuconfig, and

you can make, and you're good to go; you're ready to flash with that image that's been built. There are, like I said, a few software quirks, especially in the later versions, where you kind of have to make sure that it's... it's all PHP, so it's relatively straightforward. There's a lot of documentation online, so feel free to Google around if you have questions, and of course feel free to reach out. But so what happens once we build it? Like I said, it's running OpenWrt, so if we go to upgrade the firmware directly from GL.iNet's administration panel, we can literally just drag our built firmware onto their installer and flash it on,

which again is just a researcher's dream; it's been very, very easy to research with this device. There is of course the pineapple running on our GL.iNet AR150. If you'll note, I mean, pineapples have been around for a long time, and it's gotten more and more difficult to exploit new client devices. Clients have gotten smarter and smarter over the years, so in our case we needed to apply both secondary and tertiary radios, connected to a legitimate wireless access network, to ensure that clients will go to connect to us directly, and a lot of new clients will check to ensure that they have internet access, so we need to provide the internet access to make sure that those clients will

complete their association with our evil access point. So this is my actual installation that's on my desk next to me over here. On the left side you see the GL.iNet AR150; on the right side is the USB hub with a spare Edimax little USB Wi-Fi card that I had; and of course on the south side there you see a very popular Alfa wireless card that's used for the injection phase of our attack here. So all in all, there's the internal radio, and it's acting as our station; the USB, the small USB there on the right, the Edimax, is acting as our monitor; and then the Alfa is acting as our

core. So very, very quickly here, I'll just kind of go over the Karma and MANA attacks that the WiFi Pineapple uses, or has used in the past, to exploit clients. A long while ago some researchers came up with an attack called Karma, and it used to be that devices would broadcast probe request frames that contained what's called a PNL, and those PNLs have a list of networks that they wanted to connect to or preferred to connect to. So what Karma did was it would clone one of those SSIDs and then start up a custom network stack that would just let people connect to it, and of course on the client side they don't mind whether a

single BSSID has multiple SSIDs; that's obviously no issue, and it's still a non-issue today. But in this case Karma, again this was back in 2004, was basically an automated evil twin attack. So very quickly, I want to say in just a few short years this attack was outmoded in favor of MANA, which was the updated version of this attack, which still works on devices today as long as the internet is available to that client. So nowadays devices probe for networks much less frequently, but they do probe for networks. You notice when you come home from a long day of work, your phone connects to your Wi-Fi, so it has to probe for that network, and your

access point will respond with a directed probe response. So your device is broadcasting to the SSID, and the SSID with all F's, you know, looking for anyone to respond to that. So what MANA will do is essentially respond to anyone that asks for an access point with its MAC address, with its own destination MAC. So if you probe for a random SSID, it will also respond to that, as long as the software allows it to. And again, these are some very simple custom network stacks that some researchers came up with, very, very simple kernel driver modifications that resulted in some pretty major change around the globe. So like I said, MANA responds with

directed probe responses, and we have ways that we can take advantage of that, which I'll kind of talk about here in a second. Two stipulations here for our detection of the pineapple's attacks: the pineapple filters by default. It used to be that they were open; now when you set up, it asks you if you want your filters to be open or closed. You can still of course use the MAC address and SSID behaviors, and that's more of a passive detection. I include a link later on for a repo called PiDense from some researchers that have done some work in the last few years that does some passive detection of the WiFi

Pineapple, but of course we're after this active detection. So in order to do that active detection, our pineapple has to accept our probe requests, which of course means it has to go through the filter. Of course, with the advent of MAC randomization, a lot of red teamers and operators in the field tend to open up those filters a little bit more, which allows us to kind of get around those filters, and a lot of leaks. So you might have wondered what DRAIN actually stands for. DRAIN stands for Didn't Realize All Insecurities Needed Naming. I really hate acronyms, and so this was my acronym for them. So that's how do we go

about attacking, specifically MANA; Karma is not really in use anymore. So, two assumptions that we make when we go about our detection methodology. One is that the beacon responses are enabled; this is by default, and this is pretty much expected with most if not all Wi-Fi operations. Beacon response lets an arbitrary... lets it respond to arbitrary clients. So if a beacon request comes to you, you respond to that beacon with your MAC address. And of course, like I mentioned, the filters must not exclude our detector. It is possible that filters aren't there, but in that case you're probably safe to be on that Wi-Fi network anyway. Wi-Fi is a pretty old protocol; with WPA3 coming

around, things might change a little bit here, but, you know, the coffee shop attack is still something that happens on a daily basis. So like I said, DRAIN only covers active detection, and there's that link right there if you want to check out PiDense. WiPi-Hunter has several repositories that cover passive detection; some of the code needs updating in 2020, but most things do work. So definitely give that a shot if you have a pineapple at home or if you build one with a GL.iNet. How do we go about detecting this in real time? So our detector, which we built on a Raspberry Pi Zero W, firstly just sweeps

the active stations in the area. This is a pretty common thing that happens, you know, on a second-by-second basis, a millisecond basis, by most client devices. In our case we simply get an inventory of MAC addresses in the area that respond to our sweep, and then we send probe requests for a random string to the broadcast SSID. So basically we're saying, I'm looking for this sort of remembered network; does anyone in my current area have that network? And then simultaneously we listen for a beacon response. So we have two things that we're looking out for: one, that a responding station's SSID matches the probe request, so that's that random string

that goes out. If we get a response to a random string, that is very, very suspicious; there is not a lot that should be responding to a random string. And then of course our second confirmation is that one of those BSSIDs was in our initial recon, so that means the station that's listening for connections has responded to a random string for association. So both of those together means that, more likely than not, we have a pineapple, or potentially a different malicious device. One other assumption that we'll make here is that an attacker has changed the sort of default MAC addresses to ensure that none of this stuff is, you know,

easily passively detectable. Obviously there are lots of other things you can do; again, look at PiDense for some examples. So, you know, we only need to make sure that we're only detecting the active pineapple itself. So on to building our detector. How do we build our detector? It's very, very simple; it's almost entirely in software, and we use a modified kernel that comes with the Kali NetHunter repo that allows you to do monitor mode. In our case we actually don't need too much, and we can actually use some simple built-in iw scan commands that come with the kernel by default. It actually turns out, if you

don't know, that if you provide a specific name to iwlist scan, it will actually send a probe request for that name, so we can sort of scrape the output and use that. With a default device we actually need this modified kernel, which is again great news for sort of mass-producing this, if someone were to mass-produce it: you don't need a secondary radio to make this work. Like I said, using the Raspberry Pi Zero W, it has 2.4 GHz b/g/n; it doesn't support 5 GHz, obviously, for now, to cut down on costs, so, you know, that might be a vector you might want to think about. You can honestly load the software onto anything that supports the same code. It just has

a standard male 2 by 20 GPIO header, and we can sort of see the one-line LED matrix that takes up that 2 by 20; the lights are the Pimoroni Blinkt!. It's a great little piece of software, comes with very easy to use libraries, so if you haven't used anything from Pimoroni before, I highly recommend it; on the higher end of price, but very, very easy to use, and the libraries are really well done. So in that way we've built this small piece of hardware that's kind of giving us a visual indicator if there is a pineapple in the area, and that case is just a popular Pibow Zero W case, a very cool-looking case. So this is something

you just keep next to your laptop. Of course you could also implement this fully in software for various operating systems as well, but that way you don't get to have a cool little light-up device too, which is obviously the goal here. So with that, with 20 minutes in, it's demo time. So again we bow our heads, you know, honor the demo gods. I'm just gonna re-share my screen to ensure that I can give you guys my console output; hopefully I haven't lost too many. All right, hopefully you guys can see this okay. I'm connected to that Raspberry Pi on the left, and on the right side is just our live pineapple

detector. There we are. So I'm just gonna start up the scanner here, which is gathering, and you can see, hopefully it's not too much lag on that: every few seconds our Raspberry Pi is simply scanning for any potential open networks in the area. Here it's just got some nice solid green lights and, you know, it looks a lot cooler. So I'm just gonna scroll, that's gonna come back here, and just plug in this pineapple, and it's gonna boot up here, and say the glories of virtual conferencing. So now our pineapple has been plugged in, and it takes about 30 to 45 seconds to start up, so right now our

pineapple detector is just sweeping the network looking for open networks, and that's it; it just does it in a loop until it finds any open networks that are potentially in use by a Raspberry Pi, I'm sorry, by a pineapple. Once it finds a potential target on the network, it will target those in the next phase, and it will send those directed probe requests and see if it can detect that specific BSSID as a pineapple. So hopefully here in a few seconds we will see this pineapple start up.

Okay, we can see it found a hidden network with the BSSID of b0:b0:de:ad:be:ef, which, if you're familiar with that, is not a normal MAC address. So this next phase here, after the third scan, it will go and try to probe that one. So it says it's found a pineapple, and now our pineapple detector is flashing red, meaning there's an evil device in the area and that we should discontinue our wireless access immediately. This is the string that of course was generated for the purpose, and then we can see that we got the BSSID back to us from the probe request, and that it was the same b0:b0:de:ad:be:ef MAC

address we got directly back that was in the initial recon phase. So this is an evil device; we should obviously not be Wi-Fi-ing in this area, it's very evil. And that is about it. I'll just head back to my presentation here. There's a questions page; that's my email address. If you don't know, I work for Stage 2 Security. You can feel free to send me an email, or, you know, I'll be on the BSides Slack for the majority of the year if you have any questions. If not, then thank you for watching, I appreciate it. Thanks. There is one question in the Q&A for you. Sure, I'm clicking on Q&A but

it's not actually doing anything. The question says: what would have happened if there were multiple pineapples in one area? Gotcha. So in our case, that phase two portion actually does individual probes for each one that it finds, so our code specifically will just probe for both of those individually. But, you know, obviously if someone has more than one station, you probably have a bigger issue on your hands, but our code will just simply probe individually. Yeah, that's about it. Wondering why I can't view these questions... oh, there we go.

Awesome, well thank you guys, really appreciate it. This code will go up on probably GitHub, if not the Stage 2 Security GitLab or something similar, pretty soon here if anyone's interested, and of course feel free to hit me up with questions.
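The two-phase check the talk describes (a recon sweep of nearby BSSIDs, then a directed probe for a random SSID, flagging any BSSID that answers with that exact SSID and was already seen in the sweep), written out as an added Python example. This is not Jason Bertman's code and not the DRAIN project's; it assumes the detector scrapes the text output of `iw dev <iface> scan` and `iw dev <iface> scan ssid <name>` (real `iw` options; the talk mentions the iwlist equivalent). The scan outputs, BSSIDs and the fixed probe string below are constructed for the example. It also splits results the way the Q&A answer implies: every responder is judged on its own, and one that answers the random string but was absent from the recon sweep is reported separately rather than silently dropped.

```python
import re
import secrets
import string
import subprocess

# Lines of interest in `iw dev <iface> scan` text output.
BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})")
SSID_RE = re.compile(r"^\s+SSID: ?(.*)$")

# Fixed stand-in for the per-run random string (constructed for this sample).
PROBE_SSID = "Qz7vL2mXp9Kd"

# Constructed phase-one output: an ordinary home AP, a hidden AP with a
# suspicious-looking BSSID (as in the demo), and a coffee shop AP.
RECON_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tfreq: 2437
\tsignal: -41.00 dBm
\tSSID: HomeNetwork
BSS b0:b0:de:ad:be:ef(on wlan0)
\tfreq: 2412
\tsignal: -55.00 dBm
\tSSID: 
BSS 66:77:88:99:aa:bb(on wlan0)
\tfreq: 2462
\tsignal: -70.00 dBm
\tSSID: CoffeeShop
"""

# Constructed phase-two output for `scan ssid Qz7vL2mXp9Kd`. A directed scan
# still lists beacons from unrelated APs (HomeNetwork), so matching on the
# SSID string is essential. One responder was seen in recon, one was not.
PROBE_SCAN = f"""\
BSS b0:b0:de:ad:be:ef(on wlan0)
\tfreq: 2412
\tsignal: -54.00 dBm
\tSSID: {PROBE_SSID}
BSS 00:11:22:33:44:55(on wlan0)
\tfreq: 2437
\tsignal: -42.00 dBm
\tSSID: HomeNetwork
BSS de:ad:00:00:00:01(on wlan0)
\tfreq: 2437
\tsignal: -80.00 dBm
\tSSID: {PROBE_SSID}
"""


def parse_iw_scan(output):
    """Map BSSID -> SSID from iw scan text; hidden networks map to ''."""
    results = {}
    current = None
    for line in output.splitlines():
        m = BSS_RE.match(line)
        if m:
            current = m.group(1).lower()
            results[current] = ""
            continue
        m = SSID_RE.match(line)
        if m and current is not None:
            results[current] = m.group(1)
    return results


def random_probe_ssid(length=12):
    """Fresh random SSID per run, so the probe string cannot be anticipated."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def detect_pineapples(recon_output, probe_output, probe_ssid):
    """Apply both conditions from the talk to each responder individually.

    confirmed:   answered the random SSID AND was present in the recon sweep
    unconfirmed: answered the random SSID but was not seen during recon
    """
    recon = parse_iw_scan(recon_output)
    responders = parse_iw_scan(probe_output)
    confirmed = sorted(b for b, s in responders.items() if s == probe_ssid and b in recon)
    unconfirmed = sorted(b for b, s in responders.items() if s == probe_ssid and b not in recon)
    return {"confirmed": confirmed, "unconfirmed": unconfirmed}


def live_scan(iface, ssid=None):
    """Run the real iw commands (needs root and a wireless interface; not used offline)."""
    cmd = ["iw", "dev", iface, "scan"] + (["ssid", ssid] if ssid else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def main():
    verdict = detect_pineapples(RECON_SCAN, PROBE_SCAN, PROBE_SSID)
    for bssid in verdict["confirmed"]:
        print(f"PINEAPPLE: {bssid} answered random SSID and was seen in recon")
    for bssid in verdict["unconfirmed"]:
        print(f"suspicious: {bssid} answered random SSID but was not in recon")


if __name__ == "__main__":
    main()
```

In a live loop the detector would call `live_scan(iface)` for recon, generate `random_probe_ssid()`, call `live_scan(iface, that_string)` and pass the two outputs to `detect_pineapples`; the "unconfirmed" bucket is worth keeping visible, since a station that joined the area between the two phases would otherwise be missed.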