How can I fight against WiFi Pineapple Activities?

Besim ALTINOK
CyberPath Technology
5 min read · Aug 19, 2018

In this article I am going to talk about how to avoid being exposed to attacks from WiFi Pineapple devices, and how not to fall into fake access points.

PS: First of all, I would like to say that this article is definitely not an attack on Hak5. I just want to share what I did to protect myself from the WiFi Pineapple. Hak5 works on the attack side and I work on the defense side. “Attack and defense always improve each other.”

Start!

The whole process started with a WiFi Pineapple device I bought about three years ago. Since buying it, I have never used it to attack anyone. For some reason I always thought, “How can I protect myself from it?”

Generally, when I develop such defense methods, my philosophy is “Think simple, apply simple”. First, I acted like a normal user. That is why I started with the most popular WiFi Pineapple module, the PineAP module.

The PineAP module works as follows:

How the PineAP module works

To summarize: first, SSID names are harvested from the connection requests (probe requests) of nearby devices and collected into an SSID pool. The Pineapple then broadcasts beacons carrying those SSIDs, either automatically or on the operator's command, and client devices that recognize a familiar SSID are deceived into connecting.

From the attacker's perspective, everything is fine so far. From the defender's side, things look complicated at first. But here I applied the “Think simple, apply simple” method and simply followed the behaviour of the PineAP module. Doing so, I saw several abnormal situations in the environment, which can be listed as follows:

  • Too many unprotected (open) wireless networks nearby
  • In addition, wireless network broadcasts using the same SSID but different encryption standards (same SSID, different encryption)

When I inspected the traffic in more detail with Scapy and Wireshark, I noticed another anomaly:

  • A single MAC address (BSSID) was used for all of the wireless network broadcasts being made.

At this point I looked into this a little more and tried to confirm whether it really is an abnormal situation. My conclusion was that it can be regarded as abnormal once it passes a certain threshold, since a legitimate access point does announce a few SSIDs from one radio, but not dozens.
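The three anomalies above can be turned into a small detector. The block below is an added example written for this article, not PiSavar's own code: it takes already-parsed beacon records (BSSID, SSID, Privacy bit, RSN element present), groups them, and flags a BSSID that beacons more than a threshold of different SSIDs, an SSID seen with more than one security type, and an unusually high share of open networks. The sample beacons, the MAC addresses and the thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of parsed beacon frames (one record per beacon observed).
# "privacy" is the Privacy bit of the beacon's capability field; "rsn" says
# whether an RSN (WPA2) information element was present. The first two records
# are legitimate networks; the rest mimic a PineAP SSID flood sent from one
# locally administered MAC address. All values are made up.
SAMPLE_BEACONS = [
    {"bssid": "10:20:30:40:50:60", "ssid": "HomeWiFi",          "privacy": True,  "rsn": True},
    {"bssid": "10:20:30:40:50:61", "ssid": "CoffeeShop",        "privacy": False, "rsn": False},
    {"bssid": "02:00:00:00:00:01", "ssid": "HomeWiFi",          "privacy": False, "rsn": False},
    {"bssid": "02:00:00:00:00:01", "ssid": "attwifi",           "privacy": False, "rsn": False},
    {"bssid": "02:00:00:00:00:01", "ssid": "xfinitywifi",       "privacy": False, "rsn": False},
    {"bssid": "02:00:00:00:00:01", "ssid": "Airport Free WiFi", "privacy": False, "rsn": False},
    {"bssid": "02:00:00:00:00:01", "ssid": "Hotel Guest",       "privacy": False, "rsn": False},
    {"bssid": "02:00:00:00:00:01", "ssid": "Starbucks",         "privacy": False, "rsn": False},
    {"bssid": "02:00:00:00:00:01", "ssid": "HomeWiFi",          "privacy": False, "rsn": False},  # repeated beacon
]


def security_of(beacon):
    """Classify a beacon from the two flags we carry; WPA1 (vendor IE) is lumped into LEGACY."""
    if beacon["rsn"]:
        return "WPA2"
    if beacon["privacy"]:
        return "LEGACY"  # Privacy bit set but no RSN element: WEP or WPA1
    return "OPEN"


def detect_pineap(beacons, max_ssids_per_bssid=5, max_open_ratio=0.5):
    """Apply the three anomaly checks from the article to a list of beacon records."""
    ssids_per_bssid = defaultdict(set)    # anomaly 3: many SSIDs from one MAC
    security_per_ssid = defaultdict(set)  # anomaly 2: same SSID, different encryption
    networks = {}                         # (bssid, ssid) -> security, de-duplicates repeats
    for b in beacons:
        sec = security_of(b)
        ssids_per_bssid[b["bssid"]].add(b["ssid"])
        security_per_ssid[b["ssid"]].add(sec)
        networks[(b["bssid"], b["ssid"])] = sec

    # anomaly 1: share of distinct networks that are open
    open_count = sum(1 for s in networks.values() if s == "OPEN")
    open_ratio = open_count / len(networks) if networks else 0.0

    flood = sorted(bssid for bssid, s in ssids_per_bssid.items() if len(s) > max_ssids_per_bssid)
    mixed = sorted(ssid for ssid, secs in security_per_ssid.items() if len(secs) > 1)
    return {
        "flood_bssids": flood,
        "mixed_security_ssids": mixed,
        "open_ratio": open_ratio,
        "too_many_open": open_ratio > max_open_ratio,
        # a single MAC beaconing many SSIDs is decisive on its own; the other two
        # signals are weaker and only count together
        "pineap_suspected": bool(flood) or (bool(mixed) and open_ratio > max_open_ratio),
    }


if __name__ == "__main__":
    for key, value in detect_pineap(SAMPLE_BEACONS).items():
        print(f"{key}: {value}")
```

To feed it from a live capture instead of the constructed list, sniff in monitor mode and build one record per beacon; with recent Scapy that is addr3 of the Dot11 layer for the BSSID, the SSID from the first Dot11Elt, the privacy flag of the Dot11Beacon capability field, and whether a Dot11EltRSN layer is present. The threshold of five SSIDs per BSSID is an assumption; tune it to what the access points in your own environment legitimately announce.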

As a result of this study, I developed a tool named PiSavar.

With this tool, at DEF CON 26 I was able to detect the activity of four WiFi Pineapples and disable them all.

Catch FakeAP!

So far, so good.

However, if the attacker opens only a single access point with the WiFi Pineapple, PiSavar would not work, because there is no SSID flood to detect. For this reason, I thought it would be good to fingerprint the access point itself.

In the course of my research:

  • First, thinking like an attacker, I created a fake access point with the WiFi Pineapple.
  • Then, like a normal user, I connected to the fake access point I had created.

I wanted to answer one question about the network I was connected to:

  • Was this network opened by a WiFi Pineapple?

To answer this question, I first had to collect some information about the WiFi Pineapple device itself.

As you know, a Chinese proverb says:

"If attackers are accessing systems using default settings,
we too can catch them with the default settings in their software and hardware."

For this reason, I decided to check some distinguishing features and default settings of the device. The following information seemed useful:

  • Hostname, default HTTP port, OUI

Of these, values like the hostname and the OUI (the vendor part of the MAC address) can easily be changed from the panel, but the HTTP port cannot.
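The three indicators can be combined into a simple gateway check. The block below is an added example written for this article, not PiFinger's own code. The scoring gives the management port the most weight, because it is the one indicator the article says cannot be changed from the panel. The hostname and OUI values are placeholders you should replace with what you observe on your own device; 1471 is the management port listed in the WiFi Pineapple documentation. The live probe uses a plain TCP connect, and the fingerprint function itself works on an already-collected description so it can be tested offline.

```python
import socket

# Fingerprint material named in the article: hostname, OUI and the management
# HTTP port. 1471 is the port the WiFi Pineapple documentation lists; the
# hostname and OUI sets are assumptions for this example, fill them from your
# own device.
PINEAPPLE_HTTP_PORT = 1471
SUSPECT_HOSTNAMES = {"pineapple"}
SUSPECT_OUIS = {"00:13:37"}  # assumed vendor prefix; verify against your device

# Weights: the port cannot be changed from the panel, so it decides on its own;
# hostname and OUI are cheap to change and only add confidence.
WEIGHTS = {"http_port": 3, "hostname": 1, "oui": 1}
SUSPECT_THRESHOLD = 3


def oui(mac):
    """First three octets of a MAC address, lower-cased, e.g. '00:13:37'."""
    return mac.lower()[:8]


def tcp_port_open(host, port, timeout=1.0):
    """Real network probe: True if a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fingerprint(gateway):
    """Score a gateway description.

    gateway: dict with keys ip, mac, hostname (may be None) and open_ports
    (set of ints that have already been probed).
    """
    hits = []
    if PINEAPPLE_HTTP_PORT in gateway["open_ports"]:
        hits.append("http_port")
    if (gateway.get("hostname") or "").lower() in SUSPECT_HOSTNAMES:
        hits.append("hostname")
    if oui(gateway["mac"]) in SUSPECT_OUIS:
        hits.append("oui")
    score = sum(WEIGHTS[h] for h in hits)
    return {"hits": hits, "score": score, "suspect": score >= SUSPECT_THRESHOLD}


def probe_gateway(ip, mac, hostname=None):
    """Live version: probe the management port on the gateway, then score it."""
    open_ports = {PINEAPPLE_HTTP_PORT} if tcp_port_open(ip, PINEAPPLE_HTTP_PORT) else set()
    return fingerprint({"ip": ip, "mac": mac, "hostname": hostname, "open_ports": open_ports})


if __name__ == "__main__":
    # Constructed gateway description for a dry run; probe_gateway() does the real check.
    sample = {"ip": "172.16.42.1", "mac": "00:13:37:aa:bb:cc",
              "hostname": "Pineapple", "open_ports": {1471}}
    print(fingerprint(sample))
```

Run probe_gateway() against your default gateway's IP and MAC right after connecting (the address is in your routing table, the MAC in your ARP cache). Because the port carries weight 3 on its own, a Pineapple whose operator renamed the host and changed the OUI is still flagged, which is the point the article makes about the one setting that cannot be changed.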

As a result of this work, I developed the PiFinger tool. Since then I run it on every network I connect to, and it has not failed me once. :)

Enjoy!

I did not want to finish the process there; I wanted to add some fun to it. So I rolled up my sleeves for a new operation.

This time my target was to mislead the devices that run WiFi Pineapple, and in doing so make the users in the environment aware of the threat.

The focus was entirely on “Beacon” frames, since the purpose was to inform the users nearby. So I had to get some broadcasts out that say, in effect, “There is a WiFi threat here”.

After a little thought, I decided it would be a good idea to let the attacker do this for me. So I tried to fill the SSID pool that the attacker uses to create fake access points.

The attack I wanted to perform is exactly as shown in the following image. I would collect the connection requests (“Probe Requests”) around me, parse and record the information (MAC, SSID) they contain, then replace the real SSID values with SSIDs that warn that an attacker is nearby, and send them out again with the same MAC addresses.
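The probe-request rewriting described above, as an added example that is not PiNokyo's own code. It builds raw 802.11 probe request frames with the standard library only (24-byte management header, SSID element, supported-rates element), parses captured frames back into (source MAC, SSID), and rewrites each one with the same source MAC but a warning SSID, so that whatever harvests probe requests ends up with the warning text in its SSID pool. The warning strings and the sample MAC address are chosen for this example.

```python
import struct

BROADCAST = b"\xff" * 6
# Supported Rates element (tag 1): 1, 2, 5.5, 11 Mbps (basic) and 6, 9, 12, 18 Mbps
SUPPORTED_RATES_IE = bytes([1, 8, 0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])

# Warning SSIDs that should land in the attacker's SSID pool and therefore in the
# beacons the Pineapple sends out. Chosen for this example; anything up to the
# 32-byte SSID limit works.
WARNING_SSIDS = [
    "WARNING: WiFi Pineapple nearby",
    "Do not connect: fake AP",
    "Your probes are being sniffed",
]


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(src_mac, ssid, seq=0):
    """Raw 802.11 probe request (no radiotap header): management frame, subtype 4."""
    ssid_bytes = ssid.encode("utf-8")[:32]
    header = struct.pack(
        "<HH6s6s6sH",
        0x0040,                 # frame control: type 0 (management), subtype 4 (probe request)
        0,                      # duration
        BROADCAST,              # addr1: destination
        mac_to_bytes(src_mac),  # addr2: source, the station whose MAC we keep
        BROADCAST,              # addr3: BSSID, wildcard for probe requests
        (seq & 0x0FFF) << 4,    # sequence control: 12-bit sequence number, fragment 0
    )
    ssid_ie = bytes([0, len(ssid_bytes)]) + ssid_bytes  # SSID element, tag 0
    return header + ssid_ie + SUPPORTED_RATES_IE


def parse_probe_request(frame):
    """Return (src_mac, ssid) for a probe request frame, None for anything else."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    frame_type, subtype = (fc & 0x0C) >> 2, (fc & 0xF0) >> 4
    if frame_type != 0 or subtype != 4:
        return None
    src_mac = bytes_to_mac(frame[10:16])
    pos, ssid = 24, None
    while pos + 2 <= len(frame):  # walk the tagged parameters after the header
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if tag == 0:
            ssid = value.decode("utf-8", errors="replace")
        pos += 2 + length
    return (src_mac, ssid) if ssid is not None else None


def poison_probes(frames):
    """Rewrite captured probe requests: keep the source MAC, swap in a warning SSID."""
    out = []
    for i, frame in enumerate(frames):
        parsed = parse_probe_request(frame)
        if parsed is None:  # beacons, data frames, truncated junk: ignore
            continue
        src_mac, _ = parsed
        out.append(build_probe_request(src_mac, WARNING_SSIDS[i % len(WARNING_SSIDS)], seq=i))
    return out


if __name__ == "__main__":
    # Constructed capture: one probe request from a made-up station MAC.
    captured = [build_probe_request("02:11:22:33:44:55", "HomeWiFi")]
    for frame in poison_probes(captured):
        print(parse_probe_request(frame))
```

To actually send the rewritten frames, put an interface in monitor mode and inject each one with Scapy as sendp(RadioTap()/Raw(frame), iface="wlan0mon"), or hand the bytes to a raw socket bound to the monitor interface; the capture side is the same interface with a filter on management subtype 4. The frames are built with a wildcard BSSID, which is what a normal active scan sends, so nothing distinguishes them from the station's own probes except the SSID text.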

PiNokyo: how it works

As a result, users will see values like the following on their devices.

And attackers will see the SSID pools on their devices (WiFi Pineapple) filled with these values :)

For now, I end my writing here. After I get the results of my new work, I will share them.

#HackerMaker
