Building a Better WiFi Pineapple with Open Source Tools

Intro

I felt like every blog post I read about the WiFi Pineapple discussed the features and promises of what the device could do.  I even wrote my own article back in 2018 on how to capture handshakes using an open-source module in the Pineapple.  As time has passed the allure of the Pineapple has passed, and as a hacker I have to consider that it could be done in a better way. Which is the overall topic of today why the Pineapple is bad, and how to make a better WiFi Pineapple with Open Source tools.  

The first question we must ask is "What is a Pineapple?".  The device is described on Hak5's website as the leading rogue access point and WiFi pentest toolkit for close access operations.  That sounds very impressive, but when you consider there really are not any other direct competitors of the Pineapple it is easy to say that you are the best.  There have been several generations of upgrades to the Pineapple device and are now split further into two categories of devices.  The Pineapple Nano and the Pineapple Tetra.  The Tetra is the more expensive of the two options starting at $200 USD and features a dual band 2.4/5 GHz chipset that will allow for a wide range of testing. The second device is the Pineapple Nano which is half the cost starting at $100 USD and features only a 2.4 GHz chipset.  

So why does the Pineapple need to be better? Hak5 claims they make Top Pentest Devices, but what makes them the Top Pentest Devices? The claim is that the PineAP is a highly effective rogue access point suite for the WiFi Pineapple. Building on the simple probe request and response nature of Karma, PineAP takes the attack to the extreme.  (Their words, not mine)

In reality these devices are built on top of a myriad of open source tools and we have the ability to confirm these suspicions because Hak5 was kind enough to provide SSH access to the device.  In order to address the use of open source tools inside of a product that is being sold and how the legality works for that.  It seems that all of the open source tools are licensed using the OpenBSD copyright. From the OpenBSD website:  "OpenBSD strives to provide code that can be freely used, copied, modified, and distributed by anyone and for any purpose."  Therefore, Hak5 is completely allowed to distribute and modify the code that lives on top of their device.  It should be noted that I did in fact purchase a WiFi Pineapple Tetra for research and this blog post.  All commands and screenshots will be taken from the Tetra.  To begin let us login with SSH and snoop around a bit do some recon on the device software.  Below is a condensed screenshot of the current processes running on the WiFi pineapple followed by the version of operating system version being used.  

Alright, let's see how the Karma attack works on the Pineapple.  To test this theory I will be logging in via SSH (or attaching to the TTY, because the  Tetra crashes so frequently to use SSH) using the USB UART ports on the back of the Tetra.  After launching the Karma attack built into the Pineapple we will look at running processes using the command ps aux and determine what is happening. During the recon and karma attack functionality we finally found something executes the pineap binary that lives on the device.

With more recent releases the Pineapple software claims to be able to capture credentials using the Evil Twin method for WPA-Enterprise networks. As you can see in the screenshot below the menu options of the WiFi Pineapple's PineAP Enterprise. So when we enable this what does the ps aux say is happening.

The screenshot below shows the Pineapple performing PineAP Enterprise attack using the open-source tool hostapd which can be found here.  

As mentioned before hostapd is copyrighted under the OpenBSD license which means Hak5 is perfectly allowed to modify to work with the Pineapple and distribute it however they see fit.   However, this also means that anyone else could modify and release the Pineapple version as well.  

Diving deeper into the process above it looks like hostpad is being fed a config file called hostapd-phy0.conf. We must investigate where this file came from and how it was created.  The screenshot below shows the configuration file that was created during setup of the PineAP Enterprise.  If we look at the processes during this configuration we will find another open-source tool creating this config file.  The screenshot immediately below is the output of the config file.

When initially setting up the Enterprise certificates you can see that the Pineapple launches a bootstrap bash file and also appears to launch the OpenSSL tool.  Let's investigate the bootstrap.sh file.

Ah, yes it seems that indeed the Pineapple is just using OpenSSL to create the certificates in the /etc/pineape/certs/.    

Again, most of the tools are open source but are being modified to fit the Pineapple.

So far this is a bunch of evidence of the Pineapple using open source software, but what is the PineAP doing?  In the screenshot below you will see the list of commands available when running ./pineap directly from the command line. Seems like some generic commands like help, version, and get_status.  Those are probably just running simple output from the binary.  The other commands like add_ssid ,del_ssid, and list_ssids is probably a list that is being maintained within the binary that will be used as a whitelist/blacklist filter.  The commands I am most interested in are that of deauth, handshake_capture_start and inject.  I want to see if Hak5 is actually performing these commands or if they are using open source tools again.  

In order to find out what is happening I am going to copy the precompiled binary from the Tetra and move it to my local machine for inspection.  In order to take a peek inside this binary I will be using the NSA tool Ghidra.

In case any of you are following along it should be noted that I had an issue with the import feature in Ghidra getting the pineap binary in. Instead of using CTRL + i or file import I had to drag and drop.  Not sure why that happened but it works.  The screenshot below shows us more information about the binary.  First thing to notice is that it is compiled for the MIPS language.  Which makes sense considering the Pineapple is running on a MIPS version of OpenWRT (Another open-source platform). Further inspection it is using big endian notation and the address size is 32 bit.  

Oooh!  Well this is great, after opening the file in Ghidra it seems that Hak5 was kind enough to leave a partial symbol table for us.  This is going to be extremely helpful in figuring out exactly what is happening in this binary.  The symbol table will allow us to reference function names and some variables that exist in a compiled format.  The screenshot below shows some of the function names that are referenced in the symbol tree.

Looking into some of the functions it looks like Hak5 is passing information from the PineAP binary into a system command.  

Again, as mentioned multiple times above this open source tool is also being licensed by the BSD license, and as you can see Hak5 has made changes to work with the PineAP and Karma attacks.

The real reason I am digging into this binary is to look at how Hak5 is performing the deauth function.  Luckily the symbol table is included as I can simply click on the function deauth and Ghidra will give me a decompiled version to investigate.  It seems that the function takes in 4 parameters, which we already know about from the help menu.  The first and second parameters is the MAC address and BSSID that is being targeted for the deauth.  The third parameter is the channel which tells the pineap what channel to stay on during the attack.  The final is the multiplier which tells the pineap how many times to perform the attack.  

Hardware Limitations

Limitations in this blog post are in reference to using the Pineapple as a pentest device or for a red teaming engagement.  These limitations might not apply to everyone's use case.  

The first issue I would like to talk about is that of size.  The tetra is roughly the size of a small Netgear router.  Additionally, it has 4 rather large antennas sticking out of it and needs at least one battery that may or may not be in your field kit (more on that later).  Not to mention the size of the bag that is quite large.  

You can see a photo of me performing a wireless test in a Vegas hotel using the Tetra field kit bag below.

Okay, that is a bit of stretch, but the bag is quite large and clunky.  It's not exactly discreet. Next I will talk briefly about the battery life and battery compatibility to the Tetra. As you can see from this picture below the Tetra has two micro USB ports on the back.  In order to use the Tetra you must have a battery that supports output of power to two micro USB plugs or you could buy two batteries.  However, this is an added cost to the overall product.  I opted to purchase two Anker PowerCore+ 13400 batteries at $45.99 a piece.  This brought my total up for the entire project to roughly $400 USD.  

The battery life was very lengthy with the two batteries, and with a quick bash script I was able to test the battery length.  The Tetra stayed online with no-load for roughly 25 hours.  Which I will say is plenty for a wireless penetration test.  If the Tetra is going to be dropped on-site to provide a tunnel back into a corporate network I would highly advise plugging it into a constant power source.  

Enough about the Tetra, instead the next complaint is about the Nano. The smaller devices does not support 5 GHz support which means that it is impossible to use for an actual wireless pentest.  At the time of writing I have spent a significant amount of time attempting to figure out a solution for the Nano.  I looked at purchasing a 5 GHz USB wireless dongle to add an additional antenna to it, but according to Hak5 forums there are no supported devices.  There might be a USB device that works you, and if you want to tell me about it make sure to let me know on Twitter.

Software Alternatives

Anyone who reads my blog posts about wireless should already know what I am about to say, but of course I will say it again.  The current champ in the wireless space is Bettercap.  I have already wrote an entire blog post on Bettercap and will not repeat all of the features here, but you can read more about that here.  I will summarize that Bettercap will let you perform deauthentication attacks against WEP and WPA2 networks.  This will replace the majority of what the WiFi Pineapple can do.   Having said that it would be nice to have a drop in replacement for the Pineapple on any ARM device.  I have been working on a solution and will hopefully create a minimum viable product that can be used on a variety of different platforms.

Hardware Alternatives

Now we must talk about hardware alternatives to the Pineapple.  The best device I have found on the market to date is the Raspberry Pi 4.  Featuring many of the same features as the Tetra for a very small fraction of the Tetra.  It features up to 4GB of DDR4 RAM, USB 3.0 which can support Remote Network Driver Interface Specification (RNDIS) or networking over USB, 5Ghz network support, and ARM which will allow for more common pentesting tools.  Bonus points for the Raspberry Pi devices as they all support Bluetooth as well, which means you can test more of the wireless spectrum.  

If you said earlier that missing out on 5Ghz networks was not a big deal, well then you can get an even cheaper Raspberry Pi.  The Raspberry Pi Zero also features ARMv4 processor, 2.4Ghz support, amazingly long battery life, networking over USB, and minuscule form factor.  I will go to say that if Raspberry Pi ever creates a Zero that supports 5Ghz chipset it will be game over.  That will win the ultimate wireless pentesting hardware challenge.  Until then one can buy a USB adapter to support 5Ghz on this, but at the cost of some battery life.  

Another interesting device I found was the Zotac Mini-PC.  Which actually runs an x86 chipset which means you can put a full fledged Kali Linux operating system on the device.  It also supports 5Ghz and Bluetooth support.  I will say, that I have not had a chance to test this device so I cannot speak to the battery life, but running normal Kali tools makes it very appealing.  

The final device I would like to speak to is the portable route called the GL-INET 300<???>  which runs the same MIPS processor as the WiFi Pineapple.  In fact, there have been other blog posts on the internet on how to actually port the Pineapple firmware to the GL-INET.  This little device is power conscious and supports Power-Over-Ethernet (PoE) for certain models.  Which means you could shove it somewhere discreet on the internal network, and would be able to run much longer than relying on battery power.  

Conclusion

To conclude I am honestly, not sure what I wanted to convey in this blog post.  I feel very passionate about the need to replace or improve the Pineapple with a better product, and as a self-described Hacker I think we should investigate everything around us.  I am currently playing around with developing a drop in replacement for the Web UI for the Pineapple that can be run on a variety of different single board computers.  Because, our tools should make our lives easier and not bring more frustration. Hopefully, Hak5 will learn and improve their product line, but using their online influence and YouTube channel to continually market new devices seems to be the easier way for them to go.  

Alright that is enough of my rant.  Until next time keep exploring and investigating everything around you!  

Sources and Inspiration:

• Hak5 - https://hak5.org
• OpenBSD License - https://www.openbsd.org/policy.html raspb
• Raspberry Pi Org - https://www.raspberrypi.org/
• Bettercap Project - https://www.bettercap.org/
• hostapd - https://w1.fi/hostapd/
• hostapd-cli - https://www.freebsd.org/cgi/man.cgi?query=hostapd_cli&sektion=8&manpath=freebsd-release-ports
• GL-INET - https://www.gl-inet.com/