Cracking WiFi with a Pineapple

by Vince
in Blog
Hits: 486

I probably learned to crack WiFi over 10 years ago -- if you've never done it, do it, you won't regret it.  I learned on BackTrack and Kali using an Alpha antenna.  Somewhere along the way, I acquired a Pineapple... or four which streamlines the process.  Of the many times I've setup a Pineapple, I've never had it go smoothly and that's either because they can be buggy, I'm using older versions, or I just don't have the attention span when I'm setting them up.  

All that said, I'm doing an audit -- which is something I rarely do but I grabbed the Pineapple out of my bin of toys and here were are.

When everything is setup, we access the main page:



We move over the recon tab, we select the amount of time we want to scan, and we hit the start button:



If everything is working correctly, we see the progress bar increasing toward completion:



When it's finished, we see the results:



Hit the drop down arrow for the access point where it shows "WPA2-PSK (CCMP)", and we are brought to a page where we can start the capture:



While performing the capture, we are presented with the Stop Capture and Deauth buttons.  NOTE:  I believe it is illegal to Deauth without permission.  Quoting from the Internet:  "Transmitting deauth packets is illegal according to cases involving hotels and conference centers jamming wifi hotspots."  That does not specifically describe what we are doing and I am not a lawyer but beware.  Also, if you arrive early enough in the morning, you can capture the authentication without the need for deauth.  

For the sake of my audit, I have permission.  



When the capture is successful, we can download the PCAP file:



And the file should look like:



We now need to convert the PCAP file with cap2hccapx.bin in order to crack it with Hashcat:



We run the command against the file:



I already know the hash mode is 2500 but if you didn't, we could go to the hashcat examples site:



We scroll down to 2500:



We fire up Hashcat, point it to the output and our wordlist:



Hash mode 2500 does not work, we are directed to use 22000 which also doesn't work but we can use 2500 as long as we add the "--deprecated-check-disable" flag:



Moments later, we crack the hash:



The Pineapple is just a tool but the process is essentially the same.  I just acquired a Flipper Zero with the WiFi dev board.  I also have the SD card board which allows for the saving of the PCAP file.  In theory, we should be able to do the same thing as the Pineapple but with a much smaller package.