Hacking WiFi with a Hak5 Pineapple

- That's why you might want to use this

rather than a Alfa adapter, with Kali,

'cause you've got all these reports pre-made for you.

- And the guy recognized somehow

that his account had been taken over,

and so he changed his password.

The password (chuckles) was MOTHERF-ERSAREINMYCOMPUTER.

How much of that should we redact

when we provide it to their bosses?

- I'll tell you this:

I've done some videos where I showed people

how to crack short passwords,

and the number-one complaint I get

is "no one would use a password like this. It's dumb."

- They're wrong.

But yeah, I see a lot of really crazy stuff.

(upbeat music)

(static buzzes)

- Hey, everyone, David Bombal back with Cori.

Cori, welcome.

- Hey, David, thank you so much for having me back.

- So good to have you back.

We had so much great feedback on our previous video.

For anyone who missed it, use the link below.

Cori hacked me.

Now, Cori, whenever I talk to you now,

I'm really scared because I'm worried

that you gonna hack me again or you gonna hack my Wi-Fi.

What're we looking at today?

- Today, we are gonna be looking at the WiFi Pineapple.

It's basically just a Wi-Fi-auditing tool.

It's made by Hak5.

They make a variety of pen test tools.

It's gonna be a lotta fun.

- I'm glad that we're doing this, 'cause I've had a lot

of requests for, specifically, the WiFi Pineapple.

D'you wanna take it away?

Tell us what it is, why it's important.

Do you actually use it?

I'm assuming you use this on a lot of your pen tests,

so hopefully, we can get some like war stories as well.

- Awesome, yeah, this may be a bad thing,

but I actually don't use the WiFi Pineapple

that frequently.

- I mean, I'm (beep) shocked.

- But it is a great tool.

I use just a standard wireless card;

that's what this is;

when I do Wi-Fi pen testing.

- Alfa card. It's a Alfa network adapter, is it?

- [Cori] It is an Alfa, yeah.

- Yeah, let's talk about that.

Why would you use the WiFi Pineapple

rather than, say, an Alfa?

- Well, the WiFi Pineapple comes with its own GUI,

which is very end-user friendly, right?

People can interact with a graphical interface

versus pre-installing their own tools

and doing everything out of a terminal.

- Yeah, I suppose the problem with the Alfa

is you gotta make sure you get one

that works with your distribution.

(tuts) A lot of people have struggled

with 5 gigahertz rather than 2.4

to get the drivers installed,

whereas the Pineapple comes with everything pre-installed.

It's got a pretty GUI. It's all ready to go, right?

- Exactly, yeah, and that was a great point

that you brought up: 2.4 versus 5.

And so that used to be a problem

with the Pineapple as well, right?

(indistinct) there is a lot of questionable things

that happen once you start to integrate 5-gigahertz spans.

Today, we're actually using the Pineapple Mark VII.

It's this fancy-schmancy thing,

and it actually works with both 2.4 and 5,

so very cool feature of that.

And I should say this actually is not my Pineapple.

This was my friend Blake's.

(chuckles) He let me borrow it to make this video.

I actually only have a NANO.

So thanks, Blake. I really appreciate it.

- We'll put Blake's details below.

Go and follow him.

He's on Twitter. Is that right?

- He is on Twitter, yeah.

I'll share his Twitter.

- [David] Blake, thanks so much for sharing.

- Perfect, yeah, and I have all of these tools out

like a little show and tell.

I love Hak5. I think that they do really great stuff.

The tools that I use mostly for them

in terms of a professional setting

are the Shark Jack and the LAN Turtle.

They have very similar functions.

The Shark Jack basically just...

You plug it into a network,

and it does a very short Nmap scan.

And then, you can pull it off,

and it's a under 30-second process.

I think it only has a two-minute battery charge.

- We'll have to get you back for demoing those.

Can I just ask the audience

which Hak5 tools do you want Cori to demonstrate?

Cori, you do lotta pen tests,

so it's great to get your real-world experience and stories.

Please, put in the comments

which Hak5 tools you want us to cover.

But Cori, I don't wanna keep you any longer.

Go for the demo.

- Perfect, okay, for the sake of a demo,

I thought that we could do everything from scratch.

- That'd be great, yeah.

A lotta people struggle with that, yep,

because it's like, "I get the Pineapple. Now what?"

We won't do the unboxing,

because you've got it in your hand,

but everything else.

Is that right?

- Perfect, yeah, this is the Mark VII.

It has this little button on the front.

And then, you'll see the flashing LED,

and I think, to do a factory reset...

I believe you just hold this button for four seconds.

We'll find out live if that's true.

(David laughs)

I think that it should start flashing red.

Okay, 1, 2, 3.

And you're supposed to hold that button for about...

I think it's just three flashes of the red light.

And then, you'll just see a static red light.

I think you just wait a few seconds.

Okay, you can see that I was at this before.

My Pineapple is still red, though.

Let's refresh this.

- Just so that everyone understands,

you connecting via USB on your computer

into the WiFi Pineapple,

and that's powering it and also giving you a connection.

Is that kinda right?

- Yes, thank you so much for mentioning that.

I am connected USB-C to my computer,

and to do the factory reset,

you have to have that connection.

- And Cori, the other thing is...

Do you have to configure your PC or something

with an IP address in the same subnet as the Pineapple?

Does it come with a default IP address or something?

- Exactly, yeah, and we'll go into the Hak5 documentation

a little later,

but the standard is 172.16.42.42.

The port for the actual interface

that you interact with is 1471.

I know that's an Easter egg for something.

I can't remember what it is, but Darren Kitchen,

the guy that made Hak5,

I think he said it had something to do with a king.

I can't remember, but.

Did I answer that (chuckles) correctly, how you wanted it?

- Yeah, no, no, that's great,

yeah, 'cause, people, they're not gonna know this.

You configured your device with 172.16.42.42.

That's the address

that your PC has to be configured with, correctly?

Or correct, sorry.

- Yeah, that my Pineapple has to be configured with, yeah.

If you go to the bottom right-hand corner

and you just see all these...

I know. Just right click.

Hit properties or whatever.

And then, that's how you access it.

- Cori, I'm a boomer, so just to make sure

I understand this correctly,

you went into the properties

of the WiFi Pineapple management interface.

You configured it with that IP address.

What's it? 172.16.42.42.

And then, now we can, hopefully, connect

to the graphical user interface of the Pineapple, right?

- Yes. (keyboard clatters)

Okay, did a factory reset of the Pineapple

while it was plugged into my computer, so it was powered on.

And then, went ahead and changed the settings for this

and gave it the static IP of 172.16.42.42,

which is the Pineapple standard.

You'll navigate to that IP with no port specified,

and you'll get this recovery option, and I think

it's very similar when you do that initial setup.

It's almost the exact same thing.

And so you'll choose recovery,

and you'll just have to upload the newest firmware

for this Pineapple.

I think the link for that is hak5.org/downloads.

And we will probably just wait a minute for this to upload.

It usually takes a few minutes,

and I've found that this interface on the site

doesn't usually.

Refreshing time.

Usually, before it even lets you know that it's finished,

it is finished.

- I was just gonna ask the boomer questions

in this interview.

You configured the Pineapple with 172.16.42.42,

but you've navigated in your browser

to 172 16 fort, or, sorry, 42.1, right?

- Yeah, that's the gateway.

- And then, you log in.

Sorry, it asks you to set a username and password.

Is that right? Or did you do the firmware upgrade first?

- Yeah, so you just do the firmware upgrade first.

And then, afterwards, you navigate to 1471,

that port that everything's hosted on,

and we'll start to work through that.

This is the documentation.

It's awesome. This is Darren Kitchen, the Hak5 guy.

Sharon Morse? I hope I said her last name right.

Snubs is what she really goes by.

She has a lot of awesome content out there

on Hak5 stuff, too.

This is what we're gonna be walking through,

setting it up after that.

This may take a minute.

- Cori, while we waiting for this to update,

which Alfa adapter is your favorite?

- That's a great question.

They have the longest, craziest names.

I buy a lot of wireless adapters, a lot.

This is the only one that I really get anymore.

It's AWUS036ACH.

I know that sounds really complicated,

but it works really well with Kali,

so that's why I use it. - And do you...

And that one supports 5 gigahertz and 2.4, right?

- It does, yeah.

- And in your pen tests, do you find

that you doing a lot of 5 gigahertz these days?

Or is it just a mix-and-match of both frequencies?

- It's a mix-and-match.

- And while we waiting for the Pineapple to upgrade,

in your pen tests,

what are the kinds of attacks that you generally use?

Can you just explain. Is it like...

Do you do brute force of PSK, pre-shared keys?

Or try and...

Sorry, give us some examples of the kinda stuff that you do

and what's real-world,

because I can create a video saying,

"Here's a GPU. I'm gonna crack a pre-shared key."

But what're you doing in the real-world day-to-day

when you do these pen tests?

- Yep, that's exactly it.

We do exactly the same stuff that the Pineapple does,

and sometimes, we do additional things, like Wi-Fi OSAN.

That's basically nothing, but it's just walking the facility

of an area

and aggregating all of the data of wireless networks

and then just compiling that into a report

so that organizations can see

are there free and open networks around here

that other people could be using

to try to get our employees to connect to

or to impersonate any real networks that we have.

- Do you do fake access points

or evil-twin-type access points?

Is that how you capture credentials?

Or do you knock off clients?

Or is it all of the standard stuff that you do?

- Yeah, really, all of the standard stuff is what we do,

a lot of PSK stuff,

just like the Pineapple, really,

just a different physical tool.

- The reason I'm asking this is I'm trying to get a feel.

Theory in the books...

We won't mention any certifications here,

but certain certifications are very theoretical

versus what you actually find in the field.

(David tuts)

So do you have any favorite Wi-Fi-attacking methods

that you think work really well?

If I was gonna go...

Let's say I was going to go to a pen test and I'm new.

Which one would you recommend I start with?

Or do you have a cheat sheet?

'Cause when you did (tuts) the email campaign,

you had wonderful templates.

D'you have a sequence that you follow

or any kinds of tips for someone who's new to this?

- Yeah, exactly, I do.

I have a little playbook

that I've created for myself to reference.

I think most pen testers do that

in almost everything that they do

if they don't completely automate them.

But yeah, so there are some like standard tools

that I definitely use, a lot of people out there use.

WiFight would be one of them, if you're familiar with that.

And then, of course, the Aircrack suite,

which includes the Recon-ng

and probably all of those other Wi-Fi tools

that you've heard of.

- It's interesting that you said WiFight,

because a lot of people would say,

"That's script kiddie stuff,"

but it works, doesn't it?

(Cori chuckles)

- It is, and it's funny that you say that, because...

I can't remember who said this to me, but years ago,

they were like, "Look at information security."

People are so big on using the word script kiddie or skid.

It's just a term that...

But if you look at things like the OSCP,

the OSCP just (chuckles) makes you a script kiddie

because it just teaches you how to use scripts

to do everything within the scope of your job.

- I think it's a very valid point.

Use the tools. Don't reinvent the wheel.

What's the point of that?

Unless you wanna try something to learn

or you need it for a specific use case,

why not use the tools?

- Exactly.

- Just for everyone's benefit,

I've put links below to information

that Cori's shared with us.

Cori, thanks, as always, for sharing such valuable stuff.

We don't have it in the video, but I've put it below.

Cori's gonna share some of her secret sauce with us,

so Cori, thanks, as always.

(static buzzes)

- There's two different ways that you can start this up:

with Wi-Fi disabled and with Wi-Fi enabled.

It's just a binary option.

You either quickly press or you hold it for four seconds.

I don't know if you have a preference on what we do.

I've done it both ways.

- Cori, let's do the easy way, which is use the Wi-Fi.

- Perfect, let's do it.

(static buzzes)

And I think we can actually show here

this is exactly what I was talking about,

where the page says that it's still uploading

but you can actually navigate to it.

Oh, actually, it does still look it's loading,

so I think (chuckles)

we actually do need to wait another minute.

I guess we just need to wait longer.

I've never had it take this long before,

so I apologize.

- It's gonna take this long because we are recording.

That's why it's...

I've done this for years. This is...

It never...

It always works beautifully until you have to demo it,

so don't worry.

I know the pain.

Cori, lemme... Let's...

While we're waiting for this, some real-world stuff.

What's the dumbest stuff

that you've found out in the real world

that people set their passwords to,

like password or something's really dumb on Wi-Fi networks.

I'm just trying to, again, take it real-world

versus what they teach in books.

- Yes, I love that question,

and I also feel bad 'cause I don't want...

I'm afraid of someone watching this video we're recording

and being like, "Hey, that was my password,"

(David laughs)

or something like that.

But yeah, I see a lot of really crazy stuff,

especially passwords,

which is so funny, that you mention that,

a lot of swear words,

derogatory terms against people's bosses or their job.

But probably, the funniest story that I have

in regard to a password

is one of my co-workers

had actually compromised this machine.

And then, he was using that user's credentials

to continue moving laterally throughout the network,

and the guy recognized somehow

that his account had been taken over.

And so he changed his password, and of course,

when we eventually took that password, cracked it,

the password (chuckles) was "MOTHERF-ERSAREINMYCOMPUTER."

(David laughs)

Yeah, but it's crazy. It'll be like, "I hate my job.

I hate this place."

It's always funny.

It's like, "How much of that should we redact

when we provide it (chuckles) to their bosses?"

Yeah, a lot of crazy stuff around passwords.

Passwords is such a fun way to look,

and I think something really interesting about passwords...

There was this guy, I think his name was Matt.

I can't...

I think his last name was Kier.

His name was, like, Matt Kier,

and he did a couple of DEFCON talks years ago,

probably 8 to 10 years ago,

but they were all about analyzing passwords

and what kind of passwords

people create on different platforms,

and it was some really interesting data;

for example, when a person creates a password

on a platform that's associated with their job, I think,

the likelihood of a deity or a God

being involved in that password

was increased by 30 to 40%.

It's really interesting to see statistics like that.

- And on Wi-Fi passwords,

do people use weak passwords as well,

like really short passwords on the Wi-Fi stuff?

- Yeah, definitely, they do.

- I'll tell you this.

I've done some videos where I showed people

how to crack short passwords,

and the number-one complaint I get

is "no one would use a password this. It's dumb."

- They're wrong.

Password spraying is such an integral part

of pen testing as well,

which just goes to show people are still stuck on that.

And beyond just spraying regular common passwords,

like SUMMER2022, all that kind of stuff...

But I've found that, if you take breached credentials

from any kind of data breach, like LinkedIn or whatever,

and if you take someone's password

and you attempt iterations of that,

so if it's BILLYBOB1786,

if you change that to BILLYBOB1787 or BILLYBOB1788,

something sequential or an iteration,

the likelihood of that being valid is also increased.

- That's mad, and what about RockYou?

People still using passwords in that?

- Yeah, people do use RockYou,

but I think RockYou is more so used as a base

alongside more sophisticated password rules.

So you'll take rocky words.

And then, you'll be like,

"The first character of that string will always be capital.

The last character will always be a special character,

followed by numbers,"

something like that.

- On Wi-Fi pen tests,

are you able to crack a lotta the passwords

from outside the building?

Do you have to somehow social engineer your way

into the building?

What's your playbook to crack a Wi-Fi network?

- Yeah, I do both.

Usually, if I have to do a Wi-Fi test

while I'm doing a physical pen test,

which is accessing the interior of the building,

getting something on the network,

something like that,

I'll actually just sit in my car

while I do the Wi-Fi testing

and get as close as I need to,

because this thing's not very conspicuous.

I could put her in a backpack or something,

but usually, with the kind of pretext that I use,

because I'm a young woman, something like a backpack

would probably only hurt the way that I look.

Okay, this is the initial setup.

Obviously, everything in here's

in a graphical user interface,

but it doesn't have to be.

Once you actually finish the initial setup,

you can just establish a shell of the device.

It's bash, so we can have fun with that.

The root password is just the password we will use

every time that you try to set this up.

And the time zone...

I'm in Nashville, Tennessee,

so that's central.

And then, we'll just walk through these slowly.

The management AP,

that's the access point that you're gonna use

to actually manage the WiFi Pineapple remotely.

You gotta pick this SSID.

I'll say David Bombal.

And the password,

this is used to connect remotely,

so you'll want this, probably, to be the stronger password.

- SHEHACKEDMYDISCORD, is that right?

That's my password?

- Yeah, exactly.

And then, the open AP, this is the access point,

and it's gonna broadcast for other targets.

I'll just call this Bombal.

Don't make it so complex that you forget, though.

(David laughs)

Awesome, and then, these client...

The client filter's set up in the SSID filter.

The client filter's gonna...

It's basically an allow-deny list

for any of the actual devices

that can connect to it,

so if you do an allow

and then you put in the MAC address for whatever device,

that will be the only device

that is allowed to connect to this,

versus if you do a deny list and you put nothing in here,

then everyone can connect to it.

Or if you just put one MAC address in the deny list,

then only that device can't connect to it.

For the sake of this...

It's just a demo.

I know people are gonna get mad at me.

I'm gonna do a deny none.

I'll commit a cardinal sin right now by doing light.

(David laughs)

Accept their terms of service and license agreement,

but of course, don't read them.

- That is not legal advice, by the way. (chuckles)

- Yes, I'm not a lawyer. (David laughs)

We're back here.

Hopefully, I can remember that password that I used.

Perfect, and so now

I'm gonna connect it to the internet

so I can do some fun things,

or we can just start by doing a walkthrough of this.

You can see there's six different graphical icons

on the side.

They're all different things, of course.

This is the dashboard.

It lets you quickly see the logistics and statistics

of everything that you've done recently,

everything about the system.

You can see our systems status / disk usage.

And then, once we start running campaigns

and attacks and stuff like that,

we'll be able to see

all the clients that we currently have connected

and all of the clients, in total,

that we have had connected,

as well as the SSIDs that we've seen.

And then, of course, notifications will also pop up here.

This is the campaign tab.

Campaigns are probably more of the Wi-Fi pen testing

versus just-having-fun kind of stuff

because when you create a campaign you can configure it

with whatever scripts that you want to run.

When you're using tools like Wi-Fi or Recon-ng,

you can configure these campaigns with those.

And then, you can configure the campaigns to start

whenever your Pineapple turns on,

so you won't even have to touch this.

You'll simply just bring your Pineapple with you

to whatever physical location you're accessing

and plug it in.

Oh, and they also have reports,

which is probably super beneficial

for when you write up your pen test report.

- That's why you might wanna use this

rather than a Alfa adapter, with Kali,

'cause you've got all these reports pre-made for you.

- Exactly, yeah, they...

That's a great point. They are premade.

Of course, you can automate ways

to take output from other tools

and compile them into a report,

but this is so simple and easy.

And then, these are some the different aspects

of the Pineapple itself.

PineAP is the...

When you think about the WiFi Pineapple,

really think about PineAP.

PineAP is the suite of tools for the device.

There's a bunch of different options here.

This just sets the behavior.

It'd be very similar to when you run those campaigns.

I guess we can just go ahead and start one.

Before I do that, though, I'll go to the settings.

When you go into the settings of the WiFi Pineapple,

it has this amazing mode called censorship mode,

and it does exactly what you think it does.

It just censors everything,

and it even has random censorship,

which is really fun

because it makes all of the SSIDs different fruits.

I guess you'll see it in a minute,

but I'll do this so I don't

dox my- - It hides all your SSIDs

and MAC addresses, stuff like that, right?

- Exactly, yeah.

- Yeah, that's great.

- If you do the standard censorship mode, I think,

it just shows half of the strings as X's,

and if you do the random censorship mode,

it'll show them as fruits.

I guess I'll have to do the previous one

so that I know what I'm connecting to as well.

Before we do that, let's actually go into this tab.

This is the recon tab so recon/reconnaissance.

We'll go ahead and start a one-minute scan.

Reconnaissance is just the act discovering things.

This is just gonna take a look

at all of the access points that we can see

and all the clients that're connected to those.

- It's really simple, isn't it?

The hardest part here so far

has been trying to install the software.

- Yes, and I'm sure that I...

I know that it's easier

when you're not streaming video and audio as well.

- Yeah, it's not difficult.

I think that's the great thing.

You've got a dedicated device.

You didn't have to type any commands, whereas with...

I'm just trying to, in my head and for the audience, try

and balance do I just get an Alfa adapter

or do I get a Pineapple.

And I suppose the problem sometimes with the Alfa adapters

is you have to install.

And I just say Alfa 'cause I Alfa as well.

It's not sponsored. I'll just say that.

This video's not sponsored by Alfa.

You have to install drivers, preps,

specially with the 5-gigahertz adapters.

(tuts) You have to know the commands. You can script that.

You can use Wi-Fi, stuff like that. But this is...

Graphical's so easy, isn't it?

- Exactly, yeah, it's easy.

And I do wanna say you're not sponsored by Alfa,

but you could be,

so if Alfa reaches out to David Bombal

and wants to sponsor him,

you're not closed to that, right?

- Yeah, they've... I...

For disclosure, they have given me some adapters

in the past,

and I have given away some of their adapters,

but they've never paid me,

but yeah, of course,

if Alfa wanna sponsor or if Hak5 wanna sponsor...

And I will say this. Darren has been fantastic.

I've spoken to Darren or DMed him on Twitter,

and he's also given me

vouchers and coupon codes to give away.

So really, shout out to both companies. Both fantastic.

- That's awesome.

Yeah, but you made some amazing points.

The real difference is ease of use, right?

- Yeah. - And skill level

of the person using it.

If you're just getting started

into Wi-Fi testing or pen testing as a whole

and you're trying to explore different facets,

you would probably wanna start with the Hak5 suite

because it's such a great introduction

to those kind of things.

- It's amazing.

You've picked up a lot just in one minute, right?

- Yeah, yes, a lot. Very interesting.

This was our Recon. Yeah, we did our one-minute scan.

You can see up here's some of the statistics

of the things that we had identified.

All of the green are access points.

And then, we have clients

that were connected to those access points.

We also have this activity log, which shows us

everything that we've done on the PineAP.

Ignore the dates.

I think that the date on the system is misconfigured.

That's that section.

And then, this,

this is also, in addition to PineAP, the heart and soul

of the WiFi Pineapple,

which is the modules and packages.

So let's take a look at the modules that we have.

Oh, I need to connect to my network first.

Yeah, and to connect to a network from your WiFi Pineapple,

you can just click...

I think this is called a hamburger icon,

when it has the three dots.

And then, go to internet connection.

And then, hit network settings.

Okay, and this is one thing

that I noticed Censorship mode doesn't do well

is it does not censor anything

when you are configuring your own network settings.

awesome, we are connected to our own network.

Now we can go back into the modules if it allows us.

Think I've had a wait for this before.

I think the modules are super beneficial

'cause they have some really cool things,

like viewing any HTTP traffic as it comes in.

And of course, there's EvilAP,

which is probably one of the most famous subsets

of the WiFi Pineapple.

Yeah, and I will say between the campaigns

and the PineAP behavior settings down here,

it's almost exactly the same thing, right?

The campaign is...

When you configure the campaign,

you're just additionally saying

how you would want PineAP to behave.

- You can run different campaigns for different pen tests.

That's kind of the idea, right?

- Exactly, yeah, and you can configure it much better

with your own scripts and stuff like that,

but we'll run through these behavior settings within PineAP.

The parallels between passive and active mode are

that they both come with their own pre-configurations.

Within passive mode, it's basically just a recon.

You're collecting information

about all the access points that you see.

And then, you can add all of those access points

to a listing of access points

to potentially advertise later on.

That's that SSID pool.

And then, in active, you're doing both of those.

But then, you can actually advertise

all of those SSIDs simultaneously.

And then, within advanced settings, you get a...

It allows you to configure those settings a little more.

Obviously, logging all events, both passive and active,

do that and then notifications

for all clients that connect and disconnect,

capturing SSIDs to that pool to impersonate.

And then, you can also broadcast those.

Think that we can go ahead and start a passive scan.

Awesome, and so we will see,

and while we're doing this,

let's see if we can get those modules again.

Awesome, okay, and these take a little bit to download, too,

I think, especially because we're talking right now,

but we can just run through a couple of them,

some of my favorite ones, HTTPeek.

I had mentioned that earlier.

It just allows you to view all plain text HTTP traffic

for the clients that are connected to APs that you own.

Super beneficial, right?

Yeah, you could say there's not a lot

of HTTP traffic happening, but I think...

Actually, we should install this,

and maybe I can do it right now,

connect my own device onto it and then...

Awesome. You have to install the modules themselves.

And then, I think once you actually try to open a module,

it may make you download more.

Evil Portal, this is what I had mentioned earlier.

This is probably one of the most synonymous modules

with the WiFi Pineapple.

It lets you create captive portals; for example,

when you go to a McDonald's or a hotel or something

and you try and connect to their wireless connection

and a little webpage pops up saying,

"Do you agree to our terms and conditions?"

or, "provide me your email address,"

that's a captive portal, just like this.

And the difference is

that we are creating the captive portal here,

or we're leveraging a captive portal

that someone else has made,

because there's a lot of these available out on GitHub,

and of course, in the last video I made,

I mentioned this thing called SingleFile.

You could actually use SingleFile

to grab a different captive portal, right?

So super beneficial.

We'll install it.

We can probably run through it really quickly, too.

And then, Nmap, of course,

Nmap is just a simple port scanner.

There's a graphical user interface for this.

I actually didn't...

I just realized...

I thought the graphical user interface for Nmap

was called Zenmap,

but I guess here it is just Nmap.

Maybe those are two different things.

I really don't know.

HTTPeek, let's see if we need to download anything

before using it.

- You just scanning the air. Is that right?

And then, looking for stuff that's gonna get captured,

is that kinda right?

- Yes, and so what we're gonna do right now, right after...

Right now I'm just checking these modules, yeah,

to see if they had any dependencies,

because, frequently, I've noticed

that they do have dependencies,

and so they may just take a couple more seconds to download.

But once these finish, we'll go ahead

and spin up an evil twin access point with Pineapple.

I'll connect one of my devices to it.

And then, we'll just check up...

I'll navigate to some HTTP traffic

so you can see what it would look

if you were out in the wild doing it.

Oh, this is a great walkthrough, too, real quick.

Once you have run your Recon

and you can see all the networks that are around you,

you can click any of these devices.

This is my network,

so I feel comfortable doing this.

I won't deauth it,

so that David and I can continue to have a conversation

over (chuckles) the internet.

(David laughs)

But you could just click.

It's as easy as this little red button, right?

You can just hit deauthenticate all clients.

And then, you can go ahead

and try to capture those handshakes,

and it's really that simple.

Once you complete it, you can come back up here,

and you'll see your handshakes listed here.

And then, there's actually a subpage

where they'll all be listed,

and the format that they're listed in,

I wish I did actually have this for you,

but it's interesting because it provides it to you, I think,

both in PCAP and the hash itself

so that you can crack it in Hashcat.

And then, it also provides you the Hashcat numerical value,

which I think is 22,000.

Don't quote me on that.

I know people are gonna comment and be like,

"You have less than 22,000."

But yeah, it's really that simple.

- One of my videos which is quite popular this year

has been me using Hashcat with GPUs to crack passwords.

And again, on that video, people were saying,

"David, this is dumb because who uses a password

that's got a telephone number in?"

But the reason I used that as an example

is because an Israeli researcher found

that he was able to crack...

And I'll probably get it wrong.

I think it was 70% of Wi-Fi networks in Tel Aviv

because most people were using their telephone number

as their password on their Wi-Fi network.

And I was saying, "Look, someone's done this research.

This is real-world,

but I'm just gonna show ya how to use it with a GPU."

But I didn't just show telephone numbers

or 10-digit numbers.

I also showed how to use Hashcat

for mixed digits and text, and so forth,

just using GPUs to show

how, if you've got a powerful GPU, you could get lucky

and crack a password fairly quickly.

Or it could take a long time. It just depends.

- Yeah, and it's funny that you say that,

'cause I remember when that was published,

and I was kinda blown away

because when I think of Tel Aviv

I think of a place that's setting standards in security

and probably way ahead of America

in terms of information security and technology, but.

- It's that whole argument.

It's this thing about the security niche,

if ya like, or the...

People into security understand the risks,

and they don't, well, hopefully don't, do

too many dumb things,

but the general population,

who have no technical knowledge, don't.

They just do what's easy.

And let's be honest.

Setting some crazy Wi-Fi password is fine

except when your family comes to visit

or people come to visit

and you have to share that password.

I think non-technical people don't always realize the risks,

and that's why they get caught.

- Yeah, that's a great point.

(static buzzes)

Here we're back in our PineAP settings.

OpenAP is that open access point that we are broadcasting.

We had...

When we did the initial configuration, we named it Bombal

just to be silly.

Typically, if you're doing something this, you'd do;

I don't know if I can say this on YouTube;

McDonald's Free Wi-Fi because that's a open network,

and people are going to try to connect to it.

- Just for anyone who's watching, this is...

One the reasons for showing this is to also warn people

that just because it says McDonald's Wi-Fi

doesn't actually mean that it is,

because Cori could be trying to hack all of us.

So see this as education,

and show your grandmother.

Show your family who are not technical

that just because it says something

doesn't actually mean that that's what it is.

- Then I'm gonna go on a device.

I'm gonna go on my cell phone,

and I'm going to go ahead and connect that network.

This is McDonald's Free Wi-Fi.

(static buzzes)

You can see, in the upper right,

we actually got a notification,

a device that connected to it,

and we can go down into our HTTPeek,

which is that module that we had added earlier

that just lets us view HTTP traffic in real time.

We'll enable it and start.

And then, I'll go on my device.

The website I like to use for HTTP traffic

is the CERN website.

They have...

I guess it was the first website ever created,

and they keep it accessible.

And in case you were wondering,

obviously, I can access internet from my phone.

It's just like a man in the middle.

The Pineapple is using a legitimate network that I possess.

And then, it's broadcasting a network to other devices,

so devices connect to it,

and they can actually do things.

The Pineapple serves as...

It's called a man in the middle.

- All you did there

was you just broadcast an open network

pretending to be McDonald's.

You didn't have to do anything fancy.

Some person connected to it,

and now you're capturing their traffic.

- Exactly, yeah, and so you can see

some traffic has been generated there from me just Googling.

And then, there you go the CERN website.

You can see the client.

This is the device I'm connecting to it with.

And then, these are the actual URLs that I'm accessing.

And of course, if there was cookies

associated with whatever's performing,

I would be able to see them down here.

Really interesting. That's a really fun module within it.

And then, let's also take a look at the evil portal.

It's the name for it. We talked about it a little.

It just allows you to set up captive portals.

It also comes with a default captive portal,

so we can go ahead and start it right now.

We'll hit create new portal.

People make tons of these.

They put them up on GitHub.

I wish I could remember

and attribute this person's username,

but there is a GitHub user out there

who has a bunch of them.

We'll go ahead and do a basic portal,

which means that every client that connects to this network

will see the same exact portal.

With a targeted portal,

you can present every device that connects,

based on some function of its identity,

a different portal.

I will go ahead and do a- - I found one.

It's called kleo/evilportals.

Is that the one you were thinking of?

- Pardon?

- [David] Kleo/evilportals.

- Yes, that's it. That is it.

Awesome, and so we'll go ahead and activate this.

And then, we can preview it.

This is just the WiFi Pineapple's standard evil portal

when you don't configure it at all,

so when you connect, you'll see

this is the default portal page,

and here's your SSID, your MAC address, your IP address.

And then, you can go ahead and hit that authorize button

to connect to the network.

Awesome, and then, it also has these allowed clients.

One thing I didn't touch on earlier,

one of the big benefits of those allow list and deny list

is, when you are actually conducting a pen test

against an organization,

frequently, you're given a very specific scope of things

that you can and cannot touch,

especially because, organizations,

they work in holospaces, which are...

Multiple organizations exist under the same roof.

And so when you're in those places...

I've had it before.

I was working against a client actually,

and (sighs) I feel like "should I even say this?"

The lottery for that state was in the same building.

And so I was like, "Yeah, I really don't...

I wanna make sure that I don't touch anything

that doesn't belong to them,

because the lottery (chuckles) will come after you."

Okay, and so now I've connected to it on my phone,

and the captive portal pops up for me

with a great banner of McDonald's Free Wi-Fi.

- Tell me Cori, because this is a question

that I've been asked in the past.

Okay, I connect to this portal,

McDonald's Free Wi-Fi or Starbucks or whatever,

(tuts) but how does that help you?

Because are you gonna ask the user

to put in some specific credentials,

their corporate credentials or something,

to trick them into giving you something that's worthwhile?

Because if you connect to McDonald's or whatever

and you just put in some random stuff,

it doesn't really help you, right?

- Yeah, thank you so much for pointing that out.

Exactly, I would say the biggest goal or benefit

of using the evil portal and these captive portals

would be credential fishing

so attempting to gain credentials for whatever it is.

I think, frequently, people do things

like Facebook or other social media sites.

That's totally off limits in all pen testing, right?

But those are some of the examples that I've seen out there.

Never do that.

It's awful thing to do.

I should say that, but yeah.

Specifically, in a pen test setting,

that would be for whatever their main suite of tools is.

Whether they use the Google Workspace suite

or the Office suite,

ideally, you'd to capture those network credentials.

- So you gonna fake...

When they connect to this Wi-Fi,

it's suddenly gonna ask them

to enter a Google username, password, or whatever

to get access to the internet,

and you're gonna trick them into giving

their corporate details

so that you can get into their network.

Did I understand that right?

- Exactly, yeah, and also it does add a bit of legitimacy

because you can see a network called McDonald's Free Wi-Fi,

but McDonald's doesn't have a Wi-Fi

where you don't have to go through a captive portal, right?

There really aren't free wireless networks

that exist without captive portals anymore.

So just having one does give the target

a sense of legitimacy.

- Obviously, you're not gonna ask them

for a McDonald's-specific password.

You're asking them for something corporate,

(tuts) and you trick them into giving that, even though...

So they think it's just a standard portal

that's perhaps linked to Google, but it's not.

It's you capturing their Google credentials.

- Exactly, yeah.

- For the audience,

please, put, in the comments below,

stuff that you wanna see.

Are there any specific Pineapple features

that you want us to look at,

third-party modules or stuff?

Let us know.

Cori, I think for a lot of us,

it'll be great to get your input

of your favorite Hak5 devices.

(tuts) And again, for anyone who's watching,

please, let us know which ones you want Cori

to review and explain.

I think the...

Just coming back to real-world,

do you find that, in the real world,

you're doing a lot of Wi-Fi pen testing.

Do companies actually ask you to do that?

Or is it just an add-on on the standard pen test?

- Yeah, that's a great question.

I've never seen it not be an add-on.

I've never seen it done completely independently.

It's almost always an add-on

to work that is already happening,

whether it be internal testing, where we start

on a network with no authentication whatsoever,

and then, we'll just provide them a wireless card,

or in addition to a physical pen test,

where I'm trying to access the interior of the building

or a data center or a warehouse, whatever it be,

and then performing wireless attacks there.

- When you're in your car, do you use a Pringles can thing?

Or do you just find that you get close enough

to the buildings?

- Yeah, no.

- Show some of your cool talls, tools, sorry. Go on.

- This always works,

and I've had it work pretty far as well,

to the 16th, 17th, 18th floor of a building-

- Oh, wow. - When I'm probably

300 feet out, so no Pringles cans.

(David laughs)

- And you said you had some other devices on your table.

Is that right?

D'you wanna share anything that you've got

and tease us, perhaps, for another video?

Or what have you got to show us?

- Yes, so historically, for physical pen testing,

I've always really liked using the LAN Turtle,

which is one of their older devices.

And it basically just lets you SSH back into it.

You hook it up a network, and it's great.

It just plugs into an ethernet jack,

so if you just walk into an office space

and they have exposed ethernet jacks out,

you can hook it up in there.

Or I've done it in docks before, computer docks.

The Shark Jack, this is it.

They came out with it, I think, about two years ago.

Most of the time, this is good enough for my job.

I think the thing only has

a two-to-three-minute battery life.

But you just hook it into the network, you press the button,

and it does a quick Nmap scan,

whatever you can figure it to do,

so a port scan of the network.

And that's basically just to prove

that you were able to get on the network and access it,

establish a real IP address.

I find that this is just good enough for work

because, most of the time,

when I am doing a physical pen test,

I'm also doing it in tandem with an external pen test,

where you start up public internet,

and then an internal pen test,

where you have a device on the network.

So usually, I don't need to escalate my physical access

to an internal pen test, right?

I just need to prove that I was able to do it.

- So you're basically proving that you managed

to get into the building without them realizing

and get access to a port on a switch.

That's the proof, yeah?

- Exactly, yeah, and by establishing an IP address,

not being halted

by NAC, a network access control, or something,

I'm just proving that whatever's accomplished

on that internal pen test

could have been accomplished by that physical.

- In your experience,

do you find that you can just get into companies' networks

using the Wi-Fi

so externally sit in your car, get in?

Or do you find that securities is now got so good

on Wi-Fi networks, with WPA version three, stuff like that,

that the only way to get in

is to physically get into the building

and plug into a physical port?

Or is WiFi still wide open?

- Wi-Fi's definitely getting better.

I would say it's not as effective

as physical testing or any other form of testing, really,

but it does happen, right?

We do crack PSK and stuff in our job,

but it doesn't happen at the consistency

that other tests are successful.

- And just to reiterate reality versus the movies,

do you still find that people are using WPA weak?

Or is it WPA version two?

WPA version threes is,

especially, I suppose, in enterprises...

At home, it's a different story,

but are enterprises really locking down their Wi-Fi?

Or is it just the devices get updated,

so they're so much better today?

- They're definitely locking it down.

I would see...

And you can...

Even if you go back in this video

and you look at the kinda things

that we had seen in our dashboard,

mostly, it's multitude of WPA2.

- Cori, thanks so much. I really appreciate you sharing.

And thank you for not hacking me today

but hacking your own network.

I thank you for doing that.

Where can people reach you if they don't know already?

- Twitter. You can find me on Twitter.

I exist there.

- Cori, as always, thanks so much for sharing.

Really appreciate you taking the time.

And just for everyone watching, I can tell you this:

when we were recording this video,

we went through a lotta trouble.

Cori had to fix a few things.

It takes a lotta time and trouble to do demos,

(tuts) and they go wrong.

And Cori, thanks so much for not just talking

but showing us how it actually works.

Appreciate you putting in all the effort

in the previous video and this video, so thanks so much.

- Thank you so much, David.

(static buzzes) (upbeat music)

(static buzzes)