Skip to content

Blue For The Pineapple ….

by on April 25, 2013

tl-wr703n

Background

The WiFi Pineapple, was a device coined by the Hak5 (www.hak5.org) Team back in 2008. Originally it was a hacked Fon/Fonera AccessPoint (AP) with Karma patches applied to hostapd. Back then Digninja (Robin wood) called it Jasager (http://www.digininja.org/jasager/), it was called this because the AP software answered “Yes” to all WiFi Beacon Frames; if a WiFi client was looking for the SSID BTOpenzone the Pineapple(or Jasager) would reply “That’s Me!”, if a second WiFi client was looking for an SSID of Starbucks, again the Pineapple would reply “Thats Me!” – Thus tricking unsuspecting users/devices into associating with its private network. From this stage you could attack WiFi clients, and perfrom Man-in-The-Middle(MiTM) attacks on their interenet traffic!.

As the device was small, it was a running joke to hide it within an actual pineapple. Then the Hak5 Team discovered some novelty pineapple cocktail-cups which could house the AP board and a small battery pack (Hence the name Pineapple). Nowadays, its a chunky black Alfa AP121U with a nice sticker of an armed pineapple that looks a bit like a viking, slapped on  its front cover.

The original Fon device only had a finite amount of processing power and memory, and attacks were limited, any extensive process and the watchdog process would trigger and reset the device (assuming a DoS condition was occurring). The Hak5 development Team moved onto other devices as sourcing Fon/Foneras became difficult, and eventually onto slightly more powerful APs; which brings us to the current module Mk IV. The community has since added they’re own modules, improved the interface and added extra functionality like 3G tethering and 3G USB Modem support.

Blue for the Pineapple…

So back to the main topic. We missed the small unobtrusive AP, so conducted some research on porting the Pineapple build onto a cheap small TPLink WiFi AP that costs approximately $20USD.

Our walkthrough is below, but here is the part list:

  • TPLink WR703N – $20(USD)
  • 4GB San Cruiser FIT USB Drive – $8(USD)

As the parts are from China/Thailand they can be cheaply acquired anywhere in the world!

Install Openwrt

This blog post is centered around version 1.5 of the TPLink WR703N.  People are reporting recieving different versions upto v1.7.  For version 1.6, the image below seems to corrupt or brick the device, general consensus from the comments are to use the later 12.09-rc2. Version 1.7 Attitutude adjustment is confirmed as working, however the trunk is broken… so watch this space…

The default web interface language is all in Chinese, so follow these simple instructions to flash a copy of OpenWRT (http://openwrt.org/)

  1. Configure your computer with a static IP address of 192.168.1.111
  2. Connect your computer to the TPLink with an ethernet cable and power on the TPLink through a USB cable (or USB battery)
  3. Browse to 192.168.1.1. Login admin:admin.
  4. Mouseover the left hand links to find the DateTimeCfgRpm.htm link and click
  5. Mouseover the expanded menu to find SoftwareUpgradeRpm.htm link and click
  6. Use the dialog to upload the new flash (link below) to the TPLink. It will go through a 100% status bar twice then reboot.

Openwrt attitude adjustment on squashfs root can mount an external drive as root with overlayfs.

I used the following Firmware for  Version 1.5 (found on the back next to the Serial Number):

For version 1.6, the image above seems to corrupt or brick the device, general consensus from the comments are to use the later 12.09-rc2.

For version 1.7….. TBA

Preparing The USB as / (root)

Format a usb key with two partitions, ext4 and swap, install attitude adjustment squashfs, connect it to the internet (wifi client/eth0), update package lists.

Install:

  • kmod-usb-core
  • kmod-usb-storage
  • kmod-fs-ext4
  • block-mount

Duplicate data

Copy necessary files from flash to the new root partition:
For pivot overlay you can either use an empty new rootfs OR copy the contents of the current overlay (JFFS2) to the new rootfs (assuming the filesystem for the new external rootfs is mounted on /mnt/sda2 (swap=/dev/sda1)):

tar -C /overlay -cvf - . | tar -C /mnt/sda2 -xf -

For pivot root (”only possible as of r26109!”) you must make sure to have a complete root filesystem on the external rootfs device. One possible way to get such a system (assuming the filesystem for the new external rootfs is mounted on /mnt/sda1) is to issue

mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda2 -xf -
sync ; umount /mnt
umount /tmp/cproot

Whole external root (pivot root)

After r26109 you can configure a non-overlay rootfs (called a whole_root extroot because the entire filesystem must be present on device, not only the changes from the SquashFS) using option target / in the config mount section for the rootfs device.

In order to set up such a whole root overlay, refer to the example below.

While option is_rootfs will still work after r25787, the preferred method of configuring the extroot is option target /overlay in the config mount section for the rootfs device in the /etc/config/fstab file.

config mount
option target /
option device /dev/sda2
option fstype ext4
option options rw,sync
option enabled 1
option enabled_fsck 0

Reboot & Install Packages

Reboot.

You can now install whatever you want from opkg, and it all goes on the USB Drive.

For some Wifi Cracking, here’s a bunch of useful package names:

opkg install htop bash nano netcat tar openssh-sftp-client nmap tcpdump aircrack-ng kismet-client kismet-server nbtscan snort karma samba36-client elinks yafc python php5-cgi uhttpd zoneinfo-core procps

At this point you can install any additional packages you may want/need!

Installing the Hak5 Pineapple Code

The following series of instructions were performed from both a Linux and Mac OSX operating system.

Hacking the Upgrade Image

We used binwalk (https://code.google.com/p/binwalk/) to extract information about the FileSystem boundaries contained within the Hak5 Pineapples upgrade binary firmware image upgrade.bin which is obtainable from http://www.wifipineapple.com/ Direct Link to Image:Firmware-2.8.0

Below is the output of binary-walking the image file:

$ binwalk upgrade.bin
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
0 0x0 Squashfs filesystem, little endian, version 4.0, compression: size: 5342622 bytes, 1410 inodes, blocksize: 262144 bytes, created: Thu Jul 12 02:09:55 2012
6291456 0x600000 uImage header, header size: 64 bytes, header CRC: 0x6B09056F, created: Thu Jul 12 02:10:00 2012, image size: 890595 bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0xF9DC8F7E, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: MIPS OpenWrt Linux-3.2.14
6291520 0x600040 LZMA compressed data (sig 3), properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2690180 bytes

Use dd to extract the image:

Next we use the native unix tool dd, to carve out the squashFS partition:

$dd if=upgrade.bin of=pineapple.img bs=1 count=5342622
5342622+0 records in
5342622+0 records out
5342622 bytes transferred in 12.967170 secs (412011 bytes/sec)

Linux and Mac OSX have a neat program called FUSE (Filesystem in UserSpacE), which allows users to mount/edit filesystems outside of standard kernel code.
Using Squashfuse(https://github.com/vasi/squashfuse) it is incredibly easy to mount the pineapple.img, we extracted earlier. This part of the walkthrough was conducted on OSX (but can easily be replicated in Linux):

mkdir -p /Volumnes/pineapple
squashfuse pineapple.img /Volumes/pineapple/

Extract the (MIPS) karma patched binaries (to save on compliation, and from having to build & patch our own binaries)

$ find /Volumes/pineapple/ -name hostapd
/Volumes/pineapple//lib/wifi/hostapd.sh
/Volumes/pineapple//usr/sbin/hostapd
$ find /Volumes/pineapple/ -name hostapd_cli
/Volumes/pineapple//usr/sbin/hostapd_cli

The copy/ssh these binaries onto the TPLink Openwrt installation.

The Pineapples Web Interface

If you followed the firmware & squashFS extraction you may continue with the following steps, or skip to the next New Opensource section….

Old Method

This stage involves copying all the PHP code for the Pineapples Web interface; earlier versions were stored at /www/pineapple later versions not store the code within the images’ root /pineappple

New Opensource Method

As of the last month Sebkinne, has made the Pineapples Web Interface available as Opensource, use git to download the repository.

git clone https://github.com/WiFiPineapple/web-interface.git /pineapple

Notes

  • Disable all update modules – as this will break the build, the upgrades/updates are all geared for Alfa AccessPoints so you should go through all the code removing the update/upgrade routines to avoid accidentally bricking the TPLink in the future.
  • Simple disable method: remove the ‘upgrade’ folder within the ‘/pineapple’ folder.

Configuration Files

To make this build compatible with the existing Pineapple Scripts (eg. http://wifipineapple.com/wp4.sh). You need to replace the exisitng Openwrt configurations with the ones listed below.

/etc/config/dhcp

config dnsmasq
option domainneeded 1
option boguspriv 1
option filterwin2k 0 # enable for dial on demand
option localise_queries 1
option rebind_protection 1 # disable if upstream must serve RFC1918 addresses
option rebind_localhost 1 # enable for RBL checking and similar services
#list rebind_domain example.lan # whitelist RFC1918 responses for domains
option local '/lan/'
option domain 'lan'
option expandhosts 1
option nonegcache 0
option authoritative 1
option readethers 1
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'

config dhcp lan
option interface lan
option start 100
option limit 150
option leasetime 12h
option 'ignore' '0'
list 'dhcp_option' '3,172.16.42.42'
list 'dhcp_option' '3,172.16.42.1'
list 'dhcp_option' '6,172.16.42.1,8.8.8.8'
list 'dhcp_option' '6,172.16.42.1,208.67.222.222'

/etc/config/firewall

config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1

config zone
option name lan
option network 'lan'
option input ACCEPT
option output ACCEPT
option forward REJECT

config zone
option name wan
option network 'wan'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1

config forwarding
option src lan
option dest wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4

# Allow IPv4 ping
config rule
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT

# include a file with users custom iptables rules
config include
option path /etc/firewall.user

/etc/config/network

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config interface 'lan'
option ifname 'eth0'
option type 'bridge'
option proto 'static'
option ipaddr '172.16.42.1'
option netmask '255.255.255.0'
option gateway '172.16.42.42'
option dns '8.8.8.8'

config interface 'wan'
option ifname 'wlan0'
option proto 'dhcp'

/etc/config/uhttpd

# Server configuration
config uhttpd main

option 'index_page' 'index.php'
option 'error_page' '/index.php'
# HTTP listen addresses, multiple allowed
list listen_http 0.0.0.0:80
# list listen_http [::]:80

# HTTPS listen addresses, multiple allowed
list listen_https 0.0.0.0:443
# list listen_https [::]:443

# Server document root
option home /www

# Reject requests from RFC1918 IP addresses
# directed to the servers public IP(s).
# This is a DNS rebinding countermeasure.
option rfc1918_filter 1

# Certificate and private key for HTTPS.
# If no listen_https addresses are given,
# the key options are ignored.
option cert /etc/uhttpd.crt
option key /etc/uhttpd.key

# CGI url prefix, will be searched in docroot.
# Default is /cgi-bin
option cgi_prefix /cgi-bin

# List of extension->interpreter mappings.
# Files with an associated interpreter can
# be called outside of the CGI prefix and do
# not need to be executable.
list interpreter ".php=/usr/bin/php-cgi"
# list interpreter ".cgi=/usr/bin/perl"
# Lua url prefix and handler script.
# Lua support is disabled if no prefix given.
# option lua_prefix /luci
# option lua_handler /usr/lib/lua/luci/sgi/uhttpd.lua

# CGI/Lua timeout, if the called script does not
# write data within the given amount of seconds,
# the server will terminate the request with
# 504 Gateway Timeout response.
option script_timeout 60

# Network timeout, if the current connection is
# blocked for the specified amount of seconds,
# the server will terminate the associated
# request process.
option network_timeout 30

# TCP Keep-Alive, send periodic keep-alive probes
# over established connections to detect dead peers.
# The value is given in seconds to specify the
# interval between subsequent probes.
# Setting this to 0 will disable TCP keep-alive.
option tcp_keepalive 1

# Basic auth realm, defaults to local hostname
# option realm OpenWrt

# Certificate defaults for px5g key generator
config cert px5g

# Validity time
option days 730

# RSA key size
option bits 1024

# Location
option country DE
option state Berlin
option location Berlin

# Common name
option commonname OpenWrt

config uhttpd pineapple
list listen_http 0.0.0.0:1471
option home /pineapple
option index_page index.php
option 'error_page' '/index.php'

# Configuration file in busybox httpd format
option config /etc/config/httpd.conf
option rfc1918_filter 1

# Certificate and private key for HTTPS.
# If no listen_https addresses are given,
# the key options are ignored.
option cert /etc/uhttpd.crt
option key /etc/uhttpd.key

# CGI url prefix, will be searched in docroot.
# Default is /cgi-bin
option cgi_prefix /cgi-bin

# List of extension->interpreter mappings.
# Files with an associated interpreter can
# be called outside of the CGI prefix and do
# not need to be executable.
list interpreter ".php=/usr/bin/php-cgi"

# CGI/Lua timeout, if the called script does not
# write data within the given amount of seconds,
# the server will terminate the request with
# 504 Gateway Timeout response.
option script_timeout 60

# Network timeout, if the current connection is
# blocked for the specified amount of seconds,
# the server will terminate the associated
# request process.
option network_timeout 30# TCP Keep-Alive, send periodic keep-alive probes
# over established connections to detect dead peers.
# The value is given in seconds to specify the
# interval between subsequent probes.
# Setting this to 0 will disable TCP keep-alive.
option tcp_keepalive 1

/etc/php.ini

[PHP]

zend.ze1_compatibility_mode = Off

; Language Options

engine = On
short_open_tag = On
precision    =  12
y2k_compliance = On
output_buffering = Off
;output_handler =
zlib.output_compression = Off
;zlib.output_compression_level = -1
;zlib.output_handler =
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 100

;open_basedir =
disable_functions =
disable_classes =

; Colors for Syntax Highlighting mode.  Anything that's acceptable in
;  would work.
;highlight.string  = #DD0000
;highlight.comment = #FF9900
;highlight.keyword = #007700
;highlight.bg      = #FFFFFF
;highlight.default = #0000BB
;highlight.html    = #000000

;ignore_user_abort = On
;realpath_cache_size = 16k
;realpath_cache_ttl = 120

; Miscellaneous

expose_php = On

; Resource Limits

max_execution_time = 30	; Maximum execution time of each script, in seconds.
max_input_time = 60	; Maximum amount of time each script may spend parsing request data.
;max_input_nesting_level = 64
memory_limit = 8M	; Maximum amount of memory a script may consume.

; Error handling and logging

; Error Level Constants:
; E_ALL             - All errors and warnings (includes E_STRICT as of PHP 6.0.0)
; E_ERROR           - fatal run-time errors
; E_RECOVERABLE_ERROR  - almost fatal run-time errors
; E_WARNING         - run-time warnings (non-fatal errors)
; E_PARSE           - compile-time parse errors
; E_NOTICE          - run-time notices (these are warnings which often result
;                     from a bug in your code, but it's possible that it was
;                     intentional (e.g., using an uninitialized variable and
;                     relying on the fact it's automatically initialized to an
;                     empty string)
; E_STRICT			- run-time notices, enable to have PHP suggest changes
;                     to your code which will ensure the best interoperability
;                     and forward compatibility of your code
; E_CORE_ERROR      - fatal errors that occur during PHP's initial startup
; E_CORE_WARNING    - warnings (non-fatal errors) that occur during PHP's
;                     initial startup
; E_COMPILE_ERROR   - fatal compile-time errors
; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
; E_USER_ERROR      - user-generated error message
; E_USER_WARNING    - user-generated warning message
; E_USER_NOTICE     - user-generated notice message
; E_DEPRECATED      - warn about code that will not work in future versions
;                     of PHP
; E_USER_DEPRECATED - user-generated deprecation warnings
;
; Common Values:
;   E_ALL & ~E_NOTICE  (Show all errors, except for notices and coding standards warnings.)
;   E_ALL & ~E_NOTICE | E_STRICT  (Show all errors, except for notices)
;   E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR  (Show only errors)
;   E_ALL | E_STRICT  (Show all errors, warnings and notices including coding standards.)
; Default Value: E_ALL & ~E_NOTICE
error_reporting  =  E_ALL & ~E_NOTICE & ~E_STRICT

display_errors = On
display_startup_errors = Off
log_errors = Off
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
;report_zend_debug = 0
track_errors = Off
;html_errors = Off
;docref_root = "/phpmanual/"
;docref_ext = .html
;error_prepend_string = ""
;error_append_string = ""
; Log errors to specified file.
;error_log = /var/log/php_errors.log
; Log errors to syslog.
;error_log = syslog

; Data Handling

;arg_separator.output = "&"
;arg_separator.input = ";&"
variables_order = "EGPCS"
request_order = "GP"
register_globals = Off
register_long_arrays = Off
register_argc_argv = On
auto_globals_jit = On
post_max_size = 8M
;magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
;default_charset = "iso-8859-1"
;always_populate_raw_post_data = On

; Paths and Directories

; UNIX: "/path1:/path2"
;include_path = ".:/php/includes"
doc_root = ""
user_dir =
extension_dir = "/usr/lib/php"
enable_dl = On
;cgi.force_redirect = 1
;cgi.nph = 1
;cgi.redirect_status_env = ;
cgi.fix_pathinfo=1
;fastcgi.impersonate = 1;
;fastcgi.logging = 0
;cgi.rfc2616_headers = 0

; File Uploads

file_uploads = On
upload_tmp_dir = "/tmp"
upload_max_filesize = 2M
max_file_uploads = 20

; Fopen wrappers

allow_url_fopen = On
allow_url_include = Off
;from="john@doe.com"
;user_agent="PHP"
default_socket_timeout = 60
;auto_detect_line_endings = Off

; Dynamic Extensions

;extension=ctype.so
;extension=curl.so
;extension=dom.so
;extension=exif.so
;extension=ftp.so
;extension=gd.so
;extension=gmp.so
;extension=hash.so
;extension=iconv.so
;extension=json.so
;extension=ldap.so
;extension=mbstring.so
;extension=mcrypt.so
;extension=mysql.so
;extension=openssl.so
;extension=pcre.so
;extension=pdo.so
;extension=pdo-mysql.so
;extension=pdo-pgsql.so
;extension=pdo_sqlite.so
;extension=pgsql.so
;extension=session.so
;extension=soap.so
;extension=sockets.so
;extension=sqlite.so
;extension=sqlite3.so
;extension=tokenizer.so
;extension=xml.so
;extension=xmlreader.so
;extension=xmlwriter.so

; Module Settings

[APC]
apc.enabled = 1
apc.shm_segments = 1	;The number of shared memory segments to allocate for the compiler cache.
apc.shm_size = 4M	;The size of each shared memory segment.

[Date]
;date.timezone =
;date.default_latitude = 31.7667
;date.default_longitude = 35.2333
;date.sunrise_zenith = 90.583333
;date.sunset_zenith = 90.583333

[filter]
;filter.default = unsafe_raw
;filter.default_flags =

[iconv]
;iconv.input_encoding = ISO-8859-1
;iconv.internal_encoding = ISO-8859-1
;iconv.output_encoding = ISO-8859-1

[sqlite]
;sqlite.assoc_case = 0

[sqlite3]
;sqlite3.extension_dir =

[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=

[MySQL]
mysql.allow_local_infile = On
mysql.allow_persistent = On
mysql.cache_size = 2000
mysql.max_persistent = -1
mysql.max_links = -1
mysql.default_port =
mysql.default_socket =
mysql.default_host =
mysql.default_user =
mysql.default_password =
mysql.connect_timeout = 60
mysql.trace_mode = Off

[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0

[Session]
session.save_handler = files
session.save_path = "/tmp"
session.use_cookies = 1
;session.cookie_secure =
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor     = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = On
session.bug_compat_warn = On
session.referer_check =
session.entropy_length = 0
;session.entropy_file = /dev/urandom
session.entropy_file =
;session.entropy_length = 16
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 4
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

[mbstring]
;mbstring.language = Japanese
;mbstring.internal_encoding = EUC-JP
;mbstring.http_input = auto
;mbstring.http_output = SJIS
;mbstring.encoding_translation = Off
;mbstring.detect_order = auto
;mbstring.substitute_character = none;
;mbstring.func_overload = 0
;mbstring.strict_detection = Off
;mbstring.http_output_conv_mimetype=
;mbstring.script_encoding=

[gd]
;gd.jpeg_ignore_warning = 0

[exif]
;exif.encode_unicode = ISO-8859-15
;exif.decode_unicode_motorola = UCS-2BE
;exif.decode_unicode_intel    = UCS-2LE
;exif.encode_jis =
;exif.decode_jis_motorola = JIS
;exif.decode_jis_intel    = JIS

[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5

[sysvshm]
;sysvshm.init_mem = 10000

[ldap]
ldap.max_links = -1

[mcrypt]
;mcrypt.algorithms_dir=
;mcrypt.modes_dir=

New – GitHub Repo

To make code sharing easier, we have created the following Github reposotories:

About these ads
178 Comments
  1. I have a Tplink MR3020, would the same instructions apply to this device?

  2. Nice port Andy. We too looked at the 703N. Neat little bit of kit. Shame it isn’t FCC legal in the states. Great job working around the memory limitations with the external rootfs. Cheers!

  3. Would the same apply to the TP Link TL-WR702N? Because I have access to that to a decent price, while the WR703N would be a little more expensive to import.

  4. Okay.

    Except, the device you specified (WR703N) doesn’t have a USB port? So what’s the 4GB Cruzer stick for?

    • andy permalink

      There is a small USB port on the side of device, due to the memory limitations, you cant fit too many programs on the device. As of Openwrt 12.09 Attitude Adjustment I noticed something called “block mode” was supported, this allows you to mount a USB drive as root (/). Thus freeing you of the physical memory limitations of such a small and cheap device.

  5. other than size and cost what are the benefits over the pineapple?

    • andy permalink

      This post was only aimed at creating a cheaper alternative. If you can afford an Offical WiFi Pineapple, I encourage you to buy one. I spend a lot of time with students, who wish they could afford one, but do not have the money. Its a great project, and I think more people should get involved.

      Other than that, you can perform additional hardware hacks to expand the USB bus, add an antenna pigtail, increase the on-board memory.

      • I would say much of the benefit is the experience you will gain in using such tools as binwalk, soldering and the like. To be completely honest when we started the project we only put the hacked Fon router in an actual pineapple as a gag. We were initially reluctant to sell the devices, rather encouraged people to solder and flash it up themselves. It wasn’t until a donated Mark 1 raised several hundred to Hackers for Charity that we realized any commercial viability of the project – which has actually been a really good thing as its given us the resources to continue development, hence the Mark 4 and even cooler stuff coming.

        I work with all kinds of hackers, at hackerspaces and in academia so I know exactly what Andy is talking about here. We have an educational discount and are constantly looking at ways to make the device more affordable. I have a feeling that will soon be the case – but it should be no reason not to attempt this well documented hack yourself, if nothing else but for the experience. Just be mindful that the 703N lacks FCC certification…something we noticed when it first hit the market.

  6. Awesome tutorial!

    On Linux instead of mounting filesystem you can use unsquashfs command to extract all files from squashfs image, it also works without previous dd commans so it cuts down on one step ;)

    Cheers.

    • Roland permalink

      Or use the lastest (alpha/beta) version of 7zip!

  7. Looks like a fantastic project. I have the TPLink WR703N on order.

  8. mark daniels permalink

    What about 3G USB modem support?
    Will it work with this project?

    • As a basic build no, I’m using the USB port as a memory extender to store the base image and additional packages and the web interface.
      You can however build/purchase the following board, or use a usb-hub to extend the functionality.

      http://www.kean.com.au/oshw/WR703N/

      Then you can install usbmode-switch and ppp for 3g support

  9. AndyZ permalink

    Good Day,

    Thank you for the awesome project.
    I have a question/issue which I hope you help me to resolve.
    After following your instruction, I can’t get to pinapple web interface. All I get is
    “No input file specified”.
    I can see that device listening on port 1471. And I get HTTP reply.
    Is that something I need to do with PHP scripts inside pineapple folder?

    Thank you in advance,

    • have you tried creating a simple index.php page within the webroot /pineapple for interface 1471? It might help debug what exactly is going on. There are two php interpreters php and php-cgi (the original pineapple uses php), I had more luck with php-cgi on this build.

    • @andy – Thanks for writing this tutorial. Awesome work and I learned a ton.

      @AndyZ – Have you checked your /etc/php.ini ? Ensure that doc_root is empty when running multiple uhttpd instances.

      • AndyZ permalink

        Hi Tim and Andy,
        After spending some time on this issue and comparing original Pinapple code, the issue was with php.ini (I just copied whole thing from original Pineapple and it worked).

        “Thank you Tim” and “Thank you Andy” for the great post.

        I will rebuild all thing from scratch to minimize any misconfiguration on my part (as I could not make AP to stay on or broadcast any SSID).

  10. Thanks. Fyi: my new TPLink stated in the manual the router was pre configured with ip 192.168.0.254, so i needed to manually config my mac with ip 192.168.0.x (x=1-253), instead of 192.168.1.x as in your blogpost.

    • guess it depends on the model, or time of manufacture? mine was definitely 192.168.1.x

      • Sorry, my bad, found out, while i thought i ordered a 703N, it turns out it is a 702… Probably explains the different IP

  11. Chris permalink

    I was able to get up through extracting the Hak5 upgrade.bin file to a folder using unsquashfs, however I don’t quite understand where to go from here. I cloned the git repository for the web interface into the /pineapple/ folder within the filesystem I just extracted, overwriting any files that were there. From here are we only copying over the contents of

    /Volumes/pineapple//etc/hostapd
    /Volumes/pineapple//usr/sbin/hostapd
    /Volumes/pineapple//usr/sbin/hostapd_cli

    to their equivalent locations in the OpenWrt in addition to the web interface at

    /Volumes/pineapple//pineapple/

    or are there other files to copy as well? I don’t know where to find the (MIPS) karma patched binaries. I’m also not clear as to how we disable the update modules––is this done through the pineapple web interface or are there certain files to remove before copying stuff to the OpenWrt system? Any clarification you have would be greatly appreciated. Thanks for the walk-through!

    • the following are the patched karma binaries I copied across. Prior to that I just installed the karma package in the usual way:

      opkg install karma

      to install karma

      • /Volumes/pineapple//usr/sbin/hostapd
      • /Volumes/pineapple//usr/sbin/hostapd_cli

      To disable the updates, just remove the file pages/upgrade.php, so you dont accidentally go clicking links on that page that will attempt to flash hak5’s incompatible binary image

  12. Hi Andy,

    nice work, congratulations!
    i have this mini 3G wifi router :

    http://www.ebay.com/itm/5in1-150Mbps-3G-WIFI-Mobile-Wireless-USB-Router-Hotspot-1800mAh-Charger-212-/390513351841?pt=COMP_EN_Routers&hash=item5aec68dca1

    maybe you like it :) is very small and have 4h autonomy..
    can i use with your code?

  13. I followed the instructions and have a few notes that I would add:

    The config mount section relates to the /etc/config/fstab file
    In the “install some wifi cracking packages” section, php5-cgi should be in the list, since the pineapple needs php-cgi to run.
    In the /etc/php.ini file, change ‘doc_root = “/www”‘ to ‘doc_root = ‘
    I would strongly recommend using the Linux utility unsquashfs to extract the contents of the upgrade.bin file.
    After the web interface was installed, I used these two commands to replace the “ps” commands as suggested by the author.

    grep -lr -e ‘ps aux’ * | xargs sed -i ‘s/ps aux/ps/g’
    grep -lr -e ‘ps -all’ * | xargs sed -i ‘s/ps -all/ps/g’

    I did run into one error. When I try to install “karma” using opkg, I get this error. Did anyone else run across this?

    root@OpenWrt:~# opkg update
    Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/Packages.gz.
    Updated list of available packages in /var/opkg-lists/barrier_breaker.
    root@OpenWrt:~# opkg install karma
    Installing karma (20060124-1) to root…
    Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/karma_20060124-1_ar71xx.ipk.
    Collected errors:
    * satisfy_dependencies_for: Cannot satisfy the following dependencies for karma:
    * kmod-madwifi *
    * opkg_install_cmd: Cannot install package karma.

  14. Another thing concerning the ps command. I found that you can replace busybox’s ps command with a fully featured one as follows:

    opkg –force-overwrite install procps
    cd /bin
    mv ps ps.old

  15. sapling permalink

    I dont have the file /etc/hostapd in my pineapple binary image…

    • Oops, left in from the previous firmware image, don’t worry its not needed – I’ll correct the post above to reflect the 2.8.0 image.

      • sapling permalink

        Cool thanks. One other thing to note is that you cant do the git repository step directly on the device because of the https is not supported by the default git package on openwrt.

  16. swordfish permalink

    i followed all instructio got an error
    The CGI process did not produce any response
    is anybody got this error

    • I’ve added a copy of my /etc/php.ini above, as several people seem to be having trouble with the PHP configuration. Hopefully this will help resolve your issues.

    • Elladur permalink

      I’m also getting an error that states “The CGI process did not produce any response” when I try browse to the Pineapple web interface… Any ideas how to resolve this?

      • Elladur permalink

        I think I figured that error out: Run the php-cgi binary while SSH’d, it throws an error. Comment the line mentioned in /etc/php.ini and try run php-cgi again, eventually you’ll get no errors. I refreshed my web browser and up came the interface.

    • xothist permalink

      I kept getting “The CGI process did not produce any response” until I installed libxml2 through opkg.

  17. chapo permalink

    I upload the flash everything was well, but when I try to access to the router isnt letting neither telnet, any advice?

    • I configured mine over Ethernet with Internet Connection Sharing on my host PC (so your IP addresses may vary):
      SSH is not available until the blue LED stops flashing, be patient and try again. What stage are you exactly at? after flashing openwrt I had a 192.168.1.x address – use wireshark to view the DHCP conversation to get the actual IP.
      Or did you copy the network config files above, thus changing the IP address to a static 172.16.42.42?

      If you connect you device into your home router, you should be able to get the IP by running “arp -a” on your host computer (assuming your using the same network), by default the openwrt ethernet port is in client mode and is waiting for a DHCP assignment.

      • chapo permalink

        after flashing I cant connect to the device, I tried what you said in order to get the IP but there´s no ip I would like to know if there´s another way to flashing once again

      • chapo permalink

        Im confused cause I did not use the image above cause its warning that the image could brick the device but the later one did the same

  18. Elladur permalink

    I’ve stepped through these instructions twice now and I am still having trouble. I thought at first that maybe I had missed a step so started from scratch but have run into the same issue again.

    The interface comes up but the various links that run scripts come up with errors, usually stating that the script doesn’t exist. I have checked that the file exists and that they have the correct permissions set, any ideas what might be going on here? I try to run the scripts while SSH’d and I get various results.

    The web interface seems to show the same error as when I attempt to execute the scripts (the files don’t exist) like this:
    root@OpenWrt:/pineapple/karma# ./karmaclients.sh
    -ash: ./karmaclients.sh: not found

    If I execute the scripts like below I get errors:
    root@OpenWrt:/pineapple/karma# ash karmaclients.sh
    karmaclients.sh: line 4: syntax error: unexpected “(”

    The top of the scripts state they are bash scripts while it looks like the busybox binary has ash compiled in, is this is the cause of the errors? Do I need to install bash?

    • Cant remember if I installed bash, try “opkg install bash” and see if you still get errors.

      Classic mistake on not fully documenting the process on my side. Once I got this pineapple project together and had it working for personal use, others in the office liked the idea. So a cobbled together all my rough notes – obviously I have forgotten 1 or 2 smaller steps. The main important step was using block-mount for the extra memory space

      Strange, how others have successfully ported the code.

      Thanks for the feedback.

      • Elladur permalink

        Yeah that’s why I’m pretty sure it’s something I’ve overlooked and not a fault here with the steps you have. I did install bash and the scripts seemed to happier, though I was still missing libraries and various binaries that I was SCP’ing from the pineapple image. Still had some strange behaviour so decided to start again.

        As I was looking through the steps and checking them off I realised that I was using a different version of the OpenWRT image (a slightly later version of attitude adjustment), grabbed the same version you used and flashed it but it now looks like I have bricked my 703 despite everything looking OK as it flashed. I’ll have to crack out the soldering iron and add a serial port to see what is going on. I have a larger flash chip on the way that already has OpenWRT on it which should help me out of the hole I find myself in.

        Thanks for your time, I’ll keep at it and let you know how I go.

      • The only things i grabbed from the image were:

        • the php code (before it was open sourced)
        • the hostapd and hostapd_cli binaries
        • the configs mentioned above

        everything else was “opkg install ” from the main Openwrt repository.

        I used the base image mentioned above, not sure how its getting corrupted or bricking X number of devices? Will have to try a few more once my delivery from China comes in.

      • Elladur permalink

        I’ve re-flashed the one I was working on quite a few times, I think it was just bad luck that this time it failed. It appears to boot normally (LED behaves the same way normally and in failsafe mode, just no DHCP lease handed out and nobody home when trying to reach it with a static IP set). All part of the fun working with these devices! I have a spare unit here for a work colleague, I’ll start working on that and cross fingers I don’t brick that one too :P

  19. That’s interesting – I think I bricked my 703N v1.6 with the image linked in the article – I really should have engaged my brain before flashing it and checked that my h/w revision was supported.

    I’ve soldered a serial breakout to the board and managed to read the boot sequence using a Bus Pirate as an UART bridge – looks like it gets as far as:

    [ 9.870000] nf_conntrack version 0.5.0 (456 buckets, 1824 max)
    [ 10.100000] ohci_hcd: USB 1.1 ‘Open’ Host Controller (OHCI) Driver
    [ 13.170000] device eth0 entered promiscuous mode

    then nothing else happens!

    I’m new to terminal serial comms – I haven’t been able to send any commands via the terminal – I type, but nothing happens (such as typing f + enter to get to failsafe mode) – do you think it could be my dodgy soldering job on the RX pin to blame?

    • Sometimes you have to attach GND (Ground) in order to successfully send characters. Also TX and RX have to be the right way around, so RX attaches to TX and vice versa.

      Its meant to have a recovery image, if you follow the openwrt wiki. If it is bricked you can interrupt u-boot by typing TPL or tpl. Your output looks like the kernel – which loads after the u-boot.

      • Elladur permalink

        I used the update image instead of the factory image (as mine was already flashed), I just matched the version as used in the guide. After it didn’t come back up I checked that I had the correct image/version and it seemed to be OK so I guess it was just a bad flash or some other fault.

        I have some serial level converters ready to do, I’ll drop one of those in the “bricked” 703 to see what is going on before I replace the flash chip with the 16MB one from eBay (arrived in time for the weekend!).

        Interestingly my units are v1.6 too, though I thought v1.7 was the one that isn’t supported? I was previously using that latest Attitude Adjustment image and it flashed correctly, maybe this RC1 image doesn’t work on v1.6 devices?

      • Looks like my unit is v1.5.

        I’ve slightly changed the article above based on your findings.

  20. I have the choice between wr703n or mr3020 , i found the both for the same price , what i buy ?

  21. I soldered in the 16MB flash and 64MB RAM chips today, along with an external antenna from an old WAP. I just flashed it with the non-RC version, I think this is the official release of 12.09 Attitude Adjustment (not beta or release candidate) and things seem to be OK so far.

    I was reading the OpenWRT page for the 703, they stated that the version sticker on the bottom should not be trusted and that the factory firmware web interface can tell you more accurately which version you have: http://wiki.openwrt.org/toh/tp-link/tl-wr703n#warnings.gotchas

    This is the image for those who are flashing from the stock TP-Link firmware:

    http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin

    This is the upgrade image for those who already have OpenWRT on their device:

    http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-sysupgrade.bin

    Just about to start going through the guide above, hopefully I have a bit more luck this time!

  22. pr0 permalink

    Weeding through all the little problems, I’ve come to one that I haven’t been able to figure out. the /var/karma.log file, is that the log produced by hostapd or another process? It seems once I enable karma via the web interface, that file never gets populated with information.

    • pr0 permalink

      …reason is actually to fix another problem. The /pineapple/includes/logtail.php file isn’t parsing correctly, and I’m getting a partial output of the php script instead of values on the status page of the web interface. I thought this might have been due to karma.log not being populated and breaking the command line logic. Has anyone else experienced this?

      • I think permissions are getting in the way, the file can’t be created. Even after “touch”ing the file and forcing 666 perms on the file it still doesn’t get written to on my unit

  23. Hi Andy.

    After finding out i initially ordered a 702 model, i ordered a 703 model and tried to flash the firmware using the instructions above. While the flash was running my eyes read the next lines of the instructions, reading this would brick a 1.6 model … i turned over my 703 and yes: received a 1.6… Now the blue light is on, but i can’t connect to the box on 192.168.1.1.

    I found http://forums.openpilot.org/blog/52/entry-92-unbrick-wr703n-wifi-router/ , but it seems you need extra equipment to be able to unbrick it, is that correct? If the blue light is on, can my 703 be bricked? Anything else i can try without soldering and needing “”?

    Since the device seemed to flash, is there a possibility for me to use the OpenWRT failsafe? I found http://wiki.openwrt.org/doc/howto/generic.failsafe . I’ve tried http://xathrya.web.id/blog/2012/12/16/openwrt-failsafe/ , but have been unable to ping the device. When i unplug & replug & keep pressing reset the blue led continuously flashes

    Can i suggest you move the brick-statement about the model 1.5/1.6 as the 1st sentences after “Install Openwrt”? Any help about getting access to my 703 is appreciated…

    • I “bricked” my 703, failsafe isn’t an option as it appears that the box freezes very early in the boot process. I fixed mine by dropping a new flash chip in that had already been flashed with another version of OpenWRT. To fix this one you’ll probably need to flash the chip out of the unit, or hook up a serial console and try flash it via the built-in TP-Link TFTP method :(

      • Thans for the reply Elladur. With “hook up a serial console” you mean something like mentioned at http://wiki.villagetelco.org/index.php?title=Building_a_Serial_Port_for_TL-WR703N , where a “USB to serial TTL adapter from Sparkfun” is bought? If so, i probably will toss this brick into the bin and forget about it :-(

      • Yeah, that’s the one. You can get flash chips off eBay but still worth weighing up whether it’s worth the money. I already had the upgraded flash chip on the way, the “bricking” just made me swap it in earlier. Somebody with the knowhow might offer to buy it off you? Better than throwing it in the bin maybe?

      • I agree, would love to ship it to someone. But live in the Netherlands. P&P to the US (and many other countries) probably is as expensive as a new device?

      • Chuck it in your parts draw, might come in handy one day? Might bump into a local who can get it up and running again. That said they are a bit of a throw-away item I guess…

  24. sukhdeep permalink

    i’m new to linux and i’m not able to do squashfs. plz someone show all commands from squashfs install to extract files. and plz upload hostapd.sh and hostapd_cli

  25. Ok so I’m on unit #2 (I’ve given up trying to resurrect the one I referenced in my earlier comment) and everything is going much better (with the rc2 AA image).

    However, I’m having a strange problem where none of the options in the Pineapple Wifi GUI actually effect any changes. For example, changing the SSID in the configuration page says “Changes to SSID have been made persistently Karma SSID changed to “TestSSID”, but nothing actually changes and the SSID is the same as before.

    This happens for almost every option in the whole interface – starting/stopping processes doesn’t do anything, installing infusions looks like its working, but they never actually install, etc…

    Also, I noticed that nothing ever logs to the var/logs folder – could this be related? The LuCi web interface seems able to make changes to the device configurations, but the Pineapple interface can’t.

    I wondered if this is a permissions issue, but even chmod’ing the entire FS to 777 didn’t make a difference.

    Any ideas?

    • Jack Crowley permalink

      I’m having the exact same problem occur here too, some certain things like “Stealth mode” will work but everything else doesn’t seem to work. I’m pulling my hair out at this point and going crazy trying to find what’s happening since log files don’t seem to update either.

      Any progress with you finding how to fix this issue?

    • Jack Crowley permalink

      oh and so far I’ve used 3 usb sticks, started from scratch multiple times, changed permissions of everything in the pineapple directory, checked that bash was installed every time and followed every direction above

  26. sukhdeep permalink

    plz someone upload hostapd.sh and hostapd_cli

    • I didn’t have much luck with the SquashFS/SquashFUSE thing either (the compression in the 2.8.0/2.8.1 images doesn’t appear to be compatible with the SquashFUSE version I installed – I have no idea why).

      Use the alpha/beta version of 7-Zip (http://dl.7-zip.org/7z925.exe) to open the upgrade image – it has support for SquashFS and will allow you to extract things like Pineapple’s modified hostapd files yourself.

      If you’re new to Linux and would prefer Windows-based tools, you might also want to look at a program called WinSCP (http://winscp.net) which will allow you to transfer files to your 703N via SSH/SCP with a nice Windows GUI. You can use WinSCP to copy the files you extract using 7-Zip from the upgrade binary file.

      • sukhdeep permalink

        thank you for your help. now i can open files

    • Felix Meixner permalink

      Here are the files that i got from the 2.8 firmware. The pineapple folder has been patched with the changes regarding “ps aux” and so on.

      https://www.dropbox.com/s/74yhmdyomcpeqkv/fromfirmware2.8.zip

      I have gotten the web interface to work, but neither karma nor the hostapd_cli seem to work on mine. As stated above the buttons that control karma don’t work for me either. Btw i have version 1.7 so i can only run rc2 or later Openwrt firmwares.

      Does anyone know how karma and the hostapd drivers are supposed to work together and how i could debug their functionality?

      • rosswitherby permalink

        This is as far as I have gotten. I had to install a few packages to get the web interface going (whatever package the “at” command was a part of along with a few others I can’t remember), but just as you described karma doesn’t seem to be working as expected :(

        I never checked which actual hardware revision I have, though the RC1 did “brick” the unit, RC2 and the final 12.09 work well though. I think you might be onto something as far as the firmware potentially being the cause of these issues, driver incompatibility with karma/hostapd?

  27. Just updating this story: I had the ‘labeled’ v 1.6 but with the firmware v 1.7 (Build 120925 Rel.33144n). Attitude Adjustment 12.09 has gone final. I installed openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin md5sum:
    2f7361d864e4122837055b4e607abf98 and installation went well.

  28. Nick McBride permalink

    I get through nearly everything, but i messed up the firewall configuration and locked myself out of both sides. Thankfully, I was able to just remove the flash drive and boot without it, and I at least was able to get back into the device. I reformatted the flash drive and was going to start over, but now when I plug in the flash drive to start over, a moment later, the device reboots itself and then I can no longer get in. It must be trying to automatically reboot off the USB drive. How do I prevent this?

    • Nick McBride permalink

      After reflashing and starting over, I’ve been able to get almost everything to work as expected… I can access the pineapple web interface, but when I try to start any of the services, the page refreshes with no change in status at all. Trying to debug, I executed “php-cgi startkarma.php” with SSH, and I get this:

      warning: commands will be executed using /bin/sh
      Cannot open lockfile /var/spool/cron/atjobs/.SEQ

      I tried listing that directory, and /var exists, but /var/spool doesn’t even exist. Any thoughts on what’s happening, or what I’m missing?

      • John Doe permalink

        mkdir -p /var/spool/cron/atjobs/ && touch /var/spool/cron/atjobs/.SEQ

      • rosswitherby permalink

        I think you need to install the package that has the “at” command in it, I was scratching my head on this one until I started trying to run the commands that the buttons in the interface run in a terminal and finding I was getting errors about the “at” command not being available.

      • Nick McBride permalink

        I did try that, and it installed fine. I still have the same issue. I even removed it and tried again. Is there maybe a permissions issue, or something with the flash drive that would cause this?

      • John Doe permalink

        Do you have the bash shell installed too? That was another issue I had. Dont remember what problem it was, but having bash installed resolved it.

  29. Jack Crowley permalink

    When I try to install Infusions I get the following error;
    Sorry, there was an MD5 missmatch. Please try again.

    • Infusions do not directly work, you have to manually recode/rework them

  30. sukhdeep permalink

    plz update complete guide to install jasager. like where to put files and how to start or open page, php setting

  31. John Doe permalink

    So after going through the /usr/lib/opkg/status file in the firmware fs and installing every single package I could possibly install… lol… the error is fixed. gg.

    • rosswitherby permalink

      You actually installed every package? Dedication! :P – How much space does that require?

    • John Doe permalink

      Not sure how to check exactly as I had previously installed other packages. I can tell you that of the 4GB of space from my USB drive that 110mb is being allocated. Also to clarify, I installed every single package that the wifi pineapple’s firmware has installed, excluding the various drivers for their hardware ofcourse. Probably a total of around 10 packages I would say.

      • user1 permalink

        Attached is a full list of packages to install using opkg:

        kmod-usb-storage terminfo libc empty opkg kmod-usb-core libpthread ubus iw kmod-crypto-manager busybox kmod-rtl8180 chat kmod-rtl8187 kmod-crypto-hash nano kmod-tun bash kmod-rt2800-usb swconfig libcurl kmod-lib-crc-ccitt kmod-ledtrig-usbdev kmod-ipt-nat-extra libnet0 libnet1 kmod-pppoe kmod-rt2x00-usb kmod-pppox kmod-ipt-conntrack kmod-lib-crc16 base-files libcom_err kmod-input-core libpcre aircrack-ng macchanger kmod-rt2800-lib netifd autossh uboot-envtools kmod-usb-ohci dnsmasq usbutils libblkid iptables-mod-nat-extra ubusd kmod-rt2x00-lib hostapd-utils kmod-usb-net-rndis block-mount kmod-usb2 comgt libuci libip4tc sdparm kmod-ath9k iptables-mod-ipopt uci kmod-fs-ext4 wpad-mini dropbear kmod-ledtrig-timer kmod-nls-utf8 kmod-input-gpio-keys-polled zoneinfo-core kmod-crypto-aes mtd libltdl kmod-crypto-core libgcc usb-modeswitch libuuid ppp libubox kmod-leds-gpio libusb-1.0 kmod-gpio-button-hotplug kmod-input-polldev libjson kmod-usb-net librt kmod-mac80211 kmod-usb-serial usb-modeswitch-data swap-utils librpc libblobmsg-json iptables hotplug2 kmod-ipt-nathelper libelf jshn libncurses kmod-ipt-core libpcap kmod-ledtrig-default-on kmod-ppp kmod-wdt-ath79 hostapd libubus uhttpd php4 kmod-fs-nfs libxtables zlib at crda kmod-ipt-ipopt kmod-scsi-generic ettercap kmod-usb-uhci php4-cgi libsqlite3 libext2fs kmod-ath dsniff kmod-rt73-usb kernel libnl-tiny kmod-ath9k-htc blkid usbreset kmod-fs-nfs-common libusb kmod-button-hotplug kmod-nls-base libgdbm kmod-eeprom-93cx6 wireless-tools kmod-ath9k-common kmod-crypto-arc4 kmod-usb-net-cdc-ether libopenssl kmod-scsi-core kmod-cfg80211 libnids ppp-mod-pppoe kmod-lib-crc-itu-t kmod-ipt-nat kmod-ledtrig-netdev

        (Package list from pineapple ;) )

      • Added two github repositories to make code sharing easier:
        * https://github.com/PenturaLabs/web-interface
        ** With some infusions included: nmap,rickroll,dnssnarf,urlsnarf,sitesurvey,stats
        * https://github.com/PenturaLabs/Pineapple-Confs

      • Tom permalink

        Andy thnx for the files, they were a big help. I’ve got the webinterface up and running, am able to connect through wifi to my pineapple and surf the web. I can enable random roll and when i surf to the pineapple’s ip/www/randomroll it is working. However I’m unable to start the dnsspoof. When I try to start it in the main screen nothing happens, when I try to start it a the randomroll page nothing happens. When I try to start it on the dnsspoof tab it says running but when I refresh it says not running. Any idea’s on how to get dnsspoof working?

      • I think this might still be an “at” issue. Can you provide output from dmesg (to my email), I’ll stick my at config and binaries into the github Pineapple-Confs repo shortly.

    • from the web-interface does not install anything… :O

  32. Has anyone been able to install urlsnarf?

    • I had to tinker with the hak5 code, but have most modules installed and running, I have tested and confirmed:

      • rickroll
      • dnsspoof
      • urlsnarf
      • nmap

      For the other remaining plugins I have not had the time to test them…

      • root@OpenWrt:~/capturas# opkg install urlsnarf (previously updated opkg update)
        Unknown package ‘urlsnarf’.
        Collected errors:
        * opkg_install_cmd: Cannot install package urlsnarf.

        What do I do wrong?

      • John Doe permalink

        I installed urlsnarf from pineapple infusion via the web-interface.

      • John Doe permalink

        What tweaks did you make, Andy?

        Also, thanks for the guide =)

      • Sorry, Im busy with work commitments at the moment. Once I return to free-time, I’ll look at uploading the modified pineapple interface and plugins.

        Sorry for the delay.

  33. Thanks for Andy’s idea to build a Wifi Pineapple on TL-WR703N. Therefore, I decieded to build one for myself. However, I cannot get the TL-WR703N in my country -I built my own Wifi Pineapple with TP-Link TL-MR3020. Using your steps above.

    I think it should be additionally possible to implement on the TL-WR1043ND too.

  34. Tom permalink

    I’ve successfully installed pineaplle on my wn703n however when I get in the webinterface I’m not able to start my wifi. It doesn’t come up with an error. Alle the other options aren’t starting either, perhaps because my wifi is down. Does anyone have an idea on how to enable my wifi. I tried to go back into openwrt and enable the wifi there but that bricked my entire router.

    • Nick McBride permalink

      I have the same problem. Running the pages from ssh, using php-cgi revealed that I was having a problem with the atjobs stuff. I installed the “at” package, and it still has an issue. Pretty much dead in the water at this point. Oh well.

      • Tom permalink

        I fixed the issue. In my previous config I used the USB overlay option for installing PineApple. I started from scratch using the pivot root option.Then I enabled the WIFI in OpenWRT and followed the next steps. When the PineApple interface was running I could enable and disable the wifi using the GUI. So far I haven’t gotten any of the other functions working except for cron jobs. When you click on details you’ll see an error that a file called root is not available on the specified location. Go to that location and create a file called root with some content like: #sample.
        Now you can enable and disable cron jobs in the GUI of PineApple. More interesting however is DNS Spoof and Karma. Can someone please help us out here?

  35. sukhdeep permalink

    dose anyone tried uwui web interface

  36. Is there any update on getting Karma and wireless to start?
    I’ve got everything installed but the buttons in the Pinapple GUI don’t execute anything.
    So close but so far…

  37. Felix Meixner permalink

    Ok so after 2 weeks here is what i had to do to get it to work on my box. I’m running 1.7 firmware but i think the following applies to all firmwares.
    -Firstly i noticed that the file “/usr/sbin/hostapd” is just a link to “/usr/sbin/wpad”. Therefore you have to copy the “wpad” file from the pineapple to your box.

    -Secondly in order to get hostapd to start you have to configure your wireless to run as an accesspoint. To get it to work my “/etc/config/wireless” looks like this:

    config wifi-device radio0
    option type mac80211
    option channel auto
    option macaddr 14:cf:92:e1:2e:e6 #this is mine, please use your own
    option hwmode 11ng
    option htmode HT20
    list ht_capab SHORT-GI-20
    list ht_capab SHORT-GI-40
    list ht_capab RX-STBC1
    list ht_capab DSSS_CCK-40
    # REMOVE THIS LINE TO ENABLE WIFI:
    #option disabled 1

    config wifi-iface
    option device radio0
    option network lan #has to be lan because both interfaces are bridged
    option mode ap
    option ssid pineapple
    option encryption none

    to check if this is working you may run “hostapd_cli -p /var/run/hostapd-phy0″
    and then “karma_enable” and it should respond with “OK”

    -Thirdly in order to get the buttons to work on the web interface you have to install “at”
    “opkg install at”
    “/etc/init.d/atd enable”
    “/etc/init.d/atd start”
    “touch /var/spool/cron/atjobs/.SEQ”
    these commands should get at working and make the “Mk4 karma” button work

    -Also in order to actually to provide internet to people I needed to edit “/etc/config/dhcp” so that the last 4 lines now look like:
    list ‘dhcp_option’ ‘3,172.16.42.42’
    list ‘dhcp_option’ ‘3,172.16.42.42’
    list ‘dhcp_option’ ‘6,172.16.42.42,8.8.8.8’
    list ‘dhcp_option’ ‘6,172.16.42.42,208.67.222.222’

    -I also changed in “/etc/config/network” the dns to “option dns ‘172.16.42.42’ ”

    -not sure if this is needed but i copied all files from the “/lib/wifi” folder to my “/lib/wifi”

    Finally here are my files. The tarball contains my usb stick. The included web-interface is patched with all the “ps aux” fixes mentioned above.

    https://www.dropbox.com/sh/kvxhw6aio0744qd/BtT1oAK3cl

    If any of this is unclear to you then you can email me at felixpaulmeixner@gmail.com

  38. Thanks Andy and user1!
    Will give it another go!

  39. sukhdeep permalink

    error

    root@OpenWrt:~# hostapd_cli -p /var/run/hostapd-phy0 karma_enable
    Failed to connect to hostapd – wpa_ctrl_open: No such file or directory
    root@OpenWrt:~# hostapd_cli -p /var/run/hostapd-phy0 karma_get_black_white
    Failed to connect to hostapd – wpa_ctrl_open: No such file or directory
    root@OpenWrt:~# hostapd_cli -p /var/run/hostapd-phy0 karma_white
    Failed to connect to hostapd – wpa_ctrl_open: No such file or directory
    root@OpenWrt:~# hostapd_cli -p /var/run/hostapd-phy0 karma_black
    Failed to connect to hostapd – wpa_ctrl_open: No such file or directory

    • did you install karma, before copying over the binaries?
      var/run/hostapd-phy0 – looks like its missing from your build.

      • sukhdeep permalink

        plz show us step by step info to install jasager. what i do is like this

        i have 4gb peb drive with three partition swap 100mb, root 900 mb rest for torrent or samba.

        new step by step

        opkg update
        opkg install kmod-usb-storage
        opkg install kmod-fs-ntfs kmod-fs-vfat kmod-fs-ext4 block-mount
        reboot
        insert pen drive and

        tar -C /overlay -cvf – . | tar -C /mnt/sda2 -xf –
        mkdir -p /tmp/cproot
        mount –bind / /tmp/cproot
        tar -C /tmp/cproot -cvf – . | tar -C /mnt/sda2 -xf –
        sync ; umount /mnt
        umount /tmp/cproot

        then mount 900mb partition as root

        reboot

        and installed

        opkg install -d usb aircrack-ng aircrack-ptw dnsmasq dsniff elinks ettercap fdisk gzip kismet-client kismet-drone kismet-server lighttpd lighttpd-mod-fastcgi lighttpd-mod-simple-vhost lighttpd-mod-userdir luci-app-minidlna luci-app-openvpn luci-app-samba luci-app-transmission macchanger make minidlna ncat nmap openvpn php5 php5-cgi php5-fastcgi php5-mod-session python python-mini reaver samba36-server screen snort tcpdump terminfo transmission-daemon transmission-web hostapd-utils

        now when i try to run ” hostapd_cli -p /var/run/hostapd-phy0 karma_enable ” i got error

        now tell me where i’m wrong

      • opkg install karma

        you dont need the -d usb, as with block-mount the usb is now the drives/tplinks root.

      • sukhdeep permalink

        i’m not using -d usb option, and still i’m getting this error

    • I’ve the same error. I use the advices given here: http://penturalabs.wordpress.com/2013/04/25/blue-for-the-pineapple/#comment-580

      I see that there are a similar error with wpad-mini, remove and install wpad.

      https://dev.openwrt.org/ticket/9597

      Opkg remove wpad-mini
      rm /usr/sbin/hostapd
      rm /lib/wifi/hostapd.sh
      opkg install wpad

      or

      opkg install –force-reinstall wpad

      This time I copy pineapple wpad too, renember to chmod 755 hostapd, hostapd_cli and wpad. Check that /var/run/hostapd-phy0/ exist, I’ve wlan0 as socket Srwxrwx—. I tried and karma works ok. I hope that would be usefull.

      • Sorry I forgot when u remove hostapd files reinstall hostapd and hostapd-utils. After that overwrite with pineapple files.

  40. Matteo permalink

    Hi Andy can you send me your e-mail? Because i’d talk to you about a My idea of raspberry e pineapple..

    • Already working on it, hopefully should have something by end of the month? Got a few bugs/kinks to work out. I’ll send you an email later.

      • Matteo permalink

        Okk, I think that with the openwrt for rasp si easy to install the normal packages like aircrack, urlsnif, ecc ; the only ploblem that I think there will be, is the configuration of karma with a USB WiFi (Like realtek chipset).. I will wait a your email …

        Good Job!!

  41. Cr0w Tom permalink

    I have a problem…I have done everything in the tutorial and when i try to access http://172.16.42.1/ from a browser it takes me to Index of / where i can select index.html to take me to the login page of OpenWRT and when i try to access http://172.16.42.1/pineapple it gives me a message “No such file or directory” …I have tried to put the Pineapples Web Interface in /www and i can access the interface put it is ruined and nothing works…please help me.. :/

    • if you followed all my configs the pineapple interface is on port 1471

      http://172.16.42.1:1471/

      • Cr0w Tom permalink

        And again it says me “No such file or directory ” :/

      • Have you tried the configs in the github repository I started, they are straight from my Hacked TPLink.

      • Cr0w Tom permalink

        I copied them in my tplink if you mean this??

  42. Deepak permalink

    Andy, congratulations. It’s a great work. I don’t know much about OpenWRT and Pineapple, but I have been reading this post and searching a bit. I have a question. I supose this TP-LINK ap, as well as the Mark IV, will need two network interfaces. The propper wlan that complete client’s requests , and another one as a gateway that gives Internet access and redirects packets through it. So, you can only use this connected trough RJ45 to a router, or PC sharing connection?
    The other thing is use a 3G USB device, but I think you might not be able to do this , because you need the USB connection to put the 4 Gb device.
    How it works?
    In the Mark IV i have seen there are many options for connecting the device to Internet, but in this TP-LINK which are the options?
    Thank you very much for your kind attentions.
    Best Regards from Spain

    • I’ve sacrificed the 3g connectivity in this PoC build (and aids in keeping the cost down), but you could use a USB bus – to include the use of extra USB ports, there should be other links in the comments discussing various add-ons and mods. But then you would have to install the ppp packages and re-enable the 3g modules in the PHP interface. Supporting various 3G dongles would be a pain, considering the limited amount of time I spend across multiple projects. I will leave 3G as an excerise for keen/budding readers.

      At the moment, I’ve tried to replicate the MarkIV configuration – so that it works with a Mac/PC with Internet Connection Sharing (ICS); the Hak5 wp4.sh script should work, with no problems.

  43. sapling permalink

    How long should the ps replacement commands take such as grep -lr -e ‘ps aux’ * | xargs sed -i ‘s/ps aux/ps/g’
    Seems to me that I issue them and the processor is pretty much maxed out trying to run the command and its been over 30 minutes and the first one hasnt finished yet. I did get some errors such as dev/log no such device and dev/watchdog resource is busy.

    • sounds odd, i did it manually using grep to find effected files. Someone in the comments worked out that you can skip that step by installing “procps”.

  44. Matteo permalink

    Hi Andy, i saw that now there is the upgrade-2.8.1; then i’ll check with md5sum what change.

  45. So i was playing around with my WR703N, too.

    But i have some problems. I hope anyone around here can help. ;)

    – I can’t set a login password. When i specify a password, it says i should reboot the router. After the reboot, login without a password is still possible.
    – I can’t start karma, dnsspoof, etc from the web interface. The bunny animation appears, and after that, karma is still disabled. I think the problem is in /pineapple/karma/startkarma.php with the lines
    exec (“echo /pineapple/karma/startkarma.sh | at now”);
    //exec (“/pineapple/karma/startkarma.sh”); (If i comment the first line and uncomment the second one, it works. But i am sure that it should work otherwise, too. But why not for me? Dnsspoof is the same.
    – When i start karma manually via ssh, other clients don’t see any faked SSIDs.
    – The status page says that SSH is disabled. Nevertheless I can connect with ssh very well.
    – I can’t enable autostart. The php file tries to pipe something into /etc/rc.local, but it never appears there. So autostart is always disabled.
    – The cronjob section has an error. /etc/crontabs/root is missing. So i created it. Will it work now?
    – When i set up my macbook to share ethernet connections where the WR is connected to with the wifi connection, so that the WR and any clients have internet access, the default IP for the WR is inaccessible and unpingable. It reappears after disabling internet sharing again.

    I hope anyone can help me.

  46. SimonK permalink

    hello,

    I have WR703n 1.6 with ATTITUDE ADJUSTMENT (12.09, r36088) and following packages:

    at – 3.1.13-1 | base-files – 117-r36088 | bash – 4.2-3 | blkid – 2.21.2-1 | block-mount – 0.2.0-9 | busybox – 1.19.4-6 | bzip2 – 1.0.6-1 | curl – 7.29.0-1 | distribute – 0.6.21-1 | dnsmasq – 2.62-2 | dropbear – 2011.54-2 | dsniff – 2.4b1-2 | ettercap – NG-0.7.3-2 | firewall – 2-55.1 | hotplug2 – 1.0-beta-4 | htop – 1.0.1-1 | imagemagick – 6.7.8-1 | imagemagick-tools – 6.7.8-1 | iptables – 1.4.10-4 | iw – 3.6-1 | jshn – 2013-01-29-0bc317aa4d9af44806c28ca286d79a8b5a92b2b8 | karma – 20060124-1 | kernel – 3.3.8-1-d6597ebf6203328d3519ea3c3371a493 | kmod-ath – 3.3.8+2012-09-07-3 | kmod-ath9k – 3.3.8+2012-09-07-3 | kmod-ath9k-common – 3.3.8+2012-09-07-3 | kmod-cfg80211 – 3.3.8+2012-09-07-3 | kmod-crypto-aes – 3.3.8-1 | kmod-crypto-arc4 – 3.3.8-1 | kmod-crypto-core – 3.3.8-1 | kmod-fs-ext4 – 3.3.8-1 | kmod-gpio-button-hotplug – 3.3.8-1 | kmod-ipt-conntrack – 3.3.8-1 | kmod-ipt-core – 3.3.8-1 | kmod-ipt-nat – 3.3.8-1 | kmod-ipt-nathelper – 3.3.8-1 | kmod-leds-gpio – 3.3.8-1 | kmod-ledtrig-default-on – 3.3.8-1 | kmod-ledtrig-netdev – 3.3.8-1 | kmod-ledtrig-timer – 3.3.8-1 | kmod-ledtrig-usbdev – 3.3.8-1 | kmod-lib-crc-ccitt – 3.3.8-1 | kmod-lib-crc16 – 3.3.8-1 | kmod-mac80211 – 3.3.8+2012-09-07-3 | kmod-madwifi – 3.3.8+r3314-6 | kmod-nls-base – 3.3.8-1 | kmod-ppp – 3.3.8-1 | kmod-pppoe – 3.3.8-1 | kmod-pppox – 3.3.8-1 | kmod-scsi-core – 3.3.8-1 | kmod-usb-core – 3.3.8-1 | kmod-usb-ohci – 3.3.8-1 | kmod-usb-storage – 3.3.8-1 | kmod-usb2 – 3.3.8-1 | kmod-wdt-ath79 – 3.3.8-1 | libblkid – 2.21.2-1 | libblobmsg-json – 2013-01-29-0bc317aa4d9af44806c28ca286d79a8b5a92b2b8 | libbz2 – 1.0.6-1 | libc – 0.9.33.2-1 | libcap – 2.22-1 | libcurl – 7.29.0-1 | libdaq – 1.1.1-1 | libdb47 – 4.7.25.NC-6 | libdnet – 1.11-2 | libelf – 0.8.13-1 | libffi – 3.0.10-1 | libgcc – 4.6-linaro-1 | libgdbm – 1.9.1-2 | libip4tc – 1.4.10-4 | libipq – 1.4.10-4 | libiwinfo – 36 | libiwinfo-lua – 36 | libjpeg – 6b-1 | libjson – 0.9-2 | libltdl – 2.4-1 | liblua – 5.1.4-8 | libncurses – 5.7-5 | libnet0 – 1.0.2a-8 | libnet1 – 1.1.2.1-2 | libnids – 1.18-1 | libnl – 2.0-1 | libnl-tiny – 0.1-3 | libopenssl – 1.0.1e-1 | libpcap – 1.1.1-2 | libpcre – 8.11-2 | libpthread – 0.9.33.2-1 | libreadline – 5.2-2 | librpc – 0.9.32-rc2-0a2179bbc0844928f2a0ec01dba93d9b5d6d41a7 | librt – 0.9.33.2-1 | libruby – 1.9.2-p0-1 | libstdcpp – 4.6-linaro-1 | libtiff – 4.0.3-1 | libubox – 2013-01-29-0bc317aa4d9af44806c28ca286d79a8b5a92b2b8 | libubus – 2013-01-13-bf566871bd6a633e4504c60c6fc55b2a97305a50 | libubus-lua – 2013-01-13-bf566871bd6a633e4504c60c6fc55b2a97305a50 | libuci – 2013-01-04.1-1 | libuci-lua – 2013-01-04.1-1 | libusb – 0.1.12-3 | libusb-1.0 – 1.0.9-1 | libuuid – 2.21.2-1 | libxml2 – 2.7.8-2 | libxtables – 1.4.10-4 | lua – 5.1.4-8 | luci – 0.11.1-1 | luci-app-firewall – 0.11.1-1 | luci-i18n-english – 0.11.1-1 | luci-lib-core – 0.11.1-1 | luci-lib-ipkg – 0.11.1-1 | luci-lib-nixio – 0.11.1-1 | luci-lib-sys – 0.11.1-1 | luci-lib-web – 0.11.1-1 | luci-mod-admin-core – 0.11.1-1 | luci-mod-admin-full – 0.11.1-1 | luci-proto-core – 0.11.1-1 | luci-proto-ppp – 0.11.1-1 | luci-sgi-cgi – 0.11.1-1 | luci-theme-base – 0.11.1-1 | luci-theme-openwrt – 0.11.1-1 | mtd – 18.1 | nano – 2.2.6-1 | nbtscan – 1.5.1 | netcat – 0.7.1-2 | netifd – 2013-01-29.2-4bb99d4eb462776336928392010b372236ac3c93 | ngrep – 1.45-3 | nmap – 6.01-4 | opkg – 618-3 | php5 – 5.4.5-3 | php5-cgi – 5.4.5-3 | ppp – 2.4.5-8 | ppp-mod-pppoe – 2.4.5-8 | pyopenssl – 0.10-1 | python – 2.7.3-1 | python-mini – 2.7.3-1 | python-openssl – 2.7.3-1 | ruby – 1.9.2-p0-1 | samba36-client – 3.6.5-3 | sslstrip – 0.7-1 | swap-utils – 2.21.2-1 | swconfig – 10 | tar – 1.23-1 | tcpdump – 4.2.1-3 | terminfo – 5.7-5 | twisted – 2.5.0-1 | twisted-web – 2.5.0-1 | uboot-envtools – 2012.04.01-1 | ubus – 2013-01-13-bf566871bd6a633e4504c60c6fc55b2a97305a50 | ubusd – 2013-01-13-bf566871bd6a633e4504c60c6fc55b2a97305a50 | uci – 2013-01-04.1-1 | uclibcxx – 0.2.4-1 | uhttpd – 2012-10-30-e57bf6d8bfa465a50eea2c30269acdfe751a46fd | usb-modeswitch – 1.2.3-2 | usb-modeswitch-data – 20120120-1 | usbutils – 005-1 | wireless-tools – 29-5 | wpad-mini – 20120910-1 | yafc – 1.1.1-2 | zlib – 1.2.7-1 | zope-interface – 2.5.0-1 |

    In pineapple interface in status page karma seems to behave correctly by displaying
    KARMA: ENABLED
    KARMA: Probe Request from 20:68:9d:a0:38:71 for SSID ‘changed’

    etc…

    now I want to know why i dont see any other networks the victim’s phones/computers might be searching for autoconnect?

    Is this something normal?

    Also how can I manipulate the parameters written in the hostapd-phy0.conf file inside /var/run ?

    is there some kind of a command?

    I saw in hostapd.sh they are issuing the commands config_get and config_set but I dont see anywhere those commands or executable files… like # which config_get but nothing shows up..

    Is it something internal ? that loads only during execution ?

    If someone connects at the openwrt ssid then every attack seems to launch correctly. but that is not the intendend functionality. this can be accomplished with any hardware…

    which of the above packages can be removed safely from wr703n without losing serious functionality?
    ultimately my goal is this whole config must reside inside a compressed firmware inside 16M flash..
    Does anyone have a guide with information regarding transfering those files to a flash IC? I have the hardware for writting to SPI flash.

    thanx in advance for any help….
    SimonK

    • It will generally respond to the first probe per device.

      To manipulate hostapd-phy0.conf inside /var/run, used the “advanced” page, or the hosted.conf residing in /etc/

      No hostapd files? … you have to install the pkg first before copying the patched binaries “opkg install hosted”.

      No guide at the moment other than the blog post; I use the USB storage to get around the 4MB default limitation of default memory.

      This was just a Hak / PoC to prove functionality can be ported to other devices.

      I advise on using a legitimate Pineapple from Hak5, as the money spend is used in development and support, and future developments.

      This hack is really relying on the community to contribute,bugfix and patch as I can not guarantee support.

      • SimonK permalink

        I can confirm it works as expected!
        yes indeed the karma will respond to only one probe per device, also that SSID wont be seen by the user of the target machine but almost instantly his/her machine will autoconnect to the pineapple wlan ap.
        I was under the false impression by digininja’s info page that the pineapple will flood with open and known SSID’s to the target machines config and somehow this attack would be visible but thats not the case..
        anyways thanx for all the information and the help Andy

  47. Ok I’ve a 1.6 with rc2.

    I compile dsniff package with backfire ipk.

    wget http://downloads.openwrt.org/backfire/10.03.1/ar71xx/packages/dsniff_2.4b1-2_ar71xx.ipk
    opkg install dsniff_2.4b1-2_ar71xx.ipk

    I got some error in libraries, I solve linking new libraries to old needed libraries:

    cd /usr/lib
    ln -s libnl.so.2.0.0 libnsl.so.0
    ln -s libpcap.so.1.1.1 libpcap.so.1.0

    Urlsnarf works well with br-lan and wlan0. Arpspoof I can only try with eth and br-lan interface. Filesnarf seems to works well. Macof, mailsnarf, msgsnarf, sshow. Tcpkill and tcpnice appears to work.
    Dnspoff seems to work I tried but not in a real attack.

    Libgdbm.so.3 needed for dsniff, sshmitm, webmitm. I do the same in usr/lib

    ln -s libgdbm.so.4 libgdbm.so.3

    I didn’t try hard all the programs (I tried urlsnarf, arpspoof, macof) but seems to run all of then with the simbolic links. Maybe some works wrong with this “patch”

    I hope that works, sorry for my english.

  48. Tim permalink

    Ive already flashed openwrt on my wr703n and it works fine i did not however use a flash drive. can i partition one after the fact to put the pineapple firmware and other applications on it while leaving openwrt on the router?

    • You should have enough space to copy the patched binaries. However, you will be limited to command-line as there will not be enough space for the web-application and web-server components. The fact open-wrt is already installed , means it should be trivial to follow the usbmount instructions to move all of your existing files over to a USB partition and start building the interface from there.

  49. Mark Shera permalink

    Andy, thank you for this guide! I need help getting the Pineapple code working.

    I’m trying to get the Pineapple code working using the new Open Source method, but I’m currently stuck. I’ve searched everywhere for a solution, but have not found one.

    I was able to copy the Pineapple code to my WR703N using the following command:

    “git clone git://github.com/WiFiPineapple/web-interface.git /pineapple”

    and that created a /pineapple directory packed with sudirectories and files.

    What am I supposed to do now? What do you mean by the following statements?

    1. Disable all update modules…
    2. the ps command is slightly different in the version on the TPLink search
    3. from simon: grep -lr -e ‘ps aux’ * | xargs sed -i ‘s/ps aux/ps/g’…

    I’m really close to getting this working, but I’m lost now. Please help!

    • Modifying the ps statements was originally needed as I was not aware of the procps package. If you use opkg to install procps ; no need to worry about points 2 and 3.

      Point 1 – any updates from wifipineapple.com are geared for the Alfa Hornet UB/AP121, following these links will brick the TPLink, so it is suggested that they are removed.

      • Mark Shera permalink

        Thanks for the response, but I’m still confused. Am I supposed to:

        A. disable all updates for the Pineapple code? How?
        B. disable all updates for the OpenWRT packages?
        C. disable all updates for the Pineapple code and OpenWRT packages?

        I can install procps with opkg, but I still don’t understand how it relates to disabling any code updates and how it (ps) would be used for this.

        Sorry, but I’m clearly missing something with this new Open Source method, and there’s a chance that other readers may be missing it too.

        Can you be so kind as to explain it like I was 5 years old?

        Thank you once again for the great work and the terrific posts!

      • A. disable all updates for the Pineapple code? How?
        Yes, will cover this below
        B. disable all updates for the OpenWRT packages?
        Not necessary. This is ok!
        C. disable all updates for the Pineapple code and OpenWRT packages?
        Only. the Pineapple code.

        Removing pineapple updates:
        Simply delete the folder ‘upgrade’ which should be in the web-interface/pineapple root-directory;

        The original blue-pineapple hack, used the native ‘ps’ command from ‘busybox’ (a cut-down version of ps), a contributor actually found out that Hak5 were using the ‘ps’ command from the ‘procps’ package; This is similar to the ps command that is nativity found in Ubuntu. By installing the procps package, you no longer have to edit the plugins (urlsnarf, dnsspoof, ssltrip, etc). I have deleted the comments above to avoid future confusion, and added procps to the list of initial packages.

  50. Mark Shera permalink

    Thank you Andy! I think I understand now.

    Just to confirm, to install the Pineapple code using the new Open Source method I need to:

    1. copy the Pineapple code to my WR703N: “$ git clone git://github.com/WiFiPineapple…”
    2. disable all Pineapple code updates by removing the “/pineapple/upgrade” directory
    3. install a proper “ps” command with the “procps” package: “$ opkg install procps”
    4. copy the modified OpenWRT configuration files from above/Github to the WR703N:
    * /etc/config/dhcp
    * /etc/config/firewall
    * /etc/config/network
    * /etc/config/uhttpd
    * /etc/php.ini
    5. reboot + enjoy

    Is that correct? Did I miss anything?

    Cheers!

  51. Peter permalink

    Hi, I’m unable to install packages. After fixing some “bad address” problems by editing a DNS servers file, I get “Cannot install package kmod-usb-storage” and in the Web interface I get “Unknown package: kmod-usb-storage”. Also it says “No package lists available next to the Update lists button.

    Can you tell me what I’m missing? I have no prior experience with Openwrt.

    Thank you!

    • have you tried:
      opkg update

      • Peter permalink

        Thanks for the answer! Yes and I get no output and no errors either.

      • bit odd you normally get downloading Packages.gz from repository http://xxxxxx, then after the ‘opkg update’ try:
        opkg list
        it should list all available modules, kmod-usb-storage should be in that list.

        In the meantime, I’ll try and find an offline copy of the opkg.conf (currently my TPLInk is on loan ‘out-in-the-field’ ;))

      • Peter permalink

        Hi again, I listed the packages but kmod-usb-storage is not in the list, only kmod-usb-core.

        I don’t think it matters but I forgot to mention that I installed the latest version of the firmware from here: http://wiki.openwrt.org/toh/tp-link/tl-wr703n

      • Peter permalink

        Also, by reading that wiki page, I think I have the later “v 1.6 – March 2013 (FW build 130321, original FW rel. 37153n)”. Do you think that could be the problem?

      • try
        wget http://downloads.openwrt.org/attitude_adjustment/12.09-rc2/ar71xx/generic/packages/kmod-usb-storage_3.3.8-1_ar71xx.ipk
        opkg install ./kmod-usb-storage_3.3.8-1_ar71xx.ipk

      • Peter permalink

        Yes! Thank you!!! That worked! I had to install a lot of dependencies though. The packages that weren’t listed are kmod-usb-storage, kmod-fs-ext4 and block-mount. The dependencies (none of them listed) were: kmod-scsi for kmod-usb-storage, kmod-lib-crc16 for kmod-fs-ext4, blkid and swap-utils for block-mount, libblkid for blkid and liquid for libblkid.

        I was thinking that with all these installations I was going to run out of space and I did! After installing all the dependencies and trying to install bock-mount it ran out of space, but fortunately solved by deleting the .ipk files downloaded.

        I’m not sure what to do next. Just copy the contents with “tar -C /overlay -cvf – . | tar -C /mnt/sda2 -xf -“ or do I have to make the pivot root (mkdir -p /tmp/cproot…) thing too?

        Also, is the Whole external root (pivot root) step optional?

      • You have to do the root pivot – otherwise you’ll run out by writing to FLASH and will run out of space.

        The “tar -C /overlay -cvf – . | tar -C /mnt/sda2 -xf -“ simply copies the contents of FLASH-Filesystem to the USB drive.

  52. Alan permalink

    Does this device lack any features when compared to the original Wifi pineapple?

    • It has the same technology as a Mark IV. This posting was just a Proof-of-Concept to attract more users with smaller budgets. Also several of these devices were released at MACCDC(http://maccdc.org/). Depending on how your configured the device, you can either use the Mark IV infusions, or you need to manually patch them.

      Main feature left out is 3G/4G support. And general support; as I do not have time to maintain the project.

      If you want real power – Mark V for the Win!

  53. gh0st permalink

    I want to ask. Is it possible to use connect this pineapple to router/AP rather than using internet sharing from PC/laptop?

    AP/Route ==> pineapple ==> Victim

    • Yes, you just have to change your IP set up from static to DHCP on the eth0 interface

  54. donut permalink

    Are there anybody successfully run sslstrip on WR703n while using pineapple firmware?
    I found a problem when execute “iptables prerouting”, it doesn’t work for me.
    Appreciate for you help.

    • I know it suffers from the same issues as the MK IV Pineapple (Essentially the same hardware).

Trackbacks & Pingbacks

  1. Wifi Pineapple project uses updated hardware for man-in-the-middle attacks
  2. Wifi Pineapple project uses updated hardware for man-in-the-middle attacks | SIECURITY
  3. Ataques Man-In-The-Middle y otras pruebas pentesting usando hardware barato | CyberHades
  4. Wifi Pineapple project uses updated hardware for man-in-the-middle attacks | Make, Electronics projects, electronic Circuits, DIY projects, Microcontroller Projects - makeelectronic.com
  5. Pineapple Defences | Pentura Labs's Blog
  6. Turn your TP-Link TL-WR1043ND Router into a pineapple | Hezik.nl
  7. OpenWRT WR703N | Pearltrees
  8. …Yellow for a slice of Pineapple Pi… | Pentura Labs's Blog
  9. Ethical Hacking | Pearltrees
  10. … Green For The Anti-Pineapple | Pentura Labs's Blog
  11. New WiFi Pineapple; From Britain with Love! | Pentura Labs's Blog
  12. The Most Expensive Pineapple I Know | Softronic Lab
  13. Declaración de intenciones | Las notas de Paco

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 133 other followers

%d bloggers like this: