
Pineapple Defences

May 9, 2013


Background

The previous post (Blue for the Pineapple) shared instructions on how to build a cheaper clone of the infamous Hak5 WiFi Pineapple, and in doing so raised awareness of what these WiFi honeypots can do and how they are exploited.  This post discusses the defences most often suggested against the Pineapple:

  • Setting Access Points to Use WPA2 or Enterprise Encryption
  • SSL
  • VPN
  • Manual Connections

Does WPA2 or Enterprise Encryption Prevent the Pineapple?

Not really!

The Pineapple does not wait for your device to find it.  It runs a Karma-style responder that answers the Probe Requests your device sends out for every SSID in its saved-network list, claiming to be whichever network was asked for (Beacon Frames are what a genuine AP broadcasts; the Pineapple’s trick is in the Probe Response).  As the whole of the Pineapple’s WiFi network is unencrypted, there is no prompt for a Pre-Shared Key (PSK) or Enterprise credentials: a client looking for a saved open network (a hotel, coffee-shop or BTFON profile) will blindly trust and associate with the Pineapple under the rogue SSID.  A profile saved as WPA2 is a partial defence in itself, because most clients will not match it against an open network of the same name, but any open profile left on the device is enough for the Pineapple to impersonate.

The Pineapple software has been used to this effect on several penetration testing engagements.  With a more powerful router, or with some additional help from a laptop, it can also be set up with a rogue RADIUS server to impersonate a WPA2-Enterprise network: a client that does not validate the RADIUS server’s certificate will run its inner authentication (PEAP/MSCHAPv2 being the common case) against the rogue and hand over a hashed challenge/response, which can then be cracked offline, including with cloud computation.
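The probe-response behaviour described above leaves a signature a defender can look for: a single BSSID that answers probes for many unrelated SSIDs, or an open network carrying the name of a network the client has saved as WPA2. The following is an added example (not code from the original post or from the Hak5 project) that parses beacon/probe-response frames by hand and flags both patterns. The frame layout follows the IEEE 802.11 management-frame format; the saved-profile list, MAC addresses and the sample capture are constructed for the demonstration.

```python
"""Spotting a Karma-style responder (Pineapple) in captured 802.11 frames.

Added example, not code from the original post.  Frame layout follows IEEE
802.11 management frames; the sample capture below is constructed by hand.
"""
import struct
from collections import defaultdict

SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
CAP_PRIVACY = 1 << 4               # capability bit 4: encryption required
IE_SSID, IE_RATES, IE_RSN = 0, 1, 48


def parse_mgmt_frame(frame: bytes):
    """Pull BSSID, SSID and the security flags out of a beacon/probe response.

    Layout: 24-byte MAC header, 12 bytes of fixed fields (timestamp, beacon
    interval, capability), then tag/length/value information elements.
    Returns None for any other frame or a frame too short to carry them.
    """
    if len(frame) < 36:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in (SUBTYPE_PROBE_RESP, SUBTYPE_BEACON):
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])     # Address 3
    capability = struct.unpack_from("<H", frame, 34)[0]
    ssid, has_rsn, pos = None, False, 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:       # truncated IE: stop rather than over-read
            break
        if tag == IE_SSID:
            ssid = value.decode("utf-8", errors="replace")
        elif tag == IE_RSN:            # RSN IE present => WPA2 advertised
            has_rsn = True
        pos += 2 + length
    return {"subtype": subtype, "bssid": bssid, "ssid": ssid,
            "privacy": bool(capability & CAP_PRIVACY), "rsn": has_rsn}


def detect_rogues(frames, saved_profiles, karma_threshold=3):
    """Return sorted (bssid, reason) findings for two Pineapple signatures.

    saved_profiles maps SSID -> "open" | "wpa2", standing in for the client's
    preferred-network list.  A BSSID that answers probes for several different
    SSIDs is a Karma responder; an open network using the name of a saved WPA2
    network is an evil twin (the client should refuse it, but it is worth seeing).
    """
    ssids_per_bssid = defaultdict(set)
    findings = set()
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f is None or f["ssid"] is None:
            continue
        if f["subtype"] == SUBTYPE_PROBE_RESP:
            ssids_per_bssid[f["bssid"]].add(f["ssid"])
        if saved_profiles.get(f["ssid"]) == "wpa2" and not (f["privacy"] or f["rsn"]):
            findings.add((f["bssid"], f"open twin of WPA2 network {f['ssid']!r}"))
    for bssid, ssids in ssids_per_bssid.items():
        if len(ssids) >= karma_threshold:
            findings.add((bssid, f"Karma-style responder: answers {len(ssids)} SSIDs"))
    return sorted(findings)


def build_frame(subtype, bssid, ssid, privacy=False, rsn=False):
    """Build a minimal beacon/probe response (test fixture, not a real capture)."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6   # FC, duration, DA
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr += mac + mac + b"\x00\x00"                                 # SA, BSSID, seq
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)                 # ESS [+ privacy]
    fixed = struct.pack("<QHH", 0, 100, cap)
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode() + bytes([IE_RATES, 1, 0x82])
    if rsn:   # RSN IE: CCMP group/pairwise cipher, PSK AKM
        body = bytes.fromhex("0100000fac040100000fac040100000fac020000")
        ies += bytes([IE_RSN, len(body)]) + body
    return hdr + fixed + ies


# Constructed sample: one genuine WPA2 AP and one responder (locally
# administered MAC) answering every probe with an open network of that name.
SAVED_PROFILES = {"BTFON": "open", "CorpWiFi": "wpa2", "HomeNet": "wpa2"}
SAMPLE_CAPTURE = [
    build_frame(SUBTYPE_BEACON, "02:00:00:11:22:33", "CorpWiFi", privacy=True, rsn=True),
    build_frame(SUBTYPE_PROBE_RESP, "02:00:00:aa:bb:cc", "BTFON"),
    build_frame(SUBTYPE_PROBE_RESP, "02:00:00:aa:bb:cc", "CorpWiFi"),
    build_frame(SUBTYPE_PROBE_RESP, "02:00:00:aa:bb:cc", "HomeNet"),
    build_frame(SUBTYPE_PROBE_RESP, "02:00:00:aa:bb:cc", "Airport_Free"),
]

if __name__ == "__main__":
    for bssid, reason in detect_rogues(SAMPLE_CAPTURE, SAVED_PROFILES):
        print(bssid, reason)
```

Run against a real capture, the frames would come from a monitor-mode interface rather than `build_frame`; the parser only needs the 802.11 frame bytes, not radiotap headers, so strip those first. The Karma threshold is deliberately low because a legitimate multi-SSID AP normally uses a distinct BSSID per SSID.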

Does SSL offer any protection?

Some internet postings advise forcing HTTPS with browser plugins such as HTTPS Everywhere (Chrome & Firefox).  Others advise serving the HSTS (HTTP Strict Transport Security) header, so that browsers know that only HTTPS should be used to reach the site.

Neither is a complete answer, because the Pineapple is essentially a Man-in-the-Middle (MiTM) device and can rewrite the traffic that flows through its internet connection.  The WiFi Pineapple website offers additional modules called Infusions.  Amongst these is SSLstrip (using Moxie Marlinspike’s code, http://www.thoughtcrime.org/software/sslstrip/).  SSLstrip talks HTTPS to the requested web server but plain old HTTP to the wireless client, rewriting the https:// links and redirects in the pages it relays so that the client never starts a TLS session of its own.  It only works, though, on a connection that begins over HTTP.  A request the browser already makes over HTTPS, because an HTTPS Everywhere rule or a cached (or preloaded) HSTS policy covers the site, cannot be downgraded, and an HSTS header that arrives over the stripped HTTP connection is ignored by the browser, so the policy is never learned that way.  On a first visit to a site with neither in place, SSLstrip wins.  The attacker’s fallback is an intercepting proxy with forged certificates, which produces a certificate warning on desktop browsers that a surprising number of users click through.

So in my opinion SSL on its own is thin protection against the Pineapple: it holds only when the very first request is already HTTPS and the user refuses to accept a bad certificate.
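To make the boundary concrete, here is an added example (not code from the original post, and not sslstrip’s own code) that models the client side: the downgrade rewrite sslstrip applies to relayed pages, a browser-side HSTS policy store following RFC 6797 (the header is honoured only on HTTPS responses, max-age=0 revokes, includeSubDomains covers children), and the decision of which scheme a request actually leaves the client with. The hostname bank.example, the server response and the HTTPS Everywhere host list are constructed for the demonstration.

```python
"""sslstrip versus HSTS and HTTPS Everywhere, modelled on the client side.

Added example, not code from the original post or from sslstrip itself.
The hostname, the server response and the policy store are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed server response: an HTTPS site that sets HSTS and links to itself.
SERVER_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SERVER_BODY = '<a href="https://bank.example/login">Log in</a>'


def sslstrip_rewrite(body: str) -> str:
    """The downgrade sslstrip applies to pages it relays to the victim: every
    https:// reference becomes http://, so the victim's next request is plaintext
    while the proxy keeps its own HTTPS session to the real server."""
    return re.sub(r"https://", "http://", body, flags=re.IGNORECASE)


class HstsStore:
    """Browser-side HSTS policy cache (RFC 6797, simplified: no expiry clock)."""

    def __init__(self, preload=()):
        # host -> includeSubDomains flag; preloaded entries count as already seen
        self.policies = {host: True for host in preload}

    def process_response(self, host, over_https, headers):
        """Learn a policy from Strict-Transport-Security.  The header is ignored
        on an HTTP response (RFC 6797 section 8.1), which is exactly why a
        stripped connection can never teach the browser to upgrade."""
        header = headers.get("Strict-Transport-Security")
        if not over_https or header is None:
            return False
        directives = {}
        for part in header.split(";"):
            key, _, val = part.strip().partition("=")
            directives[key.lower()] = val.strip('" ')
        if "max-age" not in directives:
            return False
        if int(directives["max-age"]) == 0:
            self.policies.pop(host, None)        # max-age=0 revokes the policy
        else:
            self.policies[host] = "includesubdomains" in directives
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a policy."""
        if host in self.policies:
            return True
        labels = host.split(".")
        return any(self.policies.get(".".join(labels[i:]))
                   for i in range(1, len(labels)))


def scheme_for_request(url, hsts, https_everywhere_hosts=()):
    """Scheme the browser actually uses: an explicit https URL, an HSTS policy or
    an HTTPS Everywhere rule all force TLS before any packet leaves the client."""
    parts = urlsplit(url)
    if (parts.scheme == "https" or hsts.is_known(parts.hostname)
            or parts.hostname in https_everywhere_hosts):
        return "https"
    return "http"


def simulate_visit(url, hsts, https_everywhere_hosts=()):
    """Return (scheme used, body the browser saw).  Over http the Pineapple's
    sslstrip rewrites the page; over https it only sees an opaque TLS stream."""
    host = urlsplit(url).hostname
    scheme = scheme_for_request(url, hsts, https_everywhere_hosts)
    body = SERVER_BODY if scheme == "https" else sslstrip_rewrite(SERVER_BODY)
    # The HSTS header is handed over in both cases; the store discards it over http.
    hsts.process_response(host, scheme == "https", SERVER_HEADERS)
    return scheme, body


if __name__ == "__main__":
    store = HstsStore()
    print(simulate_visit("http://bank.example/login", store))      # stripped
    print(simulate_visit("https://bank.example/login", store))     # learns HSTS
    print(simulate_visit("http://bank.example/account", store))    # upgraded
```

The three calls at the bottom trace the first-visit problem: the typed http:// URL is stripped, a later genuine HTTPS visit installs the policy, and from then on even an http:// link is upgraded before it reaches the Pineapple. Seeding the store with a preload list or adding the host to the HTTPS Everywhere set closes the first-visit window as well.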

What about VPNs?

A VPN (Virtual Private Network) is a good way of protecting your data over public Access Points (APs): your traffic is encrypted and tunnelled to your corporate, home or trusted-provider endpoint before it goes anywhere else.  This is the general advice for using any public or untrusted wireless network.

A VPN will not prevent your mobile device from being tricked into connecting to a Pineapple.  It should, however, protect (via the encrypted tunnel) your data as it flows through the Pineapple or public AP, so infusions (modules) like SSLstrip have nothing to manipulate and the MiTM capability of the Pineapple is lost.  Two caveats apply: anything sent before the tunnel is up (DNS lookups, captive-portal pages, apps that start talking early) still crosses the Pineapple in the clear, and a VPN client that silently falls back to the bare connection when the tunnel drops hands the attacker exactly that window, so prefer a client that blocks all traffic outside the tunnel.

Managing Your Connection?

This is not really for the inexperienced; it requires understanding by the user, so you remain vulnerable to user error.

You can configure some mobile devices not to connect to WiFi APs automatically, and additionally set the device to prompt before joining new networks.  This may stop the device from connecting on its own, but it merely transfers the decision to the user.  If you are out in public and trust a familiar AP (actually a familiar SSID, for example “BTFON”) you might still tap the “Connect” button unaware that you have actually joined a Pineapple or another rogue AP.  Pruning the saved-network list of open networks you no longer use also removes the SSIDs a Pineapple can impersonate in the first place.

Conclusion

The best possible advice is this: if you do not trust the WiFi AP, turn off WiFi and use the 3G/4G connection on your mobile or a 3G/4G modem!

Something New!

Coming soon, “Green for the Anti-Pineapple”: a small portable Anti-Pineapple device!

From → infosec, pentura, privacy, WiFi

3 Comments
  1. useless

    Hi!

    I followed the tutorial “Blue for the Pineapple”, so I was interested in the possible protections against it.

    However, I have a remark on the part about SSL, more precisely, about HTTPS Everywhere and sslstrip.

    Many websites redirect you to the HTTPS version of the site when you connect over HTTP. That’s where sslstrip strikes: it doesn’t tell your browser to redirect, so that the browser still sends everything in plain text, but the MITM connects to the server via HTTPS.

    But with an extension like HTTPS Everywhere, the first request is already made over HTTPS, so the MITM can’t do anything (except block every SSL traffic, but he’d be discovered in no time).

    Maybe there’s something I’m missing, but I think HTTPS Everywhere is a suitable measure against sslstrip.

    • But the pineapple is essentially a man-in-the-middle device; it’s easy to use an intercepting proxy. OK, the certificates won’t match back on the client, and modern browsers (IE, Firefox, Chrome) will display a warning message for the user to acknowledge the difference and ask whether they still want to proceed. I have used this on engagements and you’ll be surprised how many people click through (I think this is down to bad SSL management within companies, encouraging this type of behaviour). Additionally, I have never seen such a warning message on mobile devices (maybe my phone is a bit old???), so I have always successfully MiTM’ed phones’ WiFi connections.

      • useless

        I agree with the fact that you can generate SSL certificates on-the-fly, but the error message will mean you’re not as stealthy as possible (and I’m definitely intrigued by what you see on mobile browsers, I’ll have to take a look).

        Also it’s true that (almost) every user will accept an insecure certificate, just so that they can check their Facebook page 😉
