Creating a Remote Access Pentest Dropbox with the HAK5 Wi-Fi Pineapple

If you are unfamiliar with SSH proxies, HAK5 has a video that demonstrates the concept using a Wi-Fi Pineapple – http://hak5.org/episodes/hak5-1112

This walkthrough builds on my previous post “setup a cheap ssh relay with provision host”. The client and relay configuration sections remain the same; only the server portion changes, and in this case the server is the Wi-Fi Pineapple. The Wi-Fi Pineapple is a customized version of OpenWRT that runs Jasager. It is built to be a wireless attack tool, but it doesn't have to be used as one: here it becomes a dropbox that dials out to the relay over 3G and gives us a foothold on whatever network is plugged into its WAN port.

Parts List

1)      Wi-Fi Pineapple – http://hakshop.myshopify.com/products/wifi-pineapple

2)      Supported USB mobile broadband modem – ZTE MF591

3)      MicroSD card – Patriot 32GB Class4

Network Nomenclature

1)      Relay – Provision Host VPS

  • FQDN: relay.example.com
  • IP: 1.2.3.4 (static)
  • Usernames: root and relay-user
  • SSH Ports: 22 and 12345

2)      Server – Wi-Fi Pineapple

  • 3G IP: 5.6.7.8 (DHCP)
  • WAN IP: 10.10.10.100 (DHCP)
  • LAN IP: 172.16.42.1 (static)
  • Usernames: root and ananas

3)      Client – Internet enabled with SSH client

  • Hostname: client-hostname
  • IP: 9.10.11.12 (DHCP)
  • Username: client-user

Setup Hardware

1)      Activate the broadband modem with your mobile provider.

2)      Prepare microSD card. Follow Step 1 of the instructions for enabling USB mass storage with swap partition – http://forums.hak5.org/index.php?/topic/25882-how-to-enable-usb-mass-storage-with-swap-partition/

3)      Insert the configured microSD card into the ZTE MF591.

Connect Wi-Fi Pineapple

1)      Plug the ZTE MF591 into the USB port.

2)      Connect an Ethernet cable from the computer you will be using to configure the Wi-Fi Pineapple to the LAN/POE port. This setup is covered in the documentation provided with the Wi-Fi Pineapple. Once configuration is complete, this cable can be removed.

3)      Connect an Ethernet cable from the WAN port to a switch port on the network you wish to test.

Configure Wi-Fi Pineapple

1)      Log in to the Wi-Fi Pineapple configuration page with the default credentials (root/pineapplesareyummy) – http://172.16.42.1:1471

2)      Select the Upgrade tab and update the Wi-Fi Pineapple to the most current firmware available (2.7.7 as of this post) – http://cloud.wifipineapple.com/index.php?downloads

3)      Reboot.

4)      Change the root password from the Advanced tab.

5)      Configure services from the Status page.

  • Wireless – Stop (Disabling of wireless will be performed in a later step)
  • 3G bootup – Enable
  • 3G redial – Enable

6)      Enable swap on microSD. Follow Step 2 of the instructions for enabling USB mass storage with swap partition – http://forums.hak5.org/index.php?/topic/25882-how-to-enable-usb-mass-storage-with-swap-partition/

7)      Configure SSH.

  • If there is no Public Key, select Generate. The generated public key must be added to relay-user's ~/.ssh/authorized_keys on the relay, exactly as was done for the server in the previous post; the Pineapple's key is new, so the relay has never seen it.
  • The only Known Hosts entry required is for the relay server.
  • Modify the SSH Connection Command text so the Pineapple opens a reverse tunnel to the relay. autossh keeps the session alive (-M 20000 is its monitoring port), -N requests no remote shell, and -R 12345:localhost:22 publishes the Pineapple's own dropbear (port 22) as port 12345 on the relay, authenticating with the key generated above.

autossh -M 20000 -N -R 12345:localhost:22 relay-user@relay.example.com -i /etc/dropbear/id_rsa

  • Clients can only reach port 12345 from outside the relay if the relay's sshd has GatewayPorts enabled. Without it the forward binds to the relay's loopback only, and you would have to log into the relay first and then ssh to localhost:12345.

  • Set SSH options.
    SSH on boot – Enable
    SSH Persist – Enable

8)      Disable wireless and block access from the WAN port (test network)

  • Under the Scripts tab modify the Execute on Boot text.

#Don't touch anything above this line
ifconfig wlan0 down
iptables -A INPUT -i eth1 -j DROP
#Add your commands above this

  • Submit the changes (Update rc.local).
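Two things about the boot script above are worth making explicit. First, `iptables -A` appends, so the DROP lands after OpenWRT's own INPUT rules; it only takes effect for packets nothing earlier accepted. In particular OpenWRT's default RELATED,ESTABLISHED accept still lets replies to the Pineapple's own connections in, which is why the nmap run in the last section sees open ports at all. Change that line to `-I` and scanning breaks silently. Second, rc.local runs on every boot, and anyone who later re-runs it by hand stacks duplicate rules. The following script is an added example written for this post, not HAK5's or the Pineapple firmware's code. It states the accept-then-drop dependency in its own chain, hooks that chain at the top of INPUT (and, going a step beyond the post, FORWARD, so nothing from the test network is ever routed through the box), and deletes before inserting so it is safe to run repeatedly. It assumes eth1 is the WAN port and wlan0 the radio, as above; the IPT and IFCONFIG variables exist only so the logic can be exercised without a live firewall.

```shell
#!/bin/sh
# wan_isolate.sh - boot-time isolation of the Pineapple from the test network.
# Added example for this post (not HAK5 or Pineapple firmware code). Assumes
# eth1 is the WAN port and wlan0 the radio, as in the post. IPT and IFCONFIG
# are overridable only so the logic can be exercised without a live firewall.
IPT="${IPT:-iptables}"
IFCONFIG="${IFCONFIG:-ifconfig}"
WAN_IF="${WAN_IF:-eth1}"
WIFI_IF="${WIFI_IF:-wlan0}"
CHAIN="wan_isolate"

# Populate a private chain: replies to the dropbox's own connections (its
# scans) are allowed back in, everything else arriving from the WAN is dropped.
# The chain is created once and flushed on later runs, so rc.local stays
# idempotent across reboots and re-runs. "-m state --state" is the spelling
# OpenWRT's own firewall used at the time; "-m conntrack --ctstate" is the
# modern equivalent.
build_chain() {
  "$IPT" -N "$CHAIN" 2>/dev/null || "$IPT" -F "$CHAIN"
  "$IPT" -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A "$CHAIN" -j DROP
}

# Hook the chain at position 1 of INPUT and FORWARD so it is evaluated before
# anything OpenWRT's firewall accepts. Delete-then-insert avoids duplicates.
hook_chain() {
  for c in INPUT FORWARD; do
    "$IPT" -D "$c" -i "$WAN_IF" -j "$CHAIN" 2>/dev/null || true
    "$IPT" -I "$c" 1 -i "$WAN_IF" -j "$CHAIN"
  done
}

isolate_wan() {
  build_chain
  hook_chain
}

# The radio stays down: the dropbox must not advertise itself on the air.
silence_wifi() {
  "$IFCONFIG" "$WIFI_IF" down
}

# Invoked from rc.local as: sh /usb/wan_isolate.sh apply
case "${1:-}" in
  apply) silence_wifi; isolate_wan ;;
esac
```

Because the Pineapple's own outbound packets traverse OUTPUT rather than INPUT, the scans in the last section still work: their SYN-ACKs come back as ESTABLISHED and pass the first rule of the chain, while a connection initiated from the test network toward the box hits the DROP.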

Test Connectivity

1)      Follow the SSH relay instructions in the HAK5 video and/or my previous post “setup a cheap ssh relay with provision host”.

client-user@client-hostname:~$ ssh root@relay.example.com -p 12345
<Pineapple graphic banner>
root@Pineapple:~#

2)      Be patient when connecting over the mobile broadband modem. AutoSSH will reestablish dropped connections, but it may take a few minutes.

Troubleshooting

1)    3G modem not recognized.

  • From the 3G tab, remove the case statement and all broadband modems other than the one you are using (ZTE MF591).

2)   MicroSD issues

  • If /dev/sda1 is not being mounted as /usb, as defined in fstab, add a sleep at the top of the start function in /etc/init.d/fstab so the USB storage has time to enumerate before the mounts are attempted:

start() {
                sleep 20
                # rest of the function unchanged
}

  • This may affect swapon for /dev/sda2 as well. If, after applying the above fix, the command ‘swapon -s’ still shows ‘/dev/sda2 (deleted)’ then add the following to /etc/rc.local:

    swapoff -a && swapon -a

3)   SSH issues

  • If the client SSH attempt results in a “connection refused” then be patient, autossh may need to reestablish the connection from the Pineapple to the relay server.
  • If the client SSH attempt hangs, then the problem may be on the relay server.
    • Login to the relay server.

client-user@client-hostname:~$ ssh relay-user@relay.example.com

    • su to root and find the sshd process that owns the forwarded port. The sshd listening on 12345 is the relay-side process serving the Pineapple's autossh session; the CLOSE_WAIT entries are client connections it never finished closing, which is what makes new client logins hang.

[relay-user@relay relay]$ su
Password: <relay root password>
[root@relay relay]# netstat -anp | grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 538/sshd
tcp 1 0 1.2.3.4:12345 9.10.11.12:38311 CLOSE_WAIT 538/sshd
tcp 1 0 1.2.3.4:12345 9.10.11.12:38319 CLOSE_WAIT 538/sshd
tcp 1 0 1.2.3.4:12345 9.10.11.12:38318 CLOSE_WAIT 538/sshd
tcp 0 0 1.2.3.4:12345 9.10.11.12:38299 CLOSE_WAIT 538/sshd
tcp 0 0 1.2.3.4:41616 1.2.3.4:12345 FIN_WAIT2 -
tcp 1 0 1.2.3.4:12345 9.10.11.12:38316 CLOSE_WAIT 538/sshd
tcp 1 0 1.2.3.4:12345 1.2.3.4:41616 CLOSE_WAIT 538/sshd
tcp 0 0 :::12345 :::* LISTEN 538/sshd

    • Kill the SSH daemon identified above. This tears down the forward; autossh on the Pineapple notices the dropped session and re-establishes it, which over 3G can take a few minutes.

[root@relay relay]# kill -9 538
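The manual hunt above is easy to script, which matters when the relay is shared and you want to clear the forward from a phone at 2am. The following is an added example, not part of the post or HAK5's tooling: it parses `netstat -anp` output for sshd processes that hold the forwarded port with sockets stuck in CLOSE_WAIT, and optionally kills them so autossh can reconnect. It assumes the netstat column layout shown above (proto, recv-q, send-q, local, foreign, state, pid/program); the embedded sample is constructed from that listing. Run it as root on the relay, since netstat only reports PIDs for processes you own.

```shell
#!/bin/sh
# stale_forward.sh - on the relay, find (and optionally kill) the sshd that
# owns a hung reverse forward so autossh on the Pineapple can rebuild it.
# Added example for this post, not HAK5's tooling. It assumes the column
# layout of `netstat -anp` shown above: proto recv-q send-q local foreign
# state pid/program. netstat only reports PIDs for your own processes unless
# you are root, so run it after su.

# stale_forward_pids PORT < netstat_output: PIDs of sshd processes that hold
# PORT with at least one socket stuck in CLOSE_WAIT, one per line.
stale_forward_pids() {
  awk -v port="$1" '
    $1 ~ /^tcp6?$/ {
      n = split($4, l, ":"); lport = l[n]      # last element also works for :::12345
      if (lport == port && $6 == "CLOSE_WAIT" && $7 ~ /^[0-9]+\/sshd$/) {
        split($7, p, "/"); print p[1]
      }
    }' | sort -u
}

# kill_stale_forwards PORT: TERM each PID found above, then KILL if it lingers.
# autossh on the Pineapple sees the session drop and reconnects on its own.
kill_stale_forwards() {
  netstat -anp 2>/dev/null | stale_forward_pids "$1" | while read -r pid; do
    echo "killing sshd $pid holding port $1"
    kill "$pid" 2>/dev/null; sleep 2
    kill -0 "$pid" 2>/dev/null && kill -9 "$pid"
  done
}

# Constructed sample in the layout of the listing above (not a live capture).
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 538/sshd
tcp 1 0 1.2.3.4:12345 9.10.11.12:38311 CLOSE_WAIT 538/sshd
tcp 0 0 1.2.3.4:41616 1.2.3.4:12345 FIN_WAIT2 -
tcp 1 0 1.2.3.4:12345 1.2.3.4:41616 CLOSE_WAIT 538/sshd
tcp 0 0 :::12345 :::* LISTEN 538/sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 412/sshd
tcp 0 0 1.2.3.4:22 9.10.11.12:40112 ESTABLISHED 700/sshd'

# Usage: sh stale_forward.sh 12345   (or "demo" to run against the sample)
case "${1:-}" in
  "") ;;
  demo) printf '%s\n' "$SAMPLE_NETSTAT" | stale_forward_pids 12345 ;;
  *) kill_stale_forwards "$1" ;;
esac
```

Only the sshd holding port 12345 is matched; the relay's main listener on 22 and any live client sessions are left alone. On a newer relay where `ss` has replaced netstat, `ss -tanp` prints its process column as users:(("sshd",pid=538,...)), so the seventh-field pattern would need adjusting.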

Secure the Pineapple

Only continue with these steps after consistent SSH relay communications can be established between the client and the Pineapple.

1)      Install sudo.

root@Pineapple:~# opkg update
root@Pineapple:~# opkg install sudo

2)      Create a non-root user. The shadow entry below is written with an empty password field, which dropbear rejects for password login, so set a real password right after creating the account; it is needed for the password login in step 3 and for sudo in step 4.

root@Pineapple:~# echo ananas:x:1001: >> /etc/group
root@Pineapple:~# echo ananas:x:1001:1001:ananas:/home/ananas:/bin/ash >> /etc/passwd
root@Pineapple:~# echo ananas::15759:0:99999:7::: >> /etc/shadow
root@Pineapple:~# passwd ananas
root@Pineapple:~# mkdir /home/ananas
root@Pineapple:~# chown -R ananas /home/ananas/
root@Pineapple:~# chgrp -R ananas /home/ananas/
root@Pineapple:~# visudo
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw  # Ask for the password of the target user
# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
ananas ALL=(ALL) ALL

3)      Enable public key authentication

  • Copy the client public key to clipboard. If the file ~/.ssh/id_rsa.pub doesn’t exist on your client machine then follow the instructions in the previous post “setup a cheap ssh relay with provision host”.

client-user@client-hostname:~$ cd ~
client-user@client-hostname:~$ cat .ssh/id_rsa.pub
ssh-rsa <LONG KEY> client-user@client-hostname

  • Copy the client public key to the Pineapple (this first login still uses password authentication). dropbear ignores authorized_keys if the file or ~/.ssh is group- or world-writable, so set the permissions explicitly.

client-user@client-hostname:~$ ssh ananas@relay.example.com -p 12345
ananas@Pineapple:~$ mkdir .ssh
ananas@Pineapple:~$ chmod 700 .ssh
ananas@Pineapple:~$ cd .ssh
ananas@Pineapple:~/.ssh$ echo ssh-rsa <LONG KEY> client-user@client-hostname >> authorized_keys
ananas@Pineapple:~/.ssh$ chmod 600 authorized_keys
ananas@Pineapple:~/.ssh$ exit

  • Login to the Pineapple using public key authentication.

client-user@client-hostname:~$ ssh ananas@relay.example.com -p 12345

  • If unsuccessful, then explicitly specify the private key file.

client-user@client-hostname:~$ ssh ananas@relay.example.com -p 12345 -i ~/.ssh/id_rsa 

4)      Verify ananas can sudo.

  • Login to the Pineapple as ananas and sudo.

client-user@client-hostname:~$ ssh ananas@relay.example.com -p 12345
ananas@Pineapple:~$ sudo -i
<Pineapple graphic banner>
root@Pineapple:~#

5)      Disallow SSH password authentication and root login. WARNING: If you don't have working public key authentication and a sudo-capable user, this WILL lock you out of the Pineapple over SSH. The Pineapple's own outbound autossh session to the relay is unaffected, but the root test login used under Test Connectivity will no longer work; connect as ananas from now on.

  • Edit the dropbear configuration file.

root@Pineapple:~# vi /etc/config/dropbear
config dropbear
                     option PasswordAuth 'off'
                     option RootPasswordAuth 'off'
                     option RootLogin 'off'
                     option Port '22'
root@Pineapple:~# /etc/init.d/dropbear restart
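Step 5 is the point where a mistake costs you the box, so it is worth scripting the preflight rather than trusting that step 4 was done. The following is an added example for this post, not Pineapple or OpenWRT code. It refuses to write the hardened dropbear config until the non-root user has a usable authorized_keys (non-empty, holding an ssh- key, not group/world writable, which dropbear silently ignores), a sudoers entry, and a non-empty password field in /etc/shadow (sudo will prompt for it). It assumes the file layout used above (/etc/config/dropbear, /etc/sudoers, /etc/shadow, /home/<user>/.ssh/authorized_keys) and takes a root prefix so the same functions can be exercised against a scratch directory; demo_root builds that scratch tree with a constructed key and password hash.

```shell
#!/bin/sh
# dropbear_lockdown.sh - refuse to turn off password/root SSH logins until the
# non-root user can still get in with a key and can still sudo to root.
# Added example for this post (not HAK5 or OpenWRT code). It assumes the file
# layout used above. ROOT is a path prefix: "/" on the Pineapple, a scratch
# directory when exercising it elsewhere.

# check_user_ready ROOT USER: prints a reason and returns 1 on the first
# condition that would lock you out of the Pineapple after the change.
check_user_ready() {
  root="$1"; user="$2"
  sshdir="$root/home/$user/.ssh"; keys="$sshdir/authorized_keys"
  [ -s "$keys" ] || { echo "no authorized_keys for $user"; return 1; }
  grep -q '^ssh-' "$keys" || { echo "authorized_keys holds no ssh-* key"; return 1; }
  # dropbear silently ignores the file if it or ~/.ssh is group/world writable
  if [ -n "$(find "$sshdir" "$keys" -maxdepth 0 -perm /022 2>/dev/null)" ]; then
    echo "$sshdir or authorized_keys is group/world writable"; return 1
  fi
  grep -Eq "^$user[[:space:]]+ALL=" "$root/etc/sudoers" \
    || { echo "no sudoers entry for $user"; return 1; }
  # sudo will prompt for this user's password: an empty field is useless
  grep -q "^$user::" "$root/etc/shadow" \
    && { echo "$user has an empty password in /etc/shadow"; return 1; }
  echo "ok"
}

# Write the hardened dropbear config from step 5 above.
write_dropbear_config() {
  cat > "$1/etc/config/dropbear" <<'EOF'
config dropbear
        option PasswordAuth 'off'
        option RootPasswordAuth 'off'
        option RootLogin 'off'
        option Port '22'
EOF
}

# lockdown ROOT USER: apply the config only when every check passes.
lockdown() {
  check_user_ready "$1" "$2" || return 1
  write_dropbear_config "$1"
}

# demo_root: a constructed scratch tree mirroring the state after step 4
# (placeholder key and hash, not real credentials).
demo_root() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/config" "$d/home/ananas/.ssh"
  echo 'ananas ALL=(ALL) ALL' > "$d/etc/sudoers"
  echo 'ananas:$1$constructed$hash:15759:0:99999:7:::' > "$d/etc/shadow"
  echo 'ssh-rsa AAAAB3constructedkey client-user@client-hostname' \
    > "$d/home/ananas/.ssh/authorized_keys"
  chmod 700 "$d/home/ananas/.ssh"; chmod 600 "$d/home/ananas/.ssh/authorized_keys"
  echo "$d"
}

# On the Pineapple: sh dropbear_lockdown.sh / ananas && /etc/init.d/dropbear restart
case "${1:-}" in
  "") ;;
  *) lockdown "$1" "${2:-ananas}" ;;
esac
```

Keep the existing SSH session open while dropbear restarts and open a second one as ananas to confirm key login and sudo before closing the first; the script removes the common mistakes, not the need for that last check.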

Use the Pineapple Dropbox to Remotely Scan Target Network

1)      Install nmap. The usb destination puts the package on the microSD card instead of the Pineapple's small internal flash; it must be declared in /etc/opkg.conf (a line reading dest usb /usb), so check that file if opkg complains about an unknown destination.

root@Pineapple:~# opkg update
root@Pineapple:~# opkg install --dest usb nmap

2)      Run a quick nmap against hosts on the target network (WAN port). -oA writes normal, grepable and XML output under the given basename, and the scan leaves through eth1, so the test network sees it coming from 10.10.10.100.

root@Pineapple:~# nmap --top-ports 10 -oA /usb/top_ports 10.10.10.1-254
<nmap output>

3)      Validate nmap output.

root@Pineapple:~# ls -al /usb

drwxr-xr-x 4 root root 4096 Feb 23 22:57 .
drwxr-xr-x 1 root root 0 Feb 17 04:15 ..
drwx------ 2 root root 16384 Feb 8 01:40 lost+found
-rw-r--r-- 1 root root 4662 Feb 23 22:57 top_ports.gnmap
-rw-r--r-- 1 root root 5190 Feb 23 22:57 top_ports.nmap
-rw-r--r-- 1 root root 23973 Feb 23 22:57 top_ports.xml
drwxr-xr-x 5 root root 4096 Feb 16 08:59 usr

root@Pineapple:~# tail /usb/top_ports.nmap

25/tcp filtered smtp
80/tcp filtered http
110/tcp filtered pop3
139/tcp open netbios-ssn
443/tcp filtered https
445/tcp filtered microsoft-ds
3389/tcp filtered ms-wbt-server
MAC Address: 0A:12:1C:85:D5:82 (Unknown)
# Nmap done at Sat Feb 23 22:57:48 2013 -- 254 IP addresses (13 hosts up) scanned in 11.94 seconds
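Once the scan files are on the microSD card, the grepable output is the one to mine from the dropbox itself; the XML is better pulled back to the client for other tools. The script below is an added example, not HAK5's or nmap's code: it lists open ports per host from a .gnmap file and can narrow that to the hosts exposing one port, ready to feed whatever runs next against that service. It relies on nmap's documented grepable layout (tab-separated fields after "Host: <ip> (<name>)", each Ports entry as port/state/protocol/owner/service/rpc/version) and uses a constructed sample built in the shape the post's top_ports.gnmap would take.

```shell
#!/bin/sh
# open_ports.sh - summarise nmap's grepable output (the .gnmap written by -oA).
# Added example for this post, not HAK5's or nmap's code. It relies on nmap's
# documented -oG layout: tab-separated fields after "Host: <ip> (<name>)",
# with each "Ports:" entry as port/state/protocol/owner/service/rpc/version/.

# open_ports < file.gnmap: one line per open port, "host port/proto service".
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if (index($i, "Ports: ") != 1) continue
        n = split(substr($i, 8), ports, ", ")
        for (j = 1; j <= n; j++) {
          split(ports[j], f, "/")
          if (f[2] == "open") print host, f[1] "/" f[3], f[5]
        }
      }
    }'
}

# hosts_with_open PORT < file.gnmap: unique hosts exposing PORT, ready to be
# fed to whatever runs next against that service.
hosts_with_open() {
  open_ports | awk -v want="$1" '{ split($2, p, "/"); if (p[1] == want) print $1 }' | sort -u
}

# Constructed sample in the shape the post's top_ports.gnmap would take
# (addresses from the nomenclature section; not real scan data).
SAMPLE_GNMAP=$(
  printf 'Host: 10.10.10.1 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (7)\n'
  printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.5 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///\tIgnored State: filtered (8)\n'
  printf 'Host: 10.10.10.9 ()\tPorts: 139/open/tcp//netbios-ssn///\tIgnored State: filtered (9)\n'
)

# Usage: sh open_ports.sh /usb/top_ports.gnmap   (or "demo" for the sample)
case "${1:-}" in
  "") ;;
  demo) printf '%s\n' "$SAMPLE_GNMAP" | open_ports ;;
  *) open_ports < "$1" ;;
esac
```

Because the script only needs awk and sort, it runs on the Pineapple's BusyBox userland without installing anything else to the microSD card.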
