The Audit - Presented by IT Audit Labs
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics.
IT Audit Labs provides your organization with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization.
Inside the Hak5 Pineapple: Tools, Tips, and Real-World Applications
Unlock the secrets behind the powerful Hak5 Pineapple tool in this episode of The Audit.
Hosts Eric Brown and Nick Mellum, joined by Cameron Birkeland, explore the tool's functionalities and features, offering practical insights and real-world applications. Discover how the Hak5 Pineapple can enhance your cybersecurity measures, with discussions on model comparisons, security implications, and best practices.
In this episode we’ll cover:
- What is the Hak5 Pineapple?
- Comparing the Tetra and Mark 7 models
- Real-world uses and case studies for the Pineapple
- Key security implications and best practices
- Cool features of the Pineapple and a live demo
- How to generate detailed reports with the Pineapple
Join us for an engaging discussion packed with valuable information for cybersecurity professionals and enthusiasts alike. Don’t miss out on our latest insights and tips!
#Cybersecurity #HAC5Pineapple #PenTesting #EthicalHacking #WiFiSecurity #CyberThreats
Speaker 1:Welcome everybody to The Audit, hosted by Eric Brown and Nick Mellum. I'm your producer, Joshua Schmidt. Today we're joined by Cameron Birkland. He's an ITOL team member here. Today we're going to be talking about the Hak5 tool, the Pineapple, and going into depth and doing some overviews on that tool. So, Cameron, why don't you give us just a quick little background of you and what you do day to day and what we're going to be talking about today?
Speaker 2:So I'm a security engineer here with IT Audit Labs Spend most of my time doing the day to day security work for a local county.
Speaker 1:What did you have for lunch today, Cameron? I had reheated stir fry.
Speaker 2:That's nice. It wasn't too bad Noodles chicken, some vegetables.
Speaker 1:How about you, Nick?
Speaker 3:Actually not too far off. My wife makes a dish that I actually request often and we call it egg roll in a bowl. So she makes everything that filling from an egg roll, put it in a bowl. You put the little crispy toppings, you know the little wonton strips or whatever. Get yourself some sweet and sour something on top.
Speaker 1:Good, to go Got ourselves a foodie here. How about you, Mr Brown?
Speaker 3:I did take pictures of it too. I'm kidding Eric, go ahead.
Speaker 4:I've got a DoorDash delivery coming here soon with some sort of vegetable bowl Chipotle. I wish it was. That was two days ago.
Speaker 1:Eric's running on empty. We've got to get you some lunch, buddy.
Speaker 4:Oh no, I'm good. We had a farewell party for one of the people that we work for, so we had a late bagel breakfast.
Speaker 1:Excellent, that sounds nice. I had a Jersey Mike's Subway shop open up next what number did you get, Josh? I got a 13 today.
Speaker 3:I had to do the.
Speaker 1:Capricola, it's like an Italian thing, it's like salami and whatnot. Jersey Mike's it's hard, it was wild. There were about 60 people in there, people in line. It's a big deal here in the south suburbs of the Twin Cities when a new dining option opens up. Did you get it miked away?
Speaker 2:I did.
Speaker 1:I did. I got the juice. I got the juice. I'm juiced up, I'm ready to go. I'm excited to hear about this tool. Let's jump right into it.
Speaker 4:Well, before you jump into it, Nick's got an interesting background going on here.
Speaker 3:I wanted to showcase my love for the feline breed.
Speaker 1:Okay, Well, we only named a few of them, so we're still taking name suggestions. So, Cameron, if you can think of a name for one of Nick's 50 cats, maybe we'll save that to the end and that will be a little teaser for our listeners to stick around to the very end.
Speaker 4:This show has just gone off the rails, Cameron, I don't know what's going on here.
Speaker 3:Put your favorite cat name in the comments below, please.
Speaker 1:We're keeping it loose, we're keeping it fun. Cameron, can you tell us a little bit of overview about the Pineapple and what it's used for and kind of your experience with it so far?
Speaker 2:I first wanted to bring up one of its big selling points as far as Hak5 is concerned. So this is sort of a they want it to be sort of an all-in-one auditing solution, right? So this thing is designed so that you can configure it and drop it in the site and it will produce a full pen test report for you with the executive summary and everything you could possibly want the report to contain.
Speaker 4:Cameron, I've got one here that's a little bit older. It looks a little different than the one you've got. This is the Tetra.
Speaker 2:Yep. So this is the Mark 7. This is their kind of most recent model that they're still selling on their website. Now I believe it's right around the hundred dollar mark. So the Tetra is yeah, it's a bit older, but that one did five gigahertz built in, whereas this one only does 2.4. As to why they discontinued the Tetra, I'm not 100% sure. I did try my best to do some research into that and all I could find was it's discontinued because they decided to discontinue it. I know there's a reason somewhere, but good luck finding it.
Speaker 4:The cool thing about Hak5 is the names of some of the stuff. Right, we were talking earlier in the week. I was like you know, I'm bringing in the pineapple on Friday, we can mess with it in the morning before the episode, or whatever. One of the people who works on the team that's not on the engineering side, shall we say was like wow, you know kind of nerdy talking about pineapple, thinking that we were talking about some sort of fruit.
Speaker 4:And of course, now we're talking about the Wi-Fi tool, but they've also got the Rubber Ducky, Bash Bunny, Shark Jack. Yes, yeah, really cool names. Must be fun to work on that team when coming up with the different names.
Speaker 1:For our audio only listeners. Could one of you describe what the Pineapple looks like? I mean, obviously it gets its name because it has several antennae coming out of it, but maybe give us a brief description.
Speaker 2:Yeah, yeah. So I've got the Mark 7 here, which, as I said, is the model that they're still selling. It's a kind of small square skinny box. You could fit it in a pocket without the antennas. Um, it's got three different large antennas on it, um, because it has three separate radios in it. Um, one is for scanning, one is for, so yeah, scanning and recon um, the other is for attacks and the other is a dedicated management radio so that it can do all three things at once. And the yeah with the idea that you can be working on the device, as it's both scanning and attacking it sort of looks like a Star Wars droid or something yeah it, it is kind of funny looking with the three antennas on it and you know you can flip them all different ways depending on how you're.
Speaker 2:Um, if you're looking to like, hide it somewhere, for example, you plug a portable battery pack into it and just fold down the antennas so that it just slips behind something. Um, it's, it's, they've tried to make it as small as possible and it's really not that big when you get down to it.
Speaker 3:It pretty much fits in my hand. One. One of the differences between Eric's Tetra and yours is Eric's. His looks quite a bit bigger, probably because of the five gigahertz.
Speaker 2:Yes, and that one has an Ethernet port on it, for example. This one does not. It can support it, but you'll have to plug in an Ethernet adapter into it. Very nice.
Speaker 3:Cameron, one of the big things that you were talking about is that obviously we've said it a few times getting rid of the five gigahertz. Um, what have you noticed? You know that you're missing it, or you probably have the adapter, but what would be some of the reasons that somebody would want the five gigahertz?
Speaker 2:Yeah. So actually I don't have the adapter on me for this and this is something that I would say if you want to get a Wi-Fi pineapple, you should definitely get one, because 5 gigahertz is kind of a big deal now with Wi-Fi. I mean, almost every router has it built in, that's been built within the last five, six years or so, and the adapter is a little on the expensive side I think it was about $100, but it unlocks that, uh, five gigahertz capability. So, um, and just to be clear, so this thing by itself on its own it supports Wi-Fi 4, so that's that 2.4 gigahertz kind of older um standard, and the the adapter provides it with Wi-Fi 5 support. So that's that next generation of Wi-Fi.
Speaker 2:Um, some people might know the most recent is Wi-Fi 7 that just came out this year. There's also Wi-Fi 6. So the pineapple in its current state can't communicate with Wi-Fi 6 or 7 networks, it's just Wi-Fi 5. But because of backwards compatibility with IoT devices you know everybody has a lot of them now ring doorbells and thermostats and garage door openers, all that fun stuff You're not really going to have a problem because those devices usually all are either 2.4 gigahertz or on some older standard of Wi-Fi that the pineapple is going to be able to see.
Speaker 3:When you talk about 2.4, that's the first thing that comes to my mind is IoT devices, you know. So you know, doing an assessment for for an organization that is heavy into IoT or something, it'd be a really good, uh good, solution for that say Wi-Fi six, and then there's six E and then seven and I think Wi-Fi six.
Speaker 2:It's confusing because that still is 2.4 and five and then 6E is six and seven is six um yeah, so there's a little bit of confusion there, um, and the Wi-Fi pineapple is obviously not going to be able to touch the six gigahertz band. Um, it's just too recent, sure, for a device like this. Um. It's worth noting that, while I'm on that subject, that, um, the Wi-Fi pineapple can't work with WPA3 networks either, the ones that are secured with WPA3. A lot of networks these days are WPA1 and 2, though, and a lot of IoT devices use those standards as well, so it's one of those situations where it's not going to be a problem. Even though there are newer standards out there, we're still using a lot of those older standards, because a lot of the devices that we're using still don't support these newer standards.
Speaker 4:When I was getting started in my IT career, I came out with WEP, which stood for Wired Equivalent Privacy, but it turned out that it wasn't quite the same.
Speaker 2:Yeah, no, that WEP is one of those things that are so terrible. I guess it didn't even come to my mind. If your router supports that, definitely turn it off. Do not leave that on.
Speaker 4:But isn't the security the equivalent of plugging it in?
Speaker 2:See, you would think the person who named it must have thought pretty highly of it.
Speaker 1:So, before we get too technical, could you guys give us a little bit of an overview on what it is used for or what you have used it for? I know, Eric, you have some experience with this tool, and certainly Cameron does too.
Speaker 2:I'd love to hear more about that. Yeah, so if we're talking WEP, WPA, WEP was like, I think, the first standard that really was out there to secure Wi-Fi networks, so that's how the communications between the device and the router is secured. At the time, of course, it was secure. I don't think it took long to crack that encryption. So now we have WPA and WPA2. This is kind of in chronological order. Now we have WPA3, which is not crackable at the moment. I don't think we really have any devices or things out there that can do much with WPA3. But still the majority of our devices today use WPA, WPA2 when they're connecting to Wi-Fi networks, so we end up having to leave those enabled in order to support those devices.
Speaker 4:And I think we'll show this here as we go. But essentially what happens and how the Pineapple or devices like it work is they act as a man in the middle. That's just the term of the technology. Where you plug it into the wall, it's going to be broadcasting out different SSIDs, and the SSIDs are the things that are the name of the network that your computer is connecting to. So you know your home network might be Mr Meowgi or whatever it is you're calling it. You can set that up yourself, Nick, and then you know when your friends come over they're like oh, what's your network? And then you tell them and then you give them the password and then they can connect. Or in some cases, in a public setting, maybe a coffee shop, where you connect, there's no password but there might be a splash screen and then you have to enter the password on that splash screen.
Speaker 4:At any rate, you're connecting your device to a wireless network and you won't have to know if it's 2.456 or whatever. Your computer will just, or your mobile device will just, recognize the network. It'll try to connect to it and then, if you're authenticated, you can get on that network. Where the Wi-Fi comes in as an interesting testing tool is all of our devices right now are trying to connect to a wireless network. If Wi-Fi is enabled and it's not connected to a network, it's going to be beaconing out and it's going to say you know, mr Miyagi, are you there? And if you're at Nick's house and the Mr Miyagi network is there, it's going to try to make that connection and if it has the password to authenticate, boom, it'll connect and you'll be on that network.
Speaker 4:The neat thing about the Pineapple is it will rebroadcast out all of those SSIDs that are being broadcast out from your device. So your device is beaconing out all the time to networks that you've previously connected to, if you haven't wiped that out. So any historical network it's going to try to connect to and it's just going to say, hey, are you there? And the pineapple is collecting that and then rebroadcasting and saying, yes, you know, I am, I am here, I'm FBI surveillance van or whatever other network name you've connected to. It's going to mimic that name Starbucks, coffee shop, whatever it is. And if you are sitting in a location like an office setting that doesn't have a Starbucks and you're connected to the Starbucks network or the Delta network, well, you actually connected to somebody's device. That could be a pineapple or something like a pineapple that's sitting as a man in the middle.
Speaker 2:Yeah, and on a comment, you just mentioned the last two places I've lived, somebody has had a Wi-Fi network called FBI surveillance van.
Speaker 2:So it's creative but maybe not so original these days. I've seen the catch a predator a few times yeah, and, and so you did mention a lot of good things about the pineapple there um, the, the big one, I think, was the karma attack. Um, so that's the, the networks that devices know. They'll send out probe requests to see if that network is there and the pineapple will respond saying, yes, I'm the network you're looking for, and it'll go through the process of authenticating with the client. That's referred to as a karma attack. And if we get into all the other things a pineapple can do, which you did mention a lot of them actually.
Speaker 2:So the Pineapple can do a deauthentication attack, which is something that a lot of devices can do. It's not too complicated. The Flipper can do it with the Wi-Fi board attached. We have our Pwnagotchis that's kind of exactly what they do the deauth. So it's essentially seeing a device communicating with an access point out there and it'll send a bunch of deauth packets to try to get that device to disconnect from the network and then it'll watch as the device reconnects to the network and capture those encrypted credentials as they go by.
Speaker 1:Excellent, Nick. Do you want to get in here?
Speaker 3:Well, I'm just going to bring up Cam that you know. Let's say you've captured the credentials in an assessment that you've been in. What's the next step? What are you looking for, or what's your next move? Like if you're going into this with malicious intent, what's your next step?
Speaker 2:Yeah, so once you capture those credentials some of the really weak ones we have, you know word lists, it'll just you know. You run through and crack it. Essentially it's a little encrypted bit of code and a lot of the weak ones. It's pretty fast, you know. Usually you can crack it within, oh, a few minutes For more complicated ones. It's just, you know, essentially cracking a password, you just start running with your word lists and see which one matches.
Speaker 3:And then so when you complete this and you mentioned, we're chatting before the episode that the device you have will spit out a full report.
Speaker 2:Yeah, yeah. So with the Wi-Fi Pineapple it can put out a full pen test report, just like you'd see somebody make that was doing a pen test, the idea being that it's kind of an easy drop it in and it gives you everything solution. So it'll be able to tell you it'll be in the report whether there's weak Wi-Fi passwords, because it'll grab those credentials as they go by and if it matches something weak, something that's known it'll be able to tell just by looking at the encrypted password that it grabs.
Speaker 3:So when you, let's say, you're doing an assessment for I've only used these maybe one time, and this has been a while ago that are you able to connect this to the network and leave it and connect to it from your home, right, so can you drop this off, or do you have to be with the device at all times?
Speaker 2:Yeah, so one of the things that Hak5 offers is called Cloud C2. Okay, Cloud Command and Control, it's something that you set up. It can be in the cloud, you can run it on site, it doesn't matter, as long as this knows where the Cloud C2 instance is. You can set it up to beacon back to that and you can do all the configuration and settings remotely from there. Yep the idea being that you can ship this to somebody and have them connect it and it'll hook right up, Yep.
Speaker 3:Past engagements. Things we've done is send out a NUC device and that will allow you to connect to it, run your penetration already discussed. You know having that remote capabilities to send that to another state or wherever to an organization and perform, you know, your your assessments from there. So that's really handy to have.
Speaker 2:Yeah, as long as it has some kind of internet uplink. Maybe you'll want to. If you're sending something like this, you'd want to provide an ethernet adapter with it for a reliable uplink. But as long as it has that, it's going to beacon back to that Cloud C2 instance.
Speaker 3:You know, and this isn't as important as that, Is that power over ethernet, or does that have a separate power connection?
Speaker 2:So this has a USB-C power connection. I can't speak for the other models, but, like I know, the Enterprise is quite a bit more beefy. There's a Wi-Fi Pineapple Enterprise version that's going to probably just take a regular old power cable.
Speaker 1:Yeah.
Speaker 2:But this one, yeah, just USB. So that's why you can just plug in a battery bank, or you can plug it into your computer, or you could even power it off your phone.
Speaker 3:Well, thankful to the European standard, I guess, because now we're all using the.
Speaker 1:Yep.
Speaker 3:Yeah, so the.
Speaker 4:Tetra's got an external power adapter to it.
Speaker 4:Yeah, you know the other thing, Cam, the other attack that you could do with the man in the middle component is you can set it up as a portal so you can capture traffic and emulate a particular site that might have a username and password. It's also got the ability to do character injection into sites so you could replace every word that's a, say, the. You could replace it with something else, which is kind of interesting. I've seen it in theory, but I've never been in an environment where that was an attack vector. But kind of cool in concept.
Speaker 1:Eric, you had shared with me some use cases from your on-the-job experience using the Pineapple. Can you share that with us today?
Speaker 4:One of the things that I like to do when you're going in and talking with an audience that is not really technical but is interested in security and just interested in coming to say, like a lunch, and learn, maybe, on the importance of why you might employ a VPN or why, if you're connecting to a network that's not under your control, that you take precautions and don't just connect to any network out there, maybe turn off the auto connection feature of your wireless.
Speaker 4:Well, so before we do the presentation, we'll set up the Pineapple it's kind of in the corner and let it run and as people are coming in, it's shooting out the deauth and their phones are trying to reconnect and you'll just build this really long list of all of the SSIDs that people have connected to and then towards the end of the presentation, we just connect to the Pineapple and then can show all of those lists and it's stupid pet tricks, but it's pretty cool to capture and show in front of everybody all of the different SSIDs. And then you can talk about the importance of security, VPN what have you?
Speaker 1:What other kind of security implications would this device bring up? Cameron, you and I had maybe talked about skimming someone's Wi-Fi. Maybe you could grab it from your neighbor instead of having to pay that pesky monthly bill. I'm sure that's happening out there. Is that something this device can do?
Speaker 2:Oh yeah, definitely, and I'm sure people have bought it for that exact purpose.
Speaker 1:We're not condoning this podcast, by the way. Disclaimer, Of course.
Speaker 2:This, yeah, this if you're sitting at your house, your neighbors across the way, you're within range of their Wi-Fi network, this thing is easily going to be able to deauthenticate something that's connected to their Wi-Fi network and end up grabbing those credentials. Then all you have to do is crack the hash and you'll have their password.
Speaker 1:So what's the best way to prevent that from happening to your family or yourself?
Speaker 2:Yeah. So the best way to prevent it is to try to be on the latest Wi-Fi standards, right? Like as I mentioned earlier, these devices can't do six gigahertz, they can't do Wi-Fi 6, 6E, 7. They can't do WPA3. So my suggestion is just to try to change your router settings so that they're on those latest standards. You know, typically routers are set up by default to be backwards compatible. You want everything to just work with them. But if you don't have a device that needs WPA, or maybe you don't even have a device that needs 2.4 gigahertz, you could just turn that off too, just to minimize the, let's just say, attack surface of your Wi-Fi network. You want to use the most secure settings possible, and maybe you can't completely prevent it, but you can definitely mitigate it.
Speaker 2:One other thing I would want to bring up is a lot of people use the router provided by their ISP. A lot of times you can't really mess with the settings of that at all. So my recommendation would be to get a router this one I got a couple of years ago from Amazon. This does Wi-Fi 6. It was only $60. It's very cheap. It's going to have WPA3. It's going to be more secure than usually what your ISP is going to provide, and it's fast too. This is going to be plenty fast for having as many devices as you want connected to it, and it's just $60. If you wanted to get into the latest standards, like Wi-Fi 7, you're going to have to shell out a bit more. But this can do pretty much everything the average person would need it to, and it'll be more secure for a pretty reasonable price.
Speaker 3:I did jump to Wi-Fi 7 myself when Eero they came out with the Wi-Fi 7 Max I think it's called, and you're certainly right, it's not a cheap device by any stretch, I think it was $600 or $700. Yeah, so I actually just got on.
Speaker 2:Wi-Fi 7. Yesterday I'm using Ubiquiti and this is my U6 Pro that I got a year ago, so this does Wi-Fi 6. I got this before Wi-Fi 7 was out, so of course it's a little obsolete now and it's only a year old, but this can still be used elsewhere. Ubiquiti is definitely my favorite manufacturer of stuff. For the people who want to be able to get in and turn those dials and mess with the settings and do all that. Ubiquiti is a very kind of almost enterprise grade hardware. A lot of places businesses actually use this stuff. It's very reliable, very solid. The access point I got was probably about 180 bucks, so it's really not too pricey either.
Speaker 3:So you just moved into the new house, Cameron, so you're having fun outfitting it with all kinds of new toys.
Speaker 2:Yeah, yeah, I could probably do a whole podcast talking about that. Yeah, we're getting Ubiquiti hardware. They've got their Dream Machine. I've got a Switch from them. I'm getting set up with their Wi-Fi 7 gear. It's been pretty fun.
Speaker 3:Yeah, that's awesome.
Speaker 1:That's inspiring me to do some shopping, because I believe that you know, Comcast charges a monthly fee for renting the router.
Speaker 3:Yeah, so I've probably paid for a month, right?
Speaker 1:So I've probably paid for 20 different routers since moving here.
Speaker 2:Yeah, so. So my suggestion, if you're paying with a, if you're paying for a modem router combo, um from from a company like Comcast, would be to buy a modem, a separate modem, um. A lot of things you'll see at the store are modem router combos, um, they are a cable modem as well as a Wi-Fi router. I would recommend buying the one that's only the modem, because what ends up happening and I actually experienced this myself is I got a Wi-Fi router modem combo, installed it and then found out I was stuck on an old firmware and couldn't be upgraded. Because, since it's a modem, the cable company has to push out the firmware updates. It's very weird, but essentially you're never going to get firmware updates if you have your own modem router combination unit hooked up. So I always get a separate modem and router now.
Speaker 4:Yeah, I've gone down the rabbit hole before of experimenting with the DD-WRT. I don't know if you guys have played around with that, but you can essentially put an open source operating system on the router. You can create a VPN connection out of that router to the VPN of your choice and then any traffic coming out of that device is encrypted, which is kind of fun to play around with. And back to your original question, Josh, of some of the things you could do to protect yourself. Whenever you go to a third-party site, you could use a VPN connection and that will mitigate the security of the router itself. So if you're at a coffee shop, just fire up VPN and then it doesn't matter if there's a man-in-the-middle device, because they're not going to be able to open and inspect that traffic.
Speaker 3:Or, if you can avoid it, use a hotspot on your phone. Use a hotspot, yeah.
Speaker 2:Yeah, that's definitely the best solution is a hotspot. If you do have to use the guest Wi-Fi, a VPN is a good idea. That'll help. That makes a secure tunnel from your device to the VPN gateway, wherever it might be. And anybody that's on the network isn't going to be able to sniff your traffic as a result.
Speaker 4:And then at work, setting up certificate-based authentication and other, maybe more enterprise solutions are better than just the username and password.
Speaker 2:Yeah, for a business that has a central username and password, like Active Directory, definitely use some sort of certificate-based or enterprise Wi-Fi solution.
Speaker 4:One of the cool things about the Pineapple is it could be a gateway for people who want to learn more about wireless to get one and then just start playing with it. There's lots of built-in applications that you can run on the Pineapple that might teach you more about man-in-the-middle or certificates or grabbing the credentials as they come across the network and then even password cracking. So you don't have to do all of those things. But it's if you're interested in security and want a place to start. You can absolutely grab one and just start playing around and learning more about it. Lots of videos on YouTube.
Speaker 3:Yeah, so I was going to bring this up to Cam a little bit ago about just the learning curve, right? What is it If you pick one of these up? Is it pretty easy to get into? Difficult? Eric mentioned all the YouTube videos, which I'm sure there's tons out there. It doesn't seem like it's overly complicated, but maybe you can speak to how easy it is to use.
Speaker 2:No, yeah, and that's kind of the beauty of the Hak5 tools is that they are designed to not be overly complicated, right, I don't think there's a Hak5 tool out there that's really hard to grasp. Of course it helps to know you know the theory and everything behind it, like how does Wi-Fi handshakes work? You know how does the authentications work, how do the attacks work. But it gives you an easy to use GUI, you know. You can just click in there and if you know how to press buttons, you can start attacking stuff, you can be dangerous.
Speaker 1:Yep, Cameron, you mentioned that Hak5 has a pretty extensive community people chatting and sharing information and also you can install firmware onto the Pineapple. Am I correct with that? Yeah?
Speaker 2:Yep. So just on that, the Wi-Fi Pineapple doesn't ship with any firmware on it. It just ships with their installation firmware. So all you get when you first hook it up is a install the firmware here page and that's, like many things, regulatory purposes. You don't want to be shipping out a device that's capable of doing all this stuff, so it's up to the user to enable the device to do that. And on the note of community yeah, there's an extensive community around Hak5 devices and that's another advantage of using a device like this is there's going to be tutorials, there's going to be guides, if you had any questions or needed help it's out there?
Speaker 1:Can the Pineapple be integrated with any other cybersecurity tools that work in tandem?
Speaker 2:Generally, it's kind of a standalone device. Of course, in the Hak5 Cloud C2, there's quite a few other tools that can go in there, so you kind of have a centralized dashboard for all of them. I don't have off the top of my head which ones they are. There's maybe six to eight other devices that can support that. So you can kind of have a centralized dashboard for all your Hak5 tools.
Speaker 1:Excellent, so do we want to do a little demo, show everyone what to expect when plugging this thing in and what it can do.
Speaker 2:So what we're looking at is this little Cloud C2 instance I set up for the purposes of this podcast. There will be a list of devices on it. We've got our Wi-Fi Pineapple here. It'll show you the IP address of it, how much data it's transferred. Once you click on the device you get kind of the device's own dashboard. It'll tell you the uptime, tell you how much data, kind of the same information that was on the last page. It'll also tell you how many clients are connected to it. Right now it's none, and we have a few different tabs we can look at here.
Speaker 2:So PineAP, as you can imagine, is kind of short for Pineapple, like Pine Access Point. This is kind of their sort of, I would say, suite that does attacks. You can see there's a few switches you can flip. Enable karma: so that's those karma-based attacks we were talking about earlier. It'll respond to devices that are looking for a Wi-Fi network and say, yes, I'm that network, connect to me. We also have the ability to flip a switch that says capture SSIDs to pools. So that means as it's scanning for Wi-Fi networks out there, it'll automatically add them to this pool. And then the last switch you can flip is telling it to broadcast your SSID pool. So now those are the two separate pieces to it: capturing the Wi-Fi networks, and then rebroadcasting them and pretending that you're the access point. So those are two separate switches you can flip on depending on what you're doing.
Speaker 2:And it has its own recon tab. There's quite a few different Wi-Fi networks in the area. I'm not actually doing anything with them, I'm just doing recon. You can see just how many networks are out there, and the Wi-Fi Pineapple will tell you every single network that it sees and it'll also give you a list of all the clients that it sees. So it can see, based on what it knows, what it's looking at, whether it's a client communicating with an access point, whether it's an access point.
Speaker 2:So if we're looking at the next tab, probes. So we had briefly talked about this earlier: the probes are when a device is looking for a Wi-Fi network, it'll send out a probe to ask if the Wi-Fi network is there. You can see it actually has most-probed-for SSIDs. So all it's doing is listening for these probes, right? It's not actually doing anything with them, since the device probe goes out in all directions. Since it's Wi-Fi, it can easily capture these. And of course, there's our FBI surveillance van SSID, our favorite one. This is what I talked about earlier, where you can put on a filter.
Speaker 2:So this is kind of that whitelist, blacklist sort of thing. You can say only allow certain, you know, don't attack Wi-Fi networks that I don't want you to, or don't attack any Wi-Fi networks but this specific one. And then loot. So this is where we get that campaign report. The loot is essentially like stuff that you want that the Wi-Fi Pineapple captures, and I did do a couple of short campaigns just to mess with it to get those reports out. So we do have a couple here that is considered the loot, and then the Pineapple sends the loot up to Cloud C2 to be accessible here. One nice thing that it actually does is it allows you to SSH into the Pineapple from Cloud C2. So I can see if I could get this started. You can also do this directly from the Wi-Fi Pineapple's UI. You can see there is a link to it, Wi-Fi Pineapple UI, in Cloud C2, but it does require a license.
Speaker 1:So would you be using the loot for making reports, or how are you using C2 in your day-to-day pen testing?
Speaker 2:The loot would be. So they got these campaign reports out here. So this is similar information to what we've seen on the dashboard. This is telling you what it saw, what kind of devices were out there, if it did any handshakes, if it captured credentials. It's all going to be in here.
Speaker 1:And how would you use that, you know, in your day-to-day workflow, or what kind of information is valuable there?
Speaker 2:Yeah, this is part of that reporting that I had talked about. You know it's able to do a proper pen test report and this is the kind of information that you'd have in there to hand over to executives and say this is, you know, this is what we were able to grab just by dropping a device in there and seeing what's what.
Speaker 4:No, I'm like, now I want to get into my Pineapple over here. I just saw it dump a bunch of SSIDs out, so it's like now I want to go in and play with it. But there goes the afternoon.
Speaker 1:Hey, thanks, guys. It's been a really interesting episode today. Cameron, thanks for taking the time to do the research and bring us the information, valuable information to cybersecurity pros and normies alike. Today, you've been joined by our guest once again, Cameron Birkeland, Nick Mellum and Eric Brown from IT Audit Labs. My name is Joshua Schmidt. I'm your producer. You've been listening to The Audit. You can find us on all the streaming platforms. We're starting to add video to Spotify. You can also find us on YouTube and Apple Podcasts as well. Please like, share and subscribe, and share us with your friends. I'll see you every two weeks with some new information on the cybersecurity front.