Hunting Wi-Fi Pineapple Device
Hello everyone,
Today I will show you how to detect a Wi-Fi Pineapple device around our network. First of all, I am going to start with what the WiFi Pineapple device is. WiFi Pineapple devices are a very big enemy of wireless networks. Anyone in the world can have this device because it is fairly cheap and easy to use, and it allows cybercriminals to steal data from public organizations. So let’s talk about how it works.
How It Works
Basically, first the attacker monitors the wireless networks around him and chooses the target. But the critical point here is the connection requests the clients are sending out. I mean the attacker collects the SSID information from the air and then puts all of it into one big SSID pool. With that information the attacker opens more than one fake access point. But right here I have to say, sometimes attackers clone just one target they choose. It depends on the way they follow.
How to Detect & Blue Team Techniques
- SSID contains “Pineapple_”
First of all, when the attacker starts the attack, the device shows itself with an SSID value starting with “Pineapple_”. So the first step to detecting a Pineapple device, if you are trying to detect it in pcap files, is searching for SSIDs that contain “Pineapple_”.
- OPN and same BSSID
The second way is taking a look at OPN networks, because all those fake access points are OPN. Another way to find the WiFi Pineapple device is taking a look at the BSSIDs: all those fake access points are broadcasting with the same BSSID. So if we want to find the WiFi Pineapple device, we have to look for OPN networks broadcasting with the same BSSID.
- What if our attacker clones just one AP?
The first two methods were for common Pineapple attacks. But what if our attacker clones just one access point? Here is where things get deep… but don’t worry, you are in the right place. First of all, in this case our Pineapple device is broadcasting with one BSSID, so we can’t detect it that way. We have to look at OPN networks broadcasting with interesting SSIDs (usually attractive SSIDs like FreeNet etc.). When we find our Pineapple network, we have to connect to that network to prove that it is really a Pineapple device. After we connect, we have to do a basic port scan in our private IP range. Usually the WiFi Pineapple devices are running on port 1471, so if after that port scan port 1471 is open and an HTTP service is running on it, we can say this is a Pineapple device, but if we want to say “I found it”, we have to be sure. So after all that, when we send an HTTP request to port 1471, if the response header includes “Pineapple”, that means we found the Pineapple device! For the proof we can visit that IP:Port in our browser, and if there is a WiFi Pineapple Admin login page, that means we are done.
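As an added example (not the author’s code), here is how the first two indicators above can be checked directly on raw 802.11 beacon frames: an SSID starting with “Pineapple_”, and one BSSID advertising several different OPN SSIDs. The frames are constructed inline to stand in for a pcap, and the BSSIDs and SSIDs in them are made up.

```python
import struct
from collections import defaultdict

PRIVACY_BIT = 0x0010  # capability-info bit set for WEP/WPA BSSs; clear means an OPN network

def build_beacon(bssid: bytes, ssid: str, privacy: bool) -> bytes:
    """Construct a minimal 802.11 beacon (no radiotap header) so the example runs offline."""
    # frame control 0x0080 (management/beacon), duration, DA=broadcast, SA, BSSID, sequence control
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + struct.pack("<H", 0)
    body = struct.pack("<QHH", 0, 100, PRIVACY_BIT if privacy else 0)  # timestamp, interval, capability
    ssid_b = ssid.encode()
    return hdr + body + bytes([0, len(ssid_b)]) + ssid_b  # tagged parameter 0 = SSID

def parse_beacon(frame: bytes):
    """Return (bssid, ssid, is_open) for a beacon frame, or None for anything else."""
    if len(frame) < 36 or (frame[0] & 0xFC) != 0x80:  # type=management, subtype=beacon
        return None
    bssid = frame[16:22].hex(":")
    (cap,) = struct.unpack_from("<H", frame, 34)
    ssid, pos = "", 36
    while pos + 2 <= len(frame):  # walk the tagged parameters until the SSID tag
        tag, length = frame[pos], frame[pos + 1]
        if tag == 0:
            ssid = frame[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            break
        pos += 2 + length
    return bssid, ssid, not (cap & PRIVACY_BIT)

def detect_pineapple(frames):
    """Indicators from the post: a 'Pineapple_' SSID, and one BSSID advertising several OPN SSIDs."""
    findings, open_ssids = [], defaultdict(set)
    for bssid, ssid, is_open in filter(None, map(parse_beacon, frames)):
        if ssid.startswith("Pineapple_"):
            findings.append(("pineapple-ssid", bssid, ssid))
        if is_open:
            open_ssids[bssid].add(ssid)
    for bssid, ssids in sorted(open_ssids.items()):
        if len(ssids) > 1:  # the SSID-pool behaviour: many open networks, one radio
            findings.append(("open-bssid-many-ssids", bssid, ",".join(sorted(ssids))))
    return findings

# Constructed sample frames (not a real capture): a WPA2 corporate AP, a device beaconing its
# default "Pineapple_" SSID, and one open BSSID answering two pooled SSIDs, one of them a clone.
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("aabbccddee01"), "CorpWiFi", privacy=True),
    build_beacon(bytes.fromhex("aabbccddee02"), "Pineapple_ab12", privacy=False),
    build_beacon(bytes.fromhex("aabbccddee03"), "FreeNet", privacy=False),
    build_beacon(bytes.fromhex("aabbccddee03"), "CorpWiFi", privacy=False),
]
```

On a real capture, feed `detect_pineapple` the 802.11 frames after stripping the radiotap header; the legitimate WPA2 AP in the sample produces no finding.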
Follow me for more,
Thanks to all.