Hak5 Pineapple - Project Notes


Hey, these notes (and OpenWrt in general) assume familiarity with ssh, shells, and vi.  There used to be O'Reilly books that I'd recommend for learning this stuff, but I can't find them.  If anyone wants to write the "Ubuntu: Beyond Pointy-Clicky" book, I think there's a (small) market.

Out of the Box
The Pineapple is just a compact little access point with a few software components pre-installed and configured.

  • The hardware is apparently an Accton MR3201.
    • It seems to be superseded by the WR6202, at the time of this writing.
  • It's running OpenWrt 8.09 "Kamikaze"
  • nmap says ports 22, 53, 80 and 1471 are open.
  • 22 is ssh (where most of the configuration below happens) and 53 is the DNS server handed out to wireless clients.
  • 80 is the X-Wrt web-based configuration interface.
  • 1471 is Jasager v2, which includes the Karma bits (answering clients' probe requests for whatever SSID they ask for).
The actual documentation on the Pineapple is pretty bad.  Try these.
Getting Started
I started by powering the thing up without the ethernet attached, to keep it self-contained.  It takes mine around 50 seconds to come online.  Associate your laptop with the access point (AP) so you can talk.

  SSID: Pineapple
  Network: 192.168.1.0/24
  AP IP: 192.168.1.1
  Laptop IP: assigned by DHCP


And now you should be able to ssh into it.  If you prefer pointy-clicky, you'll find the X-Wrt web interface at http://192.168.1.1/, but I prefer the command line.  It seems like some settings made in the web interface don't persist across reboots, so ssh is best.
  ssh -l root 192.168.1.1  # password : pineapplesareyummy

The system uses BusyBox to look mostly like a Linux system.  You can use most of the basic shell commands you're used to.  Some of the config files will look familiar to you, while others (the /etc/config/* UCI files) won't.
  pwd
  ls /etc
  cd /etc
  cat httpd.conf

Basic Configuration
You *might* wanna change your root password on the AP: the default is published, so anyone who can associate with the SSID can log in as root.  (Or be sporting and leave the default.  Suit your mood.)
  passwd root

  vi /etc/config/timezone  # replace UTC+0 with your timezone

I recommend leaving your network settings at the default, for initial configuration.
  vi /etc/config/network  # update the "config interface lan" stanza

Update your hostname and timezone here too.  (Again?  On stock OpenWrt the "config system" stanza in this file is the one the init scripts read the timezone from, so treat this one as authoritative and keep the other in step.)  Also take a look at the reset button's configured behaviour.
  vi /etc/config/system

Change the device's SSID from the default.  It might be good to make it look innocuous, for instance "Droid Tether", so interested parties will be looking for a phone rather than an AP.
  vi /etc/config/wireless

If you're planning on doing anything spooky with openssl, you can set some defaults in /etc/ssl/openssl.cnf.  If you're going to do some *really* spooky stuff, remember that keys need to be 2048 bits, these days, for a CA to sign them.  This install defaults to 1024 (the default_bits setting in the [ req ] section), so bump that or pass -newkey rsa:2048 explicitly when you generate a request.

Reboot the little guy to make sure your configuration sticks.
  sync
  reboot
  sleep 72
  ssh -l root 192.168.1.1

Attaching to the Intarwebs
If you attach your Pineapple to an internet-connected network via ethernet cable, upon rebooting it'll go into a normal wireless bridge mode.  This seems to be OpenWrt's default.  If it's not connected to a network with a DHCP server, it falls back to using 192.168.1.1/24 in the stock configuration.  When a config change goes sideways, you can always plug it into your laptop's ethernet, reboot it, wait sixty seconds or so, and ssh into 192.168.1.1.

Next Steps
Now that I know what I've got, I can get busy with some fun stuff.  The Pineapple bundle includes a battery pack, so there's fun to be had out-and-about.  There are two things I want to do with this thing, and they might be a little tricky.

I'd like to add a second SSID, that doesn't bridge, so that I can still reach the management interface even if the main SSID is bridging.  This one should be easy.
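Here is the shape that takes in the UCI files, as an added example of my own rather than anything from the stock Pineapple configuration: a second wifi-iface (a madwifi VAP) on the same radio, attached to its own "mgmt" network that is never bridged onto lan.  The device name wifi0, the channel, both SSIDs, the passphrase and the 192.168.2.0/24 range are assumptions, and I haven't checked how a second VAP gets along with the Karma patch.

```uci
# /etc/config/wireless  (added example; wifi0/atheros, channel, SSIDs and key are assumptions)
config wifi-device  wifi0
    option type     atheros
    option channel  6

# the existing SSID, bridged onto lan exactly as before
config wifi-iface
    option device      wifi0
    option network     lan
    option mode        ap
    option ssid        'Droid Tether'
    option encryption  none

# second VAP: management only, attached to its own interface, never bridged
config wifi-iface
    option device      wifi0
    option network     mgmt
    option mode        ap
    option ssid        'mgmt-only'
    option hidden      1
    option encryption  psk2
    option key         'a-long-passphrase-of-your-own'

# /etc/config/network  (added stanza; 192.168.2.0/24 is an assumption)
config interface mgmt
    option proto    static
    option ipaddr   192.168.2.1
    option netmask  255.255.255.0
```

After editing, `/etc/init.d/network restart` brings up the mgmt interface and `wifi` re-creates the VAPs.  There's no DHCP stanza for mgmt, so give your laptop a static address in 192.168.2.0/24 and ssh to 192.168.2.1.  Note that psk2 on madwifi needs hostapd; if `opkg list_installed` doesn't show a hostapd package, install one or the second SSID will come up open, which rather defeats the purpose.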
The other one may not be possible, due to hardware constraints: the single radio would have to act as a client of the hot spot and as an AP at the same time, on the hot spot's channel.  I'd like to replace the wired connection to the internet with a wireless connection to a 3G hot spot.  This would allow me to bridge clients onto the 3G.  This opens up some man-in-the-middle possibilities, in a completely portable and battery powered package.  Warsheeping, anyone?
df tells me that /tmp has 14.5 MB free.  That's a fair amount of space for logging things, especially if I'm careful to only snoop the protocol I want, and parse the output into a slim (CSV, likely) format.  Keep in mind that /tmp is a tmpfs in RAM on OpenWrt, so anything logged there is gone at reboot or when the battery dies; copy it off before powering down.  In the right setting, I can interact with the thing from a laptop, but I'd love to power it up and have it go into a self-contained, automatic operation mode.
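As an added example of that "slim CSV" idea (my own, not from the Pineapple firmware or these notes), here's a BusyBox-friendly shell function that squeezes tcpdump's one-line DNS output down to time,client,qtype,qname, keeping only queries and silently dropping responses and anything that isn't DNS.  It assumes tcpdump is installed (opkg install tcpdump if not), that ath0 is the wireless interface, and the sample lines are constructed, not a real capture.

```sh
#!/bin/sh
# Added example: reduce tcpdump's DNS output to time,client,qtype,qname CSV.
# Feed it with something like:
#   tcpdump -n -l -i ath0 udp port 53 | dns_to_csv >> /tmp/dns.csv
# (ath0 as the interface name is an assumption; BusyBox awk is enough here.)

dns_to_csv() {
    awk '
    # A query line looks like:
    #   12:34:56.789012 IP 192.168.1.100.51234 > 192.168.1.1.53: 12345+ A? www.example.com. (33)
    # Responses carry "1/0/0" where the "A?" would be, so testing field 7 for a
    # trailing "?" keeps queries and drops responses and non-DNS lines.
    $2 == "IP" && $7 ~ /\?$/ {
        ts    = $1
        src   = $3;  sub(/\.[0-9]+$/, "", src)    # strip the client port
        qtype = $7;  sub(/\?$/, "", qtype)        # "A?" -> "A", "AAAA?" -> "AAAA"
        qname = $8;  sub(/\.$/, "", qname)        # drop the trailing root dot
        print ts "," src "," qtype "," qname
    }'
}

# Constructed sample lines in the format tcpdump -n prints; not a real capture.
SAMPLE='12:34:56.789012 IP 192.168.1.100.51234 > 192.168.1.1.53: 12345+ A? www.example.com. (33)
12:34:56.790000 IP 192.168.1.1.53 > 192.168.1.100.51234: 12345 1/0/0 A 93.184.216.34 (49)
12:34:57.000123 IP 192.168.1.101.40001 > 192.168.1.1.53: 5+ AAAA? mail.example.net. (35)
12:34:58.100000 IP 192.168.1.100.44444 > 192.168.1.1.80: Flags [S], seq 1, win 8192, length 0'

printf '%s\n' "$SAMPLE" | dns_to_csv
```

Each row is around fifty bytes, so 14.5 MB of /tmp holds a couple of hundred thousand queries before you need to worry about it.  Swap the field-7 test for whatever distinguishes the protocol you actually care about and the same pipeline works for other captures.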

Enough for one weekend.  I'll update this page as I continue...

1 comment:

  1. I realize this is an old post, but thanks! I dug out my "Pineapple" this morning and couldn't remember what it was actually built on. You've saved me having to pop him out of his case. Unfortunately after playing him shortly after I bought him I haven't done anything with it. Time to see what I can do with it. What I'd *really* like is this guy with an external USB port.