- That's why you might want to use this rather than an Alfa adapter, with Kali, 'cause you've got all these
reports pre-made for you. - And the guy recognized somehow that his account had been taken over, and so he changed his password. The password (chuckles) was
MOTHERF-ERSAREINMYCOMPUTER. How much of that should we redact when we provide it to their bosses? - I'll tell you this: I've done some videos
where I showed people how to crack short passwords, and the number-one complaint I get is "no one would use a
password like this. It's dumb." - They're wrong. But yeah, I see a lot
of really crazy stuff. (upbeat music) (static buzzes) - Hey, everyone, David
Bombal back with Cori. Cori, welcome. - Hey, David, thank you so
much for having me back. - So good to have you back. We had so much great feedback
on our previous video. For anyone who missed
it, use the link below. Cori hacked me. Now, Cori, whenever I talk to you now, I'm really scared because I'm worried that you're gonna hack me again
or you're gonna hack my Wi-Fi. What're we looking at today? - Today, we are gonna be
looking at the WiFi Pineapple. It's basically just a Wi-Fi-auditing tool. It's made by Hak5. They make a variety of pen test tools. It's gonna be a lotta fun. - I'm glad that we're doing
this, 'cause I've had a lot of requests for, specifically,
the WiFi Pineapple. D'you wanna take it away? Tell us what it is, why it's important. Do you actually use it? I'm assuming you use this
on a lot of your pen tests, so hopefully, we can get some
like war stories as well. - Awesome, yeah, this may be a bad thing, but I actually don't
use the WiFi Pineapple that frequently. - I mean, I'm (beep) shocked. - But it is a great tool. I use just a standard wireless card; that's what this is; when I do Wi-Fi pen testing. - Alfa card. It's an Alfa
network adapter, is it? - [Cori] It is an Alfa, yeah. - Yeah, let's talk about that. Why would you use the WiFi Pineapple rather than, say, an Alfa? - Well, the WiFi Pineapple
comes with its own GUI, which is very end-user friendly, right? People can interact with
a graphical interface versus pre-installing their own tools and doing everything out of a terminal. - Yeah, I suppose the
problem with the Alfa is you gotta make sure you get one that works with your distribution. (tuts) A lot of people have struggled with 5 gigahertz rather than 2.4 to get the drivers installed, whereas the Pineapple comes
with everything pre-installed. It's got a pretty GUI. It's
all ready to go, right? - Exactly, yeah, and
that was a great point that you brought up: 2.4 versus 5. And so that used to be a problem with the Pineapple as well, right? (indistinct) there are a
lot of questionable things that happen once you start to
integrate 5-gigahertz spans. Today, we're actually using
the Pineapple Mark VII. It's this fancy-schmancy thing, and it actually works with both 2.4 and 5, so very cool feature of that. And I should say this
actually is not my Pineapple. This was my friend Blake's. (chuckles) He let me borrow
it to make this video. I actually only have a NANO. So thanks, Blake. I really appreciate it. - We'll put Blake's details below. Go and follow him. He's on Twitter. Is that right? - He is on Twitter, yeah. I'll share his Twitter. - [David] Blake, thanks
so much for sharing. - Perfect, yeah, and I
have all of these tools out like a little show and tell. I love Hak5. I think that
they do really great stuff. The tools that I use mostly for them in terms of a professional setting are the Shark Jack and the LAN Turtle. They have very similar functions. The Shark Jack basically just... You plug it into a network, and it does a very short Nmap scan. And then, you can pull it off, and it's an under-30-second process. I think it only has a
two-minute battery charge. - We'll have to get you
back for demoing those. Can I just ask the audience which Hak5 tools do you
want Cori to demonstrate? Cori, you do lotta pen tests, so it's great to get your
real-world experience and stories. Please, put in the comments which Hak5 tools you want us to cover. But Cori, I don't wanna
keep you any longer. Go for the demo. - Perfect, okay, for the sake of a demo, I thought that we could do
everything from scratch. - That'd be great, yeah. A lotta people struggle with that, yep, because it's like, "I get
the Pineapple. Now what?" We won't do the unboxing, because you've got it in your hand, but everything else. Is that right? - Perfect, yeah, this is the Mark VII. It has this little button on the front. And then, you'll see the flashing LED, and I think, to do a factory reset... I believe you just hold this
button for four seconds. We'll find out live if that's true. (David laughs) I think that it should start flashing red. Okay, 1, 2, 3. And you're supposed to hold
that button for about... I think it's just three
flashes of the red light. And then, you'll just
see a static red light. I think you just wait a few seconds. Okay, you can see that
I was at this before. My Pineapple is still red, though. Let's refresh this. - Just so that everyone understands, you're connecting via USB from your computer into the WiFi Pineapple, and that's powering it and
also giving you a connection. Is that kinda right? - Yes, thank you so much
for mentioning that. I am connected USB-C to my computer, and to do the factory reset, you have to have that connection. - And Cori, the other thing is... Do you have to configure
your PC or something with an IP address in the
same subnet as the Pineapple? Does it come with a default
IP address or something? - Exactly, yeah, and we'll go
into the Hak5 documentation a little later, but the standard is 172.16.42.42. The port for the actual interface that you interact with is 1471. I know that's an Easter egg for something. I can't remember what it
is, but Darren Kitchen, the guy that made Hak5, I think he said it had
something to do with a king. I can't remember, but. Did I answer that (chuckles)
correctly, how you wanted it? - Yeah, no, no, that's great, yeah, 'cause, people,
they're not gonna know this. You configured your
device with 172.16.42.42. That's the address that your PC has to be
configured with, correctly? Or correct, sorry. - Yeah, that's what my Pineapple has
to be configured with, yeah. If you go to the bottom right-hand corner and you just see all these... I know. Just right click. Hit properties or whatever. And then, that's how you access it. - Cori, I'm a boomer, so just to make sure I understand this correctly, you went into the properties of the WiFi Pineapple
management interface. You configured it with that IP address. What's it? 172.16.42.42. And then, now we can, hopefully, connect to the graphical user interface
of the Pineapple, right? - Yes.
(keyboard clatters) Okay, I did a factory reset of the Pineapple while it was plugged into my
computer, so it was powered on. And then, went ahead and
changed the settings for this and gave it the static IP of 172.16.42.42, which is the Pineapple standard. You'll navigate to that
IP with no port specified, and you'll get this
recovery option, and I think it's very similar when
you do that initial setup. It's almost the exact same thing. And so you'll choose recovery, and you'll just have to
upload the newest firmware for this Pineapple. I think the link for that
is hak5.org/downloads. And we will probably just wait
a minute for this to upload. It usually takes a few minutes, and I've found that this
interface on the site doesn't usually refresh in time. Usually, before it even lets
you know that it's finished, it is finished. - I was just gonna ask
the boomer questions in this interview. You configured the
Pineapple with 172.16.42.42, but you've navigated in your browser to 172.16.42.1, right? - Yeah, that's the gateway. - And then, you log in. Sorry, it asks you to set
a username and password. Is that right? Or did you do
the firmware upgrade first? - Yeah, so you just do the
firmware upgrade first. And then, afterwards,
you navigate to 1471, that port that everything's hosted on, and we'll start to work through that. This is the documentation. It's awesome. This is Darren
Kitchen, the Hak5 guy. Shannon Morse? I hope I
said her last name right. Snubs is what she really goes by. She has a lot of awesome content out there on Hak5 stuff, too. This is what we're gonna
be walking through, setting it up after that. This may take a minute. - Cori, while we're waiting
for this to update, which Alfa adapter is your favorite? - That's a great question. They have the longest, craziest names. I buy a lot of wireless adapters, a lot. This is the only one that
I really get anymore. It's AWUS036ACH. I know that sounds really complicated, but it works really well with Kali, so that's why I use it.
- And do you... And that one supports 5
gigahertz and 2.4, right? - It does, yeah. - And in your pen tests, do you find that you're doing a lot of
5 gigahertz these days? Or is it just a mix-and-match
of both frequencies? - It's a mix-and-match. - And while we're waiting for
the Pineapple to upgrade, in your pen tests, what are the kinds of attacks
that you generally use? Can you just explain. Is it like... Do you do brute force
of PSK, pre-shared keys? Or try and... Sorry, give us some examples
of the kinda stuff that you do and what's real-world, because I can create a video saying, "Here's a GPU. I'm gonna
crack a pre-shared key." But what're you doing in
the real-world day-to-day when you do these pen tests? - Yep, that's exactly it. We do exactly the same stuff
that the Pineapple does, and sometimes, we do additional
things, like Wi-Fi OSINT. That's basically nothing, but
it's just walking the facility of an area and aggregating all of the
data of wireless networks and then just compiling that into a report so that organizations can see are there free and open
networks around here that other people could be using to try to get our employees to connect to or to impersonate any real
networks that we have. - Do you do fake access points or evil-twin-type access points? Is that how you capture credentials? Or do you knock off clients? Or is it all of the
standard stuff that you do? - Yeah, really, all of the
standard stuff is what we do, a lot of PSK stuff, just like the Pineapple, really, just a different physical tool. - The reason I'm asking this
is I'm trying to get a feel. Theory in the books... We won't mention any certifications here, but certain certifications
are very theoretical versus what you actually
find in the field. (David tuts) So do you have any favorite
Wi-Fi-attacking methods that you think work really well? If I was gonna go... Let's say I was going to go
to a pen test and I'm new. Which one would you
recommend I start with? Or do you have a cheat sheet? 'Cause when you did
(tuts) the email campaign, you had wonderful templates. D'you have a sequence that you follow or any kinds of tips for
someone who's new to this? - Yeah, exactly, I do. I have a little playbook that I've created for myself to reference. I think most pen testers do that in almost everything that they do if they don't completely automate them. But yeah, so there are
some like standard tools that I definitely use, a
lot of people out there use. Wifite would be one of them,
if you're familiar with that. And then, of course, the Aircrack suite, which includes the Recon-ng and probably all of
those other Wi-Fi tools that you've heard of. - It's interesting that you said Wifite, because a lot of people would say, "That's script kiddie stuff," but it works, doesn't it? (Cori chuckles) - It is, and it's funny that
you say that, because... I can't remember who said
this to me, but years ago, they were like, "Look at
information security." People are so big on using the
word script kiddie or skid. It's just a term that... But if you look at things like the OSCP, the OSCP just (chuckles)
makes you a script kiddie because it just teaches
you how to use scripts to do everything within
the scope of your job. - I think it's a very valid point. Use the tools. Don't reinvent the wheel. What's the point of that? Unless you wanna try something to learn or you need it for a specific use case, why not use the tools? - Exactly. - Just for everyone's benefit, I've put links below to information that Cori's shared with us. Cori, thanks, as always, for
sharing such valuable stuff. We don't have it in the
video, but I've put it below. Cori's gonna share some of
her secret sauce with us, so Cori, thanks, as always. (static buzzes) - There's two different ways
that you can start this up: with Wi-Fi disabled
and with Wi-Fi enabled. It's just a binary option. You either quickly press or
you hold it for four seconds. I don't know if you have a
preference on what we do. I've done it both ways. - Cori, let's do the easy
way, which is use the Wi-Fi. - Perfect, let's do it. (static buzzes) And I think we can actually show here this is exactly what I was talking about, where the page says that
it's still uploading but you can actually navigate to it. Oh, actually, it does
still look it's loading, so I think (chuckles) we actually do need to
wait another minute. I guess we just need to wait longer. I've never had it take this long before, so I apologize. - It's gonna take this long
because we are recording. That's why it's... I've done this for years. This is... It never... It always works beautifully
until you have to demo it, so don't worry. I know the pain. Cori, lemme... Let's... While we're waiting for
this, some real-world stuff. What's the dumbest stuff that you've found out in the real world that people set their passwords to, like "password" or something that's
really dumb on Wi-Fi networks. I'm just trying to,
again, take it real-world versus what they teach in books. - Yes, I love that question, and I also feel bad 'cause I don't want... I'm afraid of someone watching
this video we're recording and being like, "Hey,
that was my password," (David laughs) or something like that. But yeah, I see a lot
of really crazy stuff, especially passwords, which is so funny, that you mention that, a lot of swear words, derogatory terms against
people's bosses or their job. But probably, the
funniest story that I have in regard to a password is one of my co-workers had actually compromised this machine. And then, he was using
that user's credentials to continue moving laterally
throughout the network, and the guy recognized somehow that his account had been taken over. And so he changed his
password, and of course, when we eventually took
that password, cracked it, the password (chuckles) was
"MOTHERF-ERSAREINMYCOMPUTER." (David laughs) Yeah, but it's crazy. It'll
be like, "I hate my job. I hate this place." It's always funny. It's like, "How much of
that should we redact when we provide it
(chuckles) to their bosses?" Yeah, a lot of crazy
stuff around passwords. Passwords is such a fun way to look, and I think something really
interesting about passwords... There was this guy, I
think his name was Matt. I can't... I think his last name was Kier. His name was, like, Matt Kier, and he did a couple of
DEFCON talks years ago, probably 8 to 10 years ago, but they were all about
analyzing passwords and what kind of passwords people create on different platforms, and it was some really interesting data; for example, when a
person creates a password on a platform that's associated
with their job, I think, the likelihood of a deity or a God being involved in that password was increased by 30 to 40%. It's really interesting to
see statistics like that. - And on Wi-Fi passwords, do people use weak passwords as well, like really short passwords
on the Wi-Fi stuff? - Yeah, definitely, they do. - I'll tell you this. I've done some videos
where I showed people how to crack short passwords, and the number-one complaint I get is "no one would use a
password like this. It's dumb." - They're wrong. Password spraying is such an integral part of pen testing as well, which just goes to show people
are still stuck on that. And beyond just spraying
regular common passwords, like SUMMER2022, all that kind of stuff... But I've found that, if you
take breached credentials from any kind of data breach,
like LinkedIn or whatever, and if you take someone's password and you attempt iterations of that, so if it's BILLYBOB1786, if you change that to
BILLYBOB1787 or BILLYBOB1788, something sequential or an iteration, the likelihood of that being
valid is also increased. - That's mad, and what about RockYou? People still using passwords in that? - Yeah, people do use RockYou, but I think RockYou is
more so used as a base alongside more sophisticated
password rules. So you'll take RockYou words. And then, you'll be like, "The first character of that
string will always be capital. The last character will
always be a special character, followed by numbers," something like that. - On Wi-Fi pen tests, are you able to crack
a lotta the passwords from outside the building? Do you have to somehow
social engineer your way into the building? What's your playbook to
crack a Wi-Fi network? - Yeah, I do both. Usually, if I have to do a Wi-Fi test while I'm doing a physical pen test, which is accessing the
interior of the building, getting something on the network, something like that, I'll actually just sit in my car while I do the Wi-Fi testing and get as close as I need to, because this thing's not very conspicuous. I could put her in a
backpack or something, but usually, with the kind
of pretext that I use, because I'm a young woman,
something like a backpack would probably only hurt
the way that I look. Okay, this is the initial setup. Obviously, everything in here's in a graphical user interface, but it doesn't have to be. Once you actually finish
the initial setup, you can just establish
a shell of the device. It's bash, so we can have fun with that. The root password is just
the password we will use every time that you try to set this up. And the time zone... I'm in Nashville, Tennessee, so that's central. And then, we'll just walk
through these slowly. The management AP, that's the access point
that you're gonna use to actually manage the
WiFi Pineapple remotely. You gotta pick this SSID. I'll say David Bombal. And the password, this is used to connect remotely, so you'll want this, probably,
to be the stronger password. - SHEHACKEDMYDISCORD, is that right? That's my password? - Yeah, exactly. And then, the open AP,
this is the access point, and it's gonna broadcast
for other targets. I'll just call this Bombal. Don't make it so complex
that you forget, though. (David laughs) Awesome, and then, these client... The client filter's set
up in the SSID filter. The client filter's gonna... It's basically an allow-deny list for any of the actual devices that can connect to it, so if you do an allow and then you put in the MAC
address for whatever device, that will be the only device that is allowed to connect to this, versus if you do a deny list
and you put nothing in here, then everyone can connect to it. Or if you just put one MAC
address in the deny list, then only that device can't connect to it. For the sake of this... It's just a demo. I know people are gonna get mad at me. I'm gonna do a deny none. I'll commit a cardinal sin
right now by doing light. (David laughs) Accept their terms of service
and license agreement, but of course, don't read them. - That is not legal advice,
by the way. (chuckles) - Yes, I'm not a lawyer.
(David laughs) We're back here. Hopefully, I can remember
that password that I used. Perfect, and so now I'm gonna connect it to the internet so I can do some fun things, or we can just start by
doing a walkthrough of this. You can see there are six
different graphical icons on the side. They're all different things, of course. This is the dashboard. It lets you quickly see the
logistics and statistics of everything that you've done recently, everything about the system. You can see our systems
status / disk usage. And then, once we start running campaigns and attacks and stuff like that, we'll be able to see all the clients that we
currently have connected and all of the clients, in total, that we have had connected, as well as the SSIDs that we've seen. And then, of course, notifications
will also pop up here. This is the campaign tab. Campaigns are probably more
of the Wi-Fi pen testing versus just-having-fun kind of stuff because when you create a
campaign you can configure it with whatever scripts
that you want to run. When you're using tools
like Wi-Fi or Recon-ng, you can configure these
campaigns with those. And then, you can configure
the campaigns to start whenever your Pineapple turns on, so you won't even have to touch this. You'll simply just bring
your Pineapple with you to whatever physical
location you're accessing and plug it in. Oh, and they also have reports, which is probably super beneficial for when you write up
your pen test report. - That's why you might wanna use this rather than an Alfa adapter, with Kali, 'cause you've got all these
reports pre-made for you. - Exactly, yeah, they... That's a great point. They are premade. Of course, you can automate ways to take output from other tools and compile them into a report, but this is so simple and easy. And then, these are some of
the different aspects of the Pineapple itself. PineAP is the... When you think about the WiFi Pineapple, really think about PineAP. PineAP is the suite of
tools for the device. There's a bunch of different options here. This just sets the behavior. It'd be very similar to when
you run those campaigns. I guess we can just go
ahead and start one. Before I do that, though,
I'll go to the settings. When you go into the settings
of the WiFi Pineapple, it has this amazing mode
called censorship mode, and it does exactly
what you think it does. It just censors everything, and it even has random censorship, which is really fun because it makes all of
the SSIDs different fruits. I guess you'll see it in a minute, but I'll do this so I don't dox my-
- It hides all your SSIDs and MAC addresses, stuff like that, right? - Exactly, yeah. - Yeah, that's great. - If you do the standard
censorship mode, I think, it just shows half of the strings as X's, and if you do the random censorship mode, it'll show them as fruits. I guess I'll have to do the previous one so that I know what I'm
connecting to as well. Before we do that, let's
actually go into this tab. This is the recon tab
so recon/reconnaissance. We'll go ahead and
start a one-minute scan. Reconnaissance is just the
act of discovering things. This is just gonna take a look at all of the access
points that we can see and all the clients
that're connected to those. - It's really simple, isn't it? The hardest part here so far has been trying to install the software. - Yes, and I'm sure that I... I know that it's easier when you're not streaming
video and audio as well. - Yeah, it's not difficult. I think that's the great thing. You've got a dedicated device. You didn't have to type any
commands, whereas with... I'm just trying to, in my
head and for the audience, try and balance do I just get an Alfa adapter or do I get a Pineapple. And I suppose the problem
sometimes with the Alfa adapters is you have to install. And I just say Alfa 'cause I use Alfa as well. It's not sponsored. I'll just say that. This video's not sponsored by Alfa. You have to install drivers, perhaps, especially with the 5-gigahertz adapters. (tuts) You have to know the
commands. You can script that. You can use Wifite, stuff
like that. But this is... Graphical's so easy, isn't it? - Exactly, yeah, it's easy. And I do wanna say you're
not sponsored by Alfa, but you could be, so if Alfa reaches out to David Bombal and wants to sponsor him, you're not closed to that, right? - Yeah, they've... I... For disclosure, they have
given me some adapters in the past, and I have given away
some of their adapters, but they've never paid me, but yeah, of course, if Alfa wanna sponsor or
if Hak5 wanna sponsor... And I will say this.
Darren has been fantastic. I've spoken to Darren
or DMed him on Twitter, and he's also given me vouchers and coupon codes to give away. So really, shout out to both
companies. Both fantastic. - That's awesome. Yeah, but you made some amazing points. The real difference is ease of use, right? - Yeah.
- And skill level of the person using it. If you're just getting started into Wi-Fi testing or
pen testing as a whole and you're trying to
explore different facets, you would probably wanna
start with the Hak5 suite because it's such a great introduction to those kind of things. - It's amazing. You've picked up a lot
just in one minute, right? - Yeah, yes, a lot. Very interesting. This was our Recon. Yeah,
we did our one-minute scan. You can see up here's
some of the statistics of the things that we had identified. All of the green are access points. And then, we have clients that were connected to
those access points. We also have this activity
log, which shows us everything that we've done on the PineAP. Ignore the dates. I think that the date on
the system is misconfigured. That's that section. And then, this, this is also, in addition to
PineAP, the heart and soul of the WiFi Pineapple, which is the modules and packages. So let's take a look at
the modules that we have. Oh, I need to connect to my network first. Yeah, and to connect to a
network from your WiFi Pineapple, you can just click... I think this is called a hamburger icon, when it has the three dots. And then, go to internet connection. And then, hit network settings. Okay, and this is one thing that I've noticed censorship
mode doesn't do well: it does not censor anything when you are configuring
your own network settings. Awesome, we are connected
to our own network. Now we can go back into the
modules if it allows us. I think I've had to wait for this before. I think the modules are super beneficial 'cause they have some really cool things, like viewing any HTTP
traffic as it comes in. And of course, there's EvilAP, which is probably one of
the most famous subsets of the WiFi Pineapple. Yeah, and I will say between the campaigns and the PineAP behavior
settings down here, it's almost exactly the same thing, right? The campaign is... When you configure the campaign, you're just additionally saying how you would want PineAP to behave. - You can run different campaigns
for different pen tests. That's kind of the idea, right? - Exactly, yeah, and you
can configure it much better with your own scripts and stuff like that, but we'll run through these
behavior settings within PineAP. The parallels between
passive and active mode are that they both come with
their own pre-configurations. Within passive mode, it's
basically just a recon. You're collecting information about all the access points that you see. And then, you can add all
of those access points to a listing of access points to potentially advertise later on. That's that SSID pool. And then, in active,
you're doing both of those. But then, you can actually advertise all of those SSIDs simultaneously. And then, within advanced
settings, you get a... It allows you to configure
those settings a little more. Obviously, logging all events,
both passive and active, do that and then notifications for all clients that
connect and disconnect, capturing SSIDs to that
pool to impersonate. And then, you can also broadcast those. Think that we can go ahead
and start a passive scan. Awesome, and so we will see, and while we're doing this, let's see if we can get
those modules again. Awesome, okay, and these take
a little bit to download, too, I think, especially because
we're talking right now, but we can just run
through a couple of them, some of my favorite ones, HTTPeek. I had mentioned that earlier. It just allows you to view
all plain text HTTP traffic for the clients that are
connected to APs that you own. Super beneficial, right? Yeah, you could say there's not a lot of HTTP traffic happening, but I think... Actually, we should install this, and maybe I can do it right now, connect my own device onto it and then... Awesome. You have to install
the modules themselves. And then, I think once you
actually try to open a module, it may make you download more. Evil Portal, this is what
I had mentioned earlier. This is probably one of
the most synonymous modules with the WiFi Pineapple. It lets you create captive
portals; for example, when you go to a McDonald's
or a hotel or something and you try and connect to
their wireless connection and a little webpage pops up saying, "Do you agree to our
terms and conditions?" or, "provide me your email address," that's a captive portal, just like this. And the difference is that we are creating
the captive portal here, or we're leveraging a captive portal that someone else has made, because there's a lot of
these available out on GitHub, and of course, in the last video I made, I mentioned this thing called SingleFile. You could actually use SingleFile to grab a different captive portal, right? So super beneficial. We'll install it. We can probably run through
it really quickly, too. And then, Nmap, of course, Nmap is just a simple port scanner. There's a graphical
user interface for this. I actually didn't... I just realized... I thought the graphical
user interface for Nmap was called Zenmap, but I guess here it is just Nmap. Maybe those are two different things. I really don't know. HTTPeek, let's see if we
need to download anything before using it. - You're just scanning
the air. Is that right? And then, looking for stuff
that's gonna get captured, is that kinda right? - Yes, and so what we're gonna
do right now, right after... Right now I'm just checking
these modules, yeah, to see if they had any dependencies, because, frequently, I've noticed that they do have dependencies, and so they may just take a
couple more seconds to download. But once these finish, we'll go ahead and spin up an evil twin
access point with Pineapple. I'll connect one of my devices to it. And then, we'll just check up... I'll navigate to some HTTP traffic so you can see what it would look like if you were out in the wild doing it. Oh, this is a great
walkthrough, too, real quick. Once you have run your Recon and you can see all the
networks that are around you, you can click any of these devices. This is my network, so I feel comfortable doing this. I won't deauth it, so that David and I can
continue to have a conversation over (chuckles) the internet. (David laughs) But you could just click. It's as easy as this
little red button, right? You can just hit
deauthenticate all clients. And then, you can go ahead and try to capture those handshakes, and it's really that simple. Once you complete it, you
can come back up here, and you'll see your
handshakes listed here. And then, there's actually a subpage where they'll all be listed, and the format that they're listed in, I wish I did actually have this for you, but it's interesting because
it provides it to you, I think, both in PCAP and the hash itself so that you can crack it in Hashcat. And then, it also provides you
the Hashcat numerical value, which I think is 22000. Don't quote me on that. I know people are gonna
comment and be like, "You have less than 22000." But yeah, it's really that simple. - One of my videos which
is quite popular this year has been me using Hashcat
with GPUs to crack passwords. And again, on that video,
people were saying, "David, this is dumb
because who uses a password that's got a telephone number in?" But the reason I used that as an example is because an Israeli researcher found that he was able to crack... And I'll probably get it wrong. I think it was 70% of
Wi-Fi networks in Tel Aviv because most people were
using their telephone number as their password on their Wi-Fi network. And I was saying, "Look,
someone's done this research. This is real-world, but I'm just gonna show ya
how to use it with a GPU." But I didn't just show telephone numbers or 10-digit numbers. I also showed how to use Hashcat for mixed digits and text, and so forth, just using GPUs to show how, if you've got a powerful
GPU, you could get lucky and crack a password fairly quickly. Or it could take a long
time. It just depends. - Yeah, and it's funny that you say that, 'cause I remember when that was published, and I was kinda blown away because when I think of Tel Aviv I think of a place that's
setting standards in security and probably way ahead of America in terms of information
security and technology, but. - It's that whole argument. It's this thing about the security niche, if ya like, or the... People into security understand the risks, and they don't, well, hopefully don't, do too many dumb things, but the general population, who have no technical knowledge, don't. They just do what's easy. And let's be honest. Setting some crazy Wi-Fi password is fine except when your family comes to visit or people come to visit and you have to share that password. I think non-technical people
don't always realize the risks, and that's why they get caught. - Yeah, that's a great point. (static buzzes) Here we're back in our PineAP settings. OpenAP is that open access
point that we are broadcasting. We had... When we did the initial configuration, we named it Bombal just to be silly. Typically, if you're doing something like this, you'd do; I don't know if I can say this on YouTube; McDonald's Free Wi-Fi because that's an open network, and people are going to try to connect to it.

- Just for anyone who's watching, this is... One of the reasons for showing this is to also warn people that just because it says McDonald's Wi-Fi doesn't actually mean that it is, because Cori could be trying to hack all of us. So see this as education, and show your grandmother. Show your family who are not technical that just because it says something doesn't actually mean that that's what it is.

- Then I'm gonna go on a device. I'm gonna go on my cell phone, and I'm going to go ahead and connect to that network. This is McDonald's Free Wi-Fi. (static buzzes) You can see, in the upper right, we actually got a notification, a device that connected to it, and we can go down into our HTTPeek, which is that module that we had added earlier that just lets us view HTTP traffic in real time. We'll enable it and start. And then, I'll go on my device. The website I like to use for HTTP traffic is the CERN website. They have... I guess it was the first website ever created, and they keep it accessible. And in case you were wondering, obviously, I can access the internet from my phone. It's just like a man in the middle. The Pineapple is using a legitimate network that I possess. And then, it's broadcasting a network to other devices, so devices connect to it, and they can actually do things. The Pineapple serves as... It's called a man in the middle.

- All you did there was you just broadcast an open network pretending to be McDonald's. You didn't have to do anything fancy. Some person connected to it, and now you're capturing their traffic.

- Exactly, yeah, and so you can see some traffic has been generated there from me just Googling. And then, there you go, the CERN website. You can see the client. This is the device I'm connecting to it with. And then, these are the actual URLs that I'm accessing. And of course, if there were cookies associated with whatever's performing, I would be able to see them down here. Really interesting. That's a really fun module within it. And then, let's also take a look at the evil portal. It's the name for it. We talked about it a little. It just allows you to set up captive portals. It also comes with a default captive portal, so we can go ahead and start it right now. We'll hit create new portal. People make tons of these. They put them up on GitHub. I wish I could remember and attribute this person's username, but there is a GitHub user out there who has a bunch of them. We'll go ahead and do a basic portal, which means that every client that connects to this network will see the same exact portal. With a targeted portal, you can present every device that connects, based on some function of its identity, a different portal. I will go ahead and do a-

- I found one. It's called kleo/evilportals. Is that the one you were thinking of?

- Pardon?

- [David] Kleo/evilportals.

- Yes, that's it. That is it. Awesome, and so we'll go
ahead and activate this. And then, we can preview it. This is just the WiFi Pineapple's standard evil portal when you don't configure it at all, so when you connect, you'll see this is the default portal page, and here's your SSID, your MAC address, your IP address. And then, you can go ahead and hit that authorize button to connect to the network. Awesome, and then, it also has these allowed clients. One thing I didn't touch on earlier, one of the big benefits of those allow list and deny list is, when you are actually conducting a pen test against an organization, frequently, you're given a very specific scope of things that you can and cannot touch, especially because, organizations, they work in holospaces, which are... Multiple organizations exist under the same roof. And so when you're in those places... I've had it before. I was working against a client actually, and (sighs) I feel like "should I even say this?" The lottery for that state was in the same building. And so I was like, "Yeah, I really don't... I wanna make sure that I don't touch anything that doesn't belong to them, because the lottery (chuckles) will come after you." Okay, and so now I've connected to it on my phone, and the captive portal pops up for me with a great banner of McDonald's Free Wi-Fi.

- Tell me Cori, because this is a question that I've been asked in the past. Okay, I connect to this portal, McDonald's Free Wi-Fi or Starbucks or whatever, (tuts) but how does that help you? Because are you gonna ask the user to put in some specific credentials, their corporate credentials or something, to trick them into giving you something that's worthwhile? Because if you connect to McDonald's or whatever and you just put in some random stuff, it doesn't really help you, right?

- Yeah, thank you so much for pointing that out. Exactly, I would say the biggest goal or benefit of using the evil portal and these captive portals would be credential phishing, so attempting to gain credentials for whatever it is. I think, frequently, people do things like Facebook or other social media sites. That's totally off limits in all pen testing, right? But those are some of the examples that I've seen out there. Never do that. It's an awful thing to do. I should say that, but yeah. Specifically, in a pen test setting, that would be for whatever their main suite of tools is. Whether they use the Google Workspace suite or the Office suite, ideally, you'd want to capture those network credentials.

- So you gonna fake... When they connect to this Wi-Fi, it's suddenly gonna ask them to enter a Google username,
password, or whatever to get access to the internet, and you're gonna trick them into giving their corporate details so that you can get into their network. Did I understand that right?

- Exactly, yeah, and also it does add a bit of legitimacy because you can see a network called McDonald's Free Wi-Fi, but McDonald's doesn't have a Wi-Fi where you don't have to go through a captive portal, right? There really aren't free wireless networks that exist without captive portals anymore. So just having one does give the target a sense of legitimacy.

- Obviously, you're not gonna ask them for a McDonald's-specific password. You're asking them for something corporate, (tuts) and you trick them into giving that, even though... So they think it's just a standard portal that's perhaps linked to Google, but it's not. It's you capturing their Google credentials.

- Exactly, yeah.

- For the audience, please, put, in the comments below, stuff that you wanna see. Are there any specific Pineapple features that you want us to look at, third-party modules or stuff? Let us know. Cori, I think for a lot of us, it'll be great to get your input of your favorite Hak5 devices. (tuts) And again, for anyone who's watching, please, let us know which ones you want Cori to review and explain. I think the... Just coming back to real-world, do you find that, in the real world, you're doing a lot of Wi-Fi pen testing? Do companies actually ask you to do that? Or is it just an add-on on the standard pen test?

- Yeah, that's a great question. I've never seen it not be an add-on. I've never seen it done completely independently. It's almost always an add-on to work that is already happening, whether it be internal testing, where we start on a network with no authentication whatsoever, and then, we'll just provide them a wireless card, or in addition to a physical pen test, where I'm trying to access the interior of the building or a data center or a warehouse, whatever it be, and then performing wireless attacks there.

- When you're in your car, do you use a Pringles can thing? Or do you just find that you get close enough to the buildings?

- Yeah, no.

- Show some of your cool talls, tools, sorry. Go on.

- This always works, and I've had it work pretty far as well, to the 16th, 17th, 18th floor of a building-

- Oh, wow.

- When I'm probably 300 feet out, so no Pringles cans. (David laughs)

- And you said you had some other devices on your table. Is that right? D'you wanna share anything that you've got and tease us, perhaps, for another video? Or what have you got to show us?

- Yes, so historically,
for physical pen testing, I've always really liked using the LAN Turtle, which is one of their older devices. And it basically just lets you SSH back into it. You hook it up to a network, and it's great. It just plugs into an ethernet jack, so if you just walk into an office space and they have exposed ethernet jacks out, you can hook it up in there. Or I've done it in docks before, computer docks. The Shark Jack, this is it. They came out with it, I think, about two years ago. Most of the time, this is good enough for my job. I think the thing only has a two-to-three-minute battery life. But you just hook it into the network, you press the button, and it does a quick Nmap scan, whatever you configure it to do, so a port scan of the network. And that's basically just to prove that you were able to get on the network and access it, establish a real IP address. I find that this is just good enough for work because, most of the time, when I am doing a physical pen test, I'm also doing it in tandem with an external pen test, where you start on the public internet, and then an internal pen test, where you have a device on the network. So usually, I don't need to escalate my physical access to an internal pen test, right? I just need to prove that I was able to do it.

- So you're basically proving that you managed to get into the building without them realizing and get access to a port on a switch. That's the proof, yeah?

- Exactly, yeah, and by establishing an IP address, not being halted by NAC, a network access control, or something, I'm just proving that whatever's accomplished on that internal pen test could have been accomplished by that physical.

- In your experience, do you find that you can just get into companies' networks using the Wi-Fi, so externally, sit in your car, get in? Or do you find that security has now got so good on Wi-Fi networks, with WPA version three, stuff like that, that the only way to get in is to physically get into the building and plug into a physical port? Or is Wi-Fi still wide open?

- Wi-Fi's definitely getting better. I would say it's not as effective as physical testing or any other form of testing, really, but it does happen, right? We do crack PSK and stuff in our job, but it doesn't happen at the consistency that other tests are successful.

- And just to reiterate reality versus the movies, do you still find that people are using WPA weak? Or is it WPA version two? WPA version three is, especially, I suppose, in enterprises... At home, it's a different story, but are enterprises really locking down their Wi-Fi? Or is it just the devices get updated, so they're so much better today?

- They're definitely locking it down. I would see... And you can... Even if you go back in this video and you look at the kinda things that we had seen in our dashboard, mostly, it's a multitude of WPA2.

- Cori, thanks so much. I really appreciate you sharing. And thank you for not hacking me today but hacking your own network. I thank you for doing that. Where can people reach you if they don't know already?

- Twitter. You can find me on Twitter. I exist there.

- Cori, as always, thanks so much for sharing. Really appreciate you taking the time. And just for everyone watching, I can tell you this: when we were recording this video, we went through a lotta trouble. Cori had to fix a few things. It takes a lotta time and trouble to do demos, (tuts) and they go wrong. And Cori, thanks so much for not just talking but showing us how it actually works. Appreciate you putting in all the effort in the previous video and this video, so thanks so much.

- Thank you so much, David. (static buzzes)

(upbeat music) (static buzzes)