Hacker hunts and pwns WiFi Pineapples with zero-day at Def Con

The WiFi Pineapple makes man-in-the-middle attacks incredibly easy, but users better know what they’re doing before trying out the Pineapple at the biggest hacker hangout in the U.S. A classic example of that wisdom can be seen via a screenshot tweeted by @JoFo after an intern deployed a Pineapple at Def Con 22.

Feel free to see it yourself in the original form, but the general gist is below…with creative asterisk spellings for words I can’t publish here. Hopefully you will be as amused by the message as I was.

Dear Lamer,

You just got popped with some 0-day s**t. Mess with the best and die like the rest. Should have just bought a t-shirt.

You’re going to mess around with someone’s Wi-Fi in Vegas at a f***ing hacker con? What the h*ll did you expect?

Your sh*t’s all wrecked now. If you really are the bad*ss you’re pretending to be, you ought to be able to fix it.

If you have no idea what is going on then I recommend you take this back to the Hak5 booth, ask for a refund, and stop sh***ing-up the Wi-Fi.

Read the f***ing code the next time you buy super elite skiddie hax0r gear. This s**t is criminally insecure.

Sincerely,

@IHuntPineapples

Apparently, @ihuntpineapples has a network at DEFCON that is popping shells on pineapples with an 0day.

— Brandon Perry (@BrandonPrry) August 8, 2014

There is a fix if it was bricked or if it needed a firmware update, but if a person wanted to know more about the Pineapple, then the Def Con 22 Wireless Village would have been a good start. For example, Hak5’s Darren Kitchen and WiFi Pineapple developer Sebastian Kinne released new firmware 2.0. But, in theory, @IHuntPineapples used a zero-day exploit on the newest Pineapple firmware 2.0.0.

Step one: take advantage of someone’s brain fart of checking authentication in the footer after all the PHP runs

— I Hunt Pineapples (@ihuntpineapples) August 9, 2014

Step 2: command inject. One possible: /components/system/karma/functions.php?client_list=true, POST remove_client=false mac=”;commands;”

— I Hunt Pineapples (@ihuntpineapples) August 9, 2014

Kinne later took to the Hak5 forum to explain that 2.0.0 fixed numerous security issues, so long as the root password isn’t known. “If you know the root password, you can inject into POST or even some GET requests. You could also just use the functions.php in the configuration tile that will execute commands for you – a built-in function of the tile. We’ll have to lock that – and other things down now.”

We cannot really fix the fact that passwords can be sniffed over the open wireless – use a cable to manage it without the password leaking into the air. Only thing we could do in that regard is put self-signed SSL certs on every Pineapple… but that would be a hassle for everyone. Nginx DOES support SSL, so feel free to set that up.

TLDR: Download 2.0.1 once it’s out, it has the logout bug fixed.

The very same day, 2.0.2 was released.

Tripwire’s Craig Young, a security researcher for its Vulnerability and Exposure Research Team, also gave a “Pineapple Abductions” talk at the Wireless Village. He talked about poor SSL implementations and showed “how a simple hack with a Pineapple WiFi can be used to abduct, stalk, spy on, or even physically harm unsuspecting victims.”

Hak5 says it sells WiFi Pineapples to anyone, which has spurred folks to claim there are no legitimate uses for the Pineapple other than nefarious activities. Hak5 host Darren Kitchen has disputed that by stating, “The claim that the device has ‘no legitimate use’ contradicts the countless government agencies and penetration testers who’ve used the WiFi Pineapple in authorized security audits.”

As if “worrying” about G-men playing around with a Pineapple isn’t bad enough, wise folks might keep an eye open for War Kitteh or for “Denial of Service Dog” that walks around with a “saddle-bag containing the WiFi Pineapple Mark V wireless network hacker tool.”